
Missing source code?

Open jiska2342 opened this issue 4 years ago • 4 comments

Hi,

thanks for publishing the tooling for the ESP32 :)

I finally had some time to take a look into the source code and realized that only the source for the exploits is available in wdexploiter/modules/exploits. However, the source code for wdexploiter/bin/bt_exploiter is missing. Thus, the ESP32 tooling allows configuring BLE packets according to the definitions, but not adding any other undefined behavior.

Did I just miss the source code? It would be really interesting to have a binary patcher for the ESP32 firmware.

jiska2342 avatar Dec 20 '21 15:12 jiska2342

Hi @jiska2342, thanks for reaching out. The bt_exploiter is similar to the esp32 active sniffer as it connects to the board and receives LMP packets. However, it additionally loads the user-made code from the exploits folder. So the binary patcher is not there.

  1. To add new BR/EDR undefined cases (injecting/flooding or modifying other LMP packets), the user can create an arbitrary new_case_name.cpp file in wdexploiter/modules/exploits/ following the API template from the other exploits, and bt_exploiter will compile, load and run the new case (exploit) when it starts the next time with the --exploit=new_case_name.cpp switch.
  2. If you mean adding undefined behavior directly to the firmware: The firmware is yet to be open-sourced on the esp32 active sniffer repo. It has been postponed to early February (sorry about that), but I can send you the source by email if you don't mind the lack of documentation. The patching process is integrated into the normal user-code build tool (platformio) and the generated ELF file.
  3. A pseudo terminal is created on /dev/pts/x. This is to emulate an HCI serial port. You can then connect it to any BT stack that supports a serial connection (e.g., bluez or other btstack/bluekitchen profile programs) to guide the LMP communication.
  4. bt_exploiter cannot be open-sourced for now due to Keysight collaboration requirements, but the ESP32 firmware source code and binary patching framework can.

ESP32 also supports Wi-Fi and BLE. It would be interesting if the firmware could be extended to support active sniffing all of these 3 wireless technologies. Perhaps with coexistence enabled, even sniffing all at the same time.

Regards.

Matheus-Garbelini avatar Dec 22 '21 16:12 Matheus-Garbelini

Hi Matheus,

Thanks for sharing the POC code, but I think the firmware source for the esp32 active sniffer is still not available. Is there any plan to make that code publicly available?

Thanks and regards,

AKoo7 avatar Oct 10 '22 10:10 AKoo7

Hi @AKoo7 the firmware source code is publicly available here: https://github.com/Matheus-Garbelini/esp32_firmware_patching_framework

Matheus-Garbelini avatar Oct 10 '22 11:10 Matheus-Garbelini

Thanks Matheus, sorry I missed that somehow.

AKoo7 avatar Oct 10 '22 12:10 AKoo7