
Arbitrary Bluetooth addresses with the TP-Link UB500 using Bumble

First Published: 2026-01-08

Last Updated: 2026-01-08

A.k.a. the start of how to MITM Bluetooth on Windows.

Intro

This blog post is a byproduct of my attempts to port NXBT (or at least its functionality) to Windows.
One consistent issue I had was changing the Bluetooth address of the adapter itself: newer Bluetooth chipsets load it from firmware, and it is not usually changeable from userspace.
Very fortunately, when I was at the end of the road with my experimentation, a random Google search turned up Xeno Kovah's presentation on new research into the Realtek RTL8761B, which he presented at Hardwear.io 2025 (1)(2).

Pre-requisites

This guide requires an RTL8761B-family (RTL8761B, RTL8761BU) Bluetooth chipset.
I have personally tested it with a TP-Link UB500 v2 USB Bluetooth dongle.

Setup:

1. WinUSB Driver

Before we load the patched firmware, we have to make Windows bind the dongle to the WinUSB driver so that Bumble can talk to it directly over USB and supply our own firmware.
  1. Firstly, download Zadig.
  2. Open Zadig and choose the UB500 by selecting "TP-Link Bluetooth USB Adapter" from the dropdown.
    (If it doesn't show up, you may need to tick Options > List All Devices.)
  3. Make sure WinUSB is the selected target driver, then install the driver.

2. Getting the firmware

Great, we have the correct driver; now we need the firmware.
  1. You can either use the first-party tool bumble-rtk-fw-download to fetch the required firmware (see the Bumble docs),
  2. or you can download the firmware directly from the linux-firmware git repository.

2.x Pointing bumble to the firmware

If you downloaded the firmware directly, you now need to let Bumble find it by either
  1. Setting the environment variable BUMBLE_RTK_FIRMWARE_DIR to the directory containing the firmware files.
    I found the easiest way for me was to just set it alongside the imports:
    import os

    os.environ["BUMBLE_RTK_FIRMWARE_DIR"] = r"C:\EXAMPLE\DIRECTORY"
  2. Or placing the firmware files in the same directory as your code.

3. Configuring Firmware to your custom BD Address

Now we are ready to configure the firmware so that we can use any arbitrary Bluetooth address.
  1. First, download an existing modded firmware config from the research GitHub repo's custom firmware folder.
    (Remember to take a look at the rest of the repo, it has some really interesting stuff.)
  2. After you have downloaded a config, unzip the archive and copy the config .bin file into the same directory as your firmware.
    Note:
    If you downloaded the firmware using bumble-rtk-fw-download, that directory is %LocalAppData%\Google\bumble\firmware\realtek (i.e. C:\Users\<you>\AppData\Local\Google\bumble\firmware\realtek; note that %AppData% on its own points at AppData\Roaming, not AppData\Local).

4. Customising your BD Address

If you run your Bumble code now (use any of the Bumble examples if you don't have code of your own yet) and it is working, the adapter should report an address of either 11:22:33:44:55:66 or 00:11:22:33:44:55, depending on which config you downloaded.
(Note: if it isn't working, try refreshing it by unplugging and replugging the Bluetooth dongle, as it tends to 'hold' onto whichever firmware it was last given.)
To customise the address, you change the config with a hex editor of your choice.
  1. Firstly, you need a hex editor (personally I use HxD, but that isn't a particularly modern option).
  2. Open the config file in the hex editor. It should be extremely simple, either
    55 AB 23 87 09 00 30 00 06 55 44 33 22 11 00
    or
    55 AB 23 87 09 00 30 00 06 66 55 44 33 22 11
    The first 9 bytes are the config header and the entry header and must be left alone: 55 AB 23 87 is the Realtek vendor config signature, 09 00 is the little-endian length of the 9 bytes that follow it, 30 00 is the little-endian offset of the entry and 06 is the entry's length. (This is the same vendor config layout the Linux btrtl driver parses.)
    To change the BD address, modify only the last 6 bytes:
    55 AB 23 87 09 00 30 00 06
    XX XX XX XX XX XX
    Keep in mind that the address is stored in reverse byte order (least significant byte first), so the last byte of the file is the first byte of the address as it is normally written.
    i.e. the BD address 98:76:54:32:10:09 would be entered as
    55 AB 23 87 09 00 30 00 06
    09 10 32 54 76 98
    Check your work by reading the 6 address bytes back to front: they should spell the address you wanted. Do not add or remove bytes, as the 09 00 length field and the 06 entry length would then no longer match the file.

  3. To see your new address in use, you may need to unplug and replug the device before it picks up the new address.
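Hand-editing six bytes is fine once, but it is easy to forget the byte reversal or to break the length fields. The script below is an added example, not code from the post or from Bumble, that parses the config blob, validates the signature and length fields, and rewrites (or builds from scratch) the BD address entry. It assumes the layout described above: a 4-byte signature 55 AB 23 87, a 2-byte little-endian total length, then entries of 2-byte little-endian offset, 1-byte length and payload, with the BD address living in the entry at offset 0x0030, exactly as in the two stock configs shown on the page. The sample config bytes are constructed from the page's first example.

```python
import struct
import sys

# Constructed sample input: the stock config shown above, encoding 00:11:22:33:44:55.
SAMPLE_CONFIG = bytes.fromhex("55AB2387" "0900" "3000" "06" "554433221100")

CONFIG_SIGNATURE = b"\x55\xab\x23\x87"  # little-endian 0x8723ab55
BD_ADDR_ENTRY_OFFSET = 0x0030           # entry offset used by the page's configs (assumed)
BD_ADDR_LEN = 6


def parse_config(data: bytes) -> dict[int, bytes]:
    """Split a Realtek vendor config blob into {entry_offset: payload}.

    Rejects anything whose signature or length fields are inconsistent, so a
    botched hex edit is caught before the blob is handed to the controller.
    """
    if data[:4] != CONFIG_SIGNATURE:
        raise ValueError("bad signature: not a Realtek vendor config")
    (total_len,) = struct.unpack_from("<H", data, 4)
    if 6 + total_len != len(data):
        raise ValueError(f"length field says {total_len} bytes, blob has {len(data) - 6}")
    entries: dict[int, bytes] = {}
    pos, end = 6, 6 + total_len
    while pos < end:
        if pos + 3 > end:
            raise ValueError("truncated entry header")
        offset, length = struct.unpack_from("<HB", data, pos)
        pos += 3
        if pos + length > end:
            raise ValueError(f"entry at offset {offset:#06x} runs past end of config")
        entries[offset] = data[pos:pos + length]
        pos += length
    return entries


def serialize_config(entries: dict[int, bytes]) -> bytes:
    """Inverse of parse_config: rebuild the blob with a correct length field."""
    body = b"".join(struct.pack("<HB", off, len(p)) + p for off, p in entries.items())
    return CONFIG_SIGNATURE + struct.pack("<H", len(body)) + body


def bd_addr_from_config(data: bytes) -> str:
    """Return the stored BD address in the usual XX:XX:XX:XX:XX:XX order."""
    payload = parse_config(data).get(BD_ADDR_ENTRY_OFFSET)
    if payload is None or len(payload) != BD_ADDR_LEN:
        raise ValueError("config has no 6-byte BD address entry")
    # Stored least-significant byte first, so reverse for display.
    return ":".join(f"{b:02X}" for b in reversed(payload))


def bd_addr_to_payload(addr: str) -> bytes:
    """Convert '98:76:54:32:10:09' to the reversed on-disk form 09 10 32 54 76 98."""
    parts = addr.split(":")
    if len(parts) != BD_ADDR_LEN or any(len(p) != 2 for p in parts):
        raise ValueError("BD address must be six colon-separated hex bytes")
    return bytes(reversed(bytes(int(p, 16) for p in parts)))


def set_bd_addr(data: bytes, addr: str) -> bytes:
    """Rewrite the BD address entry of an existing config, keeping any other entries."""
    entries = parse_config(data)
    entries[BD_ADDR_ENTRY_OFFSET] = bd_addr_to_payload(addr)
    return serialize_config(entries)


def build_bd_addr_config(addr: str) -> bytes:
    """Build a minimal config containing only the BD address entry."""
    return serialize_config({BD_ADDR_ENTRY_OFFSET: bd_addr_to_payload(addr)})


if __name__ == "__main__":
    # Usage: python patch_rtk_config.py <config.bin> 98:76:54:32:10:09
    path, new_addr = sys.argv[1], sys.argv[2]
    with open(path, "rb") as f:
        original = f.read()
    print("current address:", bd_addr_from_config(original))
    patched = set_bd_addr(original, new_addr)
    with open(path, "wb") as f:
        f.write(patched)
    print("new address:    ", bd_addr_from_config(patched))
```

Point the script at the config .bin that sits next to your firmware (the path is the one from step 3), unplug and replug the dongle, and the controller should come up with the address you passed in. Because the blob is re-serialised from parsed entries rather than patched in place, the length field is always regenerated, so the script cannot produce the inconsistent file that a stray keystroke in a hex editor can.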

Conclusion

That's it. It is really quite simple: you can now use your UB500, or any other Realtek RTL8761B based Bluetooth controller, with a custom BD address.
Many thanks to Xeno Kovah and Dark Mentor's research into the RTL8761B, which made this all possible.

On a side note, I stumbled upon this research while working on my project to emulate a Nintendo Switch Pro controller on Windows, mostly by trying to port the functionality from NXBT's native Linux BlueZ code over to Bumble, the unfortunately named experimental Google Bluetooth library.
I was unable to progress past a connection to a Switch which disconnects after the SDP declaration, but if someone else picks up the torch, I would be quite grateful.

Sources

  1. Reverse engineering Realtek RTL8761B* Bluetooth chips, to make better Bluetooth security tools & classes (©Dark Mentor LLC 2025)
    https://darkmentor.com/publication/2025-11-hardweario/
  2. Reverse engineering Realtek RTL8761B* Bluetooth chips, to make better Bluetooth security tools & classes (slides) (©Dark Mentor LLC 2025)
    https://darkmentor.com/2025-11-21_HardwearioNL2025_RTL8761B_RE_Slides_With_Builds.pdf
This work is licensed under CC BY 4.0.
