mikeryan/crackle

Issues in finding pairing

sgript opened this issue · 17 comments

Hi there,

So I've been trying to use crackle to find and decrypt a pairing between my Pebble smartwatch and iPhone. Here's the pcap attached:

capture.pcap.zip

I used Ubertooth's command to try catch a pairing: ubertooth-btle -f -c capture.pcap

However when running crackle -i capture.pcap -o foo.pcap, I get this issue:

No connect packet found
No pairing request found
No pairing response found
Not enough confirm values found (0, need 2)
Not enough random values found (0, need 2)
No LL_ENC_REQ found
No LL_ENC_RSP found
Giving up due to 7 errors

If anyone could share some insight for this as I'm still beginning, would be very helpful.
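Each line of crackle's "Giving up" output names an input that the BLE Legacy pairing key derivation needs, so the errors are a checklist of what the capture is missing. As an added illustration (not code from this issue or from crackle itself), the Go program below implements the Core Specification's c1 (confirm) and s1 (STK) functions with the standard library's AES and checks them against the spec's Appendix D test vectors; the Mrand/Srand, pairing PDU and address values marked "example" are constructed, not taken from the attached capture. The connect packet supplies the two device addresses, the pairing request and response PDUs plus both confirm/random pairs feed c1, s1 turns the TK and the two rands into the STK, and LL_ENC_REQ/LL_ENC_RSP carry the session key diversifier halves that are encrypted under that STK to make the link's session key. Values are handled MSB-first as the spec writes them; a pcap reader has to byte-reverse the LSB-first over-the-air fields before calling these functions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// mustHex decodes a hex constant or panics; used for spec vectors and samples.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// e is the Bluetooth security function e: a single AES-128 block encryption
// of a 16-byte plaintext under a 16-byte key (Core Spec Vol 3 Part H 2.2.1).
func e(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only possible when the key is not 16 bytes
	}
	out := make([]byte, 16)
	block.Encrypt(out, plaintext)
	return out
}

// xor16 returns the bytewise XOR of two 16-byte values.
func xor16(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// c1 is the Legacy pairing confirm function (Vol 3 Part H 2.2.3):
//   p1 = pres || preq || rat || iat,  p2 = 0x00000000 || ia || ra,
//   c1 = e(tk, e(tk, rand XOR p1) XOR p2)
// preq/pres are the 7-byte Pairing Request/Response PDUs, iat/rat the
// address types and ia/ra the 6-byte initiator/responder addresses.
func c1(tk, rnd, preq, pres []byte, iat, rat byte, ia, ra []byte) []byte {
	p1 := append(append(append([]byte{}, pres...), preq...), rat, iat)
	p2 := append(append([]byte{0, 0, 0, 0}, ia...), ra...)
	return e(tk, xor16(e(tk, xor16(rnd, p1)), p2))
}

// s1 derives the STK (Vol 3 Part H 2.2.4): r' is the low 64 bits of Mrand
// followed by the low 64 bits of Srand, and STK = e(tk, r').
func s1(tk, mrand, srand []byte) []byte {
	rprime := append(append([]byte{}, mrand[8:]...), srand[8:]...)
	return e(tk, rprime)
}

// tkFromPasskey encodes a 6-digit Passkey Entry value as the 128-bit TK;
// Just Works uses passkey 0, i.e. an all-zero TK.
func tkFromPasskey(passkey uint32) []byte {
	tk := make([]byte, 16)
	binary.BigEndian.PutUint32(tk[12:], passkey)
	return tk
}

// confirmMatches reports whether a candidate TK reproduces a captured confirm
// value. A passkey has only 10^6 values (Just Works exactly one), which is
// why a passively captured Legacy pairing is enough to recover the STK.
func confirmMatches(tk, rnd, confirm, preq, pres []byte, iat, rat byte, ia, ra []byte) bool {
	return bytes.Equal(c1(tk, rnd, preq, pres, iat, rat, ia, ra), confirm)
}

// specVectorsOK checks c1 and s1 against the Core Spec's worked examples
// (Vol 3 Part H, Appendix D.2 and D.3), both with an all-zero key.
func specVectorsOK() bool {
	zero := make([]byte, 16)
	c := c1(zero, mustHex("5783D52156AD6F0E6388274EC6702EE0"),
		mustHex("07071000000101"), mustHex("05000800000302"),
		0x01, 0x00, mustHex("A1A2A3A4A5A6"), mustHex("B1B2B3B4B5B6"))
	s := s1(zero, mustHex("000F0E0D0C0B0A091122334455667788"),
		mustHex("010203040506070899AABBCCDDEEFF00"))
	return bytes.Equal(c, mustHex("1e1e3fef878988ead2a74dc5bef13b86")) &&
		bytes.Equal(s, mustHex("9a1fe1f0e8b0f49b5b4216ae796da062"))
}

// Constructed sample values for the walk-through (not from the issue's capture).
var (
	exampleMrand = mustHex("0102030405060708090A0B0C0D0E0F10")
	exampleSrand = mustHex("F0E0D0C0B0A0908070605040302010F0")
	examplePreq  = mustHex("07070100000101") // hypothetical Pairing Request, MSB-first
	examplePres  = mustHex("05000100000302") // hypothetical Pairing Response, MSB-first
	exampleIA    = mustHex("C0FFEE000001")
	exampleRA    = mustHex("C0FFEE000002")
)

func main() {
	fmt.Println("spec vectors reproduce:", specVectorsOK())
	// Just Works: TK is zero, so the two rands alone determine the STK.
	fmt.Printf("Just Works STK: %x\n", s1(tkFromPasskey(0), exampleMrand, exampleSrand))
	// Passkey Entry: the confirm binds TK to both rands, both PDUs and both addresses.
	tk := tkFromPasskey(123456)
	mconfirm := c1(tk, exampleMrand, examplePreq, examplePres, 0x00, 0x00, exampleIA, exampleRA)
	fmt.Printf("Mconfirm: %x\n", mconfirm)
	fmt.Println("passkey 123456 reproduces it:",
		confirmMatches(tk, exampleMrand, mconfirm, examplePreq, examplePres, 0x00, 0x00, exampleIA, exampleRA))
}
```

The point for a defender is that with Just Works the TK is zero and with Passkey Entry it has only a million possible values, so one passively captured Legacy pairing (all seven items crackle asks for) is sufficient to reproduce the STK and everything protected by it. LE Secure Connections (Bluetooth 4.2 and later) replaces this derivation with an ECDH exchange, which is the actual fix.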

Your command is right, but you should know that Ubertooth's default channel is 37, whereas BLE's default channels are 37, 38 and 39, so your packet is not right.

Kay887 commented Aug 9, 2017
Hi Mike,

I have the same issue. I am able to see the LL_ENC_REQ and the pairing messages in Wireshark, but crackle gives me the error that there are no requests found. So do I keep changing the advertising channel to 37, 38 or 39 till I get the right packet?

I am sorry. I am relatively new to this. Would really appreciate some help.

@mikeryan I've attached six different PCAPs recorded on different channels with the command ubertooth-btle -f -A 37 -c test1.pcap, and likewise for all channels.
Files.zip

Using crackle master I am able to crack several of the key exchanges in your files. The following files work:

37/test12.pcap
38/test1.pcap

Make sure you're using the master branch from GitHub.

Thanks for the reply. So I should download the version on the master branch of GitHub? Cool. Thanks. Will give it a try and let you know.

git clone https://github.com/mikeryan/crackle.git
cd crackle
make
./crackle -i <your_file.pcap>

Thanks for the quick reply. Will give it a try!!!! :)

Thank you so so very much for the help. It worked!!!!!

Appreciate it!!!!

Just wanted to ask you one question:
While I was decrypting the packets, I found different LTKs for different communications. I wanted to know whether the LTK keeps changing for every communication. If I unpair the devices and pair them again, would a different LTK be generated for that specific communication, or would it be the same across different communications?

Sorry for silly question

@mikeryan

I watched one of your videos, I guess it was Shmoocon, where you talked about injection using Ubertooth in faux slave mode. I tried doing that; the TX LED glows very faintly, but when I perform hcitool lescan, for some reason the fake MAC address does not show up in the list. It does show the BLE device I am using but not the MAC address created using Ubertooth.

Another thing I wanted to ask you is when you talked about packet injection, is it possible to inject BLE packets into an ongoing communication between 2 BLE devices?

Thanks

Thanks for the reply. Just one last thing: what is ubertooth-tx used for?

NadSo commented

Hello Mike, I sent you a lot of emails but you didn't reply.
I have my Android app talking to my BLE device (BTLC1000); I am able to switch the LED on and off via BLE. Now I want to fuzz my BLE device. You said in one of your presentations that it is possible to do that with PyBT, if I got it right. But the thing is there is no documentation about PyBT. Can you please help me or give me some tips?
Thank you