How to Ubertooth BR/EDR Sniff
Overview
I recently tried sniffing Bluetooth packets with an Ubertooth.
As far as we know, Ubertooth has provided sniffing capabilities for Bluetooth Low Energy (BLE), and in a recent update firmware was developed that also allows sniffing of Bluetooth Classic (BR/EDR) packets.
This firmware is included in the 2020-12-R1 release, but it is not the default application, so you build it yourself and flash it to your Ubertooth device.
Build Firmware
Before building the firmware, download the official git repository and follow the steps below.
Building the Ubertooth firmware may require some essential packages, which are listed in the documentation below.
https://ubertooth.readthedocs.io/en/latest/building_from_git.html
apt install gcc-arm-none-eabi libnewlib-arm-none-eabi
Flash Firmware
If the Build Firmware step compiled your firmware successfully, you should have a btbr.dfu file in your current working directory.
![[Figure 1] btbr.dfu (ubertooth/firmware/btbr/btbr.dfu)](https://prod-files-secure.s3.us-west-2.amazonaws.com/ddfb90e3-766a-4fa2-b58c-bd09d4b4e865/e3ac6bcb-1849-4b4d-822c-983393ee907a/btbr.png)
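The build and flash steps above as one script; this is an added example, not code from the original post or from the Ubertooth project. It assumes the host tools are already installed as described in the linked documentation; the helper function names and the `UBERTOOTH_SRC` variable are hypothetical, and `ubertooth-dfu -d <file> -r` and `ubertooth-util -v` are the stock host tools for flashing and for printing the running firmware version.

```bash
#!/usr/bin/env bash
# Added example: build the btbr firmware, sanity-check the image, flash it.
# Helper names and UBERTOOTH_SRC are assumptions made for this sketch.
REPO_URL="https://github.com/greatscottgadgets/ubertooth.git"
DFU_REL="firmware/btbr/btbr.dfu"   # path shown in Figure 1

# Fail early if the ARM cross toolchain from the apt step is missing.
check_toolchain() {
    command -v arm-none-eabi-gcc >/dev/null 2>&1 || {
        echo "arm-none-eabi-gcc not found; install gcc-arm-none-eabi" >&2
        return 1
    }
}

# Refuse a missing or empty image, and print its SHA-256 so the flashed
# build can be recorded alongside any captures taken with it.
verify_dfu() {
    local dfu="$1"
    [ -f "$dfu" ] || { echo "no such image: $dfu" >&2; return 1; }
    [ -s "$dfu" ] || { echo "image is empty: $dfu" >&2; return 1; }
    sha256sum "$dfu" | cut -d' ' -f1
}

# Clone the repository if it is not there yet, then build only btbr.
build_btbr() {
    local src="$1"
    [ -d "$src/.git" ] || git clone "$REPO_URL" "$src" || return 1
    make -C "$src/firmware/btbr"
}

# -d writes the image, -r resets the device so it re-enumerates.
flash_btbr() {
    ubertooth-dfu -d "$1" -r || return 1
    sleep 2
    ubertooth-util -v   # prints the firmware version now running
}

main() {
    local src="${UBERTOOTH_SRC:-$PWD/ubertooth}" sum
    check_toolchain || return 1
    build_btbr "$src" || return 1
    sum=$(verify_dfu "$src/$DFU_REL") || return 1
    echo "btbr.dfu sha256: $sum"
    flash_btbr "$src/$DFU_REL"
}

# Only touch the network and the device when explicitly asked to.
case "${1:-}" in --flash) main ;; esac
```

Run it with `--flash` to perform the whole sequence; without arguments it only defines the functions.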
Sniffing BR/EDR
If the firmware was flashed successfully, ubertooth-dfu prints the detach message as its last log line and exits. Afterwards, the Ubertooth device reconnects automatically with the new firmware.
Now that my Ubertooth device is configured to sniff BR/EDR Bluetooth packets, I can run the tool with the following command:
ubertooth-btbr
![[Figure 2] ubertooth-btbr](https://prod-files-secure.s3.us-west-2.amazonaws.com/ddfb90e3-766a-4fa2-b58c-bd09d4b4e865/77a306d4-4398-4080-9a5b-2556ae7dc43d/ubertooth-btbr.png)