$ blucat services
#Listing all services
+,702C1F168502, "[Refrigerator] Samsung", Trusted:false, Encrypted:false
-,"Generic Access Profile", "", btl2cap://702C1F168502:001f
-,"Audio Source", "", btl2cap://702C1F168502:0019
-,"AVRCP TG", "", btl2cap://702C1F168502:0017
-,"Generic Attribute Profile", "", btl2cap://702C1F168502:001f
#Scanning RFCOMM Channels 1-30
btspp://702C1F168502:1 -> Failed to open connection(3)
btspp://702C1F168502:2 -> Failed to open connection(3)
btspp://702C1F168502:3 -> Failed to open connection(3)
btspp://702C1F168502:4 -> Failed to open connection(3)
btspp://702C1F168502:5 -> Failed to open connection(3)
btspp://702C1F168502:6 -> Failed to open connection(3)
btspp://702C1F168502:7 -> Failed to open connection(3)
btspp://702C1F168502:8 -> Failed to open connection(3)
btspp://702C1F168502:9 -> Failed to open connection(3)
btspp://702C1F168502:10 -> Failed to open connection(3)
btspp://702C1F168502:11 -> Failed to open connection(3)
btspp://702C1F168502:12 -> Failed to open connection(3)
btspp://702C1F168502:13 -> Failed to open connection(3)
btspp://702C1F168502:14 -> Failed to open connection(3)
btspp://702C1F168502:15 -> Failed to open connection(3)
btspp://702C1F168502:16 -> Failed to open connection(3)
btspp://702C1F168502:17 -> Failed to open connection(3)
btspp://702C1F168502:18 -> Failed to open connection(3)
btspp://702C1F168502:19 -> Failed to open connection(3)
btspp://702C1F168502:20 -> Failed to open connection(3)
btspp://702C1F168502:21 -> Failed to open connection(3)
btspp://702C1F168502:22 -> Failed to open connection(3)
btspp://702C1F168502:23 -> Failed to open connection(3)
btspp://702C1F168502:24 -> Failed to open connection(3)
btspp://702C1F168502:25 -> Failed to open connection(3)
btspp://702C1F168502:26 -> Failed to open connection(3)
btspp://702C1F168502:27 -> Failed to open connection(3)
btspp://702C1F168502:28 -> Failed to open connection(3)
btspp://702C1F168502:29 -> Failed to open connection(3)
btspp://702C1F168502:30 -> Failed to open connection(3)
#Scanning L2CAP Channels 0-65000
btl2cap://702C1F168502:0 -> Open Channel!!! BluetoothL2CAPClientConnection
btl2cap://702C1F168502:1 -> Open Channel!!! BluetoothL2CAPClientConnection
btl2cap://702C1F168502:2 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:4 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:5 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:6 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:7 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:8 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:9 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:10 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:11 -> Open Channel!!! BluetoothL2CAPClientConnection
btl2cap://702C1F168502:12 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:13 -> Failed to open connection(2) [0xe00002c1]
btl2cap://702C1F168502:14 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:15 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:16 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:17 -> Open Channel!!! BluetoothL2CAPClientConnection
btl2cap://702C1F168502:18 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:19 -> Open Channel!!! BluetoothL2CAPClientConnection
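
When auditing what a device really exposes over Bluetooth, it helps to reconcile the two halves of this output. The following Python script is an added example, not part of blucat or the original post: it parses the listing and scan line formats shown above and reports channels that answered the scan but do not appear in the service listing. The names `reconcile` and `norm` are hypothetical, and it assumes channel fields can be compared as text once zero padding is stripped.

```python
import re

# Trimmed excerpt of the refrigerator output above (most failed channels omitted).
SAMPLE = """\
+,702C1F168502, "[Refrigerator] Samsung", Trusted:false, Encrypted:false
-,"Generic Access Profile", "", btl2cap://702C1F168502:001f
-,"Audio Source", "", btl2cap://702C1F168502:0019
-,"AVRCP TG", "", btl2cap://702C1F168502:0017
btspp://702C1F168502:1 -> Failed to open connection(3)
btl2cap://702C1F168502:0 -> Open Channel!!! BluetoothL2CAPClientConnection
btl2cap://702C1F168502:1 -> Open Channel!!! BluetoothL2CAPClientConnection
btl2cap://702C1F168502:2 -> Failed to open connection(2) [0xe00002c7]
btl2cap://702C1F168502:11 -> Open Channel!!! BluetoothL2CAPClientConnection
btl2cap://702C1F168502:17 -> Open Channel!!! BluetoothL2CAPClientConnection
btl2cap://702C1F168502:19 -> Open Channel!!! BluetoothL2CAPClientConnection
"""

DEVICE = re.compile(r'^\s*\+,(\w+),\s*"([^"]*)",\s*Trusted:(\w+),\s*Encrypted:(\w+)')
SERVICE = re.compile(r'^\s*-,"([^"]*)",\s*"[^"]*",\s*(bt\w+)://(\w+):(\w+)')
# Accepts "->" as well as the escaped "-\>" that copied output sometimes carries.
SCAN = re.compile(r'^\s*(bt\w+)://(\w+):(\w+)\s+-\\?>\s+(Open|Failed)')

def norm(chan):
    # Assumption: "0017" in the listing and "17" in the scan name the same channel.
    return chan.lstrip("0").lower() or "0"

def reconcile(text):
    """Map each device address to its advertised services and unadvertised open channels."""
    devices = {}
    def dev(addr):
        return devices.setdefault(
            addr, {"name": None, "encrypted": None, "advertised": {}, "open": set()})
    for line in text.splitlines():
        if m := DEVICE.match(line):
            entry = dev(m[1])
            entry["name"] = m[2]
            entry["encrypted"] = (m[4] == "true")
        elif m := SERVICE.match(line):   # lines whose URL is "null" do not match
            dev(m[3])["advertised"][(m[2], norm(m[4]))] = m[1]
        elif (m := SCAN.match(line)) and m[4] == "Open":
            dev(m[2])["open"].add((m[1], norm(m[3])))
    for entry in devices.values():
        entry["unadvertised"] = sorted(entry["open"] - set(entry["advertised"]))
    return devices

if __name__ == "__main__":
    for addr, entry in reconcile(SAMPLE).items():
        print(addr, entry["name"], "encrypted:", entry["encrypted"])
        for scheme, chan in entry["unadvertised"]:
            print(f"  open but not in the service listing: {scheme}://{addr}:{chan}")
```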


Here is a scan of the Moto 360 Wearable running Android.

+,544A16XXXXXX, "Moto 360 XXXX", Trusted:false, Encrypted:false
-,"Android Network User", "", btl2cap://544A16XXXXXX:000f
-,"AV Remote Control Target", "", btl2cap://544A16XXXXXX:0017
-,"Advanced Audio", "", btl2cap://544A16XXXXXX:0019
-,"", "", btl2cap://544A16XXXXXX:001f
-,"", "", btl2cap://544A16XXXXXX:0017
-,"", "", btl2cap://544A16XXXXXX:001f


So I recently heard about the FireChat application and was interested because it was very similar to a project that I worked on using blucat, “Wireless Message Dissemination via Selective Relay over Bluetooth”.

I was told about this analysis done by “nameless” that used blucat so I figured I would put it here and quote some of the printouts. Find the article here: http://breizh-entropy.org/~nameless/random/posts/firechat_and_nearby_communication/ (Backup link)

$ blucat services 3C8BFE5CD677  
Listing all services
+,3C8BFE5CD677, "nameless", Trusted:false, Encrypted:false
-,"Headset Gateway", "", btspp://3C8BFE5CD677:2
-,"Handsfree Gateway", "", btspp://3C8BFE5CD677:3
-,"AV Remote Control Target", "", btl2cap://3C8BFE5CD677:0017
-,"Advanced Audio", "", btl2cap://3C8BFE5CD677:0019
-,"", "", btl2cap://3C8BFE5CD677:0017
-,"Android Network Access Point", "", btl2cap://3C8BFE5CD677:000f
-,"MAP SMS/MMS", "", btgoep://3C8BFE5CD677:4
-,"MAP EMAIL", "", btgoep://3C8BFE5CD677:5
-,"OBEX Phonebook Access Server", "", btgoep://3C8BFE5CD677:19
-,"OBEX Object Push", "", btgoep://3C8BFE5CD677:12
-,"", "", btspp://3C8BFE5CD677:15
-,"FireChat", "", btspp://3C8BFE5CD677:6

Here are some protocol views of the application that “nameless” found.

$ blucat -url btspp://3C8BFE5CD677:15
[received] {"t":246039.375,"uuid":"!'AX.]!F!+:KIGJO","user":"plopinou","msg":"Lorem ipsum","firechat":"Nearby","name":"plop"}
$ blucat -url btspp://3C8BFE5CD677:15
[...]
[sent] {"t":246040.0,"uuid":"123456","user":"teletrollix","msg":"trololo","firechat":"Nearby","name":"generalol"}
$ blucat -url btspp://3C8BFE5CD677:15
[...]
[received] {"t":254533.78125,"uuid":"=G95udh9s}#uhE","user":"plopinou","msg":"Plop","firechat":"hdhdusuwhwhsudusbshsiw","name":"plop"}
$ blucat -url btspp://3C8BFE5CD677:15
[...]
[received] {"t":246494.15625,"uuid":"zn4!Q#4S~#X5,-mQ","user":"plopinou","msg":"Hey joe","firechat":"Everyone","name":"plop"}
[sent]     {"t":246500.0,"uuid":"jhzfjff","user":"teletrollix","msg":"IMPOSSIBRU","firechat":"Everyone","name":"generalol"}


Here is a scan of a pair of Google Glasses taken in August 2013.

#Listing all services
+,F88FCAAAAAAA, "NAME REMOVED's Glass", Trusted:false, Encrypted:false
-,"Handsfree", "", btspp://F88FCAAAAAAA:13
-,"Glass Identity", "", btspp://F88FCAAAAAAA:14

wiimote-762302
$ blucat services
 #Listing all services
 +,001B7A2879AA, "Nintendo RVL-CNT-01", Trusted:false, Encrypted:false, NA
 -,"", "", null
 -,"Nintendo RVL-CNT-01", "", btl2cap://001B7A2879AA:0011
 -,"", "", null

 

 

$ blucat scan 001B7A2879AA
 #Scanning RFCOMM Channels 1-30
 #Scanning L2CAP Channels 0-65000
 btl2cap://001B7A2879AA:1 -> Open Channel!!!
 btl2cap://001B7A2879AA:11 -> Open Channel!!!
 btl2cap://001B7A2879AA:13 -> Open Channel!!!

alcatel-onetouch-665
9471ACAAAAAA, "Alcatel one touch 665A", ...
"AUDIO Gateway", "", btspp://9471ACDBACAD:1
"OBEX Object Push", "", btgoep://9471ACDBACAD:4
"Serial Port0", "", btspp://9471ACDBACAD:11
"Dial-up Networking", "", btspp://9471ACDBACAD:9
"Voice gateway", "", btspp://9471ACDBACAD:2

This device accepts Hayes AT commands on channel 11:

$ ./blucat -url btspp://9471ACAAAAAA:11
AT+CGMI
+CGMI: Alcatel
OK
AT+CGMM
+CGMM: one touch 665A
OK
AT+CGMR
+CGMR: Alcatel 010 04, 2012/03/05 14:56
OK

6300
30F306AAAAAA, "Officejet 6300 series", Trusted:false, ...
 "OBEX Object Push", "", btgoep://30F306598203:2
 "Serial Port", "", btspp://30F306598203:1
 "Basic Printing", "", btgoep://30F306598203:4
 "Basic Imaging", "", btgoep://30F306598203:3

To print ASCII to this printer, connect like this:

$ ./blucat -url btspp://30F306598203:1

Nexus-4
$ blucat services
 #Listing all services
 +,00000000CAFE, "The Engineer", Trusted:true, Encrypted:false, NA
 -,"OBEX Message Access SMS/MMS Server", "", btgoep://00000000CAFE:16
 -,"OBEX Phonebook Access Server", "", btgoep://00000000CAFE:19
 -,"OBEX Object Push", "", btgoep://00000000CAFE:12
 -,"Headset Gateway", "", btspp://00000000CAFE:2
 -,"OBEX Message Access E-Mail Server", "", btgoep://00000000CAFE:17
 -,"Handsfree Gateway", "", btspp://00000000CAFE:3

When connected to on its Handsfree channel, the device responds to some Hayes AT commands:

$ ./blucat -url btspp://00000000CAFE:3 -v
 #Waiting for connection
 #Connected
 AT
 AT+

ERROR
 AT*

#Error: Connection is closed

Now we can try some commands that work:

AT+CNUM 
"16175555555",129,,4

AT+CIND=?
("call",(0,1)),("callsetup",(0-3)),("service",(0-1)),("signal",(0-5)),("roam",(0,1)),("battchg",(0-5)),("callheld",(0-2))