How to listen quietly for other Bluetooth devices?

maksim yevmenkin maksim.yevmenkin at gmail.com
Sun Jul 9 16:54:32 UTC 2017


>> I'm not aware (nor have I ever seen) of an off-the-shelf Bluetooth dongle that is capable of going into "promiscuous" mode.
> Thank you, Max, for sharing your expertise... So, you are saying, the decision on whether to notify the host of a particular bit of traffic the dongle "hears" is controlled by the hard-coded logic on the dongle itself -- and cannot be reprogrammed by the host?
> 
The host normally does not get to see past HCI (host controller interface). HCI defines a set of commands, responses and events that can be sent and received. This set varies slightly from one Bluetooth specification version to another; however, the bulk of the commands is mostly the same.

The way the host accesses HCI is via a transport: serial, USB, etc. The HCI transport specifies how HCI datagrams are transferred over a particular low-level transport interface. For example, with USB, HCI events are transferred over the USB interrupt endpoint, ACL data is transferred as USB bulk transfers and SCO data as isochronous transfers.

So, basically, the host gets to access a particular HCI transport (USB in your case) and gets to see the HCI datagrams that are received over the transport. The host does not get direct access to the baseband (radio). All access is indirect via HCI commands.

Of course, HCI has a provision for so-called "vendor" commands. Those are specific to each vendor and generally not documented. It is possible that some vendor may have implemented commands that allow low-level access to the baseband; however, I have never seen anything like that.
> Sad... Maybe, I will have to "broadcast" something in order to register responses.
> 
One possible way to do something like this is to instruct the local Bluetooth device to perform a "periodic inquiry". This way the local device will periodically perform an inquiry scan and save the results into the "neighbor cache". Dumping the "neighbor cache" periodically will give an approximate list of "discoverable devices" in RF proximity.

Of course, timing is not going to be perfect (you can't tell exactly when a remote device was seen), but it's something. Also, a remote device may choose to not answer an inquiry scan (not discoverable). In this case there is still an option to "page" the remote device (try to open a baseband connection) using the remote device's bd_addr.

Thanks!
Max
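One way to put the inquiry-plus-neighbor-cache approach into practice, as an added example that is not from the original post or the FreeBSD project: a small sh script for a FreeBSD host that repeatedly runs an inquiry through hccontrol(8), dumps the node's neighbor cache, and logs when a BD_ADDR appears or vanishes between polls. It assumes the netgraph node is named ubt0hci, uses repeated Inquiry commands rather than the controller's periodic inquiry mode, and the log path, poll interval and sample output are made-up values.

```shell
#!/bin/sh
# Added example (not from the original post): poll the local FreeBSD
# Bluetooth node and keep a timestamped presence log of BD_ADDRs seen.
# Assumptions: node name ubt0hci, hccontrol(8) prints one BD_ADDR per
# device line; NODE, POLL_SECS and LOG are made-up, overridable defaults.

NODE="${NODE:-ubt0hci}"
POLL_SECS="${POLL_SECS:-30}"
LOG="${LOG:-/var/log/bt-presence.log}"

# Pull BD_ADDRs (xx:xx:xx:xx:xx:xx) out of hccontrol output on stdin:
# one per line, uppercased, deduplicated and sorted (comm needs sorted input).
extract_bdaddrs() {
    grep -Eo '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}' | tr 'a-f' 'A-F' | sort -u
}

# Compare previous and current address lists (files) and print one
# "<ts> appeared <addr>" / "<ts> vanished <addr>" event per change.
diff_presence() {
    prev="$1"; cur="$2"; ts="$3"
    comm -13 "$prev" "$cur" | sed "s/^/$ts appeared /"
    comm -23 "$prev" "$cur" | sed "s/^/$ts vanished /"
}

# One poll: run an inquiry (which fills the neighbor cache), then dump
# the cache. Needs root and a live ubt node, so it is not exercised offline.
poll_once() {
    hccontrol -n "$NODE" Inquiry >/dev/null 2>&1
    hccontrol -n "$NODE" Read_Node_Neighbor_Cache | extract_bdaddrs
}

main_loop() {
    prev=$(mktemp); cur=$(mktemp)
    trap 'rm -f "$prev" "$cur"' EXIT
    while :; do
        poll_once > "$cur"
        diff_presence "$prev" "$cur" "$(date '+%Y-%m-%dT%H:%M:%S')" >> "$LOG"
        mv "$cur" "$prev"; cur=$(mktemp)
        sleep "$POLL_SECS"
    done
}

# Start polling only when invoked as: sh bt-presence.sh run
[ "${1:-}" = "run" ] && main_loop
```

Devices that are not discoverable never show up this way; the log only approximates presence, with a resolution of POLL_SECS.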


