lunar (1) ubertooth-rx.1.gz

Provided by: ubertooth_2018.12.R1-5.1_amd64 bug

NAME

       ubertooth-rx - Classic Bluetooth discovery, sniffing, and decoding

SYNOPSIS

              ubertooth-rx [ -l <lap> [ -u <uap ] ]
              ubertooth-rx -z

DESCRIPTION

       ubertooth-rx(1)  is  the  primary  interface  into  Classic  Bluetooth  (BR) functionality
       provided by Ubertooth. It has two main modes of operation: piconet  following  and  survey
       mode.  In  either  mode,  ubertooth-rx(1)  is able to discover undiscoverable devices. See
       [DISCOVERING UNDISCOVERABLE DEVICES][].

       In piconet following mode, the tool will follow the first piconet it fully identifies.  In
       survey  mode  the device will attempt to identify all piconets in a given area and display
       them after either a timeout or manual interruption.

       Piconet following is the main mode entered when no arguments are passed to the command  or
       a LAP and optionally a UAP are provided. If no arguments are passed, the tool will attempt
       to calculate the UAP for any observed LAPs. If a LAP is passed, the UAP will be calculated
       for  that  specific  LAP. Once a LAP and UAP have been recovered, the tool will attempt to
       recover the clock value, and if that succeeds it will follow that piconet.

       Survey mode, entered using -z, will record all LAPs and attempt to calculate the UAPs  for
       any  observed  LAPs.  This  mode  can  be  combined with a timeout using -t, and it can be
       interrupted at any time using ctrl-C.

EXAMPLES

       Follow the first piconet whose LAP, UAP, and clock are recovered from the air:

              ubertooth-rx

       For a given LAP, calculate the UAP and recover the clock, then follow:

              ubertooth-rx -l 112233

       For a given LAP and UAP, recover the clock then follow:

              ubertooth-rx -l 112233 -u ab

       Enter survey mode for 20 seconds, and print out the BD ADDRs of all observed piconets:

              ubertooth-rx -z -t 20

OPTIONS

       Major modes:

       •

       -l <lap> : Limit UAP recovery, clock recovery, and  piconet  following  to  a  given  LAP.
       Format is 3 bytes / 6 hex characters.

       •

       -u  <uap>  :  Limit  clock  recovery and piconet following to a given UAP. Must be used in
       conjunction with -l. Format is 1 byte / 2 hex characters.

       •

       -z : Survey mode: recover all LAP and UAP pairs and display them.  Will  run  indefinitely
       until interrupted with ctrl-C unless paired with -t.

       Options:

       •

       -i <input> : Input file. If not specified will perform live capture using Ubertooth.

       •

       -c  <0-79>  :  Fixed  channel for all major modes. If not specified will sweep through all
       channels.

       •

       -e <0-4> : Maximum access code bit errors. [Default: 2]

       •

       -t <seconds> : Timeout in seconds. If  not  specified  will  run  indefinitely.  Suggested
       values for -z: 20-60 seconds.

       Output options:

       • -r <file.pcapng> : Capture packets to PcapNG

       • -q <file.pcap> : Capture packets to PCAP

       • -d <file.bin> : Capture packets to binary file suitable for use with -i.

       Miscellaneous:

       •

       -V : Version information

       •

       -U<0-7> : Which Ubertooth device to use

DISCOVERING UNDISCOVERABLE DEVICES

       Classic  Bluetooth  piocnets are defined by the Lower Address Part (LAP) and Upper Address
       Part (UAP) of the master device. These are  elements  of  the  master  device's  Bluetooth
       Address (BD ADDR).

       Consider the following BD ADDR:

              22:44:66:88:AA:BB

       The  lower  address  part  (LAP) is the lower 24 bits, so 88:AA:BB. In the context of this
       tool, the value is written 88AABB. The upper address part is the next 8 bits, so  66.  The
       22:44  is called the Non-significant Address Part (NAP) and as you might imagine it is not
       significant.

       In piconet following mode, the tool will recover LAP values from the air  and  attempt  to
       calculate  the  UAP  from those. It will go on to follow the piconet if it can recover the
       clock value. In survey mode, the tool will simply recover LAP and UAP values.

       To convert LAP + UAP pairs back into Bluetooth addresses, do the reverse of the above. For
       example,  if  the  tool recovers a LAP of 36A2B4 and a UAP of 98, the associated Bluetooth
       address is ??:??:98:36:A2:B4. Any value can be substituted into  the  ??  slots  and  most
       Bluetooth  tools  will  still  work.  For  example,  hcitool  name  00:00:98:36:A2:B4 will
       establish a connection to the device and return its name.

       This attack works against discoverable and undiscoverable devices alike.

SEE ALSO

       ubertooth-scan(1): active device scanning and inquiry using Ubertooth and BlueZ

       ubertooth(7): overview of Project Ubertooth

       D. Spill and A. Bittau. "BlueSniff: Eve Meets Alice and Bluetooth."  USENIX WOOT 2007.

AUTHOR

       This manual page was written by Mike Ryan.

       ubertooth-rx(1) is Copyright (c) 2010-2017 Michael Ossmann,  Dominic  Spill,  and  others.
       This tool is released under the GPLv2. Refer to COPYING for further details.