mikeryan/crackle

TK Bruteforce

Closed this issue · 1 comments

I have listened to a pairing between 2 Bluetooth LE devices...
The pairing procedure uses the 6-digit key algorithm (not Just Works), and I ran crackle in mode -s and -v.
Crackle tries to brute-force the TK, but only tries combinations with the first 3 digits; it assumes that the last 3 digits are 000... I know that the TK is like "123456", so crackle won't get the correct key because it doesn't use the last 3 digits.

I attach the execution where you can notice the problem:
crackle_execution-s.txt

Sorry for my English... bye!
PS: great tool, Mike! It's very useful for my BLE security research. (:

Sorry, didn't read it:

```c
if (verbose && numeric_key % 1000 == 0) {
    printf("Trying TK: %d\n", numeric_key);
}
```