82

I recently bought a Chinese device that connects via Bluetooth with an Android phone / tablet. Since there is no application available for Windows / Linux, I want to create one for personal usage.

Usually the phone connects to the device and exchanges some data. I connected a PC to the device, looked into the serial debugger and managed to discover the protocol (one way only). The phone sends only one command to the device. But this time I'm not able to find out what it contains.

Is there any software that will allow me to look into data sent via bluetooth? I tried decompiling the app, but it looks really unfriendly.

Thanks.

Stephan Branczyk
peku33
  • 2
    It is a laser rangefinder. The data you receive from it is simply d5 f0 ... ... milimiters_as_uint32 0d – peku33 May 27 '14 at 19:59

4 Answers

86

Android 4.4 (Kit Kat) does have a new sniffing capability for Bluetooth. You should give it a try.

If you don’t own a sniffing device however, you aren’t necessarily out of luck. In many cases we can obtain positive results with a new feature introduced in Android 4.4: the ability to capture all Bluetooth HCI packets and save them to a file.

When the Analyst has finished populating the capture file by running the application being tested, he can pull the file generated by Android into the external storage of the device and analyze it (with Wireshark, for example).

Once this setting is activated, Android will save the packet capture to /sdcard/btsnoop_hci.log to be pulled by the analyst and inspected.

Type the following in case /sdcard/ is not the right path on your particular device:

adb shell echo \$EXTERNAL_STORAGE

We can then open a shell and pull the file with `adb pull /sdcard/btsnoop_hci.log`, and inspect it with Wireshark, just like a PCAP collected by sniffing WiFi traffic for example, so it is very simple and well supported:

[Image: screenshot of a Wireshark capture using Android HCI Snoop]

[source]

You can enable this by going to Settings->Developer Options, then checking the box next to "Bluetooth HCI Snoop Log."

Stephan Branczyk
  • This part: "When the Analyst has finished populating the capture file by running the application being tested, he can pull the file generated by Android into the external storage of the device and analyze it (with Wireshark, for example).". Is the Analyst a piece of software or simply referring to a person doing the analysis? Either way, how do you populate the capture file and know when this is finished? – George Profenza Jun 27 '14 at 13:58
  • @GeorgeProfenza It looks like the reference is to [this site](https://viaforensics.com/articles-presentations/bluetooth-packet-capture-android.html), in which they say to turn Bluetooth Packet Capture in the Developer Options. – Dang Khoa Jul 03 '14 at 14:55
  • @GeorgeProfenza, The analyst is a person. You populate it by importing/opening it into wireshark. Wireshark should open it immediately, but the speed will really depend on how big the log is and how long you've left the capture opened. When you first try it out, you should first try it for one minute or two. You wouldn't want to be overwhelmed with too much information. – Stephan Branczyk Jul 03 '14 at 16:06
  • @StephanBranczyk Thanks Stephan. I've fetched a log. I can see what devices are advertising themselves and this is nice, but this method doesn't allow you to sniff traffic (e.g. data being sent between two other Bluetooth devices); you can only capture packets from devices paired with your Android device – George Profenza Jul 04 '14 at 10:12
  • @GeorgeProfenza, I guess you're no longer talking about the laser range finders you purchased that pair with your android device. So that would be an entirely new problem and a new question. Wouldn't you think? – Stephan Branczyk Jul 04 '14 at 10:40
  • Stephan, I just wanted to flag that this solution is nice, but it has its limitations: it's not a magic bullet, it can't replace a sniffer (completely). Thank you (+1) for clearing up the information regarding the analyst earlier. You might've mistaken me for peku33, who added a comment regarding laser range finders :) – George Profenza Jul 04 '14 at 11:11
  • Ah ok, sorry about that. I did mistake you for Peku33. I can now see why someone who would google for this problem would find this question. The subject line Peku33 chose is ambiguous. I'll go ahead and rephrase it. – Stephan Branczyk Jul 04 '14 at 18:27
  • I enabled the "Bluetooth HCI Snoop Log." but there is no log file. I turned Bluetooth off and on again, rebooted my phone and tried `adb pull /sdcard/btsnoop_hci.log` and also `adb shell` then `ls /sdcard`; it is not getting generated. What is wrong? – Jack Shultz Feb 11 '15 at 02:13
  • 10
    @JackShultz If you don't see btsnoop_hci.log created, open /etc/bluetooth/bt_stack.conf in a text editor, it contains the path to the file on your device. For me it was stored in /sdcard/Android/data/btsnoop_hci.log. – Mr. Bungle Mar 09 '15 at 13:14
  • 1
    I get an error: **adb: error: remote object '/sdcard/btsnoop_hci.log' does not exist** – IgorGanapolsky Apr 14 '17 at 14:35
  • 1
    @IgorGanapolsky adb shell echo \$EXTERNAL_STORAGE – Stephan Branczyk Apr 25 '17 at 15:41
  • @IgorGanapolsky, this will tell you what you should replace /sdcard/ with. – Stephan Branczyk Apr 25 '17 at 15:42
  • 3
    @StephanBranczyk That way of pulling **hci.log** may be obsolete on the newer devices (especially Nexus and Pixel). One now has to enable bug report shortcut from developer settings to obtain this log manually. – IgorGanapolsky Apr 25 '17 at 15:43
  • 1
    Did you have any luck retrieving logs in a Pixel device using the Bug Report feature? I can't seem to `adb pull` the `.log` file or receive it via email. Also, switching the dev option on and off, doesn't have any effect on `bt_stack.conf` contents. Has this feature been disabled in latest Android versions? – Nicolás Fantone Jun 06 '17 at 15:49
  • 1
    I wasn't able to get any of these methods to work with the Google Pixel. Main problem seems to be that the logging will never actually turn on: https://stackoverflow.com/a/30352487/35690 – Senseful Jul 04 '17 at 18:39
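
An added example (not part of the answer above and not Android's own code): a minimal reader for the btsnoop file format used by btsnoop_hci.log that lists the L2CAP payloads the phone sent, as a scripted alternative to filtering in Wireshark. The function names and the sample capture are constructed for illustration; it assumes H4 framing (datalink 1002) and does not reassemble fragmented ACL packets.

```python
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
H4_TYPES = {1: "CMD", 2: "ACL", 3: "SCO", 4: "EVT"}  # first byte of each H4 packet

def parse_btsnoop(blob):
    """Yield (direction, h4_type, packet_bytes) for each record in the capture."""
    if len(blob) < 16 or blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1 or datalink != 1002:  # 1002 = HCI UART (H4) framing
        raise ValueError(f"unsupported version/datalink {version}/{datalink}")
    pos = 16
    while pos + 24 <= len(blob):
        # Record header: original len, included len, flags, drops, timestamp
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[pos:pos + 24])
        data = blob[pos + 24:pos + 24 + incl]
        pos += 24 + incl
        if len(data) < incl:
            break  # capture was cut off mid-record
        if data:
            # flags bit 0: 0 = sent by the host (phone), 1 = received
            yield ("recv" if flags & 1 else "sent"), H4_TYPES.get(data[0], "UNK"), data[1:]

def sent_l2cap_payloads(blob):
    """Return (handle, cid, payload) for each L2CAP frame the phone sent."""
    out = []
    for direction, kind, pkt in parse_btsnoop(blob):
        if direction != "sent" or kind != "ACL" or len(pkt) < 8:
            continue
        handle_flags, _acl_len, l2_len, cid = struct.unpack("<HHHH", pkt[:8])
        if (handle_flags >> 12) & 0x3 == 1:
            continue  # continuation fragment: no L2CAP header, reassembly not done here
        out.append((handle_flags & 0x0FFF, cid, pkt[8:8 + l2_len]))
    return out

def _record(flags, data):
    return struct.pack(">IIIIq", len(data), len(data), flags, 0, 0) + data

# Constructed sample capture (not from a real device): one HCI event received,
# then one ACL packet sent on handle 0x0001, L2CAP CID 0x0040, payload aa bb cc.
SAMPLE = (BTSNOOP_MAGIC + struct.pack(">II", 1, 1002)
          + _record(3, bytes.fromhex("040e0401030c00"))
          + _record(0, bytes.fromhex("02" "0120" "0700" "0300" "4000" "aabbcc")))

if __name__ == "__main__":
    for handle, cid, payload in sent_l2cap_payloads(SAMPLE):
        print(f"handle=0x{handle:04x} cid=0x{cid:04x} payload={payload.hex(' ')}")
```

The payload returned here still carries whatever higher-layer framing the link uses (RFCOMM, for example), which Wireshark dissects for you.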
8

Also, this might help finding the actual location the btsnoop_hci.log is being saved:

adb shell "cat /etc/bluetooth/bt_stack.conf | grep FileName"
maximevince
  • When I try to pull this file, I get an error: **adb: error: remote object '/data/misc/bluetooth/logs/btsnoop_hci.log' does not exist** – IgorGanapolsky Apr 14 '17 at 14:39
  • This configuration file can also be found in a few other places such as `/system/etc/` and `/vendor/etc/` – DearVolt Jul 11 '17 at 20:26
2

On a Xiaomi phone with Android 11, after enabling "Bluetooth HCI Snoop log" in developer settings the file seems to be written to

/data/misc/bluetooth/logs/btsnoop_hci.log (only accessible with root)

/sdcard/MIUI/debug_log/common/com.android.bluetooth/btsnoop_hci.log

In addition, it's possible to get the log by running `adb bugreport zipname` from the computer, as written here.

Note that the logging only turned on after a reboot for me.

phiresky
0

On a Xiaomi Redmi Note 9s, this configuration file can also be found in /storage/emulated/0/MIUI/debug_log/common, named as hci_snoop20210210214303.cfa and hci_snoop20210211095126.cfa.

This is with 'Settings->Developer Options, then checking the box next to "Bluetooth HCI Snoop Log."' enabled.

I used Total Commander to take the file from internal storage.

ramkin