/SightProxy

temporary


To install:

This is highly experimental and should only be used by researchers who know exactly what they are doing. By using any of this information or source code you accept all associated risks. If you are unsure then please do not continue.

If everything works, you will be able to connect the handset, and the data it sends over the RFCOMM socket will be output as a hex dump.

There are various other features which can emulate one or both sides of the connection.

Linux:

I used a Raspberry Pi 2 with Raspbian jessie installed and two CSR 4.0 micro dongles. These are currently the best-selling USB Bluetooth dongles on Amazon at approximately 7 euros each. They identify as using the CSR8510 A10 chipset.

I think it should work on Debian jessie too, but the script relies on some defaults of the Bluetooth subsystem. For example, there is already a PnP service record on handle 0x10000 that we can reuse.

Preparation:

Bluetooth needs to be set up to provide the features we need.

Use your favorite editor to edit: dbus-org.bluez.service

sudo nano /etc/systemd/system/dbus-org.bluez.service

Change the line which begins ExecStart to look like this:

ExecStart=/usr/lib/bluetooth/bluetoothd --compat --experimental

Insert a Bluetooth dongle which is fairly recent; a CSR chipset BT 4.x dongle should work. You probably need to restart the bluetooth service or reboot to ensure the new settings are in use.

Compiling joh-sdptool:

You need a patched version of sdptool to set uint16 attributes. I call this joh-sdptool.

sudo apt-get install -y build-essential glib2.0-dev libdbus-1-dev libical-dev
sudo apt-get install -y libreadline-dev libudev-dev bluetooth libbluetooth-dev
mkdir work
cd work
wget http://www.kernel.org/pub/linux/bluetooth/bluez-5.45.tar.xz
tar -xJvf bluez-5.45.tar.xz
cd bluez-5.45

Copy the sdptool.patch file into the bluez-5.45/tools folder:

cp ../../sdptool.patch tools
cd tools
patch <sdptool.patch
cd ..

Now compile bluez; we are really only interested in sdptool and bdaddr though:

./configure  --enable-experimental --enable-deprecated
make

Once compiled, install it somewhere:

sudo cp tools/sdptool /usr/local/bin/joh-sdptool

Check that it works and that your Bluetooth stack is up and running:

joh-sdptool browse local

If you get an error like:

Failed to connect to SDP server on FF:FF:FF:00:00:00: No such file or directory

Did you reboot after adjusting your Bluetooth configuration? Try a reboot.

If you are using two Bluetooth dongles and you somehow get sold two with the same MAC address (which happened to me), you can change the MAC address of one of them using, e.g.:

tools/bdaddr -i hciX 00:11:22:33:44:55

Python install:

Now make sure you have Python 2.x installed:

sudo apt-get install -y python python-pip

Use pip to install hexdump, logger, pybluez, pycrypto and requests:

sudo pip install hexdump
sudo pip install logger
sudo pip install pybluez
sudo pip install pycrypto
sudo pip install requests

Starting it up as a mitm proxy:

To start the script, replace the xx's with your actual pump MAC address (see the proxy section below for details on obtaining the MAC):

sudo bash sight-proxy.sh xx:xx:xx:xx:xx:xx --mitm-proxy

Go through the pairing process on both of your devices at the same time, but connect each of them to the proxy's Bluetooth name instead of to the other, so that the proxy sits between them. Press the confirm button on the pump a few seconds before the one on the client. You should see data start appearing in the terminal, and the decoded data will appear in the logs/app*.log file. Remember to unpair and re-pair them directly with each other when you are finished.
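The core of the proxy step described above, as an added example that is not the project's own sight-proxy.py: a select loop that relays frames between the handset-side and pump-side sockets and hex-dumps each frame with a direction tag. It uses socket.socketpair() stand-ins for the two RFCOMM sockets (an assumption; pybluez sockets expose the same recv/sendall calls), so it runs without Bluetooth hardware.

```python
import select
import socket
import threading

def hexdump(tag, data):
    """Format one frame as the proxy logs it: direction tag, offset, hex bytes,
    printable ASCII, 16 bytes per line. Returns the lines."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexs = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%s %04x  %-47s  %s" % (tag, off, hexs, text))
    return lines

def relay(handset, pump, log, bufsize=1024):
    """Forward frames between the two sockets until either side closes.
    handset -> pump frames are logged '>>>', pump -> handset frames '<<<'."""
    while True:
        readable, _, _ = select.select([handset, pump], [], [])
        for sock in readable:
            data = sock.recv(bufsize)
            if not data:                       # peer closed: stop proxying
                return
            if sock is handset:
                log.extend(hexdump(">>>", data))
                pump.sendall(data)
            else:
                log.extend(hexdump("<<<", data))
                handset.sendall(data)

def demo_exchange(request, reply):
    """Drive relay() over socket.socketpair() stand-ins (constructed) for the
    two RFCOMM sockets: the handset side sends `request`, the pump side answers
    `reply`. Returns (bytes the pump saw, bytes the handset saw, log lines)."""
    handset_app, handset_proxy = socket.socketpair()
    pump_proxy, pump_app = socket.socketpair()
    log = []
    worker = threading.Thread(target=relay, args=(handset_proxy, pump_proxy, log))
    worker.start()
    handset_app.sendall(request)
    seen_by_pump = pump_app.recv(1024)
    pump_app.sendall(reply)
    seen_by_handset = handset_app.recv(1024)
    handset_app.close()                        # handset hangs up; relay returns
    worker.join()
    for sock in (handset_proxy, pump_proxy, pump_app):
        sock.close()
    return seen_by_pump, seen_by_handset, log
```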

Starting it up as a pump emulator:

sudo bash sight-proxy.sh emulate

Output should look similar to that of the proxy below, except that in the logs you will see:

<<<-----E

To indicate that the reply was generated by the emulator.

If you have problems discovering your emulated pump, you may also need to edit /etc/machine-info as root (create the file if it doesn't exist) and add a line which says:

PRETTY_HOSTNAME="PUMP32014627"

and then reboot the system. This may have an impact beyond just Bluetooth naming, so beware of that.

Starting it up as a proxy:

First you need to know the real MAC address of your pump device. To get this, put it into pairing mode and then try either

hcitool scan

or

hcitool inq

until you can determine the MAC address.

Then start the script (replacing the xx's with your actual MAC address):

sudo bash sight-proxy.sh xx:xx:xx:xx:xx:xx

The shell script will set up some parameters, prepare the SDP records so they look as they should, and launch the Python script that provides the local RFCOMM socket.

If everything worked during setup then you should see a line which says:

Starting proxy
Waiting on channel 1

And then below this you should see exactly this:

Sequence
	Attribute 0x0000 - ServiceRecordHandle
		UINT32 0x00010000
	Attribute 0x0001 - ServiceClassIDList
		Sequence
			UUID16 0x1200 - PnPInformation
	Attribute 0x0005 - BrowseGroupList
		Sequence
			UUID16 0x1002 - PublicBrowseGroup
	Attribute 0x0200
		UINT16 0x0103
	Attribute 0x0201
		UINT16 0x173a
	Attribute 0x0202
		UINT16 0x0052
	Attribute 0x0203
		UINT16 0x0100
	Attribute 0x0204
		Bool True
	Attribute 0x0205
		UINT16 0x0002
Service Search failed: Invalid argument
Sequence
	Attribute 0x0000 - ServiceRecordHandle
		UINT32 0x00010001
	Attribute 0x0001 - ServiceClassIDList
		Sequence
			UUID16 0x1101 - SerialPort
	Attribute 0x0004 - ProtocolDescriptorList
		Sequence
			Sequence
				UUID16 0x0100 - L2CAP
			Sequence
				UUID16 0x0003 - RFCOMM
				UINT8 0x01
	Attribute 0x0005 - BrowseGroupList
		Sequence
			UUID16 0x1002 - PublicBrowseGroup
	Attribute 0x0006 - LanguageBaseAttributeIDList
		Sequence
			UINT16 0x656e
			UINT16 0x006a
			UINT16 0x0100
	Attribute 0x0009 - BluetoothProfileDescriptorList
		Sequence
			Sequence
				UUID16 0x1101 - SerialPort
				UINT16 0x0100
	Attribute 0x0100
		String PUMP-MDL
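A check to run on the `joh-sdptool browse local` output before pairing, as an added example that is not part of the SightProxy scripts: it parses the dump into records and confirms that the PnP record sits on handle 0x00010000, that the SerialPort record advertises RFCOMM channel 1, and that the service name is PUMP-MDL. The embedded sample is a constructed, abbreviated copy of the dump above.

```python
import re

ATTR = re.compile(r"^\s+Attribute (0x[0-9a-f]{4})", re.I)
VALUE = re.compile(r"^\s+(UINT32|UINT16|UUID16|UINT8|String|Bool) (\S+)")
# Constructed, abbreviated copy of the sdptool output shown above (tab-indented).
SAMPLE_DUMP = """Sequence
\tAttribute 0x0000 - ServiceRecordHandle
\t\tUINT32 0x00010000
\tAttribute 0x0001 - ServiceClassIDList
\t\tSequence
\t\t\tUUID16 0x1200 - PnPInformation
Sequence
\tAttribute 0x0000 - ServiceRecordHandle
\t\tUINT32 0x00010001
\tAttribute 0x0001 - ServiceClassIDList
\t\tSequence
\t\t\tUUID16 0x1101 - SerialPort
\tAttribute 0x0004 - ProtocolDescriptorList
\t\tSequence
\t\t\tSequence
\t\t\t\tUUID16 0x0003 - RFCOMM
\t\t\t\tUINT8 0x01
\tAttribute 0x0100
\t\tString PUMP-MDL
"""

def parse_sdp_dump(text):
    """Split sdptool browse output into records: {attr_id: [(type, value), ...]}."""
    records, attr = [], None
    for line in text.splitlines():
        if line.startswith("Sequence"):          # unindented: start of a record
            records.append({})
            attr = None
        elif records and (m := ATTR.match(line)):
            attr = int(m.group(1), 16)
            records[-1][attr] = []
        elif attr is not None and (m := VALUE.match(line)):
            records[-1][attr].append((m.group(1), m.group(2)))
    return records

def check_proxy_records(text):
    """Return (pnp_on_handle_0x00010000, serialport_on_rfcomm_channel_1, service_name)."""
    by_class = {int(u, 16): r for r in parse_sdp_dump(text) for _, u in r.get(0x0001, [])}
    pnp, spp = by_class.get(0x1200, {}), by_class.get(0x1101, {})
    pnp_ok = pnp.get(0x0000, [("", "")])[0][1] == "0x00010000"
    vals = spp.get(0x0004, [])                   # ProtocolDescriptorList
    chan = next((int(vals[i + 1][1], 16) for i, (t, u) in enumerate(vals[:-1])
                 if t == "UUID16" and int(u, 16) == 0x0003), None)  # RFCOMM, then channel
    name = spp.get(0x0100, [("", None)])[0][1]    # ServiceName
    return pnp_ok, chan == 1, name
```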

Now you can take your handset, remove the current pairing, add a new device and select the Linux device; at that point you will start to see data appear in the hexdump output. Good luck!

Logs will be stored in a folder named logs, created in the current directory.

General Analysis

The equipment manufacturer should be congratulated on an effective and elegant design with a well engineered execution.

The security model is good. Data is very well protected against eavesdropping, errors and other random glitches.

There is no way using any of the tools contained here to perform any unauthorized operation.

Only devices which have been intentionally paired by the user have the ability to make a connection.

Limitations:

The scripts are very simple prototypes without any error checking; either it works straight off or some missing component will completely prevent it from working.

It's possible my patches to sdptool are too simplistic and only work on little-endian machines, so they will work on a Raspberry Pi but not on a PC. This needs checking.

I have only tested this in a multi-dongle configuration, it may work with just a single dongle but I thought two was more likely to succeed.

If you run this inside a virtual machine you may find that your host machine messes with the Bluetooth adapter, making it non-discoverable, etc.

To do:

Currently this is a proof of concept only.