A loving farewell, in code, to the ToughBuilt TB-H2-LM-165-BT laser distance measurer and the company that sold it, took our money, then quietly turned off the lights and walked into the sea.
What happened. ToughBuilt Industries got Nasdaq-delisted in June 2024 for missing basic SEC paperwork. Their auth backend at `app.tbconnect.toughbuilt.com` doesn't even resolve in DNS anymore — it's not "down for maintenance," it's gone. Their official `toughbuilt.com/connect` page is literally Lorem ipsum filler text ("Nullam sit amet nisi condimentum erat iaculis auctor…") because they never finished writing it. Independent analysts peg their bankruptcy probability at 65–80%. The iOS app is bricked at the login screen for everyone who paid them money for a Bluetooth laser, because the cloud login is the only login and the cloud is dead.

So we wrote our own.
This repo:
- Unbricks the official ToughBuilt Connect app so it accepts any garbage credentials and reaches its main menu, by spoofing the dead cloud with a stub server you run on your LAN.
- Talks directly to the laser over Bluetooth Low Energy from Linux, decodes notifications, and POSTs them to a webhook of your choice — in case you want to skip the app entirely (recommended; see the hard truth below).
- Documents the exact protocol ToughBuilt's hardware engineers half-implemented before management shipped it and put the lights out.
| Component | What it does |
|---|---|
| `auth-stub/` | A FastAPI service that impersonates the dead `app.tbconnect.toughbuilt.com` API. Returns a fake JWT for any login, with every plausible JSON envelope shape baked in. This is what makes the official app boot again. |
| `ble-bridge/` | Python + bleak + a self-contained BlueZ stack in a Docker container. Connects to the laser, runs the documented YD handshake, decodes (the bytes the firmware would emit if it were finished), and POSTs everything to your hub. |
| `hub/` | The original use case: an OpenSCAD-driven parametric model that wants live laser measurements. FastAPI + OpenSCAD CLI + a small web UI + a built-in MCP server so an AI agent can drive the model. Optional. |
| `docs/` | The complete reverse-engineering trail. Read `docs/INVESTIGATION.md` before you assume anything works. It's the cliff-notes of every dead-end and every lesson, so you don't have to walk the same path. |
After three exhaustive passes through the decompiled APK (we got good at
this by the end), the conclusion is unavoidable: the laser firmware is
half-finished. The phone-side parser is wired up to handle a 35-byte
slot-based measurement frame. The hardware never sends one. It sends an
OK ack, a 5-byte status frame, and — this one's a real treat — a 3-byte
ASCII "1.0", which turns out to be the firmware version, repeated
back at us as if to say "everything is fine here, thanks for asking."
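
As an added example (not code from this repo), a triage pass over raw notification payloads that sorts them into the frame kinds described above and reports whether a 35-byte measurement frame ever arrived. The byte form of the ack, the sample payloads and the function names are assumptions; the real frame layout is in docs/protocol.md.

```python
import re
from collections import Counter

MEASUREMENT_LEN = 35  # slot-based frame the phone-side parser expects (README)
STATUS_LEN = 5        # status frame the laser actually sends (README)
ACK = b"OK"           # assumption: the "OK ack" is the two ASCII bytes "OK"
VERSION_RE = re.compile(rb"\d\.\d")  # 3-byte ASCII version such as b"1.0"
# Constructed sample (not a real capture): the three kinds the README reports.
OBSERVED = [b"OK", bytes.fromhex("0100000000"), b"1.0"]

def classify(payload: bytes) -> str:
    """Name one notification payload using only what the README states."""
    if payload.strip() == ACK:
        return "ack"
    if VERSION_RE.fullmatch(payload):
        return "version"
    if len(payload) == STATUS_LEN:
        return "status"
    if len(payload) == MEASUREMENT_LEN:
        return "measurement"
    return "unknown"

def triage(notifications):
    """Return (Counter of frame kinds, True if a 35-byte frame was seen)."""
    # At the default 23-byte ATT MTU a notification carries at most 20 bytes,
    # so a 35-byte frame may arrive in pieces: sum consecutive unknown payloads.
    counts, pending = Counter(), []

    def flush():  # give up on reassembly and count the pieces as unknown
        if pending:
            counts["unknown"] += len(pending)
            pending.clear()

    for payload in notifications:
        kind = classify(payload)
        if kind != "unknown":
            flush()
            counts[kind] += 1
            continue
        pending.append(payload)
        total = sum(len(p) for p in pending)
        if total == MEASUREMENT_LEN:
            counts["measurement"] += 1
            pending.clear()
        elif total > MEASUREMENT_LEN:
            flush()
    flush()
    return counts, counts["measurement"] > 0
```

Calling `triage(OBSERVED)` on the constructed sample reports one ack, one status frame, one version string and no measurement.
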
The official iOS app produces identical BLE traffic to our bridge. We verified this by reviving the dead cloud, logging in, and watching every byte. The app and our bridge are equally helpless against this firmware because the bug is in the laser, not in any client. ToughBuilt shipped a Bluetooth-enabled laser whose Bluetooth doesn't actually transmit measurements. Then they ran out of money before fixing it.
If you have this laser and were hoping to do something useful with it over Bluetooth: yes, it's broken. No, it's not your fault. No, the app isn't going to start working. The only path forward is a firmware update the manufacturer is no longer in any condition to ship.
That said — the BLE pipeline, the auth-stub, and the OpenSCAD hub all work end-to-end and are ready for the day someone finds the missing command, OR for any of ToughBuilt's other connected devices (stud finder, moisture meter) which may have more complete firmware. The auth-stub will probably revive any of their apps; the BLE bridge would need a 50-line decoder swap.
```bash
git clone https://github.com/nullEFFORT/toughbuilt-laser
cd toughbuilt-laser/auth-stub
docker compose up -d
```

Then:
- Point your DNS resolver (Pi-hole, AdGuard Home, OPNsense, your router's custom DNS) so `app.tbconnect.toughbuilt.com` resolves to the host running the auth-stub. The cloud is dead, you're the cloud now.
- Install the self-signed CA on your phone and trust it (Settings → General → About → Certificate Trust Settings on iOS, or Security → Encryption & credentials → Install certificate on Android). You will of course be reminded by your operating system that doing this is a security decision. It is. Make it anyway, because the alternative is throwing the laser away.
- Open the app, enter literally anything for email and password, reach the main menu. (Suggested: `iWantMyLaserBack@example.com` / `nasdaq-delisted`.)
Detailed step-by-step in docs/SETUP.md.
```bash
docker compose up -d ble-bridge
```

You'll see the GATT handshake go through, see your laser connect, and see — exactly as advertised above — no measurements. Watching the firmware NOT send what it should is a ritual that builds character.
See docs/INVESTIGATION.md. It's the timeline
of every hypothesis we tested, what failed, what worked, and what the
hardware actually does (vs what the documentation hints at).
The full reverse-engineered protocol — GATT UUIDs, the YD handshake,
the slot-based 35-byte measurement format the firmware should emit
but doesn't — is in docs/protocol.md.
The auth-bypass research — including TypeORM SQLite seeding as an
alternative to the API stub, the lack of TLS pinning (one small mercy),
and the exact JS bundle offsets of the auth gate — is in
docs/auth-bypass.md.
The raw jadx grep evidence backing everything in those docs is in
docs/apk-findings.md, so you don't have to
take our word for it.
Confirmed working with:
- Hardware: ToughBuilt TB-H2-LM-165-BT (Feasycom FSC-BT986 BLE module, MCU firmware 9.0.6 from 2021-12-20 — the firmware that shipped, the firmware that will never be updated)
- Apps:
  - ToughBuilt Connect Android v1.1 (`com.tbconnectv2`) — login bypass confirmed; in-app BLE traffic confirmed identical to our bridge
  - ToughBuilt Connect iOS v1.0.6 — login bypass confirmed working with a multi-shape JSON envelope; behaviour identical to Android
The auth-stub probably also works for ToughBuilt's other apps and
products, since they all share the same dead app.tbconnect.toughbuilt.com
backend. We didn't test any of them. If you have a ToughBuilt stud
finder or moisture meter, please open an issue and let us know.
MIT. See LICENSE. No vendor source code is included; this
repo is the result of observing publicly distributed binaries and the
public BLE behaviour of a device the original author paid retail price
for. ToughBuilt is a trademark of ToughBuilt Industries; this project
is not affiliated with, endorsed by, or — let's be honest — likely to
ever be acknowledged by ToughBuilt Industries.
A user wanted to drive an OpenSCAD parametric deck model from his laser measurements. Windows wouldn't pair, the official app rejected his login because the cloud was dead, the company was in financial freefall, and the only Lorem-ipsum-filled product page on the manufacturer's website was for the very feature he was trying to use.
There were three exhaustive APK passes, hours of bytewise investigation, a fully working DNS spoof / auth-stub / cert-pinning workaround, an attempted Android-in-Docker emulator with USB-Bluetooth passthrough (blocked by host driver re-binding — see the agent log if you're into that sort of thing), and ultimately a clean confirmation that we'd done everything that can be done. The firmware bug remains; the toolchain to drive any working successor is in this repo.
If you're reading this because you also bought one of these lasers and the app stopped working: sorry. Hope this helps. Welcome to the post-vendor era of consumer hardware.