[Hackrf-dev] A BTLE (Bluetooth Low energy)/BT4.0 radio packet sender

Luke Berndt lukekb at gmail.com
Tue Aug 5 08:26:10 EDT 2014 

Nicely done! Does anyone know if it would be possible to get CrackLE running against this? It was designed for UberTooth so I am not sure if it needs some HW. 
https://github.com/mikeryan/crackle/



Sent from my iPhone

> On Aug 5, 2014, at 2:15 AM, Jiao Xianjun <putaoshu at gmail.com> wrote:
> 
> A BTLE (Bluetooth Low energy)/BT4.0 radio packet sender ( build based on hackrf_transfer: https://github.com/mossmann/hackrf  )
> 
> See project here: https://github.com/JiaoXianjun/   repo BTLE
> 
> All link layer packet formats are supported. (Chapter 2&3, PartB, Volume 6, Core_V4.0.pdf : https://www.google.fi/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCAQFjAA&url=https%3A%2F%2Fwww.bluetooth.org%2Fdocman%2Fhandlers%2Fdownloaddoc.ashx%3Fdoc_id%3D229737&ei=ui3gU4GkC-up0AW4q4GwBw&usg=AFQjCNFY1IFeFAAWwimnoaWMsIRZQvPDSw&sig2=wTgMMxNPJ52NHclpsQ4XhQ&bvm=bv.72197243,d.d2k  )
> 
> It can be used to transmit arbitrary pre-defined BTLE signal/packet sequence, such as raw bits to GFSK modulator, iBeacon packet, Connection establishment procedure packet in TI's website: http://processors.wiki.ti.com/index.php/BLE_sniffer_guide , or any other packets you want. Together with TI's packet sniffer, you will have full TX and RX abilities. See video demo 1 http://youtu.be/Y8ttV5AEb-g (outside China) or video demo 2 http://v.youku.com/v_show/id_XNzUxMDIzNzAw.html (inside China)
> 
> ----Build:
> 
>     cd host
>     mkdir build
>     cd build
>     cmake ../
>     make
>     sudo make install  (or not install, just use btle_tx in hackrf-tools/src)
> 
> ----Usage method 1:
> 
>     btle_tx packet1 packet2 ... packetX ...  rN
> 
> ----Usage method 2:
> 
>     btle_tx packets.txt
> 
> In method 2, just those command line parameters (packet1 ... rN) in method 1 are written/grouped in a .txt file as input of btle_tx tool. One parameter one line. A line start with "#" is regarded as comment. See packets.txt example in hackrf-tools/src.
> 
> "packetX" is one string which describes one packet. All packets compose a packets sequence.
> 
> "rN" means the sequence will be repeated for N times. If it is not specified, the sequence will only be sent once.
> 
> ----Format of packet descriptor "packetX"
>     
>     channel_number-packet_type-field-value-field-value-...-Space-value
> 
> Each descriptor string starts with BTLE channel number (0~39), then followed by packet_type (RAW/iBeacon/ADV_IND/ADV_DIRECT_IND/etc. See all format examples at the end), then followed by field-value pair which is packet_type specific, at last there is Space-value pair (optional) where the value specifies how many millisecond will be waited after this packet sent.
> 
> ----iBeacon example: (iBeacon principle: http://www.warski.org/blog/2014/01/how-ibeacons-work/ )
> 
>     ./btle_tx     37-iBeacon-AdvA-010203040506-UUID-B9407F30F5F8466EAFF925556B57FE6D-Major-0008-Minor-0009-TxPower-C5-Space-100     r100
> 
> Above command sends iBeacon packet and repeats it 100 times with 100ms time space (If you have "Locate" app in your iPhone/iPad, it will detect the packet and show the iBeacon info.). The packet descriptor string:
> 
>     37-iBeacon-AdvA-010203040506-UUID-B9407F30F5F8466EAFF925556B57FE6D-Major-0008-Minor-0009-TxPower-C5-Space-100
> 
> 37 -- channel 37 (one of BTLE Advertising channel 37 38 39)
> 
> iBeacon -- packet format key word which means iBeacon format. (Actually it is ADV_IND format in Core_V4.0.pdf)
> 
> AdvA -- Advertising address (MAC address) which is set as 010203040506 (See Core_V4.0.pdf)
> 
> UUID -- here we specify it as Estimote’s fixed UUID: B9407F30F5F8466EAFF925556B57FE6D
> 
> Major -- major number of iBeacon format. (Here it is 0008)
> 
> Minor -- minor number of iBeacon format. (Here it is 0009)
> 
> Txpower -- transmit power parameter of iBeacon format (Here it is C5)
> 
> Space -- How many millisecond will be waited after this packet sent. (Here it is 100ms)
> 
> ----Connection establishment example: (See "Connection establishment" part of http://processors.wiki.ti.com/index.php/BLE_sniffer_guide )
> 
>     ./btle_tx     37-ADV_IND-TxAdd-0-RxAdd-0-AdvA-90D7EBB19299-AdvData-0201050702031802180418-Space-1000        37-CONNECT_REQ-TxAdd-0-RxAdd-0-InitA-001830EA965F-AdvA-90D7EBB19299-AA-60850A1B-CRCInit-A77B22-WinSize-02-WinOffset-000F-Interval-0050-Latency-0000-Timeout-07D0-ChM-1FFFFFFFFF-Hop-9-SCA-5-Space-1000      9-LL_DATA-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-DATA-X-CRCInit-A77B22-Space-1000
>     
> Above simualtes a Connection establishment procedure between device 1 and device 2.
> 
> The 1st packet -- device 1 sends ADV_IND packet in channel 37.
> 
> The 2nd packet -- After device 2 (in scanning state) receives the ADV packet from device 1, device 2 sends CONNECT_REQ packet to request connection setup with device 1. In this request packet, there are device 2 MAC address (InitA), target MAC address (device 1 MAC address AdvA), Access address (AA) which will be used by device 1 in following packet sending in data channel, CRC initilization value for following device 1 sending packet, Hopping channel information (ChM and Hop) for data channel used by device 1, etc.
> 
> The 3rd packet -- device 1 send an empty Link layer data PDU in channel 9 (decided by hopping scheme) according to those connection request information received from device 2. (One "X" after field "DATA" means there is no data for this field )
> 
> Time space between packets are 1s (1000ms). Tune TI's packet sniffer to channel 37, then above establishment procedure will be captured.
> 
> ----Packet descriptor examples for all formats:
> 
> RAW packets: (All bits will be sent to GFSK modulator directly)
> 
>     13-RAW-AAD6BE898E5F134B5D86F2999CC3D7DF5EDF15DEE39AA2E5D0728EB68B0E449B07C547B80EAA8DD257A0E5EACB0B
> 
> ADVERTISING CHANNEL packets:
> 
>     37-IBEACON-AdvA-010203040506-UUID-B9407F30F5F8466EAFF925556B57FE6D-Major-0008-Minor-0009-TxPower-C5
>     37-ADV_IND-TxAdd-1-RxAdd-0-AdvA-010203040506-AdvData-00112233445566778899AABBCCDDEEFF
>     37-ADV_DIRECT_IND-TxAdd-1-RxAdd-0-AdvA-010203040506-InitA-0708090A0B0C
>     37-ADV_NONCONN_IND-TxAdd-1-RxAdd-0-AdvA-010203040506-AdvData-00112233445566778899AABBCCDDEEFF
>     37-ADV_SCAN_IND-TxAdd-1-RxAdd-0-AdvA-010203040506-AdvData-00112233445566778899AABBCCDDEEFF
>     37-SCAN_REQ-TxAdd-1-RxAdd-0-ScanA-010203040506-AdvA-0708090A0B0C
>     37-SCAN_RSP-TxAdd-1-RxAdd-0-AdvA-010203040506-ScanRspData-00112233445566778899AABBCCDDEEFF
>     37-CONNECT_REQ-TxAdd-1-RxAdd-0-InitA-010203040506-AdvA-0708090A0B0C-AA-01020304-CRCInit-050607-WinSize-08-WinOffset-090A-Interval-0B0C-Latency-0D0E-Timeout-0F00-ChM-0102030405-Hop-3-SCA-4
> 
> DATA CHANNEL packets:
> 
>     9-LL_DATA-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-DATA-X-CRCInit-A77B22
>     9-LL_CONNECTION_UPDATE_REQ-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-WinSize-02-WinOffset-000F-Interval-0050-Latency-0000-Timeout-07D0-Instant-0000-CRCInit-A77B22
>     9-LL_CHANNEL_MAP_REQ-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-ChM-1FFFFFFFFF-Instant-0001-CRCInit-A77B22
>     9-LL_TERMINATE_IND-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-ErrorCode-00-CRCInit-A77B22
>     9-LL_ENC_REQ-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-Rand-0102030405060708-EDIV-090A-SKDm-0102030405060708-IVm-090A0B0C-CRCInit-A77B22
>     9-LL_ENC_RSP-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-SKDs-0102030405060708-IVs-01020304-CRCInit-A77B22
>     9-LL_START_ENC_REQ-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-CRCInit-A77B22
>     9-LL_START_ENC_RSP-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-CRCInit-A77B22
>     9-LL_UNKNOWN_RSP-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-UnknownType-01-CRCInit-A77B22
>     9-LL_FEATURE_REQ-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-FeatureSet-0102030405060708-CRCInit-A77B22
>     9-LL_FEATURE_RSP-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-FeatureSet-0102030405060708-CRCInit-A77B22
>     9-LL_PAUSE_ENC_REQ-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-CRCInit-A77B22
>     9-LL_PAUSE_ENC_RSP-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-CRCInit-A77B22
>     9-LL_VERSION_IND-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-VersNr-01-CompId-0203-SubVersNr-0405-CRCInit-A77B22
>     9-LL_REJECT_IND-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-ErrorCode-00-CRCInit-A77B22
> 
> _______________________________________________
> HackRF-dev mailing list
> HackRF-dev at greatscottgadgets.com
> http://nine.pairlist.net/mailman/listinfo/hackrf-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nine.pairlist.net/pipermail/hackrf-dev/attachments/20140805/9eb48697/attachment.html>

More information about the HackRF-dev mailing list