schollz / find-lf

Track the location of every Wi-Fi device (:iphone:) in your house using Raspberry Pis and FIND
https://www.internalpositioning.com/plugins/#using-find-without-an-app
GNU Affero General Public License v3.0
994 stars 123 forks

Add Bluetooth sniffing #3

Open schollz opened 7 years ago

schollz commented 7 years ago

Sniffing

Using a Raspberry Pi 3, compile BlueZ.

Then make sure the Bluetooth adapter is up: sudo hciconfig hci0 up.

Then run btmon in the background: sudo btmon &

Then make a scan using: sudo hcitool lescan or sudo hcitool scan

(Source)

Problem

The RSSI and phone MAC address are only seen when the phone is on the Bluetooth screen. I.e., when any other process is running, it doesn't seem to allow the phone to be discoverable.

When I scan from the Pi3 with sudo hcitool scan, it gives me the following if I'm not on the Bluetooth screen:

$ sudo hcitool scan
Scanning ...
< HCI Command: Inquiry (0x01|0x0001) plen 5                                            [hci0] 97.534966
        Access code: 0x9e8b33 (General Inquiry)
        Length: 10.24s (0x08)
        Num responses: 0
> HCI Event: Command Status (0x0f) plen 4                                              [hci0] 97.535425
      Inquiry (0x01|0x0001) ncmd 1
        Status: Success (0x00)
> HCI Event: Inquiry Complete (0x01) plen 1                                           [hci0] 107.777731
        Status: Success (0x00)

However, if I go to the Bluetooth screen on my phone, then the scan sees the following:

$ sudo hcitool scan
Scanning ...
< HCI Command: Inquiry (0x01|0x0001) plen 5                                           [hci0] 120.701658
        Access code: 0x9e8b33 (General Inquiry)
        Length: 10.24s (0x08)
        Num responses: 0
> HCI Event: Command Status (0x0f) plen 4                                             [hci0] 120.702118
      Inquiry (0x01|0x0001) ncmd 1
        Status: Success (0x00)
> HCI Event: Extended Inquiry Result (0x2f) plen 255                                  [hci0] 127.292361
        Num responses: 1
        Address: 34:FC:EF:41:E6:F7 (OUI 34-FC-EF)
        Page scan repetition mode: R1 (0x01)
        Page period mode: P0 (0x00)
        Class: 0x5a020c
          Major class: Phone (cellular, cordless, payphone, modem)
          Minor class: Smart phone
          Networking (LAN, Ad hoc)
          Capturing (Scanner, Microphone)
          Object Transfer (v-Inbox, v-Folder)
          Telephony (Cordless telephony, Modem, Headset)
        Clock offset: 0x32cb
        RSSI: -73 dBm (0xb7)
        Name (complete): VS985 4G LTE
        16-bit Service UUIDs (complete): 11 entries
          OBEX Object Push (0x1105)
          OBEX File Transfer (0x1106)
          Audio Source (0x110a)
          A/V Remote Control Target (0x110c)
          Headset AG (0x1112)
          PANU (0x1115)
          NAP (0x1116)
          Handsfree Audio Gateway (0x111f)
          Phonebook Access Server (0x112f)
          PnP Information (0x1200)
          Message Access Server (0x1132)
> HCI Event: Inquiry Complete (0x01) plen 1                                           [hci0] 130.945272
        Status: Success (0x00)
< HCI Command: Remote Name Request (0x01|0x0019) plen 10                              [hci0] 130.945509
        Address: 34:FC:EF:41:E6:F7 (OUI 34-FC-EF)
        Page scan repetition mode: R1 (0x01)
        Page scan mode: Mandatory (0x00)
        Clock offset: 0xb2cb
> HCI Event: Command Status (0x0f) plen 4                                             [hci0] 130.946235
      Remote Name Request (0x01|0x0019) ncmd 1
        Status: Success (0x00)
> HCI Event: Remote Host Supported Features (0x3d) plen 14                            [hci0] 133.437920
        Address: 34:FC:EF:41:E6:F7 (OUI 34-FC-EF)
        Features: 0x0f 0x00 0x00 0x00 0x00 0x00 0x00 0x00
          Secure Simple Pairing (Host Support)
          LE Supported (Host)
          Simultaneous LE and BR/EDR (Host)
          Secure Connections (Host Support)
> HCI Event: Remote Name Req Complete (0x07) plen 255                                 [hci0] 133.440673
        34:FC:EF:41:E6:F7       VS985 4G LTE
        Status: Success (0x00)
        Address: 34:FC:EF:41:E6:F7 (OUI 34-FC-EF)
        Name: VS985 4G LTE

Another way of discovering, but it doesn't get around the above problem:

sudo apt-get install python-gi python-dbus
git clone https://github.com/pauloborges/bluez.git
cd bluez/test
sudo ./test-discovery
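
As an added example (not part of this issue or the find-lf project), a small Python parser for the btmon output quoted above: it pulls the address, RSSI and name out of Inquiry Result events and reports whether the inquiry finished, so the "phone not on the Bluetooth screen" run shows up as a completed inquiry with no sightings. The event names and field layout are taken from the btmon lines above; the sample log is constructed from them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: btmon lines from the second scan in the issue, trimmed to
# the events this parser uses (Inquiry Result and Inquiry Complete).
SAMPLE_LOG = """\
> HCI Event: Extended Inquiry Result (0x2f) plen 255            [hci0] 127.292361
        Num responses: 1
        Address: 34:FC:EF:41:E6:F7 (OUI 34-FC-EF)
        RSSI: -73 dBm (0xb7)
        Name (complete): VS985 4G LTE
> HCI Event: Inquiry Complete (0x01) plen 1                     [hci0] 130.945272
        Status: Success (0x00)
"""

EVENT_RE = re.compile(r"^> HCI Event: (?P<name>.*?) \(0x[0-9a-f]+\) plen \d+\s+\[\w+\] (?P<ts>[\d.]+)")
ADDR_RE = re.compile(r"^\s+Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
RSSI_RE = re.compile(r"^\s+RSSI: (?P<rssi>-?\d+) dBm")
NAME_RE = re.compile(r"^\s+Name(?: \(complete\))?: (?P<name>.+?)\s*$")
INQUIRY_EVENTS = ("Inquiry Result", "Inquiry Result with RSSI", "Extended Inquiry Result")


def parse_inquiry(log: str) -> Tuple[List[Dict], bool]:
    """Return (sightings, inquiry_completed) for a btmon capture of `hcitool scan`.

    Each sighting is {"mac", "rssi", "name", "ts"}; only Inquiry Result events carry
    the address and RSSI, so a completed inquiry with no sightings is the failure case.
    """
    sightings: List[Dict] = []
    completed = False
    current: Optional[Dict] = None   # sighting whose fields are still being read
    for line in log.splitlines():
        ev = EVENT_RE.match(line)
        if ev:
            # A new event starts; only Inquiry Result events carry a device record.
            completed |= ev.group("name") == "Inquiry Complete"
            current = ({"mac": None, "rssi": None, "name": None, "ts": float(ev.group("ts"))}
                       if ev.group("name") in INQUIRY_EVENTS else None)
        elif current is not None and (m := ADDR_RE.match(line)):
            if current["mac"] is not None:   # one Inquiry Result may list several devices
                current = dict(current, rssi=None, name=None)
            current["mac"] = m.group("mac").upper()
            sightings.append(current)
        elif current is not None and (m := RSSI_RE.match(line)):
            current["rssi"] = int(m.group("rssi"))
        elif current is not None and (m := NAME_RE.match(line)):
            current["name"] = m.group("name")
    return sightings, completed
```

Feeding it the first capture in the issue (Command Status followed by Inquiry Complete only) returns an empty list with inquiry_completed set, which is the signal to look for when deciding whether the phone was discoverable at all.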

mukowman commented 6 years ago

You could use the following app on Android to simulate a BLE beacon. It has the option of running in the background: https://play.google.com/store/apps/details?id=net.alea.beaconsimulator