RCayre / mirage

Mirage is a powerful and modular framework dedicated to the security analysis of wireless communications.
https://homepages.laas.fr/rcayre/mirage-documentation
MIT License
261 stars 48 forks

Slave disconnects during use of ble_mitm module (invalid command identifier in L2CAP) #12

Status: Closed (byte-arts closed this 3 years ago)

byte-arts commented 3 years ago

Hello,

I am trying to use the ble_mitm module of Mirage, but the slave device mostly* disconnects after a short amount of time. If I connect fast enough with the master device, the MITM module works, but only until the slave disconnects.

I start the module with the following command (same results with activated master and slave spoofing):

sudo mirage ble_mitm TARGET=XX:XX:XX:XX:XX INTERFACE1=hci1 INTERFACE2=hci2 MASTER_SPOOFING=no SLAVE_SPOOFING=no CONNECTION_TYPE=random

Output is:

[INFO] Module ble_mitm loaded !
[SUCCESS] HCI Device (hci1) successfully instanciated !
[SUCCESS] HCI Device (hci2) successfully instanciated !
[INFO] Entering SCAN stage ...
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=AA:AA:AA:AA:AA | data=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=BB:BB:BB:BB:BB | data=bbbbbbbbbbbbbbbbbbbbbbbbbbbbb >>
...
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=XX:XX:XX:XX:XX | data=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>
[SUCCESS] Found corresponding advertisement !
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=XX:XX:XX:XX:XX | data= >>
[INFO] Entering CLONE stage ...
[INFO] Connecting to slave XX:XX:XX:XX:XX...
[INFO] Updating connection handle : 64
[SUCCESS] Connected on slave : XX:XX:XX:XX:XX
[INFO] Entering WAIT_CONNECTION stage ...
[INFO] Connection Parameter Update Request (from slave) : slaveLatency = 0 / timeoutMult = 600 / minInterval = 400 / maxInterval = 800
[INFO] Sending a response to slave ...
[INFO] Slave disconnected !

So even without connecting the master device, the slave terminates the connection (Remote User Terminated Connection (0x13)).

I cannot verify if this is the reason, but I noticed that the command identifier in the L2CAP Connection Parameter Update Response packet is invalid.

< ACL Data TX: Handle 64 flags 0x00 dlen 16                    #701 2021.703324
      LE L2CAP: Connection Parameter Update Request (0x12) ident 6 len 8
        Min interval: 24
        Max interval: 40
        Slave latency: 0
        Timeout multiplier: 42
> ACL Data RX: Handle 64 flags 0x02 dlen 10                    #702 2022.026564
      LE L2CAP: Connection Parameter Update Response (0x13) ident 0 len 2
        Result: Connection Parameters accepted (0x0000)

From the specification (page 1047 - Core_v5.2):

Identifier (1 octet) The Identifier field is one octet long and matches responses with requests. The requesting device sets this field and the responding device uses the same value in its response. Within each signaling channel a different Identifier shall be used for each successive command. Following the original transmission of an Identifier in a command, the Identifier may be recycled if all other Identifiers have subsequently been used. RTX and ERTX timers are used to determine when the remote end point is not responding to signaling requests. On the expiration of a RTX or ERTX timer, the same identifier shall be used if a duplicate Request is re-sent as stated in Section 6.2. A device receiving a duplicate request on a particular signaling channel should reply with a duplicate response on the same signaling channel. A command response with an invalid identifier is silently discarded. Signaling identifier 0x00 is an illegal identifier and shall never be used in any command.

*Mostly, because I got the ble_mitm module working with a peripheral example from the Zephyr project. The example device does not disconnect but prints a warning message:

bt_l2cap: Invalid ident value in L2CAP PDU

I am using Ubuntu 20.04 LTS with bluez 5.53 and the latest mirage version. Tested with 2 Asus BT-400 USB-Dongles.

If you need any further information let me know!
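To make the identifier rule quoted above concrete, here is an added worked example; it is not Mirage's code and not the fix byte-arts submitted. It encodes and decodes the LE L2CAP signaling frames for the Connection Parameter Update Request/Response, derives the response identifier from the request instead of hard-coding 0, and models a spec-conforming receiver that silently discards a response whose identifier is illegal or does not match. Frame layouts follow Bluetooth Core Vol. 3 Part A (basic L2CAP header, then code/identifier/length, then data); the byte strings are constructed from the btmon lines in the issue, not captured traffic. The `IdentAllocator` is an assumed helper that sketches what "select the right command ID in the stack" could look like.

```python
"""
Added example (not Mirage's code): minimal encoder/decoder for the L2CAP
Connection Parameter Update Request/Response on the LE signaling channel
(CID 0x0005), showing why the response must echo the request identifier.
All byte strings are constructed from the btmon excerpt in the issue.
"""
import struct

LE_SIGNALING_CID = 0x0005            # fixed channel for LE L2CAP signaling
CONN_PARAM_UPDATE_REQ = 0x12
CONN_PARAM_UPDATE_RSP = 0x13
RESULT_ACCEPTED = 0x0000
RESULT_REJECTED = 0x0001


class IdentAllocator:
    """Assumed helper: hands out identifiers 1..255, never 0x00, and only
    recycles a value after all others have been used (one per signaling channel)."""

    def __init__(self):
        self._next = 1

    def next(self):
        ident = self._next
        self._next = 1 if ident == 255 else ident + 1
        return ident


def build_signaling_frame(code, ident, payload):
    """L2CAP basic header (length, CID) + signaling header (code, ident, length) + data."""
    if not 1 <= ident <= 255:
        raise ValueError("identifier 0x00 is illegal in any signaling command")
    cmd = struct.pack("<BBH", code, ident, len(payload)) + payload
    return struct.pack("<HH", len(cmd), LE_SIGNALING_CID) + cmd


def parse_signaling_frame(frame):
    """Return (code, ident, data); raise on truncation or wrong channel."""
    if len(frame) < 8:
        raise ValueError("frame too short for L2CAP + signaling headers")
    l2cap_len, cid = struct.unpack_from("<HH", frame, 0)
    if cid != LE_SIGNALING_CID:
        raise ValueError("not on the LE signaling channel")
    body = frame[4:4 + l2cap_len]
    if len(body) != l2cap_len:
        raise ValueError("L2CAP length field exceeds frame")
    code, ident, data_len = struct.unpack_from("<BBH", body, 0)
    data = body[4:4 + data_len]
    if len(data) != data_len:
        raise ValueError("signaling data length exceeds L2CAP payload")
    return code, ident, data


def build_conn_param_update_request(ident, min_interval, max_interval,
                                    slave_latency, timeout_multiplier):
    data = struct.pack("<HHHH", min_interval, max_interval,
                       slave_latency, timeout_multiplier)
    return build_signaling_frame(CONN_PARAM_UPDATE_REQ, ident, data)


def build_conn_param_update_response(request_frame, result=RESULT_ACCEPTED):
    """The correct behaviour: reuse the identifier carried by the request."""
    code, ident, _ = parse_signaling_frame(request_frame)
    if code != CONN_PARAM_UPDATE_REQ:
        raise ValueError("not a Connection Parameter Update Request")
    return build_signaling_frame(CONN_PARAM_UPDATE_RSP, ident,
                                 struct.pack("<H", result))


def check_response(request_frame, response_frame):
    """Spec-conforming receiver: a response with an invalid or non-matching
    identifier is silently discarded. Returns (accepted_as_reply, reason)."""
    _, req_ident, _ = parse_signaling_frame(request_frame)
    code, rsp_ident, data = parse_signaling_frame(response_frame)
    if code != CONN_PARAM_UPDATE_RSP:
        return False, "unexpected code 0x%02x" % code
    if rsp_ident == 0:
        return False, "ident 0x00 is illegal"
    if rsp_ident != req_ident:
        return False, "ident %d does not match request ident %d" % (rsp_ident, req_ident)
    if len(data) != 2:
        return False, "bad response length"
    (result,) = struct.unpack("<H", data)
    return True, "accepted" if result == RESULT_ACCEPTED else "rejected"


# Constructed from the btmon lines in the issue: ident 6 request, ident 0 reply.
REQUEST_IDENT6 = build_conn_param_update_request(6, 24, 40, 0, 42)
BUGGY_RESPONSE_IDENT0 = bytes.fromhex("06000500" "13000200" "0000")

if __name__ == "__main__":
    print("buggy reply :", check_response(REQUEST_IDENT6, BUGGY_RESPONSE_IDENT0))
    fixed = build_conn_param_update_response(REQUEST_IDENT6)
    print("fixed reply :", fixed.hex(), check_response(REQUEST_IDENT6, fixed))
```

Run stand-alone, it shows the ident-0 reply from the trace being discarded and the rebuilt reply (same bytes, ident 6 instead of 0) being accepted. A stack that is strict about this, like the Zephyr peripheral mentioned below, logs the discard; a stack that treats it as a protocol violation may tear the link down, which is consistent with the disconnect reason observed.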

byte-arts commented 3 years ago

OK, I corrected the command identifier for the Connection Parameter Update Request/Response and it works. For this I added an l2capCmdId field to BLEConnectionParameterUpdateRequest and BLEConnectionParameterUpdateResponse, which stores the command identifier and can therefore be used for creating a valid response. Since the packet objects in Mirage only contain payload data, I think it's more of a little hack to make it work... Any recommendation where to add the header field? Then I would create a pull request.

RCayre commented 3 years ago

Hello, thank you for signaling (and fixing!) this issue. You can create a pull request with your patch as it is right now; I'll try to correct it later to automatically select the right command ID in the stack itself.

byte-arts commented 3 years ago

So I created a pull request with the changes that work for me. This is my first pull request; hopefully everything is correct!

RCayre commented 3 years ago

Thank you, it's perfect :)