Hi, I need some help - I got most of it working, but not able to test any of the attacks...

Setup: ESP32-WROOM32U + ESP-PROG, VMWare + Ubuntu 18.04

Connecting the ESP-PROG (only) to USB gives me /dev/ttyUSB0 and ttyUSB1, where USB1 is the ESP32.

Firmware:
Flashed the firmware to the ESP32 directly via USB.
The version-checker python script (found in the comments somewhere - send 0xEE) reports firmware version v1.3.0.

DNS:
While running requirements.sh, dnsmasq installs, but fails to start.
Also fails to start during system startup.
dnsmasq[877]: failed to create listening socket for port 53: Address already in use
Looks like I have systemd-resolve sitting on port 53.
Not sure if this 'error' is permissible or if I need to fix dnsmasq?

Config:
configs/bt_config.json - set SerialAutoDiscovery to false

Scanning:
bt_fuzzer scan works. I can pick up devices that are waiting to pair. Paired devices or in-use devices do not show up.
No errors logged during scan.
UART Latency reported as 125 us, though sometimes also around 240 us.

Questions:

1) Testing au_rand_flooding attack seems to hang my entire VM. Have to unplug the ESP-PROG+ESP32 before it comes back to life.
sudo bin/bt_exploiter --host-port=/dev/ttyUSB1 --target=xx:xx:xx:xx:xx:xx --exploit=au_rand_flooding
Any suggestions?

2) Testing invalid_max_slot attack does not hang VM. No effect observed.
sudo bin/bt_exploiter --host-port=/dev/ttyUSB1 --target=xx:xx:xx:xx:xx:xx --exploit=invalid_max_slot
Log chunk:
[Modules] 24/24 Modules Compiled / Loaded
[Modules] invalid_max_slot configured and ready!
[ESP32BT] HCI Bridge ON: /dev/pts/0
[ESP32BT] Firmware version: 1.3.0
[ESP32BT] LMP Sniffing ENABLED
[ESP32BT] TX Packet interception ENABLED
[ESP32BT] [!] RX Bypass DISABLED
[ESP32BT] [!] Bypass on Demand DISABLED
[ESP32BT] [!] Role Switch ENABLED
[ESP32BT] Own BDADDR set to xx:xx:xx:xx:xx:xx
[ESP32BT] Measuring UART Latency...
[ESP32BT] USB Latency:14116 us [OK]
Serial port /dev/ttyUSB1@4000000 opened
[Monitor] Port /dev/ttyUSB0@115200 Opened
...
Starting RFCOMM Query
[Baseband] TX --> FHS
[Baseband] RX <-- FHS
[Timeout] No Response received for 45 seconds
[Timeout] Target is not responding, check if target is still alive...
Host BDAddress randomized to xx:xx:xx:xx:xx:xx
[!] Global timeout started with 45 seconds
The log line - [Monitor] Port /dev/ttyUSB0@115200 Opened... Is that strange? ttyUSB0 is the ESP-PROG I believe...

3) I noticed somewhere in the comments, firmware of 1.4 mentioned? The firmware included in https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks/blob/master/esp32driver.zip is v1.3. I think the firmware in https://github.com/Matheus-Garbelini/esp32_bluetooth_classic_sniffer/tree/master/firmware is newer? Should I flash to this version? (v1.4?)

4) Any advice on what attack(s) I should be focusing on for a basic smartphone -> audio device scenario?

5) The scanning ONLY picks up devices in pairing mode. Is this a limitation of the scanning technique, or is something not working on my end? Is it possible to detect devices that are already paired? Do I need another tool for that? Bettercap?

6) In a basic smartphone -> audio device scenario, what should the target BDaddr be? The smartphone or the audio device? Either?

Thanks in advance.
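The "Address already in use" on port 53 described under DNS above, as an added diagnostic example that is not part of the original issue or of the BrakTooth toolkit: the script parses /proc/net/udp and /proc/net/tcp (the same tables `ss` and `netstat` read) and reports which local address holds port 53. On Ubuntu 18.04, systemd-resolved binds a stub listener on 127.0.0.53:53, so a hit on that address is the usual cause. The sample table rows, the uid 101 and the inode numbers in them are constructed for the demonstration; on a real host the script reads the live tables instead.

```python
"""Report which local sockets hold UDP/TCP port 53 by parsing /proc/net/udp and
/proc/net/tcp (IPv4 tables only).  Hypothetical helper, not part of the
BrakTooth toolkit.  127.0.0.53 is the stub listener bound by systemd-resolved,
which is what makes dnsmasq fail with "Address already in use" at startup."""
import socket
import struct

# Socket states as the kernel prints them in the "st" column (hex).
TCP_LISTEN = 0x0A        # TCP socket accepting connections
UDP_UNCONNECTED = 0x07   # bound, unconnected UDP socket (i.e. receiving)


def decode_ipv4(hex_addr: str) -> tuple:
    """Turn "3500007F:0035" into ("127.0.0.53", 53).
    The kernel prints the IPv4 address in host byte order (little-endian on
    x86), so the four bytes are packed little-endian before inet_ntoa."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def find_listeners(table_text: str, port: int, proto: str) -> list:
    """Return [(ip, port, uid, inode)] for rows bound to `port`.
    `table_text` is the content of /proc/net/udp or /proc/net/tcp."""
    wanted_state = UDP_UNCONNECTED if proto == "udp" else TCP_LISTEN
    hits = []
    for line in table_text.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        ip, lport = decode_ipv4(fields[1])      # local_address column
        state = int(fields[3], 16)              # st column
        if lport == port and state == wanted_state:
            hits.append((ip, lport, int(fields[7]), int(fields[9])))  # uid, inode
    return hits


def explain(hits: list) -> str:
    """One-line verdict; 127.0.0.53 is systemd-resolved's stub resolver."""
    if not hits:
        return "port free"
    owners = {ip for ip, _, _, _ in hits}
    if "127.0.0.53" in owners:
        return "systemd-resolved stub listener on 127.0.0.53"
    return "held by " + ", ".join(sorted(owners))


# Constructed samples resembling an Ubuntu 18.04 host running systemd-resolved
# (uid 101 and the inode numbers are made up for the example).
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 3500007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 24567 2 0000000000000000 0
   1: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 19876 2 0000000000000000 0
"""
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 24568 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000  1000        0 30001 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    # Use the live tables when available, otherwise fall back to the samples.
    try:
        with open("/proc/net/udp") as f:
            udp_text = f.read()
        with open("/proc/net/tcp") as f:
            tcp_text = f.read()
    except OSError:
        udp_text, tcp_text = SAMPLE_UDP, SAMPLE_TCP
    for proto, text in (("udp", udp_text), ("tcp", tcp_text)):
        hits = find_listeners(text, 53, proto)
        print(f"{proto}/53: {explain(hits)}")
        for ip, p, uid, inode in hits:
            print(f"  {ip}:{p} uid={uid} inode={inode}")
```

Mapping the reported inode back to a process name needs read access to every process's /proc/PID/fd, which is why `ss -lunp` shows the owner only when run as root; the uid column is readable without privileges and is usually enough to tell a system resolver from a user process.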