Ubertooth One Guide

This guide shows how to install/setup Ubertooth one, a 2.4 GHz wireless development platform device, and its plugins. This tutorial will detail on how to sniff Bluetooth Low Energy packets and how to crack the encryption of a BLE connection.
Please note that all the information provided is only tested on Ubuntu 20.04 TLS. For other operating systems, you may need to make some changes. Ubertooth one documentation can be found here.

Step 1: Install Prerequisites and Ubertooth

• Prerequisites
  There are some prerequisites that need to be installed before building libbtbb and the Ubertooth tools:

 sudo apt install cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev wget \
  pkg-config python3-numpy python3-qtpy python3-distutils python3-setuptools

• libbtbb

the Bluetooth baseband library (libbtbb) needs to be built for the Ubertooth tools to decode Bluetooth packets:

wget https://github.com/greatscottgadgets/libbtbb/archive/2020-12-R1.tar.gz -O libbtbb-2020-12-R1.tar.gz
tar -xf libbtbb-2020-12-R1.tar.gz
cd libbtbb-2020-12-R1
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

• Ubertooth

Ubertooth contains host code for sniffing Bluetooth packets, configuring the Ubertooth and updating firmware. All three are built and installed by default using the following method:

wget https://github.com/greatscottgadgets/ubertooth/releases/download/2020-12-R1/ubertooth-2020-12-R1.tar.xz
tar -xf ubertooth-2020-12-R1.tar.xz
cd ubertooth-2020-12-R1/host
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

Step 2: Update Firmware

Plug the Ubertooth one using a USB port. Go to the directory that you have installed Ubertooth, and update the firmware by:

cd ubertooth-2020-12-R1/ubertooth-one-firmware-bin
$ ubertooth-dfu -d bluetooth_rxtx.dfu -r

You should see something like:

Step 3: Capturing Packets

• Test

Make sure your Ubertooth One is plugged in and execute:

ubertooth-rx

You should see a continuous output that looks like:

You should see various random LAPs detected. In the output ch represents the channel used by the device referenced in the LAP value. The channel hopping is clearly comprehensible. Clkn indicates the master’s clock, while s references the signal strength and n state the value of noise. Following that the snr value represents the signal-to-noise ratio.
Due to uncertainties in identifying Bluetooth packets without prior knowledge of an address, it is normal for this process to identify false positives. Error correction should mitigate this problem, but a small number of false positives may still be seen. When you see the same LAP detected more than once, that is very likely an actual Bluetooth transmission. Once you have seen a LAP multiple times, you can be confident that it is a genuine Bluetooth piconet. To find the next byte of the address, the UAP, we can use:

ubertooth-rx -l [LAP] 

In this mode ubertooth-rx only detects packets from the given piconet and uses them to determine the next byte of the address and some of the internal clock value.

• spectrum

you can also see the ubertooth spectrum analysis with:

ubertooth-specan-ui

you should see something like this:

• BTLE

Once a BLE connection is established (on the advertising channel the device has been listening to), Ubertooth will follow the hops along the data channels capturing the transmissions between the devices. Per default, Ubertooth can be used to follow any connection it observes randomly. Naturally, the device can be restricted to observe a specific device by providing the BD_ADDR of the device in question. The general syntax of the corresponding command looks like:

ubertooth-btle -f <BD_ADDR> 

for my Sumup device, the command looks like this:

ubertooth-btle -f E9:DF:3F:18:73:64

This will produce a continuous output in the console:

Furthermore, it is possible to redirect the output into a file or a pipe. To achieve this, the syntax requires this generic command:

ubertooth-btle -f <BD_ADDR> -c <file or pipe> 

Which is as following for the Sumup device output in a pipe:

ubertooth-btle -f E9:DF:3F:18:73:64 -c /tmp/pipe

or .pcap file:

ubertooth-btle -f E9:DF:3F:18:73:64 -c btle.cap

you can generate .pcap output as well.

Step 4: Wireshark

• Plugin

Users of Wireshark version 2.2+ do not need to build any plugins at all and may skip this section. I did not need this section, but if you do, find the relevant steps here.

• Capturing

Make a pipe as follows:

mkfifo /tmp/pipe

Pipe is a buffer for inter-process communication. One process can send data to it, and another process can read it.
In the Wireshark, Open Capture Options => Manage Interface => Pipes => New Pipe => add “/tmp/pipe” => save => close => start

In a terminal, run ubertooth-btle:

ubertooth-btle -f -c /tmp/pipe

You should see packets in the Wireshark. More details can be found here.

Step 5: Kismet

Kismet-Ubertooth identifies not only the LAP but also the 8 bit Upper Address Part (UAP) of detected devices as it is able. This is done by analysing the timing and other characteristics of multiple packets over time.

• Uninstall previous versions

first uninstall any kismet version you have by:

sudo rm -rfv /usr/local/bin/kismet* /usr/local/share/kismet* /usr/local/etc/kismet* /usr/src/kismet

• Install dependencies

sudo apt install build-essential git libwebsockets-dev pkg-config zlib1g-dev libnl-3-dev libnl-genl-3-dev libcap-dev libpcap-dev libnm-dev libdw-dev libsqlite3-dev libprotobuf-dev libprotobuf-c-dev protobuf-compiler protobuf-c-compiler libsensors4-dev libusb-1.0-0-dev python3 python3-setuptools python3-protobuf python3-requests python3-numpy python3-serial python3-usb python3-dev python3-websockets librtlsdr0 libubertooth-dev libbtbb-dev

• Install Kismet

I highly recommend to clone it from the git as the downloaded .tar.xf versions can not build (It is a common issue. It turns out that sometimes the website version is not updated and can make trouble).

cd /usr/src 
git clone https://www.kismetwireless.net/git/kismet.git
cd kismet 
./configure 
make 

You can accelerate the process by adding -j #, depending on how many CPUs you have. To automatically compile on all the available cores:

make -j$(nproc)

If you encounter errors about missing header files (foo.h not found for example), try removing all .d files and running make again:

rm *.d

Then continue by:

make plugins
sudo make suidinstall

Finally, you need to add the pcapng log type to the configurations. The log config file is in a different place in the new version. In /usr/local/etc: you can see a kismet.conf file that contains all the configurations. If you open this file, you can see that the logging configuration is set to be in the kismet_logging.conf. if you nano it, you can add any logging file you want to the kismet logging system. The default one is .kismet that cannot be opened via Wireshark. So, we need to add a log type understood by Wireshark, pcapng:

Log_types: kismet,pcapng 

In the log_prefix you can also set the path where you want your logs to be stored. You probably want to remove the kismet log type from the above since we do not use it.

• Run Kismet Web Server

To start the Kismet web server, run:

kismet

Then, open http://localhost:2501/ to set it up. You need to set a username and password for your login.

• Add Ubertooth Device

To add the Ubertooth device to the Kismet, run:

kismet -c ubertooth  

If you look into your terminal, you can see that a log file has been generated. If you open the Kismet web server on http://localhost:2501/, you should be able to select Ubertooth in the datasource in the devices.

Note: In the Ubertooth One tutorials, it was mentioned to install the kismet plugin for Ubertooth. But as I looked into the latest versions, it seems like it is supported by default. But for any reason if you think you should still do this step, either watch this video or follow these steps. I followed the video and still cannot $make && make install in the /ubertooth-2020-12-R1/host/kismet/plugin-ubertooth. But still, I get the .pcapng log file that can be used later.

Step 6: Crackle

Crackle is a tool that attempts to decrypt BLE Encryption. Crackle is the right tool if you have captured a connection based on BLE Legacy Pairing. It cannot decrypt LE Secure Connections based transmissions. The capture must include the pairing process otherwise it's not going to work. Capturing a pairing process is difficult, so you have to keep trying!

• Install crackle
  Run the following commands:

git clone https://github.com/mikeryan/crackle.git 
cd crackle 
make

• Exploit BLE

Now that you have your output log file either by BTLE or Kismet (.pcap or .pcapng), you can use the latest version of the tool by executing this command:

./crackle -i <your_file.pcapng>