前言
Ubertooth One 是一款软硬件开源的蓝牙抓包器,我们本教程将采用:学习使用、分析代码、分析硬件设计、自己制作一款抓包器的路径来展开。
1、编译 Ubertooth tools
1.1、准备工作
Ubertooth 需要用到 Ubertooth tools,该工具依赖 libbtbb (蓝牙 baseband 库),这两个工程都需要自己编译,因此,第一步需要安装为了编译上述工程的工具:
Debian 10 / Ubuntu 20.04 / Kali
sudo apt install cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev wget
pkg-config python3-numpy python3-qtpy python3-distutils python3-setuptools
1.2、编译安装 libbtbb
Bluetooth baseband library (libbtbb) 主要用来解码蓝牙数据包,编译安装操作如下:
wget https://github.com/greatscottgadgets/libbtbb/archive/2020-12-R1.tar.gz -O libbtbb-2020-12-R1.tar.gz
tar -xf libbtbb-2020-12-R1.tar.gz
cd libbtbb-2020-12-R1
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
1.3、编译安装 Ubertooth tools
Ubertooth 工程包含 host 端代码,主要提供:抓取蓝牙数据包、配置 Ubertooth、升级固件,编译安装操作如下:
wget https://github.com/greatscottgadgets/ubertooth/releases/download/2020-12-R1/ubertooth-2020-12-R1.tar.xz
tar -xf ubertooth-2020-12-R1.tar.xz
cd ubertooth-2020-12-R1/host
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
1.4、Wireshark 插件
建议用 2.2+ 版本的 Wireshark,自带插件。下面我写了个脚本,可以一键运行并调用 Wireshark 进行抓包。
➜ bluetooth cat ubertooth_wireshark.sh
#!/bin/bash
sudo rm -rf /tmp/pipe
sudo mkfifo /tmp/pipe
echo the mac address is: $2
echo '''
HOW TO SET WIRESHARK:
1.Click Edit -> Preferences
2.Click Protocols -> DLT_USER
3.Click Edit (Encapsulations Table)
4.Click New
5.Under DLT, select "User 0 (DLT=147)" (adjust this selection as appropriate if the error message showed a different DLT number than 147)
6.Under Payload Protocol, enter: btle
7.Click OK
8.Click OK
'''
sudo killall wireshark
sudo wireshark -k -i /tmp/pipe &
echo "reset ubertooth"
sudo ubertooth-util -r
if [ "$2" != "NULL" ];then
echo "-t<address> set connection following target (example: -t22:44:66:88:aa:cc/48)"
sudo ubertooth-btle -t $2
fi
if [ "$1" == "-p" ];then
echo "-p promiscuous: sniff active connections"
sudo ubertooth-btle -p -I -c /tmp/pipe
elif [ "$1" == "-n" ];then
echo "-n don't follow, only print advertisements"
sudo ubertooth-btle -n -c /tmp/pipe
elif [ "$1" == "-f" ];then
echo "-f follow connections"
sudo ubertooth-btle -f -I -c /tmp/pipe
else
echo "INPUT_ERROR: sudo bash ubertooth_wireshark.sh -f BC:23:4C:00:00:01"
exit 1
fi
echo the mac address is: $2
1.5、更新固件
当完全安装好 Ubertooth tools 之后,需要将固件更新到和上面工具软件相匹配的版本(参考第2.1节)。
2、更新及开发固件
2.1、更新固件
获取最新版本的 Ubertooth,然后解压进入 ubertooth-one-firmware-bin 目录,之后运行:
$ ubertooth-dfu -d bluetooth_rxtx.dfu -r
Switching to DFU mode...
Checking firmware signature
........................................
........................................
................
设备将会自动进入 DFU 模式然后更新固件。
注:在处于非 DFU 模式,可以用 ubertooth-util -v 获取固件的信息。
2.2、开发固件
安装支持 ARM Cortex-M3 工具链:
sudo apt-get install gcc-arm-none-eabi libnewlib-arm-none-eabi
或这直接下载:https://launchpad.net/gcc-arm-embedded
编译:
cd firmware/bluetooth_rxtx/
make
烧写:
ubertooth-dfu -d bluetooth_rxtx.dfu -r
3、效果展示
运行抓包命令:
sudo bash ubertooth_wireshark.sh -f dc:23:4D:0c:2f:5f
自动调用 wireshark 显示数据:
附录
1.完整代码(GITHUB):https://github.com/greatscottgadgets/ubertooth
2.ubertooth 主页:https://greatscottgadgets.com/ubertoothone/
- : uBertooth 是一千元以下的开源蓝牙抓包器,实际使用存在一定的丢包率~
- 专业抓包,还要买 Ellisys 之类的几万或几十万的工具~
