Hacking the Bosch GLM 20 Laser Measuring Tape

[TrickyNekro]

I haven´t seen if that is actually posted by someone else but...

The photosensor seems to have two seperate arrays, one could be used for ambient detection and dynamic range, the other for that price range would be used for triangulation.

You say the device was unaffected by another laser but... Have you seen if there are any filters in the optics or not? Are you sure your interference laser is of the same wavelength as the sensor laser?
And it could be using a form of modulation to distinct between laser sources, but that would be rather low freq. modulation. You only need to test the laser with a current probe and a scope.
A normal voltage prob even when AC coupled might not bring much, but try it first.

[jgustavoam]

Some interesting Patents of Robert Bosch manufacturer, about Laser distance meters :

Laser distance measuring device
https://patents.google.com/patent/US7075626B2

Device for measuring distance using a semiconductor laser in the visible wavelength range
https://patents.google.com/patent/US6369880B1

Measuring Apparatus and Referencing Method for a Digital Laser Distance Meter
https://patents.google.com/patent/US20140168632

Multi-Target Laser Distance Meter
https://patents.google.com/patent/US20170074975A1

Device and method for optical distance measurement
https://patents.google.com/patent/US6801305B2/en

Device and method for optical distance measurement
https://patents.google.com/patent/US7728957B2/en

[jgustavoam]

Array size is quess based on image.

I was able to see external laser pointers dot in intensity part of dataflow, which matched array horizontal positions.
Laser pointer didn't interference with measurement.

I think distance is calculated from phase difference of transmitted and received modulated laser pulse.(+light intensity)

I guess you are correct !


Device and method for optical distance measurement
https://patents.google.com/patent/US6801305B2/en

Device and method for optical distance measurement
https://patents.google.com/patent/US7728957B2/en

"In addition to the embodiment that has been described up to this point, which is used essentially to determine the time delay of the measurement signal between the measurement device 10 and the target object 20, an in particular to determine such a time delay by means of a phase measurement, the device 10 according to the present invention also has an additional reception unit 19 equipped with a triangulation sensor 66. This additional reception unit 19 is essentially comprised of a projection lens 51 for the triangulation and a position-sensitive detector 55. In lieu of the projection lens, it is possible to alternatively provide, or to additionally provide along with the projection lens, a circular aperture 53 as a projection aperture, which assures the required depth of field"

[voltsandjolts]

if i meassure 3729mm i get the result 0d1b hex

Two bytes doesn't seem enough, maybe should be four bytes like user 'rtv' post above.
IEEE754 floating point format converter:
https://babbage.cs.qc.cuny.edu/ieee-754.old/32bit.html

[A32]

Hi. What are the components on your picture? I need to  replace them but cant recognize

[mcb]

I think that the sensor array is not for triangulation but for laser interferometer.
It seems  plr15 uses laser interferometry with a sweeping laser diode or at least the laser's frequency could be adjustable to measure the distance.
That sensor array is used to get fringe patterns.

[gjakobsche]

Has anyone investigated the pads on the front of the PCB for additional function buttons? The GLM 20 has only one button, but according to the pictures, it has pads for four additional buttons. Do any of them do anything? Or, does Bosch use the same PCB for several models of LDMs, perhaps with different microcode and/or different microcontrollers?
-George

[Razor512]

Sorry if off topic, I was wondering do any of the common laser distance measuring devices have a simple way to increase the laser's output power? Most tend to do a fraction of a milliwatt, but often have laser modules that can easily do 5 milliwatts+


One of the biggest issues especially with lower cost devices, is measurements and accuracy when light levels are high or when outdoors. The more expensive devices will have a brighter laser that allows them to do things like measure 40-50 meters outdoors, while some cheaper ones (rated for 60+ meters) will have the laser become invisible after around 15-20 meters outdoors, thus causing the unit to fail to measure the distance. It would also be interesting considering how it is common to see 3 or so different models of a cheap laser distance measure where they look the same but for the max range and laser intensity. It makes me thing they are just increasing the upper limit on what numbers it will display in firmware, and then increasing the laser output to cover that distance.

It would be awesome if  the laser output could be tweaked for a little higher output while still maintaining accuracy.

[iliasam]

Also sorry for offtopic, maybe my research would we interested to someone here: https://github.com/iliasam/Laser_tape_reverse_engineering
I successfully completed reverse engineering hardware of a cheap chinese laser tape measure and write my own code for its MCU.
I was more concentrated at measurements speed instead of accuracy.

Back to topic: I tried to make reverse engineering of my BOSCH PLR15 laser tape measure a long time ago - nearly in 2015. It has the same SOC sensor as was mentioned here.
I suppose that this integrated sensor is containing two SiPM photosensors: https://en.wikipedia.org/wiki/Silicon_photomultiplier
SiPM sensors are containing a lot of SPAD diodes, connected in parallel, so it is not possible to say that BOSCH sensor can detect and analyze image. 
Probably this laser tape measure is using phase method for distance measurement - one photosensor is used for measuring distance, another one is used as a reference channel.
I tried to analyze SPI data and (as I can remember) - resulting data was looking as sinusoidal signals.
Also there was some strange data that I can't process.

[Dainius_UK]

Hi.
Thanks everyone for sharing your research.
Don't know if this will have any benefit to anyone or this research. But I have decompiled "Bosch MeasureON" android apk file using "JADX"https://github.com/skylot/jadx

https://www.dropbox.com/s/3xcvlzzflls3eky/Crc.PNG?dl=0
https://www.dropbox.com/s/x2gimzjl9at4388/MtBLE.PNG?dl=0
https://www.dropbox.com/s/x0x5j41wt9qxgzp/MtFrame.PNG?dl=0
https://www.dropbox.com/s/loe53yrf6579fnr/MtProtocol.PNG?dl=0

And there is tons of info on Bosch GLM100C measure tape connection protocols, crc calculation, both classic and BLE......

[elham]

Dear Sir,
thank you for sharing information's about hacking PLR15 and GLM20.
I can read data from the connection of two board on the leaser, but I could not read the serial data of PLR15.
can you please help me?
I am waiting for your answer.
Best  regards

[anm]

I read out firmware binary from BOSCH GLM 250 VF and disassembled it. Then I wrote python script for communicating with rangefinder by UART and read distance. But after this rangefinder doesn't works in normal mode with batteries - it beeps always when turned on (as if continuously press buttons). Think made some damages while soldered wires. Has anyone had the same problem?

[jgustavoam]

To colleagues who have Bosch measuring tapes with Bluetooth, I have this suggestion to make.
You will be able to help us a lot to decipher the serial communication with the tape.

Using Bosch's Measure ON Android app, use this procedure to capture the Bluetooth communication protocol.

Measure ON:
https://play.google.com/store/apps/details?id=com.bosch.ptmt.measrOn

Bluetooth Capture procedure:
https://support.honeywellaidc.com/s/article/How-to-capture-Bluetooth-traffic-from-and-to-an-Android-Device

On the applicable Android devices, it is possible to capture Bluetooth traffic as follows:
- Go to Settings
  If developer options is not enabled, enable it now.
https://www.digitaltrends.com/mobile/how-to-get-developer-options-on-android/

- Go into developer options
  Enable the option Enable Bluetooth HCI snoop log
   Enable the Bluetooth option and Connected to the device.
- Perform the actions which need to be captured. Run Measure ON app.
- Turn off the Bluetooth on the device.
- Disable the option Enable Bluetooth HCI snoop log
- Make sure the device is connected to the PC.

As the relevant files might not be shown in a PC's file browser in 'Internal Storage', copy the file to a PC by means of the Android Debug Bridge:  adb pull /sdcard
The files of interest are btsnoop_hci.log and all files with the extension .cfa
These are binary files, which can be opened with Wireshark.
https://www.wireshark.org/

How To Reverse Engineer A Bluetooth Device
https://youtu.be/NIBmiPtCDdM


With this other application you will be able to obtain a lot of important information about Bluetooth communication.
nRF Connect for Mobile:
https://play.google.com/store/apps/details?id=no.nordicsemi.android.mcp

Any questions about the apps, contact me
Thanks in advance.

[kosnick]

Hi all,

i have a BOSCH GLM 50-27 cg.
i try to connect it to my ubuntu machine.
when using bluetoothctl i am able to connect to it, but when i try to pair with it, the connection is lost.
when using some python script (or c even) the device is not even discovered.
Any help would be much appreciated.

[jgustavoam]

Hi Kosnik,

Normally, measuring devices use Bluetooth Low energy, which has a different protocol than Bluetooth Classic. Probably the GLM50 uses BLE.
Reading suggestion:
https://punchthrough.com/category/ble/

[kosnick]

Hi JG!
I think you  were right!
As soon as I tried to connect (no pairing for BLE) then it seems that I am able to connect
and receive some info about the device (services and UUIDs for example).
So thank you for the tip, it was a breakthrough!
Now, I am trying to snif some bluetooth messages with my android smartphone as suggested in your previous post.
However I was not able to find any service or uuid in the wireshark log file.
On the other hand, googling some of the UUIDs I found this page:

https://devzone.nordicsemi.com/f/nordic-q-a/80589/sniffing-a-bosch-laser-tape-2

so I am "assuming" (yes, I know...) that it is the correct UUID.
I'll look into it again.
Once again, thanks!

[artag]

As the relevant files might not be shown in a PC's file browser in 'Internal Storage', copy the file to a PC by means of the Android Debug Bridge:  adb pull /sdcard
The files of interest are btsnoop_hci.log and all files with the extension .cfa

I have a PLR 40 C and a moto g(50) running android 12

I've done the procedure above and briefly tried it :

- enabled log
- make a measurement, which spoke the measurement on the phone
- disable log
adb
adb pull /sdcard

This gives me all of sdcard but I can't see any logfiles in it
Do I need to do anything else ? Or is the switching of bluetooth on the Bosch critical ? I'm not practised with adb.

[jgustavoam]

Hi Artag,
Look for the file in the Android/data folder.
The file of interest is btsnoop_hci.log.
This is a binary file, which can be opened with Wireshark.

[artag]

No such file, at least within the /sdcard copy pulled from adb
Most of them start com.motorola or com.google. Nothing with bt in at all.
Maybe I need to do more to get the file flushed beforte it ends ?

I did try to look in the root device while adb was connected and I had no permission to look in data
(bastards ! whose phone is it anyway !)

oh, just noticed that I have to toggle bluetooth after enabling logging

.. but still not there

Looking at some suggestions in https://stackoverflow.com/questions/23877761/sniffing-logging-your-own-android-bluetooth-traffic
There's no 'FileName' in  the config file

[jgustavoam]

This file is in the root of Android device, not  the SD card.
Look for the file in the Android/data folder.
The file of interest is btsnoop_hci.log.
You can then share the file via your email. It was the simplest way I found to transfer.
This is a binary file, which can be opened with Wireshark.

[artag]

https://stackoverflow.com/questions/28445552/bluetooth-hci-snoop-log-not-generated/30352487#30352487

It seems like it could be in a number of places. I'm trying the bugreport route

I also have hardware sniffing devices - nrf8240 etc. haven't really tried those but I could do with workling them out, I need to do some ble debugging for another project


The bugreport file contains it here :

$ ls -l ~/FS/data/misc/bluetooth/logs/
total 168
-rw-r--r-- 1 adrian adrian     16 Mar 20 21:07 btsnoop_hci.log
-rw-r--r-- 1 adrian adrian 166989 Mar 20 21:59 hci_snoop20230320210739.cfa

So I guess I need to root it to get that easily. The logfile contains very little :

00000000  62 74 73 6e 6f 6f 70 00  00 00 00 01 00 00 03 ea  |btsnoop.........|
00000010

The cfa is rather bigger, and wireshark can read it
Maybe it's more useful to try to get a smaller number of transactions in each log

[jgustavoam]

Review the procedures.
Something is wrong.

[artag]

It seems to follow the scheme written in that last stackoverflow entry

https://stackoverflow.com/questions/28445552/bluetooth-hci-snoop-log-not-generated/30352487#30352487

UPDATE: The btsnoop hci log seems to be getting phased out of the user-accessible areas on a lot of phones. Assuming you have hci logging enabled, you can get a bugreport

adb bugreport anewbugreportfolder
Then decompress the folder. If you're lucky there is an 'FS' folder that contains the btsnoop_hci.log log several layers down (not sure why some phones have this and some don't.) If you don`t have it, grab the bug report text file that looks like this

bugreport-2018-08-01-15-08-01.txt

[jgustavoam]

Artag,
If your Android device doesn't have access to the file, try with an older device. In my case, I used a Tablet S2 Samsung Android 7.0. And it worked.

[jgustavoam]

I always look for free codes on Github. Look what I found.

https://github.com/prudhvirajstark/BoschGLM50C

https://github.com/Scarfsail/BoschGLM50

https://github.com/piannucci/pymtprotocol

https://github.com/philipptrenz/BOSCH-GLM-rangefinder

https://github.com/fantom3ds/LaserBluetooth