Recently I learned just how much of the Bluetooth protocol is performed by the Bluetooth adapter itself. This was disappointing for me, as I wish to hack about with the relevant encryption and authentication mechanisms. Life is not all bad, however. Cambridge Silicon Radio (CSR) makes some Bluetooth radios that read their firmware from an onboard flash chip, and some enterprising individuals (evilgenius.de, darkircop, PDF slides) have figured out how to extract, disassemble, reassemble (potentially modified), and reprogram these devices.
The motivation for all these people was to create a general-purpose sniffer, enabling the creation of bluedrift. I would like to see the creation of some open source firmware for these devices, so I don’t have to wade through disassembled binary to find where to insert my own code. 🙂
Also, an interesting paper is Bluesniff: Eve meets Alice and Bluetooth.