The Sniffing and Decoding NRF24L01+ and Bluetooth LE Packets For Under $30 article points to an interesting hack: decoding the NRF24L01+ and Bluetooth Low Energy protocols using an RTL-SDR (a cheap USB digital TV tuner used as a digital radio). Because the equipment is so cheap, practically anyone can obtain it quickly. Some special hacking was needed because there is no RTL-SDR that tunes up to 2.4 GHz, where Bluetooth operates.
Sniffing and decoding NRF24L01+ and Bluetooth LE packets for under $30 is a long blog post that describes the journey to sniff and decode popular digital wireless protocols off the air for very little money. The developer believes this is the first time BTLE has been decoded using a very cheap generic device. The description of the project can be found at http://blog.cyberexplorer.me/2014/01/sniffing-and-decoding-nrf24l01-and.html and the main software repository for this project is at https://github.com/omriiluz/NRF24-BTLE-Decoder. This looks like a really interesting hack for receiving Bluetooth signals.
One of the challenges was that you can’t use an rtl-sdr directly to receive the Bluetooth signal, because no version of the rtl-sdr tunes up to 2.4 GHz. The highest you can buy reach 2.2 GHz, just shy of the 2.4 GHz we need. The only way around this is to convert the signal down to a frequency the rtl-sdr can use. This was possible with an MMDS LNB: they can be found for a variety of frequencies and LO frequencies, and one suitable cheap unit was designed to take a 2.2-2.4 GHz signal and down-convert it to around 400 MHz (where the rtl-sdr can receive it). SDR# was used with the new radio setup to check whether signals could be found on the right frequencies. It’s a clever kluge for capturing and reading 2.4 GHz traffic with a sub-2.2 GHz receiver.
The developer is confident that this software can be adapted to output the right format as input to existing Bluetooth decoders such as Wireshark (whose Bluetooth stack is partially implemented, so Wireshark can dissect several layers and protocols of the stack). That would be interesting to see. This hack was designed for Bluetooth LE, not any other Bluetooth variant. Please note that Bluetooth LE is a new technology, introduced in the Bluetooth 4.0 spec. It has absolutely nothing to do with Bluetooth besides the name. Now that we have that out of the way, why is it cool? Well, it was made for low power, and the design shows it. If you are interested in more, check also the “Bit-Banging” Bluetooth Low Energy article.
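To see what a decoder has to undo between the raw air bits and anything a Wireshark-style dissector can read, here is an added example (not code from the blog post or the NRF24-BTLE-Decoder project) of the two BLE advertising-channel link-layer steps: data whitening seeded with the RF channel index, and the CRC-24 with the advertising init value 0x555555, run both ways on a constructed ADV_NONCONN_IND packet. The sample address 11:22:33:44:55:66 and the function names are my own.

```python
ADV_ACCESS_ADDRESS = bytes.fromhex("d6be898e")  # 0x8E89BED6 as it appears on air


def ble_whiten(data: bytes, channel: int) -> bytes:
    """Apply or remove (it is an XOR) BLE data whitening for an RF channel index.
    7-bit LFSR x^7 + x^4 + 1, seeded with a leading 1 and the channel index."""
    lfsr = 0x40 | (channel & 0x3F)
    out = bytearray()
    for byte in data:
        for i in range(8):  # air bits are LSB-first, one keystream bit each
            if lfsr & 1:
                byte ^= 1 << i
                lfsr ^= 0x88  # feed position 6 back into positions 0 and 4
            lfsr >>= 1
        out.append(byte)
    return bytes(out)


def ble_crc24(pdu: bytes, init: int = 0x555555) -> bytes:
    """CRC-24 (x^24+x^10+x^9+x^6+x^4+x^3+x+1) over a PDU, init 0x555555 on the
    advertising channels. Returned as the 3 bytes that follow the PDU on air."""
    lfsr = init
    for byte in pdu:
        for i in range(8):
            fb = ((lfsr >> 23) & 1) ^ ((byte >> i) & 1)
            lfsr = (lfsr << 1) & 0xFFFFFF
            if fb:
                lfsr ^= 0x00065B  # taps at positions 0, 1, 3, 4, 6, 9, 10
    # position 23 is sent first, so repack the register LSB-first per byte
    bits = [(lfsr >> (23 - k)) & 1 for k in range(24)]
    return bytes(sum(bits[8 * j + i] << i for i in range(8)) for j in range(3))


def build_adv_packet(pdu: bytes, channel: int) -> bytes:
    """Transmitter side (minus the preamble): access address + whitened PDU+CRC."""
    return ADV_ACCESS_ADDRESS + ble_whiten(pdu + ble_crc24(pdu), channel)


def decode_adv_packet(raw: bytes, channel: int):
    """Receiver side: (pdu, crc_ok), or None when the access address does not match."""
    if raw[:4] != ADV_ACCESS_ADDRESS:
        return None
    body = ble_whiten(raw[4:], channel)
    end = 2 + body[1]  # header byte 1 is the payload length
    pdu, rx_crc = body[:end], body[end:end + 3]
    return pdu, ble_crc24(pdu) == rx_crc


# Constructed ADV_NONCONN_IND: header (type 0x02, length 9), AdvA 11:22:33:44:55:66
# sent LSB-first, then one AD structure: Flags (0x01) = 0x06.
SAMPLE_PDU = bytes.fromhex("0209" "665544332211" "020106")
if __name__ == "__main__":
    air = build_adv_packet(SAMPLE_PDU, 37)  # channel 37 = 2402 MHz
    print(air.hex(), decode_adv_packet(air, 37))
```

Dewhitening with the wrong channel index, or a single flipped bit, leaves the CRC check failing, which is the first filter a real off-air decoder applies before handing bytes on.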
There are also other ways to receive Bluetooth LE. The Promiscuity is the nRF24L01+’s Duty blog posting describes a hack to convert an nRF24L01 into a promiscuous listening device. This achieves a very similar goal, but much more cheaply.