You don’t need to know Bluetooth. You don’t need hardware experience. You need curiosity and this guide.
Before You Start
Most BLE security tutorials assume you already know what GATT is. Or what advertising means. Or why pairing is dangerous.
They jump straight into attack tools and leave you copying commands you don’t understand.
This series is different.
I am learning this too. I wrote every part while figuring it out. Every confusion I had, every “wait, how does this actually work” moment, I documented. Because the best way to teach something is right after you’ve understood it yourself.
We start from the chip itself: what the nRF52840 is, what protocols it supports, and why a security researcher should care. Then we climb through protocol internals, lab setup, passive attacks, active attacks, and finally hardware-level exploitation.
By the end, you will not just know how to run a BLE sniff. You will understand why it works. And that’s the part that makes you dangerous.
Let’s go.
How to Use This Index
- Parts are released progressively. If a part has no link, it hasn’t been published yet.
- Work through phases in order. Each phase builds on the last.
- Every part links to the official Nordic or Bluetooth SIG documentation it references. Read those too; they are free and excellent.
- Stuck? Re-read the previous part before moving forward.
- Bookmark this page; it is your home base for the entire series.
Series Overview
| Phase | Theme | Parts |
|---|---|---|
| 1 | Understanding What You’re Holding | 1 – 4 |
| 2 | BLE Protocol: How It Actually Works | 5 – 10 |
| 3 | Setting Up Your Attack Lab | 11 – 14 |
| 4 | Passive Attacks: Sniffing and Reconnaissance | 15 – 20 |
| 5 | Active Attacks: MITM, Replay, and Fuzzing | 21 – 28 |
| 6 | Hardware-Level Security | 29 – 34 |
Phase 1 - Understanding What You’re Holding
Before you attack anything, you need to understand what you’re actually holding.
This phase is the foundation. Most people skip this and go straight to tools. Don’t. The nRF52840 is not “just a Bluetooth module.” It is a multi-protocol SoC with a security architecture worth studying before you even plug it in.
Official Reference: nRF52840 Product Page — Nordic Semiconductor
Official Reference: nRF52840 Product Specification (Block Diagram)
| # | Title | Status |
|---|---|---|
| Part 1 | What Is the nRF52840 and Why Should a Security Researcher Care? | |
| Part 2 | The Multi-Protocol Surface — BLE, Zigbee, Thread, NFC in One Chip | |
| Part 3 | Setting Up the nRF Connect SDK — Installing, Flashing, Hello World | |
| Part 4 | Reading the Memory Map — FLASH, RAM, UICR, and What Lives Where | |
Phase 2 - BLE Protocol: How It Actually Works
You can’t break something you don’t understand. This phase fixes that.
BLE is not one thing. It is a stack of layers. GAP handles discovery. ATT handles data storage. GATT handles how that data is organized. Security Manager handles pairing. If you skip this phase and go straight to attacking, you will copy commands without knowing why they work — or why they sometimes don’t.
Official Reference: Introduction to Bluetooth Low Energy — Adafruit Learn
Official Reference: ATT & GATT — Nordic Developer Academy
Official Reference: GATT Specification Supplement — Bluetooth SIG
| # | Title | Status |
|---|---|---|
| Part 5 | What Is BLE? How It’s Different From Classic Bluetooth | |
| Part 6 | Advertising Packets: What Your Device Broadcasts Before Anyone Connects | |
| Part 7 | GATT: How BLE Devices Exchange Data (Profiles, Services, Characteristics) | |
| Part 8 | Pairing and Bonding: How BLE “Authenticates” | |
| Part 9 | The Six Pairing Methods: JustWorks, Passkey, OOB, Numeric Comparison | |
| Part 10 | Why JustWorks Is a Security Disaster (And Why Millions of Devices Use It) | |
Phase 3 - Setting Up Your Attack Lab
No sanitized tutorials. Real setup. Real errors. Real fixes.
Every tool in this phase has a quirk that tutorials skip over. The nRF Sniffer has a firmware version dependency. Wireshark dissects BLE differently than you expect. GATTacker requires specific Python versions. I ran into all of these. I documented all of them.
Official Reference: nRF Sniffer for Bluetooth LE (Nordic Documentation)
Official Reference: nRF52840 DK Product Page (Nordic Semiconductor)
| # | Title | Status |
|---|---|---|
| Part 11 | What Tools You Actually Need: nRF Sniffer, Wireshark, GATTacker, Saleae | |
| Part 12 | Setting Up the nRF Sniffer Dongle: Installing, Configuring, First Capture | |
| Part 13 | Wireshark for BLE: Reading a Packet Capture Without Going Insane | |
| Part 14 | Picking Your Target Device: What Makes a Good Research Target | |
Phase 4 - Passive Attacks: Sniffing and Reconnaissance
Before you touch anything, you listen. This phase is entirely about listening.
Passive reconnaissance is underrated. Most beginners skip it because it feels boring compared to running actual attacks. That is a mistake. Everything you learn in passive recon directly improves your active attacks. You will know what services exist, what is exposed without pairing, and how the device behaves under normal operation before you ever send a single packet to it.
Official Reference: nRF52840 Wireshark Sniffer Guide — Novel Bits
| # | Title | Status |
|---|---|---|
| Part 15 | BLE Reconnaissance: Scanning, Enumerating, Reading Advertising Packets | |
| Part 16 | I Sniffed a BLE Conversation: Here’s What I Found | |
| Part 17 | Reading GATT Services Without Pairing: What’s Exposed by Default | |
| Part 18 | Extracting Device Information: Firmware Version, Manufacturer, Capabilities | |
| Part 19 | Passive Fingerprinting: Identifying a Device by Its Advertising Behavior Alone | |
| Part 20 | Building a Target Profile: Everything You Know Before You Touch the Device | |
Phase 5 - Active Attacks: MITM, Replay, and Fuzzing
This is where everything you’ve learned becomes a weapon.
Phase 5 is what most people come to BLE security research for. But if you skipped the earlier phases, this will feel like magic you can’t repeat. If you didn’t skip them, every attack here will make complete sense — because you already understand the protocol it’s exploiting.
Official Reference: Bluetooth Core Specification — Bluetooth SIG
| # | Title | Status |
|---|---|---|
| Part 21 | BLE MITM: The Concept, The Setup, The Limitations | |
| Part 22 | I Performed a BLE MITM Attack: Here Is What Happened | |
| Part 23 | Replay Attacks: Recording and Replaying BLE Commands | |
| Part 24 | I Replayed a BLE Lock Command: Here’s Exactly How It Worked | |
| Part 25 | GATT Fuzzing: Throwing Random Data at a BLE Device | |
| Part 26 | Fuzzing With BtleJuice: Setup, First Crash, What It Means | |
| Part 27 | CVE Hunting on BLE Devices: What to Look For and Where | |
| Part 28 | Writing a Simple BLE Security Audit Script in Python | |
Phase 6 - Hardware-Level Security
The chip has secrets the firmware doesn’t tell you. This phase goes there.
This is where the series connects back to hardware security. SWD is the debug interface that can bypass everything. UICR readback protection is what manufacturers use to stop you, and it fails in specific ways. If you’ve followed the ChipWhisperer series on this forum, Phase 6 will feel very familiar.
Official Reference: nRF52840 Product Specification (UICR Registers)
Official Reference: nRF52840 DK Block Diagram (Nordic InfoCenter)
| # | Title | Status |
|---|---|---|
| Part 29 | SWD: The Debug Interface That Can Unlock Everything | |
| Part 30 | Reading Firmware From a Live nRF52840 Over SWD | |
| Part 31 | UICR Readback Protection: What It Is, How It Works, How It Fails | |
| Part 32 | Bypassing Readback Protection: Fault Injection Theory | |
| Part 33 | nRF52840 + ChipWhisperer: Power Analysis on a Bluetooth SoC | |
| Part 34 | Series Wrap-Up: From Sniffing Packets to Stealing Firmware, What You Now Know | |
Tools Used in This Series
| Tool | Purpose | Source |
|---|---|---|
| nRF52840 DK / Dongle | Primary research hardware | Nordic Semiconductor |
| nRF Connect SDK | Firmware development and flashing | Nordic Documentation |
| nRF Sniffer for BLE | Passive BLE packet capture | Nordic Documentation |
| Wireshark | Packet analysis | wireshark.org |
| GATTacker | BLE MITM framework | GitHub |
| BtleJuice | BLE fuzzing and proxy | GitHub |
| nRF Connect (Mobile) | GATT browser and testing | Nordic Semiconductor |
| Python + BlueZ | Scripting BLE attacks | Standard Linux BLE stack |
| ChipWhisperer | Power analysis (Phase 6) | NewAE Technology |
| Saleae Logic Analyzer | Signal capture (Phase 6) | saleae.com |
Key Official References
Everything in this series is grounded in real documentation. These are the primary sources:
- nRF52840 Product Page (Nordic Semiconductor)
- nRF52840 Product Specification, Full Datasheet (Nordic InfoCenter)
- nRF52840 SoC Block Diagram (Nordic InfoCenter)
- nRF52840 DK Block Diagram (Nordic InfoCenter)
- ATT & GATT Explained (Nordic Developer Academy)
- Introduction to BLE (Adafruit Learn; covers GATT, GAP, Profiles)
- GATT Specification Supplement (Bluetooth SIG)
- Bluetooth Core Specification (Bluetooth SIG)