
btlejack's Introduction

BtleJack: a new Bluetooth Low Energy swiss-army knife

Btlejack provides everything you need to sniff, jam and hijack Bluetooth Low Energy devices. It relies on one or more BBC Micro:Bit devices running a dedicated firmware. You may also use Adafruit's Bluefruit LE sniffer or an nRF51822 Eval Kit, as we added support for these devices.

The current version of this tool (2.0) supports BLE 4.x and 5.x. BLE 5.x support is limited: it only supports the 1 Mbps Uncoded PHY and does not support channel map updates.

Requirements

You need a UNIX-based system (for example a Raspberry Pi). If you use the BBC Micro:Bit, you will need one to three Micro:Bit devices (three recommended) and one free USB port per device. The power consumption of a Micro:Bit is rather low, so a single USB port and a passive hub are enough to power the three recommended units.

If you connect three Micro:Bits to your computer at the same time, Btlejack can sniff on every advertising channel simultaneously and has a far better chance of capturing the connection request.

How to install

First, install the btlejack Python3 client software with Pip:

$ sudo pip3 install btlejack

Then, connect your Micro:Bit device to your computer with a USB cable, mount the associated mass storage device (the mount point must contain MICROBIT), and issue the following command:

$ btlejack -i

This will program every Micro:Bit device connected to your computer, and make them ready to use with Btlejack. It will use the correct firmware version for the current client software, so it is highly recommended to perform this firmware installation procedure each time you update Btlejack.

If you are using a Bluefruit LE sniffer or an nRF51822 Eval Kit, please use an external SWD programmer to flash your device with this firmware.

Keep your devices connected and you're all set!

NOTE: This only works on POSIX-compatible systems.

How to use Btlejack

Using Btlejack is quite easy. Btlejack can:

  • use various devices
  • sniff an existing BLE connection
  • sniff new BLE connections
  • jam an existing BLE connection
  • hijack an existing BLE connection
  • export captured packets to various PCAP formats

Specify devices to use

Btlejack normally autodetects and uses any connected compatible devices (Micro:Bit only for the moment), but since the firmware can be modified to work with other nRF51822-based boards, it provides a specific option for using such devices.

The -d option lets you specify one or more devices to use with Btlejack. Note that this option disables the automatic detection of devices, so add as many devices as you need:

$ btlejack -d /dev/ttyACM0 -d /dev/ttyACM2 -s

Sniffing an existing connection

First, find an existing connection to target with btlejack:

$ btlejack -s
BtleJack version 1.1

[i] Enumerating existing connections ...
[ - 54 dBm] 0xcd91d517 | pkts: 1
[ - 46 dBm] 0xcd91d517 | pkts: 2

The first value (in dBm) is the signal strength; the greater this value, the better the sniffed connection will be.

The second value (hex) is the associated access address, a 32-bit value identifying a link between two Bluetooth Low Energy compatible devices.

The last value is the number of packets seen with this access address. The higher this value, the more likely it is that this access address is really in use.

Then, use the -f option to follow a specific connection:

$ btlejack -f 0xdda4845e
BtleJack version 1.1

[i] Detected sniffers:
 > Sniffer #0: fw version 1.1

[i] Synchronizing with connection 0xdda4845e ...
✓ CRCInit: 0x2a035e
✓ Channel Map = 0x1fffffffff
✓ Hop interval = 39
✓ Hop increment = 15
[i] Synchronized, packet capture in progress ...
LL Data: 02 07 03 00 04 00 0a 03 00
LL Data: 0a 08 04 00 04 00 0b 5a 69 70
LL Data: 02 07 03 00 04 00 0a 03 00
LL Data: 0a 08 04 00 04 00 0b 5a 69 70

If you are using more than one Micro:Bit, Btlejack will parallelize some of the sniffing operations in order to speed up the recovery of the connection parameters!
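The three values recovered above (channel map, hop interval, hop increment) are all a sniffer needs to follow a BLE 4.x connection, because Channel Selection Algorithm #1 (Core Spec Vol 6, Part B, 4.5.8.2) is fully deterministic. The following is an added example, not btlejack's own code: it reproduces the data channel sequence from those parameters, including the remapping step that applies when the channel map disables some channels. Hop interval 39 and increment 15 are the values from the capture above; the sparse channel map is a constructed input.

```python
"""Channel Selection Algorithm #1 (Core Spec Vol 6, Part B, 4.5.8.2) for BLE 4.x
connections.  Added example, not btlejack's own code: given the hop increment and
channel map a sniffer has recovered, it reproduces the data channel sequence."""

NUM_DATA_CHANNELS = 37
FULL_CHANNEL_MAP = 0x1FFFFFFFFF          # all 37 data channels enabled


def used_channels(channel_map: int) -> list:
    """Channels whose bit is set in the 37-bit map (bit i <-> channel i), ascending."""
    if channel_map < 0 or channel_map >> NUM_DATA_CHANNELS:
        raise ValueError("channel map must fit in 37 bits")
    used = [ch for ch in range(NUM_DATA_CHANNELS) if channel_map >> ch & 1]
    if len(used) < 2:
        raise ValueError("the spec requires at least two used channels")
    return used


def csa1_next(last_unmapped: int, hop_increment: int, channel_map: int) -> tuple:
    """One hop: returns (new unmappedChannel, channel actually used for the event).

    The unmapped channel advances by the hop increment modulo 37 at every
    connection event.  If that channel is disabled in the map, the event is
    remapped onto the sorted list of enabled channels."""
    if not 5 <= hop_increment <= 16:
        raise ValueError("hop increment must be between 5 and 16")
    used = used_channels(channel_map)
    unmapped = (last_unmapped + hop_increment) % NUM_DATA_CHANNELS
    if channel_map >> unmapped & 1:
        return unmapped, unmapped
    remapping_index = unmapped % len(used)
    return unmapped, used[remapping_index]


def csa1_sequence(hop_increment: int, channel_map: int, count: int) -> list:
    """Channels of the first `count` connection events; unmappedChannel starts at 0."""
    unmapped, channels = 0, []
    for _ in range(count):
        unmapped, ch = csa1_next(unmapped, hop_increment, channel_map)
        channels.append(ch)
    return channels


def event_period_ms(hop_interval: int) -> float:
    """Time between connection events; the interval field is in units of 1.25 ms."""
    if not 6 <= hop_interval <= 3200:
        raise ValueError("connection interval must be between 6 and 3200 (7.5 ms .. 4 s)")
    return hop_interval * 1.25


if __name__ == "__main__":
    # Parameters recovered in the `btlejack -f 0xdda4845e` run above
    print("event period: %.2f ms" % event_period_ms(39))
    print("full map, hop 15  :", csa1_sequence(15, FULL_CHANNEL_MAP, 10))
    # Constructed sparse map: only channels 0..17 enabled, so remapping kicks in
    print("sparse map, hop 14:", csa1_sequence(14, 0x000003FFFF, 10))
```

With a full channel map and a hop increment coprime to 37, every data channel is visited exactly once per 37 events, which is why a sniffer that guesses the increment wrongly loses the connection within one cycle.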

Sniffing for new connections

The -c option supported by btlejack lets you specify the target BD address, or you may use the keyword any to capture any new connection:

$ btlejack -c any
BtleJack version 1.1

[i] Detected sniffers:
 > Sniffer #0: version 1.1
 > Sniffer #1: version 1.1
LL Data: 05 22 df b4 6f 95 c5 55 c0 0a f6 99 23 40 1d 7b 2f 0a 9a f4 93 01 12 00 27 00 00 00 d0 07 ff ff ff ff 1f 0b
[i] Got CONNECT_REQ packet from 55:c5:95:6f:b4:df to 40:23:99:f6:0a:c0
 |-- Access Address: 0x0a2f7b1d
 |-- CRC Init value: 0x93f49a
 |-- Hop interval: 39
 |-- Hop increment: 11
 |-- Channel Map: 1fffffffff
 |-- Timeout: 20000 ms

LL Data: 03 09 08 0f 00 00 00 00 00 00 00
LL Data: 03 09 08 0f 00 00 00 00 00 00 00
LL Data: 0b 06 0c 08 0f 00 09 41
LL Data: 03 06 0c 07 1d 00 d3 07

or you may also want to specify the target BD address:

$ btlejack -c 03:e1:f0:00:11:22
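Every parameter btlejack prints after "Got CONNECT_REQ packet" is carried in the CONNECT_REQ PDU itself. Here is a parser for that PDU, added as an example (not btlejack's own code), run over the LL Data line captured above; the field layout follows Core Spec Vol 6, Part B, 2.3.3.1.

```python
"""Parser for the BLE CONNECT_REQ (CONNECT_IND) PDU, Core Spec Vol 6, Part B, 2.3.3.1.
Added example, not btlejack's own code.  All multi-byte fields are little-endian."""
import struct

PDU_TYPE_CONNECT_REQ = 0x05
CONNECT_REQ_PAYLOAD_LEN = 34   # InitA(6) + AdvA(6) + LLData(22)

# CONNECT_REQ captured with `btlejack -c any` in this README
CONNECT_REQ_HEX = (
    "05 22 df b4 6f 95 c5 55 c0 0a f6 99 23 40 1d 7b 2f 0a 9a f4 93 "
    "01 12 00 27 00 00 00 d0 07 ff ff ff ff 1f 0b"
)


def bdaddr(raw: bytes) -> str:
    """Format a 6-byte little-endian device address as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in reversed(raw))


def parse_connect_req(pdu: bytes) -> dict:
    """Return the connection parameters a sniffer needs from a CONNECT_REQ PDU."""
    if len(pdu) < 2:
        raise ValueError("PDU shorter than the 2-byte advertising header")
    hdr, length = pdu[0], pdu[1]
    if hdr & 0x0F != PDU_TYPE_CONNECT_REQ:
        raise ValueError(f"not a CONNECT_REQ (PDU type 0x{hdr & 0x0F:x})")
    if length != CONNECT_REQ_PAYLOAD_LEN or len(pdu) < 2 + length:
        raise ValueError(f"bad CONNECT_REQ length {length}, have {len(pdu) - 2} payload bytes")
    payload = pdu[2:2 + length]
    init_a, adv_a = payload[0:6], payload[6:12]
    # LLData: AA(4) CRCInit(3) WinSize(1) WinOffset(2) Interval(2) Latency(2)
    #         Timeout(2) ChM(5) Hop/SCA(1)
    (aa, crc_init, win_size, win_offset, interval, latency,
     timeout, chm, hop_sca) = struct.unpack_from("<I3sBHHHH5sB", payload, 12)
    return {
        "init_addr": bdaddr(init_a),
        "init_addr_type": "random" if hdr & 0x40 else "public",   # TxAdd bit
        "adv_addr": bdaddr(adv_a),
        "adv_addr_type": "random" if hdr & 0x80 else "public",    # RxAdd bit
        "access_address": aa,
        "crc_init": int.from_bytes(crc_init, "little"),
        "win_size_ms": win_size * 1.25,
        "win_offset_ms": win_offset * 1.25,
        "hop_interval": interval,          # raw value, units of 1.25 ms (39 -> 48.75 ms)
        "latency": latency,
        "timeout_ms": timeout * 10,        # field is in units of 10 ms
        "channel_map": int.from_bytes(chm, "little"),   # bit i set <-> channel i used
        "hop_increment": hop_sca & 0x1F,
        "sca": hop_sca >> 5,               # master sleep clock accuracy class
    }


def parse_connect_req_hex(line: str) -> dict:
    """Convenience wrapper for the "LL Data: ..." hex lines btlejack prints."""
    return parse_connect_req(bytes.fromhex(line.replace(" ", "")))


if __name__ == "__main__":
    for name, value in parse_connect_req_hex(CONNECT_REQ_HEX).items():
        print(f"{name:>16}: {value:#x}" if isinstance(value, int) else f"{name:>16}: {value}")
```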

Jamming a connection

Once a connection has been identified by its access address, you can jam it by using the -j option:

$ btlejack -f 0x129f3244 -j

Hijacking a BLE connection

Btlejack is also able to hijack an existing connection; use the -t option to do so. Once the connection is hijacked, Btlejack will give you a prompt allowing you to interact with the hijacked device.

First, hijack an existing connection:

$ btlejack -f 0x9c68fd30 -t -m 0x1fffffffff
BtleJack version 1.1

[i] Using cached parameters (created on 2018-08-11 01:48:24)
[i] Detected sniffers:
 > Sniffer #0: fw version 1.1

[i] Synchronizing with connection 0x9c68fd30 ...
✓ CRCInit: 0x81f733
✓ Channel map is provided: 0x1fffffffff
✓ Hop interval = 39
✓ Hop increment = 9
[i] Synchronized, hijacking in progress ...
[i] Connection successfully hijacked, it is all yours \o/
btlejack>

Then use the following commands to interact with the device:

  • discover: performs services and characteristics enumeration, will give you all the information about services and characteristics
  • write: write data to a specific value handle
  • read: read data from a specific value handle
  • ll: sends a raw link-layer packet (for ninjas)

discover command

The discover command will send and receive Bluetooth LE packets and retrieve all the services UUIDs and parameters, as well as characteristics UUIDs and parameters:

btlejack> discover
start: 0001 end: 0005
start: 0014 end: 001a
start: 0028 end: ffff
 Discovered services:
Service UUID: 1801
 Characteristic UUID: 2a05
   | handle: 0002
   | properties: indicate  (20)
   \ value handle: 0003

Service UUID: 1800
 Characteristic UUID: 2a04
   | handle: 0019
   | properties: read  (02)
   \ value handle: 001a

 Characteristic UUID: 2a00
   | handle: 0015
   | properties: read  (02)
   \ value handle: 0016

 Characteristic UUID: 2a01
   | handle: 0017
   | properties: read  (02)
   \ value handle: 0018

Service UUID: 1824
 Characteristic UUID: 2abc
   | handle: 0029
   | properties: write indicate  (28)
   \ value handle: 002a

read command

The read command accepts a single parameter, the value handle corresponding to the characteristic you want to read from:

btlejack> read 0x16
read>> 4c 47 20 77 65 62 4f 53 20 54 56

write command

The write command accepts three parameters:

btlejack> write <value handle> <data format> <data>

Supported data formats:

  • hex: hex data (i.e. "414261")
  • str: text string, may be encapsulated in double quotes

ll command

This last command lets you send Bluetooth Low Energy link-layer PDUs in hex form, as specified in Volume 6, Part B, Chapter 2.4 of the Core Specification.
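To make that PDU format concrete, here is a decoder for the data-channel PDUs btlejack prints as LL Data lines (the 16-bit header, LL Control opcodes, and the L2CAP/ATT payload of LL Data PDUs). It is an added example, not btlejack's own code; the sample lines are the ones captured earlier in this README, and the opcode tables cover only the common 4.x values.

```python
"""Decoder for BLE data-channel PDUs (Core Spec Vol 6, Part B, 2.4): the 16-bit
header, LL Control PDUs and the L2CAP/ATT payload of LL Data PDUs.  Added example,
not btlejack's own code; the sample lines are the LL Data lines shown in this README."""

LLID_CONTINUATION, LLID_START, LLID_CONTROL = 0x1, 0x2, 0x3
L2CAP_CID_ATT = 0x0004

LL_CONTROL_OPCODES = {
    0x00: "LL_CONNECTION_UPDATE_IND", 0x01: "LL_CHANNEL_MAP_IND", 0x02: "LL_TERMINATE_IND",
    0x03: "LL_ENC_REQ", 0x04: "LL_ENC_RSP", 0x05: "LL_START_ENC_REQ", 0x06: "LL_START_ENC_RSP",
    0x07: "LL_UNKNOWN_RSP", 0x08: "LL_FEATURE_REQ", 0x09: "LL_FEATURE_RSP",
    0x0C: "LL_VERSION_IND", 0x0D: "LL_REJECT_IND", 0x0F: "LL_CONNECTION_PARAM_REQ",
    0x10: "LL_CONNECTION_PARAM_RSP", 0x12: "LL_PING_REQ", 0x13: "LL_PING_RSP",
    0x14: "LL_LENGTH_REQ", 0x15: "LL_LENGTH_RSP",
}
ATT_OPCODES = {
    0x01: "Error Response", 0x02: "Exchange MTU Request", 0x03: "Exchange MTU Response",
    0x04: "Find Information Request", 0x05: "Find Information Response",
    0x08: "Read By Type Request", 0x09: "Read By Type Response",
    0x0A: "Read Request", 0x0B: "Read Response",
    0x10: "Read By Group Type Request", 0x11: "Read By Group Type Response",
    0x12: "Write Request", 0x13: "Write Response", 0x52: "Write Command",
    0x1B: "Handle Value Notification", 0x1D: "Handle Value Indication",
}
BLE_VERSIONS = {0x06: "4.0", 0x07: "4.1", 0x08: "4.2", 0x09: "5.0", 0x0A: "5.1"}

SAMPLE_LINES = [
    "02 07 03 00 04 00 0a 03 00",            # ATT Read Request, handle 0x0003
    "0a 08 04 00 04 00 0b 5a 69 70",         # ATT Read Response, value "Zip"
    "03 09 08 0f 00 00 00 00 00 00 00",      # LL_FEATURE_REQ
    "0b 06 0c 08 0f 00 09 41",               # LL_VERSION_IND
]


def decode_ll_data(pdu: bytes) -> dict:
    """Split a data-channel PDU into header fields and, where known, its payload."""
    if len(pdu) < 2:
        raise ValueError("PDU shorter than the 2-byte header")
    hdr, length = pdu[0], pdu[1]
    if len(pdu) != 2 + length:
        raise ValueError(f"header announces {length} payload bytes, got {len(pdu) - 2}")
    payload = pdu[2:]
    out = {
        "llid": hdr & 0x03,
        "nesn": hdr >> 2 & 1,   # NESN: acknowledges the peer's last PDU
        "sn": hdr >> 3 & 1,     # SN: sequence number of this PDU
        "md": hdr >> 4 & 1,     # MD: sender has more data for this event
        "length": length,
        "payload": payload,
    }
    if out["llid"] == LLID_CONTROL and payload:
        opcode, ctr_data = payload[0], payload[1:]
        out["control"] = LL_CONTROL_OPCODES.get(opcode, f"opcode 0x{opcode:02x}")
        if opcode == 0x0C and len(ctr_data) == 5:      # VersNr(1) CompId(2) SubVersNr(2)
            out["version"] = {
                "ble": BLE_VERSIONS.get(ctr_data[0], f"0x{ctr_data[0]:02x}"),
                "comp_id": int.from_bytes(ctr_data[1:3], "little"),
                "sub_vers_nr": int.from_bytes(ctr_data[3:5], "little"),
            }
    elif out["llid"] == LLID_START and len(payload) >= 4:
        # L2CAP basic header: Length(2) ChannelID(2); CID 4 carries ATT
        l2cap_len = int.from_bytes(payload[0:2], "little")
        cid = int.from_bytes(payload[2:4], "little")
        body = payload[4:4 + l2cap_len]
        out["l2cap_cid"] = cid
        if cid == L2CAP_CID_ATT and body:
            out["att"] = ATT_OPCODES.get(body[0], f"opcode 0x{body[0]:02x}")
            if body[0] == 0x0A and len(body) == 3:
                out["handle"] = int.from_bytes(body[1:3], "little")
            elif body[0] == 0x0B:
                out["value"] = body[1:]
    return out


def decode_hex(line: str) -> dict:
    """Decode one "LL Data: ..." line as btlejack prints it."""
    return decode_ll_data(bytes.fromhex(line.replace(" ", "")))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = decode_hex(line)
        print(line, "->", {k: v for k, v in d.items() if k not in ("payload", "length")})
```

The read value in the second sample line is readable as plain text because the captured connection was not encrypted; on an encrypted link the same decoder would only yield the header bits and an opaque payload plus MIC.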

PCAP file export

One interesting feature of Btlejack is the possibility to export the captured data to a PCAP file.

Btlejack supports the following DLT formats:

  • DLT_BLUETOOTH_LE_LL_WITH_PHDR (same)
  • DLT_NORDIC_BLE (the one used by Nordic's sniffer)
  • DLT_BLUETOOTH_LE_LL (supported on latest versions of Wireshark)

The output file may be specified using the -o option, while the output format may be specified with the -x option. Valid format values are: ll_phdr, nordic, or pcap (default).

$ btlejack -f 0xac56bc12 -x nordic -o capture.nordic.pcap

The ll_phdr export type is useful when sniffing an encrypted connection, as it is also supported by crackle. So if you want to sniff and break encrypted connections, this is the way to go.

You may also need to tell crackle to use a specific cracking strategy, by using the -s option:

$ crackle -i some.pcap -s 1

Connection cache

Btlejack uses a connection cache to store some connection-related values in order to speed things up a bit. This connection cache may cause some problems, especially if an access address has been seen before.

This cache can be flushed with the -z option:

$ btlejack -z

Dumping live packets with Wireshark

Btlejack 2.0 introduces a new -w option that lets you specify a FIFO path (existing or not) in order to perform live packet analysis:

$ btlejack -c any -w /tmp/blepipe

You can even use a FIFO and an output file at the same time:

$ btlejack -c any -w /tmp/blepipe -o blepackets.pcap

Hint for using btlejack on a Raspberry Pi

If you have previously enabled virtual ethernet over USB (RNDIS), e.g. to setup a Raspberry Pi Zero W over USB, you need to disable this again (i.e. remove dtoverlay=dwc2 from boot/config.txt and modules-load=dwc2,g_ether from boot/cmdline.txt, then sudo reboot), because this would otherwise interfere with the sniffers' USB connections.

Bluetooth LE 5 & 5.1 support

This version supports Bluetooth Low Energy versions 5 and 5.1 and especially the new channel selection algorithm introduced in version 5 (CSA #2). However, since the hardware used does not support the two new PHYs added in version 5, it will only be able to sniff, jam, and maybe hijack connections using the 1 Mbps uncoded PHY.

Please also note that the current implementation of CSA #2 included in Btlejack does not support channel map updates for the moment.

Sniffing a new BLE 5 connection

Btlejack automatically detects the channel selection algorithm in use, so you don't have to worry about it: just capture packets as usual.

Sniffing an existing BLE 5 connection

Sniffing an existing BLE 5 connection (one that uses the 1 Mbps uncoded PHY, and only this PHY) is not so difficult. First, you must specify that you want to target a BLE 5 connection by using the -5 option. Please note that there is no way to tell whether an existing connection uses CSA #2 or CSA #1, so you have to try both until one works.

$ btlejack -f 0x11223344 -5

Btlejack will then recover the channel map in use, followed by the hop interval value:

$ btlejack -f 0x11223344 -5
[i] Synchronizing with connection 0x11223344 ...
✓ CRCInit: 0x40d64f
✓ Channel Map = 0x1fffffffff
✓ Hop interval = 160

It will then try to recover this connection's PRNG counter value:

$ btlejack -f 0x11223344 -5
[i] Synchronizing with connection 0x11223344 ...
✓ CRCInit: 0x40d64f
✓ Channel Map = 0x1fffffffff
✓ Hop interval = 160
✓ CSA2 PRNG counter = 5137
[i] Synchronized, packet capture in progress ...

Once done, Btlejack is synchronized with this connection and will process packets as usual.

Jamming an existing BLE 5 connection

Nothing new here, except that you must specify that you are attacking a BLE 5 connection, by using the -5 option.

Please note that you can optimize this attack by also specifying the channel map and hop interval value to use, with the -m and -p flags respectively. Both of them MUST be provided, otherwise it will not work.

Hijacking an existing BLE 5 connection

I did not manage to hijack a BLE 5 connection at this time, as this attack is time-sensitive. My BLE 5 devices use a latency of 0, thus allowing no delay and causing this attack to fail.

When I get my hands on some legitimate BLE 5 devices, I will improve this.


btlejack's Issues

btlejack -s with no output

Dear all,
first of all, I'm new to linux and btlejack. Using Microbit with btlejack -s there is no output after "enumerating" even if I have several bluetooth connections established.
I'm using a MX Linux and the Terminal.
What is my fault?
Version of btlejack after installation is v 1.3
Thanks in advance

pcap file with zero bytes

I installed btlejack on a raspberry pi 3 using a micro:bit connected to it.
Sniffing a connection works well but trying to export the sniff to a file does not work.
It always creates the file with zero bytes.

  • The command I use is:

btlejack -x pcap -o test.pcap -c <mac_add>

I also tried all -x options and I got the same issue.
Also if the -x and -o options are passed after the MAC address it is the same behaviour.

"Computing hop interval" never ending

Hello,
I have a problem similar to #14, but slightly different:
with the -c option I can capture the CONNECT_REQ and see all the fields (AA, CRC Init value, etc...).
But when I try the -f option with -m and -p <hop_interval>, Btlejack gets stuck on "Computing hop interval" and never finishes.

I am using two Android smartphones and Btlejack on Ubuntu and only one Micro:bit.

Thanks in advance for any suggestion.

Jamming "normal" Bluetooth devices

Is it possible to just jam normal Bluetooth devices, e.g. Bluetooth Speakers? It would be so great to just relax and have silence without these kids playing their loud music everywhere?

Hijack seems to be not working

Hi

I have setup three microbit devices to sniff connections for pentesting our BLE-application. I am able to find the connection and to sniff packets (though the first packet output takes a really long time, > 10 minutes). But when I try to hijack the connection it seems like nothing happens after starting the hijacking:

BtleJack version 1.1

[i] Using cached parameters (created on 2018-08-23 08:52:21)
[i] Detected sniffers:

Sniffer #0: fw version 1.1
Sniffer #1: fw version 1.1
Sniffer #2: fw version 1.1

[i] Synchronizing with connection 0xb3460c11 ...
✓ CRCInit: 0xf044f7
✓ Channel map is provided: 0x1fffffffff
✓ Hop interval = 12
✓ Hop increment = 12
[i] Synchronized, hijacking in progress ...

I have waited for more than half an hour but nothing happens from here. Is there any possibility to have a more verbose output?

Regards
Frank

computing CRCInit value

When I try to follow a connection after executing the -s command, it always stops at computing the CRC init value and computes without ending, but doesn't find anything. Is there any trick or suggestion on what to do?
And what exactly is the CRCInit value?
Thanks in advance!

Trying to figure out how to run btlejack with a nrf51 Dongle

Hi there,

I want to do some research on BLE communication and just stumbled across btlejack. I'm more or less a total noob... just found a nRF51 dongle in our office and wanted to give it a try.

So far the installation on Raspbian was working properly and after mounting the dongle as a mass storage device it looks like btlejack -i copied / flashed the firmware as expected:

pi@raspberrypi:/media/MICROBIT $ btlejack -i
BtleJack version 1.3
[i] Flashing /media/MICROBIT ...
[i] Flashed 1 devices

Nevertheless I get an error after btlejack -s that no Micro:Bit device is found, hence I tried to select the device directly with 'sudo btlejack -d /dev/sdb -s' which gave me the following error:

pi@raspberrypi:/media/MICROBIT $ sudo btlejack -d /dev/sdb/ -s
BtleJack version 1.3

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/serial/serialposix.py", line 265, in open
    self.fd = os.open(self.portstr, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
NotADirectoryError: [Errno 20] Not a directory: '/dev/sdb/'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/btlejack", line 11, in <module>
    load_entry_point('btlejack==1.3.0', 'console_scripts', 'btlejack')()
  File "/usr/local/lib/python3.7/site-packages/btlejack/__init__.py", line 240, in main
    supervisor = CLIAccessAddressSniffer(verbose=args.verbose, devices=args.devices)
  File "/usr/local/lib/python3.7/site-packages/btlejack/ui.py", line 329, in __init__
    super().__init__(devices=devices)
  File "/usr/local/lib/python3.7/site-packages/btlejack/supervisors.py", line 88, in __init__
    self.interface = SingleSnifferInterface(devices[0], baudrate)
  File "/usr/local/lib/python3.7/site-packages/btlejack/jobs.py", line 24, in __init__
    self.link = Link(interface=device, baudrate=115200)
  File "/usr/local/lib/python3.7/site-packages/btlejack/link.py", line 57, in __init__
    self.interface = Serial(interface, baudrate, timeout=0)
  File "/usr/local/lib/python3.7/site-packages/serial/serialutil.py", line 240, in __init__
    self.open()
  File "/usr/local/lib/python3.7/site-packages/serial/serialposix.py", line 268, in open
    raise SerialException(msg.errno, "could not open port {}: {}".format(self._port, msg))
serial.serialutil.SerialException: [Errno 20] could not open port /dev/sdb/: [Errno 20] Not a directory: '/dev/sdb/'

Is the nRF51 dongle maybe not usable, is there any other problem or have I overlooked something?
Btw. Raspbian was freshly installed, Python 3.7.2 afterwards and followed by btlejack.

Thanks in advance.

UnicodeDecodeError README.rst

macOS 10.12.6

$ pip install btlejack --user
Collecting btlejack
  Using cached https://files.pythonhosted.org/packages/1e/7a/73e21237fb5b1dbfc7c9982d45d8469f086ec0a4f921f93c9f6149915c33/btlejack-1.1.2.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/private/var/folders/b3/8p1bm4r536l454jvxngg8rrr0000gn/T/pip-install-4p0o_ezu/btlejack/setup.py", line 25, in <module>
        long_description = read('README.rst'),
      File "/private/var/folders/b3/8p1bm4r536l454jvxngg8rrr0000gn/T/pip-install-4p0o_ezu/btlejack/setup.py", line 9, in read
        return open(os.path.join(os.path.dirname(__file__), fname)).read()
      File "/opt/local/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/encodings/ascii.py", line 26, in decode
        return codecs.ascii_decode(input, self.errors)[0]
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 1523: ordinal not in range(128)

    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /private/var/folders/b3/8p1bm4r536l454jvxngg8rrr0000gn/T/pip-install-4p0o_ezu/btlejack/

If I convert README.rst to ASCII with iconv -c -f UTF-8 -t ascii README.rst.bak > README.rst everything works fine.

Is there a way btlejack can support capturing advertisement packets

We currently measure the advertisement interval and advertisement duration of a peripheral using BLE sniffers. I wonder if this could be achieved using btlejack.
Since btlejack can monitor every advertising channel by connecting 3 microbits, it would be very helpful if the tool can also capture and record advertisement packets.
For example, running something like the following captures the advertising PDUs
btlejack -a ea:07:03:6b:fc:88 -o
And the file can be interpreted to determine the advertisement parameters.

Error while flashing the firmware on to Micro:bit Go

I am observing the error message below while flashing the default firmware (btlejack-firmware-microbit.hex) that exists in the dist folder to a Micro:bit Go device.
https://github.com/virtualabs/btlejack-firmware/tree/2125e095d05f446fc2d7d050ca7e14b1db137759

Error message: In application programming write failed. P.S.: I used a Windows machine to flash the btle firmware using the reset button.

I even tried compiling the firmware manually on an Ubuntu (18.04.1) machine, but am observing this error message:
ninja: build stopped: subcommand failed.
error: command ['ninja'] failed
Makefile:6: recipe for target 'ble400' failed
make: *** [ble400] Error 1

Does installing the latest version of the firmware using the -i flag have the same effect as the manual method above? I am able neither to sniff nor to connect to the BLE device.
btlejack -i
BtleJack version 1.3
[i] Flashing /media/naren/MICROBIT ...
[i] Flashed 1 devices

Please help me regarding this issue.

Details:
Device in possession: BBC Micro:Bit Go
https://www.amazon.in/BBC-BBC2546862-Micro-bit-go/dp/B01G8X7VM2

Firmware Details:

DAPLink Firmware - see https://mbed.com/daplink

HIC ID: 97969901
Auto Reset: 1
Automation allowed: 0
Overflow detection: 0
Daplink Mode: Interface
Interface Version: 0253
Bootloader Version: 0243
Local Mods: 0
USB Interfaces: MSD, CDC, HID, WebUSB
Bootloader CRC: 0x32eb3cfd
Interface CRC: 0x53375800
Remount count: 1
URL: https://microbit.org/device/?id=9901&v=0253

btlejack is not sniffing.

Thanks,
Naren

AttributeError: 'ListPortInfo' object has no attribute 'subsystem'

> btlejack -s
BtleJack version 1.1

Traceback (most recent call last):
  File "/usr/local/bin/btlejack", line 11, in <module>
    load_entry_point('btlejack==1.1.1', 'console_scripts', 'btlejack')()
  File "/usr/local/lib/python3.6/site-packages/btlejack/__init__.py", line 228, in main
    supervisor = CLIAccessAddressSniffer(verbose=args.verbose)
  File "/usr/local/lib/python3.6/site-packages/btlejack/ui.py", line 326, in __init__
    super().__init__()
  File "/usr/local/lib/python3.6/site-packages/btlejack/supervisors.py", line 86, in __init__
    self.interface = SingleSnifferInterface()
  File "/usr/local/lib/python3.6/site-packages/btlejack/jobs.py", line 24, in __init__
    self.link = Link(interface=device, baudrate=115200)
  File "/usr/local/lib/python3.6/site-packages/btlejack/link.py", line 42, in __init__
    if port.subsystem == 'usb':
AttributeError: 'ListPortInfo' object has no attribute 'subsystem'

macOS 10.13.5

Implement a mechanism to recover channel map update by sniffing

Channel map update recovery based on channel mapping can take some time, and sometimes this process fails and gives the user no other way to synchronize btlejack with an existing connection.

Implementing a dedicated channel map update sniffer, iterating over all the possible channels, would help capture this type of packet if it is sent frequently by a master device.

Passive Radiator?

Can this code be used to passively retransmit packets it sees? I would like to test some passive entry systems that rely on the proximity of the beacons. I'd like to capture them in a remote location and real time replay them (over ethernet) to a different location for example.

Add some installation hints for Raspberry Pi (esp. Zero W)

When I tried to install btlejack on a Raspberry Pi Zero W, I followed the instructions from this Blog post: SSH into Pi Zero over USB.
This enables virtual ethernet over USB and allows one to initially connect to the Pi Zero W, to set it up and install stuff like btlejack.
In order to use btlejack, I needed the USB port for the sniffers, and therefore configured the Pi Zero W to connect to WLAN, but I forgot to disable the virtual ethernet driver, i.e. I didn't remove dtoverlay=dwc2 and modules-load=dwc2,g_ether.
This basically broke btlejack completely, because this driver tried to use the sniffer USB connection, and all kinds of strange issues occurred: The Pi Zero W became completely unresponsive on ssh; when I tried this on a Pi 3 B+, the usb devices /dev/ttyACM0, /dev/ttyACM1, ... were blocked and couldn't be accessed by btlejack; and many more strange issues.

So I suggest adding a hint for Raspberry Pi users:

Hint for using btlejack on a Raspberry Pi:

If you have previously enabled virtual ethernet over USB (RNDIS), e.g. to setup a Raspberry Pi Zero W over USB, you need to disable this again (i.e. remove dtoverlay=dwc2 from boot/config.txt and modules-load=dwc2,g_ether from boot/cmdline.txt, then sudo reboot), because this would otherwise interfere with the sniffers' USB connections.

Can not follow the packet exchange between two RaspberryPi's running bleno and noble: Connection lost

Hello,
thank you a lot for this great sniffing tool for Bluetooth Low Energy Devices.

some short introduction to my problem: I have one RaspberryPi 3B (Jessie) running noble as a central device and the second RaspberryPi as a peripheral device running bleno. I installed btlejack on the third RaspberryPi and attached three Microbits to it for sniffing the BLE connection between two RaspberryPi's (Model 3B with the Bluetooth Version 4.1, BlueZ Version 5.50).

I have already made some good experiences with btlejack using one RaspberryPi as a peripheral and an iPhone running a BLE App as a central: I could sniff the established connection and could follow all the packets being transmitted between my peripheral RaspberryPi and my central iPhone while writing the characteristics to my RaspberryPi via the nRF Connect iOS App. I also could hijack the connection.

The goal of my small project is to build a BLE application between two RaspberryPi's in such a way that they can temporarily exchange LL data packets (PDUs); there are some codes available for noble/bleno where we can connect the devices and send a data string in a loop with a counter. I need to have packets transmitted all the time, so I can sniff this connection with btlejack and hijack it. After that I need to improve the connection security in Bluetooth LE 4.2 to prevent it from being hijacked with btlejack.

I have already tried lots of connection examples running Node.js libraries noble and bleno, and also tried to use hcitool and gatttool options, but I wonder why the transmitted packets while sending data string to my peripheral can be captured all the time if I am using one peripheral running noble and the central running iOS BLE App, but with two RaspberryPi's running bleno and noble I only can see the packets at the moment of the connection request and when the characteristics will be discovered.

A few seconds after the characteristics of the connected peripheral are discovered, I get the message from btlejack "connection lost", although the data string from my central device is still being sent in the loop with the counter to the central device.

When sniffing the connections with btlejack -s, I still can see the access address I got from the command btlejack -c any as the connection was established, but when I then try to follow this connection with btlejack -f I also get the reply "connection lost".

Maybe I am missing something in my implementation? Maybe you could suggest the reason why the data exchange between two devices running noble and bleno can not be followed by btlejack in this case? I also set a longer timeout with -n function but did not see the difference.

Some code and outputs from btlejack:

  1. Central device running noble to send a data string to the peripheral in short intervals:
pi@raspberrypi:~/ble/node_modules/noble $ sudo node central_sending_string.js
Scanning
Connecting to 'echo' b827ebdcc4bb
Connected to b827ebdcc4bb
Discovered services and characteristics
Sending:  'test string: 1'
Subscribed for echoCharacteristic notifications
Received: "test string: 1"
Sending:  'test string: 2'
Received: "test string: 2"
Sending:  'test string: 3'
Received: "test string: 3"
Sending:  'test string: 4'
Received: "test string: 4"
...
  2. Peripheral device running bleno accepts the data string being sent from the central device:
pi@raspberrypi:~/ble/node_modules/bleno/examples/echo $ sudo node main.js
bleno - echo
on -> stateChange: poweredOn
on -> advertisingStart: success
EchoCharacteristic - onSubscribe
EchoCharacteristic - onWriteRequest: value = 7465737420737472696e673a2031
EchoCharacteristic - onWriteRequest: notifying
EchoCharacteristic - onWriteRequest: value = 7465737420737472696e673a2032
EchoCharacteristic - onWriteRequest: notifying
...
  3. I found the access address of the connection with btlejack -c any and can see some packets still being transmitted with this access address:
pi@raspberrypi-sniffer:~ $ btlejack -s
BtleJack version 1.3
[i] Enumerating existing connections ...
[ - 53 dBm] 0x50656c18 | pkts: 1
[ - 48 dBm] 0x50656c18 | pkts: 2
[ - 47 dBm] 0x50656c18 | pkts: 3
[ - 48 dBm] 0x50656c18 | pkts: 4
[ - 47 dBm] 0x50656c18 | pkts: 5
[ - 47 dBm] 0x50656c18 | pkts: 6
[ - 46 dBm] 0x50656c18 | pkts: 7
^C[i] Quitting
  4. Following the connection of my devices: connection lost:
pi@raspberrypi-sniffer:~ $ btlejack -f 0x50656c18
BtleJack version 1.3
[i] Using cached parameters (created on 2019-07-09 14:55:11)
[i] Detected sniffers:
 > Sniffer #0: fw version 1.3
 > Sniffer #1: fw version 1.3
 > Sniffer #2: fw version 1.3
[i] Synchronizing with connection 0x50656c18 ...
✓ CRCInit: 0xd9cb7e
✓ Channel Map = 0x000003ffff
✓ Hop interval = 54
✓ Hop increment = 14
[i] Synchronized, packet capture in progress ...
LL Data: 12 17 13 00 04 00 1b 0c 00 74 65 73 74 20 73 74 72 69 6e 67 3a 20 37 39 38
[!] Connection lost.
[i] Quitting

Any help or ideas would be very appreciated, thank you very much!

Anyone tried pycom/lopy4 yet?

I happen to have a lopy4 lying around, anyone managed to have it running there?

Kudos for the release btw, really cool!

Sending Link Layer PDUs to the server when hijacked

Hello all,

I am using btlejack to inspect the security in Bluetooth Low Energy and it helped me a lot so far.
I am working with two RaspberryPis which are connected via BLE as a client and a server (using BlueZ protocol stack), and the third RaspberryPi with three Microbits is my btlejack-device.

Now I would like to send the Link Layer PDUs to the server when the connection was hijacked. The connection was not encrypted and I can discover all the services and characteristics and write new values to it. (When the connection is encrypted and was hijacked, I can not interact with the server because I am getting the MIC Authentication Error and the btlejack device disconnects immediately -"Error: CONNECTION TERMINATED DUE TO MIC FAILURE", but I think it is normal because the connection was encrypted and we cannot guess the MIC so easily).

In the description https://github.com/virtualabs/btlejack#ll-command it says that the Core Specification is needed as reference in case we want to use this command.
I was trying to create some Link Layer PDU (LL Data PDU, LL Control PDU) as described in Vol.6 Part B Section 2.4. and 2.4.1. in hex format, and it did not work yet. Sometimes I see the output of btmon on my BLE-server which is saying that some received packet has an unexpected continuation error, and I think that there is a problem in a payload. Or I don't see any output at all.
Do we need to put the header of the packet with LLID, NESN, SN, MD, RFU and Length as well? I tried to send it only with Payload (Opcode + CtrData), since I don't know most of the Header parameters.

Maybe someone could provide a practical example of how we could send a simple link layer PDU? I would really appreciate it!

Thank you
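For readers trying to make sense of the header fields asked about above (and of the `LL Data:` hex lines btlejack prints throughout these reports), here is an added dissector. It is example code written for this page, not part of btlejack; the function names `from_dump`, `parse_ll_data_pdu` and `parse_connect_req` are my own, and the field layout assumes the BLE 4.x PDU formats from Core Spec Vol.6 Part B (2-byte data-channel header of LLID/NESN/SN/MD plus Length, and the 34-byte CONNECT_REQ payload).

```python
"""Dissector for the raw link-layer hex dumps btlejack prints (constructed
example; uses the PDU layouts from Core Spec Vol.6 Part B 2.3.3 and 2.4)."""
import struct

# LL Control PDU opcodes (Vol.6 Part B 2.4.2, BLE 4.x names)
LL_CTRL_OPCODES = {
    0x00: "LL_CONNECTION_UPDATE_REQ", 0x01: "LL_CHANNEL_MAP_REQ",
    0x02: "LL_TERMINATE_IND", 0x03: "LL_ENC_REQ", 0x04: "LL_ENC_RSP",
    0x05: "LL_START_ENC_REQ", 0x06: "LL_START_ENC_RSP", 0x07: "LL_UNKNOWN_RSP",
    0x08: "LL_FEATURE_REQ", 0x09: "LL_FEATURE_RSP", 0x0a: "LL_PAUSE_ENC_REQ",
    0x0b: "LL_PAUSE_ENC_RSP", 0x0c: "LL_VERSION_IND", 0x0d: "LL_REJECT_IND",
}
ATT_CID = 0x0004  # L2CAP channel carrying the Attribute Protocol

def from_dump(line: str) -> bytes:
    """Turn a 'LL Data: 16 09 05 ...' line from btlejack's output into bytes."""
    return bytes.fromhex(line.split(":", 1)[-1].replace(" ", ""))

def parse_ll_data_pdu(raw: bytes) -> dict:
    """Split a data-channel PDU into its 2-byte header and payload.
    Byte 0: LLID (bits 0-1), NESN (bit 2), SN (bit 3), MD (bit 4), RFU (5-7).
    Byte 1: payload length.  btlejack prints both header bytes before the payload."""
    if len(raw) < 2:
        raise ValueError("PDU shorter than the 2-byte LL header")
    hdr, length = raw[0], raw[1]
    payload = raw[2:2 + length]
    if len(payload) != length:
        raise ValueError(f"header announces {length} bytes, dump has {len(payload)}")
    pdu = {"llid": hdr & 0x03, "nesn": (hdr >> 2) & 1, "sn": (hdr >> 3) & 1,
           "md": (hdr >> 4) & 1, "length": length, "payload": payload}
    if pdu["llid"] == 3 and length:          # LL Control PDU: Opcode + CtrData
        pdu["opcode"] = LL_CTRL_OPCODES.get(payload[0], f"unknown(0x{payload[0]:02x})")
    elif pdu["llid"] == 2 and length >= 4:   # start of an L2CAP frame: Length, CID
        pdu["l2cap_len"], pdu["cid"] = struct.unpack_from("<HH", payload)
        if pdu["cid"] == ATT_CID and length >= 5:
            pdu["att_opcode"] = payload[4]    # e.g. 0x1b = Handle Value Notification
    return pdu

def parse_connect_req(raw: bytes) -> dict:
    """Decode a CONNECT_REQ advertising PDU (type 5, 34-byte payload):
    InitA(6) AdvA(6) AA(4) CRCInit(3) WinSize(1) WinOffset(2) Interval(2)
    Latency(2) Timeout(2) ChM(5) Hop/SCA(1).  Addresses are sent LSB first."""
    if len(raw) != 36 or raw[0] & 0x0f != 0x05 or raw[1] != 34:
        raise ValueError("not a CONNECT_REQ")
    win_offset, interval, latency, timeout = struct.unpack_from("<HHHH", raw, 22)
    return {
        "init_addr": ":".join(f"{b:02x}" for b in raw[2:8][::-1]),
        "adv_addr": ":".join(f"{b:02x}" for b in raw[8:14][::-1]),
        "access_address": struct.unpack_from("<I", raw, 14)[0],
        "crc_init": int.from_bytes(raw[18:21], "little"),
        "win_size": raw[21], "win_offset": win_offset,
        "interval": interval, "latency": latency,   # interval in 1.25 ms units
        "timeout_ms": timeout * 10,
        "channel_map": int.from_bytes(raw[30:35], "little"),
        "hop_increment": raw[35] & 0x1f, "sca": raw[35] >> 5,
    }

if __name__ == "__main__":  # dumps copied from the issue reports on this page
    print(parse_ll_data_pdu(from_dump("LL Data: 16 09 05 00 04 00 1b 4b 00 63 00")))
    print(parse_connect_req(from_dump("LL Data: 05 22 79 b9 fa 13 ac 42 18 49 52 ee f3 0c"
                                      " 2d ba 9a af e1 96 45 03 02 00 18 00 00 00 48 00 ff ff ff ff 1f 0f")))
```

Run against the dumps in these reports, the `16 09 ...` lines decode as LLID 2 (complete L2CAP frame) carrying an ATT notification on handle 0x004b, and the `03 17 03 ...` / `0b 0d 04 ...` pair decodes as LL_ENC_REQ / LL_ENC_RSP, which is why every following dump in that capture looks like random bytes.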

No data being written to pcap or FIFO

I am trying to figure out why nothing ever gets written to the pcap file or FIFO. The tool clearly shows packets being received, but nothing ever gets written out.

The only time I ever get something written out is with the -c option, but all the packets are reported as malformed in Wireshark.

I am not too interested in the payloads for the most part, but expect the link layer frame headers to be available.

I am using the current HEAD on a BLE400

btlejack -d /dev/ttyUSB0 -v -s -w /tmp/sharkfin 
BtleJack version 2.0

[i] No output format supplied, pcap format will be used
[i] Waiting for wireshark ...
[i] Enumerating existing connections ...
[ - 80 dBm] 0x2cf057cf | pkts: 1
[ - 81 dBm] 0x2cf057cf | pkts: 2
[ - 77 dBm] 0x2cf057cf | pkts: 3
[ - 77 dBm] 0x2cf057cf | pkts: 4
[ - 77 dBm] 0x2cf057cf | pkts: 5
[ - 75 dBm] 0x2cf057cf | pkts: 6
[ - 89 dBm] 0x5065456c | pkts: 1
[ - 80 dBm] 0x2cf057cf | pkts: 7
[ - 73 dBm] 0x2cf057cf | pkts: 8
[ - 72 dBm] 0x2cf057cf | pkts: 9
[ - 78 dBm] 0x2cf057cf | pkts: 10
[ - 74 dBm] 0x2cf057cf | pkts: 11

installation failed on a newly installed raspberry pi

I just reinstalled a Raspberry Pi with the latest Raspbian. I installed python3 and python3-pip.
And when I run sudo pip3 install btlejack I get this error:

Collecting btlejack
  Using cached https://files.pythonhosted.org/packages/1a/5b/e4cb52e4182d7992c292944f0ee1a1e4a0eeac56aaae122cbcd3ee4e20a0/btlejack-1.2.0.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-ed74slxh/btlejack/setup.py", line 26, in <module>
        long_description = read('README.rst'),
      File "/tmp/pip-build-ed74slxh/btlejack/setup.py", line 9, in read
        return open(os.path.join(os.path.dirname(__file__), fname)).read()
      File "/usr/lib/python3.5/encodings/ascii.py", line 26, in decode
        return codecs.ascii_decode(input, self.errors)[0]
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 2922: ordinal not in range(128)

    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-ed74slxh/btlejack/

Print a warning if an invalid -x option is passed

Hi,

btlejack currently falls back to -x pcap if an invalid option for -x is passed. It just took me a while to realize that I had typed ll_pcap rather than ll_phdr, and btlejack bailing an error (or printing a warning; but that would probably scroll out of sight easily) in that case would be nice.

Thanks,
Sebastian

Multiple Adafruit Bluefruit LE Sniffer needed?

Sorry, no issue, but a usage question...
It is recommended to use three BBC Micro:Bit devices to 'spy' on all three advertising channels simultaneously.
Would I need to use three Adafruit Bluefruit LE Sniffers as well?

Characteristics Discovery does not always Work

Hi

Issue
The discover command in a hijacked connection does not always work.

Steps to reproduce
Hijack a connection:

# btlejack -z -t -f 0x50656a9a
BtleJack version 2.0

[i] Stored connections cleared
[i] Detected sniffers:
 > Sniffer #0: fw version 2.0

[i] Synchronizing with connection 0x50656a9a ...
✓ CRCInit = 0x23297f
✓ Channel Map = 0x1fff0001ff
✓ Hop interval = 9
✓ Hop increment = 5
[i] Synchronized, hijacking in progress ...
[i] Connection successfully hijacked, it is all yours \o/
>> 16 09 05 00 04 00 1b 4b 00 63 00
>> 1a 09 05 00 04 00 1b 4b 00 64 00
>> 16 09 05 00 04 00 1b 4b 00 63 00
>> 1a 09 05 00 04 00 1b 4b 00 63 00

List characteristics shows an error instead of the characteristics:

>> 06 09 05 00 04 00 1b 4b 00 4c 00
btlejack> Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/btlejack-2.0.0-py3.8.egg/btlejack/__init__.py", line 355, in main
    supervisor.process_packets()
  File "/usr/lib/python3.8/site-packages/btlejack-2.0.0-py3.8.egg/btlejack/supervisors.py", line 38, in process_packets
    self.on_packet_received(pkt)
  File "/usr/lib/python3.8/site-packages/btlejack-2.0.0-py3.8.egg/btlejack/ui.py", line 663, in on_packet_received
    super().on_packet_received(packet)
  File "/usr/lib/python3.8/site-packages/btlejack-2.0.0-py3.8.egg/btlejack/supervisors.py", line 331, in on_packet_received
    self.on_ll_packet(packet)
  File "/usr/lib/python3.8/site-packages/btlejack-2.0.0-py3.8.egg/btlejack/ui.py", line 628, in on_ll_packet
    self._pt.on_ll_packet(packet)
  File "/usr/lib/python3.8/site-packages/btlejack-2.0.0-py3.8.egg/btlejack/ui.py", line 274, in on_ll_packet
    response = L2CAP.from_bytes(packet.data[12:]).payload.payload
AttributeError: 'NoneType' object has no attribute 'payload'

I get this error nearly every time I use it. I rarely get the desired output.

Thanks & best regards,
Emanuel

Sending captured data to a named pipe

Hello
I am using a Raspberry Pi with a Micro:Bit board to capture BLE connections. It works without problem, I write data into a .pcap file and afterwards read it via Wireshark. But I would like to have the opportunity to monitor all packets live.
I tried to make a pipe, connect it in Wireshark, and send the .pcap file into that pipe.

$ mkfifo /tmp/sharkfin
$ wireshark -k -i /tmp/sharkfin &
$ cat capture.pcap > /tmp/sharkfin &

The same time in this file I write captured data

$ sudo btlejack -c any -x nordic -o capture.pcap

Because of the cat command, it is not like live; I have to start a new session in Wireshark to see new packets every time. I thought, maybe I can send data directly into the pipe without any files? Something like this:
$ sudo btlejack -c any -x nordic -o /tmp/sharkfin
Or do I have other ways?
Thanks in advance!

Firmware Question

Can you revert back to the original firmware after flashing with btlejack?

Command Input not visible in Hijacking Mode

Hi

First of all: Great tool! ;-)

Issue
When I hijack a connection, I can't see what I type.

Steps to Reproduce

Hijack a connection:

# btlejack -z -t -f 0x50657350
BtleJack version 2.0

[i] Stored connections cleared
[i] Detected sniffers:
 > Sniffer #0: fw version 2.0

[i] Synchronizing with connection 0x50657350 ...
✓ CRCInit = 0x92f653
✓ Channel Map = 0x1fffffffff
✓ Hop interval = 9
✓ Hop increment = 10
[i] Synchronized, hijacking in progress ...
[i] Connection successfully hijacked, it is all yours \o/
>> 1a 09 05 00 04 00 1b 4b 00 56 00
>> 16 09 05 00 04 00 1b 4b 00 56 00

Now, the btlejack> prompt appears but it does not show what I type.

>> 06 09 05 00 04 00 1b 4b 00 54 00
btlejack>

However, the commands are still executed when I press enter. It's just not shown.

Thanks & best regards,
Emanuel

What's the reason for a "Hijacking failed"?

Hey, I'm having an issue where btlejack can't hijack a Bluetooth LE connection:

btlejack -f 0xaf9a9cde -t -m 0x1bff001fff -p 39

BtleJack version 2.0

[i] Detected sniffers:
 > Sniffer #0: fw version 3.14
 > Sniffer #1: fw version 3.14
 > Sniffer #2: fw version 3.14

[i] Synchronizing with connection 0xaf9a9cde ...
✓ CRCInit = 0x48ef4a
✓ Channel map is provided: 0x1bff001fff
✓ Hop interval = 39
✓ Hop increment = 8
[i] Synchronized, hijacking in progress ...
[!] Hijack failed.

And I'm not sure if the issue is myself or the connection or btlejack.
Can you explain why Hijacking does not work or what the issue could be?

EDIT: capturing the traffic works as expected with the same CRCInit, Channel Map, Hop interval and Hop increment values.

Junk when running discover

Having a problem when running discover after a hijack. "@> b'SP'" looks to be echoed back on to the CLI and after about 30 secs there is an "L2CAPException". It also takes a few attempts to hijack. Thanks in advance, love your work. Your DEFCON26 talk was awesome :)

BtleJack version 1.3

[i] Using cached parameters (created on 2019-08-05 20:50:20)
[i] Detected sniffers:
 > Sniffer #0: fw version 1.3

[i] Synchronizing with connection 0xaf9a9b29 ...
✓ CRCInit: 0xe85837
✓ Channel map is provided: 0x1ffffff800
\ Computing hop interval@> b'Recovering hop interval ...'
✓ Hop interval = 39
✓ Hop increment = 13
[i] Synchronized, hijacking in progress ...
[i] Connection successfully hijacked, it is all yours \o/
btlejack> discover
btlejack> @> b'SP'
Traceback (most recent call last):
  File "/usr/local/bin/btlejack", line 10, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/dist-packages/btlejack/__init__.py", line 329, in main
    supervisor.process_packets()
  File "/usr/local/lib/python3.7/dist-packages/btlejack/supervisors.py", line 38, in process_packets
    self.on_packet_received(pkt)
  File "/usr/local/lib/python3.7/dist-packages/btlejack/ui.py", line 610, in on_packet_received
    super().on_packet_received(packet)
  File "/usr/local/lib/python3.7/dist-packages/btlejack/supervisors.py", line 307, in on_packet_received
    self.on_ll_packet(packet)
  File "/usr/local/lib/python3.7/dist-packages/btlejack/ui.py", line 575, in on_ll_packet
    self._pt.on_ll_packet(packet)
  File "/usr/local/lib/python3.7/dist-packages/btlejack/ui.py", line 273, in on_ll_packet
    response = L2CAP.from_bytes(packet.data[12:]).payload.payload
  File "/usr/local/lib/python3.7/dist-packages/btlejack/dissect/l2cap.py", line 35, in from_bytes
    raise L2CAPException()
btlejack.dissect.l2cap.L2CAPException

hello

you can hijack one of the two users that they are sending files to each other, and get inside their directory like dir , ls ,download upload files? from the device to ur kali linux xD?

pcap.py: ll_phdr: Index out of range

#btlejack -c any -o test -x ll_phdr
BtleJack version 1.3

[i] Detected sniffers:
 > Sniffer #0: version 1.3
 > Sniffer #1: version 1.3
 > Sniffer #2: version 1.3
LL Data: 05 22 79 b9 fa 13 ac 42 18 49 52 ee f3 0c 2d ba 9a af e1 96 45 03 02 00 18 00 00 00 48 00 ff ff ff ff 1f 0f
[i] Got CONNECT_REQ packet from yy:yy:yy:yy:yy:yy to xx:xx:xx:xx:xx:xx
 |-- Access Address: 0xaf9aba2d
 |-- CRC Init value: 0x4596e1
 |-- Hop interval: 24
 |-- Hop increment: 15
 |-- Channel Map: 1fffffffff
 |-- Timeout: 720 ms

LL Data: 03 06 0c 07 0f 00 0d 41
LL Data: 0b 06 0c 08 5a 00 00 12
LL Data: 03 17 03 00 00 00 00 00 00 00 00 00 00 94 33 fb b2 d8 9d 6a 99 8e ac 99 39
LL Data: 0b 0d 04 8b 21 fc c2 6d 1a 1c aa 96 49 d4 f7
Traceback (most recent call last):
  File "/usr/local/bin/btlejack", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/dist-packages/btlejack/__init__.py", line 329, in main
    supervisor.process_packets()
  File "/usr/local/lib/python3.6/dist-packages/btlejack/supervisors.py", line 432, in process_packets
    self.on_packet_received(pkt)
  File "/usr/local/lib/python3.6/dist-packages/btlejack/supervisors.py", line 476, in on_packet_received
    self.on_ll_packet(packet)
  File "/usr/local/lib/python3.6/dist-packages/btlejack/ui.py", line 409, in on_ll_packet
    self.output.write_packet(ts_sec, ts_usec, self.access_address, packet.data)
  File "/usr/local/lib/python3.6/dist-packages/btlejack/pcap.py", line 70, in write_packet
    payload = self.payload(aa, packet)
  File "/usr/local/lib/python3.6/dist-packages/btlejack/pcap.py", line 96, in payload
    packet[2],
IndexError: index out of range

# btlejack -c xx:xx:xx:xx:xx:xx -o test -x ll_phdr 
BtleJack version 1.3

[i] Detected sniffers:
 > Sniffer #0: version 1.3
 > Sniffer #1: version 1.3
 > Sniffer #2: version 1.3
LL Data: 05 22 79 b9 fa 13 ac 42 18 49 52 ee f3 0c aa bb 9a af f3 d0 ac 03 07 00 18 00 00 00 48 00 ff ff ff ff 1f 08
[i] Got CONNECT_REQ packet from yy:yy:yy:yy:yy:yy to xx:xx:xx:xx:xx:xx
 |-- Access Address: 0xaf9abbaa
 |-- CRC Init value: 0xacd0f3
 |-- Hop interval: 24
 |-- Hop increment: 8
 |-- Channel Map: 1fffffffff
 |-- Timeout: 720 ms

LL Data: aa 2b 4b 84 23 6b 73 ee 70 41 f3 70 2b c1 6b 4c e7 59 1c c3 9c 66 fd ed 9d 9c 0c 9c e4 f0 66 85 6e a5 e9 6a c1 cc 6d 5a 56 f6 9b 4c c2
LL Data: 16 1f 31 cf 51 68 ad d6 8e f0 ba 2f 29 2e e8 3e 8d 1f 00 85 0a c5 80 65 cc a8 e2 90 56 b6 b9 25 6f
LL Data: 0a 1f 93 da 18 b6 e4 a2 da 38 f8 85 10 a9 69 c3 23 f3 c1 55 7b da e8 13 86 13 13 37 46 9b d7 cd 50
LL Data: 06 1f 62 2b 5a 17 9c 7a 88 86 70 b3 c4 3f 9e a0 4d f4 c0 cc dc bd fc 62 9f 51 9d 38 ad 27 fd d4 97
LL Data: 02 0f 9e 9b 0d 3e 43 ba 80 2a 20 60 ea 84 1c 69 d7
LL Data: 0a 15 5e 9d f4 ed 59 2a 16 37 73 0d 5f 11 57 3a 6e 99 06 e5 9b 20 1a
Traceback (most recent call last):
  File "/usr/local/bin/btlejack", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/dist-packages/btlejack/__init__.py", line 329, in main
    supervisor.process_packets()
  File "/usr/local/lib/python3.6/dist-packages/btlejack/supervisors.py", line 432, in process_packets
    self.on_packet_received(pkt)
  File "/usr/local/lib/python3.6/dist-packages/btlejack/supervisors.py", line 476, in on_packet_received
    self.on_ll_packet(packet)
  File "/usr/local/lib/python3.6/dist-packages/btlejack/ui.py", line 409, in on_ll_packet
    self.output.write_packet(ts_sec, ts_usec, self.access_address, packet.data)
  File "/usr/local/lib/python3.6/dist-packages/btlejack/pcap.py", line 70, in write_packet
    payload = self.payload(aa, packet)
  File "/usr/local/lib/python3.6/dist-packages/btlejack/pcap.py", line 96, in payload
    packet[2],
IndexError: index out of range

multiple ble400 boards

Did someone test this with multiple devices? I tried this but only the first device gets used.

BtleJack version 2.0

[i] Enumerating existing connections ...
^C[i] Quitting

And only one of the UART adapters is powered up and shows traffic. It is not a power problem.

[Question] Hardware and operating system compatibility

Good morning,

Would it be possible to confirm compatibility with certain hardware+operating system configurations?

I was thinking, for example, of using the following scenarios:

  • Micro:Bit + Raspberry Pi 3 headless, mobile, controlled over SSH (Wi-Fi or Bluetooth)
  • Micro:Bit in OTG, with SSH connection from an Android smartphone

For now, everything seems to install correctly on a newly installed Raspbian on a Raspberry Pi 3.

The ultimate goal for me would be to see how to build a nomadic and headless system.

ESP32

From your point of view, would it be possible to port your firmware to the ESP32?
BR

Connection lost after pairing

After the CONNECT_REQ, the pairing procedure (and some other packets), Btlejack always loses the connection.

I used crackle to analyze the packets and I noticed that the last packet captured before the loss is always a LL_CONNECTION_UPDATE_REQ.

One way to recover the connection would be to run btlejack -f 0xxxxxxxxx immediately after, but I have only one Micro:bit and the parameter recovery is very slow (I have never seen it completed, because btlejack always gets stuck on hop increment).

Maybe it is necessary to modify the firmware code. Any advice?

Unable to flash Firmware to micro:bit device

I constantly get the error message:

The transfer timed out.

Any ideas what's wrong here?
Content of DETAILS.TXT:

DAPLink Firmware - see https://mbed.com/daplink

Unique ID: 0000000051114e450017800d000000310000000097969901
HIC ID: 97969901
Auto Reset: 0
Automation allowed: 1
Overflow detection: 0
Daplink Mode: Bootloader
Bootloader Version: 0243
Git SHA: b403a07e3696cee1e116d44cbdd64446e056ce38
Local Mods: 0
USB Interfaces: MSD
Bootloader CRC: 0x32eb3cfd
Interface CRC: 0x07911068
Remount count: 4

Feature-Request BLE-Relay

Hi! Have you thought about adding a BLE-Relay feature? (Run two laptops, each equipped with a Micro:Bit and relay/hijack a connection by forwarding packets (via IP) between the two machines)

"Computing hop increment" never ending

I have a problem that the "Computing hop increment" is never ending.

So the -i works fine:

$ btlejack -i
BtleJack version 1.1

[i] Flashing /Volumes/MICROBIT ...
[i] Flashed 1 devices

The -s as well:

$ btlejack -s
BtleJack version 1.1

[i] Enumerating existing connections ...
[...]
[ - 87 dBm] 0xaf9a8da1 | pkts: 50
[...]

But then I do -f and even after 20 minutes the "Computing hop increment" is not finishing:

$ btlejack -f 0xaf9a8da1
BtleJack version 1.1

[i] Detected sniffers:
 > Sniffer #0: fw version 1.1

[i] Synchronizing with connection 0xaf9a8da1 ...
✓ CRCInit = 0xbbc761
✓ Channel Map = 0x1f80680043
✓ Hop interval = 2
\ Computing hop increment^C[i] Quitting

When I aborted and tried again I actually got different Channel Map values (it was still the same BLE connection). Is that a problem (I'm not very familiar with the bluetooth protocol) or expected? Here's the output of the second run:

btlejack -f 0xaf9a8da1 -j
BtleJack version 1.1

[i] Using cached parameters (created on 2018-08-21 14:07:57)
[i] Detected sniffers:
 > Sniffer #0: fw version 1.1

[i] Synchronizing with connection 0xaf9a8da1 ...
✓ CRCInit: 0xbbc761
✓ Channel Map = 0x1fc3200000
✓ Hop interval = 2
/ Computing hop increment

It's an iPhone 6 talking to a Bluetooth headset (no PIN pairing, I guess it's the "just works" protocol). I'm using btlejack on macOS.

Fix for this issue

Is it possible to fix this issue with a software update, or does this require new hardware?

If a software update from the manufacturers is enough, must both connected devices be patched?
