How To: Building a BlueSniper Rifle – Part 2



Exploring the Bluetooth apps

At this point, you have an operational Linux computer, with a few Bluetooth utilities built into the Linux distro you created. There is a decent command line Bluetooth scanner built into the BlueZ protocol stack that was compiled into the kernel. This scanner, called hcitool, will find all Bluetooth devices that have been placed in discoverable mode. The hcitool man page is here. Typing in "hcitool inq" will display the physical addresses, clock offsets and classes of found items. Typing in "hcitool scan" will display the physical address, make and model of the found devices.

With the "rubber duck" antenna attached, the Gumstix detected my paired Blackberry 7520 and Jabra headset from about 20 feet away (Figure 11). You can expect far greater ranges and more directionality once the Gumstix is connected to the high-gain antenna on the BlueSniper rifle itself.

Figure 11: Using hcitool to find devices

Careful inspection of Figure 11 reveals that each make/model description doesn't always map to the same MAC address. In other words, if you run "hcitool scan" multiple times in an environment with many paired Bluetooth devices, you will see different MAC addresses reported for each Bluetooth device. I'm not sure whether this is due to the way hcitool or Bluetooth itself works, but am highlighting it so that you won't think that something is wrong when you see it.

Note that due to the channel-hopping nature of Bluetooth, you will not get the instant gratification that you would get from Wi-Fi wardriving. It takes several seconds to detect discoverable devices. Note also that if you decide to "BlueSnipe" around town, you may be disappointed. Bluetooth scanning is still in its early stages and there are few tools that can detect devices set to non-discoverable mode (more on this shortly).

Another command built into the BlueZ protocol stack is l2ping, which is the Bluetooth version of the venerable ping command. You will need to know the Bluetooth MAC address of an in-range device in order to l2ping it. Fortunately, the hcitool scan and inq commands provide MAC address info. Of course, if you didn't find any devices with hcitool, then l2ping will not do anything for you.

Here's how you'd ping a Bluetooth device with MAC address 01:02:03:ab:cd:ef:

l2ping -f 01:02:03:ab:cd:ef

If the ping is successful, you will receive a response back that looks similar to the one below. Do a control+c to stop the pings.

l2ping 01:02:03:ab:cd:ef
Ping: 01:02:03:ab:cd:ef from .......
0 Bytes from 00:60:57:75:7C:36 id 200 time 37.89ms
0 Bytes from 00:60:57:75:7C:36 id 201 time 19.96ms
0 Bytes from 00:60:57:75:7C:36 id 202 time 12.25ms
0 Bytes from 00:60:57:75:7C:36 id 203 time 12.18ms
0 Bytes from 00:60:57:75:7C:36 id 204 time 11.80ms

For other devices just replace the 01:02:03:ab:cd:ef with the MAC address of the target device. The l2ping man page is here.
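If you want to turn the raw hcitool and l2ping output described above into an inventory of which devices around you are sitting in discoverable mode (for example, to audit your own office), the following added example parses the three output formats this article shows and decodes the class field that "hcitool inq" reports. It is not code from the article; the sample output strings are constructed to match the formats shown above, and the address-tally helper exists because of the article's note that reported addresses can vary between scan runs.

```python
import re
from collections import Counter

# Bluetooth Class of Device: the major device class is bits 8..12 (values from
# the Bluetooth Assigned Numbers list).
MAJOR_CLASS = {0: "Misc", 1: "Computer", 2: "Phone", 3: "LAN/AP",
               4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable",
               8: "Toy", 9: "Health", 31: "Uncategorized"}

# One "hcitool inq" line: address, clock offset, class.
INQ_RE = re.compile(r"([0-9A-Fa-f:]{17})\s+clock offset:\s*(0x[0-9A-Fa-f]+)"
                    r"\s+class:\s*(0x[0-9A-Fa-f]+)")
# One "hcitool scan" line: address followed by the device's advertised name.
SCAN_RE = re.compile(r"^\s*([0-9A-Fa-f:]{17})\s+(.+?)\s*$", re.M)
# One l2ping reply line, shaped like the article's sample output.
PING_RE = re.compile(r"from ([0-9A-Fa-f:]{17}) id (\d+) time ([\d.]+)ms")

def major_class(cod):
    """Decode the major device class name from a Class-of-Device integer."""
    return MAJOR_CLASS.get((cod >> 8) & 0x1F, "Reserved")

def parse_inq(text):
    """Map address -> (clock offset, major class name) from 'hcitool inq'."""
    return {a.upper(): (int(off, 16), major_class(int(cod, 16)))
            for a, off, cod in INQ_RE.findall(text)}

def parse_scan(text):
    """Map address -> name from 'hcitool scan' (the header line has no address)."""
    return {a.upper(): name for a, name in SCAN_RE.findall(text)}

def parse_l2ping(text):
    """Return (replying address, list of round-trip times in ms) from l2ping."""
    hits = PING_RE.findall(text)
    return (hits[0][0].upper() if hits else None), [float(t) for _, _, t in hits]

def stable_addresses(runs, min_runs=2):
    """Addresses seen in at least min_runs separate 'hcitool scan' runs."""
    seen = Counter(a for run in runs for a in parse_scan(run))
    return sorted(a for a, n in seen.items() if n >= min_runs)

# Constructed sample output (not captured from the author's Gumstix).
SAMPLE_INQ = ("Inquiring ...\n"
              "\t00:60:57:75:7C:36\tclock offset: 0x4f1a\tclass: 0x520204\n"
              "\t00:07:A4:12:34:56\tclock offset: 0x0c3e\tclass: 0x200404\n")
SAMPLE_SCANS = ["Scanning ...\n\t00:60:57:75:7C:36\tBlackBerry 7520\n"
                "\t00:07:A4:12:34:56\tJabra headset\n",
                "Scanning ...\n\t00:60:57:75:7C:36\tBlackBerry 7520\n"]
SAMPLE_PING = ("Ping: 01:02:03:ab:cd:ef from 00:11:22:33:44:55 ...\n"
               "0 bytes from 00:60:57:75:7C:36 id 200 time 37.89ms\n"
               "0 bytes from 00:60:57:75:7C:36 id 201 time 19.96ms\n")
```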