Bluetooth Basics and Analysis with Raspberry PI

The Raspberry PI already comes with a Bluetooth device. This is useful because you can do a lot with it. Since many Bluetooth device manufacturers want to make connecting as easy as possible for their users, you can start the analysis right away.

Objective

The aim of this tutorial is to learn some Bluetooth basics and to start with the Bluetooth analysis.

Precondition

You should already have read (and successfully carried out) the following tutorials.

Install needed and/or optional packages

Install (or make sure they are already installed) the following packages.

# update system (optional)
$ sudo apt update -y && sudo apt upgrade -y

# install packages (bluez is needed, bluez-hcidump is optional)
$ sudo apt install -y bluez bluez-hcidump

Some basics first

With bluez, some common tools are already available on the Raspberry PI, for example hcitool, bluetoothctl, sdptool and gatttool.

Controller

Some basic commands for the controller with bluetoothctl.

# verify Bluetooth service is enabled (optional)
$ sudo systemctl status bluetooth.service

# access Bluetooth control
$ sudo bluetoothctl

# show help (optional)
[bluetooth]# help

# power on the controller (optional)
[bluetooth]# power on

# list available controllers
[bluetooth]# list

# show all controller information
[bluetooth]# show

# show specific controller information
[bluetooth]# show [mac address]

# select default controller (optional)
[bluetooth]# select [mac address or alias]

# show environment variables (optional)
[bluetooth]# export

# exit bluetoothctl (same as quit command)
[bluetooth]# exit

Now with the hcitool.

# show help (optional)
$ hcitool --help

# display local devices
$ sudo hcitool dev

Scan for devices

Now for the interesting part: start analyzing which devices are around with bluetoothctl.

# enable agent
[bluetooth]# agent on

# set agent as the default one
[bluetooth]# default-agent

# start scan for devices
[bluetooth]# scan on

# stop scan for devices
[bluetooth]# scan off
  • [NEW] means a new device was found
  • [CHG] means a device property has changed
  • [DEL] means the device was removed from the list

Scan with the hcitool.

# scan for remote devices
$ sudo hcitool scan

# scan for remote devices (incl. information and oui)
$ sudo hcitool scan --info --oui

# start passive LE scan (default is active)
$ sudo hcitool lescan --passive

# start active LE scan (don't filter duplicates)
$ sudo hcitool lescan --duplicates

Analysis of Devices

While the scan is running (or shortly after it has stopped), you can try to get more information about the devices. You have to be fast!

# start scan for devices
[bluetooth]# scan on
...
[NEW] Device E8:38:80:7F:E3:D7 root
...

# show device information
[bluetooth]# info E8:38:80:7F:E3:D7
Device E8:38:80:7F:E3:D7 (public)
	Name: root
	Alias: root
	Class: 0x007a020c
	Icon: phone
	Paired: no
	Trusted: no
	Blocked: no
	Connected: no
	...

# stop scan for devices
[bluetooth]# scan off

Again with the hcitool.

# show specific device information
$ sudo hcitool info E8:38:80:7F:E3:D7
Requesting information ...
	BD Address:  E8:38:80:7F:E3:D7
	OUI Company: Apple, Inc. (E8-38-80)
	Device Name: root
	...

# show specific LE device information
$ sudo hcitool leinfo 4D:87:7A:55:2F:31
Requesting information ...
	Handle: 64 (0x0040)
	LMP Version: 4.2 (0x8) LMP Subversion: 0x35f4
	Manufacturer: Cambridge Silicon Radio (10)

Wow ... the information shown is really useful. With it you already know a lot about the device! Store this information and continue with your Bluetooth analysis.
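The Class value in the info output above (0x007a020c) is where the Icon: phone line comes from, and it can be decoded by hand. The script below is an added example, not part of the original tutorial: it splits a Class of Device value into its minor device class, major device class and major service class flags using the bit layout from the Bluetooth assigned numbers. Only the Phone minor-class table is spelled out; the script name cod.sh is a made-up name for the file you save it as.

```shell
#!/bin/sh
# Added example: decode a Bluetooth Class of Device (CoD) value such as the
# "Class: 0x007a020c" line printed by "bluetoothctl info".
# Bit layout (Bluetooth Assigned Numbers, Baseband section):
#   bits 0-1   format type (always 00)
#   bits 2-7   minor device class (meaning depends on the major class)
#   bits 8-12  major device class
#   bits 13-23 major service classes, one flag bit per service

# Major device class name for a CoD value given as a 0x... literal
cod_major() {
    case $(( ($1 >> 8) & 0x1f )) in
        0)  echo "Miscellaneous" ;;
        1)  echo "Computer" ;;
        2)  echo "Phone" ;;
        3)  echo "LAN/Network Access Point" ;;
        4)  echo "Audio/Video" ;;
        5)  echo "Peripheral" ;;
        6)  echo "Imaging" ;;
        7)  echo "Wearable" ;;
        8)  echo "Toy" ;;
        9)  echo "Health" ;;
        31) echo "Uncategorized" ;;
        *)  echo "Reserved" ;;
    esac
}

# Minor device class; only the Phone table is spelled out here, other
# major classes just get the raw minor number
cod_minor() {
    major=$(( ($1 >> 8) & 0x1f ))
    minor=$(( ($1 >> 2) & 0x3f ))
    if [ "$major" -eq 2 ]; then
        case $minor in
            0) echo "Uncategorized" ;;
            1) echo "Cellular" ;;
            2) echo "Cordless" ;;
            3) echo "Smartphone" ;;
            4) echo "Wired modem or voice gateway" ;;
            5) echo "Common ISDN access" ;;
            *) echo "Reserved" ;;
        esac
    else
        printf 'minor 0x%02x\n' "$minor"
    fi
}

# Comma-separated list of the major service class flags that are set
cod_services() {
    out=""
    for pair in 13:Limited-Discoverable 16:Positioning 17:Networking \
                18:Rendering 19:Capturing 20:Object-Transfer \
                21:Audio 22:Telephony 23:Information; do
        bit=${pair%%:*}
        if [ $(( ($1 >> $bit) & 1 )) -eq 1 ]; then
            out="${out:+$out,}${pair#*:}"
        fi
    done
    echo "$out"
}

# One-line summary; defaults to the value shown by bluetoothctl above
cod_decode() {
    printf 'Class %s: major=%s, minor=%s, services=%s\n' "$1" \
        "$(cod_major "$1")" "$(cod_minor "$1")" "$(cod_services "$1")"
}

cod_decode "${1:-0x007a020c}"
```

Run it as `sh cod.sh 0x007a020c`: for the value above it reports major class Phone, minor class Smartphone and the Networking, Capturing, Object Transfer, Audio and Telephony service flags, which is consistent with the Icon: phone line. Comparing the decoded class with what a device claims to be (a "speaker" advertising the Telephony flag, for instance) is a cheap sanity check when you inventory the devices around you.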

After the scan is stopped, all discovered devices are removed from the list shortly afterwards.

...
[DEL] Device E8:38:80:7F:E3:D7 root
...
[bluetooth]# info E8:38:80:7F:E3:D7
Device E8:38:80:7F:E3:D7 not available
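Because bluetoothctl forgets a device a short time after the scan stops, it helps to capture the scan output to a file and keep your own inventory from it. The script below is an added example and not part of the original tutorial: `scan_inventory` reads captured bluetoothctl scan output and prints one line per address with the last known name, whether the device is still present or has been removed, and the last RSSI seen. How you record the log is up to you (for instance `bluetoothctl --timeout 30 scan on | tee scan.log`, which is an assumption about your bluez version; check `bluetoothctl --help`). The sample log is constructed for the demo and reuses the addresses shown above.

```shell
#!/bin/sh
# Added example: build a persistent device inventory from captured
# "bluetoothctl scan on" output, so that addresses and names survive the
# [DEL] lines bluetoothctl prints once it forgets a device.
# Expected input lines (uncoloured, as when bluetoothctl writes to a pipe):
#   [NEW] Device <addr> <name>     new device discovered
#   [CHG] Device <addr> Name: ...  resolved name, or RSSI: <dBm>
#   [DEL] Device <addr> <name>     device dropped from bluetoothctl's list

# Reads scan output on stdin, prints "ADDR|NAME|STATE|LAST_RSSI" per device
scan_inventory() {
    awk '
        # join fields s..NF back into one string (names may contain spaces)
        function join(s,    i, r) {
            r = ""
            for (i = s; i <= NF; i++) r = r (i > s ? " " : "") $i
            return r
        }
        $1 == "[NEW]" && $2 == "Device" { name[$3] = join(4); state[$3] = "present"; next }
        $1 == "[CHG]" && $2 == "Device" && ($3 in name) {
            if ($4 == "RSSI:") rssi[$3] = $5       # last signal strength seen
            if ($4 == "Name:") name[$3] = join(5)  # resolved device name
            next
        }
        $1 == "[DEL]" && $2 == "Device" && ($3 in name) { state[$3] = "gone"; next }
        END {
            for (a in name) {
                r = (a in rssi) ? rssi[a] : "n/a"
                printf "%s|%s|%s|%s\n", a, name[a], state[a], r
            }
        }
    ' | sort
}

# Constructed sample log for the demo (addresses reused from the tutorial)
SAMPLE_LOG='[NEW] Device E8:38:80:7F:E3:D7 root
[CHG] Device E8:38:80:7F:E3:D7 RSSI: -61
[NEW] Device 4D:87:7A:55:2F:31 4D-87-7A-55-2F-31
[CHG] Device 4D:87:7A:55:2F:31 Name: Sensor Tag
[DEL] Device E8:38:80:7F:E3:D7 root'

demo_scan_inventory() {
    printf '%s\n' "$SAMPLE_LOG" | scan_inventory
}

demo_scan_inventory
```

With a real capture: `scan_inventory < scan.log`. The "gone" state keeps the address and name of the phone even after its [DEL] line, which is exactly the information the `info` command can no longer give you; diffing two such inventories taken at different times is a simple way to notice devices that newly appear near your Raspberry PI.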

Dive deeper with sdptool.

# show help (optional)
$ sdptool --help

# show all available services
$ sudo sdptool browse E8:38:80:7F:E3:D7
...
Service Name: Phonebook
Service RecHandle: 0x4f49112f
Service Class ID List:
  "Phonebook Access - PSE" (0x112f)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 13
  "OBEX" (0x0008)
...

With sdptool you will see much more information, for example services, channels and protocols. The following services can be discovered.

DID SP DUN LAN FAX OPUSH FTP PRINT HS HSAG HF HFAG SAP PBAP MAP NAP GN PANU HCRP HID KEYB WIIMOTE CIP CTP A2SRC A2SNK AVRCT AVRTG UDIUE UDITE SEMCHLA SR1 SYNCML SYNCMLSERV ACTIVESYNC HOTSYNC PALMOS NOKID PCSUITE NFTP NSYNCML NGAGE APPLE IAP ISYNC GATT
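Reading sdptool output by eye gets tedious once a device exposes a dozen services. As an added example (not part of the original tutorial), the following shell function condenses `sdptool browse` output into one line per service record: service name, first service class UUID, the protocol stack and the RFCOMM channel if there is one. The sample input is constructed: the first record is the Phonebook record shown above, the second is a made-up A2DP audio source record.

```shell
#!/bin/sh
# Added example: condense "sdptool browse <addr>" output into one line per
# service record: NAME|FIRST_CLASS_UUID|PROTOCOL_STACK|RFCOMM_CHANNEL
# (the channel column is "-" when the record has no RFCOMM layer).

sdp_summary() {
    awk '
        # print the record collected so far and reset for the next one
        function emit() {
            if (name != "")
                printf "%s|%s|%s|%s\n", name, class, protos, (chan == "" ? "-" : chan)
            name = ""; class = ""; protos = ""; chan = ""; section = ""
        }
        /^Service Name:/ { emit(); name = $0; sub(/^Service Name: */, "", name); next }
        /^Service Class ID List:/    { section = "class"; next }
        /^Protocol Descriptor List:/ { section = "proto"; next }
        /^[^ \t]/                    { section = "" }   # other unindented line ends the list
        # first UUID in the class list, e.g. "Phonebook Access - PSE" (0x112f)
        section == "class" && class == "" && match($0, /\(0x[0-9a-fA-F]+\)/) {
            class = substr($0, RSTART + 1, RLENGTH - 2)
        }
        # each quoted protocol name in the descriptor list, in stack order
        section == "proto" && /^[ \t]*"/ {
            p = $0; sub(/^[ \t]*"/, "", p); sub(/".*/, "", p)
            protos = protos (protos == "" ? "" : "/") p
        }
        section == "proto" && /Channel:/ { chan = $NF }
        END { emit() }
    '
}

# Constructed sample: the Phonebook record from the tutorial plus a
# made-up A2DP audio source record
SDP_SAMPLE='Browsing E8:38:80:7F:E3:D7 ...
Service Name: Phonebook
Service RecHandle: 0x4f49112f
Service Class ID List:
  "Phonebook Access - PSE" (0x112f)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 13
  "OBEX" (0x0008)

Service Name: Audio Source
Service RecHandle: 0x1000b
Service Class ID List:
  "Audio Source" (0x110a)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 25
  "AVDTP" (0x0019)
    uint16: 0x0103'

demo_sdp_summary() {
    printf '%s\n' "$SDP_SAMPLE" | sdp_summary
}

demo_sdp_summary
```

With a real device: `sudo sdptool browse E8:38:80:7F:E3:D7 | sdp_summary`. Keeping such a summary per device over time shows you when a service, an RFCOMM channel in particular, appears that was not there before.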

Try to connect

# trust a device
[bluetooth]# trust [mac address]

# pair a device
[bluetooth]# pair [mac address]

# list paired devices
[bluetooth]# paired-devices

# connect to device
[bluetooth]# connect [mac address]

# remove a device
[bluetooth]# remove [mac address]

Connect with gatttool for BLE.

# start interactive session
$ sudo gatttool -b 4D:87:5D:55:2F:31 -I

# start interactive session (with random address type)
$ sudo gatttool -t random -b 4D:87:5D:55:2F:31 -I

# show help (optional)
[4D:87:5D:55:2F:31][LE]> help

# connect to LE device
[4D:87:5D:55:2F:31][LE]> connect
Attempting to connect to 4D:87:5D:55:2F:31

# show the primary UUIDs
[4D:87:5D:55:2F:31][LE]> primary

# show all available handles
[4D:87:5D:55:2F:31][LE]> char-desc

# write a value to a handle (write without response)
[4D:87:5D:55:2F:31][LE]> char-write-cmd 0x001 1234567890

# disconnect from LE device
[4D:87:5D:55:2F:31][LE]> disconnect

# exit gatttool
[4D:87:5D:55:2F:31][LE]> exit

Note: Some connections require you to change the address type to random (-t random).

Read this manual to get more information about gatttool.

Info

Sometimes the connect command does not work (e.g. with speakers); in such cases you can try to install a GUI or use the package pulseaudio-module-bluetooth.

...
Failed to connect: org.bluez.Error.Failed
[bluetooth]# exit

# install package
$ sudo apt install -y pulseaudio-module-bluetooth

Have a look at this specific tutorial about Bluetooth Speaker with Raspberry PI.

Start to dump

The hcidump utility allows the monitoring of Bluetooth activity. It provides a disassembly of the Bluetooth traffic.

# start LE scan (if no connection is established)
$ sudo hcitool lescan

For example, in a second SSH session you can run hcidump.

# show help (optional)
$ hcidump --help

# dump data in raw
$ sudo hcidump --raw

# dump data in ascii
$ sudo hcidump --ascii

# dump data in ascii and raw
$ sudo hcidump --ext
