Bluetooth Sniffing For Less
History:
--------
Bluetooth Security seems to be very good compared to 802.11 problems. But most
of the Bluetooth Security is based the PIN you have to enter during pairing
two devices or on the link key, which is a result of it. In addition Bluetooth
uses much more channels and hops frequently within the spectrum, which makes
Analyzing a real pain. Sniffing raw communication without being paired is
until now only available to rich companies or individuals which could buy one
of the over-priced Bluetooth Sniffers. When i say High-Priced i talk about
10'000 US$.
Frontline (http://www.fte.com) is one of the few Bluetooth Sniffer
manufacturers and they sell their application together with a "special"
Bluetooth sniffer ComProbe / dongle. Here are some marketing highlights from
their FTS4BT product website:
- Supports EDR (Enhanced Data Rate): FTS4BT is the only analyzer currently on
the market to support Bluetooth v2.0 + EDR.
- Finger-sized Bluetooth ComProbe: Air sniffing hardware is incredibly
portable and requires no power.
- Synchronized air and HCI sniffing: FTS4BT provides multiple points of
observation, speeding up debug time.
- Real-time debugging: FTS4BT captures, decodes, filters and displays
data, and detects protocol errors simultaneously, all live and in real-time.
- Decodes all Bluetooth protocols and most profiles.
Quick release of new profiles to keep pace with changing Bluetooth
specifications.
- Extract Audio into WAV files for playback and analysis.
- Includes Framedecoder for rapid development and seamless integration of
HCI Vendor Extensions and other custom protocol implementations.
- This Frontline technology is how we meet Bluetooth challenges.
Current:
--------
It is in fact very easy to modify a very cheap standard USB dongle to be usable
as comprobe and together with the nifty keygenerator, everyone can analyze
Bluetooth. Follow the instructions below to get your Bluetooth raw sniffer for
a few bugs. So for the marketing: This piece of reversing is how we meet the
Frontline challenges :-)
Warning:
--------
Using a keygenerator to run illegal software copies is prohibited in many
countries and you do it at your own risk. And we still think that you should buy
this expensive tools if you do business with it.
Prepare yourself:
-----------------
To conduct all the steps you need the following:
- Linux installation with Bluez and the important BCCMD, BDADDR and DFUTOOL
from the CVS tree. Get it at http://www.bluez.org. A few security testing
focused Linux distributions have them already pre-installed.
- A supported CSR chip based Bluetooth dongle
- A copy of the FTS4BT software (Should be available in combination with this
howto)
- A copy of the license and authentication code generator (Should be available
in combination with this howto)
Step 1 - Backup original firmware:
----------------------------------
First you want to backup your USB sticks current firmware and configuration for
later use. Follow the points below to do this:
- Insert your stick into your linux machine and do a hciconfig up
(Most often is hci0). Check using hciconfig -a if the device is
there and UP. Looks somewhat similar to that list below i suggest that you
copy your information to a safe place, in case you want to switch back to it:
linux ~ # hciconfig -a
hci0: Type: USB
BD Address: 00:DE:EA:DB:EE:EF ACL MTU: 192:8 SCO MTU: 64:8
UP RUNNING
RX bytes:85 acl:0 sco:0 events:9 errors:0
TX bytes:30 acl:0 sco:0 commands:8 errors:0
Features: 0xff 0xff 0x0f 0x00 0x00 0x00 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'COMPUTER'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.1 (0x1) HCI Rev: 0x33c LMP Ver: 1.1 (0x1) LMP Subver: 0x33c
Manufacturer: Cambridge Silicon Radio (10)
- Write down your btaddr (similar to mac addr),in our case its 00:DE:EA:DB:EE:EF
You will need it later on, so write it down. Tip: You can also set a specific
address using the tool btaddr which als also from bluez.
- Now just backup the current firmware using the dfutool. Please notice that
ID 0a12:0001 thats the vendor and product id (You can also get it using lsub).
We need the product to be 0002 but we do this a bit later. Now do your
backup, it should look like the example below. Please not that doing this in
virtual machines may fail.In addition you need to use again hciconfig
up after the dfutool because it resets the state of the device.:
linux ~ # dfutool -d hci0 archive my_bluetooth_dongle_firmware_backup.dfu
Available devices with DFU support:
2) Bus 1 Device 2: ID 0a12:0001 Interface 2
Select device (abort with 0): 2
Firmware upload ... 358832 bytes
linux ~ # hciconfig hci0 up
Step 1 - View original configuration:
-------------------------------------
Acording to the CSR specifications there are multiple places to read stuff on
the stick. Depending on your product these can be different. In generel these
are "Default" (0x0000), "param" (0x0008), "psi" (0x0001), "psf" (0x0002) and
"psrom" (0x0004). You can use those values usind bccmd pslist -s . Its
even more easy if you like to get a complete list of parameters, just use:
linux ~ # bccmd -d hci0 pslist -s 0x000F >> backup-configuration
look in there for the lines that contains something similar to these:
"0x02bf - USB product identifier (2 bytes)"
"0x02be - USB vendor identifier (2 bytes)"
Now get the values of those two bytes:
Use the following command to get the location of the product id:
linux ~ # bccmd -d hci0 psget -s 0x000f 0x02bf
USB product identifier: 0x0001 (1) <----This is what we want to change later
linux ~ # bccmd -d hci0 psget -s 0x000f 0x02be
USB vendor identifier: 0x0a12 (2578) <----If you have something different
we have to change it as well
Step 2 - Change product ID:
----------------------------------------
Acording to the CSR specifications there are multiple places to store stuff. On
most dongles we know about it the product id is stored in "psf" (0x0002). Never
mind if its not there just check your configuration and search for it. If you
the right location then use the following or similar line to modify the product
id from 0x0001 to 0x0002. Otherwise Frontline drivers wont install properly.
linux ~ # bccmd -d hci0 psset -s 0x0002 0x02bf 0x0002 <--- new id
If you got no feedback then it was successful, check it by reading that value
again using:
linux ~ # bccmd -d hci0 psget -s 0x000f 0x02bf
USB product identifier: 0x0002 (2) <----Yeah baby!
Step 2 1/2 - Change vendor ID:
----------------------------------------
Most dongles i did see where Cambridged Silicon Radio,so its likely that
you will get 0x0a12 as the usb vendor id. If you got that one, your finished
with modifications on your dongle. Go to Step 3 of this guide. When you are
using the Toshiba Version 2.0 + ERD dongle (which is amazing) you need to change
also the vendor id from 0x0903 to 0x0a12 uing psget/psset.
Step 3 - Install the sniffer software
-------------------------------------
I guess i dont have to explain that. Use your license or generate one if you
got a keygen :-). Please note, its important on the keygen that you enter the
mac / btaddr of your dongle in lowercase and without any ":".
The keygen is available as a linux binary as well as windows .exe file
Use the serial number during installation. You will get a Desktop Folder with a
lot of links. Don't delete it you will need it.
Step 4 - Install the USB stick driver from frontline
----------------------------------------------------
When you insert your stick, windows will try to install a driver. You will find
it in your Frontline installation dirctory, quite simple uh?
Step 6 - Install the firmware package from frontline
----------------------------------------------------
Pretty straigth forward, but you will need it.
Step 7 - Configure the sticks firmware etc.
-------------------------------------------
Open the Bluetooth ComProbe Maintenance Utility. You find a shortcut on
"Desktop\5.6.9.0 FTS4BT\Setup" or at similar places. Use the "Select Device"
button and if you did previous steps correct, it will be detected. Yeah!
Now use "Update Firmware" to update your desired firmware version (You will
find it in the subfolder "Bluetooth ComProbe Firmware" in the frontline
installation directory. I normaly use the latest one. After that you should
use "Check Configuration" to configure the stick with the serial and the
authentication code. Finally i suggest to use "Calibrate" which takes time.
Step 8 - Use it
---------------
Thats it.
Future / Todo:
-------
We did the first step and show you how to do it for less, now its the
communities opurtunity to take that know-how and generate a custom, free
firmware and sniffer module to generate a real opensource sniffer.