Bluetooth Low Energy

• In order to interact with bluetooth low energy ensure you configure your dongle to be in low energy mode

# verify dongle is detected and in up state
hciconfig
# set to low energy mode
sudo btmgmt le on 
hci0 Set Low Energy complete, settings: powered ssp br/edr le secure-conn 

• if you have to unplug the adapter for any reason you will need to set le mode again and ensure device is in an up state

sudo hciconfig hci0 up
sudo btmgmt le on

Scanning for BLE devices

• when the scan occurs we will be flooded with information as it will scan on all three channels and advertisements happen frequently.

• Look for unique addresses, easy to bash script

sudo hcitool -i hci0 lescan
4C:CE:83:6B:73:1D (unknown)
D8:3A:DD:95:26:78 (unknown)
D8:3A:DD:95:26:78 tens
30:C6:F7:9D:09:BA 51c7928b

• you can also capture to a file and then uniq -c

sudo hcitool -i hci0 lescan > lescan.txt
cat lescan.txt | sort | uniq -c

GATT Tool to Connect to Devices

• you can see 0x0001 for the first attr handle and the individual values for the service end at address 0x0005 meaning there are 5 values for that service

• for the second attr handle: 0x06 through 0x09 represents 4 service values.

Documentation for GATT Services

• Good reference page

Interacting with Services

• convert the response from hex to ascii

Enumerate Range of Service handles

• we can iterate through this enumeration command from 0x000a to 0x001a

Writing to a Device

• after enumerating the handles and getting the values with char-read-hnd we can write values altering the settings of the device

BLE Fuzzing

• we can use blefuzz to fuzz ble

• script does not accept cmdline args, all manual data input

• modify this script to perform write operations

• at the bottom you will see a large amount of read commands, you can modify to --char-write and --char-write-req using -a to specify the handle and -n to specify the value to write.

• you can now automate any testing you want to perform.

Reverse Engineering BLE

• many bluetooth le devices have an android and ios application which is utilized to control the device.

• we should use the target application (android apps are better as they can be downloaded from APK Monk)

• we can use JadX to reconstruct the Java source code.

GitHub - skylot/jadx: Dex to Java decompilerGitHub

• with the source code up search for strings

  • BluetoothGattCallback

  • BluetoothGattDescriptor

  • Bluetooth

Reverse Engineering BLE with PCAP

• Android devices can dump all hci commands to a log file and the traffic can be captured in Wireshark

• Turn on the HCI capture feature in Android

  • It is under the developer options, can exfil the file with ADB or just email it to yourself.

• after opening pcap, filter on btatt

  • this will show us the bluetooth attribute protocol

• it is all the data send and recieved between the ble device and the app

• filter on the read request opcode btatt.opcode == 0x0a

• filter on the write request opcode btatt.opcode == 0x12

• it is simple to derive the valid handles this way

• can also use tshark

• in the last above command we can see the value btatt.value always is 06. so we can rule that out as a handle that controls a device setting. find the values that are different as those are likely the setting changes

• to find these values see which wireshark btatt.value changes per packet

  • if handle 0x0031 has the same btatt.value each time, rule it out. look for ones where the data value in btatt.value changes each time or frequently

• awk for your handles and then iterate through the last tshark command seeing the values and if they seem to be different alot

Reverse Engineering TSHARK HCI Summary

• awk for the handles, iterate through them see the changing values

• head was used to save space, dont do this in real life, you might miss stuff...

• 0x0034 is the handle we want!