Sniffing – How to sniff Bluetooth traffic to an Android app?

Please bear with me through this introduction to the problem. Unfortunately, the title may be confusing, but it's hard to find the right one – let me show you why.

I'm trying to decode the WM-Bus frame (smart meters). Here is what the situation looks like:

  1. I have:
    • a water meter
    • a device to read this meter (wm-bus <-> Bluetooth)
    • an Android application that connects to this device via Bluetooth
    • on the PC, software that decodes the received data (the frame is encrypted; the key is known to me).

In addition, I disassembled the Android APK (the source was not obfuscated, passwords in plain text, etc.), modified the source code to save the received frame (I hope correctly; dalvik/smali), then used adb logcat to get this data.

  2. I have a wm-bus USB dongle connected to my PC. Through the virtual serial port, I receive the same data (at least, in my opinion) that is transmitted to the device mentioned in point 1.

Here is the frame from the USB dongle:

FF 64 44 01 06 81 32 20 00 05 07 7 CD 00 60 85 C1 03 5C D8 C9 86 9A 7D 55 49 DC 3A 4B 48 AC A4 BD 95 FE 4F BA 79 EE 01 55 D7 BC A8 9D B8 E1 33 33 56 58 75 BB 8B 2E FF 1E 4A F8 41 FB 82 FF 4B 46 C9 68 5A 56 37 5D BE 4B 05 6E BE 44 16 E2 59 D6 16 A7 73 C9 E1 7E FC CA 6B 3F 15 BF 3A 21 B5 28 6B 62 73 8C FD 96 FD 35 40 F5 71 23 91 B1 B6 A1

And here is the frame from the device:

C0 02 7B D0 6C 44 01 06 81 32 20 00 05 07 47 5A 7A CD 00 00 80 0E 15 02 AB 92 08 00 08 43 36 05 F4 F1 83 00 11 51 15 02 4B 01 40 1A 26 10 A1 00 00 00 CB CB 7B 1C A1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A2 00 00 00 00 36 A5 00 00 A0 CF BC 11 02 FF FF FF FF FF FF 2D CA FF 79 F4 B5 C2

Some fragments are the same, for example:

44 01 06

20 00 05 07

7A CD 00

So … I get two different captures of exactly the same transmission (of which I am sure). I think the problem could be:

  • the device adds something to the frame
  • I am not reading raw data (despite the fact that the variable I'm reading is called raw frame)

Playing with the device itself (soldering wires and intercepting raw data from the chip) is out of the question (it's fairly expensive hardware, though nothing extraordinary on board).

I was thinking of intercepting the raw data that arrives on my Android phone – and that is the question – can I do this fairly simply? I tried capturing this Bluetooth data, but there is a lot of traffic. It would be nice to have something like Wireshark to look at just the data of interest.

Whatever it is – I am open to other suggestions, thoughts …
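The byte-by-byte comparison of the two captures that the question does by hand, as an added example (not part of the original post): it aligns the dongle and device dumps, reports every shared run of bytes with its offset in each capture, and isolates the bytes each side carries before the shared WM-Bus header. The sample input is the first 24 bytes of each dump quoted above; the lone "7" in the dongle dump is kept exactly as posted.

```python
import re

# Constructed sample input: the first 24 bytes of each dump quoted in the
# question. The lone "7" in the dongle dump is reproduced exactly as posted
# (probably a truncated byte) rather than guessed at.
DONGLE = "FF 64 44 01 06 81 32 20 00 05 07 7 CD 00 60 85 C1 03 5C D8 C9 86 9A 7D"
DEVICE = "C0 02 7B D0 6C 44 01 06 81 32 20 00 05 07 47 5A 7A CD 00 00 80 0E 15 02"

def tokens(dump):
    """Split a hex dump into byte tokens. A token that is not exactly two hex
    digits becomes None so offsets stay aligned but it can never match."""
    return [t.upper() if re.fullmatch(r"[0-9A-Fa-f]{2}", t) else None
            for t in dump.split()]

def common_runs(a, b, min_len=3):
    """Every maximal run of identical bytes shared by a and b, as
    (offset_in_a, offset_in_b, bytes), longest first. Classic O(n*m)
    longest-common-substring table; min_len filters chance 1-2 byte hits
    such as the many 00 bytes in the device frame."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            if a[i - 1] is not None and a[i - 1] == b[j - 1]:
                dp[i][j] = dp[i - 1][j - 1] + 1
    runs = []
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            length = dp[i][j]
            # maximal = the diagonal does not continue past (i, j)
            if length >= min_len and (i == n or j == m or dp[i + 1][j + 1] == 0):
                runs.append((i - length, j - length, a[i - length:i]))
    runs.sort(key=lambda r: -len(r[2]))
    return runs

def framing_prefixes(a, b, min_len=3):
    """Bytes each dump carries before the longest shared run. These are the
    first candidates for per-transport framing (serial protocol on the dongle
    side, Bluetooth wrapper on the device side) rather than WM-Bus payload."""
    runs = common_runs(a, b, min_len)
    if not runs:
        return None
    off_a, off_b, _ = runs[0]
    return a[:off_a], b[:off_b]

if __name__ == "__main__":
    a, b = tokens(DONGLE), tokens(DEVICE)
    for off_a, off_b, run in common_runs(a, b):
        print(f"dongle@{off_a:3d} device@{off_b:3d}: {' '.join(run)}")
    print("prefixes:", framing_prefixes(a, b))
```

On this input the only run of three or more bytes is the nine-byte header 44 01 06 81 32 20 00 05 07 at offset 2 in the dongle capture and offset 5 in the device capture, so FF 64 and C0 02 7B D0 6C are the first bytes to examine as transport framing; lowering min_len to 2 also surfaces the CD 00 pair the question lists.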