find-lf
Add Bluetooth sniffing
Sniffing
Using a Raspberry Pi 3, compile BlueZ.
Then make sure the Bluetooth adapter is up: sudo hciconfig hci0 up
Then run btmon in the background: sudo btmon &
Then scan using: sudo hcitool lescan (BLE)
or sudo hcitool scan (classic BR/EDR inquiry)
Problem
The RSSI and phone MAC address are only seen when the phone is on the Bluetooth screen; i.e., when any other process is running, it doesn't seem to allow the phone to be discoverable.
When I scan from the Pi3 with sudo hcitool scan, it gives me the following if I'm not on the Bluetooth screen:
$ sudo hcitool scan
Scanning ...
< HCI Command: Inquiry (0x01|0x0001) plen 5 [hci0] 97.534966
        Access code: 0x9e8b33 (General Inquiry)
        Length: 10.24s (0x08)
        Num responses: 0
> HCI Event: Command Status (0x0f) plen 4 [hci0] 97.535425
      Inquiry (0x01|0x0001) ncmd 1
        Status: Success (0x00)
> HCI Event: Inquiry Complete (0x01) plen 1 [hci0] 107.777731
        Status: Success (0x00)
However, if I go to the Bluetooth screen on my phone, then the scan sees the following:
$ sudo hcitool scan
Scanning ...
< HCI Command: Inquiry (0x01|0x0001) plen 5 [hci0] 120.701658
        Access code: 0x9e8b33 (General Inquiry)
        Length: 10.24s (0x08)
        Num responses: 0
> HCI Event: Command Status (0x0f) plen 4 [hci0] 120.702118
      Inquiry (0x01|0x0001) ncmd 1
        Status: Success (0x00)
> HCI Event: Extended Inquiry Result (0x2f) plen 255 [hci0] 127.292361
        Num responses: 1
        Address: 34:FC:EF:41:E6:F7 (OUI 34-FC-EF)
        Page scan repetition mode: R1 (0x01)
        Page period mode: P0 (0x00)
        Class: 0x5a020c
          Major class: Phone (cellular, cordless, payphone, modem)
          Minor class: Smart phone
          Networking (LAN, Ad hoc)
          Capturing (Scanner, Microphone)
          Object Transfer (v-Inbox, v-Folder)
          Telephony (Cordless telephony, Modem, Headset)
        Clock offset: 0x32cb
        RSSI: -73 dBm (0xb7)
        Name (complete): VS985 4G LTE
        16-bit Service UUIDs (complete): 11 entries
          OBEX Object Push (0x1105)
          OBEX File Transfer (0x1106)
          Audio Source (0x110a)
          A/V Remote Control Target (0x110c)
          Headset AG (0x1112)
          PANU (0x1115)
          NAP (0x1116)
          Handsfree Audio Gateway (0x111f)
          Phonebook Access Server (0x112f)
          PnP Information (0x1200)
          Message Access Server (0x1132)
> HCI Event: Inquiry Complete (0x01) plen 1 [hci0] 130.945272
        Status: Success (0x00)
< HCI Command: Remote Name Request (0x01|0x0019) plen 10 [hci0] 130.945509
        Address: 34:FC:EF:41:E6:F7 (OUI 34-FC-EF)
        Page scan repetition mode: R1 (0x01)
        Page scan mode: Mandatory (0x00)
        Clock offset: 0xb2cb
> HCI Event: Command Status (0x0f) plen 4 [hci0] 130.946235
      Remote Name Request (0x01|0x0019) ncmd 1
        Status: Success (0x00)
> HCI Event: Remote Host Supported Features (0x3d) plen 14 [hci0] 133.437920
        Address: 34:FC:EF:41:E6:F7 (OUI 34-FC-EF)
        Features: 0x0f 0x00 0x00 0x00 0x00 0x00 0x00 0x00
          Secure Simple Pairing (Host Support)
          LE Supported (Host)
          Simultaneous LE and BR/EDR (Host)
          Secure Connections (Host Support)
> HCI Event: Remote Name Req Complete (0x07) plen 255 [hci0] 133.440673
	34:FC:EF:41:E6:F7	VS985 4G LTE
        Status: Success (0x00)
        Address: 34:FC:EF:41:E6:F7 (OUI 34-FC-EF)
        Name: VS985 4G LTE
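To turn the background btmon output into per-device readings (the MAC, RSSI and name a find-lf node would report), here is a small parser added for this page; it is not part of find-lf or BlueZ. It assumes btmon's usual indented layout, uses a sample cut down from the scan above, and also handles "Inquiry Result with RSSI" events, which can list several devices; a scan in which the phone was not discoverable contains no inquiry-result event and parses to an empty list.

```python
import re

# Constructed sample, cut down from the btmon output above (same values);
# indentation follows btmon's real layout. A scan where the phone is not
# discoverable has only 'Num responses: 0' and no inquiry-result event.
SAMPLE = """\
< HCI Command: Inquiry (0x01|0x0001) plen 5            [hci0] 120.701658
        Num responses: 0
> HCI Event: Extended Inquiry Result (0x2f) plen 255   [hci0] 127.292361
        Num responses: 1
        Address: 34:FC:EF:41:E6:F7 (OUI 34-FC-EF)
        RSSI: -73 dBm (0xb7)
        Name (complete): VS985 4G LTE
> HCI Event: Inquiry Complete (0x01) plen 1            [hci0] 130.945272
        Status: Success (0x00)
"""
PACKET_RE = re.compile(  # btmon packet header line
    r"^(?P<dir>[<>]) HCI (?:Command|Event): (?P<name>.+?) \([^)]*\) "
    r"plen \d+\s+\[(?P<dev>hci\d+)\] (?P<ts>\d+\.\d+)\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+): (?P<val>.*)$")  # indented field
ADDR_RE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
RSSI_RE = re.compile(r"^(-?\d+) dBm")
INQUIRY_EVENTS = ("Extended Inquiry Result", "Inquiry Result with RSSI")

def parse_btmon(text):
    """One dict (address, rssi, name, ts) per device in inquiry-result events."""
    out, cur = [], None  # cur = fields of the inquiry packet being read
    def flush():
        if cur and "address" in cur:
            out.append({"address": cur["address"], "rssi": cur.get("rssi"),
                        "name": cur.get("name"), "ts": cur["ts"]})
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:  # a new packet header closes the previous packet
            flush()
            is_result = m["dir"] == ">" and m["name"] in INQUIRY_EVENTS
            cur = {"ts": float(m["ts"])} if is_result else None
            continue
        f = FIELD_RE.match(line) if cur is not None else None
        if not f:
            continue
        key, val = f["key"].strip(), f["val"].strip()
        if key == "Address" and ADDR_RE.match(val):
            flush()  # 'Inquiry Result with RSSI' may list several devices
            cur = {"ts": cur["ts"], "address": ADDR_RE.match(val).group(1).upper()}
        elif key == "RSSI" and RSSI_RE.match(val):
            cur["rssi"] = int(RSSI_RE.match(val).group(1))
        elif key.startswith("Name"):
            cur["name"] = val
    flush()
    return out
```

Feed it the saved btmon log (e.g. `sudo btmon > scan.log &` instead of plain `sudo btmon &`) and `parse_btmon(open("scan.log").read())` gives the readings for each scan.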
Another way of discovering devices, but it doesn't get around the above problem:
sudo apt-get install python-gi python-dbus
git clone https://github.com/pauloborges/bluez.git
cd bluez/test
sudo ./test-discovery
You could use the following app on Android to simulate a BLE beacon. It has the option of running in the background: https://play.google.com/store/apps/details?id=net.alea.beaconsimulator