[Hackrf-dev] State of bluetooth sniffing

Michael Ossmann mike at ossmann.com
Mon Oct 5 11:00:02 EDT 2015


On Mon, Oct 05, 2015 at 07:48:32AM -0400, Richard Smith wrote:
>
> Based on the DEF CON 17 - Bluetooth Smells like Chicken video I have
> watched with Dominic Spill, Michael Ossmann, and Mark Steward.  All of
> this seemed possible with the USRP.
> 
> Has similar stuff been done with the hackrf one?
> 
> Is there anyone here actively using hackrf one to sniff BT packets or
> to follow a devices hopping pattern?

Most of our Bluetooth monitoring efforts have shifted from SDR to
Ubertooth in recent years, but it should be possible to run gr-bluetooth
with HackRF One.  The aliasing trick for all-channel monitoring doesn't
work on HackRF One, however.  (Actually it partially works, but you can
capture a maximum of about 31 channels that way, so you would still need
multiple devices to capture all 79 channels.)

Hopping along with Bluetooth connections by tuning the radio hardware
has never been implemented in gr-bluetooth.  We implemented it for
Ubertooth, but it has not been as reliable as we hoped, so the benefit
of porting that function to HackRF One would be limited.

EDR decoding is possible with SDR, but it has not been implemented in
gr-bluetooth.  Every EDR packet starts with a Basic Rate header, so
you'll get the header but not the payload.

If capturing headers on a subset of Bluetooth channels is okay for you,
then HackRF One with gr-bluetooth could be a good solution.  If you need
to capture and decode every packet on every channel, I suggest looking
elsewhere.

Mike
