-
Notifications
You must be signed in to change notification settings - Fork 53
BLE Services & characteristics
Djamil Elaidi edited this page Jun 21, 2019
·
1 revision
| UUID | Value |
|---|---|
| Base | 0x9E, 0xCA, 0xDC, 0x24, 0x0E, 0xE5, 0xA9, 0xE0, 0x93, 0xF3, 0xA3, 0xB5, 0x00, 0x00, 0x40, 0x6E |
| NUS Service | 0x0001 - 6e400001-b5a3-f393-e0a9-e50e24dcca9e |
| NUS TX Characteristic | 0x0002 - 6e400002-b5a3-f393-e0a9-e50e24dcca9e |
| NUS RX Characteristic | 0x0003 - 6e400003-b5a3-f393-e0a9-e50e24dcca9e |
NUS Service is the bearer for all RF messages, to and from PandwaRF.
To see how a message is transmitted over NUS, refer to Sending RfCat messages over BLE link
Standard service, cf https://developer.bluetooth.org/TechnologyOverview/Pages/BAS.aspx
| UUID | Value |
|---|---|
| Base | 0x180F |
Standard service, cf https://developer.bluetooth.org/TechnologyOverview/Pages/DIS.aspx
| UUID | Value |
|---|---|
| Base | 0x180A |
| UUID | Value |
|---|---|
| Base | DEADxxxx-2DBB-4D90-91D7-BDC47B265643 |
| Base | 0x43, 0x56, 0x26, 0x7B, 0xC4, 0xBD, 0xD7, 0x91, 0x90, 0x4D, 0xBB, 0x2D, 0x00, 0x00, 0xAD, 0xDE |
| UUID | Value (xxxx) | Smartphone - Dongle | Size (bytes) | |
|---|---|---|---|---|
| BUS Service | 0x0001 | |||
| Button pushed Characteristic | 0x1524 | Indicate a button has been pushed | ⇐ | 1 |
| LED Characteristic | 0x1525 | Control the LED. byte 1: Led id(1,2,3), byte 2: led value (0,1) | ⇒ | 2 |
| Push Button Characteristic | 0x1526 | Equivalent to physically pushing a button | ⇒ | 1 |
| Config Characteristic | 0x1527 | Write a config value or launch a self test OR read status | ⇐⇒ | 4 |
| BLE Error Characteristic | 0x1529 | Read BLE errors from SPI memory | ⇐⇒ | - |
Used by Gollum Config Write characteristic
BLE Payload is:
| bytes | 0 | 1,2,3,4,5 |
|---|---|---|
| Command [0..10] | Payload for related command |
| Command | Code | Value | Description |
|---|---|---|---|
| CMD_CONFIG_SET_LOOPBACK_MODE | 0 | 00 or 01 | if set to 1, put dongle in loopback mode. BLE received data is sent back to smartphone |
| CMD_CONFIG_RESET_CC1111 | 1 | - | Force a CC1111 reset using RESETn pin |
| CMD_CONFIG_RUN_SELF_TEST | 2 | - | Force a self-test to be run (not implemented) |
| CMD_CONFIG_GET_LAST_SELF_TEST_RESULT | 3 | - | Read the last self-test verdict (not implemented: use a read on BUS Config Characteristic 0x1527) |
| CMD_CONFIG_SET_USB_COMMUNICATION | 4 | 00 or 01 | Set CC1111 USB communication using BT_CC_GPIO_ENABLE_USB pin |
| CMD_CONFIG_SET_TX_RETRY_MODE | 5 | 00 or 01 | Set to true to retry a BLE transmission when no TX buffer is available |
| CMD_CONFIG_SET_SPI_HW_REVISION | 6 | HW revision code (1 byte) | Set HW revision in SPI memory. Rev.D: 0x44, Rev.DE: 0x30, Rev.E: 0x45, Rev.F: 0x46 |
| CMD_CONFIG_SET_BATTERY_CAPACITY | 7 | Battery capacity (2 bytes) | Set Battery capacity in SPI memory |
| CMD_CONFIG_RESET_NORDIC | 8 | - | Force a nRF51 reset |
| CMD_CONFIG_SLEEP_NORDIC | 9 | - | Force nRF51 to enter sleep mode |
| CMD_CONFIG_SET_DELAY_POWER_OFF | 10 | Delay in mn (2 bytes) | Set delay in SPI memory before powering off Gollum |
| bytes | 5,4 | 3,2,1,0 |
|---|---|---|
| Auto Power Off Time value in mn | Power On Self Test bitmask result |
Used by Gollum Config Notify/Read characteristic
| Status | Code | Value | Description |
|---|---|---|---|
| POWER_ON_SELF_TEST_RESULT | 0 | result | XXX |
| CODE_ERROR | 1 | error_code | XXX |
Power On Self Test bitmask (bytes 3,2,1,0) signification
| bit number | Code | Description |
|---|---|---|
| 0 | GOLLUM_PO_ST_BSP_LED_BUTTONS_INIT_ERROR | Status of buttons and LED I/O init |
| 1 | GOLLUM_PO_ST_SPI_MASTER_INIT_ERROR | Status of SPI master driver initialization |
| 2 | GOLLUM_PO_ST_SPI_MEM_COMM_ERROR | Status of SPI memory communication |
| 3 | GOLLUM_PO_ST_UART_FIFO_INIT_ERROR | Status of UART module |
| 4 | GOLLUM_PO_ST_RFCAT_NOT_RUNNING_ERROR | Status of CC1111 RfCat running |
| 5 | GOLLUM_PO_ST_I2C_MASTER_INIT_ERROR | Status of I2C port and Battery Gas Gauge |
| 6 | GOLLUM_PO_ST_I2C_COMM_ERROR | Status of I2C nRF <--> LTC2941 communication |
| 7 | GOLLUM_PO_ST_SPI_MEM_R_W_ERROR | Status of SPI nRF <--> memory R/W |
| 8 | GOLLUM_PO_ST_DIS_TIMEOUT | Status of CC1111 Device Information procedure |
| 24 | GOLLUM_PO_ST_STATUS_USB_POWERED | If set to 1, USB power is detected |
| 25 | GOLLUM_PO_ST_STATUS_BLE_WHITELIST_BYPASS_MODE | If 1, whitelist bypass mode is active |
| 26 | GOLLUM_PO_ST_STATUS_BLE_WHITELIST_MODE | If 1, Whitelist mode is active. If 0: Whitelist mode is inactive |
| 27 | GOLLUM_PO_ST_STATUS_FW_LOCKED_TO_MAC_ADDRESS | If 1, FW is locked to a MAC address |
| 28 | GOLLUM_PO_ST_STATUS_NRF_BOOTLOADER_DETECTED | If 1, nRF bootloader has been detected, 0 if no bootloader present |
| 29 | GOLLUM_PO_ST_STATUS_LOOPBACK_MODE | If set to 1, dongle is in loopback mode. BLE received data is sent back to smartphone |
| 30 | GOLLUM_PO_ST_STATUS_USB_ALLOWED | If set to 1, USB is allowed for CC1111 using BT_CC_GPIO_ENABLE_USB pin |
| 31 | GOLLUM_PO_ST_STATUS_TX_RETRY_MODE | If set to 1, TX retry mode is enabled |
| Command | Code | Description |
|---|---|---|
| BUS_SERVICE_BLE_ERROR_CHAR_RESET_ERROR_TABLE | 0 | Erase the error table |
| BUS_SERVICE_BLE_ERROR_CHAR_RESET_READ_INDEX | 1 | Reset the read counter |
| BUS_SERVICE_BLE_ERROR_CHAR_PREPARE_NEXT_READ | 2 | Increment the read counter & update the characteristic with data for next BLE error read |
Read the characteristic with data prepared at previous write. We use a GATTS Read Request without Authorization, so data to read is updated when a BLE Error Write is made.
Nordic specific, cf https://developer.nordicsemi.com/nRF51_SDK/nRF51_SDK_v7.x.x/doc/7.0.1/s110/html/a00071.html#ota_spec_sec
| UUID | Value |
|---|---|
| Base | 0x9E, 0xCA, 0xDC, 0x24, 0x0E, 0xE5, 0xA9, 0xE0, 0x93, 0xF3, 0xA3, 0xB5, 0x00, 0x00, 0x40, 0x6E |
| NUS Service | 0x0001 |
| Description | Number Base |
|---|---|
| Company Identifier: | 0x0059 |
| UUID Base: | 0x23, 0xD1, 0xBC, 0xEA, 0x5F, 0x78, 0x23, 0x15, 0xDE, 0xEF, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00 |
| Service UUID start: | 0x1530 |
| Characteristic UUID start: | 0x1531 |
Questions or need help? Get in touch or open an Issue!
Project Information
- PandwaRF Home
- General Overview
- Technical Overview
- Possible Applications
- Development Status
- Requirements
PandwaRF Android Application (Normal Mode)
- Quick Start
- Navigation
- Navigation on Tablet
- Android Permissions
- Activity states
- Kaiju account connection
- Kaiju delete account
- Scan
- Bus Service
- Rx/Tx
- Kaiju Analysis
- Rolling code analysis & generation
- Rx Data Rate Measurement
- Spectrum Analyzer
- RF Power Amplifiers
- RF Brute Force
- RF Brute Force Tutorial
- RF Brute Force Session Import Tutorial
- RF Brute Force De Bruijn
- Protocols
- Jamming
- JavaScript
- FW Update
- Dev Mode
- USB Connection
- Pairing/Bonding
- Keeloq Secure Decrypt
- Get PandwaRF Gov App
PandwaRF Android Application (Dev Mode)
- BLE Perf measurement
- CC1111 RF registers direct access
- BLE Errors
- Bus Service Extended
- BLE Parameters
Marauder Android Application
iOS Application
Linux
Hardware
- Architecture
- Power Management
- Buttons
- LEDs Indication States
- Schematics
- Programming
- Battery
- Antennas
- PandwaRF Bare Settings
- FW releases Nordic
- FW releases CC1111
For developers
- Scripting with JavaScript
- JavaScript Functions Mapping
- Scripting with Python
- BLE Services & Characteristics
- CC1111 RfCat Commands
- PandwaRF Android SDK
- PandwaRF Android API
- RX Data Post Rest API
- Software and available applications
Support
- User Guides
- FAQ
- Tested Devices
- Known Issues
- BLE connection issues
- How to clear secure pairing
- How to report an issue
- PandwaRF test procedure
- Recovery mode
- PandwaRF Device Bounty
- Product return information
- Discord Server
- Forum (legacy)
- Chat (legacy)
- Privacy Policy
- Terms & Conditions
Gimme moar!