- Ti Cc2540 Usb Cdc
- Cc2540 Usb Dongle
- Cc2540 Driver Arduino
- Usb Cc2540 Hid
- Cc2540 Driver Windows 7 Installer
- Cc2540 Driver Windows 7 64-bit
| Project CC2540 | |
|---|---|
| Reverse engineering the CC2540 BLE sniffer dongle | |
| Status | Stalled |
| Contact | bertrik |
| Last Update | 2018-05-13 |
- 3Analysis
- 4Protocol
- 4.2Reading BLE frames
Status
Business in a box exe. At this point (2017-05-09), the status is:
- it is pretty clear which commands the default sniffer firmware understands
- I wrote a little test program to dump raw BLE frames
- there is no plugin for WireShark yet
Realtek HD Audio Driver 2.68 for Windows 2000/2003 2012-04-01 Realtek HD Audio Driver 2.67 for 2000/2003 2011-12-16 Realtek HD Audio Driver 2.66 for 2000/XP/Server 2003 2011-10-22. Note: When you update the software package, it might not update the wireless adapter driver if it includes the same driver as the previous release. Not sure what to download? Confirm that you have Windows 7. operating system before installing. Check if your operating system is 32-bit or 64-bit.
Introduction
This page is about the CC2540 bluetooth low-energy sniffer dongle and getting it to work with Linux.A nice end result could be that it becomes possible to sniff directly in WireShark with this dongle.
I have such a 'WeBee' dongle that can be found for about E15,- on websites like Aliexpress.
It's supposedly a CC2540 (or compatible) dongle, the USB id is 0451:16b3.
Ti Cc2540 Usb Cdc
Interesting links:
Analysis
USB descriptor
When plugging this stick into a Linux machine, you can see it uses only one bulk endpoint.
Reading the identification from the stick with the 0xC0 command, results in the following 8-byte response
You can recognise the 2540 type number in there.
USB logs from Windows
Cc2540 Usb Dongle
This USB device does actually work with Windows:
I've captured a log of the communication over USB while the BLE is capturing bluetooth traffic from some iBeacon, using USB pcap.
In the logs, I cannot see any firmware blobs being downloaded to the stick.Probably the stick comes with a pre-loaded firmware of itself to do the BLE sniffing.
The USB control transfer request codes seem to match up with the code in https://github.com/christianpanton/ccsniffer/blob/master/ccsniffer.py
- 0xC0, GET_IDENT: returns some kind of identifier
- 0xC5, SET_POWER
- 0xC6, GET_POWER
- 0xC9, no idea, this appears in my USB logs but I can't find it in the python code
- 0xD0, START
- 0xD1, STOP
- 0xD2, SET CHAN
Protocol
In the windows sniffer software, it seems there are only two things communicated:
- towards the stick: which radio channel to sniff, and some other radio settings
- from the stick: raw sniffed BLE frames
Configuring the radio
This appears to be done using USB control transfers.
The following requests are sent:
| Request type | Request | Value | Index | Data | Description |
|---|---|---|---|---|---|
| 0x40 | 0xC5 | 0 | 4 | - | Set power |
| 0xC0 | 0xC6 | 0 | 0 | 0x00 | Get power |
| 0xC0 | 0xC6 | 0 | 0 | 0x04 | Get power |
| 0x40 | 0xC9 | 0 | 0 | - | ??? |
| 0x40 | 0xD2 | 0 | 0 | 0x27 | Set channel |
| 0x40 | 0xD2 | 0 | 1 | 0x00 | Set channel |
| 0x40 | 0xD0 | 0 | 0 | - | Start capture |
Request type 0x40 is a vendor-specific device request from host-to-device.Request type 0xC0 is a vendor-specific device request from device-to-host.
Reading BLE frames
This appears to be done using USB bulk input transfers.
I can see a lot of similarities between the USB log and the BLE sniffer log.
Each frame starts with a byte indicating the type of frame, following by two bytes indicating the length of the rest of the frame (encoded as little endian).
data frames
The bulk USB data starts off with two bytes indicating the length of the rest of the data.
Cc2540 Driver Arduino
In the example image on the right:
- 00: 0 means this is a data frame
- 31 00: length of rest of frame encoded in little endian = 49 bytes decimal
- 39 04 29 54: part of the time stamp
- 2c d6 be .: data frame contents
unknown frames (tick or 'alive'?)
The stick also returns 4-byte frames, alternating between
and
Interpretation:
- 01: 1 means this is a frame of type 1
- 01 00: length of the rest of the frame encoded in little endian = 1 byte
- 40 or C0: unknown data byte
Software
Usb Cc2540 Hid
Preliminary code can be found athttps://github.com/bertrik/cc2540
It connects to the dongle and dumps raw USB packets to stdout.
This software requires libusb-1.0-dev
Cc2540 Driver Windows 7 Installer
Cc2540 Driver Windows 7 64-bit
| Description | Type | OS | Version | Date |
|---|---|---|---|---|
| Chipset INF Utility Primarily for Intel® Chipset Products, this utility version 10.1.18383.8213 installs the Windows* INF files. See detailed description to find out if you need this file. | Driver | Windows 10, 32-bit* Windows 10, 64-bit* Windows Server 2019* 2 more | 10.1.18383.8213 Latest | 5/7/2020 |
| Intel® Management Engine Driver for Windows 8.1* and Windows® 10 Provides Intel® Management Engine Driver for Windows 8.1* and Windows® 10 Supporting 6th,7th and 8th Generation Intel® Core™ Processor Family (Sky Lake,Kaby Lake and Kaby Lake R). | Driver | Windows 10, 32-bit* Windows 10, 64-bit* Windows 8.1, 32-bit* Windows 8.1, 64-bit* | 1909.12.0.1236 Latest | 3/26/2019 |
| Intel® Management Engine Driver for Windows 7* Provides Intel® Management Engine Driver for Windows 7* for 6th,7th and 8th Generation Intel® Core™ Processor Family (Sky Lake,Kaby Lake and Kaby Lake R). | Driver | Windows 7, 32-bit* Windows 7, 64-bit* | 1909.12.0.1237 Latest | 3/26/2019 |
| Intel® USB 3.0 eXtensible Host Controller Driver for Intel® 8/9/100 Series and Intel® C220/C610 Chipset Family Installs Intel® USB 3.0 eXtensible Host Controller Driver (version 5.0.4.43v2) for Intel® 8 Series/C220 Series Chipset Families and 4th Generation Intel® Core™ Processor U-Series Platform. | Driver | Windows 7, 32-bit* Windows 7, 64-bit* Windows Server 2008 R2* | 5.0.4.43v2 Latest | 9/28/2018 |
| Intel® Graphics Media Accelerator Driver for Mobile Boards for Windows XP* 32. Intel® Graphics Media Accelerator Driver for Intel® Mobile Boards for Windows* XP 32. | Driver | Windows XP* | 14.36.4.5002 Latest | 11/25/2008 |
| Intel® Graphics Media Accelerator Driver for Windows* XP (zip) Installs graphic drivers version 14.25.50 for the integrated graphics controller of Intel® chipsets. This file is intended for use by Developers. | Driver | Windows XP* | 14.25.50. Latest | 1/23/2008 |
| Intel® Graphics Media Accelerator Driver for Windows Vista* 32(zip) Installs graphic drivers version 15.6 for the integrated graphics controller of Intel® chipsets. This file is intended for use by Developers. | Driver | Windows Vista* Windows Vista 32* | 15.6. Latest | 9/14/2007 |
| Intel® Graphics Media Accelerator Driver for Windows Vista* 64 (exe) Installs graphic drivers version 15.6 64 bit for the integrated graphics controller of Intel® chipsets. | Driver | Windows Vista 64* | 15.6. Latest | 9/13/2007 |
| Intel® Graphics Media Accelerator Driver for Windows Vista * 32 (exe) Installs graphics driver version 15.6 for the integrated graphics controller of Intel® chipsets. | Driver | Windows Vista* Windows Vista 32* | 15.6. Latest | 9/13/2007 |
| Intel® Graphics Media Accelerator Driver for Windows Vista* 64 (zip) Installs graphics driver version 15.6 64 bit for the integrated graphics controller of Intel® chipsets. This file is intended for use by Developers. | Driver | Windows Vista* | 15.6. Latest | 9/13/2007 |