ble_jam
=======

Presentation
------------

**ble_jam** exposes the jamming features implemented in BTLEJack or Ubertooth: it can jam a new connection ("newConnections" as *JAMMING_MODE*) or an existing connection ("existingConnections" as *JAMMING_MODE*). You can provide additional parameters to target a specific device, such as *TARGET* (if the mode is "newConnections") or *ACCESS_ADDRESS*, *CRC_INIT* and *CHANNEL_MAP* (if the mode is "existingConnections").

If the custom version of the BTLEJack firmware is in use, additional jamming features are available that reactively jam specific advertisements. You can provide a specific target using the *TARGET* input parameter: the advertisements emitted by this target are reactively jammed on the channel provided as the *CHANNEL* input parameter, which corrupts the transmitted frames. You can also choose a custom jamming pattern by providing the *PATTERN* input parameter and its position in the Link Layer packet (*OFFSET*).

This module needs ``ble_sniff``. If multiple interfaces are provided, the sniffers will be distributed on the three advertising channels.

.. warning::

   This attack is sometimes unstable and may require multiple attempts. This module is *experimental* and is only provided as a proof of concept.

Compatible devices
------------------

* BTLEJack Device
* Ubertooth Device

Input parameters
----------------

+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+
| Name           | Default value  | Possible values                                     | Description                                                         |
+================+================+=====================================================+=====================================================================+
| INTERFACE      | microbit0      | microbitX,ubertoothX                                | Primary interface to use                                            |
+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+
| INTERFACEA     |                | microbitX,ubertoothX                                | Optional additional interface                                       |
+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+
| INTERFACEB     |                | microbitX                                           | Optional additional interface                                       |
+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+
| TARGET         |                |                                                     | Target address                                                      |
+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+
| CHANNEL        | 37             | 37\|38\|39                                          | Communication channel to jam                                        |
+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+
| JAMMING_MODE   | advertisements | newConnections\|existingConnections\|advertisements | Jamming strategy                                                    |
+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+
| ACCESS_ADDRESS |                | 0xYYYY                                              | Access address for an existing connection                           |
+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+
| CRC_INIT       |                | 0xYYYYYY                                            | CRCInit for an existing connection                                  |
+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+
| CHANNEL_MAP    |                | 0xYYYYYYYYYY                                        | Channel Map for an existing connection                              |
+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+
| PATTERN        |                |                                                     | Pattern included in the Link Layer advertisements to reactively jam |
+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+
| OFFSET         |                |                                                     | Position of pattern in the Link Layer advertisements                |
+----------------+----------------+-----------------------------------------------------+---------------------------------------------------------------------+

Output parameters
-----------------

This module doesn't provide any output parameters.

Usage
-----

Jamming a new connection
^^^^^^^^^^^^^^^^^^^^^^^^

If you want to jam a new connection, provide "newConnections" as the value of the input parameter *JAMMING_MODE*, and optionally a target:

::

    $ sudo mirage ble_jam JAMMING_MODE=newConnections
    [INFO] Module ble_jam loaded !
    [SUCCESS] BTLEJack device #0 successfully instantiated (firmware version : 3.14)
    [INFO] Custom Mirage Firmware used ! Advertisements sniffing and jamming will be supported.
    ┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐
    │ Access Address │ CRCInit  │ Channel Map  │ Hop Interval │ Hop Increment │
    ├────────────────┼──────────┼──────────────┼──────────────┼───────────────┤
    │ 0xcd5cdb3f     │ 0x9b03c3 │ 0x1e007fffff │ 36           │ 9             │
    └────────────────┴──────────┴──────────────┴──────────────┴───────────────┘
    [PACKET] [ CH:37|CLK:1559493296.836213|RSSI:0dBm ] << BLE - Advertisement Packet | type=CONNECT_REQ | srcAddr=7F:C2:DC:21:C2:B7 | dstAddr=FF:FF:60:A5:17:44 | accessAddress=0x3fdb5ccd| crcInit=0xc3039b| channelMap=0x1e007fffff| hopInterval=36| hopIncrement=9 >>
    [INFO] Recovering Hop Interval ...
    [...]

Then, the module tries to jam the corresponding connection.

Jamming an existing connection
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Similarly, if you want to jam an existing connection, set "existingConnections" as the value of the input parameter *JAMMING_MODE*:

::

    $ sudo mirage ble_jam JAMMING_MODE=existingConnections

Then, the execution is quite similar to the previously described one.

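Added example (not part of Mirage or of the original page): a Python sketch that parses the CONNECT_REQ line printed in the "newConnections" run and decodes the values that *ACCESS_ADDRESS*, *CRC_INIT* and *CHANNEL_MAP* refer to, showing that the "Sniffed Connection" table and the packet line differ only by byte order. It assumes the channel map is an integer whose bit n marks data channel n and that the hop interval is expressed in 1.25 ms units; all function names are illustrative.

```python
import re

# Constructed sample: the CONNECT_REQ line as printed in the "newConnections" run.
SAMPLE = (
    "[PACKET] [ CH:37|CLK:1559493296.836213|RSSI:0dBm ] << BLE - Advertisement "
    "Packet | type=CONNECT_REQ | srcAddr=7F:C2:DC:21:C2:B7 | dstAddr=FF:FF:60:A5:17:44 "
    "| accessAddress=0x3fdb5ccd| crcInit=0xc3039b| channelMap=0x1e007fffff"
    "| hopInterval=36| hopIncrement=9 >>"
)
FIELD = re.compile(r"(\w+)=([^|>\s]+)")


def parse_connect_req(line):
    """Return the key=value fields of a CONNECT_REQ log line, else None."""
    fields = dict(FIELD.findall(line))
    return fields if fields.get("type") == "CONNECT_REQ" else None


def swap_bytes(hex_value, size):
    """Reverse the byte order of a fixed-size hex value (0x3fdb5ccd <-> 0xcd5cdb3f)."""
    return "0x" + int(hex_value, 16).to_bytes(size, "big")[::-1].hex()


def used_channels(channel_map):
    """Decode a 37-bit channel map (assumption: bit n set = data channel n used)."""
    value = int(channel_map, 16)
    if value >> 37:
        raise ValueError("bits 37-39 are reserved and must be zero")
    return [ch for ch in range(37) if (value >> ch) & 1]


def summarize(line):
    """Reconcile the packet line with the 'Sniffed Connection' table."""
    f = parse_connect_req(line)
    if f is None:
        raise ValueError("not a CONNECT_REQ line")
    hop = int(f["hopIncrement"])
    return {
        "table_access_address": swap_bytes(f["accessAddress"], 4),
        "table_crc_init": swap_bytes(f["crcInit"], 3),
        "channels": used_channels(f["channelMap"]),
        "interval_ms": int(f["hopInterval"]) * 1.25,  # assumption: 1.25 ms units
        "hop_increment_valid": 5 <= hop <= 16,  # range allowed by the BLE spec
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
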
Jamming the advertisements transmitted by a specific device
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If you want to jam the advertisements transmitted by a specific device, you need to have a custom version of BTLEJack installed on your Micro:Bit(s). Then you can use the "advertisements" mode as *JAMMING_MODE* and provide the BD address to jam (using the *TARGET* input parameter):

::

    $ sudo mirage ble_jam JAMMING_MODE=advertisements TARGET=FF:FF:60:A5:17:44
    [INFO] Module ble_jam loaded !
    [SUCCESS] BTLEJack device #0 successfully instantiated (firmware version : 3.14)
    [INFO] Custom Mirage Firmware used ! Advertisements sniffing and jamming will be supported.
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    ^C[INFO] Mirage process terminated !

Jamming the advertisements containing a specific pattern
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If you want to jam the advertisements containing a specific pattern, you need to have a custom version of BTLEJack installed on your Micro:Bit(s). Then you can use the "advertisements" mode as *JAMMING_MODE* and provide the pattern to jam (using the *PATTERN* and *OFFSET* input parameters):

::

    $ sudo mirage ble_jam JAMMING_MODE=advertisements PATTERN=112233445566 OFFSET=8
    [INFO] Module ble_jam loaded !
    [SUCCESS] BTLEJack device #0 successfully instantiated (firmware version : 3.14)
    [INFO] Custom Mirage Firmware used ! Advertisements sniffing and jamming will be supported.
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    [INFO] Advertisement jammed on channel #37
    ^C[INFO] Mirage process terminated !