Posts by Dark Mentor LLC

Reverse engineering Realtek RTL8761B* Bluetooth chips, to make better Bluetooth security tools & classes | Dark Mentor LLC

We hold this truth to be self-evident: SUFFERING BUILDS STRENGTH! In this talk I will walk you through the trials, tribulations, and triumph(!) of the worst debugging setup I've ever hacked together, which I used to reverse engineer the Realtek RTL8761B* family of Bluetooth chips.

This work was done because Bluetooth security tools are in an abominable state. We use "CSR4" (Cambridge Silicon Radio) dongles that don't support packets newer than Bluetooth 4.0 (released in 2010!), just to be able to spoof the Bluetooth Device Address (BDADDR) for MitM attacks.

Veronica Kovah & I have been creating Bluetooth security classes for OpenSecurityTraining2 (https://ost2.fyi/). And we wanted to use better hardware; ideally something that supports BT 5.4 (released in 2023). So I bought a bunch of cheap dongles off Amazon, and found that most of them used the same RTL8761B chip. So the goal was clear: at a minimum, figure out a way to spoof the BDADDR on these dongles. But I also set out a nice-to-have stretch goal - to figure out how to use these dongles to send custom LMP packets (which are architecturally not meant to be under full user control). That way, I could replace a bulky and expensive $55 dev board (that is only used for BT Classic) with a cheap and small $14 USB dongle (which has a better antenna to boot!). This would make Blue2thprinting (released at Hardwear.io 2023), and thus Bluetooth reconnaissance & vulnerability assessment, cheaper & better.

Bloodied (but not broken) by the ordeal, I achieved my goals and stretch goals. And given that there are no public descriptions of how Realtek Bluetooth chips work, I look forward to sharing hitherto-unknown information about how to navigate and understand these mostly-16-bit-MIPS-code systems. And I'll discuss how their ROM-"patch"ing firmware update mechanism works, how you can patch it to change its code too, and the security implications thereof.

Video released for "Reverse engineering Realtek RTL8761B* Bluetooth chips, to make better Bluetooth security tools & classes" (from @hardwear-io.bsky.social). Slides & video link here:
darkmentor.com/publication/...

1 month ago

And also thanks to our Gold Sponsors, 3mdeb, Binarly @binarly.bsky.social, Dark Mentor @darkmentor.com, Hex-Rays @hex-rays.bsky.social, NCCGroup @nccgroupinfosec.bsky.social ...

3 months ago

🧵I originally started working on Blue2thprinting to try and figure out where @veronicakovah.bsky.social's over-the-air exploits against Texas Instruments & Silicon Labs (darkmentor.com/publication/...) applied...

7 months ago

📣"Bluetooth 2222: Bluetooth reconnaissance with Blue2thprinting" is now released!📣
ost2.fyi/BT2222

This class teaches you about the 30+ data types that the Blue2thprinting software can collect for when you're trying to determine what a device is, and whether it has any known vulnerabilities.

7 months ago

🧵Those "hacked" crosswalk buttons last week were most likely just things that hadn't changed the default password (from "1234"), and then someone used the Polara app to upload new audio. Today I decompiled the Android app and added the UUIDs to CLUES: github.com/darkmentorll...

1 year ago

Sometimes @veronicakovah.bsky.social is too humble, to her detriment... I wanted her to say "and we're Bluetooth hackers!" but she said that felt too cocky (despite the fact that she has multiple over the air BT RCE firmware exploits... ¯\_(ツ)_/¯)

1 year ago

"Bluetooth Low Energy: Full Stack Attack" Trailer Hardwear.io (YouTube video by DarkMentorLLC)

In this video @xenokovah.bsky.social and I give a quick overview of some of the material covered in our "Bluetooth Low Energy: Full Stack Attack" class, which will be delivered at the upcoming hardwear.io USA May 27-29 hardwear.io/usa-2025/tra...

www.youtube.com/watch?v=uuyX...

1 year ago
Bluetooth Low Energy - Full Stack Attack | Dark Mentor LLC 4 day class covering the full Bluetooth Low Energy (BLE) protocol stack from the bottom (PHY) up to the top (GATT). The core of the class is built around playing with a game application on an Android ...

Bluetooth Low Energy - Full Stack Attack 4-day public and private training outline here: darkmentor.com/training/ble...

1 year ago
Bluetooth Low Energy - Full Stack Attack | Veronica & Xeno Kovah | hardwear.io USA 2025 In this training by Veronica Kovah & Xeno Kovah, you will learn how to use fault-injection to do just that. You will learn how to use techniques such as crowbar glitching, spiking and electro-magnetic...

. @VeronicaKovah.bsky.app and I have a new class on Bluetooth Low Energy security which we're teaching at @hardwear-io.bsky.app May 27-29: hardwear.io/usa-2025/tra.... In the class we walk through the entire BLE stack to show you where all the bodies (and attack surfaces) are buried.💀

1 year ago

🔵🦷🔒📈🆙🧵‼️
Bluetooth Security Timeline Update Thread!
👇

1 year ago

My talk "Crowdsourcing Bluetooth identity, to understand Bluetooth vulnerability" is now posted here darkmentor.com/publication/..., and the @districtcon.bsky.social video has also been posted www.youtube.com/watch?v=pJgi...

1 year ago

The ESP32 "backdoor" that wasn't | Dark Mentor LLC 4 day class covering the full Bluetooth Low Energy (BLE) protocol stack from the bottom (PHY) up to the top (GATT). The core of the class is built around playing with a game application on an Android phone, talking via Bluetooth to an IoT-type piece of hardware, and analyzing the communication between them. The 4th day is focused on assessing a customized Ultra-Vulnerable Peripheral firmware, running on Zephyr RTOS, which has had vulnerabilities introduced into it which are representative of vulnerabilities found in the past across many other platforms.

I’ve posted a detailed explanation of why the claimed ESP32 Bluetooth chip “backdoor” is not a backdoor. It’s just a poor security practice, which is found in other Bluetooth chips by vendors like Broadcom, Cypress, and Texas Instruments too. https://darkmentor.com/blog/esp32_non-backdoor/

1 year ago

@shmoocon.bsky.social is dead. Long live ShmooCon!

But what’s past is prologue and I’m off to check the vibe at @districtcon.bsky.social today (and speak tomorrow) and see if it’s picking up the baton.

1 year ago
Workshop: Blue2thprinting: identifying the form and function of the Bluetooth devices // Xeno Kovah Right now you are enveloped in the warming glow of dozens to hundreds of Bluetooth devices. Aren’t you curious what all those little critters are?! In this workshop we’ll use the Blue2thprinting tools to poke at these apparitions and get a sense of what they are and what they want from us!

@veronicakovah.bsky.social and I have too much material for our 4-day BLE training at RingZer0. So I made a separate free workshop. If you’re in attendance you’ll get to go deep into BLE device identification and 2thprinting! ringzer0.training/bootstrap25-workshop-blu...

1 year ago

Last bump for @veronicakovah.bsky.social and my “Bluetooth Low Energy: Full Stack Attack” training March 18th-21st in Austin TX at RingZer0! ringzer0.training/bootstrap25-bluetooth-lo...

These interactions between the BT host and controller are just 3 slides!

1 year ago
Bluetooth Security Timeline — By @XenoKovah of @DarkMentorLLC

🔵🦷Bluetooth Timeline darkmentor.com/bt.html update thread!🧵
Bringing you 7 new talks from 2024 (including one from today @ CCC!) and 7 from prior years
👇

1 year ago

This training will be bottom-up from the PHY all the way to the GATT layer of BLE, discussing all sorts of vulnerabilities that have been found in the various layers.

1 year ago
Bluetooth Low Energy - Full Stack Attack | Veronica & Xeno Kovah | hardwear.io USA 2025 In this training by Veronica & Xeno Kovah, you will learn how to use fault-injection to do just that. You will learn how to use techniques such as crowbar glitching, spiking and electro-magnetic fault...

@veronicakovah.bsky.social and @xenokovah.bsky.social Kovah will be presenting their new training "Bluetooth Low Energy - Full Stack Attack" for the second time ever at hardwear.io in Santa Clara CA May 27-29th 2025. hardwear.io/usa-2025/tra...

1 year ago

This is a bottom-up training from the PHY to the GATT layer of BLE. The final day will be focused on vulnerability assessment of a customized Ultra-Vulnerable Peripheral (UVP) running a custom Zephyr RTOS firmware on a Nordic nRF52840 dongle, with vulnerabilities introduced for students to find.

1 year ago
Bluetooth Low Energy - Full Stack Attack It's pretty fun to hack things wirelessly. And hey, it turns out there's literally *billions* of Bluetooth Low Energy (BLE) things sold per year, so let's learn how to hack those!

@veronicakovah.bsky.social and @xenokovah.bsky.social will be presenting for the first time ever their new training "Bluetooth Low Energy - Full Stack Attack" at RingZer0 Training in Austin TX March 18-21 2025. ringzer0.training/bootstrap25-...

1 year ago

@xenokovah.bsky.social will be presenting "Crowdsourcing Bluetooth identity, to understand Bluetooth vulnerability" at districtcon.bsky.social Feb 22nd 2025 in Washington DC www.districtcon.org/bios-and-tal...

A year of updates to the Blue2thprinting code, including a new crowdsourcing capability.

1 year ago

2024-03-23 @xenokovah.bsky.social created "Architecture 1005: RISC-V Assembly" ost2.fyi/Arch1005 and donated the material under a CC-BY-SA license to @opensectraining.bsky.social

1 year ago
Blue2thprinting (blue-[tooth)-printing]: answering the question of 'WTF am I even looking at?!' | Dark Mentor LLC If one wants to know (for attack or defense) whether a Bluetooth (BT) device is vulnerable to unauthenticated remote over-the-air exploits, one needs to be able to query what firmware or OS the target...

2023-11-02 @xenokovah.bsky.social presented "Blue2thprinting (blue-[tooth)-printing]: answering the question of 'WTF am I even looking at?!'" at Hardwear.io, and subsequently at H2HC and ShmooCon

The extended-cut (1.5h) video & slides are available here darkmentor.com/publication/...

1 year ago
Open Wounds: The last 5 years have left Bluetooth to bleed | Dark Mentor LLC Over the past 20 years there have been 3 waves of Bluetooth (BT) security research. The first wave peaked in 2004, and rather abruptly ended after 2005. Then for a long time there was very low interes...

2023-10-19 @xenokovah.bsky.social presented "Open Wounds: The last 5 years have left Bluetooth to bleed" at Hack.lu.

The conference video & slides are available here darkmentor.com/publication/...

1 year ago
It Was Harder to Sniff Bluetooth Through My Mask During the Pandemic... | Dark Mentor LLC During the pandemic I took up Bluetooth (BT) sniffing as a way to get out of the house. I didn’t know what was out there for BT devices, but it felt important to know what the implications were of the...

2023-08-24 @xenokovah.bsky.social presented "It Was Harder to Sniff Bluetooth Through My Mask During the Pandemic..." at HITB PKT, and subsequently Hacktivity, HackFest.ca, NoHat, and SecTor.

The extended-cut (2h!) video & slides are available here darkmentor.com/publication/...

1 year ago

2023-03-27 @xenokovah.bsky.social created "Vulnerabilities 1002: C-Family Software Implementation Vulnerabilities 2" ost2.fyi/Vulns1002 and donated the material under a CC-BY-SA license to @opensectraining.bsky.social

1 year ago

2022-12-26 @xenokovah.bsky.social created "Hardware 1101: Intel SPI Analysis" ost2.fyi/HW1101 and donated the material under a CC-BY-SA license to @opensectraining.bsky.social

1 year ago

2022-05-19 @xenokovah.bsky.social created "Vulnerabilities 1001: C-Family Software Implementation Vulnerabilities 1" ost2.fyi/Vulns1001 and donated the material under a CC-BY-SA license to @opensectraining.bsky.social

1 year ago

2021-11-04 @xenokovah.bsky.social created "Architecture 4001: x86-64 Intel Firmware Attack & Defense" ost2.fyi/Arch4001 and donated the material under a CC-BY-SA license to @opensectraining.bsky.social

1 year ago

2021-07-16 @xenokovah.bsky.social created "Architecture 2001: x86-64 OS Internals" ost2.fyi/Arch2001 and donated the material under a CC-BY-SA license to @opensectraining.bsky.social

1 year ago