Sex-Toy-Hackin-Pope/Notes.md
2026-05-26 21:20:07 -06:00


# Notes
# Table of Contents
- [Notes](#notes)
- [Table of Contents](#table-of-contents)
  - [Start](#start)
  - [Methodology](#methodology)
    - [Bluetooth](#bluetooth)
      - [BTLE Sniffing](#btle-sniffing)
        - [On Computer](#on-computer)
        - [Resources](#resources)
        - [On Android Phone](#on-android-phone)
  - [Vibrator-Kh](#vibrator-kh)
    - [Product Pages](#product-pages)
    - [Manufacturer](#manufacturer)
      - [Hardware](#hardware)
      - [App](#app)
    - [Bluetooth](#bluetooth-1)
      - [Sniffing](#sniffing)
      - [BTLE](#btle)
    - [OSINT](#osint)
  - [Buttplug-Bullet](#buttplug-bullet)
    - [Product Pages](#product-pages-1)
    - [Images](#images)
  - [Media](#media)
    - [Both](#both)
      - [Video](#video)
    - [Vibrator-Kh](#vibrator-kh-1)
      - [Images](#images-1)
    - [Buttplug-Bullet](#buttplug-bullet-1)
      - [Images](#images-2)
  - [Wireshark](#wireshark)
  - [Todos](#todos)
## Start
Two Vibrators:
1. [Vibrator-Kh](#vibrator-kh) (Purple Bullet One)
2. [Buttplug-Bullet](#buttplug-bullet) (Black Buttplug One)
## Methodology
### Bluetooth
#### BTLE Sniffing
##### On Computer
**[nRF52840 USB-C Dongle](https://www.amazon.com/dp/B0DP6MVDZQ) with [nRF Sniffer for Bluetooth LE firmware](https://www.nordicsemi.com/Products/Development-tools/nrf-sniffer-for-bluetooth-le) installed, dumping to [Wireshark](https://www.wireshark.org) on Windows 11, with a base-model Pixel 9 running Android as the phone (Bluetooth MAC: `C0:1C:6A:6E:58:96`)**

[Sniffing Captures](Sniffs/Vibrator-Kh)
##### Resources
**Official**
1. [Official nRF52840 Dongle Page](https://www.nordicsemi.com/Products/Development-hardware/nRF52840-Dongle)
2. [Official nRF52840 SoC Page](https://www.nordicsemi.com/Products/nRF52840)
    1. [Product Specification/Datasheet (Parent)](https://docs.nordicsemi.com/bundle/ps_nrf52840/page/keyfeatures_html5.html)
    2. [SoC Docs](https://docs.nordicsemi.com/category/nrf52840-category)
3. [Official nRF Sniffer for Bluetooth LE firmware page (Parent)](https://www.nordicsemi.com/Products/Development-tools/nrf-sniffer-for-bluetooth-le)
**Community**
1. [Guide Largely Used](https://dojofive.com/blog/using-the-nordic-nrf-sniffer-for-ble/)
2. [Detailed Guide/Info (Parent)](https://wiki.makerdiary.com/nrf52840-mdk-usb-dongle/guides/ble-sniffer/)
3. [Guide With Hints on Sniffing](https://novelbits.io/nordic-ble-sniffer-guide-using-nrf52840-wireshark/)
4. [Adafruit Guide](https://learn.adafruit.com/ble-sniffer-with-nrf52840/working-with-wireshark)
##### On Android Phone
Pixel 9 Base model used
**Apps** (experimenting)
- [BlueTooth Terminal eDebugger](https://play.google.com/store/apps/details?id=com.e.debugger&hl=en_US)
- [Bluefruit LE Connect](https://learn.adafruit.com/bluefruit-le-connect/) ([Google Play Store](https://play.google.com/store/apps/details?id=com.adafruit.bluefruit.le.connect&hl=en_US))
## Vibrator-Kh
### Product Pages
* [Amazon](https://www.amazon.com/dp/B0FHB5LCX4) ([Archive](https://archive.is/T7dsm))
### Manufacturer
#### Hardware
* [zero-tochu.com (Home Page)](https://www.zero-tochu.com) ([Archive]())
* [Store](https://zerochu.com/?shpxid=d3b9436e-fb3d-4966-9092-be55f18e9d79) ([Archive](https://archive.is/TbgMc))
* todo
#### App
* [zero-tochu.com](https://www.zero-tochu.com) ([Archive]())
* [APK (zero-tochu.com)](https://www.zero-tochu.com/Zero%20Tochu%E9%9B%B6%E8%A7%A6-Enjoy%20Yourself%E4%B9%90%E4%BA%AB%E8%87%AA%E6%88%91.apk) ([Archive]())
* [Google Play Store](https://play.google.com/store/apps/details?id=apk.zero.tochu) ([Archive]())
* [Apple Store (iPhone)](https://apps.apple.com/us/app/zero-tochu%E9%9B%B6%E8%A7%A6/id6467008871) ([Archive]())
### Bluetooth
* Phone MAC Address: `C0:1C:6A:6E:58:96`
* Toy MAC Address: `13:25:AC:02:36:9C`
#### Sniffing
* External
    * [ADV/IRQ/Connect/Scan Sniffs (PCAPNG) (2025-12-19-1835)](Sniffs/Vibrator-Kh/2025-12-19-1835-Vibrator-Kh-BTLE-Advertisement-and-Connect-Wireshark-nRF52840-Sniff.pcapng)
#### BTLE
**External**
* [Sniffing]()
### OSINT
- No MAC address assignment or OUI found for `13:25:AC:02:36:9C`; it is probably random
## Buttplug-Bullet
### Product Pages
* [Amazon](https://www.amazon.com/dp/B0D5YDP6Y5) ([Archive](https://archive.is/7Jlxz))
* [APK Download](https://service.acvioo.com/pages/download/app)
* [App Manufacturer](https://kstert.vip/col.jsp?id=105)
* [Apple Store (iPad/iPhone)](https://apps.apple.com/us/app/kstert/id6476297297)
### Images
## Media
### Both
#### Video
[Both Charging via USB](Assets/Media/Video/2025-12-17-1842_Both-Charging.mp4)
### Vibrator-Kh
#### Images
![Vibrator-Kh Top Turned Off](Assets/Media/Images/Vibrator-Kh_Top_Off_2025-12-19-2039_4032x2268.jpg)
### Buttplug-Bullet
#### Images
![Buttplug-Bullet Top Turned Off](Assets/Media/Images/Buttplug-Bullet_Top_Off_2025-12-19-2040_2268x3582.jpg)
## Wireshark
- android developer options enabled
- enable hci snoop log
- run bug report
- do the shit
- save the bug report zip to downloads
- move bug report zip to box
- extract
- search for `btsnoop`
    - `\FS\data\misc\bluetooth\logs\btsnoop_hci.log`
    - `\FS\data\misc\bluetooth\logs\btsnoop_hci.log.filtered`
    - `\FS\data\misc\bluetooth\logs\btsnoop_hci.log.filtered.last`
    - possible names
        - `btsnoop_hci.log`
        - `btsnoop_hci.log.filtered`
        - `btsnoop_hci.log.last`
- open in wireshark
- filter for the Vibrator-Kh `(_ws.col.def_src == "13:25:ac:02:36:9c (ZT BAR 1)") || (_ws.col.def_dst == "13:25:ac:02:36:9c (ZT BAR 1)")`
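
The same per-device filtering done outside Wireshark, as an added example that is not part of the original notes: a minimal btsnoop parser that learns the toy's connection handle from the LE Connection Complete event and lists ATT writes and notifications on that handle. It assumes H4 framing (datalink 1002) and unfragmented ATT PDUs; the sample capture is constructed inline, and its connection handle, attribute handle and value bytes are made up.

```python
import struct

TOY = "13:25:AC:02:36:9C"          # toy address from these notes
ATT_OPS = {0x12: "Write Request", 0x52: "Write Command", 0x1B: "Notification"}

def att_pdus(log, peer):
    """Return (direction, ATT op, attribute handle, value hex) for traffic with `peer`."""
    if log[:8] != b"btsnoop\x00":
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack(">II", log[8:16])
    if datalink != 1002:                       # 1002 = HCI UART (H4) framing
        raise ValueError(f"unsupported datalink {datalink}")
    handles, out, pos = set(), [], 16
    while pos + 24 <= len(log):
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", log[pos:pos + 24])
        pkt = log[pos + 24:pos + 24 + incl]
        pos += 24 + incl
        # LE (Enhanced) Connection Complete, status 0: learn the peer's handle
        if pkt[:2] == b"\x04\x3e" and len(pkt) >= 15 and pkt[3] in (0x01, 0x0A) and pkt[4] == 0:
            addr = ":".join(f"{b:02X}" for b in pkt[9:15][::-1])
            if addr == peer.upper():
                handles.add(struct.unpack("<H", pkt[5:7])[0] & 0x0FFF)
        # ACL data, not a continuation fragment, L2CAP CID 0x0004 = ATT
        elif pkt[:1] == b"\x02" and len(pkt) >= 12:
            hf, _alen, _llen, cid = struct.unpack("<HHHH", pkt[1:9])
            first = ((hf >> 12) & 3) != 1
            if (hf & 0x0FFF) in handles and first and cid == 4 and pkt[9] in ATT_OPS:
                attr = struct.unpack("<H", pkt[10:12])[0]
                out.append(("rx" if flags & 1 else "tx", ATT_OPS[pkt[9]], attr, pkt[12:].hex()))
    return out

def rec(flags, payload):
    """One btsnoop record: orig len, incl len, flags, drops, timestamp (zeroed here)."""
    return struct.pack(">IIIIq", len(payload), len(payload), flags, 0, 0) + payload

def sample_log():
    """Constructed capture: LE Connection Complete for TOY, then one ATT Write Command."""
    addr = bytes.fromhex(TOY.replace(":", ""))[::-1]   # HCI carries addresses little-endian
    evt = b"\x04\x3e\x13\x01\x00" + struct.pack("<HBB", 0x0040, 0, 0) + addr + bytes(7)
    att = b"\x52\x0e\x00\xaa\x01"                      # attr 0x000e, made-up value aa01
    acl = b"\x02" + struct.pack("<HHHH", 0x0040, len(att) + 4, len(att), 4) + att
    return b"btsnoop\x00" + struct.pack(">II", 1, 1002) + rec(3, evt) + rec(0, acl)

if __name__ == "__main__":
    for row in att_pdus(sample_log(), TOY):
        print(*row)
```

To run it on a real capture, pass the bytes of the extracted `btsnoop_hci.log` instead of `sample_log()`.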
## Todos
1. Archive Pages
    1. Vibrator-Kh
        1. x Amazon
        2. APK Site
            1. o Homepage
            2. Product Pages
            3. x Store
        3. Google Play Store
        4. Apple Store
    2. Buttplug-Bullet
        1. x Amazon
        2. APK Site
        3. Google Play Store
        4. Apple Store
2. Find aliexpress vendor
3. Find manufacturers
    1. Hardware
    2. x APKs
        1. x Vibrator-Kh
        2. x Buttplug-Bullet
4. Media
    1. Images
        1. Vibrator-Kh
            1. External
            2. FCC?
            3. Teardown?
            4. OSINT?
        2. Buttplug-Bullet
            1. External
            2. FCC?
            3. Teardown?
            4. OSINT?
    2. Video
        1. x charging (both)
        2. pairing mode
            1. Vibrator-Kh
            2. Buttplug-Bullet
5. Get MAC Addresses
    1. x phone
    2. x Vibrator-Kh
    3. Buttplug-Bullet
6. Sniff
    1. Vibrator-Kh
        1. External (nRF)
            1. BTLE
                1. Advertisement
                2. INQ results
                3. Scan results
                4. Connect
                5. External sniff
        2. Internal
            1. Decoded shit?
    2. Buttplug-Bullet
        1. BTLE
            1. Advertisement
            2. INQ results
            3. Scan results
            4. Connect
        2. BT Classic?
7. OSINT
    1. FCC
    2. existing work
    3. hardware
        1. bluetooth chip
        2. soc/mcu/etc