Wednesday, November 12, 2008

Building your own Bluetooth sniffer

In May 2007 Max Moser published a procedure to build your own cheap Bluetooth sniffer from a consumer Bluetooth dongle. Here's the practical how-to; it's fully documented on the internet, so this is a short and quick explanation.

There are specific requirements for the Bluetooth adaptor so it can be flashed into a Bluetooth sniffer:

1. Cambridge Silicon Radio (CSR) chipset.

2. BC4 External or Flash. ROM memory adaptors can't be used.

The second dongle (BC4 EXT) will do; I'm not sure about the first (BC2 EXT).

You need these tools:
  • bccmd: modify firmware settings
  • dfutool: flash and update the firmware
You can obtain them via bluez-cvs; here is how:

# sudo apt-get install libbluetooth2 libbluetooth2-dev libusb-0.1-4 libusb-dev
# cvs -d:pserver:anonymous@cvs.bluez.org:/cvsroot/bluez login
# cvs -d:pserver:anonymous@cvs.bluez.org:/cvsroot/bluez co utils
# cd utils/tools
# gcc csr.c csr_3wire.c csr_bcsp.c csr_h4.c csr_hci.c csr_usb.c ubcsp.c bccmd.c -o bccmd -lusb -lbluetooth
# gcc csr.c dfutool.c -o dfutool -lusb -lbluetooth

(The -lusb and -lbluetooth flags go after the source files; with a current linker, listing them first leaves the symbols unresolved.)


You will also need to download and install Frontline Test Equipment FTS4BT version <= 5.6.9.0, in order to obtain the airsnifferdev4*bc4.dfu firmware which you can use to upgrade the dongle.

The procedure is simple. First, you need to change the product id (should be 0x0002) and vendor id (should be 0x0a12); the FTS4BT tool requires these values to recognize the Bluetooth adaptor.

Then, you need to back up the firmware of the dongle before flashing it with airsnifferdev4*bc4.dfu.

If you use airsnifferdev5*bc4.dfu you might brick your dongle and make it useless, so it's important to find the correct version of FTS4BT (the one shipping airsnifferdev4*bc4.dfu); the latest version won't do.

After you have done those two operations successfully you can see the Bluetooth dongle is in RAW mode. (You may need to unplug and re-plug it.)


The RX and TX bytes should be rising.
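As an added example (not code from the original post, and not from BlueZ or Frontline), here is a small POSIX sh helper that wraps the three steps above (set the USB ids, back up, flash) in a dry-run form, refuses the dev5 image that bricks the dongle, and checks the RAW flag and the RX/TX byte counters in hciconfig-style output. The following are assumptions rather than facts stated on the page: that bccmd's psset subcommand accepts a numeric PS key and value, that the CSR keys PSKEY_USB_VENDOR_ID and PSKEY_USB_PRODUCT_ID are 0x02be and 0x02bf, that "dfutool archive" and "dfutool upgrade" are the backup and flash subcommands, and the hciconfig sample text, which is constructed, not captured from a real dongle.

```shell
#!/bin/sh
# Added example, not from the original post or from BlueZ: a dry-run wrapper
# around the flashing steps plus checks on hciconfig-style output.
# Assumed (not stated on the page): bccmd psset takes a numeric PS key and
# value, PSKEY_USB_VENDOR_ID = 0x02be, PSKEY_USB_PRODUCT_ID = 0x02bf, and
# "dfutool archive" / "dfutool upgrade" back up and flash the firmware.
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands that would run

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# Only the airsnifferdev4*bc4.dfu image is safe; the dev5 image bricks the dongle.
firmware_ok() {
    case "$(basename "$1")" in
        airsnifferdev4*bc4.dfu) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1: set the USB ids FTS4BT expects. Step 2: archive the stock firmware,
# then write the sniffer image.
flash_sniffer() {
    fw="$1"
    backup="${2:-stock-firmware-backup.dfu}"
    if ! firmware_ok "$fw"; then
        echo "refusing to flash $fw: not an airsnifferdev4*bc4.dfu image" >&2
        return 1
    fi
    run bccmd psset 0x02be 0x0a12   # PSKEY_USB_VENDOR_ID  (assumed key number)
    run bccmd psset 0x02bf 0x0002   # PSKEY_USB_PRODUCT_ID (assumed key number)
    run dfutool archive "$backup"   # keep a copy of the original firmware
    run dfutool upgrade "$fw"
}

# Step 3: after re-plugging, the flags line of hciconfig should contain RAW.
# Reads hciconfig output on stdin.
hci_is_raw() {
    grep -qw 'RAW'
}

# Prints "RX TX" byte counters taken from hciconfig output on stdin.
rx_tx_bytes() {
    awk '/RX bytes:/ { sub("bytes:", "", $2); rx = $2 }
         /TX bytes:/ { sub("bytes:", "", $2); tx = $2 }
         END { print rx, tx }'
}

# True when both counters grew between two "RX TX" snapshots.
counters_rising() {
    set -- $1 $2   # rx1 tx1 rx2 tx2
    [ "$3" -gt "$1" ] && [ "$4" -gt "$2" ]
}

# Constructed hciconfig output (not captured from a real dongle).
SAMPLE_BEFORE='hci0:   Type: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING RAW
        RX bytes:1234 acl:0 sco:0 events:45 errors:0
        TX bytes:567 acl:0 sco:0 commands:44 errors:0'
SAMPLE_AFTER='hci0:   Type: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING RAW
        RX bytes:2000 acl:0 sco:0 events:70 errors:0
        TX bytes:900 acl:0 sco:0 commands:69 errors:0'

# Run with "demo" to see the dry-run commands and the two checks.
if [ "${1:-}" = "demo" ]; then
    flash_sniffer airsnifferdev4_bc4.dfu
    echo "$SAMPLE_BEFORE" | hci_is_raw && echo "dongle reports RAW mode"
    before=$(echo "$SAMPLE_BEFORE" | rx_tx_bytes)
    after=$(echo "$SAMPLE_AFTER" | rx_tx_bytes)
    counters_rising "$before" "$after" && echo "RX/TX counters rising: $before -> $after"
fi
```

Set DRY_RUN=0 to actually execute bccmd and dfutool; with the default of 1 the script only prints what it would do, which is the mode to use first, because the firmware check is the only thing standing between you and the dev5 brick.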

You can also test that it's working by executing frontline, the tool released by Andrea (aka sorbo) for sending commands to a hardware sniffer.


The timer should be increasing.

You got it!



You can follow these useful links to find more information:

3 comments:

Maurizio said...

Can you tell us the brand and the model of the usb key that you used?

Thank you

Alberto said...

Sure ;)

Zappa Bluetooth 2.0 EDR USB Adapter
Model: ZBTA-6030

John said...

Do you happen to have a copy of the firmware for the comprobe? Frontline does not provide the older version anymore. I would appreciate it if you could send it to me via email: boris.yeowATgmail.com

Thanks very much