Reverse Engineering iBeacon and Eddystone Bluetooth GATT Services

For some of our beacons such as the Axaet and Sensoro product ranges the manufacturers haven’t documented their Bluetooth Service Characteristics. This means that while they are ok for scanning/proximity type applications, you can’t write your own app to, for example, change programatically the UUID, major and minor and must rely on the manufacturer’s configuration app or, in the case of the Sensoro beacon, their SDK. While this of no consequence for the majority of uses, more ambitious scenarios might want directly access the Bluetooth GATT services.

Uri Shaked has written a great article on Medium on how to Reverse Engineer a Bluetooth Lightbulb. His method uses the developer logging in Android 4.4 and later to allow inspection of the Bluetooth packets and hence the Bluetooth Services and Characteristics that are being used. This method can equally be used with iBeacon and Eddystone beacons to reverse engineer the Bluetooth GATT information.