H00lyshit – DIY Bluetooth Sniffer

Last updated on 2021-05-31

Since the [23c3]( every interested researcher has known that it is easy to compromise Bluetooth sessions using the BTCrack tool. Thierry Zoller showed how it’s possible to [retrieve]( link keys; the only problem was getting hold of a Bluetooth sniffer device to capture the raw Bluetooth packets. Such devices are not available at consumer prices. But somehow Max Moser found a [way]( to transform a vanilla USB BT dongle into a Bluetooth sniffer device. Don’t believe the hype… now Bluetooth security is dead.

Mini Howto:

# Backup old firmware
dfutool -d hci0 archive backup.dfu
# Backup config
bccmd -d hci0 pslist -s 0x000F >> backup_cfg
# Check Vendor ID (has to be 0x0a12)
bccmd -d hci0 psget -s 0x000f 0x02be
# Write new Product ID
bccmd -d hci0 psset -s 0x0002 0x02bf 0x0002

    I was trying to do this with my Siemens dongle, but I read that I also have to change the vendor id and that did not work.

    Maybe you have a clue what’s wrong with my cmdline:

    bccmd -d hci0 psset -r -s 0x0002 0x02be 0x0a12

    It is accepted, but bccmd -d hci0 psget -s 0x000f 0x02be gives me:
    USB vendor identifier: 0x0bf8 (3064)


    Okay, got it.

    bccmd -d hci0 psset -s 0x0001 0x02be 0x0a12

    USB vendor identifier: 0x0a12 (2578)

  3. Administrator

    Yes, you need to use the correct RAM/flash location for it to get persistent.

    ./bccmd -d hci1 memtypes
    psi (0x0001) = Flash memory (0)
    psf (0x0002) = Flash memory (0)
    psram (0x0008) = RAM (transient) (2)

    if you want to use psi it will be:

    bccmd -d hci0 psget -s 0x0001 0x02be

    Look out for this PDF, ‘BCCMD Commands (bcore-sp-005Pe).pdf’, for more details
    on the bccmd interface and locations.

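Added example, not from the post or its commenters: a small POSIX-sh pre-flight for the Mini Howto above and the memtypes note in comment 3. It parses the psget and memtypes output formats shown on this page (the sample strings below are constructed copies of those lines), refuses to build the psset command unless the reported vendor ID is 0x0a12, and reads the psi store code from memtypes so the write lands in the persistent store. The function names and sample strings are my own assumptions.

```shell
#!/bin/sh
# Constructed sample output in the format the post and comments show.
SAMPLE_PSGET='USB vendor identifier: 0x0bf8 (3064)'
SAMPLE_MEMTYPES='psi (0x0001) = Flash memory (0)
psf (0x0002) = Flash memory (0)
psram (0x0008) = RAM (transient) (2)'

# Extract the hex vendor ID from a "psget ... 0x02be" output line, lower-cased.
vendor_id() {
    printf '%s\n' "$1" \
        | sed -n 's/^USB vendor identifier: *\(0x[0-9A-Fa-f]*\).*/\1/p' \
        | tr 'A-F' 'a-f'
}

# Succeed only when the dongle reports the CSR vendor ID 0x0a12.
is_csr() {
    [ "$(vendor_id "$1")" = "0x0a12" ]
}

# Map a store name (psi, psf, psram) to its numeric code from memtypes output.
store_code() {
    printf '%s\n' "$2" | sed -n "s/^$1 (\(0x[0-9a-fA-F]*\)).*/\1/p"
}

# Build the psset line for the persistent psi store. Fail closed when the
# vendor ID does not match or the store code cannot be read, rather than
# writing the product ID to an unknown part or a transient store.
build_psset() {
    is_csr "$1" || return 1
    code=$(store_code psi "$2")
    [ -n "$code" ] || return 1
    echo "bccmd -d hci0 psset -s $code 0x02bf 0x0002"
}

# With a live dongle you would feed real output instead of the samples:
#   build_psset "$(bccmd -d hci0 psget -s 0x000f 0x02be)" "$(bccmd -d hci0 memtypes)"
build_psset "$SAMPLE_PSGET" "$SAMPLE_MEMTYPES" || echo "vendor ID is not 0x0a12, not writing"
```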
  4. Dar

    Ok, then?
    How to sniff with this “new” device?

  5. foo

    I did the upgrade and now hcitool dev says:
    hci0 00:00:00:00:00:00
    Is this good? :)

