Reverse Engineering iBeacon and Eddystone Bluetooth GATT Services

For some of our beacons, such as the Axaet and Sensoro product ranges, the manufacturers haven’t documented their Bluetooth service characteristics. This means that while they are fine for scanning/proximity type applications, you can’t write your own app to, for example, programmatically change the UUID, major and minor; you must rely on the manufacturer’s configuration app or, in the case of the Sensoro beacon, their SDK. While this is of no consequence for the majority of uses, more ambitious scenarios might need direct access to the Bluetooth GATT services.

Uri Shaked has written a great article on Medium on how to Reverse Engineer a Bluetooth Lightbulb. His method uses the developer logging in Android 4.4 and later to allow inspection of the Bluetooth packets and hence the Bluetooth Services and Characteristics that are being used. This method can equally be used with iBeacon and Eddystone beacons to reverse engineer the Bluetooth GATT information.
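As an added example (not code from the original article or from Uri Shaked’s post), the Python below pulls the ATT read and write PDUs out of the btsnoop_hci.log file that the Android developer option produces, so you can list which attribute handles the manufacturer’s configuration app touches and with what values. The sample log, the connection handle, attribute handle 0x0025 and the value written are all constructed for illustration.

```python
"""Pull the ATT reads and writes out of an Android btsnoop_hci.log (H4 framing)."""
import struct

ATT_CID = 0x0004                         # L2CAP channel that carries GATT/ATT traffic
HANDLE_PDUS = {0x0A, 0x12, 0x52, 0x1B}   # PDUs whose first field is an attribute handle
ATT_OPCODES = {0x0A: "Read Request", 0x0B: "Read Response", 0x12: "Write Request",
               0x13: "Write Response", 0x52: "Write Command", 0x1B: "Notification"}


def att_ops_from_btsnoop(blob: bytes) -> list:
    """Return (direction, opcode name, handle, value) for every ATT PDU in the log."""
    if blob[:8] != b"btsnoop\x00":
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack(">II", blob[8:16])
    if datalink != 1002:                 # 1002 = HCI UART (H4), the framing Android writes
        raise ValueError("unsupported datalink %d" % datalink)
    ops, pos = [], 16
    while pos + 24 <= len(blob):
        # record header: orig len, incl len, flags, drops (u32 BE) and a 64-bit timestamp
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[pos:pos + 24])
        pkt = blob[pos + 24:pos + 24 + incl]
        pos += 24 + incl
        if len(pkt) < 9 or pkt[0] != 0x02:   # H4 type 0x02 = ACL data; ATT rides on ACL
            continue
        l2_len, cid = struct.unpack("<HH", pkt[5:9])   # skip ACL header, read L2CAP header
        if cid != ATT_CID:
            continue
        att = pkt[9:9 + l2_len]
        opcode = att[0]
        handle = struct.unpack("<H", att[1:3])[0] if opcode in HANDLE_PDUS else None
        value = att[3:] if opcode in HANDLE_PDUS else att[1:]
        direction = "beacon->host" if flags & 1 else "host->beacon"   # flags bit 0: 1 = received
        ops.append((direction, ATT_OPCODES.get(opcode, "opcode 0x%02x" % opcode), handle, value))
    return ops


def _h4_acl(att_pdu: bytes) -> bytes:
    """Frame an ATT PDU as an H4 ACL packet on connection handle 0x040 (test data only)."""
    l2cap = struct.pack("<HH", len(att_pdu), ATT_CID) + att_pdu
    return b"\x02" + struct.pack("<HH", 0x2040, len(l2cap)) + l2cap

def _record(pkt: bytes, received: bool) -> bytes:
    return struct.pack(">IIIIq", len(pkt), len(pkt), int(received), 0, 0) + pkt

# Constructed log (handle and value made up): the phone writes 0x0001 to handle 0x0025, reads it back.
SAMPLE_LOG = (b"btsnoop\x00" + struct.pack(">II", 1, 1002)
              + _record(_h4_acl(b"\x12\x25\x00\x00\x01"), False)   # Write Request
              + _record(_h4_acl(b"\x13"), True)                     # Write Response
              + _record(_h4_acl(b"\x0a\x25\x00"), False)            # Read Request
              + _record(_h4_acl(b"\x0b\x00\x01"), True))            # Read Response
```

Run `att_ops_from_btsnoop(open("btsnoop_hci.log", "rb").read())` on a real capture taken while the manufacturer app changes a setting; the handles that appear in Write Requests are the characteristics you then map to their UUIDs using the discovery responses in the same log.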

Should I Use the Manufacturer iBeacon SDKs?

Some manufacturers offer SDKs to allow programmatic access to their beacons from iOS and Android. Most SDKs tend to be poorly implemented and documented, tie your code to that particular beacon and rarely get updated to use newer platform APIs. Instead, when you can, we recommend you use the iOS and Android Bluetooth APIs directly to make your code independent of the beacon type. Alternatively, use an independent 3rd party library such as Radius Networks’ iOS SDK or the EasiBeacon Android library.

However, there are some cases where you must use the manufacturer library. This is usually where the app needs to connect to the beacon (as opposed to only viewing advertising scans) to perform beacon-specific operations. The Sensoro SDK is an example: its private protocol (to prevent squatters) and sensor information can only be accessed via the SDK.