seemoo-lab / internalblue

Bluetooth experimentation framework for Broadcom and Cypress chips.

Connecting a Bluetooth LE returns Disconnect Complete #68

Open ADarkDividedGem opened 1 year ago

ADarkDividedGem commented 1 year ago

Describe the bug

Attempting to connect to my Bluetooth LE device just returns Disconnect Complete

Hardware and operating system

To Reproduce

pi@raspberrypi:~ $ sudo service bluetooth stop
pi@raspberrypi:~ $ sudo internalblue
[*] HCI device: hci0  [DC:A6:32:21:D0:A8]  flags=0<DOWN>
[*] No adb devices found.
[!] Device hci0 is DOWN!
[*] Trying to set hci0 to state 'UP' (requires root)
[*] Device with id=0 was set up successfully!
[*] Connected to hci0
[*] Chip identifier: 0x6119 (003.001.025)
[*] Using fw_0x6119.py
[*] Loaded firmware information for BCM4345C0.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] Starting commandLoop for self.internalblue <internalblue.hcicore.HCICore object at 0x7f9ca88b20>
   ____     __                    _____  __
  /  _/__  / /____ _______  ___ _/ / _ )/ /_ _____
 _/ // _ \/ __/ -_) __/ _ \/ _ `/ / _  / / // / -_)
/___/_//_/\__/\__/_/ /_//_/\_,_/_/____/_/\_,_/\__/

type <help -v> for usage information!
> loglevel debug
[*] New log level: DEBUG
> connectle 30:1B:97:75:D3:42
[!] _sendThreadFunc: Send: 010d201960003000000042d375971b3001180028000000d00700000000
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.165167] HCI_EVT<0x0f EVENT Command_Status (len=4): 00010d20>
[!] sendHciCommand.recvFilterFunction: got response
> [!] _recvThreadFunc Recv: [2023-01-01 08:02:53.198567] HCI_EVT<0x3e EVENT LE_Meta_Event (len=19): 01004000000042d375971b3027000000d00700>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.202017] HCI_CMD0x%04x COMND LE_Read_Remote_Used_Features (len=2):  4000
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.203791] HCI_EVT<0x0f EVENT Command_Status (len=4): 00011620>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.307733] ACL_DATA
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.357129] HCI_EVT<0x3e EVENT LE_Meta_Event (len=12): 040040003d00000000000000>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.357924] ACL_DATA
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.358756] ACL_DATA
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.454447] HCI_EVT<0x3e EVENT LE_Meta_Event (len=11): 074000fb004808fb004808>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.607379] HCI_EVT<0x13 EVENT Number_Of_Completed_Packets (len=5): 0140000100>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:55.989300] ACL_DATA
[!] _recvThreadFunc Recv: [2023-01-01 08:02:55.990617] ACL_DATA
[!] _recvThreadFunc Recv: [2023-01-01 08:02:56.232797] HCI_EVT<0x13 EVENT Number_Of_Completed_Packets (len=5): 0140000100>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:58.009434] HCI_CMD0x%04x COMND Disconnect (len=3):  400013
[!] _recvThreadFunc Recv: [2023-01-01 08:02:58.010555] HCI_EVT<0x0f EVENT Command_Status (len=4): 00010604>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:58.037178] HCI_EVT<0x05 EVENT Disconnection_Complete (len=4): 00400016>
[*] [Disconnect Complete: Handle=0x40]
exit
[*] Shutdown complete.

Logs or screenshots

Additional context

The Bluetooth device appears in a LE Scan and returns information when asked:

pi@raspberrypi:~ $ sudo hcitool lescan
LE Scan ...
30:1B:97:75:D2:9B (unknown)
C6:F6:7F:1F:6A:5A (unknown)
C6:F6:7F:1F:6A:5A (unknown)
30:1B:97:75:D3:42 (unknown)
34:EE:3A:D4:59:3C (unknown)
30:1B:97:75:D3:42 BLE Device 3891BA
30:1B:97:75:D2:9B BLE Device 6523F1
pi@raspberrypi:~ $ sudo hcitool leinfo 30:1B:97:75:D3:42
Requesting information ...
        Handle: 64 (0x0040)
        LMP Version: 5.0 (0x9) LMP Subversion: 0x1c1c
        Manufacturer: Telink Semiconductor Co. Ltd (529)
        Features: 0x3d 0x00 0x00 0x00 0x00 0x00 0x00 0x00

It connects successfully using bluetoothctl and asks for the Passkey when pairing it

pi@raspberrypi:~ $ bluetoothctl
Agent registered
[bluetooth]# scan on
Discovery started
[CHG] Controller DC:A6:32:21:D0:A8 Discovering: yes
[NEW] Device 30:1B:97:75:D3:42 BLE Device 3891BA
[NEW] Device 30:1B:97:75:D2:9B BLE Device 6523F1
[NEW] Device A2:C5:46:00:00:1C Graeme's Armor
[bluetooth]# connect 30:1B:97:75:D3:42
Attempting to connect to 30:1B:97:75:D3:42
[CHG] Device 30:1B:97:75:D3:42 Connected: yes
Connection successful
[CHG] Device 30:1B:97:75:D3:42 ServicesResolved: yes
[CHG] Device 30:1B:97:75:D3:42 ServicesResolved: no
[CHG] Device 30:1B:97:75:D3:42 Connected: no
[bluetooth]# pair 30:1B:97:75:D3:42
Attempting to pair with 30:1B:97:75:D3:42
[CHG] Device 30:1B:97:75:D3:42 Connected: yes
[CHG] Device 30:1B:97:75:D3:42 ServicesResolved: yes
Request passkey
[agent] Enter passkey (number in 0-999999):
jiska2342 commented 1 year ago

This "works as intended": Since the Linux host is not aware of the LE connection handle, it closes the LE connection created by InternalBlue. Most operating systems act like this by default, with different timeouts.
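The explanation above can be checked directly against the debug trace in the report. The script below is an added example, not part of the issue or of InternalBlue's code: it parses the `HCI_EVT` lines from the trace (copied verbatim into `TRACE`), decodes the LE Connection Complete event, the Command_Status for the host's Disconnect command, and the Disconnection_Complete event, and pairs them by connection handle. The opcode and reason-code tables are the standard values from the Bluetooth Core specification; the field layouts assumed are those of the spec's event formats. The decoded Disconnection_Complete reason 0x16 ("Connection Terminated By Local Host") on handle 0x0040, a few seconds after the link came up, is what a host-side teardown of a connection the host never opened looks like.

```python
import re
import struct
from datetime import datetime

# Constructed sample: the HCI_EVT lines copied from the issue's debug trace above.
TRACE = """\
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.165167] HCI_EVT<0x0f EVENT Command_Status (len=4): 00010d20>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.198567] HCI_EVT<0x3e EVENT LE_Meta_Event (len=19): 01004000000042d375971b3027000000d00700>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.203791] HCI_EVT<0x0f EVENT Command_Status (len=4): 00011620>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.357129] HCI_EVT<0x3e EVENT LE_Meta_Event (len=12): 040040003d00000000000000>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.454447] HCI_EVT<0x3e EVENT LE_Meta_Event (len=11): 074000fb004808fb004808>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:58.010555] HCI_EVT<0x0f EVENT Command_Status (len=4): 00010604>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:58.037178] HCI_EVT<0x05 EVENT Disconnection_Complete (len=4): 00400016>
"""

LINE_RE = re.compile(
    r"\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\] "
    r"HCI_EVT<0x(?P<code>[0-9a-f]{2}) EVENT \w+ \(len=\d+\): (?P<hex>[0-9a-f]+)>"
)

# Command opcodes (OGF << 10 | OCF) and disconnect reason codes from the Bluetooth Core spec.
OPCODES = {0x0406: "Disconnect", 0x200D: "LE_Create_Connection", 0x2016: "LE_Read_Remote_Features"}
REASONS = {
    0x08: "Connection Timeout",
    0x13: "Remote User Terminated Connection",
    0x16: "Connection Terminated By Local Host",
    0x22: "LMP/LL Response Timeout",
    0x3E: "Connection Failed to be Established",
}


def bdaddr(raw):
    """HCI carries BD_ADDRs little-endian; render them the way hcitool/bluetoothctl do."""
    return ":".join(f"{b:02X}" for b in raw[::-1])


def decode_event(code, payload):
    """Decode the subset of HCI events that matter for a connection lifecycle."""
    if code == 0x0F:  # Command_Status: status, num_hci_cmd_pkts, opcode
        status, _, opcode = struct.unpack("<BBH", payload)
        return {"type": "Command_Status", "status": status, "opcode": opcode,
                "command": OPCODES.get(opcode, f"opcode 0x{opcode:04x}")}
    if code == 0x05:  # Disconnection_Complete: status, handle, reason
        status, handle, reason = struct.unpack("<BHB", payload)
        return {"type": "Disconnection_Complete", "status": status, "handle": handle,
                "reason": reason, "reason_text": REASONS.get(reason, "unknown")}
    if code == 0x3E and payload[0] == 0x01:  # LE Meta, subevent LE_Connection_Complete
        status, handle, role, addr_type = struct.unpack("<BHBB", payload[1:6])
        interval, latency, timeout = struct.unpack("<HHH", payload[12:18])
        return {"type": "LE_Connection_Complete", "status": status, "handle": handle,
                "role": "central" if role == 0 else "peripheral", "peer": bdaddr(payload[6:12]),
                "interval_ms": interval * 1.25, "latency": latency,
                "supervision_timeout_ms": timeout * 10}
    if code == 0x3E and payload[0] == 0x07:  # LE Meta, subevent LE_Data_Length_Change
        handle, tx_oct, tx_time, rx_oct, rx_time = struct.unpack("<HHHHH", payload[1:11])
        return {"type": "LE_Data_Length_Change", "handle": handle, "tx_octets": tx_oct,
                "tx_time_us": tx_time, "rx_octets": rx_oct, "rx_time_us": rx_time}
    return {"type": f"event_0x{code:02x}", "raw": payload.hex()}


def parse_trace(text):
    """Pull every HCI_EVT line out of an InternalBlue debug log and decode it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ACL_DATA and HCI_CMD lines carry no event payload in this trace
        ev = decode_event(int(m["code"], 16), bytes.fromhex(m["hex"]))
        ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return events


def connection_lifecycle(text):
    """Pair the LE connection with its teardown and say which side tore it down."""
    events = parse_trace(text)
    conn = next(e for e in events if e["type"] == "LE_Connection_Complete")
    disc = next(e for e in events
                if e["type"] == "Disconnection_Complete" and e["handle"] == conn["handle"])
    # A Command_Status for Disconnect shows our own controller was told to hang up.
    local_cmd = any(e["type"] == "Command_Status" and e["opcode"] == 0x0406 for e in events)
    return {
        "handle": conn["handle"], "peer": conn["peer"], "role": conn["role"],
        "interval_ms": conn["interval_ms"], "supervision_timeout_ms": conn["supervision_timeout_ms"],
        "reason": disc["reason"], "reason_text": disc["reason_text"],
        "lifetime_s": round((disc["ts"] - conn["ts"]).total_seconds(), 2),
        "host_initiated": local_cmd and disc["reason"] == 0x16,
    }


if __name__ == "__main__":
    for ev in parse_trace(TRACE):
        print(ev["ts"].time(), {k: v for k, v in ev.items() if k != "ts"})
    print(connection_lifecycle(TRACE))
```

Run as-is it prints the decoded timeline and a summary showing handle 0x0040 to peer 30:1B:97:75:D3:42 with a 48.75 ms interval and 20 s supervision timeout, closed about 4.84 s later with reason 0x16 following a local Disconnect command. A supervision timeout or a remote-side teardown would instead show reason 0x08 or 0x13 with no preceding Disconnect Command_Status, which is the quickest way to tell "the host killed a link it did not know about" apart from a radio or peripheral problem.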