1. Service: `0xae30`, Characteristic: `0xae02` (**NOTIFY**), Desc: `0x2902`

   *Enables notification*

   1. HEX:

      ```
      0000 02 0e 00 09 00 05 00 04 00 12 09 00 01 00
      0000 01 00
      ```

   2. Plain Text:

      ```
      localhost () b7:26:a2:0d:ca:66 () ATT 14 Sent Write Request, Handle: 0x0009 (Unknown: Unknown: Client Characteristic Configuration)

      Frame 70: 14 bytes on wire (112 bits), 14 bytes captured (112 bits)
      ...
      Bluetooth Attribute Protocol
          Opcode: Write Request (0x12)
              0... .... = Authentication Signature: False
              .0.. .... = Command: False
              ..01 0010 = Method: Write Request (0x12)
          Handle: 0x0009 (Unknown: Unknown: Client Characteristic Configuration)
              [Service UUID: Unknown (0xae30)]
              [Characteristic UUID: Unknown (0xae02)]
              [UUID: Client Characteristic Configuration (0x2902)]
          Characteristic Configuration Client: 0x0001, Notification
              0000 0000 0000 00.. = Reseved: 0x0000
              .... .... .... ..0. = Indication: False
              .... .... .... ...1 = Notification: True
      ```

2. Service: `0xae30`, Characteristic: `0xae04` (**NOTIFY**), Desc: `0x2902`

   *also enables notifications ...*

3. Service: `0xae30`, Characteristic: `0xae05` (**INDICATE**), Desc: `0x2902`

   *manipulations with led?*

   1. HEX:

      ```
      0000 02 0e 00 09 00 05 00 04 00 12 11 00 02 00
      0000 02 00
      ```

   2. Plain Text:

      ```
      Frame 78: 14 bytes on wire (112 bits), 14 bytes captured (112 bits)
      ...
      Bluetooth Attribute Protocol
          Opcode: Write Request (0x12)
              0... .... = Authentication Signature: False
              .0.. .... = Command: False
              ..01 0010 = Method: Write Request (0x12)
          Handle: 0x0011 (Unknown: Unknown: Client Characteristic Configuration)
              [Service UUID: Unknown (0xae30)]
              [Characteristic UUID: Unknown (0xae05)]
              [UUID: Client Characteristic Configuration (0x2902)]
          Characteristic Configuration Client: 0x0002, Indication
              0000 0000 0000 00.. = Reseved: 0x0000
              .... .... .... ..1. = Indication: True
              .... .... .... ...0 = Notification: False
      ```

4. Exchange MTU Request, Client Rx MTU: 123

5. Service: `0xae30`, Characteristic: `0xae01` (**WRITE NO RESPONSE**)

   *First pre-printing write request.*

   1. HEX:

      ```
      0000 02 0e 00 19 00 15 00 04 00 52 06 00 51 78 a8 00
      0010 01 00 00 00 ff 51 78 a3 00 01 00 00 00 ff

      0000 51 78 a8 00 01 00 00 00 ff 51 78 a3 00 01 00 00
      0010 00 ff
      ```

   2. Plain Text:

      ```
      Frame 89: 30 bytes on wire (240 bits), 30 bytes captured (240 bits)
      ...
      Bluetooth Attribute Protocol
          Opcode: Write Command (0x52)
              0... .... = Authentication Signature: False
              .1.. .... = Command: True
              ..01 0010 = Method: Write Request (0x12)
          Handle: 0x0006 (Unknown: Unknown)
              [Service UUID: Unknown (0xae30)]
              [UUID: Unknown (0xae01)]
          Value: 5178a80001000000ff5178a30001000000ff
      ```

   In the HEX dump the value comes after the (so far unknown) header `02 0e 00 19 00 15 00 04 00 52 06 00`.

6. Service: `0xae30`, Characteristic: `0xae01` (**WRITE NO RESPONSE**)

   *Second pre-printing write request*

   1. HEX:

      ```
      0000 02 0e 00 10 00 0c 00 04 00 52 06 00 51 78 bb 00
      0010 01 00 01 07 ff
      ```

      The value also starts with `51 78`.

   2. Plain Text:

      ```
      Frame 93: 21 bytes on wire (168 bits), 21 bytes captured (168 bits)
      ...
      Bluetooth Attribute Protocol
          Opcode: Write Command (0x52)
              0... .... = Authentication Signature: False
              .1.. .... = Command: True
              ..01 0010 = Method: Write Request (0x12)
          Handle: 0x0006 (Unknown: Unknown)
              [Service UUID: Unknown (0xae30)]
              [UUID: Unknown (0xae01)]
          Value: 5178bb0001000107ff
      ```

7. Service: `0xae30`, Characteristic: `0xae01` (**WRITE NO RESPONSE**)

   *Start image transmission.* There is a chain of packets of 132 bytes each.

   Service: `0xae30`, Characteristic: `0xae01` (**WRITE NO RESPONSE**)

   ```
   Bluetooth Attribute Protocol
       Opcode: Write Command (0x52)
           0... .... = Authentication Signature: False
           .1.. .... = Command: True
           ..01 0010 = Method: Write Request (0x12)
       Handle: 0x0006 (Unknown: Unknown)
           [Service UUID: Unknown (0xae30)]
           [UUID: Unknown (0xae01)]
       Value: 5178a30001000000ff5178a40001003399ff5178a6000b00aa551738445f5f5f44382ca1…
   ```

   HEX:

   `Value` starts with `51 78`

   ```
   0000 02 05 00 7f 00 7b 00 04 00 52 06 00 51 78 a3 00
   0010 01 00 00 00 ff 51 78 a4 00 01 00 33 99 ff 51 78
   0020 a6 00 0b 00 aa 55 17 38 44 5f 5f 5f 44 38 2c a1
   0030 ff 51 78 af 00 02 00 e0 2e 89 ff 51 78 be 00 01
   0040 00 00 00 ff 51 78 bd 00 01 00 1e 5a ff 51 78 bf
   0050 00 04 00 7f 7f 7f 03 a8 ff 51 78 bf 00 04 00 7f
   0060 7f 7f 03 a8 ff 51 78 bf 00 04 00 7f 7f 7f 03 a8
   0070 ff 51 78 bf 00 04 00 7f 7f 7f 03 a8 ff 51 78 bf
   0080 00 04 00 7f
   ```
1. Export the image's packets as JSON (good filter: `bluetooth.addr==b7:26:a2:0d:ca:66`)

2. Extract the hex data with Python

   ```py
   import json

   with open('reverse_stuff/rfid-metka-picture.json') as j_file:
       pic_json = json.load(j_file)

   # pull the ATT value of every exported packet; Wireshark writes it as "51:78:..."
   pic_hex = [val['_source']['layers']['btatt']['btatt.value'] for val in pic_json]
   pic_hex = [val.replace(':', '') for val in pic_hex]

   # from array to str
   pic_hex = ''.join(pic_hex)

   with open('reverse_stuff/rfid-metka-picture.pichex', 'w') as h_file:
       h_file.write(pic_hex)
   ```
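Added example (my own code, not from the original page or from any printer tooling): it strips the 12-byte HCI ACL + L2CAP + ATT header that the page calls the unknown header, then splits the concatenated values produced by the extraction script into `51 78` frames. The byte before each closing `ff` reproduces as CRC-8 (polynomial 0x07, initial value 0x00) over the payload for every frame in the captures above; that is an inference checked against the dumps, not something the page states. Function and constant names are my own, and the samples are copied from frames 93 and 89 and the first 132-byte image chunk.

```python
# Constructed sample: the complete Write Command of frame 93 as captured
# (HCI ACL data packet, 21 bytes), header followed by the 9-byte value.
FRAME_93 = bytes.fromhex("020e0010000c000400520600" "5178bb0001000107ff")

# Constructed sample: values from frames 89 and the image chunk, joined the
# way the extraction script above joins them.
STREAM_HEX = (
    "5178a80001000000ff"                        # cmd 0xa8, payload 00
    "5178a40001003399ff"                        # cmd 0xa4, payload 33
    "5178a6000b00aa551738445f5f5f44382ca1ff"    # cmd 0xa6, 11-byte payload
    "5178bf0004007f7f7f03a8ff"                  # cmd 0xbf, payload 7f 7f 7f 03
)

HCI_ACL_DATA, L2CAP_CID_ATT, ATT_WRITE_COMMAND = 0x02, 0x0004, 0x52

def att_write_value(pkt: bytes) -> tuple[int, bytes]:
    """Decode the 'unknown header': 1 byte HCI packet type, 2 bytes connection
    handle/flags, 2 bytes ACL length, 2 bytes L2CAP length, 2 bytes CID,
    1 byte ATT opcode, 2 bytes attribute handle. Returns (handle, value)."""
    if pkt[0] != HCI_ACL_DATA:
        raise ValueError("not an HCI ACL data packet")
    acl_len = int.from_bytes(pkt[3:5], "little")
    l2cap_len = int.from_bytes(pkt[5:7], "little")
    cid = int.from_bytes(pkt[7:9], "little")
    if cid != L2CAP_CID_ATT or pkt[9] != ATT_WRITE_COMMAND:
        raise ValueError("not an ATT Write Command on the ATT channel")
    if acl_len != 4 + l2cap_len or len(pkt) != 5 + acl_len:
        raise ValueError("length fields do not match the packet size")
    return int.from_bytes(pkt[10:12], "little"), pkt[12:]

def crc8(data: bytes) -> int:
    """CRC-8, poly 0x07, init 0x00, no reflection (inferred from the dumps)."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def parse_frames(stream: bytes) -> list[tuple[int, bytes, bool]]:
    """Split a value stream into (cmd, payload, crc_ok) per frame.
    Layout seen in the capture: 51 78 <cmd> 00 <len LE16> <payload> <crc> ff."""
    frames, i = [], 0
    while i < len(stream):
        if stream[i:i + 2] != b"\x51\x78":
            raise ValueError(f"bad frame magic at offset {i}")
        cmd = stream[i + 2]
        length = int.from_bytes(stream[i + 4:i + 6], "little")
        payload = stream[i + 6:i + 6 + length]
        crc, end = stream[i + 6 + length:i + 8 + length]   # short slice => truncated frame
        if end != 0xFF:
            raise ValueError(f"missing 0xff terminator at offset {i}")
        frames.append((cmd, payload, crc == crc8(payload)))
        i += 8 + length
    return frames
```

Feeding the `.pichex` file through `parse_frames(bytes.fromhex(...))` lists the command bytes of the whole image transfer and flags any frame whose checksum does not verify.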