Sunday 19 September 2010

Bluetooth mayhem -- part III -- bluejay

Uploaded a revision to bluejay bluetooth scanner;
Download link below


Regrettably, the mayhem I was able to enjoy with bluetooth has basically been limited to scanning.

All in all a rather disappointing outcome after quite a bit of time spent trying to get somewhere.

I have tried to get the famous bluebugger & bluesnarfer to work, however the phones I have to test on do not seem to be vulnerable to the standard attacks and the tools do not seem to be well suited to Backtrack 4 without some serious tweaking.

The bluetooth headsets I got don't seem to show up on any of the scans I do, so I couldn't even test carwhisper either.
Am going to continue to pick up cheapo headsets though as I would love to at least get something working...

There is a serious lack of information on using bluetooth tools with backtrack 4, and I had hoped to be able to contribute to getting some more information out there; however, for the time being I have to admit defeat on this one...

The plus side of things is that it motivated me to write my own bluetooth scanner :D

Considering that tools like ghettotooth are still included in backtrack 4, I saw no harm in making something similar, may even propose for it to be included if I am feeling cocky...

So after a lot of trial and error and a hell of a lot of google, my first bash script: bluejay

Hopefully someone finds it fun to use, I had a lot of fun (along with frustration...) writing it.
Although I am sure many looking at the code will probably sh1t themselves laughing, it's my first attempt at any bash scripting with a bit of scavenging from teh interwebz... so hey ;)

bluejay was written with backtrack 4 in mind, and is untested on any other platform.

(based on using Backtrack 4)

1. Download the file (bluejay v0.3, see the download link at the top of the page) to a location of your choice (for instance /root/).

2. Make a directory called "bluejay" in /pentest/bluetooth/:
mkdir /pentest/bluetooth/bluejay
Creating the directory /pentest/bluetooth/bluejay/ is required, as bluejay puts temp files in that location.
(The latest version of bluejay will ask if you want to create the directory and will create it automatically if you choose to continue.)

3. Copy or move the file into the created directory:
mv /root/bluejay /pentest/bluetooth/bluejay/bluejay

4. If you can't run bluejay, you may have to change the file permissions:
chmod 755 /pentest/bluetooth/bluejay/bluejay

5. Then run it! The -h option shows the help:
cd /pentest/bluetooth/bluejay/
./bluejay -h

./bluejay -d
Lists the bluetooth interfaces (devices) present. With only 1 bluetooth interface, a single device is listed; with multiple bluetooth interfaces installed, each of them is listed.


With only 1 bluetooth interface installed, bluejay automatically chooses this interface, usually hci0, and starts the scan:

./bluejay -s

When starting a single scan with multiple interfaces installed, bluejay will prompt for an interface to be entered:

./bluejay -s


With only 1 bluetooth interface installed, bluejay will automatically take the first one it finds, usually hci0, and start the continuous scan.
When quitting with Ctrl-C, bluejay then prompts whether to save the scan results to the log or not (y/n).

If you choose not to save, the number of found devices is printed to screen and the program exits.

./bluejay -c
(followed by Ctrl-C and "n" to not save the results to the log)

If you choose to save the scan results, then bluejay will print the number of devices discovered on screen and save the results to a logfile in /pentest/bluetooth/bluejay/

Saving the scan results to the log:

When starting continuous scans with multiple bluetooth interfaces installed, bluejay will prompt you to enter the bluetooth interface you want to scan with:

./bluejay -c
(followed by entering the interface, hci1 in this case, then quitting with Ctrl-C and choosing "n" to not save the scan results)

I am lazy and got fed up with typing in the interface names..
So if you just hit Enter where you are prompted to enter the interface to scan with, bluejay will automatically choose the first interface it finds (usually hci0) and start scanning with that:

./bluejay -c
(quit with Ctrl-C and "n" to not save the scan results)
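As an added illustration of the interface handling described above (example code, not bluejay's own), these POSIX shell functions pull the hciN names out of hciconfig-style output and apply the same rule bluejay uses: a single interface, or an empty answer at the prompt, selects the first one found. The hciconfig output below is a constructed sample, as are the BD addresses in it.

```shell
#!/bin/sh
# Added example (not bluejay's own code): list adapters and pick one to scan
# with. Assumes hciconfig's "hciN:  Type: ..." header line format; the sample
# output at the bottom is constructed.

# Print the hciN names found in hciconfig-style output (stdin), one per line.
list_interfaces() {
    awk '$1 ~ /^hci[0-9]+:$/ { sub(":", "", $1); print $1 }'
}

# Usage: pick_interface "<space-separated interfaces>" "<user answer>"
# Echoes the chosen interface; returns 1 if the answer is not in the list.
pick_interface() {
    answer=$2
    set -- $1                      # positional params = interface list
    [ $# -eq 0 ] && return 1       # nothing to scan with
    # Single interface, or Enter pressed: take the first one (usually hci0).
    if [ $# -eq 1 ] || [ -z "$answer" ]; then
        echo "$1"
        return 0
    fi
    for i in "$@"; do
        [ "$i" = "$answer" ] && { echo "$i"; return 0; }
    done
    return 1
}

# Constructed hciconfig-like output with two adapters.
SAMPLE_HCICONFIG='hci0:   Type: BR/EDR  Bus: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING PSCAN
hci1:   Type: BR/EDR  Bus: USB
        BD Address: 00:11:22:33:44:66  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING'

# Run with BLUEJAY_DEMO=1 to see the prompt (Enter = first interface found).
if [ "${BLUEJAY_DEMO:-}" = 1 ]; then
    IFACES=$(printf '%s\n' "$SAMPLE_HCICONFIG" | list_interfaces | tr '\n' ' ')
    printf 'Interfaces: %s\nScan with [%s]: ' "$IFACES" "${IFACES%% *}"
    read -r ans
    pick_interface "$IFACES" "$ans" || { echo "unknown interface: $ans" >&2; exit 1; }
fi
```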

Le Voilà !!
The logging side of things is regretfully far from perfect:
if the clock offset changes, or if the name is cached, the same BDADDR will show up more than once in the log.
Am working on a revision v0.3 which will hopefully sort a few things out. It was still a fun project though ;)
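One way to deal with the duplicate-BDADDR problem just described, as an added example rather than bluejay's own code: key the log on the address alone, so lines that differ only in clock offset or in a cached name collapse into one entry. It assumes hcitool-style scan lines; the sample input is constructed.

```shell
#!/bin/sh
# Added example (not bluejay's own code): collapse raw scan lines so each
# BDADDR is logged once, whatever its clock offset or cached name.
# Assumes hcitool-style lines, either
#   "<bdaddr>  clock offset: 0x....  class: 0x......"   (hcitool inq) or
#   "<bdaddr>  <device name>"                             (hcitool scan).
# The sample input at the bottom is constructed for the demo.

# Read scan lines on stdin; print the first line seen for each BDADDR.
dedup_by_bdaddr() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            # A BDADDR is 17 chars of hex digits and colons in six groups.
            if (length($i) == 17 && $i ~ /^[0-9A-Fa-f:]+$/ &&
                split($i, p, ":") == 6) {
                addr = toupper($i)          # case-insensitive match
                if (!(addr in seen)) { seen[addr] = 1; print }
                break
            }
        }
    }'
}

# Number of distinct devices in the scan lines on stdin.
count_devices() {
    dedup_by_bdaddr | wc -l | tr -d ' '
}

# Constructed sample: one phone seen three times (two clock offsets and one
# name-cache line) plus one headset; a naive line-based log keeps all four.
SAMPLE='Inquiring ...
        00:11:22:AA:BB:CC       clock offset: 0x1234    class: 0x5a020c
        00:11:22:AA:BB:CC       clock offset: 0x1240    class: 0x5a020c
        00:11:22:aa:bb:cc       Test phone
        00:11:22:DD:EE:FF       clock offset: 0x0a00    class: 0x240404'

# Run with BLUEJAY_DEMO=1 to print the deduplicated log and the device count.
if [ "${BLUEJAY_DEMO:-}" = 1 ]; then
    printf '%s\n' "$SAMPLE" | dedup_by_bdaddr
    printf 'Found %s device(s)\n' "$(printf '%s\n' "$SAMPLE" | count_devices)"
fi
```

Piping the raw log through dedup_by_bdaddr at save time gives one line per device, which is also the count bluejay prints before exiting.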

I am sure there are loads of ways to make it smoother and quicker, comments with advice and on errors
encountered when using it are appreciated.

Despite the fact that I have more or less given up hope of being able to have the same amount of fun with bluetooth as can be had with wireless, it is an interesting area to look at, and I would appreciate any comments which may assist with bluetooth hacking.


  1. Nice to see someone is trying to get this working. I did try once a while ago to accomplish the same thing. Have a Nokia 6310i which is said to have vulnerabilities. Went as far as connecting to the phone, but still the button had to be pressed on the phone in order to connect successfully. And that was the end. I could not delete the phonebook or do other stuff. I think we are far from connecting undetectably and making calls))
    In general, nice blog. Read all your info. Keep up the good work!

  2. Thanks for the comment!
    It is a little disappointing to find that there is so little info now available on the whole bluetooth thing.

    I did have fun trying though, but still not sure whether that outweighed the frustration ;)

