Primary Use Case

This tool is primarily used by security researchers, developers, and engineers to monitor, analyze, and test Bluetooth Low Energy communications, including non-standard protocols. It enables detailed BLE packet sniffing with channel hopping tracking and flexible packet transmission for testing and development purposes.

Key Features

Full Software Defined Radio implementation of BLE PHY and upper layers in C

Supports BLE standard 1Mbps GFSK PHY and all ADV and DATA channel link layer packet formats in Core_V4.0

BLE sniffer (btle_rx) capable of automatic channel hopping tracking

Universal BLE packet transmitter (btle_tx) supporting standard and raw bit mode for arbitrary GFSK packets

Compatible with HackRF and bladeRF SDR hardware

Includes BTLE baseband algorithms in Python and Verilog with FPGA and open source PDK implementations

Configurable RX gain, LNA gain, and amplification settings for optimized performance

Matlab scripts included for algorithm evaluation and analysis

Insights & Recommendations

Users should carefully tune RX and LNA gain settings to avoid distortion and ensure optimal performance. Modifying HackRF driver source code can improve operation speed but requires recompilation of both the HackRF library and BTLE. The tool requires compatible SDR hardware (HackRF or bladeRF) and proper driver installation before use.

Installation

Ensure SDR hardware drivers and libraries (HackRF or bladeRF) are installed and configured
Clone the repository: git clone https://github.com/JiaoXianjun/BTLE.git
Navigate to host directory: cd BTLE/host
Create build directory: mkdir build
Enter build directory: cd build
Run cmake for HackRF (default): cmake ../
Or run cmake for bladeRF: cmake ../ -DUSE_BLADERF=1
Compile the project: make
Run the sniffer: ./btle-tools/src/btle_rx
Optionally, modify hackrf/host/libhackrf/src/hackrf.c for faster operation and recompile HackRF library

Usage

./btle-tools/src/btle_rx

Start BLE packet sniffing on default advertising channel 37

./btle-tools/src/btle_tx 37-DISCOVERY-TxAdd-1-RxAdd-0-AdvA-010203040506-LOCAL_NAME09-SDR/Bluetooth/Low/Energy r500

Transmit BLE discovery packets on advertising channel with specified device name

-h or --help

Print all arguments and usage information

-c or --chan <0~39>

Specify BLE channel number to sniff or transmit on (default 37)

-g or --gain <0-62 for HackRF, 0-66 for bladeRF>

Set receiver gain in dB for optimal signal reception

-l or --lnaGain <0-40> (HackRF only)

Set Low Noise Amplifier gain in dB

-b or --amp

Enable amplifier on HackRF (default off)

-a or --access <access address>

Set access address for data channel sniffing (default 8e89bed6 for ADV channels)

-k or --crcinit <crc init>

Set CRC initialization value for data channel sniffing (default 555555 for ADV channels)

-v or --verbose

Enable verbose mode for detailed error and status output

-r or --raw

Print raw 42 bytes after access address detection without parsing

-f or --freq_hz <frequency in Hz>

Override channel setting by specifying exact frequency

Smart Usage Notes

Leverage BTLE to simulate BLE-based attacks during red team exercises to assess BLE security posture.Integrate BTLE with SIEM tools to enhance detection of anomalous BLE traffic in enterprise environments.Use BTLE's raw bit transmission capability to test and harden BLE device firmware against protocol fuzzing.Employ BTLE for continuous monitoring of BLE communications in sensitive environments to detect rogue devices.Combine BTLE with automated scripts to perform scheduled BLE reconnaissance and vulnerability assessments.

OpenSec Atlas

BTLE

About This Tool

Primary Use Case

Key Features

Insights & Recommendations

Installation

Usage

Smart Usage Notes

Security Capability Profile

Tags

You Might Also Like