• State Not Answered
  • Replies 5 replies
  • Subscribers 88 subscribers
  • Views 2271 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 268403
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Sniffing access addresses by matching on preamble nrf52

Bhamoss

The BLEJack nrf51 sniffer firmware is a BLE sniffer/jammer/hijacker. If you google you will find the repo and the defcon presentation.

The author claims you can sniff access addresses by setting the radio to listen for an access address that matches the preamble of a BLE 4 packet.

The repo has more than 1000 stars so I assume his firmware works, but I do not have the hardware to test it out myself.

As a part of my Master's thesis I need to do the same for the Nrf52840. I have tried the same approach in numerous variations and hardware setups using the nordic dongles. However, this does not seem to work. The radio does match on access addresses, but the contents of the first 10 static length received bytes seem to be purely random (I tested many weeks, with many setups, including trying to catch the advertising AA on the advertising channels.).

1) Is it indeed possible to configure the radio on the Nrf51 to capture the access address of a packet in that way? Hardware and software-wise?

2) Is it possible on the Nrf52 as well? Hardware and software-wise?

Since the radio configuration is very simple and short and I have tried many variations, I am now questioning whether or not the chip is capable of it.

Parents Reply Children
  • 0 in reply to Amanda Hsieh

    Hi Amanda,

    I do not think you understand my question. I know very well how to operate the radio directly. My question is much deeper than that.

    https://github.com/virtualabs/btlejack

    This repository and its DefCon presentation claim you can use the radio (directly) by configuring the radio to listen for the preamble of a packet as access address (BASE0 and PREFIX0 = 0xAA or 0x55 with BALEN 0 or 1) so that the radio wakes up and captures because the preamble of any BLE4 packet will match this. If you set STATLEN=MAXLEN=10 and s0,len,s1 length = 0, after the end event, the bits off the access address should be in the receive buffer (possibly misaligned) as they are the next 4 octets after the preamble is sent.

    Having elaborated on this, could you please reread my initial question in this light and provide me with an answer?

    Thank you very much

  • 0 in reply to Bhamoss

    Hi, 

    Sorry for misunderstanding your question. 

    You could check out nRF Sniffer for Bluetooth LE

    -Amanda H.

  • 0 in reply to Amanda Hsieh

    Hi Amanda,

    I am already working with the sniffer and even wrote my own uart driver for it as the firmware manages to have a huge byte loss rate over uart, which my driver tries to salvage and not discard the whole packet like your python API. It is not suitable for my problem for the following reason:

    The sniffer can simply listen for advertisements and than choose to follow a connection if it also receives the connection request intended for the victim. This request holds the access address and that is how the sniffer is able to capture packets of that connection. It extracts the info it needs to follow the connection from the connection request and any subsequent control procedures. I do not have that.

    As my initial question states "sniffing access addresses", I really mean sniffing the access address, I do not have the access address. I want to listen on a channel and capture ANY packet from ANY connection and thus ANY access address. I hope this clarifies my 2 previous posts. I do not need the full packet, just the first 4 bytes after the preamble (the access address) which can be achieved by setting a static packet length and matching on the preamble of a packet.

    The repository I have been linking claims to have successfully achieved this on the Nrf51. It has more than 1000 stars and a defcon presentation was made, so I assume it works.

    Please, I understand I do not have any previous posts and it looks like a beginner question, but I have been researching this chip and the lower layers of the BLE protocol for months. Judging by your answers I feel you do not grasp the depth of my question.

    Again, my question is, can some hardware engineer who knows about the radio circuitry over at Nordic confirm this would be possible for the Nrf51 (as has been shown in the BTLEJack work).

    Secondly, can they confirm whether it is or it is not possible on the Nrf52(840) in the same way? I have been working on that and trying many variations without success, leading me to believe something in the closed source hardware might have changed rendering this approach useless for this generation (nrf52). If not and thus it is possible in the same way as the Nrf51, I know I am at fault.

  • 0 in reply to Bhamoss

    Hi, 

    No, I don't think that's possible. It needs to be known beforehand. For e.g. BLE advertising. all advertising packets use access address 0x8e89bed6 i.e. you configure the access address you want to send/receive on beforehand. But maybe that sniffer is just scanning through all the access address possible for a BLE connection. i.e. access address number 1: wait x milliseconds for a match, then next address, wait x milliseconds for match, then it goes through all address possible, looking for packets. 

     -Amanda H.

Related