anelok: revisiting Bluetooth, Ubertooth

Werner Almesberger werner at almesberger.net
Fri Nov 22 07:14:21 EST 2013


Fortunately, there already is a project that tries to solve
specifically the problem of doing BT in an open-friendly way, and that
already has done a great amount of trailblazing. It's called
"Ubertooth":

http://ubertooth.sourceforge.net

Their motivation is that they want to be able to sniff BT traffic and
to inject artificial traffic, so they need a lot of flexibility. The
same flexibility can of course also be used to just implement a
regular stack.

They use a TI CC2400 transceiver chip. Now, looking at that chip [1,
2], three things catch the eye:

1) it's HUGE, 48-QFN, 7x7 mm. That's as big as the MCU. For
   comparison, the AT86RF232 comes in a 32-QFN package of only 5x5
   mm and we'll see later on that transceivers can be even smaller.

2) it's expensive, USD 4.73 @ 1000 units. AT86RF232: USD 2.03-2.30 @
   1000.

3) the produce page warns "Not Recommended for New Designs".

[1] http://www.ti.com/product/cc2400
[2] http://www.digikey.com/product-detail/en/CC2400RSUR/296-21512-1-ND/1304552

While it is quite possible to make products with obsolete chips, doing
so has the risk of sourcing getting increasingly messy. So let's try
to steer our Titanic on a southernly route instead of relying on the
strength of our lifeboats.

If there is one chip that can do it, there are usually more. So what
would they look like ? In other words, what are the radio requirements
for BT ? First of all, there's a number of different requirements. BT
1.2 and the new shooting star BTLE are fairly similar at that level,
so let's focus on them:

- Carrier frequency: 2.4 GHz band, channels in 1 MHz steps

- Modulation: GFSK

- Frequency deviation (modulation depth): +/- ~170 kHz (BT 1.2) or
  +/- 250 kHz (BTLE).

- Data rate: 1 Mbps

According to the experts, BTLE also has a considerably simpler
protocol architecture than regular BT. The downsides are that it is
still relatively new and not nearly as widely supported as BT and
that it's security architecture is a joke - just what we want for a
password safe. Here is a nice presentation that explains the basics
of BTLE and also the nearly Adobesque blunder they did with the key
exchange:

https://www.usenix.org/conference/woot13/bluetooth-low-energy-comes-low-security

The good news is that BTLE will improve with time, that radio
hardware that can talk BTLE is usually also capable of talking BT 1.2
(if someone gets around to implementing the stack. For the higher
layers, BlueZ may be of some use but there may be considerable evil
below it.), and that by doing most of the processing in software the
risk of getting cut off by some future protocol change is very low.

Next: chips !

- Werner



More information about the discussion mailing list


interactive