Cheapest Bluetooth Low Energy Tag Teardown

Overview

This is one of the cheapest bluetooth low energy tags currently available. (aka iTag, MLE-15, Intelligent Bluetooth Anti-lost Tracking Tag Alarm Patch)
Purchased online for less than 4$.

Bluetooth Low Energy Tag Package

It comes packed in a simple plastic bag. User manual and CR2032 cell battery are included.

Bluetooth Low Energy Tag size compared to coin

The tag is slightly bigger than 2 Euro coin. Actual size is 38x38x7mm (1.50"x1.50"x0.28") and it's weight is 9 grams.
The device has one push button and a blue LED.

Software

The tag identifies itself as MLE-15, it's bluetooth address starts with unassigned OUI prefix FF:FF:80 (see FF:FF:80 lookup results here).
Below is the output of "hcitool leinfo" command:

$ sudo hcitool leinfo FF:FF:80:00:XX:XX
Requesting information ...
	Handle: 40 (0x0028)
	LMP Version: 4.0 (0x6) LMP Subversion: 0x4103
	Manufacturer: Telink Semiconductor Co. Ltd (529)
	Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Both manufacturer recommended iTracing and open source iTracing2 applications works fine.

Teardown

Lets look what's inside.

Inside Bluetooth Low Energy Tag

 

The PCB

PCB of Bluetooth Low Energy Tag - front sidePCB of Bluetooth Low Energy Tag - back side
Click to view large images

The PCB is marked as "RB-FD02 Ver1.2 20151212". All components are mounted on a single side. There are six programming/debugging/testing interface pads: PIN10, PIN8, SWS, VPP, BAT+ and GND.

The BLE microcontroller is ST17H26 (ST17H26 / CH1549 / CG851G. 1X). The chip package looks like SSOP-16. Unfortunately I couldn't find the ST17H26 datasheet online.
Further investigation shows that based on LMP_CompID the chip is produced by Telink Semiconductor and there is only one SSOP-16 packaged BLE SoC in their product range - TLSR8263. But still no datasheet and SDK freely available.

The system is clocked by a 12Mhz crystal. Other components are: push button, piezo buzzer, 4 capacitors, transistor (1AMe), diode (S4), blue LED.

Conclusion

Due to lack of datasheet and SDK the hardware seems unhackable (not possible to reprogram the device to turn it, for example, into a bluetooth BLE beacon).
But BLE GATT interface generally is not a secret. For more details check the iTracing2 project on GitHub.

 

Tags:

Comments

Alexander

Mon, 08/29/2016 - 16:10

Hi, Is there any Windows 10 software for this or similar tags?

admin

Tue, 08/30/2016 - 14:26

I couldn't find such software, moreover my findings show that It's even impossible to pair this device with Windows.
Windows 10 thinks it's a keyboard.

MLE15 Bluetooth Tag Windows 10 Pairing
Try again, and make sure your keyboard is still discoverable.

Awe

Tue, 10/11/2016 - 19:56

This hardware is pretty simple, it has 1 alert peripheral where you can send 0x01 to turn beep ON and 0x00 to off beeping, and also you can read battery service from device, that's all. just code a simple C program and use it.

Wolass

Thu, 02/09/2017 - 18:49

Could you provide more details how you read the codes from the device and how you were able to controll/ connect to it?

Shirish Jadav

Wed, 05/17/2017 - 13:02

if you know BLE protocol you can make one with Redbear lab modules

Shirish Jadav

Wed, 05/17/2017 - 13:01

I tried it with BLE scanner app. when I set alert service with ox01 or 0x02 or 0x03 nothing happens.

SapphireHunter

Fri, 04/21/2017 - 19:08

Hello! I have a BT controller and I was searching this IC datasheet.
Here is it: http://www.docin.com/p-1814309628.html

Byeee! :)

admin

Wed, 05/24/2017 - 19:28

Thank you!
Does anyone know how to download complete single pdf file from that site?

Palmer653

Mon, 05/15/2017 - 12:23

Not likely to be reprogramed. there are other chips 8266, 8261 etc are flash based. You can find some tools in Github. data sheet should be at their website.

vasya

Sun, 06/25/2017 - 11:47

http://res.cloudinary.com/metsys/image/upload/v1498380191/bluetooth_face_c5uwjs.jpg

http://res.cloudinary.com/metsys/image/upload/v1498380265/bluetooth_back_tai8z5.jpg

RB-FD01 Ver 1.6

vasya

Sun, 06/25/2017 - 12:43

RB-FD01 Ver 1.6

http://res.cloudinary.com/metsys/image/upload/v1498383765/rb-fd01_rtflfp.jpg

vasya

Sun, 06/25/2017 - 13:03

https://68.media.tumblr.com/083dd20363b017cb02d1af5946bd0075/tumblr_oitng6zviQ1v2jpkqo4_1280.jpg

https://68.media.tumblr.com/c4cfb96c51bac80bec78cbda58610bdd/tumblr_oitng6zviQ1v2jpkqo3_1280.jpg

https://68.media.tumblr.com/13335504addd067251c20e3b166c0fb7/tumblr_oitng6zviQ1v2jpkqo2_1280.jpg

So, i think that Pin10,8 had it's own purpose (like software configurator/ing not flashing firmware) for flashing i guess used - sws (single wire slave) and guess needed swm (single wire master) by Telink

bonzai

Sun, 12/27/2020 - 20:16

wow thanks thats interesting i have both devices too :)

vasya

Sun, 06/25/2017 - 13:49

sws (single wire slave) and guess needed swm (single wire master) NOT by Telink(need to be amend in previous message), by LENZE! (page 60)

http://www.docin.com/p-1814309628.html

vasya

Thu, 06/28/2018 - 18:26

datasheet from 2016/7/7 Ver. 2.0.0 http://www.docin.com/p-1814297477.html
for ST17H26, ST17H28, ST17H29, ST17H30, ST17H38

Александр

Tue, 02/27/2018 - 18:29

Уважаемый,не поможете ли мне вывести контакты кнопок на провод для подключения как простой не блютузовский джойстик? Если правильно понимаю то этого сделать не возможно из за конструкции микроконтроллера. Дело в том что мои аппараты не видят этот джойстик. Вот и хотел его подсоединить ОТГ кабелем. Как думаете подойдет ли такая идея?