Sex-Toy-Hackin-Pope/Notes.md

Notes

Table of Contents

• Notes
• Table of Contents
  • Start
  • Methodology
    • Bluetooth
      • BTLE Sniffing
        • On Computer
        • Resources
        • On Android Phone
  • Vibrator-Kh
    • Product Pages
    • Manufacturer
      • Hardware
      • App
    • Bluetooth
      • Sniffing
      • BTLE
    • OSINT
  • Buttplug-Bullet
    • Product Pages
    • Images
  • Media
    • Both
      • Video
    • Vibrator-Kh
      • Images
    • Buttplug-Bullet
      • Images
  • Wireshark
  • Todos

Start

Two Vibrators:

1. Vibrator-Kh (Purple Bullet One)
2. Buttplug-Bullet (Black Buttplug One)

Methodology

Bluetooth

BTLE Sniffing

On Computer

nRF52840 USB-C Dongle with nRF Sniffer for Bluetooth LE firmware installed dumped to Wireshark on Windows 11 With a Pixel 9 Base Model Running Android (Bluetooth MAC: CO:1C:6A:6E:58:96)
Sniffing Captures

Resources

Official

1. Official nRF52840 Dongle Page
2. Official nRF52840 SoC Page
   1. Product Specification/Datasheet (Parent)
   2. SoC Docs
3. Official nRF Sniffer for Bluetooth LE firmware page (Parent) Community
4. Guide Largely Used
5. Detailed Guide/Info (Parent)
6. Guide With Hints on Snifing
7. Adafruit Guide

On Android Phone

Pixel 9 Base model used
Apps (experimenting)

• BlueTooth Termina eDebugger
• Bluefruit LE Connect (Google Play Store)

Vibrator-Kh

Product Pages

• Amazon (Archive)

Manufacturer

Hardware

• zero-tochu.com (Home Page) (Archive)
  • Store (Archive)
  • todo

App

• zero-tochu.com (Archive)
  • APK (zero-touchu.com) (Archive)
  • Google Play Store (Archive)
  • Apple Store (iPhone) (Archive)

Bluetooth

Phone MAC Address: CO:1C:6A:6E:58:96 Toy MAC Address: 13:25:AC:02:36:9C

Sniffing

• External
  • ADV/IRQ/Connect/Scan Sniffs (PCAPNG) (2025-12-19-1835)

BTLE

External

• Sniffing

OSINT

• No MAC address assignment or OUI found for 13:25:AC:02:36:9C is prolly random

Buttplug-Bullet

Product Pages

• Amazon (Archive)
• APK Download
• App Manufacturer
• Apple Store (iPad/iPhone)

Images

Media

Both

Video

Both Charging via USB

Vibrator-Kh

Images

Buttplug-Bullet

Images

Wireshark

• android developer options enabled
• enable hci snoop log
• run bug report
• do the shit
• save the bug report zip to downloads
• move bug report zip to box
• extract
• search for btsnoop
  • \FS\data\misc\bluetooth\logs\btsnoop_hci.log
  • \FS\data\misc\bluetooth\logs\btsnoop_hci.log.filtered
  • \FS\data\misc\bluetooth\logs\btsnoop_hci.log.filtered.last
• possible names
  • btsnoop_hci.log
  • btsnoop_hci.log.filtered
  • btsnoop_hci.log.last
• open in wireshark
• filter for the Vibrator-Kh (_ws.col.def_src == "13:25:ac:02:36:9c (ZT BAR 1)") || (_ws.col.def_dst == "13:25:ac:02:36:9c (ZT BAR 1)")

Todos

1. Archive Pages
   1. Vibrator-Kh
      1. x Amazon
      2. APK Site
         1. o Homepage
         2. Product Pages
         3. x Store
      3. Google Play Store
      4. Apple Store
   2. Buttplug-Bullet
      1. x Amazon
      2. APK Site
      3. Google Play Store
      4. Apple Store
2. Find aliexpress vendor
3. Find manufacturers
   1. Hardware
   2. x APKs
      1. x Vibrator-Kh
      2. x Buttplug-Bullet
4. Media
   1. Images
      1. Vibrator-Kh
         1. External
         2. FCC?
         3. Teardown?
         4. OSINT?
      2. Buttplug-Bullet
         1. External
         2. FCC?
         3. Teardown?
         4. OSINT?
   2. Video
      1. x charging (both)
      2. pairing mode
         1. Vibrator-Kh
         2. Buttplug-Bullet
5. Get MAC Addresses
   1. x phone
   2. x Vibrator-Kh
   3. Buttplug-Bullet
6. Sniff
   1. Vibrator-Kh
      1. External (nRF)
         1. BTLE
            1. Advertisement
            2. INQ results
            3. Scan results
            4. Connect
            5. External sniff
      2. Internal
         1. Decoded shit?
   2. Buttplug-Bullet
      1. BTLE
         1. Advertisement
         2. INQ results
         3. Scan results
         4. Connect
      2. BT Classic?
7. OSINT
   1. FCC
   2. existing work
   3. hardware
      1. bluetooth chip
      2. soc/mcu/etc