#11
I just realized I misread the log dates, and see now that the website is still active.

thanks,
Isaac

"Isaac" wrote in message ...

Hi, thanks for the tip. That is a very interesting project this guy has done. He seems cool, so maybe he'd be willing to help with a few quick questions. The website is vintage 2007 so hopefully he is still active.

Thanks again!
Isaac

"danny burstein" wrote in message ...

In "Isaac" writes:

I see. That is very encouraging. Do you happen to know if there is a way to use these AT commands without pairing first? Or, if there is another way to get the model info without pairing.

You might want to contact the folk at: http://www.bluetoothtracking.org/

--
_____________________________________________________
Knowledge may be power, but communications is the key
[to foil spammers, my address has been double rot-13 encoded]

#12
After reading that info I found more carefully, I realize there is a catch. That is, there seem to be two conditional words I don't clearly understand in the following two sections:

1. "Any device may perform an inquiry to find other devices to connect to, and any device can be configured to respond to such inquiries."

Here it says "can be configured". Not sure if that means the user has to enter a special option/mode setting to enable the "discoverable mode", or if the "discoverable mode" is the default mode when the Bluetooth radio is enabled. Any idea?

2. "However, if the device trying to connect knows the *address* of the device, it always responds to direct connection requests and transmits the information shown in the list above if requested."

Here, I don't know what "address" they mean in "if the device trying to connect knows the *address* of the device"? Any idea what address they are talking about? If it means a certain Bluetooth address, then is that publicly known or is it secret. However, if it means a MAC address, then that should be publicly available based on this website Bluetooth public scanner data: http://www.bluetoothtracking.org/

From this explanation, if I know what that "address" is I can query the make/model info. I'm real close now, so any help to nail this near last step will go a long way towards cracking this nut.

Much appreciated!
Isaac

"Isaac" wrote in message ...

Hey John,

The address blocks suggestion went over my head, but I think you are definitely onto something with the Bluetooth name observation. I looked into that and found out that this is the default case, but as you say can be changed, which I assume few people do.

Even better, though, I searched this further and found the below info, which indicates that any Bluetooth device will give, among other technical info, the make and model of the phone on demand as part of a discovery mode inquiry. This is *exactly* what I need! It is not clear to me if the AT Commands will work or if it is a certain Bluetooth program script protocol. That is, do you happen to know what is the method/mode to properly inquire and access this public Bluetooth device info during a discovery mode inquiry?

Bluejacking or a modern, legit version is interesting too if it is possible for my App to send the prospective user a pop-up text message stating something like "Please wait while we determine if your phone is supported"... then "your phone is supported, please ....". However, sending text messages w/o pairing would be icing on the cake, though.

Setting up connections

Any Bluetooth device in discoverable mode will transmit the following information on demand:

a. Device name
b. Device class
c. List of services
d. Technical information (for example: device features, manufacturer, Bluetooth specification used, clock offset)

Any device may perform an inquiry to find other devices to connect to, and any device can be configured to respond to such inquiries. However, if the device trying to connect knows the address of the device, it always responds to direct connection requests and transmits the information shown in the list above if requested.

Use of a device's services may require pairing or acceptance by its owner, but the connection itself can be initiated by any device and held until it goes out of range. Some devices can be connected to only one device at a time, and connecting to them prevents them from connecting to other devices and appearing in inquiries until they disconnect from the other device.

Every device has a unique 48-bit address. However, these addresses are generally not shown in inquiries. Instead, friendly Bluetooth names are used, which can be set by the user. This name appears when another user scans for devices and in lists of paired devices. Most phones have the Bluetooth name set to the manufacturer and model of the phone by default. Most phones and laptops show only the Bluetooth names and special programs are required to get additional information about remote devices. This can be confusing as, for example, there could be several phones in range named T610 (see Bluejacking).

"John Henderson" wrote in message ...

Isaac wrote:

Are you aware of any partial access (i.e., "gray") security levels whereby you don't have to do full pairing but can get authorized for limited connectivity (like some kind of a "sandbox" mode) to at least do some basic

snip

I'm not aware of anything like that.

You might want to research whether or not Bluetooth addresses are allocated and used in blocks such that individual addresses can convey some information, perhaps in conjunction with the protocol.

If you could rely on people not changing the Bluetooth name, then that often carries model information. If I scan in a busy place, I see recurring protocol, name combinations like:

200408 Nokia CK-7W
5A0204 SGH-A561

along with lots of customized names, of course.

John

#13
Isaac wrote:

Hey John, The address blocks suggestion went over my head, but I think you are definitely onto something with the Bluetooth name observation. I looked into that and found out that this is the default case, but as you say can be changed, which I assume few people do.

I'd estimate that more than half do personalize the name in my part of the world.

Even better, though, I searched this further and found the below info, which indicates that any Bluetooth device will give, among other technical info, the make and model of the phone on demand as part of a discovery mode inquiry. This is *exactly* what I need! It is not clear to me if the AT Commands will work or if it is a certain Bluetooth program script protocol. That is, do you happen to know what is the method/mode to properly inquire and access this public Bluetooth device info during a discovery mode inquiry? Bluejacking or a modern, legit version is interesting too if it is possible for my App to send the prospective user a pop-up text message stating something like "Please wait while we determine if your phone is supported"... then "your phone is supported, please ....". However, sending text messages w/o pairing would be icing on the cake, though.

You can open a socket and send some text to a Bluetooth phone. On my Samsung phone at least, it disappears into a black hole. You can also send some text in the form of a business card, which is usually handled better.

Setting up connections

Any Bluetooth device in discoverable mode will transmit the following information on demand:

a. Device name
b. Device class
c. List of services
d. Technical information (for example: device features, manufacturer, Bluetooth specification used, clock offset)

Using the bluetooth.discover_devices() function followed by the bluetooth.find_service() query to the specific discovered addresses from the following Python module, I get no manufacturer or model info returned in the dictionaries specified.

http://org.csail.mit.edu/pybluez/doc...viceDiscoverer

I get results like this from bluetooth.find_service() when connecting to 00:23:39:9F:BA:8A.

Host: 00:23:39:9F:BA:8A
Name: Serial Server
Description: None
Protocol: RFCOMM
Provider: None
Port: 4
Service id: None
Service-classes: ['1101']
Profiles: [('1101', 256)]

That's my own Samsung phone's host address, so I have no qualms about making it public. My Siemens and Sony Ericsson phones likewise return no make or model info in this way. If there's more to be found, I haven't found it.

John

#14
"John Henderson" wrote in message ...

Isaac wrote:

Hey John, The address blocks suggestion went over my head, but I think you are definitely onto something with the Bluetooth name observation. I looked into that and found out that this is the default case, but as you say can be changed, which I assume few people do.

I'd estimate that more than half do personalize the name in my part of the world.

bummer

snip

supported, please ....". However, sending text messages w/o pairing would be icing on the cake, though.

You can open a socket and send some text to a Bluetooth phone. On my Samsung phone at least, it disappears into a black hole. You can also send some text in the form of a business card, which is usually handled better.

this could be helpful. Thanks.

Setting up connections

Any Bluetooth device in discoverable mode will transmit the following information on demand:

snip

d. Technical information (for example: device features, manufacturer, Bluetooth specification used, clock offset)

Using the bluetooth.discover_devices() function followed by the bluetooth.find_service() query to the specific discovered addresses from the following Python module, I get no manufacturer or model info returned in the dictionaries specified.

http://org.csail.mit.edu/pybluez/doc...viceDiscoverer

I get results like this from bluetooth.find_service() when connecting to 00:23:39:9F:BA:8A.

Host: 00:23:39:9F:BA:8A
Name: Serial Server
Description: None
Protocol: RFCOMM
Provider: None
Port: 4
Service id: None
Service-classes: ['1101']
Profiles: [('1101', 256)]

That's my own Samsung phone's host address, so I have no qualms about making it public. My Siemens and Sony Ericsson phones likewise return no make or model info in this way. If there's more to be found, I haven't found it.

I get the sense that what you point to above is a first step in that direction. However, I did a little checking and it seems like there is a standard way to get the make/model info under the SDP (Service discovery protocol) that all Bluetooth devices must support. Check this out and let me know what you think:

http://trifinite.org/Downloads/Blueprinting.pdf

It is vintage 2005 so it is a bit dated; however, it clearly states:

"With Blueprinting it is possible to determine the manufacturer, the device model and the firmware version of the respective device. The complexity of the introduced method is intentionally simple so that this procedure can be executed on constrained devices that are not capable of calculating common hashes such as MD5: the J2ME Connected Limited Device Configuration (CLDC) Version 1.0 (as used in many mobile handsets) can perform it.
....
One of the purposes that Blueprinting could be used for is statistical examination of different environments. This way, it is possible to create statistics over manufacturer and device models in special places as it was done in the CeBIT field trial report [1].
....
Blueprinting is combining the different information that Bluetooth-enabled devices reveal in order to identify the manufacturer as well as the model of the device.
.....
Therefore, for identifying a manufacturer's model, Blueprinting takes the SDP [8] profiles, which can be queried from devices that offer services, into account"

So, there seems to be a simple way to do it at least back in 2005. Do you have any thoughts on this? I'll keep digging...

Thanks!
Isaac

#15
See here:

http://trifinite.org/trifinite_stuff...ng.html#method

where it says:

Service Discovery Protocol Records

Every Bluetooth-enabled device that offers services to other Bluetooth-enabled devices does announce these services via the service discovery protocol (SDP). So, remote devices can query devices upon the offered capabilities. SDP records are returned to the querying device and hold information on how to access the respective service. Our method now hashes certain values out of the records and calculates a fingerprint value that then is used in order to refer to the respective model.

===========

I wonder if this is reliable, or just a heuristic that does not always work. I'll keep digging.

Thanks,
Isaac

"John Henderson" wrote in message ...

Isaac wrote:

Hey John, The address blocks suggestion went over my head, but I think you are definitely onto something with the Bluetooth name observation. I looked into that and found out that this is the default case, but as you say can be changed, which I assume few people do.

I'd estimate that more than half do personalize the name in my part of the world.

Even better, though, I searched this further and found the below info, which indicates that any Bluetooth device will give, among other technical info, the make and model of the phone on demand as part of a discovery mode inquiry. This is *exactly* what I need! It is not clear to me if the AT Commands will work or if it is a certain Bluetooth program script protocol. That is, do you happen to know what is the method/mode to properly inquire and access this public Bluetooth device info during a discovery mode inquiry? Bluejacking or a modern, legit version is interesting too if it is possible for my App to send the prospective user a pop-up text message stating something like "Please wait while we determine if your phone is supported"... then "your phone is supported, please ....". However, sending text messages w/o pairing would be icing on the cake, though.

You can open a socket and send some text to a Bluetooth phone. On my Samsung phone at least, it disappears into a black hole. You can also send some text in the form of a business card, which is usually handled better.

Setting up connections

Any Bluetooth device in discoverable mode will transmit the following information on demand:

a. Device name
b. Device class
c. List of services
d. Technical information (for example: device features, manufacturer, Bluetooth specification used, clock offset)

Using the bluetooth.discover_devices() function followed by the bluetooth.find_service() query to the specific discovered addresses from the following Python module, I get no manufacturer or model info returned in the dictionaries specified.

http://org.csail.mit.edu/pybluez/doc...viceDiscoverer

I get results like this from bluetooth.find_service() when connecting to 00:23:39:9F:BA:8A.

Host: 00:23:39:9F:BA:8A
Name: Serial Server
Description: None
Protocol: RFCOMM
Provider: None
Port: 4
Service id: None
Service-classes: ['1101']
Profiles: [('1101', 256)]

That's my own Samsung phone's host address, so I have no qualms about making it public. My Siemens and Sony Ericsson phones likewise return no make or model info in this way. If there's more to be found, I haven't found it.

John

#16
Isaac wrote:

I get the sense that what you point to above is a first step in that direction. However, I did a little checking and it seems like there is a standard way to get the make/model info under the SDP (Service discovery protocol) that all Bluetooth devices must support. Check this out and let me know what you think:

http://trifinite.org/Downloads/Blueprinting.pdf

That's a nice find.

It says that the manufacturer can be determined from the Bluetooth address, as I suggested a few replies ago when I wrote: "You might want to research whether or not Bluetooth addresses are allocated and used in blocks such that individual addresses can convey some information, perhaps in conjunction with the protocol."

The model apparently gets interpolated from the likes of data returned by the bluetooth.find_service() function from the Python PyBluez module I mentioned.

But it looks like you're going to have to build and maintain your own lookup tables to enable this. New model phones come out quite often.

You need to code up some programs and start experimenting with the data you find.

John

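Added example, not part of any post in this thread and not the trifinite code: a sketch of the lookup-table approach John describes, suited to checking what one of your own devices discloses before pairing. It takes the manufacturer from the address block and a digest of find_service()-style records; the table contents, the function names and the use of SHA-256 are assumptions.

```python
import hashlib
import re

# Constructed lookup tables. The one OUI entry comes from the thread, where
# John gives 00:23:39:9F:BA:8A as the address of his own Samsung phone.
OUI_TABLE = {"002339": "Samsung"}
MODEL_TABLE = {}  # fingerprint -> model label, filled by enroll()

# Transcribed from the find_service() output John posted; the keys follow
# the dictionaries PyBluez returns.
SAMPLE_RECORDS = [{
    "host": "00:23:39:9F:BA:8A", "name": "Serial Server",
    "description": None, "provider": None, "service-id": None,
    "protocol": "RFCOMM", "port": 4,
    "service-classes": ["1101"], "profiles": [("1101", 256)],
}]


def normalize_address(addr):
    """Accept 00:23:39:9F:BA:8A or 0023399FBA8A; return 12 hex digits."""
    digits = re.sub(r"[:-]", "", addr.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit Bluetooth address: {addr!r}")
    return digits


def manufacturer_of(addr):
    """Look up the first three octets (the allocated block) of the address."""
    return OUI_TABLE.get(normalize_address(addr)[:6], "unknown")


def sdp_fingerprint(records):
    """Digest of the service layout, independent of record order.

    SHA-256 is a stand-in chosen for this example; it is not the hash the
    Blueprinting paper defines. Service names are left out so the digest
    depends only on protocol, port, service classes and profiles.
    """
    rows = sorted(
        (
            r.get("protocol") or "",
            r.get("port") or 0,
            tuple(sorted(r.get("service-classes") or [])),
            tuple(sorted(tuple(p) for p in (r.get("profiles") or []))),
        )
        for r in records
    )
    return hashlib.sha256(repr(rows).encode()).hexdigest()[:16]


def enroll(records, model):
    """Record the fingerprint of a device whose model is already known."""
    MODEL_TABLE[sdp_fingerprint(records)] = model


def exposure_report(addr, records):
    """Summarise what an unpaired peer can derive from address + SDP data."""
    fp = sdp_fingerprint(records)
    return {
        "address": normalize_address(addr),
        "manufacturer": manufacturer_of(addr),
        "fingerprint": fp,
        "model": MODEL_TABLE.get(fp, "unknown"),
        "services": sorted({r.get("name") or "(unnamed)" for r in records}),
    }


if __name__ == "__main__":
    print(exposure_report("0023399FBA8A", SAMPLE_RECORDS))
```

A fingerprint that is missing from the table reports the model as "unknown", which is the maintenance cost John points out: every new handset has to be enrolled once from a device whose model is already known.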
#17
"John Henderson" wrote in message ...

Isaac wrote:

I get the sense that what you point to above is a first step in that direction. However, I did a little checking and it seems like there is a standard way to get the make/model info under the SDP (Service discovery protocol) that all Bluetooth devices must support. Check this out and let me know what you think:

http://trifinite.org/Downloads/Blueprinting.pdf

That's a nice find.

very glad this nailed it for you (and me!).

It says that the manufacturer can be determined from the Bluetooth address, as I suggested a few replies ago when I wrote: "You might want to research whether or not Bluetooth addresses are allocated and used in blocks such that individual addresses can convey some information, perhaps in conjunction with the protocol."

Yeah, like I mentioned back then I did not understand what you meant.

The model apparently gets interpolated from the likes of data returned by the bluetooth.find_service() function from the Python PyBluez module I mentioned.

Awesome! This makes perfect sense now, and tracks with all the info I've learned to date. Thanks a million!

But it looks like you're going to have to build and maintain your own lookup tables to enable this. New model phones come out quite often.

Yes, this is a bummer, though, because it is not clear how I could be sure to get bluetooth addresses for every new phone constantly released. I wonder if the manufacturers provide this info or maybe some online dbase/service/resource. Again, you've been such a help!

You need to code up some programs and start experimenting with the data you find.

Will do! Actually, if you're interested, check this out:

http://trifinite.org/Downloads/bp_v01-3.zip

This seems like the *actual* Perl code they used to identify Bluetooth devices. Maybe that can work "out of the box". This has all been very enlightening!

Cheers!
Isaac

John

#18
Maybe the following is a much easier, more robust, approach. After reading that info I found more carefully (see http://en.wikipedia.org/wiki/Bluetoo...p_connections), I realize there is a catch. That is, there seem to be two conditional words I don't understand in the following section:

1. "Any device may perform an inquiry to find other devices to connect to, and any device can be configured to respond to such inquiries."

Here it says "can be configured". Not sure if that means the user has to enter a special option/mode setting to enable the "discoverable mode", or if the "discoverable mode" is the default mode when the Bluetooth radio is enabled. Any idea?

2. "However, if the device trying to connect knows the *address* of the device, it always responds to direct connection requests and transmits the information shown in the list above if requested."

Here, I don't know what "address" they mean in "if the device trying to connect knows the *address* of the device"? Any idea what address they are talking about? If it means a certain Bluetooth (stack?) address, then is that publicly known or is it secret? However, if it means a MAC address, then that should be publicly available based on this website Bluetooth public scanner data: http://www.bluetoothtracking.org/

From this explanation, if I know what that "address" is then I should be able to query the make/model info if "discoverable mode" is enabled. This would be a far easier and more robust approach than the base address interpolation method you just figured out. So any help to nail this near last step will go a long way towards cracking this nut.

Much appreciated!
Isaac

"Isaac" wrote in message ...

Hey John,

The address blocks suggestion went over my head, but I think you are definitely onto something with the Bluetooth name observation. I looked into that and found out that this is the default case, but as you say can be changed, which I assume few people do.

Even better, though, I searched this further and found the below info, which indicates that any Bluetooth device will give, among other technical info, the make and model of the phone on demand as part of a discovery mode inquiry. This is *exactly* what I need! It is not clear to me if the AT Commands will work or if it is a certain Bluetooth program script protocol. That is, do you happen to know what is the method/mode to properly inquire and access this public Bluetooth device info during a discovery mode inquiry?

Bluejacking or a modern, legit version is interesting too if it is possible for my App to send the prospective user a pop-up text message stating something like "Please wait while we determine if your phone is supported"... then "your phone is supported, please ....". However, sending text messages w/o pairing would be icing on the cake, though.

Setting up connections

Any Bluetooth device in discoverable mode will transmit the following information on demand:

a. Device name
b. Device class
c. List of services
d. Technical information (for example: device features, manufacturer, Bluetooth specification used, clock offset)

Any device may perform an inquiry to find other devices to connect to, and any device can be configured to respond to such inquiries. However, if the device trying to connect knows the address of the device, it always responds to direct connection requests and transmits the information shown in the list above if requested.

Use of a device's services may require pairing or acceptance by its owner, but the connection itself can be initiated by any device and held until it goes out of range. Some devices can be connected to only one device at a time, and connecting to them prevents them from connecting to other devices and appearing in inquiries until they disconnect from the other device.

Every device has a unique 48-bit address. However, these addresses are generally not shown in inquiries. Instead, friendly Bluetooth names are used, which can be set by the user. This name appears when another user scans for devices and in lists of paired devices. Most phones have the Bluetooth name set to the manufacturer and model of the phone by default. Most phones and laptops show only the Bluetooth names and special programs are required to get additional information about remote devices. This can be confusing as, for example, there could be several phones in range named T610 (see Bluejacking).

"John Henderson" wrote in message ...

Isaac wrote:

Are you aware of any partial access (i.e., "gray") security levels whereby you don't have to do full pairing but can get authorized for limited connectivity (like some kind of a "sandbox" mode) to at least do some basic

snip

I'm not aware of anything like that.

You might want to research whether or not Bluetooth addresses are allocated and used in blocks such that individual addresses can convey some information, perhaps in conjunction with the protocol.

If you could rely on people not changing the Bluetooth name, then that often carries model information. If I scan in a busy place, I see recurring protocol, name combinations like:

200408 Nokia CK-7W
5A0204 SGH-A561

along with lots of customized names, of course.

John

#19
Isaac wrote:

Yes, this is a bummer, though, because it is not clear how I could be sure to get bluetooth addresses for every new phone constantly released. I wonder if the manufacturers provide this info or maybe some online dbase/service/resource.

I think the best way to approach this is to become more or less self-sufficient. Constantly or periodically scan for new visible devices. That will give you the Bluetooth addresses, the protocols, and possibly the names (although my experience is that reading the name requires the device to be "in view" for longer). If you find any addresses for which you don't have a manufacturer, approach the owner for that information (assuming you can within the context of your application).

Will do! Actually, if you're interested, check this out:

http://trifinite.org/Downloads/bp_v01-3.zip

This seems like the *actual* Perl code they used to identify Bluetooth devices. Maybe that can work "out of the box".

Agreed, that's what it looks like. But I find Perl a very difficult language to comprehend.

John

#20
Isaac wrote:

Here it says "can be configured". Not sure if that means the user has to enter a special option/mode setting to enable the "discoverable mode", or if the "discoverable mode" is the default mode when the Bluetooth radio is enabled. Any idea?

I think you'll find that late-model Bluetooth phones have visibility/discoverability turned off by default. That is to say, when Bluetooth is turned on they default to "page scan mode" rather than "inquiry scan mode". To do otherwise would be construed as a security flaw.

Here, I don't know what "address" they mean in "if the device trying to connect knows the *address* of the device"? Any idea what address they are talking about?

It's the unique address of the Bluetooth device. It responds to an inquiry scan with that and its protocol/class. As I mentioned in an earlier post, my Samsung phone's Bluetooth address is 00:23:39:9F:BA:8A, alternatively written without the colons as 0023399FBA8A. It is sometimes called a MAC address.

If it means a certain Bluetooth (stack?) address, then is that publicly known or is it secret? However, if it means a MAC address, then that should be publicly available based on this website Bluetooth public scanner data: http://www.bluetoothtracking.org/

Only if the device in question got within Bluetooth range of the monitoring device when inquiry scan mode was active.

From this explanation, if I know what that "address" is then I should be able to query the make/model info if "discoverable mode" is enabled.

You need visibility/discoverability/"inquiry scan mode" to be turned on to even know the device is in your vicinity.

John