From: Maksim Yevmenkin
Date: Mon, 10 Jul 2017 14:44:48 -0700
Subject: Re: Ubertooth (Re: How to listen quietly for other Bluetooth devices?)
To: "Mikhail T."
Cc: "freebsd-bluetooth@freebsd.org"
List-Id: Using Bluetooth in FreeBSD environments

On Mon, Jul 10, 2017 at 10:06 AM, Maksim Yevmenkin wrote:
> On Sun, Jul 9, 2017 at 4:11 PM, Mikhail T. wrote:
>> On 09.07.2017 18:54, maksim yevmenkin wrote:
>>
>> Interesting... I personally have not seen this. Thank you for the pointer.
>> It looks like custom hardware running custom firmware. This should be able
>> to give full access to baseband. Still kinda pricey. Ubertooth One hardware
>> sells for $120 at SparkFun. That's 3x the price of a Raspberry Pi 2/3 :) for a
>> fraction of general usability :) Could make a relatively inexpensive
>> Bluetooth scanner though.
>>
>> They are using "bluez" to flash their own firmware into the dongle, it
>> seems. I doubt they make their own chipset -- it may be possible to flash
>> the same firmware into a much cheaper dongle with the same chipset...
>
> hmm... i don't see it. sorry. maybe i'm looking in the wrong place.
>
> so, yes, they have custom firmware that is flashed onto the ubertooth-zero
> or ubertooth-one dongle. my understanding is that those are not
> off-the-shelf dongles.
>
> https://www.sparkfun.com/products/10573 is $120 (ubertooth-one)
>
> https://www.amazon.com/Great-Scott-Gadgets-WRL-10573-Ubertooth/dp/B007R9UPHA
> (Amazon)
>
> yes, they are not making a completely custom chip, they are reusing some
> off-the-shelf components. however, the final board is custom. in fact, i'm
> not even 100% sure that ubertooth-one is a complete bluetooth dongle.
> according to the schematics they use a CC2400 Single-Chip 2.4 GHz ISM Band
> Transceiver and a CC2591 2.4 GHz Range Extender strapped to an LPC175x ARM
> Cortex-M3 microcontroller. it may be just designed for the purpose of
> scanning and maybe injecting packets.
>
> there are references to a modded CSR firmware that can be flashed onto an
> off-the-shelf CSR dongle. however, even with modded firmware, it will
> not act as a full scanner. according to the posts it will sniff traffic
> for known BD_ADDR.
>
> as far as porting it, i don't see what the big deal is. it seems like
> it should be possible to port this.

after 15 minutes of looking at the source code, i'm convinced that it should be possible to get it working in freebsd.

it looks like ubertooth-one is already shipped with at least the bootloader programmed. it may even already contain something called bluetooth_rxtx. even if one can not build bluetooth_rxtx (i.e. firmware) on freebsd right out of the box, there is a pre-built binary available.

to flash bluetooth_rxtx onto ubertooth-one one can use a usb dfu tool. that's a standard protocol and even if freebsd does not have a tool available right away, a little bit of user space libusb programming is all that is needed.

finally, as soon as bluetooth_rxtx (i.e. firmware) is flashed onto ubertooth-one, it will respond to a limited set of vendor HCI commands. again, a little bit of user space libusb programming and it should be all set.

again, keep in mind that ubertooth-one is NOT a bluetooth dongle. i suppose it is possible to turn it into one by writing code that would implement both baseband and HCI. but then again, unless there is a specific need, it's more cost-effective to pick up a $5-$10 off-the-shelf real bluetooth dongle. a $120 bluetooth sniffer (even if it has limited functionality) could be useful to some people.

to summarize: $120 in hardware and a weekend (or less) of coding will produce a dedicated bluetooth sniffer. it is not even required to modify any kernel parts. as long as ubertooth-one is recognized as a ugenX device, it's possible to use libusb to control it.

ubertooth-one bootloader / firmware development is a bit more complicated due to

a) cross-compile toolchain. however, if one already has a cross-compile toolchain for that micro-controller, it's a piece of cake. if not, building a gcc-based cross-compile toolchain should be doable.

b) intimate knowledge of programming rf transceivers, understanding of over-the-air low level protocols, etc. etc. with enough dedication it also should be doable.

thanks!
max
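The "user space libusb programming" the message describes, as an added example that is not part of this thread and not the Ubertooth project's own host code. It assumes the Ubertooth One enumerates as VID 0x1d50 / PID 0x6002 and that the bluetooth_rxtx firmware's vendor request 0 is a PING (both recalled from the project's firmware headers, not stated in the message); the DFU request numbers, their directions and the DFU_GETSTATUS reply layout come from the USB DFU 1.1 specification. The request builders and the DFU status parser are plain C and run anywhere, so they can be checked against a usbdump capture; the transfer to the real device is only compiled in when libusb.h is found, and the sample GETSTATUS reply is constructed for illustration.

```c
/* ubertooth_probe.c: build (and, with libusb, issue) USB control requests
 * for an Ubertooth One from userland, no kernel changes required.
 * FreeBSD:  cc -o ubertooth_probe ubertooth_probe.c -lusb
 * Linux:    cc -I/usr/include/libusb-1.0 -o ubertooth_probe ubertooth_probe.c -lusb-1.0 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#if defined(__has_include)
# if __has_include(<libusb.h>)
#  include <libusb.h>
#  define HAVE_LIBUSB 1
# endif
#endif

/* bmRequestType bit fields, USB 2.0 spec table 9-2 */
#define USB_DIR_IN          0x80
#define USB_DIR_OUT         0x00
#define USB_TYPE_CLASS      0x20
#define USB_TYPE_VENDOR     0x40
#define USB_RECIP_DEVICE    0x00
#define USB_RECIP_INTERFACE 0x01

/* ASSUMPTION (not from the thread): Ubertooth One VID/PID and the firmware's
 * PING vendor request number, recalled from the project's firmware headers. */
#define UBERTOOTH_VID  0x1d50
#define UBERTOOTH_PID  0x6002
#define UBERTOOTH_PING 0

/* USB DFU 1.1 class requests and a few device states (spec sections 6 and A.1) */
enum { DFU_DETACH = 0, DFU_DNLOAD = 1, DFU_UPLOAD = 2, DFU_GETSTATUS = 3,
       DFU_CLRSTATUS = 4, DFU_GETSTATE = 5, DFU_ABORT = 6 };
enum { DFU_STATE_APP_IDLE = 0, DFU_STATE_DFU_IDLE = 2, DFU_STATE_DNBUSY = 4,
       DFU_STATE_DNLOAD_IDLE = 5, DFU_STATE_ERROR = 10 };

struct usb_setup { uint8_t bmRequestType, bRequest; uint16_t wValue, wIndex, wLength; };

/* The 8-byte SETUP packet exactly as it travels on the bus (little-endian words). */
size_t usb_setup_pack(const struct usb_setup *s, uint8_t out[8])
{
    out[0] = s->bmRequestType;         out[1] = s->bRequest;
    out[2] = (uint8_t)(s->wValue & 0xff);  out[3] = (uint8_t)(s->wValue >> 8);
    out[4] = (uint8_t)(s->wIndex & 0xff);  out[5] = (uint8_t)(s->wIndex >> 8);
    out[6] = (uint8_t)(s->wLength & 0xff); out[7] = (uint8_t)(s->wLength >> 8);
    return 8;
}

/* Device-directed vendor IN request: how the flashed bluetooth_rxtx firmware is driven. */
struct usb_setup ubertooth_vendor_in(uint8_t cmd, uint16_t wValue, uint16_t wIndex, uint16_t len)
{
    struct usb_setup s = { USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, cmd, wValue, wIndex, len };
    return s;
}

/* Interface-directed class request: how a DFU tool talks to the bootloader.
 * UPLOAD, GETSTATUS and GETSTATE carry data device-to-host; the rest host-to-device. */
struct usb_setup dfu_request(uint8_t req, uint16_t wValue, uint16_t iface, uint16_t len)
{
    uint8_t dir = (req == DFU_UPLOAD || req == DFU_GETSTATUS || req == DFU_GETSTATE) ? USB_DIR_IN : USB_DIR_OUT;
    struct usb_setup s = { (uint8_t)(dir | USB_TYPE_CLASS | USB_RECIP_INTERFACE), req, wValue, iface, len };
    return s;
}

/* DFU_GETSTATUS reply: bStatus, bwPollTimeout (24-bit LE, milliseconds), bState, iString. */
struct dfu_status { uint8_t bStatus; uint32_t bwPollTimeout; uint8_t bState; uint8_t iString; };

int dfu_parse_status(const uint8_t *buf, size_t n, struct dfu_status *st)
{
    if (n < 6) return -1;                 /* short reply: never trust partial fields */
    st->bStatus = buf[0];
    st->bwPollTimeout = buf[1] | (uint32_t)buf[2] << 8 | (uint32_t)buf[3] << 16;
    st->bState = buf[4];
    st->iString = buf[5];
    return 0;
}

/* Scalar accessors, convenient for checking a parsed reply or a packed request. */
int dfu_state_of(const uint8_t *buf, size_t n)
{ struct dfu_status st; return dfu_parse_status(buf, n, &st) ? -1 : st.bState; }
long dfu_poll_ms_of(const uint8_t *buf, size_t n)
{ struct dfu_status st; return dfu_parse_status(buf, n, &st) ? -1 : (long)st.bwPollTimeout; }
uint8_t request_byte(struct usb_setup s, int i)
{ uint8_t b[8]; usb_setup_pack(&s, b); return b[i]; }

/* Constructed sample reply: status OK, poll 1000 ms, state dfuDNBUSY, no string. */
static const uint8_t SAMPLE_GETSTATUS[6] = { 0x00, 0xE8, 0x03, 0x00, 0x04, 0x00 };

int main(void)
{
    struct usb_setup ping = ubertooth_vendor_in(UBERTOOTH_PING, 0, 0, 0);
    uint8_t raw[8];
    usb_setup_pack(&ping, raw);
    printf("PING setup packet:");
    for (int i = 0; i < 8; i++) printf(" %02x", raw[i]);
    printf("\nsample DFU state %d, poll %ld ms\n", dfu_state_of(SAMPLE_GETSTATUS, 6), dfu_poll_ms_of(SAMPLE_GETSTATUS, 6));
#ifdef HAVE_LIBUSB
    libusb_context *ctx = NULL;
    if (libusb_init(&ctx) < 0) return 1;
    libusb_device_handle *h = libusb_open_device_with_vid_pid(ctx, UBERTOOTH_VID, UBERTOOTH_PID);
    if (!h) { fprintf(stderr, "no %04x:%04x found (check ugenX.Y permissions)\n", UBERTOOTH_VID, UBERTOOTH_PID); libusb_exit(ctx); return 1; }
    int rc = libusb_control_transfer(h, ping.bmRequestType, ping.bRequest, ping.wValue, ping.wIndex, NULL, ping.wLength, 1000);
    printf("PING -> %d (%s)\n", rc, rc < 0 ? libusb_error_name(rc) : "ok");
    libusb_close(h);
    libusb_exit(ctx);
#else
    puts("built without libusb.h: request construction only");
#endif
    return 0;
}
```

The builders return the same fields libusb_control_transfer takes, so a DFU download loop is just dfu_request(DFU_DNLOAD, block_number, interface, chunk_len) followed by dfu_request(DFU_GETSTATUS, 0, interface, 6) until the parsed state leaves dfuDNBUSY; bwPollTimeout tells the host how long to wait before the next GETSTATUS, which is the check a naive flasher tends to skip.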