Matheus-Garbelini / esp32_bluetooth_classic_sniffer

License: GPL-2.0
Active Bluetooth BR/EDR Sniffer/Injector as cheap as any ESP32 board can get. Works with Scapy ;-)

BrakTooth ESP32 BR/EDR Active Sniffer/Injector

Simple "Monitor mode" for Bluetooth Classic. Sniff or inject BR/EDR Baseband packets in ESP32 BT connections.

This is a reverse-engineered active BR/EDR sniffer and ESP32 patching framework, which can be used to explore the Bluetooth (BT) BR/EDR interaction between the ESP32 controller and a remote target.

Unlike passive sniffers, which do not interact with the BT network (piconet), the active sniffer connects itself to the remote BT device (the BR/EDR target) and allows testing the BT protocol down to the Baseband layer while being guided by a BT host stack such as BlueKitchen. The BrakTooth sniffer supports cheap boards such as the ESP32-DOIT ($4) or the ESP32-DevKitC ($10).

Simplified Setup Overview

(figure: poc_setup, simplified setup overview)

1) Installation

A. Install Linux requirements (Ubuntu 18.04 / 20.04)
git clone https://github.com/Matheus-Garbelini/esp32_bluetooth_classic_sniffer
cd esp32_bluetooth_classic_sniffer
./requirements.sh  # (sudo required) Installs latest Wireshark and a standalone python3 runtime
./build.sh         # Build BT Host programs and the Wireshark h4bcm dissector
B. Flash custom firmware to ESP32

Before starting to use BrakTooth Sniffer, you need to upload a custom firmware to your ESP32 board:

./firmware.py flash /dev/ttyUSB0 # Change ttyUSB0 to match your port name

2) Usage Instructions

Usage: BTSnifferBREDR.py [OPTIONS]
Options:
  --port TEXT       Serial port name (/dev/ttyUSBx for Linux)
  --host TEXT       BDAddress of local host (default: E0:D4:E8:19:C7:68)
  --target TEXT     BDAddress of remote target (ex: a8:96:75:25:c2:ac)
  --live-wireshark  Opens Wireshark live session
  --live-terminal   Show a summary of each packet on terminal
  --bridge-only     Starts the HCI bridge without connecting any BT Host stack
  --help            Show this message and exit.

You can start the sniffer in either the master or the slave role. If you add the --target argument, the sniffer will attempt a connection to your remote target. Otherwise, it will just wait for someone to connect to it.

Lastly, --bridge-only only creates the HCI pseudo terminal (/dev/pts/x) so that the ESP32 can operate as a standard HCI BT controller. You can use this feature to connect any other BT host stack to the ESP32.

Example 1 - Connect to remote target (Master Role)
./BTSnifferBREDR.py --port=/dev/ttyUSB0 --target=E0:D4:E8:19:C7:69 --live-terminal --live-wireshark

(figure: mode_master)

Example 2 - Wait for BT connection (Slave Role)
./BTSnifferBREDR.py --port=/dev/ttyUSB0 --live-terminal --live-wireshark

Example 3 - HCI Bridge Mode (connect with other BT Host stack)
./BTSnifferBREDR.py --port=/dev/ttyUSB0 --bridge-only --live-terminal --live-wireshark

(figure: mode_bridge_only)

3) Compile firmware from source (ESP32 Patching Framework)

The source code can be built directly from the ESP32 Firmware Patching Framework repository as follows:

cd firmware
./build_from_source.sh # clone submodule & build firmware with platformio environment 'sniffer-serial'
./firmware.py flash <serial port> # flash built firmware to ESP32 via serial port

The ESP32 firmware binaries (firmware.bin, bootloader.bin, partitions.bin) are copied to the firmware folder upon a successful build. Then, you can proceed to flash the firmware as described in step 1.B).

4) Customising BT Host programs (Profiles)

Since BrakTooth sniffer uses a BT host stack to guide connectivity, the following modified BlueKitchen examples are used:

  • host_stack/sdp_rfcomm_query - This program initiates a connection with the slave device and attempts to perform SDP scanning and pairing.
  • host_stack/spp_counter - This program waits for connections and establishes an SPP (Serial Port Profile) connection with the master device.

You can modify or add BT profiles to the current programs by following the official BlueKitchen documentation. Note that the folder host_stack/bluekitchen/example/ already contains some profile examples.

Software Architecture of BrakTooth Sniffer

(figure: arch, software architecture)

The custom ESP32 BR/EDR Sniffer/Injector firmware communicates with the host system over a USB serial port and waits to receive either custom commands or HCI commands. At startup, an HCI bridge is created to separate the BrakTooth custom protocol from the standard HCI commands and events exchanged with the ESP32. Once the "RX/TX Sniffer" feature is enabled in the ESP32 firmware, Baseband packets are forwarded directly to the BTSnifferBREDR.py script, which decodes the sniffed packets carried over the custom protocol, prints them via Scapy and/or dumps them to Wireshark through a live capture, and writes them to the logs folder.
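The bridge described above has to split one serial byte stream into two consumers: standard HCI traffic that goes to the pseudo terminal, and custom-protocol frames that go to the sniffer script. The following Python is an added example of that demultiplexing and is not the project's own bridge code. It relies on the standard HCI H4 framing (a one-byte packet type indicator followed by a header that contains the length field); the CUSTOM indicator byte 0xFE and its (type, 16-bit little-endian length, payload) layout are assumptions made for the example, not the ESP32 firmware's real wire format, and the traffic in demo() is constructed.

```python
"""Demultiplex a serial byte stream into HCI H4 frames and custom-protocol frames.

H4 framing (Bluetooth Core spec, Vol 4, Part A) prefixes every HCI packet with a
packet type indicator; each type has a fixed header that tells us where the
length field is, so frames can be delimited even when the serial driver hands
them over in arbitrary chunks.  The CUSTOM indicator and its layout are an
ASSUMPTION for this example, not the firmware's real protocol.
"""

H4_CMD, H4_ACL, H4_SCO, H4_EVT = 0x01, 0x02, 0x03, 0x04
CUSTOM = 0xFE  # assumed indicator for the sniffer's own protocol

# indicator -> (header length incl. indicator, offset of length field, length field size)
_LAYOUT = {
    H4_CMD: (4, 3, 1),  # 01 | opcode(2)        | plen(1)
    H4_ACL: (5, 3, 2),  # 02 | handle+flags(2)  | dlen(2)
    H4_SCO: (4, 3, 1),  # 03 | handle+flags(2)  | dlen(1)
    H4_EVT: (3, 2, 1),  # 04 | event code(1)    | plen(1)
    CUSTOM: (3, 1, 2),  # FE | len(2)           (assumed layout)
}


class Bridge:
    """Stateful demultiplexer: feed() arbitrary chunks; complete frames land in
    self.hci (to be written to the HCI pseudo terminal) or self.custom."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.hci = []      # complete H4 frames, indicator byte included
        self.custom = []   # custom-protocol payloads, indicator and length stripped
        self.dropped = 0   # bytes discarded while resynchronising

    def feed(self, chunk: bytes) -> None:
        self.buf += chunk
        while self.buf:
            layout = _LAYOUT.get(self.buf[0])
            if layout is None:
                # Unknown indicator: drop one byte and try to resync on the next.
                # (A garbage byte that happens to equal 0x01..0x04 would still
                # mislead us; a real bridge would want a checksum on custom frames.)
                del self.buf[0]
                self.dropped += 1
                continue
            hdr_len, len_off, len_sz = layout
            if len(self.buf) < hdr_len:
                return  # not enough bytes yet to know the frame length
            plen = int.from_bytes(self.buf[len_off:len_off + len_sz], "little")
            total = hdr_len + plen
            if len(self.buf) < total:
                return  # frame incomplete, wait for the next chunk
            frame = bytes(self.buf[:total])
            del self.buf[:total]
            if frame[0] == CUSTOM:
                self.custom.append(frame[hdr_len:])
            else:
                self.hci.append(frame)


def hci_event(code: int, params: bytes) -> bytes:
    """Build an H4 HCI event frame (used here only to construct test traffic)."""
    return bytes([H4_EVT, code, len(params)]) + params


def custom_frame(payload: bytes) -> bytes:
    """Build a frame of the assumed custom protocol."""
    return bytes([CUSTOM]) + len(payload).to_bytes(2, "little") + payload


def demo() -> Bridge:
    """Constructed traffic: a Command Complete event for HCI_Reset (opcode 0x0C03,
    status 0), one custom frame, a stray garbage byte, and a Command Status event,
    delivered in 5-byte chunks so that every frame is cut in the middle."""
    reset_done = hci_event(0x0E, bytes([1, 0x03, 0x0C, 0x00]))
    sniffed = custom_frame(b"\xaa\xbb\xcc")
    status = hci_event(0x0F, bytes([0x00, 0x01, 0x05, 0x04]))
    stream = reset_done + sniffed + b"\x99" + status
    bridge = Bridge()
    for i in range(0, len(stream), 5):
        bridge.feed(stream[i:i + 5])
    return bridge


if __name__ == "__main__":
    b = demo()
    print(f"{len(b.hci)} HCI frames, {len(b.custom)} custom frames, {b.dropped} byte(s) dropped")
```

The same loop, driven by reads from the serial port and writing each HCI frame to the pty created with --bridge-only, is all the host needs so that a stock host stack never sees the custom frames.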

Features Overview

(figure: firmware_design)

  • RX/TX Sniffer: Dumps Baseband packets and forwards them to the host. Supported packets:
    • Baseband Header
    • NULL/POLL from remote target
    • FHS (no scapy layer for now)
    • EIR (no dissection for now)
    • ACL Header
    • LMP
  • TX Interception: This allows the host PC to modify TX packets in real time before they are transmitted over the air by the ESP32. It requires, however, an ESP32 board with a high-speed USB interface such as ESP-PROG or ESP-WROVER-KIT. Both have an FTDI FT2232H USB-to-UART controller, which reduces USB polling latency to 125 us. (disabled for now, sorry)
  • TX Injector: This allows the host to inject BR/EDR packets immediately after the BT paging procedure and on every transmission slot (i.e. every 1.25 ms), subject to waiting whenever the ESP32's internal LMP queue is not empty. (disabled for now, sorry)
  • RX/TX Bypass: Effectively "blinds" the ESP32 BT stack so that it neither receives nor transmits LMP packets after the paging procedure. One can use this to build a standalone LMP state machine on the host with Scapy 🙂. This feature could enable something similar to what the SweynTooth nRF52 dongle does, but for BR/EDR.
  • ROM Patcher: Installs ROM hooks from inside the firmware.
  • HCI IN/OUT: Standard communication interface with the BT Host stack; any third-party stack such as BlueKitchen can be used.
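To make the layering of what the RX/TX Sniffer forwards concrete (Baseband header, then ACL payload header, then LMP), here is an added example of a minimal dissector in Python. It is not the project's h4bcm plugin or its Scapy layers. It assumes that the controller has already stripped the access code, FEC, whitening and CRC, that the 18-bit packet header is handed over as an integer in over-the-air bit order (bit 0 = first bit on air), and that the HEC is carried but not re-checked; the TYPE table covers only the basic-rate ACL/SCO logical transports, FHS and EIR are left undissected as on this page, and the DM1 packet in demo() is constructed.

```python
"""Minimal BR/EDR dissector: Baseband header -> ACL payload header -> LMP PDU.

ASSUMPTIONS (see lead-in): access code, FEC, whitening and CRC already removed
by the controller; the 18-bit header is an int in on-air bit order; HEC is not
verified here.  Field layouts follow Bluetooth Core spec, Vol 2, Part B/C.
"""

# Packet TYPE codes for the basic-rate ACL/SCO logical transports (no EDR/eSCO)
BB_TYPES = {0: "NULL", 1: "POLL", 2: "FHS", 3: "DM1", 4: "DH1", 5: "HV1",
            6: "HV2", 7: "HV3", 8: "DV", 9: "AUX1", 10: "DM3", 11: "DH3",
            14: "DM5", 15: "DH5"}
MULTI_SLOT = {"DM3", "DH3", "DM5", "DH5"}          # 2-byte ACL payload header
ACL_TYPES = {"DM1", "DH1", "AUX1"} | MULTI_SLOT
LLID = {0: "undefined", 1: "L2CAP continuation", 2: "L2CAP start", 3: "LMP"}
LMP_OPCODES = {1: "LMP_name_req", 2: "LMP_name_res", 3: "LMP_accepted",
               4: "LMP_not_accepted", 5: "LMP_clkoffset_req", 6: "LMP_clkoffset_res",
               7: "LMP_detach", 8: "LMP_in_rand", 9: "LMP_comb_key", 10: "LMP_unit_key",
               11: "LMP_au_rand", 12: "LMP_sres", 15: "LMP_encryption_mode_req",
               16: "LMP_encryption_key_size_req", 17: "LMP_start_encryption_req",
               18: "LMP_stop_encryption_req", 37: "LMP_version_req",
               38: "LMP_version_res", 39: "LMP_features_req", 40: "LMP_features_res",
               51: "LMP_host_connection_req", 60: "LMP_set_AFH",
               63: "LMP_Simple_Pairing_Confirm", 64: "LMP_Simple_Pairing_Number",
               65: "LMP_DHkey_Check", 127: "LMP_escape4"}


def build_bb_header(lt_addr: int, ptype: int, flow: int, arqn: int, seqn: int, hec: int) -> int:
    """Pack the 18-bit packet header in on-air bit order (LT_ADDR first)."""
    return (lt_addr & 7) | ((ptype & 0xF) << 3) | ((flow & 1) << 7) \
        | ((arqn & 1) << 8) | ((seqn & 1) << 9) | ((hec & 0xFF) << 10)


def parse_bb_header(hdr: int) -> dict:
    t = (hdr >> 3) & 0xF
    return {"lt_addr": hdr & 7, "type": BB_TYPES.get(t, f"TYPE_{t}"),
            "flow": (hdr >> 7) & 1, "arqn": (hdr >> 8) & 1,
            "seqn": (hdr >> 9) & 1, "hec": (hdr >> 10) & 0xFF}


def parse_acl_header(payload: bytes, multi_slot: bool) -> tuple[dict, bytes]:
    """ACL payload header: LLID(2) | FLOW(1) | LENGTH(5 or 9), LSB first."""
    if multi_slot:
        raw = int.from_bytes(payload[:2], "little")
        hdr = {"llid": raw & 3, "flow": (raw >> 2) & 1, "length": (raw >> 3) & 0x1FF}
        body = payload[2:]
    else:
        raw = payload[0]
        hdr = {"llid": raw & 3, "flow": (raw >> 2) & 1, "length": raw >> 3}
        body = payload[1:]
    hdr["llid_name"] = LLID[hdr["llid"]]
    hdr["truncated"] = hdr["length"] > len(body)   # LENGTH claims more than we got
    return hdr, body[:hdr["length"]]


def parse_lmp(pdu: bytes) -> dict:
    """LMP PDU: first byte is TID (bit 0, 0 = master-initiated) and 7-bit opcode."""
    tid, opcode = pdu[0] & 1, pdu[0] >> 1
    if opcode == 127:   # LMP_escape4: the extended opcode is in the second byte
        return {"tid": tid, "opcode": 127, "ext_opcode": pdu[1],
                "name": f"LMP_ext_{pdu[1]}", "params": pdu[2:]}
    return {"tid": tid, "opcode": opcode,
            "name": LMP_OPCODES.get(opcode, f"LMP_opcode_{opcode}"), "params": pdu[1:]}


def dissect(hdr18: int, payload: bytes) -> dict:
    out = {"bb": parse_bb_header(hdr18)}
    ptype = out["bb"]["type"]
    if ptype in ("NULL", "POLL"):          # header-only packets
        return out
    if ptype == "FHS":                     # not dissected here (nor on the page)
        out["fhs_raw"] = payload
        return out
    if ptype in ACL_TYPES:
        acl, body = parse_acl_header(payload, ptype in MULTI_SLOT)
        out["acl"] = acl
        if acl["llid"] == 3:
            out["lmp"] = parse_lmp(body)
        else:
            out["l2cap_fragment"] = body
    return out


def demo() -> dict:
    """Constructed DM1 from the master (LT_ADDR 1) carrying LMP_version_req:
    VersNr 0x09, CompId 0x1234 and SubVersNr 0x0001 are made-up values."""
    hdr = build_bb_header(lt_addr=1, ptype=3, flow=1, arqn=0, seqn=1, hec=0x5A)
    acl_hdr = bytes([3 | (1 << 2) | (6 << 3)])          # LLID=LMP, FLOW=1, LENGTH=6
    lmp = bytes([(37 << 1) | 0]) + b"\x09\x34\x12\x01\x00"  # opcode 37, TID 0
    return dissect(hdr, acl_hdr + lmp)


if __name__ == "__main__":
    print(demo())
```

The useful security property here is the LLID check: anything the remote side sends with LLID 3 goes to the controller's LMP engine before the host ever sees it, which is exactly the surface the RX/TX Bypass feature is meant to expose to a host-side state machine.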

Acknowledgements

The dissection of Baseband packets extends the InternalBlue Broadcom Wireshark dissector. Specifically, the h4bcm Wireshark plugin was extended to support a few more BT layers and our custom ESP32 metadata header. Thanks @jiska2342.

Thanks to all the following open-source projects:
