UBERTOOTH-RX(1) User Commands UBERTOOTH-RX(1)

NAME
ubertooth-rx(1) - Classic Bluetooth discovery, sniffing, and decoding

SYNOPSIS
    ubertooth-rx [ -l <lap> [ -u <uap> ] ]
    ubertooth-rx -z

DESCRIPTION
ubertooth-rx(1) is the primary interface into Classic Bluetooth (BR)
functionality provided by Ubertooth. It has two main modes of operation:
piconet following and survey mode. In either mode, ubertooth-rx(1) is
able to discover undiscoverable devices. See DISCOVERING UNDISCOVERABLE
DEVICES.

In piconet following mode, the tool will follow the first piconet it
fully identifies. In survey mode the device will attempt to identify
all piconets in a given area and display them after either a timeout or
manual interruption.

Piconet following is the main mode entered when no arguments are passed
to the command or a LAP and optionally a UAP are provided. If no
arguments are passed, the tool will attempt to calculate the UAP for any
observed LAPs. If a LAP is passed, the UAP will be calculated for that
specific LAP. Once a LAP and UAP have been recovered, the tool will
attempt to recover the clock value, and if that succeeds it will follow
that piconet.

Survey mode, entered using -z, will record all LAPs and attempt to
calculate the UAPs for any observed LAPs. This mode can be combined with
a timeout using -t, and it can be interrupted at any time using ctrl-C.

EXAMPLES
Follow the first piconet whose LAP, UAP, and clock are recovered from
the air:

    ubertooth-rx

For a given LAP, calculate the UAP and recover the clock, then follow:

    ubertooth-rx -l 112233

For a given LAP and UAP, recover the clock then follow:

    ubertooth-rx -l 112233 -u ab

Enter survey mode for 20 seconds, and print out the BD ADDRs of all
observed piconets:

    ubertooth-rx -z -t 20

OPTIONS
Major modes:

· -l <lap> : Limit UAP recovery, clock recovery, and piconet following to
  a given LAP. Format is 3 bytes / 6 hex characters.

· -u <uap> : Limit clock recovery and piconet following to a given UAP.
  Must be used in conjunction with -l. Format is 1 byte / 2 hex
  characters.

· -z : Survey mode: recover all LAP and UAP pairs and display them. Will
  run indefinitely until interrupted with ctrl-C unless paired with -t.

Options:

· -i <input> : Input file. If not specified will perform live capture
  using Ubertooth.

· -c <0-79> : Fixed channel for all major modes. If not specified will
  sweep through all channels.

· -e <0-4> : Maximum access code bit errors. [Default: 2]

· -t <seconds> : Timeout in seconds. If not specified will run
  indefinitely. Suggested values for -z: 20-60 seconds.

Output options:

· -r <file.pcapng> : Capture packets to PcapNG

· -q <file.pcap> : Capture packets to PCAP

· -d <file.bin> : Capture packets to binary file suitable for use with
  -i.

Miscellaneous:

· -V : Version information

· -U<0-7> : Which Ubertooth device to use

DISCOVERING UNDISCOVERABLE DEVICES
Classic Bluetooth piconets are defined by the Lower Address Part (LAP)
and Upper Address Part (UAP) of the master device. These are elements
of the master device's Bluetooth Address (BD ADDR).

Consider the following BD ADDR:

    22:44:66:88:AA:BB

The lower address part (LAP) is the lower 24 bits, so 88:AA:BB. In the
context of this tool, the value is written 88AABB. The upper address
part (UAP) is the next 8 bits, so 66. The 22:44 is called the
Non-significant Address Part (NAP) and, as you might imagine, it is not
significant.

In piconet following mode, the tool will recover LAP values from the
air and attempt to calculate the UAP from those. It will go on to
follow the piconet if it can recover the clock value. In survey mode,
the tool will simply recover LAP and UAP values.

To convert LAP + UAP pairs back into Bluetooth addresses, do the
reverse of the above. For example, if the tool recovers a LAP of 36A2B4
and a UAP of 98, the associated Bluetooth address is ??:??:98:36:A2:B4.
Any value can be substituted into the ?? slots and most Bluetooth tools
will still work. For example, hcitool name 00:00:98:36:A2:B4 will
establish a connection to the device and return its name.

This attack works against discoverable and undiscoverable devices
alike.

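The following Python sketch is an added example, not part of this manual page or of the Ubertooth project. It applies the address layout described above to an inventory check: LAP and UAP pairs recovered in survey mode are compared against a list of known BD ADDRs while ignoring the NAP. All function names are hypothetical and the sample data is constructed from the addresses used in the text.

```python
import re

def _check_hex(name, value, width):
    # -l takes 6 hex characters and -u takes 2, per the OPTIONS section.
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % width, value):
        raise ValueError(f"{name} must be {width} hex characters: {value!r}")
    return value.upper()

def split_bd_addr(addr):
    """Split 'NN:NN:UU:LL:LL:LL' into (nap, uap, lap) hex strings."""
    octets = addr.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a BD ADDR: {addr!r}")
    octets = [_check_hex("octet", o, 2) for o in octets]
    return "".join(octets[:2]), octets[2], "".join(octets[3:])

def join_lap_uap(lap, uap, nap="0000"):
    """Rebuild an address from a LAP and UAP; the NAP is only a filler."""
    raw = _check_hex("NAP", nap, 4) + _check_hex("UAP", uap, 2) + _check_hex("LAP", lap, 6)
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def unknown_piconets(observed, inventory):
    """Return addresses for observed (lap, uap) pairs absent from inventory.

    The NAP is ignored when comparing because it is not recovered from the air.
    """
    known = {split_bd_addr(a)[1:] for a in inventory}  # {(uap, lap), ...}
    flagged = []
    for lap, uap in observed:
        addr = join_lap_uap(lap, uap)  # validates both fields
        if split_bd_addr(addr)[1:] not in known:
            flagged.append(addr)
    return flagged

# Constructed sample data, reusing the addresses from the text above.
INVENTORY = ["22:44:66:88:AA:BB"]
OBSERVED = [("88aabb", "66"), ("36A2B4", "98")]

if __name__ == "__main__":
    for addr in unknown_piconets(OBSERVED, INVENTORY):
        print("not in inventory:", addr)
```
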
SEE ALSO
ubertooth-scan(1): active device scanning and inquiry using Ubertooth
and BlueZ

ubertooth(7): overview of Project Ubertooth

D. Spill and A. Bittau. "BlueSniff: Eve Meets Alice and Bluetooth."
USENIX WOOT 2007.

AUTHOR
This manual page was written by Mike Ryan.

COPYRIGHT
ubertooth-rx(1) is Copyright (c) 2010-2017 Michael Ossmann, Dominic
Spill, and others. This tool is released under the GPLv2. Refer to
COPYING for further details.

Project Ubertooth March 2017 UBERTOOTH-RX(1)