Busting The Bluetooth® Myth – Getting RAW Access
aka “Transforming a consumer Bluetooth® Dongle into a Bluetooth® Sniffer”
During the last year, rumours had come to my attention that it is apparently possible to transform a standard 30 USD Bluetooth® dongle into a full-blown Bluetooth® sniffer. Thinking that you absolutely need dedicated hardware to be able to hop across 79 channels 1600 times a second, I was rather suspicious about these claims. This paper is the result of my research into this area, answering the question of whether it is possible or not.
I used four different dongles during my tests, all of which used the very same chipset from CSR. However, I noted that the features they offer were different, and as such assumed that it must be the firmware that offers most of
For an overview of what is actually required to promiscuously sniff Bluetooth®, I downloaded commercial software that is freely available to everyone and inspected the files that come with the package. Within the INI files I stumbled across drivers for a chip made by CSR (Cambridge Silicon Radio). In a specific section all the supported devices are listed, including their USB® vendor ID (VID) and product ID (PID).
A regular CSR BlueCore device has the value:
By further analyzing the files available in the commercial Bluetooth® sniffer package, I noticed that the driver used within that package identifies itself as:
The only difference is the last digit of the VID. I now had the VID that the commercial sniffing tool seems to be expecting.
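The comparison described above, of the VID/PID pairs a driver file claims against the devices actually plugged in, can be automated. The following is an added example and not code from the paper or from any sniffer vendor: it pulls `USB\VID_xxxx&PID_yyyy` hardware IDs out of a driver file, parses an lsusb-style listing of the host, and flags host devices whose VID differs from an expected VID only in the last hex digit. The INI layout, the section name and every VID/PID value below are constructed placeholders; CSR's real identifiers are deliberately not reproduced here.

```python
"""Compare the USB VID/PID pairs a driver package expects with the devices
actually present on the host, and flag near-misses (same PID, VID differing
only in the last hex digit).

Added example, not from the original paper. All identifiers below are
constructed placeholders, not CSR's real VIDs or PIDs.
"""
import re

# Constructed stand-in for the driver INI shipped with the sniffer package.
# The section and key names are assumptions about the file layout.
SNIFFER_INI = r"""
[Devices]
Sniffer1 = USB\VID_ABC1&PID_0001
Sniffer2 = USB\VID_ABC1&PID_0002
"""

# Constructed lsusb-style listing of what is plugged into the host.
HOST_LSUSB = """
Bus 001 Device 002: ID abc0:0001 Constructed stock Bluetooth dongle
Bus 001 Device 003: ID 1234:5678 Constructed unrelated device
"""

# Windows-style hardware ID as found in INF/INI driver files.
DRIVER_ID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
# "ID vvvv:pppp" as printed by lsusb.
LSUSB_ID_RE = re.compile(r"\bID ([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})")


def parse_driver_ids(ini_text):
    """Return the set of (vid, pid) pairs a driver file claims to support."""
    return {(int(v, 16), int(p, 16)) for v, p in DRIVER_ID_RE.findall(ini_text)}


def parse_lsusb(lsusb_text):
    """Return the set of (vid, pid) pairs present in an lsusb listing."""
    return {(int(v, 16), int(p, 16)) for v, p in LSUSB_ID_RE.findall(lsusb_text)}


def last_digit_sibling(vid_a, vid_b):
    """True when two VIDs agree on everything but the lowest hex digit."""
    return vid_a != vid_b and (vid_a >> 4) == (vid_b >> 4)


def classify(driver_ids, host_ids):
    """Split host devices into exact matches and near-misses.

    A near-miss is a host device whose PID the driver knows, but whose VID
    differs from the driver's expected VID only in the last hex digit: the
    relationship the paper observes between a stock dongle and the VID the
    sniffer driver is looking for.
    """
    exact = sorted(host_ids & driver_ids)
    near = sorted(
        (host, drv)
        for host in host_ids - driver_ids
        for drv in driver_ids
        if host[1] == drv[1] and last_digit_sibling(host[0], drv[0])
    )
    return {"exact": exact, "near": near}


def fmt(dev):
    """Render a (vid, pid) tuple the way lsusb prints it."""
    return "%04x:%04x" % dev


if __name__ == "__main__":
    result = classify(parse_driver_ids(SNIFFER_INI), parse_lsusb(HOST_LSUSB))
    for dev in result["exact"]:
        print("driver already claims", fmt(dev))
    for host, drv in result["near"]:
        print("host device %s is one digit off the driver's expected %s"
              % (fmt(host), fmt(drv)))
```

On a real system, replace `HOST_LSUSB` with the output of `lsusb` and `SNIFFER_INI` with the contents of the driver file; the regexes only need the `VID_xxxx&PID_yyyy` and `ID vvvv:pppp` tokens, so surrounding INF syntax does not matter.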
Analyzing Other Content
In the installation directory of the unnamed commercial sniffer package, I spotted .dfu (Device Firmware Upgrade) files, which appeared to be some sort of firmware files.