def scan_timeout():
global connecting, slave_addr_type
connecting = False
scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ(
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout)
def scan_timeout():
connecting = False
end_connection = False
scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address,
AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', 3, scan_timeout)
def scan_timeout():
global received_version_ind
received_version_ind = False
scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address,
AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', 2, scan_timeout)
def crash_timeout():
global slave_ever_connected
if slave_ever_connected == True:
print(Fore.RED + "No advertisement from " +
advertiser_address.upper() +
' received\nThe device may have crashed!!!')
driver.save_pcap()
start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout)
def scan_timeout():
global timeout_scan, connecting
connecting = False
if not slave_connected:
scan_req = BTLE() / BTLE_ADV(RxAdd=slave_txaddr) / BTLE_SCAN_REQ(
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req, force_pcap_save=True)
start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout)
def scan_timeout():
global connecting, switch_length_pkt, slave_addr_type
scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ(
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req)
connecting = False
start_timeout('scan_timeout', 2, scan_timeout)
if switch_length_pkt:
switch_length_pkt = 0
else:
switch_length_pkt = 1
def scan_timeout():
global encryption_enabled
global connecting
connecting = False
encryption_enabled = False
start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout)
start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout)
print(Fore.YELLOW + 'Peripheral timed out (' + str(SCAN_TIMEOUT) +
's). Retrying...')
scan_req = BTLE() / BTLE_ADV(RxAdd=slave_txaddr) / BTLE_SCAN_REQ(
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req)
def check_pulse_via_scan(driver, master_address, advertiser_address):
global crash_timeout_fired
crash_timeout_fired = False
def crash_timeout():
global crash_timeout_fired
log.error('Device not discovered during scan. Presumed dead....')
crash_timeout_fired = True
scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address,
AdvA=advertiser_address)
# Yes, we're sending raw link layer messages in Python. Don't tell anyone as this is forbidden!!!
log.info('Waiting activity from ' + advertiser_address)
driver.send(scan_req)
start_timeout('crash_timeout', 7, crash_timeout)
# Internal vars
none_count = 0
# verify alive
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
log.error('NRF52 Dongle not detected')
sys.exit(0)
continue
# log.debug("Slave RX <--- " + pkt.summary()[7:])
if (BTLE_SCAN_RSP in pkt
and pkt.AdvA == advertiser_address.lower()) or (BTLE_DATA
in pkt):
log.debug("Slave RX <--- " + pkt.summary()[7:])
log.info('Still kicking!!!')
disable_timeout('crash_timeout')
return True
if crash_timeout_fired:
log.error("No activity from device. Presumed dead....")
return False
def scan_timeout():
global run_script, switch_pairing, connecting, encryption_enabled, enc_start_index, version_received, end_connection
end_connection = False
encryption_enabled = False
version_received = False
if switch_pairing and not enable_secure_connections:
change_pairing()
if not final_test:
scan_req = BTLE() / BTLE_ADV(RxAdd=slave_txaddr) / BTLE_SCAN_REQ(
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout)
else:
run_script = False
def check_pulse_via_mtu_exchange(driver, access_address):
global crash_timeout_fired
crash_timeout_fired = False
def crash_timeout():
global crash_timeout_fired
log.error('Device did not answer to MTU Request. Presumed dead....')
crash_timeout_fired = True
# Here we send a key size with 253, which is way higher than the usual 16 bytes for the pairing procedure
att_mtu_req = BTLE(access_addr=access_address) / BTLE_DATA() / L2CAP_Hdr(
) / ATT_Hdr() / ATT_Exchange_MTU_Request(mtu=247)
# Yes, we're sending raw link layer messages in Python. Don't tell anyone as this is forbidden!!!
log.info('Waiting for activity')
driver.send(att_mtu_req) # Send mtu request 1 time
start_timeout('crash_timeout', 7, crash_timeout)
# Internal vars
none_count = 0
# verify alive
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
log.error('NRF52 Dongle not detected')
sys.exit(0)
continue
# log.debug("Slave RX <--- " + pkt.summary()[7:])
if ATT_Exchange_MTU_Response in pkt and pkt.access_addr == access_address:
log.debug("Slave RX <--- " + pkt.summary()[7:])
log.info('Still kicking!!!')
disable_timeout('crash_timeout')
return True
if crash_timeout_fired:
log.error("No activity from device. Presumed dead....")
return False
def scan_timeout():
global connecting, miss_connections, slave_addr_type
scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ(
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', 2, scan_timeout)
if connecting:
connecting = False
miss_connections += 1
if miss_connections >= 2:
miss_connections = 0
print(
Fore.RED + 'Something wrong is happening\n'
'We are receiving advertisements but no connection is possible\n'
'Check if the connection parameters are allowed by peripheral\n'
'or optionally check if device works normally with a mobile app again.'
)
def send_pairing_request():
global access_address, pairing_iocap, paring_auth_request, master_address, advertiser_address
if enable_secure_connections is False:
paring_auth_request = 0x01
else:
paring_auth_request = 0x01 | 0x08 # Secure connections
master_address_raw = ''.join(map(lambda x: chr(int(x, 16)), master_address.split(':')))
slave_address_raw = ''.join(map(lambda x: chr(int(x, 16)), advertiser_address.split(':')))
BLESMPServer.set_pin_code('\x00' * 4)
BLESMPServer.configure_connection(master_address_raw, slave_address_raw, 0,
pairing_iocap, paring_auth_request)
hci_res = BLESMPServer.pairing_request()
if hci_res:
# Pairing request
pkt = BTLE(access_addr=access_address) / BTLE_DATA() / L2CAP_Hdr() / HCI_Hdr(hci_res)[SM_Hdr]
driver.send(pkt)
start_timeout('smp_timeout', SMP_TIMEOUT, smp_timeout)
ScanA=master_address,
AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', 2, scan_timeout)
# Open serial port of NRF52 Dongle
driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, \
pcap_filename=os.path.basename(__file__).split('.')[0] + '.pcap')
# Send scan request
scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(
ScanA=master_address,
AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', 2, scan_timeout)
print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address)
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
print(Fore.RED + 'NRF52 Dongle not detected')
sys.exit(0)
def scan_timeout():
scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(
ScanA=master_address,
AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', 2, scan_timeout)
initiator_key_distribution=0x07,
responder_key_distribution=0x07)
driver.send(pairing_req)
# Open serial port of NRF52 Dongle
driver = NRF52Dongle(serial_port,
'115200',
logs_pcap=True,
pcap_filename='knob_ble_tester.pcap')
# Send scan request
scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address,
AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout)
print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address)
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data) # Receive plain text Link Layer
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
print(Fore.RED + 'NRF52 Dongle not detected')
sys.exit(0)
driver = NRF52Dongle(serial_port,
'115200',
logs_pcap=True,
pcap_filename=script_folder +
'/../logs/non_compliance_data_during_enc_setup.pcap')
except Exception as e:
print(Fore.RED + str(e))
print(Fore.RED +
'Make sure the nRF52 dongle is properly recognized by your computer')
exit(0)
# Send scan request
scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ(ScanA=master_address,
AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout)
start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout)
print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address)
while run_script:
pkt = None
# Receive packet from the NRF52 Dongle
data = driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
if encryption_enabled:
pkt = BTLE(data)
pkt = receive_encrypted(pkt) # Decrypt Link Layer
else:
pkt = BTLE(data) # Receive plain text Link Layer
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', 3, scan_timeout)
# Open serial port of NRF52 Dongle
driver = NRF52Dongle(serial_port,
'115200',
logs_pcap=True,
pcap_filename='Microchip_invalid_lcap_fragment.pcap')
# Send scan request
scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ(
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', 3, scan_timeout)
start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout)
print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address)
att_start_address = 0x0001
connection_idle_counter = 0
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
else:
print(
Fore.RED + "Peripheral seems unresponsive (deadlock).\n"
"Check if you can connect to the peripheral by other means (i.g., mobile app)"
)
run_script = False
# Open serial port of NRF52 Dongle
driver = NRF52Dongle(serial_port, '115200')
# Send scan request
scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ(
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', 2, scan_timeout)
print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address)
while run_script:
pkt = None
# Receive packet from the NRF52 Dongle
data = driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
print(Fore.RED + 'NRF52 Dongle not detected')
sys.exit(0)
else:
fragment_start = False
return pkt
# Open serial port of NRF52 Dongle
driver = NRF52Dongle(serial_port,
'115200',
logs_pcap=True,
pcap_filename='zero_ltk_capture.pcap')
# Send scan request
scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ(
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout)
print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address)
while run_script:
pkt = None
# Receive packet from the NRF52 Dongle
data = driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
if encryption_enabled:
pkt = BTLE(data)
pkt = receive_encrypted(pkt) # Decrypt Link Layer
else:
pkt = BTLE(data) # Receive plain text Link Layer
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
global connecting, slave_addr_type
connecting = False
scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ(
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', 2, scan_timeout)
# Open serial port of NRF52 Dongle
driver = NRF52Dongle(serial_port, '115200')
# Send scan request
scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ(
ScanA=master_address, AdvA=advertiser_address)
driver.send(scan_req)
start_timeout('scan_timeout', 2, scan_timeout)
print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address)
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
print(Fore.RED + 'NRF52 Dongle not detected')
sys.exit(0)
def connect(driver, master_address, advertiser_address, access_address):
# Internal vars
none_count = 0
end_connection = False
connecting = False
global adv_timeout_fired
adv_timeout_fired = False
def adv_timeout():
global adv_timeout_fired
log.error('Device not discovered during scan')
adv_timeout_fired = True
# Send scan request
scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address,
AdvA=advertiser_address)
driver.send(scan_req)
log.info('Scan Send')
start_timeout('adv_timeout', 10, adv_timeout)
while True:
if adv_timeout_fired:
return False
pkt = None
# Receive packet from the NRF52 Dongle
data = driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
log.error('NRF52 Dongle not detected')
sys.exit(0)
continue
elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt:
# Print slave data channel PDUs summary
log.debug("Slave RX <--- " + pkt.summary()[7:])
# --------------- Process Link Layer Packets here ------------------------------------
# Check if packet from advertised is received
if pkt and (BTLE_SCAN_RSP
in pkt) and pkt.AdvA == advertiser_address.lower():
disable_timeout('adv_timeout')
connecting = True
log.info(advertiser_address.upper() + ': ' +
pkt.summary()[7:] + ' Detected')
# Send connection request to advertiser
conn_request = BTLE(
) / BTLE_ADV(RxAdd=pkt.TxAdd, TxAdd=0) / BTLE_CONNECT_REQ(
InitA=master_address,
AdvA=advertiser_address,
AA=access_address, # Access address (any)
crc_init=0x179a9c, # CRC init (any)
win_size=
2, # 2.5 of windows size (anchor connection window size)
win_offset=
1, # 1.25ms windows offset (anchor connection point)
interval=16, # 20ms connection interval
latency=0, # Slave latency (any)
timeout=50, # Supervision timeout, 500ms (any)
chM=0x1FFFFFFFFF, # Any
hop=5, # Hop increment (any)
SCA=0, # Clock tolerance
)
# Yes, we're sending raw link layer messages in Python. Don't tell anyone as this is forbidden!!!
driver.send(conn_request)
elif BTLE_DATA in pkt and connecting == True:
connecting = False
log.info('Slave Connected (L2Cap channel established)')
return True
