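/* Sniff for LAPs. If a piconet is provided, use the given LAP to
 * search for UAP.
 *
 * args: optional btbb_piconet (may be NULL). When its LAP/UAP flags are
 *       set they narrow the access-code search and are recorded in dumps.
 * rx:   newest USB packet from the device. It is copied into
 *       usb_packets[bank]; analysis then runs on the oldest bank.
 * bank: ring-buffer slot for this packet; must be in 0 .. NUM_BANKS-1
 *       (the function now rejects anything else instead of indexing
 *       usb_packets[] / br_symbols[] out of range).
 *
 * Side effects: updates usb_packets[] and br_symbols[], appends to the
 * PCAP/PCAPNG handles and dumpfile when open, prints a summary line,
 * refreshes systime unless replaying from infile, and sets follow_pn /
 * stop_ubertooth when btbb_process_packet() returns a negative value.
 * The btbb_packet created by btbb_find_ac() is always released here.
 */
static void cb_br_rx(void* args, usb_pkt_rx *rx, int bank)
{
	btbb_packet *pkt = NULL;
	btbb_piconet *pn = (btbb_piconet *)args;
	char syms[BANK_LEN * NUM_BANKS];
	int i;
	int8_t signal_level;
	int8_t noise_level;
	int8_t snr;
	int offset;
	uint32_t clkn;
	uint32_t lap = LAP_ANY;
	uint8_t uap = UAP_ANY;
	uint64_t nowns;

	/* Sanity checks: channel comes from the device and bank from the
	 * caller; both index fixed-size arrays below. */
	if (rx->channel > (NUM_BREDR_CHANNELS-1))
		goto out;
	if (bank < 0 || bank >= NUM_BANKS)
		goto out;

	/* Copy packet (for dump) */
	memcpy(&usb_packets[bank], rx, sizeof(usb_pkt_rx));
	unpack_symbols(rx->data, br_symbols[bank]);

	/* Do analysis based on oldest packet */
	rx = &usb_packets[ (bank+1) % NUM_BANKS ];
	nowns = now_ns_from_clk100ns( rx );

	determine_signal_and_noise( rx, &signal_level, &noise_level );
	snr = signal_level - noise_level;

	/* WC4: use vm circbuf if target allows. This gets rid of this
	 * wrapped copy step. */

	/* Copy 2 oldest banks of symbols for analysis. Packet may
	 * cross a bank boundary. */
	for (i = 0; i < 2; i++) {
		memcpy(syms + i * BANK_LEN,
		       br_symbols[(i + 1 + bank) % NUM_BANKS],
		       BANK_LEN);
	}

	/* Look for packets with specified LAP, if given. Otherwise
	 * search for any packet. Also determine if UAP is known. */
	if (pn) {
		lap = btbb_piconet_get_flag(pn, BTBB_LAP_VALID) ?
			btbb_piconet_get_lap(pn) : LAP_ANY;
		uap = btbb_piconet_get_flag(pn, BTBB_UAP_VALID) ?
			btbb_piconet_get_uap(pn) : UAP_ANY;
	}

	/* Pass packet-pointer-pointer so that
	 * packet can be created in libbtbb. */
	offset = btbb_find_ac(syms, BANK_LEN, lap, max_ac_errors, &pkt);
	if (offset < 0)
		goto out;

	/* Copy out remaining banks of symbols for full analysis. */
	for (i = 1; i < NUM_BANKS; i++) {
		memcpy(syms + i * BANK_LEN,
		       br_symbols[(i + 1 + bank) % NUM_BANKS],
		       BANK_LEN);
	}

	/* Once offset is known for a valid packet, copy in symbols
	 * and other rx data. CLKN here is the 312.5us CLK27-0. The
	 * btbb library can shift it be CLK1 if needed.
	 * NOTE(review): clkn_high is shifted in int arithmetic; this is
	 * only safe if it is a narrow (byte-sized) field -- confirm against
	 * usb_pkt_rx. */
	clkn = (rx->clkn_high << 20)
		+ (le32toh(rx->clk100ns) + offset + 1562) / 3125;
	btbb_packet_set_data(pkt, syms + offset, NUM_BANKS * BANK_LEN - offset,
	                     rx->channel, clkn);

	/* Dump to PCAP/PCAPNG if specified */
#if defined(USE_PCAP)
	if (h_pcap_bredr) {
		btbb_pcap_append_packet(h_pcap_bredr, nowns,
		                        signal_level, noise_level,
		                        lap, uap, pkt);
	}
#endif
	if (h_pcapng_bredr) {
		btbb_pcapng_append_packet(h_pcapng_bredr, nowns,
		                          signal_level, noise_level,
		                          lap, uap, pkt);
	}

	/* When reading from file, caller will read
	 * systime before calling this routine, so do
	 * not overwrite. Otherwise, get current time. */
	if (infile == NULL)
		systime = time(NULL);

	/* If dumpfile is specified, write out all banks to the
	 * file. There could be duplicate data in the dump if more
	 * than one LAP is found within the span of NUM_BANKS. */
	if (dumpfile) {
		for (i = 0; i < NUM_BANKS; i++) {
			uint32_t systime_be = htobe32(systime);
			/* A short write leaves a truncated record behind; report
			 * it and stop dumping this batch rather than appending
			 * misaligned records after it. Sniffing continues. */
			if (fwrite(&systime_be, sizeof(systime_be), 1, dumpfile) != 1 ||
			    fwrite(&usb_packets[(i + 1 + bank) % NUM_BANKS],
			           sizeof(usb_pkt_rx), 1, dumpfile) != 1) {
				fprintf(stderr, "warning: short write to dump file\n");
				break;
			}
		}
	}

	/* systime is printed with %u, so pass an unsigned int, not int. */
	printf("systime=%u ch=%2d LAP=%06x err=%u clk100ns=%u clk1=%u s=%d n=%d snr=%d\n",
	       (unsigned)systime,
	       btbb_packet_get_channel(pkt),
	       btbb_packet_get_lap(pkt),
	       btbb_packet_get_ac_errors(pkt),
	       rx->clk100ns,
	       btbb_packet_get_clkn(pkt),
	       signal_level,
	       noise_level,
	       snr);

	/* A negative result asks the main loop to stop and follow pn. */
	i = btbb_process_packet(pkt, pn);
	if (i < 0) {
		follow_pn = pn;
		stop_ubertooth = 1;
	}

out:
	if (pkt)
		btbb_packet_unref(pkt);
}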
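/*
 * Sniff Bluetooth Low Energy packets.
 *
 * args: optional btle_options (may be NULL); when set, packets whose
 *       access-address offense count exceeds allowed_access_address_errors
 *       are dropped after decoding.
 * rx:   the USB packet to decode; rx->data is handed to
 *       lell_allocate_and_decode() and the first bytes are hex-dumped.
 * bank: unused in this callback.
 *
 * Side effects: refreshes systime unless replaying from infile, appends
 * to dumpfile and the PCAP/PCAPNG handles when open, prints to stdout.
 * Uses a static prev_ts, so this callback is not reentrant.
 */
void cb_btle(void* args, usb_pkt_rx *rx, int bank)
{
	lell_packet * pkt;
	btle_options * opts = (btle_options *) args;
	int i;
	static u32 prev_ts = 0;
	uint32_t refAA;
	int8_t sig, noise;

	UNUSED(bank);
	uint64_t nowns = now_ns_from_clk100ns( rx );

	/* Sanity check */
	if (rx->channel > (NUM_BREDR_CHANNELS-1))
		return;

	if (infile == NULL)
		systime = time(NULL);

	/* Dump to dumpfile if specified. A short write is reported instead
	 * of silently leaving a truncated record; sniffing continues. */
	if (dumpfile) {
		uint32_t systime_be = htobe32(systime);
		if (fwrite(&systime_be, sizeof(systime_be), 1, dumpfile) != 1 ||
		    fwrite(rx, sizeof(usb_pkt_rx), 1, dumpfile) != 1) {
			fprintf(stderr, "warning: short write to dump file\n");
		}
	}

	lell_allocate_and_decode(rx->data, rx->channel + 2402, rx->clk100ns, &pkt);

	/* do nothing further if filtered due to bad AA */
	if (opts &&
	    (opts->allowed_access_address_errors <
	     lell_get_access_address_offenses(pkt))) {
		lell_packet_unref(pkt);
		return;
	}

	/* Dump to PCAP/PCAPNG if specified. Data PDUs carry their own
	 * access address; advertising PDUs use the fixed one. */
	refAA = lell_packet_is_data(pkt) ? 0 : 0x8e89bed6;
	determine_signal_and_noise( rx, &sig, &noise );
#if defined(USE_PCAP)
	if (h_pcap_le) {
		/* only one of these two will succeed, depending on
		 * whether PCAP was opened with DLT_PPI or not */
		lell_pcap_append_packet(h_pcap_le, nowns,
		                        sig, noise,
		                        refAA, pkt);
		lell_pcap_append_ppi_packet(h_pcap_le, nowns,
		                            rx->clkn_high,
		                            rx->rssi_min, rx->rssi_max,
		                            rx->rssi_avg, rx->rssi_count,
		                            pkt);
	}
#endif
	if (h_pcapng_le) {
		lell_pcapng_append_packet(h_pcapng_le, nowns,
		                          sig, noise,
		                          refAA, pkt);
	}

	/* The 100 ns device counter wraps at 3276800000 (the rollover
	 * constant used elsewhere in this file); compensate so the first
	 * delta after a wrap is not off by 2^32 - 3276800000. The u32
	 * subtraction is modular, so the intermediate sum may wrap safely. */
	u32 rx_ts = rx->clk100ns;
	if (rx_ts < prev_ts)
		rx_ts += 3276800000;
	u32 ts_diff = rx_ts - prev_ts;
	prev_ts = rx->clk100ns;

	printf("systime=%u freq=%d addr=%08x delta_t=%.03f ms\n",
	       (unsigned)systime, rx->channel + 2402,
	       lell_get_access_address(pkt),
	       ts_diff / 10000.0);

	/* Hex-dump header + payload: 6-bit length at data[5], plus the
	 * 4-byte AA, 2-byte header and 3-byte CRC. Clamped to 50 bytes,
	 * which is presumably the size of rx->data -- confirm against
	 * usb_pkt_rx before relying on it. */
	int len = (rx->data[5] & 0x3f) + 6 + 3;
	if (len > 50)
		len = 50;
	for (i = 4; i < len; ++i)
		printf("%02x ", rx->data[i]);
	printf("\n");

	lell_print(pkt);
	printf("\n");

	lell_packet_unref(pkt);

	fflush(stdout);
}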
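/*
 * Sniff Bluetooth Low Energy packets.
 *
 * ut:   device context; the packet is taken from the top of ut->packets
 *       and the PCAP/PCAPNG handles are read from it.
 * args: optional btle_options (may be NULL); when set, packets whose
 *       access-address offense count exceeds allowed_access_address_errors
 *       are dropped after decoding.
 *
 * LE_PROMISC packets carry a state byte followed by a little-endian
 * value; they are printed and consumed here without decoding.
 *
 * Side effects: refreshes systime unless replaying from infile, appends
 * to dumpfile and the PCAP/PCAPNG handles when open, prints to stdout.
 * Uses a static prev_ts, so this callback is not reentrant.
 */
void cb_btle(ubertooth_t* ut, void* args)
{
	lell_packet* pkt;
	btle_options* opts = (btle_options*) args;
	int i;
	usb_pkt_rx* rx = ringbuffer_top_usb(ut->packets);
	static u32 prev_ts = 0;
	uint32_t refAA;
	int8_t sig, noise;

	// display LE promiscuous mode state changes
	if (rx->pkt_type == LE_PROMISC) {
		u8 state = rx->data[0];
		/* The value starts at data[1], so it is never 4-byte aligned
		 * and a direct (uint32_t *) deref is both a misaligned access
		 * and a strict-aliasing violation. memcpy the bytes out instead;
		 * the copied width matches what each case printed before. */
		uint32_t val32;
		uint16_t val16;
		uint8_t val8;

		printf("--------------------\n");
		printf("LE Promisc - ");
		switch (state) {
			case 0:
				memcpy(&val32, &rx->data[1], sizeof(val32));
				printf("Access Address: %08x\n", val32);
				break;
			case 1:
				memcpy(&val32, &rx->data[1], sizeof(val32));
				printf("CRC Init: %06x\n", val32);
				break;
			case 2:
				memcpy(&val16, &rx->data[1], sizeof(val16));
				printf("Hop interval: %g ms\n", val16 * 1.25);
				break;
			case 3:
				val8 = rx->data[1];
				printf("Hop increment: %u\n", val8);
				break;
			default:
				printf("Unknown %u\n", (unsigned)state);
				break;
		}
		printf("\n");

		return;
	}

	uint64_t nowns = now_ns_from_clk100ns( ut, rx );

	/* Sanity check */
	if (rx->channel > (NUM_BREDR_CHANNELS-1))
		return;

	if (infile == NULL)
		systime = time(NULL);

	/* Dump to dumpfile if specified. A short write is reported instead
	 * of silently leaving a truncated record; sniffing continues. */
	if (dumpfile) {
		uint32_t systime_be = htobe32(systime);
		if (fwrite(&systime_be, sizeof(systime_be), 1, dumpfile) != 1 ||
		    fwrite(rx, sizeof(usb_pkt_rx), 1, dumpfile) != 1) {
			fprintf(stderr, "warning: short write to dump file\n");
		}
		fflush(dumpfile);
	}

	lell_allocate_and_decode(rx->data, rx->channel + 2402, rx->clk100ns, &pkt);

	/* do nothing further if filtered due to bad AA */
	if (opts &&
	    (opts->allowed_access_address_errors <
	     lell_get_access_address_offenses(pkt))) {
		lell_packet_unref(pkt);
		return;
	}

	/* Dump to PCAP/PCAPNG if specified. Data PDUs carry their own
	 * access address; advertising PDUs use the fixed one. */
	refAA = lell_packet_is_data(pkt) ? 0 : 0x8e89bed6;
	determine_signal_and_noise( rx, &sig, &noise );
#ifdef ENABLE_PCAP
	if (ut->h_pcap_le) {
		/* only one of these two will succeed, depending on
		 * whether PCAP was opened with DLT_PPI or not */
		lell_pcap_append_packet(ut->h_pcap_le, nowns,
		                        sig, noise,
		                        refAA, pkt);
		lell_pcap_append_ppi_packet(ut->h_pcap_le, nowns,
		                            rx->clkn_high,
		                            rx->rssi_min, rx->rssi_max,
		                            rx->rssi_avg, rx->rssi_count,
		                            pkt);
	}
#endif
	if (ut->h_pcapng_le) {
		lell_pcapng_append_packet(ut->h_pcapng_le, nowns,
		                          sig, noise,
		                          refAA, pkt);
	}

	/* Rollover: the 100 ns counter wraps at 3276800000. The u32
	 * subtraction is modular, so the intermediate sum may wrap safely. */
	u32 rx_ts = rx->clk100ns;
	if (rx_ts < prev_ts)
		rx_ts += 3276800000;
	u32 ts_diff = rx_ts - prev_ts;
	prev_ts = rx->clk100ns;

	printf("systime=%u freq=%d addr=%08x delta_t=%.03f ms rssi=%d\n",
	       (unsigned)systime, rx->channel + 2402,
	       lell_get_access_address(pkt),
	       ts_diff / 10000.0,
	       rx->rssi_min - 54);

	/* Hex-dump header + payload: 6-bit length at data[5], plus the
	 * 4-byte AA, 2-byte header and 3-byte CRC. Clamped to 50 bytes,
	 * which is presumably the size of rx->data -- confirm against
	 * usb_pkt_rx before relying on it. */
	int len = (rx->data[5] & 0x3f) + 6 + 3;
	if (len > 50)
		len = 50;
	for (i = 4; i < len; ++i)
		printf("%02x ", rx->data[i]);
	printf("\n");

	lell_print(pkt);
	printf("\n");

	lell_packet_unref(pkt);

	fflush(stdout);
}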