Baseus earbuds that use the in-house Bluetrum CCSDK (Control Center SDK) communicate with Android over BLE GATT for all runtime control functions (battery, ANC, EQ, gestures). Classic Bluetooth SPP/RFCOMM is present in the APK only for JieLi-chip OTA firmware updates.
| Role | UUID |
|---|---|
| Service | 02F00000-0000-0000-0000-00000000FE00 |
| Write (app → device) | 02F00000-0000-0000-0000-00000000FF01 |
| Notify (device → app) | 02F00000-0000-0000-0000-00000000FF02 |
| OTA / extra | 02F00000-0000-0000-0000-00000000FF05 |
These UUIDs are used by the Bluetrum CCSDK (com.bluetrum.ccsdk), confirmed from APK static
analysis (classes2.dex).
The on-wire packet format is proprietary to the Bluetrum CCSDK and its inner classes are heavily
obfuscated (single-letter names a0, b1, …). The exact byte layout requires a live BLE
capture to confirm.
[ CMD_CATEGORY : 1 ]
[ CMD_ID : 1 ]
[ DATA_LEN : 2 ] (little-endian)
[ PAYLOAD : DATA_LEN bytes ]
The SDK internally builds packets in CCSdkApi and dispatches them to the write characteristic.
Response notifications on FF02 are parsed back by the SDK into high-level API objects.
Before any command can be sent, the CCSDK performs a challenge-response handshake:
App → Device : DevAuthChallenge (random nonce)
Device → App : DevAuthResponse (HMAC of nonce + shared secret)
App → Device : AppAuthResponse (app's reply)
Device → App : AppAuthResult (auth OK / FAILED)
This is implemented via com.bluetrum.cccomm.auth.IAuthenticator. The ExampleAuthenticator
in the CC SDK demo implements the simplest form. The shared secret is likely derived from the
device's MAC address or serial number.
TODO: Capture the auth bytes from a live session.
Classic Bluetooth SPP UUID 00001101-0000-1000-8000-00805F9B34FB is present in the APK and
handled exclusively by the JieLi OTA SDK (com.jieli.jl_bt_ota, package com.jieli.otasdk).
The JieLi RCSP protocol is used for firmware file transfer and is NOT part of the normal
control path.
Option A — Android HCI snoop log:
- Enable developer mode on Android.
- Enable Bluetooth HCI snoop log in Developer Options.
- Open Baseus app, pair earbuds, perform operations.
adb pull /sdcard/btsnoop_hci.log- Open in Wireshark; filter
btleand look for writes to characteristicFF01.
Option B — Frida socket-trace on real device (not emulator):
- Use
docs/frida/socket-trace.json a real Android device with USB debugging. - Frida 17.x Java bridge works on real devices; it does not work reliably on x86_64 Android 12 emulators (confirmed limitation).