
Thread: [New Tutorial For BT3 ONLY]One bluetooth post to rule them all!

  1. #111
    Junior Member aggtrfrad
    Join Date: Apr 2008
    Posts: 74

    Thank you, I tried it and it starts uploading; at the end I get no errors at all.
    But nothing changes, even if I replug the dongle...
    The dev id is still "ffff" instead of "0001", and no hci tools can see it as an HCI device.
    I'm trying to connect to it via bccmd, but since it is not an HCI device, I'm trying to connect directly over a serial connection, with no luck.
    dmesg shows that when I plug in the device, it doesn't point to any file at all.
    I will post the exact output of dmesg when I reboot into Linux.
    -Google is watching you

    -June 1, 2001, Microsoft CEO Steve Ballmer: "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches."

  2. #112
    Junior Member aggtrfrad
    Join Date: Apr 2008
    Posts: 74

    Quote Originally Posted by =Tron=:
    You should be able to restore your old firmware on the dongle in linux using dfutool and your backup.

    I figured out that my backup has ASCII code at the end of the file.
    I think that's why my dongle will not accept it; dfu ****ed up somehow.
    Here's how my backed-up original firmware looks at 98-100%:


  3. #113
    Just burned his ISO
    Join Date: Jun 2008
    Posts: 1

    Hi aggtrfrad,

    I have EXACTLY the same problem, except that so far I have bricked 3 a7eng 502 dongles. It seems that this dongle is not so compatible with this method of changing firmware.

    I tried with Frontline and it doesn't get out of DFU mode (ffff).
    I tried with dfutool and it doesn't get out of DFU mode (ffff).
    Restoring the backup firmware is successful, but the device never gets back to 0001; it just stays at ffff.

    I would like to know if anyone ever got this dongle to work in sniffing mode.

    Also, this dongle has different places to write to, which I only figured out now, when I have no other dongles to play with. It has 0x0000, 0x0001, 0x0003, 0x0004 .. 5, 6, and 0x0007. The values at 0x0004 are not changeable; they seem to be ROM. However, I figured out that I can change it to 0x0002 at 0x0007, 0x0000, 0x0001, 0x0002.

    Hopefully my next attempt will be successful or some mate will post a solution here.

    Thank you all

  4. #114
    Just burned his ISO
    Join Date: Jun 2008
    Posts: 14

    switch or stay?

    First off, this entire thread has helped a lot. However, after about 4 hours of trial and error I'm officially stuck... but sadly I'm afraid I already know the answer, which is to get a dongle that is EXT... but as I read in previous posts it's not a simple task and easy to brick... so I was just wondering, since I only have a ROM-based dongle, if I could get better results.

    So far I'm at the point where I can finally connect to my phone (a RAZR V9m, but I'm hoping I'm just having trouble because it is an up-to-date phone) after entering my PIN (0000); sometimes I don't even need to, but instead just "accept" (and rarely it just connects without any means of accepting on my phone). The problem is that even though I'm connected, it doesn't do any of the commands I issue using bluebugger, but rather it hangs after it gives me the device and name (while still remaining connected to the phone). For example, it hangs even though I use channel 18 (OBEX Phonebook Access profile) with the line:
    bluebugger -c 18 -a 00:1c:c1:80:15:18 phonebook

    Same results with bluesnarfer:
    bluesnarfer -r A-C -b 00:1c:c1:80:15:18

    Everything looks right since I'm connected (unless my phone is lying), but I don't get any results.

    PS: I was finally able to connect by using the tip of passkeys/default/, typing 0000, and also using hciconfig hci0 piscan and finding the channels which seem appropriate for the commands I try. I'm obviously a noobie, so bear with me... BUT IN SHORT: is my only option getting an EXT-based dongle? Or should I stick with my ROM-based one? Thanks in advance.

  5. #115
    Junior Member
    Join Date: Aug 2007
    Posts: 63

    Great tutorial DrGr33n. I have a D-Link Bluetooth DBT-122 dongle and I'm having a hard time getting it into RAW mode like you do. Here is some of my output:

    hciconfig hci0 revision
    hci0: Type: USB
    BD Address: 00:1C:F0:6C:AC4 ACL MTU: 1017:8 SCO MTU: 64:0
    Firmware 61.67 / 14

    So I don't really understand what that means; I don't see an EXT or ROM chipset. I will post more info about my device here:

    hciconfig -a
    hci0: Type: USB
    BD Address: 00:1C:F0:6C:AC4 ACL MTU: 1017:8 SCO MTU: 64:0
    UP RUNNING
    RX bytes:398 acl:0 sco:0 events:14 errors:0
    TX bytes:48 acl:0 sco:0 commands:14 errors:0
    Features: 0xff 0xff 0x8d 0xfe 0x9b 0xf9 0x00 0x80
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
    Link policy:
    Link mode: SLAVE ACCEPT
    Name: 'BCM2045B3'
    Class: 0x000000
    Service Classes: Unspecified
    Device Class: Miscellaneous,
    HCI Ver: 2.0 (0x3) HCI Rev: 0x403d LMP Ver: 2.0 (0x3) LMP Subver: 0x430e
    Manufacturer: Broadcom Corporation (15)

    Once I try to run the command to back up the firmware, I get this:
    dfutool -d hci0 archive backolddlink.dfu
    Available devices with DFU support:

    1) Bus 3 Device 4: ID 07d1:f101 Interface 3

    Select device (abort with 0): 1

    Can't identify device with DFU mode

    Even when I try to run any of the BCCMD commands I still get this message:

    bccmd psget -s 0x0000 0x02bf
    Unsupported manufacturer

    I was trying to find the Frontline ComProbe pack firmware you used in the video, DrGr33n, but haven't found it around yet... do you by any chance have a link or something?

    I'm running a BT3 beta Live USB install with saved changes on a Toshiba Satellite A-100.
    The help will be really appreciated, folks, as these are my first steps inside the world of Bluetooth.
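A quick check for the question in this post, written as an added example (it is not code from the thread or from BackTrack): parse `hciconfig -a` output and look at the manufacturer id. bccmd implements CSR's BCCMD protocol, so it only talks to CSR BlueCore chips (Bluetooth SIG company id 10); on a Broadcom part (id 15, the BCM2045B3 shown above) "Unsupported manufacturer" is the expected answer, and the ROM vs EXT question in this thread, which is about CSR BlueCore variants, does not apply. The sample input is the output posted above, embedded as a constructed string so the example runs offline.

```python
import re
from dataclasses import dataclass

# Sample input: the hciconfig -a output from the post above, embedded here
# as a constructed string so the example runs offline.
SAMPLE_HCICONFIG = """\
hci0: Type: USB
BD Address: 00:1C:F0:6C:AC4 ACL MTU: 1017:8 SCO MTU: 64:0
UP RUNNING
Name: 'BCM2045B3'
Class: 0x000000
HCI Ver: 2.0 (0x3) HCI Rev: 0x403d LMP Ver: 2.0 (0x3) LMP Subver: 0x430e
Manufacturer: Broadcom Corporation (15)
"""

# Bluetooth SIG company identifiers that matter for this thread.
CSR_ID = 10       # Cambridge Silicon Radio: BlueCore parts, what bccmd/dfutool talk to
BROADCOM_ID = 15  # Broadcom: BCM2045 family, no BCCMD protocol


@dataclass
class HciInfo:
    dev: str
    name: str
    manufacturer: str
    manufacturer_id: int
    hci_rev: int
    lmp_subver: int


def _grab(pattern: str, text: str) -> str:
    """Return the first capture group of `pattern`, or raise if the field is absent."""
    m = re.search(pattern, text, re.MULTILINE)
    if not m:
        raise ValueError(f"field not found in hciconfig output: {pattern}")
    return m.group(1)


def parse_hciconfig(text: str) -> HciInfo:
    """Extract the fields needed to identify the chipset from `hciconfig -a` text."""
    manu = re.search(r"Manufacturer:\s*(.+?)\s*\((\d+)\)", text)
    if not manu:
        raise ValueError("Manufacturer line missing")
    return HciInfo(
        dev=_grab(r"^(hci\d+):", text),
        name=_grab(r"Name:\s*'([^']*)'", text),
        manufacturer=manu.group(1),
        manufacturer_id=int(manu.group(2)),
        hci_rev=int(_grab(r"HCI Rev:\s*(0x[0-9a-fA-F]+)", text), 16),
        lmp_subver=int(_grab(r"LMP Subver:\s*(0x[0-9a-fA-F]+)", text), 16),
    )


def bccmd_supported(info: HciInfo) -> bool:
    """bccmd speaks CSR's BCCMD protocol, so only CSR parts can answer it."""
    return info.manufacturer_id == CSR_ID


def chipset_summary(info: HciInfo) -> str:
    """One-line verdict a reader can compare with the thread's ROM/EXT discussion."""
    if bccmd_supported(info):
        return (f"{info.dev}: CSR BlueCore ({info.name}), LMP subver 0x{info.lmp_subver:04x}; "
                "bccmd/dfutool apply, check the ROM vs EXT variant before flashing")
    return (f"{info.dev}: {info.manufacturer} ({info.name}), not a CSR part; bccmd will "
            "report 'Unsupported manufacturer' and the ROM/EXT question does not apply")


if __name__ == "__main__":
    print(chipset_summary(parse_hciconfig(SAMPLE_HCICONFIG)))
```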

  6. #116
    Senior Member
    Join Date: Apr 2008
    Posts: 2,008

    Quote:
    I was trying to find the Frontline ComProbe pack firmware you used in the video, DrGr33n, but haven't found it around yet... do you by any chance have a link or something?

    The only way to legally obtain a copy of the firmware is to actually buy the Frontline ComProbe. As with every expensive piece of software there are pirated versions of it available on the interweb, but even linking to these could be considered illegal.
    -Monkeys are like nature's humans.

  7. #117
    Junior Member
    Join Date: Jun 2006
    Posts: 57

    Guys,

    Can any of you advise on what method needs to be used to send a text message via bluesnarfer or bluebugger?

    I assume this is done via an AT command, but any information you could share would be much appreciated.

    Thanks in advance.
    Dale

  8. #118
    Just burned his ISO
    Join Date: Jun 2008
    Posts: 14

    OK, someone correct me if I'm wrong, but basically every phone can be either non-vulnerable, or vulnerable to a selected set of attack types, i.e. bluesnarfer, helomoto, bluesmack etc. This is also based on the types of profiles (e.g. Object Push profile etc.) a phone has. So generally speaking, the odds of getting into any given phone and being able, for example, to see their contacts are very low no matter what firmware a dongle has? Just wondering, since I wanted to know if this was worth the hassle of getting an EXT dongle, or if it even makes a difference with my current ROM dongle.
    Any feedback is appreciated.

  9. #119
    Just burned his ISO
    Join Date: Jun 2008
    Posts: 9

    My first post here and the reason I logged in was to say the following:

    I kindly thank DR_GREEN for the effort to try to help us all with specialised matters on bluetooth (he forced me to look in this matter) but from my experience in this, what he has managed is to disorient every reader of this forum.

    There are lots of threads, places around the internet to find this information and the only thing that is done here is to summarise them all with many-many mistakes and wrong things.

    There is nowhere explained how exactly he did manage to make this work but has given some information on many un-connected things which in the end do not make sense.

    In his example of the Frontline modding of a dongle he does not mention that the correct firmware also has to be found and installed. In the first post here he just uses dfutool and shouts that this is all that is needed...
    Many posts follow with questions and no answer.

    Secondly, there is no need to complicate things with the mknod files, because you can fix whatever rfcomm file you want and then give it the service... why complicate channels 3, 5, 7, ..... 10 and whatever when you can simply add 3 rfcomm devices 1, 2, 3 and then give them respectively a service and channel.

    For example:
    mknod -m 666 /dev/rfcomm1 c 216 1
    mknod -m 666 /dev/rfcomm2 c 216 2
    mknod -m 666 /dev/rfcomm3 c 216 3

    sdptool add --channel=1 DUN
    sdptool add --channel=2 OPUSH
    sdptool add --channel=3 FTP

    rfcomm bind 1 [….MAC] 3
    rfcomm bind 2 [….MAC] 6
    rfcomm bind 3 [….MAC] 7


    Afterwards you connect/bind with rfcomm device 1 to the respective channel of the phone which has the same service... this shows some lack of knowledge.

    A lot could be said.

    The famous video which shows how the work is done connects to the MAC of the sniffer and not of a phone... you hack with the sniffer but it does not show how all this is prepared in the first place.

    The blue|smash 2.0 application is completely broken and not ready to be on BackTrack 3.
    I modded it just to get it to start (it does not work at all!) and then later the db. files are all messed up. I have given up because I lacked the time.

    It should not have been inserted if not ready.

    BlueSmash 1.0 was better and worked OK, but it cannot hack anything unless there is proper information on what to do exactly.

    There is the software "BlueDiving" which is written in Perl and I recommend everybody to look at it... I fear there is a conflict between BlueSmash and BlueDiving because they do the same thing, only to find out that the Perl is antagonizing a Python script... who wrote it first I am unsure.

    I am sorry for the harsh words. I believe this thread needs a lot more contribution and it is obvious that a lot of readers are discouraged due to the lack of proper information. I will try to create a proper tutorial when I manage to do so.

    PS. I have the experience of having an Internet modding work with hundreds of thousands of downloads (later I may reveal myself). I believe in proper information and the proper handling of its readers.

    So for the sake of this community, we have to give a proper tutorial in this matter and not XXXXX.

  10. #120
    Just burned his ISO
    Join Date: Jun 2008
    Posts: 14

    Well, you seem to make sense, since the whole Bluetooth coverage really isn't "proper" and introduced here so much, although you do come off a little harsh, since Dr Green has done a great amount of contribution to this matter and is willing to help those who need help. But yes, I do agree there should be revisions to make a more "complete" tutorial. I admit I was a little discouraged since I had so many questions about this matter. But then again, questions lead to interest (for me at least), so I have done a good amount of research in the past few days but still have questions, so your tutorial would be more than welcome.

    PS: you mentioned there were "lots" of threads on this; however, I really don't believe this is true. But there is a guide on how to upgrade your firmware which comes with the Frontline ComProbe pack (even though it doesn't mention you need a compatible EXT dongle, but that's beside the point). My point is that we do need a tutorial where Bluetooth is covered in good detail all in one thread/site, which was the concept of Dr Green's tutorial. But again, more does need to be added, and don't get me wrong, it's obvious Dr Green has a vast amount of knowledge in Bluetooth, but writing a "complete" tutorial isn't the easiest thing to do.
