Ubertooth One Kali Linux Latest Tools / Firmware Setup Guide

The world is full of devices communicating with Bluetooth even if (or maybe especially if) you don’t realize it. Most “smart” devices are advertising some Bluetooth services (some of them even publicly writable without a password!). Even my treadmill is advertising writeable Bluetooth endpoints!

The Ubertooth One is a Bluetooth and Bluetooth Low Energy (BTLE) capture device intended for developers and security researchers/auditors. It has an external antenna and can communicate over much greater distances than most BTLE devices, both by transmitting more powerfully and by having a more sensitive antenna to listen for the response. To find out what is nearby and happening over the air, this is the device you want to have.

In this guide I’ll show you how to get the latest Ubertooth tools on Kali Linux as well as update the firmware for the Ubertooth device and actually use the device!

Note that Kali is not required as I also ran these same instructions using Ubuntu 22.04 and did nothing differently. If it’s an apt-based distribution you should be fine.

Hardware Used

Great Scott Gadgets Ubertooth One Bluetooth Adapter / Capture Device

The Ubertooth One also has additional features and capabilities (upgradeable through firmware) that a normal Bluetooth adapter does not offer.


Ubertooth One Aluminum Enclosure & EMI Shield, Black

The Nooelec Ubertooth One enclosure gives a sturdy aluminum shield but more importantly an EMI shield to reduce interference.


Updating Ubertooth Tools

Kali Linux comes with a set of tools for Ubertooth but even the ones in the repository are outdated. The latest release at time of writing is 2020-12-R1. We can build the latest tools ourselves and this is the recommended way to keep the firmware version matched up with the tools version you have installed (the official recommendation from the developers).

Let’s start by installing some prerequisites:

sudo apt update && sudo apt install cmake libusb-1.0-0-dev git make gcc g++ libbluetooth-dev wget build-essential pkg-config python3-numpy python3-qtpy python3-distutils python3-setuptools wireshark wireshark-dev libwireshark-dev python3-protobuf python3-requests python3-numpy python3-serial python3-usb python3-dev python3-websockets librtlsdr0 libsqlite3-dev libprotobuf-dev libprotobuf-c-dev protobuf-compiler protobuf-c-compiler libsensors4-dev libwebsockets-dev libnl-3-dev libnl-genl-3-dev -y

Add root and your user account to the plugdev group (if not logged in as root):

sudo adduser root plugdev
sudo adduser $LOGNAME plugdev

Before building the utilities we need to install the libbtbb packet capture library:

wget https://github.com/greatscottgadgets/libbtbb/archive/2020-12-R1.tar.gz -O libbtbb-2020-12-R1.tar.gz
tar -xf libbtbb-2020-12-R1.tar.gz
cd libbtbb-2020-12-R1
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
cd ../..

To download and install the Ubertooth tools:

wget https://github.com/greatscottgadgets/ubertooth/releases/download/2020-12-R1/ubertooth-2020-12-R1.tar.xz
tar -xf ubertooth-2020-12-R1.tar.xz
cd ubertooth-2020-12-R1/host
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
cd ../../..

To update the Wireshark plugins:

cd libbtbb-2020-12-R1/wireshark/plugins/btbredr
mkdir build
cd build
cmake -DCMAKE_INSTALL_LIBDIR=/usr/lib/x86_64-linux-gnu/wireshark/libwireshark3/plugins ..
make
sudo make install
cd ../../../../..

cd libbtbb-2020-12-R1/wireshark/plugins/btbb
mkdir build
cd build
cmake -DCMAKE_INSTALL_LIBDIR=/usr/lib/x86_64-linux-gnu/wireshark/libwireshark3/plugins ..
make
sudo make install
cd ../../../../..

That’s it for the tools and plugins. Let’s move on to the firmware!

Update Ubertooth Firmware

You’ll definitely want to update your Ubertooth’s firmware. My Ubertooth came with firmware from 2015 (in 2021!). It’s also highly recommended that the version of firmware on your Ubertooth matches the version of the tools you are using.

To update the Ubertooth’s onboard firmware:

cd ubertooth-2020-12-R1/ubertooth-one-firmware-bin
sudo ubertooth-dfu -d bluetooth_rxtx.dfu -r
cd ../..

When I ran this the first time I initially got an error like this:

┌──(root@IntelNUC)-[~/ubertooth-2020-12-R1/ubertooth-one-firmware-bin]
└─# ubertooth-dfu -d bluetooth_rxtx.dfu -r
libUSB Error: Input/Output Error:  (-1)
Switching to DFU mode…
Checking firmware signature
………………………………….
………………………………….
………………………………….
……..
Detached

Despite this error my update was successful. You can verify this by checking your firmware version like this:

ubertooth-util -v
Firmware version: 2020-12-R1 (API:1.07)
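
Since ubertooth-dfu can print a libUSB error even when the flash succeeds, the version reported by the device is the thing to check. The script below is an added example (not from the original post or the Ubertooth project) that parses the `ubertooth-util -v` line shown above and compares it with the release of the host tools; the function names and the old-release sample are this example's own assumptions.

```shell
#!/bin/sh
# Added example: decide whether the flash worked from the version the device
# reports, not from ubertooth-dfu's messages or exit status.

EXPECTED_RELEASE="2020-12-R1"   # release of the host tools built above

# Constructed samples built from lines shown in this guide; the old release
# string is a placeholder, not a real version number.
SAMPLE_OK='libUSB Error: Input/Output Error:  (-1)
Firmware version: 2020-12-R1 (API:1.07)'
SAMPLE_OLD='Firmware version: 2015-XX-RX (API:0.00)'

# Print the release tag from a "Firmware version: <tag> (API:x.yy)" line.
fw_release() {
    printf '%s\n' "$1" | sed -n 's/^Firmware version: \([^ ]*\).*$/\1/p' | head -n 1
}

# Print the USB API level from the same line.
fw_api() {
    printf '%s\n' "$1" | sed -n 's/^Firmware version: .*(API:\([0-9.]*\)).*$/\1/p' | head -n 1
}

# check_firmware <output of ubertooth-util -v> <expected release>
# Returns 0 on match, 1 on mismatch, 2 if no version line was found.
check_firmware() {
    got=$(fw_release "$1")
    if [ -z "$got" ]; then
        echo "no firmware version reported (unplugged, or still in DFU mode?)" >&2
        return 2
    fi
    if [ "$got" != "$2" ]; then
        echo "firmware $got does not match host tools $2: reflash" >&2
        return 1
    fi
    echo "firmware $got (API $(fw_api "$1")) matches host tools $2"
}

# Query the attached device when the tools are installed; otherwise run the
# check on the constructed sample so the script still works offline.
if command -v ubertooth-util >/dev/null 2>&1; then
    check_firmware "$(ubertooth-util -v 2>&1)" "$EXPECTED_RELEASE"
else
    check_firmware "$SAMPLE_OK" "$EXPECTED_RELEASE"
fi
```

A non-zero exit status makes the script usable as a gate before starting a capture session.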

Testing using ubertooth-specan-ui

At this point we can run some tests and talk to the Ubertooth and make sure everything is working. Let’s pull up a visual representation of the spectrum to make sure our adapter is detecting Bluetooth activity:

ubertooth-specan-ui

It should load a new window that looks like this:

Ubertooth Spectrum Analyzer

If everything is going well you should see a ton of activity like the above screenshot! Don’t worry too much about the specifics yet if that seems overwhelming. We just want to make sure you are seeing activity and that there’s not zero activity (indicating something isn’t working correctly).

Updating Kismet

Kismet has some pretty awesome tie-ins with the Ubertooth and is definitely worth getting up to date. Here is a basic capture using the Ubertooth as a data source (Ubertooth placed in a window on an Intel NUC):

Kismet Ubertooth One BTLE Capture

After about 30 minutes of capture the Ubertooth had seen over 234 devices! That’s unbelievable and was actually more than I was expecting to find despite undertaking this project with the suspicion that there were a lot of them out there. I’ll definitely have more to say about all of this in future articles. The last I_TL BTLE device is actually my treadmill!

The easiest way to update your Kismet is to build from source just like we did all of the Ubertooth tools and Wireshark plugins. This one will take a lot longer to compile than the other ones we have done previously since Kismet is a very large and complex application. Let’s do it:

git clone --recursive https://github.com/kismetwireless/kismet.git --depth=1
cd kismet
./configure
make -j$(nproc)
sudo make install
sudo ldconfig
sudo adduser $LOGNAME kismet
sudo adduser root kismet
sudo make plugins-install

That’s it. Now run Kismet and point your web browser to http://127.0.0.1:2501.

If this is your first time running Kismet here is a quick command to get the default Kismet generated login/password:

cat ~/.kismet/kismet_httpd.conf

This should reveal the login credentials to get into Kismet. If you click the gear in the top left and select “Data Sources”, you should see the Ubertooth and your other devices, such as your WiFi card, in there. When you click a data source you should be able to enable it, and it will start populating the Bluetooth activity happening near you!

You may find references to an Ubertooth Kismet plugin but it is no longer used. The newer versions of Kismet support BTLE capture natively and the plugin no longer builds so don’t waste any time on it!

CLI Tools

ubertooth-util

This is the main utility to control the Ubertooth:

ubertooth-util - command line utility for Ubertooth Zero and Ubertooth One
 Common options:
         -v get firmware revision number
         -V get compile info
         -I identify ubertooth device by flashing all LEDs
         -d[0-1] get/set all LEDs
         -l[0-1] get/set USR LED
         -S stop current operation
         -r full reset
         -U<0-7> set ubertooth device to use
         -N print total number of Uberteeth and exit
 Radio options:
         -a[0-7] get/set power amplifier level
         -c[2400-2483] get/set channel in MHz
         -C[0-78] get/set channel
         -q[1-225 (RSSI threshold)] start LED spectrum analyzer
         -t intitiate continuous transmit test
         -z set squelch level
 Range test:
         -e start repeater mode
         -m display range test result
         -n initiate range test
 Miscellaneous:
         -f activate flash programming (DFU) mode
         -i activate In-System Programming (ISP) mode
         -b get hardware board id number
         -p get microcontroller Part ID
         -s get microcontroller serial number
         -x xmas lights

The most useful option is -r (reset the Ubertooth), but there are several other options for controlling the Ubertooth’s behavior that you may find useful!

ubertooth-scan

The ubertooth-scan utility scans for traditional Bluetooth devices. You can also pair it with a normal Bluetooth adapter to do an advanced scan that finds hidden devices:

ubertooth-scan - active(Bluez) device scan and inquiry supported by Ubertooth
This tool uses a normal Bluetooth dongle to perform Inquiry Scans and Extended Inquiry scans of Bluetooth devices. It uses Ubertooth to discover undiscoverable devices and can use BlueZ to scan for discoverable devices.
 Usage:
         ubertooth-scan
             Use Ubertooth to discover devices and perform Inquiry Scan.
         ubertooth-scan -s -x
             Use BlueZ and Ubertooth to discover devices and perform Inquiry Scan
             and Extended Inquiry Scan.
 Options:
         -s hci Scan - use BlueZ to scan for discoverable devices
         -x eXtended scan - retrieve additional information about target devices
         -t scan Time (seconds) - length of time to sniff packets. [Default: 20s]
         -e max_ac_errors (default: 2, range: 0-4)
         -b Bluetooth device (hci0)
         -U<0-7> set Ubertooth device to use

The ‘ubertooth-scan -s -x’ combo is fantastic as it performs an extended inquiry scan to discover services on the Bluetooth device. This helps us figure out what they are and what capabilities they have.

ubertooth-btle

This is the main “fun” utility for BTLE devices. It has 3 different modes (follow -f, promiscuous -p, and no follow -n). Follow mode means it will attempt to keep up with Bluetooth connections and capture data packets. Here’s the full overview:

ubertooth-btle - passive Bluetooth Low Energy monitoring
Usage:
        -h this help

    Major modes:
        -f follow connections
        -n don't follow, only print advertisements
        -p promiscuous: sniff active connections

        -a[address] get/set access address (example: -a8e89bed6)
        -s<address> faux slave mode, using MAC addr (example: -s22:44:66:88:aa:cc)
        -t<address> set connection following target (example: -t22:44:66:88:aa:cc/48)
        -tnone unset connection following target

    Interference (use with -f or -p):
        -i interfere with one connection and return to idle
        -I interfere continuously

    Data source:
        -U<0-7> set ubertooth device to use

    Misc:
        -r<filename> capture packets to PCAPNG file
        -q<filename> capture packets to PCAP file (DLT_BLUETOOTH_LE_LL_WITH_PHDR)
        -c<filename> capture packets to PCAP file (DLT_PPI + DLT_BLUETOOTH_LE_LL)
        -A<index> advertising channel index (default 37)
        -v[01] verify CRC mode, get status or enable/disable
        -x<n> allow n access address offenses (default 32)

The interference mode helps create the conditions necessary for data capture!

Conclusion

I wanted to write this because all the above information involved going to about 20 different web sites to piece together. I really would have liked to just set it all up at once like this so I figured I’d share it as well as record it for myself in the future as well!

The Ubertooth device is definitely delivering at helping me figure out what is going on over the airwaves in my own home. With hundreds of different devices sharing the airspace detectable in my home I now can investigate which ones are actually mine and secure them. Some of the devices like my treadmill have publicly writeable configuration attributes as an example. The Ubertooth lets you hunt these down and figure out what they’re doing and if anyone might be able to exploit them!

Wireless traffic of all kinds continues to get harder to detect as technology improves and time goes on. The scary part is if nefarious actors are utilizing these highly stealthy networks. Instances of IoT hacking continue to rise as these devices become more ubiquitous. This tool will help you investigate them and take control of your network airspace!

Other Resources

For the HackRF (also by Great Scott Gadgets) check out my Linux HackRF Guide, or if you want to see it in action there is also my Use HackRF SDR to Lock / Unlock Car guide on replay attacks using the HackRF.

You can also upgrade a HackRF to be completely portable: Upgrading HackRF One to PortaPack H2

My guide on how to build a Pwnagotchi to audit WiFi networks near you is also worth checking out!


12 Comments

You Are Awesome
7 months ago

You helped me so, so much. I was on the “20 different web sites” until I found this blog. Thank you so much!!!

Mark B.
11 months ago

Thank you for the tutorial read. I was Wi-Fi hacked, been about a month now, first I thought these were hackers from far away, after some back and forth engaging, became 3 of them on my network against me just blocking the most and moving some important files, did recuperate all my email accounts except for my webhost at hostinger, they just been being dicks a few of them, hopefully my last email will fix that.

Did run a bt sniffer on the phone during a power outage and also noticed two Wi-Fi places with good signal and using another sniffer gave me the name of the bt type device not the average consumer would use. I could be wrong and it’s someone far away but they destroyed my one plus 7 pro, screen day DIE I am going to give it a try, two techs couldn’t but I already got the iPhone 11 Pro which they locked up as well up and running today. Plus all the bs can’t use my computers, even at my clinic. dentist in TJ, MX. I want to track these turds and take care of business.

They weren’t able to take any cash and I recuperated and locked with a USB key I ordered for my email accounts, except my access to my hosting was lost when they first jacked my Gmail account and stole my windows Authenticator app off my phone and everything else. Luckily I recuperated the Gmail account and locked it tight and had Gmail delete it while keeping my google business site set to a non gmail. Well that was when I had access to my site… so now accessing my google business site will take a bit since it’s on my old phone number and an email from my domain ROFL, both I have no access!

I need to get a new USA SIM of my number, already got two new numbers and another 2 local SIM cards since it’s still active but they disabled or I might just port it out magicjack or a phone app. Had to buy the iphone13, holding strong so far. Installing some new hardware tech for the house and office this week to keep it extra secure…

Had a CNS background before dentistry but forgot all that stuff but I think I will be fine with Kali and those parts and parts…. Have a bt/Wi-Fi jammer on the way for my computer area just to be a bit safer.

And just read about Kali yesterday so that’s my next project to do ASAP. Payback is going to be good….. won’t be hacking another pc with their hands at least from the accident that will happen.

Thanks, saw some small Kali setups with the phone on eBay but I might buy a Linux specific refurbished laptop or pop it into my newest gaming laptop.

Who the hell did I piss off, has to be dental related, some competition… sheesh or someone in Asia from some of the names that first popped up on my Wi-Fi system in the beginning..,, Either way I will learn Kali, should be fun…

T. Young
1 year ago

Hi James,

I hope you are well and I hope even more that you can help me. I am running the latest version of Kali Linux inside VirtualBox on a Windows 10 machine. I compiled/installed Kismet from source and installed all of the Ubertooth One software following the Build Guide instructions on github and updated the firmware on my Ubertooth One (1.07). The Ubertooth works using the utility, scan and btle commands. However, when I try to use the Ubertooth with Kismet (kismet -c ubertooth), I hear the sound of a USB device disconnecting and the red LED on the ubertooth turns off. There is no data being passed and an error message in Kismet. Running lsusb, I can still see the ubertooth but I can’t execute any commands. PLEASE HELP!!! I am a complete novice at this and I am at my wits end. Thanks for any assistance you can provide.

T. Young
1 year ago

Thanks for getting back to me James. I’m running Kali as a VirtualBox machine on a Windows 10 host computer. Here is an overview

Kismet vers: 2021-00-GIT
ubertooth firmware: 2020-12-R1 (API 1.07)
ubertooth vers: 2020-12-R1

I ran ‘groups’ and I am in the kismet group

I have screen shots but I’m not sure how to include them in my post.

T. Young
1 year ago

Hi James,
Unfortunately, none of the above seem to help. I already had the ubertooth in my USB filter list. I am getting the following message from kismet:

usb_claim_interface error -6
control message unsupported

I’m still hearing the USB disconnect sound and the red LED on the ubertooth goes out. I’ll try posting in the VirtualBox forums as well. Again, thanks for all your help

T. Young
1 year ago

Thank you Sir!
I hate to say it, but I’m glad this wasn’t some isolated problem that I was having. You have been a tremendous help.