Bluetooth packets - Missing HCI events

[iliaIt]

Brief description

Sniffing bluetooth packets and the device's mac address from the raw load of the packets is not the same as the load that i get from hcidump. (The mac address is wrong in the SCAPY bluetooth packets)

Environment

• Scapy version: Version 2.4.3.dev454
• Python version: 2.7
• Operating System: Linux raspberrypi 4.19.75-v7+

How to reproduce

I am using this linux command to make a connection between my raspberry pi and my phone:
sudo hcitool cc 1C:39:47:75:BE:94
Then i sniff the packets with hcidump, and then i try again with the pkts = bt.sniff() too.

Actual result

As a result the device mac address in the raw load of all scapy packets is not correct or is not, what it should be!
Example of packets:

With hcidump the packet is this:
2020-04-09 13:43:23.218009 < HCI Command: Create Connection (0x01|0x0005) plen 13
bdaddr 1C:39:47:75:BE:94 ptype 0xcc18 rswitch 0x01 clkoffset 0x0000
Packet type: DM1 DM3 DM5 DH1 DH3 DH5

With scapy the packet is this:

pkts[0].show()
###[ HCI header ]###
type= Command
###[ HCI Command header ]###
opcode= 0x405
len= 13
###[ Raw ]###
load= '\x94\xbeuG9\x1c\x18\xcc\x02\x00\x00\x00\x01'

Expected result

The problem is the LOAD of the scapy packet:
hcidump -> bdaddr 1C:39:47:75:BE:94 ptype 0xcc18 rswitch 0x01 clkoffset 0x0000
scapy -> \x94\xbe uG9 \x1c \x18\xcc \x02 \x00\x00 \x00\x01
I suppose it should be -> \x94\xbe \x75 \x47 \x39 \x1c
As you can see the mac address is almost the same, but there are some wrong bytes.
Also i tried with another phone, and the result is the same:

With hcidump the packet is this:
2020-04-09 13:54:27.662396 < HCI Command: Create Connection (0x01|0x0005) plen 13
bdaddr B8:C1:11:1F:30:1E ptype 0xcc18 rswitch 0x01 clkoffset 0x0000
Packet type: DM1 DM3 DM5 DH1 DH3 DH5

With scapy the packet is this:

pkts[0].show()
###[ HCI header ]###
type= Command
###[ HCI Command header ]###
opcode= 0x405
len= 13
###[ Raw ]###
load= '\x1e0\x1f\x11\xc1\xb8\x18\xcc\x02\x00\x00\x00\x01'

Again the load is wrong:
hcidump -> bdaddr B8:C1:11:1F:30:1E ptype 0xcc18 rswitch 0x01 clkoffset 0x0000
scapy -> \x1e0\x1f\x11\xc1\xb8 \x18\xcc \x02 \x00\x00\x00\x01

This time only one byte is wrong! ( this -> 30:1E is represented like this -> \x1e0 )

I am not sure, if this is a real bug, but i think that some how the mac address is not correctly extracted. I hope that i am wrong! As i said the mac address is the same in all of the packet, but not correct!!! I hope this is useful for improving your software, if you need some more details just ask :) !

[gpotter2]

Hi,
could you share a pcap capture where Scapy's analysis is different from the hcidump/wireshark one?
Thanks

[iliaIt]

Hi,
test_files.zip
Sorry for the delay, the archive contains one file from the hcidump -w option and you can read it with the -r option, and the other file is pcap from scapy!
If you need anything else, feel free to ask :) !

[gpotter2]

The issue is that we haven't implemented all HCI Events.
Feel free to add a pull request for the types you are missing, then add it to

scapy/scapy/layers/bluetooth.py

Lines 1273 to 1278 in 85e0a50

	bind_layers(HCI_Event_Hdr, HCI_Event_Disconnection_Complete, code=0x5)
	bind_layers(HCI_Event_Hdr, HCI_Event_Encryption_Change, code=0x8)
	bind_layers(HCI_Event_Hdr, HCI_Event_Command_Complete, code=0xe)
	bind_layers(HCI_Event_Hdr, HCI_Event_Command_Status, code=0xf)
	bind_layers(HCI_Event_Hdr, HCI_Event_Number_Of_Completed_Packets, code=0x13)
	bind_layers(HCI_Event_Hdr, HCI_Event_LE_Meta, code=0x3e)

[JuanPotato]

Based on the latest Bluetooth v5.2 Core Specification, here is a list of all hci events. I've checked off the ones that are already implemented

• 0x01 - HCI_Inquiry_Complete
• 0x02 - HCI_Inquiry_Result
• 0x03 - HCI_Connection_Complete
• 0x04 - HCI_Connection_Request
• 0x05 - HCI_Disconnection_Complete
• 0x06 - HCI_Authentication_Complete
• 0x07 - HCI_Remote_Name_Request_Complete
• 0x08 - HCI_Encryption_Change
• 0x09 - HCI_Change_Connection_Link_Key_Complete
• 0x0A - HCI_Master_Link_Key_Complete
• 0x0B - HCI_Read_Remote_Supported_Features_Complete
• 0x0C - HCI_Read_Remote_Version_Information_Complete
• 0x0D - HCI_QoS_Setup_Complete
• 0x0E - HCI_Command_Complete
• 0x0F - HCI_Command_Status
• 0x10 - HCI_Hardware_Error
• 0x11 - HCI_Flush_Occurred
• 0x12 - HCI_Role_Change
• 0x13 - HCI_Number_Of_Completed_Packets
• 0x14 - HCI_Mode_Change
• 0x15 - HCI_Return_Link_Keys
• 0x16 - HCI_PIN_Code_Request
• 0x17 - HCI_Link_Key_Request
• 0x18 - HCI_Link_Key_Notification
• 0x19 - HCI_Loopback_Command
• 0x1A - HCI_Data_Buffer_Overflow
• 0x1B - HCI_Max_Slots_Change
• 0x1C - HCI_Read_Clock_Offset_Complete
• 0x1D - HCI_Connection_Packet_Type_Changed
• 0x1E - HCI_QoS_Violation
• 0x20 - HCI_Page_Scan_Repetition_Mode_Change
• 0x21 - HCI_Flow_Specification_Complete
• 0x22 - HCI_Inquiry_Result_with_RSSI
• 0x23 - HCI_Read_Remote_Extended_Features_Complete
• 0x2C - HCI_Synchronous_Connection_Complete
• 0x2D - HCI_Synchronous_Connection_Changed
• 0x2E - HCI_Sniff_Subrating
• 0x2F - HCI_Extended_Inquiry_Result
• 0x30 - HCI_Encryption_Key_Refresh_Complete
• 0x31 - HCI_IO_Capability_Request
• 0x32 - HCI_IO_Capability_Response
• 0x33 - HCI_User_Confirmation_Request
• 0x34 - HCI_User_Passkey_Request
• 0x35 - HCI_Remote_OOB_Data_Request
• 0x36 - HCI_Simple_Pairing_Complete
• 0x38 - HCI_Link_Supervision_Timeout_Changed
• 0x39 - HCI_Enhanced_Flush_Complete
• 0x3B - HCI_User_Passkey_Notification
• 0x3C - HCI_Keypress_Notification
• 0x3D - HCI_Remote_Host_Supported_Features_Notification
• 0x40 - HCI_Physical_Link_Complete
• 0x41 - HCI_Channel_Selected
• 0x42 - HCI_Disconnection_Physical_Link_Complete
• 0x43 - HCI_Physical_Link_Loss_Early_Warning
• 0x44 - HCI_Physical_Link_Recovery
• 0x45 - HCI_Logical_Link_Complete
• 0x46 - HCI_Disconnection_Logical_Link_Complete
• 0x47 - HCI_Flow_Spec_Modify_Complete
• 0x48 - HCI_Number_Of_Completed_Data_Blocks
• 0x4C - HCI_Short_Range_Mode_Change_Complete
• 0x4D - HCI_AMP_Status_Change
• 0x49 - HCI_AMP_Start_Test
• 0x4A - HCI_AMP_Test_End
• 0x4B - HCI_AMP_Receiver_Report
• 0x3E - HCI_LE_Meta
• 0x3E - 0x01 - HCI_LE_Connection_Complete
• 0x3E - 0x02 - HCI_LE_Advertising_Report
• 0x3E - 0x03 - HCI_LE_Connection_Update_Complete
• 0x3E - 0x04 - HCI_LE_Read_Remote_Features_Complete
• 0x3E - 0x05 - HCI_LE_Long_Term_Key_Request
• 0x3E - 0x06 - HCI_LE_Remote_Connection_Parameter_Request
• 0x3E - 0x07 - HCI_LE_Data_Length_Change
• 0x3E - 0x08 - HCI_LE_Read_Local_P-256_Public_Key_Complete
• 0x3E - 0x09 - HCI_LE_Generate_DHKey_Complete
• 0x3E - 0x0A - HCI_LE_Enhanced_Connection_Complete
• 0x3E - 0x0B - HCI_LE_Directed_Advertising_Report
• 0x3E - 0x0C - HCI_LE_PHY_Update_Complete
• 0x3E - 0x0D - HCI_LE_Extended_Advertising_Report
• 0x3E - 0x0E - HCI_LE_Periodic_Advertising_Sync_Established
• 0x3E - 0x0F - HCI_LE_Periodic_Advertising_Report
• 0x3E - 0x10 - HCI_LE_Periodic_Advertising_Sync_Lost
• 0x3E - 0x11 - HCI_LE_Scan_Timeout
• 0x3E - 0x12 - HCI_LE_Advertising_Set_Terminated
• 0x3E - 0x13 - HCI_LE_Scan_Request_Received
• 0x3E - 0x14 - HCI_LE_Channel_Selection_Algorithm
• 0x3E - 0x15 - HCI_LE_Connectionless_IQ_Report
• 0x3E - 0x16 - HCI_LE_Connection_IQ_Report
• 0x3E - 0x17 - HCI_LE_CTE_Request_Failed
• 0x3E - 0x18 - HCI_LE_Periodic_Advertising_Sync_Transfer_Received
• 0x3E - 0x19 - HCI_LE_CIS_Established
• 0x3E - 0x1A - HCI_LE_CIS_Request
• 0x3E - 0x1B - HCI_LE_Create_BIG_Complete
• 0x3E - 0x1C - HCI_LE_Terminate_BIG_Complete
• 0x3E - 0x1D - HCI_LE_BIG_Sync_Established
• 0x3E - 0x1E - HCI_LE_BIG_Sync_Lost
• 0x3E - 0x1F - HCI_LE_Request_Peer_SCA_Complete
• 0x3E - 0x20 - HCI_LE_Path_Loss_Threshold
• 0x3E - 0x21 - HCI_LE_Transmit_Power_Reporting
• 0x3E - 0x22 - HCI_LE_BIGInfo_Advertising_Report
• 0x4E - HCI_Triggered_Clock_Capture
• 0x4F - HCI_Synchronization_Train_Complete
• 0x50 - HCI_Synchronization_Train_Received
• 0x51 - HCI_Connectionless_Slave_Broadcast_Receive
• 0x52 - HCI_Connectionless_Slave_Broadcast_Timeout
• 0x53 - HCI_Truncated_Page_Complete
• 0x54 - HCI_Slave_Page_Response_Timeout
• 0x55 - HCI_Connectionless_Slave_Broadcast_Channel_Map_Change
• 0x56 - HCI_Inquiry_Response_Notification
• 0x57 - HCI_Authenticated_Payload_Timeout_Expired
• 0x58 - HCI_SAM_Status_Change

[JuanPotato]

I will be working on these

[gpotter2]

Thanks for looking into this.
Feel free to ask (here) if you have any question while implementing that.

[AaronDendy]

Having the packet implemented in scapy layers, where something like pkt["HCI_Connect_Complete"].address would indeed fix this, but it appears as though the original issue is just binary data being converted to a string.

In python 3 this can be verified:

pkts = rdpcap("scapy_test1.pcap")
hci_connect_complete = pkts[3].load  # 4th packet contains the address
bt_addr = hci_connect_complete[3:-2]  # missing scapy HCI event, manually strip the Bluetooth address out of packet
# reverse bytes (little endian), covert to hex string, remove "0x", add ':' between each couple
bt_addr = ':'.join('{0}'.format(hex(byte)[2:]) for byte in reversed(bt_addr))
print(bt_addr)

Which results in 1c:39:47:75:be:94, which is identical to wireshark. This is what leads me to believe this is just a string conversion of the binary data, since the uG9 in \x94\xbeuG9\x1c is just an ascii representation of \x75\x47\x39 or the 39:47:75 middle portion of the address.

[kenshinsamue]

Hi i'm trying to implement a new layer for Bluetooth, but when i execute the command scapy.all.sniff() it doesn't show the packet with packet.show() .. What i have implemented are both the class itself and the bind_layer method. its anything else where i have to implement?.