Bluetooth Basics

Basics of Interaction

  • The hciconfig command is to Bluetooth adapters what ifconfig is to Linux network interfaces.

  • View your device

hciconfig
hci0:	Type: Primary  Bus: USB
	BD Address: 00:01:95:79:EF:89  ACL MTU: 310:10  SCO MTU: 64:8
	UP RUNNING 
	RX bytes:1252 acl:0 sco:0 events:76 errors:0
	TX bytes:2862 acl:0 sco:0 commands:75 errors:0
  • Can see Bus: USB

  • Interface name hci0

  • BD Address (our address) 00:01:95:79:EF:89

  • Status of our adapter UP RUNNING

  • ACL MTU: 310:10

    • The MTU size for ACL connections is 310 bytes, and the ACL buffer holds 10 packets.

  • SCO MTU: 64:8

    • The MTU size for SCO connections is 64 bytes, and the SCO buffer holds 8 packets.

  • UP - The interface is in the UP state.

  • RUNNING - The interface is currently operational.

  • PSCAN - The interface will respond to page scan messages.

Change the Name of the Adapter

hciconfig hci0 name 
sudo hciconfig hci0 name SECRET
hciconfig hci0 name
  • Names cannot be blank and cannot exceed 248 bytes in length

  • The BlueZ stack limits device names to 247 bytes

Bring Adapter Up/Down

hciconfig 
hci0:	Type: Primary  Bus: USB
	BD Address: 00:01:95:79:EF:89  ACL MTU: 310:10  SCO MTU: 64:8
	UP RUNNING 
	RX bytes:1252 acl:0 sco:0 events:76 errors:0
	TX bytes:2862 acl:0 sco:0 commands:75 errors:0
hciconfig hci0 down
hciconfig hci0 up 

Central v Peripheral Mode

  • See if your adapter is running in central or peripheral mode

hciconfig hci0 lm
hci0:	Type: Primary  Bus: USB
	BD Address: 00:01:95:79:EF:89  ACL MTU: 310:10  SCO MTU: 64:8
	Link mode: PERIPHERAL ACCEPT 
  • Can see we are in peripheral mode

  • ACCEPT means that the interface will accept new baseband connections from a central device

View Version

hciconfig hci0 version
hci0:	Type: Primary  Bus: USB
	BD Address: 00:01:95:79:EF:89  ACL MTU: 310:10  SCO MTU: 64:8
	HCI Version: 4.0 (0x6)  Revision: 0x2031
	LMP Version: 4.0 (0x6)  Subversion: 0x2031
	Manufacturer: Cambridge Silicon Radio (10)

Enable Discoverable Mode

  • Configure the device to be in discoverable mode and allow connections to the interface

sudo hciconfig hci0 piscan
hciconfig hci0 
hci0:	Type: Primary  Bus: USB
	BD Address: 00:01:95:79:EF:89  ACL MTU: 310:10  SCO MTU: 64:8
	UP RUNNING PSCAN ISCAN 
	RX bytes:1278 acl:0 sco:0 events:79 errors:0
	TX bytes:2904 acl:0 sco:0 commands:78 errors:0
  • If successful you will see PSCAN ISCAN

Disable Discoverable Mode

sudo hciconfig hci0 noscan 
hciconfig 
hci0:	Type: Primary  Bus: USB
	BD Address: 00:01:95:79:EF:89  ACL MTU: 310:10  SCO MTU: 64:8
	UP RUNNING 
	RX bytes:1290 acl:0 sco:0 events:81 errors:0
	TX bytes:2943 acl:0 sco:0 commands:80 errors:0

PSCAN v ISCAN

  • PSCAN enabled allows connections to the interface

  • ISCAN places the device in discoverable mode

Place device in discoverable mode but don't accept new connections

sudo hciconfig hci0 noscan 
sudo hciconfig hci0 pscan 
hciconfig hci0 
sudo hciconfig hci0 noscan 
sudo hciconfig hci0 iscan 
hciconfig hci0
  • Should see UP RUNNING ISCAN in the output of the second hciconfig hci0 command

Restore ability to accept new connections

sudo hciconfig hci0 piscan
hciconfig hci0
  • Should see UP RUNNING PSCAN ISCAN
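
A check for the scan flags discussed above, as an added example that is not part of the original page: it reads hciconfig output and reports, per adapter, whether PSCAN (connectable) and ISCAN (discoverable) are set. The function names and the hci1 sample adapter are constructed here.

```sh
#!/bin/sh
# Added example: classify each adapter's scan state from `hciconfig` output.
# PSCAN = accepts connections (connectable); ISCAN = discoverable.

scan_state() {   # reads hciconfig output on stdin, one result line per adapter
    awk '
        /^hci[0-9]+:/ { ifc = $1; sub(/:$/, "", ifc) }
        $1 == "UP" || $1 == "DOWN" {          # the flags line of an adapter
            conn = "no"; disc = "no"
            for (i = 1; i <= NF; i++) {
                if ($i == "PSCAN") conn = "yes"
                if ($i == "ISCAN") disc = "yes"
            }
            printf "%s connectable=%s discoverable=%s\n", ifc, conn, disc
        }
    '
}

# Succeeds only if no adapter in the input is discoverable,
# so it can gate a hardening or baseline script.
none_discoverable() {
    ! scan_state | grep -q 'discoverable=yes'
}

sample_output() {   # constructed sample; hci1 and its address are made up
    printf 'hci0:\tType: Primary  Bus: USB\n'
    printf '\tBD Address: 00:01:95:79:EF:89  ACL MTU: 310:10  SCO MTU: 64:8\n'
    printf '\tUP RUNNING PSCAN ISCAN \n'
    printf 'hci1:\tType: Primary  Bus: USB\n'
    printf '\tBD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8\n'
    printf '\tUP RUNNING PSCAN \n'
}

sample_output | scan_state
```

On a live system, pipe the real command in instead of the sample: hciconfig | scan_state.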

Spoofing Device Class

  • There are three types of Bluetooth device classes 1-3.

  • It is important to have the ability to spoof a device in a different class

  • Some devices might simply ignore your device if it is of the wrong class.

    • i.e. a headset for phone calls might ignore your device if you are not a phone

    • case by case basis per manufacturer

  • Change the class for a device

  • Useful site for obtaining the codes to act like other devices

hciconfig hci0 class
sudo hciconfig hci0 class 0x3e0100
hciconfig hci0 class
sudo hciconfig hci0 class 0x84010c
hciconfig hci0 class
sudo hciconfig hci0 class 0x050204
hciconfig hci0 class
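
What the class values used above encode, as an added example that is not part of the original page: the value passed to hciconfig class is a 24-bit field packing service-class bits, a major device class and a minor device class, and this POSIX shell decoder splits them. The function names are chosen here; the bit layout and class names follow the Bluetooth Assigned Numbers.

```sh
#!/bin/sh
# Added example: decode a 24-bit Bluetooth Class of Device (CoD) value.
# Layout: bits 23-13 major service classes, 12-8 major device class,
# 7-2 minor device class, 1-0 format type. Service bits 13-15 are not named here.

cod_major() {   # major device class name
    case $(( ($1 >> 8) & 0x1f )) in
        0) echo "Miscellaneous" ;;
        1) echo "Computer" ;;
        2) echo "Phone" ;;
        3) echo "LAN/Network Access Point" ;;
        4) echo "Audio/Video" ;;
        5) echo "Peripheral" ;;
        6) echo "Imaging" ;;
        7) echo "Wearable" ;;
        8) echo "Toy" ;;
        9) echo "Health" ;;
        31) echo "Uncategorized" ;;
        *) echo "Reserved" ;;
    esac
}

cod_minor() {   # numeric minor class; its meaning depends on the major class
    echo $(( ($1 >> 2) & 0x3f ))
}

cod_services() {   # comma-separated service class names for bits 16-23
    out=""
    bit=16
    for name in Positioning Networking Rendering Capturing \
                "Object Transfer" Audio Telephony Information; do
        if [ $(( ($1 >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out,}$name"
        fi
        bit=$((bit + 1))
    done
    echo "$out"
}

decode_cod() {
    printf '%s major=%s minor=%s services=%s\n' \
        "$1" "$(cod_major "$1")" "$(cod_minor "$1")" "$(cod_services "$1")"
}

# Values taken from the hciconfig and hcitool examples on this page
for cod in 0x3e0100 0x84010c 0x050204 0x2a410c 0x08043c; do
    decode_cod "$cod"
done
```

Every field is set by the device itself, so a scanner or pairing policy should treat the decoded class as a hint and not as proof of what the remote device is.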

Scanning for Devices

  • Basic Scan

hcitool -i hci0 scan
Scanning ...
	98:2C:BC:0E:06:8B	BALTIMORE
  • Detailed Scan

hcitool -i hci0 scan --info --class
Scanning ...
BD Address:	98:2C:BC:0E:06:8B [mode 1, clkoffset 0x717b]
Device name:	BALTIMORE
Device class:	Computer, Laptop (0x2a410c)
  • A better example

hcitool -i hci1 scan
Scanning ...
	00:1F:FF:7C:8A:F2	PR BT 9747
	E0:D8:C4:3F:DF:F7	Living Room TV 2
	E0:D4:64:55:20:61	dev #1
	E0:03:6B:60:9B:4D	Samsung CU7000 50 1
	E0:03:6B:5E:34:C4	Samsung CU7000 50

hcitool -i hci1 scan --info --class
Scanning ...

BD Address:	E0:D4:64:55:20:61 [mode 1, clkoffset 0x16c2]
Device name:	dev #1
Device class:	Computer, Laptop (0x7c010c)

BD Address:	E0:03:6B:5E:34:C4 [mode 1, clkoffset 0x6703]
Device name:	Samsung CU7000 50
Device class:	Audio/Video, Video Display and Loudspeaker (0x08043c)

BD Address:	E0:D8:C4:3F:DF:F7 [mode 1, clkoffset 0x6245]
Device name:	Living Room TV 2
Device class:	Audio/Video, Video Display and Loudspeaker (0x28043c)

BD Address:	E0:03:6B:60:9B:4D [mode 1, clkoffset 0x188f]
Device name:	Samsung CU7000 50 1
Device class:	Audio/Video, Video Display and Loudspeaker (0x08043c)
