Bluetooth (BTLE) sniffing really possible?

My goal is to instrument a connection between a BTLE master and slave better than any of the dedicated BTLE sniffers out there (Adafruit BTLE Sniffer or NXP BTLE Sniffer).

The purpose is to help diagnose many of the vexing incompatibilities amongst the large number of BTLE implementations, as well as understand how they react in an interference filled environment. Being able to answer questions like:
Which device failed to respond?
Was the timing or channel wrong?
Was there an interferer that caused the problem?

LimeSDR was advertised as being able to do Bluetooth, but after trying the best example I can find, sdr-ble-demo, I’m left disappointed. But I’m very new to all this, and hoping for some suggestions. The main drawbacks I see are as follows; please correct me if I’m mistaken or suggest how they could be solved.

  1. Hopping is not implemented. The example listens only on one channel; my understanding is that devices advertise on 3 channels, connect on the last channel that was heard, and then follow a specified sequence from the connect request from there. This implies being able to decode the Link Layer and then hop to the correct channel in pretty close to real time. Is this feasible, and how might it be implemented in something easy like Pothos?

  2. Bandwidth seems insufficient for the band. To see the interference, ideally the whole band would be sampled, then the currently interesting parts extracted in software while doing synchronized spectrum analysis on the whole signal in parallel. Is there any SDR that can handle the whole 2.4 GHz ISM band yet?

  3. How can the quantitative and qualitative information be merged into a data stream that allows for good analytics? The other tools use Wireshark as a decoder, which is preferred, but I’m not sure how to link it to this spectral information in a synchronized way.

Thanks for your thoughts!

Hi

Just some quick remarks & hints:

Bluetooth Low Energy connections have interframe spacings of 150 µs. So having a connection with the LimeSDR is not possible unless you implement the controller on the FPGA (for the modem) & the FX3 or a Nios CPU inside the FPGA for logic. Worst case, the end of the last packet before a frequency hop is 150 µs before the next packet. However, XTRX, which uses PCI Express and is also Lime-based (https://www.crowdsupply.com/fairwaves/xtrx), may support 150 µs latency depending on the host CPU & OS, and should have the device bandwidth for 80 MHz.

However most of the time the channel will be changed every x milliseconds (where x is > 7.5, typically 30, 50 or a few hundred). In these cases it might be possible to follow the connection if you are able to sniff the connection phase and determine the connection parameters.

It is possible somewhat to sample the whole 2.4 GHz band. I have been able to see the waterfall of 2000-2480 MHz on SDRangel, but it has some artifacts (high intensity areas) and dropped frames. If you make a dedicated application you may be able to solve this, for example by reducing the number of bits per sample.

I guess making the software required for a Bluetooth sniffer using LimeSDR will require a significant amount of time, especially if you want something stable and user friendly, so if you are not into this for the challenge (and want something usable) I would suggest pursuing other options.

Commercial products that do what you describe are marketed by Teledyne LeCroy and Ellisys among others, but they are much more expensive than the Adafruit sniffer.

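Added example, not code from the thread or from any of the projects named in it: the step the reply calls "sniff the connection phase and determine the connection parameters", and the "specified sequence from the connect request" in point 1 of the question, in Python. It parses the LLData of a CONNECT_IND (the layout from the Bluetooth Core Specification, Vol 6 Part B) and then walks Channel Selection Algorithm #1 to predict which data channel each connection event lands on and when. The access address, CRC init, interval and channel map in the sample PDU are constructed values, and the function names are mine; connections negotiated with the newer Channel Selection Algorithm #2 (Bluetooth 5 and later) use a different hop sequence that this sketch does not cover.

```python
# Added example (not from the thread): recover hop parameters from a sniffed
# CONNECT_IND and predict the data-channel sequence with Channel Selection
# Algorithm #1 (Bluetooth Core Spec Vol 6, Part B, 4.5.8.2).
import struct
from dataclasses import dataclass

DATA_CHANNELS = 37            # data channels 0..36; 37-39 are advertising channels
LLDATA_FMT = "<I3sBHHHH5sB"   # AA, CRCInit, WinSize, WinOffset, Interval,
                              # Latency, Timeout, ChM, Hop|SCA (22 octets, little-endian)


@dataclass
class ConnParams:
    access_addr: int
    crc_init: int
    interval: int    # connInterval in units of 1.25 ms (6..3200 => 7.5 ms..4 s)
    latency: int     # connSlaveLatency
    timeout: int     # supervision timeout in units of 10 ms
    chan_map: int    # 37-bit map, bit n set => data channel n is used
    hop: int         # hopIncrement, 5..16


def parse_connect_ind(payload: bytes) -> ConnParams:
    """Parse the 34-octet CONNECT_IND payload: InitA(6) AdvA(6) LLData(22)."""
    if len(payload) != 34:
        raise ValueError("CONNECT_IND payload must be 34 octets")
    aa, crc, _win_size, _win_off, interval, latency, timeout, chm, hop_sca = \
        struct.unpack(LLDATA_FMT, payload[12:])
    hop = hop_sca & 0x1F                  # low 5 bits; top 3 bits are the sleep clock accuracy
    if not 5 <= hop <= 16:
        raise ValueError(f"hopIncrement {hop} outside 5..16")
    chan_map = int.from_bytes(chm, "little") & ((1 << DATA_CHANNELS) - 1)
    if bin(chan_map).count("1") < 2:
        raise ValueError("channel map must enable at least two data channels")
    return ConnParams(aa, int.from_bytes(crc, "little"), interval, latency,
                      timeout, chan_map, hop)


def build_connect_ind(params: ConnParams, init_a=b"\x11" * 6, adv_a=b"\x22" * 6) -> bytes:
    """Constructed sample PDU for testing (WinSize=1, WinOffset=0, SCA=0)."""
    lldata = struct.pack(LLDATA_FMT, params.access_addr,
                         params.crc_init.to_bytes(3, "little"), 1, 0,
                         params.interval, params.latency, params.timeout,
                         params.chan_map.to_bytes(5, "little"), params.hop)
    return init_a + adv_a + lldata


def next_channel(last_unmapped: int, params: ConnParams):
    """One CSA#1 step: returns (new unmapped channel, channel actually used)."""
    unmapped = (last_unmapped + params.hop) % DATA_CHANNELS
    if params.chan_map >> unmapped & 1:
        return unmapped, unmapped
    # Unused channel: remap onto the ascending table of used channels.
    used = [c for c in range(DATA_CHANNELS) if params.chan_map >> c & 1]
    return unmapped, used[unmapped % len(used)]


def schedule(params: ConnParams, n_events: int):
    """(time in ms relative to the first connection event, data channel) pairs."""
    unmapped, out = 0, []                 # lastUnmappedChannel starts at 0
    for i in range(n_events):
        unmapped, ch = next_channel(unmapped, params)
        out.append((i * params.interval * 1.25, ch))
    return out


# Constructed sample: 30 ms interval, hop 7, channels 14 and 28 marked as bad
# so that the remapping branch is exercised on the 2nd and 4th events.
SAMPLE = ConnParams(access_addr=0x50655A1B, crc_init=0x0A1B2C, interval=24,
                    latency=0, timeout=100,
                    chan_map=((1 << 37) - 1) & ~(1 << 14) & ~(1 << 28), hop=7)
SAMPLE_PDU = build_connect_ind(SAMPLE)

if __name__ == "__main__":
    p = parse_connect_ind(SAMPLE_PDU)
    print(f"interval {p.interval * 1.25} ms, hop {p.hop}, "
          f"{bin(p.chan_map).count('1')} channels in use")
    for t, ch in schedule(p, 6):
        print(f"t={t:6.1f} ms  data channel {ch}")
```

The schedule is only as good as the capture of the CONNECT_IND: miss that single PDU on one of the three advertising channels and there is no channel map, hop increment or interval to follow, which is why the reply ties following a connection to sniffing the connection phase. A later LL_CHANNEL_MAP_IND or LL_CONNECTION_UPDATE_IND on the data channels changes these parameters mid-connection, so a real follower has to decode those too and re-seed the walk.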