
Sniffle
Sniffle is a sniffer for Bluetooth 5 and 4.x (LE) using TI CC1352/CC26x2 hardware. This tool can be used for capturing Bluetooth connections.
Sniffle has a number of useful features, including:
- Support for BT5/4.2 extended length advertisement and data packets
- Support for BT5 Channel Selection Algorithms #1 and #2
- Support for all BT5 PHY modes (regular 1M, 2M, and coded modes)
- Support for sniffing only advertisements and ignoring connections
- Support for channel map, connection parameter, and PHY change operations
- Support for advertisement filtering by MAC address and RSSI
- Support for BT5 extended advertising (non-periodic)
- Support for capturing advertisements from a target MAC on all three primary advertising channels using a single sniffer. This makes connection detection nearly 3x more reliable than most other sniffers that only sniff one advertising channel.
- Easy to extend host-side software written in Python
- PCAP export compatible with the Ubertooth
Prerequisites
- TI CC26x2R Launchpad Board: https://www.ti.com/tool/LAUNCHXL-CC26X2R1
- or TI CC2652RB Launchpad Board: https://www.ti.com/tool/LP-CC2652RB
- or TI CC1352R Launchpad Board: https://www.ti.com/tool/LAUNCHXL-CC1352R1
- or TI CC1352P1 Launchpad Board: https://www.ti.com/tool/LAUNCHXL-CC1352P
- GNU ARM Embedded Toolchain: https://developer.arm.com/open-source/gnu-toolchain/gnu-rm/downloads
- TI CC26x2 SDK 5.10.00.48: https://www.ti.com/tool/download/SIMPLELINK-CC13X2-26X2-SDK
- TI DSLite Programmer Software
- Python 3.5+ with PySerial installed
Building and Installation
Once GCC, DSLite, and the SDK are installed and operational, building Sniffle should be straightforward. Just navigate to the fw directory and run make. If you didn't install the SDK to the default directory, you may need to edit SIMPLELINK_SDK_INSTALL_DIR in the makefile.
To install Sniffle on a (plugged in) CC26x2 Launchpad using DSLite, run make load within the fw directory. You can also flash the compiled sniffle.out binary using the UniFlash GUI.
If building for or installing on a variant of Launchpad other than the CC26x2R, you must specify PLATFORM=xxx, either as an argument to make, or by defining it as an environment variable prior to invoking make. Supported values for PLATFORM are CC2642R1F, CC2652R1F, CC1352R1F3, CC2652RB1F, and CC1352P1F3. Be sure to perform a make clean before building for a different platform.
Sniffer Usage
Scanner Usage
The scanner command line arguments work the same as the sniffer. The purpose of the scanner utility is to gather a list of nearby devices advertising, and actively issue scan requests for observed devices, without having the deluge of fast scrolling data you get with the sniffer utility. The hardware/firmware will enter an active scanning mode where it will report received advertisements, issue scan requests for scannable ones, and report received scan responses. The scanner utility will record and report observed MAC addresses only once without spamming the display. Once you’re done capturing advertisements, press Ctrl-C to stop scanning and report the results. The scanner will show the last advertisement and scan response from each target. Scan results will be sorted by RSSI in descending order.
Usage Examples
Sniff all advertisements on channel 38, ignore RSSI < -50, stay on advertising channel even when CONNECT_REQs are seen.
Sniff advertisements from MAC 12:34:56:78:9A:BC, stay on advertising channel even when CONNECT_REQs are seen, save advertisements to data1.pcap.
Sniff BT5 extended advertisements and connections from nearby (RSSI >= -55) devices.
Obtaining the IRK
If you have a rooted Android phone, you can find IRKs (and LTKs) in the Bluedroid configuration file. On Android 8.1, this is located at /data/misc/bluedroid/bt_config.conf. The LE_LOCAL_KEY_IRK specifies the Android device's own IRK, and the first 16 bytes of LE_KEY_PID for every bonded device in the file indicate the bonded device's IRK. Be aware that keys stored in this file are little endian, so the byte order of keys in this file will need to be reversed. For example, the little endian IRK 22BC0E3F2EACF08EE36B865553EA0B4E needs to be changed to 4E0BEA5355866BE38EF0AC2E3F0EBC22 (big endian) when being passed to Sniffle with the -i option.
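As an added example (not part of the Sniffle project), the following Python helper pulls the IRKs out of a bt_config.conf-style file and reverses their byte order as described above, so the value can be handed to the -i option. The sample config text is constructed, and its section layout ([Adapter] for the phone's own keys plus one section per bonded address) is an assumption; only the key names LE_LOCAL_KEY_IRK and LE_KEY_PID come from the text.

```python
import configparser
from typing import Dict

# Constructed sample in a bt_config.conf-like INI layout. The [Adapter]
# section and per-address sections are assumptions; the key names are
# the ones the README describes. Values are little endian, as on disk.
SAMPLE_BT_CONFIG = """\
[Adapter]
Address = 11:22:33:44:55:66
LE_LOCAL_KEY_IRK = 22bc0e3f2eacf08ee36b865553ea0b4e

[aa:bb:cc:dd:ee:01]
Name = Constructed Peripheral
LE_KEY_PID = 000102030405060708090a0b0c0d0e0f01aabbccddee01
"""


def le_to_be_hex(le_hex: str) -> str:
    """Reverse the byte order of a hex-encoded key (little endian -> big endian)."""
    raw = bytes.fromhex(le_hex)
    return raw[::-1].hex().upper()


def extract_irks(config_text: str) -> Dict[str, str]:
    """Return {owner: big-endian IRK hex} for the local adapter and each bonded device.

    LE_LOCAL_KEY_IRK holds the phone's own IRK; the first 16 bytes (32 hex
    digits) of LE_KEY_PID hold the bonded peer's IRK. Both are reversed here.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so LE_KEY_PID matches exactly
    cp.read_string(config_text)
    irks: Dict[str, str] = {}
    for section in cp.sections():
        if "LE_LOCAL_KEY_IRK" in cp[section]:
            irks["local"] = le_to_be_hex(cp[section]["LE_LOCAL_KEY_IRK"])
        if "LE_KEY_PID" in cp[section]:
            pid = cp[section]["LE_KEY_PID"]
            if len(pid) < 32:
                raise ValueError(f"{section}: LE_KEY_PID shorter than 16 bytes")
            irks[section] = le_to_be_hex(pid[:32])
    return irks


if __name__ == "__main__":
    for owner, irk in extract_irks(SAMPLE_BT_CONFIG).items():
        print(f"{owner}: -i {irk}")
```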