Tags: bluetooth pcap

Rating:

# Description
We are presented with a pcap file containing Bluetooth LE packages. We can see that we have many writes to memory with a specific value and offset.

# Plan
Extract the data, build a fake memory in an array and write the hex values there. Then see if we can read this

# Solution
Extract the values from the pcap using the following tshark command
bash
tshark -r btle.pcap -Y "btatt.opcode == 0x16" -T fields -e btatt.value -e btatt.offset > export


Then parse the file and add everything to the memory. Keep in mind that characters are hex encoded
python
mem = [" " for i in range(0,150)]

def write(value, offset):
count = 0
value = [value[i:i+2] for i in range(0, len(value), 2)]
for i in value:
mem[count+offset]=chr(int(i,base=16))
count += 1

with open("export") as file:
while (line := file.readline().rstrip()):
line = line.split(',')
write(line[0],int(line[1]))

print(''.join(mem))


This prints the flag  pctf{b1Ue_te3Th_is_ba4d_4_y0u_jUs7_4sk_HAr0lD_b1U3tO07h}, however since the flag format is pbctf we need to correct it as the tshark filter missed the first direct write of 'pb'

Original writeup (https://github.com/tttttx2/CTF_Writeups/blob/main/PBCTF-2021/BTLE.md).