def setUpClass(cls): c = config.loadConfig() attack='Dos' cls.comPortNRF = c['TESTBED']['COM_PORT_NRF'] cls.advertiser_address = c['TESTBED']['ADVERTISER_ADDRESS'] cls.master_address = c['TESTBED']['MASTER_ADDRESS'] cls.access_address = int(c['TESTBED']['ACCESS_ADDRESS'], 16) cls.connection = c['TESTBED']['CONNECTION_TO_DATABASE'] cls.version = c['TESTBED']['DATABASE_VERSION'] log.info('Advertiser Address: ' + cls.advertiser_address.upper()) # Open serial port of NRF52 Dongle cls.driver = NRF52Dongle(cls.comPortNRF, '115200') date = str(datetime.datetime.today()).split()[0].encode('ascii', 'ignore') # Chooce from test.conf file type of database to insert data if str(c['TESTBED']['DATABASE_VERSION']) == 'SQL': insert_data_to_link_layer_tests(cls.advertiser_address, cls.master_address, cls.access_address, date, attack, cls.comPortNRF) elif str(c['TESTBED']['DATABASE_VERSION']) == 'MONGODB': client = insert_data_to_collection_info_tests(attack) close_connection_to_database(client) elif str(c['TESTBED']['DATABASE_VERSION']) == 'BOTH': insert_data_to_link_layer_tests(cls.advertiser_address, cls.master_address, cls.access_address, date, attack, cls.comPortNRF) client = insert_data_to_collection_info_tests(attack) close_connection_to_database(client) else: print('Continue with no database') pass
def setUp(self): c = config.loadConfig() attack='Silent Length Overflow' self.master_address = '5d:36:ac:90:0b:22' self.access_address = 0x9a328370 self.comPortNRF = c['TESTBED']['COM_PORT_NRF'] self.advertiser_address = c['TESTBED']['ADVERTISER_ADDRESS'] self.connection = c['TESTBED']['CONNECTION_TO_DATABASE'] log.info('Advertiser Address: ' + self.advertiser_address.upper()) # Open serial port of NRF52 Dongle self.driver = NRF52Dongle(self.comPortNRF, '115200') self.crash_timeout_flag = False date = str(datetime.datetime.today()).split()[0].encode('ascii', 'ignore') # Choose from test.conf file type of database to insert data if str(c['TESTBED']['DATABASE_VERSION']) == 'SQL': insert_data_to_link_layer_tests(self.advertiser_address, self.master_address, self.access_address, date, attack, self.comPortNRF) elif str(c['TESTBED']['DATABASE_VERSION']) == 'MONGODB': client = insert_data_to_collection_info_tests(attack) close_connection_to_database(client) elif str(c['TESTBED']['DATABASE_VERSION']) == 'BOTH': insert_data_to_link_layer_tests(self.advertiser_address, self.master_address, self.access_address, date, attack, self.comPortNRF) client = insert_data_to_collection_info_tests(attack) close_connection_to_database(client) else: print('Continue with no database') pass
def change_pairing(): global switch_pairing, enable_secure_connections, enc_start_index_max, enable_anomaly switch_pairing = False print(Fore.GREEN + "[!] Tests with legacy pairing finished," " switching to Secure Connections on next connection") enable_secure_connections = True enc_start_index_max = 0 enable_anomaly = False # Open serial port of NRF52 Dongle try: driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename=script_folder + '/../logs/non_compliance_data_during_enc_setup.pcap') except Exception as e: print(Fore.RED + str(e)) print(Fore.RED + 'Make sure the nRF52 dongle is properly recognized by your computer') exit(0) # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout)
start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout) def scan_timeout(): global connecting, end_connection, slave_addr_type connecting = False end_connection = False scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 3, scan_timeout) # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename='Microchip_invalid_lcap_fragment.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 3, scan_timeout) start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) att_start_address = 0x0001 connection_idle_counter = 0
def scan_timeout(): if not slave_connected: scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) send(scan_req) timeout_scan = Timer(5, scan_timeout) timeout_scan.daemon = True timeout_scan.start() # Default master address master_address = '5d:36:ac:90:0b:22' access_address = 0x9a328370 # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200') # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) send(scan_req) # Start the scan timeout to resend packets timeout_scan = Timer(5, scan_timeout) timeout_scan.daemon = True timeout_scan.start() timeout = Timer(5.0, crash_timeout) timeout.daemon = True timeout.start() c = False print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address)
conn_request.hop = 0 send(scan_req) timeout_scan = Timer(2.0, scan_timeout) timeout_scan.daemon = True timeout_scan.start() # Default master address master_address = '5d:36:ac:90:0b:22' access_address = 0x9a328370 # Open serial port of NRF52 Dongle driver = NRF52Dongle( serial_port, '115200', logs_pcap=True, pcap_filename='Microchip_and_others_non_compliant_connection.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) send(scan_req) # Start the scan timeout to resend packets timeout_scan = Timer(2.0, scan_timeout) timeout_scan.daemon = True timeout_scan.start() timeout = Timer(5.0, crash_timeout) timeout.daemon = True timeout.start()
if not slave_connected: scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) send(scan_req) timeout_scan = Timer(5, scan_timeout) timeout_scan.daemon = True timeout_scan.start() # Default master address master_address = '5d:36:ac:90:0b:22' access_address = 0x9a328370 # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename='CC2540_connection_req_crash.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) send(scan_req) # Start the scan timeout to resend packets timeout_scan = Timer(5, scan_timeout) timeout_scan.daemon = True timeout_scan.start() timeout = Timer(5.0, crash_timeout) timeout.daemon = True timeout.start() c = False
fragment += raw(pkt[BTLE_DATA].payload) if pkt[BTLE_DATA].len >= fragment_left: fragment_start = False pkt = BTLE(fragment + '\x00\x00\x00') pkt.len = len(pkt[BTLE_DATA].payload) # update ble header length return pkt else: return None else: fragment_start = False return pkt # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename='zero_ltk_capture.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) while run_script: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data
def send_pairing_request(): pairing_req = BTLE(access_addr=access_address) / BTLE_DATA() / L2CAP_Hdr( ) / SM_Hdr() / SM_Pairing_Request(iocap=pairing_iocap, oob=0, authentication=paring_auth_request, max_key_size=current_key_size, initiator_key_distribution=0x07, responder_key_distribution=0x07) driver.send(pairing_req) # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename='knob_ble_tester.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) while True: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data
def scan_timeout(): global timeout_scan, connecting connecting = False if not slave_connected: scan_req = BTLE() / BTLE_ADV(RxAdd=slave_txaddr) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req, force_pcap_save=True) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename='logs/zephyr_invalid_sequence.pcap') driver.set_log_tx(1) # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req, force_pcap_save=True) # Start the scan timeout to resend packets start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) while run_script: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive()
fragment_start = False pkt = BTLE(fragment + '\x00\x00\x00') pkt.len = len(pkt[BTLE_DATA].payload) # update ble header length return pkt else: return None else: fragment_start = False return pkt # Open serial port of NRF52 Dongle try: driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename=script_folder + '/../logs/dhcheck_skip_capture.pcap') except Exception as e: print(Fore.RED + str(e)) print(Fore.RED + 'Make sure the nRF52 dongle is properly recognized by your computer') exit(0) # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=slave_txaddr) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address)
conn_rx_packet_counter += 1 try: mic = raw_pkt[6 + length:-3] # Get mic from payload and exclude crc aes.verify(mic) return BTLE(aa + chr(header) + chr(length) + dec_pkt + b'\x00\x00\x00') except Exception as e: print(Fore.RED + "MIC Wrong: " + str(e)) return BTLE(aa + chr(header) + chr(length) + dec_pkt + b'\x00\x00\x00') # Open serial port of NRF52 Dongle try: driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename=script_folder + '/../logs/non_compliance_nonzero_ediv_rand.pcap') except Exception as e: print(Fore.RED + str(e)) print(Fore.RED + 'Make sure the nRF52 dongle is properly recognized by your computer') exit(0) # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout)
scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) send(scan_req) timeout_scan = Timer(5, scan_timeout) timeout_scan.daemon = True timeout_scan.start() already_connected = False # Default master address master_address = '5d:36:ac:90:0b:22' access_address = 0x9a328370 # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename='CC2540_truncated_connection_success.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) send(scan_req) # Start the scan timeout to resend packets timeout_scan = Timer(5, scan_timeout) timeout_scan.daemon = True timeout_scan.start() timeout = Timer(5.0, crash_timeout) timeout.daemon = True timeout.start() c = False
print(Fore.RED + "No advertisement from " + advertiser_address.upper() + ' received\nThe device may have crashed!!!') driver.save_pcap() disable_timeout('scan_timeout') def scan_timeout(): scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 2, scan_timeout) # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, \ pcap_filename=os.path.basename(__file__).split('.')[0] + '.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 2, scan_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) while True: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data
def change_pairing(): global switch_pairing, enable_secure_connections, enc_start_index_max, enable_anomaly switch_pairing = False print(Fore.GREEN + "[!] Tests with legacy pairing finished," " switching to Secure Connections on next connection") enable_secure_connections = True enc_start_index_max = 0 enable_anomaly = False # Open serial port of NRF52 Dongle try: driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename=script_folder + '/../logs/anomaly_unexpected_encryption_start.pcap') except Exception as e: print(Fore.RED + str(e)) print(Fore.RED + 'Make sure the nRF52 dongle is properly recognized by your computer') exit(0) # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout)
global timeout_scan, connecting connecting = False if not slave_connected: scan_req = BTLE() / BTLE_ADV(RxAdd=slave_txaddr) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) timeout_scan = Timer(2.0, scan_timeout) timeout_scan.daemon = True timeout_scan.start() # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename='logs/invalid_channel_map.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) # Start the scan timeout to resend packets timeout_scan = Timer(2.0, scan_timeout) timeout_scan.daemon = True timeout_scan.start() timeout = Timer(5.0, crash_timeout) timeout.daemon = True timeout.start()
dec_pkt = aes.decrypt(raw_pkt[6:-4 - 3]) # get payload and exclude 3 bytes of crc conn_rx_packet_counter += 1 try: mic = raw_pkt[6 + length:-3] # Get mic from payload and exclude crc aes.verify(mic) return BTLE(aa + chr(header) + chr(length) + dec_pkt + '\x00\x00\x00') except Exception as e: print(Fore.RED + "MIC Wrong: " + e) return BTLE(aa + chr(header) + chr(length) + dec_pkt + '\x00\x00\x00') # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename='logs/esp32_hci_desync.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) while run_script: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data