Reverse Engineering Bluetooth Vapes 2: Electric Boogaloo

After forgetting I have a blog for only a month (which is a record low… who knows, maybe we’ll get under the month mark soon) I finally got around to cleaning up and publishing my findings on the Pax Bluetooth protocol. If the idea of writing xblaze appeals to you, read on.

I haven’t really done any further work on the Pax since I published the last post. Real life got in the way and other things seemed more interesting at the time. I did manage to verify my findings with a few other folks, so they’re at least not completely worthless. What I did try to do is disassemble the firmware (after I got my hands on a dump), but it didn’t reveal much that I hadn’t already figured out.

The proof of concept macOS application I showed off in the last post is available here. It’s pretty awful code, but most of the Pax communication lives in its own classes. I originally planned to extract that into its own library and make that available instead, but here we are. It relies only on CoreBluetooth, so it should be reasonably easy to use on all Apple platforms that have that framework available.

On top of the code, I also cleaned up some of the notes I took during the entire reversing process. This covers supported message types, some more information about the underlying protocol, and additional information on some messages not documented elsewhere.

Hopefully, that’s enough to get this protocol implemented on other platforms. I assume most of this applies to the Era Pro as well, but I don’t have a device to test with.

Anyways, that’s all I’ve got today. Hopefully this will remain one of the shorter posts on here, and also hopefully I can stop neglecting this site for months at a time. I have a few neat 68000-related projects in the works I need to finish up and write about…