HowTo: Hack your DBT-120 to run in RAW mode.

Dre from TS/SCI Security wrote a post yesterday "Fun with WiFu and Bluesniffing." In his post he mentioned the lack of clarity on "how to" hack USB Bluetooth dongles due to the number of posts about problems. I posted in the comments that I have a D-Link DBT-120 Wireless Bluetooth 2.0 USB Adapter and hacked it to work in RAW mode. He asked if I could share how I did the hack on my Bluetooth dongle and provide the details. Here are the steps that I used to get my DBT-120 to run in RAW mode using the directions provided by Dr. Gr33n.

DISCLAIMER:
This post is provided for educational and testing purposes only. I am not responsible for any damaged BT adapters. I had issues trying to do this in BackTrack 3 VMware, so I used the USB version for this How-To.

REQUIREMENTS:
bt3final_usb.iso SHA1: 3aceedea0e8e70fff2e7f7a7f3039704014e980f
D-Link DBT-120 Wireless Bluetooth 2.0 USB Adapter I have a DBT-120 Rev. C1

UPDATES: I have been told that this procedure, using the 5x version of software bricks the dongle. Tom Bicer found a dongle recovery procedure on the Evil Genius blog. I have read that using the 5x software is a known problem so only follow this procedure if you have the 4x firmware.

DIRECTIONS:
Boot your BackTrack3 environment and after it's up and running connect your DBT-120. Follow the steps shown below.

CONSOLE:
bt ~ # hciconfig hci0 up
bt ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:17:9A:2B:45:2C ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING
RX bytes:217 acl:0 sco:0 events:0 errors:0
TX bytes:169 acl:0 sco:0 commands:12 errors:0
bt ~ # hciconfig hci0 down
bt ~ # dfutool -d hci0 archive dbt-120_backup.dfu
bt ~ # dir
Desktop/ airsnifferdev46bc4.dfu
dbt-120_backup.dfu
bt ~ # hciconfig hci0 up
bt ~ # bccmd psget -s 0x0000 0x02be
USB vendor identifier: 0x0a12 (2578)
bt ~ # bccmd psset -s 0x0000 0x02be 0x0a12
bt ~ # bccmd psget -s 0x0000 0x02be
USB vendor identifier: 0x0a12 (2578)
bt ~ # bccmd psget -s 0x0000 0x02bf
USB product identifier: 0x0001 (1)
bt ~ # bccmd psset -s 0x0000 0x02bf 0x0002
bt ~ # bccmd psget -s 0x0000 0x02bf
USB product identifier: 0x0002 (2)
bt ~ # hciconfig hci0 down
bt ~ # dfutool upgrade airsnifferdev46bc4.dfu
bt ~ # hciconfig hci0 up
bt ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:17:9A:2B:45:2C ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:217 acl:0 sco:0 events:0 errors:0
TX bytes:169 acl:0 sco:0 commands:12 errors:0
bt ~ #


CREDITS:

• Andre Gironda (Dre) from TS/SCI Security I would have never posted this if he didn't ask for clarification and proof that it was possible.


• Dr Gr33ns from Drgr33ns Blogs, Tutorials and Info. He posted directions and a video showing how to do this. I copied 99.999% of his work. I did this to show proof that his directions do work in my situation using my DBT-120.


• I would also like to thank all the bluetooth hackers that make this possible.