def scan_timeout(): global connecting, slave_addr_type connecting = False scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout)
def scan_timeout(): connecting = False end_connection = False scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 3, scan_timeout)
def scan_timeout(): global received_version_ind received_version_ind = False scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 2, scan_timeout)
def crash_timeout(): global slave_ever_connected if slave_ever_connected == True: print(Fore.RED + "No advertisement from " + advertiser_address.upper() + ' received\nThe device may have crashed!!!') driver.save_pcap() start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout)
def scan_timeout(): global timeout_scan, connecting connecting = False if not slave_connected: scan_req = BTLE() / BTLE_ADV(RxAdd=slave_txaddr) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req, force_pcap_save=True) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout)
def scan_timeout(): global connecting, switch_length_pkt, slave_addr_type scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) connecting = False start_timeout('scan_timeout', 2, scan_timeout) if switch_length_pkt: switch_length_pkt = 0 else: switch_length_pkt = 1
def scan_timeout(): global encryption_enabled global connecting connecting = False encryption_enabled = False start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout) print(Fore.YELLOW + 'Peripheral timed out (' + str(SCAN_TIMEOUT) + 's). Retrying...') scan_req = BTLE() / BTLE_ADV(RxAdd=slave_txaddr) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req)
def check_pulse_via_scan(driver, master_address, advertiser_address): global crash_timeout_fired crash_timeout_fired = False def crash_timeout(): global crash_timeout_fired log.error('Device not discovered during scan. Presumed dead....') crash_timeout_fired = True scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) # Yes, we're sending raw link layer messages in Python. Don't tell anyone as this is forbidden!!! log.info('Waiting activity from ' + advertiser_address) driver.send(scan_req) start_timeout('crash_timeout', 7, crash_timeout) # Internal vars none_count = 0 # verify alive while True: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: log.error('NRF52 Dongle not detected') sys.exit(0) continue # log.debug("Slave RX <--- " + pkt.summary()[7:]) if (BTLE_SCAN_RSP in pkt and pkt.AdvA == advertiser_address.lower()) or (BTLE_DATA in pkt): log.debug("Slave RX <--- " + pkt.summary()[7:]) log.info('Still kicking!!!') disable_timeout('crash_timeout') return True if crash_timeout_fired: log.error("No activity from device. Presumed dead....") return False
def scan_timeout(): global run_script, switch_pairing, connecting, encryption_enabled, enc_start_index, version_received, end_connection end_connection = False encryption_enabled = False version_received = False if switch_pairing and not enable_secure_connections: change_pairing() if not final_test: scan_req = BTLE() / BTLE_ADV(RxAdd=slave_txaddr) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) else: run_script = False
def check_pulse_via_mtu_exchange(driver, access_address): global crash_timeout_fired crash_timeout_fired = False def crash_timeout(): global crash_timeout_fired log.error('Device did not answer to MTU Request. Presumed dead....') crash_timeout_fired = True # Here we send a key size with 253, which is way higher than the usual 16 bytes for the pairing procedure att_mtu_req = BTLE(access_addr=access_address) / BTLE_DATA() / L2CAP_Hdr( ) / ATT_Hdr() / ATT_Exchange_MTU_Request(mtu=247) # Yes, we're sending raw link layer messages in Python. Don't tell anyone as this is forbidden!!! log.info('Waiting for activity') driver.send(att_mtu_req) # Send mtu request 1 time start_timeout('crash_timeout', 7, crash_timeout) # Internal vars none_count = 0 # verify alive while True: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: log.error('NRF52 Dongle not detected') sys.exit(0) continue # log.debug("Slave RX <--- " + pkt.summary()[7:]) if ATT_Exchange_MTU_Response in pkt and pkt.access_addr == access_address: log.debug("Slave RX <--- " + pkt.summary()[7:]) log.info('Still kicking!!!') disable_timeout('crash_timeout') return True if crash_timeout_fired: log.error("No activity from device. Presumed dead....") return False
def scan_timeout(): global connecting, miss_connections, slave_addr_type scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 2, scan_timeout) if connecting: connecting = False miss_connections += 1 if miss_connections >= 2: miss_connections = 0 print( Fore.RED + 'Something wrong is happening\n' 'We are receiving advertisements but no connection is possible\n' 'Check if the connection parameters are allowed by peripheral\n' 'or optionally check if device works normally with a mobile app again.' )
def send_pairing_request(): global access_address, pairing_iocap, paring_auth_request, master_address, advertiser_address if enable_secure_connections is False: paring_auth_request = 0x01 else: paring_auth_request = 0x01 | 0x08 # Secure connections master_address_raw = ''.join(map(lambda x: chr(int(x, 16)), master_address.split(':'))) slave_address_raw = ''.join(map(lambda x: chr(int(x, 16)), advertiser_address.split(':'))) BLESMPServer.set_pin_code('\x00' * 4) BLESMPServer.configure_connection(master_address_raw, slave_address_raw, 0, pairing_iocap, paring_auth_request) hci_res = BLESMPServer.pairing_request() if hci_res: # Pairing request pkt = BTLE(access_addr=access_address) / BTLE_DATA() / L2CAP_Hdr() / HCI_Hdr(hci_res)[SM_Hdr] driver.send(pkt) start_timeout('smp_timeout', SMP_TIMEOUT, smp_timeout)
ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 2, scan_timeout) # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, \ pcap_filename=os.path.basename(__file__).split('.')[0] + '.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 2, scan_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) while True: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: print(Fore.RED + 'NRF52 Dongle not detected') sys.exit(0)
def scan_timeout(): scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 2, scan_timeout)
initiator_key_distribution=0x07, responder_key_distribution=0x07) driver.send(pairing_req) # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename='knob_ble_tester.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) while True: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # Receive plain text Link Layer # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: print(Fore.RED + 'NRF52 Dongle not detected') sys.exit(0)
driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename=script_folder + '/../logs/non_compliance_data_during_enc_setup.pcap') except Exception as e: print(Fore.RED + str(e)) print(Fore.RED + 'Make sure the nRF52 dongle is properly recognized by your computer') exit(0) # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) while run_script: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data if encryption_enabled: pkt = BTLE(data) pkt = receive_encrypted(pkt) # Decrypt Link Layer else: pkt = BTLE(data) # Receive plain text Link Layer
ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 3, scan_timeout) # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename='Microchip_invalid_lcap_fragment.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 3, scan_timeout) start_timeout('crash_timeout', CRASH_TIMEOUT, crash_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) att_start_address = 0x0001 connection_idle_counter = 0 while True: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data)
else: print( Fore.RED + "Peripheral seems unresponsive (deadlock).\n" "Check if you can connect to the peripheral by other means (i.g., mobile app)" ) run_script = False # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200') # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 2, scan_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) while run_script: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: print(Fore.RED + 'NRF52 Dongle not detected') sys.exit(0)
else: fragment_start = False return pkt # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200', logs_pcap=True, pcap_filename='zero_ltk_capture.pcap') # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', SCAN_TIMEOUT, scan_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) while run_script: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data if encryption_enabled: pkt = BTLE(data) pkt = receive_encrypted(pkt) # Decrypt Link Layer else: pkt = BTLE(data) # Receive plain text Link Layer # if packet is incorrectly decoded, you may not be using the dongle if pkt is None:
global connecting, slave_addr_type connecting = False scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 2, scan_timeout) # Open serial port of NRF52 Dongle driver = NRF52Dongle(serial_port, '115200') # Send scan request scan_req = BTLE() / BTLE_ADV(RxAdd=slave_addr_type) / BTLE_SCAN_REQ( ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) start_timeout('scan_timeout', 2, scan_timeout) print(Fore.YELLOW + 'Waiting advertisements from ' + advertiser_address) while True: pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: print(Fore.RED + 'NRF52 Dongle not detected') sys.exit(0)
def connect(driver, master_address, advertiser_address, access_address): # Internal vars none_count = 0 end_connection = False connecting = False global adv_timeout_fired adv_timeout_fired = False def adv_timeout(): global adv_timeout_fired log.error('Device not discovered during scan') adv_timeout_fired = True # Send scan request scan_req = BTLE() / BTLE_ADV() / BTLE_SCAN_REQ(ScanA=master_address, AdvA=advertiser_address) driver.send(scan_req) log.info('Scan Send') start_timeout('adv_timeout', 10, adv_timeout) while True: if adv_timeout_fired: return False pkt = None # Receive packet from the NRF52 Dongle data = driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: log.error('NRF52 Dongle not detected') sys.exit(0) continue elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt: # Print slave data channel PDUs summary log.debug("Slave RX <--- " + pkt.summary()[7:]) # --------------- Process Link Layer Packets here ------------------------------------ # Check if packet from advertised is received if pkt and (BTLE_SCAN_RSP in pkt) and pkt.AdvA == advertiser_address.lower(): disable_timeout('adv_timeout') connecting = True log.info(advertiser_address.upper() + ': ' + pkt.summary()[7:] + ' Detected') # Send connection request to advertiser conn_request = BTLE( ) / BTLE_ADV(RxAdd=pkt.TxAdd, TxAdd=0) / BTLE_CONNECT_REQ( InitA=master_address, AdvA=advertiser_address, AA=access_address, # Access address (any) crc_init=0x179a9c, # CRC init (any) win_size= 2, # 2.5 of windows size (anchor connection window size) win_offset= 1, # 1.25ms windows offset (anchor connection point) interval=16, # 20ms connection interval latency=0, # Slave latency (any) timeout=50, # Supervision timeout, 500ms (any) chM=0x1FFFFFFFFF, # Any hop=5, # Hop increment (any) SCA=0, # Clock tolerance ) # Yes, we're sending raw link layer messages in Python. Don't tell anyone as this is forbidden!!! driver.send(conn_request) elif BTLE_DATA in pkt and connecting == True: connecting = False log.info('Slave Connected (L2Cap channel established)') return True