Finally, and to say merry Xmas, here it is: how to turn an ordinary USB dongle with a Cambridge Silicon Radio chipset into the FTS4BT sniffing dongle.

Before we begin I would like to say I do not hold any responsibility for anybody breaking their equipment. You are doing this at your own risk, but hey, for $39 who cares.
I have been reading up on this for a while now and I was reading one of max@remote-exploit's papers where he had changed the firmware using the bluez utilities to make the dongle go into RAW mode or promiscuous mode.
EDIT
Seems I was a bit keen in this tutorial, as it turns out this mod was not successful after all. The reason is that there are two types of BlueCore-4 chipset: BlueCore-4 ROM and BlueCore-4 external. The ROM chip has the firmware embedded on the chip and the EXT model has external memory for the firmware. You need to be able to update the firmware to allow sniffing in Windows.
To find out if you have the right type of chipset, type:
Code:
hciconfig hci* revision
If you see EXT, excellent, but if you see ROM you are a no go. That said, ROM chipsets will still go into RAW mode and the FTS4BT software reads the device as compatible, but calibration crashed for me.
Also, it must be in promiscuous mode, because we see bytes via hciconfig and RAW in the modes??? I'm looking into this more at the moment, so as I learn more I will add to this.
First, let's back up your old firmware with dfutool.
Code:
dfutool -d hci0 archive backold.dfu
Select the number corresponding to your card. Next, let's fire up the card.
This may not make sense now but it will very soon, so pay attention lol. There are multiple places to read bytes on the stick, and the one to use is selected with the -s option of bccmd. Depending on what card you are using these can be different. In general these are "Default" (0x0000), "param" (0x0008), "psi" (0x0001), "psf" (0x0002) and "psrom" (0x0004). If yours is different you can keep trying until you run out of numbers and then take the dongle back.
Now we have to hunt down the values of the USB product and vendor identifiers.
To get the product ID, type:
Code:
bccmd psget -s 0x0000 0x02bf
And you should see:
Code:
USB product identifier: 0x0001 (1)
And now the vendor ID
Code:
bccmd psget -s 0x0000 0x02be
From what I have read, most of the time the stuff you need to edit is on psf 0x0002, but yours may be different. There are only five it can be, though.

Now let's write the new ID:
Code:
bccmd psset -s 0x0000 0x02bf 0x0002
Now check the changes were made
Code:
bccmd psget -s 0x0000 0x02bf
And you should see now
Code:
USB product identifier: 0x0002 (2)
Success !!!!!!
Now, from what I have read, nine times out of ten you don't need to change your vendor ID, but check to see if it's 0x0a12 and if not, change that too.
Code:
bccmd psset -s 0x0000 0x02be 0x0a12
And you are done. There is support for *nux but I have yet to find it. You can still see it sniffing, though: if you keep retyping hciconfig hci0 you will see the TX and RX bytes rising and that you are in RAW mode.
Code:
drgr33n ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41281 acl:0 sco:0 events:0 errors:0
TX bytes:42532 acl:0 sco:0 commands:1971 errors:0
drgr33n ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41293 acl:0 sco:0 events:0 errors:0
TX bytes:42535 acl:0 sco:0 commands:1972 errors:0
drgr33n ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41305 acl:0 sco:0 events:0 errors:0
TX bytes:42538 acl:0 sco:0 commands:1973 errors:0
drgr33n ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41317 acl:0 sco:0 events:0 errors:0
TX bytes:42541 acl:0 sco:0 commands:1974 errors:0
drgr33n ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41329 acl:0 sco:0 events:0 errors:0
TX bytes:42544 acl:0 sco:0 commands:1975 errors:0
More and more stuff is coming out every month on this, so right now it may seem pointless, but give it 6 months and you will be laughing.
Merry Christmas !
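
Rather than retyping hciconfig hci0 and comparing the counters by eye, the RAW flag and byte counters can be checked with a small script. This is an added example, not part of the original post: the function names are hypothetical, and the two sample dumps are the first and last hciconfig outputs shown above.

```shell
# Added example (not from the original post). Function names are hypothetical;
# the sample dumps are the first and last hciconfig outputs shown in the post.

# Read one `hciconfig hciX` dump on stdin; print "<RAW|NORAW> <rx_bytes> <tx_bytes>".
hci_snapshot() {
  awk '
    $1 == "UP" || $1 == "DOWN" { for (i = 1; i <= NF; i++) if ($i == "RAW") raw = 1 }
    /RX bytes:/ { split($2, a, ":"); rx = a[2] }
    /TX bytes:/ { split($2, a, ":"); tx = a[2] }
    END {
      if (rx == "" || tx == "") exit 1   # input was not hciconfig output
      printf "%s %d %d\n", (raw ? "RAW" : "NORAW"), rx, tx
    }'
}

# Compare two snapshots; print "<rx_delta> <tx_delta>".
# Exit 2 if either sample is not in RAW mode, 3 if a counter went backwards
# (the interface was reset between samples, so the delta is meaningless).
hci_delta() (
  read -r m1 rx1 tx1 <<EOF
$1
EOF
  read -r m2 rx2 tx2 <<EOF
$2
EOF
  [ "$m1" = RAW ] && [ "$m2" = RAW ] || exit 2
  [ "$rx2" -ge "$rx1" ] && [ "$tx2" -ge "$tx1" ] || exit 3
  echo "$((rx2 - rx1)) $((tx2 - tx1))"
)

sample_first() { cat <<'EOF'
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41281 acl:0 sco:0 events:0 errors:0
TX bytes:42532 acl:0 sco:0 commands:1971 errors:0
EOF
}
sample_last() { cat <<'EOF'
hci0: Type: USB
BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:41329 acl:0 sco:0 events:0 errors:0
TX bytes:42544 acl:0 sco:0 commands:1975 errors:0
EOF
}
# Live use: s1=$(hciconfig hci0 | hci_snapshot); sleep 5; s2=$(hciconfig hci0 | hci_snapshot)
s1=$(sample_first | hci_snapshot)
s2=$(sample_last | hci_snapshot)
echo "rx/tx byte deltas: $(hci_delta "$s1" "$s2")"
```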