write_gatt_descriptor keeps telling me "descriptor not found"

[tyler-g]

• bleak version: 0.21.1
• Python version: 3.12.2
• Operating System: OSX Sonoma 14.2.1

Description

Hi all, I'm trying to reverse engineer a battery BMS bluetooth device. I don't have any dongles or boards, but just using my iphone and my macbook pro. The iphone has installed the app for the device (pretty buggy), and I used that to sniff the connection and write requests.

I'm able to connect to the device on OSX but cannot get write_gatt_descriptor to work because I think I may be specifying "Handle" incorrectly

What I Did

• downloaded and install Bluetooth profile for ios on iphone (https://developer.apple.com/bug-reporting/profiles-and-logs/?name=bluetooth)

• on macbook, installed PacketLogger (from additional xcode tools)

• with iphone usb connected to macbook, open a new ios session in PacketLogger and start listening

• open the ios app and connect to the device, wait a few seconds for it to send all the parameters

• stop listening, save log BTSnoop format so I can inspect further in Wireshark

• disconnect and close the ios app

• everything I see indicates no encryption because there's no "Start Encryption" commands

• inspect the logs and find the first Write Request that I need to emulate:

• set up my python script for connecting to the device from OSX:

import asyncio
from bleak import BleakClient

DOT_ADDRESS = "1DEE58FF-E253-A0EC-996A-2EA440A02A09"

async def main(address):
    async with BleakClient(address) as client:
        print(client.is_connected) # prints True or False
        data = await client.write_gatt_descriptor(0x001D , bytearray(b"\x01\x03\x00\x00\x00\'\x05\xd0"))
        
        print(data)

asyncio.run(main(DOT_ADDRESS))

I get error:

    raise BleakError("Descriptor {} was not found!".format(handle))
bleak.exc.BleakError: Descriptor 29 was not found!

Obviously the handle is incorrect, but I'm unsure why or what I need to put there. What am I doing wrong here? Thanks

[tyler-g]

if it's helpful, here's the output from running service_explorer.py

python3 service_explorer.py --address "1DEE58FF-E253-A0EC-996A-2EA440A02A09"
2024-03-15 18:36:31,762 __main__ INFO: starting scan...
2024-03-15 18:36:32,496 __main__ INFO: connecting to device...
2024-03-15 18:36:32,851 __main__ INFO: connected
2024-03-15 18:36:32,851 __main__ INFO: [Service] 0000180a-0000-1000-8000-00805f9b34fb (Handle: 8): Device Information
2024-03-15 18:36:32,887 __main__ INFO:   [Characteristic] 00002a23-0000-1000-8000-00805f9b34fb (Handle: 9): System ID (read,write-without-response,write), Value: bytearray(b'\x00\x00\x00\x00\x00\x00\x00\x00')
2024-03-15 18:36:32,948 __main__ INFO:   [Characteristic] 00002a24-0000-1000-8000-00805f9b34fb (Handle: 11): Model Number String (read), Value: bytearray(b'TC,R2#4,1,248,S')
2024-03-15 18:36:33,007 __main__ INFO:   [Characteristic] 00002a25-0000-1000-8000-00805f9b34fb (Handle: 13): Serial Number String (read), Value: bytearray(b'2020-4-23')
2024-03-15 18:36:33,068 __main__ INFO:   [Characteristic] 00002a26-0000-1000-8000-00805f9b34fb (Handle: 15): Firmware Revision String (read), Value: bytearray(b'V3.3')
2024-03-15 18:36:33,127 __main__ INFO:   [Characteristic] 00002a27-0000-1000-8000-00805f9b34fb (Handle: 17): Hardware Revision String (read), Value: bytearray(b'609866F05890')
2024-03-15 18:36:33,187 __main__ INFO:   [Characteristic] 00002a28-0000-1000-8000-00805f9b34fb (Handle: 19): Software Revision String (read), Value: bytearray(b'V3.3')
2024-03-15 18:36:33,277 __main__ INFO:   [Characteristic] 00002a29-0000-1000-8000-00805f9b34fb (Handle: 21): Manufacturer Name String (read), Value: bytearray(b'www.tuner168.com')
2024-03-15 18:36:33,337 __main__ INFO:   [Characteristic] 00002a2a-0000-1000-8000-00805f9b34fb (Handle: 23): IEEE 11073-20601 Regulatory Cert. Data List (read), Value: bytearray(b'\xfe\x00experimental')
2024-03-15 18:36:33,397 __main__ INFO:   [Characteristic] 00002a50-0000-1000-8000-00805f9b34fb (Handle: 25): PnP ID (read), Value: bytearray(b'\x01\r\x00\x00\x00\x10\x01')
2024-03-15 18:36:33,397 __main__ INFO: [Service] 00001000-0000-1000-8000-00805f9b34fb (Handle: 27): Service Discovery Server Service Class
2024-03-15 18:36:33,458 __main__ INFO:   [Characteristic] 00001001-0000-1000-8000-00805f9b34fb (Handle: 28): Browse Group Descriptor Service Class (read,write-without-response,write), Value: bytearray(b'')
2024-03-15 18:36:33,517 __main__ INFO:     [Descriptor] 00002901-0000-1000-8000-00805f9b34fb (Handle: 30): Characteristic User Description, Value: bytearray(b'RX')
2024-03-15 18:36:33,578 __main__ INFO:   [Characteristic] 00001002-0000-1000-8000-00805f9b34fb (Handle: 31): Public Browse Root (read,notify), Value: bytearray(b'')
2024-03-15 18:36:33,638 __main__ INFO:     [Descriptor] 00002902-0000-1000-8000-00805f9b34fb (Handle: 33): Client Characteristic Configuration, Value: bytearray(b'')
2024-03-15 18:36:33,698 __main__ INFO:     [Descriptor] 00002901-0000-1000-8000-00805f9b34fb (Handle: 34): Characteristic User Description, Value: bytearray(b'TX')
2024-03-15 18:36:33,698 __main__ INFO:   [Characteristic] 00001003-0000-1000-8000-00805f9b34fb (Handle: 35): Vendor specific (write)
2024-03-15 18:36:33,757 __main__ INFO:     [Descriptor] 00002901-0000-1000-8000-00805f9b34fb (Handle: 37): Characteristic User Description, Value: bytearray(b'REG_WRITE')
2024-03-15 18:36:33,817 __main__ INFO:   [Characteristic] 00001004-0000-1000-8000-00805f9b34fb (Handle: 38): Vendor specific (read), Value: bytearray(b'')
2024-03-15 18:36:33,877 __main__ INFO:     [Descriptor] 00002901-0000-1000-8000-00805f9b34fb (Handle: 40): Characteristic User Description, Value: bytearray(b'REG_READ')
2024-03-15 18:36:33,937 __main__ INFO:   [Characteristic] 00001005-0000-1000-8000-00805f9b34fb (Handle: 41): Vendor specific (read,write), Value: bytearray(b'')
2024-03-15 18:36:33,997 __main__ INFO:     [Descriptor] 00002901-0000-1000-8000-00805f9b34fb (Handle: 43): Characteristic User Description, Value: bytearray(b'REG')
2024-03-15 18:36:33,998 __main__ INFO: [Service] f000ffd0-0451-4000-b000-000000000000 (Handle: 44): Unknown
2024-03-15 18:36:33,998 __main__ INFO:   [Characteristic] f000ffd1-0451-4000-b000-000000000000 (Handle: 45): Unknown (write-without-response,write)
2024-03-15 18:36:34,057 __main__ INFO:     [Descriptor] 00002901-0000-1000-8000-00805f9b34fb (Handle: 47): Characteristic User Description, Value: bytearray(b'Reset')
2024-03-15 18:36:34,058 __main__ INFO: disconnecting...
2024-03-15 18:36:34,060 __main__ INFO: disconnected

[dlech]

Since you want to write to handle 29, I'm guessing that you actually want to write to the 00001001-0000-1000-8000-00805f9b34fb characteristic (not descriptor). Handles aren't stable numbers and vary by OS, so it is best to look up characteristics by UUID. Since there is only one with this UUID, you can pass it directly to the read function. And it can be abbreviated to the 16-bit value. Also, writing doesn't return a value. And no need to cast to bytearray.

await client.write_gatt_char("1001" , b"\x01\x03\x00\x00\x00\x27\x05\xd0", response=True)

[tyler-g]

@dlech thanks so much for the fast reply. I realized that after yes I needed to use write_gatt_char instead.

I actually found in my case the "1001" alone doesn't work but I have to specify the full UUID. I don't know if this is just an OSX thing (probably).

In my case I found the best way to get all the uuids is to use gatttool. I did this on a raspberry pi (not sure if it even works on osx):

in interactive mode:
gatttool --device=30:95:66:D0:58:90 -I

then in the interactive console (separate steps):

connect
characteristics
char-desc

output something like this: (abbreviated here for readability, not the full output)

Connection successful
[LE]> characteristics
handle: 0x0002, char properties: 0x02, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x0004, char properties: 0x02, char value handle: 0x0005, uuid: 00002a01-0000-1000-8000-00805f9b34fb

[LE]> char-desc
handle: 0x0001, uuid: 00002800-0000-1000-8000-00805f9b34fb
handle: 0x0002, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0021, uuid: 00002902-0000-1000-8000-00805f9b34fb

Anyway, like you mentioned, I am now able to send the first write successfully with:

await client.write_gatt_char('00001001-0000-1000-8000-00805f9b34fb', bytearray(b"\x01\x03\x00\x00\x00\'\x05\xd0"))

I need to send one more afterwards but it is a descriptor (I found it matching the handle I need using the char-desc command ) For reference here is the 2nd command I need to emulate:

But when I do it:

await client.write_gatt_descriptor('00002902-0000-1000-8000-00805f9b34fb', bytearray(b'\x01\x00'))

I'm getting the Descriptor not found error:

    raise BleakError("Descriptor {} was not found!".format(handle))
bleak.exc.BleakError: Descriptor 00002902-0000-1000-8000-00805f9b34fb was not found!

Am I using .write_gatt_char incorrectly here? I'm using this because the handle matched a uuid under descriptors and not characteristics

[dlech]

That is a Client Characteristic Configuration descriptor which is use to enable notifications, so you want this instead.

await client.start_notify('00001001-0000-1000-8000-00805f9b34fb', my_callback)