Ticket Created
over 4 years ago

WERETECH-9123

Connect-IQ Ble advertising layer parsing bug, prevent many devices to function properly. (paired or not paired) Toybox::BluetoothLowEnergy::ScanResult:getRawData(), getServiceData , getServiceUuids are broken

Connect-IQ Ble advertising layer parsing bug, prevent many devices to function properly.
Reproduced on simulator, fenix 6x (9.0), fenix 6s.

Used bluetooth sniffer to confirm that the advertising bytes were correct, and different than what connect IQ returns.

When not paired :

Toybox::BluetoothLowEnergy::ScanResult:getRawData(), getServiceData , getServiceUuids
 are not receiving the proper data bytes from the network layer when **to be confirmed !!**the last advertising data type are :
 Complete List of 16-bit Service Class UUIDs

which is very common !
if the order is changed, and something else is set at the end, there is no problem at all.

In order to demonstrate this, I'm parsing the content of getRaw, using 2 stryd devices (ble indeed), one hardware v4 (last advertising data, is Shortened local name), which is working perfectly.

The parser, read all data, and decode them, now problem on this trace, it is complete, and perfectly good and valid.

devicename:Stryd kl
raw Adverting Data:[2, 1, 6, 7, 3, 24, 24, 20, 24, 10, 24, 9, 255, 170, 170, 210, 91, 0, 81, 82, 41, 9, 8, 83, 116, 114, 121, 100, 32, 107, 108]
--[AD Dump:
----[Record Dump:
    AD Len:2
    AD Type:Flags
    AD Type Integer:1
    AD Data Integer:[6]
    AD Data Hex:06
----[Record Dump:
    AD Len:7
    AD Type:Complete List of 16-bit Service Class UUIDs
    AD Type Integer:3
    AD Data Integer:[24, 24, 20, 24, 10, 24]
    AD Data Hex:181814180a18
    AD Data 16bits Service Class UUIDs:
        UUID: 0x1818
        UUID: 0x1418
        UUID: 0x0A18
----[Record Dump:
    AD Len:9
    AD Type:Manufacturer Specific Data
    AD Type Integer:255
    AD Data Integer:[170, 170, 210, 91, 0, 81, 82, 41]
    AD Data Hex:aaaad25b00515229
    AD Data String:ªªÒ[QR)
----[Record Dump:
    AD Len:9
    AD Type:Shortened Local Name
    AD Type Integer:8
    AD Data Integer:[83, 116, 114, 121, 100, 32, 107, 108]
    AD Data Hex:5374727964206b6c
    AD Data String:Stryd kl
--end of AD Dump]


Now, another generation of stryd (v3), where by lack of lack, advertising data last bytes are ...Complete List of 16-bit Service Class UUIDs

In this case, you can see that the raw data, is not correct, and stop before those advertising data.

If it was only the raw data, it won't be a problem, but getServiceUuids looks to use those bytes... so return none of those services.

devicename:Stryd
raw Adverting Data:[2, 1, 6, 9, 255, 170, 170, 115, 84, 0, 80, 82, 166, 6, 9, 83, 116, 114, 121, 100]
--[AD Dump:
----[Record Dump:
    AD Len:2
    AD Type:Flags
    AD Type Integer:1
    AD Data Integer:[6]
    AD Data Hex:06
----[Record Dump:
    AD Len:9
    AD Type:Manufacturer Specific Data
    AD Type Integer:255
    AD Data Integer:[170, 170, 115, 84, 0, 80, 82, 166]
    AD Data Hex:aaaa7354005052a6
    AD Data String:ªªsTPR¦
----[Record Dump:
    AD Len:6
    AD Type:Complete Local Name
    AD Type Integer:9
    AD Data Integer:[83, 116, 114, 121, 100]
    AD Data Hex:5374727964
    AD Data String:Stryd
--end of AD Dump]


When paired :

Class: Toybox::BluetoothLowEnergy::Device getService() and getServices()

are also affected !

This was confirmed with :
- nrf connect on android
- nrf connect desktop, with the nrf52 dongle I'm using for the simulator (confirmed into the simulator indeed)

Now, if it was only stryd, it would be okay, but my elliptical bike(FTMS profile), also adverstise services at the end... so they are not visible to the watch.

It is the same for many devices I checked, all that was availlable to me.

Is reporting to this forum enough to get it tracked by garmin ? anything else to do ?

Kind Regards.

Klick

Parents
  • If you are just starting with CIQ Ble, I have BleScan in the app store that lets you see what devices can be seen in a scan, and what's available as far as a name (most, you won't see one), and UUID (some you won't see one)

    https://apps.garmin.com/apps/9bcc8b66-8385-4afb-b93e-f69e01422284

    You can use this to check things out from the CIQ perspective. There are things you can see with something like nRFconnect you can't see in CIQ.

Comment
  • If you are just starting with CIQ Ble, I have BleScan in the app store that lets you see what devices can be seen in a scan, and what's available as far as a name (most, you won't see one), and UUID (some you won't see one)

    https://apps.garmin.com/apps/9bcc8b66-8385-4afb-b93e-f69e01422284

    You can use this to check things out from the CIQ perspective. There are things you can see with something like nRFconnect you can't see in CIQ.

Children
  • Not all devices can be seen with CIQ BLE.  Sometimes it's the flags used in the advertisement.  You can see what's being send as flags in rfConnect.

    Also, CIQ BLE is a minimal implementation and has always been.  A max of 3 services can be used/defined. Very small amounts of data and be sent/received.  There are also things hidden for security reasons, like the MAC address.

    With bleScan, you can see the raw data received, and it will be fairly small (<30 bytes).  What's in those 30 bytes can vary by sensor. 

  • Mmmm... I really don't know if I fully understand this bug actually. I have a device which (I think) I don't see neither in my implementation or your BLEScan app. Does the Garmin SDK change the order of the Bytes or something in getRawData()?

    This is the advertising packet I see with nRF desktop or Android:

    `0x09094F4E41533942383303030D180DFF010000000000D38F85919B830201060816262A322E322E30`

    ```
    LENGTH |                                  TYPE                                    | VALUE
              09 | 09 (Complete Local Name)                                    | 4F4E415339423833 (ONAS9B83)
              03 | 03 (Complete List of 16-bit Service Class UUIDs) | 0D18 (HR MONITOR)
              13 | FF (Manufacturer Specific Data)                            | 010000000000D38F85919B83
              02 | 01 (Flags)                                                               | 06 (LE General Discoverable Mode, BR/EDR Not Supported)
              08 | 16 (Service Data - 16-bit UUID)                             | 262A322E322E30

    ```

    Why is it? because it is too long (41 bytes)?

    Is there any clear reason that makes some devices appear and not other? I am able to connect to this device as a HR monitor in a regular activity such as a bike ride...