btlemesh
========
This application extends BtleJack (https://github.com/virtualabs/btlejack) to support Bluetooth mesh.
We also ported the firmware to RIOT OS, so more platforms can be supported.

Usage
=====
Clone this repository, build and flash the application. Then the Python host application can communicate with the board over the serial port.
Build, flash and start the application:

```
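# Select the target board, then build and flash in separate steps
export BOARD=your_board
make
make flash
# Or build and flash in one command, naming the board and its serial port
BOARD=your_board PORT=port_to_your_device make all flash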
```
Example boards with their RIOT OS identifiers:  
BBC micro:bit - microbit  
nRF52 DK      - nrf52dk  
nRF52840 DK   - nrf52840dk  
RuuviTag      - ruuvitag  

Python commands
===============
Sniffing an existing connection:
```
btlejack -s
```

Sniffing for new connections (you can use any or a specific address):
```
btlejack -c any
```

Following a connection:
```
btlejack -f access_address
```

Jamming a specific connection:
```
btlejack -f access_address -j
```

Hijacking a specific connection:
```
btlejack -f access_address -t
```

Sniffing data on advertising channels:
```
btlejack -a
```

Jamming advertising channels (for this you need three devices):
```
btlejack -a -j
```
Use -dt to set the data types that should be jammed. For example, for mesh message and mesh beacon:
```
btlejack -a -j -dt 0x2a -dt 0x2b
```
Use -nid to set the NID of a friendship subnetwork, to terminate this friendship by jamming the friend poll messages:
```
btlejack -a -j -nid 0x5b 
```
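
To show what the `-dt` and `-nid` values refer to in captured advertising data, the following added example (not part of btlemesh or BtleJack) parses advertising payloads into AD structures, picks out the mesh message (0x2a) and mesh beacon (0x2b) types, and reads the unobfuscated IVI/NID octet of each mesh message. All function names are hypothetical and the sample payloads are constructed and shortened.

```python
from collections import Counter

AD_MESH_MESSAGE = 0x2A  # AD type for mesh network PDUs (value passed to -dt above)
AD_MESH_BEACON = 0x2B   # AD type for mesh beacons

def parse_ad_structures(payload: bytes):
    """Split an advertising payload into (ad_type, data) pairs.
    Each AD structure is: length (1 byte, counts type + data), type, data."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:  # zero length marks the end of significant data
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def classify(payload: bytes):
    """Describe the mesh-related AD structures found in one payload."""
    found = []
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_MESH_MESSAGE and data:
            # First octet of a network PDU is sent in the clear: IVI (1 bit) | NID (7 bits)
            found.append({"kind": "mesh_message", "ivi": data[0] >> 7, "nid": data[0] & 0x7F})
        elif ad_type == AD_MESH_BEACON and data:
            found.append({"kind": "mesh_beacon", "beacon_type": data[0]})
    return found

def nid_histogram(payloads):
    """Count mesh messages per NID, e.g. to see which subnetworks are active."""
    return Counter(m["nid"] for p in payloads for m in classify(p)
                   if m["kind"] == "mesh_message")

# Constructed sample payloads (not real captures)
SAMPLES = [
    bytes.fromhex("0a2a5b0102030405060708"),  # mesh message, IVI=0, NID=0x5b
    bytes.fromhex("0a2adb0102030405060708"),  # mesh message, IVI=1, NID=0x5b
    bytes.fromhex("0a2a680102030405060708"),  # mesh message, IVI=0, NID=0x68
    bytes.fromhex("042b010000"),              # mesh beacon, beacon type 0x01
    bytes.fromhex("020106"),                  # flags only, no mesh content
]

if __name__ == "__main__":
    for nid, count in sorted(nid_histogram(SAMPLES).items()):
        print(f"NID 0x{nid:02x}: {count} mesh message(s)")
```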

Catch a friend establishment and recover the friend key material:
```
btlejack -a -fk
```

Open a prompt to sniff, jam or send packets on advertising channels:
```
btlejack -a -pt
```
Prompt commands are sniff, jam, stop_jam, stop or s (also for stop).


To specify one or more devices, add:
```
-d port
```
Otherwise, btlejack will try to find them, but it only searches for micro:bit. For all other boards you must set this value.

If, after execution, only the version (and, depending on the command, a notice that cached parameters are used) is displayed, abort and restart.

## Read our paper
* F. Álvarez, L. Almon, A. Hahn, M. Hollick. [Toxic Friends in Your Network: Breaking the Bluetooth Mesh Friendship Concept], Proceedings of the 5th Conference on Security Standards Research, SSR 2019, November 2019.


## Contact
* [Flor Álvarez](https://www.informatik.tu-darmstadt.de/seemoo/team_seemoo/flor_alvarez/) <falvarez@seemoo.tu-darmstadt.de>
* [Lars Almon](https://seemoo.de/lalmon) <lalmon@seemoo.tu-darmstadt.de>
* Ann-Sophie Hahn <ahahn@seemoo.tu-darmstadt.de>