How to listen quietly for other Bluetooth devices?


How to listen quietly for other Bluetooth devices?

Mikhail T.-6
Hello!

I'd like my FreeBSD computer to detect the presence of other
Bluetooth-devices nearby.

I have a little USB-dongle plugged into it, which is recognized as ubt0.
I started "hcidump -a" while turning Bluetooth on the iPhone next to the
dongle on and trying to link to a pair of BT-headphones. The "hcidump"
didn't print any traffic even though, of course, the phone did try to
radio out.

How can the detection be made to work? Note, I don't want to decode any
communications between BT-devices. I just want to detect their presence
and what information about them, that's not encrypted...

Thanks! Yours,

    -mi

_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bluetooth
To unsubscribe, send any mail to "[hidden email]"

Re: How to listen quietly for other Bluetooth devices?

Maksim Yevmenkin-2
Hi Mikhail,

> I'd like my FreeBSD computer to detect the presence of other
> Bluetooth-devices nearby.

you probably look for inquiry command. i.e. hcidump inquiry. please be
aware that remote device may not answer inquiry, i.e. "not
discoverable". apart from inquiry, there is not a whole lot you can do
with standard hci interface

thanks!
max

Re: How to listen quietly for other Bluetooth devices?

Maksim Yevmenkin-2
On Sat, Jul 8, 2017 at 7:58 PM, Maksim Yevmenkin
<[hidden email]> wrote:
> Hi Mikhail,
>
>> I'd like my FreeBSD computer to detect the presence of other
>> Bluetooth-devices nearby.
>
> you probably look for inquiry command. i.e. hcidump inquiry. please be

this should read hcicontrol instead of hcidump

> aware that remote device may not answer inquiry, i.e. "not
> discoverable". apart from inquiry, there is not a whole lot you can do
> with standard hci interface
>
> thanks!
> max

Re: How to listen quietly for other Bluetooth devices?

Mikhail T.-4
In reply to this post by Maksim Yevmenkin-2
Doesn't "inquiry" imply activity? I'd like the computer to listen passively... I assume, if a phone nearby is communicating with something (like headphones), other Bluetooth devices hear it - even if they typically ignore it. Is that a valid assumption?

Can a Bluetooth dongle be placed into some sort of "promiscuous" mode instead?
--
Sent from mobile device, please, pardon shorthand.

On 8 Jul 2017, at 22:58, Maksim Yevmenkin <[hidden email]> wrote:

> Hi Mikhail,
>
>> I'd like my FreeBSD computer to detect the presence of other
>> Bluetooth-devices nearby.
>
> you probably look for inquiry command. i.e. hcidump inquiry. please be
> aware that remote device may not answer inquiry, i.e. "not
> discoverable". apart from inquiry, there is not a whole lot you can do
> with standard hci interface
>
> thanks!
> max


Re: How to listen quietly for other Bluetooth devices?

Maksim Yevmenkin-2
> Doesn't "inquiry" imply activity?

yes, device will go into "inquiry scan"

> I'd like the computer to listen passively...
> I assume, if a phone nearby is communicating with something (like headphones),
> other Bluetooth devices hear it - even if they typically ignore it. Is that a valid assumption?

well, yes and no. bluetooth is basically TDMA (time division multiple
access). what it means is that each device is assigned time slot in
which it can communicate. so, device will effectively "not
listen/talk" unless it's in the assigned time slot. i'm simplifying
things a lot here, but, i hope you get the general idea

> Can a Bluetooth dongle be placed into some sort of "promiscuous" mode instead?

not that i know of. bluetooth scanners exist (as completely separate
units), but they are (or at least used to be) expensive. those are
used to grab over-the-air transmissions and decode them. i'm not aware
(nor have i ever seen) of an off-the-shelf bluetooth dongle that is capable
of going into "promiscuous" mode.

thanks!
max

Re: How to listen quietly for other Bluetooth devices?

Mikhail T.-6
On 08.07.2017 23:22, Maksim Yevmenkin wrote:
> i'm not aware (nor have i ever seen) of an off-the-shelf bluetooth dongle that is capable of going into "promiscuous" mode.

Thank you, Max, for sharing your expertise... So, you are saying, the
decision on whether to notify the host of a particular bit of traffic
the dongle "hears" is controlled by the hard-coded logic on the dongle
itself -- and can not be reprogrammed by the host?

Sad... Maybe, I will have to "broadcast" something in order to register
responses.

    -mi


Re: How to listen quietly for other Bluetooth devices?

Maksim Yevmenkin-2

>> i'm not aware (nor have i ever seen) of an off-the-shelf bluetooth dongle that is capable of going into "promiscuous" mode.
> Thank you, Max, for sharing your expertise... So, you are saying, the decision on whether to notify the host of a particular bit of traffic the dongle "hears" is controlled by the hard-coded logic on the dongle itself -- and can not be reprogrammed by the host?
>
Host normally does not get to see past HCI (host controller interface). HCI defines set of commands, responses and events that can be sent and received. This set varies slightly from one Bluetooth specification version to another, however bulk of commands is mostly the same.

The way host accesses HCI is via transport. Serial, USB etc. HCI transport specifies how HCI datagrams are transferred over particular low level transport interface. For example, with USB, HCI events are transferred over USB interrupt endpoint, ACL data are transferred as USB bulk transfers and SCO data as isochronous transfers.

So, basically, host gets to access particular HCI transport (USB in your case) and gets to see HCI datagrams that are received over the transport. Host does not get direct access to baseband (radio). All access is indirect via HCI commands.

Of course HCI has provision for so called "vendor" commands. Those are specific to each vendor and generally not documented. It is possible that some vendor may have implemented commands that allow low level access to baseband, however, I never saw anything like that.
> Sad... Maybe, I will have to "broadcast" something in order to register responses.
>
One possible way to do something like this is to instruct local Bluetooth devices to perform "periodic inquiry". This way local device will periodically perform inquiry scan and save results into "neighbor cache". Dumping "neighbor cache" periodically will give an approximate list of "discoverable devices" in RF proximity.

Of course timing is not going to be perfect (can't tell exactly when remote device was seen) but it's something. Also, remote device may choose to not answer inquiry scan (not discoverable). In this case there is still an option to "page" remote device (try to open baseband connection) using remote device bd_addr.

Thanks !
Max

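The "periodic inquiry plus neighbor cache" approach from the post above, written out as an added example (not code from the thread or from FreeBSD): it polls the local HCI node with hccontrol(8) inquiry on a fixed interval, parses each round, and keeps its own first-seen/last-seen table so the timing caveat is explicit. The `hccontrol -n ubt0hci inquiry` invocation and the `BD_ADDR:`/`Class:` output lines are assumptions about the tool's output; the sample text in the test is constructed.

```python
"""Presence logger built on hccontrol(8) inquiry, as a stand-in for periodic
inquiry: poll the local HCI node, parse each inquiry round and keep a
first-seen/last-seen table of discoverable devices (constructed example)."""
import re
import subprocess
import time

HCI_NODE = "ubt0hci"  # Netgraph HCI node for the ubt0 dongle from the thread
# Assumed invocation; check hccontrol(8) on your FreeBSD version.
INQUIRY_CMD = ["hccontrol", "-n", HCI_NODE, "inquiry"]

# Assumed output shape: one indented "BD_ADDR:" line and one "Class:" line
# per inquiry response, in that order.
BDADDR_RE = re.compile(r"BD_ADDR:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
CLASS_RE = re.compile(r"Class:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){2})")


def parse_inquiry(output):
    """Return a list of {'bdaddr', 'class'} dicts from hccontrol inquiry text."""
    devices, current = [], None
    for line in output.splitlines():
        m = BDADDR_RE.search(line)
        if m:
            current = {"bdaddr": m.group(1).lower(), "class": None}
            devices.append(current)
            continue
        m = CLASS_RE.search(line)
        if m and current is not None:
            current["class"] = m.group(1).lower()
    return devices


def update_presence(table, devices, now):
    """Merge one inquiry round into the table keyed by bdaddr; returns table."""
    for dev in devices:
        entry = table.setdefault(
            dev["bdaddr"], {"first_seen": now, "class": None, "rounds": 0})
        entry["last_seen"] = now
        entry["rounds"] += 1
        if dev["class"]:
            entry["class"] = dev["class"]
    return table


def absent_since(table, now, max_age):
    """Devices whose last inquiry response is older than max_age seconds.
    Resolution is bounded by the poll interval: a device is only known to
    have left some time between its last response and the next round, and
    a device that is not discoverable never shows up at all."""
    return sorted(a for a, e in table.items() if now - e["last_seen"] > max_age)


def run_inquiry():
    """Run one inquiry round on the local dongle and return parsed results."""
    out = subprocess.run(INQUIRY_CMD, capture_output=True, text=True, check=True)
    return parse_inquiry(out.stdout)


def monitor(interval=30.0, rounds=None):
    """Poll forever (or for `rounds` rounds), printing the table each time."""
    table, n = {}, 0
    while rounds is None or n < rounds:
        table = update_presence(table, run_inquiry(), time.time())
        n += 1
        for addr, e in sorted(table.items()):
            print("%s class=%s first=%.0f last=%.0f rounds=%d" % (
                addr, e["class"], e["first_seen"], e["last_seen"], e["rounds"]))
        time.sleep(interval)
    return table


if __name__ == "__main__":
    monitor()
```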

Ubertooth (Re: How to listen quietly for other Bluetooth devices?)

Mikhail T.-6
On 09.07.2017 12:54, maksim yevmenkin wrote:
> Of course HCI has provision for so called "vendor" commands. Those are
> specific to each vendor and generally not documented. It is possible
> that some vendor may have implemented commands that allow low level
> access to baseband, however, I never saw anything like that.

On the note of different vendors, has anyone tried to port the
"Ubertooth" software parts to FreeBSD?

    https://github.com/greatscottgadgets/ubertooth

The code has a few instances of "ifdef FreeBSD", but does not build "out
of the box"...

    -mi


Re: Ubertooth (Re: How to listen quietly for other Bluetooth devices?)

Maksim Yevmenkin-2

>> Of course HCI has provision for so called "vendor" commands. Those are specific to each vendor and generally not documented. It is possible that some vendor may have implemented commands that allow low level access to baseband, however, I never saw anything like that.
> On the note of different vendors, has anyone tried to port the "Ubertooth" software parts to FreeBSD?
>
> https://github.com/greatscottgadgets/ubertooth
>
> The code has a few instances of "ifdef FreeBSD", but does not build "out of the box"...
>
Interesting... I personally have not seen this. Thank you for the pointer. It looks like custom hardware running custom firmware. This should be able to give full access to baseband. Still kinda pricey. Ubertooth one hardware sells for $120 at sparkfun. That's 3x price of raspberry pi 2/3 :) for a fraction of general usability :) could make a relatively inexpensive Bluetooth scanner though.

Thanks !
Max

Re: Ubertooth (Re: How to listen quietly for other Bluetooth devices?)

Mikhail T.-6
On 09.07.2017 18:54, maksim yevmenkin wrote:
> Interesting... I personally have not seen this. Thank you for the
> pointer. It looks like custom hardware running custom firmware. This
> should be able to give full access to baseband. Still kinda pricey.
> Ubertooth one hardware sells for $120 at sparkfun. That's 3x price of
> raspberry pi 2/3 :) for a fraction of general usability :) could make
> a relatively inexpensive Bluetooth scanner though.
>
They are using "bluez" to flash their own firmware into the dongle, it
seems. I doubt, they make their own chipset -- it may be possible to
flash the same firmware into a much cheaper dongle with the same chipset...

    -mi


Re: Ubertooth (Re: How to listen quietly for other Bluetooth devices?)

tj-4
In reply to this post by Mikhail T.-6
On Sun, Jul 09, 2017 at 02:33:45PM -0400, Mikhail T. wrote:

> On 09.07.2017 12:54, maksim yevmenkin wrote:
> > Of course HCI has provision for so called "vendor" commands. Those are
> > specific to each vendor and generally not documented. It is possible
> > that some vendor may have implemented commands that allow low level
> > access to baseband, however, I never saw anything like that.
>
> On the note of different vendors, has anyone tried to port the
> "Ubertooth" software parts to FreeBSD?
>
>     https://github.com/greatscottgadgets/ubertooth
>
> The code has a few instances of "ifdef FreeBSD", but does not build "out
> of the box"...
>

I have spoken to Dominic Spill (author/maintainer of the software) about
this in the past. We decided it was a non-trivial task to implement
support for FreeBSD.

- [tj]

Re: Ubertooth (Re: How to listen quietly for other Bluetooth devices?)

Maksim Yevmenkin-2
In reply to this post by Mikhail T.-6
On Sun, Jul 9, 2017 at 4:11 PM, Mikhail T. <[hidden email]> wrote:

> On 09.07.2017 18:54, maksim yevmenkin wrote:
>
> Interesting... I personally have not seen this. Thank you for the pointer.
> It looks like custom hardware running custom firmware. This should be able
> to give full access to baseband. Still kinda pricey. Ubertooth one hardware
> sells for $120 at sparkfun. That's 3x price of raspberry pi 2/3 :) for a
> fraction of general usability :) could make a relatively inexpensive
> Bluetooth scanner though.
>
> They are using "bluez" to flash their own firmware into the dongle, it
> seems. I doubt, they make their own chipset -- it may be possible to flash
> the same firmware into a much cheaper dongle with the same chipset...

hmm... i don't see it. sorry. maybe i'm looking in the wrong place.

so, yes, they have custom firmware that is flashed onto ubertooth-zero
or ubertooth-one dongle. my understanding is that those are not
off-the-shelf dongles.

https://www.sparkfun.com/products/10573 is $120 (ubertooth-one)

https://www.amazon.com/Great-Scott-Gadgets-WRL-10573-Ubertooth/dp/B007R9UPHA
(Amazon)

yes, they are not making completely custom chip, they are reusing some
off-the-shelf components. however, final board is custom. in fact, i'm
not even 100% sure that ubertooth-one is a complete bluetooth dongle.
according to schematics they use CC2400 Single-Chip 2.4 GHz ISM Band
Transceiver and CC2591 2.4 GHz Range Extender strapped to LPC175x ARM
Cortex-M3 microcontroller. it may be just designed for the purpose of
scanning and maybe injecting packets.

there are references to a modded CSR firmware that can be flashed onto
off-the-shelf CSR dongle. however, even with modded firmware, it will
not act as full scanner. according to the posts it will sniff traffic
for known BD_ADDR.

as far as porting it, i don't see what's the big deal. it seems like
it should be possible to port this.

thanks!
max

Re: Ubertooth (Re: How to listen quietly for other Bluetooth devices?)

Maksim Yevmenkin-2
On Mon, Jul 10, 2017 at 10:06 AM, Maksim Yevmenkin
<[hidden email]> wrote:

> On Sun, Jul 9, 2017 at 4:11 PM, Mikhail T. <[hidden email]> wrote:
>> On 09.07.2017 18:54, maksim yevmenkin wrote:
>>
>> Interesting... I personally have not seen this. Thank you for the pointer.
>> It looks like custom hardware running custom firmware. This should be able
>> to give full access to baseband. Still kinda pricey. Ubertooth one hardware
>> sells for $120 at sparkfun. That's 3x price of raspberry pi 2/3 :) for a
>> fraction of general usability :) could make a relatively inexpensive
>> Bluetooth scanner though.
>>
>> They are using "bluez" to flash their own firmware into the dongle, it
>> seems. I doubt, they make their own chipset -- it may be possible to flash
>> the same firmware into a much cheaper dongle with the same chipset...
>
> hmm... i don't see it. sorry. maybe i'm looking in the wrong place.
>
> so, yes, they have custom firmware that is flashed onto ubertooth-zero
> or ubertooth-one dongle. my understanding is that those are not
> off-the-shelf dongles.
>
> https://www.sparkfun.com/products/10573 is $120 (ubertooth-one)
>
> https://www.amazon.com/Great-Scott-Gadgets-WRL-10573-Ubertooth/dp/B007R9UPHA
> (Amazon)
>
> yes, they are not making completely custom chip, they are reusing some
> off-the-shelf components. however, final board is custom. in fact, i'm
> not even 100% sure that ubertooth-one is a complete bluetooth dongle.
> according to schematics they use CC2400 Single-Chip 2.4 GHz ISM Band
> Transceiver and CC2591 2.4 GHz Range Extender strapped to LPC175x ARM
> Cortex-M3 microcontroller. it may be just designed for the purpose of
> scanning and maybe injecting packets.
>
> there are references to a modded CSR firmware that can be flashed onto
> off-the-shelf CSR dongle. however, even with modded firmware, it will
> not act as full scanner. according to the posts it will sniff traffic
> for known BD_ADDR.
>
> as far as porting it, i don't see what's the big deal. it seems like
> it should be possible to port this.

after 15 minutes of looking at source code, i'm convinced that it
should be possible to get it working in freebsd.

it looks like ubertooth-one is already shipped with at least
bootloader programmed. it may even already contain something called
bluetooth_rxtx. even if one can not build bluetooth_rxtx (i.e.
firmware) on freebsd right out of the box, there is a pre-built binary
available.

to flash bluetooth_rxtx onto ubertooth-one one can use usb dfu tool.
that's a standard protocol and even if freebsd does not have a tool
available right away, a little bit of user space libusb programming is
all that is needed

finally, as soon as bluetooth_rxtx (i.e. firmware) is flashed onto
ubertooth-one, it will answer to a limited set of vendor HCI commands.
again, a little bit of user space libusb programming and it should be
all set.

again, keep in mind that ubertooth-one is NOT a bluetooth dongle. i
suppose it is possible to turn it into one by writing code that would
implement both baseband and HCI. but then again, unless there is a
specific need, it's more cost effective to pick up $5-$10 off-the-shelf
real bluetooth dongle. a $120 bluetooth sniffer (even if it has
limited functionality) could be useful to some people.

to summarize: $120 in hardware and weekend (or less) of coding will
produce dedicated bluetooth sniffer. it is not even required to modify
any kernel parts. as long as ubertooth-one is recognized as ugenX
device, it's possible to use libusb to control it.

ubertooth-one bootloader / firmware development is a bit more
complicated due to

a) cross-compile toolchain. however, if one already has cross-compile
toolchain for that micro-controller, it's a piece of cake. if not,
building gcc-based cross-compile toolchain should be doable.

b) intimate knowledge of programming rf transceivers, understanding of
over-the-air low level protocols, etc. etc. with enough dedication
it should also be doable.

thanks!
max

Re: How to listen quietly for other Bluetooth devices?

Stari Karp-2
In reply to this post by Mikhail T.-6
On Sun, 2017-07-09 at 10:51 -0400, Mikhail T. wrote:

> On 08.07.2017 23:22, Maksim Yevmenkin wrote:
> > i'm not aware (nor have i ever seen) of an off-the-shelf bluetooth dongle
> > that is capable of going into "promiscuous" mode.
>
> Thank you, Max, for sharing your expertise... So, you are saying,
> the
> decision on whether to notify the host of a particular bit of
> traffic
> the dongle "hears" is controlled by the hard-coded logic on the
> dongle
> itself -- and can not be reprogrammed by the host?
>
> Sad... Maybe, I will have to "broadcast" something in order to
> register
> responses.
>
>     -mi
>
>

I have a question too. Almost two years ago a patch was made for Apple
Magic Mouse and I think it is still there but was never used to update
FreeBSD bluetooth. I am using this patch all the time on all updates of
FreeBSD and it looks like it is dead. Am I right, please?

Thank you.


Re: Magic Mouse patch

Maksim Yevmenkin-2

> I have a question too. Almost two years ago a patch was made for Apple
> Magic Mouse and I think it is still there but was never used to update
> FreeBSD bluetooth. I am using this patch all the time on all updates of
> FreeBSD and it looks like it is dead. Am I right, please?

Apologies. I'm not sure I understand. Are you saying your patch was not committed?

Did you send it to me? Or did you file a PR?

If I missed it, I'm sorry. Can you please point me to it again?

Thanks
Max


Re: Magic Mouse patch

Stari Karp-2
On Fri, 2017-07-14 at 09:47 -0700, maksim yevmenkin wrote:

> > I have a question too. Almost two years ago a patch was made for
> > Apple
> > Magic Mouse and I think it is still there but was never used to update
> > FreeBSD bluetooth. I am using this patch all the time on all
> > updates of
> > FreeBSD and it looks like it is dead. Am I right, please?
>
> Apologies. I'm not sure I understand. Are you saying your patch was
> not committed?
>
> Did you send it to me? Or did you file a PR?
>
> If I missed it, I'm sorry. Can you please point me to it again?
>
> Thanks
> Max
>

It was not my patch, but it is a patch which is working for me and some
other people. I never heard anything about this patch again:
https://reviews.freebsd.org/D3702

Thank you.


Re: Magic Mouse patch

Maksim Yevmenkin-2
> It was not my patch, but it is a patch which is working for me and some
> other people. I never heard anything about this patch again:
> https://reviews.freebsd.org/D3702

right... i can see that i approved this. i suppose author did not
merge this in. maybe contact the author?

thanks!
max

Re: Magic Mouse patch

Dirk Engling
On 14.07.17 22:10, Maksim Yevmenkin wrote:
>> It was not my patch, but it is a patch which is working for me and some
>> other people. I never heard anything about this patch again:
>> https://reviews.freebsd.org/D3702
>
> right... i can see that i approved this. i suppose author did not
> merge this in. maybe contact the author?

Patch is mine. I do not have commit bits, so I never knew where to merge
it. Who do I nudge?

One problem is, the patch bumps config file format, which once rewritten
is not readable with old lexer. Maybe bthidd should switch to libucl?
Would be willing to provide a patch for that.

  erdgeist