39C3: Liberating ESP32 Bluetooth
Uncategorized
1
Posts
1
Posters
0
Views
-
39C3: Liberating ESP32 Bluetooth
Bluetooth is everywhere, but it’s hard to inspect. Most of the magic is done inside a Bluetooth controller chip, accessed only through a controller-specific Host-Controller Interface (HCI) protocol, and almost everything your code does with Bluetooth passes through a binary library that speaks the right HCI dialect. Reverse engineering these libraries can get us a lot more control of and information about what’s going on over the radio link.
That’s [Anton]’s motivation and goal in this reversing and documentation project, which he describes for us in this great talk at this year’s Chaos Communication Congress. In the end, [Anton] gets enough transparency about the internal workings of the Bluetooth binaries to transmit and receive data. He stops short of writing his own BT stack, but suggests that it would be possible, but maybe more work than one person should undertake.
So what does this get us? Low-level control of the BT controller in a popular platform like the ESP32 that can do both classic and low-energy Bluetooth should help a lot with security research into Bluetooth in general. He figured out how to send arbitrary packets, for instance, which should allow someone to write a BT fuzzing tool. Unfortunately, there is a sequence ID that prevents his work from turning the controller into a fully promiscuous BT monitor, but still there’s a lot of new ground exposed here.
If any of this sounds interesting to you, you’ll find his write-up, register descriptions, and more in the GitHub repository. This isn’t a plug-and-play Bluetooth tool yet, but this is the kind of groundwork on a popular chip that we expect will enable future hacking, and we salute [Anton] for shining some light into one of the most ubiquitous and yet intransparent corners of everyday tech.
Feed RSS
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@DigiDavidex Solo per Chat Control?
-
@danzin @openmeteo @grunfink @FediFollows thank you! It comes from the API, as it's code 77, which is hail
-
@paoloredaelli Telegram fondamentalmente non l'ho mai usato 😁
Sto per chiudere WA e attualmente sto scrivendo a tutti i contatti per capire come rimanere con ciascuno.
A quelli più vicini sto mandando una mini avventura testuale a tema Alice con la quale li aiuto a scegliere tra Delta, Signal e SMS/mail. Coi familiari siamo già su Signal da mesi, insieme a una decina di amici. Altri due amici hanno scelto Matrix, che è la cosa che sto proponendo ai gruppi più strutturati.
-
@stefano @openmeteo @grunfink @FediFollows
Thank you so much, I love it!
There's a tiny translation mistake: in pt-br it says "granizo", meaning "hail", where I believe it should say "chuvisco", meaning "drizzle". I tried to figure out whether it comes from the API you use or your code, but wasn't able to.
If you can point me to the right place to report this, I'd be glad to!
Thanks again!
-
@tg9541 yes, exactly
-
@matz «se non me la dai sobria, magari me la dai 'mbriaca» devo dire che obiettivamente non suona altrettanto bene
-
This post did not contain any content.
-
@GustavinoBevilacqua @selzero could you even buy a non-Fiat car in Torino in the 1970 without the major coming personally at you and tearing out your residence registration or something? :D
