H00lyshit – DIY Bluetooth Sniffer

Since the 23c3 every interested researcher knew that is easy to compromise bluetooth sessions using the BTcrack tool.Thierry Zoller showed how it’s possible to retrieve link keys, The only problem was to get hands on a bluetooth sniffer device to get the raw bluetooth packets. Such devices are not available at consumer prices. But somehow Max Moser found a way to tranform a vanilla usb bt dongle into a bluetooth sniffer device. Don’t believe the hype…Now bluetooth security is dead.

Mini Howto:

#Backup old firmware
dfutool -d hci0 archiv backup.dfu
# Backup config
bccmd -d hci0 pslist -s 0x000F >> backup_cfg
# Check Vendor ID ( has to be 0x0a12)
bccmd -d hci0 psget -s 0x000f 0x02be
# Write new Product ID
bccmd -d hci0 psset -s 0x0002 0x02bf 0x0002 

5 thoughts on “H00lyshit – DIY Bluetooth Sniffer”

  1. Hi,

    I was trying to do this with my Siemens dongle, but I read that I also have to change the vendor id and that did not work.

    Maybe you have a clue whats wrong with my cmdline:

    bccmd -d hci0 psset -r -s 0x0002 0x02be 0x0a12

    It is accepted, but bccmd -d hci0 psget -s 0x000f 0x02be gives me:
    USB vendor identifier: 0x0bf8 (3064)

  2. Okay, got it.

    bccmd -d hci0 psset -s 0x0001 0x02be 0x0a12

    USB vendor identifier: 0x0a12 (2578)

  3. Administrator

    Yes, u need to use the correct ram/flash location to it get persistent.

    ./bccmd -d hci1 memtypes
    psi (0x0001) = Flash memory (0)
    psf (0x0002) = Flash memory (0)
    psram (0x0008) = RAM (transient) (2)

    if you want to use psi it will be:

    bccmd -d hci0 psget -s 0×0001 0×02be

    look out for this pdf ‘BCCMD Commands (bcore-sp-005Pe).pdf’ for more details
    on the bccmd interface and locations.

  4. I did the upgrade and now hcitool dev says:
    hci0 00:00:00:00:00:00
    Is this good?:)

Comments are closed.

Scroll to Top