Last updated on 2023-05-20
Since the 23C3, every interested researcher has known that it is easy to compromise Bluetooth sessions using the BTcrack tool: Thierry Zoller showed how link keys can be recovered. The only problem was getting hold of a Bluetooth sniffer device to capture the raw Bluetooth packets, and such devices are not available at consumer prices. But somehow Max Moser found a way to transform a vanilla USB Bluetooth dongle into a Bluetooth sniffer device. Don’t believe the hype… Now Bluetooth security is dead.
Mini Howto:
# Backup the old firmware
dfutool -d hci0 archive backup.dfu
# Backup the config (all persistent stores)
bccmd -d hci0 pslist -s 0x000F >> backup_cfg
# Check the Vendor ID (has to be 0x0a12)
bccmd -d hci0 psget -s 0x000f 0x02be
# Write the new Product ID
bccmd -d hci0 psset -s 0x0002 0x02bf 0x0002
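The same steps wrapped in a script so that the backups are taken first and the vendor-ID check actually gates the write; this is an added example, not the post's own commands. The function names, the DEV variable and the backup file names are my assumptions; the PS key numbers and the CSR vendor ID come from the howto above.

```shell
#!/bin/sh
# Added example: gated version of the howto's bccmd steps.
# Assumes BlueZ's bccmd/dfutool and a CSR-based dongle on $DEV.
set -eu

DEV="${DEV:-hci0}"
CSR_VENDOR=0x0a12
PSKEY_USB_VENDOR_ID=0x02be
PSKEY_USB_PRODUCT_ID=0x02bf
STORE_PSF=0x0002     # psf: flash store used by the howto for the write

# Extract the hex value from a bccmd psget line such as
#   "USB vendor identifier: 0x0bf8 (3064)"
# Prints the value in lowercase; prints nothing if the line does not parse.
parse_psget_hex() {
    printf '%s\n' "$1" | sed -n 's/.*: *\(0[xX][0-9a-fA-F]*\).*/\1/p' | tr 'A-F' 'a-f'
}

# Returns 0 only when the psget output names the CSR vendor ID 0x0a12.
is_csr_vendor() {
    [ "$(parse_psget_hex "$1")" = "$CSR_VENDOR" ]
}

convert_dongle() {
    # 1. Backup firmware and the full persistent store before touching anything.
    dfutool -d "$DEV" archive "backup-$DEV.dfu"
    bccmd -d "$DEV" pslist -s 0x000f > "backup-$DEV.cfg"

    # 2. Refuse to write unless the chip reports the CSR vendor ID.
    out="$(bccmd -d "$DEV" psget -s 0x000f "$PSKEY_USB_VENDOR_ID")"
    if ! is_csr_vendor "$out"; then
        echo "refusing to write: vendor is not CSR ($out)" >&2
        return 1
    fi

    # 3. Write the new product ID to the flash store.
    bccmd -d "$DEV" psset -s "$STORE_PSF" "$PSKEY_USB_PRODUCT_ID" 0x0002
}

# Only run the flashing steps when invoked directly with "convert".
if [ "${1:-}" = "convert" ]; then
    convert_dongle
fi
```

Run it as `DEV=hci0 ./convert.sh convert`; without the argument it only defines the functions, so the parser can be exercised without a dongle attached.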
Hi,
I was trying to do this with my Siemens dongle, but I read that I also have to change the vendor id and that did not work.
Maybe you have a clue what’s wrong with my cmdline:
bccmd -d hci0 psset -r -s 0x0002 0x02be 0x0a12
It is accepted, but bccmd -d hci0 psget -s 0x000f 0x02be gives me:
USB vendor identifier: 0x0bf8 (3064)
Okay, got it.
bccmd -d hci0 psset -s 0x0001 0x02be 0x0a12
USB vendor identifier: 0x0a12 (2578)
Yes, you need to use the correct RAM/flash location for it to get persistent.
./bccmd -d hci1 memtypes
psi (0x0001) = Flash memory (0)
psf (0x0002) = Flash memory (0)
psram (0x0008) = RAM (transient) (2)
If you want to use psi it will be:
bccmd -d hci0 psget -s 0x0001 0x02be
Look out for the PDF ‘BCCMD Commands (bcore-sp-005Pe).pdf’ for more details on the bccmd interface and locations.
Hello.
Ok, then?
How do I sniff with this “new” device?
I did the upgrade and now hcitool dev says:
Devices:
hci0 00:00:00:00:00:00
Is this good? :)