Intrepidus Group
Insight

Ubertooth: Bluetooth Address Breakdown

Posted: January 29, 2012 – 2:03 pm | Author: | Filed under: Tools, Wireless

The IG crew is just heading back from ShmooCon, which reminds me of last year’s awesome talk on the Ubertooth One. Intrepidus backed the Kickstarter project and, as promised, got 2 Ubertooths. We recently started playing with it, and have a couple of tips and a supplementary script.

We originally followed the post here to get the Ubertooth set up on BackTrack 5, but then had some trouble keeping the device connected and sniffing reliably (similar to our experience with the Proxmark III — sensing a trend here ;) ) After updating the firmware and setting this up on an Ubuntu host, the device works flawlessly. I honestly don’t remember if these are my comments in the commands below or if I found it somewhere on the internetz. I apologize if I stole your commands:

cd ubertooth/trunk/host/bluetooth_rxtx/
./ubertooth-util -f  # puts the device in flash mode; the lights should blink prettily
cd ../usb_dfu/
./ubertooth-dfu write /path/to/firmware/bluetooth_rxtx.bin  # this is the standard firmware; there are other special ones, suit yourself
../bluetooth_rxtx/ubertooth-util detach

The “Getting Started” section of the Ubertooth site gives a pretty good idea of what the device can do. We found that the Ubertooth sits on one Bluetooth channel (out of the 79) and sniffs the LAP out of the Bluetooth packets. A little bit on Bluetooth address breakdown (This image is from section 3.2 of this paper):

[Image: Bluetooth address breakdown]

Bluetooth MAC addresses are comprised of 3 pieces: the Lower Address Part (LAP), Upper Address Part (UAP), and the Non-significant Address Part (NAP). The picture above illustrates this nicely. The Ubertooth can sniff the LAP out of the air, and use the error checking field in the Bluetooth packets to figure out the UAP (ubertooth-lap and ubertooth-nap, respectively).

The NAP (and UAP) are assigned on a per-vendor basis by the IEEE. That means the UAP is available through both the Ubertooth and the IEEE database of NAP+UAP addresses. Using both these resources (and matching up the UAP from both), we can figure out the first 2 NAP bytes pretty quickly! Of course it’s also possible to figure it out if we haven’t calculated the NAP (by appending the LAP to everything we can pull from the IEEE database and pinging each one sequentially).
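The address split and the UAP matching described above, as an added example (this is not the napfinder script or any Ubertooth code). The function names are hypothetical, and SAMPLE_OUIS is a constructed placeholder list standing in for the IEEE registry, not real registry data.

```python
# Constructed placeholder prefixes (first 3 bytes = NAP + UAP); not real IEEE data.
SAMPLE_OUIS = ["00:11:22", "AA:BB:22", "10:20:30", "DE:AD:22"]


def split_bd_addr(addr):
    """Split a 48-bit BD_ADDR string into (NAP, UAP, LAP) integers."""
    octets = bytes.fromhex(addr.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("BD_ADDR must be exactly 6 bytes")
    nap = int.from_bytes(octets[0:2], "big")  # 16 bits, vendor-assigned
    uap = octets[2]                           # 8 bits, vendor-assigned
    lap = int.from_bytes(octets[3:6], "big")  # 24 bits, visible in packets
    return nap, uap, lap


def join_bd_addr(nap, uap, lap):
    """Rebuild the colon-separated address from its three parts."""
    raw = nap.to_bytes(2, "big") + bytes([uap]) + lap.to_bytes(3, "big")
    return ":".join(f"{b:02X}" for b in raw)


def candidate_addresses(lap, ouis, uap=None):
    """Return the full addresses consistent with an observed LAP.

    Short method: uap is known, so only prefixes whose third byte
    matches it survive. Long method: uap is None, so every prefix
    in the list remains a candidate.
    """
    found = set()
    for oui in ouis:
        nap, oui_uap, _ = split_bd_addr(oui + ":00:00:00")
        if uap is not None and oui_uap != uap:
            continue
        found.add(join_bd_addr(nap, oui_uap, lap))
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample address, used only to show the field boundaries.
    nap, uap, lap = split_bd_addr("00:11:22:33:44:55")
    print(f"NAP={nap:04X} UAP={uap:02X} LAP={lap:06X}")
    print("short:", candidate_addresses(lap, SAMPLE_OUIS, uap))
    print("long: ", candidate_addresses(lap, SAMPLE_OUIS))
```

The size of the returned list is the remaining uncertainty about the address: knowing the UAP shrinks it from every registered prefix to only those whose third byte matches.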

Automating stuff is fun. Here’s my (sloppy) script to figure out the NAP using first the short method, then the long if that one fails: https://github.com/intrepidusgroup/napfinder

– Max
