BLE 101 : The Basics

Before diving into BLE exploitation and analysis, it’s crucial to understand what BLE actually is. This blog lays out the key concepts behind BLE, including its architecture, core protocols, and how it differs from classic Bluetooth. If you’re new to BLE, this is where it all starts.

What is BLE and How It Works?

Bluetooth Low Energy (BLE) is a lightweight wireless communication protocol designed for short-range data transfer with minimal power consumption. It was introduced as part of the Bluetooth 4.0 standard to support battery-powered devices like smartwatches, fitness bands, medical sensors, and IoT gadgets.

Unlike classic Bluetooth, which is built for continuous streaming like music or large file transfers, BLE is optimized for brief, quick exchanges of small data packets. Think of it as a “check-in and move on” protocol.

BLE works on the 2.4 GHz ISM band and uses a system of advertising and connecting. Devices either broadcast data or scan for other devices to connect with. Once connected, they follow a structured format using profiles, services, and characteristics to exchange data.

Key Characteristics of BLE

  • Low Power Consumption: BLE is built to sip power, not gulp it. Ideal for devices like fitness trackers and smart locks that need to last months or even years on small batteries.

  • Operates in the 2.4 GHz ISM Band: Just like Wi-Fi and Classic Bluetooth, BLE operates at 2.4 GHz, but with a twist in how it uses that spectrum.

  • Channel Structure: 40 Channels. BLE splits the 2.4 GHz band into 40 channels, each 2 MHz wide:

    • 3 Primary Advertising Channels (channels 37, 38, 39) used to announce presence and connect.
    • 37 Data Channels used after a connection is established for actual data transfer.

  • Adaptive Frequency Hopping (AFH): BLE hops across channels to avoid interference from Wi-Fi, microwave ovens, or other nearby devices. This improves connection stability and reduces packet loss.

  • Data Throughput
    • Theoretical max: ~1 Mbps for BLE 4.x
    • BLE 5.x can go up to 2 Mbps in high-speed mode, or trade speed for longer range (Coded PHY).
    • Real-world throughput is usually less due to overhead (around 0.27 to 0.8 Mbps typically).

  • Range
    • Typically up to 10–50 meters indoors.
    • BLE 5.x can push this up to 100+ meters in ideal conditions (with lower data rates).

BLE vs. Classic Bluetooth

| Feature            | BLE (Bluetooth Low Energy)                              | Classic Bluetooth                          |
| ------------------ | ------------------------------------------------------- | ------------------------------------------ |
| Purpose            | Small, bursty data – perfect for sensors & wearables    | Continuous data – great for audio, files   |
| Power Usage        | Very low – designed for long battery life               | Higher – drains battery faster             |
| Data Transfer Rate | Lower – but enough for its use cases                    | Higher – needed for streaming, etc.        |
| Connection Time    | Fast – connects in milliseconds                         | Slower – takes longer to establish         |
| Compatibility      | Not compatible with Classic Bluetooth devices           | Can’t talk to BLE-only devices             |
| Use Cases          | Smartwatches, fitness trackers, IoT                     | Headphones, speakers, keyboards            |

Core BLE Concepts You Should Know

Before diving into packet logs, writing payloads, or reverse-engineering devices, it's important to understand the foundational building blocks of Bluetooth Low Energy (BLE). Here’s everything you need to get started the right way.

GAP (Generic Access Profile)

GAP defines the rules for device discovery, advertising, and connections. It handles how BLE devices become visible, connect, and exchange roles.

Key roles defined by GAP:

  • Peripheral: BLE device that advertises (e.g., smartwatches, sensors).
  • Central: Scanning and connecting device (usually a smartphone or PC).

GAP also defines:

  • Advertising intervals & payloads
  • Connection parameters
  • Visibility modes (discoverable/non-discoverable)

In short, GAP is the matchmaking layer: it makes sure the devices find each other and establish a connection in a power-efficient way.

GATT (Generic Attribute Profile)

Once connected, devices switch to GATT mode. This is where all the actual data communication happens.

GATT is built around:

  • Services: Logical containers for grouping functionality (e.g., Heart Rate Service).
  • Characteristics: Individual data points or controls (e.g., current heart rate).

Each characteristic can have properties:

  • Read: Get data from the device.
  • Write / Write Without Response: Send data to the device.
  • Notify: Get automatic updates when data changes.
  • Indicate: Like notify, but requires acknowledgment.

The communication follows a request-response model over ATT (Attribute Protocol); this is where we work with handles and hex values.

Central vs Peripheral (Device Roles)

  • Peripheral: Usually a small, power-efficient device that passively advertises its presence. It doesn't initiate connections but waits for a Central.
  • Central: The active scanner. It scans for advertising devices and initiates the connection.

These roles are fixed per session, but some devices (like smartphones) can switch roles dynamically if needed.

Advertising & Scanning

Advertising is the broadcast mechanism used by peripherals to announce their presence. These are small packets (max 31 bytes + 31 optional scan response bytes) that include:

  • Device name
  • Available service UUIDs
  • Manufacturer-specific data
  • Connection request flags

Scanning is how a Central listens for these packets. Once it finds a relevant device, it may initiate a connection request based on the advertisement data.

You can capture this process using HCI logs and analyze it with Wireshark.
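As an added example (not code from the original post), here is a small Python parser for the AD structures that make up an advertising or scan response payload, the same fields Wireshark decodes from an HCI log. Each structure is a length byte, an AD type byte and the data. The sample payload is constructed: 0x180D (Heart Rate) and 0x180F (Battery) are assigned 16-bit service UUIDs, the 0xFFFF company ID is a placeholder, and the device name is invented.

```python
import uuid

# Added example, not from the original post: decode the AD structures of a
# legacy BLE advertising / scan response payload (each is: length, AD type, data).

AD_TYPES = {
    0x01: "Flags",
    0x02: "Incomplete 16-bit Service UUIDs",
    0x03: "Complete 16-bit Service UUIDs",
    0x06: "Incomplete 128-bit Service UUIDs",
    0x07: "Complete 128-bit Service UUIDs",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0x0A: "TX Power Level",
    0xFF: "Manufacturer Specific Data",
}

# Bit meanings of the Flags AD type
FLAG_BITS = [
    (0x01, "LE Limited Discoverable"),
    (0x02, "LE General Discoverable"),
    (0x04, "BR/EDR Not Supported"),
]


def parse_ad_structures(payload: bytes) -> list:
    """Split a payload into [{'type', 'name', 'data'}, ...], validating every length."""
    if len(payload) > 31:
        raise ValueError("a legacy advertising payload is at most 31 bytes")
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero-length structure = padding, stop here
            break
        if i + 1 + length > len(payload):    # a malformed length must not read past the end
            raise ValueError(f"AD structure at offset {i} overruns the payload")
        ad_type = payload[i + 1]
        structures.append({
            "type": ad_type,
            "name": AD_TYPES.get(ad_type, f"Unknown (0x{ad_type:02X})"),
            "data": payload[i + 2 : i + 1 + length],
        })
        i += 1 + length
    return structures


def summarize_advertisement(payload: bytes) -> dict:
    """Pull out the fields a scanner (or Wireshark) would show for this advertisement."""
    summary = {"name": None, "flags": [], "service_uuids": [], "tx_power": None, "manufacturer": None}
    for s in parse_ad_structures(payload):
        t, d = s["type"], s["data"]
        if t == 0x01 and d:
            summary["flags"] = [label for bit, label in FLAG_BITS if d[0] & bit]
        elif t in (0x02, 0x03):              # 16-bit UUIDs, little-endian on the air
            for j in range(0, len(d) - 1, 2):
                summary["service_uuids"].append(f"0x{int.from_bytes(d[j:j + 2], 'little'):04X}")
        elif t in (0x06, 0x07):              # 128-bit UUIDs, little-endian on the air
            for j in range(0, len(d) - 15, 16):
                summary["service_uuids"].append(str(uuid.UUID(bytes=d[j:j + 16][::-1])))
        elif t in (0x08, 0x09):
            summary["name"] = d.decode("utf-8", errors="replace")
        elif t == 0x0A and d:
            summary["tx_power"] = int.from_bytes(d[:1], "little", signed=True)
        elif t == 0xFF and len(d) >= 2:     # first two bytes are the company identifier
            summary["manufacturer"] = {
                "company_id": f"0x{int.from_bytes(d[:2], 'little'):04X}",
                "data": d[2:].hex(),
            }
    return summary


# Constructed sample advertisement (26 bytes): flags, two assigned 16-bit service
# UUIDs (0x180D Heart Rate, 0x180F Battery), a name, and manufacturer data under
# the placeholder company ID 0xFFFF.
SAMPLE_ADV = (
    bytes([0x02, 0x01, 0x06])
    + bytes([0x05, 0x03, 0x0D, 0x18, 0x0F, 0x18])
    + bytes([0x0A, 0x09]) + b"BLE-Watch"
    + bytes([0x05, 0xFF, 0xFF, 0xFF, 0x01, 0x02])
)

if __name__ == "__main__":
    for s in parse_ad_structures(SAMPLE_ADV):
        print(f"{s['name']:<32} {s['data'].hex()}")
    print(summarize_advertisement(SAMPLE_ADV))
```

Everything in this payload goes out in the clear on the three advertising channels, so whatever a device places in its name or manufacturer data is readable by any scanner in range; the parser stops on a zero-length structure and rejects a length that would run past the end of the payload, which is the case a fuzzed or truncated capture tends to hit.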

BLE Connections

After a successful scan + connect, a secure and lightweight BLE connection is established. Key points:

  • Data is exchanged on 37 data channels (out of 40 total 2.4 GHz channels).
  • Connection interval, latency, and supervision timeout are negotiated to save power.
  • The link is maintained using regular connection events, even when no data is being sent.

Think of it as a chatroom: they stay connected but don’t need to talk constantly.

Services & Characteristics (GATT Layer)

Every BLE device exposes a GATT Profile, consisting of:

  • Services (e.g., Battery Service)
  • Contain one or more Characteristics (e.g., Battery Level)
  • Each characteristic has a handle, UUID, value, and properties.

This hierarchy is what we interact with using tools like gatttool. When we do char-write-req -a 0x0035, we’re writing to a specific characteristic handle. Each service and characteristic is identified using a 16-bit or 128-bit UUID, and the order matters because tools like Wireshark show them as grouped attributes.
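To make the handle/UUID/properties hierarchy concrete, here is an added Python example (not code from the original post or from gatttool) that walks a constructed attribute table in handle order, decodes each characteristic declaration (properties byte, value handle, UUID) and prints it in the layout gatttool's --characteristics output uses. The handles, the vendor UUIDs and the values are constructed; 0x180D/0x2A37 (Heart Rate) and 0x180F/0x2A19 (Battery) are assigned numbers, and the value handle 0x0035 is chosen to match the char-write-req example in the text.

```python
import uuid

# Added example, not from the original post: decode a GATT attribute table the way
# "gatttool --characteristics" presents it. Handles, vendor UUIDs and values are constructed.

BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb"   # tail of the Bluetooth Base UUID

# Characteristic property bits, as carried in the characteristic declaration
PROPERTY_BITS = [
    (0x01, "Broadcast"),
    (0x02, "Read"),
    (0x04, "Write Without Response"),
    (0x08, "Write"),
    (0x10, "Notify"),
    (0x20, "Indicate"),
    (0x40, "Authenticated Signed Writes"),
    (0x80, "Extended Properties"),
]

PRIMARY_SERVICE_DECL = 0x2800
CHARACTERISTIC_DECL = 0x2803


def uuid16(short: int) -> uuid.UUID:
    """Expand a 16-bit UUID into its 128-bit form using the Bluetooth Base UUID."""
    return uuid.UUID(f"0000{short:04x}{BASE_UUID_SUFFIX}")


def uuid_from_le(data: bytes) -> uuid.UUID:
    """UUIDs travel little-endian over the air: 2 bytes (16-bit) or 16 bytes (128-bit)."""
    if len(data) == 2:
        return uuid16(int.from_bytes(data, "little"))
    if len(data) == 16:
        return uuid.UUID(bytes=data[::-1])
    raise ValueError(f"UUID must be 2 or 16 bytes, got {len(data)}")


def decode_properties(props: int) -> list:
    return [name for bit, name in PROPERTY_BITS if props & bit]


def decode_characteristic_declaration(value: bytes) -> dict:
    """Declaration value = properties (1 byte) | value handle (2 bytes LE) | UUID (2 or 16 bytes LE)."""
    if len(value) not in (5, 19):
        raise ValueError(f"characteristic declaration must be 5 or 19 bytes, got {len(value)}")
    return {
        "properties": decode_properties(value[0]),
        "value_handle": int.from_bytes(value[1:3], "little"),
        "uuid": uuid_from_le(value[3:]),
    }


def list_characteristics(attributes: list) -> list:
    """Walk (handle, attribute type, value) rows in handle order, tracking the owning service."""
    service = None
    found = []
    for handle, attr_type, value in attributes:
        if attr_type == uuid16(PRIMARY_SERVICE_DECL):
            service = uuid_from_le(value)
        elif attr_type == uuid16(CHARACTERISTIC_DECL):
            decl = decode_characteristic_declaration(value)
            decl["decl_handle"] = handle
            decl["service"] = service
            found.append(decl)
    return found


def gatttool_line(c: dict) -> str:
    """Same layout as a gatttool --characteristics line, with the decoded properties appended."""
    props = sum(bit for bit, name in PROPERTY_BITS if name in c["properties"])
    return (f"handle = 0x{c['decl_handle']:04x}, char properties = 0x{props:02x}, "
            f"char value handle = 0x{c['value_handle']:04x}, uuid = {c['uuid']}  "
            f"[{', '.join(c['properties'])}]")


# Constructed placeholder vendor UUIDs (not assigned numbers)
VENDOR_SERVICE = uuid.UUID("a1b2c3d4-0000-4000-8000-000000000001")
VENDOR_CONTROL = uuid.UUID("a1b2c3d4-0000-4000-8000-000000000002")

# Constructed attribute table: (handle, attribute type, value)
SAMPLE_ATTRIBUTES = [
    (0x0001, uuid16(0x2800), bytes([0x0D, 0x18])),                    # Heart Rate service
    (0x0002, uuid16(0x2803), bytes([0x10, 0x03, 0x00, 0x37, 0x2A])),  # Notify, value @0x0003, 0x2A37
    (0x0003, uuid16(0x2A37), bytes([0x00, 0x48])),                    # Heart Rate Measurement
    (0x0004, uuid16(0x2902), bytes([0x00, 0x00])),                    # CCCD for notifications
    (0x0010, uuid16(0x2800), bytes([0x0F, 0x18])),                    # Battery service
    (0x0011, uuid16(0x2803), bytes([0x12, 0x12, 0x00, 0x19, 0x2A])),  # Read|Notify, value @0x0012, 0x2A19
    (0x0012, uuid16(0x2A19), bytes([0x64])),                          # Battery Level 100%
    (0x0030, uuid16(0x2800), VENDOR_SERVICE.bytes[::-1]),             # vendor service, 128-bit UUID
    (0x0034, uuid16(0x2803), bytes([0x0C, 0x35, 0x00]) + VENDOR_CONTROL.bytes[::-1]),  # Write|WWR, value @0x0035
    (0x0035, VENDOR_CONTROL, bytes([0x00])),                          # the handle a char-write-req targets
]

if __name__ == "__main__":
    for c in list_characteristics(SAMPLE_ATTRIBUTES):
        print(gatttool_line(c))
```

The point of the walk is that the declaration at 0x0034 is what tells you 0x0035 is writable and which UUID it belongs to; a write aimed at a handle whose declaration lacks the Write bit is rejected by ATT, so when reviewing a capture it is the declarations, not just the handles, that explain what an app was allowed to do.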

Security in BLE

  • Pairing: The process of creating a temporary encrypted link by exchanging cryptographic keys. This establishes a one‐time secure session so that subsequent communication in that connection is encrypted.

  • Bonding: After pairing, devices can save (bond) the exchanged keys so that future reconnections between the same devices can automatically resume encryption without repeating the full pairing process.

  • Association Models (how the keys are exchanged):
    1. Just Works
      • No user input required—easy but vulnerable to MITM attacks.
    2. Passkey Entry
      • One device displays a 6‑digit code which the user enters on the other device, adding protection against eavesdropping.
    3. Numeric Comparison (BLE 4.2+)
      • Both devices display a number; the user confirms they match to guard against MITM.
    4. Out of Band (OOB)
      • Uses an external channel (e.g., NFC) to exchange data securely before pairing, offering the strongest protection.
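Which of these four models a pairing actually uses is not chosen by the user; it follows from what each side declares in the SMP Pairing Request and Pairing Response that open the exchange. The added Python example below (not code from the original post) decodes those two 7-byte PDUs (IO capability, OOB flag, AuthReq bits for bonding/MITM/Secure Connections, maximum key size, key distribution), applies the selection rules from the Core Specification's IO-capability table reduced to the cases that decide the outcome, and lists what a reviewer of a captured pairing would flag: Just Works (so no MITM protection), legacy pairing, or a negotiated key shorter than 16 bytes. The PDUs are constructed, as is the phone/watch scenario.

```python
import struct

# Added example, not from the original post: decode the SMP Pairing Request /
# Pairing Response exchange, work out which association model results, and
# flag configurations that give no MITM protection. The PDUs are constructed.

IO_CAPABILITY = {
    0x00: "DisplayOnly",
    0x01: "DisplayYesNo",
    0x02: "KeyboardOnly",
    0x03: "NoInputNoOutput",
    0x04: "KeyboardDisplay",
}
KEY_DIST_BITS = [(0x01, "EncKey"), (0x02, "IdKey"), (0x04, "SignKey"), (0x08, "LinkKey")]


def parse_pairing_pdu(pdu: bytes) -> dict:
    """Pairing Request (0x01) / Pairing Response (0x02): 7 single-byte fields."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("expected a 7-byte SMP Pairing Request or Pairing Response")
    code, io_cap, oob, auth_req, key_size, init_dist, resp_dist = struct.unpack("7B", pdu)
    if not 7 <= key_size <= 16:
        raise ValueError(f"max encryption key size must be 7..16, got {key_size}")
    return {
        "code": "Pairing Request" if code == 0x01 else "Pairing Response",
        "io_capability": IO_CAPABILITY.get(io_cap, f"reserved 0x{io_cap:02X}"),
        "oob": oob == 0x01,
        "bonding": (auth_req & 0x03) == 0x01,           # bits 0-1: bonding flags
        "mitm": bool(auth_req & 0x04),                 # bit 2: MITM protection requested
        "secure_connections": bool(auth_req & 0x08),   # bit 3: LE Secure Connections supported
        "keypress": bool(auth_req & 0x10),             # bit 4: keypress notifications
        "max_key_size": key_size,
        "initiator_keys": [n for b, n in KEY_DIST_BITS if init_dist & b],
        "responder_keys": [n for b, n in KEY_DIST_BITS if resp_dist & b],
    }


def select_association_model(req: dict, rsp: dict) -> str:
    """Core Spec Vol 3 Part H 2.3.5.1 selection rules, reduced to the deciding cases."""
    sc = req["secure_connections"] and rsp["secure_connections"]
    if (req["oob"] and rsp["oob"]) or (sc and (req["oob"] or rsp["oob"])):
        return "Out of Band"
    if not (req["mitm"] or rsp["mitm"]):            # nobody asked for MITM protection
        return "Just Works"
    caps = {req["io_capability"], rsp["io_capability"]}
    if "NoInputNoOutput" in caps:                    # one side can neither show nor type anything
        return "Just Works"
    if sc and caps <= {"DisplayYesNo", "KeyboardDisplay"}:
        return "Numeric Comparison"
    if caps <= {"DisplayOnly", "DisplayYesNo"}:     # nobody can type a passkey
        return "Just Works"
    return "Passkey Entry"


def assess_pairing(req_pdu: bytes, rsp_pdu: bytes) -> dict:
    """Summarize the exchange and list the weaknesses a reviewer would note."""
    req, rsp = parse_pairing_pdu(req_pdu), parse_pairing_pdu(rsp_pdu)
    model = select_association_model(req, rsp)
    key_size = min(req["max_key_size"], rsp["max_key_size"])   # the smaller offer wins
    findings = []
    if model == "Just Works":
        findings.append("Just Works selected: pairing has no MITM protection")
    if not (req["secure_connections"] and rsp["secure_connections"]):
        findings.append("LE legacy pairing: at least one side did not offer Secure Connections")
    if key_size < 16:
        findings.append(f"negotiated encryption key size is {key_size} bytes, below the 16-byte maximum")
    return {"model": model, "key_size": key_size, "findings": findings}


# Constructed exchange: phone (KeyboardDisplay, bonding|MITM|SC) <-> watch
# (NoInputNoOutput, bonding|SC, no MITM). The watch's IO capability alone forces Just Works.
SAMPLE_REQ = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x07, 0x07])
SAMPLE_RSP = bytes([0x02, 0x03, 0x00, 0x09, 0x10, 0x01, 0x01])

if __name__ == "__main__":
    print(parse_pairing_pdu(SAMPLE_REQ))
    print(parse_pairing_pdu(SAMPLE_RSP))
    print(assess_pairing(SAMPLE_REQ, SAMPLE_RSP))
```

The scenario shows the practical consequence of the list above: a wearable with no display and no buttons can only ever reach Just Works, however strongly the phone asks for MITM protection, so for such a device the security review has to look elsewhere (application-layer checks, what the writable characteristics allow) rather than at the pairing model.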

Wrapping Up & What’s Next

We’ve covered the basics of Bluetooth Low Energy: how it works, why it’s used, key concepts like GAP, GATT, advertising, scanning, and how BLE devices communicate through services and characteristics. This foundation gives you the context needed to start interacting with real devices.

In Blog 2, we’ll dive into the actual communication between a BLE smartwatch and its app, capturing it using HCI snoop logs and analyzing it with Wireshark to uncover how the app talks to the device.

Then in Blog 3, we’ll use that information to manually connect to the device using gatttool, write custom values to it, and see how those changes reflect on the smartwatch. Let’s move from learning how BLE works to actually making it work for us.