Hacking Dollar-Store Bluetooth Devices (The Kindness of Strangers) part 3

This is a continuation of “Hacking Dollar-Store Bluetooth Devices (The Kindness of Strangers) part 2”

Inspired by fellow SkullSpace member Edwin, who utilised a Bus Pirate to rewrite the Bluetooth device name via the EEPROM (note – this is indeed the right tool for the job), I took the initiative to do the same with my trusty Arduino Uno and some light coding.

Now, the neat thing about I2C is that it's multi-master capable; at least, the bus is designed to be. This means we can talk to the EEPROM without disconnecting its usual master (i.e. the Bluetooth IC). So, in short, you don't need to lift the pins on your EEPROM and toast the thing in the process:

Unfortunately I forgot about this design feature, and spent quite a bit of time trying to read this IC from the Arduino. It wasn't until I tried the same method on my second Bluetooth device that I realised the first one was toasted:

After hacking a few devices (into oblivion), you eventually learn that you should buy more than one. This time around I added a terminal block and hot glue for stability.

With that all wired up, I connected my Arduino and started testing that I could read EEPROM addresses:

It turns out that the "AB Shutter" device name was not where I expected it to be based on my binary image – the most likely explanation is that my binary-processing program is buggy 🙂 So, undeterred, I wrote a little Arduino sketch that searched through the EEPROM's memory byte by byte for the simple pattern "AB" (the first two characters of the device name). Interestingly, "AB Shutter" shows up at both 0x3B44 and 0x5B44. This is the sketch I used:

Then, knowing the address, I wrote another little sketch to overwrite that address space and confirm the change by reading it back. I wrote to 0x3B44, and the new data reads back correctly from both 0x3B44 and 0x5B44, suggesting some paging or mirroring is going on:

And, lo and behold, my PC picked it up with the new name! …almost:

The trailing " 3" is part of the old name – I tried overwriting it, with no success. Perhaps there is some paging mechanism I am not taking into account 🙂
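The search-then-overwrite procedure from the two sketches above, written out as an added example (this is not the post's own code, and none of the names in it come from the post). It assumes a 24Cxx-style EEPROM at the usual I2C address 0x50 with a 16-bit memory address sent MSB first, which the post does not state, so check the chip marking and the A0..A2 straps on your board. On a PC the same logic runs against a constructed in-memory model that ignores address bits above bit 12; that is only one possible explanation for the 0x3B44/0x5B44 mirroring (the two addresses differ by exactly 0x2000) and the real chip's geometry is not known from the post. The `EepromBus`, `WireEeprom`, `SimEeprom`, `findPattern`, `readSpan` and `writeAndVerify` names are mine. The host run also reads back the full span of the old name, which shows the untouched " 3" still sitting after a new name that is only as long as "AB Shutter".

```cpp
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

// Abstract byte access so the same search/overwrite logic can drive a real
// 24Cxx-style I2C EEPROM from an Arduino or an in-memory model on a PC.
struct EepromBus {
  virtual uint8_t readByte(uint16_t addr) = 0;
  virtual void writeByte(uint16_t addr, uint8_t value) = 0;
  virtual ~EepromBus() {}
};

#ifdef ARDUINO
#include <Wire.h>
// Real bus. 0x50 is the usual 24Cxx 7-bit address (assumed; check the A0..A2 straps).
struct WireEeprom : EepromBus {
  uint8_t dev;
  explicit WireEeprom(uint8_t devAddr = 0x50) : dev(devAddr) { Wire.begin(); }
  uint8_t readByte(uint16_t addr) override {
    Wire.beginTransmission(dev);
    Wire.write((uint8_t)(addr >> 8));    // memory address, high byte first
    Wire.write((uint8_t)(addr & 0xFF));
    Wire.endTransmission(false);         // repeated START keeps the bus for the read
    Wire.requestFrom(dev, (uint8_t)1);
    return Wire.available() ? (uint8_t)Wire.read() : 0xFF;
  }
  void writeByte(uint16_t addr, uint8_t value) override {
    Wire.beginTransmission(dev);
    Wire.write((uint8_t)(addr >> 8));
    Wire.write((uint8_t)(addr & 0xFF));
    Wire.write(value);
    Wire.endTransmission();
    delay(5);  // wait out the chip's internal write cycle before touching it again
  }
};
#endif

// Constructed host model: 8 KiB of cells with address bits above bit 12 ignored.
// ASSUMPTION made only to reproduce the mirroring seen in the post; the real
// chip's geometry is not known.
struct SimEeprom : EepromBus {
  uint8_t cells[0x2000];
  SimEeprom() { memset(cells, 0xFF, sizeof cells); }  // erased EEPROM reads 0xFF
  uint8_t readByte(uint16_t addr) override { return cells[addr & 0x1FFF]; }
  void writeByte(uint16_t addr, uint8_t value) override { cells[addr & 0x1FFF] = value; }
};

// Scan start..end (inclusive) byte by byte for `pat`; store each match address
// in `out`. Returns the number of matches stored (at most outCap).
size_t findPattern(EepromBus &bus, const uint8_t *pat, size_t patLen,
                   uint16_t start, uint16_t end, uint16_t *out, size_t outCap) {
  size_t found = 0;
  if (patLen == 0 || outCap == 0) return 0;
  for (uint32_t a = start; a + patLen - 1 <= end; ++a) {
    size_t i = 0;
    while (i < patLen && bus.readByte((uint16_t)(a + i)) == pat[i]) ++i;
    if (i == patLen) {
      out[found++] = (uint16_t)a;
      if (found == outCap) break;
    }
  }
  return found;
}

// Copy `len` bytes starting at `addr` into `buf`.
void readSpan(EepromBus &bus, uint16_t addr, uint8_t *buf, size_t len) {
  for (size_t i = 0; i < len; ++i) buf[i] = bus.readByte((uint16_t)(addr + i));
}

// Write `len` bytes at `addr`, then read them back; true only if every byte matches.
bool writeAndVerify(EepromBus &bus, uint16_t addr, const uint8_t *data, size_t len) {
  for (size_t i = 0; i < len; ++i) bus.writeByte((uint16_t)(addr + i), data[i]);
  for (size_t i = 0; i < len; ++i)
    if (bus.readByte((uint16_t)(addr + i)) != data[i]) return false;
  return true;
}

#ifndef ARDUINO
int main() {
  SimEeprom sim;
  // Plant the original name where the post found it (constructed contents).
  const char *oldName = "AB Shutter 3";
  for (size_t i = 0; oldName[i]; ++i) sim.writeByte((uint16_t)(0x3B44 + i), (uint8_t)oldName[i]);
  uint16_t hits[8];
  size_t n = findPattern(sim, (const uint8_t *)"AB", 2, 0x2000, 0x5FFF, hits, 8);
  for (size_t i = 0; i < n; ++i) printf("\"AB\" found at 0x%04X\n", hits[i]);
  // Overwrite only the 10 bytes of "AB Shutter", as the post did.
  const char *newName = "My Shutter";
  bool ok = writeAndVerify(sim, 0x3B44, (const uint8_t *)newName, strlen(newName));
  printf("write verified: %s; 0x5B44 now reads '%c'\n", ok ? "yes" : "no", sim.readByte(0x5B44));
  // Reading the full old span shows the untouched " 3" still following the new name.
  char span[13];
  readSpan(sim, 0x3B44, (uint8_t *)span, 12);
  span[12] = '\0';
  printf("span at 0x3B44: \"%s\"\n", span);
  return 0;
}
#endif
```

On the Uno the IDE defines `ARDUINO`, so `WireEeprom` replaces `SimEeprom` in `setup()`; a byte-at-a-time scan over 64 KiB of addresses is slow on the real bus, so scan in chunks and log hits over serial. Dumping the whole address range to a file before the first write gives you something to restore from if a write lands in the wrong place, and the read-back in `writeAndVerify` catches the common case where bytes sent before the chip finishes its write cycle are silently dropped.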

Next steps include searching through the memory with Arduino sketches and attempting to locate where it stores its keyboard "key codes", if it stores them at all. This would let me change which keys are sent to the PC/smartphone, at least in theory. Stay tuned!