webbluetoothcg / registries
A collection of registries, for use in the Web Bluetooth spec
License: Apache License 2.0
The service UUID is 00001016-d102-11e1-9b23-00025b00a5a5
The only information I could find on that service is here: https://www.csrsupport.com/download/49800/CS-327746-RP-1-Training%20and%20Tutorials%20-%20CSR%20Over-the-Air-Update.pdf
The protocol seems to do challenge-response with a shared key, rather than properly signing the firmware.
Sometimes there are collisions between blacklisted Service UUIDs and non-blacklisted Characteristic UUIDs which results in missing features for Web Bluetooth. For example the FIDO Service (0xfffd) is blacklisted; Playbulb uses that UUID for one of its characteristics which means we can't use the characteristic on Playbulb.
Hi there,
Please blacklist the FIDO U2F Service: 0xFFFD. If this service is not blacklisted, the phishing protection offered by FIDO U2F devices will be compromised.
Bluetooth ORG's 16-bit allocated uuids for SDOs: https://www.bluetooth.com/specifications/assigned-numbers/16-bit-uuids-for-sdos
Specification for those that might be interested: https://fidoalliance.org/specs/fido-u2f-bt-protocol-id-20150514.pdf
When trying to connect to a Polar H6 heart-beat measurement device, the recommended standard procedure failed.
In the Polar reference implementation for Android we can see that the descriptor needs to be modified (search for BluetoothGattDescriptor.ENABLE_NOTIFICATION_VALUE in the example Android code).
In summary, WebBluetooth blocks what the manufacturer recommends. This clearly limits the value of WebBluetooth.
00001530-1212-efde-1523-785feabcd123
The latest version, v11, of the nRF5 SDK doesn't support checking signatures of transferred firmware images. That introduces what I think is an unacceptable risk of users being phished to update their devices to malicious firmware. There's some experimental support, for manufacturers who go looking for it, but it's undocumented, and I don't expect enough to adopt it to justify the risk to everyone else.
Let's discuss here if there are any mitigations I've missed that would argue against blacklisting.
I'm currently developing a product which I'm hoping will be used heavily with Web Bluetooth.
I had planned on updating firmware over BLE (obviously allowing any device to update firmware was insecure, so it would have needed physical access to the device to have put it into bootloader mode). Unfortunately I've just found out that this is now blocked because it might be insecure on some devices and I'll have to wait for a new bootloader version from Nordic.
I already own maybe 10 devices that implement DFU, and on these it was done in a sensible way that wouldn't have been a security problem. These can no longer be updated by Web Bluetooth. There are probably over 100,000 devices like this out there that can no longer be updated.
It's even more worrying as I was on the cc list of the emails about getting Web Bluetooth and OTA updates working, and yet even then I had no idea this was now blocked until a few days ago.
I also use the Nordic UART UUIDs for a UART service, so that I can be compatible with existing apps that use the service.
My worry is that at some point in the future, a manufacturer is going to do something dodgy like make a pacemaker with a Nordic UART UUID (which let's face it, is quite likely) and then you will feel compelled to block that UUID in Web Bluetooth - breaking it for everyone who is using that service (it's not just me - Adafruit use it on their BLE products and apps, as do many others).
Or what if someone cloned a legitimate product's UUID, and allowed someone to do something dangerous with it. Are you then going to block even the legitimate product?
How can we ensure this doesn't happen, or that people are notified if it is about to happen?
Can we have a flag, or a black-whitelist that allows certain URLs to keep using the blacklisted UUIDs if their product depends on it?
If any manufacturer can have their product remotely disabled at any time without notice, it's going to be hard to convince anyone to invest the time to use Web Bluetooth for anything serious.
Some months ago https://mrdoob.github.io/daydream-controller.js/ stopped working.
After a long day investigating these are my findings:
characteristicvaluechanged no longer fires.
00002902-0000-1000-8000-00805f9b34fb to new Uint8Array( [ 1 ] ). Source.
00002902-0000-1000-8000-00805f9b34fb is blocklisted in this repo.
Was that blocklisting specifically for Daydream Controller or was that a side effect?
Is there a chrome flag to disable the blocklisting so I can use the controller for prototyping?
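The two reports above (the Playbulb characteristic that reuses the blocked FIDO UUID, and the blocked 00002902 descriptor on the Daydream controller) both come down to how a blocklist keyed only on UUID is matched. The sketch below is an added example, not code from this thread, the registry or any browser; the function names, the one-entry-per-line format and the exclude-reads/exclude-writes tokens are assumptions modelled on the Web Bluetooth spec, and the sample list is constructed from UUIDs quoted on this page.

```javascript
const BASE_SUFFIX = '-0000-1000-8000-00805f9b34fb';
const UUID_RE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/;
const TOKENS = new Set([undefined, 'exclude-reads', 'exclude-writes']);

// Expand a 16-bit alias such as 0xfffd to 128 bits; lowercase full UUIDs.
function canonicalUUID(id) {
  return typeof id === 'number'
    ? id.toString(16).padStart(8, '0') + BASE_SUFFIX
    : id.toLowerCase();
}

// One entry per line: "<uuid>" or "<uuid> exclude-reads|exclude-writes".
// Assumed format; blank lines and lines starting with '#' are skipped.
function parseBlocklist(text) {
  const rules = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const [uuid, token, ...rest] = line.split(/\s+/);
    if (!UUID_RE.test(uuid) || !TOKENS.has(token) || rest.length > 0) {
      throw new Error('malformed blocklist line: ' + line);
    }
    rules.set(uuid, token || 'exclude');
  }
  return rules;
}

// The lookup is keyed on the UUID alone, so a rule written for a service
// also hits a characteristic or descriptor that reuses the same value.
function isAllowed(rules, id, op) {
  const rule = rules.get(canonicalUUID(id));
  if (rule === undefined) return true;
  if (rule === 'exclude') return false;
  return rule === 'exclude-reads' ? op !== 'read' : op !== 'write';
}

// Constructed sample: UUIDs quoted on this page, access tokens assumed.
const BLOCKLIST = parseBlocklist(`
0000fffd-0000-1000-8000-00805f9b34fb
00001530-1212-efde-1523-785feabcd123
00002902-0000-1000-8000-00805f9b34fb exclude-writes
`);

// List every access the blocklist refuses for a device's attribute table.
function audit(rules, attrs) {
  return attrs.flatMap(a => ['read', 'write']
    .filter(op => !isAllowed(rules, a.uuid, op))
    .map(op => `${a.kind} ${canonicalUUID(a.uuid)} ${op}`));
}
```

Running `audit` over a device's attribute table before shipping a Web Bluetooth page shows which characteristics or descriptors will be unreachable because their UUID collides with a blocked entry.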
Like the Nordic DFU service (#7), TI's update service also doesn't require signatures by default. The CC254x version of it appears to have support for encrypting the image with a symmetric key that would be embedded in all copies of the firmware, but that's missing from the CC26xx version.
This UUID is f000ffc0-0451-4000-b000-000000000000.
The Cypress Bootloader Service allows a Bootloader component to update the existing firmware on the Cypress BLE device using the Bluetooth Low Energy interface as a communication interface.
Source: http://www.cypress.com/documentation/application-notes/an97060-psoc-4-ble-and-proc-ble-over-air-ota-device-firmware-upgrade
GATT Service UUID: 00060000-0000-1000-8000-00805F9B34FB
Hi, I am building a website with Web Bluetooth right now.
I have this problem that the device I want to connect to has many services, one of them is the blocked HID Service. Somehow I am not able to connect to any other service/characteristic from that device.
Is that a bug or is it meant to be that way?
When I browse the same website on my Android phone via Chrome I can connect to that device and the non-blocked services.
Took a while to get behind this; I am emulating the BLE device with and without the HID Service, and when the HID Service is disabled it does work fine via Chrome on Windows 10.
Hope I was clear enough.
Thanks for any answers