Raspberry - Bluetooth
Alasta 31 October 2016 raspberry cli shell bluetooth
Description: Here are a few Linux commands for playing with the Bluetooth module.
Context:
The commands are run on a Raspberry Pi 2 with a Bluetooth dongle, on the Raspbian distribution.
Commands:
Finding your BT interface
$ hciconfig -a
hci0: Type: BR/EDR Bus: USB
BD Address: 00:1A:7D:DA:71:02 ACL MTU: 310:10 SCO MTU: 64:8
UP RUNNING
RX bytes:628 acl:0 sco:0 events:39 errors:0
TX bytes:1472 acl:0 sco:0 commands:39 errors:0
Features: 0xff 0xff 0x8f 0xfe 0xdb 0xff 0x5b 0x87
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH HOLD SNIFF PARK
Link mode: SLAVE ACCEPT
Name: 'rip'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Version: 4.0 (0x6) Revision: 0x22bb
LMP Version: 4.0 (0x6) Subversion: 0x22bb
Manufacturer: Cambridge Silicon Radio (10)
or
$ rfkill list
0: hci0: Bluetooth
Soft blocked: no
Hard blocked: no
Note:
Installed via: apt-get install rfkill
or
$ hcitool dev
Devices:
hci0 00:1A:7D:DA:71:02
or
$ bluetoothctl
[NEW] Controller 00:1A:7D:DA:71:02 rip [default]
[bluetooth]# list
Controller 00:1A:7D:DA:71:02 rip [default]
[bluetooth]# show
Controller 00:1A:7D:DA:71:02
Name: rip
Alias: rip
Class: 0x000000
Powered: yes
Discoverable: no
Pairable: yes
UUID: PnP Information (00001200-0000-1000-8000-00805f9b34fb)
UUID: Generic Access Profile (00001800-0000-1000-8000-00805f9b34fb)
UUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
UUID: A/V Remote Control (0000110e-0000-1000-8000-00805f9b34fb)
UUID: A/V Remote Control Target (0000110c-0000-1000-8000-00805f9b34fb)
Modalias: usb:v1D6Bp0246d0517
Discovering: no
[bluetooth]#
Note:
Other information is available via:
- hciconfig hci0 version
- hciconfig hci0 revision
- hciconfig hci0 class
- hciconfig hci0 features
- hciconfig hci0 sspmode
- hciconfig hci0 name
BT scan
BT
$ hcitool scan
Scanning ...
84:74:2A:C8:32:EA Mon Dallas
B0:E2:35:00:E5:FE 5m
# or
$ hcitool inq
Inquiring ...
84:74:2A:C8:32:EA clock offset: 0x1307 class: 0x5a0204
B0:E2:35:00:E5:FE clock offset: 0x11c9 class: 0x5a020c
BLE (Bluetooth Low Energy)
$ sudo hcitool lescan
LE Scan ...
76:7D:C5:71:5C:61 (unknown)
76:7D:C5:71:5C:61 (unknown)
76:7D:C5:71:5C:61 (unknown)
Information about a BT device
$ sudo hcitool info 14:10:30:22:15:A0
Requesting information ...
BD Address: 14:10:30:22:15:A0
Device Name: Bluedio
LMP Version: 4.0 (0x6) LMP Subversion: 0x21c8
Manufacturer: Cambridge Silicon Radio (10)
Features page 0: 0xff 0xff 0x8f 0xfe 0xdb 0xff 0x5b 0x87
<3-slot packets> <5-slot packets> <encryption> <slot offset>
<timing accuracy> <role switch> <hold mode> <sniff mode>
<park state> <RSSI> <channel quality> <SCO link> <HV2 packets>
<HV3 packets> <u-law log> <A-law log> <CVSD> <paging scheme>
<power control> <transparent SCO> <broadcast encrypt>
<EDR ACL 2 Mbps> <EDR ACL 3 Mbps> <enhanced iscan>
<interlaced iscan> <interlaced pscan> <inquiry with RSSI>
<extended SCO> <EV4 packets> <EV5 packets> <AFH cap. slave>
<AFH class. slave> <LE support> <3-slot EDR ACL>
<5-slot EDR ACL> <sniff subrating> <pause encryption>
<AFH cap. master> <AFH class. master> <EDR eSCO 2 Mbps>
<EDR eSCO 3 Mbps> <3-slot EDR eSCO> <extended inquiry>
<LE and BR/EDR> <simple pairing> <encapsulated PDU>
<non-flush flag> <LSTO> <inquiry TX power> <EPC>
<extended features>
Features page 1: 0x03 0x00 0x00 0x00 0x00 0x00 0x00 0x00
or
$ sdptool browse B0:E2:35:00:E6:A8
Browsing B0:E2:35:00:E6:A8 ...
Service RecHandle: 0x10000
Service Class ID List:
"Generic Attribute" (0x1801)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 31
"ATT" (0x0007)
uint16: 0x0001
uint16: 0x0005
Service RecHandle: 0x10001
Service Class ID List:
"Generic Access" (0x1800)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 31
"ATT" (0x0007)
uint16: 0x0014
uint16: 0x001c
Service Name: Headset Gateway
Service RecHandle: 0x10003
Service Class ID List:
"Headset Audio Gateway" (0x1112)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2
Profile Descriptor List:
"Headset" (0x1108)
Version: 0x0102
Service Name: Handsfree Gateway
Service RecHandle: 0x10004
Service Class ID List:
"Handsfree Audio Gateway" (0x111f)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Profile Descriptor List:
"Handsfree" (0x111e)
Version: 0x0106
Service Name: AV Remote Control Target
Service RecHandle: 0x10005
Service Class ID List:
"AV Remote Target" (0x110c)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 23
"AVCTP" (0x0017)
uint16: 0x0104
Profile Descriptor List:
"AV Remote" (0x110e)
Version: 0x0103
Service Name: Advanced Audio
Service RecHandle: 0x10006
Service Class ID List:
"Audio Source" (0x110a)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 25
"AVDTP" (0x0019)
uint16: 0x0102
Profile Descriptor List:
"Advanced Audio" (0x110d)
Version: 0x0102
Service RecHandle: 0x10007
Service Class ID List:
"AV Remote" (0x110e)
"AV Remote Controller" (0x110f)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 23
"AVCTP" (0x0017)
uint16: 0x0104
Profile Descriptor List:
"AV Remote" (0x110e)
Version: 0x0103
Service Name: Android Network Access Point
Service Description: NAP
Service RecHandle: 0x10008
Service Class ID List:
"Network Access Point" (0x1116)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 15
"BNEP" (0x000f)
Version: 0x0100
SEQ8: 0 6
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Network Access Point" (0x1116)
Version: 0x0100
Service Name: Android Network User
Service Description: PANU
Service RecHandle: 0x10009
Service Class ID List:
"PAN User" (0x1115)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 15
"BNEP" (0x000f)
Version: 0x0100
SEQ8: 0 6
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"PAN User" (0x1115)
Version: 0x0100
Service Name: SMS/MMS
Service RecHandle: 0x1000a
Service Class ID List:
"Message Access - MAS" (0x1132)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 4
"OBEX" (0x0008)
Profile Descriptor List:
"Message Access" (0x1134)
Version: 0x0102
Browsing B0:E2:35:00:E6:A8 ...
Service Search failed: Invalid argument
Service Name: SIM Access
Service RecHandle: 0x1000b
Service Class ID List:
"SIM Access" (0x112d)
"Generic Telephony" (0x1204)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 5
Profile Descriptor List:
"SIM Access" (0x112d)
Version: 0x0102
Service Name: OBEX Phonebook Access Server
Service RecHandle: 0x1000c
Service Class ID List:
"Phonebook Access - PSE" (0x112f)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 19
"OBEX" (0x0008)
Profile Descriptor List:
"Phonebook Access" (0x1130)
Version: 0x0101
Service Name: OBEX Object Push
Service RecHandle: 0x1000d
Service Class ID List:
"OBEX Object Push" (0x1105)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 6
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX Object Push" (0x1105)
Version: 0x0102
Browsing B0:E2:35:00:E6:A8 ...
Service Search failed: Invalid argument
Sniffer
$ sudo hcitool spinq
$ sudo hcidump
HCI sniffer - Bluetooth packet analyzer ver 5.23
device: hci0 snap_len: 1500 filter: 0xffffffff
> HCI Event: Extended Inquiry Result (0x2f) plen 255
bdaddr B0:E2:35:00:E6:A8 mode 1 clkoffset 0x11b9 class 0x5a020c rssi -55
> HCI Event: Extended Inquiry Result (0x2f) plen 255
bdaddr B0:E2:35:00:E6:A8 mode 1 clkoffset 0x11b9 class 0x5a020c rssi -65
> HCI Event: Extended Inquiry Result (0x2f) plen 255
bdaddr 84:74:2A:C8:32:EA mode 1 clkoffset 0x1300 class 0x5a0204 rssi -84
> HCI Event: Inquiry Complete (0x01) plen 1
status 0x00
> HCI Event: Inquiry Complete (0x01) plen 1
status 0x00
In RAW format
$ sudo hcidump --raw
HCI sniffer - Bluetooth packet analyzer ver 5.23
device: hci0 snap_len: 1500 filter: 0xffffffff
> 04 2F FF 01 FE E5 00 35 E2 B0 01 02 0C 02 5A B9 11 B5 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 04 2F FF 01 FE E5 00 35 E2 B0 01 02 0C 02 5A B9 11 BB 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 04 01 01 00
Information:
On the class
Get BT classify from the GitHub repository
$ ./btclassify.py 0x5a020c 0x5a0204
0x5a020c: Phone (Smartphone): Telephony, Object Transfer, Capturing, Networking
0x5a0204: Phone (Cellular): Telephony, Object Transfer, Capturing, Networking
This lets you decode the CoD (Class of Device).
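The raw dump in the Sniffer section and the CoD values that btclassify.py decodes both have a fixed layout, and the added example below parses them. It is not code from the original post nor from the btclassify project: it splits the text of `hcidump --raw` into packets, decodes the Extended Inquiry Result and Inquiry Complete events (H4 packet-type byte, event code, parameter length, then the parameters as laid out in the Bluetooth Core HCI specification), and splits the 24-bit CoD into major class, minor class and service bits as listed in the Bluetooth Assigned Numbers. The sample dump is constructed: it reuses the first packet header bytes from the dump above, padded with a zeroed 240-byte EIR block, followed by the Inquiry Complete event; the minor-class table only covers the Phone major class seen on this page.

```python
# Added example (not from the original post): parse `hcidump --raw` HCI events
# and decode the Class of Device bitfield the way btclassify.py prints it.
import struct

HCI_EVENT_PKT = 0x04                 # H4 packet type byte for an HCI event
EVT_INQUIRY_COMPLETE = 0x01
EVT_EXTENDED_INQUIRY_RESULT = 0x2F

# CoD layout (Bluetooth Assigned Numbers): bits 2-7 minor device class,
# bits 8-12 major device class, bits 13-23 major service classes.
MAJOR_SERVICE_BITS = {
    23: "Information", 22: "Telephony", 21: "Audio", 20: "Object Transfer",
    19: "Capturing", 18: "Rendering", 17: "Networking", 16: "Positioning",
    13: "Limited Discoverable Mode",
}
MAJOR_DEVICE_CLASSES = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network Access Point", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}
PHONE_MINOR_CLASSES = {  # only the Phone major class is tabled here
    0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
    4: "Wired modem or voice gateway", 5: "Common ISDN access",
}
EIR_TYPES = {0x08: "Shortened Local Name", 0x09: "Complete Local Name",
             0x0A: "Tx Power Level"}


def decode_cod(cod):
    """Split a 24-bit CoD into major class, minor class and service flags."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    # Services listed from the highest bit down, the order btclassify.py prints.
    services = [name for bit, name in sorted(MAJOR_SERVICE_BITS.items(),
                                             reverse=True) if cod & (1 << bit)]
    major_name = MAJOR_DEVICE_CLASSES.get(major, "Reserved (0x%02x)" % major)
    if major == 0x02:
        minor_name = PHONE_MINOR_CLASSES.get(minor, "Reserved (0x%02x)" % minor)
    else:
        minor_name = "minor 0x%02x" % minor
    return {"major": major_name, "minor": minor_name, "services": services}


def format_cod(cod):
    d = decode_cod(cod)
    return "0x%06x: %s (%s): %s" % (cod, d["major"], d["minor"],
                                    ", ".join(d["services"]) or "none")


def parse_eir(data):
    """EIR is a run of (length, AD type, payload) structures; length 0 ends it."""
    out, i = {}, 0
    while i + 1 < len(data) and data[i] != 0:
        length, ad_type = data[i], data[i + 1]
        payload = data[i + 2:i + 1 + length]
        key = EIR_TYPES.get(ad_type, "AD type 0x%02x" % ad_type)
        out[key] = (payload.decode("utf-8", "replace")
                    if ad_type in (0x08, 0x09) else payload.hex())
        i += 1 + length
    return out


def parse_hci_event(pkt):
    """Decode one HCI event packet (bytes, H4 framing) into a dict."""
    if len(pkt) < 3 or pkt[0] != HCI_EVENT_PKT:
        raise ValueError("not an HCI event packet")
    evt, plen, params = pkt[1], pkt[2], pkt[3:]
    if len(params) != plen:
        raise ValueError("expected %d parameter bytes, got %d" % (plen, len(params)))
    if evt == EVT_INQUIRY_COMPLETE:
        return {"event": "Inquiry Complete", "status": params[0]}
    if evt == EVT_EXTENDED_INQUIRY_RESULT:
        # Num_Responses(1) BD_ADDR(6, little-endian) PSRM(1) Reserved(1)
        # CoD(3, LE) Clock_Offset(2, LE) RSSI(1, signed) EIR(240)
        return {
            "event": "Extended Inquiry Result",
            "bdaddr": ":".join("%02X" % b for b in reversed(params[1:7])),
            "mode": params[7],
            "cod": int.from_bytes(params[9:12], "little"),
            "clkoffset": int.from_bytes(params[12:14], "little"),
            "rssi": struct.unpack("b", params[14:15])[0],
            "eir": parse_eir(params[15:]),
        }
    return {"event": "0x%02x" % evt, "params": params.hex()}


def packets_from_raw_dump(text):
    """Split `hcidump --raw` text into packets: a line starting with '>' (received)
    or '<' (sent) opens a packet, following lines continue it, and the banner
    lines before the first packet are skipped."""
    packets, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line[:1] in ("<", ">"):
            if current is not None:
                packets.append(bytes(current))
            current, line = [], line[1:]
        if current is None or not line.strip():
            continue
        current.extend(int(tok, 16) for tok in line.split())
    if current is not None:
        packets.append(bytes(current))
    return packets


# Constructed sample: first packet header from the page's dump, then a zeroed
# 240-byte EIR block (11 lines of 20 bytes + 18 bytes), then Inquiry Complete.
_ZERO_LINE = " ".join(["00"] * 20)
SAMPLE_DUMP = "\n".join(
    ["HCI sniffer - Bluetooth packet analyzer ver 5.23",
     "device: hci0 snap_len: 1500 filter: 0xffffffff",
     "> 04 2F FF 01 FE E5 00 35 E2 B0 01 02 0C 02 5A B9 11 B5 00 00"]
    + [_ZERO_LINE] * 11 + [" ".join(["00"] * 18), "> 04 01 01 00"])

if __name__ == "__main__":
    for pkt in packets_from_raw_dump(SAMPLE_DUMP):
        ev = parse_hci_event(pkt)
        print(ev)
        if "cod" in ev:
            print("  ", format_cod(ev["cod"]))
```

Run it on a saved `hcidump --raw` capture to get, per inquiry response, the address, page scan mode, CoD, clock offset and RSSI that hcidump's parsed mode prints, plus the decoded service bits. From the defender's side this is exactly what a discoverable phone hands to any inquiry in range: the Object Transfer, Networking and Telephony bits tell you which profiles it advertises, so it is a quick way to check that your own devices are not left discoverable with more services exposed than intended.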
Tools
BTScanner
$ sudo btscanner
i
┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│Time Address Clk off Class Name │
│2016/11/01 20:53:42 B0:E2:35:00:E6:A8 0x11b5 0x5a020c 5m │
│2016/11/01 20:53:41 84:74:2A:C8:32:EA 0x12fd 0x5a0204 Mon Dallas │
│ │
│ │
│ │
│ │
│ │
│ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│Found device 84:74:2A:C8:32:EA │
│Found device B0:E2:35:00:E6:A8 │
│Found device 84:74:2A:C8:32:EA │
│Found device B0:E2:35:00:E6:A8 │
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Note:
Installed via sudo apt-get install btscanner.
For information on a BT device, just select it and press Enter.
┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│RSSI: +0 LQ: 000 TXPWR: Cur +0 │
│Address: 84:74:2A:C8:32:EA │
│Found by: 00:1A:7D:DA:71:02 │
│OUI owner: │
│First seen: 2016/11/01 20:51:31 │
│Last seen: 2016/11/01 20:54:02 │
│Name: Mon Dallas │
│Vulnerable to: │
│Clk off: 0x12fd │
│Class: 0x5a0204 │
│ Phone/Mobile │
│Services: Networking,Capturing,Object Transfer,Telephony │
│ │
│HCI Version │
│----------- │
│LMP Version: 3.0 (0x5) LMP Subversion: 0x0 │
│Manufacturer: MediaTek, Inc. (70) │
│ │
│HCI Features │
│------------ │
│Features: 0xff 0xff 0x8d 0xfe │
│ <3-slot packets> <5-slot packets> <encryption> <slot offset> │
│ <timing accuracy> <role switch> <hold mode> <sniff mode> <park state> │
│ <RSSI> <channel quality> <SCO link> <HV2 packets> <HV3 packets> │
│ <u-law log> <A-law log> <CVSD> <power control> <transparent SCO> │
│ <broadcast encrypt> <EDR ACL 2 Mbps> <EDR ACL 3 Mbps> │
│ <enhanced iscan> <interlaced iscan> <interlaced pscan> │
│ <inquiry with RSSI> <extended SCO> <EV4 packets> <EV5 packets> │
│ <AFH cap. slave> <AFH class. slave> <3-slot EDR ACL> <5-slot EDR ACL> │
│ <sniff subrating> <pause encryption> <AFH cap. master> │
│ <AFH class. master> <extended inquiry> <simple pairing> │
│ <encapsulated PDU> <err. data report> <non-flush flag> │
│ <extended features> │
│ │
│ │
│ │
│ │
│ │
│ │
│ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│Found device B0:E2:35:00:E6:A8 │
│aborting scan │
│aborted │
│keys: h=help, i=inquiry scan, b=brute force scan, a=abort scan, s=save summary, o=select sort, enter=select, Q=quit │
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Bluelog
$ bluelog -v -nmcf
Bluelog (v1.1.3-dev) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2016-11-01-2104.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [11/01/16 21:04:56] on 00:1A:7D:DA:71:02
Hit Ctrl+C to end scan.
[11/01/16 21:05:00] B0:E2:35:00:E6:A8,5m,0x5a020c
[11/01/16 21:05:10] 84:74:2A:C8:32:EA,Mon Dallas,0x5a0204
^C
Closing files and freeing memory...Done!
Displaying the scan result
$ cat bluelog-2016-11-01-2104.log
B0:E2:35:00:E6:A8,0x5a020c,Xiaomi Communications Co Ltd,5m
84:74:2A:C8:32:EA,0x5a0204,zte corporation,Mon Dallas
l2ping
Connectivity test
$ sudo l2ping B0:E2:35:00:E6:A8
Ping: B0:E2:35:00:E6:A8 from 00:1A:7D:DA:71:02 (data size 44) ...
44 bytes from B0:E2:35:00:E6:A8 id 0 time 24.80ms
44 bytes from B0:E2:35:00:E6:A8 id 1 time 14.94ms
44 bytes from B0:E2:35:00:E6:A8 id 2 time 27.59ms
^C3 sent, 3 received, 0% loss
BT address spoofing
Installation
$ sudo apt-get install libbluetooth-dev libncurses5-dev
$ wget http://downloads.sourceforge.net/project/spooftooph/spooftooph-0.5.2/spooftooph-0.5.2.tar.gz
$ tar xzvf spooftooph-0.5.2.tar.gz
$ cd spooftooph/
$ make
$ sudo make install
$ sudo make clean
Usage: changing the address and/or the name
$ sudo spooftooph -i hci0 -a 11:22:33:44:55:66 -n TyTy
Manufacturer: Cambridge Silicon Radio (10)
Device address: 00:1A:7D:DA:71:02
New BD address: 11:22:33:44:55:66
Address changed
Note: as far as I recall, not all BT adapters allow the BT address to be changed.
Cambridge Silicon Radio chips do.
Verification
$ sudo hciconfig info
hci0: Type: BR/EDR Bus: USB
BD Address: 11:22:33:44:55:66 ACL MTU: 310:10 SCO MTU: 64:8
UP RUNNING
RX bytes:616 acl:0 sco:0 events:37 errors:0
TX bytes:1193 acl:0 sco:0 commands:37 errors:0
Note: the name change does not survive a reboot. To keep it, you have to change the RPI hostname and restart the BT service.