
Bluetooth sniffing and packet decoding

Posted: Sat Aug 16, 2014 2:52 am
by N2TOH
I'm looking to determine what all the outputs from the SONY NSG-MR5U remote control are. This thing is a nifty remote control for an interactive TV set top box; I find the remote to be more interesting than the actual product. But as usual SONY is very tight lipped about their product specs, so it seems the only way to gain the information is by reverse engineering the product.

Other options would be welcome.

Re: Bluetooth sniffing and packet decoding

Posted: Sat Aug 16, 2014 6:35 am
by jump
Sniffing Bluetooth with an SDR is really a tough job because of the 80 MHz bandwidth and the really fast channel hopping system.
It would require 3 bladeRF for the task and I am not sure that USB3 would not become the bottleneck.

You should first try to avoid dealing with the air protocol by pairing the remote with your computer and sniffing Bluetooth packets with Wireshark.
This way you would be able to see what kind of services the device exposes. There are a lot of tools under Linux to play with Bluetooth devices (just grab a Kali Linux ISO, as most of the tools are already there).

Re: Bluetooth sniffing and packet decoding

Posted: Mon Aug 18, 2014 6:42 am
by N2TOH
That's the problem: it will not pair to a computer. The best I could do is pair it with its SONY set top box.

Re: Bluetooth sniffing and packet decoding

Posted: Mon Aug 18, 2014 1:43 pm
by jump
According to what I have read, the remote is using a Bluetooth 3.0 chipset so you'll need a Bluetooth 3.0 or 4.0 chipset to pair with the remote.
Bluetooth also allows several pairing methods and you'll have to figure out which one is being enforced by the remote.
It is a bit painful to do, but you have everything you need under Linux to spoof a device and make that remote think your computer is the set top box and pair with it.

If you really want to sniff the air protocol, consider the Ubertooth option, but depending on the security mode that is being used by the remote, you may not be able to see packets in the clear. In addition, I honestly don't know the capability of Ubertooth to follow High Speed connections (that's what was introduced with the Bluetooth 3.0 specs). But I doubt that a remote requires more than 1 Mbps.

And if you really want to try bladeRF to sniff Bluetooth, you can give GNU Radio and gr-bluetooth a try. I have a GNU Radio 3.7 compatible version in my github account: https://github.com/jmichelp/gr-bluetooth
But keep in mind that even at full bandwidth you will only see a bit less than 50% of the communication (36 MHz out of 80 MHz).
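As an added illustration of the coverage figure in the post above (this is not code from the thread or from gr-bluetooth): classic Bluetooth uses 79 channels centred at 2402 + k MHz, and the script below works out which of them fall inside a capture window and how many receivers of a given bandwidth would be needed to see the whole band. The 36 MHz window centred mid-band and the 28 MHz per-receiver bandwidth are assumed figures, not values from the thread.

```python
import math
from typing import List

# Classic Bluetooth (BR/EDR) channel plan: 79 channels, 1 MHz apart,
# channel k centred at 2402 + k MHz (k = 0..78). The thread rounds the
# 79 MHz span up to "80 MHz".
BT_BASE_MHZ = 2402
BT_CHANNELS = 79
BT_SPAN_MHZ = BT_CHANNELS


def channel_freq_mhz(k: int) -> int:
    """Centre frequency of classic Bluetooth channel k."""
    if not 0 <= k < BT_CHANNELS:
        raise ValueError(f"channel {k} out of range 0..{BT_CHANNELS - 1}")
    return BT_BASE_MHZ + k


def channels_in_view(center_mhz: float, bandwidth_mhz: float) -> List[int]:
    """Channel indices whose centre frequency lies inside a capture window.

    The window is [center - bw/2, center + bw/2]. Channels exactly on the
    edge are counted, although filter roll-off makes them marginal in practice.
    """
    lo = center_mhz - bandwidth_mhz / 2
    hi = center_mhz + bandwidth_mhz / 2
    return [k for k in range(BT_CHANNELS) if lo <= channel_freq_mhz(k) <= hi]


def coverage_fraction(center_mhz: float, bandwidth_mhz: float) -> float:
    """Fraction of hop slots visible, assuming hops are spread uniformly over
    all 79 channels (i.e. ignoring adaptive frequency hopping)."""
    return len(channels_in_view(center_mhz, bandwidth_mhz)) / BT_CHANNELS


def sdrs_needed(bandwidth_mhz: float) -> int:
    """Receivers of the given bandwidth needed to cover the full channel plan."""
    return math.ceil(BT_SPAN_MHZ / bandwidth_mhz)


if __name__ == "__main__":
    # Assumed figures: a 36 MHz capture centred mid-band (2441 MHz) and a
    # hypothetical 28 MHz-wide receiver.
    seen = channels_in_view(2441, 36)
    print(f"channels {seen[0]}..{seen[-1]} in view ({len(seen)} of {BT_CHANNELS}), "
          f"coverage {coverage_fraction(2441, 36):.1%}")
    print(f"28 MHz receivers needed for the full band: {sdrs_needed(28)}")
```

With the assumed 36 MHz window the script reports 37 of 79 channels, about 47%, which matches the "a bit less than 50%" figure in the post.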