DaveBsns / SimulatorRaspberry


Reverse engineer Rizer elite #2

Closed PSenfft closed 3 months ago

PSenfft commented 6 months ago

Sniff GATT Packages between smartphone app and rizer elite

unitylab-dev commented 6 months ago

BT Notes: Filtering BT devices by advertising number in Wireshark (Rizer Elite):
btle.advertising_address == fc:12:65:28:cb:44

unitylab-dev commented 6 months ago

First try to sniff the connection between smartphone and Rizer Elite. SCAN_REQ and SCAN_RSP are probably the interesting stuff.

Frame 192773: 38 bytes on wire (304 bits), 38 bytes captured (304 bits) on interface COM4-4.2, id 0
    Section number: 1
    Interface id: 0 (COM4-4.2)
    Encapsulation type: nRF Sniffer for Bluetooth LE (186)
    Arrival Time: Mar 21, 2024 17:17:08.108476000 Mitteleuropäische Zeit
    UTC Arrival Time: Mar 21, 2024 16:17:08.108476000 UTC
    Epoch Arrival Time: 1711037828.108476000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.000503000 seconds]
    [Time delta from previous displayed frame: 0.000503000 seconds]
    [Time since reference or first frame: 649.014506000 seconds]
    Frame Number: 192773
    Frame Length: 38 bytes (304 bits)
    Capture Length: 38 bytes (304 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: nordic_ble:btle]
nRF Sniffer for Bluetooth LE
    Board: 4
    Header Version: 3, Packet counter: 19048
    Length of payload: 31
    Protocol version: 3
    Packet counter: 19048
    Packet ID: 2
    Length of packet: 10
    Flags: 0x01
        .... ...1 = CRC: Ok
        .... ..0. = Reserved: 0
        .... .0.. = Reserved: 0
        .... 0... = Address Resolved: No
        .000 .... = PHY: LE 1M (0)
        0... .... = Reserved: 0
    Channel Index: 38
    RSSI: -38 dBm
    Event counter: 0
    Timestamp: 1187318866µs
    [Packet time (start to end): 176µs]
    [Delta time (end to start): 151µs]
    [Delta time (start to start): 503µs]
Bluetooth Low Energy Link Layer
    Access Address: 0x8e89bed6
    Packet Header: 0x0cc3 (PDU Type: SCAN_REQ, TxAdd: Random, RxAdd: Random)
    Scanning Address: 54:3f:83:63:47:a6 (54:3f:83:63:47:a6)
    Advertising Address: fc:12:65:28:cb:44 (fc:12:65:28:cb:44)
    CRC: 0x531a21

Frame 192774: 32 bytes on wire (256 bits), 32 bytes captured (256 bits) on interface COM4-4.2, id 0
    Section number: 1
    Interface id: 0 (COM4-4.2)
    Interface name: COM4-4.2
    Interface description: nRF Sniffer for Bluetooth LE COM4
    Encapsulation type: nRF Sniffer for Bluetooth LE (186)
    Arrival Time: Mar 21, 2024 17:17:08.108802000 Mitteleuropäische Zeit
    UTC Arrival Time: Mar 21, 2024 16:17:08.108802000 UTC
    Epoch Arrival Time: 1711037828.108802000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.000326000 seconds]
    [Time delta from previous displayed frame: 0.000326000 seconds]
    [Time since reference or first frame: 649.014832000 seconds]
    Frame Number: 192774
    Frame Length: 32 bytes (256 bits)
    Capture Length: 32 bytes (256 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: nordic_ble:btle]
nRF Sniffer for Bluetooth LE
    Board: 4
    Header Version: 3, Packet counter: 19049
    Length of payload: 25
    Protocol version: 3
    Packet counter: 19049
    Packet ID: 2
    Length of packet: 10
    Flags: 0x01
        .... ...1 = CRC: Ok
        .... ..0. = Reserved: 0
        .... .0.. = Reserved: 0
        .... 0... = Address Resolved: No
        .000 .... = PHY: LE 1M (0)
        0... .... = Reserved: 0
    Channel Index: 38
    RSSI: -74 dBm
    Event counter: 0
    Timestamp: 1187319192µs
    [Packet time (start to end): 128µs]
    [Delta time (end to start): 150µs]
    [Delta time (start to start): 326µs]
Bluetooth Low Energy Link Layer
    Access Address: 0x8e89bed6
    Packet Header: 0x0644 (PDU Type: SCAN_RSP, TxAdd: Random)
    Advertising Address: fc:12:65:28:cb:44 (fc:12:65:28:cb:44)
    Scan Response Data:
    CRC: 0xd0befa
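As an added example (not code from the SimulatorRaspberry repository or from anyone in this thread), here is a small Python decoder for the advertising-channel link-layer PDUs shown in the two frames above. It splits the 2-byte packet header into PDU type, TxAdd/RxAdd and payload length, and extracts the scanning and advertising addresses in the byte order Wireshark displays. The raw PDU bytes are constructed to reproduce the captured values (header 0x0cc3 / 0x0644, the phone and Rizer addresses); the `from_advertiser` helper mirrors the `btle.advertising_address` display filter from the earlier note. Preamble, access address and CRC are not part of the input.

```python
"""Decoder for BLE advertising-channel PDUs (SCAN_REQ / SCAN_RSP and friends).
Added example; the sample PDU bytes are constructed to match frames 192773/192774."""
import struct

# Advertising-channel PDU types: the 4-bit field in the first header byte
PDU_TYPES = {
    0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
    0x3: "SCAN_REQ", 0x4: "SCAN_RSP", 0x5: "CONNECT_IND", 0x6: "ADV_SCAN_IND",
}
# Types whose payload starts with the advertiser's own address (AdvA) followed by data
ADVA_FIRST = {"ADV_IND", "ADV_NONCONN_IND", "ADV_SCAN_IND", "SCAN_RSP"}


def mac_str(raw: bytes) -> str:
    """Addresses go over the air least-significant byte first; Wireshark prints MSB first."""
    return ":".join(f"{b:02x}" for b in reversed(raw))


def mac_bytes(text: str) -> bytes:
    """Inverse of mac_str: 'fc:12:65:28:cb:44' -> on-air byte order."""
    return bytes(reversed(bytes.fromhex(text.replace(":", ""))))


def decode_adv_pdu(pdu: bytes) -> dict:
    """Decode header + payload of one advertising-channel PDU (no preamble/AA/CRC)."""
    if len(pdu) < 2:
        raise ValueError("PDU shorter than its 2-byte header")
    hdr0, length = pdu[0], pdu[1]
    payload = pdu[2:2 + length]
    if len(payload) != length:
        raise ValueError(f"header announces {length} payload bytes, got {len(payload)}")
    pdu_type = PDU_TYPES.get(hdr0 & 0x0F, f"RESERVED_{hdr0 & 0x0F}")
    out = {
        # Wireshark shows the header as one little-endian 16-bit value, e.g. 0x0cc3
        "header": f"0x{struct.unpack('<H', pdu[:2])[0]:04x}",
        "pdu_type": pdu_type,
        "tx_add": "Random" if hdr0 & 0x40 else "Public",
        # RxAdd is only defined for SCAN_REQ, CONNECT_IND and ADV_DIRECT_IND
        "rx_add": "Random" if hdr0 & 0x80 else "Public",
        "length": length,
    }
    if pdu_type == "SCAN_REQ":
        if length != 12:
            raise ValueError("SCAN_REQ must carry exactly ScanA + AdvA (12 bytes)")
        out["scanning_address"] = mac_str(payload[:6])
        out["advertising_address"] = mac_str(payload[6:12])
    elif pdu_type in ADVA_FIRST:
        if length < 6:
            raise ValueError(f"{pdu_type} payload too short for AdvA")
        out["advertising_address"] = mac_str(payload[:6])
        out["data"] = payload[6:].hex()  # empty for the captured SCAN_RSP
    return out


def from_advertiser(decoded: dict, mac: str) -> bool:
    """Python equivalent of the Wireshark filter btle.advertising_address == <mac>."""
    return decoded.get("advertising_address", "").lower() == mac.lower()


# Constructed PDUs reproducing frames 192773 and 192774 (headers 0x0cc3 and 0x0644)
RIZER_MAC = "fc:12:65:28:cb:44"
PHONE_MAC = "54:3f:83:63:47:a6"
SCAN_REQ_PDU = bytes([0xC3, 0x0C]) + mac_bytes(PHONE_MAC) + mac_bytes(RIZER_MAC)
SCAN_RSP_PDU = bytes([0x44, 0x06]) + mac_bytes(RIZER_MAC)

if __name__ == "__main__":
    for pdu in (SCAN_REQ_PDU, SCAN_RSP_PDU):
        decoded = decode_adv_pdu(pdu)
        print(decoded, "<- Rizer Elite" if from_advertiser(decoded, RIZER_MAC) else "")
```

The length byte in the header is what tells you that the captured SCAN_RSP carries no scan response data at all (6 bytes, AdvA only), which is why Wireshark's "Scan Response Data:" line is empty.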

unitylab-dev commented 6 months ago

Maybe useful links:
https://devzone.nordicsemi.com/nordic/nordic-blog/b/blog/posts/one-minute-to-understand-ble-connection-data-packa
https://www.bluetooth.com/blog/bluetooth-low-energy-it-starts-with-advertising/

unitylab-dev commented 6 months ago

https://devzone.nordicsemi.com/guides/short-range-guides/b/bluetooth-low-energy/posts/ble-characteristics-a-beginners-tutorial

PSenfft commented 5 months ago

BT debugging log from an Android smartphone when I change the value of the Rizer with the app.

btsnoop_hci.log

PSenfft commented 5 months ago

Here is the BT debugging log again. Connection between my Android phone (Google Pixel 7) and the Elite Rizer. I changed the value from the maximum (20% gradient) to the minimum. After that, I connected with the Headwind device and changed the speed manually (with the buttons on the device) from the lowest to the highest value.

btsnoop_hci.log

pooja0973 commented 5 months ago

I was able to replicate till here, but I am facing an issue while connecting an iOS phone.

PSenfft commented 5 months ago

I think we don't need the nRF sniffer. I got better results with the log files from my phone. When you use the filter btatt.opcode == 0x12 in Wireshark and open my last log files, you can see we have packages 472-482 with different handle codes. I think that's a handshake or something like that.

And after that, we have just two different packages. The first one to increase the gradient and the second package type to decrease the gradient. Just like in the app with + and -.

This hex stream should be the value for up: 060102
and this for down: 060402
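As an added example (not code from the SimulatorRaspberry repository or from anyone in this thread), here is a minimal Python extractor that walks H4-framed HCI ACL packets, the framing Android's btsnoop_hci.log normally uses, down through L2CAP to the ATT layer and keeps only Write Requests, i.e. what the Wireshark filter btatt.opcode == 0x12 selects. It then labels the value field using the two hex streams from the comment above. The packets are constructed inline; the ATT handle 0x0010 and the ACL connection handle 0x0040 are assumptions, only the values 060102 and 060402 come from the thread. btsnoop's own per-record headers and reassembly of L2CAP frames split across several ACL packets are left out.

```python
"""Extract ATT Write Requests (opcode 0x12) from H4-framed HCI ACL packets and label
the gradient commands found in the thread. Added example with constructed packets."""
import struct
from dataclasses import dataclass

H4_ACL_DATA = 0x02          # H4 packet type indicator for HCI ACL data
L2CAP_CID_ATT = 0x0004      # fixed L2CAP channel for ATT over LE
ATT_WRITE_REQUEST = 0x12    # the opcode behind Wireshark's filter btatt.opcode == 0x12

# Value fields identified in the thread (assumption: nothing else in the value changes)
KNOWN_VALUES = {
    bytes.fromhex("060102"): "gradient up",
    bytes.fromhex("060402"): "gradient down",
}


@dataclass
class WriteRequest:
    acl_handle: int   # HCI connection handle (which link the write went over)
    att_handle: int   # attribute handle written (which characteristic)
    value: bytes
    label: str


def parse_h4_acl(packet: bytes):
    """Return (acl_handle, l2cap_cid, l2cap_payload), or None if this is not a complete
    single-fragment ACL/L2CAP frame (events, commands and continuation fragments are skipped)."""
    if len(packet) < 1 + 4 + 4 or packet[0] != H4_ACL_DATA:
        return None
    hdl_flags, acl_len = struct.unpack_from("<HH", packet, 1)
    acl_handle = hdl_flags & 0x0FFF
    pb_flag = (hdl_flags >> 12) & 0x3          # 0b01 = continuation fragment, no L2CAP header
    body = packet[5:5 + acl_len]
    if len(body) != acl_len or pb_flag == 0x1:
        return None
    l2_len, cid = struct.unpack_from("<HH", body, 0)
    payload = body[4:4 + l2_len]
    if len(payload) != l2_len:
        return None                            # fragmented across ACL packets; out of scope here
    return acl_handle, cid, payload


def extract_write_requests(packets):
    """Filter a sequence of H4 packets down to ATT Write Requests with a decoded handle/value."""
    found = []
    for pkt in packets:
        parsed = parse_h4_acl(pkt)
        if parsed is None:
            continue
        acl_handle, cid, att = parsed
        # Write Request = opcode(1) + handle(2, little-endian) + value(n)
        if cid != L2CAP_CID_ATT or len(att) < 3 or att[0] != ATT_WRITE_REQUEST:
            continue
        att_handle = struct.unpack_from("<H", att, 1)[0]
        value = att[3:]
        found.append(WriteRequest(acl_handle, att_handle, value, KNOWN_VALUES.get(value, "unknown")))
    return found


def build_h4_att(opcode: int, handle, value: bytes, acl_handle: int = 0x0040) -> bytes:
    """Build a constructed H4 ACL packet carrying one ATT PDU (handle=None for PDUs without one)."""
    att = bytes([opcode]) + (struct.pack("<H", handle) if handle is not None else b"") + value
    l2cap = struct.pack("<HH", len(att), L2CAP_CID_ATT) + att
    return bytes([H4_ACL_DATA]) + struct.pack("<HH", acl_handle & 0x0FFF, len(l2cap)) + l2cap


# Constructed sample log: an HCI event, a Write Request (up), its Write Response,
# a notification on another handle, and a Write Request (down). Handles are assumptions.
SAMPLE_PACKETS = [
    bytes([0x04, 0x13, 0x05, 0x01, 0x40, 0x00, 0x01, 0x00]),   # HCI Number of Completed Packets event
    build_h4_att(ATT_WRITE_REQUEST, 0x0010, bytes.fromhex("060102")),
    build_h4_att(0x13, None, b""),                               # ATT Write Response
    build_h4_att(0x1B, 0x0012, bytes.fromhex("0a00")),           # ATT Handle Value Notification
    build_h4_att(ATT_WRITE_REQUEST, 0x0010, bytes.fromhex("060402")),
]

if __name__ == "__main__":
    for wr in extract_write_requests(SAMPLE_PACKETS):
        print(f"acl 0x{wr.acl_handle:04x} handle 0x{wr.att_handle:04x} value {wr.value.hex()} -> {wr.label}")
```

To run this against a real capture, feed it the per-record packet bytes from btsnoop_hci.log (strip the file and record headers first); every Write Request landing on the same attribute handle with one of the two known values is the + / - button press, and anything on that handle with a value outside KNOWN_VALUES is worth a closer look in Wireshark.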

unitylab-dev commented 5 months ago

To activate the Python venv: source ./.env/Scripts/activate

marc-hessenauer commented 4 months ago

Nicely done!! Is this issue still in progress?

PSenfft commented 4 months ago

> Nicely done!! Is this issue still in progress?

Yeah. The last task is still in progress.

marc-hessenauer commented 4 months ago

Alright! Narrowed down the issue to just one assignee, as this reflects the current state of work distribution.