Matheus-Garbelini / esp32_bluetooth_classic_sniffer

Active Bluetooth BR/EDR Sniffer/Injector as cheap as any ESP32 board can get. Works with Scapy ;-)
GNU General Public License v2.0

A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header #9

Open jsmif opened 1 year ago

jsmif commented 1 year ago

I bought a new ESP-WROVER-KIT. I am on a freshly upgraded Ubuntu 22.04 install, and all the build process worked fine, and the kit shows up as /dev/ttyUSB0 and /dev/ttyUSB1 fine too when I plug it in and power it on.

I got the following initial error during flashing (presumably because sudo was needed but not mentioned in the instructions):

sudo ./firmware.py flash /dev/ttyUSB0
Generating project.checksum
Flashing firmware...
Warning! Ignore unknown configuration option `reset_before_after_flash` in section [env:esp32doit-devkit-v1-jtag]
Warning! Ignore unknown configuration option `reset_before_after_flash` in section [env:esp32doit-devkit-v1-serial]
Processing esp32doit-devkit-v1-serial (platform: espressif32@3.0.0; board: esp32doit-devkit-v1; framework: espidf; platform_packages: tool-esptool; upload_protocol: esptool; upload_port: /dev/ttyUSB1; monitor_port: /dev/ttyUSB1; monitor_speed: 4000000; monitor_filters: colorize, esp32_exception_decoder; build_flags: -w; upload_command: $PYTHONEXE $UPLOADER --chip esp32 --port $UPLOAD_PORT --baud 460800 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 $BUILD_DIR/bootloader.bin 0x8000 $BUILD_DIR/partitions.bin 0x10000 $BUILD_DIR/firmware.bin; extra_scripts: post:PlatformioScripts.py; reset_before_after_flash: true)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
before_upload(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
Reset Done! EN pin toggled HIGH->LOW->HIGH
<lambda>(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
AVAILABLE: esp-prog, espota, esptool, iot-bus-jtag, jlink, minimodule, olimex-arm-usb-ocd, olimex-arm-usb-ocd-h, olimex-arm-usb-tiny-h, olimex-jtag-tiny, tumpa
CURRENT: upload_protocol = esptool
MethodWrapper(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
Using manually specified: /dev/ttyUSB0
/home/user/Downloads/esp32_bluetooth_classic_sniffer/runtime/install/bin/python3 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/packages/tool-esptoolpy/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 460800 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/bootloader.bin 0x8000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/partitions.bin 0x10000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/firmware.bin
esptool.py v3.0
Serial port /dev/ttyUSB0
Connecting........_____....._____....._____....._____....._____....._____....._____

A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header
*** [upload] Error 2
================================================================================= [FAILED] Took 24.25 seconds =================================================================================

Environment                 Status    Duration
--------------------------  --------  ------------
esp32doit-devkit-v1-jtag    IGNORED
esp32doit-devkit-v1-serial  FAILED    00:00:24.250
============================================================================ 1 failed, 0 succeeded in 00:00:24.250 ============================================================================

However, even once I add sudo, I still can't seem to flash the board, due to a timeout error:

sudo ./firmware.py flash /dev/ttyUSB0
Generating project.checksum
Flashing firmware...
Warning! Ignore unknown configuration option `reset_before_after_flash` in section [env:esp32doit-devkit-v1-jtag]
Warning! Ignore unknown configuration option `reset_before_after_flash` in section [env:esp32doit-devkit-v1-serial]
Processing esp32doit-devkit-v1-serial (platform: espressif32@3.0.0; board: esp32doit-devkit-v1; framework: espidf; platform_packages: tool-esptool; upload_protocol: esptool; upload_port: /dev/ttyUSB1; monitor_port: /dev/ttyUSB1; monitor_speed: 4000000; monitor_filters: colorize, esp32_exception_decoder; build_flags: -w; upload_command: $PYTHONEXE $UPLOADER --chip esp32 --port $UPLOAD_PORT --baud 460800 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 $BUILD_DIR/bootloader.bin 0x8000 $BUILD_DIR/partitions.bin 0x10000 $BUILD_DIR/firmware.bin; extra_scripts: post:PlatformioScripts.py; reset_before_after_flash: true)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
before_upload(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
Reset Done! EN pin toggled HIGH->LOW->HIGH
<lambda>(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
AVAILABLE: esp-prog, espota, esptool, iot-bus-jtag, jlink, minimodule, olimex-arm-usb-ocd, olimex-arm-usb-ocd-h, olimex-arm-usb-tiny-h, olimex-jtag-tiny, tumpa
CURRENT: upload_protocol = esptool
MethodWrapper(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
Using manually specified: /dev/ttyUSB0
/home/user/Downloads/esp32_bluetooth_classic_sniffer/runtime/install/bin/python3 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/packages/tool-esptoolpy/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 460800 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/bootloader.bin 0x8000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/partitions.bin 0x10000 /home/user/Downloads/esp32_bluetooth_classic_sniffer/firmware/.pio/build/esp32doit-devkit-v1-serial/firmware.bin
esptool.py v3.0
Serial port /dev/ttyUSB0
Connecting........_____....._____....._____....._____....._____....._____....._____

A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header
*** [upload] Error 2
================================================================================= [FAILED] Took 24.25 seconds =================================================================================

Environment                 Status    Duration
--------------------------  --------  ------------
esp32doit-devkit-v1-jtag    IGNORED
esp32doit-devkit-v1-serial  FAILED    00:00:24.250
============================================================================ 1 failed, 0 succeeded in 00:00:24.250 ============================================================================

jsmif commented 1 year ago

Possible solution:

I noticed that this repository https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks referenced /dev/ttyUSB1 rather than /dev/ttyUSB0, even though presumably the custom firmware is flashed the same for both repos. I was able to flash the firmware from that repo, but only after holding the boot button, as mentioned on that repo (+ sudo, which again isn't mentioned).

So I then returned to the flash command from this repository with sudo, and /dev/ttyUSB1, and holding the button, and it seemed to succeed. I then did sudo ./BTSnifferBREDR.py --port=/dev/ttyUSB1 --target=TARGET_BDADDR --live-terminal, and I saw stuff. I don't know if it's the correct stuff that's indicative of a successful flash, but it seems to be?

Using options:
        Serial Port: /dev/ttyUSB1
        Serial Baud: 921600
        BT Host Program: ./host_stack/sdp_rfcomm_query
        Host BDAddress: ESP_BDADDR
        Target BDAddress: TARGET_BDADDR
[!] Reset Done! EN pin toggled HIGH->LOW->HIGH
[!] Waiting 0.8s...
[ESP32BT] Firmware version: 1.4.1
sh: 1: setserial: not found
HCI Bridge started on /dev/pts/4
ESP32BT driver started on /dev/ttyUSB1@921600
Starting ['./host_stack/sdp_rfcomm_query', '-u', '/dev/pts/4', '-a', 'TARGET_BDADDR']
Packet Log: logs/hci_dump.pklg
H4 device: /dev/pts/4
address=TARGET_BDADDR
Local version information:
- HCI Version    0x0008
- HCI Revision   0x030e
- LMP Version    0x0008
- LMP Subversion 0x030e
- Manufacturer 0x0060
Local name: 
BTstack up and running at ESP_BDADDR
Starting RFCOMM Query
TX --> BT_Baseband / Raw
TX --> BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_features_req
RX <-- BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_features_res
TX --> BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_features_req_ext
RX <-- BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_features_res_ext
TX --> BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_features_req_ext
RX <-- BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_features_res_ext
TX --> BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_version_req
RX <-- BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_version_res
TX --> BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_timing_accuracy_req
RX <-- BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_timing_accuracy_res
TX --> BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_host_connection_req
RX <-- BT_Baseband / BT_ACL_Hdr / Raw
RX <-- BT_Baseband / BT_ACL_Hdr / Raw
TX --> BT_Baseband / BT_ACL_Hdr / BT_LMP / LMP_accepted

(I assume the "Raw" is for a packet type that the software doesn't currently parse?)

The instructions say "# Change ttyUSB0 to match your port name" but they don't say how to determine what the correct device is (and it would be natural to think that if I have no other /dev/ttyUSB* devices on my system until I plug in the dev board, and if you're using USB0, then probably I should be using USB0.) So basically an update to the instructions specifying how to find the right device, plus a mention of holding down the boot button and of sudo, is probably in order.

mr-slonn commented 1 year ago

esp32doit-devkit-v1-jtag IGNORED esp32doit-devkit-v1-serial FAILED 00:00:24.250

I have a similar error: https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks/issues/15

Matheus-Garbelini commented 1 year ago

Hi @mr-slonn @jsmif, indeed the instructions for this repo assume that one is using a simple esp32doit, ESP32-DevKitC or similar board that only has 1 serial port.

As the braktooth project that you referenced requires the WROVER kit, which has 2 serial ports, the serial port is /dev/ttyUSB1 as you described. I'll add a note on this repo about this and the sudo addition.

(I assume the "Raw" is for a packet type that the software doesn't currently parse?)

Yes, the RAW is probably new LMP opcodes that the scapy layer does not implement (layers_bredr.py). You might need to see these packets in Wireshark to confirm whether they are indeed unknown.
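As an added example (not part of the issue or of the project's code), a small Python helper that applies the rule given above: one USB-UART interface means a single-port board and /dev/ttyUSB0, two interfaces on the same bridge means a WROVER-style kit and the second port. The /dev/serial/by-id names it parses are assumptions modelled on udev's naming scheme, and the sample entries are constructed.

```python
"""Apply the thread's rule for picking the ESP32 upload port: a single-UART
board (esp32doit, ESP32-DevKitC) exposes one /dev/ttyUSB*, while the
ESP-WROVER-KIT's dual-channel USB-UART bridge exposes two and the sniffer
firmware goes to the second one (/dev/ttyUSB1)."""
import os
import re

# udev names USB serial adapters under /dev/serial/by-id as
# usb-<vendor>_<product>[_<serial>]-if<NN>-port0; ifNN is the USB interface
# index, so a dual-channel bridge shows if00 and if01 (assumed naming).
BY_ID_RE = re.compile(r"^usb-(?P<dev>.+)-if(?P<iface>\d{2})-port\d+$")

def group_ports(by_id_links):
    """{by-id name: tty} -> {adapter: [(iface, tty), ...]} sorted by iface."""
    adapters = {}
    for name, tty in by_id_links.items():
        m = BY_ID_RE.match(name)
        if m:
            adapters.setdefault(m["dev"], []).append((int(m["iface"]), tty))
    for ports in adapters.values():
        ports.sort()
    return adapters

def choose_upload_port(by_id_links):
    """Return (tty, reason); refuse to guess unless exactly one adapter is present."""
    adapters = group_ports(by_id_links)
    if len(adapters) != 1:
        return None, f"expected one USB-serial adapter, found {len(adapters)}"
    (dev, ports), = adapters.items()
    if len(ports) == 1:
        return ports[0][1], f"single-UART board on {dev}"
    # Dual-channel bridge: the maintainer's note says the serial port is the
    # second one (on the WROVER-KIT the first channel carries JTAG).
    return ports[-1][1], f"dual-UART board on {dev}: using the second channel"

def read_by_id(directory="/dev/serial/by-id"):
    """Resolve the by-id symlinks on this host; {} when none are present."""
    if not os.path.isdir(directory):
        return {}
    return {n: os.path.realpath(os.path.join(directory, n)) for n in os.listdir(directory)}

def needs_sudo(tty):
    """True when the current user cannot open the port (the usual fix is
    membership in the group owning the device, not running the tool as root)."""
    return not os.access(tty, os.R_OK | os.W_OK)

# Constructed samples (assumed by-id names, not taken from the issue).
SAMPLE_WROVER = {"usb-FTDI_Dual_RS232-HS-if00-port0": "/dev/ttyUSB0",
                 "usb-FTDI_Dual_RS232-HS-if01-port0": "/dev/ttyUSB1"}
SAMPLE_DEVKIT = {"usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0": "/dev/ttyUSB0"}
```

Run `choose_upload_port(read_by_id())` on the host with the board plugged in; `needs_sudo(port)` on the result tells whether the permission problem from the first post applies.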

jsmif commented 1 year ago

Thank you for clarifying. When you're updating the documentation, it'd be great if you could also add a couple words about how to compile and install the wireshark dissector. It just references InternalBlue's, but I think the paths and steps are not exactly the same. After guessing and testing, I think the correct procedure is

cd dissectors
cmake ..
make

(But there's no make install?)

Matheus-Garbelini commented 1 year ago

@jsmif yes, I'll add some notes later. The installation of the dissector is done by the script build.sh in the dissectors folder, which is called by the main build.sh in the project root folder. This is meant to be transparent to the user, as using cmake directly often fails with the following error, since this CMake file is supposed to be placed in the official Wireshark build tree:

(screenshot: Screenshot_20230510_201032)

There might be a mismatch with your Wireshark version (higher than 3.6), which can be adjusted here: https://github.com/Matheus-Garbelini/esp32_bluetooth_classic_sniffer/blob/master/dissectors/build.sh#L5

However, at the end the logs should report the following: (screenshot: Screenshot_20230510_201210)

This was tested on Ubuntu 18.04, so your version of Wireshark should be higher.

jsmif commented 1 year ago

Sorry, I should have been clearer. It wasn't that Wireshark wasn't working for me (it was); it was just that I wanted to know how it was installed, since the documentation didn't mention it. (I didn't realize the only reason I could read the pcapng logs created by this tool and Braktooth was because the custom Wireshark was already installed.)