This core is an implementation of the SAFER+ algorithm, slightly modified to be compatible with the Bluetooth standard. It includes many optimizations, such as using block RAMs for the S-boxes, and uses the algebraic manipulation described in "Cracking the Bluetooth PIN".
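
As an added illustration (not code from the OpenCiphers core): the two SAFER+ S-boxes are the exponentiation 45^x mod 257, with the value 256 stored as 0, and its inverse. The Python below builds both as 256-entry byte tables of the kind a block RAM holds. The function names are hypothetical.

```python
# Added illustration: the two SAFER+ byte substitution tables, i.e. the
# 256 x 8-bit lookups that an FPGA design can keep in block RAM.
# Function names are hypothetical, not taken from the OpenCiphers source.

def build_exp_table():
    """exp[x] = 45**x mod 257, with the single value 256 stored as 0."""
    table = []
    value = 1                       # 45**0
    for _ in range(256):
        table.append(value & 0xFF)  # 256 (reached only at x = 128) becomes 0
        value = (value * 45) % 257
    return table

def build_log_table(exp_table):
    """log is the inverse permutation of exp, so log[exp[x]] == x."""
    table = [0] * 256
    for x, y in enumerate(exp_table):
        table[y] = x
    return table

def is_permutation(table):
    """True when the table maps 0..255 onto 0..255 with no repeats."""
    return sorted(table) == list(range(256))

def to_rom_words(table):
    """Render a table as 256 two-digit hex words, one per ROM address."""
    return ["%02x" % b for b in table]

EXP = build_exp_table()
LOG = build_log_table(EXP)

if __name__ == "__main__":
    # Sanity checks before the tables are used as memory contents.
    assert is_permutation(EXP) and is_permutation(LOG)
    for name, table in (("exp", EXP), ("log", LOG)):
        print(name, " ".join(to_rom_words(table)[:16]), "...")
```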

Bluetooth PIN Cracking Core

The Bluetooth PIN cracking core implements the basic Bluetooth PIN cracking attack by generating possible PINs and running them through SAFER+ to verify whether they are correct. It uses the pipelined implementation of SAFER+ and loops the output of the pipeline back into itself 7 times to perform all of the E21/E22/E1 functions. The maximum clock speed we've been able to run it at on an E-12 is 75 MHz, which results in ~10 million PINs per second, compared to roughly 40k on a modern CPU.


Currently btpincrack supports cracking PINs on your CPU or offloading the work to a Pico E-12 card. It supports importing Merlin capture files and will soon support importing CSV exports from the Frontline Test Equipment hardware.

3300 Sempron
2.16GHz Intel Duo

Pico E-12 (Virtex-4 LX25)

Copyright © 2006 - The OpenCiphers Project