Wednesday, February 13, 2019

Experimenting with HM10 Bluetooth 4.0 CC2541 Devices: Reprogramming HM10 firmware on fake devices

These things are what I am talking about.
First off... It seems to be hard to find a comprehensive list of AT commands for this device. Some online seem to work, and some don't. Here is what is displayed when I command AT+HELP

* Command             Description             *
* ---------------------------------------------------------------- *
* AT                  Check if the command terminal work normally  *
* AT+RESET            Software reboot *
* AT+VERSION          Get firmware, bluetooth, HCI and LMP version *
* AT+HELP             List all the commands             *
* AT+NAME             Get/Set local device name                    *
* AT+PIN              Get/Set pin code for pairing                  *
* AT+BAUD             Get/Set baud rate                     *
* AT+LADDR            Get local bluetooth address   *
* AT+ADDR             Get local bluetooth address     *
* AT+DEFAULT          Restore factory default   *
* AT+RENEW            Restore factory default     *
* AT+STATE            Get current state     *
* AT+PWRM             Get/Set power on mode(low power)     *
* AT+POWE             Get/Set RF transmit power     *
* AT+SLEEP            Sleep mode                     *
* AT+ROLE             Get/Set current role.                     *
* AT+PARI             Get/Set UART parity bit.                      *
* AT+STOP             Get/Set UART stop bit.                        *
* AT+INQ              Search slave model                            *
* AT+SHOW             Show the searched slave model.                *
* AT+CONN             Connect the index slave model.                *
* AT+IMME             System wait for command when power on.     *
* AT+START            System start working.     *
* AT+UUID             Get/Set system SERVER_UUID .                *
* AT+CHAR             Get/Set system CHAR_UUID .                *
* ----------------------------------------------------------------- *
* Note: (M) = The command support master mode only.             *
* Copyright@2013   All rights reserved.     *

Wait, can you copyright a help readout? Does that make any sense at all?

Anyways, we see that my devices come with Firmware V4.2.0.
Also, for some reason it is talking at 74880 baud, so we are going to change it to something more common. However, an AT+BAUD query yields the value 45... Resetting yielded errors. However, spamming the reset and factory default commands seemed to knock it back to 9600. Supposedly:

"Should return: OK+Set:[para1]
Details: Scope of para1: 0 ~ 8. The parameters corresponding to: 0 represents 9600, 1, 2, 9600, 38400, on behalf of the representative representative of 57600, 115200, 5, 4800, 6, 7 represents 1200, 1200 2400. The default baud rate is 9600.
Note: If you switch to the 1200, module will no longer support the configurations of the AT command, and press the PIO0 under standby, module can restore the factory Settings. Do not recommend using the baud rate. After setting the baud rate, modules should be on electricity, anew set parameters can take effect."

This does not explain the numbering on my device. Mine returns: "+BAUD=4" now at 9600.

Both of my devices have +ADDR=00:15:85:14:9C:09 with +NAME=BT05. But aren't addresses supposed to be unique? Additionally there does not seem to be a way to spoof addresses.
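As an added example (not code from this post), here is a small Python helper that does what the post did by hand: it probes candidate baud rates, including the odd 74880, until a bare AT is answered with OK, parses replies in both the clone's "+BAUD=4" style and the genuine firmware's "OK+Get:4" style, and flags an address that more than one module reports. The FakeSerial class and its reply strings are constructed for offline use; a real port adapter only needs a query(cmd) method returning the module's reply.

```python
import re
from collections import Counter

# Baud rates worth trying, including the 74880 these clones shipped talking at.
CANDIDATE_BAUDS = (9600, 74880, 115200, 57600, 38400, 19200, 4800, 2400, 1200)

# Two reply dialects seen on the page: the clone firmware answers "+BAUD=4" /
# "+ADDR=00:15:85:14:9C:09", while the HM10 docs describe "OK+Set:4" / "OK+Get:4".
_REPLY = re.compile(r"^(?:OK\+(?:Get|Set):|\+[A-Z]+=)(?P<val>.+)$")

def parse_reply(reply):
    """Return the value carried by an AT reply in either dialect; None for OK/ERROR/noise."""
    m = _REPLY.match(reply.strip())
    return m.group("val") if m else None

class FakeSerial:
    """Constructed stand-in for a serial port: the module only answers at its real baud."""
    def __init__(self, baud, real_baud, replies):
        self.baud, self.real_baud, self.replies = baud, real_baud, replies
    def query(self, cmd):
        if self.baud != self.real_baud:
            return ""  # wrong baud gives silence or line noise; modelled as an empty reply
        return self.replies.get(cmd, "ERROR")

def find_baud(open_port, candidates=CANDIDATE_BAUDS):
    """Try each baud until a bare AT gets OK back; return (baud, port) or (None, None)."""
    for baud in candidates:
        port = open_port(baud)  # open_port(baud) -> object with query(cmd)
        if port.query("AT").strip().startswith("OK"):
            return baud, port
    return None, None

def fingerprint(port):
    """Collect the identity fields the post compares across modules."""
    return {cmd: parse_reply(port.query("AT+" + cmd))
            for cmd in ("VERSION", "ADDR", "NAME", "BAUD")}

def duplicate_addresses(fingerprints):
    """Addresses reported by more than one module: the tell-tale of cloned firmware."""
    counts = Counter(fp["ADDR"] for fp in fingerprints)
    return sorted(addr for addr, n in counts.items() if n > 1)
```

Two modules answering the same +ADDR is exactly the situation described above; after reflashing genuine firmware, duplicate_addresses should come back empty.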

After some more digging, it seems that these were programmed with some shoddy HM10 firmware from that cyobd company from above (they manufacture OBD port tools for car diagnostics, by the looks of it).

I followed this video!

I reprogrammed the firmware without any level shifters or resistors, and it behaved nominally.
I now have different addresses!

This now abides by the AT command standards that are listed for standard HM10 firmware setup.
If you manage to intercept my packets / man-in-the-middle attack me, then congrats! You are far too close for comfort.
