├── README.md
├── LICENSE.md
├── fake_keyboard_record.xml
└── keyboard.py


/README.md:
--------------------------------------------------------------------------------
 1 | chipturner/bluetooth
 2 | =========
 3 | 
 4 | My Linux bluetooth playground.  So far, just a python script that can
 5 | make your linux machine act as a bluetooth keyboard for other
 6 | devices. More docs to come.
 7 | 
 8 | Useful links:
 9 | 
10 | I started here, but it was missing details:
11 | http://www.linuxuser.co.uk/tutorials/emulate-a-bluetooth-keyboard-with-the-raspberry-pi
12 | 
13 | So then I went here, and the associated book:
14 | http://people.csail.mit.edu/albert/bluez-intro/
15 | http://www.amazon.com/Bluetooth-Essentials-Programmers-Albert-Huang/dp/0521703751/
16 | 
17 | The USB HID spec was helpful in figuring out how to actually talk
18 | things like handshakes (which are necessary, and left out of the first
19 | link above).
20 | https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=246761
21 | 
22 | I stumbled across this, which was also helpful:
23 | https://code.google.com/p/androhid/source/checkout
24 | 
25 | Finally, the bluez source code was solid as well:
26 | http://www.bluez.org/
27 | http://www.bluez.org/development/git/
28 | 
29 | 


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2016, Chip Turner
 2 | All rights reserved.
 3 | 
 4 | Redistribution and use in source and binary forms, with or without
 5 | modification, are permitted provided that the following conditions are met:
 6 | 
 7 | * Redistributions of source code must retain the above copyright notice, this
 8 |   list of conditions and the following disclaimer.
 9 | 
10 | * Redistributions in binary form must reproduce the above copyright notice,
11 |   this list of conditions and the following disclaimer in the documentation
12 |   and/or other materials provided with the distribution.
13 | 
14 | * Neither the name of bluetooth nor the names of its
15 |   contributors may be used to endorse or promote products derived from
16 |   this software without specific prior written permission.
17 | 
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
22 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | 


--------------------------------------------------------------------------------
/fake_keyboard_record.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8" ?>
  2 | 
  3 | <record>
  4 | 	<attribute id="0x0001">
  5 | 		<sequence>
  6 | 			<uuid value="0x1124" />
  7 | 		</sequence>
  8 | 	</attribute>
  9 | 	<attribute id="0x0004">
 10 | 		<sequence>
 11 | 			<sequence>
 12 | 				<uuid value="0x0100" />
 13 | 				<uint16 value="0x0011" />
 14 | 			</sequence>
 15 | 			<sequence>
 16 | 				<uuid value="0x0011" />
 17 | 			</sequence>
 18 | 		</sequence>
 19 | 	</attribute>
 20 | 	<attribute id="0x0005">
 21 | 		<sequence>
 22 | 			<uuid value="0x1002" />
 23 | 		</sequence>
 24 | 	</attribute>
 25 | 	<attribute id="0x0006">
 26 | 		<sequence>
 27 | 			<uint16 value="0x656e" />
 28 | 			<uint16 value="0x006a" />
 29 | 			<uint16 value="0x0100" />
 30 | 		</sequence>
 31 | 	</attribute>
 32 | 	<attribute id="0x0009">
 33 | 		<sequence>
 34 | 			<sequence>
 35 | 				<uuid value="0x1124" />
 36 | 				<uint16 value="0x0100" />
 37 | 			</sequence>
 38 | 		</sequence>
 39 | 	</attribute>
 40 | 	<attribute id="0x000d">
 41 | 		<sequence>
 42 | 			<sequence>
 43 | 				<sequence>
 44 | 					<uuid value="0x0100" />
 45 | 					<uint16 value="0x0013" />
 46 | 				</sequence>
 47 | 				<sequence>
 48 | 					<uuid value="0x0011" />
 49 | 				</sequence>
 50 | 			</sequence>
 51 | 		</sequence>
 52 | 	</attribute>
 53 | 	<attribute id="0x0100">
 54 | 		<text value="Linux KB" />
 55 | 	</attribute>
 56 | 	<attribute id="0x0101">
 57 | 		<text value="USB > BT Keyboard" />
 58 | 	</attribute>
 59 | 	<attribute id="0x0102">
 60 | 		<text value="Linux System" />
 61 | 	</attribute>
 62 | 	<attribute id="0x0200">
 63 | 		<uint16 value="0x0100" />
 64 | 	</attribute>
 65 | 	<attribute id="0x0201">
 66 | 		<uint16 value="0x0111" />
 67 | 	</attribute>
 68 | 	<attribute id="0x0202">
 69 | 		<uint8 value="0x40" />
 70 | 	</attribute>
 71 | 	<attribute id="0x0203">
 72 | 		<uint8 value="0x00" />
 73 | 	</attribute>
 74 | 	<attribute id="0x0204">
 75 | 		<boolean value="true" />
 76 | 	</attribute>
 77 | 	<attribute id="0x0205">
 78 | 		<boolean value="true" />
 79 | 	</attribute>
 80 | 	<attribute id="0x0206">
 81 | 		<sequence>
 82 | 			<sequence>
 83 | 				<uint8 value="0x22" />
 84 | 				<text encoding="hex" value="05010906a101850175019508050719e029e715002501810295017508810395057501050819012905910295017503910395067508150026ff000507190029ff8100c0050c0901a1018503150025017501950b0a23020a21020ab10109b809b609cd09b509e209ea09e9093081029501750d8103c0" />
 85 | 			</sequence>
 86 | 		</sequence>
 87 | 	</attribute>
 88 | 	<attribute id="0x0207">
 89 | 		<sequence>
 90 | 			<sequence>
 91 | 				<uint16 value="0x0409" />
 92 | 				<uint16 value="0x0100" />
 93 | 			</sequence>
 94 | 		</sequence>
 95 | 	</attribute>
 96 | 	<attribute id="0x020b">
 97 | 		<uint16 value="0x0100" />
 98 | 	</attribute>
 99 | 	<attribute id="0x020c">
100 | 		<uint16 value="0x0c80" />
101 | 	</attribute>
102 | 	<attribute id="0x020d">
103 | 		<boolean value="false" />
104 | 	</attribute>
105 | 	<attribute id="0x020e">
106 | 		<boolean value="true" />
107 | 	</attribute>
108 | 	<attribute id="0x020f">
109 | 		<uint16 value="0x0640" />
110 | 	</attribute>
111 | 	<attribute id="0x0210">
112 | 		<uint16 value="0x0320" />
113 | 	</attribute>
114 | </record>
115 | 


--------------------------------------------------------------------------------
/keyboard.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | import argparse
  4 | import bluetooth
  5 | import dbus
  6 | import itertools
  7 | import logging
  8 | import os
  9 | import subprocess
 10 | import sys
 11 | import time
 12 | 
 13 | HCI_KEYBOARD_CONTROL_PORT = 17
 14 | HCI_KEYBOARD_INTERRUPT_PORT = 19
 15 | 
 16 | def read_relative_file(name):
 17 |   full_path = os.path.join(os.path.dirname(sys.argv[0]), name)
 18 |   with open(full_path) as fh:
 19 |     return fh.read()
 20 | 
 21 | def init_adapter(interface, device_name):
 22 |   # TODO: switch to ctypes; bluetooth._bluetooth doesn't support the
 23 |   # APIs we need, sadly
 24 |   logging.info("Running hciconfig for " + interface)
 25 |   subprocess.call(["hciconfig", interface, "class", "0x002540"])
 26 |   subprocess.call(["hciconfig", interface, "name", device_name])
 27 |   subprocess.call(["hciconfig", interface, "piscan"])
 28 | 
 29 |   # Become discoverable by asking bluez to advertise our SDP for us
 30 |   logging.info("Advertising via sdb")
 31 |   bus = dbus.SystemBus()
 32 |   manager = dbus.Interface(bus.get_object("org.bluez", "/"), "org.bluez.Manager")
 33 |   adapter_path = manager.FindAdapter(interface)
 34 |   service = dbus.Interface(bus.get_object("org.bluez", adapter_path), "org.bluez.Service")
 35 |   service.AddRecord(read_relative_file("fake_keyboard_record.xml"))
 36 | 
 37 | def main():
 38 |   logging.basicConfig(format="%(asctime)s %(levelname)-8s %(message)s", level=logging.INFO)
 39 |   parser = argparse.ArgumentParser()
 40 |   parser.add_argument("--interface", help="interface, defaults to hci0", default="hci0")
 41 |   parser.add_argument("--reconnect", help="reconnect to this device (mac addr), otherwise become browsable")
 42 |   arguments = parser.parse_args()
 43 | 
 44 |   # HID mapping is weird.  this is just a subset.
 45 |   hid_byte_map = dict()
 46 |   for c in range(ord('a'), ord('z')):
 47 |     hid_byte_map[chr(c)] = c - ord('a') + 4
 48 |   hid_byte_map[' '] = 0x2c
 49 |   
 50 |   init_adapter(arguments.interface, "Linux Keyboard")
 51 | 
 52 |   # Either become browsable and answer, or reconnect.  Pairing seems
 53 |   # to be optional?
 54 |   target_addr = arguments.reconnect
 55 |   if not target_addr:
 56 |     logging.info("Listening for connection")
 57 |     control_listen_socket = bluetooth.BluetoothSocket(bluetooth.L2CAP)
 58 |     control_listen_socket.bind(("", HCI_KEYBOARD_CONTROL_PORT))
 59 |     control_listen_socket.listen(1)
 60 |     interrupt_listen_socket = bluetooth.BluetoothSocket(bluetooth.L2CAP)
 61 |     interrupt_listen_socket.bind(("", HCI_KEYBOARD_INTERRUPT_PORT))
 62 |     interrupt_listen_socket.listen(1)
 63 | 
 64 |     control_socket, control_info = control_listen_socket.accept()
 65 |     interrupt_socket, interrupt_info = interrupt_listen_socket.accept()
 66 | 
 67 |     logging.info("Connection established to %s (%s)" % (control_info, interrupt_info))
 68 |     connected = False
 69 |     while not connected:
 70 |       header = ord(control_socket.recv(1))
 71 |       msg_type, msg_data = (header >> 4), (header & 0b1111)
 72 |       logging.info("data is %02x %02x" % (msg_type, msg_data))
 73 |       if msg_type == 0x09:  # SET_IDLE
 74 |         logging.info("looks like windows")
 75 |         connected = True
 76 |       elif msg_type == 0x07:  # SET_PROTOCOL
 77 |         logging.info("looks like iphone")
 78 |         connected = True
 79 |       else:
 80 |         logging.fatal("aiee who knows")
 81 | 
 82 |   else:
 83 |     # just connect to the specified destination
 84 |     logging.info("Reconnecting to %s" % target_addr)
 85 |     control_socket = bluetooth.BluetoothSocket(bluetooth.L2CAP)
 86 |     control_socket.connect((target_addr, HCI_KEYBOARD_CONTROL_PORT))
 87 |     interrupt_socket = bluetooth.BluetoothSocket(bluetooth.L2CAP)
 88 |     interrupt_socket.connect((target_addr, HCI_KEYBOARD_INTERRUPT_PORT))
 89 | 
 90 |   # We have a connection, spam away!
 91 |   logging.info("Socket connected, sending handshake")
 92 |   control_socket.send(chr(0))
 93 |   logging.info("spamming chip!")
 94 | 
 95 |   for byte in itertools.cycle("chip "):
 96 |     hid_byte = hid_byte_map[byte]
 97 |     msg = "".join(chr(c) for c in (0xa1, 0x01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, hid_byte))
 98 |     interrupt_socket.send(msg)
 99 |     msg = "".join(chr(c) for c in (0xa1, 0x01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0))
100 |     interrupt_socket.send(msg)
101 |     time.sleep(0.05)
102 |     
103 | 
104 | if __name__ == '__main__':
105 |   sys.exit(main())
106 | 


--------------------------------------------------------------------------------