This repository contains the supplemental material to the article 'Identification and Analysis of Bluetooth Devices via Automata Learning' and to the paper 'Fingerprinting Bluetooth Low Energy via Active Automata Learning' of Andrea Pferscher and Bernhard K. Aichernig (Institute of Software Technology, Graz University of Technology).
This repository provides a framework that learns the behavioral model of a black-box Bluetooth Low Energy (BLE) device by active automata learning. The framework can learn the model of the connection procedure and the legacy pairing procedure. This repository also contains the learned models and learning results of the performed case study.
- Learned models (learned-automata/):
  - Pairing procedure models (pairing-procedure/):
    - CYBLE-416045-02 [PDF]
    - nRF52832 [PDF]
    - CC2650 [PDF]
    - CYW43455 [PDF]
    - CC2640R2 (no pairing request) [PDF]
    - CC2640R2 (no length request) [PDF]
    - CC2640R2 (no feature request) [PDF]
    - CC2652R1 [PDF]
- Learning results (learning-results/):
- Firmware (firmware/)
  - Nordic nRF52840 Dongle
  - Nordic nRF52840 Development Kit: s140_nrf52_6.1.1_softdevice + nrf52840_dk_firmware
- Framework
  - connection procedure experiment (ble_learning.py)
  - connection procedure experiment (after connection) (ble_learning_connecting_start.py)
  - pairing procedure experiment (ble_learning_pairing.py)
- Nordic nRF52840 Dongle or Development Kit flashed with the corresponding firmware
  Flashing: You can use the programmer tool of the nRF Connect for Desktop application to flash the provided firmware on the Nordic nRF52840 Dongle or Nordic nRF52840 Development Kit.
  For the development kit (possibly also for the dongle) you first have to write the s140_nrf52_6.1.1_softdevice file and then the nrf52840_dk_firmware.
  The firmware is taken from the SweynTooth project.
- Python 3.9
- Python libraries pySerial, Scapy >= 2.4.5, AALpy >= 1.1.7, Colorama and pycryptodome
Requirements installation:
sudo pip3 install -r requirements.txt
Only required for learning the pairing procedure:
- Installation of python3.9-dev:
  sudo apt-get install python3.9-dev
- Installation of the Security Manager interface:
  cd libs/smp_server/; sudo python3.9 setup.py install
Learning of the connection procedure of a Bluetooth Low Energy (BLE) device is started with ble_learning.py. To start learning only after the connection request, run ble_learning_connecting_start.py instead. Learning of the pairing procedure is started with ble_learning_pairing.py. All programs require the serial port name of the nRF52 device and the BLE address of the peripheral device (advertiser) whose model should be learned.
python3 ble_learning.py <serial_port> <advertiser_address> [<pcap|dot filename>]
Example:
python3 ble_learning.py /dev/ttyACM0 00:A0:50:00:00:03
The program outputs the learning results after a successful learning procedure and saves the learned model in the file LearnedModel.dot.
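As an added illustration of what the learned models are used for in the fingerprinting setting (this is not code from the repository): two constructed toy Mealy machines of the connection procedure stand in for learned models, and a breadth-first search over their product finds the shortest input sequence on which they answer differently, i.e. a query that tells the two devices apart. The state names, inputs and outputs are assumptions made for the illustration.

```python
from collections import deque

# Two constructed toy Mealy machines of a BLE connection procedure, used as
# stand-ins for learned models (they are NOT the repository's learned automata).
# Encoding: state -> {input: (output, next_state)}; "-" means no response.
ADVERTISING = {"connect_req": ("conn_ind", "conn"), "length_req": ("-", "adv"),
               "feature_req": ("-", "adv"), "version_req": ("-", "adv")}
DEVICE_A = {
    "adv": ADVERTISING,
    "conn": {"connect_req": ("-", "conn"), "length_req": ("length_rsp", "conn"),
             "feature_req": ("feature_rsp", "conn"), "version_req": ("version_ind", "conn")},
}
DEVICE_B = {  # like A, but silently ignores the length request once connected
    "adv": ADVERTISING,
    "conn": {"connect_req": ("-", "conn"), "length_req": ("-", "conn"),
             "feature_req": ("feature_rsp", "conn"), "version_req": ("version_ind", "conn")},
}

def run(machine, inputs, start="adv"):
    """Replay an input sequence on a model and return the observed outputs."""
    state, outputs = start, []
    for inp in inputs:
        out, state = machine[state][inp]
        outputs.append(out)
    return outputs

def distinguishing_sequence(m1, m2, start="adv"):
    """Breadth-first search over the product of two deterministic, input-complete
    Mealy machines (same input alphabet) for the shortest input sequence on
    which their outputs differ. Returns None if no such sequence exists."""
    queue = deque([((start, start), [])])
    seen = {(start, start)}
    while queue:
        (s1, s2), path = queue.popleft()
        for inp in m1[s1]:
            out1, next1 = m1[s1][inp]
            out2, next2 = m2[s2][inp]
            if out1 != out2:
                return path + [inp]
            if (next1, next2) not in seen:
                seen.add((next1, next2))
                queue.append(((next1, next2), path + [inp]))
    return None

def fingerprint(observed, known_models, start="adv"):
    """Names of the known models the observed model is equivalent to."""
    return [name for name, m in known_models.items()
            if distinguishing_sequence(observed, m, start) is None]
```

For DEVICE_A and DEVICE_B the shortest separating query is connect_req followed by length_req, since the two models only diverge in how they answer the length request after the connection is established.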
- SweynTooth: nRF52 driver, firmware and code snippets for BLE packet construction
- AALpy: active automata learning library
- Scapy: BLE packet parsing and composition
- Colorama: colored terminal text