Closed whoot closed 1 year ago
Well, I'm currently thinking about two possible reasons:
Well, I'm currently thinking about two possible reasons:
* the channel map may have changed: channel map updates are not supported (yet) while jamming a connection
I can rule that out, because sniffing the traffic after failing to hijack the session still works with the same parameters.
* low supervision timeout: detecting a successfully jammed connection takes some time as btlejack waits for no packets sent by the master device, but if latency is low then this master device may consider the connection lost before btlejack does the same and start sending packets to keep the connection alive.
Ok so basically the master needs to stop sending packages to the slave to make this attack work?
I can rule that out, because sniffing the traffic after failing to hijack the session still works with the same parameters.
Allright, that means btlejack did not managed to jam this connection. A few ideas to improve the attack:
Ok so basically the master needs to stop sending packages to the slave to make this attack work?
This attack is based on jamming: btlejack jams every packet sent by the slave to the master (once it is synchronized), detects when the master considers the connection lost (no more packets from the master) and spoofs the master.
Placing the Mirco:Bit closer to the master device worked! However, I cant get any results:
btlejack -f 0x17242e08 -t -m 1fffffffff --hop-interval 40
BtleJack version 2.0
[i] Using cached parameters (created on 2019-10-28 12:43:04)
[i] Detected sniffers:
> Sniffer #0: fw version 2.0
> Sniffer #1: fw version 2.0
> Sniffer #2: fw version 2.0
[i] Synchronizing with connection 0x17242e08 ...
✓ CRCInit: 0xd2545f
✓ Channel map is provided: 0x1fffffffff
✓ Hop interval = 40
✓ Hop increment = 8
[i] Synchronized, hijacking in progress ...
[i] Connection successfully hijacked, it is all yours \o/
btlejack> discover
btlejack>
See #64, I've just answered this question in details.
Hey, I´m having an issue where btlejack cant hijack an bluetooth LE connection:
And im not sure if the issue is myself or the connection or btlejack. Can you explain why Hijacking does not work or what the issue could be?
EDIT: capturing the traffic works as expected with the same CRCInit, Channel Map, Hop interval and Hop increment values.