Introduction
Many papers and posts on internet forums have commented on the success of turning normal everyday bluetooth USB dongles ($10), into their more powerful counterparts that allow the capturing of packets from the airwaves. These more powerful USB dongles are usually sold at a much higher price ($10,000) together with the software to drive and control these devices.
The problems associated with BlueTooth sniffing
- You cant simply just purchase the dongle with the alternate firmware.
- There is next to no real opensource packet capture program for the bluetooth protocol.
Hardware & Limitations
Chipsets: Whats the difference?
The chipset of the Bluetooth USB Dongles are very important. Broadcom chipsets are cheap hardware and are deemed unsuitable devices for this paper. But unfortunalty nowadays, every manufacturer seems to prefer putting these chips in their products compared to the more reliable Cambridge Silicon Radio (CSR) chipset. If your lucky enough to find a dongle with a CSR chipset, your going to encounter different models:
- Bluecore2-ROM/EXTERNAL (BC2-ROM,BC2-EXT)
- Bluecore3-ROM/EXTERNAL (BC3-ROM,BC3-EXT)
- Bluecore4-ROM/EXTERNAL (BC4-ROM,BC4-EXT)
You will notice each model has two distinct chipsets ROM and EXT. The ROM (Read Only Memory) chip is the cheaper version and usually only sells for $6 less compared to the EXT. The ROM is completely useless to us because we cant change the contents of its memory. The EXT or External model has a flashable EEPROM (Eraseable Electronic Programmable Read Only Memory). This means we can change the contents of the chip by using a computer to alter the firmware.
Small Note: The bluecore firware uses a programming language called XAP, which is closely related to Assembler a low level programming language on modern computers.
Bluecore 4 chips are availble from fujitsu at roughly $14 GBP:
http://www.fujitsu-siemens-shop.co.u…gory=Bluetooth
How can I tell what chipset I have?
It is relatively easy to determine the chipset of a usb dongle on a linux Operating System. With the Bluetooth device functionalilty compiled into the kernel, you simply need bluez-libs and bluez-utils installed, for the necessary software to talk to the device.
Using hciconfig to get the manufactuer
Using the command ‘hciconfig -a’ you can display information about all bluetooth devices currently up and running:
$ hciconfig -a
hci0: Type: USB
BD Address: <my_mac_address> ACL MTU: 384:8 SCO MTU: 64:8
UP RUNNING PSCAN
RX bytes:946 acl:0 sco:0 events:24 errors:0
TX bytes:590 acl:0 sco:0 commands:23 errors:0
Features: 0xff 0xff 0×8f 0xfe 0×9b 0xf9 0×00 0×80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH HOLD SNIFF PARK
Link mode: SLAVE ACCEPT
Name: ‘my_name’
Class: 0×100104
Service Classes: Object Transfer
Device Class: Computer, Desktop workstation
HCI Ver: 2.0 (0×3) HCI Rev: 0×7ad LMP Ver: 2.0 (0×3) LMP Subver: 0×7ad
Manufacturer: Cambridge Silicon Radio (10)
Using bccmd to get the Chip Revision
This method only works for CSR chipsets:
$ bccmd -d hci0 chiprev
Chip revision: 0×0026 (BC4-External)
So in the above example, we have a flashable BlueCore4-External chip, perfectly the right version for the alternative firmware obtained from the Internet. N.B. Other EXT chips may be flashable, but the firmware availble will not work for them.
Uploading/Downloading Firmware to/from the BT USB Dongle
Other hackers on the internet have made the alternative firmware freely availble for download and the files are in the format of a Device Format Upgrade (DFU) file. You can then use on Linux the opensource tool dfutool (only works with CSR devices), to backup your original firmware, and download the alternative firmware onto your USB dongle.
Backup existing firmware
$ dfutool archive old_firmware.dfu
Download new firmware
$ dfutool upgrade new_firmware.dfu
Firmware available from the demo product of Frontlines FTS4B (Bluetooth Sniffer) here:
http://www.fte.com/dlfile.asp?name=s…Product=FTS4BT
Internet Forums usually guide people into installing and running pirated software. Using the commercial product to upgrade the USB dongles. However, the software will only download the firmware for a specific USB dongle. Another opensource package bccmd, can be used on a subset of dongles to change the vendor and product identifiers of the chip. With the identifers changed to something like 0×0a12 0×0002 [1]. The commercial software will gladly flash you device with the recent firmware upgrades.
How can I tell if the update worked?
Use hciconfig -a to show information about your connected dongles, the one you just re-flashed should look something like, (notice the UP RUNNING RAW):
hci1: Type: USB
BD Address: <my_mac_addr> ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:42 acl:0 sco:0 events:0 errors:0
TX bytes:9 acl:0 sco:0 commands:3 errors:0
Then goto Software, for information on using opensource sniffing software, to capture the bluetooth communication.
Playing with the Flash memory
You can do some interesting stuff with the memory locations on the USB Dongle (results vary model to model). To read/write to these areas you need the opensource package bccmd.
To list the memory areas available
$ bccmd -d hci0 memtypes
psi (0×0001) = Flash memory (0)
psf (0×0002) = Flash memory (0)
psram (0×0008) = RAM (transient) (2)
psi (0×0001) – Flash Memory
psf (0×0002) – Flash Memory: Write new variables in here to override any declared in 0×0004+
psrom (0×0004) – This is a read only memory section, often contains vendor and product ids.
psram (0×0008) – Flash Memory
How to read the contents of a given byte address
In the following example, we will extract the devices mac address (00:01:DE:AD:BE:EF) from its memory:
$ bccmd -d hci0 psget -s 0×000f 0×0001
Bluetooth address: 0xAD00 0xEFBE 0xDE00 0×0100
NB. notice the macaddress bytes appear in the following order {4 0 6 5 3 0 2 1}
0×000f is used so we first look in location 0×0001, then 0×0002, 0×0004 and so on.
How to write to a given byte address
WARNING – YOU CAN BRICK YOUR DONGLE WHEN WRITING TO ANY OF THE AVAILBLE ADDRESSED AREAS. THE BLUECORE COMMAND PROTOCOL IS NOT PART OF BLUETOOTH SPECIFICATION.
In this example we will change the mac address of our dongle:
$ bccmd -d hci0 psset -s 0×0002 0×0001 0×08 0×07 0×06 0×05 0×04 0×03 0×02 0×01
would change the mac address to 01:02:04:08:05:06
Software
Opensource sniffing software
An opensource c program is available that uses the bluez bluetooth protocol stack and the opensource CSR drivers.It tends to be available under two different names, firstly one of the commerical entity’s name or csrsniff.
The code is available from: http://darkircop.org/bt/bt.tgz
To see if everything works:
$./csrsniff -d hci0 -t
You should get an incrementing number (the clock of the dongle).
1) To stop sniffing:
$./csrsniff -d hci0 -s
2) To set the dongle’s packet filter (i.e. which packets to receive):
$./csrsniff -d hci0 -f 7 [receive all packet types]
3) To start sniffing:
$./csrsniff -d hci0 -S mac:addr:of:master <at> mac:addr:of:slave
To dump sniffed data in a file that hcidump understands:
$./csrsniff -d hci0 -e -w capture.cap
[hcidump -r capture.cap]
The dongle’s clock needs to be synchronized with that of the master. To maintain synchronization, you might want to perform steps 1–3 periodically(e.g. every minute).
Conclusion
We can successfully reflash a cheap usb dongle, to perform like their more expensive counterparts.
There is some basic opensource programming code available for sniffing raw bluetooth traffic.
References
[1] Busting The Bluetooth® Myth – Getting RAW Access
aka “Transforming a consumer Bluetooth Dongle into a Bluetooth Sniffer”
Max Moser
http://www.remote-exploit.org
[2] Bluetooth Sniffing For Less
http://bluetoothsecurity.wordpress.c…fing-for-less/
[3] Bluetooth Dongle with CSR chipset and flash or external memory using Flash
http://www.evilgenius.de/2007/04/10/…y-using-flash/
[4] Hacking Bluetooth by Martin Karger & Bastian Ballmann
http://www.acrobatfiles.com/bluetoot…-5547-pdf.html
Tutorial By Unknown
Wireless Punter
