RCayre / mirage

Mirage is a powerful and modular framework dedicated to the security analysis of wireless communications.
https://homepages.laas.fr/rcayre/mirage-documentation
MIT License

Data parsing error in BLEReadByGroupTypeResponse #17

Closed smrtnt closed 3 years ago

smrtnt commented 3 years ago

I am encountering an error when mirage is parsing the data in the function BLEReadByGroupTypeResponse. I am using an NXP board with the NXP_HTS example. The error always occurs at the same time. I have slightly modified the packet.py file to display the data that is raising the error.

Error parsing the following data:

b'\x01\x00\x04\x00\x01\x18\x06\x00\x0c\x00\x00\x18\x0e\x00\x1a\x00\t\x18\x1c\x00 '

Logs:

$ sudo mirage ble_mitm TARGET=00:60:37:8C:AC:E4 CONNECTION_TYPE=public INTERFACE1=hci1 INTERFACE2=hci2
[INFO] Module ble_mitm loaded !
[SUCCESS] HCI Device (hci1) successfully instanciated !
[SUCCESS] HCI Device (hci2) successfully instanciated !
[INFO] Entering SCAN stage ...
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=0A:B4:2E:CF:AA:2D | data=02011a03036ffd17166ffdf4dfb5d674c69ccab403b1010cbbfdcbf61be37e >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=6B:1E:95:E2:BB:B8 | data=02011a020a0c0aff4c001005031ccfe4f9 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=6B:1E:95:E2:BB:B8 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=59:78:A5:AB:DF:F6 | data=0201060aff4c001005471cd24b4a >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=59:78:A5:AB:DF:F6 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=00:60:37:8C:AC:E4 | data=0201060302091808084e58505f485453 >>
[SUCCESS] Found corresponding advertisement !
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=00:60:37:8C:AC:E4 | data= >>
[INFO] Entering CLONE stage ...
[INFO] Connecting to slave 00:60:37:8C:AC:E4...
[INFO] Updating connection handle : 72
[SUCCESS] Connected on slave : 00:60:37:8C:AC:E4
[INFO] Entering WAIT_CONNECTION stage ...
[INFO] Updating connection handle : 68
[SUCCESS] Master connected : 6B:1E:95:E2:BB:B8
[INFO] Slave disconnected !
[INFO] Changing HCI Device (hci1) Random Address to : 6B:1E:95:E2:BB:B8
[SUCCESS] BD Address successfully modified !
[INFO] Connecting to slave 00:60:37:8C:AC:E4...
[INFO] Updating connection handle : 71
[INFO] Entering ACTIVE_MITM stage ...
[INFO] Exchange MTU Request (from master) : mtu = 185
[INFO] Redirecting to slave ...
[INFO] Exchange MTU Response (from slave) : mtu = 247
[INFO] Redirecting to master ...
[INFO] Read By Group Type Request (from master) : startHandle = 0x1 / endHandle = 0xffff / uuid = 0x2800
[INFO] Redirecting to slave ...
BLEReadByGroupTypeResponse, data:
b'\x01\x00\x04\x00\x01\x18\x06\x00\x0c\x00\x00\x18\x0e\x00\x1a\x00\t\x18\x1c\x00 '
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.6/dist-packages/mirage-1.1-py3.6.egg/mirage/libs/wireless_utils/packetQueue.py", line 19, in run
    self._target(*(self._args))
  File "/usr/local/lib/python3.6/dist-packages/mirage-1.1-py3.6.egg/mirage/libs/wireless.py", line 206, in _task
    self._add(pkt)
  File "/usr/local/lib/python3.6/dist-packages/mirage-1.1-py3.6.egg/mirage/libs/wireless.py", line 185, in _add
    packet = self.convert(data)
  File "/usr/local/lib/python3.6/dist-packages/mirage-1.1-py3.6.egg/mirage/libs/ble.py", line 877, in convert
    data = packet[ATT_Read_By_Group_Type_Response].data
  File "/usr/local/lib/python3.6/dist-packages/mirage-1.1-py3.6.egg/mirage/libs/ble_utils/packets.py", line 671, in __init__
    self.decode()
  File "/usr/local/lib/python3.6/dist-packages/mirage-1.1-py3.6.egg/mirage/libs/ble_utils/packets.py", line 700, in decode
    endGroupHandle = struct.unpack('>H',data[pointer+2:pointer+4][::-1])[0]
struct.error: unpack requires a buffer of 2 bytes

[INFO] Master disconnected !
[INFO] Mirage process terminated !

Thanks for your help, Sam

RCayre commented 3 years ago

Hi, thanks for this issue. Can you monitor using hcidump the interface receiving the ReadByGroupTypeResponse ?

smrtnt commented 3 years ago

Hi, thanks for this great tool. I did the experiment again and captured the traffic with hcidump.

HCI 1 dump: https://www.dropbox.com/s/i8i7xqnoitabicx/hci1_dump.pcap?dl=0
HCI 2 dump: https://www.dropbox.com/s/8e0kwku7fq8rid0/hci2_dump.pcap?dl=0

The BLE stack from NXP seems to support Bluetooth LE 5.0. I am using Bluetooth LE 4.0 USB dongles from Aliexpress.

Thanks for your help, Sam

Logs:

sudo mirage ble_mitm TARGET=00:60:37:8C:AC:E4 INTERFACE1=hci1 INTERFACE2=hci2
[INFO] Module ble_mitm loaded !
[SUCCESS] HCI Device (hci1) successfully instanciated !
[SUCCESS] HCI Device (hci2) successfully instanciated !
[INFO] Entering SCAN stage ...
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=90:DD:5D:CE:F7:56 | data=02011a020a0c0aff4c0010050114684fdc >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=90:DD:5D:CE:F7:56 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=2C:03:D3:11:8E:DF | data=02011a03036ffd17166ffd38817bd7ceebb3e8184952bedc6c7e4aac114d92 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=70:64:97:FC:A4:20 | data=02011a020a0c0aff4c001005031c0a0a16 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=70:64:97:FC:A4:20 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=90:DD:5D:CE:F7:56 | data=02011a020a0c0aff4c0010050114684fdc >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=90:DD:5D:CE:F7:56 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=2C:03:D3:11:8E:DF | data=02011a03036ffd17166ffd38817bd7ceebb3e8184952bedc6c7e4aac114d92 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=90:DD:5D:CE:F7:56 | data=02011a020a0c0aff4c0010050114684fdc >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=90:DD:5D:CE:F7:56 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204012067190f0000013200000000000000000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:03:9F:EE:75:B3 | data=1b085b54565d2053616d73756e672037205365726965732028353029 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204012067190f0000013200000000000000000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:03:9F:EE:75:B3 | data=1b085b54565d2053616d73756e672037205365726965732028353029 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204012067190f0000013200000000000000000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=2C:03:D3:11:8E:DF | data=02011a03036ffd17166ffd38817bd7ceebb3e8184952bedc6c7e4aac114d92 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=67:44:EF:59:C4:3D | data=02011a0aff4c001005031c89870c >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=67:44:EF:59:C4:3D | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=61:4A:3D:5D:DD:42 | data=02011a020a070aff4c001005791c75919a >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=61:4A:3D:5D:DD:42 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=3C:91:80:C9:30:8E | data=0201021107fc9dd0b3cb84e0840642f3f7e1e0bfcb >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=3C:91:80:C9:30:8E | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=00:60:37:8C:AC:E4 | data=0201060302091808084e58505f485453 >>
[SUCCESS] Found corresponding advertisement !
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=00:60:37:8C:AC:E4 | data= >>
[INFO] Entering CLONE stage ...
[INFO] Connecting to slave 00:60:37:8C:AC:E4...
[INFO] Updating connection handle : 72
[SUCCESS] Connected on slave : 00:60:37:8C:AC:E4
[INFO] Entering WAIT_CONNECTION stage ...
[INFO] Updating connection handle : 68
[SUCCESS] Master connected : 70:64:97:FC:A4:20
[INFO] Slave disconnected !
[INFO] Changing HCI Device (hci1) Random Address to : 70:64:97:FC:A4:20
[SUCCESS] BD Address successfully modified !
[INFO] Connecting to slave 00:60:37:8C:AC:E4...
[INFO] Updating connection handle : 71
[INFO] Entering ACTIVE_MITM stage ...
[INFO] Exchange MTU Request (from master) : mtu = 185
[INFO] Redirecting to slave ...
[INFO] Exchange MTU Response (from slave) : mtu = 247
[INFO] Redirecting to master ...
[INFO] Read By Group Type Request (from master) : startHandle = 0x1 / endHandle = 0xffff / uuid = 0x2800
[INFO] Redirecting to slave ...
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.8/dist-packages/mirage-1.1-py3.8.egg/mirage/libs/wireless_utils/packetQueue.py", line 19, in run
    self._target(*(self._args))
  File "/usr/local/lib/python3.8/dist-packages/mirage-1.1-py3.8.egg/mirage/libs/wireless.py", line 206, in _task
    self._add(pkt)
  File "/usr/local/lib/python3.8/dist-packages/mirage-1.1-py3.8.egg/mirage/libs/wireless.py", line 185, in _add
    packet = self.convert(data)
  File "/usr/local/lib/python3.8/dist-packages/mirage-1.1-py3.8.egg/mirage/libs/ble.py", line 869, in convert
    return BLEReadByGroupTypeResponse(
  File "/usr/local/lib/python3.8/dist-packages/mirage-1.1-py3.8.egg/mirage/libs/ble_utils/packets.py", line 671, in __init__
    self.decode()
  File "/usr/local/lib/python3.8/dist-packages/mirage-1.1-py3.8.egg/mirage/libs/ble_utils/packets.py", line 697, in decode
    endGroupHandle = struct.unpack('>H',data[pointer+2:pointer+4][::-1])[0]
struct.error: unpack requires a buffer of 2 bytes
[INFO] Master disconnected !
[INFO] Mirage process terminated !

RCayre commented 3 years ago

Hello, thank you very much! The problem seems to be linked to ACL fragmentation; I wasn't aware of the fact that HCI packets could be fragmented. I have tried to write a patch but I can't reproduce the issue easily, so it's probably buggy. Can you try to replace ble.py in mirage/libs with the following one and perform the same experiment? ble_patch.zip
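The failure mode diagnosed above, as an added example that is not part of the original thread and is not Mirage's code or the contents of ble_patch.zip: HCI ACL fragments are reassembled into a full L2CAP PDU before the ATT Read By Group Type Response is decoded, and the decoder validates lengths instead of letting `struct.unpack` raise inside the receive thread. The attribute bytes are the ones logged in this issue; the ACL framing (handle 71, 27-byte first fragment) and all function and class names are assumptions made for the illustration.

```python
import struct

PB_CONTINUATION = 0b01          # continuing fragment of an L2CAP PDU
PB_FIRST = (0b00, 0b10)         # first fragment (non-flushable / flushable)
ATT_CID = 0x0004                # fixed L2CAP channel carrying ATT
ATT_READ_BY_GROUP_TYPE_RSP = 0x11


class AclReassembler:
    """Rebuilds L2CAP PDUs from HCI ACL data packets, per connection handle."""

    def __init__(self):
        self.partial = {}

    def feed(self, acl):
        """Return (handle, cid, payload) once a PDU is complete, else None."""
        if len(acl) < 4:
            raise ValueError("short ACL header")
        flags, dlen = struct.unpack_from("<HH", acl)
        handle, pb = flags & 0x0FFF, (flags >> 12) & 0x3
        data = acl[4:]
        if len(data) != dlen:
            raise ValueError("ACL length field does not match packet size")
        if pb in PB_FIRST:
            self.partial[handle] = bytearray(data)
        elif pb == PB_CONTINUATION and handle in self.partial:
            self.partial[handle] += data
        else:
            raise ValueError("unexpected fragment")
        buf = self.partial[handle]
        if len(buf) < 4:
            return None                      # L2CAP header itself is split
        l2len, cid = struct.unpack_from("<HH", buf)
        if len(buf) - 4 < l2len:
            return None                      # wait for more fragments
        del self.partial[handle]
        if len(buf) - 4 > l2len:
            raise ValueError("more bytes than the L2CAP length announces")
        return handle, cid, bytes(buf[4:])


def parse_read_by_group_type_response(att):
    """Return [(start_handle, end_group_handle, value), ...] after length checks."""
    if len(att) < 2 or att[0] != ATT_READ_BY_GROUP_TYPE_RSP:
        raise ValueError("not a Read By Group Type Response")
    size, body = att[1], att[2:]
    if size < 4 or not body or len(body) % size:
        raise ValueError("attribute data list is not a whole number of entries")
    entries = []
    for off in range(0, len(body), size):
        start, end = struct.unpack_from("<HH", body, off)
        entries.append((start, end, body[off + 4:off + size]))
    return entries


# Attribute data list as logged in this issue once the fix was applied (length = 6).
ATT_DATA = bytes.fromhex(
    "01000400011806000c0000180e001a0009181c0020000f18220032000a18")
HANDLE = 71  # constructed: connection handle value taken from the log lines


def make_fragments(handle=HANDLE, first_size=27):
    """Constructed ACL framing: split the L2CAP PDU after first_size bytes."""
    att = bytes([ATT_READ_BY_GROUP_TYPE_RSP, 6]) + ATT_DATA
    pdu = struct.pack("<HH", len(att), ATT_CID) + att
    chunks = [(0b10, pdu[:first_size]), (PB_CONTINUATION, pdu[first_size:])]
    return [struct.pack("<HH", handle | (pb << 12), len(c)) + c
            for pb, c in chunks]


def demo():
    """Feed both fragments, then decode the reassembled response."""
    reasm = AclReassembler()
    first, second = make_fragments()
    assert reasm.feed(first) is None         # 21 attribute bytes only: incomplete
    handle, cid, att = reasm.feed(second)
    assert (handle, cid) == (HANDLE, ATT_CID)
    return parse_read_by_group_type_response(att)


if __name__ == "__main__":
    for start, end, value in demo():
        print(f"0x{start:04x}-0x{end:04x} uuid=0x{int.from_bytes(value, 'little'):04x}")
```

Decoding the first fragment on its own is rejected with a `ValueError` because 21 bytes is not a multiple of the 6-byte entry length, which is the condition that surfaced as `struct.error` in the traceback.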

smrtnt commented 3 years ago

Hello, I have applied the patch and everything seems to work now! Thank you very much. I did the same experiment again and captured the BLE traffic for your information.

HCI1 dump: https://www.dropbox.com/s/k5103ccw2yxx5l5/hci1_dump_2.pcap?dl=0
HCI2 dump: https://www.dropbox.com/s/cnu4yz0sw0ckzt1/hci2_dump_2.pcap?dl=0

Logs:

$ sudo mirage ble_mitm TARGET=00:60:37:8C:AC:E4 INTERFACE1=hci1 INTERFACE2=hci2
[INFO] Module ble_mitm loaded !
[SUCCESS] HCI Device (hci1) successfully instanciated !
[SUCCESS] HCI Device (hci2) successfully instanciated !
[INFO] Entering SCAN stage ...
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=90:DD:5D:CE:F7:56 | data=02011a020a0c0aff4c0010050114684fdc >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=90:DD:5D:CE:F7:56 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=35:F5:15:34:48:65 | data=02011a03036ffd17166ffd6a48011f4d3ac3d2557d8220d7f6ebbe3dee2e1a >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=64:80:B6:56:F9:AA | data=02011a020a0c0aff4c0010054b1c742db4 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=64:80:B6:56:F9:AA | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=90:DD:5D:CE:F7:56 | data=02011a020a0c0aff4c0010050114684fdc >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=90:DD:5D:CE:F7:56 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=7F:BE:D6:5A:1E:A1 | data=02011a0aff4c001005031ce4c6a6 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=7F:BE:D6:5A:1E:A1 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=35:F5:15:34:48:65 | data=02011a03036ffd17166ffd6a48011f4d3ac3d2557d8220d7f6ebbe3dee2e1a >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=64:80:B6:56:F9:AA | data=02011a020a0c0aff4c0010054b1c742db4 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=64:80:B6:56:F9:AA | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=90:DD:5D:CE:F7:56 | data=02011a020a0c0aff4c0010050114684fdc >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=90:DD:5D:CE:F7:56 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204012067190f0000013200000000000000000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:03:9F:EE:75:B3 | data=1b085b54565d2053616d73756e672037205365726965732028353029 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204012067190f0000013200000000000000000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:03:9F:EE:75:B3 | data=1b085b54565d2053616d73756e672037205365726965732028353029 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204010167fc039fee75b3fe039fee75b201000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:03:9F:EE:75:B3 | data=1b085b54565d2053616d73756e672037205365726965732028353029 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=7F:BE:D6:5A:1E:A1 | data=02011a0aff4c001005031ce4c6a6 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=7F:BE:D6:5A:1E:A1 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=35:F5:15:34:48:65 | data=02011a03036ffd17166ffd6a48011f4d3ac3d2557d8220d7f6ebbe3dee2e1a >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=64:80:B6:56:F9:AA | data=02011a020a0c0aff4c0010054b1c742db4 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=64:80:B6:56:F9:AA | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=90:DD:5D:CE:F7:56 | data=02011a020a0c0aff4c0010050114684fdc >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=7F:BE:D6:5A:1E:A1 | data=02011a0aff4c001005031ce4c6a6 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=7F:BE:D6:5A:1E:A1 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=3C:91:80:C9:30:8E | data=0201021107fc9dd0b3cb84e0840642f3f7e1e0bfcb >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=3C:91:80:C9:30:8E | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204010167fc039fee75b3fe039fee75b201000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:03:9F:EE:75:B3 | data=1b085b54565d2053616d73756e672037205365726965732028353029 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204010167fc039fee75b3fe039fee75b201000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:03:9F:EE:75:B3 | data=1b085b54565d2053616d73756e672037205365726965732028353029 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204010167fc039fee75b3fe039fee75b201000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=35:F5:15:34:48:65 | data=02011a03036ffd17166ffd6a48011f4d3ac3d2557d8220d7f6ebbe3dee2e1a >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=64:80:B6:56:F9:AA | data=02011a020a0c0aff4c0010054b1c742db4 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=64:80:B6:56:F9:AA | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=90:DD:5D:CE:F7:56 | data=02011a020a0c0aff4c0010050114684fdc >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=90:DD:5D:CE:F7:56 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=7F:BE:D6:5A:1E:A1 | data=02011a0aff4c001005031ce4c6a6 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=7F:BE:D6:5A:1E:A1 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=90:DD:5D:CE:F7:56 | data=02011a020a0c0aff4c0010050114684fdc >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=90:DD:5D:CE:F7:56 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=64:80:B6:56:F9:AA | data=02011a020a0c0aff4c0010054b1c742db4 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=64:80:B6:56:F9:AA | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=35:F5:15:34:48:65 | data=02011a03036ffd17166ffd6a48011f4d3ac3d2557d8220d7f6ebbe3dee2e1a >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=90:DD:5D:CE:F7:56 | data=02011a020a0c0aff4c0010050114684fdc >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=90:DD:5D:CE:F7:56 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=7F:BE:D6:5A:1E:A1 | data=02011a0aff4c001005031ce4c6a6 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=7F:BE:D6:5A:1E:A1 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=64:80:B6:56:F9:AA | data=02011a020a0c0aff4c0010054b1c742db4 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=64:80:B6:56:F9:AA | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=35:F5:15:34:48:65 | data=02011a03036ffd17166ffd6a48011f4d3ac3d2557d8220d7f6ebbe3dee2e1a >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204012067190f0000013200000000000000000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:03:9F:EE:75:B3 | data=1b085b54565d2053616d73756e672037205365726965732028353029 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204012067190f0000013200000000000000000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:03:9F:EE:75:B3 | data=1b085b54565d2053616d73756e672037205365726965732028353029 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204012067190f0000013200000000000000000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:03:9F:EE:75:B3 | data=1b085b54565d2053616d73756e672037205365726965732028353029 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:03:9F:EE:75:B3 | data=02011a1bff75004204010167fc039fee75b3fe039fee75b201000000000000 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:03:9F:EE:75:B3 | data=1b085b54565d2053616d73756e672037205365726965732028353029 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=7F:BE:D6:5A:1E:A1 | data=02011a0aff4c001005031ce4c6a6 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=7F:BE:D6:5A:1E:A1 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=90:DD:5D:CE:F7:56 | data=02011a020a0c0aff4c0010050114684fdc >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=90:DD:5D:CE:F7:56 | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=35:F5:15:34:48:65 | data=02011a03036ffd17166ffd6a48011f4d3ac3d2557d8220d7f6ebbe3dee2e1a >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=64:80:B6:56:F9:AA | data=02011a020a0c0aff4c0010054b1c742db4 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=64:80:B6:56:F9:AA | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:41:D7:01:33:C5 | data=02011a0bff4c0009060324c0a801a1 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=3C:91:80:C9:30:8E | data=0201021107fc9dd0b3cb84e0840642f3f7e1e0bfcb >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=3C:91:80:C9:30:8E | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=7F:BE:D6:5A:1E:A1 | data=02011a0aff4c001005031ce4c6a6 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=50:B1:C8:58:BE:EC | data=0201060aff4c001005471c2da124 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=50:B1:C8:58:BE:EC | data= >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=00:60:37:8C:AC:E4 | data=0201060302091808084e58505f485453 >>
[SUCCESS] Found corresponding advertisement !
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=00:60:37:8C:AC:E4 | data= >>
[INFO] Entering CLONE stage ...
[INFO] Connecting to slave 00:60:37:8C:AC:E4...
[INFO] Updating connection handle : 72
[SUCCESS] Connected on slave : 00:60:37:8C:AC:E4
[INFO] Entering WAIT_CONNECTION stage ...
[INFO] Updating connection handle : 68
[SUCCESS] Master connected : 64:80:B6:56:F9:AA
[INFO] Slave disconnected !
[INFO] Changing HCI Device (hci1) Random Address to : 64:80:B6:56:F9:AA
[SUCCESS] BD Address successfully modified !
[INFO] Connecting to slave 00:60:37:8C:AC:E4...
[INFO] Updating connection handle : 71
[INFO] Entering ACTIVE_MITM stage ...
[INFO] Exchange MTU Request (from master) : mtu = 185
[INFO] Redirecting to slave ...
[INFO] Exchange MTU Response (from slave) : mtu = 247
[INFO] Redirecting to master ...
[INFO] Read By Group Type Request (from master) : startHandle = 0x1 / endHandle = 0xffff / uuid = 0x2800
[INFO] Redirecting to slave ...
[INFO] Read By Group Type Response (from slave) : length = 6 / data = 01000400011806000c0000180e001a0009181c0020000f18220032000a18
[INFO] Redirecting to master ...
[INFO] Read By Group Type Request (from master) : startHandle = 0x33 / endHandle = 0xffff / uuid = 0x2800
[INFO] Redirecting to slave ...
[INFO] Error Response (from slave) : request = 0x10 / handle = 0x33 / ecode = 0xa
[INFO] Redirecting to master ...
[INFO] Read By Type Request (from master) : startHandle = 0x1 / endHandle = 0x4 / uuid = 0x2803
[INFO] Redirecting to slave ...
[INFO] Read By Type Response (from slave) : data = 070200200300052a
[INFO] Redirecting to master ...
[INFO] Find Information Request (from master) : startHandle = 0x4 / endHandle = 0x4
[INFO] Redirecting to slave ...
[INFO] Find Information Response (from slave) : format = 0x1 / data = 04000229
[INFO] Redirecting to master ...
[INFO] Write Request (from master) : handle = 0x4 / value = 0200
[INFO] Redirecting to slave ...
[INFO] Write Response (from slave)
[INFO] Redirecting to master ...
[INFO] Read By Type Request (from master) : startHandle = 0x6 / endHandle = 0xc / uuid = 0x2a00
[INFO] Redirecting to slave ...
[INFO] Read By Type Response (from slave) : data = 0d08004e58505f424c455f485453
[INFO] Redirecting to master ...
[INFO] Read By Type Request (from master) : startHandle = 0xe / endHandle = 0x1a / uuid = 0x2803
[INFO] Redirecting to slave ...
[INFO] Read By Type Response (from slave) : data = 070f002010001c2a12000213001d2a14001015001e2a17002a1800212a
[INFO] Redirecting to master ...
[INFO] Read By Type Request (from master) : startHandle = 0x19 / endHandle = 0x1a / uuid = 0x2803
[INFO] Redirecting to slave ...
[INFO] Error Response (from slave) : request = 0x8 / handle = 0x19 / ecode = 0xa
[INFO] Redirecting to master ...
[INFO] Read By Type Request (from master) : startHandle = 0x1c / endHandle = 0x20 / uuid = 0x2803
[INFO] Redirecting to slave ...
[INFO] Read By Type Response (from slave) : data = 071d00121e00192a
[INFO] Redirecting to master ...
[INFO] Read By Type Request (from master) : startHandle = 0x1f / endHandle = 0x20 / uuid = 0x2803
[INFO] Redirecting to slave ...
[INFO] Error Response (from slave) : request = 0x8 / handle = 0x1f / ecode = 0xa
[INFO] Redirecting to master ...
[INFO] Read By Type Request (from master) : startHandle = 0x22 / endHandle = 0x32 / uuid = 0x2803
[INFO] Redirecting to slave ...
[INFO] Read By Type Response (from slave) : data = 072300022400292a2500022600242a2700022800252a2900022a00272a2b00022c00262a2d00022e00282a2f00023000232a31000232002a2a
[INFO] Redirecting to master ...
[INFO] Find Information Request (from master) : startHandle = 0x11 / endHandle = 0x11
[INFO] Redirecting to slave ...
[INFO] Find Information Response (from slave) : format = 0x1 / data = 11000229
[INFO] Redirecting to master ...
[INFO] Find Information Request (from master) : startHandle = 0x16 / endHandle = 0x16
[INFO] Redirecting to slave ...
[INFO] Find Information Response (from slave) : format = 0x1 / data = 16000229
[INFO] Redirecting to master ...
[INFO] Find Information Request (from master) : startHandle = 0x19 / endHandle = 0x1a
[INFO] Redirecting to slave ...
[INFO] Find Information Response (from slave) : format = 0x1 / data = 190002291a000629
[INFO] Redirecting to master ...
[INFO] Find Information Request (from master) : startHandle = 0x1f / endHandle = 0x20
[INFO] Redirecting to slave ...
[INFO] Find Information Response (from slave) : format = 0x1 / data = 1f00042920000229
[INFO] Redirecting to master ...
[INFO] Write Request (from master) : handle = 0x16 / value = 0100

Thanks! Sam

RCayre commented 3 years ago

Perfect :) the patch is now merged in master branch.