
[:< ANDROID BLUETOOTH SNOOPERY -- UNROOTED! >:]

android_hax.1[get_hci_logs]

android_hax.0[intro] -- <<<    >>> -- android_hax.2[hci_analysis]

Description

We're just getting set up in this part. We'll be putting the phone into developer mode, generating some Bluetooth logs, extracting them, and reading them! The next one will be on trying to make sense of these packets. You can skip ahead to that if you'd like!

I honestly wanted to start with this project because your device does not need to be rooted in order to do it. Furthermore, sometimes Android devices need to be connected to the internet for some time before they become OEM unlockable. I've read that there are some tricks around this wait period on some devices, and I'd encourage you to try these too, but if you don't feel like it (like me), then we can do this in the meantime!

Materials

* an Android device
* another Bluetooth-pairable device

Prep your phone for debugging:

To start we're going to need to get the phone into Developer Mode. The method for doing this varies depending on the device, so it may be worth looking it up, but generally you can do it by:
* Navigating to Settings -> About Phone
* Scrolling to Build Number, which can usually be found at the very bottom of the About Phone menu
* Tapping Build Number 7x
* Entering your PIN

Once your phone is in Developer Mode you will have access to the Developer Options, which can be found in System -> Advanced -> Developer Options.
It's here that you're going to need to enable Bluetooth HCI snoop logs via Enable Bluetooth HCI snoop log -> Enable, and USB Debugging, found under Debugging.

And with that, your phone is ready to go! You may have to reboot it for all changes to take effect :shrug:?

Generate some logs!

You can now easily generate some logs by pairing your phone with another Bluetooth device!

Getting the logs:

Now that we've generated some logs, we're ready to get them from our phone.
Here's how:
1. Install adb
  sudo apt install adb
2. Plug your phone into your computer -- you may be prompted on your phone to approve USB debugging with this computer.
  - select Allow
3. Check that your device is connected
  adb devices
  - This should return something like:
  List of devices attached
  XD1233TUM0    device
4. Get the bug report, which returns a txt file and a zip:
  adb bugreport <whatever you want the name of the generated zip file to be>
Once adb has done its thing, this should leave you with a zip file named via your previous instruction. Once you unzip this file, there will be another file named something like "bugreport-yadayada.txt".
In some cases you may be able to find your snoop file, titled btsnoop_hci.log, directly in the zip file. If not, you will need to extract the snoop log from the bug report text via btsnooz.py, which at the time of writing can be found here.
Extract your btsnoop log by running the following command:
  python3 btsnooz.py bugreport-yadayada.txt > BTSNOOP.log

If this doesn't seem to be working, double check the android docs for further reading.

And there you have it! You've successfully extracted some Bluetooth logs!
Open this log file in Wireshark if you want to get a better read of it.
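As an added example (my own code, not from the original post and not part of btsnooz.py), here is a small Python parser for the btsnoop_hci.log format you just extracted, so you can see what Wireshark is decoding: a 16-byte file header, then one 24-byte header per record carrying a direction flag and a timestamp counted in microseconds from the year 0. The sample log bytes are constructed inline; the packets inside them are a real HCI_Reset command and its Command Complete event.

```python
import struct
from dataclasses import dataclass

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002          # Android writes HCI UART (H4) records: 1 type byte + HCI packet
# btsnoop timestamps are microseconds since 0000-01-01; this offset converts them to Unix time
UNIX_EPOCH_OFFSET_US = 0x00DCDDB30F2F8000
H4_TYPES = {1: "CMD", 2: "ACL", 3: "SCO", 4: "EVT"}

@dataclass
class Record:
    unix_time_us: int
    direction: str   # "host->ctrl" (sent) or "ctrl->host" (received)
    h4_type: str
    payload: bytes   # HCI packet without the leading H4 type byte

def parse_btsnoop(data: bytes) -> list:
    """Parse a btsnoop_hci.log image into Records; raises ValueError on a bad or cut-off file."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version/datalink: {version}/{datalink}")
    records, off = [], 16
    while off + 24 <= len(data):              # every record starts with a 24-byte big-endian header
        _orig_len, incl_len, flags, _drops, ts = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:               # file ended mid-record (e.g. log still being written)
            raise ValueError(f"record at offset {off - 24} is truncated")
        off += incl_len
        direction = "ctrl->host" if flags & 1 else "host->ctrl"   # flag bit 0 = received, bit 1 = cmd/evt
        h4 = H4_TYPES.get(pkt[0], f"unknown({pkt[0]})") if pkt else "empty"
        records.append(Record(ts - UNIX_EPOCH_OFFSET_US, direction, h4, pkt[1:]))
    return records

def _record(flags: int, ts_us: int, pkt: bytes) -> bytes:
    """Build one btsnoop record (helper for the constructed sample below)."""
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, ts_us) + pkt

# Constructed sample log: HCI_Reset command (opcode 0x0C03) followed by its Command Complete event.
SAMPLE_LOG = (
    BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
    + _record(0b10, UNIX_EPOCH_OFFSET_US + 1_000_000, b"\x01\x03\x0c\x00")
    + _record(0b11, UNIX_EPOCH_OFFSET_US + 1_001_000, b"\x04\x0e\x04\x01\x03\x0c\x00")
)

if __name__ == "__main__":
    for r in parse_btsnoop(SAMPLE_LOG):
        print(f"{r.unix_time_us / 1e6:.6f} {r.direction:10} {r.h4_type} {r.payload.hex()}")
```

To run it on your own capture, replace SAMPLE_LOG with the bytes read from BTSNOOP.log (or btsnoop_hci.log).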

There's still a bunch in here that I can't make heads or tails of though, and this is where our paths will fork. Since we are both almost definitely looking at different packets our experiences are going to differ; so in the next part I'll be documenting more of my thought process and approach to reversing / getting a handle on these logs.