Query Bluetooth LE bicycle Cadence and Speed sensor using gattool

06/02/2018 - 12:57
No votes yet

How to query a Bluetooth LE bicycle Cadence and Speed sensor using gattool. Originaly written as two blog posts: Playing with CSCP Cycling Speed and Cadence using gattool & How How to get Cadense and speed information using gattool.

Find sensor device

First use hcitool to scan for your sensor device, you probably need to activate it in some way so that it powers on first. hcitool will scan for LE devices until you stop it with CTRL+C.

$ hcitool lescan

LE Scan ...
FC:11:EB:xx:xx:xx V05
D3:05:FD:xx:xx:xx V05
00:18:31:E4:D7:89 (unknown)

Connect to sensor

Find you Cadence sensor from the scan result list and connect to it using gattool in interactive mode (-I parameter).

$ gatttool -b 00:18:31:E4:D7:89 -I
[ ][00:18:31:E4:D7:89][LE]> connect

Now ask for the primary services from the device:

[CON][00:18:31:E4:D7:89][LE]> primary
attr handle: 0x0001, end grp handle: 0x000b uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle: 0x000c, end grp handle: 0x000f uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle: 0x0010, end grp handle: 0x001a uuid: 00001816-0000-1000-8000-00805f9b34fb
attr handle: 0x001b, end grp handle: 0x0029 uuid: 0000180a-0000-1000-8000-00805f9b34fb
attr handle: 0x002a, end grp handle: 0xffff uuid: 0000180f-0000-1000-8000-00805f9b34fb

Ask for the characteristics of the handler for the CSCP service (uuid 1816)

[CON][00:18:31:E4:D7:89][LE]> characteristics 0x0010 0x001a
handle: 0x0011, char properties: 0x10, char value handle: 0x0012, uuid: 00002a5b-0000-1000-8000-00805f9b34fb
handle: 0x0014, char properties: 0x02, char value handle: 0x0015, uuid: 00002a5c-0000-1000-8000-00805f9b34fb
handle: 0x0016, char properties: 0x02, char value handle: 0x0017, uuid: 00002a5d-0000-1000-8000-00805f9b34fb
handle: 0x0018, char properties: 0x08, char value handle: 0x0019, uuid: 00002a55-0000-1000-8000-00805f9b34fb

Ask for the character descriptor for the cadence information (uuid 2a5b)

[CON][00:18:31:E4:D7:89][LE]> char-desc 0x0011 0x0013
handle: 0x0011, uuid: 2803 handle: 0x0012, uuid: 2a5b handle: 0x0013, uuid: 2902

Enable notification by writing 0100 to handle 0x0013.

[CON][00:18:31:E4:D7:89][LE]> char-write-req 0x0013 0100
Characteristic value was written successfully

You should now start to get notifications from the device, that looks similar to these:

Notification handle = 0x0012 value: 03 ce 00 00 00 82 20 ea 00 be d8 
Notification handle = 0x0012 value: 03 cf 00 00 00 aa dd ea 00 be d8

Interpred Notification Result

Notification handle = 0x0012 value: 03 c8 00 00 00 06 99 e1 00 45 99
Notification data explained
Byte location Byte 1 Bytes 2,3,4,5 Bytes 6,7 Bytes 8,9 Bytes 10,11
Description What data is available, crank=0x01 and wheel=0x02 Wheel revolutions Wheel event timestamp Crank revolutions Crank event timestamp
Sample data 0x03 C8 00 00 00 06 99 E1 00 45 99


Blueooth LE, BLE, Cadence