BTLE-Radio is an open-source Bluetooth Low Energy experiment kit built on a software-defined radio (HackRF One). It implements the BLE baseband in software; in the BLE protocol stack this corresponds to the physical layer and the link layer.

Currently it supports sniffing and parsing air-interface packets on the three broadcast (advertising) channels, and sending packets on any channel. More is in progress, so stay tuned!

Reference: Bluetooth Core Specification v5.3


Tested runtime environments (not strictly required):


Install the HackRF driver and the GNU Radio components; the default HackRF One firmware can be used as-is.


Installation on OSX has many pitfalls; upgrading MacPorts to the latest version is recommended. My test environment is OSX 12.4.

Install the HackRF driver:

```bash
sudo port install hackrf
```

The GNU Radio suite can be installed with the following command, but downloading and installing the DMG build is recommended.

```bash
sudo port install gnuradio
```

To use the HackRF One on OSX, also install gr-osmosdr for GNU Radio:

```bash
sudo port install gr-osmosdr
```


Compile the HackRF driver from source (the clone URL is missing from the original README):

```bash
mkdir -p ~/hackrf_files && cd ~/hackrf_files && git clone
cd ~/hackrf_files/hackrf/host && mkdir build && cd build && cmake .. && make && sudo make install && sudo ldconfig
```

Install the GNU Radio suite:

```bash
sudo aptitude install gnuradio
```

Run GNU Radio Companion:

```bash
sudo gnuradio-companion
```


Run BTLE-R (in development). The baseband logic is customised in Python; currently it can hop across the broadcast channels.


```text
usage: [-h] [-v] [-m MAC] [-c CH] [-t FILE]

Command Line Interface for BTLE-Radio Bluetooth Baseband Experiment Kit

optional arguments:
  -h, --help                Show this help message and exit
  -v, --version             Show version and exit
  -m MAC, --mac MAC         Filter packets by advertiser MAC
  -c CH, --channel CH       Monitor the broadcast channel CH, the range is 0-39, the default is 37-39
  -t FILE, --transfer FILE  Send link layer data, data from JSON file [ Example in src/transfer/packets.txt ]
```


Monitor all broadcast channels:

```bash
$ ./
```

Monitor the broadcast channels for one MAC address:

```bash
$ ./ --mac e4:00:20:44:7c:d4
```

Send BLE link-layer packets on any channel; see packets.txt for the content format.

```bash
$ ./ -t transfer/packets.txt
```

After running the command, you can use LightBlue (or another BLE sniffer) to discover the advertisement named SDR/Bluetooth/Low/Energy. Sending other link-layer signals is also supported.



My test environment is macOS. If an error occurs when running (especially after switching to Ubuntu), regenerate the code with GNU Radio Companion and then run it again.

[For Debug and Dev]

Run GRC. The flow graph is mainly used to develop and debug BTLE-R; the channel, Access Address, etc. can be set manually in its parameters. For automatic channel selection and connection tracking, use BTLE-R directly.

To run the flow graph in GNU Radio Companion, or to run the generated Python script, use the following command:

```bash
$ python3
```

A BLE sending interface is provided. Use the following command to build on this interface for further development:

```bash
$ python3 packets.txt
```


BTLE Air Interface Capture

  1. Advertising physical channel packet capture

    • Advertising/Scanning PDU capture

    • Initiating PDU capture

      e.g. CONNECT_IND capture: parsing this packet yields the key parameters of the link connection, including the frequency hopping algorithm (and ChannelMap), the CRC initial value (CRCInit) and the connection interval.



Link Layer Data Transfer



Sniffer Module Design


  • GFSK demodulation (GNU Radio default)
  • BLE packet acquisition
  • Data Whitening/De-Whitening
  • CRC Check
  • PDU parsing (advertising physical channel only, so far)
  • Channel hopping

Transfer Module Design


  • BLE_Radio_Source (requires the PDU, transmit channel, Access Address, CRCInit and other information)
    • LL_Data packaging
    • CRC calculation
    • Data Whitening
    • Channel hopping
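
The CRC and whitening steps shared by the Sniffer (CRC Check, De-Whitening) and Transfer (CRC calculation, Data Whitening) modules, as an added example that is not code from the BTLE-Radio project. It assumes the bit conventions of Bluetooth Core Specification v5.3, Vol 6, Part B (sections 3.1.1 and 3.2); the helper names and the constructed ADV_IND sample are mine.

```python
# Added example, not code from the BTLE-Radio project: the link-layer CRC-24 and
# data whitening that the Sniffer (CRC Check, De-Whitening) and Transfer (CRC
# calculation, Data Whitening) modules listed above need. Bit conventions follow
# Bluetooth Core Specification v5.3, Vol 6, Part B, sections 3.1.1 and 3.2.
ADV_CRC_INIT = 0x555555        # CRC_Init on the advertising physical channel
CRC_POLY_REFLECTED = 0xDA6000  # x^24+x^10+x^9+x^6+x^4+x^3+x+1, LSB-first form

def crc24(pdu: bytes, crc_init: int = ADV_CRC_INIT) -> bytes:
    """3 CRC bytes in over-the-air order for a de-whitened PDU."""
    # crc_init is given as in CONNECT_IND (position 0 = its LSB): bit-reverse it
    state = int(f"{crc_init:024b}"[::-1], 2)
    for byte in pdu:
        state ^= byte                         # bits are clocked in LSB first
        for _ in range(8):
            state = (state >> 1) ^ CRC_POLY_REFLECTED if state & 1 else state >> 1
    return state.to_bytes(3, "little")

def crc_ok(pdu_with_crc: bytes, crc_init: int = ADV_CRC_INIT) -> bool:
    """Sniffer side: does the trailing CRC match the recomputed one?"""
    return len(pdu_with_crc) > 3 and crc24(pdu_with_crc[:-3], crc_init) == pdu_with_crc[-3:]

def whiten(data: bytes, channel: int) -> bytes:
    """Whiten or de-whiten (same XOR) PDU+CRC bytes for RF channel 0..39."""
    # 7-bit LFSR x^7+x^4+1; bit 6 = position 0 (set to 1), bits 5..0 = channel MSB first
    lfsr = 0x40 | (channel & 0x3F)
    out = bytearray()
    for byte in data:
        for bit in range(8):                  # bits leave the radio LSB first
            fb = lfsr & 1                     # position 6 is the whitening output
            byte ^= fb << bit
            lfsr = (lfsr >> 1) ^ (0x44 if fb else 0)  # feedback into positions 0 and 4
        out.append(byte)
    return bytes(out)

def build_adv_ind(mac: str, adv_data: bytes, channel: int) -> bytes:
    """Transfer side: ADV_IND PDU (public AdvA) + CRC, whitened for channel."""
    adv_a = bytes.fromhex(mac.replace(":", ""))[::-1]   # AdvA goes out LSB first
    pdu = bytes([0x00, len(adv_a) + len(adv_data)]) + adv_a + adv_data
    return whiten(pdu + crc24(pdu), channel)

def parse_adv_ind(air_bytes: bytes, channel: int):
    """Sniffer side: de-whiten, check CRC, return (advertiser MAC, AdvData) or None."""
    pdu = whiten(air_bytes, channel)
    if not crc_ok(pdu) or pdu[0] & 0x0F != 0x00:      # PDU type 0b0000 = ADV_IND
        return None
    adv_a = pdu[2:8][::-1]
    return ":".join(f"{b:02x}" for b in adv_a), pdu[8:2 + pdu[1]]
```

A frame built with `build_adv_ind` on channel 37 only parses back when de-whitened with the same channel index, which is why the Sniffer must know which RF channel it is listening on before the CRC check can succeed.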

Planned

  • Data Physical Channel
  • Channel Selection