Home > 3rd-Party Integration > GATT Reference

GATT Reference

The complete BLE GATT surface a 3rd-party client needs to drive a Biscuit. Every value on this page is stable across the public firmware line and matches what the iOS and Android companion apps consume.


Advertising

Field Value
Local name Biscuit
Service UUID in advertisement 4fafc201-1fb5-459e-8fcc-c5c9c331914b

The local name is identical on every device; match on the service UUID. Biscuit does not include a per-device suffix in the advertised name.


Primary Service

Service UUID: 4fafc201-1fb5-459e-8fcc-c5c9c331914b

Characteristic UUID Properties Direction Use
Command beb5483e-36e1-4688-b7f5-ea07361b26a8 Write, Write Without Response Central to device Send CMD: lines
Response beb5483e-36e1-4688-b7f5-ea07361b26a9 Notify Device to central Receive RSP, STATUS, DATA, ERROR, TIME lines
Status beb5483e-36e1-4688-b7f5-ea07361b26aa Read Device to central Pollable JSON snapshot of device health
Settings beb5483e-36e1-4688-b7f5-ea07361b26ab Read, Write, Notify Bidirectional Read or update device configuration as JSON

Notifications must be enabled. Until the Response characteristic’s CCCD is set to 0x0001, the device does not send anything in response to commands. Subscribing is a prerequisite, not optional.


Device Information Service

Standard BLE Device Information Service (0x180A) exposes:

Characteristic UUID Content
Manufacturer Name 2A29 Biscuit Shop
Model Number 2A24 Board name (Biscuit Pro, Biscuit Ultra, Biscuit DIY)
Firmware Revision 2A26 Primary firmware version, e.g. v1.4.5
Software Revision 2A28 Scanner firmware version
Serial Number 2A25 Per-device serial

Connection Parameters

Parameter Value
MTU requested by device 517
Recommended client MTU At least 247
Data Length Extension Device requests 251-byte PDUs on connect
Connection interval 30 to 60 ms preferred
Slave latency 0
Supervision timeout 8000 ms

Below an MTU of 247, large notifications during wardrive streams will be fragmented across multiple ATT packets. Most BLE stacks reassemble these transparently, but throughput drops.


Message Framing

Every text-carrying characteristic uses the same line-oriented format:

TYPE:SUBTYPE:PAYLOAD\n

Every line ends with a single line-feed (\n, 0x0A). The payload may be empty; the trailing colon is still present (for example, CMD:stopscan:).

Message types

Type Direction Meaning
CMD Central to device A command
RSP Device to central Acceptance of a CMD (sent within 100 ms)
STATUS Device to central Execution-state change
DATA Device to central Live scan record
ERROR Device to central Command rejected or runtime error
TIME Device to central Time-sync request

A RSP means “command accepted”, not “command finished”. For commands that produce output (scans, attacks, wardrive), the actual completion signal arrives as a subsequent STATUS: line.

Status codes

STATUS: lines carry a numeric code in the SUBTYPE position:

Code Meaning
0 Booting
1 Ready
2 Busy (a scan or attack is running)
3 OK
4 Warning
5 Error
6 Scan complete

STATUS:1:Ready is the signal that no further DATA: lines will arrive for the previous operation.


Notification Packing

During wardrive and other high-throughput scans, the device packs multiple DATA: records into a single BLE notification to reduce radio overhead. Records inside a packed notification are newline-delimited:

DATA:AP:Network1,AA:BB:CC:DD:EE:FF,6,-58,WPA2_PSK
DATA:BT:Device1,11:22:33:44:55:66,-72,BLE
DATA:AP:Network2,22:33:44:55:66:77,11,-65,WPA3_SAE

The pack buffer flushes on any of:

Trigger What happens
Buffer reaches 240 bytes Immediate flush
50 ms elapsed since first buffered record Timer-based flush
A non-DATA message is queued Immediate flush, preserving order

Always split each notification on \n and process each line independently. Never assume one notification equals one record.


Status Characteristic JSON

The Status characteristic returns a JSON object summarizing current device health. It is safe to read at any time; the official apps poll it about once per second.

Initial value just after connect:

{"status":0,"battery":-1,"c5Connected":false,"c5State":0}

Full schema (optional keys appear only once the relevant subsystem reports):

Key Type Meaning
status int Overall health: 0 Ready, 1 Warning, 2 Error
battery int Battery percentage 0 to 100, or -1 if not yet measured
c5Connected bool Scanner subsystem link alive
c5State int Scanner state: 0 Booting, 1 Ready, 2 Busy, 6 Scan complete
wroomHeap [free, total] Optional. Present when the device is reporting heap.
c5Heap [free, total] Optional
sd bool Optional. Present and true when an SD card is mounted.
op string Optional. pktmon or eapol while an SD-backed capture is running.

Treat the JSON keys as opaque string identifiers. Field values may evolve across firmware releases; the keys themselves are stable across the public firmware line.