CC2540EMK-USB dongle Bluetooth LE Sniffer provides methods to capture raw Bluetooth LE frames. It captures not only Bluetooth LE advertisements but the complete data exchange between Bluetooth LE central (client) and peripheral (server) devices including but not limited with control and data frames. The BleSniffer demo application from Bluetooth Framework package shows how to do this.

PRE-REQUIREMENTS

HARDWARE

The BLE Sniffer requires CC2540 based Bluetooth LE USB dongle. It is recommended to use the CC2540EMK-USB TI dongle as it is shipped with pre-flashed required firmware. However you can use any China clone from AliExpress or any other CC2540 based USB dongle. The firmware can be found on the Texas Instruments site.

Drivers

It is required that the dongle uses WinUSB drivers. By default the dongle uses proprietary (Cebal) driver. Below you find the detailed instructions how to install WinUSB driver.

  • 1. Download Zadig.
  • 2. Start the Zaig application.
    Zadig Main Window
  • 3. Make sure that the List All Devices menu item is checked in the Options menu.
    Zadig List All Device Menu Item
  • 4. Select CC2540 USB Dongle in the drop down list box
    CC2540 USB Driver selection
  • 5. Make sure that the source driver is Cebal (blue circle on the picture above).
  • 6. Make sure that the target driver is WinUSB (green circle on the picture above).
  • 7. Click the Replace Driver button.
    Zadig WinUSB driver installing
  • 8. Once driver installation finished you will see the "The driver was installed successfully." message.
    Zadig WinUSB driver installed

Now you can use your CC2540 USB dongle to capture Bluetooth LE communications. To revert the original driver back:

  • 1. Open the Device Manager
  • 2. Find the CC2540 USB Dongle device under the USB Devices node.
  • 3. Delete the device.
  • 4. Refrsh devices. This re-found the device and installs the original Cebal driver.

How It Works

The BleSniffer demo application shows how to use the wclBleSniffer class. The BleSniffer can parse the following advertising PDUs (data PDUs and any other unknown packets are reported as raw):

  • ADV_IND
  • ADV_DIRECT_IND
  • ADV_NONCONN_IND
  • SCAN_REQ
  • SCAN_RSP
  • CONNECT_IND
  • ADV_SCAN_IND

At startup you should provide the advertising channel number. It can be channel 37, 38 or 39. Once connection request captured the sniffer will automatically follows the channel changes to capture control and data frames.