Artifacts

Bluetooth Connected Device Artifacts (Broadcom Widcomm)


Author Name: Matt Nelson
Submission Title: Bluetooth Connected Device Artifacts (Broadcom Widcomm)
Artifact or Program Version: Broadcom Widcomm
Artifact Description
These artifacts contain the information that can be gleaned from the registry about connected Bluetooth devices for the Broadcom Widcomm stack. Each connected external Bluetooth device is recorded under its own subkey, named by the device's Bluetooth MAC address, beneath the primary registry key.

Extracted from the registry of a Windows 7 x64 system with a Broadcom 2070 Bluetooth radio device.
Registry Keys
-= Primary Registry Key =-

[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\….]


-= Connected Devices Artifacts =-


——————————————————————————
Example Device 1 – external host MAC (laptop named N3943874)
——————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\00:02:72:1f:b3:8b] <<<< host MAC
“Name”=hex:4e,33,39,34,33,38,37,34,00 <<<<< N3943874
“DevClass”=hex:3e,01,04
“Features”=hex:00,00,00,00,00,00,00,00
“TimeStamp”=dword:000040f8
“FTPAuthorizationExpires”=hex:00
“OPPAuthorizationExpires”=hex:00
“BIPAuthorizationExpires”=hex:00
“BPPAuthorizationExpires”=hex:00
“DoNotAutoConfigure”=dword:00000000
“AllowWakeup”=dword:00000000
“HidDisabled”=dword:00000000
“DefaultAudio”=dword:00000000
“Manufacturer”=dword:ffffffff
“LmpVersion”=dword:00000000
“LmpSubVersion”=dword:00000000
“BRCMStack”=dword:00000000
“Code”=hex:00,00
“RemoteName”=hex:00
“HandsfreeCfg”=dword:00000002
“ConnectHfIfAvConnected”=dword:00000000
“HandsFreeVersion”=dword:00000000
“PopUpGenForAccessPIM”=dword:00000000
“ShowUI”=dword:00000000
“DisableCallNumber”=dword:00000000
“ManualDun”=dword:00000000
“DesktopShortcutRemovedByBTW”=dword:00000000
“ProgramFilesShortcutRemovedByBTW”=dword:00000000
“PIMSyncInit”=dword:00000000
“PIMAcceptBizcard”=dword:00000000
“PIMAcceptCalendarItems”=dword:00000000
“PIMAcceptEmailMessages”=dword:00000000
“PIMAcceptNotes”=dword:00000000
“IconPath”=hex:43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,44,00,4f,00,\
52,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,30,00,36,00,31,\
00,00,00
“AllowHFCalls”=dword:00000001
“VoiceRecognitionEnabled”=dword:00000000
“SupportBroadcomFeatures”=dword:00000001
“BroadcomFeatures”=dword:00000003


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\00:02:72:1f:b3:8b\0] <<<< services add sub keys
“ServiceNameUTF8”=hex:46,69,6c,65,20,54,72,61,6e,73,66,65,72,00 <<<<< File Transfer
“UUID”=dword:00001106
“Security”=dword:00000000
“DefaultConnection”=dword:00000000
“SdpAttr”=dword:00000000


—————————————————————————
Example Device 2 – external host MAC (phone named iPhone)
—————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38] <<<< host MAC
“Name”=hex:69,50,68,6f,6e,65,00 <<<<< iPhone
“DevClass”=hex:7a,02,0c
“Features”=hex:00,00,00,00,00,00,00,00
“TimeStamp”=dword:000040f8
“FTPAuthorizationExpires”=hex:00
“OPPAuthorizationExpires”=hex:00
“BIPAuthorizationExpires”=hex:00
“BPPAuthorizationExpires”=hex:00
“DoNotAutoConfigure”=dword:00000000
“AllowWakeup”=dword:00000000
“HidDisabled”=dword:00000000
“DefaultAudio”=dword:00000000
“Manufacturer”=dword:ffffffff
“LmpVersion”=dword:00000000
“LmpSubVersion”=dword:00000000
“BRCMStack”=dword:00000000
“Code”=hex:00
“RemoteName”=hex:00
“HandsfreeCfg”=dword:00000002
“ConnectHfIfAvConnected”=dword:00000000
“HandsFreeVersion”=dword:00000000
“PopUpGenForAccessPIM”=dword:00000000
“ShowUI”=dword:00000000
“DisableCallNumber”=dword:00000000
“ManualDun”=dword:00000000
“DesktopShortcutRemovedByBTW”=dword:00000000
“ProgramFilesShortcutRemovedByBTW”=dword:00000000
“PIMSyncInit”=dword:00000000
“PIMAcceptBizcard”=dword:00000000
“PIMAcceptCalendarItems”=dword:00000000
“PIMAcceptEmailMessages”=dword:00000000
“PIMAcceptNotes”=dword:00000000
“IconPath”=hex:43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,44,00,4f,00,\
52,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,30,00,33,00,35,\
00,00,00
“AllowHFCalls”=dword:00000001
“VoiceRecognitionEnabled”=dword:00000000
“SupportBroadcomFeatures”=dword:00000002
“BroadcomFeatures”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38\0] <<<< services add sub keys
“ServiceNameUTF8”=hex:41,56,52,43,50,20,44,65,76,69,63,65,00 <<<<< AVRCP Device
“UUID”=dword:0000110c
“Security”=dword:00000000
“DefaultConnection”=dword:00000000
“SdpAttr”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38\1] <<<< services add sub keys
“ServiceNameUTF8”=hex:41,75,64,69,6f,20,53,6f,75,72,63,65,00 <<<<< Audio Source
“UUID”=dword:0000110a
“Security”=dword:00000000
“DefaultConnection”=dword:00000000
“SdpAttr”=dword:00000000


———————————————————————————
Example Device 3 – external host MAC (device named Roku Player)
———————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\cc:6d:a0:3e:c8:7a] <<<<< Device MAC
“Name”=hex:52,6f,6b,75,20,50,6c,61,79,65,72,00 <<<<< Roku Player
“DevClass”=hex:00,04,24
“Features”=hex:00,00,00,00,00,00,00,00
“TimeStamp”=dword:000040f8
“FTPAuthorizationExpires”=hex:00
“OPPAuthorizationExpires”=hex:00
“BIPAuthorizationExpires”=hex:00
“BPPAuthorizationExpires”=hex:00
“DoNotAutoConfigure”=dword:00000000
“AllowWakeup”=dword:00000000
“HidDisabled”=dword:00000000
“DefaultAudio”=dword:00000000
“Manufacturer”=dword:ffffffff
“LmpVersion”=dword:00000000
“LmpSubVersion”=dword:00000000
“BRCMStack”=dword:00000000
“Code”=hex:00
“RemoteName”=hex:00
“HandsfreeCfg”=dword:00000002
“ConnectHfIfAvConnected”=dword:00000000
“HandsFreeVersion”=dword:00000000
“PopUpGenForAccessPIM”=dword:00000000
“ShowUI”=dword:00000001
“DisableCallNumber”=dword:00000000
“ManualDun”=dword:00000000
“DesktopShortcutRemovedByBTW”=dword:00000001
“ProgramFilesShortcutRemovedByBTW”=dword:00000001
“PIMSyncInit”=dword:00000000
“PIMAcceptBizcard”=dword:00000000
“PIMAcceptCalendarItems”=dword:00000000
“PIMAcceptEmailMessages”=dword:00000000
“PIMAcceptNotes”=dword:00000000
“IconPath”=hex:00,00
“AllowHFCalls”=dword:00000001
“VoiceRecognitionEnabled”=dword:00000000
“SupportBroadcomFeatures”=dword:00000000
“BroadcomFeatures”=dword:00000000
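
Added example (not part of the original submission): a small Python parser that turns an exported copy of these keys into decoded device records, covering the NUL-terminated 8-bit Name and ServiceNameUTF8 values, the UTF-16LE IconPath with its line continuation, and the typographic quotes a web copy introduces. The function names are hypothetical; the DevClass byte order (most significant byte first) is inferred from the three samples on this page, and the class and profile labels are the Bluetooth assigned-number names.

```python
import re

# Constructed sample: a trimmed copy of values shown on this page, with the
# typographic quotes of the web copy kept on purpose. IconPath is shortened.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38] <<<< host MAC
“Name”=hex:69,50,68,6f,6e,65,00 <<<<< iPhone
“DevClass”=hex:7a,02,0c
“IconPath”=hex:43,00,3a,00,5c,00,57,00,69,00,6e,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38\1]
“ServiceNameUTF8″=hex:41,75,64,69,6f,20,53,6f,75,72,63,65,00
“UUID”=dword:0000110a
'''

KEY_RE = re.compile(r'^\[.*\\Devices\\((?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\\(\d+))?\]', re.I)
VAL_RE = re.compile(r'^"([^"]+)"=(hex|dword):([0-9a-f,]*)', re.I)
MAJOR = {1: "Computer", 2: "Phone", 4: "Audio/Video"}  # Class of Device, bits 8-12
PROFILE = {0x1106: "OBEX File Transfer", 0x110A: "Audio Source", 0x110C: "A/V Remote Control Target"}

def decode(kind, data, utf16=False):
    """Return an int for dword values, or the text before the first NUL for hex values."""
    if kind.lower() == "dword":
        return int(data, 16)
    raw = bytes(int(b, 16) for b in data.split(",") if b)
    text = raw.decode("utf-16-le" if utf16 else "utf-8", "replace")
    return text.split("\x00")[0]

def parse_widcomm_export(text):
    """Map device MAC -> decoded Name, IconPath, major class and service subkeys."""
    text = re.sub(r'[“”″]', '"', text)           # undo typographic quotes
    text = re.sub(r',\\\s*\n\s*', ',', text)     # join "\"-continued hex lines
    devices, cur, svc = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            cur = devices.setdefault(m.group(1).lower(), {"services": []})
            svc = {} if m.group(2) is not None else None   # numbered subkey = service
            if svc is not None:
                cur["services"].append(svc)
        elif cur is not None and (m := VAL_RE.match(line)):
            name, kind, data = m.groups()
            if name == "DevClass":   # assumption: 3 bytes, most significant first
                cod = int(data.replace(",", ""), 16)
                cur["major_class"] = MAJOR.get((cod >> 8) & 0x1F, "other")
            elif svc is not None and name == "UUID":
                uuid16 = decode(kind, data)
                svc["profile"] = PROFILE.get(uuid16, hex(uuid16))
            elif name in ("Name", "ServiceNameUTF8", "IconPath"):
                (svc if svc is not None else cur)[name] = decode(kind, data, name == "IconPath")
    return devices
```

Trailing `<<<<` annotations are ignored because the value pattern stops at the first character that is not a hex digit or comma.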
