BLE sniffing with UbertoothOne

This time, I'd like to try monitoring a smartlock's BLE packets with Ubertooth One.

Smartlock

I use this BLE dongle and Ubertooth One.

Find BLE device
Check that the BLE dongle is connected:
➜  ~ sudo hciconfig
hci0: Type: BR/EDR  Bus: USB
 BD Address: 00:1A:7D:DA:71:13  ACL MTU: 310:10  SCO MTU: 64:8
 UP RUNNING PSCAN 
 RX bytes:622 acl:0 sco:0 events:38 errors:0
 TX bytes:952 acl:0 sco:0 commands:38 errors:0

Let's find BLE devices:
➜  ~ sudo hcitool lescan
LE Scan ...
30:F8:3F:06:4F:6F (unknown)
30:F8:3F:06:4F:6F (unknown)
30:F8:3F:06:4F:6F (unknown)
18:62:E4:46:60:AB (unknown)  <------
18:62:E4:46:60:AB BlueFPL    <------
30:F8:3F:06:4F:6F (unknown)
30:F8:3F:06:4F:6F (unknown)
30:F8:3F:06:4F:6F (unknown)

Then, trying gatttool.
A peripheral is described by its services and characteristics.
Each service contains characteristics, which hold the data.
➜  ~ sudo gatttool -I -b 18:62:E4:46:60:AB
[   ][18:62:E4:46:60:AB][LE]> connect
[CON][18:62:E4:46:60:AB][LE]> primary
[CON][18:62:E4:46:60:AB][LE]> 
attr handle: 0x0001, end grp handle: 0x0008 uuid: 0000fee7-0000-1000-8000-00805f9b34fb
attr handle: 0x0009, end grp handle: 0x0013 uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle: 0x0014, end grp handle: 0x0017 uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle: 0x0018, end grp handle: 0xffff uuid: f000ffc0-0451-4000-b000-000000000000
[   ][18:62:E4:46:60:AB][LE]> characteristics
Command failed: disconnected
[   ][18:62:E4:46:60:AB][LE]> connect
[CON][18:62:E4:46:60:AB][LE]> characteristics
[CON][18:62:E4:46:60:AB][LE]> 
handle: 0x0002, char properties: 0x08, char value handle: 0x0003, uuid: 000036f5-0000-1000-8000-00805f9b34fb
handle: 0x0005, char properties: 0x10, char value handle: 0x0006, uuid: 000036f6-0000-1000-8000-00805f9b34fb
handle: 0x000a, char properties: 0x02, char value handle: 0x000b, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x000c, char properties: 0x02, char value handle: 0x000d, uuid: 00002a01-0000-1000-8000-00805f9b34fb
handle: 0x000e, char properties: 0x0a, char value handle: 0x000f, uuid: 00002a02-0000-1000-8000-00805f9b34fb
handle: 0x0010, char properties: 0x08, char value handle: 0x0011, uuid: 00002a03-0000-1000-8000-00805f9b34fb
handle: 0x0012, char properties: 0x02, char value handle: 0x0013, uuid: 00002a04-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x20, char value handle: 0x0016, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0019, char properties: 0x1c, char value handle: 0x001a, uuid: f000ffc1-0451-4000-b000-000000000000
handle: 0x001d, char properties: 0x1c, char value handle: 0x001e, uuid: f000ffc2-0451-4000-b000-000000000000

Reading characteristic values:
[   ][18:62:E4:46:60:AB][LE]> connect
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x0002
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 08 03 00 f5 36 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x0005
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 10 06 00 f6 36 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x000a
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 02 0b 00 00 2a 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x000c
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 02 0d 00 01 2a 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x000e
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 0a 0f 00 02 2a 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x0010
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 08 11 00 03 2a 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x0012
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 02 13 00 04 2a 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x0015
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 20 16 00 05 2a 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x0019
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 1c 1a 00 00 00 00 00 00 00 00 b0 00 40 51 04 c1 ff 00 f0 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x001d
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 1c 1e 00 00 00 00 00 00 00 00 b0 00 40 51 04 c2 ff 00 f0 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x0001
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: e7 fe 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x0009
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 00 18 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x0014
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 01 18 
[CON][18:62:E4:46:60:AB][LE]> char-read-hnd 0x0018
[CON][18:62:E4:46:60:AB][LE]> 
Characteristic value/descriptor: 00 00 00 00 00 00 00 b0 00 40 51 04 c0 ff 00 f0 
[CON][18:62:E4:46:60:AB][LE]> 


Capturing BLE packets
Then, it's time to use Ubertooth One.
Create a named pipe:
➜  ~ sudo mkfifo /tmp/pipe

Set the Wireshark capture interface to /tmp/pipe.


Start Ubertooth One, following connections of the target address (-f, -t) and writing the capture to the pipe (-c):
➜  ~ sudo ubertooth-btle -f -t 18:62:E4:46:60:AB -c /tmp/pipe

When the lock is opened via the application on the smartphone,
we could observe ATT Write Request packets.
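To make the gatttool output above and the ATT Write Requests seen in the capture easier to interpret, here is an added Python example; it is not code from the original post, nor from BlueZ or the Ubertooth project. Note that char-read-hnd on 0x0002, 0x0005, 0x0019 and 0x001d above reads the characteristic declaration, not the characteristic's data, which is why each result starts with a properties byte followed by the value handle and the UUID (e.g. "08 03 00 f5 36" is properties 0x08 = write, value handle 0x0003, UUID 0x36f5). The example decodes those four hexdumps (copied from the page) into a value-handle table, then decodes an ATT Write Request carried in an L2CAP frame and attributes it to the characteristic it targets, flagging writes to a handle whose declaration does not permit writing. The sample frame and its value bytes are constructed for the example, not captured from the lock.

```python
import struct
from typing import Dict, List, NamedTuple

# Bluetooth Base UUID suffix: 16-bit UUID 0xXXXX expands to 0000XXXX-0000-1000-8000-00805f9b34fb
BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb"
# Characteristic property bits from the GATT characteristic declaration
PROPERTY_BITS = {
    0x01: "broadcast", 0x02: "read", 0x04: "write-without-response", 0x08: "write",
    0x10: "notify", 0x20: "indicate", 0x40: "authenticated-signed-writes", 0x80: "extended-properties",
}
ATT_CID = 0x0004        # L2CAP channel carrying ATT on LE links
ATT_WRITE_REQ = 0x12    # ATT Write Request opcode


class Characteristic(NamedTuple):
    decl_handle: int
    properties: int
    value_handle: int
    uuid: str


class AttWrite(NamedTuple):
    handle: int
    value: bytes


def uuid_from_le(raw: bytes) -> str:
    """Render a little-endian 2-byte or 16-byte UUID the way gatttool prints it."""
    if len(raw) == 2:
        return "%08x%s" % (int.from_bytes(raw, "little"), BASE_UUID_SUFFIX)
    if len(raw) == 16:
        h = raw[::-1].hex()  # 128-bit UUIDs travel least-significant byte first
        return "-".join((h[:8], h[8:12], h[12:16], h[16:20], h[20:]))
    raise ValueError("unsupported UUID length %d" % len(raw))


def property_names(props: int) -> List[str]:
    """Expand the properties byte into the operations it advertises."""
    return [name for bit, name in PROPERTY_BITS.items() if props & bit]


def parse_characteristic_declaration(decl_handle: int, hexdump: str) -> Characteristic:
    """Decode what 'char-read-hnd <declaration handle>' returns:
    properties (1 byte), value handle (uint16 LE), UUID (2 or 16 bytes LE)."""
    raw = bytes.fromhex(hexdump)
    if len(raw) not in (5, 19):
        raise ValueError("declaration must be 5 or 19 bytes, got %d" % len(raw))
    value_handle = struct.unpack_from("<H", raw, 1)[0]
    return Characteristic(decl_handle, raw[0], value_handle, uuid_from_le(raw[3:]))


# Declaration handles and hexdumps copied from the gatttool session on this page
PAGE_DECLARATIONS = {
    0x0002: "08 03 00 f5 36",
    0x0005: "10 06 00 f6 36",
    0x0019: "1c 1a 00 00 00 00 00 00 00 00 b0 00 40 51 04 c1 ff 00 f0",
    0x001d: "1c 1e 00 00 00 00 00 00 00 00 b0 00 40 51 04 c2 ff 00 f0",
}


def build_handle_map(declarations: Dict[int, str]) -> Dict[int, Characteristic]:
    """Index characteristics by value handle, which is what sniffed writes carry."""
    table = {}
    for decl_handle, hexdump in declarations.items():
        c = parse_characteristic_declaration(decl_handle, hexdump)
        table[c.value_handle] = c
    return table


def parse_att_write_request(l2cap_frame: bytes) -> AttWrite:
    """Decode an L2CAP frame (length, CID, payload) carrying an ATT Write Request."""
    if len(l2cap_frame) < 4:
        raise ValueError("truncated L2CAP header")
    length, cid = struct.unpack_from("<HH", l2cap_frame, 0)
    att = l2cap_frame[4:]
    if cid != ATT_CID:
        raise ValueError("not the ATT channel: cid=0x%04x" % cid)
    if len(att) != length:
        raise ValueError("L2CAP length %d != payload %d" % (length, len(att)))
    if len(att) < 3 or att[0] != ATT_WRITE_REQ:
        raise ValueError("not an ATT Write Request")
    return AttWrite(struct.unpack_from("<H", att, 1)[0], att[3:])


def build_att_write_request(handle: int, value: bytes) -> bytes:
    """Construct a sample frame for offline testing; not a capture from the lock."""
    att = bytes([ATT_WRITE_REQ]) + struct.pack("<H", handle) + value
    return struct.pack("<HH", len(att), ATT_CID) + att


def describe_write(frame: bytes, table: Dict[int, Characteristic]) -> str:
    """Attribute a sniffed write to a characteristic and flag writes the
    declaration did not permit (a protocol anomaly worth a closer look)."""
    w = parse_att_write_request(frame)
    c = table.get(w.handle)
    if c is None:
        return "write to unknown handle 0x%04x (%d bytes)" % (w.handle, len(w.value))
    allowed = {"write", "write-without-response"} & set(property_names(c.properties))
    verdict = "permitted" if allowed else "NOT permitted by declaration"
    return "write to %s (handle 0x%04x, %d bytes): %s" % (c.uuid, w.handle, len(w.value), verdict)


if __name__ == "__main__":
    table = build_handle_map(PAGE_DECLARATIONS)
    for handle, c in sorted(table.items()):
        print("0x%04x %s %s" % (handle, c.uuid, ",".join(property_names(c.properties))))
    print(describe_write(build_att_write_request(0x001a, bytes.fromhex("01 02 03")), table))  # constructed
```

The handle map is keyed by value handle because that is the handle an ATT Write Request carries on the air; the declaration handle only appears in discovery. When running this over a real capture, the L2CAP frame would be taken from the decrypted LL data PDU that Wireshark dissects from the pipe.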



But this smartlock does not seem to be vulnerable to a replay attack.
I'll try it another time...!!
In my environment, the Ubertooth One must be located physically between the smartphone and the smartlock.

