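#!/usr/bin/env bash
# Build and flash the BLE CTF firmware onto an ESP32 with the ESP-IDF "make" build system.
# Run step by step: menuconfig is interactive, and `make flash` needs a serial connection
# to the board (set the port in menuconfig).
mkdir -p ~/esp
cd ~/esp || exit 1
# --recursive pulls every ESP-IDF submodule. This clones tip-of-master, which is not
# reproducible; NOTE(review): check out a tagged ESP-IDF release here before sourcing
# export.sh (check ble_ctf's README for the IDF version it expects) so the toolchain
# you build with is a known, reviewable revision.
git clone --recursive https://github.com/espressif/esp-idf.git
# export.sh must be sourced (not executed) so it can set up PATH/IDF_PATH in this
# shell. It is third-party code running as your user — skim it before sourcing.
. "$HOME/esp/esp-idf/export.sh"
cd ~ || exit 1
git clone https://github.com/hackgnar/ble_ctf.git
# The build must run inside the project directory; the original sequence ran make
# from ~, where there is no project Makefile.
cd ~/ble_ctf || exit 1
make menuconfig # enable Bluetooth and set serial connection, disable new warnings introduced in gcc 6-8
make
# Flashing writes to the serial device; give your user access to it (typically a
# dialout group membership or a udev rule) rather than running the build as root.
make flash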
$ sudo bettercap
192.168.4.0/24 > 192.168.4.117 » ble.recon on
192.168.4.0/24 > 192.168.4.117 » [18:29:45] [ble.device.new] new BLE device BLECTF detected as 3C:71:BF:0C:76:9E (Espressif Inc.) -48 dBm.
192.168.4.0/24 > 192.168.4.117 » ble.show
┌─────────┬───────────────────┬────────────────┬──────────────────────────────────────────────┬─────────┬──────────┐
│ RSSI ▴ │ MAC │ Vendor │ Flags │ Connect │ Seen │
├─────────┼───────────────────┼────────────────┼──────────────────────────────────────────────┼─────────┼──────────┤
│ -34 dBm │ 67:53:33:b4:9b:16 │ Apple, Inc. │ LE + BR/EDR (controller), LE + BR/EDR (host) │ ✔ │ 18:29:48 │
│ -40 dBm │ 21:ca:e5:06:db:0e │ │ LE + BR/EDR (controller), LE + BR/EDR (host) │ ✖ │ 18:29:48 │
│ -43 dBm │ 5a:5e:a4:0a:24:ef │ Apple, Inc. │ LE + BR/EDR (controller), LE + BR/EDR (host) │ ✔ │ 18:29:48 │
│ -44 dBm │ 3c:71:bf:0c:76:9e │ Espressif Inc. │ BR/EDR Not Supported │ ✔ │ 18:29:48 │
│ -50 dBm │ 6f:5a:f3:f1:3d:38 │ Apple, Inc. │ BR/EDR Not Supported │ ✔ │ 18:29:48 │
│ -55 dBm │ 4a:aa:5f:e2:28:9c │ Apple, Inc. │ BR/EDR Not Supported │ ✔ │ 18:29:48 │
│ -60 dBm │ 5a:19:27:be:0f:24 │ Apple, Inc. │ LE + BR/EDR (controller), LE + BR/EDR (host) │ ✔ │ 18:29:48 │
│ -61 dBm │ 7f:84:f9:98:61:94 │ Google │ │ ✖ │ 18:29:48 │
│ -68 dBm │ 76:4d:1b:cb:98:3f │ Apple, Inc. │ BR/EDR Not Supported │ ✔ │ 18:29:48 │
│ -68 dBm │ a8:bb:cf:13:d0:03 │ Apple, Inc. │ BR/EDR Not Supported │ ✔ │ 18:29:48 │
│ -72 dBm │ 33:3f:9a:64:f2:3b │ Microsoft │ │ ✖ │ 18:29:48 │
│ -73 dBm │ 72:74:77:b8:d8:e0 │ Google │ │ ✖ │ 18:29:46 │
│ -76 dBm │ 3a:5d:22:70:34:da │ Apple, Inc. │ LE + BR/EDR (controller), LE + BR/EDR (host) │ ✖ │ 18:29:47 │
│ -76 dBm │ d0:03:4b:56:1f:92 │ Apple, Inc. │ LE + BR/EDR (controller), LE + BR/EDR (host) │ ✔ │ 18:29:48 │
└─────────┴───────────────────┴────────────────┴──────────────────────────────────────────────┴─────────┴──────────┘
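# Read the CTF score: characteristic ff01 (handle 0x002a) returns the text "Score: N/20".
# gatttool --char-read prints the value as a space-separated hex dump after a single ':'.
#
# gatt_hex2ascii: decode one line of gatttool --char-read output from stdin into text,
# followed by a newline. Returns 1 (and echoes the line to stderr) when the output is
# empty or is not a hex dump — e.g. a "connect error: ..." message — instead of feeding
# that text into the decoder and printing garbage that looks like a value.
gatt_hex2ascii() {
  local line hex byte
  IFS= read -r line || return 1
  hex=${line#*:}
  if [[ ! $hex =~ ^[[:space:]]*([[:xdigit:]]{2}[[:space:]]*)+$ ]]; then
    printf 'unexpected gatttool output: %s\n' "$line" >&2
    return 1
  fi
  # Word-splitting on the default IFS is intended: one token per hex byte (bash printf
  # understands \xHH, so no xxd dependency).
  for byte in $hex; do
    printf "\\x$byte"
  done
  printf '\n'
}
gatttool -b 3c:71:bf:0c:76:9e --char-read -a 0x002a | gatt_hex2ascii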
Score: 0/20
Enumerate the GATT services and characteristics on the device. The custom service `00ff` (handles 0x0028 onward) holds the CTF challenge characteristics `ff01`–`ff17`; as the read of handle 0x002a above shows, they are accessible without any pairing step.
$ sudo bettercap
192.168.4.0/24 > 192.168.4.117 » ble.enum 3c:71:bf:0c:76:9e
[18:30:02] [sys.log] [inf] ble.recon connecting to 3c:71:bf:0c:76:9e ...
192.168.4.0/24 > 192.168.4.117 »
┌──────────────┬────────────────────────────┬───────────────────────────────┬───────────────────────────────────────────────────┐
│ Handles │ Service > Characteristics │ Properties │ Data │
├──────────────┼────────────────────────────┼───────────────────────────────┼───────────────────────────────────────────────────┤
│ 0001 -> 0005 │ Generic Attribute (1801) │ │ │
│ 0003 │ Service Changed (2a05) │ INDICATE │ │
│ │ │ │ │
│ 0014 -> 001c │ Generic Access (1800) │ │ │
│ 0016 │ Device Name (2a00) │ READ │ 2b00042f7481c7b056c4b410d28f33cf │
│ 0018 │ Appearance (2a01) │ READ │ Unknown │
│ 001a │ 2aa6 │ READ │ 00 │
│ │ │ │ │
│ 0028 -> ffff │ 00ff │ │ │
│ 002a │ ff01 │ READ │ Score: 0/20 │
│ 002c │ ff02 │ READ, WRITE │ Write Flags Here │
│ 002e │ ff03 │ READ │ d205303e099ceff44835 │
│ 0030 │ ff04 │ READ │ MD5 of Device Name │
│ 0032 │ ff05 │ READ, WRITE │ Write anything here │
│ 0034 │ ff06 │ READ, WRITE │ Write the ascii value "yo" here │
│ 0036 │ ff07 │ READ, WRITE │ Write the hex value 0x07 here │
│ 0038 │ ff08 │ READ │ Write 0xC9 to handle 58 │
│ 003a │ ff09 │ WRITE │ │
│ 003c │ ff0a │ READ, WRITE │ Brute force my value 00 to ff │
│ 003e │ ff0b │ READ │ Read me 1000 times │
│ 0040 │ ff0c │ READ, WRITE, NOTIFY │ Listen to me for a single notification │
│ 0042 │ ff0d │ READ │ Listen to handle 0x0044 for a single indication │
│ 0044 │ ff0e │ READ, WRITE, INDICATE │ Listen to handle 0x0044 for a single indication00 │
│ 0046 │ ff0f │ READ, WRITE, NOTIFY │ Listen to me for multi notifications │
│ 0048 │ ff10 │ READ │ Listen to handle 0x004a for multi indications │
│ 004a │ ff11 │ READ, WRITE, INDICATE │ Listen to handle 0x004a for multi indications00 │
│ 004c │ ff12 │ READ │ Connect with BT MAC address 11:22:33:44:55:66 │
│ 004e │ ff13 │ READ │ Set your connection MTU to 444 │
│ 0050 │ ff14 │ READ, WRITE │ Write+resp 'hello' │
│ 0052 │ ff15 │ READ, WRITE │ No notifications here! really? │
│ 0054 │ ff16 │ BCAST, READ, WRITE, NOTIFY, X │ So many properties! │
│ 0056 │ ff17 │ READ │ md5 of author's twitter handle │
│ │ │ │ │
└──────────────┴────────────────────────────┴───────────────────────────────┴───────────────────────────────────────────────────┘
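# Submit a flag: characteristic ff02 (handle 0x002c, "Write Flags Here") takes the flag
# as raw bytes, and gatttool's -n option expects those bytes hex-encoded.
#
# ascii2hex: print the bytes of $1 as one continuous lowercase hex string with no
# separators and no trailing newline. Uses od (POSIX) instead of xxd, and never wraps
# long input across lines, which would split the value handed to gatttool.
ascii2hex() {
  printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n'
}
# The writeup writes a dummy 20-character value here; substitute the flag you recovered.
flag="12345678901234567890"
gatttool -b 3c:71:bf:0c:76:9e --char-write-req -a 0x002c -n "$(ascii2hex "$flag")"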