Sniffle – Bluetooth Sniffing Tool

Sniffle - Bluetooth Hacking and Sniffing Tool


Sniffle is a sniffer for Bluetooth 5 and 4.x (LE) using TI CC1352/CC26x2 hardware. This tool can be use for capturing bluetooth connections.

Sniffle has a number of useful features, including:

  • Support for BT5/4.2 extended length advertisement and data packets
  • Support for BT5 Channel Selection Algorithms #1 and #2
  • Support for all BT5 PHY modes (regular 1M, 2M, and coded modes)
  • Support for sniffing only advertisements and ignoring connections
  • Support for channel map, connection parameter, and PHY change operations
  • Support for advertisement filtering by MAC address and RSSI
  • Support for BT5 extended advertising (non-periodic)
  • Support for capturing advertisements from a target MAC on all three primary advertising channels using a single sniffer. This makes connection detection nearly 3x more reliable than most other sniffers that only sniff one advertising channel.
  • Easy to extend host-side software written in Python
  • PCAP export compatible with the Ubertooth


Building and Installation

Once the GCC, DSLite, and the SDK is installed and operational, building Sniffle should be straight forward. Just navigate to the fw directory and run make. If you didn’t install the SDK to the default directory, you may need to edit SIMPLELINK_SDK_INSTALL_DIR in the makefile.

To install Sniffle on a (plugged in) CC26x2 Launchpad using DSLite, run make load within the fw directory. You can also flash the compiled sniffle.out binary using the UniFlash GUI.

If building for or installing on a some variant of Launchpad orhter than CC26x2R, you must specify PLATFORM=xxx, either as an argument to make, or by defining it as an environment variable prior to invoking make. Supported values for PLATFORM are CC2642R1FCC2652R1FCC1352R1F3CC2652RB1F, and CC1352P1F3. Be sure to perform a make clean before building for a different platform.

Sniffer Usage

[[email protected] python_cli]$ ./ –help usage: [-h] [-s SERPORT] [-c {37,38,39}] [-p] [-r RSSI] [-m MAC] [-i IRK] [-a] [-e] [-H] [-l] [-q] [-Q PRELOAD] [-o OUTPUT]Host-side receiver for Sniffle BLE5 snifferoptional arguments: -h, –help show this help message and exit -s SERPORT, –serport SERPORT Sniffer serial port name -c {37,38,39}, –advchan {37,38,39} Advertising channel to listen on -p, –pause Pause sniffer after disconnect -r RSSI, –rssi RSSI Filter packets by minimum RSSI -m MAC, –mac MAC Filter packets by advertiser MAC -i IRK, –irk IRK Filter packets by advertiser IRK -a, –advonly Sniff only advertisements, don’t follow connections -e, –extadv Capture BT5 extended (auxiliary) advertising -H, –hop Hop primary advertising channels in extended mode -l, –longrange Use long range (coded) PHY for primary advertising -q, –quiet Don’t display empty packets -Q PRELOAD, –preload PRELOAD Preload expected encrypted connection parameter changes -o OUTPUT, –output OUTPUT PCAP output file name

Scanner Usage

usage: [-h] [-s SERPORT] [-c {37,38,39}] [-r RSSI] [-l]Scanner utility for Sniffle BLE5 snifferoptional arguments: -h, –help show this help message and exit -s SERPORT, –serport SERPORT Sniffer serial port name -c {37,38,39}, –advchan {37,38,39} Advertising channel to listen on -r RSSI, –rssi RSSI Filter packets by minimum RSSI -l, –longrange Use long range (coded) PHY for primary advertising

The scanner command line arguments work the same as the sniffer. The purpose of the scanner utility is to gather a list of nearby devices advertising, and actively issue scan requests for observed devices, without having the deluge of fast scrolling data you get with the sniffer utility. The hardware/firmware will enter an active scanning mode where it will report received advertisements, issue scan requests for scannable ones, and report received scan responses. The scanner utility will record and report observed MAC addresses only once without spamming the display. Once you’re done capturing advertisements, press Ctrl-C to stop scanning and report the results. The scanner will show the last advertisement and scan response from each target. Scan results will be sorted by RSSI in descending order.

Usage Examples

Sniff all advertisements on channel 38, ignore RSSI < -50, stay on advertising channel even when CONNECT_REQs are seen.

./ -c 38 -r -50 -a

Sniff advertisements from MAC 12:34:56:78:9A:BC, stay on advertising channel even when CONNECT_REQs are seen, save advertisements to data1.pcap.

./ -m 12:34:56:78:9A:BC -a -o data1.pcap

Sniff BT5 extended advertisements and connections from nearby (RSSI >= -55) devices.

./ -r -55 -e

Obtaining the IRK

If you have a rooted Android phone, you can find IRKs (and LTKs) in the Bluedroid configuration file. On Android 8.1, this is located at /data/misc/bluedroid/bt_config.conf. The LE_LOCAL_KEY_IRK specifies the Android device’s own IRK, and the first 16 bytes of LE_KEY_PID for every bonded device in the file indicate the bonded device’s IRK. Be aware that keys stored in this file are little endian, so the byte order of keys in this file will need to be reversed. For example, the little endian IRK 22BC0E3F2EACF08EE36B865553EA0B4E needs to be changed to 4E0BEA5355866BE38EF0AC2E3F0EBC22 (big endian) when being passed to Sniffle with the -i option.

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

15 + 11 =