While testing some tools in Backtrack Linux I was working with some Bluetooth tools including btscanner, BlueProPro, bluediving, etc. and wanted to know more about the Bluetooth Class of Device/Class of Service, also known as just Bluetooth CoD: not only how it was formatted but also what exactly it meant and what it could tell me about Bluetooth devices. In the end I feel I have a pretty good understanding of Bluetooth CoD and what it can tell you about various hardware devices. Even though the standard for assigning CoD numbers appears to be fairly loose, most people appear to adhere to it somewhat. It should be noted that the Bluetooth CoD is easily modified; on Linux, for example, you can set it using hciconfig, so a device could report false information if its owner wanted it to. Obviously not many people are going to understand this or know how to accomplish this, so typically if you are scanning for Bluetooth devices you will be getting whatever the manufacturer set when the item was manufactured. Below we describe more specifics about Bluetooth CoD, including what the CoD hex means and some examples of Bluetooth CoD. Check out our Bluetooth Class list by clicking here.
Bluetooth Class of Device Explanation:
The Bluetooth CoD is made up of Major Service Class, Major Device Class, and Minor Device Class designations. Bluetooth CoD is also known as the Bluetooth Baseband, and a great detailed list of CoD bit details, as well as links to other Bluetooth related specifications, can be found on the Bluetooth Special Interest Group’s website. Bluetooth CoD is not only known as Bluetooth Class of Device but also Bluetooth Class of Service, or sometimes listed as “Class of Device/Class of Service”. The Bluetooth CoD is typically displayed in hex, but it is formulated using binary, so when working with Bluetooth it is always nice to have an easy way to convert hex to binary and binary to hex if you are interested in figuring out what the Bluetooth CoD is telling you. On OSX I suggest iota-calc Calculator, which costs three dollars when purchased via the Mac App Store but provides a graphical method to convert binary to hex and vice versa. First let's see an example of information obtained from a Bluetooth scanner called btscanner.
Bluetooth Information Obtained Using Bluetooth Scanner
- Address: 00:02:72:22:22:22
- Found by: 00:25:BF:FF:FF:FF
- OUI owner: CC&C Technologies, Inc.
- First seen: 2013/01/12 10:57:09
- Last seen: 2013/01/12 10:57:09
- Name: WIN7ULT
- Vulnerable to:
- Clk off: 0x5ad9
- Class: 0x060104
- Computer/Desktop
- Services: Networking,Rendering
What we are going to concentrate on is everything including and after Class. We see the class is 0x060104, which appears to indicate a desktop computer that has networking and rendering capabilities. Let's now convert the Bluetooth Class to binary and then see which bits are active in the bitmask of the CoD binary. We are going to use iota-calc, which was mentioned above, to convert the hex to binary as shown below.
Convert Bluetooth Class Of Device From Hex To Binary:
Just copy and paste the class of device into iota-calc as shown above and then click the Bin button to convert the hex CoD to binary as shown below.
The “0b” at the beginning or technically the end of the binary number pictured in the iota-calc picture above simply indicates a binary number to iota-calc, since the calculator can deal with different types of formats including Binary, Octal, Decimal, Hexadecimal, Characters, and 32/64 bit Hexadecimal. The Bluetooth CoD is always 24 bits, so typically there will be some number of zeros before the first significant digits, and in this example the full binary number is 000001100000000100000100. We have now converted the CoD from 0x060104 to 000001100000000100000100, so what does this binary number mean? The binary CoD provides us with lots of information: once it is broken down into sections we can determine the Major Service Class, Major Device Class, and Minor Device Class. Remember that binary numbers are read from right to left and the first bit is numbered 0, not 1. The binary number is also considered the mask or bitmask, and each bit is either off or on. Now that you understand the basics, let's break down the Class of Device or CoD binary number to see which portions of the mask tell us each portion of information about the device.
Bluetooth Class Of Device Converted To Binary And Split:
- 000001100000000100000100
- Bits 0-1: Format Type
- Bits 2-7: Minor Device Class
- Bits 8-12: Major Device Class
- Bits 13-23: Major Service Class
Bluetooth CoD: Format Type
This is a 2 bit mask so there are 4 possible values including 0, 1, 2, and 3 or 00, 01, 10, and 11.
Bluetooth CoD: Minor Device Class
The Minor Device Class is a 6 bit number whose meaning is determined by the Major Device Class. There are too many combinations to list all of the Minor Device Classes, but it should be noted that it's possible to have more than one Minor Device Class enabled; when this is the case the Major Device Class reported should be similar to the primary Minor Device Class. So for each Major Device Class there are a possible 64 Minor Device Class combinations, as calculated from 6 possible bits.
Bluetooth CoD: Major Device Class
There are 5 bits in the Major Device Class for a total of 32 possible values. The current Major Device Class Values are Miscellaneous, Computer, Phone, LAN/Network Access Point, Peripheral, Imaging, Wearable, Toy, Health, Uncategorized, and Reserved.
Bluetooth CoD: Major Service Class
The Major Service Class is defined a bit differently than the other fields, as the Major Service Class is determined by a specific bit from bit 13 to bit 23 being active. I believe that there can be multiple Major Service Class bits activated to describe multiple functions of a single device. Below is the list that shows what it means for each bit to be set to 1 or on.
- CoD Major Service Class Bit 13: Limited Discoverable Mode [Ref #1]
- CoD Major Service Class Bit 14: (reserved)
- CoD Major Service Class Bit 15: (reserved)
- CoD Major Service Class Bit 16: Positioning (Location identification)
- CoD Major Service Class Bit 17: Networking (LAN, Ad hoc, …)
- CoD Major Service Class Bit 18: Rendering (Printing, Speaker, …)
- CoD Major Service Class Bit 19: Capturing (Scanner, Microphone, …)
- CoD Major Service Class Bit 20: Object Transfer (v-Inbox, v-Folder, …)
- CoD Major Service Class Bit 21: Audio (Speaker, Microphone, Headset service, …)
- CoD Major Service Class Bit 22: Telephony (Cordless telephony, Modem, Headset service, …)
- CoD Major Service Class Bit 23: Information (WEB-server, WAP-server, …)
So now, with the above information detailed, you should have a pretty good idea of what Bluetooth Class of Device means and how to extract information when you come across an 8 character hexadecimal CoD number. Below I have listed another example using the information we have learned above.
Bluetooth Class Of Device For iPhone Explained
My iPhone 5’s Bluetooth CoD is 0x7a020c, which translated to binary is 011110100000001000001100. So let's look at how the binary number breaks down below to see what Bluetooth services Apple has configured the iPhone 5 to communicate with.
- iPhone 5 CoD Format Type: 00
- iPhone 5 CoD Minor Device Class: 000011 – Smart Phone
- iPhone 5 CoD Major Device Class: 00010 – Phone
- iPhone 5 CoD Major Service Class: 01111010000 – Networking, Capturing, Object Transfer, Audio, and Telephony
All of the above makes sense because the iPhone 5 has each of the above capabilities.
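The bit layout and service-bit list above can be applied mechanically instead of with a calculator. The following decoder is an added example, not code from btscanner or any other tool mentioned here; the function name `decode_cod` and the two small name tables are assumptions that cover only the Major/Minor Device Class values worked through in this article.

```python
# Added example: decode a 24-bit Bluetooth Class of Device value using the
# bit layout and the Major Service Class bit list given in this article.

# Major Service Class bits 13-23 as listed above (bits 14 and 15 are reserved).
SERVICE_BITS = {
    13: "Limited Discoverable Mode",
    16: "Positioning",
    17: "Networking",
    18: "Rendering",
    19: "Capturing",
    20: "Object Transfer",
    21: "Audio",
    22: "Telephony",
    23: "Information",
}

# Only the values seen in the article's two examples are named; anything
# else is reported numerically rather than guessed.
MAJOR_NAMES = {1: "Computer", 2: "Phone"}
MINOR_NAMES = {(1, 1): "Desktop", (2, 3): "Smart Phone"}


def decode_cod(cod):
    """Split a CoD (int or hex string such as '0x060104') into its fields."""
    if isinstance(cod, str):
        cod = int(cod, 16)
    if not 0 <= cod <= 0xFFFFFF:
        raise ValueError("CoD must fit in 24 bits")
    major = (cod >> 8) & 0b11111      # bits 8-12
    minor = (cod >> 2) & 0b111111     # bits 2-7, meaning depends on major
    return {
        "binary": format(cod, "024b"),        # keeps the leading zeros
        "format_type": cod & 0b11,            # bits 0-1
        "major": major,
        "minor": minor,
        "major_name": MAJOR_NAMES.get(major, f"unnamed ({major})"),
        "minor_name": MINOR_NAMES.get((major, minor), f"unnamed ({minor})"),
        "services": [name for bit, name in sorted(SERVICE_BITS.items())
                     if cod & (1 << bit)],
        "reserved_bits_set": [b for b in (14, 15) if cod & (1 << b)],
    }


if __name__ == "__main__":
    for sample in ("0x060104", "0x7a020c"):   # the two CoDs from the article
        print(sample, decode_cod(sample))
```

Because the CoD is whatever the device chooses to advertise, the decoded fields are a claim made by the device rather than proof of what it is.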
Check out the QD Bluetooth Class list with Bluetooth device examples here.
Please post in the comments below if there is any more information that can be added to the above article not only for others but so I can learn more about the Bluetooth CoD specification.
Informative article on bluetooth CoD.
How do I identify bluetooth device
3c-74-e0-e6-f9
specifically if a Blackberry or iPhone?
Please see below.
Thanks.
Alex
How do I identify if the following Bluetooth address belongs to an iPhone or Blackberry or some other PDA?
3c-74-37-eO-e6-f9
I am not positive the “eO” is that or the number 0 – appears to be an uppercase letter “O”.
Thank you…sincerely for your help!
Kim
Hello Kim,
MAC addresses are always hexadecimal so would always be a zero. In this case the MAC address is from RIM or Blackberry. You can do a Google search for “MAC Address Lookup” and paste in the first 6 characters (vendor related) into the tool and it will tell you what hardware vendor owns that MAC range.
Thanks.
alex