btreplay Tutorial

Create dump

A dump can be recorded using the -b option of btmon. The best way to record a suitable dump is to disable the Bluetooth controller before recording. That way btmon also records the initialisation sequence.

# sudo btmon -b testdump
<plug in / enable Bluetooth contoller>
<connect Bluetooth mouse>
<move mouse around>

Replay dump

First make sure the VHCI driver is loaded:

# sudo modprobe hci_vhci
# ls /dev | grep vhci

Now the dump can be replayed with btreplay. When the same machine is used to replay the dump, it is recommended to unplug / disable the Bluetooth controller to avoid conflicts.

The simplest way to use the Bluetooth Replayer is to run

# sudo btreplay testdump

Some scenarios require minimal delay during the execution to be replayed correctly (such as the example above). One solution is to use the delta timing mode that adds delays according to the time difference between packets in the dump file.

# sudo btreplay -d delta testdump

Running btreplay with a dump from another machine can cause some issues with the initialisation sequence. The host might send out packets in a different order. btreplay will show several packets marked as “[Unknown] ! Wrong opcode” and the replay process can get stuck. When these packets are not relevant to the actual scenario, they can be ignored using a config file. For example, they can be passed on to the emulator. To do so, set the action for these packet types to ‘emulate’ in a config file.

Example config contents:

HCI_CMD_0x03|0x0001 action=emulate
HCI_CMD_0x03|0x0018 action=emulate

and run btreplay with this config file.

# sudo btreplay -d delta -c testconfig testdump