[Hackrf-dev] State of bluetooth sniffing

Richard Smith smithbone at gmail.com
Mon Oct 5 13:51:28 EDT 2015


On 10/05/2015 11:00 AM, Michael Ossmann wrote:
> On Mon, Oct 05, 2015 at 07:48:32AM -0400, Richard Smith wrote:
>>
>> Based on the DEF CON 17 "Bluetooth Smells like Chicken" video I have
>> watched, with Dominic Spill, Michael Ossmann, and Mark Steward, all of
>> this seemed possible with the USRP.
>>
>> Has similar stuff been done with the hackrf one?
>>
>> Is there anyone here actively using hackrf one to sniff BT packets or
>> to follow a device's hopping pattern?
>
> Most of our Bluetooth monitoring efforts have shifted from SDR to
> Ubertooth in recent years, but it should be possible to run gr-bluetooth
> with HackRF One.  The aliasing trick for all-channel monitoring doesn't
> work on HackRF One, however.  (Actually it partially works, but you can
> capture a maximum of about 31 channels that way, so you would still need
> multiple devices to capture all 79 channels.)

> Hopping along with Bluetooth connections by tuning the radio hardware
> has never been implemented in gr-bluetooth.  We implemented it for
> Ubertooth, but it has not been as reliable as we hoped, so the benefit
> of porting that function to HackRF One would be limited.

Thanks. Heh.. Funny.  That's exactly backwards from my conclusion from all
the info I reviewed.  I assumed HackRF One to be the successor to
Ubertooth, capable of all that and more.

It's not clear to me what the existing state of things is on Ubertooth.
Is there some sort of document that covers what you can and can't do
with Ubertooth?  I know it can't decode EDR packets, which is one of the
reasons I was looking for an alternative.

> EDR decoding is possible with SDR, but it has not been implemented in
> gr-bluetooth.  Every EDR packet starts with a Basic Rate header, so
> you'll get the header but not the payload.
>
> If capturing headers on a subset of Bluetooth channels is okay for you,
> then HackRF One with gr-bluetooth could be a good solution.  If you need
> to capture and decode every packet on every channel, I suggest looking
> elsewhere.

Ok.  Sounds like it may not be the tool for looking at some of our
connectivity issues, where I'd like to try and see what's happening when
the devices pair and when they reconnect.  Guess I'll have to opt for the
mucho $$ options. :(

But I'm also looking for something that can report the general signal
strength of the BT packets, something with which I can evaluate the
difference that orientation, proximity to the body, and the industrial
design make on the radiated signal.

Sounds like the HackRF or the Ubertooth devices might be able to assist 
there.  Is there any sort of BER metric in either of those setups?

Also is Wundertooth the new Ubertooth as claimed below?

http://store.ryscc.com/products/wundertooth

There is mention of using it as a 2.4 GHz spectrum analyzer.  Where can I
find more info on that?

Thanks for your time and I'm enjoying your SDR tutorials.

-- 
Richard A. Smith
