Bluetooth Dongle with CSR chipset and flash or external memory using Flash

These are some Bluetooth dongles that support changing the firmware with dfutool and tuning with bccmd. There is no guarantee that they still support flashing and tuning when you buy them, because vendors often change the hardware without further notice.

Fujitsu Siemens
BLUETOOTH V2.0 USB-Stick

Cellink BTA-6030 Bluetooth Adapter

Other dongles which seem to work (see the comments on this article; not verified):

Toshiba PA3455U-1BTM
Linksys USBBT100 (newer ones have Broadcom chipset, older ones CSR but only Bluetooth 1.1)
Aircable Host XR

80 thoughts on “Bluetooth Dongle with CSR chipset and flash or external memory using Flash”

  1. pretty interesting since it has external antenna. but i think this is not BT 2.0 + EDR?
    Anyway, feel free to add further dongles that have a CSR chipset and support DFU.

  2. Hi there

    Fujitsu Siemens BLUETOOTH V2.0 USB-Stick:
    —————————————–
    Reading firmware -> possible
    Backup firmware -> possible
    Writing new firmware -> (i guess) impossible
    Reading key entries -> possible
    Change key entries -> impossible

    $ lsusb

    Bus 002 Device 006: ID 0bf8:1003 Fujitsu Siemens Computers (!)

    sudo hciconfig -a
    hci0: Type: USB
    BD Address: 00:XX:XX:XX:X:XX ACL MTU: 384:8 SCO MTU: 64:8
    UP RUNNING PSCAN ISCAN
    RX bytes:401 acl:0 sco:0 events:18 errors:0
    TX bytes:317 acl:0 sco:0 commands:17 errors:0
    Features: 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
    Link policy: RSWITCH HOLD SNIFF PARK
    Link mode: SLAVE ACCEPT
    Name: ‘IBM-0’
    Class: 0x3e0100
    Service Classes: Networking, Rendering, Capturing, Object Transfer, Audio
    Device Class: Computer, Uncategorized
    HCI Ver: 2.0 (0x3) HCI Rev: 0x77b LMP Ver: 2.0 (0x3) LMP Subver: 0x77b
    Manufacturer: Cambridge Silicon Radio (10)(!!!)

    Due to the fact that the important keys are not changeable, no test of modifying firmware was done.

    Cellink BTA-6030 Bluetooth Adapter
    ———————————-
    not available anymore so no testing (bad luck)

    Linksys USBBT100
    —————-
    Neither reading or writing is possible.
    (Version 2. manufactured 46/2006)
    +++
    (2 different dongles tested, both Version 2. One was purchased in 2005, but the data on it are not known at this time of writing)

    $ sudo ./bccmd -d hci0 pslist
    Unsupported manufacturer

    $ sudo hciconfig -a
    hci0: Type: USB
    BD Address: 00:16:B6:XX:XX:XX ACL MTU: 377:10 SCO MTU: 64:8
    UP RUNNING PSCAN ISCAN
    RX bytes:435 acl:0 sco:0 events:20 errors:0
    TX bytes:325 acl:0 sco:0 commands:20 errors:0
    Features: 0xff 0xfe 0x0d 0x38 0x08 0x08 0x00 0x00
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
    Link policy: RSWITCH HOLD SNIFF PARK
    Link mode: SLAVE ACCEPT
    Name: ‘IBM-0’
    Class: 0x3e0100
    Service Classes: Networking, Rendering, Capturing, Object Transfer, Audio
    Device Class: Computer, Uncategorized
    HCI Ver: 1.2 (0x2) HCI Rev: 0x0 LMP Ver: 1.2 (0x2) LMP Subver: 0x309
    Manufacturer: Broadcom Corporation (15)

    $ sudo ./dfutool -d hci0 archive LinksysBTFirmware.dfu
    Can't find any DFU devices

    +++++++++++++++++++++++++++++++++++++++++++++++++++

    All described dongles purchased on 04/07. Any other working dongles known ??? Or is there any other Hint. Thx in advance.

    Greets

    Andi

  3. As you can see, the Linksys USBBT100 is a Broadcom version. bccmd won’t work with Broadcom since it is vendor specific and only works with CSR.

    The command “hcitool revision hci0” gives us further information about a chipset:

    $ sudo hciconfig hci0 revision
    hci0: Type: USB
    BD Address: 00:DE:AD:BE:AF:00 ACL MTU: 384:8 SCO MTU: 64:8
    HCI 19.2
    Chip version: BlueCore4-External
    Max key size: 56 bit
    SCO mapping: HCI

    BlueCore4-External is good and means that the Chip is connected to external memory, which should be flash memory. BlueCore4-ROM is bad. If you are unsure just open your dongle.

    This is what my Fujitsu looks like. Your output of lsusb and hciconfig looks very good. The same here. The vendor information provided by lsusb is independent of the information from hciconfig. Just continue. 🙂
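The checks from the comments above (manufacturer must be CSR for bccmd, and the chip version must end in -External rather than -ROM for firmware updates) can be applied to several adapters at once. This is an added example, not part of the original article or its comments; the sample text is constructed from the listings quoted here, and the function names are hypothetical.

```python
import re

CSR_COMPANY_ID = 10  # hciconfig prints "Cambridge Silicon Radio (10)"

# Constructed sample: `hciconfig -a` plus `hciconfig hciX revision` output for
# three adapters, shortened from the listings in the comments (addresses masked).
SAMPLE = """\
hci0: Type: USB
    BD Address: 00:XX:XX:XX:XX:XX ACL MTU: 384:8 SCO MTU: 64:8
    Manufacturer: Cambridge Silicon Radio (10)
hci1: Type: USB
    BD Address: 00:XX:XX:XX:XX:XX ACL MTU: 377:10 SCO MTU: 64:8
    Manufacturer: Broadcom Corporation (15)
hci2: Type: USB
    BD Address: 00:XX:XX:XX:XX:XX ACL MTU: 310:10 SCO MTU: 64:8
    Manufacturer: Cambridge Silicon Radio (10)
hci0: Type: USB
    HCI 19.2
    Chip version: BlueCore4-External
hci2: Type: USB
    Unified 21e
    Chip version: BlueCore4-ROM
"""


def parse_hciconfig(text):
    """Merge Manufacturer and Chip version fields per hciX interface."""
    devices, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*(hci\d+):", line)
        if head:
            current = devices.setdefault(head.group(1), {})
            continue
        if current is None:
            continue  # ignore anything before the first interface header
        man = re.match(r"\s*Manufacturer:\s*(.+?)\s*\((\d+)\)", line)
        chip = re.match(r"\s*Chip version:\s*(\S+)", line)
        if man:
            current["company_id"] = int(man.group(2))
        elif chip:
            current["chip"] = chip.group(1)
    return devices


def triage(text):
    """Map each interface to a verdict, following the rules given in the comments."""
    verdicts = {}
    for iface, info in parse_hciconfig(text).items():
        chip = info.get("chip", "")
        if "company_id" not in info:
            verdicts[iface] = "manufacturer unknown: run hciconfig -a"
        elif info["company_id"] != CSR_COMPANY_ID:
            verdicts[iface] = "not CSR: bccmd will not work"
        elif chip.endswith("-External"):
            verdicts[iface] = "CSR, external memory: candidate for dfutool and bccmd"
        elif chip.endswith("-ROM"):
            verdicts[iface] = "CSR, ROM: no firmware update, PSKEYs only"
        else:
            verdicts[iface] = "CSR, chip version unknown: run hciconfig revision"
    return verdicts


if __name__ == "__main__":
    for iface, verdict in sorted(triage(SAMPLE).items()):
        print(iface, "->", verdict)
```

A "candidate" verdict is only a first filter: as the article notes, vendors change the hardware without notice, so the result applies to the unit tested and not to the product name.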

  4. Fujitsu Siemens BLUETOOTH V2.0 USB-Stick works for me.
    I could change the product ID and vendor keys and load new firmware.
    Keys are stored in psi (0x0001) instead of psf (0x0002):
    bccmd -d hci0 psset -s 0x0001 0x02bf 0x0002
    bccmd -d hci0 psset -s 0x0001 0x02be 0x0a12

  5. Hi all,

    here´s how i managed to change key entries on a Fujitsu Siemens BLUETOOTH V2.0 USB-Stick:

    Some checks and how the output should be:

    $ sudo hciconfig -a hci0 revision
    hci0: Type: USB
    BD Address: 00:XX:XX:XX:XX:XX ACL MTU: 0:0 SCO MTU: 0:0
    HCI 19.2
    Chip version: BlueCore4-External //important thx to Martin
    Max key size: 56 bit
    SCO mapping: HCI

    $ lsusb
    Bus 005 Device 001: ID 0000:0000
    Bus 004 Device 001: ID 0000:0000
    Bus 003 Device 001: ID 0000:0000
    Bus 002 Device 006: ID 0bf8:1003 Fujitsu Siemens Computers
    Bus 002 Device 001: ID 0000:0000
    Bus 001 Device 001: ID 0000:0000

    $ sudo ./bccmd memtypes
    psi (0x0001) = Flash memory (0)
    psf (0x0002) = Flash memory (0)
    psram (0x0008) = RAM (transient) (2)

    In our case psi (0x0001) is important. Thx to Sven

    Here we start changing keys
    ===========================

    +++++++++++++++++++++++ 1 +++++++++++++++++++++++++++
    $ sudo ./bccmd -d hci0 psget -s 0x000f 0x02be
    USB vendor identifier: 0x0bf8 (3064) //original

    $ sudo ./bccmd -d hci0 psset -s 0x0001 0x02be 0x0a12
    (no output)

    $ sudo ./bccmd -d hci0 psget -s 0x000f 0x02be
    USB vendor identifier: 0x0a12 (2578) //new !

    +++++++++++++++++++++++ 2 +++++++++++++++++++++++++++

    $ sudo ./bccmd -d hci0 psget -s 0x000f 0x02bf
    USB product identifier: 0x1003 (4099) //original

    $ sudo ./bccmd -d hci0 psset -s 0x0001 0x02bf 0x0002
    (no output)

    $ sudo ./bccmd -d hci0 psget -s 0x000f 0x02bf
    USB product identifier: 0x0002 (2) //new

    +++++++++++++++++++++++++++++++++++++++++++++++++++++

    $ lsusb
    Bus 005 Device 001: ID 0000:0000
    Bus 004 Device 001: ID 0000:0000
    Bus 003 Device 001: ID 0000:0000
    Bus 002 Device 003: ID 0a12:0002 Cambridge Silicon Radio, Ltd //new ! 🙂
    Bus 002 Device 001: ID 0000:0000
    Bus 001 Device 001: ID 0000:0000
    —————————————————+

    Hope this may help somebody who also owned this dongle.

    Greetings

    Andi

  6. Hi,
    i’ve a MSI BToes 2.0 ERD.

    hciconfig hci0 revision
    hci0: Type: USB
    BD Address: 00:15:83:BA:84:8B ACL MTU: 0:0 SCO MTU: 0:0
    Unified 21e
    Chip version: BlueCore4-ROM
    Max key size: 128 bit
    SCO mapping: HCI

    Can i use this dongle? Because it only has BlueCore4-ROM?
    Thx
    Asgard

  7. you can’t update the firmware because of the ROM. What you can do, is play around with your PSKEYs using bccmd.
    But be careful! When you modify the keys, you might brick your dongle!

  8. HI,
    thanks for the information!
    What are the PSKEYs exactly for?
    What can i do with this keys?

    Thanks for your help!

    Greetings
    Asgard

  9. Hi there,

    I worked through the BlueCore BCCMD commands specification from CSR. One thing I'm still wondering is how you know in which memory block of the persistent store we had to change the PS keys. Was it trial and error, or is there any reference for this? Maybe I've overlooked something. At the moment this isn't clearly visible to me. I don't get the differences between Implementation Configuration: psi and Factory Configuration: psf, except for the intention of these memory units. Maybe the different ACL numbers are an indicator?

    thx in advance for feedback.

    Greetings Andi

  10. I'm not quite sure. For me it was a little trial and error. I think it might be firmware dependent which store to use. One firmware I was using completely ignored a certain pskey.
    Without looking into the spec, I believe psf is read-only, isn't it? Keep us informed if you find something out.

  11. !Corrected Version

    Hi Martin and others,

    i´ve read through the “BCCMD Commands” once again. Sadly CSR encrypted the document with 128 Bit rc4 so no copy-paste 🙁 Anyway, here are some interesting statements:
    1. The database are primarily used to configure many elements of the firmware … [p. 28]
    2. PSI & PSF store data in an EEPROM or in a flash memory. [p. 29]
    3. MAYBE THE IMPORTANT THING: The values initially lie in the psi library, but a bccmd moves these values to the psf store … [p. 30]

    Maybe only the bccmd interpreter decides where to store the data on the chip? But actually this can´t be true. If we take a look at the bccmd help we see :

    psset [-r] [-s ] [stores] [key] value

    We have to set where to write the key.
    The Persistent store on the chip is subdivided in

    1. psram (RAM) = 0x0008
    2. psi (Flash or EEPROM) = 0x0001
    3. psf (Flash or EEPROM) = 0x0002
    4. psrom (ROM) = ——-

    But if we use 0x000F the stores will be searched as follows: psram, psi, psf and at last psrom …

    Summary:
    ========
    I think the firmware does not decide where to store a key. The psf storage holds no values by default. The behavior of a firmware can be changed with entries in the psf. The psi storage comes one step before the psf storage. Maybe this is also a hint for using psi … *confused*

    Some comments ?
    thx for reply

    Greets

    Andi

    p.s. please delete my first two postings.
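The search order described in the comment above (psram, then psi, then psf, then psrom when reading with 0x000F) can be modelled to see what a read returns after a write to a given store. This is an added sketch, not code from the original page or from BlueZ; the class and function names are hypothetical, the 0x0004 bit for psrom is an assumption (the page does not give it), and requiring exactly one store bit for a write is a simplification of the model.

```python
# Store bits as printed by `bccmd memtypes` in the comments; the psrom bit is
# not shown on the page, 0x0004 is an assumption of this model.
PSI, PSF, PSROM, PSRAM = 0x0001, 0x0002, 0x0004, 0x0008
SEARCH_ORDER = (("psram", PSRAM), ("psi", PSI), ("psf", PSF), ("psrom", PSROM))

USB_VENDOR_ID_KEY = 0x02BE  # key read and written in the comments


def decode_stores(mask):
    """Names of the stores selected by a -s bitmask, in search order."""
    return [name for name, bit in SEARCH_ORDER if mask & bit]


class PersistentStoreModel:
    """Layered key/value model of the persistent store (not the real chip)."""

    def __init__(self, psi=None, psf=None, psrom=None):
        self.layers = {"psram": {}, "psi": dict(psi or {}),
                       "psf": dict(psf or {}), "psrom": dict(psrom or {})}

    def psget(self, key, stores=0x000F):
        # The first selected store that holds the key wins.
        for name in decode_stores(stores):
            if key in self.layers[name]:
                return name, self.layers[name][key]
        return None

    def psset(self, key, value, stores):
        targets = decode_stores(stores)
        if len(targets) != 1:
            raise ValueError("model expects exactly one store bit for a write")
        if targets[0] == "psrom":
            raise ValueError("psrom is read-only")
        self.layers[targets[0]][key] = value

    def power_cycle(self):
        # psram is reported as "RAM (transient)": its content is lost.
        self.layers["psram"].clear()


def demo():
    """Vendor ID initially in psi, as reported for the Fujitsu Siemens stick."""
    chip = PersistentStoreModel(psi={USB_VENDOR_ID_KEY: 0x0BF8})
    seen = [chip.psget(USB_VENDOR_ID_KEY)]
    chip.psset(USB_VENDOR_ID_KEY, 0x0A12, PSF)     # psi still shadows psf
    seen.append(chip.psget(USB_VENDOR_ID_KEY))
    chip.psset(USB_VENDOR_ID_KEY, 0x0A12, PSI)     # now visible through 0x000F
    seen.append(chip.psget(USB_VENDOR_ID_KEY))
    chip.psset(USB_VENDOR_ID_KEY, 0x1234, PSRAM)   # transient override
    seen.append(chip.psget(USB_VENDOR_ID_KEY))
    chip.power_cycle()
    seen.append(chip.psget(USB_VENDOR_ID_KEY))
    return seen


if __name__ == "__main__":
    for store, value in demo():
        print(f"{store}: 0x{value:04x}")
```

In this model a value written to psf stays invisible to a 0x000F read for as long as psi holds the same key, which is one reason to read a key back with the same -s mask after every write.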

  12. I can confirm that the USB Bluetooth V2.0 + EDR Toshiba adaptor (PA3455U-1BTM) works perfectly.

    It uses the CSR BlueCore4-External chip and stores keys in PSI.

    I have been able to set USB PID and VID, and upload new firmware.

  13. I tried different CSR bluetooth sticks without luck. The command bccmd with psset always returns the following error:
    Can't execute command: No such device or address (6).
    Is it a problem with my installation or do all the sticks I tried do not work for this?

  14. Alex, I am not sure about the exact reason. Do you run bccmd as root? Do you have more than one dongle connected to your PC and forgot to use the -d option?

  15. I am from the USA and have no access to buying the Fujitsu Siemens
    BLUETOOTH V2.0 USB-Stick. Does any one know where I can buy one?

  16. I’ve been trying to find DFU compatible bluetooth dongles here in the U.S. but with no luck, the closest thing I’ve come to is finding two BC4-ROM based ones. They support changes to the PSkeys and BTaddr, but for obvious reasons cannot be reflashed.

    Does anyone know of any dongles available in the U.S. that have the BC4-Ext chip (BC417)? I’ve been searching for the better part of 6 months with no luck. All the ones that are listed as DFU compatible above are out of stock or no longer carried by U.S. retailers.

    Any help would be much appreciated!

  17. Hi, I have an interesting device that I’m messing with:
    http://www.a7eng.com/products/embeddedblue/hci/eb502-HCI.htm
    My output is as follows:
    hci0: Type: USB
    BD Address: 00:0C:84:00:37:EA ACL MTU: 192:8 SCO MTU: 64:8
    HCI 18.2
    Chip version: BlueCore02-External
    Max key size: 56 bit
    SCO mapping: HCI

    sudo bccmd memtypes
    psi (0x0001) = Flash memory (0)
    psf (0x0002) = Flash memory (0)
    psram (0x0008) = RAM (transient) (2)

    hci0: Type: USB
    BD Address: 00:0C:84:00:37:EA ACL MTU: 192:8 SCO MTU: 64:8
    UP RUNNING PSCAN ISCAN
    RX bytes:5882 acl:0 sco:0 events:258 errors:0
    TX bytes:3113 acl:0 sco:0 commands:200 errors:0
    Features: 0xff 0xff 0x8f 0x78 0x18 0x18 0x00 0x80
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
    Link policy: RSWITCH HOLD SNIFF PARK
    Link mode: SLAVE ACCEPT
    Name: ‘BlueZ (0)’
    Class: 0x000100
    Service Classes: Unspecified
    Device Class: Computer, Uncategorized
    HCI Ver: 1.2 (0x2) HCI Rev: 0x5df LMP Ver: 1.2 (0x2) LMP Subver: 0x5df
    Manufacturer: Cambridge Silicon Radio (10)

    but when I go to replace my vendor ID I get the following (no matter WHERE I try to put it)
    sudo bccmd -d hci0 psset -s 0x0001 0x02bf 0x0002
    Can't execute command: No such device or address (6)

    Any clues? or should I try a different dongle?

    –Andrew

  18. Your Chip version: BlueCore02-External
    Our Chip version: BlueCore4-External

    I don't have a BlueCore02-External based dongle so I can't test it, but I'm quite sure BlueCore02 has another configuration than V4 has. Maybe the buildup of the store is totally different…
    Try to look at the csr specs

    Greets

    Andi

  19. Hi to all,
    i’ve tried to set the PSKEY_LC_MAX_TX_POWER with the lower value in the POWER TABLE, due to limit the transmitting power of the device. I’ve used the BlueZ bccmd -d hci1 psset 0x0017 0x0000 and it has produced the output message “Can’t execute command: No such device or address (6)”. With the psget command at the same key address i’ve obtained the correct value of 0x0a. The device is a Digicom with the CSR chipset:

    root@tambuMacBook:/home/tambu/Desktop/bluez-utils-3.19/tools# ./hciconfig hci1 revision
    hci1: Type: USB
    BD Address: 00:02:72:42:0B:6B ACL MTU: 192:8 SCO MTU: 64:8
    HCI 16.4
    Chip version: BlueCore02-External
    Max key size: 56 bit
    SCO mapping: HCI

    Any idea of what’s the problem and corresponding solution?

    Thanks to all.

  20. I've tried to do the same in a BlueCore4-ext with the same result. I can read the keys but I can't write them at all. The device is the internal one of a MacBook. I've tried to do so under an Ubuntu 7.0.4 with Bluez-lib and Bluez-util installed with the Synaptic tool, and using the bccmd of a “native” Bluez-util of the earliest version configured with --enable-bccmd.
    I'm interested to know if there are some USB dongles which are able to set their internal keys without doing anything else. I'd like to know the exact product names to buy one of them. Thanks to all.

  21. I've tried to set one key with the bccmd psset command, but without success. Any idea? The dongle is the internal device on my MacBook, which has a BlueCore4-ext chipset. I've tried every psstore but nothing works well.

    Do you have some alternatives to the dongles you've tried which seem to work for changing the keys? The Fujitsu and Toshiba were not available.

  22. Marco: again, be sure not to copy and paste from this blog, the x in 0x00 isn’t the x your console expects to be. Just type it in manually.

    Anyway the only working Dongles are the ones above. I am going to add the Aircable Host XR, but it’s quite expensive.

  23. Do we have any idea if the D-LINK DBT-122 works? I saw that the D-Link DBT-120 works but I can't find it.

  24. Mail from aircable
    =====================
    Hi Vincent,

    The firmware is indeed upgradeable. But if you do, you probably kill it.

    We have special modifications in the radio setting that only
    work on this high powered hardware. If you miss a single
    setting of this you lose the radio.

    And we have done a lot to make the AIRcable Host XR this good.

    I wouldn’t do that. We have the latest Bluetooth stack there.
    There is nothing newer than that.

    # hciconfig -a
    hci0: Type: USB
    BD Address: 00:50:C2:58:50:17 ACL MTU: 310:10 SCO MTU: 64:8
    UP RUNNING PSCAN ISCAN AUTH
    RX bytes:481474 acl:6894 sco:0 events:36863 errors:0
    TX bytes:899372 acl:11014 sco:0 commands:10852 errors:0
    Features: 0xff 0xff 0x8f 0xf8 0x1b 0xf8 0x00 0x80
    Packet type: DM1 DH1 HV1
    Link policy: RSWITCH HOLD SNIFF PARK
    Link mode: SLAVE ACCEPT
    Name: ‘AIRcable Host XR (0)’
    Class: 0x3e0100
    Service Classes: Networking, Rendering, Capturing
    Device Class: Computer, Uncategorized
    HCI Ver: 2.0 (0x3) HCI Rev: 0x103b LMP Ver: 2.0 (0x3) LMP Subver: 0x103b

    Manufacturer: Cambridge Silicon Radio (10)

    # hciconfig hci0 revision
    hci0: Type: USB
    BD Address: 00:50:C2:58:50:17 ACL MTU: 310:10 SCO MTU: 64:8
    Build 4155
    Chip version: BlueCore4-External
    Max key size: 56 bit
    SCO mapping: HCI

    Regards
    Juergen
    Wireless Cables Inc.

  25. Dlink DBT-122 are Broadcom dongle.

    I've found a Fujitsu Siemens Bluetooth v2.0 USB stick and I'd like to reduce the sensing coverage radius to 5-6mt instead of the nominal value. So I've set the pskeys MAX_TRANSMITTING_POWER (0x017) and DEFAULT_TRANSMITTING_POWER (0x021) to zero. I've tried to scan devices through the hcitool command but I discover all devices also at 10mt and over.

    I've also tried to set the Vendor and Product ID like you've written on this page, but with lsusb I always retrieve the factory values. I've tried to set the keys in all the stores available from 0x00 to 0x0f, but without success.

    Any idea?

  26. Did you get an error?
    After you set the value, have you tried to read the value again? Did it change?
    After you set the value, have you done a warm reset?

  27. Hi Martin,
    I’m using a Fujitsu-Siemens Bluetooth V2 USB Stick (CSR) under BackTrack 2. I can change the vendor and product id’s without problems using bccmd. However I cannot use dfutool to backup or upgrade the firmware. Every time I try any dfutool operation, after selecting the device, I get the following error:

    Can't identify device with DFU mode

    Any guidance will be really appreciated!

  28. Solved!

    dfutool cannot work properly inside VMWare(v5.5.X). The native VMware USB port emulation (or pass through) interferes with the raw USB access required by dfutool.

  29. For those in the U.S. looking for BC4-Ext based dongles, I just received this one it’s a d-link dbt-120:

    http://www.bhphotovideo.com/c/product/311696-REG/D_Link_DBT_120_DBT_120_Wireless_Bluetooth_2_0.html

    I haven’t plugged it into my linux box yet as I’m at work, but it’s looking promising, as it has a BC417 chipset and an ST flash chip, it’s the most promising dongle I’ve been able to find in the states yet. I’ll post back with results after I get it home and start working with it.

  30. In my previous post I talked about a dongle I had just received. I got it home and got to working on it and…It supports all of the necessary functions for altering the Product ID, Vendor ID, and firmware. If you are looking for a dongle to modify, I can attest that the DBT-120 HW Ver: C1 works 100%.

  31. I’ve just bought one from reichelt.de which is a BlueCore4-External:
    DELOCK 61478 (Bluetooth Dongle USB Class 2, EDR V2.0, 80m)
    a good thing for just 15€ I think.

    The other, a DELOCK 61273 unfortunately was a BlueCore4-ROM, even if it was cheaper (6€).

  32. I’ve just received several of the DELOCK 61478 dongles, and they all have the BlueCore4-ROM chipset, not the BlueCore4-External, as stated above. Be careful.

    I ran hciconfig -a hci0 revision
    under Linux Mint.

  33. Further to my last post, I also just received a D-Link DBT-120 Rev C1 today. This does have the BlueCore4-External chipset.

  34. My D-Link DBT-120 is now running as a BT sniffer – WOW! Observations: had to reflash the firmware a 2nd time before calibrate would work properly. The first time I flashed it I was running attached to a USB extension lead, maybe it didn’t like that. I ran DFUtool & bccmd from the Backtrack 2 live-cd, rather than try to get those commands going in Linux Mint. Next job is to fit an MMCX antenna socket…

  35. You are right with the DELOCK Dongles, they changed them. Today I received another one and it is NOT BC4-External.
    I’m sorry! – Now I have to look for another inexpensive “external” Type, I should have ordered more than one the first time.

  36. a7eng eb502 usb bluetooth dongle.
    uses bluecore2 external.
    firmware IS upgradable
    BUT
    will not accept ANY firmware except the a7eng factory firmware.
    so do NOT buy it.
    And btw, using dfutool to extract the original firmware from the device will work without errors BUT the firmware file (your backup) will actually be corrupted, and u r not gonna be able to reload the original firmware.

  37. Hi,
    i´ve updated my Fujitsu Siemens V2.0 with AirSnifferDev56BC4.dfu , and my dongle is dead:) no reactions on bt3 or XP . what can i do ? Rgs.

  38. child007> hehe, i did exactly same today;)
    no reaction on bt3 or XP, but you should be able to use sniffer.c (or at least I am able). Maybe dev57 will help? You can mail me to share progress.

  39. Please notice:

    Frontline seems to have somehow modified their PSKEYs or the Firmware layout. Therefore you can’t use new Firmware versions and flash them on your dongle. Seems to only work with older versions. As of now I can’t say for sure which version is the last one that works. Also have a look at this post.

  40. Hi m8!
    I can’t find Siemens dongle and DBT-120 is quite impossible to find! 🙁

    Have u ever tried DBT-122?! Thank u for attention! 🙂

  41. Narf – 2nd try …

    Hello everybody!

    I’ve destroyed my Fujitsu Stick with flashing AirSnifferDev59BC4.dfu. Before I checked the chipset – BC4-External.

    Any ideas to reactivate the stick? Maybe by flashing it externally? – I have a backup dfu file.

    I would appreciate your help a lot!! It was hard work to find and buy this stick.

    Thanks in advance!
    pììt
