matheus-garbelini / esp32_bluetooth_classic_sniffer


Active Bluetooth BR/EDR Sniffer/Injector as cheap as any ESP32 board can get. Works with Scapy ;-)

License: GNU General Public License v2.0

Python 1.44% CMake 0.18% Shell 0.06% C 93.69% Makefile 1.49% TeX 0.08% Objective-C 0.57% Java 0.32% C++ 0.51% M4 0.03% Logos 0.01% GDB 0.01% HTML 1.41% Assembly 0.14% Dockerfile 0.01% SmPL 0.05% sed 0.02%
bluetooth bluetooth-classic br-edr braktooth esp32 patching-framework sniffer

esp32_bluetooth_classic_sniffer's People

Contributors

matheus-garbelini, sudiptac, wikijm

esp32_bluetooth_classic_sniffer's Issues

SDP query failed 0x04, retrying...

Hi,
Regardless of the target type I always get this message:

Starting RFCOMM Query
TX --> BT_Baseband / Raw
SDP query failed 0x04, retrying...
TX --> BT_Baseband / Raw
SDP query failed 0x04, retrying...
TX --> BT_Baseband / Raw
SDP query failed 0x04, retrying...
TX --> BT_Baseband / Raw
SDP query failed 0x04, retrying...
TX --> BT_Baseband / Raw

Does it mean that the remote device is patched?

Cross-platform compatibility

It appears that Bluekitchen supports Windows and the serial connection should be agnostic of the system. Is there any reason that the sniffer could not run on a Windows system after minor modifications?

Attempting even the ESP32_CMD_VERSION over a Windows COM port responds with malformed data; curious what the difference between the two serial connections is?

import serial
import time

ESP32_CMD_VERSION = b'\xEE'

serial_port = 'COM8'


def reset_firmware(wait_reset=True, soft_reset=False):
    # Hard reset: pulse DTR (wired to the ESP32 EN pin through the board's
    # auto-reset circuit) HIGH -> LOW -> HIGH while RTS is held high.
    if soft_reset is False:
        ser = serial.Serial(serial_port, 921600, rtscts=False, dsrdtr=False)
        ser.rts = True
        ser.dtr = True
        ser.dtr = False
        ser.dtr = True
        ser.close()
        ser = None
        print('[!] Reset Done! EN pin toggled HIGH->LOW->HIGH')


def get_version():
    # Send the version command and read one line of the reply; the context
    # manager closes the port again so the next open does not find it busy.
    with serial.Serial(serial_port, 921600, rtscts=False, xonxoff=False, timeout=1) as serial_con:
        serial_con.write(ESP32_CMD_VERSION)
        version_string = serial_con.readline()
    print(version_string.decode('utf-8', errors='ignore'))


reset_firmware()
time.sleep(0.8)
get_version()

The same code works fine on Ubuntu but does not work on Windows.

[INFO] ESP32-DOIT + FTD2232H

I don't know if this is the correct place. I'd like to buy an ESP32 to test this sniffer, but I have some doubts.
If I buy an ESP32-DOIT or ESP32-DevKitC, can't I test the feature "TX Interception" when it becomes available?
ESP-PROG has no ESP32 but only an FTD2232, so I should also buy an ESP32; the best choice should be an ESP-WROVER-KIT but it is too big and the LCD is useless, so this choice is not very good for me.
Is there a board with only ESP32 + FTD2232? I can't find it, so I think it doesn't exist.
I already have a board with FTD2232, so if I buy an ESP32-DOIT and link it with the FTD2232, can I test TX Interception?

UnicodeDecodeError: 'utf-8' codec can't decode byte 0x91 in position 0: invalid start byte

I can't run the project, I get an error. Please help:

sudo ./BTSnifferBREDR.py --port=/dev/ttyUSB0 --live-terminal
Using options:
Serial Port: /dev/ttyUSB0
Serial Baud: 921600
BT Host Program: ./host_stack/spp_counter
Host BDAddress: e0:d4:e8:19:c7:68
Target BDAddress: None
[!] Reset Done! EN pin toggled HIGH->LOW->HIGH
[!] Waiting 0.8s...
Traceback (most recent call last):
File "./BTSnifferBREDR.py", line 262, in <module>
sniffer()
File "/home/user/Desktop/esp32_bluetooth_classic_sniffer/runtime/install/lib/python3.8/site-packages/click/core.py", line 1157, in __call__
return self.main(*args, **kwargs)
File "/home/user/Desktop/esp32_bluetooth_classic_sniffer/runtime/install/lib/python3.8/site-packages/click/core.py", line 1078, in main
rv = self.invoke(ctx)
File "/home/user/Desktop/esp32_bluetooth_classic_sniffer/runtime/install/lib/python3.8/site-packages/click/core.py", line 1434, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/user/Desktop/esp32_bluetooth_classic_sniffer/runtime/install/lib/python3.8/site-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
File "./BTSnifferBREDR.py", line 245, in sniffer
Sniffer.start()
File "./BTSnifferBREDR.py", line 118, in start
self.driver = ESP32BTDriver(self.serial_port, self.serial_baud)
File "/home/user/Desktop/esp32_bluetooth_classic_sniffer/src/ESP32BTDriver.py", line 87, in __init__
self.get_version()
File "/home/user/Desktop/esp32_bluetooth_classic_sniffer/src/ESP32BTDriver.py", line 142, in get_version
self.version = version_string.decode('utf-8').split('\n')[0]
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x91 in position 0: invalid start byte
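In both the Windows report above (malformed data from ESP32_CMD_VERSION) and this traceback, the host side reads the reply to the version command and decodes it as UTF-8, so a first byte that is not valid UTF-8 (0x91 here) aborts the script before anyone sees what actually came back. The following is an added example, not code from the sniffer project: it parses the reply defensively and hex-dumps whatever arrived. The sample replies are constructed, the query_version helper is an assumption (pyserial, one line per reply), and the expected reply format (a dotted version on its own line) is inferred from the split('\n')[0] in the traceback and the "Firmware version: 1.4.1" line in a later log on this page.

```python
# Added example, not code from the sniffer project: decode the reply to the
# firmware version command without trusting it to be UTF-8 text.
import re

ESP32_CMD_VERSION = b'\xEE'   # command byte from the script quoted in the issue

# Constructed sample replies (not captured from real hardware).
GOOD_REPLY = b'1.4.1\n'
GARBAGE_REPLY = b'\x91\x1b[0;32mI (0) boot: ESP-IDF\x1a\xff\n'

# Assumption: the firmware answers with a dotted version on its own line.
VERSION_RE = re.compile(rb'^(\d+\.\d+\.\d+)\s*$')


def hexdump(data, width=16):
    """Offset / hex / printable-ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = ' '.join(f'{b:02x}' for b in chunk)
        text_part = ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)
        lines.append(f'{off:04x}  {hex_part:<{width * 3}} {text_part}')
    return '\n'.join(lines)


def parse_version_reply(raw):
    """Return a dict with ok, version (or None) and a human-readable detail.

    Never raises on undecodable bytes: the caller gets a hex dump and a
    hint instead of a UnicodeDecodeError.
    """
    first_line = raw.split(b'\n', 1)[0]
    match = VERSION_RE.match(first_line)
    if match:
        return {'ok': True, 'version': match.group(1).decode('ascii'),
                'detail': 'valid version string'}
    try:
        detail = f'unexpected reply text: {first_line.decode("utf-8")!r}'
    except UnicodeDecodeError as exc:
        detail = (f'reply is not UTF-8 ({exc.reason} at offset {exc.start}); '
                  'possible causes: wrong baud rate, wrong serial port, or '
                  'boot output left over from the reset')
    return {'ok': False, 'version': None, 'detail': detail + '\n' + hexdump(raw)}


def query_version(port, baud=921600, timeout=1.0):
    """Send ESP32_CMD_VERSION on a real port (needs pyserial; assumption)."""
    import serial  # imported lazily so the parser is usable without hardware
    with serial.Serial(port, baud, timeout=timeout) as ser:
        ser.reset_input_buffer()  # drop anything the board printed while resetting
        ser.write(ESP32_CMD_VERSION)
        raw = ser.readline()
    return parse_version_reply(raw)


if __name__ == '__main__':
    for sample in (GOOD_REPLY, GARBAGE_REPLY):
        print(parse_version_reply(sample)['detail'])
```

Run against the garbage sample, the detail line names the offending offset and prints the bytes, which is what you want to compare against the board's boot banner or a baud-rate mismatch before touching the driver code.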

cp: cannot stat '.pio/build/sniffer-serial/bootloader.bin': No such file or directory

When I run ./build_from_source.sh it seems to succeed, but then errors out on the 3 final copy actions:

Retrieving maximum program size .pio/build/esp32doit-devkit-v1-serial/firmware.elf
Building .pio/build/esp32doit-devkit-v1-serial/firmware.bin
Checking size .pio/build/esp32doit-devkit-v1-serial/firmware.elf
Advanced Memory Usage is available via "PlatformIO Home > Project Inspect"
RAM:   [=         ]  11.6% (used 38104 bytes from 327680 bytes)
Flash: [===       ]  31.3% (used 328270 bytes from 1048576 bytes)
esptool.py v3.0
================================================================================================ [SUCCESS] Took 70.13 seconds ================================================================================================

Environment                 Status    Duration
--------------------------  --------  ------------
esp32doit-devkit-v1-serial  SUCCESS   00:01:10.134
================================================================================================ 1 succeeded in 00:01:10.134 ================================================================================================
cp: cannot stat '.pio/build/sniffer-serial/bootloader.bin': No such file or directory
cp: cannot stat '.pio/build/sniffer-serial/partitions.bin': No such file or directory
cp: cannot stat '.pio/build/sniffer-serial/firmware.bin': No such file or directory

I do however see the files in the following path:

ls -la .pio/build/esp32doit-devkit-v1-serial/
total 368
drwxrwxr-x 2 user user   4096 May  9 15:11 .
drwxrwxr-x 3 user user   4096 May  9 14:49 ..
-rw-rw-r-- 1 user user  25200 May  9 15:10 bootloader.bin
-rw-rw-r-- 1 user user 328512 May  9 15:10 firmware.bin
-rw-rw-r-- 1 user user   3072 May  9 15:10 partitions.bin
-rw-r--r-- 1 user user    844 May  9 15:11 .sconsign38.dblite

Does the ./build_from_source.sh script need to be updated to use that path instead?
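The copy step apparently targets a fixed environment directory (.pio/build/sniffer-serial) while PlatformIO wrote the images under esp32doit-devkit-v1-serial. As an added example, not the project's build_from_source.sh, the helper below locates whichever .pio/build environment actually contains all three flash images and copies them, reporting what each environment lacks instead of failing on the first cp. The directory tree that demo() creates is constructed to mirror the listing above.

```python
# Added example, not code from the sniffer project: find the PlatformIO
# environment directory that really holds the flash images and copy them.
from pathlib import Path
import shutil
import tempfile

# The three images the issue's build log shows being written.
FLASH_IMAGES = ('bootloader.bin', 'partitions.bin', 'firmware.bin')


def find_build_dir(pio_build_root, preferred='sniffer-serial'):
    """Return the env dir under .pio/build holding all three images, or None.

    The env named `preferred` (the name the script expects) wins when it is
    complete; otherwise the first complete env in name order is used.
    """
    root = Path(pio_build_root)
    if not root.is_dir():
        return None
    others = sorted(p for p in root.iterdir() if p.is_dir() and p.name != preferred)
    for env_dir in [root / preferred, *others]:
        if all((env_dir / name).is_file() for name in FLASH_IMAGES):
            return env_dir
    return None


def missing_images(env_dir):
    """List which of the expected images are absent from env_dir."""
    env_dir = Path(env_dir)
    return [name for name in FLASH_IMAGES if not (env_dir / name).is_file()]


def copy_flash_images(pio_build_root, dest):
    """Copy the images into dest; return (env name, list of copied paths).

    Raises FileNotFoundError naming every env and what it lacks, instead of
    the bare 'cp: cannot stat' the shell script produces.
    """
    env_dir = find_build_dir(pio_build_root)
    if env_dir is None:
        root = Path(pio_build_root)
        envs = [p for p in root.iterdir() if p.is_dir()] if root.is_dir() else []
        report = '; '.join(f'{p.name}: missing {missing_images(p)}' for p in envs)
        raise FileNotFoundError(f'no complete build under {root} ({report or "no build dirs"})')
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    copied = [str(shutil.copy2(env_dir / name, dest / name)) for name in FLASH_IMAGES]
    return env_dir.name, copied


def demo():
    """Constructed tree mirroring the listing in the issue.

    Returns (env name used, number of images copied).
    """
    with tempfile.TemporaryDirectory() as tmp:
        build = Path(tmp) / '.pio' / 'build'
        env = build / 'esp32doit-devkit-v1-serial'
        env.mkdir(parents=True)
        for name in FLASH_IMAGES:
            (env / name).write_bytes(b'\xe9' + b'\x00' * 15)  # dummy image contents
        (env / '.sconsign38.dblite').write_bytes(b'')
        env_name, copied = copy_flash_images(build, Path(tmp) / 'out')
        return env_name, len(copied)


if __name__ == '__main__':
    print(demo())
```

Pointing the script at the environment name PlatformIO actually reports in its summary table ("esp32doit-devkit-v1-serial" in the log above) would fix the immediate error; searching for a complete set of images keeps it working when the environment is renamed again.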

A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header

I bought a new ESP-WROVER-KIT. I am on a freshly upgraded Ubuntu 22.04 install, and all of the build process worked fine, and the kit shows up as /dev/ttyUSB0 and /dev/ttyUSB1 fine too when I plug it in and power it on.

I got the following initial error during flashing (presumably because sudo was needed but not mentioned in the instructions):

sudo ./firmware.py flash /dev/ttyUSB0
Generating project.checksum
Flashing firmware...
Warning! Ignore unknown configuration option `reset_before_after_flash` in section [env:esp32doit-devkit-v1-jtag]
Warning! Ignore unknown configuration option `reset_before_after_flash` in section [env:esp32doit-devkit-v1-serial]
Processing esp32doit-devkit-v1-serial (platform: [email protected]; board: esp32doit-devkit-v1; framework: espidf; platform_packages: tool-esptool; upload_protocol: esptool; upload_port: /dev/ttyUSB1; monitor_port: /dev/ttyUSB1; monitor_speed: 4000000; monitor_filters: colorize, esp32_exception_decoder; build_flags: -w; upload_command: $PYTHONEXE $UPLOADER --chip esp32 --port $UPLOAD_PORT --baud 460800 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 $BUILD_DIR/bootloader.bin 0x8000 $BUILD_DIR/partitions.bin 0x10000 $BUILD_DIR/firmware.bin; extra_scripts: post:PlatformioScripts.py; reset_before_after_flash: true)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
before_upload(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
Reset Done! EN pin toggled HIGH->LOW->HIGH
<lambda>(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
AVAILABLE: esp-prog, espota, esptool, iot-bus-jtag, jlink, minimodule, olimex-arm-usb-ocd, olimex-arm-usb-ocd-h, olimex-arm-usb-tiny-h, olimex-jtag-tiny, tumpa
CURRENT: upload_protocol = esptool
MethodWrapper(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
Using manually specified: /dev/ttyUSB0
/home/user/Downloads/esp32_bluetooth_classic_sniffer/runtime/install/bin/python3 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/packages/tool-esptoolpy/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 460800 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/bootloader.bin 0x8000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/partitions.bin 0x10000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/firmware.bin
esptool.py v3.0
Serial port /dev/ttyUSB0
Connecting........_____....._____....._____....._____....._____....._____....._____

A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header
*** [upload] Error 2
================================================================================= [FAILED] Took 24.25 seconds =================================================================================

Environment                 Status    Duration
--------------------------  --------  ------------
esp32doit-devkit-v1-jtag    IGNORED
esp32doit-devkit-v1-serial  FAILED    00:00:24.250
============================================================================ 1 failed, 0 succeeded in 00:00:24.250 ============================================================================

However, even once I add sudo, I still can't seem to flash the board, due to a timeout error:

sudo ./firmware.py flash /dev/ttyUSB0
Generating project.checksum
Flashing firmware...
Warning! Ignore unknown configuration option `reset_before_after_flash` in section [env:esp32doit-devkit-v1-jtag]
Warning! Ignore unknown configuration option `reset_before_after_flash` in section [env:esp32doit-devkit-v1-serial]
Processing esp32doit-devkit-v1-serial (platform: [email protected]; board: esp32doit-devkit-v1; framework: espidf; platform_packages: tool-esptool; upload_protocol: esptool; upload_port: /dev/ttyUSB1; monitor_port: /dev/ttyUSB1; monitor_speed: 4000000; monitor_filters: colorize, esp32_exception_decoder; build_flags: -w; upload_command: $PYTHONEXE $UPLOADER --chip esp32 --port $UPLOAD_PORT --baud 460800 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 $BUILD_DIR/bootloader.bin 0x8000 $BUILD_DIR/partitions.bin 0x10000 $BUILD_DIR/firmware.bin; extra_scripts: post:PlatformioScripts.py; reset_before_after_flash: true)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
before_upload(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
Reset Done! EN pin toggled HIGH->LOW->HIGH
<lambda>(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
AVAILABLE: esp-prog, espota, esptool, iot-bus-jtag, jlink, minimodule, olimex-arm-usb-ocd, olimex-arm-usb-ocd-h, olimex-arm-usb-tiny-h, olimex-jtag-tiny, tumpa
CURRENT: upload_protocol = esptool
MethodWrapper(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
Using manually specified: /dev/ttyUSB0
/home/user/Downloads/esp32_bluetooth_classic_sniffer/runtime/install/bin/python3 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/packages/tool-esptoolpy/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 460800 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/bootloader.bin 0x8000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/partitions.bin 0x10000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/firmware.bin
esptool.py v3.0
Serial port /dev/ttyUSB0
Connecting........_____....._____....._____....._____....._____....._____....._____

A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header
*** [upload] Error 2
================================================================================= [FAILED] Took 24.25 seconds =================================================================================

Environment                 Status    Duration
--------------------------  --------  ------------
esp32doit-devkit-v1-jtag    IGNORED
esp32doit-devkit-v1-serial  FAILED    00:00:24.250
============================================================================ 1 failed, 0 succeeded in 00:00:24.250 ============================================================================

Altering src/layers_bredr.py doesn't alter sent packets

I wanted to confirm I could make simple edits to packets, so I started with one of the simplest, LMP_features_req (ultimately I will want to add in a LMP_name_req though). I grepped for LMP_features_req and from the hits it seemed like probably src/layers_bredr.py was in charge, since it had a constant that looked very similar to (but not exactly the same as?) the value seen in the packets. So I edited src/layers_bredr.py per the below, but this didn't make any changes to the observed packets in the pcap.

class LMP_features_req(Packet):
    name = "LMP_features_req"
    fields_desc = [FlagsField(
        "features", 0x8f7bffdb00000000, 64, _bluetooth_lmp_features)]

Then I tried replacing _bluetooth_lmp_features with _bluetooth_lmp_features_unused:

        "features", 0x8f7bffdb00000000, 64, _bluetooth_lmp_features_unused)]
...
                   ConditionalField(FlagsField("features0", 0, 64, _bluetooth_lmp_features_unused),

But that also didn't alter the observed LMP_features_req in the pcap.

Does this have to do with the fact that the "TX Interception" feature is listed as "(disabled for now, sorry)" on the front page? And consequently do packet changes require customizing the firmware? (If so, why is TX Interception currently disabled?)

Creating a dissector for other Wireshark versions

I really like this tool but I'm struggling to get the dissector to work for other versions of Wireshark beyond 3.4. I've tried adjusting different values in files within the dissector folder but I haven't had any luck. Do you have any suggestions to get h4bcm.so working for some of the newer versions?

libbtstack.so: cannot open shared object file

Hi there,

I got some issues running BTSnifferBREDR.
Any hint?

Parrot OS

Best regards

─[root@deadbeef-24296hg]─[/home/deadbeef/EagleEye/esp32_bluetooth_classic_sniffer]
└──╼ #./BTSnifferBREDR.py --port /dev/ttyUSB0 --live-wireshark
Using options:
Serial Port: /dev/ttyUSB0
Serial Baud: 921600
BT Host Program: ./host_stack/spp_counter
Host BDAddress: e0:d4:e8:19:c7:68
Target BDAddress: None
[Sniffer] [!] Starting Wireshark...
16:23:58.530 Main Warn QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
[!] Reset Done! EN pin toggled HIGH->LOW->HIGH
[!] Waiting 0.8s...
[ESP32BT] Firmware version: 1.4.1
sh: 1: setserial: not found
HCI Bridge started on /dev/pts/2
ESP32BT driver started on /dev/ttyUSB0@921600
Starting ['./host_stack/spp_counter', '-u', '/dev/pts/2', '-a', 'None']
./host_stack/spp_counter: error while loading shared libraries: libbtstack.so: cannot open shared object file: No such file or directory
