Software-defined radio for Bluetooth packet sniffing?

I own a pair of Bluetooth headphones that I’ve been using for the past couple of years. They work mostly alright, but there are a couple of things that annoy me and that I’m potentially interested in modifying. I’d like to decompile and study the firmware on my own, but the firmware isn’t available for download anywhere except in the manufacturer’s proprietary smartphone app (yuck). I’ve asked their customer support and there is no alternative, not even USB or Bluetooth from any kind of PC. To this end, does anyone have any hardware that can inspect Bluetooth traffic between other nearby devices? A HackRF One should work but is a bit pricey for me. I have an RTL-SDR Blog V3, but its frequency range is too low. Thanks in advance for any resources or tips.

What kind of features?

Considering that you own both ends of the link, sniffing the packets would probably be way more challenging than necessary. Dealing with RF should always be the method of last resort.

Is the smartphone app Java? That can be fairly readily decompiled.

What microcontroller is the headset using? If they haven’t locked the firmware, it can be pulled off and inspected with Ghidra. Depending on how complicated your hardware is, there might even be some general-purpose open-source firmware for the same family of microcontroller that can be modified to suit your needs. That is the ultimate solution for owning your own devices.


Re: features, lots of little things. An annoying and spurious low-battery chime that I want to disable. A volume mapping which is still uncomfortably loud at zero. Touch gestures on the headset that rarely work, which I might try to calibrate. Active noise cancelling with a very small number of simplified options in the smartphone app that I want to poke around with more. Lots of weird idling and lagging when turning on and off that I also want to look at.

Thanks for the tip about packet sniffing. Admittedly it’s not something I’m super experienced with, but I’ve used Wireshark a small amount.

Re: is the app Java? I’m using it on iOS, but I can look for an Android download. Thanks for that lead.

Re: what microcontroller? I just opened up the headset and looked for spec sheets on the visible chips. It seems to be a “BlueCore CSR8670 BGA” Bluetooth audio SoC doing the work, and all I can find about the onboard microcontroller is “16-bit RISC 80MHz MCU”. Literally no other information, not even an ISA named :smiley: “It contains a single-cycle multiplier”. Probably some proprietary instruction set, so there go all my plans :smiley: :smiley: :smiley:.

Thanks for the discussion, Jarret

Do you use GNU+Linux on your primary (meaning portable or stationary, but not mobile) computer? If yes, then you can try using anbox to run the Android application for your headset on your primary computer, without having to emulate a whole computer to run Android, and also without having to use Android development tools to run the application in a simulated environment, if that is even feasible with only the build of the application provided to end users outside of the company selling the headset. I do not know of something like anbox for macOS, but apparently Windows 11 includes, or at least was planned to include, an Android runtime. I cannot try this feature of Windows 11 because none of my own computers run Windows 11: Microsoft removed from Windows 11 some features of Windows 10 that I use, such as having seconds in the digital clock on the taskbar without having to find something like TClockEx that works with a 64-bit Explorer, and also the ability to have the taskbar not on the bottom. Apparently I may still be able to have the taskbar on the top by manually editing the registry key that controls that configuration, but then presumably Microsoft no longer tests having the taskbar not on the bottom, because they removed the discoverable GUI for moving the taskbar from the bottom.

Sounds like somebody is a Windows fan. Thanks for the tip about anbox; I’ll remember that for the future. As mentioned above, the headset seems to have a proprietary and completely undocumented microcontroller architecture, so the whole idea of reverse engineering the firmware is a non-starter for me.