def send_pairing_request(): global pairing_procedure, access_address, pairing_iocap, paring_auth_request, master_address, advertiser_address master_address_raw = ''.join(map(lambda x: chr(int(x, 16)), master_address.split(':'))) slave_address_raw = ''.join(map(lambda x: chr(int(x, 16)), advertiser_address.split(':'))) BLESMPServer.set_pin_code('\x00' * 4) BLESMPServer.configure_connection(master_address_raw, slave_address_raw, 0, pairing_iocap, paring_auth_request) hci_res = BLESMPServer.pairing_request() if hci_res: pairing_procedure = True # Pairing request pkt = BTLE(access_addr=access_address) / BTLE_DATA() / L2CAP_Hdr() / HCI_Hdr(hci_res)[SM_Hdr] driver.send(pkt)
def send_pairing_request(): global access_address, pairing_iocap, paring_auth_request, master_address, advertiser_address if enable_secure_connections is False: paring_auth_request = 0x01 else: paring_auth_request = 0x01 | 0x08 # Secure connections master_address_raw = ''.join(map(lambda x: chr(int(x, 16)), master_address.split(':'))) slave_address_raw = ''.join(map(lambda x: chr(int(x, 16)), advertiser_address.split(':'))) BLESMPServer.set_pin_code('\x00' * 4) BLESMPServer.configure_connection(master_address_raw, slave_address_raw, 0, pairing_iocap, paring_auth_request) hci_res = BLESMPServer.pairing_request() if hci_res: # Pairing request pkt = BTLE(access_addr=access_address) / BTLE_DATA() / L2CAP_Hdr() / HCI_Hdr(hci_res)[SM_Hdr] driver.send(pkt) start_timeout('smp_timeout', SMP_TIMEOUT, smp_timeout)
elif enable_secure_connections and not (pkt.authentication & 0x08): print( Fore.RED + 'Peripheral does not accept Secure Connections pairing\nEnding Test...' ) run_script = False disable_smp = True else: print(Fore.GREEN + "Legacy Pairing") if enable_anomaly: if enc_start_index >= enc_start_index_max: enc_start_index_max += 1 enc_start_index = 0 conn_ltk = BLESMPServer.get_ltk() conn_iv = '\x00' * 4 # set IVm (IV of master) conn_skd = '\x00' * 8 # set SKDm (session key diversifier part of master) enc_request = BTLE(access_addr=access_address) / BTLE_DATA( ) / CtrlPDU() / LL_ENC_REQ( ediv='\x00', rand='\x00', skdm=conn_iv, ivm=conn_skd) driver.send(enc_request) last_smp_summary = pkt.summary() if enable_secure_connections is False and SM_Confirm in pkt: switch_pairing = True elif enable_secure_connections and SM_Random in pkt: final_test = True
elif ATT_Exchange_MTU_Response in pkt: # Send version indication request pkt = BTLE(access_addr=access_address) / BTLE_DATA() / CtrlPDU( ) / LL_VERSION_IND(version='4.2') driver.send(pkt) elif LL_VERSION_IND in pkt: if version_request_number < 1: master_address_raw = ''.join( map(lambda x: chr(int(x, 16)), master_address.split(':'))) slave_address_raw = ''.join( map(lambda x: chr(int(x, 16)), advertiser_address.split(':'))) BLESMPServer.configure_connection(master_address_raw, slave_address_raw, 0, pairing_iocap, paring_auth_request) hci_res = BLESMPServer.pairing_request() if hci_res: pairing_procedure = True # Pairing request pkt = BTLE(access_addr=access_address) / BTLE_DATA( ) / L2CAP_Hdr() / HCI_Hdr(hci_res)[SM_Hdr] driver.send(pkt) version_request_number += 1 elif pairing_procedure and SM_Hdr in pkt: update_timeout('scan_timeout') # Handle pairing response and so on smp_answer = BLESMPServer.send_hci( raw(HCI_Hdr() / HCI_ACL_Hdr() / L2CAP_Hdr() / pkt[SM_Hdr]))
from scapy.all import * from scapy.layers.bluetooth import SM_Master_Identification from scapy.layers.bluetooth import SM_Identity_Information from scapy.layers.bluetooth import SM_Pairing_Request from scapy.layers.bluetooth import SM_Confirm from scapy.layers.bluetooth import SM_Random import BLESMPServer master_address = '5d:36:ac:90:0b:22' slave_address = '50:36:ac:90:0b:20' ia = ''.join(map(lambda x: chr(int(x, 16)), master_address.split(':'))) ra = ''.join(map(lambda x: chr(int(x, 16)), slave_address.split(':'))) BLESMPServer.set_iocap(0x03) # NoInputNoOutput BLESMPServer.configure_connection(ia, ra, 0, 0x03, 0) s = HCI_Hdr() / HCI_ACL_Hdr() / L2CAP_Hdr() / SM_Hdr() / SM_Pairing_Request() data = bytearray(raw(s)) # hci_res = BLESMPServer.send_hci(data) hci_res = BLESMPServer.pairing_request() if hci_res is not None: pkt = HCI_Hdr(hci_res) print(pkt.summary()) pkt.show() print('---------------------')
BTLE_DATA() / L2CAP_Hdr() / ATT_Hdr() / ATT_Exchange_MTU_Request(mtu=247) driver.send(pkt) elif ATT_Exchange_MTU_Response in pkt: # Send version indication request pkt = BTLE(access_addr=access_address) / BTLE_DATA() / CtrlPDU( ) / LL_VERSION_IND(version='4.2') driver.send(pkt) elif LL_VERSION_IND in pkt: master_address_raw = ''.join( map(lambda x: chr(int(x, 16)), master_address.split(':'))) slave_address_raw = ''.join( map(lambda x: chr(int(x, 16)), advertiser_address.split(':'))) BLESMPServer.configure_connection(master_address_raw, slave_address_raw, 0, pairing_iocap, paring_auth_request) hci_res = BLESMPServer.pairing_request() if hci_res: pairing_procedure = True # Pairing request pkt = BTLE(access_addr=access_address) / BTLE_DATA( ) / L2CAP_Hdr() / HCI_Hdr(hci_res)[SM_Hdr] driver.send(pkt) elif pairing_procedure and SM_Hdr in pkt: # Handle pairing response and so on smp_answer = BLESMPServer.send_hci( raw(HCI_Hdr() / HCI_ACL_Hdr() / L2CAP_Hdr() / pkt[SM_Hdr])) if smp_answer is not None and isinstance(smp_answer, list): for res in smp_answer: