Bluetooth Penetration Testing Framework

last edition: Feb 18, 2011
e-mail: bluetooth-pentest@narod.ru

* try to penetrate your device for making it more secure! *

bluetooth dao: user -> software -> interface (usb, pcmcia etc) -> chip with bt firmware -> transmitter -> amplifier -> antenna ~> 2.402-2.480GHz ~> antenna -> amplifier -> receiver -> chip with bt firmware -> interface (usb, pcmcia etc) -> software -> user

NEWS

+ Feb 18: Added Bluelog - tool to log discoverable Bluetooth devices in the area, with optional web front end. web
+ Apr 21: new version (090417) of BlueMaho - GUI-shell (interface) for a suite of tools for testing security of bluetooth devices. It is freeware, opensource, written in Python, uses wxPython. It can be used for testing BT-devices for known vulnerabilities and, the major thing to do, testing to find unknown vulns. It can also form nice statistics. web
+ Feb 04: obexstress.py - script for testing a remote OBEX service for some potential vulnerabilities. Tests available commands, may find directory traversal, tests if some characters in a file name can cause a DoS, tests if a long file name can cause a DoS. download v0.1
+ Jan 10: bluesquirrel - set of tools and scripts for automation of scanning for devices, breaking pairing relationships between them, sniffing the pairing procedure with frontline.c, cracking PIN and linkkey with btpincrack, and then emulating (spoofing) the connection. For sniffing you need a dongle with FTS4BT firmware. download v0.1
+ Jan 04: ibluetoothproject.tk - bringing fully functional bluetooth to your iPhone!
+ Jan 02: Where and how bluetooth stacks storing linkkeys?


README
www.digifail.com - Bluetooth Research and Tools
www.palowireless.com - Palowireless Bluetooth Resource Center
www.bluetooth.com - How Bluetooth Technology Works, Core Specification etc
www.holtmann.org - Bluetooth and Linux
www An Introduction to Bluetooth programming in GNU/Linux
www Bluetooth Essentials for Programmers. Albert S. Huang, Larry Rudolph
www Bluetooth on FreeBSD

www Digital Munition
www trifinite.org
www Datenterrorist
www BT maillist
www bluetoothtracking.org
www Seguridad Mobile

book Bluetooth Security. Gehrmann, Persson and Smeets. Artech House, 2004
pdf Bluetooth Security White Paper. Bluetooth SIG Security Expert Group, 2002
pdf Studying Bluetooth Malware Propagation. Merloni, Carettoni and Zanero, 2007
pdf Guide to Bluetooth Security, NIST, 2008

GENERAL SOFTWARE

BlueZ - Official Linux Bluetooth protocol stack, BlueZ Wiki

PyBluez - PyBluez is an effort to create python wrappers around system Bluetooth resources to allow Python developers to easily and quickly create Bluetooth applications.

LightBlue - a cross-platform Python Bluetooth API

- - - multifunctional security tools

BlueMaho - BlueMaho is a GUI-shell (interface) for a suite of tools for testing security of bluetooth devices. It is freeware, opensource, written in Python, uses wxPython. It can be used for testing BT-devices for known vulnerabilities and, the major thing to do, testing to find unknown vulns. It can also form nice statistics. web, download v090417

Bluediving - Bluetooth penetration testing suite for GNU Linux 2.4 / 2.6 and FreeBSD. It implements attacks like Bluebug, BlueSnarf, BlueSnarf++, BlueSmack, has features such as Bluetooth address spoofing, an AT and a RFCOMM socket shell and implements tools like carwhisperer, bss, L2CAP packetgenerator, L2CAP connection resetter, RFCOMM scanner and greenplaque scanning mode (using more than one hci device). download v0.9 / web

BT Browser MIDlet is a J2ME MIDP MIDlet that can browse and explore the technical specification of surrounding bluetooth devices. You can browse device bluetooth information and all supported profiles and service records on each device. This is a great utility tool to sniff bluetooth information as well as to validate your Bluetooth applications. BT Browser 2.0 works on phones that support JSR-82 (Java Bluetooth or JABWT) specification. download v2.0

btCrawler is a simple bluetooth scanner for Windows Mobile based devices. It scans for other visible devices in range and can perform a service query. You can also query for services of your own device and do some self-diagnostic stuff. In the device list, COD means "Class of Device" (see bluetooth specification for more info). In the output window, when the SDP services are listed, "ChId" means Channel ID, which is the RFCOMM channel the service is listening on. It supports both landscape and portrait screens. As of version 1.0, bluejacking and bluesnarfing are supported. download v1.1, web

Blooover II is a J2ME mobile phone auditing tool. Besides the BlueBug attack, it supports the HeloMoto attack (which is quite close to the BlueBug attack), the BlueSnarf and the sending of malformed objects via OBEX. Runs on phones with MIDP 2.0 and JSR-82. download, web

BT Audit is a suite of tools used to scan L2CAP PSMs (Protocol Service Multiplexers) and RFCOMM channels on a remote Bluetooth device. download v0.1.1, web

bluesn0w - bringing fully functional bluetooth to your iPhone! "we want to port EVERY BlueTooth profile to the iPhone." download beta, releases, web


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
playing with hardware 
radio, baseband, lmp, hci layers 
 0 
Bluetooth Chip/Module Manufacturers
CSR Support Home Page

Free space link distance calculator
      q. can we make it opensource?

*** List of bluetooth hardware for hacking purposes ***

If you want to add some info - please mail bluetooth-pentest@narod.ru !

name                    | class   | specs                   | chip              | antenna                      | features*
AIRcable Host XR        | class 1 | bluetooth 2.0, usb 1.1  | CSR BlueCore4-?   | external RP-SMA              | ?
Conceptronic CBT200U2   | class 1 | bt 2.0+EDR, usb 2.0     | CSR BlueCore4-ROM | internal chip, connector mod | BD_ADDR, VID&PID
D-link DBT-120 Rev. B4  | class 2 | bluetooth 1.1, usb 2.0  | CSR BlueCore2-EXT | -                            | BD_ADDR, firmware, FTS4BT, frontline.c, VID&PID
Linksys USBBT100 v.2    | class 1 | bluetooth 1.2, usb 1.1  | Broadcom ?        | ext antenna, antenna mod     | firmware
MSI MS-6967             | class 1 | bluetooth 1.1, usb 1.1  | CSR ?             | ext antenna mod              | ?
Zoom 4310BF             | class 1 | bt 2.0+EDR, usb 1.1     | ?                 | ext antenna, antenna mod     | ?

* Features:
   BD_ADDR - we can change BD_ADDR, with bccmd for example
   firmware - we can upload/download firmware
   frontline.c - we can use it with frontline.c
   FTS4BT - we can use it with FTS4BT
   VID&PID - we can change the VID&PID


hardware modifications:
USB Linksys (USBBT100) [USB 1.1 / BT 1.1 / Class 1] dongle. External antenna mod
USB MSI (MS-6967) [USB 1.1 / BT 1.1 / Class 1] dongle. External antenna mod
Ambicom FrankenDongle mod - 'class 2 USB Bluetooth dongle with antenna connector'
Zoom 4310BF USB dongle mod - 'class 1 USB Bluetooth 2.0 dongle with pigtail'
BluezJeans? - 'clothing for use with GreenPlaque'
Yagi Antenna and Bluetooth dongle
My Bluetooth Sniper Weapon. Nicely designed device based on Linksys dongle + YAGI
Conceptronic CBT200U2 [2.0/2.0+EDR/Class1] antenna connector mod
interesting antennas:
http://www.usbwifi.orcon.net.nz, wokfi how-to
Ez-12 Parabolic Reflector, template

useful tools/commands:
lsusb -v - linux tool to list USB devices

hciconfig from BlueZ - configure Bluetooth devices
    hciconfig hciN -a - get extended info about hciN device
    hciconfig hciN commands - display supported commands
    hciconfig hciN features - display device features
    hciconfig hciN revision - display revision information

bccmd from BlueZ - utility for the CSR BCCMD interface
   bccmd -d hciN buildname - get the full build name
   bccmd -d hciN memtypes - get memory types
   bccmd -d hciN pslist - list all PS keys
   bccmd -d hciN psread - read all PS keys

hcidump from BlueZ - reads raw HCI data coming from and going to a Bluetooth device (which can be specified with the option -i, default is the first available one) and prints to screen commands, events and data in a human-readable form.
    hcidump -i hciN -t -X -V - prints a lot of data

firmware
dfutool from BlueZ - device firmware upgrade utility
   dfutool verify <dfu-file> - display information about the firmware file
   dfutool modify <dfu-file> - change DFU specific values in the firmware file
   dfutool -d hci0 upgrade <dfu-file> - upgrade the device with a new firmware
   dfutool -d hci0 archive <dfu-file> - archive the current firmware of the device
xap2.zip - tools for reverse engineering CSR Firmware. the tools include firmware extractor, disassembler, assembler and tool to do a diff to see if there are any differences between the resulting firmware and the original one.
   q. write a firmware for CSR based device, which might include raw access for sniffing
   and will be able to transmit raw packets.


device visibility
hciconfig hciN piscan - enable page and inquiry scan visibility
hciconfig hciN noscan - disable page and inquiry scan visibility
hciconfig hciN iscan - enable inquiry scan, disable page scan visibility
hciconfig hciN pscan - enable page scan, disable inquiry scan visibility

change the name and class of device
   set local name to name fue: hciconfig hciN name <fue>
   set class of device to 0x00000: hciconfig hciN class <0x00000>
   ~ web-based Bluetooth Class of Device/Service (CoD) Generator
   ~ change the CoD of your Bluetooth enabled PalmOS device - BTClass
      q. smartphones?

change the VID&PID
   set usb vendor id to 0x0a12: bccmd -d hciN psset -s 0x0001 0x02be 0x0a12
   set usb product id to 0x0001: bccmd -d hciN psset -s 0x0001 0x02bf 0x0001
   ~ List of USB ID's http://www.linux-usb.org/usb.ids

change the BT device address (BD_ADDR)
bccmd from BlueZ, set the bluetooth address to 01:02:03:04:05:06:
      bccmd -d hciN psset -r bdaddr 0x04 0x00 0x06 0x05 0x03 0x00 0x02 0x01
      setbtaddr.py - python wrapper for the bccmd command to set the btaddr
setbd-affix.c Tool to Set Ericsson ROK 101 008 Bluetooth Address using Affix stack
setbd-bluez.c set BD_ADDR on Ericsson ROK 101 008 using bluez
setbd-gumstix-bluez.c Bluez tool to set BD_ADDR on Infineon ROK 104 001
bdaddr from BlueZ for some Ericsson, CSR, Texas Instruments, Zeevo, ST Microelectronics:
      bdaddr -i hciN <new_addr>
~ public OUI listing - http://standards.ieee.org/regauth/oui/index.shtml

q. change bd_addr on smartphones?
q. digital signal generator? noise generator to make a DoS to all devices in range?


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
discover devices and get info about them  1 
hcitool from BlueZ
   hcitool -i hciN inq - inquire remote devices. for each discovered device, Bluetooth device address, clock offset and class are printed.
   hcitool -i hciN scan --info --class - inquire remote devices. for each discovered device, Bluetooth device address, device name, clock offset, class, version and supported features are printed.
   hcitool -i hciN info bdaddr - print device name, version and supported features of remote device with Bluetooth address bdaddr.

Bluelog is a Bluetooth site survey tool, designed to tell you how many discoverable devices there are in an area as quickly as possible. Bluelog differs from most Bluetooth scanners in that it prioritizes speed of reporting over anything else (i.e. it doesn't spend time trying to pull detailed data from a device) and doesn't require any user intervention to function. As the name implies, its primary function is to log discovered devices to file rather than to be used interactively. Bluelog could run on a system unattended for long periods of time to collect data. In addition to basic scanning, Bluelog also has a unique feature called "Bluelog Live", which puts results in a constantly updating Web page which you can serve with your HTTP daemon of choice. Download 0.9.8, web

btscanner is a tool designed specifically to extract as much information as possible from a Bluetooth device without the requirement to pair. A detailed information screen extracts HCI and SDP information, and maintains an open connection to monitor the RSSI and link quality. btscanner also contains a complete listing of the IEEE OUI numbers and class lookup tables. Can use multiple dongles when scanning. Finds non-discoverable Bluetooth devices by brute-forcing device's Bluetooth address. Linux, BlueZ. download v2.1, web

Fine Tooth Comb is a bluetooth detection program for FreeBSD 5.x. It will run a periodic inquiry, report on devices that try to connect to the detecting system, and optionally attempt a brute force connection scan to find other bluetooth devices. download v0.1, web

BluetoothView is a small utility that runs in the background and monitors the activity of Bluetooth devices around you. For each detected Bluetooth device, it displays the following information: Device Name, Bluetooth Address, Major Device Type, Minor Device Type, First Detection Time, Last Detection Time, and more. BluetoothView can also notify you when a new Bluetooth device is detected, by displaying a balloon in your taskbar or by playing a small beep sound. by Nir Sofer. download v1.11, web

bluediving
BTbrowser
btCrawler

redfang finds non-discoverable Bluetooth devices by brute-forcing the last six bytes of the device's Bluetooth address and doing a read_remote_name(); supports multiple threads for substantial speed gains using multiple devices (maximum theoretical limit of 127 USB devices). Linux, BlueZ. download v2.5

greenplaque - bluetooth multi-dongle discovery scanner. linux, BlueZ. download v1.5, web

bluetracker.py - script for tracking link quality and RSSI (received signal strength) for a specified remote bluetooth enabled device. download v0.2

*** air sniffing ***

   pdf Busting The Bluetooth Myth - Getting RAW Access. Max Moser, 2007
   txt Bluetooth Sniffing For Less, 2007
   txt BlueSniff: Eve meets Alice and Bluetooth. Dominic Spill & Andrea Bittau, 2007

   gr-bluetooth.tar.gz a build tree with examples, Makefiles, etc that demonstrate how to
   write signal processing blocks for the GNU Radio system. download, web

   frontline.c.zip opensource air sniffer by sorbo. download


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
connect to device; pair  2 

pdf Analysis of the E0 Encryption System. Fluhrer, Lucks, 1999.
pdf Correlation Properties of the Bluetooth Combiner Generator. Hermelin, Nyberg, 1999.
pdf An Algebraic Attack on the Bluetooth Key Stream Generator. Armknecht, 2002.
pdf A Linearization Attack on the Bluetooth Key Stream Generator. Armknecht, 2002.
pdf Improved key recovery of level 1 of the Bluetooth Encryption System. Fluhrer, 2002.
pdf Cryptanalysis of Bluetooth Keystream Generator Two-level E0. Yi Lu, Vaudenay, 2004.
pdf Faster Correlation Attack on Bluetooth Keystream Generator E0. Yi Lu, Vaudenay, 2004.
pdf The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption. Yi Lu, Meier, Vaudenay, 2005.
pdf Cracking the Bluetooth PIN. Yaniv Shaked, Avishai Wool, 2005.
pdf A uniform framework for cryptanalysis of the Bluetooth E0 cipher. O. Levy, A. Wool, 2005
pdf Cryptanalysis of the Bluetooth E0 cipher using OBDD's. Y. Shaked and A. Wool, 2006
pdf Shake well before use: two implementations for implicit context authentication. Rene Mayrhofer and Hans Gellersen, 2007

btpincrack - the bluetooth pin cracking core implements the basic bluetooth pin cracking attack by generating possible PINs and running them through SAFER+ to verify if they are correct or not. This uses the pipelined implementation of SAFER+ and loops the output of the pipeline back into itself 7 times to perform all of the E21/E22/E1 functions. download v0.3 web

BTcrack is a PIN Brute force Proof of Concept tool, BTCrack is aimed at reconstructing the Passkey and the Link key from captured Pairing exchanges. Win32. web download v1.1

bluesquirrel - set of tools and scripts for automation of scanning for devices, breaking pairing relationships between them, sniffing the pairing procedure with frontline.c, cracking PIN and linkkey with btpincrack, and then emulating (spoofing) the connection. For sniffing you need a dongle with FTS4BT firmware. download v0.1

BT Info by Marek Bialoglowy is a program to control and read information from another phone. After pairing you can read sms, make calls and do other things on a remote phone. Requires MIDP 2.0, CLDC 1.0, JSR-82. download jar v1.08, web

txt Bluetooth social engineering. Marek Bialoglowy, 2005.
txt BlueBump - use social engineering to get connection to unauthorised channels
txt Backdoor in Nokia 3610, 7650
txt BlueDump - cause a Bluetooth device to 'dump' its stored link key
txt BlueChop is an attack that disrupts any established bluetooth piconet
txt Fake bluetooth access point
txt Nokia Symbian 60 "Bluetooth Nickname" remote restart
txt Mode3 Abuse
txt TheftOfLinkKey - Notes on using a hijacked Bluetooth Link Key to spoof connections
txt Static Bluetooth PIN codes
txt Playing with Ericsson ROK 101 008, Nokia 3660 and Jabra BT110


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
l2cap layer  3 
txt Channel Identifiers

l2ping from BlueZ - send L2CAP echo request and receive answer
   l2ping [-i hciN] [-s size] [-c count] [-t timeout] [-f] [-r] bd_addr
   -f - kind of flood ping, reduces the delay time between packets to 0
   -r - Reverse ping (gnip?). Send echo response instead of echo request

l2cap-packet.c - L2CAP packetgenerator
   l2cap-packet -a <bdaddr> -c <l2cap_code> -i <l2cap_ident> -p <payload> -s <l2cap_headersize>

psm_scan from BT Audit - find open L2CAP PSMs by scanning a certain range
   psm_scan -s [<start_psm>] [-e <end_psm>] <bd_addr> -o

BSS (Bluetooth Stack Smasher) is a L2CAP layer fuzzer. download v0.8, web

txt BlueSmack - L2CAP 'Ping of Death'
txt DoS in Nokia 7650, 6600, Siemens V55, Motorola S55
txt Another Nokia N70 Bluetooth remote Denial of Service
txt Buffer Overrun (BlueSmack) in Toshiba Bluetooth Stack for Windows <= 4.0.23
txt Sony/Ericsson L2CAP Length Field DoS. Sony/Ericsson K600i, V600i, K750i, W800i code
txt BlueZ hcidump <= 1.29 L2CAP Length Field DoS code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
rfcomm layer   4 

rfcomm_scan from BT Audit - find open RFCOMM channels by scanning a certain range
   rfcomm_scan -s [<start_channel>] [-e <end_channel>] <bd_addr> -o

atshell.c AT-shell over rfcomm

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
sdp, services  5 
txt Assigned Numbers - Service Discovery

sdptool from BlueZ: sdptool records addr, or BTbrowser, or bluediving

- - - - - - - - - - - - - - - - - - - - - - +
Hands-Free Audio Gateway / Hands-free Profile (HFP), 0x111F
txt Widcomm BTW <= 4.0.1.1500 for Windows Remote Audio Eavesdropping. DMA[2005-1214a]
txt Hijacking Headsets for Fun and Profit. Plantronics M2500, Anycom Stereo Headset
txt Motorola Blueline attack - AT level access to the phone. Motorola PEBL U6, V600, E398
Car Whisperer ( download v 0.2 / web ) with realtime audio patch, or already patched
   carwhisperer from bluediving

- - - - - - - - - - - - - - - - - - - - - - - - - - - - +
OBEX File Transfer / File Transfer Profile (FTP), 0x1106
+ Object Push / Object Push Profile (OPP), 0x1105

BlueZObex-Maemo - BlueZ OBEX tools compiled to be used on a Nokia 770 Tablet PC. download
OpenOBEX Free open source implementation of the Object Exchange (OBEX) protocol. web
ObexFTP ObexFTP library provides access to the PUSH, GOEP and SYNCH services. web
BlueSpam - PalmOS tool that searches for bluetooth devices and spams them with small text if they support OBEX download v0.4.3, web
obexstress.py - script for testing a remote OBEX service for some potential vulnerabilities. Tests available commands on the remote device, may find directory traversal, tests if some characters in a file name can cause a DoS, tests if a long file name can cause a DoS. download v0.1

txt BlueSnarf - get an unauthorized access to the remote data by OBEX Push
   BlueSnarf++ - full read/write access when connecting to the OBEX Push Profile txt
   use Blooover II or Bluediving or bluesnarfer to implement it
   vulnerable: Ericsson T68(20R1B,20R2A013,20R2B013,20R2F004,20R5C001);
   Sony Ericsson R520m(20R2G), T68i(20R1B,20R2A013,20R2B013,20R2F004,20R5C001),
   T610(20R1A081,20R1L013,20R3C002,20R4C003,20R4D001), Z1010,
   Z600(20R2C007,20R2F002,20R5B001); Nokia 6310(04.10,04.20,4.07,4.80,5.22,5.50),
   6310i(4.06,4.07,4.80,5.10,5.22,5.50,5.51), 8910, 8910i
txt Nokia 7610, 3210 ":" and "\" denial of service in OBEX
txt Nokia N70/N73 OBEX Implementation Denial of Service (":" and "\" etc)
txt Motorola P2K Platform setpath() overflow in OBEX File Transfer. Motorola PEBL U6, V600
txt Bluetooth dot dot attack against HP Ipaq 2215, Apple OSX
txt HeloMoto - take control of the device by means of AT-commands using OBEX Push.
   use helomoto or helomoto-maemo for Nokia 770 Tablet PC. web
   vulnerable: Motorola V80, V5xx, V6xx and E398
txt Nokia 9500 vCard Viewer Remote Denial of Service Vulnerability
txt Sony Ericsson P900 Beamer Malformed File Name Handling DoS Vulnerability
txt Widcomm 1.4.2 remote code execution vulnerability in "PIM Item Transfer"
txt BluePIMped. Exploiting The Widcomm BTStackServer.
   vulnerable: Ambicom btysb1.4.2w.zip 1.4.2 Build 10, Actiontec Bluetooth Software (ver 1.1),
   Belkin Bluetooth Software 1.4.2 Build 10.
   BluePIMped.diff - 'ussp-push-0.4 patch - exploit for Widcomm BTStackServer 1.4.2'
txt Notes on the Ipaq version of the Widcomm overflow. Ipaq 2215, WIDCOMM BTW-CE 1.4.1
txt AmbiCom Object Push Buffer Overflow. AmbiCom Blue Neighbors <= V2.50 Build 2500. DMA[2006-0115a]
txt Toshiba Bluetooth Stack <=v4.00.23(T) Directory Transversal. DMA[2006-0112a]
txt Widcomm BTW < 3.0.1.905 Directory Transversal. DMA[2005-0412a]
txt IVT BlueSoleil 1.4 Directory Transversal. DMA[2005-0401a]
txt Bluetooth 'flooded with prompts' DoS by OBEX Push
txt Sending a file bigger than the free space on the remote device can cause a DoS

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
Serial Port / Serial Port Profile (SP), 0x1101
txt BlueBug - creates a serial profile connection to the device without authorization
   use Blooover II or Bluediving or bluebugger or blueserial-maemo for Nokia 770 Tablet PC
   vulnerable: Nokia 6310i(4.06,4.07,4.80,5.10,5.22,5.50,5.51); Motorola V600, V80;
   Sony Ericsson T610(20R1A081)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
HID / Human Interface Device(HID) Profile, 0x0011
txt HID Attack (attacking HID host implementations)
   hidattack - basic example on how to attack HID servers. download v0.1, web

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vulnerabilities in bluetooth related software/hardware  6 

txt Affix-2.1.1 Kernel. Nokia Affix Bluetooth Integer Underflow. DMA[2005-0423a]
txt Affix-3.2.0 btsrv. Nokia Affix Bluetooth btsrv poor use of popen(). DMA[2005-0826a]
txt Affix-3.2.0 btftp client. Nokia Affix Bluetooth btftp client buffer overflow. DMA[2005-0712a]
txt Linux Kernel < 2.4.33.5 Bluetooth Null Pointer Dereference Denial Of Service Vulnerability
txt Linux kernel < 2.6.11.5 bluetooth stack local root exploit
txt Red-M 1050. Multiple Red-M 1050 Blue Tooth Access Point Vulnerabilities
txt Sobexsrv-1.0pre3. Scripting/Secure OBEX Server format str vulnerability. DMA[2005-1202a]
txt Where and how bluetooth stacks storing linkkeys?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -