Reverse Engineering BLE From the Droid Depot App

We were finally able to successfully get working BLE data for the Droids, thanks to the new Droid Depot app and Jamie from #makerspace on the Galaxy’s Edge Discord Server. 😀 We’re still combing through the data and still testing things, but here’s what we’ve discovered so far.

On May 4th, Disney released a new Droid Depot app that allowed iOS and Android users to control their Mubo’s Droid Depot droids via Bluetooth (BLE). Previously, we hadn’t been able to reliably send BLE data to the droids without losing connection. We weren’t sure if that was due to a lack of successful pairing, an incorrect passcode, etc., or if the Droid just wasn’t designed with that functionality.

However, this official app proved a BLE connection was possible without a droid firmware update! What better way to celebrate Star Wars Day than with an epic gamechanger? All we had to do now was figure out how the app was communicating via BLE, and what data was being sent.

Thankfully, Android is *perfect* for scenarios like troubleshooting BLE connections in an Android app, thanks to its Developer Options.  

  1. Enable Developer Mode (if you haven’t already)
  2. Enable Bluetooth HCI logging:
    Settings > Developer Options > “Enable Bluetooth HCI snoop log”
  3. Turn Bluetooth Off then On
  4. Reboot Android device
  5. Enjoy glass of blue milk

Your Android device is now automatically saving a log file of your BLE activity, probably in one of these locations, depending on your device. 

/sdcard/Android/data/btsnoop_hci.log
/sdcard/btsnoop_hci.log

With logging enabled, I used several functions of the Droid Depot app while trying to make careful note of what I was doing and at what time. Some of the things I recorded: Connecting/Pairing to a new droid, using the Piloting mode, playing Tic Tac Toe, and changing the droid volume. When I was done, I copied the file to my laptop via USB and opened the log file in Wireshark to review the data.

After comparing the data to my notes, I was able to identify some potential BLE droid commands. Huge thanks again to Jamie in #makerspace, who was able to help test out these potential commands via his own Android droid app.

I hope to have a full confirmed list soon, but here’s a couple of tested values:

  • Identify Droid Beep: 27420f4444001802
  • Set Volume to 100: 27420f4444000e1e 
  • Set Volume to 0: 27420f4444000e00
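
As an alternative to reading the capture by eye in Wireshark, the sketch below (an added example, not code from the original post or the Droid Depot app) walks a `btsnoop_hci.log` and lists every ATT write the phone sent, with its timestamp, so the values can be lined up against timestamped notes. The sample capture is constructed: the connection handle, ATT handle, opcode and times are assumptions; only the two command values come from the list above.

```python
import struct

MAGIC = b"btsnoop\x00"
UNIX_EPOCH_DELTA_US = 0x00DCDDB30F2F8000  # btsnoop timestamp of 1970-01-01 (us)
ATT_CID = 0x0004
ATT_WRITES = {0x12: "Write Request", 0x52: "Write Command"}


def att_writes(log: bytes):
    """Yield (unix_time, att_handle, opcode, value_hex) for host-sent ATT writes."""
    # Header: magic, version 1, datalink 1002 (HCI UART / H4)
    if len(log) < 16 or log[:8] != MAGIC or struct.unpack(">II", log[8:16]) != (1, 1002):
        raise ValueError("not an H4 btsnoop capture")
    pos = 16
    while pos + 24 <= len(log):
        _orig, incl, flags, _drops, ts = struct.unpack(">IIIIq", log[pos:pos + 24])
        pkt = log[pos + 24:pos + 24 + incl]
        pos += 24 + incl
        # Keep host-to-controller (flag bit 0 clear) ACL data (H4 type 0x02) only
        if flags & 1 or len(pkt) < 12 or pkt[0] != 0x02:
            continue
        conn, _acl_len, l2_len, cid = struct.unpack("<HHHH", pkt[1:9])
        # PB flag 0b01 marks a continuation fragment, which has no L2CAP header
        if (conn >> 12) & 0x3 == 0x1 or cid != ATT_CID:
            continue
        att = pkt[9:9 + l2_len]
        if len(att) >= 3 and att[0] in ATT_WRITES:
            handle = struct.unpack("<H", att[1:3])[0]
            yield ((ts - UNIX_EPOCH_DELTA_US) / 1e6, handle,
                   ATT_WRITES[att[0]], att[3:].hex())


def _record(pkt: bytes, flags: int, unix_s: int) -> bytes:
    ts = unix_s * 1_000_000 + UNIX_EPOCH_DELTA_US
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, ts) + pkt


def _att_write(value_hex: str, att_handle: int) -> bytes:
    att = struct.pack("<BH", 0x52, att_handle) + bytes.fromhex(value_hex)
    l2cap = struct.pack("<HH", len(att), ATT_CID) + att
    return b"\x02" + struct.pack("<HH", 0x0040, len(l2cap)) + l2cap


# Constructed capture: handles, opcode and timestamps are made up; values are the page's
SAMPLE = (MAGIC + struct.pack(">II", 1, 1002)
          + _record(_att_write("27420f4444001802", 0x000D), 0, 1_600_000_000)
          + _record(bytes.fromhex("0413050140000100"), 3, 1_600_000_001)
          + _record(_att_write("27420f4444000e1e", 0x000D), 0, 1_600_000_005))
for t, handle, op, value in att_writes(SAMPLE):
    print(f"{t:.0f} handle=0x{handle:04x} {op}: {value}")
```

To run it on a real capture, pass the bytes of the copied log file to `att_writes` instead of `SAMPLE`.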

In the meantime, if you’d like to review the data yourself, here’s the full Android BLE HCI log and timestamp notes. Enjoy!

 

Above: And that’s why you always leave a note