Closed by ghost 8 years ago
Hi,
it looks like a problem with reading the text descriptor value (UUID 2901).
Can you try scanning services+characteristics without reading characteristics values?
node scan.js -r <peripheral>
If that works, the services file (devices/PERIPHERAL.srv.json) should be generated, and you can proceed with MITM. You can provide static characteristic values by hand if needed, by entering a staticValue hook in the services JSON file. The text descriptors (like in this case) are really rarely needed by the central device.
One of the reasons for the problem might be a device which requires authentication (pairing) for reading specific characteristic (in this case descriptor 2901) values; if we do not read the values, it will not trigger the error.
For further diagnosis, try to run ws-slave in debug mode:
DEBUG=ws-slave node ws-slave
and at the same time run hcidump on the noble device:
hcidump -i <hcidev> -x -t
and post the result fragments of unsuccessful scanning here please.
Thank you for the speedy reply. I tried to do what you suggested, but unfortunately I'm still struggling to generate the services file.
Here's the hcidump: http://pastebin.com/RrctNGVc Thanks
I do not see a proper connection in the hcidump, nor the advertising results ("LE Advertising Report"). I would guess you may be trying to run it on a box with multiple BT4 devices attached. In such a configuration, the low-level noble bluetooth-hci-socket HCI requests do sometimes confuse devices (e.g. hci0 and hci1), even if you set NOBLE_HCI_DEVICE_ID properly. It may happen that some commands are sent to one interface and some to the other. Do you see any HCI commands on the other interface at the same time? You may try to switch devices (set NOBLE_HCI_DEVICE_ID in config.env to 0 instead of 1). Unplugging/powering down (hciconfig hciX down) the other device may also help; for scanning functionality you need just one device. What device is it exactly? The only experience with Broadcom I have is the Raspberry Pi 3 embedded one, but based on the 4.0 rather than 4.1 version support I guess this is not the case. Do you have a CSR-based dongle to try, maybe?
You may also try to reset the device (hciconfig hciX reset/down/up, re-plug...). Sometimes the firmware of the device is in an improper state.
I have tried to modify the config.env file and restarted the device a number of times, but still no luck here.
I am wondering if the problem lies in my hardware rather than the software, though. So at the moment I am using two machines, both running Ubuntu 16.04. For both I am using this BT4 dongle from Plugable > http://plugable.com/products/usb-bt4le . Do I need to get some new CSR-based dongles?
Although I did not test these specific dongles, I would expect them to work properly. I did experience unstable behaviour with dongles other than CSR, but only after changing the MAC address, working from a VM or forcing the firmware to broadcast with too short intervals. That involved the device emulator (bleno) functionality rather than noble (scanning, discovery).
You can try connecting to your peripheral device using the BlueZ command-line tools, specifically hcitool and gatttool, directly. First, check if you are able to see peripheral advertisements:
# hcitool lescan
LE Scan ...
F6:AD:07:C5:56:66 (unknown)
F6:AD:07:C5:56:66 GATTack.io
EC:FE:7E:13:9F:95 (unknown)
EC:FE:7E:13:9F:95 LockECFE7E139F95
then, try to connect to the peripheral using gatttool:
# gatttool -I -b <peripheral_mac_address>
If that succeeds, try to read the peripheral's services and characteristics (commands: primary, characteristics, char-desc...):
[EC:FE:7E:13:9F:95][LE]> connect
Attempting to connect to EC:FE:7E:13:9F:95
Connection successful
[EC:FE:7E:13:9F:95][LE]> primary
attr handle: 0x0001, end grp handle: 0x000b uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle: 0x000c, end grp handle: 0x000f uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle: 0x0010, end grp handle: 0x0013 uuid: 0000180f-0000-1000-8000-00805f9b34fb
attr handle: 0x0014, end grp handle: 0xffff uuid: da2b84f1-6279-48de-bdc0-afbea0226079
If that works, it means the problem is not with your hardware or system, but with the node modules. We will be able to proceed with further diagnosis then, using hcidump and other debug logs.
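The following is an added example, not code from the issue thread, from GATTacker or from BlueZ: a small Node.js script that parses the hcitool lescan and gatttool primary output quoted above, expands the 16-bit SIG UUIDs embedded in the Bluetooth base UUID, sanity-checks the discovered handle ranges, and maps an attribute handle seen in an hcidump ATT request back to the service it belongs to. The sample input is constructed from the lines in the comment; the few UUID names in KNOWN_16BIT are the only ones mapped, everything else is reported as vendor-specific.

```javascript
// Added example (not part of the original issue or the GATTacker project):
// parse hcitool lescan / gatttool "primary" output so that handle ranges can be
// correlated with the ATT traffic seen in hcidump.

const BT_BASE_SUFFIX = '-0000-1000-8000-00805f9b34fb';

// Bluetooth SIG assigned numbers that appear in this thread (assumption: only
// these are mapped; other SIG numbers are printed as hex, 128-bit ones as vendor-specific).
const KNOWN_16BIT = {
  0x1800: 'Generic Access',
  0x1801: 'Generic Attribute',
  0x180f: 'Battery Service',
  0x2901: 'Characteristic User Description',
};

// A 16-bit UUID is carried in a 128-bit one as 0000XXXX-0000-1000-8000-00805f9b34fb.
function shortUuid(uuid128) {
  const u = uuid128.toLowerCase();
  if (u.length === 36 && u.startsWith('0000') && u.endsWith(BT_BASE_SUFFIX)) {
    return parseInt(u.slice(4, 8), 16);
  }
  return null; // not on the Bluetooth base: vendor-specific 128-bit UUID
}

function describeUuid(uuid128) {
  const s = shortUuid(uuid128);
  if (s === null) return 'vendor-specific';
  return KNOWN_16BIT[s] || `0x${s.toString(16).padStart(4, '0')} (SIG, unmapped here)`;
}

// hcitool lescan prints the same address twice: once as "(unknown)" from the
// advertisement and once with the name from the scan response. Keep one entry
// per address and prefer a real name over "(unknown)".
function parseLescan(text) {
  const devices = new Map();
  for (const line of text.split('\n')) {
    const m = line.match(/^([0-9A-F]{2}(?::[0-9A-F]{2}){5})\s+(.*)$/i);
    if (!m) continue;
    const addr = m[1].toUpperCase();
    const name = m[2].trim();
    const prev = devices.get(addr);
    if (!prev || prev === '(unknown)') devices.set(addr, name);
  }
  return devices;
}

// gatttool "primary" lines: attr handle: 0x0001, end grp handle: 0x000b uuid: ...
function parsePrimary(text) {
  const services = [];
  const re = /attr handle:\s*(0x[0-9a-f]+),\s*end grp handle:\s*(0x[0-9a-f]+)\s*uuid:\s*([0-9a-f-]{36})/i;
  for (const line of text.split('\n')) {
    const m = line.match(re);
    if (!m) continue;
    services.push({
      start: parseInt(m[1], 16),
      end: parseInt(m[2], 16),
      uuid: m[3].toLowerCase(),
      name: describeUuid(m[3]),
    });
  }
  return services;
}

// Sanity check: primary service groups must be ascending and non-overlapping.
// A discovery result that breaks this points at a broken scan, not at the device.
function rangesAreSane(services) {
  for (let i = 0; i < services.length; i++) {
    const s = services[i];
    if (s.start > s.end) return false;
    if (i > 0 && s.start <= services[i - 1].end) return false;
  }
  return true;
}

// Map an attribute handle from an hcidump ATT Read Request back to its service.
function serviceForHandle(services, handle) {
  return services.find((s) => handle >= s.start && handle <= s.end) || null;
}

// Constructed sample input, copied from the command output quoted in the thread.
const LESCAN_SAMPLE = `LE Scan ...
F6:AD:07:C5:56:66 (unknown)
F6:AD:07:C5:56:66 GATTack.io
EC:FE:7E:13:9F:95 (unknown)
EC:FE:7E:13:9F:95 LockECFE7E139F95`;

const PRIMARY_SAMPLE = `attr handle: 0x0001, end grp handle: 0x000b uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle: 0x000c, end grp handle: 0x000f uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle: 0x0010, end grp handle: 0x0013 uuid: 0000180f-0000-1000-8000-00805f9b34fb
attr handle: 0x0014, end grp handle: 0xffff uuid: da2b84f1-6279-48de-bdc0-afbea0226079`;

const devices = parseLescan(LESCAN_SAMPLE);
const services = parsePrimary(PRIMARY_SAMPLE);
for (const [addr, name] of devices) console.log(`${addr}  ${name}`);
for (const s of services) console.log(`0x${s.start.toString(16)}-0x${s.end.toString(16)}  ${s.name}`);
console.log('ranges sane:', rangesAreSane(services));
console.log('handle 0x0012 belongs to:', serviceForHandle(services, 0x0012).name);
```

Run it with `node` and feed it your own `hcitool lescan` / `gatttool` output instead of the constructed samples; when an hcidump shows the peripheral answering a read with an ATT error, serviceForHandle tells you which service the failing handle sits in.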
I have tried what you recommended, it seems both my hardware and system are fine. I will try to capture hcidump again and paste the link. Hopefully I'll be able to see the traffic this time.
Thanks
Here's the hcidump: http://pastebin.com/y8jeVdC2
So I guess you were able to successfully receive advertisements, connect to your device and read its characteristics using the command-line hcitool+gatttool? That would confirm your system+hardware is capable of it. But you are unable to do the same using GATTacker? First, scanning for advertisements (scan.js), then "cloning" the specific device (scan.js your_peripheral_id)?
So let's try to do the same using a simple example noble script:
node lib/noble/examples/peripheral-explorer.js <your_device_id>
If that works, it means noble is also working correctly in your system. That will allow us to narrow the problem.
BTW, have you turned bluetoothd off? Generally it should not interfere with noble (rather with bleno), but it won't hurt to switch it off. In Ubuntu that will be:
systemctl stop bluetooth
And then of course remember to bring the interface up again (bluetoothd will probably bring it down during shutdown):
hciconfig hci0 up
Regarding config.env: if you run each part of the tool on a separate system which has only one BT4 adapter, you do not need to specify NOBLE_HCI_DEVICE_ID or BLENO_HCI_DEVICE_ID, and you can leave the default values commented out. The noble script will use the only available one automatically. If you run ws-slave.js and scan.js on the same system, you can also leave the default WS_SLAVE 127.0.0.1.
Yes I can receive advertisements and when I use hcitool & gatttool I'm able to read characteristics.
With GATTacker I can scan for devices as well and obtain "scan.js" file. However, when I try to move on and clone the device that is when I get the error message "userDescriptionDescriptor.readValue..."
I have tried to run the simple noble script above, and it seems I am getting a very similar error message. I also did turn off bluetooth and ran the hciconfig interface up command.
Here is the hcidump: http://pastebin.com/PC8F1aNx
I will also send you a screenshot of the error message itself, if that might help to diagnose the problem. Thanks
This hcidump looks much better. Proper connect, and services discovery. Looks like you found a bug in noble regarding descriptors: does discoverDescriptors not return proper objects? It may be something specific to your device.
I just pushed a patch to GATTacker regarding the scanning without reading: https://github.com/securing/gattacker/commit/6982473ca48d3ca106f648b5c5988e078b8addd5 The command-line option was not parsed correctly, and it did read the values even if you ran "scan -r". Try the current version.
That patch has done the trick. Thank you so much for your help. :)
The actual cause of the problem turned out to be incorrect function-call syntax for the current async module version, as spotted here: https://github.com/securing/gattacker/issues/4 Scanning peripherals with user descriptors (2901) and reading the values should now work.
I'm getting a "userDescriptionDescriptor.readValue is not a function" when I try to explore services and characteristics with command node scan peripheralAddr . I'm not sure what is causing the error and how to fix it. Would you be able to help please?