DEV Community

Safia Abdalla

What I learned when I tried to hack my smart vibrator

I’ve owned a smart vibrator for a little over a year now. For those of you who might not be familiar, smart vibrators are vibrators that can be controlled by an app via a Bluetooth connection. Often times, the app is connected to the Internet so a remote user can control the vibrator via the app. In that case, the remote user sends a message to the app and the app relays that message to the vibrator via Bluetooth.

I don’t do a lot of interesting projects with hardware or Internet-connected devices, so I figured it would be fun to hack into my vibrator to learn a bit more about IoT devices. In this specific case, by "hack" I mean "reverse engineer the communication protocol that the vibrator and app use to communicate with each other." The particular vibrator I’ll be reverse engineering is the Vibease. Note to those of you who might be in an office, public library, or next to a nosy person on the train: that link will take you to an e-commerce page that sells sex toys. Hopefully, I saved you some unwanted awkwardness!

I started by doing a bit of research into Internet of Things devices that use Bluetooth in general. I figured, or I should say hoped, that there would be some sort of standardization or protocols around how Internet of Things devices utilize Bluetooth.

The first thing I figured out was the distinction between Bluetooth and Bluetooth Low Energy. Bluetooth Low Energy (sometimes referred to as Bluetooth 4.0) is a version of Bluetooth that uses less energy than prior versions. This is particularly advantageous for Internet of Things devices because it means they can run off battery for long periods of time. I can confirm this. I was pretty surprised by the number of uses that I could get out of my vibrator after a single full charge. This "low energy" distinction comes from BLE modules remaining in "sleep mode" when not in use and thus using less energy. You can read a bit more about the differences at this link.

I decided to look around and see if there were any other articles written about reverse engineering Internet of Things devices and chanced upon this post. In the post, the author reverse engineers a smart light bulb. At this point, I don’t have the knowledge to brag, but I get the sense that what I’m trying to do might be a bit more difficult. For one, while an app that controls the color of a light bulb only needs to modify the color emitted by the LED, a vibrator has several motors that sometimes need to be activated in tandem. Despite this, the post gave me some pretty good insights into BLE devices in general.

In particular, the article outlined how a peripheral device (like a vibrator) exposes BLE services that represent different aspects of the device (like the battery or the motors of a vibrator), each with characteristics that a connected app can read and write (like the battery level of the device or the rotations per minute of a motor). The article mentioned using an app called NRF Connect to interface with the Bluetooth device. I headed over to the App Store on my iPhone, downloaded the app, turned on my vibrator, and connected to it using the app.

Once I connected to the vibrator, the app detected three different services. The first was the Battery Service and the second was the Device Information service. It was pretty obvious to deduce what each of these services was for from their names. I figured that they were both read-only services that allowed the app (and snoopy critters like me) to read information about the battery level and details about the vibrator. The third service was labeled as "Unknown" by the NRF Connect tool. I figured this was the service responsible for reading and writing the state of the motors on the vibrator.

A screen capture of the services detected by the NRF Connect app on the Vibease vibrator.

I decided to navigate over to the "Battery Service" to see what information I could find there. As I suspected, the "Battery Service" contains a single "Battery Level" characteristic that is "Read Notify" and contains a value of '0x64'. This is a hex (base 16) number that translates to 100 in decimal. It’s fully charged and ready to go!

A screencapture of the Battery Level characteristic on a Vibease.

I navigated to the "Device Information" service and noticed that it had several "Read" characteristics that pertained to the Serial Number, Model Number, and other details of the device. Here’s a screenshot of what that screen looked like with certain details obfuscated.

A screencapture of the Device Information service on a Vibease.

All this was fairly easy, but I still needed to figure out how the app interfaced with the motors. I navigated to the ominously named "Unknown Service" to see if I could figure anything out.

A screencapture of the motor services on a Vibease.

Interesting! This service contains a mix of "Read Notify" and "Write Without Response" characteristics. There are two "Read Notify" characteristics and two "Write Without Response" characteristics. I presume that each of those characteristics lines up with a motor on the vibrator. That is to say, the vibrator has two motors, each of which you can read data from and write data to. This was in line with the physical characteristics of the vibrator. It has a motor on each end, and they both operate independently of one another.
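The service listing above is, from a security point of view, an inventory of the device's attack surface: standard services such as Battery (0x180F) and Device Information (0x180A) are read-only and well documented, while the "Unknown" vendor service is where unauthenticated writes land. The following script is an added example (it is not code from the post or from Vibease) that models an NRF Connect-style discovery result, resolves the Bluetooth SIG 16-bit UUIDs it knows, decodes the GATT property bits, converts the Battery Level byte (0x64 → 100 %), and lists every characteristic that accepts "Write Without Response". The vendor service and characteristic UUIDs, the Device Information strings, and the property layout are constructed placeholders that mirror the screenshots, not the real Vibease values.

```python
# Added example: inventory the GATT surface a BLE peripheral exposes, in the
# shape NRF Connect reports it. All sample UUIDs/values below are CONSTRUCTED.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bluetooth base UUID suffix: 16-bit SIG UUIDs are 0000XXXX + this suffix.
BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# Bluetooth SIG assigned numbers for the services/characteristics in the post.
KNOWN_UUIDS = {
    0x180F: "Battery Service",
    0x180A: "Device Information",
    0x2A19: "Battery Level",
    0x2A24: "Model Number String",
    0x2A25: "Serial Number String",
    0x2A29: "Manufacturer Name String",
}

# GATT characteristic property bits (Core Spec Vol 3, Part G, 3.3.1.1).
PROPS = [
    (0x01, "Broadcast"), (0x02, "Read"), (0x04, "Write Without Response"),
    (0x08, "Write"), (0x10, "Notify"), (0x20, "Indicate"),
    (0x40, "Authenticated Signed Writes"), (0x80, "Extended Properties"),
]
WRITE_WITHOUT_RESPONSE = 0x04


@dataclass
class Characteristic:
    uuid: str
    props: int
    value: Optional[bytes]  # None models the "N/A" NRF Connect showed for one motor


@dataclass
class Service:
    uuid: str
    chars: List[Characteristic]


def describe_uuid(uuid: str) -> str:
    """Name a UUID if it is a SIG-assigned 16-bit UUID on the Bluetooth base; else 'Unknown'."""
    u = uuid.lower()
    if u.startswith("0000") and u.endswith(BT_BASE_SUFFIX):
        short = int(u[4:8], 16)
        return KNOWN_UUIDS.get(short, f"Unknown (0x{short:04X})")
    return "Unknown (vendor-specific)"


def decode_props(bitmask: int) -> List[str]:
    """Turn the property bitmask into the labels NRF Connect prints."""
    return [name for bit, name in PROPS if bitmask & bit]


def battery_percent(value: bytes) -> int:
    """Battery Level (0x2A19) is one uint8 holding a percentage: b'\\x64' -> 100."""
    return struct.unpack("<B", value[:1])[0]


def unauthenticated_write_surface(services: List[Service]) -> List[Tuple[str, str]]:
    """Every characteristic a connected central may write without any ATT response.

    The property bits say nothing about link-layer encryption or pairing; that is an
    attribute permission you can only learn by attempting the write over an
    unencrypted link, so treat every hit here as surface to review.
    """
    return [(describe_uuid(s.uuid), c.uuid)
            for s in services for c in s.chars if c.props & WRITE_WITHOUT_RESPONSE]


def report(services: List[Service]) -> List[str]:
    """One line per service/characteristic, in the style of the NRF Connect screen."""
    lines = []
    for s in services:
        lines.append(f"Service {describe_uuid(s.uuid)} [{s.uuid}]")
        for c in s.chars:
            val = "N/A" if c.value is None else "0x" + c.value.hex()
            lines.append(f"  {describe_uuid(c.uuid)}: {', '.join(decode_props(c.props))} value={val}")
    return lines


# Constructed discovery result mirroring the post's screenshots. The vendor UUIDs
# are PLACEHOLDERS (not the device's real identifiers).
VENDOR = "12345678-1234-1234-1234-123456789abc"
SAMPLE = [
    Service("0000180f" + BT_BASE_SUFFIX,
            [Characteristic("00002a19" + BT_BASE_SUFFIX, 0x02 | 0x10, b"\x64")]),
    Service("0000180a" + BT_BASE_SUFFIX,
            [Characteristic("00002a25" + BT_BASE_SUFFIX, 0x02, b"REDACTED"),
             Characteristic("00002a24" + BT_BASE_SUFFIX, 0x02, b"REDACTED")]),
    Service(VENDOR,
            [Characteristic(VENDOR[:-2] + "01", 0x02 | 0x10, b"\x00\x00"),  # motor 1 state
             Characteristic(VENDOR[:-2] + "02", 0x02 | 0x10, None),         # motor 2, reads N/A
             Characteristic(VENDOR[:-2] + "03", WRITE_WITHOUT_RESPONSE, None),
             Characteristic(VENDOR[:-2] + "04", WRITE_WITHOUT_RESPONSE, None)]),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
    print("battery:", battery_percent(SAMPLE[0].chars[0].value), "%")
    for svc, uuid in unauthenticated_write_surface(SAMPLE):
        print("writable without response:", svc, uuid)
```

The useful output is the last loop: both writable characteristics sit in the vendor service, so that is where any review of what an unpaired phone can do to the device starts. The `N/A` motor is kept as `None` rather than a zero so the report does not silently confuse "no value read" with "motor off", which is exactly the ambiguity the post runs into.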

I noticed something a little strange with the two "Read Notify" characteristics that were associated with the motors. One characteristic read a value of '0x0000' (The screen-capture above shows a value of '0x0100' because I took it a while after I gathered the initial reading. I’m not sure why the value changed in the hour between me seeing it for the first time and me remembering to take the screenshot. More mysteries. Wow, this parenthetical is getting a little long…) which corresponded to a motor that was off (or, so I guess) and the other read a value of 'N/A'. At that point in time, the vibrator was on but not vibrating, so I found it strange that one motor would send a zero value and the other would send a null value. I decided to do a quick Google to see if this was a common issue with characteristics on BLE devices but couldn’t come up with anything useful.

Side note: Effective Googling is very difficult when you are learning something new, so I might not be formulating my queries in a way that brings up good responses. If you know something about BLE and why this might be happening, do let me know!

Anyways, I noticed that the NRF Connect app provided an option to write to characteristics that were writable. At this point, I did what any good engineer would do: I tested out random values. I tried sending '0x64', which corresponds to the decimal value 100, to see if the characteristic was setting the power level on the motor. No dice!

A screencapture of writing 0x64 to a motor on a Vibease.

I noticed that the zero value being read by one of the characteristics was a hex number with 4 places, so I tried sending '0xffff', but that didn’t work either. Bother!

A screencapture of sending 0xffff to a Vibease.

So at this point, I figured I would try something else. Instead of guessing values, I would open up the Vibease app on my phone, set the vibration in the app, and see what values the "Read Notify" characteristic emitted. The tricky thing was that I couldn’t use the NRF Connect app and the Vibease app on my phone at the same time, so I had to figure out some way to connect to the vibrator from my laptop. I found an app called LightBlue on the Mac App Store and figured I could try to use that to read the values on each of the characteristics while I controlled the vibrator from the app. For some strange reason, I couldn’t connect to the vibrator from my laptop while I was connected to it via the app on my phone. This actually isn’t strange, it makes total sense. If I were building a smart vibrator, I wouldn’t want multiple devices connected to it at the same time.

I decided to see if there were any Bluetooth sniffers for iOS. I wanted something that could run in the background and log all the messages sent over BLE from my phone. Knowing Apple’s focus on security, I figured that an app like this might not be available on an un-jailbroken iPhone but I tried my luck on it anyways. Some Googling led me to this StackOverflow post that provided some details about running Bluetooth in "Diagnostics Mode" on iOS. I wasn’t sure what kind of information I would be able to get out of the logs provided by Apple but I figured it was worth a shot. I ended up following the official instructions for Bluetooth logging on iOS linked to in the StackOverflow post to generate my log.

Side-note: What is it with Apple and all the outrageous key/button combinations they make you press to access diagnostic features on their products? I mean, I understand why they make it difficult for users to get to those features but geez I’m going to get arthritis by the end of all this!

The result of this diagnostic logging was a .tar.gz file located at the directory specified in the instructions referenced above. I unzipped the directory and discovered that it consisted of several diagnostics files.

Too many files to look through.

Oh boy, what did I get myself into now? At this point, I decided to utilize one of the most time-tested and expert-recommended problem solving techniques. It is called "click a bunch, read a bunch" and consists of opening and reading lots of files until you find one that makes sense.

I found a few files that seemed to be related to Bluetooth logging but opening them in Wireshark rendered some truly nonsensical data.

A Bluetooth log opened in Wireshark

I also found some files that referenced the Vibease app that I was using to control my vibrator. They ended up just being crash report files. It turns out that whenever I would try to connect to the vibrator from another device while the app was connected to it, the Vibease app would crash. Fun!

At this point, I had tried enough options that it was time to go back to the drawing board one more time. From doing some research, I discovered that sniffing BLE traffic and getting a log that is fairly easy to parse in Wireshark is pretty trivial on Android. It felt like the Apple ecosystem was really limiting me here, then again I am new to this and might just be unaware of the right tools to use. I did some more Googling to see if there were any other Bluetooth sniffers available for iOS or Mac but didn’t run into anything. Most solutions recommended purchasing a device like the Ubertooth One, which is designed to help with Bluetooth experimentation. But this device has quite a hefty price tag. It retails for anywhere from 120 USD to 200 USD, a little outside my college-student budget. I couldn’t find a way to sniff BLE signals on iOS from the phone the way it was done on Android.
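The Android log the post refers to is the HCI snoop log, a btsnoop file that Wireshark opens directly. The point of capturing it is to see which ATT writes the app sends to the device and which notifications come back, which is the same information the post was trying to get out of the iOS diagnostics. As an added example (not code from the post, and not an Android or Wireshark API), the script below parses the btsnoop container, walks the HCI ACL packets down to the L2CAP ATT channel, and extracts Write Request, Write Command and Handle Value Notification PDUs. The capture it runs on is constructed inline: the connection handle, attribute handles and values are made up to match the kind of exchange the post describes, not recorded from a Vibease.

```python
# Added example: pull ATT writes and notifications out of a btsnoop HCI log
# (the format Android's "Bluetooth HCI snoop log" produces). The capture at the
# bottom is CONSTRUCTED, not a real recording.
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

BTSNOOP_MAGIC = b"btsnoop\x00"
BTSNOOP_H4 = 1002          # datalink type: HCI UART (H4) framing
H4_ACL_DATA = 0x02         # H4 packet indicator for ACL data (carries L2CAP)
L2CAP_CID_ATT = 0x0004     # fixed L2CAP channel for the Attribute Protocol
ATT_OPCODES = {
    0x12: "Write Request",
    0x52: "Write Command",              # "Write Without Response" on the wire
    0x1B: "Handle Value Notification",  # what a "Read Notify" characteristic emits
}


@dataclass
class AttEvent:
    direction: str  # "phone->device" (host to controller) or "device->phone"
    opcode: str
    handle: int
    value: bytes


def btsnoop_records(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (flags, packet) per record. Flags bit0: 1 = received by host, 0 = sent."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1 or datalink != BTSNOOP_H4:
        raise ValueError(f"unsupported btsnoop version/datalink {version}/{datalink}")
    off = 16
    while off + 24 <= len(blob):
        # record header: orig len, included len, flags, cumulative drops, timestamp (us)
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        yield flags, blob[off:off + incl]
        off += incl


def extract_att(blob: bytes) -> List[AttEvent]:
    """Decode H4 -> ACL -> L2CAP -> ATT for the PDUs a reverse engineer cares about.

    Limitation (by design, to stay short): ACL fragments split across several
    packets (PB flag 'continuing') are not reassembled.
    """
    events = []
    for flags, pkt in btsnoop_records(blob):
        if not pkt or pkt[0] != H4_ACL_DATA:
            continue  # HCI commands/events carry no ATT traffic
        _handle_flags, acl_len = struct.unpack("<HH", pkt[1:5])
        acl = pkt[5:5 + acl_len]
        if len(acl) < 4:
            continue
        l2_len, cid = struct.unpack("<HH", acl[:4])
        if cid != L2CAP_CID_ATT:
            continue
        att = acl[4:4 + l2_len]
        name = ATT_OPCODES.get(att[0]) if att else None
        if name is None or len(att) < 3:
            continue
        att_handle = struct.unpack("<H", att[1:3])[0]
        direction = "device->phone" if flags & 1 else "phone->device"
        events.append(AttEvent(direction, name, att_handle, att[3:]))
    return events


# --- constructed capture ------------------------------------------------------
def _record(flags: int, payload: bytes) -> bytes:
    return struct.pack(">IIIIq", len(payload), len(payload), flags, 0, 0) + payload


def _acl_att(att_pdu: bytes, conn_handle: int = 0x0040) -> bytes:
    # PB/BC bits of the handle word left zero: single, unfragmented ACL packet.
    l2cap = struct.pack("<HH", len(att_pdu), L2CAP_CID_ATT) + att_pdu
    return bytes([H4_ACL_DATA]) + struct.pack("<HH", conn_handle, len(l2cap)) + l2cap


SAMPLE_CAPTURE = (
    BTSNOOP_MAGIC + struct.pack(">II", 1, BTSNOOP_H4)
    # HCI Disconnect command (opcode 0x0406): a command record, skipped by the parser
    + _record(0x02, bytes([0x01, 0x06, 0x04, 0x03, 0x40, 0x00, 0x13]))
    # phone -> device: Write Command of 0x64 to attribute handle 0x0010 (made-up handle)
    + _record(0x00, _acl_att(bytes([0x52, 0x10, 0x00, 0x64])))
    # device -> phone: notification of 0x0000 from attribute handle 0x000D (made-up)
    + _record(0x01, _acl_att(bytes([0x1B, 0x0D, 0x00, 0x00, 0x00])))
)

if __name__ == "__main__":
    for ev in extract_att(SAMPLE_CAPTURE):
        print(f"{ev.direction:14} {ev.opcode:26} handle=0x{ev.handle:04x} value=0x{ev.value.hex()}")
```

Run against a real `btsnoop_hci.log`, the same function tells you whether the app's writes go out as Write Command (no acknowledgement, no ATT-level error if the device rejects them) and whether the link was ever encrypted before they were sent, which is the first thing to check when judging how much an unpaired nearby phone could do to such a device.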

I figured I would pause this little experiment here and post this blog post as is. If you consider yourself an expert in the Internet of Things and have some advice on how I should move forward, do let me know.

Although I didn’t reach my ultimate goal of reverse engineering the communication protocols used between my vibrator and its app, I learned quite a bit in this little adventure.

  • There is a lot going on under the hood when we use devices with BLE connectivity. It reminds me a little bit of those pictures showing what the world would look like if we could see WiFi signals. There is so much information constantly being transmitted that we are figuratively and literally blind to.
  • Running diagnostics on iOS apps yields a plethora of information. This is the first time I’ve profiled and logged my iPhone and it was interesting to see all the information available. I might end up doing something similar to diagnose issues with apps that I use that crash frequently. I might draft a blog post for it on here if I have the time.
  • Reverse engineering is fun (and sometimes frustrating).

Until next time!
