BOSS Experiments

Common Bluetooth BOSS Devices

BOSS Slave and Master

Running BOSS Slave

Sample Trace

root@santosh-Latitude-3570:~/Boss# ubertooth-btle -S6b:8e:d3:d6:38:64 -U1

.... Initiating Advertising State -- BOSS ....

Set on Channel: 962 (h)
Advertising mode - BOSS
Got a Packet, BOSS SLAVE
systime=1531198024 freq=2426 addr=8e89bed6 delta_t=75195.967 ms rssi=-22
Raw pkt:d6 be 89 8e 05 22 6b 8e d3 d6 38 64 6b 8e d3 d6 38 55 d6 be 89 8e 55 55 55 07 37 04 7f 04 05 00 74 07 ff ff ff ff ff 0d 8f d2 38
Payload: 05 22 6b 8e d3 d6 38 64 6b 8e d3 d6 38 55 d6 be 89 8e 55 55 55 07 37 04 7f 04 05 00 74 07 ff ff ff ff ff 0d 8f d2 38
Advertising / AA 8e89bed6 (valid)/ 34 bytes
Channel Index: 38
Type: CONNECT_REQ
InitA: 64:38:d6:d3:8e:6b (public)
AdvA: 55:38:d6:d3:8e:6b (public)
AA: 8e89bed6
CRCInit: 555555
WinSize: 07 (7)
WinOffset: 0437 (1079)
Interval: 047f (1151)
Latency: 0005 (5)
Timeout: 0774 (1908)
ChM: ff ff ff ff ff
Hop: 13
SCA: 0, 251 ppm to 500 ppm

Data: 6b 8e d3 d6 38 64 6b 8e d3 d6 38 55 d6 be 89 8e 55 55 55 07 37 04 7f 04 05 00 74 07 ff ff ff ff ff 0d
CRC: 8f d2 38

Connection mode - BOSS
Slave connection is creat
Got a Packet, BOSS SLAVE
systime=1531198024 freq=2432 addr=8e89bed6 delta_t=62.536 ms rssi=-22
Raw pkt:d6 be 89 8e 01 00 a9 e4 8f
Payload: 01 00 a9 e4 8f
Data / AA 8e89bed6 (invalid) / 0 bytes
Channel Index: 13
LLID: 1 / LL Data PDU / empty or L2CAP continuation
NESN: 0 SN: 0 MD: 0

Data:
CRC: a9 e4 8f

Got a Packet, BOSS SLAVE
systime=1531198030 freq=2458 addr=8e89bed6 delta_t=6516.085 ms rssi=-20
Raw pkt:d6 be 89 8e 01 00 a9 e4 8f
Payload: 01 00 a9 e4 8f
Data / AA 8e89bed6 (invalid) / 0 bytes
Channel Index: 26
LLID: 1 / LL Data PDU / empty or L2CAP continuation
NESN: 0 SN: 0 MD: 0

Data:
CRC: a9 e4 8f

Got a Packet, BOSS SLAVE
systime=1531198034 freq=2408 addr=8e89bed6 delta_t=3853.776 ms rssi=-19
Raw pkt:d6 be 89 8e 01 00 a9 e4 8f
Payload: 01 00 a9 e4 8f
Data / AA 8e89bed6 (invalid) / 0 bytes
Channel Index: 2
LLID: 1 / LL Data PDU / empty or L2CAP continuation
NESN: 0 SN: 0 MD: 0

Running BOSS Master

Sample Trace

root@santosh-Latitude-3570:~/Boss# ubertooth-btle -M6b:8e:d3:d6:38:64 -m6b:8e:d3:d6:38:55 -U0


InitA set to (master Adr): 6b:8e:d3:d6:38:64
H sending Control: 6b:8e:d3:d6:38:55:
AdvA set to (slave Adr): 6b:8e:d3:d6:38:55
Initiating state - BOSS
systime=1531198024 freq=2426 addr=8e89bed6 delta_t=65142.994 ms rssi=-22
Raw pkt:d6 be 89 8e 00 09 64 38 d6 d3 8e 6b 02 02 02 64 73 74
Payload: 00 09 64 38 d6 d3 8e 6b 02 02 02 64 73 74
Advertising / AA 8e89bed6 (valid)/ 9 bytes
Channel Index: 38
Type: ADV_IND
AdvA: 6b:8e:d3:d6:38:64 (public)
AdvData: 02 02 02
Type 02 (16-bit Service UUIDs, more available)

Data: 64 38 d6 d3 8e 6b 02 02 02
CRC: 64 73 74

Connection mode - BOSS
Master connection is crea
systime=1531198024 freq=2432 addr=8e89bed6 delta_t=264.910 ms rssi=-22
Raw pkt:d6 be 89 8e 01 00 a9 e4 8f
Payload: 01 00 a9 e4 8f
Data / AA 8e89bed6 (invalid) / 0 bytes
Channel Index: 13
LLID: 1 / LL Data PDU / empty or L2CAP continuation
NESN: 0 SN: 0 MD: 0

Data:
CRC: a9 e4 8f

BOSS & Commodity Devices

BOSS and Fitbit

  • Exchange control packets (ADV_IND and CONNECT_REQ). DONE
  • Receive a data packet from the Fitbit on a data channel. SOMETIMES
  • Fixes needed:
    • Ellisys reports our T_IFS as longer than 152 µs; the spec requires 150 µs between packets.
    • At this point the iPhone and the Fitbit negotiate encryption (LLCP and L2CAP), and the traffic is encrypted from then on, which BOSS cannot follow without an encryption implementation.

Sample Trace:

ubertooth-btle -Md5:29:62:c3:11:11 -m6b:8e:d3:d6:38:55
InitA set to (master Adr): d5:29:62:c3:11:11
H sending Control: 6b:8e:d3:d6:38:55:
AdvA set to (slave Adr): 6b:8e:d3:d6:38:55
Initiating state - BOSS
r ADVtype(as):40
, ADVtype(as):00
,systime=1514388336 freq=2402 addr=8e89bed6 delta_t=1168.626 ms rssi=-16
Raw pkt:d6 be 89 8e 40 24 11 11 c3 62 29 d5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e 00 fb ab ad 08 16 0a 18 16 04 5e 00 03 b4 8e c8 
Payload: 40 24 11 11 c3 62 29 d5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e 00 fb ab ad 08 16 0a 18 16 04 5e 00 03 b4 8e c8 
Advertising / AA 8e89bed6 (valid)/ 36 bytes
Channel Index: 37
Type: ADV_IND
AdvA: d5:29:62:c3:11:11 (random)
AdvData: 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e 00 fb ab ad 08 16 0a 18 16 04 5e 00 03
Type 01 (Flags)
00000110
LE General Discoverable Mode
BR/EDR Not Supported
Type 06 (128-bit Service UUIDs, more available)
adabfb00-6e7d-4601-bda2-bffaa68956ba
Type 16 (Service Data)
UUID: 180a, Additional: 16 04 5e 00 03
Data: 11 11 c3 62 29 d5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e 00 fb ab ad 08 16 0a 18 16 04 5e 00 03
CRC: b4 8e c8
Connection mode - BOSS
Master connection is created
systime=1514388346 freq=2432 addr=8e89bed6 delta_t=10022.669 ms rssi=-68
Raw pkt:d6 be 89 8e ba 0e a5 f6 17 6e 9f fb 24 03 cf e3 08 c5 8a a1 db ef 65 
Payload: ba 0e a5 f6 17 6e 9f fb 24 03 cf e3 08 c5 8a a1 db ef 65 
Data / AA 8e89bed6 (invalid) / 14 bytes
Channel Index: 13
LLID: 2 / LL Data PDU / L2CAP start
NESN: 0 SN: 1 MD: 1
Data: a5 f6 17 6e 9f fb 24 03 cf e3 08 c5 8a a1
CRC: db ef 65

  • Conclusion: successfully transitioned from the control exchange to the data exchange, but an encryption implementation is needed to carry on.

BOSS and iPhone

  • BOSS master: captures the advertising packet and replies with a CONNECT_REQ, but nothing happens once the data exchange should start.
  • BOSS slave: cannot capture a specific advertisement, because the iPhone's Bluetooth address is not fixed (the trace below shows a random address), unlike the Ubertooth device's.
  • Suggestion: BOSS needs a scanning phase that captures the iPhone's current Bluetooth address and then uses it to capture that iPhone's advertising packets.
ahesham:~ ahesham$ ubertooth-btle -M58:3a:c3:33:3d:86 -m6b:8e:d3:d6:38:55 
InitA set to (master Adr): 58:3a:c3:33:3d:86
H sending Control: 6b:8e:d3:d6:38:55:
AdvA set to (slave Adr): 6b:8e:d3:d6:38:55
Initiating state - BOSS
r ADVtype(as):40
, ADVtype(as):00
,systime=1514386674 freq=2402 addr=8e89bed6 delta_t=283.895 ms rssi=-20
Raw pkt:d6 be 89 8e 40 14 86 3d 33 c3 3a 58 02 01 1a 0a ff 4c 00 10 05 07 10 5d b1 9c b5 41 ea 
Payload: 40 14 86 3d 33 c3 3a 58 02 01 1a 0a ff 4c 00 10 05 07 10 5d b1 9c b5 41 ea 
Advertising / AA 8e89bed6 (valid)/ 20 bytes
Channel Index: 37
Type: ADV_IND
AdvA: 58:3a:c3:33:3d:86 (random)
AdvData: 02 01 1a 0a ff 4c 00 10 05 07 10 5d b1 9c
Type 01 (Flags)
00011010
LE General Discoverable Mode
Simultaneous LE and BR/EDR to Same Device Capable (Controller)
Simultaneous LE and BR/EDR to Same Device Capable (Host)
Type ff (Manufacturer Specific Data)
Company: Apple, Inc.
Data: 10 05 07 10 5d b1 9c
Data: 86 3d 33 c3 3a 58 02 01 1a 0a ff 4c 00 10 05 07 10 5d b1 9c
CRC: b5 41 ea
Connection mode - BOSS
Master connection is crea
  • Conclusion: received the ADV_IND and responded with a CONNECT_REQ, but was never able to follow through on the data channels or make the Ubertooth appear in the iPhone's list of discovered Bluetooth devices. The latter might be due to software and feature checks on something in the connection.
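The dissection that ubertooth-btle performs on the traces above, together with the scanning phase suggested for the iPhone, as an added Python example; this is not part of the BOSS tool or the Ubertooth code base. It re-parses the "Raw pkt:" lines from the slave, master, Fitbit and iPhone traces (access address, header, payload, CRC), checks the CRC-24 using the advertising init value or the CRCInit carried in the CONNECT_REQ, and applies the spec's access-address rules, which is what makes ubertooth-btle tag the BOSS data packets "(invalid)": BOSS reuses the advertising access address 0x8e89bed6 for the connection itself. select_target() is a hypothetical sketch, not project code: it picks a target by the Apple company ID in the manufacturer-specific data instead of by a fixed address, as the suggestion above describes. Addresses are printed the way ubertooth-btle prints them (last wire byte first); note that the BOSS CONNECT_REQ in the slave trace carries InitA/AdvA with the opposite byte order from the addresses given on the command line.

```python
# Added example for this page, not part of BOSS or the Ubertooth tools: field layouts and
# CRC follow the Bluetooth Core Spec (Vol 6, Part B); sample packets are copied from the
# "Raw pkt:" lines above; select_target() is a hypothetical sketch of the suggested scan phase.
import struct

ADV_AA = 0x8E89BED6        # access address of every advertising-channel packet
ADV_CRC_INIT = 0x555555    # CRC init for advertising PDUs; data PDUs use the CONNECT_REQ CRCInit
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
             4: "SCAN_RSP", 5: "CONNECT_REQ", 6: "ADV_SCAN_IND"}

def ble_crc24(crc_init, pdu):
    """CRC-24 (x^24+x^10+x^9+x^6+x^4+x^3+x+1) over header+payload, bits consumed LSB first.
    Reflected form: bit-reverse the init; the result equals the wire CRC bytes read little-endian."""
    state = int(f"{crc_init & 0xFFFFFF:024b}"[::-1], 2)
    for byte in pdu:
        for _ in range(8):
            feedback = (state ^ byte) & 1
            byte >>= 1
            state >>= 1
            if feedback:
                state ^= 0xDA6000          # reflected polynomial taps
    return state

def aa_valid(aa):
    """Data-channel access address rules (Vol 6 Part B, 2.1.2). BOSS reuses the advertising
    AA for its connection, which is why ubertooth-btle tags its data packets (invalid)."""
    bits = f"{aa:032b}"
    return not (aa == ADV_AA or bin(aa ^ ADV_AA).count("1") == 1
                or "0000000" in bits or "1111111" in bits            # >6 equal bits in a row
                or len({(aa >> s) & 0xFF for s in (0, 8, 16, 24)}) == 1  # all four octets equal
                or sum(bits[i] != bits[i + 1] for i in range(31)) > 24   # >24 transitions
                or sum(bits[i] != bits[i + 1] for i in range(5)) < 2)    # <2 in the top 6 bits

def fmt_addr(raw):
    """Address the way ubertooth-btle prints it: last wire byte first."""
    return ":".join(f"{b:02x}" for b in raw[::-1])

def fmt_uuid128(raw):
    """128-bit UUID from its little-endian wire form."""
    h = raw[::-1].hex()
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"

def parse_adv_data(ad):
    """Split AdvData into (AD type, value) pairs; stop at a zero or overrunning length."""
    out, i = [], 0
    while i < len(ad) and ad[i] and i + 1 + ad[i] <= len(ad):
        out.append((ad[i + 1], bytes(ad[i + 2:i + 1 + ad[i]])))
        i += 1 + ad[i]
    return out

def parse_packet(raw, kind="adv", crc_init=ADV_CRC_INIT):
    """Dissect AA + header + payload + CRC. kind is "adv" or "data"; for data packets pass
    the CRCInit from the CONNECT_REQ that set the connection up."""
    aa, header, length = int.from_bytes(raw[0:4], "little"), raw[4], raw[5]
    body = raw[6:6 + length]
    wire_crc = int.from_bytes(raw[6 + length:9 + length], "little")
    pkt = {"aa": aa, "length": length, "wire_crc": wire_crc,
           "crc_ok": ble_crc24(crc_init, raw[4:6 + length]) == wire_crc}
    if kind == "data":                     # header: LLID(2) NESN SN MD
        pkt.update(llid=header & 3, nesn=(header >> 2) & 1, sn=(header >> 3) & 1,
                   md=(header >> 4) & 1, payload=bytes(body), aa_valid=aa_valid(aa))
        return pkt
    pdu_type = header & 0x0F               # header: PDU type(4) RFU(2) TxAdd RxAdd
    pkt.update(type=PDU_TYPES.get(pdu_type, f"RESERVED_{pdu_type}"),
               tx_add="random" if header & 0x40 else "public", aa_valid=aa == ADV_AA)
    if pdu_type == 5:                      # CONNECT_REQ: InitA, AdvA, 22-byte LLData
        conn_aa, ci, ws, wo, iv, lat, to, chm, hs = struct.unpack("<I3sBHHHH5sB", body[12:34])
        pkt.update(init_a=fmt_addr(body[0:6]), adv_a=fmt_addr(body[6:12]), conn_aa=conn_aa,
                   crc_init=int.from_bytes(ci, "little"), win_size=ws, win_offset=wo,
                   interval=iv, latency=lat, timeout=to, ch_map=chm.hex(),
                   hop=hs & 0x1F, sca=hs >> 5)
    else:                                  # ADV_IND and friends: AdvA + AdvData
        pkt.update(adv_a=fmt_addr(body[0:6]), ad=parse_adv_data(body[6:]))
    return pkt

def select_target(adv_packets, company_id):
    """Hypothetical scanning phase: (AdvA, address type) of the first ADV_IND whose manufacturer
    data (AD type 0xff) carries company_id, so a phone that rotates its random address can
    still be picked out before the CONNECT_REQ is built."""
    for raw in adv_packets:
        pkt = parse_packet(raw)
        for ad_type, value in pkt.get("ad", []):
            if (pkt["type"] == "ADV_IND" and ad_type == 0xFF
                    and int.from_bytes(value[:2], "little") == company_id):
                return pkt["adv_a"], pkt["tx_add"]
    return None

# Sample packets copied from the traces on this page.
BOSS_CONNECT_REQ = bytes.fromhex(
    "d6 be 89 8e 05 22 6b 8e d3 d6 38 64 6b 8e d3 d6 38 55 d6 be 89 8e 55 55 55 07 37 04"
    " 7f 04 05 00 74 07 ff ff ff ff ff 0d 8f d2 38")
EMPTY_DATA_PDU = bytes.fromhex("d6 be 89 8e 01 00 a9 e4 8f")
FITBIT_ADV_IND = bytes.fromhex(
    "d6 be 89 8e 40 24 11 11 c3 62 29 d5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e"
    " 00 fb ab ad 08 16 0a 18 16 04 5e 00 03 b4 8e c8")
IPHONE_ADV_IND = bytes.fromhex(
    "d6 be 89 8e 40 14 86 3d 33 c3 3a 58 02 01 1a 0a ff 4c 00 10 05 07 10 5d b1 9c b5 41 ea")

if __name__ == "__main__":
    print(parse_packet(BOSS_CONNECT_REQ))
    print(parse_packet(EMPTY_DATA_PDU, kind="data", crc_init=0x555555))  # CRCInit from the CONNECT_REQ
    print(fmt_uuid128(parse_packet(FITBIT_ADV_IND)["ad"][1][1]))
    print(select_target([FITBIT_ADV_IND, IPHONE_ADV_IND], company_id=0x004C))  # Apple = 0x004c
```

The CRC check on a data packet is only meaningful with the CRCInit from the CONNECT_REQ that opened the connection; the BOSS slave trace shows 555555, so the empty data PDUs there verify, whereas the Fitbit data packet cannot be checked from this page alone because the CRCInit BOSS sent in that run is not shown.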