Artifacts

Posts Tagged ‘Broadcom’


Bluetooth Personal Area Network (PAN) Service Artifacts (Broadcom Widcomm)


Author Name
Matt Nelson
Submission Title
Bluetooth Personal Area Network (PAN) Service Artifacts (Broadcom Widcomm)
Artifact or Program Version
Broadcom Widcomm
Artifact Description
These artifacts contain information you can glean from the registry pertaining to network/PAN services available for the Broadcom Widcomm stack. Further investigation of these artifacts can reveal what was available to other systems. A follow-up post will detail the systems connected.


Extracted from the registry of a Windows 7 x64 system with a Broadcom 2070 Bluetooth radio device.
Registry Keys
-= Primary registry key =-


HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm


-= Bluetooth Services Definitions =-


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0001]
“Name”=”Bluetooth Serial Port”
“SecurityId”=dword:00000001
“UUID”=dword:00001101
“GUID”=”{00001101-0000-1000-8000-00805F9B34FB}”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Establish a virtual serial port connection with a remote Bluetooth device. The connection can then be used by any application that supports the COM port number assigned.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0002]
“Name”=”Network Access”
“SecurityId”=dword:00000002
“UUID”=dword:00001102
“ModemInstalled”=dword:00000000
“GUID”=”{00001102-0000-1000-8000-00805F9B34FB}”
“RasConnection”=”BluetoothNullConnection”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Establish a network connection to a remote Bluetooth device. The connection may provide access to an external network or the Internet.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000
“UserName”=””
“Password”=””
“Autoconnect”=dword:00000001
“EnableAutoReconnect”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0003]
“Name”=”Dial-up Networking”
“SecurityId”=dword:00000003
“UUID”=dword:00001103
“ShowWizard”=dword:00000000
“ModemInstalled”=dword:00000000
“GUID”=”{00001103-0000-1000-8000-00805F9B34FB}”
“RasConnection”=”BluetoothConnection”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Connect to the Internet using a Bluetooth-enabled telephone, modem or other remote Bluetooth device that offers the Dial-up Networking service.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0004]
“Name”=”PIM Item Transfer”
“SecurityId”=dword:00000005
“UUID”=dword:00001105
“GUID”=”{00001105-0000-1000-8000-00805F9B34FB}”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Exchange business cards with a remote Bluetooth device. Send Personal Information Manager (PIM) items such as calendar items, contacts, notes and messages to a remote Bluetooth device.”
“InstallOnDemand”=dword:00000001
“OPPType”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0005]
“Name”=”File Transfer”
“SecurityId”=dword:00000006
“UUID”=dword:00001106
“GUID”=”{00001106-0000-1000-8000-00805F9B34FB}”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Browse another Bluetooth device’s Public Folder or send and receive files to and from another Bluetooth device.”
“InstallOnDemand”=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0006]
“Name”=”Fax”
“SecurityId”=dword:0000000b
“UUID”=dword:00001111
“ModemInstalled”=dword:00000000
“GUID”=”{00001111-0000-1000-8000-00805F9B34FB}”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Use the fax capabilities of a Bluetooth telephone, modem or other remote Bluetooth device that offers the fax service.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0007]
“GUID”=”{00001104-0000-1000-8000-00805F9B34FB}”
“Name”=”PIM Synchronization”
“SecurityId”=dword:00000004
“UUID”=dword:00001104
“AcceptBusinessCards”=dword:00000001
“AcceptCalendarItems”=dword:00000000
“AcceptEmailMessages”=dword:00000000
“AcceptNotes”=dword:00000000
“SaveInPIM”=dword:00000001
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Synchronize the Personal Information Manager (PIM) database on this computer with the PIM database on a remote Bluetooth device.”
“InstallOnDemand”=dword:00000001
“SyncBusinessCards”=dword:00000000
“SyncCalendarItems”=dword:00000000
“SyncEmailMessages”=dword:00000000
“SyncNotes”=dword:00000000
“PreferredProfile”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0008]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000008
“UUID”=dword:00001108
“Authentication”=dword:00000001
“Name”=”Headset”
“Encryption”=dword:00000001
“GUID”=”{00001108-0000-1000-8000-00805F9B34FB}”
“Description”=”Establish an audio connection between this computer and a Bluetooth headset or other remote Bluetooth device acting as a headset. When connected, the remote device can be used as a replacement for this computer’s local microphone and speakers for voice calls (PC telephony) or voice recognition applications.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0009]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:0000000c
“UUID”=dword:00001112
“Authentication”=dword:00000001
“Name”=”Audio Gateway”
“Encryption”=dword:00000001
“GUID”=”{00001112-0000-1000-8000-00805F9B34FB}”
“Description”=”Establish an audio connection between this computer and a Bluetooth-enabled phone or other remote Bluetooth device as an Audio Gateway. When connected, this computer replaces the remote device’s speakers and microphone.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0010]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000011
“UUID”=dword:00001126
“Authentication”=dword:00000001
“Name”=”Printer”
“Encryption”=dword:00000001
“GUID”=”{00001126-0000-1000-8000-00805F9B34FB}”
“Description”=”Add a Bluetooth-enabled printer to your list of available printers. This printer can then be used as if it was physically connected to this computer.”
“InstallOnDemand”=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0011]
“Authorization”=dword:00000000
“SecurityID”=dword:00000012
“UUID”=dword:00001124
“Authentication”=dword:00000000
“Name”=”Human Interface Device”
“Encryption”=dword:00000000
“GUID”=”{00001124-0000-1000-8000-00805F9B34FB}”
“Description”=”Use a Bluetooth enabled mouse, keyboard or other interface device.”
“InstallOnDemand”=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0012]
“Name”=”Image Push Client”
“SecurityId”=dword:00000014
“UUID”=dword:0000111b
“GUID”=”{0000111B-0000-1000-8000-00805F9B34FB}”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Send image files to another Bluetooth device.”
“InstallOnDemand”=dword:00000001
“PutImageToPrinterTimeout”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0013]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000008
“UUID”=dword:0000110b
“Authentication”=dword:00000001
“Name”=”Stereo Audio”
“Encryption”=dword:00000001
“GUID”=”{0000110B-0000-1000-8000-00805F9B34FB}”
“Description”=”Establish an audio connection between this computer and a Bluetooth stereo headphone or speakers. When connected, the remote device replaces this computer’s speakers.”
“InstallOnDemand”=dword:00000000
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0014]
“Name”=”Hands-free Audio”
“Encryption”=dword:00000001
“GUID”=”{0000111E-0000-1000-8000-00805F9B34FB}”
“Description”=”Establish an audio connection between this computer and a Bluetooth headset or other remote Bluetooth device acting as a headset. When connected, the remote device can be used as a replacement for this computer’s local microphone and speakers for voice calls (PC telephony) or voice recognition applications.”
“InstallOnDemand”=dword:00000000
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000008
“UUID”=dword:0000111e
“Authentication”=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0015]
“UUID”=dword:0000110a
“SecurityID”=dword:0000000c
“Auto”=dword:00000001
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Name”=”Audio Sink”
“Encryption”=dword:00000001
“GUID”=”{0000110A-0000-1000-8000-00805F9B34FB}”
“Description”=”Connect to the source of an audio stream like media player.”
“InstallOnDemand”=dword:00000000
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0016]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000006
“UUID”=dword:00001304
“Authentication”=dword:00000000
“Name”=”Video Sink”
“Encryption”=dword:00000000
“GUID”=”{00001304-0000-1000-8000-00805F9B34FB}”


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0017]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000006
“UUID”=dword:00001303
“Authentication”=dword:00000000
“Name”=”Video Source”
“Encryption”=dword:00000000
“GUID”=”{00001303-0000-1000-8000-00805F9B34FB}”

Bluetooth Connected Device Artifacts (Broadcom Widcomm)


Author Name
Matt Nelson
Submission Title
Bluetooth Connected Device Artifacts (Broadcom Widcomm)
Artifact or Program Version
Broadcom Widcomm
Artifact Description
These artifacts contain information you can glean from the registry about Bluetooth devices connected through the Broadcom Widcomm stack. Each connected external Bluetooth device has its own subkey, named after the device MAC address, under the primary registry key.

Extracted from the registry of a Windows 7 x64 system with a Broadcom 2070 Bluetooth radio device.
Registry Keys
-= Primary Registry Key =-

[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\….]


-= Connected Devices Artifacts =-


——————————————————————————
Example Device 1 – external host MAC (laptop named N3943874)
——————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\00:02:72:1f:b3:8b]
“Name”=hex:4e,33,39,34,33,38,37,34,00 <<<<< N3943874
“DevClass”=hex:3e,01,04
“Features”=hex:00,00,00,00,00,00,00,00
“TimeStamp”=dword:000040f8
“FTPAuthorizationExpires”=hex:00
“OPPAuthorizationExpires”=hex:00
“BIPAuthorizationExpires”=hex:00
“BPPAuthorizationExpires”=hex:00
“DoNotAutoConfigure”=dword:00000000
“AllowWakeup”=dword:00000000
“HidDisabled”=dword:00000000
“DefaultAudio”=dword:00000000
“Manufacturer”=dword:ffffffff
“LmpVersion”=dword:00000000
“LmpSubVersion”=dword:00000000
“BRCMStack”=dword:00000000
“Code”=hex:00,00
“RemoteName”=hex:00
“HandsfreeCfg”=dword:00000002
“ConnectHfIfAvConnected”=dword:00000000
“HandsFreeVersion”=dword:00000000
“PopUpGenForAccessPIM”=dword:00000000
“ShowUI”=dword:00000000
“DisableCallNumber”=dword:00000000
“ManualDun”=dword:00000000
“DesktopShortcutRemovedByBTW”=dword:00000000
“ProgramFilesShortcutRemovedByBTW”=dword:00000000
“PIMSyncInit”=dword:00000000
“PIMAcceptBizcard”=dword:00000000
“PIMAcceptCalendarItems”=dword:00000000
“PIMAcceptEmailMessages”=dword:00000000
“PIMAcceptNotes”=dword:00000000
“IconPath”=hex:43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,44,00,4f,00,\
52,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,30,00,36,00,31,\
00,00,00
“AllowHFCalls”=dword:00000001
“VoiceRecognitionEnabled”=dword:00000000
“SupportBroadcomFeatures”=dword:00000001
“BroadcomFeatures”=dword:00000003


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\00:02:72:1f:b3:8b\0] <<<< services add sub keys
“ServiceNameUTF8”=hex:46,69,6c,65,20,54,72,61,6e,73,66,65,72,00 <<<<< File Transfer
“UUID”=dword:00001106
“Security”=dword:00000000
“DefaultConnection”=dword:00000000
“SdpAttr”=dword:00000000


—————————————————————————
Example Device 2 – external host MAC (phone named iPhone)
—————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38] <<<< host MAC
“Name”=hex:69,50,68,6f,6e,65,00 <<<<< iPhone
“DevClass”=hex:7a,02,0c
“Features”=hex:00,00,00,00,00,00,00,00
“TimeStamp”=dword:000040f8
“FTPAuthorizationExpires”=hex:00
“OPPAuthorizationExpires”=hex:00
“BIPAuthorizationExpires”=hex:00
“BPPAuthorizationExpires”=hex:00
“DoNotAutoConfigure”=dword:00000000
“AllowWakeup”=dword:00000000
“HidDisabled”=dword:00000000
“DefaultAudio”=dword:00000000
“Manufacturer”=dword:ffffffff
“LmpVersion”=dword:00000000
“LmpSubVersion”=dword:00000000
“BRCMStack”=dword:00000000
“Code”=hex:00
“RemoteName”=hex:00
“HandsfreeCfg”=dword:00000002
“ConnectHfIfAvConnected”=dword:00000000
“HandsFreeVersion”=dword:00000000
“PopUpGenForAccessPIM”=dword:00000000
“ShowUI”=dword:00000000
“DisableCallNumber”=dword:00000000
“ManualDun”=dword:00000000
“DesktopShortcutRemovedByBTW”=dword:00000000
“ProgramFilesShortcutRemovedByBTW”=dword:00000000
“PIMSyncInit”=dword:00000000
“PIMAcceptBizcard”=dword:00000000
“PIMAcceptCalendarItems”=dword:00000000
“PIMAcceptEmailMessages”=dword:00000000
“PIMAcceptNotes”=dword:00000000
“IconPath”=hex:43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,44,00,4f,00,\
52,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,30,00,33,00,35,\
00,00,00
“AllowHFCalls”=dword:00000001
“VoiceRecognitionEnabled”=dword:00000000
“SupportBroadcomFeatures”=dword:00000002
“BroadcomFeatures”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38\0] <<<< services add sub keys
“ServiceNameUTF8”=hex:41,56,52,43,50,20,44,65,76,69,63,65,00 <<<<< AVRCP Device
“UUID”=dword:0000110c
“Security”=dword:00000000
“DefaultConnection”=dword:00000000
“SdpAttr”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38\1] <<<< services add sub keys
“ServiceNameUTF8”=hex:41,75,64,69,6f,20,53,6f,75,72,63,65,00 <<<<< Audio Source
“UUID”=dword:0000110a
“Security”=dword:00000000
“DefaultConnection”=dword:00000000
“SdpAttr”=dword:00000000


———————————————————————————
Example Device 2 – external host MAC (device named Roku Player)
———————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\cc:6d:a0:3e:c8:7a] <<<<< Device MAC
“Name”=hex:52,6f,6b,75,20,50,6c,61,79,65,72,00 <<<<< Roku Player
“DevClass”=hex:00,04,24
“Features”=hex:00,00,00,00,00,00,00,00
“TimeStamp”=dword:000040f8
“FTPAuthorizationExpires”=hex:00
“OPPAuthorizationExpires”=hex:00
“BIPAuthorizationExpires”=hex:00
“BPPAuthorizationExpires”=hex:00
“DoNotAutoConfigure”=dword:00000000
“AllowWakeup”=dword:00000000
“HidDisabled”=dword:00000000
“DefaultAudio”=dword:00000000
“Manufacturer”=dword:ffffffff
“LmpVersion”=dword:00000000
“LmpSubVersion”=dword:00000000
“BRCMStack”=dword:00000000
“Code”=hex:00
“RemoteName”=hex:00
“HandsfreeCfg”=dword:00000002
“ConnectHfIfAvConnected”=dword:00000000
“HandsFreeVersion”=dword:00000000
“PopUpGenForAccessPIM”=dword:00000000
“ShowUI”=dword:00000001
“DisableCallNumber”=dword:00000000
“ManualDun”=dword:00000000
“DesktopShortcutRemovedByBTW”=dword:00000001
“ProgramFilesShortcutRemovedByBTW”=dword:00000001
“PIMSyncInit”=dword:00000000
“PIMAcceptBizcard”=dword:00000000
“PIMAcceptCalendarItems”=dword:00000000
“PIMAcceptEmailMessages”=dword:00000000
“PIMAcceptNotes”=dword:00000000
“IconPath”=hex:00,00
“AllowHFCalls”=dword:00000001
“VoiceRecognitionEnabled”=dword:00000000
“SupportBroadcomFeatures”=dword:00000000
“BroadcomFeatures”=dword:00000000
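
The following is an added example, not part of the original submissions: a Python parser that reads exports like the ones in both posts above, decodes the hex-encoded device and service names, groups each service subkey under its device MAC, and lists local service definitions whose Authentication or Encryption value is 0. The function names are hypothetical. Treating DevClass as a Bluetooth Class of Device value is an assumption, consistent with the laptop and phone samples above, and so is reading Authentication and Encryption as per-service security flags, which is inferred from the value names only.

```python
import re
# Constructed sample from values on this page, smart quotes and "<<<<" notes kept.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0011]
“Name”=”Human Interface Device”
“Authentication”=dword:00000000
“Encryption”=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38] <<<< host MAC
“Name”=hex:69,50,68,6f,6e,65,00 <<<<< iPhone
“DevClass”=hex:7a,02,0c
[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38\0]
“ServiceNameUTF8″=hex:41,56,52,43,50,20,44,65,76,69,63,65,00
“UUID”=dword:0000110c
'''
MAJOR = {1: "Computer", 2: "Phone", 4: "Audio/Video"}  # Bluetooth CoD major classes
DEV_KEY = re.compile(r"\\Devices\\((?:[0-9a-f]{2}:){5}[0-9a-f]{2})(\\\d+)?$", re.I)

def parse_reg(text):
    text = re.sub("[“”″]", '"', text).replace("\\\n", "")  # quotes, "\" continuations
    keys, cur = {}, None
    for line in (ln.split("<<<")[0].strip() for ln in text.splitlines()):  # drop notes
        if line.startswith("["):
            cur = keys.setdefault(line.strip("[]"), {})
        elif cur is not None and (m := re.match(r'"?([^"=]+)"?=(.*)', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                cur[name] = int(raw[6:], 16)
            elif raw.startswith("hex:"):
                cur[name] = bytes.fromhex(raw[4:].replace(",", " "))
            else:
                cur[name] = raw.strip('"')
    return keys

def text_of(b):  # hex string values on this page are NUL-terminated UTF-8
    return b.decode("utf-8", "replace").rstrip("\0")

def devices(keys):
    out = {}
    for path, vals in keys.items():
        if m := DEV_KEY.search(path):
            dev = out.setdefault(m.group(1).lower(), {"services": []})
            if m.group(2):  # numbered subkey: one service recorded for this device
                dev["services"].append((text_of(vals["ServiceNameUTF8"]), f'{vals["UUID"]:04x}'))
            else:  # CoD major class = low 5 bits of the middle DevClass byte
                dev.update(name=text_of(vals["Name"]), major=MAJOR.get(vals["DevClass"][1] & 0x1F, "other"))
    return out

def auth_or_enc_off(keys):  # local service definitions with either flag set to 0
    return [v["Name"] for p, v in keys.items() if "\\Applications\\" in p
            and not (v.get("Authentication") and v.get("Encryption"))]
```

`parse_reg` returns IconPath as raw bytes; it is UTF-16LE, so decode it with `.decode("utf-16-le")` rather than `text_of`.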