Last updated on 2021-05-31
Since the [23c3](http://events.ccc.de/congress/2006/Home) every interested researcher has known that it is easy to compromise Bluetooth sessions using the BTcrack tool. Thierry Zoller showed how it is possible to [retrieve](http://secdev.zoller.lu/research/bluetoothcracker.htm) link keys; the only problem was getting hold of a Bluetooth sniffer device to capture the raw Bluetooth packets, and such devices are not available at consumer prices. But somehow Max Moser found a [way](http://www.remote-exploit.org/research/busting_bluetooth_myth.pdf) to transform a vanilla USB Bluetooth dongle into a Bluetooth sniffer device. Don’t believe the hype… Now Bluetooth security is dead.
Mini Howto:
```shell
# Backup old firmware
dfutool -d hci0 archive backup.dfu

# Backup config
bccmd -d hci0 pslist -s 0x000F >> backup_cfg

# Check Vendor ID (has to be 0x0a12)
bccmd -d hci0 psget -s 0x000f 0x02be

# Write new Product ID
bccmd -d hci0 psset -s 0x0002 0x02bf 0x0002
```
Hi,
I was trying to do this with my Siemens dongle, but I read that I also have to change the vendor id and that did not work.
Maybe you have a clue what’s wrong with my cmdline:
bccmd -d hci0 psset -r -s 0x0002 0x02be 0x0a12
It is accepted, but bccmd -d hci0 psget -s 0x000f 0x02be gives me:
USB vendor identifier: 0x0bf8 (3064)
Okay, got it.
bccmd -d hci0 psset -s 0x0001 0x02be 0x0a12
USB vendor identifier: 0x0a12 (2578)
Yes, you need to use the correct RAM/flash location for it to get persistent.
./bccmd -d hci1 memtypes
psi (0x0001) = Flash memory (0)
psf (0x0002) = Flash memory (0)
psram (0x0008) = RAM (transient) (2)
if you want to use psi it will be:
bccmd -d hci0 psget -s 0x0001 0x02be
Look out for the PDF ‘BCCMD Commands (bcore-sp-005Pe).pdf’ for more details on the bccmd interface and locations.
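The how-to above and this reply both hinge on two checks that are easy to get wrong by hand: the dongle must report the CSR vendor identifier (0x0a12) before any PS key is written, and the write must go to a persistent store rather than the transient `psram` one. The following POSIX shell script is an added example, not code from the original post or from the bccmd project: it parses the `psget` and `memtypes` output formats shown on this page, and only `query_vendor_ok` actually invokes `bccmd` (the device name and store value passed to it are assumptions for illustration). Run the parsers offline first; the sample lines are constructed from the output quoted in the comments.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity checks around bccmd
# output before touching a CSR dongle's PS keys, so a bad write does not
# leave the dongle in an unusable state.

EXPECTED_VENDOR=0x0a12   # CSR vendor id the how-to requires (from the page)
VENDOR_KEY=0x02be        # PS key for the USB vendor identifier (from the page)

# vendor_id_from_line "USB vendor identifier: 0x0bf8 (3064)" -> prints 0x0bf8
# Prints nothing if the line does not look like psget's vendor output.
vendor_id_from_line() {
    printf '%s\n' "$1" | sed -n 's/^USB vendor identifier: \(0x[0-9a-fA-F]*\).*/\1/p'
}

# vendor_ok LINE -> succeeds only when the parsed id equals EXPECTED_VENDOR
vendor_ok() {
    id=$(vendor_id_from_line "$1" | tr 'A-F' 'a-f')
    [ -n "$id" ] && [ "$id" = "$EXPECTED_VENDOR" ]
}

# persistent_store MEMTYPES_OUTPUT -> prints the -s value of the first store
# that is not marked transient (flash), e.g. 0x0001; prints nothing if none.
persistent_store() {
    printf '%s\n' "$1" \
        | grep -v -i 'transient' \
        | sed -n 's/^[a-z]* (\(0x[0-9a-fA-F]*\)) = .*/\1/p' \
        | head -n 1
}

# query_vendor_ok DEV STORE -> runs bccmd against a real dongle (assumed
# device name, e.g. hci0) and checks the vendor id from a persistent store.
query_vendor_ok() {
    dev=$1
    store=$2
    line=$(bccmd -d "$dev" psget -s "$store" "$VENDOR_KEY") || return 1
    vendor_ok "$line"
}

# Example usage with constructed sample output (values quoted on this page):
SAMPLE_MEMTYPES='psi (0x0001) = Flash memory (0)
psf (0x0002) = Flash memory (0)
psram (0x0008) = RAM (transient) (2)'

main() {
    store=$(persistent_store "$SAMPLE_MEMTYPES")
    echo "persistent store to use with -s: $store"
    if vendor_ok 'USB vendor identifier: 0x0bf8 (3064)'; then
        echo "vendor id matches CSR"
    else
        echo "vendor id is not 0x0a12; do not write PS keys to this dongle"
    fi
}

# Only run the demo when executed directly, not when sourced for the checks.
case "$0" in
    *sh) ;;
    *) main ;;
esac
```

`persistent_store` returns `0x0001` (psi) for the memtypes listing above, which matches the store used in the corrected `psset` command in the thread; the transient `psram` entry is skipped so a write never lands somewhere that is lost on the next power cycle.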
Hello.
Ok, then?
How to sniff with this “new” device?
I did the upgrade and now hcitool dev says:
Devices:
hci0 00:00:00:00:00:00
Is this good?:)