
Ubertooth

Hardware Setup

Ubertooth One Requirements

  • Hardware: Ubertooth One board, its 2.4 GHz antenna (RP-SMA connector) and a USB cable
  • Host software: libbtbb and the Ubertooth host tools (libubertooth plus the ubertooth-* commands), released together with the firmware
  • USB access: libusb-1.0 in user space, no kernel driver needed (Debian/Ubuntu: apt-get install libusb-1.0-0-dev before building the host tools)
  • Connection: plug into a USB port on a Linux or macOS machine

Initial Hardware Check

# Confirm the board enumerates (Ubertooth One is USB ID 1d50:6002; 1d50:6003 means it is sitting in the DFU bootloader)
lsusb -d 1d50:

# Firmware revision on the board; the host tools warn when it does not match their own release
ubertooth-util -v

# Firmware compile info, board ID and microcontroller serial number
ubertooth-util -V
ubertooth-util -b
ubertooth-util -s

# Several boards attached? Blink the LEDs of the one selected with -U <0-7>
ubertooth-util -U 1 -I

Physical Setup Considerations

  • Keep the antenna away from strong 2.4 GHz transmitters (Wi-Fi access points, microwave ovens) while capturing; they raise the noise floor across the whole band
  • Put the bare board on a non-conductive surface; the RF section and test points are exposed
  • Screw the supplied antenna onto the RP-SMA connector: the Ubertooth One has no internal antenna and receives almost nothing without one
  • Receive range is short (a few metres is typical); position the board as close to the target as the capture allows

Firmware Updates

Check Current Firmware

# Firmware revision and API version on the board
ubertooth-util -v

# Compile info of that firmware
ubertooth-util -V

# Host tools and firmware are released together (tags like 2020-12-R1); compare with the tags in the repository
git clone https://github.com/greatscottgadgets/ubertooth.git
cd ubertooth
git tag | tail -5

Firmware Update Process

# Easiest path: every release archive ships a prebuilt bluetooth_rxtx.dfu matching its host tools;
# ubertooth-dfu switches the board into DFU mode, writes the image (-d) and resets it (-r)
ubertooth-dfu -d bluetooth_rxtx.dfu -r

# Building from source instead (requires the arm-none-eabi-gcc toolchain)
git clone https://github.com/greatscottgadgets/ubertooth.git
cd ubertooth/firmware/bluetooth_rxtx
make
ubertooth-dfu -d bluetooth_rxtx.dfu -r

# Verify
ubertooth-util -v

DFU Mode Recovery

# If ubertooth-dfu cannot switch a board with broken firmware into DFU mode, hold the DFU
# button on the board while plugging in the USB cable; the bootloader then enumerates as
# 1d50:6003 instead of 1d50:6002
lsusb -d 1d50:

# Flash from the bootloader, reset into the new firmware, verify
ubertooth-dfu -d bluetooth_rxtx.dfu -r
ubertooth-util -v

Bluetooth Classic Monitoring

Ubertooth-rx (Packet Capture)

# Passive Classic (BR/EDR) capture: prints every packet whose access code can be decoded
ubertooth-rx

# Survey mode: discover the piconets in range and list their LAP (and UAP once derived)
ubertooth-rx -z

# Stop after N seconds instead of running until Ctrl-C
ubertooth-rx -z -t 30

# Write packets to PCAP (link type DLT_BLUETOOTH_BREDR_BB) or PCAPNG
ubertooth-rx -q capture.pcap
ubertooth-rx -r capture.pcapng

# Lock on to one piconet by LAP (low 24 bits of the master's BD_ADDR, 6 hex digits)
ubertooth-rx -l 123456

# Add the UAP (2 hex digits) if known; otherwise ubertooth-rx derives it from several packets
ubertooth-rx -l 123456 -u ab    # 123456/ab are placeholders, take them from the -z output

# Tolerate more access-code bit errors (0-4, default 2): more packets, more false positives
ubertooth-rx -e 3

BTBB (Bluetooth Baseband) Analysis

# libbtbb does the baseband decoding inside ubertooth-rx; Wireshark dissects the resulting
# DLT_BLUETOOTH_BREDR_BB captures with its btbredr_rf dissector. For a live view, write the
# PCAP to a named pipe and let Wireshark read it
mkfifo /tmp/btbb_pipe
wireshark -k -i /tmp/btbb_pipe &
ubertooth-rx -q /tmp/btbb_pipe

# Capture to file and analyze offline
ubertooth-rx -q capture.pcap
capinfos capture.pcap            # link type and packet count
tshark -r capture.pcap -Y btbredr_rf

Finding Bluetooth Devices

# The Ubertooth only listens; it cannot send inquiries. Active discovery needs a normal
# Bluetooth adapter (BlueZ)
sudo hcitool scan

# Passive discovery of piconets that are already talking: LAP first, UAP as it is derived
ubertooth-rx -z

# Lock on to one of them with the values from the survey
ubertooth-rx -l 123456 -u ab

# ubertooth-rx by itself does not follow the hop sequence. That needs the piconet clock,
# which ubertooth-follow obtains through a BlueZ HCI adapter (see ubertooth-follow -h)

BLE Sniffing

Ubertooth-btle (BLE Packet Capture)

# Sniff advertisements and follow into the connection when a CONNECT_IND is seen
ubertooth-btle -f

# Advertisements only, never follow a connection
ubertooth-btle -n

# Listen on a specific advertising channel (37, 38 or 39; default 37)
ubertooth-btle -f -A 38

# Capture to PCAP (DLT_BLUETOOTH_LE_LL_WITH_PHDR, keeps channel and RSSI) or PCAPNG
ubertooth-btle -f -q ble_capture.pcap
ubertooth-btle -f -r ble_capture.pcapng

# Only follow connections involving a given device address; /24 matches on the OUI alone
ubertooth-btle -f -t 00:11:22:aa:bb:cc
ubertooth-btle -f -t 00:11:22:00:00:00/24

# Promiscuous mode: recover the parameters of an already-running connection (access
# address, CRC init, hop interval and increment) without having seen its CONNECT_IND
ubertooth-btle -p

# Show or set the access address being followed (8e89bed6 is the fixed advertising AA)
ubertooth-btle -a

# Drop packets with a bad CRC instead of printing them (-v alone shows the current setting)
ubertooth-btle -v1

BLE Connection Tracking

# ubertooth-btle has no content filters: capture everything, then filter in Wireshark/tshark
ubertooth-btle -f -q ble_capture.pcap

# Advertisements carrying Apple manufacturer data (company ID 0x004c)
tshark -r ble_capture.pcap -Y "btcommon.eir_ad.entry.company_id == 0x004c"

# iBeacons are Apple manufacturer data whose payload starts 02 15 (type, length), followed by
# the 16-byte proximity UUID, major, minor and calibrated TX power; inspect the bytes with -V
tshark -r ble_capture.pcap -Y "btcommon.eir_ad.entry.company_id == 0x004c" -V

# Connection establishment: CONNECT_IND is advertising PDU type 5
tshark -r ble_capture.pcap -Y "btle.advertising_header.pdu_type == 5"

# RSSI per packet, from the radio header the -q link type carries
tshark -r ble_capture.pcap -T fields -e frame.time_relative -e btle.advertising_address -e btle_rf.signal_dbm

BLE Advertising Channels

# Channel 37 (2402 MHz), the default
ubertooth-btle -n -A 37

# Channel 38 (2426 MHz)
ubertooth-btle -n -A 38

# Channel 39 (2480 MHz)
ubertooth-btle -n -A 39

# The Ubertooth has one radio and sits on one advertising channel at a time; a device that
# advertises on all three is still seen on whichever you pick. To cover all three at once,
# run three boards with -U 0, -U 1 and -U 2

Spectrum Analysis

Ubertooth-specan (Spectrum Scanner)

# Sweep the 2.4 GHz ISM band (default 2402-2480 MHz) and print "time, frequency, rssi" lines
ubertooth-specan

# Write the sweep to a file
ubertooth-specan -d spectrum.data

# Debug output to stderr
ubertooth-specan -v

# Restrict the sweep (-l lower, -u upper, in MHz)
ubertooth-specan -l 2402 -u 2480

# Live plot (-g emits "frequency rssi" pairs for feedgnuplot), or use the bundled GUI
ubertooth-specan -g | feedgnuplot --domain --lines --stream
ubertooth-specan-ui

Identifying Interference

# Long-duration capture to catch intermittent interferers
ubertooth-specan -d interference.data

# Wi-Fi channels 1-13 are spaced 5 MHz apart (centre 2407 + 5n MHz) but each is about 20-22 MHz
# wide, so one Wi-Fi channel covers roughly ten 2 MHz BLE channels and only Wi-Fi channels
# 1, 6 and 11 are mutually non-overlapping

# Narrow the sweep to one Wi-Fi channel or to the whole Bluetooth band
ubertooth-specan -l 2426 -u 2448   # Wi-Fi channel 6 (2437 MHz centre)
ubertooth-specan -l 2402 -u 2480   # full Bluetooth band
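Added example, written for this page and not part of the Ubertooth project: a POSIX shell/awk pass over ubertooth-specan output that lists the frequencies whose peak RSSI crossed a threshold and maps each one to its BLE channel index and to the 2.4 GHz Wi-Fi channels whose band covers it. Two assumptions: the input lines have specan's default stdout shape "<time>, <frequency MHz>, <rssi dBm>" (check against your build and adjust the awk field separator if it differs), and Wi-Fi channels are taken as 22 MHz wide. The sample lines are constructed, not a real sweep.

```sh
#!/bin/sh
# Added example (not Ubertooth project code). Summarise a ubertooth-specan sweep:
# which frequencies are loud, which BLE channel sits there, which Wi-Fi channels cover it.
# Assumed input: ubertooth-specan's default stdout, one "<time>, <freq_MHz>, <rssi_dBm>" per line.
# Live use:  ubertooth-specan | report -60

# Constructed sample standing in for a few seconds of a real sweep (a Wi-Fi channel 6 AP nearby).
SAMPLE='1700000000.001, 2402, -85
1700000000.002, 2412, -80
1700000000.003, 2426, -83
1700000000.004, 2436, -52
1700000000.005, 2436, -48
1700000000.006, 2438, -55
1700000000.007, 2480, -86
1700000000.008, 2402, -84'

# busiest_freqs THRESHOLD_dBm: "freq peak_rssi samples" for every frequency whose peak RSSI
# reached the threshold, strongest first. Reads specan lines on stdin.
busiest_freqs() {
    awk -F', *' -v thr="$1" '
        NF >= 3 { f = $2 + 0; r = $3 + 0; n[f]++
                  if (!(f in mx) || r > mx[f]) mx[f] = r }
        END { for (f in mx) if (mx[f] >= thr) printf "%d %d %d\n", f, mx[f], n[f] }
    ' | sort -k2,2nr -k1,1n
}

# ble_channel FREQ_MHz: BLE channel index for a frequency, "-" if it is not a BLE channel
# centre. Advertising channels 37/38/39 are 2402/2426/2480; data channels 0-10 run
# 2404-2424 and 11-36 run 2428-2478, 2 MHz apart.
ble_channel() {
    case "$1" in
        2402) echo 37 ;;
        2426) echo 38 ;;
        2480) echo 39 ;;
        *)  if [ "$1" -ge 2404 ] && [ "$1" -le 2424 ] && [ $(($1 % 2)) -eq 0 ]; then
                echo $(( ($1 - 2404) / 2 ))
            elif [ "$1" -ge 2428 ] && [ "$1" -le 2478 ] && [ $(($1 % 2)) -eq 0 ]; then
                echo $(( ($1 - 2428) / 2 + 11 ))
            else
                echo "-"
            fi ;;
    esac
}

# wifi_channels FREQ_MHz: 2.4 GHz Wi-Fi channels 1-13 (centre 2407 + 5n MHz, assumed 22 MHz
# wide) whose occupied band covers the frequency. Channel 14 (Japan only) is ignored.
wifi_channels() {
    out=""; n=1
    while [ "$n" -le 13 ]; do
        c=$((2407 + 5 * n))
        if [ "$1" -ge $((c - 11)) ] && [ "$1" -le $((c + 11)) ]; then out="$out$n "; fi
        n=$((n + 1))
    done
    echo "${out% }"
}

# report THRESHOLD_dBm: one line per loud frequency with both channel mappings.
report() {
    busiest_freqs "$1" | while read -r f r n; do
        echo "$f MHz peak $r dBm ($n samples) ble_ch=$(ble_channel "$f") wifi_ch=$(wifi_channels "$f")"
    done
}

printf '%s\n' "$SAMPLE" | report -60
```

On the sample this reports 2436 and 2438 MHz (BLE data channels 15 and 16) as covered by Wi-Fi channels 4-8, which is the usual signature of a channel 6 access point; a BLE device in such a spot loses those data channels to the Wi-Fi traffic and, if its channel map never adapts, most of its packets.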

Device Discovery

Active Discovery

# Active inquiry and scanning transmit, which the Ubertooth cannot do; use a normal
# Bluetooth adapter through BlueZ
sudo hcitool scan          # Classic inquiry
sudo hcitool lescan        # BLE active scan (sends SCAN_REQ, so it is visible on the air)
bluetoothctl scan on       # current BlueZ interface, both transports

# Passive BLE discovery with the Ubertooth: nothing is transmitted
ubertooth-btle -n

# Keep the advertisements for address extraction later
ubertooth-btle -n -q devices.pcap

Passive Monitoring

# Classic: which piconets are active around you (LAP/UAP list)
ubertooth-rx -z

# Classic, locked on one piconet: the packet types show what it carries (SCO/eSCO for audio, ACL for data)
ubertooth-rx -l 123456 -u ab

# BLE: every advertisement is printed with its RSSI (rssi=-NN on the systime line) and the
# advertiser address (AdvA). There is no RSSI filter in the tool; sort afterwards, e.g. in
# Wireshark on btle_rf.signal_dbm
ubertooth-btle -n

Address Extraction

# BLE advertiser addresses seen in a capture
tshark -r devices.pcap -T fields -e btle.advertising_address | sort -u

# Initiator and advertiser of every connection request
tshark -r devices.pcap -Y "btle.advertising_header.pdu_type == 5" -T fields -e btle.initiator_address -e btle.advertising_address

# Classic: only LAP and UAP are ever on the air; the NAP (upper 16 bits of the BD_ADDR) cannot be
# recovered passively. Pull the values the btbredr_rf dissector shows
ubertooth-rx -q classic.pcap
tshark -r classic.pcap -V | grep -iE '\b(lap|uap)\b' | sort | uniq -c
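Added example for the passive monitoring and address extraction steps above, written for this page and not part of the Ubertooth project: a shell/awk pass over the text that ubertooth-btle -n prints, listing each advertiser once with its address type, PDU type, best RSSI and packet count, plus a helper that classifies a random address from its top two bits. The distinction matters for tracking: a static random address identifies a device for its lifetime, while a resolvable private address rotates and only an owner of the IRK can link two of them. The line shapes assumed ("rssi=-NN" on the systime line, "Type:" and "AdvA: xx:xx:xx:xx:xx:xx (random|public)" on the indented lines) follow ubertooth-btle's output as I know it; check them against your version and adjust the patterns. The log is constructed.

```sh
#!/bin/sh
# Added example (not Ubertooth project code): summarise advertisers from ubertooth-btle text output.
# Assumed line shapes (verify against your build):
#   systime=... freq=2402 addr=8e89bed6 delta_t=... ms rssi=-58
#       Type:  ADV_IND
#       AdvA:  c0:11:22:33:44:55 (random)
# Live use:  ubertooth-btle -n | tee btle.log ;  ble_advertisers < btle.log

# Constructed log: one random-address device seen three times, one other device once.
LOG='systime=1700000000 freq=2402 addr=8e89bed6 delta_t=1.234 ms rssi=-58
Advertising / AA 8e89bed6 (valid)/ 33 bytes
    Channel Index: 37
    Type:  ADV_IND
    AdvA:  c0:11:22:33:44:55 (random)
    AdvData: 02 01 06
systime=1700000001 freq=2426 addr=8e89bed6 delta_t=2.000 ms rssi=-71
    Channel Index: 38
    Type:  SCAN_RSP
    AdvA:  c0:11:22:33:44:55 (random)
systime=1700000002 freq=2480 addr=8e89bed6 delta_t=0.500 ms rssi=-49
    Channel Index: 39
    Type:  ADV_IND
    AdvA:  c0:11:22:33:44:55 (random)
systime=1700000003 freq=2402 addr=8e89bed6 delta_t=3.100 ms rssi=-80
    Channel Index: 37
    Type:  ADV_NONCONN_IND
    AdvA:  4e:0a:1b:2c:3d:4e (random)'

# ble_advertisers: stdin = ubertooth-btle text; stdout = "addr kind pdu_type best_rssi count",
# strongest first. The RSSI comes from the most recent systime= line.
ble_advertisers() {
    awk '
        /^systime=/ { rssi = ""
                      if (match($0, /rssi=-?[0-9]+/)) rssi = substr($0, RSTART + 5, RLENGTH - 5) + 0 }
        /^[ \t]*Type:/ { type = $2 }
        /^[ \t]*AdvA:/ { kind = $3; gsub(/[()]/, "", kind)
                         key = $2 " " kind " " type; n[key]++
                         if (rssi != "" && (!(key in best) || rssi > best[key])) best[key] = rssi }
        END { for (k in n) printf "%s %s %d\n", k, ((k in best) ? best[k] : "n/a"), n[k] }
    ' | sort -k4,4nr
}

# random_addr_kind ADDR: what the top two bits of a random BLE address say about it.
#   11 static (fixed for the device's lifetime or until reboot), 01 resolvable private
#   (rotates; only resolvable with the IRK), 00 non-resolvable private. Public addresses
#   carry no such encoding, so apply this only to addresses printed as (random).
random_addr_kind() {
    msb=$(( 0x${1%%:*} >> 6 ))
    case "$msb" in
        3) echo static ;;
        1) echo resolvable-private ;;
        0) echo non-resolvable-private ;;
        *) echo reserved ;;
    esac
}

printf '%s\n' "$LOG" | ble_advertisers
random_addr_kind c0:11:22:33:44:55   # static
random_addr_kind 4e:0a:1b:2c:3d:4e   # resolvable-private
```

The second device in the sample uses a resolvable private address, so a count of "devices seen" built from addresses alone will overcount it after every rotation; correlate on advertising payload (name, service UUIDs, manufacturer data) instead.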

Following Connections

Connection Establishment Monitoring

# BLE: sit on an advertising channel and hop along once a CONNECT_IND is seen
ubertooth-btle -f -q connection.pcap

# Only for a particular peripheral (the advertiser's address)
ubertooth-btle -f -t 00:11:22:aa:bb:cc -q connection.pcap

# Classic: lock on a piconet once its LAP/UAP are known from -z
ubertooth-rx -l 123456 -u ab -q pairing.pcap

# Timing: ubertooth-btle prints delta_t (ms since the previous packet) on every systime line,
# and the -q link type stores a timestamp per packet for tshark (frame.time_delta)
ubertooth-btle -f

Frequency Hopping Analysis

# A BLE CONNECT_IND carries everything needed to follow the connection: access address, CRC
# init, window size/offset, interval, latency, supervision timeout, channel map and hop
# increment. ubertooth-btle prints them when it sees one; from a capture:
tshark -r connection.pcap -Y "btle.advertising_header.pdu_type == 5" -V

# Missed the start? Promiscuous mode brute-forces access address, CRC init, hop interval
# and hop increment from the data packets themselves
ubertooth-btle -p

# Classic hopping depends on the master's clock and full BD_ADDR, which ubertooth-rx does
# not have; ubertooth-follow takes them from a BlueZ HCI adapter (see ubertooth-follow -h)

Connection Parameters

# Connection interval, slave latency and supervision timeout are set in the CONNECT_IND ...
tshark -r connection.pcap -Y "btle.advertising_header.pdu_type == 5" -V | grep -iE 'interval|latency|timeout'

# ... and later changes travel as LL_CONNECTION_UPDATE_IND (control opcode 0x00)
tshark -r connection.pcap -Y "btle.control_opcode == 0x00" -V | grep -iE 'interval|latency|timeout'

# Inter-packet timing for latency analysis
tshark -r connection.pcap -Y btle -T fields -e frame.number -e frame.time_delta

PCAP Export and Analysis

Exporting to PCAP

# Classic: link type DLT_BLUETOOTH_BREDR_BB
ubertooth-rx -q classic_capture.pcap

# BLE: link type DLT_BLUETOOTH_LE_LL_WITH_PHDR (channel, RSSI and access-address offenses per packet)
ubertooth-btle -f -q ble_capture.pcap

# PCAPNG from either tool
ubertooth-btle -f -r ble_capture.pcapng

# Verify the file with Wireshark's tools rather than tcpdump, which does not know these link types
capinfos classic_capture.pcap
tshark -r classic_capture.pcap -c 10

Wireshark Integration

# Open a capture
wireshark classic_capture.pcap &

# Live view: point the tool at a named pipe that Wireshark reads (start Wireshark first so the
# pipe has a reader; one writer per pipe at a time)
mkfifo /tmp/ubertooth_pipe
wireshark -k -i /tmp/ubertooth_pipe &
ubertooth-rx -q /tmp/ubertooth_pipe          # Classic
ubertooth-btle -f -q /tmp/ubertooth_pipe     # BLE

# Display filters
# Classic baseband:  btbredr_rf
# BLE link layer:    btle
# One advertiser:    btle.advertising_address == 00:11:22:aa:bb:cc

TShark Analysis

# Advertiser address and AD structure types per advertisement
tshark -r capture.pcap -Y "btle.advertising_address" -T fields -e frame.number -e btle.advertising_address -e btcommon.eir_ad.entry.type

# Count packets by advertising PDU type (0 ADV_IND, 1 ADV_DIRECT_IND, 2 ADV_NONCONN_IND,
# 3 SCAN_REQ, 4 SCAN_RSP, 5 CONNECT_IND, 6 ADV_SCAN_IND)
tshark -r capture.pcap -T fields -e btle.advertising_header.pdu_type | sort | uniq -c

# Keep only advertising-channel PDUs in a new file
tshark -r capture.pcap -Y "btle.advertising_address" -w filtered.pcap

# Packet and byte totals for the whole capture, then per second
tshark -r capture.pcap -q -z io,stat,0
tshark -r capture.pcap -q -z io,stat,1

Pairing and Authentication

Monitoring Pairing Process

# BLE pairing (SMP) runs inside an established connection, so follow the connection from
# its CONNECT_IND; a capture that joins mid-connection contains no pairing to decode
ubertooth-btle -f -t 00:11:22:aa:bb:cc -q pairing.pcap

# Classic legacy pairing/authentication runs in LMP on the hopping piconet; lock on with
# the known LAP/UAP (ubertooth-follow for the full hop sequence)
ubertooth-rx -l 123456 -u ab -q legacy_pair.pcap

# SMP packets in the capture
tshark -r pairing.pcap -Y btsmp
wireshark pairing.pcap

Key Exchange Observation

# Pairing Request/Response (opcodes 0x01/0x02): IO capability, OOB flag, AuthReq, max key
# size and the key-distribution masks, all in the clear
tshark -r pairing.pcap -Y "btsmp.opcode == 0x01 || btsmp.opcode == 0x02" -V

# Legacy pairing: Pairing Confirm/Random (0x03/0x04) are the values crackle brute-forces
# the TK from; the TK itself is never sent
tshark -r pairing.pcap -Y "btsmp.opcode == 0x03 || btsmp.opcode == 0x04"

# LTK distribution (Encryption Information, 0x06) happens after the link is encrypted with
# the STK, so it only decodes in a capture that crackle has already decrypted
tshark -r decrypted.pcap -Y "btsmp.opcode == 0x06" -T fields -e btsmp.long_term_key

# OOB: only the OOB flag in Pairing Request/Response is on the air; the OOB data itself travels
# over another channel (NFC, QR code)

Just Works vs PIN Pairing

# The method is decided by three bytes of Pairing Request and Pairing Response: IO capability,
# OOB data flag and AuthReq (bit 2 MITM, bit 3 Secure Connections)
tshark -r pairing.pcap -Y "btsmp.opcode == 0x01 || btsmp.opcode == 0x02" -V | grep -iE 'io capability|oob|mitm|secure connections|bonding'

# Reading it: MITM clear on both sides -> Just Works, whatever the IO capabilities; SC set on
# both sides -> LE Secure Connections (Numeric Comparison, Passkey or OOB over ECDH, not passively
# crackable); SC clear on either side -> legacy pairing, whose TK is 0 (Just Works) or a 6-digit passkey

# Pairing Failed (0x05) carries a reason code
tshark -r pairing.pcap -Y "btsmp.opcode == 0x05" -V
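Added example, written for this page; it is not code from the Ubertooth project or from any Bluetooth stack. It takes the two SMP PDUs the tshark line above exposes, as space-separated hex bytes, and applies the selection rules of Core Spec Vol 3 Part H 2.3.5.1 (SC on both sides for LE Secure Connections, OOB handling, the MITM shortcut to Just Works, then the IO-capability table) to name the pairing method. The PDUs in the block are constructed; the answer tells you whether a passive capture is worth keeping for key recovery.

```sh
#!/bin/sh
# Added example (not Ubertooth or BlueZ code): decide which pairing method two BLE peers will
# use from their SMP Pairing Request (opcode 0x01) and Pairing Response (0x02), per Core Spec
# Vol 3 Part H 2.3.5.1. Input: the 7-byte PDU as space-separated hex, as Wireshark shows it.
#   byte 0 opcode, 1 IO capability, 2 OOB data flag, 3 AuthReq, 4 max key size, 5/6 key dist
#   IO: 0 DisplayOnly 1 DisplayYesNo 2 KeyboardOnly 3 NoInputNoOutput 4 KeyboardDisplay
#   AuthReq bits: 0-1 bonding, 2 MITM, 3 Secure Connections (SC), 4 keypress notifications

# smp_byte "01 03 00 01 10 07 07" 3  ->  decimal value of byte 3
smp_byte() {
    idx=$2
    set -- $1            # split the hex string into positional parameters (intended)
    shift "$idx"
    echo $((0x$1))
}

# pairing_method REQ_HEX RSP_HEX -> "<Legacy|LESC> <JustWorks|PasskeyEntry|NumericComparison|OOB>"
pairing_method() {
    req_io=$(smp_byte "$1" 1); req_oob=$(smp_byte "$1" 2); req_auth=$(smp_byte "$1" 3)
    rsp_io=$(smp_byte "$2" 1); rsp_oob=$(smp_byte "$2" 2); rsp_auth=$(smp_byte "$2" 3)

    # LE Secure Connections only when both sides set the SC bit; otherwise legacy pairing.
    if [ $((req_auth & 8)) -ne 0 ] && [ $((rsp_auth & 8)) -ne 0 ]; then mode=LESC; else mode=Legacy; fi

    # OOB: legacy needs OOB data on both sides (it is the shared TK); LESC accepts it from either.
    if [ "$mode" = LESC ]; then
        if [ "$req_oob" -eq 1 ] || [ "$rsp_oob" -eq 1 ]; then echo "LESC OOB"; return; fi
    elif [ "$req_oob" -eq 1 ] && [ "$rsp_oob" -eq 1 ]; then
        echo "Legacy OOB"; return
    fi

    # Neither side asked for MITM protection: IO capabilities are ignored, Just Works.
    if [ $((req_auth & 4)) -eq 0 ] && [ $((rsp_auth & 4)) -eq 0 ]; then echo "$mode JustWorks"; return; fi

    # IO capability table (Table 2.7 legacy / Table 2.8 LESC).
    if [ "$req_io" -gt 4 ] || [ "$rsp_io" -gt 4 ]; then echo "$mode Unknown"; return; fi
    # A NoInputNoOutput side can neither type nor confirm anything.
    if [ "$req_io" -eq 3 ] || [ "$rsp_io" -eq 3 ]; then echo "$mode JustWorks"; return; fi
    # Both sides display-only (DisplayOnly/DisplayYesNo): nobody can type a passkey;
    # two DisplayYesNo devices under LESC compare numbers instead.
    if [ "$req_io" -le 1 ] && [ "$rsp_io" -le 1 ]; then
        if [ "$mode" = LESC ] && [ "$req_io" -eq 1 ] && [ "$rsp_io" -eq 1 ]; then
            echo "LESC NumericComparison"
        else
            echo "$mode JustWorks"
        fi
        return
    fi
    # Both can show a number and answer yes/no (DisplayYesNo or KeyboardDisplay): LESC compares,
    # legacy has no numeric comparison and falls back to a passkey.
    if [ "$mode" = LESC ] && { [ "$req_io" -eq 1 ] || [ "$req_io" -eq 4 ]; } \
                          && { [ "$rsp_io" -eq 1 ] || [ "$rsp_io" -eq 4 ]; }; then
        echo "LESC NumericComparison"; return
    fi
    echo "$mode PasskeyEntry"
}

# Constructed PDUs (not from a capture): a sensor without UI vs a phone, then phone vs phone.
pairing_method "01 03 00 01 10 07 07" "02 04 00 0d 10 0f 0f"   # Legacy JustWorks: TK = 0, sniffable
pairing_method "01 04 00 05 10 07 07" "02 04 00 05 10 07 07"   # Legacy PasskeyEntry: TK in 0..999999, brute-forceable
pairing_method "01 04 00 0d 10 0f 0f" "02 04 00 0d 10 0f 0f"   # LESC NumericComparison: ECDH, not passively recoverable
```

Note the first case: the phone offered Secure Connections and MITM, but the sensor's reply wins, and the result is a Just Works legacy pairing with a known TK. That is the capture to hand to crackle.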

Common Attack Scenarios

Passive Eavesdropping

# BLE: everything before encryption starts is cleartext, including the ATT traffic of
# devices that never pair at all
ubertooth-btle -f -q unenc.pcap

# Classic, locked on a piconet (payload decoding depends on what libbtbb can recover)
ubertooth-rx -l 123456 -u ab -q classic.pcap

# Where encryption starts in a BLE capture: LL_ENC_REQ (control opcode 0x03) and
# LL_START_ENC_REQ (0x05); data PDUs after that handshake are encrypted, ATT before it is readable
tshark -r unenc.pcap -Y "btle.control_opcode == 0x03 || btle.control_opcode == 0x05" -T fields -e frame.number -e btle.control_opcode
tshark -r unenc.pcap -Y btatt -T fields -e frame.number -e btatt.opcode -e btatt.handle -e btatt.value

Key Recovery

# Legacy pairing (SC bit clear): the TK is 0 for Just Works or a 6-digit passkey, so the STK and
# then the distributed LTK can be brute-forced from a capture of the pairing and encryption setup
ubertooth-btle -f -t 00:11:22:aa:bb:cc -q keys.pcap

# crackle (separate tool) recovers TK/STK/LTK and writes the decrypted capture
crackle -i keys.pcap -o decrypted.pcap

# Decrypt a later session of the same bonded pair with the recovered LTK
crackle -i later.pcap -o later_decrypted.pcap -l <LTK hex>

# LE Secure Connections (SC set on both sides) derives the LTK with ECDH: nothing to recover passively

Jamming Detection

# Raised noise floor across the band, or one carrier parked on it
ubertooth-specan -d jam.data

# A followed connection that goes silent: supervision timeout, or an explicit LL_TERMINATE_IND (control opcode 0x02)
tshark -r capture.pcap -Y "btle.control_opcode == 0x02" -T fields -e frame.number -e frame.time_relative

# Corrupted packets show up as CRC failures in the text output; compare counts with CRC
# checking on (-v1) and off (-v0)
ubertooth-btle -f

# The Ubertooth can itself interfere with a followed connection (-i one, -I all, with -f or -p);
# that is a transmitter, for a shielded lab only

Replay Attack Preparation

# Capture the ATT writes that drive the device; this needs the connection from its start
ubertooth-btle -f -t 00:11:22:aa:bb:cc -q commands.pcap

# Handle, value and timing of every write (0x12 Write Request, 0x52 Write Command)
tshark -r commands.pcap -Y "btatt.opcode == 0x12 || btatt.opcode == 0x52" -T fields -e frame.time_relative -e btatt.opcode -e btatt.handle -e btatt.value

# The Ubertooth does not inject data PDUs into a connection: replay the writes from a BlueZ
# adapter after connecting to the device yourself (handle and value as captured; placeholders here)
gatttool -b 00:11:22:aa:bb:cc --char-write-req -a 0x000e -n 0102

GATT Service Enumeration

# Service discovery on the air is ATT Read By Group Type (0x10) and Read By Type (0x08)
# requests and their responses (0x11, 0x09), issued by the central right after connecting
ubertooth-btle -f -t 00:11:22:aa:bb:cc -q gatt.pcap

# Services and characteristics the central discovered, with handles and UUIDs
tshark -r gatt.pcap -Y "btatt.opcode == 0x11 || btatt.opcode == 0x09" -V

# Every ATT operation with handle, 16-bit UUID (where present) and value
tshark -r gatt.pcap -Y btatt -T fields -e frame.number -e btatt.opcode -e btatt.handle -e btatt.uuid16 -e btatt.value

# A passive sniffer only sees what the central asked for; enumerating the rest from your own
# adapter (gatttool --primary / --characteristics, bluetoothctl) is active and shows up on the air
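Added example serving the eavesdropping, replay-preparation and GATT sections above; it is written for this page and is not Ubertooth or Wireshark code. It decodes one BLE data PDU from its hex bytes (LL header first, as ubertooth-btle prints them) through the L2CAP header into ATT or SMP, which shows concretely what a replay has to reproduce (opcode, little-endian handle, value), what service discovery looks like on the wire, and which LL control PDUs mark the point after which the capture is ciphertext. The PDUs in the block are constructed.

```sh
#!/bin/sh
# Added example (not Ubertooth or Wireshark code): decode one BLE data PDU from its hex bytes.
#   LL header: byte0 bits 0-1 = LLID (1 continuation/empty, 2 L2CAP start, 3 LL control), byte1 = length
#   L2CAP:     length (2 bytes LE), CID (2 bytes LE): 0x0004 ATT, 0x0005 LE signalling, 0x0006 SMP
#   ATT:       opcode, then for reads/writes/notifications a 16-bit LE handle and the value

byte_at() {   # byte_at "02 08 04 00 04 00 52 0e 00 01" 6 -> 82 (0x52)
    idx=$2; set -- $1; shift "$idx"; echo $((0x$1))
}
le16_at() {   # little-endian 16-bit value at index
    echo $(( $(byte_at "$1" "$2") | ($(byte_at "$1" $(($2 + 1))) << 8) ))
}
hex_from() {  # bytes from index onwards, concatenated
    idx=$2; set -- $1; shift "$idx"; printf '%s' "$@"
}

att_name() {
    case "$1" in
        8) echo ReadByTypeReq ;;       9) echo ReadByTypeRsp ;;
        10) echo ReadReq ;;            11) echo ReadRsp ;;
        16) echo ReadByGroupTypeReq ;; 17) echo ReadByGroupTypeRsp ;;
        18) echo WriteReq ;;           19) echo WriteRsp ;;     82) echo WriteCmd ;;
        27) echo HandleValueNotification ;; 29) echo HandleValueIndication ;;
        *) printf 'ATT-0x%02x\n' "$1" ;;
    esac
}
ll_ctrl_name() {
    case "$1" in
        0) echo LL_CONNECTION_UPDATE_IND ;; 1) echo LL_CHANNEL_MAP_IND ;; 2) echo LL_TERMINATE_IND ;;
        3) echo LL_ENC_REQ ;; 4) echo LL_ENC_RSP ;; 5) echo LL_START_ENC_REQ ;; 6) echo LL_START_ENC_RSP ;;
        12) echo LL_VERSION_IND ;; 13) echo LL_REJECT_IND ;;
        *) printf 'LL_CTRL-0x%02x\n' "$1" ;;
    esac
}

# ble_decode HEX -> one summary line for the PDU
ble_decode() {
    llid=$(( $(byte_at "$1" 0) & 3 )); len=$(byte_at "$1" 1)
    case "$llid" in
        3)  op=$(byte_at "$1" 2); note=""
            [ "$op" -eq 3 ] && note=" (LL_START_ENC_RSP and everything after it is encrypted)"
            echo "LLCTRL $(ll_ctrl_name "$op")$note" ;;
        2)  l2len=$(le16_at "$1" 2); cid=$(le16_at "$1" 4)
            case "$cid" in
                4)  op=$(byte_at "$1" 6)
                    case "$op" in
                        10|18|82|27|29)   # handle-addressed operations: this is what a replay needs
                            echo "ATT $(att_name "$op") handle=$(printf '0x%04x' "$(le16_at "$1" 7)") value=$(hex_from "$1" 9)" ;;
                        *)  echo "ATT $(att_name "$op") payload=$(hex_from "$1" 7)" ;;
                    esac ;;
                6)  op=$(byte_at "$1" 6)
                    case "$op" in
                        1) echo "SMP PairingReq io=$(byte_at "$1" 7) oob=$(byte_at "$1" 8) authreq=$(printf '0x%02x' "$(byte_at "$1" 9)")" ;;
                        2) echo "SMP PairingRsp io=$(byte_at "$1" 7) oob=$(byte_at "$1" 8) authreq=$(printf '0x%02x' "$(byte_at "$1" 9)")" ;;
                        *) echo "SMP opcode=$op" ;;
                    esac ;;
                *)  echo "L2CAP cid=$cid len=$l2len" ;;
            esac ;;
        *)  if [ "$len" -eq 0 ]; then echo "LL empty PDU (keep-alive)"; else echo "L2CAP continuation ($len bytes)"; fi ;;
    esac
}

# Constructed PDUs: an unencrypted GATT write, the service-discovery request that precedes it,
# a pairing request, and the control PDU that starts encryption.
ble_decode "02 08 04 00 04 00 52 0e 00 01"                 # ATT WriteCmd handle=0x000e value=01
ble_decode "02 0b 07 00 04 00 10 01 00 ff ff 00 28"        # ReadByGroupTypeReq: handles 0x0001-0xffff, UUID 0x2800 (Primary Service)
ble_decode "02 0b 07 00 06 00 01 03 00 01 10 07 07"        # SMP PairingReq io=3 oob=0 authreq=0x01
ble_decode "03 17 03 11 22 33 44 55 66 77 88 00 00 aa bb cc dd ee ff 00 11 01 02 03 04"   # LL_ENC_REQ
```

Everything a replay needs is in the first line (write type, handle, value); the LL header bits and the access address are supplied by whichever adapter transmits it, not copied from the capture. Once an LL_ENC_REQ shows up, the remaining data PDUs are only decodable after crackle (legacy pairing) has recovered the session key.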

Integration with Wireshark

Live Capture Setup

# Named pipe: start Wireshark reading it, then point one tool at it
mkfifo /tmp/ubertooth_pipe
wireshark -k -i /tmp/ubertooth_pipe &
ubertooth-btle -f -q /tmp/ubertooth_pipe    # BLE
ubertooth-rx -q /tmp/ubertooth_pipe         # Classic (one writer per pipe)

# To set display filters before packets arrive, start Wireshark without -k, add the pipe under
# Capture > Options > Manage Interfaces > Pipes, and start the capture by hand
wireshark &

Wireshark Filters

# Classic baseband (ubertooth-rx captures)
btbredr_rf

# BLE link layer (ubertooth-btle captures)
btle

# By advertiser address
btle.advertising_address == 00:11:22:aa:bb:cc

# ADV_IND only / CONNECT_IND only (advertising PDU types 0 and 5)
btle.advertising_header.pdu_type == 0
btle.advertising_header.pdu_type == 5

# Encryption setup (LL_ENC_REQ, LL_START_ENC_REQ); data PDUs after the handshake are encrypted
btle.control_opcode == 0x03 || btle.control_opcode == 0x05

# Pairing traffic
btsmp

# GATT: Device Information Service (0x180a) by UUID, or everything touching one handle
btatt.uuid16 == 0x180a
btatt.handle == 0x000e

Integration with Kismet

Kismet BLE Detection

# Kismet's Ubertooth datasource (kismet_cap_ubertooth) captures BLE advertisements; it is
# built only when libubertooth is present at Kismet compile time
kismet -c ubertooth

# Make it permanent (kismet_site.conf survives upgrades, kismet.conf does not)
echo "source=ubertooth" | sudo tee -a /etc/kismet/kismet_site.conf

# Kismet runs as a server; the device list is its web UI
kismet
# then browse to http://localhost:2501

Kismet Analysis

# Each run writes a Kismet-<date>.kismet sqlite log; BLE devices from it
sqlite3 Kismet-*.kismet "SELECT devmac, phyname, strongest_signal, last_time FROM devices WHERE phyname = 'BTLE';"

# Conversion tools shipped with Kismet
kismetdb_dump_devices --in Kismet-*.kismet --out devices.json
kismetdb_to_pcap --in Kismet-*.kismet --out ble.pcapng

# Locations need a GPS source while capturing (gps=gpsd:host=localhost,port=2947 in
# kismet_site.conf); then export device positions
kismetdb_to_kml --in Kismet-*.kismet --out devices.kml

Troubleshooting

Device Not Recognized

# Enumerated? 1d50:6002 is the Ubertooth One, 1d50:6003 one sitting in the DFU bootloader
lsusb -d 1d50:

# Host tools see it
ubertooth-util -v

# Stop whatever the firmware is doing (a stuck capture), or reset the board outright
ubertooth-util -S
ubertooth-util -r

# Libraries installed and findable by the loader
ldconfig -p | grep -E 'libusb-1.0|libubertooth|libbtbb'

Firmware Issues

# Host tools and firmware must match: a mismatch is the usual cause of strange errors
ubertooth-util -v
ubertooth-util -V

# Rebuild the firmware from a clean tree
cd ubertooth/firmware/bluetooth_rxtx && make clean && make

# Back out to a tagged release (host tools and firmware together), then reflash
git tag
git checkout 2020-12-R1      # or whichever release your host tools are

Poor Reception

# RSSI of what does arrive (rssi= in the text output, btle_rf.signal_dbm in -q captures)
ubertooth-btle -n

# The Ubertooth's receiver is far less sensitive than a phone's radio: a few metres is typical.
# Move closer, reorient, and try each advertising channel (-A 37/38/39)

# Verify the antenna is screwed on tight; without it the board is nearly deaf

# Look for interference before blaming the board
ubertooth-specan

Permission Errors

# The host tools ship a udev rule granting group access to 1d50:6002/6003
sudo cp ubertooth/host/libubertooth/40-ubertooth.rules /etc/udev/rules.d/
sudo udevadm control --reload-rules
sudo udevadm trigger
grep GROUP /etc/udev/rules.d/40-ubertooth.rules   # add yourself to that group, then log out and back in

# Works without sudo once the rule applies; running everything as root is the fallback, not the fix
ubertooth-util -v

# Device node ownership (bus and device numbers from lsusb)
ls -l /dev/bus/usb/*/

Quick Reference

Tool               Purpose                          Output
ubertooth-util     Device management and info       Firmware version (-v/-V), serial (-s), LEDs, reset
ubertooth-rx       Classic (BR/EDR) capture         Text decode, PCAP/PCAPNG via -q/-r
ubertooth-btle     BLE sniffing                     Text decode, PCAP/PCAPNG via -q/-r
ubertooth-follow   Classic connection following     Needs a BlueZ HCI adapter for clock and UAP
ubertooth-specan   Spectrum analysis                "time, freq, rssi" lines, -d file, -g for feedgnuplot
ubertooth-dfu      Firmware flashing                Writes the .dfu image (-d), resets (-r)
libbtbb            Baseband decoding library        Used by the tools above; not a command

Resources