
Bluetooth Low Energy

  • In order to interact with Bluetooth Low Energy, make sure your dongle is powered up and switched into low energy (LE) mode:

# verify the dongle is detected and in the UP state
hciconfig
# enable low energy mode
sudo btmgmt le on
# expected output:
hci0 Set Low Energy complete, settings: powered ssp br/edr le secure-conn
  • if you unplug the adapter for any reason the settings are lost: bring the interface back up and enable LE mode again

sudo hciconfig hci0 up
sudo btmgmt le on

Scanning for BLE devices

  • the scan floods you with output: the adapter listens on all three advertising channels (37, 38 and 39) and devices advertise several times a second.

  • look for unique addresses; this is easy to script in bash

sudo hcitool -i hci0 lescan
4C:CE:83:6B:73:1D (unknown)
D8:3A:DD:95:26:78 (unknown)
D8:3A:DD:95:26:78 tens
30:C6:F7:9D:09:BA 51c7928b
  • you can also redirect the scan to a file (hcitool lescan runs until you press Ctrl-C) and count occurrences with sort | uniq -c

sudo hcitool -i hci0 lescan > lescan.txt
sort lescan.txt | uniq -c
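The sort | uniq -c idea turned into a reusable script, as an added example that is not part of the original notes: it wraps the scan in a timeout (hcitool lescan never exits on its own) and collapses the capture to one line per address, preferring a real device name over (unknown) when the same address was seen both ways. The line format it parses is the `<BDADDR> <name>` format shown above; the sample lines used to check it are constructed from that output.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): summarise a hcitool lescan
# capture into one line per advertising address.

# Bounded scan: hcitool lescan runs until interrupted, so wrap it in timeout
# and send SIGINT (the signal hcitool handles to switch scanning off again).
# --duplicates keeps every advertisement, which makes the counts meaningful.
capture_scan() {
    local iface="${1:-hci0}" secs="${2:-30}" out="${3:-lescan.txt}"
    sudo timeout -s INT "$secs" hcitool -i "$iface" lescan --duplicates > "$out"
}

# Collapse a capture file to "<count> <BDADDR> <name>", most frequent first.
# Lines look like "<17-char BDADDR> <name>"; the "LE Scan ..." banner is
# skipped because its first field is not an address. A device usually shows
# up as "(unknown)" from its ADV_IND and with a name from its SCAN_RSP, so the
# first real name seen replaces "(unknown)".
summarise_scan() {
    awk '
        length($1) == 17 && $1 ~ /^[0-9A-Fa-f:]+$/ {
            addr = $1
            name = substr($0, 19)
            seen[addr]++
            if (!(addr in names) || names[addr] == "(unknown)") names[addr] = name
        }
        END { for (a in seen) printf "%d %s %s\n", seen[a], a, names[a] }
    ' "$1" | sort -rn
}
```

Usage: `capture_scan hci0 30 lescan.txt && summarise_scan lescan.txt`. Addresses that advertise far more often than the rest are usually the beacons and fitness trackers in the room, so the count column is a quick way to separate your target from background noise.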

GATT Tool to Connect to Devices

The pieces of the connection command, for the target used throughout these notes:

lecc: LE create connection, i.e. a BLE rather than a Classic connection (this is the hcitool lecc subcommand; gatttool itself always connects over LE).

-t public: the address type of the target device. public is the fixed, manufacturer-assigned address; use random if the device advertises a random (static or private) address, which is common on phones and privacy-aware peripherals.

-i hci0: the local BLE adapter to use.

-b BDADDR: the BDADDR of the target BLE device, D8:3A:DD:95:26:78 for the purposes of this demonstration.

-I: start gatttool in interactive mode.

connect: connect to the specified device from the interactive session.

primary: list the primary services (UUIDs) on the device together with the handle range each one occupies.

  • in the primary output the first service starts at attr handle 0x0001 and its end group handle is 0x0005, so the service occupies 5 handles (the service declaration plus its characteristic declarations, values and descriptors)

  • the second service spans 0x0006 through 0x0009, which is 4 handles

Documentation for GATT Services

  • Good reference page

Interacting with Services

  • values come back as hex bytes; convert the response from hex to ASCII to read any strings

Enumerate Range of Service handles

  • iterate the char-read-hnd command over the handle range, here 0x000a through 0x001a
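The handle bookkeeping from the primary output, the read loop over a handle range and the hex-to-ASCII conversion, as an added shell example that is not part of the original notes. It assumes gatttool's primary output format (`attr handle: 0x0001, end grp handle: 0x0005 uuid: ...`, or `attr handle = ...` from the non-interactive `--primary`) and the `Characteristic value/descriptor: 74 65 6e 73` format of char-read-hnd; the sample lines it is checked against are constructed. The address D8:3A:DD:95:26:78 is the target from these notes.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): work with the handle ranges
# reported by gatttool `primary`, read a range of handles, and decode the hex
# values gatttool returns.

BDADDR="${BDADDR:-D8:3A:DD:95:26:78}"   # target from the notes; override via env
HCI="${HCI:-hci0}"

# Thin wrapper so the adapter/target flags live in one place.
gatt() { sudo gatttool -t public -i "$HCI" -b "$BDADDR" "$@"; }

# Turn `primary` output into "<start> <end> <handle count> <uuid>".
# The count is end - start + 1: the service declaration plus its characteristic
# declarations, values and descriptors. That is why 0x0001..0x0005 is 5 handles
# and 0x0006..0x0009 is 4. (The 128-bit UUID contains no "0x", so the only
# 0x-prefixed tokens on the line are the two handles.)
service_ranges() {
    grep -i 'attr handle' | while IFS= read -r line; do
        set -- $(printf '%s\n' "$line" | grep -o '0x[0-9A-Fa-f]*')
        uuid=${line##*uuid: }
        printf '%s %s %d %s\n' "$1" "$2" $(( $2 - $1 + 1 )) "$uuid"
    done
}

# Print every handle in [start, end] as 0x%04x, one per line.
handle_list() {
    local h=$(( $1 ))
    while [ "$h" -le $(( $2 )) ]; do
        printf '0x%04x\n' "$h"
        h=$(( h + 1 ))
    done
}

# "74 65 6e 73" -> "tens". Each byte becomes a \ooo octal escape for printf,
# so no xxd is needed. (A 00 byte cannot survive as shell text.)
hex_to_ascii() {
    local byte fmt=""
    for byte in $1; do
        fmt="$fmt\\$(printf '%03o' "$(( 0x$byte ))")"
    done
    printf "$fmt"
}

# read_range 0x000a 0x001a: read every handle in the range and show the raw
# hex next to its ASCII form. Handles that refuse a read (declarations,
# write-only characteristics) just produce gatttool's error line.
read_range() {
    local h out
    for h in $(handle_list "$1" "$2"); do
        out=$(gatt --char-read -a "$h" 2>&1)
        case $out in
            *"Characteristic value/descriptor: "*)
                printf '%s: %s | %s\n' "$h" "${out#*: }" "$(hex_to_ascii "${out#*: }")" ;;
            *) printf '%s: %s\n' "$h" "$out" ;;
        esac
    done
}
```

Usage: `gatt --primary | service_ranges` to see how many handles each service covers, then `read_range 0x000a 0x001a` to dump a service's handles in one go instead of typing char-read-hnd for each one.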

Writing to a Device

  • after enumerating the handles and reading their values with char-read-hnd, write values with char-write-req to alter the device's settings

BLE Fuzzing

  • blefuzz can be used to fuzz BLE devices

  • the script does not accept command-line arguments; all data is entered manually

  • modify the script to perform write operations

  • at the bottom there is a long run of read commands; change them to --char-write or --char-write-req, using -a to specify the handle and -n to specify the value to write

  • you can then automate any testing you want to perform
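A small write fuzzer in the spirit of the modified blefuzz, as an added example that is neither the blefuzz script nor code from the original notes: it writes a set of boundary payloads to one handle with --char-write-req and reads the handle back after each write to notice when the device stops answering. It assumes gatttool's "Characteristic value was written successfully" and "Characteristic value/descriptor:" messages; GATT_CMD is an assumed variable that lets a stub stand in for gatttool so the loop can be exercised without an adapter.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes, not the blefuzz script): write
# fuzzing of a single GATT handle with a read-back liveness check.

BDADDR="${BDADDR:-D8:3A:DD:95:26:78}"
HCI="${HCI:-hci0}"
# GATT_CMD lets a stub replace gatttool (used for offline testing);
# the default is the real tool.
GATT_CMD="${GATT_CMD:-sudo gatttool}"

gatt() { $GATT_CMD -t public -i "$HCI" -b "$BDADDR" "$@"; }

# Hex payloads worth sending to a characteristic of unknown width, in the
# format gatttool's -n expects: single-byte boundaries, multi-byte extremes,
# and a 20-byte blob (the most a default-MTU write request carries).
fuzz_payloads() {
    printf '%s\n' 00 01 7f 80 ff 0000 ffff 0100 0001 00000000 ffffffff
    printf '4141414141414141414141414141414141414141\n'
}

# fuzz_handle 0x0034
# One line per payload: "<payload> <written|write-failed(...)> <read-ok <hex>|no-response(...)>".
# Returns non-zero if the device ever stopped answering reads, which is the
# signal that a payload crashed or wedged it.
fuzz_handle() {
    local handle=$1 payload w r status=0
    for payload in $(fuzz_payloads); do
        w=$(gatt --char-write-req -a "$handle" -n "$payload" 2>&1)
        case $w in
            *"written successfully"*) w=written ;;
            *) w="write-failed($w)" ;;
        esac
        r=$(gatt --char-read -a "$handle" 2>&1)
        case $r in
            *"Characteristic value/descriptor: "*) r="read-ok ${r#*: }" ;;
            *) r="no-response($r)"; status=1 ;;
        esac
        printf '%s %s %s\n' "$payload" "$w" "$r"
        # Give the peripheral a moment; many fall over on back-to-back writes,
        # and you want to know which payload did it, not which burst.
        sleep "${FUZZ_DELAY:-0.2}"
    done
    return $status
}
```

Usage: `fuzz_handle 0x0034 | tee fuzz-0x0034.log`. A write-failed line with "Attribute value length is invalid" tells you the characteristic's width, which narrows the next round of payloads; a no-response line means stop and reproduce that single payload before moving on.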

Reverse Engineering BLE

  • many BLE devices ship with an Android and iOS application that is used to control the device

  • reverse engineer the target application (Android apps are easier, as the APK can be downloaded from APK Monk)

  • JadX reconstructs the Java source code from the APK

  • with the source open, search for strings such as:

    • BluetoothGattCallback

    • BluetoothGattDescriptor

    • Bluetooth

Reverse Engineering BLE with PCAP

  • Android can log every HCI packet to a file (btsnoop_hci.log), which opens in Wireshark

  • turn on the HCI snoop log in Android

    • it is under Developer options ("Enable Bluetooth HCI snoop log"); pull the file with ADB or just email it to yourself

  • after opening the capture, filter on btatt

    • this shows only the Attribute Protocol (ATT) traffic

  • that is all the data sent and received between the BLE device and the app

  • filter on the Read Request opcode: btatt.opcode == 0x0a

  • filter on the Write Request opcode: btatt.opcode == 0x12

  • it is simple to derive the valid handles this way

  • tshark can do the same from the command line

  • in the tshark output above, btatt.value is always 06 for that handle, so rule it out as a handle that controls a device setting; the handles whose values differ between writes are the likely setting changes

  • to find them, watch how btatt.value changes from packet to packet for each handle

    • if handle 0x0031 carries the same btatt.value every time, rule it out; look for handles whose btatt.value changes each time or frequently

  • awk out the handles, then re-run the last tshark command for each one and check whether its values vary a lot

Reverse Engineering TSHARK HCI Summary

  • awk for the handles, iterate through them and watch for changing values

  • head was used here to save space; don't do this for real, you might miss something...

  • 0x0034 is the handle we want!
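The "which handle's value keeps changing" analysis from the last two sections, as an added example that is not part of the original notes. The tshark call assumes the standard btatt.opcode, btatt.handle and btatt.value field names and tshark's default tab-separated `-T fields` output (byte values come out either as `0aff` or, on older builds, `0a:ff`, so both are tolerated); the handle/value lines used to check the ranking are constructed and modelled on the notes, with handle 0x0031 always written with 06 and 0x0034 written with a different value each time.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): pull ATT requests out of an
# Android btsnoop_hci.log with tshark and rank written handles by how many
# distinct values they were given.

# extract_att btsnoop_hci.log [opcode]
# Emits "<handle>\t<value>" per ATT request of that opcode. 0x12 (Write
# Request) is the default; 0x0a (Read Request) carries a handle but no value.
extract_att() {
    tshark -r "$1" -Y "btatt.opcode == ${2:-0x12}" -T fields -e btatt.handle -e btatt.value
}

# Read "<handle> <value>" lines (e.g. from extract_att) and print
# "<distinct values> <writes> <handle> <values...>", most distinct first.
# A handle that is always written with the same value (06 in the notes) is
# probably an enable flag or keep-alive; the one whose value keeps changing is
# the setting the app is adjusting.
rank_handles() {
    awk '
        NF >= 2 {
            gsub(/:/, "", $2)            # tolerate colon-separated byte output
            writes[$1]++
            if (!(($1, $2) in seen)) {
                seen[$1, $2] = 1
                distinct[$1]++
                vals[$1] = vals[$1] " " $2
            }
        }
        END {
            for (h in writes)
                printf "%d %d %s%s\n", distinct[h], writes[h], h, vals[h]
        }
    ' | sort -rn
}

# Convenience: the single most interesting handle from a capture.
top_handle() {
    extract_att "$1" 0x12 | rank_handles | head -1 | awk '{ print $3 }'
}
```

Usage: `extract_att btsnoop_hci.log | rank_handles` prints the full table, so nothing is hidden the way head would hide it; `top_handle btsnoop_hci.log` is the one-liner once you trust the heuristic. Pair the winning handle with the write flow in the decompiled app (BluetoothGattCallback and friends) to confirm what the values mean before you start writing them back with gatttool.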
