[New Tutorial For BT3 ONLY]One bluetooth post to rule them all!

[drgr33n]

Sorry about the late reply.

I cannot download the dump file, I keep getting invalid session? It might be a error at rapidshare so I'l try later in the evening.

[hongman]

Hmm its coming up invalid for me too.

I'll try re-do it later.

[thewheelieking]

Hello everyone,

This is my first post and would like to say that Dr GrEen is very informative in many aspects of pen testing. I would also like to thank you Dr GrEen, for the various information you have posted on this site, which has kept me lurking and learning for 5 months. I finally found something I can contribute, so here goes.

I was having the same authentication issue, as Hongman, where I would try to connect with any program from Back Track 3 Beta which prompted the phone for a passkey and found that typing in the passkey on the phone (seems everyone is using "1234") would end in a "connection refused". After Googling "hcid.conf outgoing passkey", because I took the time to read the hcid.conf completely the billionth time around and found it said incoming passkey, I came across entering the passkey I wanted into the following file:

kwrite /etc/bluetooth/passkeys/default <-- type in just the passkey no quotes & save.

I was able to verify the pin when typing it into my MetroPCS Motorola V3M. I have only had success connecting to a phone, so far, using obexftp and the following commands:

First get the directory tree.
obexftp -b BD_ADDR -c / -l

To download files
obexftp -b BD_ADDR -c /Picture -g example.jpg

to upload Files
obexftp -b BD_ADDR -c /Picture -p example.jpg

Got the above info here hxxp://xxx.go2linux.org/transfer-files-with-bluetooth-Linux.

Also to have your phone "discoverable" you need to add to the hcid.conf the following:

# Inquiry and Page scan
iscan enable; pscan enable;
discovto 0;

I was not able to try the discovery mode, as my phone only connects to bluetooth headsets and I have a Targus ACB10US USB dongle with Broadcom chipset. BCCMD reports "unsupported device" , but I will be purchasing something better shortly.

One last thing, I noticed I would never see PSCAN ISCAN in the "hciconfig -a" output until I entered this command:

hciconfig hci0 piscan

One last last thing, I made the following script file called "bluetoothsetup" saved to /mnt/sda1, as I use BT3usb:

hciconfig hci0 up
hciconfig hci0 down
hciconfig hci0 reset
cp -f /mnt/sda1/backups/targusinfo/hcid.conf /etc/bluetooth/hcid.conf
cp -f /mnt/sda1/backups/targusinfo/default /etc/bluetooth/passkey/default <-- can't get this to work yet
mknod -m 666 /dev/rfcomm0 c 216 8
mknod -m 666 /dev/rfcomm1 c 216 17
mknod -m 666 /dev/rfcomm2 c 216 16
sdptool add --channel=8 DUN
sdptool add --channel=16 FTP
sdptool add --channel=17 OPUSH
bash /etc/rc.d/rc.bluetooth restart
hciconfig hci0 piscan
hciconfig -a

I just open up a console and type "/mnt/sda1/backups/targusinfo/bluetoothsetup". No more retyping all that in everytime I reboot!



P.S. I named my device "HitYesThenType1234" and then used bluebugger to initiate a connection to the wifes phone, without her knowing I was doing it. Guess what? She followed the directions and I was authenticated with her phone, where I pushed up a picture of some naked guy (using obexftp commands above). I then went to her and asked to take a picture of our daughter, which I did, then proceeded to question her about the naked picture. After some heckling, I told her what I did and got a "how clever, your way better looking, but if it was Antonio Banderas...." That Social Engineering is a mofo, ain't it...

[hongman]

lol, very nicely done.

I am very busy at the moment with Work but as soon as I get a spare few I will try re-upload that file and also try the above.

Thanks for your contributions, great first post!

[sanshinron]

after readin this topic carefully i managed to get this working. i had to download newest bluez-libs, bluez-utils, bluez-firmware and bluez-hcitool (install in that order: firmware, libs, utils, hcitool) and then dr green's tutorial worked perfectly. but then i had to solve the connection refused issue (tried to write it to /etc/bluetooth/passkeys/default - bullseye ;d)

i made the same script as thewheelieking, except those two cp-f lines cause a ihave backtrack on hdd and put it in /root/.kde/autostart

rebooted and everything works just fine, but i still have to pair phones using 1234 pin.
when i get connection refused i just randomly try other channels until it works.

when i will have some time i'll post more specific output, what phones i tested and on which channels they connected.

Since its no real use cause of the need to enter pin i am interested in some info on btcrack, i've looked on the google but no tutorials or manual whatsoever. Can you shed some light on this topic, pls?

i had pdf with at commands somewhere, i'll post it as soon as i find it ;d

[drgr33n]

Just a quick add instead of sifting through your saved sniffed packets for the ramdom numbers ETC I've only just found out you can use hcidump to read sorbo's dump file properly to extract the relevant data.

Here's a dump of a link key exchange between my phone and my laptop.

Code:

drgr33n ~ # hcidump -V -r out
HCI sniffer - Bluetooth packet analyzer ver 1.41
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> ACL data: handle 0 flags 0x02 dlen 10
    L2CAP(s): Info req: type 2
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> ACL data: handle 0 flags 0x02 dlen 12
    L2CAP(s): Info rsp: type 2 result 1
      Not supported
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20

> HCI Event: Vendor (0xff) plen 20
> HCI Event: Vendor (0xff) plen 20

As you can see hcidump partially understands this, but doesn't know the op codes so just displays HCI event.

You have to tell hcidump what manufacturer of device you are using. CSR's manuf code is 10 so we add this to hcidump and ...

Code:

HCI sniffer - Bluetooth packet analyzer ver 1.41
> HCI Event: Vendor (0xff) plen 20
    LMP(r): version_res(m): op code 38
      VersNr 3 (2.0)
      CompId 10 (Cambridge Silicon Radio)
      SubVersNr 3164
> HCI Event: Vendor (0xff) plen 20
    LMP(s): host_connection_req(m): op code 51
> HCI Event: Vendor (0xff) plen 20
    LMP(r): accepted(m): op code 3
      op code 51 (host_connection_req)
> HCI Event: Vendor (0xff) plen 20
    LMP(r): setup_complete(s): op code 49
> HCI Event: Vendor (0xff) plen 20
    LMP(s): packet_type_table_req(m): op code 127/11
      packet type table 1 (2/3Mbps)
> HCI Event: Vendor (0xff) plen 20
    LMP(s): set_AFH(m): op code 60
      AFH_instant 0x5072c
      AFH_mode 1
      AFH_channel_map 0xffffffffffffffffff7f
> HCI Event: Vendor (0xff) plen 20
    LMP(r): accepted_ext(m): op code 127/1
      op code 127/11 (packet_type_table_req)
> HCI Event: Vendor (0xff) plen 20
    LMP(s): channel_classification_req(m): op code 127/16
      AFH reporting mode 1
      AFH min interval 0x0640
      AFH max interval 0xbb80
> HCI Event: Vendor (0xff) plen 20
    LMP(s): in_rand(m): op code 8
      random number c93ebf1f5c9a7362a80a72414dfabeb1
> HCI Event: Vendor (0xff) plen 20
    LMP(r): accepted(m): op code 3
      op code 8 (in_rand)
> HCI Event: Vendor (0xff) plen 20
    LMP(s): comb_key(m): op code 9
      random number 0f34da046545e5a15a11639d71a067b6
> HCI Event: Vendor (0xff) plen 20
    LMP(r): comb_key(m): op code 9
      random number 8e429e343d0c330f1c00071806389c87
> HCI Event: Vendor (0xff) plen 20
    LMP(s): au_rand(m): op code 11
      random number 54fba1db6e2d0aabda8a06b9ff0a2ae8
> HCI Event: Vendor (0xff) plen 20
    LMP(r): sres(m): op code 12
      authentication response 1c890d81
> HCI Event: Vendor (0xff) plen 20
    LMP(r): au_rand(m): op code 11
      random number 760affcf59bec9e178556145a01ab630
> HCI Event: Vendor (0xff) plen 20

    LMP(s): sres(m): op code 12
              IN_RAND  c93ebf1f5c9a7362a80a72414dfabeb1
              COMB_KEY 0f34da046545e5a15a11639d71a067b6 (M)
              COMB_KEY 8e429e343d0c330f1c00071806389c87 (S)
              AU_RAND  54fba1db6e2d0aabda8a06b9ff0a2ae8 SRES 1c890d81 (M)
              AU_RAND  760affcf59bec9e178556145a01ab630 SRES b2b6be7f (S)
      authentication response b2b6be7f

> HCI Event: Vendor (0xff) plen 20
    LMP(s): setup_complete(m): op code 49
> HCI Event: Vendor (0xff) plen 20
    LMP(s): max_slot(m): op code 45
      max slots 5
> HCI Event: Vendor (0xff) plen 20
    LMP(s): max_slot_req(m): op code 46
      max slots 5
> HCI Event: Vendor (0xff) plen 20
    LMP(s): auto_rate(m): op code 35
> HCI Event: Vendor (0xff) plen 20
    LMP(r): auto_rate(s): op code 35
> HCI Event: Vendor (0xff) plen 20
    LMP(r): max_slot(s): op code 45
      max slots 5
> HCI Event: Vendor (0xff) plen 20
    LMP(r): timing_accuracy_req(s): op code 47
> HCI Event: Vendor (0xff) plen 20
    LMP(r): accepted(m): op code 3
      op code 46 (max_slot_req)
> HCI Event: Vendor (0xff) plen 20
    LMP(s): timing_accuracy_res(s): op code 48
      drift 250
      jitter 10
> ACL data: handle 0 flags 0x02 dlen 10
    L2CAP(s): Info req: type 2
> HCI Event: Vendor (0xff) plen 20
    LMP(s): timing_accuracy_req(m): op code 47
> HCI Event: Vendor (0xff) plen 20
    LMP(r): timing_accuracy_res(m): op code 48
      drift 250
      jitter 10
> HCI Event: Vendor (0xff) plen 20
    LMP(r): feature_req(s): op code 39
      features 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
> HCI Event: Vendor (0xff) plen 20
    LMP(s): clkoffset_req(m): op code 5
> HCI Event: Vendor (0xff) plen 20
    LMP(s): feature_res(s): op code 40
      features 0xff 0xff 0x8d 0xfe 0x9b 0xf9 0x00 0x80
> ACL data: handle 0 flags 0x02 dlen 12
    L2CAP(s): Info rsp: type 2 result 1
      Not supported
> HCI Event: Vendor (0xff) plen 20
    LMP(r): clkoffset_res(m): op code 6
      clock offset 0x34d4
> HCI Event: Vendor (0xff) plen 20
    LMP(r): name_req(s): op code 1
      name offset 0
> HCI Event: Vendor (0xff) plen 20
    LMP(s): supervision_timeout(m): op code 55
      supervision timeout 9600
> HCI Event: Vendor (0xff) plen 20
    LMP(s): name_res(s): op code 2
      name offset 0
      name length 8
      name fragment 'LG KG290'
> HCI Event: Vendor (0xff) plen 20
    LMP(s): name_req(m): op code 1
      name offset 0
> HCI Event: Vendor (0xff) plen 20
    LMP(r): name_res(m): op code 2
      name offset 0
      name length 11
      name fragment 'drgr33n (0)'
> HCI Event: Vendor (0xff) plen 20
    LMP(s): preferred_rate(m): op code 36
      data rate 0x70
      Basic: use FEC, no packet-size preference
      EDR: use 3 Mbps packets, use 5-slot packets
> HCI Event: Vendor (0xff) plen 20
    LMP(s): decr_power_req(m): op code 32
      future use 0x00

I've removed alot of the l2cap packets, but now hcidump understands the op codes and displays all the info needed to crack the link key Alot easier to spot

Hope this helps a few people out as it save me a good half hour I will add something to bluesmash later but I've been so busy lately I've barely got time for a coffee !!!!

[DeadWolf]

Dr_GrEeN, Is there a major difference between CSR firmware versions 46 and 49 used in your video? And what's the difference between say versions airsnifferdev46bc2.dfu and airsnifferdev46bc3.dfu, and airsnifferdev46bc4.dfu?

Does the bc2, bc3, and bc4 correspond with the Bluecore#? (i.e. BC4 = Bluecore4)

[imported_=Tron=]

Does the bc2, bc3, and bc4 correspond with the Bluecore#? (i.e. BC4 = Bluecore4)

Yes I believe so, as I tried it with a BC2 bluetooth dongle, and had to choose the airsnifferdev46bc2.dfu for it to fit.

[aggtrfrad]

hola
heres my story (please read :P)
-got my a7eng usb dongle today
-changed product id to 0002, restart, works perfectly in raw mode
-my stupidity gets in the game
-i wanted to upgrade the firmware, so i can use it on windows-frontline, so i said lets us frontline's tool to upgrade firmware. started the tool, selected device, selected firmware (airsnifferdev47bc2.dfu), device changes automatically to dfu mode (dev id: ffff), im asked to install new drivers, starting upgrade, at the end of the upload i get an error: verification failed, maybe firmware doesnt match device
-device stays in dfu mode, devid:ffff
-i pluged in back to linux, hciconfig cannot see it, bccmd cannot see it as hci (also tried usb serial connection but no luck), dfutool can succesfully see it but:
-it cannot start downloading firmware FROM the dongle TO my pc
-it can start uploading firmware FROM my pc TO the dongle, but at the end it just says "Waiting for Device" and quits
-device still at the same state
-i also tried to restore to the old firmware with frontline's tool, starts uploading but at the end says device not responding
-conclusion: I'm sorry if i wasnt clear but its a very screwed up case.
edit:
-hciconfig revision showed csr bc2 external
-i saved the original firmware before flashing

[imported_=Tron=]

You should be able to restore your old firmware on the dongle in linux using dfutool and your backup.