Jan 13 2016

http://makezine.com/2014/01/03/reverse-engineering-the-estimote/

The case is made of soft silicon with a rubberized feel and it is entirely closed so that it’s waterproof. I more-or-less had to destroy the enclosure to extract the PCB from it, which also means that changing the batteries—at least on the models in the preview kit—isn’t going to be possible. However it does mean that you can install it outdoors, which is a big plus point for some use cases.

The Estimote Beacon is built around a Nordic Semiconductor nRF51822. You can also see the on-board antenna for the Bluetooth LE radio to the right of the picture.

The Estimote is built around the Nordic Semiconductor nRF51822, which explains their presence on the Nordic booth at CES. It’s a nice chip, basically a 32-bit ARM Cortex M0 CPU with 256KB of flash and 16KB of RAM with a built-in 2.4GHz radio supporting both Bluetooth LE as well as proprietary 2.4GHz operation, where the 2.4GHz mode is on-air compatible with the nRF24L series products from Nordic.

What does the Estimote Beacon advertise?

Using Sandeep's noble package for node.js we can look at what’s advertised by one of the beacons, using the advertisement discovery script included with the package.

An Estimote beacon, picked at random from our developer preview kit, with a Bluetooth Address of E7:44:89:31:ED:4E advertises a local name of “Estimote”, along with some service and manufacturer data. However it doesn’t seem to advertise any service UUIDs.

Taking a closer look at the manufacturer data then, the data advertised by the beacon was,

4C00 02 15 B9407F30F5F8466EAFF925556B57FE6D ED4E 8931 B6

Breaking this down,

  • First two bytes are the Apple Company Identifier (Little Endian) 0x0042.
  • The third byte—at least most likely—specifies the data type, which is 2.
  • The fourth byte specifies the remaining data length, 21 bytes.
  • Estimote Beacons have a fixed iBeacon UUID of B9407F30-F5F8-466E-AFF9-25556B57FE6D.
  • The next two bytes after the iBeacon UUID are the iBeacon Major (Big Endian), i.e. 0xED4E, 60750.
  • The next two bytes after the iBeacon Major are the iBeacon Minor (Big Endian), i.e. 0x8931, 35121.
  • The final byte is the measured RSSI at 1 meter away, i.e. 0xB6, -74.

Effectively the Estimote isn’t doing anything special here; this is just standard iBeacon data. Three of the properties create the beacon’s identity. These are:

  • UUID — This is a property which is unique to each company; in most use cases the same UUID would be given to all beacons deployed by a company (or group). Estimote is unusual in that they’ve fixed the UUID for all “their” beacons to be the same.
  • Major — The property that you use to specify a related set of beacons, e.g. all the beacons in one store would share the same Major value.
  • Minor — The property that you use to specify a particular beacon in a location.

We need to look at the service data advertised by the beacon,

0A18 4EED318944E7 B6 4EED 3189

to see anything Estimote specific,

  • The first two bytes specify this service data is for a service with UUID 0x180A.
  • The next 6 bytes are the Bluetooth Address but in reverse order, E7:44:89:31:ED:4E.
  • The next byte, 0xB6, matches the measured RSSI at 1 m away.
  • The next 2 bytes match the iBeacon Major, but this time it’s Little Endian.
  • The final 2 bytes match the iBeacon Minor, again in Little Endian format.

According to the Bluetooth core specification, service data must be prefixed with the 16-bit UUID of the service the data is for. Here, for the Estimote, the service data is for a service with UUID 0x180A, which is interesting because, as we’ll see later when we look at the GATT, that service doesn’t exist on the device.
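As an added example (not code from the original article or from noble), here is a decoder for the two payloads broken down above, fed the exact bytes captured from the beacon. It also cross-checks the fields that appear in both payloads (Major, Minor, measured power) and the reversed address against the address the scanner itself reported, which is a cheap sanity check to run on every advertisement before trusting it. Assumes Node.js (for `Buffer`); the hex constants are the page's bytes re-typed without spaces.

```javascript
// Bytes captured from the beacon on the page, without the spacing used in the write-up.
const MANUFACTURER_HEX = '4C000215B9407F30F5F8466EAFF925556B57FE6DED4E8931B6';
const SERVICE_HEX = '0A184EED318944E7B64EED3189';
const SCANNED_ADDRESS = 'E7:44:89:31:ED:4E'; // address noble reported for this beacon

// Format a 16-byte buffer as 8-4-4-4-12 upper-case UUID text.
function formatUuid(buf) {
  const h = buf.toString('hex').toUpperCase();
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

// Parse iBeacon manufacturer data: company id (LE), type, length, UUID, Major/Minor (BE), power.
function parseIBeacon(hex) {
  const b = Buffer.from(hex, 'hex');
  if (b.length !== 25) throw new Error(`expected 25 bytes, got ${b.length}`);
  const type = b[2];
  const length = b[3];
  if (type !== 0x02 || length !== 0x15) throw new Error('not an iBeacon frame');
  return {
    companyId: b.readUInt16LE(0), // bytes 4C 00 little-endian -> 0x004C
    uuid: formatUuid(b.subarray(4, 20)),
    major: b.readUInt16BE(20),
    minor: b.readUInt16BE(22),
    measuredPower: b.readInt8(24), // signed dBm at 1 m
  };
}

// Parse Estimote service data: service UUID (LE), reversed address, power, Major/Minor (LE).
function parseEstimoteServiceData(hex) {
  const b = Buffer.from(hex, 'hex');
  if (b.length !== 13) throw new Error(`expected 13 bytes, got ${b.length}`);
  const addrBytes = Array.from(b.subarray(2, 8)).reverse(); // stored reversed in the air
  return {
    serviceUuid: b.readUInt16LE(0),
    address: addrBytes.map((x) => x.toString(16).toUpperCase().padStart(2, '0')).join(':'),
    measuredPower: b.readInt8(8),
    major: b.readUInt16LE(9),
    minor: b.readUInt16LE(11),
  };
}

// The repeated fields, and the embedded address, should all agree with what was actually scanned.
function advertisementConsistent(ibeacon, svc, scannedAddress) {
  return ibeacon.major === svc.major && ibeacon.minor === svc.minor &&
    ibeacon.measuredPower === svc.measuredPower && svc.address === scannedAddress;
}
```

Drop the two parsers into noble's `discover` callback (manufacturer data and service data are both exposed on the advertisement object) to get the same breakdown live instead of by hand.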

 Posted by at 6:01 am
