def send_pairing_request():
global pairing_procedure, access_address, pairing_iocap, paring_auth_request, master_address, advertiser_address
master_address_raw = ''.join(map(lambda x: chr(int(x, 16)), master_address.split(':')))
slave_address_raw = ''.join(map(lambda x: chr(int(x, 16)), advertiser_address.split(':')))
BLESMPServer.set_pin_code('\x00' * 4)
BLESMPServer.configure_connection(master_address_raw, slave_address_raw, 0,
pairing_iocap, paring_auth_request)
hci_res = BLESMPServer.pairing_request()
if hci_res:
pairing_procedure = True
# Pairing request
pkt = BTLE(access_addr=access_address) / BTLE_DATA() / L2CAP_Hdr() / HCI_Hdr(hci_res)[SM_Hdr]
driver.send(pkt)
def send_pairing_request():
global access_address, pairing_iocap, paring_auth_request, master_address, advertiser_address
if enable_secure_connections is False:
paring_auth_request = 0x01
else:
paring_auth_request = 0x01 | 0x08 # Secure connections
master_address_raw = ''.join(map(lambda x: chr(int(x, 16)), master_address.split(':')))
slave_address_raw = ''.join(map(lambda x: chr(int(x, 16)), advertiser_address.split(':')))
BLESMPServer.set_pin_code('\x00' * 4)
BLESMPServer.configure_connection(master_address_raw, slave_address_raw, 0,
pairing_iocap, paring_auth_request)
hci_res = BLESMPServer.pairing_request()
if hci_res:
# Pairing request
pkt = BTLE(access_addr=access_address) / BTLE_DATA() / L2CAP_Hdr() / HCI_Hdr(hci_res)[SM_Hdr]
driver.send(pkt)
start_timeout('smp_timeout', SMP_TIMEOUT, smp_timeout)
elif enable_secure_connections and not (pkt.authentication
& 0x08):
print(
Fore.RED +
'Peripheral does not accept Secure Connections pairing\nEnding Test...'
)
run_script = False
disable_smp = True
else:
print(Fore.GREEN + "Legacy Pairing")
if enable_anomaly:
if enc_start_index >= enc_start_index_max:
enc_start_index_max += 1
enc_start_index = 0
conn_ltk = BLESMPServer.get_ltk()
conn_iv = '\x00' * 4 # set IVm (IV of master)
conn_skd = '\x00' * 8 # set SKDm (session key diversifier part of master)
enc_request = BTLE(access_addr=access_address) / BTLE_DATA(
) / CtrlPDU() / LL_ENC_REQ(
ediv='\x00', rand='\x00', skdm=conn_iv, ivm=conn_skd)
driver.send(enc_request)
last_smp_summary = pkt.summary()
if enable_secure_connections is False and SM_Confirm in pkt:
switch_pairing = True
elif enable_secure_connections and SM_Random in pkt:
final_test = True
elif ATT_Exchange_MTU_Response in pkt:
# Send version indication request
pkt = BTLE(access_addr=access_address) / BTLE_DATA() / CtrlPDU(
) / LL_VERSION_IND(version='4.2')
driver.send(pkt)
elif LL_VERSION_IND in pkt:
if version_request_number < 1:
master_address_raw = ''.join(
map(lambda x: chr(int(x, 16)), master_address.split(':')))
slave_address_raw = ''.join(
map(lambda x: chr(int(x, 16)),
advertiser_address.split(':')))
BLESMPServer.configure_connection(master_address_raw,
slave_address_raw, 0,
pairing_iocap,
paring_auth_request)
hci_res = BLESMPServer.pairing_request()
if hci_res:
pairing_procedure = True
# Pairing request
pkt = BTLE(access_addr=access_address) / BTLE_DATA(
) / L2CAP_Hdr() / HCI_Hdr(hci_res)[SM_Hdr]
driver.send(pkt)
version_request_number += 1
elif pairing_procedure and SM_Hdr in pkt:
update_timeout('scan_timeout')
# Handle pairing response and so on
smp_answer = BLESMPServer.send_hci(
raw(HCI_Hdr() / HCI_ACL_Hdr() / L2CAP_Hdr() / pkt[SM_Hdr]))
from scapy.all import *
from scapy.layers.bluetooth import SM_Master_Identification
from scapy.layers.bluetooth import SM_Identity_Information
from scapy.layers.bluetooth import SM_Pairing_Request
from scapy.layers.bluetooth import SM_Confirm
from scapy.layers.bluetooth import SM_Random
import BLESMPServer
master_address = '5d:36:ac:90:0b:22'
slave_address = '50:36:ac:90:0b:20'
ia = ''.join(map(lambda x: chr(int(x, 16)), master_address.split(':')))
ra = ''.join(map(lambda x: chr(int(x, 16)), slave_address.split(':')))
BLESMPServer.set_iocap(0x03) # NoInputNoOutput
BLESMPServer.configure_connection(ia, ra, 0, 0x03, 0)
s = HCI_Hdr() / HCI_ACL_Hdr() / L2CAP_Hdr() / SM_Hdr() / SM_Pairing_Request()
data = bytearray(raw(s))
# hci_res = BLESMPServer.send_hci(data)
hci_res = BLESMPServer.pairing_request()
if hci_res is not None:
pkt = HCI_Hdr(hci_res)
print(pkt.summary())
pkt.show()
print('---------------------')
BTLE_DATA() / L2CAP_Hdr() / ATT_Hdr() / ATT_Exchange_MTU_Request(mtu=247)
driver.send(pkt)
elif ATT_Exchange_MTU_Response in pkt:
# Send version indication request
pkt = BTLE(access_addr=access_address) / BTLE_DATA() / CtrlPDU(
) / LL_VERSION_IND(version='4.2')
driver.send(pkt)
elif LL_VERSION_IND in pkt:
master_address_raw = ''.join(
map(lambda x: chr(int(x, 16)), master_address.split(':')))
slave_address_raw = ''.join(
map(lambda x: chr(int(x, 16)), advertiser_address.split(':')))
BLESMPServer.configure_connection(master_address_raw,
slave_address_raw, 0,
pairing_iocap,
paring_auth_request)
hci_res = BLESMPServer.pairing_request()
if hci_res:
pairing_procedure = True
# Pairing request
pkt = BTLE(access_addr=access_address) / BTLE_DATA(
) / L2CAP_Hdr() / HCI_Hdr(hci_res)[SM_Hdr]
driver.send(pkt)
elif pairing_procedure and SM_Hdr in pkt:
# Handle pairing response and so on
smp_answer = BLESMPServer.send_hci(
raw(HCI_Hdr() / HCI_ACL_Hdr() / L2CAP_Hdr() / pkt[SM_Hdr]))
if smp_answer is not None and isinstance(smp_answer, list):
for res in smp_answer:
