uni.horse / poking BLE beacons/knockoff AirTags from Linux

I got a pile of these BLE beepers. They're advertised as GPS trackers, but they have no GPS functionality as far as I can tell, but I knew that before buying them. Their only function is to beep when another Bluetooth device pokes them in the right way.

They turned out to be too quiet for that purpose, so I can't recommend them, but I did put effort into figuring out how to trigger them from a Linux machine instead of a sketchy phone app. That's poorly documented, so here's some documentation.

Using bluetoothctl, scan for BLE devices, and grab the MAC address of the tag when it appears:

~ $ bluetoothctl
Agent registered
[bluetooth]# scan le
Discovery started
[CHG] Controller 50:2F:9B:15:BB:24 Discovering: yes
[NEW] Device FF:23:08:16:81:70 Smart Tag       

The tags seem to disappear shortly after the scan finds them. If a [DEL] line appears for the same tag, this has happened; restart the scan with scan off then scan le.

Connect to the tag. (Not pair. That also connects to it, but in a different mode where it'll get mad after a few seconds that you haven't authenticated, and disconnect and start beeping at you.)

[bluetooth]# connect FF:23:08:16:81:70
Attempting to connect to FF:23:08:16:81:70
[CHG] Device FF:23:08:16:81:70 Connected: yes
Connection successful
[Smart Tag       ]#

Enter the gatt submenu, and get the list of attributes the tag exposes. Variables are called "Characteristics". They're grouped under "Primary Services". Some of them have "Descriptors" under them. Sometimes the descriptors are labels for what the corresponding characteristic does. Other times they're empty or useless.

One of them is called "Alert Level", in the "Immediate Alert" service. Note its path. (The UUIDs can conflict, because of course they can.)

[Smart Tag       ]# menu gatt 
[Smart Tag       ]# list-attributes
Primary Service (Handle 0x0000)
	Immediate Alert
Characteristic (Handle 0x0000)
	Alert Level

Select that attribute, and write 1 or 2 to it to make it start beeping quickly (about 4 Hz), 3 for slow beeping (about 1 Hz), or 0 to stop beeping.

[Smart Tag       ]# select-attribute /org/bluez/hci0/dev_FF_23_08_16_81_70/service000c/char000d
[Smart Tag       :/service000c/char000d]# write 1
Attempting to write /org/bluez/hci0/dev_FF_23_08_16_81_70/service000c/char000d
[Smart Tag       :/service000c/char000d]# write 0
Attempting to write /org/bluez/hci0/dev_FF_23_08_16_81_70/service000c/char000d

You can also read from the Battery Level characteristic. I believe this is a percentage value (0x64 is 100):

[Smart Tag       ]# list-attributes
Characteristic (Handle 0x0000)
	Battery Level
[Smart Tag       ]# select-attribute /org/bluez/hci0/dev_FF_23_08_16_81_70/service0001/char0002
[Smart Tag       :/service0001/char0002]# read
Attempting to read /org/bluez/hci0/dev_FF_23_08_16_81_70/service0001/char0002
[CHG] Attribute /org/bluez/hci0/dev_FF_23_08_16_81_70/service0001/char0002 Value:
  64                                               d               
  64                                               d      

The full list of characteristics my tag has is below. Most of these don't seem to do anything. The read/write column is based solely on whether bluetoothctl reported an error when reading or writing, not whether anything changed.

.../service0001/char0002 R Battery level, as a percentage.
.../service0005/char0006 R Tx power. Unsure what units this is in. Defaults to 7.
.../service0008/char0009 R/W Beep mode on signal loss.
.../service000c/char000d R/W Beep right now in this mode.
.../service0010/char0011 R Descriptor says "Button". This device has no buttons. I assume this is for some other device with the same firmware.
.../service0010/char0015 W Descriptor says "Set LinkLost Alert". I don't know what this does. It lets me write numbers to it. They don't affect char0009.
.../service0010/char0018 R Device's MAC address, as 6 raw bytes.
.../service0010/char001b R/W "reserved", so probably something very exciting. Reads as 20 00 bytes.
.../service0010/char001e W Labeled "Tx Power". Appears not connected to the other one labeled that.
.../service0010/char0021 R Labeled "Modify Device Name", reads as 20 00 bytes, but is read-only. idk.
.../service0010/char0024 R/W "Set Alert"
.../service002d/char002e W ???
.../service002d/char0030 - ??? Can't read *or* write.