Context:

The commands below are run on a Raspberry Pi 2 fitted with a USB Bluetooth dongle, under the Raspbian distribution.

Commands:

Find your BT interface

$ hciconfig -a
hci0:   Type: BR/EDR  Bus: USB
        BD Address: 00:1A:7D:DA:71:02  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING
        RX bytes:628 acl:0 sco:0 events:39 errors:0
        TX bytes:1472 acl:0 sco:0 commands:39 errors:0
        Features: 0xff 0xff 0x8f 0xfe 0xdb 0xff 0x5b 0x87
        Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
        Link policy: RSWITCH HOLD SNIFF PARK
        Link mode: SLAVE ACCEPT
        Name: 'rip'
        Class: 0x000000
        Service Classes: Unspecified
        Device Class: Miscellaneous,
        HCI Version: 4.0 (0x6)  Revision: 0x22bb
        LMP Version: 4.0 (0x6)  Subversion: 0x22bb
        Manufacturer: Cambridge Silicon Radio (10)

or

$ rfkill list
0: hci0: Bluetooth
        Soft blocked: no
        Hard blocked: no

Note:
Install with: apt-get install rfkill

or

$ hcitool dev
Devices:
        hci0    00:1A:7D:DA:71:02

or

$ bluetoothctl
[NEW] Controller 00:1A:7D:DA:71:02 rip [default]
[bluetooth]# list
Controller 00:1A:7D:DA:71:02 rip [default]
[bluetooth]# show
Controller 00:1A:7D:DA:71:02
        Name: rip
        Alias: rip
        Class: 0x000000
        Powered: yes
        Discoverable: no
        Pairable: yes
        UUID: PnP Information           (00001200-0000-1000-8000-00805f9b34fb)
        UUID: Generic Access Profile    (00001800-0000-1000-8000-00805f9b34fb)
        UUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
        UUID: A/V Remote Control        (0000110e-0000-1000-8000-00805f9b34fb)
        UUID: A/V Remote Control Target (0000110c-0000-1000-8000-00805f9b34fb)
        Modalias: usb:v1D6Bp0246d0517
        Discovering: no
[bluetooth]#

Note:
"Pairable: yes" in the output above means the Pi's own controller will accept incoming pairing requests; when the dongle is only used for scanning, switch that off with the pairable off command in bluetoothctl.

More details are available via:

  • hciconfig hci0 version
  • hciconfig hci0 revision
  • hciconfig hci0 class
  • hciconfig hci0 features
  • hciconfig hci0 sspmode
  • hciconfig hci0 name

BT scan

BT (BR/EDR, i.e. classic Bluetooth)

$ hcitool scan
Scanning ...
        84:74:2A:C8:32:EA       Mon Dallas
        B0:E2:35:00:E5:FE       5m

# or

$ hcitool inq
Inquiring ...
        84:74:2A:C8:32:EA       clock offset: 0x1307    class: 0x5a0204
        B0:E2:35:00:E5:FE       clock offset: 0x11c9    class: 0x5a020c

BLE (Bluetooth Low Energy)

$ sudo hcitool lescan
LE Scan ...

76:7D:C5:71:5C:61 (unknown)
76:7D:C5:71:5C:61 (unknown)
76:7D:C5:71:5C:61 (unknown)

Note:
"(unknown)" means the advertising data carried no device name. hcitool lescan does not print the address type; if 76:7D:C5:71:5C:61 is a random address, the top two bits of its first byte (0x76 = 01...) make it a resolvable private address, which the device rotates periodically, so do not expect it to stay the same from one scan to the next.

Information about a BT device

$ sudo hcitool info 14:10:30:22:15:A0
Requesting information ...
        BD Address:  14:10:30:22:15:A0
        Device Name: Bluedio
        LMP Version: 4.0 (0x6) LMP Subversion: 0x21c8
        Manufacturer: Cambridge Silicon Radio (10)
        Features page 0: 0xff 0xff 0x8f 0xfe 0xdb 0xff 0x5b 0x87
                <3-slot packets> <5-slot packets> <encryption> <slot offset>
                <timing accuracy> <role switch> <hold mode> <sniff mode>
                <park state> <RSSI> <channel quality> <SCO link> <HV2 packets>
                <HV3 packets> <u-law log> <A-law log> <CVSD> <paging scheme>
                <power control> <transparent SCO> <broadcast encrypt>
                <EDR ACL 2 Mbps> <EDR ACL 3 Mbps> <enhanced iscan>
                <interlaced iscan> <interlaced pscan> <inquiry with RSSI>
                <extended SCO> <EV4 packets> <EV5 packets> <AFH cap. slave>
                <AFH class. slave> <LE support> <3-slot EDR ACL>
                <5-slot EDR ACL> <sniff subrating> <pause encryption>
                <AFH cap. master> <AFH class. master> <EDR eSCO 2 Mbps>
                <EDR eSCO 3 Mbps> <3-slot EDR eSCO> <extended inquiry>
                <LE and BR/EDR> <simple pairing> <encapsulated PDU>
                <non-flush flag> <LSTO> <inquiry TX power> <EPC>
                <extended features>
        Features page 1: 0x03 0x00 0x00 0x00 0x00 0x00 0x00 0x00

or

$ sdptool browse B0:E2:35:00:E6:A8
Browsing B0:E2:35:00:E6:A8 ...
Service RecHandle: 0x10000
Service Class ID List:
  "Generic Attribute" (0x1801)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 31
  "ATT" (0x0007)
    uint16: 0x0001
    uint16: 0x0005

Service RecHandle: 0x10001
Service Class ID List:
  "Generic Access" (0x1800)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 31
  "ATT" (0x0007)
    uint16: 0x0014
    uint16: 0x001c

Service Name: Headset Gateway
Service RecHandle: 0x10003
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Profile Descriptor List:
  "Headset" (0x1108)
    Version: 0x0102

Service Name: Handsfree Gateway
Service RecHandle: 0x10004
Service Class ID List:
  "Handsfree Audio Gateway" (0x111f)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3
Profile Descriptor List:
  "Handsfree" (0x111e)
    Version: 0x0106

Service Name: AV Remote Control Target
Service RecHandle: 0x10005
Service Class ID List:
  "AV Remote Target" (0x110c)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 23
  "AVCTP" (0x0017)
    uint16: 0x0104
Profile Descriptor List:
  "AV Remote" (0x110e)
    Version: 0x0103

Service Name: Advanced Audio
Service RecHandle: 0x10006
Service Class ID List:
  "Audio Source" (0x110a)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 25
  "AVDTP" (0x0019)
    uint16: 0x0102
Profile Descriptor List:
  "Advanced Audio" (0x110d)
    Version: 0x0102

Service RecHandle: 0x10007
Service Class ID List:
  "AV Remote" (0x110e)
  "AV Remote Controller" (0x110f)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 23
  "AVCTP" (0x0017)
    uint16: 0x0104
Profile Descriptor List:
  "AV Remote" (0x110e)
    Version: 0x0103

Service Name: Android Network Access Point
Service Description: NAP
Service RecHandle: 0x10008
Service Class ID List:
  "Network Access Point" (0x1116)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 15
  "BNEP" (0x000f)
    Version: 0x0100
    SEQ8: 0 6
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "Network Access Point" (0x1116)
    Version: 0x0100

Service Name: Android Network User
Service Description: PANU
Service RecHandle: 0x10009
Service Class ID List:
  "PAN User" (0x1115)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 15
  "BNEP" (0x000f)
    Version: 0x0100
    SEQ8: 0 6
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "PAN User" (0x1115)
    Version: 0x0100

Service Name: SMS/MMS
Service RecHandle: 0x1000a
Service Class ID List:
  "Message Access - MAS" (0x1132)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 4
  "OBEX" (0x0008)
Profile Descriptor List:
  "Message Access" (0x1134)
    Version: 0x0102

Browsing B0:E2:35:00:E6:A8 ...
Service Search failed: Invalid argument
Service Name: SIM Access
Service RecHandle: 0x1000b
Service Class ID List:
  "SIM Access" (0x112d)
  "Generic Telephony" (0x1204)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 5
Profile Descriptor List:
  "SIM Access" (0x112d)
    Version: 0x0102

Service Name: OBEX Phonebook Access Server
Service RecHandle: 0x1000c
Service Class ID List:
  "Phonebook Access - PSE" (0x112f)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 19
  "OBEX" (0x0008)
Profile Descriptor List:
  "Phonebook Access" (0x1130)
    Version: 0x0101

Service Name: OBEX Object Push
Service RecHandle: 0x1000d
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 6
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0102

Browsing B0:E2:35:00:E6:A8 ...
Service Search failed: Invalid argument
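The SDP records above are the phone's attack surface: each one names a profile and the RFCOMM channel or L2CAP PSM it is reachable on (here SIM Access, Message Access, Phonebook Access and OBEX Object Push over RFCOMM, and a PAN access point over BNEP). The parser below is an added example, not BlueZ code and not part of the original page: it reads the text format sdptool prints and reduces every record to that endpoint. It runs on an excerpt of the output above, including the "Service Search failed" line that interrupts the listing.

```python
"""Turn `sdptool browse` output into an inventory of exposed services.

Added example, not BlueZ code: it parses the record format printed above and
reduces each record to the endpoint a client would connect to, an RFCOMM
channel (SAP, MAP, PBAP, OPP, HFP...) or an L2CAP PSM (BNEP/PAN, AVDTP, ATT).
"""
import re

# Excerpt of the page's sdptool output, with the "Service Search failed"
# interruption that appears mid-listing kept in.
SAMPLE = """\
Browsing B0:E2:35:00:E6:A8 ...
Service Name: Headset Gateway
Service RecHandle: 0x10003
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2

Service Name: Android Network Access Point
Service Description: NAP
Service RecHandle: 0x10008
Service Class ID List:
  "Network Access Point" (0x1116)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 15
  "BNEP" (0x000f)
    Version: 0x0100
    SEQ8: 0 6

Browsing B0:E2:35:00:E6:A8 ...
Service Search failed: Invalid argument
Service Name: SIM Access
Service RecHandle: 0x1000b
Service Class ID List:
  "SIM Access" (0x112d)
  "Generic Telephony" (0x1204)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 5
"""

HEADER_KEYS = {"Service Name": "name", "Service Description": "description",
               "Service RecHandle": "handle"}
RE_HEADER = re.compile(r"^(Service Name|Service Description|Service RecHandle):\s*(.*)$")
RE_SECTION = re.compile(r"^([A-Za-z][A-Za-z ]*List):$")
RE_UUID = re.compile(r'^\s+"([^"]*)"\s+\((0x[0-9a-fA-F]+)\)$')
RE_PARAM = re.compile(r"^\s+(Channel|PSM|Version):\s*(\S+)$")


def parse_sdp_browse(text):
    """One dict per SDP record; a blank line closes a record. Lines matching
    nothing (the 'Browsing' banner, 'Service Search failed', uint16/SEQ8
    attributes, language base entries) are ignored."""
    records, rec, section = [], None, None
    for line in text.splitlines():
        if not line.strip():
            if rec:
                records.append(rec)
            rec, section = None, None
            continue
        m = RE_HEADER.match(line)
        if m:
            if rec is None:
                rec = {"name": None, "description": None, "handle": None, "sections": {}}
            rec[HEADER_KEYS[m.group(1)]] = m.group(2).strip()
            continue
        m = RE_SECTION.match(line)
        if m and rec is not None:
            section = m.group(1)
            rec["sections"].setdefault(section, [])
            continue
        m = RE_UUID.match(line)
        if m and section is not None:
            rec["sections"][section].append(
                {"name": m.group(1), "uuid": int(m.group(2), 16), "params": {}})
            continue
        m = RE_PARAM.match(line)
        if m and section is not None and rec["sections"][section]:
            rec["sections"][section][-1]["params"][m.group(1)] = m.group(2)
    if rec:
        records.append(rec)
    return records


def attack_surface(records):
    """(label, transport, port) per record: the RFCOMM channel when the protocol
    stack has one, otherwise the L2CAP PSM (None when neither is listed)."""
    out = []
    for rec in records:
        classes = rec["sections"].get("Service Class ID List", [])
        label = rec["name"] or (classes[0]["name"] if classes else rec["handle"])
        transport, port = None, None
        for proto in rec["sections"].get("Protocol Descriptor List", []):
            if proto["name"] == "RFCOMM" and "Channel" in proto["params"]:
                transport, port = "RFCOMM", int(proto["params"]["Channel"])
                break
            if proto["name"] == "L2CAP" and "PSM" in proto["params"]:
                transport, port = "L2CAP", int(proto["params"]["PSM"])
        out.append((label, transport, port))
    return out


if __name__ == "__main__":
    for label, transport, port in attack_surface(parse_sdp_browse(SAMPLE)):
        print("%-30s %-6s %s" % (label, transport, port))
```

Run against the full listing, the same code gives the complete table of channels and PSMs; the RFCOMM entries (channels 2 to 6 and 19 above) are the ones worth a second look, since SIM Access, Message Access and Phonebook Access hand out SIM, SMS and contact data to whatever the phone lets connect there.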

Sniffer

$ sudo hcitool spinq

$ sudo hcidump
HCI sniffer - Bluetooth packet analyzer ver 5.23
device: hci0 snap_len: 1500 filter: 0xffffffff
> HCI Event: Extended Inquiry Result (0x2f) plen 255
    bdaddr B0:E2:35:00:E6:A8 mode 1 clkoffset 0x11b9 class 0x5a020c rssi -55
> HCI Event: Extended Inquiry Result (0x2f) plen 255
    bdaddr B0:E2:35:00:E6:A8 mode 1 clkoffset 0x11b9 class 0x5a020c rssi -65
> HCI Event: Extended Inquiry Result (0x2f) plen 255
    bdaddr 84:74:2A:C8:32:EA mode 1 clkoffset 0x1300 class 0x5a0204 rssi -84
> HCI Event: Inquiry Complete (0x01) plen 1
    status 0x00
> HCI Event: Inquiry Complete (0x01) plen 1
    status 0x00

Note:
hcitool spinq starts a periodic inquiry that keeps running in the background (stop it with hcitool epinq); hcidump then shows the inquiry result events as the controller reports them, including the RSSI of each response. Recent BlueZ releases ship btmon in place of hcidump.

Raw format

$ sudo hcidump --raw
HCI sniffer - Bluetooth packet analyzer ver 5.23
device: hci0 snap_len: 1500 filter: 0xffffffff
> 04 2F FF 01 FE E5 00 35 E2 B0 01 02 0C 02 5A B9 11 B5 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 04 2F FF 01 FE E5 00 35 E2 B0 01 02 0C 02 5A B9 11 BB 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 04 01 01 00
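To show what those raw bytes contain, here is an added example (not BlueZ code and not from the original page) that decodes hcidump --raw output by hand: it regroups the continuation lines into packets, then walks the Extended Inquiry Result (0x2F) and Inquiry Complete (0x01) events field by field as the Core specification lays them out. The dump it runs on is constructed from the first and last packets above, with the 240 zero bytes of EIR shortened and one constructed EIR record (a Complete Local Name of "5m") added so the EIR parser has something to find.

```python
"""Decode raw HCI event packets from `hcidump --raw` by hand.

Added example, not BlueZ code. Byte layout: H4 packet type 0x04 = HCI event,
then event code and parameter length, then the event parameters as defined
in the Bluetooth Core specification (Extended Inquiry Result, Inquiry Complete).
"""
import struct

HCI_EVENT_PKT = 0x04
EVT_INQUIRY_COMPLETE = 0x01
EVT_EXTENDED_INQUIRY_RESULT = 0x2F

# Constructed dump in the hcidump --raw layout: the first packet shown above
# with its EIR block shortened and one EIR record "Complete Local Name" = "5m"
# (03 09 35 6D) added, followed by the Inquiry Complete packet.
SAMPLE_DUMP = """\
HCI sniffer - Bluetooth packet analyzer ver 5.23
device: hci0 snap_len: 1500 filter: 0xffffffff
> 04 2F FF 01 FE E5 00 35 E2 B0 01 02 0C 02 5A B9 11 B5 03 09 35 6D
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 04 01 01 00
"""


def _is_hex_tokens(text):
    toks = text.split()
    return bool(toks) and all(
        len(t) == 2 and all(c in "0123456789abcdefABCDEF" for c in t) for t in toks)


def iter_raw_packets(dump_text):
    """Group hcidump --raw lines into packets. A line starting with '>' (from the
    controller) or '<' (to the controller) opens a packet, indented hex-only
    lines continue it, banner lines are skipped. Yields (direction, bytes)."""
    direction, buf = None, []
    for line in dump_text.splitlines():
        s = line.strip()
        if s[:1] in ("<", ">") and _is_hex_tokens(s[1:]):
            if buf:
                yield direction, bytes(int(t, 16) for t in " ".join(buf).split())
            direction, buf = s[0], [s[1:]]
        elif buf and _is_hex_tokens(s):
            buf.append(s)
    if buf:
        yield direction, bytes(int(t, 16) for t in " ".join(buf).split())


def fmt_bdaddr(six):
    """BD_ADDR is sent least-significant byte first; hcidump prints it reversed."""
    return ":".join("%02X" % b for b in reversed(six))


def parse_eir(eir):
    """Split EIR data into (type, value) records; a zero length ends the block."""
    out, i = [], 0
    while i < len(eir):
        length = eir[i]
        if length == 0:
            break
        out.append((eir[i + 1], bytes(eir[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def parse_hci_event(raw):
    """Decode one HCI event packet (packet-type byte included) into a dict."""
    if raw[0] != HCI_EVENT_PKT:
        raise ValueError("not an HCI event packet: 0x%02x" % raw[0])
    evt, plen = raw[1], raw[2]
    params = raw[3:3 + plen]          # the real dump pads the EIR with zeros to plen
    if evt == EVT_INQUIRY_COMPLETE:
        return {"event": "Inquiry Complete", "status": params[0]}
    if evt == EVT_EXTENDED_INQUIRY_RESULT:
        # Num_Responses(1) BD_ADDR(6) Page_Scan_Rep_Mode(1) Reserved(1)
        # Class_of_Device(3) Clock_Offset(2) RSSI(1, signed dBm) EIR(240)
        return {"event": "Extended Inquiry Result",
                "bdaddr": fmt_bdaddr(params[1:7]),
                "class": int.from_bytes(params[9:12], "little"),
                "clkoffset": struct.unpack_from("<H", params, 12)[0],
                "rssi": struct.unpack_from("<b", params, 14)[0],
                "eir": parse_eir(params[15:])}
    return {"event": "0x%02x" % evt, "params": bytes(params)}


def summarize(ev):
    """Render an event the way the hcidump summary lines above do."""
    if ev["event"] == "Extended Inquiry Result":
        names = [v.decode("utf-8", "replace") for t, v in ev["eir"] if t in (0x08, 0x09)]
        return "bdaddr %s class 0x%06x clkoffset 0x%04x rssi %d%s" % (
            ev["bdaddr"], ev["class"], ev["clkoffset"], ev["rssi"],
            " name '%s'" % names[0] if names else "")
    if ev["event"] == "Inquiry Complete":
        return "Inquiry Complete status 0x%02x" % ev["status"]
    return ev["event"]


def decode_dump(dump_text):
    """All controller-to-host events in a raw dump, decoded."""
    return [parse_hci_event(raw) for d, raw in iter_raw_packets(dump_text) if d == ">"]


if __name__ == "__main__":
    for ev in decode_dump(SAMPLE_DUMP):
        print(summarize(ev))
```

Read back this way, the raw packet's address bytes FE E5 00 35 E2 B0 give B0:E2:35:00:E5:FE, the address hcitool scan reported for "5m", and the RSSI byte B5 is -75 dBm: the raw capture above is a different run from the decoded one, whose responses came from B0:E2:35:00:E6:A8.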

Information:

On the class

Fetch btclassify from its GitHub repository

$ ./btclassify.py 0x5a020c 0x5a0204
0x5a020c: Phone (Smartphone): Telephony, Object Transfer, Capturing, Networking
0x5a0204: Phone (Cellular): Telephony, Object Transfer, Capturing, Networking

This decodes the CoD (Class of Device): the major service class bits (13-23), the major device class (bits 8-12) and the minor device class (bits 2-7).

Tools

BTScanner

$ sudo btscanner
i

┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
Time                 Address            Clk off  Class     Name
2016/11/01 20:53:42  B0:E2:35:00:E6:A8  0x11b5   0x5a020c  5m
2016/11/01 20:53:41  84:74:2A:C8:32:EA  0x12fd   0x5a0204  Mon Dallas








├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
Found device 84:74:2A:C8:32:EA
Found device B0:E2:35:00:E6:A8
Found device 84:74:2A:C8:32:EA
Found device B0:E2:35:00:E6:A8
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Note:
Install with sudo apt-get install btscanner. Once the interface is up, press i to start an inquiry scan (the full key list is shown at the bottom of the screen).

To get information about a BT device, select it and press Enter.

┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
RSSI:    +0   LQ:  000    TXPWR:  Cur   +0
Address:       84:74:2A:C8:32:EA
Found by:      00:1A:7D:DA:71:02
OUI owner:
First seen:    2016/11/01 20:51:31
Last seen:     2016/11/01 20:54:02
Name:          Mon Dallas
Vulnerable to:
Clk off:       0x12fd
Class:         0x5a0204
               Phone/Mobile
Services:      Networking,Capturing,Object Transfer,Telephony

HCI Version
-----------
LMP Version: 3.0 (0x5) LMP Subversion: 0x0
Manufacturer: MediaTek, Inc. (70)

HCI Features
------------
Features:     0xff 0xff 0x8d 0xfe
    <3-slot packets> <5-slot packets> <encryption> <slot offset>
    <timing accuracy> <role switch> <hold mode> <sniff mode> <park state>
    <RSSI> <channel quality> <SCO link> <HV2 packets> <HV3 packets>
    <u-law log> <A-law log> <CVSD> <power control> <transparent SCO>
    <broadcast encrypt> <EDR ACL 2 Mbps> <EDR ACL 3 Mbps>
    <enhanced iscan> <interlaced iscan> <interlaced pscan>
    <inquiry with RSSI> <extended SCO> <EV4 packets> <EV5 packets>
    <AFH cap. slave> <AFH class. slave> <3-slot EDR ACL> <5-slot EDR ACL>
    <sniff subrating> <pause encryption> <AFH cap. master>
    <AFH class. master> <extended inquiry> <simple pairing>
    <encapsulated PDU> <err. data report> <non-flush flag>
    <extended features>








├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
Found device B0:E2:35:00:E6:A8
aborting scan
aborted
keys: h=help, i=inquiry scan, b=brute force scan, a=abort scan, s=save summary, o=select sort, enter=select, Q=quit
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Bluelog

$ bluelog -v -nmcf
Bluelog (v1.1.3-dev) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2016-11-01-2104.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [11/01/16 21:04:56] on 00:1A:7D:DA:71:02
Hit Ctrl+C to end scan.
[11/01/16 21:05:00] B0:E2:35:00:E6:A8,5m,0x5a020c
[11/01/16 21:05:10] 84:74:2A:C8:32:EA,Mon Dallas,0x5a0204
^C
Closing files and freeing memory...Done!

Displaying the scan result

$ cat bluelog-2016-11-01-2104.log
B0:E2:35:00:E6:A8,0x5a020c,Xiaomi Communications Co Ltd,5m
84:74:2A:C8:32:EA,0x5a0204,zte corporation,Mon Dallas
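The class values that hcitool inq, btscanner and Bluelog report are the same 24-bit field that btclassify decodes in the "On the class" section above. The Python below is an added example, neither btclassify.py nor Bluelog's code: it decodes that field from its bit layout (major service classes in bits 13-23, major device class in bits 8-12, minor device class in bits 2-7, format type in bits 0-1) and applies it to a Bluelog file in the address,class,OUI owner,name layout shown just above. The two log lines are the page's devices, reconstructed inline; the minor-class tables cover the Computer, Phone and Audio/Video majors only.

```python
"""Decode a Bluetooth Class of Device (CoD) and apply it to a Bluelog file.

Added example, not the page's btclassify.py nor Bluelog's own code. Bit layout
from the Bluetooth Assigned Numbers (Baseband): bits 0-1 format type (must be
00), bits 2-7 minor device class, bits 8-12 major device class, bits 13-23
major service classes.
"""

MAJOR_SERVICE_BITS = {
    13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
    22: "Telephony", 23: "Information",
}

MAJOR_DEVICE = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
    4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy",
    9: "Health", 31: "Uncategorized",
}

# Minor classes depend on the major class. Only Computer, Phone and Audio/Video
# are tabled here; Peripheral and Imaging use a bit-field layout instead and
# fall through to the raw value.
MINOR_DEVICE = {
    1: {0: "Uncategorized", 1: "Desktop workstation", 2: "Server-class computer",
        3: "Laptop", 4: "Handheld PC/PDA", 5: "Palm-size PC/PDA",
        6: "Wearable computer", 7: "Tablet"},
    2: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
    4: {0: "Uncategorized", 1: "Wearable headset", 2: "Hands-free", 4: "Microphone",
        5: "Loudspeaker", 6: "Headphones", 7: "Portable audio", 8: "Car audio",
        9: "Set-top box", 10: "HiFi audio", 11: "VCR", 12: "Video camera",
        13: "Camcorder", 14: "Video monitor", 15: "Video display and loudspeaker",
        16: "Video conferencing", 18: "Gaming/Toy"},
}


def decode_cod(cod):
    """Return (major_device, minor_device, [service names]) for a 24-bit CoD.
    Services are listed from bit 23 down to bit 13, the order btclassify uses."""
    if cod < 0 or cod > 0xFFFFFF:
        raise ValueError("CoD is a 24-bit value: 0x%x" % cod)
    if cod & 0x3:
        raise ValueError("unsupported CoD format type %d (bits 0-1)" % (cod & 0x3))
    minor = (cod >> 2) & 0x3F
    major = (cod >> 8) & 0x1F
    services = [MAJOR_SERVICE_BITS.get(bit, "reserved bit %d" % bit)
                for bit in range(23, 12, -1) if cod & (1 << bit)]
    major_name = MAJOR_DEVICE.get(major, "Reserved (0x%02x)" % major)
    minor_name = MINOR_DEVICE.get(major, {}).get(minor, "0x%02x" % minor)
    return major_name, minor_name, services


def describe_cod(cod):
    """One-line summary in the same shape as the btclassify.py output above."""
    major, minor, services = decode_cod(cod)
    return "0x%06x: %s (%s): %s" % (cod, major, minor, ", ".join(services) or "none")


# Constructed sample in the layout Bluelog wrote above with -n -m -c:
# address,class,OUI owner,name. Same two devices as the page's log.
SAMPLE_LOG = """\
B0:E2:35:00:E6:A8,0x5a020c,Xiaomi Communications Co Ltd,5m
84:74:2A:C8:32:EA,0x5a0204,zte corporation,Mon Dallas
"""


def parse_bluelog(text):
    """Parse Bluelog lines into dicts with the CoD decoded.

    Assumes the field order seen above. Address and class never contain commas,
    so they are split off from the left; the name is taken as the last field so
    an OUI owner such as "MediaTek, Inc." survives intact."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        addr, cod_hex, rest = line.split(",", 2)
        vendor, _, name = rest.rpartition(",")
        cod = int(cod_hex, 16)
        major, minor, services = decode_cod(cod)
        rows.append({"addr": addr, "cod": cod, "vendor": vendor, "name": name,
                     "major": major, "minor": minor, "services": services})
    return rows


if __name__ == "__main__":
    for row in parse_bluelog(SAMPLE_LOG):
        print("%s  %-12s %s" % (row["addr"], row["name"], describe_cod(row["cod"])))
```

The Telephony, Object Transfer and Networking service bits on both phones are a first hint of the SDP records seen earlier (SAP/MAP/PBAP, OBEX Object Push, PAN); the class is self-declared by the device, so treat it as a hint to confirm with sdptool, not as ground truth.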

l2ping
Connectivity test

$ sudo l2ping B0:E2:35:00:E6:A8
Ping: B0:E2:35:00:E6:A8 from 00:1A:7D:DA:71:02 (data size 44) ...
44 bytes from B0:E2:35:00:E6:A8 id 0 time 24.80ms
44 bytes from B0:E2:35:00:E6:A8 id 1 time 14.94ms
44 bytes from B0:E2:35:00:E6:A8 id 2 time 27.59ms
^C3 sent, 3 received, 0% loss

Note:
l2ping sends L2CAP echo requests, which a device answers without pairing and even when it is not discoverable, so it is a quick way to check whether a known address is in range.

BT address spoofing

Installation

$ sudo apt-get install libbluetooth-dev libncurses5-dev

$ wget http://downloads.sourceforge.net/project/spooftooph/spooftooph-0.5.2/spooftooph-0.5.2.tar.gz

$ tar xzvf spooftooph-0.5.2.tar.gz
$ cd spooftooph/
$ make
$ sudo make install
$ sudo make clean

Usage: change the address and/or the name

$ sudo spooftooph -i hci0 -a 11:22:33:44:55:66 -n TyTy
Manufacturer:   Cambridge Silicon Radio (10)
Device address: 00:1A:7D:DA:71:02
New BD address: 11:22:33:44:55:66

Address changed

Note: from memory, not every BT adapter allows its BD address to be changed. Cambridge Silicon Radio chips do.

Verification

$ sudo hciconfig info
hci0:  Type: BR/EDR  Bus: USB
  BD Address: 11:22:33:44:55:66  ACL MTU: 310:10  SCO MTU: 64:8
  UP RUNNING
  RX bytes:616 acl:0 sco:0 events:37 errors:0
  TX bytes:1193 acl:0 sco:0 commands:37 errors:0

Note: the name change does not survive a reboot. To make it permanent, change the RPi's hostname and restart the BT service.