T-BEAR version 1.5
22Jul05


  T-BEAR: Transient Bluetooth Environment AuditoR

    Joshua Davis (jdavis[aht]transient-iss.com)
    Transient Infrastructure Security Solutions
    http://www.transient-iss.com


  0 - Disclaimer!

      You have perhaps decided to use this software to aid in an illegal
      activity.  I urge you to reconsider.  I hereby exacerbate myself
      from all blame for all unwholesome activities everywhere, and
      especially those having to do with this software.


  1 - Who?

      T-BEAR is maintained by Transient Infrastructure Security Solutions.
      The most recent version can be found at http://www.transient-iss.com.
      If you're interested in contributing, email me!


  2 - What?

      T-BEAR is a developing suite of applications designed to improve slash
      "audit" the security of Bluetooth environments.  By environment, we
      mean anything from a home PAN, to your PDA or cell phone.  The suite
      currently consists of the following utilities, all of which are either
      included in this package, or are under development (* indicates a
      tool included in this version):

      * tbear:       A graphical BT device locator.  'tbear -h' for options.

                     If you find that you're missing devices during a scan,
                     try adjusting the SLEEPTIME and BT_TIMEOUT values
                     in tbear.h.  I suggest leaving the defines at default
                     unless you have obvious problems.

        tbsniff:     A bluetooth 'sniffer' for use with gnuradio and the
                     USRP.  Captures BT data to a file.  You can then sort
                     through the data however you want; I provide btkbsniff,
                     btvsniff, and chansniff to help out.

        tbscansniff: Print page scan and inquiry scan data from output of
                     btsniff.

        tbkbsniff:   Reads data from a btsniff capture file and recreates
                     key sequences as seen from bluetooth enabled
                     keyboards.  For encrypted traffic, decode options
                     are available.

        tbvsniff:    Designed to monitor voice data from BT headsets.
                     Decode options are available.

        tbcrackpin:  Attempts to crack a PIN associated with encrypted BT data.

      * tbsearch:    A BT hidden device locator.  Kind of like Redfang.
                     Redfang 2.5 implements the features I've put into
                     tbsearch, and then some.  Redfang 2.5 is without a
                     doubt better quality than tbsearch.  The direction
                     I'd like tbsearch to take is towards faster, more
                     efficient device location methods, since current
                     implementations (including Redfang) by their nature
                     can take *forever* to find a device.

                     To use tbsearch, you'll need thread support built
                     into your system (recent glibc w/ threads).

                     To use, simply run tbsearch with a list of hci devs you
                     wish to use on the command line.  For instance:
                     './tbsearch hci0 hci1 hci3'.

                     To enhance performance with your particular hardware,
                     you may want to adjust the timeout value in
                     tbsearch.c.

                     Thanks to redfang 2.5 and BluePrint for adding to my
                     BT OUI database.  Also, I add to the btoui in the
                     wild, meaning that an entry's name may be misleading.
                     (I.e., I put 'Samsung' instead of the chipset maker.)
                     Help me out by sending in corrections and additions.

      * tanya:       L2CAP BT DoS.  You may need to play with the defines
                     in the source.  It disables the BT stack on my
                     HP ipaq until the ipaq is reset... I'm not sure how
                     it affects other devices.  Experiment!  Tune
                     some defines and try things out.

                     Tanya works by simply throwing out fairly large
                     l2cap packets at a device as fast as it can...
                     no new technique here.  If you can crash a device
                     with l2ping flooding, but not with tanya, try
                     playing with packet length (-s command line option).


      Note that to use the GNURadio / USRP tools, you need to have
      GNURadio and the USRP hardware installed.  The USRP will cost
      you hundreds of dollars... is it worth it?  Probably not.


  3 - When?

	If a program described above isn't in the package, rest assured that
	it's under development.  If programming something turns out to be
	a relative impossibility for some reason or another, the prog will
	be removed from the list in the next release.

	Releases will be issued when significant code advancement has taken
	place.


  4 - Where?

	http://www.transient-iss.com


  5 - Why?

	For kicks.


  6 - How?

	See the 'INSTALL' file, after you read the 'COPYING' file.


  7 - How much?

	Read the 'COPYING' file.


  8 - New in this version:

	- tbsearch works correctly with multiple devices
	- rid myself of the l2inject hassle
	- probably updated other stuff

