Tue 10 Apr 2007
Bluetooth Dongle with CSR chipset and flash or external memory using Flash
Posted by hosh under Uncategorized | 77 Comments
These are some Bluetooth dongles that support changing the firmware with dfutool and tuning with bccmd. There is no guarantee that they still support flashing and tuning when you buy them, because vendors often change the hardware without notice.
Fujitsu Siemens BLUETOOTH V2.0 USB-Stick
Cellink BTA-6030 Bluetooth Adapter
Other dongles that seem to work (see the comments on this article; not verified):
Toshiba PA3455U-1BTM
Linksys USBBT100 (newer ones have Broadcom chipset, older ones CSR but only Bluetooth 1.1)
Aircable Host XR
April 15th, 2007 at 12:29 pm
Hi,
Linksys USB BT-100 is also compatible with the re-flash.
April 21st, 2007 at 7:02 pm
pretty interesting since it has external antenna. but i think this is not BT 2.0 + EDR?
Anyway feel free to add further dongle having CSR Chipset and support dfu.
April 25th, 2007 at 2:38 pm
Hi there
Fujitsu Siemens BLUETOOTH V2.0 USB-Stick:
—————————————–
Reading firmware -> possible
Backup firmware -> possible
Writing new firmware -> (I guess) impossible
Reading key entries -> possible
Change key entries -> impossible
$ lsusb
Bus 002 Device 006: ID 0bf8:1003 Fujitsu Siemens Computers (!)
…
sudo hciconfig -a
hci0: Type: USB
BD Address: 00:XX:XX:XX:X:XX ACL MTU: 384:8 SCO MTU: 64:8
UP RUNNING PSCAN ISCAN
RX bytes:401 acl:0 sco:0 events:18 errors:0
TX bytes:317 acl:0 sco:0 commands:17 errors:0
Features: 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH HOLD SNIFF PARK
Link mode: SLAVE ACCEPT
Name: 'IBM-0'
Class: 0x3e0100
Service Classes: Networking, Rendering, Capturing, Object Transfer, Audio
Device Class: Computer, Uncategorized
HCI Ver: 2.0 (0x3) HCI Rev: 0x77b LMP Ver: 2.0 (0x3) LMP Subver: 0x77b
Manufacturer: Cambridge Silicon Radio (10)(!!!)
Due to the fact that the important keys are not changeable, no test of modifying firmware was done.
Cellink BTA-6030 Bluetooth Adapter
———————————-
not available anymore so no testing (bad luck)
Linksys USBBT100
—————-
Neither reading nor writing is possible.
(Version 2. manufactured 46/2006)
+++
(2 different dongles tested, both Version 2. One was purchased in 2005, but the data on it are not known at this time of writing)
$ sudo ./bccmd -d hci0 pslist
Unsupported manufacturer
…
$ sudo hciconfig -a
hci0: Type: USB
BD Address: 00:16:B6:XX:XX:XX ACL MTU: 377:10 SCO MTU: 64:8
UP RUNNING PSCAN ISCAN
RX bytes:435 acl:0 sco:0 events:20 errors:0
TX bytes:325 acl:0 sco:0 commands:20 errors:0
Features: 0xff 0xfe 0x0d 0x38 0x08 0x08 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH HOLD SNIFF PARK
Link mode: SLAVE ACCEPT
Name: 'IBM-0'
Class: 0x3e0100
Service Classes: Networking, Rendering, Capturing, Object Transfer, Audio
Device Class: Computer, Uncategorized
HCI Ver: 1.2 (0x2) HCI Rev: 0x0 LMP Ver: 1.2 (0x2) LMP Subver: 0x309
Manufacturer: Broadcom Corporation (15)
$ sudo ./dfutool -d hci0 archive LinksysBTFirmware.dfu
Can’t find any DFU devices
+++++++++++++++++++++++++++++++++++++++++++++++++++
All described dongles purchased on 04/07. Any other working dongles known ??? Or is there any other Hint. Thx in advance.
Greets
Andi
April 25th, 2007 at 7:05 pm
As you can see, the Linksys USBBT100 is a Broadcom version. bccmd won’t work with Broadcom since it is vendor specific and only works with CSR.
The command "hcitool revision hci0" gives us further information about a chipset:
$ sudo hciconfig hci0 revision
hci0: Type: USB
BD Address: 00:DE:AD:BE:AF:00 ACL MTU: 384:8 SCO MTU: 64:8
HCI 19.2
Chip version: BlueCore4-External
Max key size: 56 bit
SCO mapping: HCI
BlueCore4-External is good and means that the Chip is connected to external memory, which should be flash memory. BlueCore4-ROM is bad. If you are unsure just open your dongle.
This is what my Fujitsu looks like. Your output of lsusb and hciconfig looks very good. The same here. The information about the vendor provided by lsusb is independent of the information from hciconfig. Just continue.
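The checks discussed in this thread (CSR versus another manufacturer, BlueCore4-External versus BlueCore4-ROM) can be run over saved hciconfig output for several dongles at once. This is an added example, not part of the original comments or of BlueZ; the function names are hypothetical and the sample text is constructed from the outputs quoted here, with placeholder addresses.

```python
import re

HEADER = re.compile(r"^(hci\d+):")
CHIP = re.compile(r"BlueCore0?(\d+)-(External|ROM)")
CSR = "Cambridge Silicon Radio"

# Constructed sample: abridged from outputs quoted in the comments, with
# placeholder addresses. hci0 appears twice, once per hciconfig invocation
# ("hciconfig hci0 revision" and "hciconfig -a").
SAMPLE = """\
hci0:   Type: USB
        BD Address: 00:00:00:00:00:01 ACL MTU: 384:8 SCO MTU: 64:8
        HCI 19.2
        Chip version: BlueCore4-External
hci1:   Type: USB
        BD Address: 00:00:00:00:00:02 ACL MTU: 0:0 SCO MTU: 0:0
        Unified 21e
        Chip version: BlueCore4-ROM
hci2:   Type: USB
        BD Address: 00:00:00:00:00:03 ACL MTU: 377:10 SCO MTU: 64:8
        Manufacturer: Broadcom Corporation (15)
hci0:   Type: USB
        Manufacturer: Cambridge Silicon Radio (10)
"""


def parse_adapters(text):
    """Collect 'Chip version' and 'Manufacturer' per adapter from any mix of
    `hciconfig -a` and `hciconfig hciX revision` output."""
    adapters, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            # Same adapter seen again: merge into the existing record.
            current = adapters.setdefault(header.group(1), {})
            continue
        if current is None or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if name in ("Chip version", "Manufacturer"):
            current[name] = value.strip()
    return adapters


def classify(fields):
    """Turn one adapter's fields into the verdict the thread would give."""
    manufacturer = fields.get("Manufacturer")
    # search() tolerates trailing annotations after the chip name.
    chip = CHIP.search(fields.get("Chip version", ""))
    if manufacturer and CSR not in manufacturer:
        return "not CSR: bccmd is vendor specific and will not work"
    if chip is None:
        if manufacturer:
            return "CSR: run 'hciconfig <dev> revision' for the chip version"
        return "unknown: no manufacturer or chip version seen"
    generation, memory = int(chip.group(1)), chip.group(2)
    if memory == "ROM":
        return f"BlueCore{generation} ROM: no firmware update, PSKEYs only"
    return f"BlueCore{generation} external memory: firmware update candidate"


def inventory(text):
    return {dev: classify(f) for dev, f in sorted(parse_adapters(text).items())}


if __name__ == "__main__":
    for dev, verdict in inventory(SAMPLE).items():
        print(f"{dev}: {verdict}")
```
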
April 26th, 2007 at 1:16 am
Fujitsu Siemens BLUETOOTH V2.0 USB-Stick works for me.
I could change the product id and vendor keys and load new firmware.
keys are stored in psi (0x0001) instead of psf (0x0002)
bccmd -d hci0 psset -s 0x0001 0x02bf 0x0002
bccmd -d hci0 psset -s 0x0001 0x02be 0x0a12
April 26th, 2007 at 3:34 pm
Hi all,
here’s how I managed to change key entries on a Fujitsu Siemens BLUETOOTH V2.0 USB-Stick:
Some checks and how the output should be:
$ sudo hciconfig -a hci0 revision
hci0: Type: USB
BD Address: 00:XX:XX:XX:XX:XX ACL MTU: 0:0 SCO MTU: 0:0
HCI 19.2
Chip version: BlueCore4-External //important thx to Martin
Max key size: 56 bit
SCO mapping: HCI
$ lsusb
Bus 005 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
Bus 003 Device 001: ID 0000:0000
Bus 002 Device 006: ID 0bf8:1003 Fujitsu Siemens Computers
Bus 002 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000
$ sudo ./bccmd memtypes
psi (0x0001) = Flash memory (0)
psf (0x0002) = Flash memory (0)
psram (0x0008) = RAM (transient) (2)
In our case psi (0x0001) is important. Thx to Sven
Here we start changing keys
===========================
+++++++++++++++++++++++ 1 +++++++++++++++++++++++++++
$ sudo ./bccmd -d hci0 psget -s 0x000f 0x02be
USB vendor identifier: 0x0bf8 (3064) //original
$ sudo ./bccmd -d hci0 psset -s 0x0001 0x02be 0x0a12
(no output)
$ sudo ./bccmd -d hci0 psget -s 0x000f 0x02be
USB vendor identifier: 0x0a12 (2578) //new !
+++++++++++++++++++++++ 2 +++++++++++++++++++++++++++
$ sudo ./bccmd -d hci0 psget -s 0x000f 0x02bf
USB product identifier: 0x1003 (4099) //original
$ sudo ./bccmd -d hci0 psset -s 0x0001 0x02bf 0x0002
(no output)
$ sudo ./bccmd -d hci0 psget -s 0x000f 0x02bf
USB product identifier: 0x0002 (2) //new
+++++++++++++++++++++++++++++++++++++++++++++++++++++
$ lsusb
Bus 005 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
Bus 003 Device 001: ID 0000:0000
Bus 002 Device 003: ID 0a12:0002 Cambridge Silicon Radio, Ltd //new !
Bus 002 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000
—————————————————+
Hope this may help somebody who also owned this dongle.
Greetings
Andi
May 4th, 2007 at 12:01 am
Hi,
i’ve a MSI BToes 2.0 ERD.
hciconfig hci0 revision
hci0: Type: USB
BD Address: 00:15:83:BA:84:8B ACL MTU: 0:0 SCO MTU: 0:0
Unified 21e
Chip version: BlueCore4-ROM
Max key size: 128 bit
SCO mapping: HCI
Can i use this dongle? Because it only has BlueCore4-ROM?
Thx
Asgard
May 4th, 2007 at 12:08 am
you can’t update the firmware because of the ROM. What you can do, is play around with your PSKEYs using bccmd.
But be careful! When you modify the keys, you might brick your dongle!
May 4th, 2007 at 8:13 am
HI,
thanks for the information!
What are the PSKEYs exactly for?
What can i do with this keys?
Thanks for your help!
Greetings
Asgard
May 4th, 2007 at 4:34 pm
PSKEYs are what you change with bccmd. check this site.
May 11th, 2007 at 11:46 am
Hi there,
I worked through the BlueCore BCCMD commands specification from CSR. One thing I’m still wondering is how do you know on which memory block in the persistent store we had to change the ps-keys. Was it like trial and error or is there any reference to this? Maybe I’ve overread something. At the moment this isn’t clearly visible for me. I don’t get the differences between Implementation Configuration: psi and Factory Configuration: psf except the intention of these memory units. Maybe the different ACL numbers are an indicator?
thx in advance for feedback.
Greetings Andi
May 11th, 2007 at 7:30 pm
i’m not quite sure. for me it was a little try and error. i think it might be firmware dependent which store to use. one firmware i was using completely ignored a certain pskey.
without looking into the spec – i believe psf is read-only, isn’t it? keep us up informed if you find something out.
May 15th, 2007 at 4:33 pm
!Corrected Version
Hi Martin and others,
i´ve read through the “BCCMD Commands” once again. Sadly CSR encrypted the document with 128 Bit rc4 so no copy-paste
Anyway, here are some interesting statements:
1. The database are primarily used to configure many elements of the firmware … [S.28]
2. PSI & PSF stores data in an EEPROM or in a flash-memory. [S.29]
3. MAYBE THE IMPORTANT THING: The values initially lies in the psi library, but a bccmd moves these values to the psf store … [S.30]
Maybe only the bccmd interpreter decides where to store the data on the chip? But actually this can´t be true. If we take a look at the bccmd help we see :
psset [-r] [-s ] [stores] [key] value
We had to set the where to write the key.
The Persistent store on the chip is subdivided in
1. psram (RAM) = 0x0008
2. psi (Flash or EEPROM) = 0x0001
3. psf (Flash or EEPROM) = 0x0002
4. psrom (ROM) = ——-
But if we use 0x000F the store will be searched as follows: psram, psi, psf and at last psrom …
Summary:
========
I think the firmware does not decide where to store a key. The psf storage holds no values by default. The behavior of a firmware can be changed with entries in the psf. The psi storage comes one step before the psf storage. Maybe this is also a hint for using psi … *confused*
Some comments ?
thx for reply
Greets
Andi
p.s. please delete my first two postings.
June 9th, 2007 at 9:03 pm
I can confirm that the USB Bluetooth V2.0 + EDR Toshiba adaptor (PA3455U-1BTM) works perfectly.
It uses the CSR BlueCore4-External chip and stores keys in PSI.
I have been able to set USB PID and VID, and upload new firmware.
July 11th, 2007 at 9:39 am
I tried different CSR bluetooth sticks without luck. The command bccmd with psset always returns the following error:
Can’t execute command: No such device or address (6).
Is it a problem with my installation or do all the sticks I tried do not work for this?
July 12th, 2007 at 7:49 pm
Alex, I am not sure about the exact reason. Do you run bccmd as root? Do you have more than one dongle connected to your PC and forgot to use the -d option?
August 20th, 2007 at 9:45 pm
I am from the USA and have no access to buying the Fujitsu Siemens
BLUETOOTH V2.0 USB-Stick. Does any one know where I can buy one?
September 10th, 2007 at 4:57 pm
I’ve been trying to find DFU compatible bluetooth dongles here in the U.S. but with no luck, the closest thing I’ve come to is finding two BC4-ROM based ones. They support changes to the PSkeys and BTaddr, but for obvious reasons cannot be reflashed.
Does anyone know of any dongles available in the U.S. that have the BC4-Ext chip (BC417)? I’ve been searching for the better part of 6 months with no luck. All the ones that are listed as DFU compatible above are out of stock or no longer carried by U.S. retailers.
Any help would be much appreciated!
September 11th, 2007 at 9:34 pm
Hi, I have an interesting device that I’m messing with:
http://www.a7eng.com/products/embeddedblue/hci/eb502-HCI.htm
My output is as follows:
hci0: Type: USB
BD Address: 00:0C:84:00:37:EA ACL MTU: 192:8 SCO MTU: 64:8
HCI 18.2
Chip version: BlueCore02-External
Max key size: 56 bit
SCO mapping: HCI
sudo bccmd memtypes
psi (0x0001) = Flash memory (0)
psf (0x0002) = Flash memory (0)
psram (0x0008) = RAM (transient) (2)
hci0: Type: USB
BD Address: 00:0C:84:00:37:EA ACL MTU: 192:8 SCO MTU: 64:8
UP RUNNING PSCAN ISCAN
RX bytes:5882 acl:0 sco:0 events:258 errors:0
TX bytes:3113 acl:0 sco:0 commands:200 errors:0
Features: 0xff 0xff 0x8f 0x78 0x18 0x18 0x00 0x80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH HOLD SNIFF PARK
Link mode: SLAVE ACCEPT
Name: 'BlueZ (0)'
Class: 0x000100
Service Classes: Unspecified
Device Class: Computer, Uncategorized
HCI Ver: 1.2 (0x2) HCI Rev: 0x5df LMP Ver: 1.2 (0x2) LMP Subver: 0x5df
Manufacturer: Cambridge Silicon Radio (10)
but when I go to replace my vendor ID I get the following (no matter WHERE I try to put it)
sudo bccmd -d hci0 psset -s 0x0001 0x02bf 0x0002
Can’t execute command: No such device or address (6)
Any clues? or should I try a different dongle?
–Andrew
September 14th, 2007 at 11:09 am
Your Chip version: BlueCore02-External
Our Chip version: BlueCore4-External
I don’t have a BlueCore02-External based dongle so I can’t test it but I’m quite sure BlueCore02 has another configuration than V4 has. Maybe the buildup of the store is totally different…
Try to look at the csr specs
Greets
Andi
September 14th, 2007 at 11:11 am
Maybe the buildup of the storage is totally different…
-> meant storage //sry
September 19th, 2007 at 2:15 pm
Hi to all,
I’ve tried to set the PSKEY_LC_MAX_TX_POWER with the lower value in the POWER TABLE, due to limit the transmitting power of the device. I’ve used the BlueZ bccmd -d hci1 psset 0x0017 0x0000 and it has produced the output message “Can’t execute command: No such device or address (6)”. With the psget command at the same key address I’ve obtained the correct value of 0x0a. The device is a Digicom with the CSR chipset:
root@tambuMacBook:/home/tambu/Desktop/bluez-utils-3.19/tools# ./hciconfig hci1 revision
hci1: Type: USB
BD Address: 00:02:72:42:0B:6B ACL MTU: 192:8 SCO MTU: 64:8
HCI 16.4
Chip version: BlueCore02-External
Max key size: 56 bit
SCO mapping: HCI
Any idea of what’s the problem and corresponding solution?
Thanks to all.
September 19th, 2007 at 8:13 pm
interesting: again, this is a BC02 chip – maybe we have a bug in bccmd here? anyone else who has a BC02?
September 19th, 2007 at 9:04 pm
I’ve tried to do the same in a BlueCore4-ext with the same result. I can read the keys but I can’t write them at all. The device is the internal of a Macbook. I’ve tried to do so under an Ubuntu 7.0.4 with Bluez-lib and Bluez-util installed with Synaptic tool, and using the bccmd of a “native” Bluez-util of the earliest version configured with the --enable-bccmd.
I’m interested to know if there are some usb dongles which are able to set their internal keys without doing anything else. I’d like to know the exact product’s names to buy one of them. Thanks to all.
September 19th, 2007 at 9:58 pm
Ahh… crap! Be sure NOT to copy and paste! The x in hex numbers gets messed up in this blog. don’t know why.
September 25th, 2007 at 5:01 pm
I’ve tried to set one key with the bccmd psset command, but without having success. Any idea?? The dongle is the internal device on my MacBook, which has a BlueCore4-ext chipset. I’ve tried any psstore but nothing works well.
Have you some alternatives to the dongles you’ve tried which seem to work changing the keys? The Fujitsu and Toshiba were not available.
October 1st, 2007 at 4:22 pm
Marco: again, be sure not to copy and paste from this blog, the x in 0×00 isn’t the x your console expects to be. Just type it in manually.
Anyway the only working Dongles are the ones above. I am going to add the Aircable Host XR, but it’s quite expensive.
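Two points from the comments above, combined in one added example (not code from the post or from BlueZ): a command pasted from this page may carry the character U+00D7 where the console expects x, and the -s argument is a bitmask over the stores Andi lists. The psrom bit 0x0004 is an assumption, inferred as the one bit of 0x000F the page leaves blank; check_command and the other names are hypothetical.

```python
import re

MANGLED_X = "\u00d7"  # the multiplication sign the blog substitutes for "x"

# Store bits as listed in the thread. psrom is blank on the page; 0x0004 is
# an assumption here (the remaining bit of 0x000F).
STORES = {0x0008: "psram", 0x0001: "psi", 0x0002: "psf", 0x0004: "psrom"}
SEARCH_ORDER = (0x0008, 0x0001, 0x0002, 0x0004)  # order given for 0x000F

NUMBER = re.compile(r"^(0[xX][0-9a-fA-F]+|[0-9]+)$")


def to_int(token):
    """Accept only plain decimal or 0x-prefixed hex."""
    if not NUMBER.match(token):
        raise ValueError(f"not a number the console will accept: {token!r}")
    return int(token, 16) if token[:2].lower() == "0x" else int(token)


def decode_stores(mask):
    """Name the stores a -s mask selects, in the search order from the thread."""
    if mask == 0 or mask & ~0x000F:
        raise ValueError(f"store mask 0x{mask:04x} names no known store")
    return [STORES[bit] for bit in SEARCH_ORDER if mask & bit]


def check_command(line):
    """Repair and validate a pasted 'bccmd ... psget/psset' line before use."""
    repaired = MANGLED_X in line
    tokens = [t.replace(MANGLED_X, "x") for t in line.split()]
    # Drop the prompt and sudo; keep everything from the bccmd binary onward.
    start = next((i for i, t in enumerate(tokens) if t.endswith("bccmd")), None)
    if start is None:
        raise ValueError("no bccmd invocation found")
    tokens = tokens[start:]
    args = tokens[1:]
    device = None
    if args[:1] == ["-d"]:
        if len(args) < 2:
            raise ValueError("-d needs a device name")
        device, args = args[1], args[2:]
    if not args or args[0] not in ("psget", "psset"):
        raise ValueError("expected psget or psset as the subcommand")
    subcommand, args = args[0], args[1:]
    stores = None
    while args and args[0].startswith("-"):
        if args[0] == "-s":
            if len(args) < 2:
                raise ValueError("-s needs a store mask")
            stores, args = decode_stores(to_int(args[1])), args[2:]
        elif args[0] == "-r":
            args = args[1:]
        else:
            raise ValueError(f"unexpected option {args[0]!r}")
    if not args:
        raise ValueError("missing PS key")
    key, values = to_int(args[0]), [to_int(v) for v in args[1:]]
    if subcommand == "psset" and not values:
        raise ValueError("psset needs a value")
    return {"command": " ".join(tokens), "repaired": repaired, "device": device,
            "subcommand": subcommand, "stores": stores, "key": key,
            "values": values}


if __name__ == "__main__":
    # Constructed input: a psset line as it appears when copied from the page.
    pasted = "$ sudo ./bccmd -d hci0 psset -s 0\u00d70001 0x02be 0x0a12"
    print(check_command(pasted))
```
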
October 3rd, 2007 at 7:36 pm
Do we have any idea if the D-LINK DBT-122 works? I saw that the D-link dbt-120 works but I can’t find it.
October 6th, 2007 at 1:46 pm
Mail from aircable
=====================
Hi Vincent,
The firmware is indeed upgradeable. But if you do, you probably kill it.
We have special modifications in the radio setting that only
work on this high powered hardware. If you miss a single
setting of this you lose the radio.
And we have done a lot to make the AIRcable Host XR this good.
I wouldn’t do that. We have the latest Bluetooth stack there.
There is nothing newer than that.
# hciconfig -a
hci0: Type: USB
BD Address: 00:50:C2:58:50:17 ACL MTU: 310:10 SCO MTU: 64:8
UP RUNNING PSCAN ISCAN AUTH
RX bytes:481474 acl:6894 sco:0 events:36863 errors:0
TX bytes:899372 acl:11014 sco:0 commands:10852 errors:0
Features: 0xff 0xff 0x8f 0xf8 0x1b 0xf8 0x00 0x80
Packet type: DM1 DH1 HV1
Link policy: RSWITCH HOLD SNIFF PARK
Link mode: SLAVE ACCEPT
Name: 'AIRcable Host XR (0)'
Class: 0x3e0100
Service Classes: Networking, Rendering, Capturing
Device Class: Computer, Uncategorized
HCI Ver: 2.0 (0x3) HCI Rev: 0x103b LMP Ver: 2.0 (0x3) LMP Subver: 0x103b
Manufacturer: Cambridge Silicon Radio (10)
# hciconfig hci0 revision
hci0: Type: USB
BD Address: 00:50:C2:58:50:17 ACL MTU: 310:10 SCO MTU: 64:8
Build 4155
Chip version: BlueCore4-External
Max key size: 56 bit
SCO mapping: HCI
Regards
Juergen
Wireless Cables Inc.
October 9th, 2007 at 11:17 am
Dlink DBT-122 are Broadcom dongle.
I’ve found a Fujitsu Siemens Bluetooth v2.0 usb stick and I’d like to reduce the sensing coverage radius to 5-6mt instead of the nominal value. So I’ve set the pskey MAX_TRANSMITTING_POWER (0x017) and DEFAULT_TRANSMITTING_POWER (0x021) to zero. I’ve tried to scan devices through hcitool command but I discover all devices also at 10mt and over.
I’ve tried to set also the Vendor and Product ID like you’ve written in this page, but with lsusb I retrieve always the factory values. I’ve tried to set the keys in all the stores available in 0x00 to 0x0f, but without success.
Any idea?
October 9th, 2007 at 11:06 pm
Did you get an error?
After you set the value, have you tried to read the value again? Did it change?
After you set the value, have you done a warm reset?
December 5th, 2007 at 4:54 am
Hi Martin,
I’m using a Fujitsu-Siemens Bluetooth V2 USB Stick (CSR) under BackTrack 2. I can change the vendor and product id’s without problems using bccmd. However I cannot use dfutool to backup or upgrade the firmware. Every time I try any dfutool operation, after selecting the device, I get the following error:
Can’t identify device with DFU mode
Any guidance will be really appreciated!
December 5th, 2007 at 11:10 am
Solved!
dfutool cannot work properly inside VMWare(v5.5.X). The native VMware USB port emulation (or pass through) interferes with the raw USB access required by dfutool.
December 5th, 2007 at 7:31 pm
For those in the U.S. looking for BC4-Ext based dongles, I just received this one it’s a d-link dbt-120:
http://www.bhphotovideo.com/c/product/311696-REG/D_Link_DBT_120_DBT_120_Wireless_Bluetooth_2_0.html
I haven’t plugged it into my linux box yet as I’m at work, but it’s looking promising, as it has a BC417 chipset and an ST flash chip, it’s the most promising dongle I’ve been able to find in the states yet. I’ll post back with results after I get it home and start working with it.
December 17th, 2007 at 4:02 am
In my previous post I talked about a dongle I had just received. I got it home and got to working on it and…It supports all of the necessary functions for altering the Product ID, Vendor ID, and firmware. If you are looking for a dongle to modify, I can attest that the DBT-120 HW Ver: C1 works 100%.
January 1st, 2008 at 12:37 am
[...] is for ethernet, bluedrift is for Bluetooth. Using a special Bluetooth dongle which is capable of being flashed, you are now able to automatically sniff Bluetooth traffic and extract OBEX data, e.g. electronic [...]
January 5th, 2008 at 6:53 pm
I’ve just bought one from reichelt.de which is a BlueCore4-External:
DELOCK 61478 (Bluetooth Dongle USB Class 2, EDR V2.0, 80m)
a good thing for just 15€ I think.
The other, a DELOCK 61273 unfortunately was a BlueCore4-ROM, even if it was cheaper (6€).
January 18th, 2008 at 11:46 am
I’ve just received several of the DELOCK 61478 dongles, and they all have the BlueCore4-ROM chipset, not the BlueCore4-External, as stated above. Be careful.
I ran hciconfig -a hci0 revision
under Linux Mint.
January 18th, 2008 at 6:17 pm
Further to my last post, I also just received a D-Link DBT-120 Rev C1 today. This does have the BlueCore4-External chipset.
January 19th, 2008 at 7:00 pm
My D-Link DBT-120 is now running as a BT sniffer – WOW! Observations: had to reflash the firmware a 2nd time before calibrate would work properly. The first time I flashed it I was running attached to a USB extension lead, maybe it didn’t like that. I ran DFUtool & bccmd from the Backtrack 2 live-cd, rather than try to get those commands going in Linux Mint. Next job is to fit an MMCX antenna socket…
January 26th, 2008 at 5:32 pm
You are right with the DELOCK Dongles, they changed them. Today I received another one and it is NOT BC4-External.
I’m sorry! – Now I have to look for another inexpensive “external” Type, I should have ordered more than one the first time.
March 27th, 2008 at 11:40 pm
OEM BC4-EXT
i will buy & test
Pawel
March 27th, 2008 at 11:40 pm
http://www.kamami.pl/?id_prod=11502
June 18th, 2008 at 9:01 am
Hey guys
I made a vid a while ago on upgrading the firmware of a fujitsu siemens v2.0 stick bc04-ext.
http://blip.tv/file/815749
And using the hardware in linux.
http://blip.tv/file/952892
July 29th, 2008 at 12:17 pm
a7eng eb502 usb bluetooth dongle.
uses bluecore2 external.
firmware IS upgradable
BUT
will not accept ANY firmware except the a7eng factory firmware.
so do NOT buy it.
And btw, using dfutool to extract the original firmware from the device, will work without errors BUT the firmware file (your backup) will be actually corrupted, and u r not gonna be able to reload with original firmware.
September 3rd, 2008 at 12:24 am
Hi,
i´ve updated my Fujitsu Siemens V2.0 with AirSnifferDev56BC4.dfu , and my dongle is dead:) no reactions on bt3 or XP . what can i do ? Rgs.
September 4th, 2008 at 7:53 pm
child007> hehe, i did exactly same today;)
no reaction on bt3 or XP, but you should be able to use sniffer.c ( or at least I am able). Maybe dev57 will help? you can mail me to share progress.
September 7th, 2008 at 8:11 pm
Please notice:
Frontline seems to have somehow modified their PSKEYs or the Firmware layout. Therefore you can’t use new Firmware versions and flash them on your dongle. Seems to only work with older versions. As of now I can’t say for sure which version is the last one that works. Also have a look at this post.
December 10th, 2008 at 12:05 pm
Hi m8!
I can’t find Siemens dongle and DBT-120 is quite impossible to find!
Have u ever tried DBT-122?! Thank u for attention!
January 9th, 2009 at 6:35 pm
Narf – 2nd try …
Hello everybody!
I’ve destroyed my Fujitsu Stick with flashing AirSnifferDev59BC4.dfu. Before I checked the chipset – BC4-External.
Any ideas to reactivate the stick? Maybe by flashing it externally? – I have a backup dfu file.
I would appreciate your help a lot!! It was hard work to find and buy this stick.
Thanks in advance!
pììt
January 11th, 2009 at 11:21 pm
Hi piit!
I think AirSnifferDev59BC4.dfu is quite a new firmware. As I already pointed out before, frontline might have changed something in the layout of the firmware.
You can use the SPI connector to flash the dongle, but I do not know if there is an SPI connector on the Fujitsu dongle.
For flashing the bricked dongle have a look at this post: http://www.evilgenius.de/2007/06/11/de-bricking-your-bluetooth-dongle/
January 16th, 2009 at 4:41 pm
Hi hosh,
Thanks for your reply. After I’ve written my post I saw the article about de-bricking.
Unfortunately I can’t find some SPI pins. There are some testpoints but I don’t know the functions of them. Also I don’t have access to casira tool kit. So no chance to get this dongle back to life for me.
I’ve found and bought another Fujitsu dongle. Hopefully it arrives soon.
What is the latest correct Firmware to use? Could anyone provide this file?
Best regards,
pììt
January 25th, 2009 at 1:51 pm
If anybody else searches for the correct firmware … google is your friend … “Frontline.Bluetooth.Sniffer.v5.6.9.0.rar”
Best regards,
pììt
March 23rd, 2009 at 7:46 pm
Hi
I am looking for a BC4-External bt dongle.
I guess the Trendnet TBW-104UB is the one I need.
Can any one confirm?
Thanks
Regards
dhcmega
March 23rd, 2009 at 7:47 pm
device info:
lsusb
Bus 004 Device 002: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
hciconfig -a hci0
hci0: Type: USB
BD Address: 00:11:F6:0A:F4:85 ACL MTU: 310:10 SCO MTU: 64:8
UP RUNNING PSCAN ISCAN
RX bytes:964 acl:0 sco:0 events:26 errors:0
TX bytes:351 acl:0 sco:0 commands:25 errors:0
Features: 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH HOLD SNIFF PARK
Link mode: SLAVE ACCEPT
Name: 'localhost.localdomain-0'
Class: 0x000104
Service Classes: Unspecified
Device Class: Computer, Desktop workstation
HCI Ver: 2.0 (0x3) HCI Rev: 0xc5c LMP Ver: 2.0 (0x3) LMP Subver: 0xc5c
Manufacturer: Cambridge Silicon Radio (10)
March 23rd, 2009 at 8:21 pm
How can I increase the working range? Besides gain antenna, firmware?
Thanks
dhcmega
March 29th, 2009 at 5:04 am
hi
anyone know where i can get airsnifferdev46bc2.dfu? i have AirSnifferDev56BC4.dfu but it dont work with my d-link 120 thanks…
April 1st, 2009 at 7:58 am
For those who have a BT-120. CHECK YOUR HARDWARE!
If you have a BC2 then use Airsnifferdev4Xbc2.dfu.
If you have a BC3 then use a……..4Xbc3.dfu.
And if you have a BC4 then use the file with bc4.dfu at the end.
I couldn’t get the bc4 to work, figured it was due to me having the bc2 hardware and voilà!
Now how can I get this thing to capture raw data without specifying a master:slave combo?!!?!
Also, anyone working on a spectrum analyzer application for use with a modified dongle?
April 28th, 2009 at 8:13 pm
Would it be possible to use these kinds of modules for sniffing? These are BC4 with external flash.
http://www.seeedstudio.com/depot/serial-port-bluetooth-module-p-279.html
http://www.sureelectronics.net/goods.php?id=699
(These things can also be found on ebay for $17.99 from the same seller)
June 21st, 2009 at 3:34 pm
Hi,
I bought a D-Link DBT-120 revision B4 (Bluecore2-External) and tried to flash it.
First I created a backup dfu.
I changed the product and vendor ID and it showed: UP RUNNING RAW and the RX/TX bytes rising.
Then I flashed it with airsnifferdev46bc2.dfu and it still showed: UP RUNNING RAW.
But after I re-plugged the dongle, it was dead …
Linux (Ubuntu and BT3) doesn’t show it in lsusb or hciconfig. And Windows XP only shows: USB device was not recognized (unknown device).
And I’m not able to re-flash it with my backup dfu: Can’t find any dfu devices
Anybody an idea why this happened? I thought the airsniffer with bc2 at the end is the right firmware…
Help would be great! Thanks.
June 26th, 2009 at 4:13 am
Used a DBT-120. Set the vendor and product ID with DFU. Did that on linux. Switched over to windows. Downloaded frontline. Went to update dongle firmware with the frontline maintenance utility: get USB error, blah blah could not be accessed. The device may be in use by another application. Ideas?
June 28th, 2009 at 2:36 pm
Hey jen,
I had the same problem with my second DBT-120 B4. I got the same error as you. I clicked OK and tried it again later. It worked at the second try.
This time I flashed it on windows with the airsnifferdev47bc2.dfu and … now it’s working ;D
July 13th, 2009 at 2:22 pm
Some quick observations:
* A new DeLock 61478 (BT V2.0 Class 2, ModelNo. MDB-C4.20-2) has BlueCore4-ROM – sadly unusable
* An old Belkin F8T003 has BlueCore2-Ext, but when flashing with v2 firmware everything looks fine – RAW capability, RX/TX packet counter increasing – but it does not sniffer (via frontline -e). Has anyone actually managed a successful sniffing with BlueCore2 hardware? So far I’ve only seen definitive proof for BlueCore4…
- mS
July 27th, 2009 at 12:52 pm
* The 3com 3REB96B has BlueCore2-Ext and has the same problems as the Belkin F8T003. I’d advise to keep clear of BlueCore2-Ext dongles, unless someone manages to patch the firmware…
August 8th, 2009 at 8:33 am
I am sorry I am not a programmer and Linux-expert.
Could someone list tool-names that run on windows?
I am not sure I even need to flash new firmware; although I would like tool-names for that.
But I am specifically interested in finding a windoze tool which displays signal-strength with good resolution, and reasonably fast update.
The signal-level display in the terrible Widcomm stack is really abysmal. Slooowwww update, and resolution is so bad it only has 4 levels…LOL
I am working on antenna tuning and positioning of various audio-links.
thanks much everyone,
grub
October 7th, 2009 at 4:08 pm
Hi,
I’m trying to set maximum transmit power bluetooth module (Free2Move 03GX). I know
bccmd Linux command, but using it, power didn’t change:
I’ve send
./bccmd psset 17 18
where 17 is pskey ‘Maximum transmit power’ and 18 is power value that
I want to set.
I’ve not any error but if I use my power
meter anything change.
(bccmd singlechan command work correctly)
Can you help me please? I’m student in Pisa
(Italy).
Thanks,
Alberto Vigolo
October 30th, 2009 at 11:39 am
I am in South Africa and I am looking for a bluecore1 dongle. Is there anybody who has it in South Africa? I am really looking for it.
October 30th, 2009 at 12:07 pm
can someone write for me steps on changing the transmission range of bluecore4 from class 2 to class 3(less than 1m communication)
April 30th, 2010 at 7:38 am
There is any improvement of usability of the bluetooth device (BlueCore2DBT120) over the old firmwares? Not to sniff, but to use as a normal device, it would be somehow “upgraded” by this firmware? I actually use the 18.2 HCI from apple 1.2 update and that’s just terrible regarding a2dp (indeed has the hid function).
Can someone give a tip if installing this will serve for the user-only as an improvement? if not, where could i get the latest firmware to BlueCore2??
September 24th, 2010 at 4:06 pm
Hi guys,
I also have a D-link DBT-120 with bluecore02-ext and i confirm that I have patched successfully with bc2 firmware.
I also confirm testing it on windows for sniffing but I cannot make it work under linux for sniffing.
Any ideas?
Is it the frontline (or the csr_sniffer) code that does not work with bluecore02 devices?
February 13th, 2011 at 3:33 am
Out of my own research looking for something that was initially used in the same way as most of these dongles are hoped to be used. Hospitals use hand held scanners for bar codes, etc. Socket Communications is a company that supplies some hospitals with equipment to talk to these scanning devices wirelessly. They use a Scanner Companion for this, and it’s a bluetooth usb dongle with a BC04-EXT (BlueCore4 external (memory) chip. For this specific purpose of scanning for devices in a professional environment, Socket Communications had asked CSR to partner with them for the term of this product. BL4543-734<————–product/manufacturer #. You may find some that have a different model #, but this is the one that I know has the BC04-EXT.
Of course you can bash me for the history lesson, its the internet:)
August 1st, 2011 at 3:18 pm
Acid190,
i’ve bought the BL4543-734 but i tried to push firmware and it’s not went well, which firmware did you used for is, and can you send it to
roee83 at gmail dot com.
thanks alot!
August 2nd, 2011 at 9:31 am
did any one managed to make the sniffer of BL4543-734 if yes please send me the dfu file you used to roee83 at gamil dot com, thanks alot!
September 8th, 2011 at 9:43 am
[...] is valuable information about BlueCore2-ext dongles and BlueCore4-ext dongles on that blog and that forum [...]
January 22nd, 2012 at 6:42 pm
Hello,
Newbie question… What tool are you using to display a dongle’s chipset and internally, as posted above?
I have some ingles i’d like to check.
I’m up interested in repurposing cheap BT dongles for a project i have in mind. I’ll be needing to dissassemble / reassemble software changes to activate I/O pins on disconnect. Or else I’ll have to add a low power, small mcu to do the work (inelegant).
Any pointers to info on hacking the code on these chipsets, like the bluecore-4 ext, or KC-22 is greatly appreciated.
Thanks
Kevin
January 22nd, 2012 at 6:47 pm
Corrected!!!
Newbie questions… (1) What tool are you using to display a dongle’s chipset and internally, as posted above?
I have some dongles I’d like to check out.
I’m up interested in repurposing cheap BT dongles for a project I have in mind. I’ll be needing to disassemble / reassemble software changes to activate I/O pins on disconnect of a BT pair. Or else I’ll have to add a low power, small mcu to do the work (inelegant, expensive, power hungry, real estate).
(2) Any pointers to information, how-to’s, tools, etc. on hacking the code of these chipsets, like the bluecore-4 ext, or KC-22, or others is greatly appreciated.
Thanks
Kevin