Hi,
I purchased a TI CC26x2R LaunchPad board, followed the instructions and flashed version 1.9.1. I want to sniff packets of the LE Audio protocol.
Using Sniffle I can see data being transferred, but since the connection is secured (Secure Connection) I can't see the real data.
I saw that some sniffers support decoding the data if pairing is made during the sniffing and the LTK is being exchanged. I tried to find a way for Wireshark to receive the LTK and then decode it, but did not find one.
Any suggestions on how I can get the real data?
Thanks
tamv12 changed the title from "d" to "decoding packets in secure connection (le audio)" on May 5, 2024
The old legacy pairing process was insecure, so it could be cracked if you sniffed the pairing process. You can use Mike Ryan's "crackle" for this purpose: https://github.com/mikeryan/crackle
Modern devices should be using LE Secure Connections, which uses a different Elliptic Curve Diffie-Hellman based pairing process that can't be cracked easily unless one of the sides is using known (debug) keys. You could still extract the derived LTK from a rooted Android phone, and then use crackle to decrypt.
Regarding LE audio, be aware that Sniffle does not yet support Connected or Broadcast Isochronous Groups (CIG and BIG). Thus, you won't be able to capture the actual audio data at the moment with Sniffle. I do plan to implement this in the future, though I can't give any timelines.
> Modern devices should be using LE Secure Connections, which uses a different Elliptic Curve Diffie-Hellman based pairing process that can't be cracked easily unless one of the sides is using known (debug) keys. You could still extract the derived LTK from a rooted Android phone, and then use crackle to decrypt.
Actually, you can access the LTK on both Android and iOS without any rooting. The LTK is supplied by the Host, so by capturing the HCI commands, you'll be able to see the LTK both when establishing encryption the first time and upon reconnection.
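Added example, not part of the thread and not code from Sniffle or crackle: a minimal Python parser that reads an HCI capture of your own device in btsnoop format and lists the LTK carried in the two Host-to-Controller commands that supply it (LE Enable Encryption, opcode 0x2019, and LE Long Term Key Request Reply, opcode 0x201A). It assumes an H4 (datalink 1002) capture; the sample bytes and key are constructed for the demonstration.

```python
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
H4_DATALINK = 1002   # HCI UART (H4): each record starts with a packet-type byte
H4_COMMAND = 0x01
# LE Controller commands (OGF 0x08) in which the Host hands the LTK to the Controller
LE_ENABLE_ENCRYPTION = 0x2019   # central: handle(2) rand(8) ediv(2) ltk(16)
LE_LTK_REQUEST_REPLY = 0x201A   # peripheral: handle(2) ltk(16)
LTK_OFFSET = {LE_ENABLE_ENCRYPTION: 12, LE_LTK_REQUEST_REPLY: 2}


def extract_ltks(snoop: bytes):
    """Return [(opcode, conn_handle, ltk_hex_msb_first)] for each LTK-bearing command."""
    if snoop[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", snoop[8:16])
    if datalink != H4_DATALINK:
        raise ValueError(f"unsupported datalink type {datalink}")
    found, pos = [], 16
    while pos + 24 <= len(snoop):
        orig_len, incl_len, flags, drops, ts = struct.unpack(">IIIIq", snoop[pos:pos + 24])
        pkt = snoop[pos + 24:pos + 24 + incl_len]
        pos += 24 + incl_len
        if len(pkt) < 4 or pkt[0] != H4_COMMAND:
            continue
        opcode, plen = struct.unpack("<HB", pkt[1:4])
        params = pkt[4:4 + plen]
        off = LTK_OFFSET.get(opcode)
        if off is None or len(params) < off + 16:
            continue  # some other command, or a truncated record
        handle = struct.unpack("<H", params[:2])[0] & 0x0FFF
        # HCI parameters are little-endian; reverse the key for MSB-first hex
        found.append((opcode, handle, params[off:off + 16][::-1].hex()))
    return found


def _record(pkt: bytes) -> bytes:  # constructed record, flags=2: command sent by the host
    return struct.pack(">IIIIq", len(pkt), len(pkt), 2, 0, 0) + pkt


# Constructed sample: an unrelated HCI Reset, then LE Enable Encryption with a made-up key
SAMPLE_LTK = bytes(range(16))
SAMPLE = (BTSNOOP_MAGIC + struct.pack(">II", 1, H4_DATALINK)
          + _record(bytes([0x01, 0x03, 0x0C, 0x00]))
          + _record(bytes([0x01]) + struct.pack("<HBH", LE_ENABLE_ENCRYPTION, 28, 0x0040)
                    + bytes(8) + bytes(2) + SAMPLE_LTK))

if __name__ == "__main__":
    for opcode, handle, ltk in extract_ltks(SAMPLE):
        print(f"opcode=0x{opcode:04x} handle=0x{handle:04x} ltk={ltk}")
```

The key is printed MSB-first; whether a given decryption tool expects that order or the on-the-wire little-endian order should be checked against that tool's documentation.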