Overview¶
The RF Creations Protocol Analyser allows capture and analysis of LE, BR/EDR, HDT, Channel-Sounding, QBHSL, and mHDT Bluetooth traffic, 802.15.4 and logic analyser signals; detection of WiFi packets; and power measurements of other signals in the 2.4–2.5 GHz band ("Spectrum" data).
Getting started¶
If you are using blueSPY on Windows or macOS, all you need to do is download the correct build (with on Windows a choice of an installer or a portable zip file containing the software), plug in your Moreph, and start capturing.
On Linux, if your system has no GUI libraries (e.g. a server) you should download the 'headless' build; otherwise download the full build including the GUI. To use blueSPY you will need to create a udev rule to communicate with the Moreph as an ordinary user. Create
/etc/udev/rules.d/50-minimoreph.rules
with the following contents:
SUBSYSTEM=="usb", ATTRS{idVendor}=="2bbd", ATTRS{idProduct}=="00f3", MODE="0666"
Reboot, or run udevadm control --reload-rules && udevadm trigger as root. Then you can use it as an ordinary user.
Capturing¶
To capture traffic, you must have a Moreph 30 or a miniMoreph connected to your computer. When a Moreph is plugged in, or when the application is started, the bottom right of the status bar will display "Hardware Idle (#serial number)"; or "No Hardware Connected" if nothing is detected.
If the Moreph is not automatically detected, or you want to choose between multiple devices, use the "Connect" window to connect to a Moreph. If the Moreph is already running an application, you will need to Reboot it.
This window also allows you to add a licence to the Moreph, if you have been sent a new licence file for the device.
Once a Moreph is connected, the Capture Settings and Capture buttons will be enabled:
Connect¶
Open the Connect window, or disconnect the Moreph if it's already connected.
Capture¶
Starts and stops capture.
Restart Capture¶
During a capture, seamlessly stops capturing and starts a new capture file; no packets are missed, so all traffic will be present in either the first or second capture. After the new capture has started a Save dialog will appear to allow you to choose a filename at your leisure. NB: Currently, connection timing is not preserved across the "new segment" operation, so only use this button at a time when none of your DUTs are connected.
Auto-segmenting capture¶
If you want to leave blueSPY capturing for very long periods (e.g. multiple days), then the capture files are likely to become very large. To keep file-sizes more manageable, you can use the auto-segmenting feature; new capture files will be created at fixed time intervals (e.g. every 30 minutes). Any necessary context (e.g. the status of ongoing connections) will be stored as part of the capture-segment file.
Capture Settings¶
Use the Capture Settings window before starting a capture to select what data the Moreph should record. Each type of traffic can be enabled/disabled, and the time resolution of the Spectrum data can be selected; it is best to only capture the traffic you need, for the sake of capture file size if nothing else!
Not all combinations of packet types can be captured simultaneously due to hardware limitations; in addition, your licence may restrict which packets you can enable. If you have a licence which allows it, the following combinations of packets are possible:
-
QHS, Dukosi, Varjo, 802.15.4
-
Channel-sounding, 802.15.4
-
HDT, Channel-Sounding, 802.15.4
-
mHDT Classic, mHDT BLE-4M
Logic, Spectrum, WiFi, LE, and BR/EDR are supported in any of the combinations.
If that seems complicated, an alternative strategy: if a checkbox for a proprietary/unusual packet type is disabled, try unchecking all other checkboxes and enabling it, and then see which other checkboxes are still enabled.
When using the logic analyser, it is important to specify the source of the reference voltage. If you are connecting an external reference voltage to the VREF pin (voltages between 0.8V and 3.6V are supported), select "pod – External Reference Voltage". Otherwise, select "pod – Internal Reference Voltage"; the Moreph will supply 3.3V on VREF.
Although very fine resolution (5 µs) Spectrum capture is possible, using it leads to very large file sizes (many GB) and so it is best to disable Spectrum capture or set a longer time resolution if fine timing is not needed.
Logic, UART, I2S settings¶
To access the Logic or I2S settings tabs, the Logic or I2S checkboxes in the "Main enables" tab must be checked.
In the logic tab you can choose which logic lines to enable (some will be unavailable if they are being used for UART or I2S), and the "Logic Rate". Selecting a lower Logic Rate will result in a smaller capture file size, but may result in some edges being missed if capturing a high-speed signal (e.g. a >1 MHz clock).
In the UART tab you can enable up to four UARTs, and configure the baud rate and other settings. The name field will be used to label the UART traffic in the Timeline, Summary etc. One or more UARTs can be used to capture HCI traffic; to capture both Controller→Host and Host→Controller traffic, a second UART will be used.
There are many possible configurations of I2S and I2S-like digital audio data. To successfully capture I2S traffic, ensure that:
-
the reference voltage has been configured appropriately in the "Main enables" tab, and that you are supplying the external VREF if needed;
-
the configuration options in the "I2S settings" match your implementation. The diagram at the top of the tab provides a pictorial explanation of the effects of the various checkboxes.
Audiopod settings¶
To enable the audiopod settings tab, connect the audiopod to your Moreph, and provide power to the audiopod USB-C port. Then check the "audiopod" checkbox in the "Main enables" tab; if the Moreph cannot communicate with the audiopod, an error will be returned at this stage.
For more details of the audiopod settings, see Audiopod
Advanced settings¶
These settings can be accessed during an ongoing capture, and allow extra control over the sniffer's radio, and filtering of packets captured.
The sniffer Automatic Gain Control normally performs well, so in most scenarios we don't recommend that you override the AGC; there are two main reasons to use this control:
-
Capturing traffic over a cabled link, i.e. at high powers ( > 0 dBm). In this case the first packet on a link may be missed as the AGC adjusts, and the radio will perform better if you disable the AGC and specify the expected maximum power.
-
Capturing wanted distant/quiet traffic in the presence of louder interferers. Normally the AGC will adjust to ensure good reception of the loudest signals present, but if you want to force maximum sensitivity (at the risk of distortion/missed packets from the loudest devices), you can disable the AGC and set "Maximum Input Signal" to the minimum value.
Saving and Loading files¶
"Open" and "Save As" operate in the usual way, and are found in the File menu. A new capture always writes to a temporary file; afterwards the file can either be saved or discarded.
If you have added information to a file (e.g. adding decryption keys, adding Bookmarks, modifying device filtering) then the "Save" icon in the toolbar will change to show that you may want to save your changes:
vs
Save Advanced¶
"Save Advanced" can be used to save a portion of a large file, for instance by omitting Spectrum data, selecting a shortened time-period, or saving only some of the packets. A Moreph must be connected to "license" the file (see PcapNG files for more details). Save Advanced can also be used to create a version of the capture file which contains decrypted and dewhitened packets, e.g. for loading into Wireshark or some other pcapng tool.
NB: Saving a subset of the packets may result in a file in which the packets can no longer be parsed, e.g. if the beginning of a Connection is missed. To minimise filesize: disable all protocol filters in the Summary; enable the device filter to show only devices you need; select the time-range you need in Save Advanced, and use "Save Packets: Shown in Summary" (with "Save Spectrum" not checked).