Reverse Engineering the iBeacon Profile

URL : http://developer.radiusnetworks.com/2013/10/01/reverse-engineering-the-ibeacon-profile.html

The Results

The packet sniffer tool let us output its capture in a binary format that I had to write Python script to parse. Once I did, I could see the contents of the individual packets as hex bytes:

 0      1            0us (+   0.000ms) [ 47]
d6 be 89 8e 40 24 5 a2 17 6e 3d 71 2 1 1a 1a ff 4c 0 2 15 e2 c5 6d b5 df fb 48 d2 b0 60 d0 f5 a7 10 96 e0 0 0 0 0 c5 52 ab 8d 38 a5
 0      2        31252us (+  31.252ms) [ 47]
d6 be 89 8e 40 24 5 a2 17 6e 3d 71 2 1 1a 1a ff 4c 0 2 15 e2 c5 6d b5 df fb 48 d2 b0 60 d0 f5 a7 10 96 e0 0 0 0 0 c5 52 ab 8d 38 a5
 0      3        66253us (+  35.001ms) [ 47]
d6 be 89 8e 40 24 5 a2 17 6e 3d 71 2 1 1a 1a ff 4c 0 2 15 e2 c5 6d b5 df fb 48 d2 b0 60 d0 f5 a7 10 96 e0 0 0 0 0 c5 52 ab 8d 38 a5
 0      4       100004us (+  33.751ms) [ 47]
d6 be 89 8e 40 24 5 a2 17 6e 3d 71 2 1 1a 1a ff 4c 0 2 15 e2 c5 6d b5 df fb 48 d2 b0 60 d0 f5 a7 10 96 e0 0 0 0 0 c5 52 ab 8d 38 a5
 0      5       132502us (+  32.498ms) [ 47]
d6 be 89 8e 40 24 5 a2 17 6e 3d 71 2 1 1a 1a ff 4c 0 2 15 e2 c5 6d b5 df fb 48 d2 b0 60 d0 f5 a7 10 96 e0 0 0 0 0 c5 52 ab 8d 38 a5
 0      6       167505us (+  35.003ms) [ 47]
d6 be 89 8e 40 24 5 a2 17 6e 3d 71 2 1 1a 1a ff 4c 0 2 15 e2 c5 6d b5 df fb 48 d2 b0 60 d0 f5 a7 10 96 e0 0 0 0 0 c5 52 ab 8d 38 a5

As you can see from the above, the same packet is repeated over and over again. And this packet contains the profile UUID of the iBeacon (E2C56DB5-DFFB-48D2-B060-D0F5A71096E0)

Conclusions

But what do these bytes mean? TI's wiki pages helped a bit as did this page from the EE Times Based on the information here, I figured out the following about the packet structure:

# Packet Header Starts Here
d6 be 89 8e # Access address for advertising data (this is always the same fixed value)
40 # Advertising Channel PDU Header byte 0.  Contains: (type = 0), (tx add = 1), (rx add = 0)
24 # Advertising Channel PDU Header byte 1.  Contains:  (length = total bytes of the advertising payload + 6 bytes for the mac address.)
05 a2 17 6e 3d 71 # Mac address.... note this does not seem to be the actual bluetooth mac of the iPad -- apparently it gets spoofed by iOS
# Actual Advertising Data Starts Here
02 01 1a 1a ff 4c 00 02 15 # Apple's static prefix to the advertising data -- this is always the same
e2 c5 6d b5 df fb 48 d2 b0 60 d0 f5 a7 10 96 e0 # iBeacon ProximityUUID
00 00 # major (LSB first)
00 00 # minor (LSB first)
c5 # The 2's complement of the calibrated Tx Power
# Actual Advertising Data Ends Here
52 ab 8d 38 a5 # CRC

To validate that this was what was going on, we tried changing different values of major, minor and the profileUUID, and they changed exactly as we expected.