Summary
As we all know, the running check-in is a very difficult task for college students, so all sorts of methods have emerged: the athletic run it themselves, the weak check in as a relay, some use bicycles or electric scooters as their "running" transport, and the newest approach is simulated positioning.
Currently, Zuojialong Vocational School uses a self-developed running check-in WeChat mini program, which obtains limited information from the user's device. Therefore, it is relatively easy to achieve simulated positioning check-ins.
Previously, iOS devices could use iTools to change their location for running. Android devices were a bit more complicated: the bootloader had to be unlocked, Magisk flashed, and then Fake Location granted the permissions it needs to achieve the location change. With the above methods, during my freshman year I could check in while eating, during class, lying in bed, and even while taking a dump.
This semester, the running check-in started on September 5th. I spent 9 CNY on a monthly membership for Fake Location, ready to use the same trick again. However, when I opened the check-in mini program, I found that I couldn't start a check-in. After consulting customer service, I learned that the school had installed related equipment on the playground and would use it to determine whether students were actually on the playground.
[Screenshot (collapsed): chat history with customer service]
At this point, there are two options: ① Before each check-in, go to the playground and wait for the device to detect the Bluetooth signal from the playground equipment before starting the simulated positioning check-in; ② Clone the Bluetooth information of the playground equipment, then use your own device to broadcast it, thereby enabling check-ins anytime, anywhere.
Obviously, the former option would waste a lot of energy during the process of going to (leaving) the playground, which is not a good thing for environmental protection. Therefore, I chose the latter option.
Solution Process
First of all, I took my phone and tablet to the playground.
After arriving at the playground, I opened the Bluetooth settings interface on my phone, searched for Bluetooth devices, and saw many devices.
[Screenshot (collapsed): Bluetooth scan results on the playground]
From walking around the playground and combining that with information found online, I worked out that HB511007XXXX should be the Bluetooth signal of the HelloBike shared bikes parked by the road, and that xBeacon should be the device the school had newly installed.
Next, we use nRF Connect to view more information.
It can be seen that this thing uses the iBeacon protocol. For more information about iBeacon, you can refer to the relevant documentation.
Wikipedia provides the following information:
iBeacon is different from some other location-based technologies because the broadcasting device (beacon) is only a one-way transmitter to the receiving smartphone or receiving device, and a specific application needs to be installed on the device to interact with the beacon. This ensures that only the installed application (not the iBeacon transmitter) can track it as the user moves around the transmitter.
This further explains that the phone only receives signals emitted by xBeacon in one direction to determine whether it is in a legal area.
Therefore, as long as we simulate this iBeacon signal, we can achieve our goal. You can buy many iBeacon modules on Taobao, but the average price is over 80, which makes me not want to buy them.
I tried to use some software on my phone/computer to emit simulated signals.
After testing, Beacon Simulator can clone information other than the Bluetooth MAC address, as shown in the following figure:
It can be seen that the advertising information (RAW), UUID, Major, Minor, and other information of the two are exactly the same. At this point, we need to test whether it can meet the needs of simulating check-ins.
To avoid interference from the original signals on the playground, I took the tablet and phone about two hundred meters away. After confirming that I could no longer detect the xBeacon signal from the playground, I started broadcasting the simulated signal and then opened the running check-in mini program. The broadcast itself worked without problems, but it was useless: the mini program still would not let me start the check-in.
I returned to the playground.
Therefore, the running check-in mini program must only accept advertising data coming from Bluetooth devices with specific MAC addresses. When simulating, the MAC address needs to be reproduced as well, not just the payload.
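To make concrete what the mini program actually has to work with, here is an added example (not code from the original post) that splits a raw BLE advertisement into its AD structures and decodes the iBeacon fields the scanner screenshots show (UUID, Major, Minor, TX power). The sample advertisement and its UUID are constructed values, not the school's. Every field recovered is a static identifier readable by any scanner, and the frame carries no nonce or signature, which is why a verifier that trusts these fields, or the equally static advertiser address, cannot tell a clone from the genuine transmitter.

```python
import uuid

# Constructed sample advertisement (31-byte limit): a Flags structure followed by
# Apple's manufacturer-specific iBeacon structure. Values are made up for illustration.
SAMPLE_ADV = bytes.fromhex(
    "020106"                            # len=2, type=0x01 Flags, LE General Discoverable
    "1aff4c000215"                      # len=26, type=0xFF, company 0x004C (LE), 0x02, 0x15
    "12345678123412341234123456789abc"  # 16-byte proximity UUID (constructed)
    "0001"                              # Major (big-endian)
    "0002"                              # Minor (big-endian)
    "c5"                                # measured TX power at 1 m, signed (-59 dBm)
)


def parse_ad_structures(raw: bytes):
    """Split raw advertising data into (ad_type, payload) tuples; stops at a zero length."""
    structures, i = [], 0
    while i < len(raw):
        length = raw[i]
        if length == 0:
            break
        if i + 1 + length > len(raw):
            raise ValueError("truncated AD structure")
        structures.append((raw[i + 1], raw[i + 2 : i + 1 + length]))
        i += 1 + length
    return structures


def parse_ibeacon(raw: bytes):
    """Return the iBeacon fields from an advertisement, or None if it is not an iBeacon frame."""
    for ad_type, payload in parse_ad_structures(raw):
        # Manufacturer-specific data: company ID (LE) + 0x02 0x15 + 21 bytes of beacon data
        if ad_type != 0xFF or len(payload) != 25:
            continue
        company = int.from_bytes(payload[0:2], "little")
        if company != 0x004C or payload[2] != 0x02 or payload[3] != 0x15:
            continue
        return {
            "uuid": str(uuid.UUID(bytes=payload[4:20])),
            "major": int.from_bytes(payload[20:22], "big"),
            "minor": int.from_bytes(payload[22:24], "big"),
            "tx_power": int.from_bytes(payload[24:25], "big", signed=True),
        }
    return None


if __name__ == "__main__":
    print(parse_ibeacon(SAMPLE_ADV))
```

Note that nothing in the decoded dictionary changes between broadcasts; a receiver can only check that the values match a list, which is exactly the property the rest of this post relies on.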
I went back to Taobao and, after talking with a merchant, learned that the ECB02U Bluetooth module can have both its MAC address and its RAW advertising data modified (and it only costs a little over ten yuan including shipping), so I placed an order without hesitation. (As for why I later asked for a refund, I will explain below.)
On the way back to the dormitory, I happened to see a post written by @ztc1997 on a certain security platform. He developed an Xposed module that can simulate the broadcast of BLE peripheral devices.
[Screenshot (collapsed): @ztc1997's post about the Xposed module]
After returning to the dormitory, I successfully simulated the signal emitted by an xBeacon transmitter with a MAC address of D4:10:28:00:03:11 using this module.
I tried the running check-in again, and this time it located successfully (while I was sitting in the dormitory).
At this point, the problem was solved. All that was needed: 9 yuan RMB (for the Fake Location membership), an unlockable Android device, and a pair of not-too-clumsy hands.
2022/09/20: After verification, iOS device owners can purchase the ECB02U Bluetooth module to simulate Bluetooth and combine it with iTools to simulate location check-ins.
2022/10/13: Simulating BLE Signals with the ECB02U Bluetooth Module