Wednesday, March 5, 2014

The iBeacon Protocol and How to Hack It

Welcome back,

Following my post on Monday about the iBeacon GUI Generator, I figured that it was only fair to share with you how the iBeacon functions and operates. I also would like to show you how to bend the parameters of the iBeacon protocol to expand it in a functional way.

TL;DR: The iBeacon (BLE) protocol is limiting for businesses that want a single mobile application to serve more than 65,536 customers; a small hack grows that to 16.7 million customers.

As a preface, iBeacons are quite easy to hack into! But for the context of my post, I am talking about utilizing the existing iBeacon protocol and expanding it for your own experimental use.

How the iBeacon Protocol Works: 

There are 3 pieces of transmitted data that make the iBeacon extraordinarily powerful.
1.) UUID (so the iOS/Android application is able to recognize it)
2.) Major Value (transmitted as four 4-bit hex characters, i.e. 16 bits)
3.) Minor Value (again transmitted as four 4-bit hex characters)

1.) Why the UUID is so important.
The transmitted and received UUID is the link between an iBeacon and the application that it is talking to. DBAs reading this site, think of this as a foreign key. While your iBeacon is transmitting its UUID nonstop daily, its responsibility is to transmit and hope that some second party receives that transmission. (Insert outdated SETI joke here.) However, while building your iOS application, you need to specify which UUID you would like to listen for.

Here is an example of Apple's AirLocate UUID:  83256b74-78d0-43a4-8269-05f9dc8a44ba

And a graphic I decided to draw up to depict the unhealthy iPhone/iBeacon Give & Take relationship.



2.) Why are Major and Minor Values useful?

Major and Minor Values are so important because these are identifiers that an iOS/Android application is able to act and respond on. 

The format of the Major and Minor values is as follows:
Major Value: FFFF (4 hex characters)
Minor Value: FFFF (4 hex characters)

For every UUID that you broadcast, you are able to transmit 65,536 (FFFF + 1 in decimal) major values, and each major value can have 65,536 minor values, totaling 4,294,967,295 uniquely addressable iBeacons per iOS/Android application.

3.) Why I decided to hack the protocol for more reasonable uses.

My test case: I am trying to deliver iBeacons to customers that will respond to my application's single UUID. As the company grows in breadth, I needed a way to handle my 65,537th customer. Using the naive approach provided by the iBeacon (Bluetooth Low Energy) protocol, the upper limit of businesses that you can service will ALWAYS max out at 65,536.

So I think to myself, how do I get around this?

One of the easiest ways is to hijack the two leading hex characters from the minor value. No business that I can think of will ever need to use 65,535 individual iBeacons in its vicinity (note: we are talking about the Minor Values, AKA individual beacons in a building or business). By performing this simple hack, we are now able to address 16,777,215 individually unique businesses without ever needing to touch our UUID.

The new format of Major and Minor values:
Major Value: FFFFFF (6 hex characters; the last two are the leading two taken from the minor value)
Minor Value: FF (the remaining 2 hex characters)

As a result, each individual business' Minor Value now has an upper limit of 256 addressable iBeacons, which I thought was more appropriate in my use case.


You've made it.

Thank you for taking the time to read about how to use iBeacons effectively when building your business around them. 

If this post helped you in any way, please feel free to donate my Bitcoin wallet: 1G6boGibqU14pHxMf5zNK8Gmo9uiAgerbt

Good luck bit switching out there,
@skylarrudolph

P.S. When we address our 65537th customer on the iBeacon GUI app, we get a screen like this.


The Regular Hex and Broadcast Hex turn red because we are out of the range for normal operating procedures. The top two hex values show what values the iBeacon will actually send out. When decoding this, we simply pull the leading two hex characters from the minor value and place them in front of the major value.

Business #:             010000 = 65536
Business Minor #:          01 = 1
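To make the packing and the P.S. decoding step concrete, here is an added example (my own code, not from the post or from any iBeacon SDK) that builds and parses an iBeacon advertisement and applies the extended major/minor scheme. The byte layout of Apple's manufacturer-specific AD structure (company id 0x004C, beacon type 0x02, payload length 0x15, big-endian major and minor, signed TX power) is a well-known fact not stated in the post; the function names and the sample values are mine. Note that major and minor are read straight out of an unauthenticated broadcast, so the decoder validates ranges and treats the result as a lookup key, not as proof of which beacon is really present.

```python
import struct
import uuid

# Layout of Apple's iBeacon manufacturer-specific AD structure (well-known; not from the post):
#   0x1A   AD length (26 bytes follow)
#   0xFF   AD type: manufacturer-specific data
#   4C 00  company identifier 0x004C (Apple), little-endian
#   02 15  beacon type 0x02, payload length 0x15 (21 bytes)
#   16 bytes proximity UUID, 2 bytes major, 2 bytes minor (both big-endian),
#   1 byte measured TX power at 1 m (signed)
AD_LEN = 0x1A
AD_TYPE_MANUFACTURER = 0xFF
APPLE_IBEACON_PREFIX = b"\x4c\x00\x02\x15"

BUSINESS_ID_MAX = 0xFFFFFF  # 24 bits: the 16 of major plus the leading 8 of minor
BEACON_ID_MAX = 0xFF        # the 8 bits left in minor for beacons within one business


def pack_extended(business_id: int, beacon_id: int) -> tuple:
    """Map a 24-bit business id and an 8-bit beacon id onto the 16-bit major/minor fields."""
    if not 0 <= business_id <= BUSINESS_ID_MAX:
        raise ValueError(f"business id {business_id:#x} exceeds 24 bits")
    if not 0 <= beacon_id <= BEACON_ID_MAX:
        raise ValueError(f"beacon id {beacon_id:#x} exceeds 8 bits")
    major = business_id >> 8                         # upper 16 bits of the business id
    minor = ((business_id & 0xFF) << 8) | beacon_id  # low byte of business id, then beacon id
    return major, minor


def unpack_extended(major: int, minor: int) -> tuple:
    """Inverse of pack_extended: move the leading byte of minor back in front of major."""
    business_id = (major << 8) | (minor >> 8)
    beacon_id = minor & 0xFF
    return business_id, beacon_id


def build_ibeacon_payload(proximity_uuid: str, major: int, minor: int, tx_power: int = -59) -> bytes:
    """Assemble the 27-byte AD structure an iBeacon would put in its advertisement."""
    body = (APPLE_IBEACON_PREFIX
            + uuid.UUID(proximity_uuid).bytes
            + struct.pack(">HHb", major, minor, tx_power))
    return bytes([AD_LEN, AD_TYPE_MANUFACTURER]) + body


def parse_ibeacon_payload(payload: bytes):
    """Return {'uuid', 'major', 'minor', 'tx_power'} for an iBeacon AD structure, else None."""
    if len(payload) != AD_LEN + 1 or payload[0] != AD_LEN or payload[1] != AD_TYPE_MANUFACTURER:
        return None
    if payload[2:6] != APPLE_IBEACON_PREFIX:
        return None  # another manufacturer's data, or a non-iBeacon Apple frame
    proximity_uuid = str(uuid.UUID(bytes=payload[6:22]))
    major, minor, tx_power = struct.unpack(">HHb", payload[22:27])
    return {"uuid": proximity_uuid, "major": major, "minor": minor, "tx_power": tx_power}


def decode_business(payload: bytes, expected_uuid: str):
    """Filter on the application's own UUID, then apply the extended scheme.

    The ids come from an unauthenticated broadcast: use them only as a key to
    look up what the app should show, never as evidence of who sent the frame.
    """
    frame = parse_ibeacon_payload(payload)
    if frame is None or frame["uuid"] != expected_uuid.lower():
        return None
    return unpack_extended(frame["major"], frame["minor"])


if __name__ == "__main__":
    # The post's P.S. case: the 65,537th business (id 0x010000) with its first beacon.
    airlocate_uuid = "83256b74-78d0-43a4-8269-05f9dc8a44ba"  # sample UUID from the post
    major, minor = pack_extended(0x010000, 0x01)
    print(f"broadcast major={major:04X} minor={minor:04X}")   # major=0100 minor=0001
    frame = build_ibeacon_payload(airlocate_uuid, major, minor)
    print("decoded (business, beacon):", decode_business(frame, airlocate_uuid))  # (65536, 1)
```

On iOS, CLBeaconRegion ranging still hands the application the raw 16-bit major and minor, so the unpack step is the application's job, and region filtering on the UUID keeps working unchanged because the UUID is untouched.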
