Ken*_*abz 6 encryption bluetooth
简介:我在没有完全熟悉蓝牙堆栈和协议的情况下遇到这个问题,所以这可能需要几轮编辑,因为我的假设中的错误被揭示出来.
我正在尝试连接蓝牙设备,Scosche myTREK Pulse Monitor.我能够使用适用于Android的"官方"应用程序连接到设备,并使用了捕获蓝牙数据包输出hcidump.我可以通过链接密钥交换来阅读和理解连接过程; 然而,设备然后发送HCI Encrypt Change事件,之后大多数(但不是所有)分组被标记为ACL分组,并且难以解释.
基本问题是:蓝牙是否加密数据,有没有办法安全解密?这与转移到ACL数据包有关吗?
以下是hcidump给定连接提供的数据包输出示例,从链接密钥的传递开始.(>指监视器发送数据)
> HCI Event: Link Key Request (0x17) plen 6
0000: ** ** ** ** ** ** ??????
< HCI Command: Link Key Request Reply (0x01|0x000b) plen 22
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ???????????????
0010: ** ** ** ** ** ** ??????
> HCI Event: Command Complete (0x0e) plen 10
0000: 01 0b 04 00 ** ** ** ** ** ** ....??????
> HCI Event: Encrypt Change (0x08) plen 4
0000: 00 0c 00 01 ....
> ACL data: handle 12 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 1 scid 0x0040
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 03 02 08 00 40 00 40 00 01 00 00 00 ........@.@.....
< ACL data: handle 12 flags 0x00 dlen 10
0000: 06 00 01 00 0a 01 02 00 02 00 ..........
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 16
L2CAP(s): Info rsp: type 2 result 0
Extended feature mask 0x0000
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 03 02 08 00 40 00 40 00 00 00 00 00 ........@.@.....
< ACL data: handle 12 flags 0x00 dlen 12
0000: 08 00 01 00 04 02 04 00 40 00 00 00 ........@...
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 16
L2CAP(s): Config req: dcid 0x0040 flags 0x00 clen 4
MTU 48
< ACL data: handle 12 flags 0x00 dlen 18
0000: 0e 00 01 00 05 03 0a 00 40 00 00 00 00 00 01 02 ........@.......
0010: 30 00 0.
> ACL data: handle 12 flags 0x02 dlen 14
L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 0
Success
> ACL data: handle 12 flags 0x02 dlen 36
L2CAP(d): cid 0x0040 len 32 [psm 0]
0000: 06 00 01 00 1b 35 11 1c 00 00 00 00 de ca fa de .....5......??·?
0010: de ca de af de ca ca fe 00 26 35 03 09 00 04 00 ???»????.&5.....
< ACL data: handle 12 flags 0x00 dlen 33
0000: 1d 00 40 00 07 00 01 00 18 00 15 35 13 35 11 09 ..@........5.5..
0010: 00 04 35 0c 35 03 19 01 00 35 05 19 00 03 08 12 ..5.5....5......
0020: 00 .
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 12
L2CAP(s): Disconn req: dcid 0x0040 scid 0x0040
< ACL data: handle 12 flags 0x00 dlen 12
0000: 08 00 01 00 07 04 04 00 40 00 40 00 ........@.@.
> ACL data: handle 12 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 3 scid 0x0041
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 03 05 08 00 40 00 41 00 00 00 00 00 ........@.A.....
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 16
L2CAP(s): Config req: dcid 0x0040 flags 0x00 clen 4
MTU 895
< ACL data: handle 12 flags 0x00 dlen 18
0000: 0e 00 01 00 05 06 0a 00 41 00 00 00 00 00 01 02 ........A.......
0010: 7f 03 ..
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 04 03 08 00 41 00 00 00 01 02 f5 03 ........A.....?.
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 18
L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 4
MTU 1013
此时,设备提供的有效负载在运行之间会有很大差异,更不用说在一次运行中.为简洁起见,我已将剩余的日志放在pastebin中:链接
是的,蓝牙通过无线方式加密数据.是的,这适用于ACL数据.但是您通过HCI接口看到的数据已经被解密.您的问题是您不知道如何解释ACL数据流.在ACL数据之上有几个级别的协议.除非您的设备记录他们的协议,否则您可能会失败.他们最有可能运行SPP(串口配置文件)或RFCOMM与Android应用程序通信.因此,您有以下嵌套协议层来解码SPP - > RFCOMM - > L2CAP - > ACL数据.
您的设备/应用程序也可能在SPP之上执行其他应用程序级加密.在那种情况下,你运气不好.
| 归档时间: |
|
| 查看次数: |
9098 次 |
| 最近记录: |