iOS advertisements in the background
Mobile phone developers have a hard time to use iOS advertisements when an app goes into background mode. However, with Crownstones we can receive all kind of BLE messages over the air. It is possible to receive data from iOS devices. It just requires more in-depth knowledge. A perfect challenge for Crownstone!
You can find many developers stating this problem (and no solutions) on StackOverflow:
- Advertising with iBeacon when app is in background
- Run iPhone as an iBeacon in the background
- iOS - iBeacon - Advertise (Broadcast) as beacon in Background after iOS 7.1 update
- CoreBluetooth advertising in background on iOS 10
- iOS BLE peripheral / advertisement data in background mode
- BLE : Advertising of UUID from background iOS app (I’ve added my answer there)
Somehow nobody started to actually look at the bits send over the air… People know that one iPhone can receive these UUIDs from another iPhone, so it is interesting that no one actually tries reverse engineering the “protocol”.
There is a so-called overflow area according to Apple documentation. More information can be found in this archive page about Core Bluetooth concepts.
I’ve sniffed the packets over the air. You can read the details on github. What iOS does is broadcasting custom packages with particular bits representing UUIDs. For example UUID
3333 is represented by a bit going up in the BLE package.
04 3E 24 02 01 00 01 8C 91 A0 AD 8F 40 18 02 01 1A 14 FF 4C 00 01 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 D3
You see here
02 somewhere surrounded by zeros (preceding
D3 the 8-bit RSSI value).
Every UUID is one-hot encoded to a bit in this range. This will lead to collisions. You will notice that if you send
1001 by one iPhone and scan for
3333 by another iPhone you will receive the advertisements as if UUID
3333 is sent.
Note, there is a lot of nonsense written about this. For example, it is just a regular undirected BLE packet; it is not a scan response.
In the following figure is seen how reliable to advertisements arrive over the weekend. Three iPhones have been sending advertisements when the app was in the background. The first sending UUID
1000, the second sending UUID
FFFF, and the third sending UUID
Time is on the x-axis (over a couple of days). The interval between messages is plotted on the y-axis. You see that at times the intervals are a multiple of 0.2 seconds. The pictures are almost the same. The differences only become visible by zooming to shorter timescales. This means that this is an artifact from the laptop receiving the messages. The iPhones are broadcasting probably even more robust than this! Over the entire weekend the battery drop is like 25%, which has very likely to do with other things than broadcasting the BLE messages (checking wifi, movements, and other background processes).
You can download an application that runs on a computer with a 64-bit Linux operating system. You will need the following files.
To use install prerequisites, such as
sudo apt install libbluetooth. Check with
ldd ./lescan_crownstone in case you miss other libraries on your system.
lescan_crownstone binary with a comma-separated list of UUIDs:
sudo LD_LIBRARY_PATH=$LD_LIBRARY_PATH:. ./lescan_crownstone -u 1000,3333,FFFF
LD_LIBRARY_PATH only needs to be added when the linker cannot find the
libble++.so.5 library in the local path.
The exact mapping from UUIDs to the bit mask in the overflow area has been reverse engineered by Crownstone. If you are interested in this functionality, we can provide that under a suitable license.
27 June 2018