sniffing bluetooth between the wiimote and console

Posted by nlindig 
February 05, 2009 09:20PM
Has anyone had any luck finding the bluetooth MAC address for their wii console (not the wireless address you can get through System Info)? I'm trying to sniff the connection between wiimotes and console during normal play. The idea has been mentioned a few times, but I haven't seen anything working.

"hcitool scan" finds the wiimote fine, but I haven't had any luck picking up the console. I've tried pressing the sync button and disconnecting/reconnecting wiimotes from the home menu... neither seems to work.

So far I've figured out...

1. we can't get the console bdaddr from a wiimote (via [abstrakraft.org])
Quote

bluetooth accessible eeprom is exactly the same [before and after pairing with the console]. This means the wii console address is stored some where else, maybe in the bluetooth chipset?

2. brute-force scanning of MAC addresses (with Nintendo's manufacturer code) is probably impractical - 16^6 possibilities. In principle you could use RedFang to just scan the addresses but it would take a few months.

3. reconstructing the MAC address by listening in on a single bluetooth channel might work, but it looks like you need special hardware (BlueSniff: Eve meets Alice and Bluetooth).

4. Wii-Linux looks like it comes with hciconfig... so you could, in principle, install the HomeBrew channel, run Wii-Linux and then get at the bdaddr that way. Has anyone tried this? It seems like the most promising route.
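Added example (not from the original thread): a small Python helper covering the two approaches listed above. It pulls the local adapter's BD address out of `hciconfig` output, which is what step 4 does once Wii-Linux is running, and it sizes and partitions the OUI-prefixed search space from step 2 so that a brute-force scan could be split between volunteers. The `hciconfig` sample is a constructed BlueZ-style dump, and the OUI `00:11:22` and the addresses under it are made-up placeholders, not real Nintendo values.

```python
"""Helpers for the two bdaddr-finding approaches in the post above.

The hciconfig text and the 00:11:22 OUI are constructed placeholders
(assumptions for illustration), not values captured from a Wii.
"""
import re

# BlueZ hciconfig prints one "BD Address: XX:XX:XX:XX:XX:XX" line per adapter.
BDADDR_RE = re.compile(r"BD Address:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")

# Constructed sample of `hciconfig` output; the address is a placeholder.
SAMPLE_HCICONFIG = """\
hci0:   Type: BR/EDR  Bus: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 1021:8  SCO MTU: 64:1
        UP RUNNING PSCAN
        RX bytes:1234 acl:0 sco:0 events:45 errors:0
        TX bytes:567 acl:0 sco:0 commands:45 errors:0
"""


def bdaddrs_from_hciconfig(text):
    """Return every local adapter address found in hciconfig output (step 4)."""
    return [m.upper() for m in BDADDR_RE.findall(text)]


def bdaddr_to_int(addr):
    """'00:11:22:33:44:55' -> 0x001122334455 (also accepts a 3-byte OUI)."""
    return int(addr.replace(":", ""), 16)


def int_to_bdaddr(value):
    """0x001122334455 -> '00:11:22:33:44:55'."""
    h = f"{value:012X}"
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def oui_space(oui):
    """First and last address under a 24-bit OUI: 2**24 (16^6) candidates."""
    first = bdaddr_to_int(oui) << 24
    return first, first + (1 << 24) - 1


def partition(oui, workers):
    """Split the OUI's 2**24 addresses into `workers` contiguous, near-equal
    (start, end) ranges so each volunteer scans a different slice."""
    first, last = oui_space(oui)
    total = last - first + 1
    ranges = []
    start = first
    for i in range(workers):
        # Spread the remainder over the first `total % workers` slices.
        size = total // workers + (1 if i < total % workers else 0)
        end = start + size - 1
        ranges.append((int_to_bdaddr(start), int_to_bdaddr(end)))
        start = end + 1
    return ranges


def estimate_days(candidates, seconds_per_guess=1.0, workers=1):
    """Wall-clock days to exhaust the space at a fixed per-guess cost."""
    return candidates * seconds_per_guess / workers / 86400


if __name__ == "__main__":
    print("local bdaddr(s):", bdaddrs_from_hciconfig(SAMPLE_HCICONFIG))
    lo, hi = oui_space("00:11:22")
    n = hi - lo + 1
    print(f"{n} candidates under 00:11:22")
    for w in (1, 10):
        print(f"{w:2d} worker(s): {estimate_days(n, 1.0, w):.1f} days")
    for start, end in partition("00:11:22", 10):
        print(f"  {start} - {end}")
```

At one guess per second the full 2^24 space comes out at about 194 days for a single scanner and about 19 days split ten ways, which is the arithmetic behind the figures traded later in the thread; the parser is the piece you would run against the real `hciconfig` output on Wii-Linux instead of the constructed sample.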
Re: sniffing bluetooth between the wiimote and console
February 05, 2009 10:54PM
16^6 is only 16,777,216 possibilities... and most likely, it wouldn't be the LAST one tried...

if someone could code an app to try and force it, we could all do a few numbers

haha, if you read an old idea I posted once, you'll see I'm a fan of brute forcing...
Re: sniffing bluetooth between the wiimote and console
February 11, 2009 02:12AM
Ha! It's totally impractical! It takes at least 1 second per guess (since you have to wait for the traffic to pass through the right channel). With ~17 million possibilities it looks like it would take ~193 days.

I did however try my other idea. I got wii-linux running and got the bdaddr that way. But I'm still not getting any packets from my sniffer - not quite sure what the problem is. I'll try again tomorrow.
Re: sniffing bluetooth between the wiimote and console
February 11, 2009 03:07PM
193 days, divided up between several volunteers, maybe 10 or so... brings it down to around 20 days! not too bad...
Re: sniffing bluetooth between the wiimote and console
February 13, 2009 01:13AM
Well... if anyone is following this - after figuring out the bdaddr for the console (Twilight Hack > HBC > wii-linux > hciconfig), I can successfully sniff the connection between a wiimote and the console using Frontline's software. So far it seems like everything is unencrypted. Here's a dump of the initial handshake if anyone is interested (WMWC_090212_auth.cfa). It might be useful for spoofing a wiimote or doing MITM. It's in Frontline's format, which is a bit irritating - no luck yet using csr_sniffer.
Re: sniffing bluetooth between the wiimote and console
February 13, 2009 01:15AM
and, DrLucky... I know you like brute-forcing, but installing linux and running hciconfig is just so dang elegant! It took all of an hour!
Re: sniffing bluetooth between the wiimote and console
February 13, 2009 01:46AM
Quote
nlindig
and, DrLucky... I know you like brute-forcing, but installing linux and running hciconfig is just so dang elegant! It took all of an hour!

ah, well, an hour beats 193 days divided by whatever any day! congrats
Re: sniffing bluetooth between the wiimote and console
February 14, 2009 03:08AM
nlindig,

Great work. I see you think that we might not be paying attention to your talk but we read the articles, I just haven't found any good spot to comment yet.
Re: sniffing bluetooth between the wiimote and console
June 16, 2009 08:52PM
Nlindig,
Any more progress on this? I was just thinking about how I could try to do something similar, or find someone to help do this. I'd love to understand what happens when you press the power on button on the balance board (or wiimote I guess).
Re: sniffing bluetooth between the wiimote and console
June 18, 2009 09:22PM
Hey esteimle, I've been taking a bit of a break from this... but I might start back up soon. The dump that's posted above is as far as I've gotten. That's what happens when you push the sync button on the wiimote! Just a matter of duplicating it.
Re: sniffing bluetooth between the wiimote and console
March 18, 2010 06:42PM
Have you had any further success with this? I sent you a PM with a link to a topic I started on a problem that it sounds like you might have some good insight on.