
BLE CTF: Bluetooth Low Energy CTF Challenge


While searching for something else I came across this: ble_ctf · github, so let's play with it.

First the environment has to be set up. You need an ESP32 board (just buy one on Taobao). If your laptop's built-in Bluetooth adapter doesn't work (how to check is explained below), you also need to buy a Bluetooth adapter; I'm using a CSR4.0 one, just search Taobao.

Note: the project's README states that every flag is 20 characters long.

Environment setup

pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple
pip install esptool
First install esptool, which is used to flash the ESP32.

git clone https://github.com/hackgnar/ble_ctf
cd ble_ctf
esptool.py -p /dev/ttyUSB0 -b 460800 --before default_reset --after hard_reset --chip esp32  write_flash --flash_mode dio --flash_size 2MB --flash_freq 40m 0x1000 build/bootloader/bootloader.bin 0x8000 build/partition_table/partition-table.bin 0x10000 build/ble_ctf.bin

When "Connecting" appears, hold the BOOT button on the board until it proceeds to the next step, then release it (some dev boards may not need this; for the reason see: https://www.yuque.com/hxfqg9/iot/at8vgh3vgkulxh3d)

For Kali I use the official VM (2024.3). If you run into strange problems, try restarting the Bluetooth service: service bluetooth restart

List Bluetooth devices: hciconfig

Bring the adapter up: hciconfig hci0 up

Check the adapter's LE capability: sudo hciconfig hci0 lestates. If it returns: Read LE supported states on hci0 returned status 1, your Bluetooth adapter does not support BLE; a working adapter prints the list of supported LE states instead.


A few additional situations you may hit:

# hciconfig hci0 up
Can't init device hci0: Operation not possible due to RF-kill (132)

Run rfkill unblock all and then hciconfig hci0 up to fix this.

Scan for nearby low-energy devices: hcitool lescan. You will see a device named BLECTF.


Next, following the README, use gatttool to read the score from handle 42 on the device. There are 20 levels in total; the score is currently 0.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
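The awk|tr|xxd pipeline above only converts gatttool's hex dump back into text. Below, as an added Python example that is not part of the original post or the ble_ctf project, the same decoding is done on a read result taken from this writeup, together with the reverse conversion used for --char-write-req and gatttool's decimal/hex handle notation; the 20-character flag rule comes from the README, nothing else is assumed.

```python
# Helpers for the gatttool workflow used in this writeup (added example,
# not code from the original post or the ble_ctf project):
#  - decode a --char-read result back to text (the awk|tr|xxd pipeline)
#  - build the -n argument for --char-write-req (echo -n ... | xxd -ps)
#  - accept handles written in decimal or hex, as gatttool does
# Sample input: the line gatttool prints for a successful read, copied
# from the level-16 session in this writeup.
SAMPLE_READ = ("Characteristic value/descriptor: 62 31 65 34 30 39 65 35 "
               "61 34 65 61 66 39 66 65 35 31 35 38")

FLAG_LEN = 20  # the README states that every flag is 20 characters


def decode_char_read(line: str) -> bytes:
    """Turn 'Characteristic value/descriptor: 62 31 ...' into raw bytes."""
    label, sep, hexpart = line.partition(":")
    if not sep or "failed" in label:
        raise ValueError(f"not a gatttool read result: {line!r}")
    return bytes.fromhex(hexpart.replace(" ", ""))


def to_write_arg(text: str) -> str:
    """Hex string for -n, equivalent to `echo -n "text" | xxd -ps`."""
    return text.encode("ascii").hex()


def parse_handle(token: str) -> int:
    """gatttool takes handles as decimal or 0x-prefixed hex (level 8)."""
    token = token.strip().lower()
    return int(token, 16) if token.startswith("0x") else int(token, 10)


def is_flag_length(value: bytes) -> bool:
    """Necessary (not sufficient) check: a flag is exactly 20 printable
    ASCII bytes, while hints such as 'Write anything here' are not."""
    return len(value) == FLAG_LEN and all(0x20 <= b < 0x7F for b in value)


def read_to_submit_arg(line: str) -> str:
    """Chain: parse a read result and produce the -n argument that would
    submit it to the flag handle 0x002c."""
    value = decode_char_read(line)
    if not is_flag_length(value):
        raise ValueError(f"value is not flag-shaped: {value!r}")
    return to_write_arg(value.decode("ascii"))


if __name__ == "__main__":
    flag = decode_char_read(SAMPLE_READ)
    print(flag.decode("ascii"), "->", read_to_submit_arg(SAMPLE_READ))
```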


A reference for gatttool usage: https://blog.csdn.net/u010764600/article/details/119685484

GATT commands
  --primary                                 Discover GATT services
  --characteristics                         Discover all characteristics on the device
  --char-read                               Read a characteristic; a handle must be given
  --char-write                              Write a characteristic by handle, using Write Without Response
  --char-write-req                          Write a characteristic by handle, using Write Request
  --char-desc                               Discover all characteristic descriptors
  --listen                                  Listen for characteristic notifications or indications

Primary Services/Characteristics arguments
  -s, --start=0x0001                        Start handle
  -e, --end=0xffff                          End handle
  -u, --uuid=0x1801                         16-bit or 128-bit UUID

Characteristics Value/Descriptor Read/Write arguments
  -a, --handle=0x0001                       Read/write a characteristic by handle; followed by the handle value
  -n, --value=0x0001                        Value to write to the characteristic; followed by the actual value

Application Options:
  -i, --adapter=hciX                        Adapter to use, e.g. hci0
  -b, --device=MAC                          Bluetooth address of the remote device
  -t, --addr-type=[public | random]         Address type of the remote device, default public
  -m, --mtu=MTU                             ATT protocol MTU size
  -p, --psm=PSM                             Specify the GATT PSM, default 0
  -l, --sec-level=[low | medium | high]     Security level, default low
  -I, --interactive                         Interactive mode

Level 1: 0x002c

Flag one is a gift! You can only obtain it by reading this document or peeking at the source code. In short, this flag is to get you familiar with doing a simple write to a BLE handle. Do the following to get your first flag. Make sure you replace the MAC address in the examples below with your device's MAC address!

First, check out your score:

gatttool -b de:ad:be:ef:be:f1 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'

Next, let's submit the following flag. gatttool -b de:ad:be:ef:be:f1 --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)

Finally, check out your score again to see your flag got accepted:

gatttool -b de:ad:be:ef:be:f1 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'

A freebie: this level teaches you how to submit a flag. First use --char-read to read handle 0x2a and see the current score.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'


Then use --char-write-req to submit 12345678901234567890 to handle 0x2c.

gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)

Check the score again: it is now 1/20.


Level 2: 0x002e

Check out the ascii value of handle 0x002e and submit it to the flag submission handle 0x002c. If you are using gatttool, make sure you convert it to hex with xxd. If you are using bleah, you can send it as a string value.

This level wants you to read the ASCII value of handle 0x002e and submit it to handle 0x2c, so --char-read it is, piped through the same hex-to-string conversion used in the score command.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x002e|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'

The output is a string of hex digits; that is the flag. Submit it to handle 0x2c.

gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "d205303e099ceff44835"|xxd -ps)


Level 3: 0x0030

Check out the ascii value of handle 0x0030. Do what it tells you and submit the flag you find to 0x002c.

This level first requires reading the value of handle 0x0030 to learn what to do next. Converted to ASCII it reads: MD5 of Device Name. The device name is of course BLECTF; take the first 20 characters of its MD5 to get: 5cd56d74049ae40f442e

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0030|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "5cd56d74049ae40f442e"|xxd -ps)


Level 4: 0x0016

Bluetooth GATT services provide some extra device attributes. Try finding the value of the Generic Access -> Device Name.

It wants us to look at the Device Name of the Generic Access service, so let's list the services first.

gatttool -b 64:B7:08:61:C7:A2 --primary


Searching online for the UUID of Generic Access gives 1800. Here it helps to know that the Bluetooth SIG assigns fixed UUIDs to certain standard services and characteristics; see the PDF at https://www.bluetooth.com/specifications/assigned-numbers/

From the --primary output, the characteristics of service 1800 fall in the handle range 0x14 to 0x1c, so we look at the handles in that range (--characteristics lists all characteristics; --start and --end restrict the range) and get three characteristics.

gatttool -b 64:B7:08:61:C7:A2 --characteristics  --start=0x0014 --end=0x001c


Among them, 0x2a00 is Device Name according to the Bluetooth SIG document.


So we read handle 0x16 and take the first 20 characters of its value.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0016|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "2b00042f7481c7b056c4"|xxd -ps)


Level 5: 0x0032

Read handle 0032 and do what it says. Notice that it's not telling you to write to the flag handle as you have been. When you find the flag, go ahead and write it to the flag handle you have used in the past flags.

This level first has you read handle 0x0032; its content is Write anything here

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0032|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'

So write anything at all, then read the handle again and there is the flag.

gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x0032 -n $(echo -n "hello"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "3873c0270763568cf7aa"|xxd -ps)


Level 6: 0x0034

Follow the instructions found from reading handle 0x0034. Keep in mind that some tools only write hex values while others provide methods for writing either hex or ascii.

Reading 0x0034 first, it says: Write the ascii value "yo" here, i.e. write the ASCII string yo to 0x34. That is no different from writing a flag, so just write it.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0034|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x0034 -n $(echo -n "yo"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "c55c6314b3db0a6128af"|xxd -ps)


Level 7: 0x0036

Follow the instructions found from reading handle 0x0036. Keep in mind that some tools only write hex values while others provide methods for writing either hex or ascii.

Reading handle 0x0036, it tells us to write the hex value 0x07 to this handle; just put the hex directly after -n.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0036|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x0036 -n 07
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "1179080b29f8da16ad66"|xxd -ps)


Level 8: 0x0038

Follow the instructions found from reading handle 0x0038. Pay attention to handles here. Keep in mind handles can be referenced by integer or hex. Most tools such as gatttool and bleah allow you to specify handles both ways.

Reading handle 0x0038 gives the hint: Write 0xC9 to handle 58. The point is that most tools accept handles in either decimal or hex.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0038|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 58 -n C9
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "f8b136d937fad6a2be9f"|xxd -ps)


Level 9: 0x003c

Take a look at handle 0x003c and do what it says. You should script up a solution for this one. Also keep in mind that some tools write faster than others.

Handle 0x003c shows: Brute force my value 00 to ff, asking us to brute-force it.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x003c|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'

So just write a loop in Python. Python's zfill method left-pads a string with zeros: n.zfill(2) means that if n is shorter than two characters it is padded with zeros on the left.

import os
import time

# Try every single-byte value 00..ff on handle 0x003c
for i in range(256):
    x = hex(i)[2:].zfill(2)  # two-character, zero-padded hex, e.g. 0x7 -> "07"
    payload = "gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x003c -n " + x
    print(payload)
    time.sleep(0.5)  # short pause so the adapter keeps up between writes
    os.system(payload)

When it finishes, read handle 0x3c again to get the flag.

gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "933c1fcfa8ed52d2ec05"|xxd -ps)


Level 10: 0x003e

Take a look at handle 0x003e and do what it says. Keep in mind that some tools have better connection speeds than others for doing reads and writes. This has to do with the functionality the tool provides or how it uses cached BT connections on the host OS. Try testing different tools for this flag. Once you find the fastest one, whip up a script or bash 1 liner to complete the task. FYI, once running, this task takes roughly 90 seconds to complete if done right.

First see what 0x003e says: Read me 1000 times. Read it 1000 times? Just run the system command in a Python loop again.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x003e|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'

import os
import time

# Read handle 0x003e 1000 times; the extra (1001st) read shows the flag the
# device reveals once the count has been reached. Raw string so that the '\n'
# reaches the shell unchanged.
payload = r"gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x003e|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'"
for i in range(1001):
    time.sleep(0.1)  # short pause so the adapter keeps up
    os.system(payload)

Keep reading and the flag pops out.

gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "6ffcd214ffebdc0d069e"|xxd -ps)


Level 11: 0x0040

Check out handle 0x0040 and google search gatt notify. Some tools like gatttool have the ability to subscribe to gatt notifications.

The hint from handle 0x0040 is: Listen to me for a single notification. Use gatttool to listen for the notification data the Bluetooth device sends.

This involves the GATT notification concept: the client (Kali) can ask the server (ESP32) to notify it about a characteristic value; when that characteristic is available the server notifies the client, and a notification requires no ACK from the client.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0040|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x0040 -n 00 --listen
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "5ec3772bcd00cf06d8eb"|xxd -ps)


Level 12: 0x0042

Check out handle 0x0042 and google search gatt indicate. For single response indicate messages, like this challenge, tools such as gatttool will work just fine.

Handle 0x0042 says: Listen to handle 0x0044 for a single indication

The ESP32 will send us an indication. The difference between an indication and a notification is that an indication requires an ACK.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0042|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x0044 -n 00 --listen
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "c7b86dd121848c77c113"|xxd -ps)


Level 13: 0x0046

Check out handle 0x0046 and do what it says. Keep in mind that this notification challenge requires you to receive multiple responses in order to complete.

0x0046 says: Listen to me for multi notifications

This one sends several notifications while you listen; wait a moment and the flag appears.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0046|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x0046 -n 00 --listen
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "c9457de5fd8cafe349fd"|xxd -ps)


Level 14: 0x0048

Check out handle 0x0042 (the original file must have a typo here; it should be 0x0048) and google search gatt indicate. Keep in mind that this challenge will require you to parse multiple indicate responses in order to complete the challenge.

0x0048 says: Listen to handle 0x004a for multi indications

Same as level 12, except this time we wait for indications; it shows up after a moment.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0048|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x004a -n 00 --listen
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "b6f3a47f207d38e16ffa"|xxd -ps)


Level 15: 0x004c

Check out handle 0x004c and do what it says. Much like ethernet or wifi devices, you can also change your bluetooth device's MAC address.

Handle 0x004c says: Connect with BT MAC address 11:22:33:44:55:66, so it wants us to connect using that specific MAC address.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x004c|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'


Searching online shows that bdaddr can change the MAC address. If make fails because bluetooth/bluetooth.h is missing, install the dependency:

sudo apt-get install libbluetooth-dev

The tool's issue tracker mentions a problem with CSR devices: if the change does not take effect, try a few more times, unplugging and re-plugging the adapter after each attempt.

./bdaddr -i 00:1A:7D:DA:71:0A 11:22:33:44:55:66


Then just submit the flag as found in the source.

gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "aca16920583e42bdcf5f"|xxd -ps) 

When connecting with MAC address 11:22:33:44:55:66, reading 0x4c again gives the flag.


Level 16: 0x004e

Read handle 0x0048 (the original file must have a typo here; it should be 0x004e) and do what it says. Setting MTU can be a tricky thing. Some tools may provide mtu flags, but they don't seem to really trigger MTU negotiations on servers. Try using gatttool's interactive mode for this task. By default, the BLECTF server is set to force an MTU size of 20. The server will listen for MTU negotiations, and look at them, but we don't really change the MTU in the code. We just trigger the flag code if you trigger an MTU event with the value specified in handle 0x0048. GLHF!

Handle 0x004e says: Set your connection MTU to 444

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x004e|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'

Specifying an MTU of 444 with the -m option has no effect. Use interactive mode instead, set the mtu to 444 there, then read 0x4e again to get the flag.

# gatttool -I
[                 ][LE]> connect 64:B7:08:61:C7:A2
Attempting to connect to 64:B7:08:61:C7:A2
Connection successful
[64:B7:08:61:C7:A2][LE]> mtu 444
MTU was exchanged successfully: 444
[64:B7:08:61:C7:A2][LE]> char-read-hnd 0x4e
Characteristic value/descriptor: 62 31 65 34 30 39 65 35 61 34 65 61 66 39 66 65 35 31 35 38 
[64:B7:08:61:C7:A2][LE]> exit
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "b1e409e5a4eaf9fe5158"|xxd -ps)


Level 17: 0x0050

Check out handle 0x0050 and do what it says. This challenge differs from other write challenges as your tool that does the write needs to have write response ack messages implemented correctly. This flag is also tricky as the flag will come back as notification response data even though there is no "NOTIFY" property.

First read handle 0x50: Write+resp 'hello'. What it really wants is for you to tell --char-write and --char-write-req apart; one of them does not require a response after the write. Since I had been using --char-write-req all along, there was nothing to notice here hhh

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0050|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x0050 -n $(echo -n "hello"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "d41d8cd98f00b204e980"|xxd -ps)


Level 18: 0x0052

Take a look at handle 0x0052. Notice it does not have a notify property. Do a write here and listen for notifications anyways! Things are not always what they seem!

Handle 0x0052 says: No notifications here! really? It claims there are none, but listening still receives them.

Looking at its properties: char properties = 0x0a


Mapping the property bits (Bluetooth Core Specification v5.3, p. 1486), the permissions are as follows: indeed no notify, only read and write.

00001010  0x0a

00001000  0x08 write
00000010  0x02 read


gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0052|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x0052 -n 00 --listen
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "fc920c68b6006169477b"|xxd -ps)


In the source you can see that although the characteristic is declared with read and write only


the actual code still calls esp_ble_gatts_send_indicate to send a notification.


Level 19: 0x0054

Check out all of the handle properties on 0x0054! Poke around with all of them and find pieces to your flag.

Looking at the properties of 0x54, the value is 0x9b.


Mapping the property bits (Bluetooth Core Specification v5.3, p. 1486), they break down as follows:

10011011  0x9b

10000000  0x80 Extended Properties
00010000  0x10 Notify
00001000  0x08 write
00000010  0x02 read
00000001  0x01 Broadcast
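The two bit tables above are the Characteristic Properties field from the Core Spec. As an added Python example (not from the original post or the ble_ctf project), here is a decoder for that byte, a parser for the gatttool --characteristics line that carries it, and a check of whether a notification or indication the server actually sends was declared at all, which is the mismatch level 18 relies on; the sample declaration line is constructed and its UUID is a placeholder.

```python
# Decoder for the GATT "char properties" byte shown by gatttool
# --characteristics, using the bit names from Bluetooth Core Spec Vol 3,
# Part G, 3.3.1.1. Added example, not code from the original post.
from typing import Dict, List

# bit -> property name, in ascending bit order
CHAR_PROPERTIES = {
    0x01: "Broadcast",
    0x02: "Read",
    0x04: "Write Without Response",
    0x08: "Write",
    0x10: "Notify",
    0x20: "Indicate",
    0x40: "Authenticated Signed Writes",
    0x80: "Extended Properties",
}

# Constructed sample of a gatttool --characteristics line for the level-18
# characteristic; the declaration handle and UUID are placeholders.
SAMPLE_DECL = ("handle = 0x0051, char properties = 0x0a, "
               "char value handle = 0x0052, "
               "uuid = 00000000-0000-0000-0000-000000000000")


def decode_properties(props: int) -> List[str]:
    """Return the property names whose bits are set in a one-byte value."""
    if not 0 <= props <= 0xFF:
        raise ValueError("char properties is a single byte")
    return [name for bit, name in CHAR_PROPERTIES.items() if props & bit]


def parse_characteristic_decl(line: str) -> Dict[str, object]:
    """Parse 'handle = 0x.., char properties = 0x.., char value handle =
    0x.., uuid = ..' into integers plus the uuid string."""
    fields = {}
    for part in line.split(","):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return {
        "decl_handle": int(fields["handle"], 16),
        "properties": int(fields["char properties"], 16),
        "value_handle": int(fields["char value handle"], 16),
        "uuid": fields["uuid"],
    }


def declared_for(props: int, event: str) -> bool:
    """Whether a server-initiated event is covered by the declaration.
    Level 18 shows a server can send one regardless (0x0a has no Notify
    bit, yet the ESP32 code calls esp_ble_gatts_send_indicate), so a
    client must not treat the declared properties as a guarantee."""
    bit = {"notification": 0x10, "indication": 0x20}[event]
    return bool(props & bit)


if __name__ == "__main__":
    for value in (0x0a, 0x9b):
        print(f"0x{value:02x}: {', '.join(decode_properties(value))}")
```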


Reading 0x0054 gives the hint: So many properties!

Write anything to it, then read it again to get one part of the flag.

gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0054|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x0054 -n 00


Listen on 0x54 to get the other part of the flag.

gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x0054 -n 00 --listen
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "fbb966958f07e4a0cc48"|xxd -ps)


Level 20: 0x0056

Figure out the authors twitter handle and do what 0x0056 tells you to do!

Reading 0x0056 says: md5 of author's twitter handle

The author's Twitter handle is in the README; take the first 20 characters of md5('@hackgnar'): d953bfb9846acc2e15ee


gatttool -b 64:B7:08:61:C7:A2 --char-read -a 0x0056|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "d953bfb9846acc2e15ee"|xxd -ps)


Here is the full flag table:

gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "d205303e099ceff44835"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "5cd56d74049ae40f442e"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "2b00042f7481c7b056c4"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "3873c0270763568cf7aa"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "c55c6314b3db0a6128af"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "1179080b29f8da16ad66"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "f8b136d937fad6a2be9f"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "933c1fcfa8ed52d2ec05"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "6ffcd214ffebdc0d069e"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "5ec3772bcd00cf06d8eb"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "c7b86dd121848c77c113"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "c9457de5fd8cafe349fd"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "b6f3a47f207d38e16ffa"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "aca16920583e42bdcf5f"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "b1e409e5a4eaf9fe5158"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "d41d8cd98f00b204e980"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "fc920c68b6006169477b"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "fbb966958f07e4a0cc48"|xxd -ps)
gatttool -b 64:B7:08:61:C7:A2 --char-write-req -a 0x002c -n $(echo -n "d953bfb9846acc2e15ee"|xxd -ps)

Building the source

If you want to modify the source, you can build it inside Docker. The official build image is painful to use; someone has put one on GitHub, use that instead:

docker pull 1c3t0rm/ble_ctf:fluproject
docker run --rm -it --privileged -v /dev:/dev 1c3t0rm/ble_ctf:fluproject

Once inside, delete the original ble_ctf and copy your own source in:

docker cp ble_ctf 165e659e711e:/esp/ble_ctf

Run make menuconfig and enable Bluetooth under Component config.


Then make, and once that is done, make flash to flash it. When flashing, again hold the BOOT button on the board when "Connecting" appears.

Original post: https://www.yuque.com/hxfqg9/iot/omybby