I’ve owned a smart vibrator for a little over a year now. For those of you who might not be familiar, smart vibrators are vibrators that can be controlled by an app via a Bluetooth connection. Often times, the app is connected to the Internet so a remote user can control the vibrator via the app. In that case, the remote user sends a message to the app and the app relays that message to the vibrator via Bluetooth.
I don’t do a lot of interesting projects with hardware or Internet connected devices, so I figured it would be fun to hack into my vibrator to learn a bit more about IoT devices. In this specific case, by "hack" I mean "reverse engineer the communication protocols that the vibrator and app used to communicate with each other.“ The particular vibrator I’ll be reverse engineering is the Vibease. Note to those of you who might be in an office, public library, or next to a nosy person on the train: that link will take you to an e-commerce page that sells sex toys. Hopefully, I saved you some unwanted awkwardness!
I started by doing a bit of research into Internet of Things devices that use Bluetooth in general. I figured, or I should say hoped, that there would be some sort of standardization or protocols around how Internet of Things devices utilize Bluetooth.
The first thing I figured out was the distinction between Bluetooth and Bluetooth Low Energy. Bluetooth Low Energy (sometimes referred to as Bluetooth 4.0) is a version of Bluetooth that uses less energy that prior versions. This is particularly advantageous for Internet of Things devices because it means they can run off battery for long periods of time. I can confirm this. I was pretty surprised by the number of uses that I could get out of my vibrator after a single full charge. This "low energy" distinction is a result of BLE modules remaining in "sleep mode" when not in use and thus using less energy. You can read a bit more about the differences at this link.
I decided to look around and see if there were any other articles written about reverse engineering Internet of Things devices and chanced upon this post. In the post, the author reverse engineers a smart light bulb. At this point, I don’t have the knowledge to brag, but I get the sense that what I’m trying to do might be a bit more difficult. For one, while an app that controls the color of light bulb only need to modify the color presented by the LED, a vibrator consists of several motors that sometimes need to be activated in tandem. Despite this, the post gave me some pretty good insights into BLE devices in general.
In particular, the article outlined how a peripheral device (like a vibrator) uses BLE to connect to services that represent different aspects of the device (like the battery or the motors of a vibrator) to read and write certain characteristics (like the battery level of the device or the rotations per minute on a motor). The article mentioned using an app called NRF Connect to interface with the Bluetooth device. I headed over to the App Store on my iPhone, downloaded the app, turned on my vibrator, and connected to it using the app.
Once I connected to the vibrator, the app detected three different services. The first was the Battery Service and the second was the Device Information service. It was pretty obvious to deduce what each of these services were for from their names. I figured that they were both read-only services that allowed the app (and snoopy critters like me) to read information about the battery level and details about the vibrator. The third service was labeled as "Unknown" by the NRF Connect tool. I figured this is the service that is responsible for reading and writing the state of the motors on the vibrator.
I decided to navigate over the "Battery Service" to see what information I could find there. As I suspected, the "Battery Service" contains a single "Battery Level" characteristic that is "Read Notify" and contains a value of ‘0x64’. This is a hex (base 16) number that translates to 100 in decimal. It’s fully charged and ready to go!
I navigated to the "Device Information" service and noticed that it had several "Read" characteristics that pertained to the Serial Number, Model Number, and other details of the device. Here’s a screenshot of what that screen looked like with certain details obfuscated.
All this was fairly easy, but I still needed to figure out how the app interfaced with the motors. I navigated to the ominously named "Unknown Service" to see if I could figure anything out.
Interesting! This service contains a mix of "Read Notify" and "Write Without Response" characteristics. There are two "Read Notify" characteristics and two "Write Without Response" characteristics. I presume that each of those characteristics lines up with a motor on the vibrator. That is to say, the vibrator has two motors, each of which you can read data from and write data too. This was in line with the physical characteristics of the vibrator. It has a motor on each end, and they both operate independently of one another.
I noticed something a little strange with the two "Read Notify" characteristics that were associated with the motors. One characteristic read a value of '0x0000’ (The screen-capture above shows a value of '0x0100’ because I took it a while after I gathered the initial reading. I’m not sure why the value changed in the hour between me seeing it for the first time and me remembering to take the screenshot. More mysteries. Wow, this parenthetical is getting a little long…) which corresponded to a motor that was off (or, so I guess) and the other read a value of 'N/A’. At that point in time, the vibrator was on but not vibrating, so I found it strange that one motor would send a zero value and the other would send a null value. I decided to do a quick Google to see if this was a common issue with characteristic on BLE devices but couldn’t come up with anything useful.
Side note: Effective Googling is very difficult when you are learning something new, so I might not be formulating my queries in a way that brings up good responses. If you know something about BLE and why this might be happening, do let me know!
Anyways, I noticed that the NRF Connect app provided an option to write to characteristics that were writable. At this point, I did what any good engineer would do, I tested out random values. I tried sending '0x64’ which corresponded with the decimal value 100 to see if the characteristic was setting the power level on the motor. No dice!
I noticed that the zero value being read by one of the characteristics was a hex number with 4 places, so I tried sending '0xffff’ but that didn’t work either. Bother!
So at this point, I figured I would try something else. Instead of guessing values, I would open up the Vibease app on my phone, set the vibration on the app, and see what values the "Read Notify" characteristic emitted. The tricky thing was that I couldn’t use the NRF Connect and the Vibease app on my phone at the same time, so I had to figure out some way to connect to the vibrator from my laptop. I found an app called LightBlue on the Mac App Store and figured I could try to use that to read the values on each of the characteristics while I was controlled the vibrator from the app. For some strange reason, I couldn’t connect to the vibrator from my laptop while I was connected to it via the app on my phone. This actually isn’t strange, it makes total sense. If I were building a smart vibrator, I wouldn’t want multiple devices connected to it at the same time.
I decided to see if there were any Bluetooth sniffers for iOS. I wanted something that could run in the background and log all the messages sent over BLE from my phone. Knowing Apple’s focus on security, I figured that an app like this might not be available on an un-jailbroken iPhone but I tried my luck on it anyways. Some Googling led me to this StackOverflow post that provided some details about running Bluetooth in "Diagnostics Mode" on iOS. I wasn’t sure what kind of information I would be able to get out of the logs provided by Apple but I figured it was worth a shot. I ended up following the official instructions for Bluetooth logging on iOS linked to in the StackOverflow post to generate my log.
Side-note: What is it with Apple and all the outrageous key/button combinations they make you press to access diagnostic features on their products? I mean, I understand why they make it difficult for users to get to those features but geez I’m going to get arthritis by the end of all this!
The result of this diagnostic logging was a .tar.gz file located at the directory specified in the instructions referenced above. I unzipped the directory and discovered that it consisted of several diagnostics files.
Oh boy, what did I get myself into now? At this point, I decided to utilize one of the most time-tested and expert-recommended problem solving techniques. It is called "click a bunch, read a bunch" and consists of opening and reading lots of files until you find one that makes sense.
I found a few files that seemed to be related to Bluetooth logging but opening them in Wireshark rendered some truly nonsensical data.
I also found some files that referenced the Vibease app that I was using to control my vibrator. They ended up just being crash report files. It turns out that whenever I would try to connect to the vibrator from another device while the app was connected to it, the Vibease app would crash. Fun!
At this point, I’ve tried enough options to go back to the drawing board one more time. From doing some research, I discovered that sniffing BLE signals and getting a log that is fairly easy to parse in Wireshark was pretty trivial in Android. It felt like the Apple ecosystem was really limiting me here, then again I am new to this and might just be unaware of the right tools to use. I did some more Googling to see if there were any other Bluetooth sniffers available for iOS or Mac but didn’t run into anything. Most solutions recommended purchasing a device like the Ubertooth One, which is designed to help with Bluetooth experimentation. But this device has quite a hefty price tag. It retails for anywhere from 120 USD to 200 USD, a little out of my college student budget. I couldn’t find a way to sniff BLE signals on iOS from the phone the way it was done in Android.
I figure I would pause this little experiment here and post this blog post as is. If you consider yourself an expert in the Internet of Things and have some advice on how I should move forward, do let me know.
Although I didn’t reach my ultimate goal of reverse engineering the communication protocols used between my vibrator and its app, I learned quite a bit in this little adventure.
- There is a lot going on under the hood when we use devices with BLE connectivity. It reminds me a little bit of those pictures showing what the world would look like if we could see WiFi signals. There is so much information constantly being transmitted that we are figuratively and literally blind too.
- Running diagnostics on iOS apps yields a plethora of information. This is the first time I’ve profiled and logged my iPhone and it was interesting to see all the information available. I might end up doing something similar to diagnose issues with apps that I use that crash frequently. I might draft a blog post for it on here if I have the time.
- Reverse engineering is fun (and sometimes frustrating).
Until next time!
Top comments (227)
Remotespywise specializes in providing reliable and efficient monitoring services to meet all your needs. Whether you're looking to keep an eye on your home, office, or any other space, Remotespywise team of experts is here to help. With Remotespywise, you can trust that your security and peace of mind are their top priorities. Their user-friendly interface and advanced features make monitoring easy and convenient for everyone. Don't wait any longer to secure your valuables and loved ones – book with Remotespywise today and experience the difference for yourself. Join countless satisfied customers just as myself who have already chosen Remotespywise as their go-to monitoring solution. All lost bitcoin, litecoin, ethereum wallets can be recovered through our well developed powerful wallet solutions already yielding great solutions. Contact REMOTESPYWISE @ GM AIL C OM.
Few days ago I came online in search of a hacker that I could hire to do a spy job for me, it was very important so I needed a strong hacker for my job. I came across several reviews but I figured hackerone975 @ gmail com was well praised for doing similar jobs that I needed. I decided to give this hacker on google mail the job, he gave me 4 hours to wait for results and then he came in. I was more surprised when I was informed I could see everything like a website. I'm Grateful , everyone please reach out to him hackerone975 @ gmail com ; he is top notch
I caught my husband so many times through his chats and all about cheating on me and when i told him he always claims that he has changed and all. right now he hides his phone from me and i still guess he is cheating cause i could not break into his phone any more so i was referred to a hacker named FRED who i ran to for help and this hacker was able to break into his phone and proved me with the access to my husband phone without my spouse knowing about the hack. Right in my phone I have all my husband's daily activities . I got to read all his chats, texts, calls, WhatsApp, Facebook, and many more. This hacker is really great, thank you. Did you find this review helpful? contact him via Gmail fredvalcyberghost@gmail.com and you can text,call him on +19782951763 and you can whatsapp him on +15177981808
I appreciate 'Remote spy h ac k er' for making me realise the truth to a certified hacker who knows a lot about what his doing. I strongly recommend you hire him because his the best out there and always delivers. I have referred over 10 people to him and all had positive results. He can help you hack into any devices, social networks including – Facebook, Hangout, iMessages, Twitter accounts, Snap chat , Instagram, Whatsapp, wechat, text messages ,smartphones cloning ,tracking emails and also any other social media messenger or sites. It’s advisable to hire a professional hacker. Thank me later. Contact via ( Remote spy h ac k er @ g M ail c o m )
DUNE NECTAR WEB EXPERT provided invaluable assistance during a difficult time. Their ethical hacking, private investigation, and cryptocurrency recovery expertise helped me obtain irrefutable evidence of infidelity. Their professional, discrete approach ensured legal compliance. Beyond infidelity, they offer solutions for cybercrime, data breaches, and cryptocurrency fraud. I highly recommend their reliable and ethical services. "' dunenectarwebexpert.com, support@dunenectarwebexpert.com, Telegram @DUNENECTARWEBEXPERT '"
The best way to avoid a psychological breakdown after experiencing or having to deal with infidelity is to make sure you are not just assuming your partner is cheating, as a policy , don’t say they are cheating until you have gathered proof of their act, confrontation without evidence is just unacceptable, I contacted this Genius hacker REMOTESPYWISE @ GM A IL C O M when I was in the eye of the storm with my Ex husband I saw all his mails, Skype, Instagram, messages, kik, Facebook and even pictures he exchanged with his lover, but it was easier at the end really, having proof helps a lot. you never going to regret working with him, talk to him via Email: REMOTESPYWISE @ GM AIL C O M
Hi guys, my name is Sarah Flower, I ended my marriage in 2024 due to suffering from domestic abuse at the hands of my husband. Currently, he is trying to reconcile with me after finding out that I won a Jackpot Lottery Prize of $96 million. Fortunately, I received assistance online from Lord Meduza, the great spell caster who has successfully aided many individuals worldwide in winning the lottery. I reached out to him about my circumstances and expressed my desire to win the lottery. After casting the spell, he provided me with the exact numbers to play. Now, my husband wants me back, fully aware of my $96 million lottery win, but I told him no; I will not return to him. I am incredibly grateful to Lord Meduza, and if you find yourself facing a tough situation, I recommend that you reach out to him as he's the best in his field. You can contact him by
Email: lordmeduzatemple@hotmail.com
WhatsApp: +1 807 907 2687.
Good luck to you all.
You can Hire a professional and special hacker with good reputations and integrity to hack any cell phone activities remotely for you as long as you have the target person cell phone numbers. This SpyTech Hacker can provide you a full and untraceable access to live call recording, ambient listening of background sound recording, Text messages, including the deleted text, WhatsApp chats, Facebook account conversations, photos, Email, tracks location, monitor browser activity and history and can clone any cell phone remotely for you without the target person knowledge. You can reach out to him for any of the above services for help. A professional and ethical hacker and always ready to help. Just tell him your problem he’ll help and provides a lasting solutions to it. Text him via email: secretprohackers @ GMAIL COM ) He will help you and you can also meet him if you’re in the state.
I love my wife so much and never felt in-secured for once but lately have been hearing some upsetting news about my wife cheating on me but for the trust have always had for her I could not confront her, so I had to go through a hacker called verifiedprohackers@gmail.com. I had her phone hacked with the help of this hacker and gained access into her phone remotely so I saw things for my self starting from her WhatsApp messages, deleted messages and also her call logs I saw it has been a particular name and number that has been texting and calling my wife, I feel betrayed because I trusted her so much but she ended up cheating on me with another man. All thanks to you verifiedprohackers @ gmail.
com
I am not the first to recommend him because his recommendations can be seen everywhere but I am doing this because I am very happy, I am very happy because I made the right choice and that right choice is me chosen to follow my instincts and go with the good reviews i saw about Fred hacker, believe, if it's not for that choice i made i would have still been in a very toxic relationship with my ex partner who was a serial cheat but all that is gone now thanks to Mr. Fred everyone deserves happiness that includes you so to get that happiness you deserve I reckon. contact the best in the game for spying and gaining access into phone remotely without having the device on your hands contact email ; fredvalcyberghost@gmail.com and you can text,call him on +15177981808 .
I caught my husband so many times through his chats and all about cheating on me and when i told him he always claims that he has changed and all. right now he hides his phone from me and i still guess he is cheating cause i could not break into his phone any more so i was referred to a hacker named FRED who i ran to for help and this hacker was able to break into his phone and proved me with the access to my husband phone without my spouse knowing about the hack. Right in my phone I have all my husband's daily activities . I got to read all his chats, texts, calls, WhatsApp, Facebook, and many more. This hacker is really great, thank you. Did you find this review helpful? contact him via Gmail fredvalcyberghost@gmail.com and you can text,call him on +15177981808
Consult this team to recover your stolen investment
There is a glimmer of hope in the form of FORENSIC INVESTMENT Recovery. Back in 2024, I threw all my hard-earned cash into investment. Fast forward to today, I had amassed $100,000. I thought my private password were safely tucked away offline, but turns out I fell for a sneaky phishing scam. Next thing I knew, my investment fortune had disappeared into the abyss of an anonymous account. Lesson learned: always keep your password and your scams closer. Distraught at having my nest egg wiped out, I turned to Forensichackerstech Recovery, a new service specializing in tracking stolen investment funds and assisting victims. Through advanced blockchain analysis, They was able to trace the path the stolen investment took as they got laundered through various accounts under the hacker's control. Eventually They located the hacker's main account and coordinated with law enforcement to seize the wallet and return the stolen investment to me. Thanks to this FIT, which deals on investment tracking and perseverance, I recovered my lost life savings. I am now a firm believer in using investment recovery services for protection against theft. My story highlights that even if you lose investment funds to hacking or scams, there are still options like this FIT Recovery, their Email Forensichackerstech@ gmail.com that may be able to recover your losses by following the digital trail on the blockchain. So reach out to them today through: Email: Forensichackerstech@gmail.com
Yes it is very possible that a good hacker can hack into a cellphone and grant you access to all the messages on the phone. I hired one and he delivered perfectly well. He helped me gain access to my ex's text messages, WhatsApp messages, Facebook and Instagram. He also helped me recover deleted messages. His name is Albert. IF YOU NEED HELP, CONTACT HIM ON HIS EMAIL:
Vadimwebhack@ GMAIL . C0M
He offers many other services like removing bad records, credit repair/ score boost and many other services I can't mention them all here.
Some comments may only be visible to logged-in visitors. Sign in to view all comments.