<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://devzone.nordicsemi.com/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Sniffing access addresses by matching on preamble nrf52</title><link>https://devzone.nordicsemi.com/f/nordic-q-a/74125/sniffing-access-addresses-by-matching-on-preamble-nrf52</link><description>The BLEJack nrf51 sniffer firmware is a BLE sniffer/jammer/hijacker. If you google you will find the repo and the defcon presentation. 
 The author claims you can sniff access addresses by setting the radio to listen for an access address that matches</description><dc:language>en-US</dc:language><generator>Telligent Community 13</generator><lastBuildDate>Mon, 26 Apr 2021 06:15:31 GMT</lastBuildDate><atom:link rel="self" type="application/rss+xml" href="https://devzone.nordicsemi.com/f/nordic-q-a/74125/sniffing-access-addresses-by-matching-on-preamble-nrf52" /><item><title>RE: Sniffing access addresses by matching on preamble nrf52</title><link>https://devzone.nordicsemi.com/thread/306677?ContentTypeID=1</link><pubDate>Mon, 26 Apr 2021 06:15:31 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:e43302b3-80c9-40c4-812e-e32d8753267a</guid><dc:creator>Amanda Hsieh</dc:creator><description>&lt;p&gt;Hi,&amp;nbsp;&lt;/p&gt;
&lt;p&gt;No, I don&amp;#39;t think that&amp;#39;s possible. It needs to be known beforehand. For example, in BLE advertising, all advertising packets use access address 0x&lt;span&gt;8e89bed6&lt;/span&gt;&amp;nbsp;i.e. you configure the access address you want to send/receive on beforehand.&amp;nbsp;&lt;span&gt;But maybe that sniffer is just scanning through all the access addresses possible for a BLE connection, i.e. access address number 1: wait x milliseconds for a match, then next address, wait x milliseconds for a match,&amp;nbsp;then it goes through all addresses possible, looking for packets.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;-Amanda H.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Sniffing access addresses by matching on preamble nrf52</title><link>https://devzone.nordicsemi.com/thread/305586?ContentTypeID=1</link><pubDate>Mon, 19 Apr 2021 13:57:16 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:ccf62582-71e4-4887-99d6-1ea2d59dbd05</guid><dc:creator>Bhamoss</dc:creator><description>&lt;p&gt;Hi Amanda,&lt;/p&gt;
&lt;p&gt;I am already working with the sniffer and even wrote my own uart driver for it as the firmware manages to have a huge byte loss rate over uart, which my driver tries to salvage and not discard the whole packet like your python API. It is not suitable for my problem for the following reason:&lt;/p&gt;
&lt;p&gt;The sniffer can simply listen for advertisements and then choose to follow a connection if it also receives the connection request intended for the victim. This request holds the access address and that is how the sniffer is able to capture packets of that connection. It extracts the info it needs to follow the connection from the connection request and any subsequent control procedures. I do not have that.&lt;/p&gt;
&lt;p&gt;As my initial question states &amp;quot;sniffing access addresses&amp;quot;, I really mean sniffing the access address, I do not have the access address. I want to listen on a channel and capture ANY packet from ANY connection and thus ANY access address. I hope this clarifies my 2 previous posts. I do not need the full packet, just the first 4 bytes after the preamble (the access address) which can be achieved by setting a static packet length and matching on the preamble of a packet.&lt;/p&gt;
&lt;p&gt;The repository I have been linking claims to have successfully achieved this on the Nrf51. It has more than 1000 stars and a defcon presentation was made, so I assume it works.&lt;/p&gt;
&lt;p&gt;Please, I understand I do not have any previous posts and it looks like a beginner question, but I have been researching this chip and the lower layers of the BLE protocol for months. Judging by your answers I feel you do not grasp the depth of my question.&lt;/p&gt;
&lt;p&gt;Again, my question is, can some hardware engineer who knows about the radio circuitry over at Nordic confirm this would be possible for the Nrf51 (as has been shown in the BTLEJack work).&lt;/p&gt;
&lt;p&gt;Secondly, can they confirm whether it is or it is not possible on the Nrf52(840) in the same way? I have been working on that and trying many variations without success, leading me to believe something in the closed source hardware might have changed rendering this approach useless for this generation (nrf52). If not and thus it is possible in the same way as the Nrf51, I know I am at fault.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Sniffing access addresses by matching on preamble nrf52</title><link>https://devzone.nordicsemi.com/thread/305568?ContentTypeID=1</link><pubDate>Mon, 19 Apr 2021 13:34:15 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:1b11f0a2-ec18-4bee-b175-961d5bebc4f1</guid><dc:creator>Amanda Hsieh</dc:creator><description>&lt;p&gt;Hi,&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Sorry for misunderstanding your question.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;You could check out&amp;nbsp;&lt;a title="nRF Sniffer for Bluetooth LE" href="https://infocenter.nordicsemi.com/topic/ug_sniffer_ble/UG/sniffer_ble/intro.html?cp=9_4"&gt;nRF Sniffer for Bluetooth LE&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;-Amanda H.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Sniffing access addresses by matching on preamble nrf52</title><link>https://devzone.nordicsemi.com/thread/305550?ContentTypeID=1</link><pubDate>Mon, 19 Apr 2021 13:01:01 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:54cc1488-a368-47ef-95f7-c1ab2f52faa3</guid><dc:creator>Bhamoss</dc:creator><description>&lt;p&gt;Hi Amanda,&lt;/p&gt;
&lt;p&gt;I do not think you understand my question. I know very well how to operate the radio directly. My question is much deeper than that.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/virtualabs/btlejack"&gt;https://github.com/virtualabs/btlejack&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;This repository and its DefCon presentation claim you can use the radio (directly) by configuring the radio to listen for the preamble of a packet as access address (BASE0 and PREFIX0 = 0xAA or 0x55 with BALEN 0 or 1) so that the radio wakes up and captures because the preamble of any BLE4 packet will match this. If you set STATLEN=MAXLEN=10 and s0,len,s1 length = 0, after the end event, the bits of the access address should be in the receive buffer (possibly misaligned) as they are the next 4 octets after the preamble is sent.&lt;/p&gt;
&lt;p&gt;Having elaborated on this, could you please reread my initial question in this light and provide me with an answer?&lt;/p&gt;
&lt;p&gt;Thank you very much&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Sniffing access addresses by matching on preamble nrf52</title><link>https://devzone.nordicsemi.com/thread/305505?ContentTypeID=1</link><pubDate>Mon, 19 Apr 2021 11:45:25 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:c03de56c-3695-4c7e-a05d-760db46a00a3</guid><dc:creator>Amanda Hsieh</dc:creator><description>&lt;p&gt;Hi,&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;You can find the address&amp;nbsp;configuration for the RADIO here:&lt;/span&gt;&lt;br /&gt;&lt;a href="https://infocenter.nordicsemi.com/topic/com.nordic.infocenter.nrf52832.ps.v1.1/radio.html?cp=2_1_0_22_3#concept_mdy_kcj_4r"&gt;https://infocenter.nordicsemi.com/topic/com.nordic.infocenter.nrf52832.ps.v1.1/radio.html?cp=2_1_0_22_3#concept_mdy_kcj_4r&lt;/a&gt;&lt;span&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;We have an example of a&amp;nbsp;&lt;/span&gt;&lt;a href="https://github.com/NordicPlayground/nRF51-multi-role-conn-observer-advertiser"&gt;BLE scanner&lt;/a&gt;&lt;span&gt;&amp;nbsp;using the radio directly. You can have a look at the&amp;nbsp;&lt;/span&gt;&lt;a href="https://github.com/NordicPlayground/nRF51-multi-role-conn-observer-advertiser/blob/master/btle_hci/scanner/radio.c#L75"&gt;radio_init() function&lt;/a&gt;&lt;span&gt;&amp;nbsp;to have an idea how to configure the radio to receive BLE packet. In this case the address is 0x8E89BED6, you can modify to match with the address needed in the test.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;-Amanda H.&lt;/span&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item></channel></rss>