-
Notifications
You must be signed in to change notification settings - Fork 53
Developer BLE Services Characteristics
This page describes how PandwaRF organizes its features and can be accessed through BLE services and characteristics. Refer here for a tutorial on how Bluetooth low energy Services.
This is the most important service used by PandwaRF. It is a serial port emulated over BLE.
"BLE NUS is a proprietary BLE service, which has a service named "UART service" to mimic the older Bluetooth classic RFCOMM profile (UART over BT). NUS sets up one "RX" (characteristic with "write" properties) and one "TX" (characteristic with "notify" properties) data channel, to fit basic UART communication needs."
Refer here for more details.
| UUID | Value |
|---|---|
| Base | 0x9E, 0xCA, 0xDC, 0x24, 0x0E, 0xE5, 0xA9, 0xE0, 0x93, 0xF3, 0xA3, 0xB5, 0x00, 0x00, 0x40, 0x6E |
| NUS Service | 0x0001 - 6e400001-b5a3-f393-e0a9-e50e24dcca9e |
| NUS TX Characteristic | 0x0002 - 6e400002-b5a3-f393-e0a9-e50e24dcca9e |
| NUS RX Characteristic | 0x0003 - 6e400003-b5a3-f393-e0a9-e50e24dcca9e |
NUS Service is the bearer for all RF messages, to and from PandwaRF.
To see how a message is transmitted over NUS, refer to Sending RfCat messages over BLE link
Standard service, cf https://developer.bluetooth.org/TechnologyOverview/Pages/BAS.aspx
| UUID | Value |
|---|---|
| Base | 0x180F |
Standard service, cf https://developer.bluetooth.org/TechnologyOverview/Pages/DIS.aspx
| UUID | Value |
|---|---|
| Base | 0x180A |
| UUID | Value |
|---|---|
| Base | DEADxxxx-2DBB-4D90-91D7-BDC47B265643 |
| Base | 0x43, 0x56, 0x26, 0x7B, 0xC4, 0xBD, 0xD7, 0x91, 0x90, 0x4D, 0xBB, 0x2D, 0x00, 0x00, 0xAD, 0xDE |
| UUID | Value (xxxx) | Smartphone - Dongle | Size (bytes) | |
|---|---|---|---|---|
| BUS Service | 0x0001 | |||
| Button pushed Characteristic | 0x1524 | Indicate a button has been pushed | ⇐ | 1 |
| LED Characteristic | 0x1525 | Control the LED. byte 1: Led id(1,2,3), byte 2: led value (0,1) | ⇒ | 2 |
| Push Button Characteristic | 0x1526 | Equivalent to physically pushing a button | ⇒ | 1 |
| Config Characteristic | 0x1527 | Write a config value or launch a self test OR read status | ⇐⇒ | 4 |
| BLE Error Characteristic | 0x1529 | Read BLE errors from SPI memory | ⇐⇒ | - |
Used by Gollum Config Write characteristic
BLE Payload is:
| bytes | 0 | 1,2,3,4,5 |
|---|---|---|
| Command [0..10] | Payload for related command |
| Command | Code | Value | Description |
|---|---|---|---|
| CMD_CONFIG_SET_LOOPBACK_MODE | 0 | 00 or 01 | if set to 1, put dongle in loopback mode. BLE received data is sent back to smartphone |
| CMD_CONFIG_RESET_CC1111 | 1 | - | Force a CC1111 reset using RESETn pin |
| CMD_CONFIG_RUN_SELF_TEST | 2 | - | Force a self-test to be run (not implemented) |
| CMD_CONFIG_GET_LAST_SELF_TEST_RESULT | 3 | - | Read the last self-test verdict (not implemented: use a read on BUS Config Characteristic 0x1527) |
| CMD_CONFIG_SET_USB_COMMUNICATION | 4 | 00 or 01 | Set CC1111 USB communication using BT_CC_GPIO_ENABLE_USB pin |
| CMD_CONFIG_SET_TX_RETRY_MODE | 5 | 00 or 01 | Set to true to retry a BLE transmission when no TX buffer is available |
| CMD_CONFIG_SET_SPI_HW_REVISION | 6 | HW revision code (1 byte) | Set HW revision in SPI memory. Rev.D: 0x44, Rev.DE: 0x30, Rev.E: 0x45, Rev.F: 0x46 |
| CMD_CONFIG_SET_BATTERY_CAPACITY | 7 | Battery capacity (2 bytes) | Set Battery capacity in SPI memory |
| CMD_CONFIG_RESET_NORDIC | 8 | - | Force a nRF51 reset |
| CMD_CONFIG_SLEEP_NORDIC | 9 | - | Force nRF51 to enter sleep mode |
| CMD_CONFIG_SET_DELAY_POWER_OFF | 10 | Delay in mn (2 bytes) | Set delay in SPI memory before powering off Gollum |
| bytes | 5,4 | 3,2,1,0 |
|---|---|---|
| Auto Power Off Time value in mn | Power On Self Test bitmask result |
Used by Gollum Config Notify/Read characteristic
| Status | Code | Value | Description |
|---|---|---|---|
| POWER_ON_SELF_TEST_RESULT | 0 | result | XXX |
| CODE_ERROR | 1 | error_code | XXX |
Power On Self Test bitmask (bytes 3,2,1,0) signification
| bit number | Code | Description |
|---|---|---|
| 0 | GOLLUM_PO_ST_BSP_LED_BUTTONS_INIT_ERROR | Status of buttons and LED I/O init |
| 1 | GOLLUM_PO_ST_SPI_MASTER_INIT_ERROR | Status of SPI master driver initialization |
| 2 | GOLLUM_PO_ST_SPI_MEM_COMM_ERROR | Status of SPI memory communication |
| 3 | GOLLUM_PO_ST_UART_FIFO_INIT_ERROR | Status of UART module |
| 4 | GOLLUM_PO_ST_RFCAT_NOT_RUNNING_ERROR | Status of CC1111 RfCat running |
| 5 | GOLLUM_PO_ST_I2C_MASTER_INIT_ERROR | Status of I2C port and Battery Gas Gauge |
| 6 | GOLLUM_PO_ST_I2C_COMM_ERROR | Status of I2C nRF <--> LTC2941 communication |
| 7 | GOLLUM_PO_ST_SPI_MEM_R_W_ERROR | Status of SPI nRF <--> memory R/W |
| 8 | GOLLUM_PO_ST_DIS_TIMEOUT | Status of CC1111 Device Information procedure |
| 24 | GOLLUM_PO_ST_STATUS_USB_POWERED | If set to 1, USB power is detected |
| 25 | GOLLUM_PO_ST_STATUS_BLE_WHITELIST_BYPASS_MODE | If 1, whitelist bypass mode is active |
| 26 | GOLLUM_PO_ST_STATUS_BLE_WHITELIST_MODE | If 1, Whitelist mode is active. If 0: Whitelist mode is inactive |
| 27 | GOLLUM_PO_ST_STATUS_FW_LOCKED_TO_MAC_ADDRESS | If 1, FW is locked to a MAC address |
| 28 | GOLLUM_PO_ST_STATUS_NRF_BOOTLOADER_DETECTED | If 1, nRF bootloader has been detected, 0 if no bootloader present |
| 29 | GOLLUM_PO_ST_STATUS_LOOPBACK_MODE | If set to 1, dongle is in loopback mode. BLE received data is sent back to smartphone |
| 30 | GOLLUM_PO_ST_STATUS_USB_ALLOWED | If set to 1, USB is allowed for CC1111 using BT_CC_GPIO_ENABLE_USB pin |
| 31 | GOLLUM_PO_ST_STATUS_TX_RETRY_MODE | If set to 1, TX retry mode is enabled |
| Command | Code | Description |
|---|---|---|
| BUS_SERVICE_BLE_ERROR_CHAR_RESET_ERROR_TABLE | 0 | Erase the error table |
| BUS_SERVICE_BLE_ERROR_CHAR_RESET_READ_INDEX | 1 | Reset the read counter |
| BUS_SERVICE_BLE_ERROR_CHAR_PREPARE_NEXT_READ | 2 | Increment the read counter & update the characteristic with data for next BLE error read |
Read the characteristic with data prepared at previous write. We use a GATTS Read Request without Authorization, so data to read is updated when a BLE Error Write is made.
Nordic specific, cf https://developer.nordicsemi.com/nRF51_SDK/nRF51_SDK_v7.x.x/doc/7.0.1/s110/html/a00071.html#ota_spec_sec
| UUID | Value |
|---|---|
| Base | 0x9E, 0xCA, 0xDC, 0x24, 0x0E, 0xE5, 0xA9, 0xE0, 0x93, 0xF3, 0xA3, 0xB5, 0x00, 0x00, 0x40, 0x6E |
| NUS Service | 0x0001 |
| Description | Number Base |
|---|---|
| Company Identifier: | 0x0059 |
| UUID Base: | 0x23, 0xD1, 0xBC, 0xEA, 0x5F, 0x78, 0x23, 0x15, 0xDE, 0xEF, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00 |
| Service UUID start: | 0x1530 |
| Characteristic UUID start: | 0x1531 |
Questions or need help? Get in touch or open an Issue!
Project Information
- PandwaRF Home
- General Overview
- Technical Overview
- Possible Applications
- Development Status
- Requirements
PandwaRF Android Application (Normal Mode)
- Quick Start
- Navigation
- Navigation on Tablet
- Android Permissions
- Activity states
- Kaiju account connection
- Kaiju delete account
- Scan
- Bus Service
- Rx/Tx
- Kaiju Analysis
- Rolling code analysis & generation
- Rx Data Rate Measurement
- Spectrum Analyzer
- RF Power Amplifiers
- RF Brute Force
- RF Brute Force Tutorial
- RF Brute Force Session Import Tutorial
- RF Brute Force De Bruijn
- Protocols
- Jamming
- JavaScript
- FW Update
- Dev Mode
- USB Connection
- Pairing/Bonding
- Keeloq Secure Decrypt
- Get PandwaRF Gov App
PandwaRF Android Application (Dev Mode)
- BLE Perf measurement
- CC1111 RF registers direct access
- BLE Errors
- Bus Service Extended
- BLE Parameters
Marauder Android Application
iOS Application
Linux
Hardware
- Architecture
- Power Management
- Buttons
- LEDs Indication States
- Schematics
- Programming
- Battery
- Antennas
- PandwaRF Bare Settings
- FW releases Nordic
- FW releases CC1111
For developers
- Scripting with JavaScript
- JavaScript Functions Mapping
- Scripting with Python
- BLE Services & Characteristics
- CC1111 RfCat Commands
- PandwaRF Android SDK
- PandwaRF Android API
- RX Data Post Rest API
- Software and available applications
Support
- User Guides
- FAQ
- Tested Devices
- Known Issues
- BLE connection issues
- How to clear secure pairing
- How to report an issue
- PandwaRF test procedure
- Recovery mode
- PandwaRF Device Bounty
- Product return information
- Discord Server
- Forum (legacy)
- Chat (legacy)
- Privacy Policy
- Terms & Conditions
Gimme moar!