sweyntooth_bluetooth_low_energy_attacks's People

Contributors

akemnade, matheus-garbelini

sweyntooth_bluetooth_low_energy_attacks's Issues

How to choose softdevice

@Matheus-Garbelini
I cannot flash the hex program to the device by nRF Connect.

DFU failed: Error message for known extended error code from DFU target: The array of supported SoftDevices for the update does not contain the FWID of the current SoftDevice.
16:58:27.693 Device not found due to failure during DFU

Script can't find device unless a second app is scanning

OK, this is a weird one. It's been happening for a while, but I thought I was imagining things. Using the link_layer_length_overflow script (probably others as well), the script gets stuck with the following line being repeated endlessly

TX ---> BTLE_ADV / BTLE_SCAN_REQ

That is, until I open a second app that is also looking for advertisements. This could be our specific BLE Host Application, but it also works to simply open LightBlue on my phone. It clearly shows that our device is advertising, but the mere act of opening LightBlue unwedges the python script and it proceeds normally. I hope I've stated this clearly.

I glossed over this while doing the testing, but now that I'm writing up a report I need to be more formal, because anyone else running this test will get stuck without knowing this trick, and it isn't acceptable to have this mystery hanging about.

How would I go about figuring out what is going on here? I do have an Ellisys Bluetooth Tracker, but must admit that I'm not an expert on using it. If it is necessary to gain that knowledge to get to the bottom of it, then I'll have to do that.

Thanks for all your help so far. You've been really responsive.

AttributeError: AdvA

Hi, all
Traceback (most recent call last):
  File "Telink_zero_ltk_installation.py", line 234, in <module>
    if (BTLE_SCAN_RSP in pkt or BTLE_ADV in pkt) and pkt.AdvA == advertiser_address.lower() and connecting == False:
  File "/home/janlice/sweyntooth/sweyntooth_bluetooth_low_energy_attacks/libs/scapy/packet.py", line 368, in __getattr__
    return self.payload.__getattr__(attr)
  File "/home/janlice/sweyntooth/sweyntooth_bluetooth_low_energy_attacks/libs/scapy/packet.py", line 368, in __getattr__
    return self.payload.__getattr__(attr)
  File "/home/janlice/sweyntooth/sweyntooth_bluetooth_low_energy_attacks/libs/scapy/packet.py", line 368, in __getattr__
    return self.payload.__getattr__(attr)
  File "/home/janlice/sweyntooth/sweyntooth_bluetooth_low_energy_attacks/libs/scapy/packet.py", line 366, in __getattr__
    fld, v = self.getfield_and_val(attr)
  File "/home/janlice/sweyntooth/sweyntooth_bluetooth_low_energy_attacks/libs/scapy/packet.py", line 1585, in getfield_and_val
    raise AttributeError(attr)
AttributeError: AdvA
I have run into a problem: when I run Telink_zero_ltk_installation.py, I always get AttributeError: AdvA. Does anyone know what's going on?

Question about BR connection

I have set up the framework and want to know whether there is any Python file focused on BR/EDR connections. And do you have plans to test profiles based on BR/EDR connections?
Thank you.

Error running Telink_key_size_overflow.py

I've managed to successfully DFU the Nordic dongle and retrieve the MAC address of my DUT. I've created a Python 2.7 environment to run in. However, when I try the first test, I get an internal error. Can you tell me what it means? I'm running this on Mac OS Catalina, but I don't think that has anything to do with this error. But maybe I'm wrong. Here's the error:

(Base27) andy@Andrews-MacBook-Pro-2 sweyntooth_bluetooth_low_energy_attacks-master % python Telink_key_size_overflow.py /dev/tty.usbmodem143301 C1:0B:D7:A9:6B:81
Traceback (most recent call last):
  File "Telink_key_size_overflow.py", line 12, in <module>
    from drivers.NRF52_dongle import NRF52Dongle
  File "/Users/andy/Downloads/sweyntooth_bluetooth_low_energy_attacks-master/drivers/NRF52_dongle.py", line 8, in <module>
    from scapy.layers.bluetooth4LE import BTLE, NORDIC_BLE
  File "/Users/andy/Downloads/sweyntooth_bluetooth_low_energy_attacks-master/libs/scapy/layers/bluetooth4LE.py", line 21, in <module>
    from scapy.layers.bluetooth import EIR_Hdr, L2CAP_Hdr
  File "/Users/andy/Downloads/sweyntooth_bluetooth_low_energy_attacks-master/libs/scapy/layers/bluetooth.py", line 28, in <module>
    from scapy.sendrecv import sndrcv
  File "/Users/andy/Downloads/sweyntooth_bluetooth_low_energy_attacks-master/libs/scapy/sendrecv.py", line 36, in <module>
    import scapy.route # noqa: F401
  File "/Users/andy/Downloads/sweyntooth_bluetooth_low_energy_attacks-master/libs/scapy/route.py", line 194, in <module>
    conf.route = Route()
  File "/Users/andy/Downloads/sweyntooth_bluetooth_low_energy_attacks-master/libs/scapy/route.py", line 27, in __init__
    self.resync()
  File "/Users/andy/Downloads/sweyntooth_bluetooth_low_energy_attacks-master/libs/scapy/route.py", line 35, in resync
    self.routes = read_routes()
  File "/Users/andy/Downloads/sweyntooth_bluetooth_low_energy_attacks-master/libs/scapy/arch/unix.py", line 82, in read_routes
    netif = rt[4 + mtu_present + prio_present + refs_present + locked]
IndexError: list index out of range

Encryption Error

Hi @Matheus-Garbelini ,

When I am running "python Telink_zero_ltk_installation.py /dev/ttyACM0 " on a Fedora machine and initiating a connection to our DUT, I am getting an encryption error. Please find the logs below:
TX ---> BTLE_ADV / BTLE_CONNECT_REQ
RX <--- BTLE_DATA / CtrlPDU / LL_VERSION_IND
TX ---> BTLE_DATA / CtrlPDU / LL_FEATURE_REQ
RX <--- BTLE_DATA / L2CAP_Hdr / SM_Hdr / SM_Security_Request
Slave requested authentication of 0xd
We are using authentication of 0x9
TX ---> BTLE_ADV / BTLE_SCAN_REQ
88:DA:1A:EB:8D:E6: BTLE_ADV / BTLE_ADV_IND Detected
TX ---> BTLE_ADV / BTLE_CONNECT_REQ
RX <--- BTLE_DATA / CtrlPDU / LL_VERSION_IND
TX ---> BTLE_DATA / CtrlPDU / LL_FEATURE_REQ
RX <--- BTLE_DATA / L2CAP_Hdr / SM_Hdr / SM_Security_Request
Slave requested authentication of 0xd
We are using authentication of 0x9
RX <--- BTLE_DATA / CtrlPDU / LL_FEATURE_RSP
TX ---> BTLE_DATA / CtrlPDU / LL_LENGTH_REQ
RX <--- BTLE_DATA / CtrlPDU / LL_LENGTH_RSP
TX ---> BTLE_DATA / L2CAP_Hdr / SM_Hdr / SM_Pairing_Request
RX <--- BTLE_DATA / L2CAP_Hdr / SM_Hdr / SM_Pairing_Response
TX ---> BTLE_DATA / CtrlPDU / LL_ENC_REQ
RX <--- BTLE_DATA / CtrlPDU / LL_ENC_RSP
Traceback (most recent call last):
  File "Telink_zero_ltk_installation.py", line 338, in <module>
    conn_session_key = bt_crypto_e(conn_ltk[::-1], conn_skd[::-1])
  File "Telink_zero_ltk_installation.py", line 116, in bt_crypto_e
    return aes.encrypt(plaintext)
  File "/usr/lib/python2.7/site-packages/Crypto/Cipher/blockalgo.py", line 244, in encrypt
    return self._cipher.encrypt(plaintext)
TypeError: argument must be string or read-only buffer, not bytearray.

My analysis is that it is using encrypt from the Fedora library, not from our /lib/smp_server.
Can you please help me out?

Thanks
Charan

Question about the vulnerabilities.

Hello,

Sorry if I'm missing something in the documentation, but are there 18 or 14 vulnerabilities? If there are 18, where are the other 4? If the extra folders present other vulnerabilities, then wouldn't it be 26 total? Please help me understand.

Thanks in advance!

Vulnerable peripherals

Hi @Matheus-Garbelini, thanks for your great work!
I am new to BT CVEs. How can I know which type of board, BT stack or constrained device is vulnerable to a certain CVE?
Could you share the vulnerable peripherals you used to test this project as examples?
Appreciate it!

device cannot be correctly detected again after the firmware is flashed

Hello there,
I flashed the firmware as described in the guideline.

nrfutil dfu usb-serial -p /dev/ttyACM0 -pkg nRF52_driver_firmware.zip

It succeeds the first time and leaves me with a 100% progress bar.

However, the next time I plug in my nRF52840, everything goes wrong...

nRF Connect shows the following (screenshot attached).

In addition, the script that succeeded before now fails with the errors below

# nrfutil dfu usb-serial -p /dev/ttyACM0 -pkg ./sweyntooth_bluetooth_low_energy_attacks/nRF52_driver_firmware.zip
2020-11-16 10:34:41,980 No trigger interface found for device with serial number: D5DADB9ADEDF5D06, Product ID: 0x8029 and Vendor ID: 0x239A


Traceback (most recent call last):
  File "/home/lin/workplace/bluetooth/2.7env/bin/nrfutil", line 8, in <module>
    sys.exit(cli())
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/nordicsemi/__main__.py", line 1001, in usb_serial
    timeout)
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/nordicsemi/__main__.py", line 956, in do_serial
    dfu.dfu_send_images()
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/nordicsemi/dfu/dfu.py", line 121, in dfu_send_images
    self._dfu_send_image(self.manifest.softdevice)
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/nordicsemi/dfu/dfu.py", line 90, in _dfu_send_image
    self.dfu_transport.open()
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/nordicsemi/dfu/dfu_transport_serial.py", line 216, in open
    self.__set_prn()
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/nordicsemi/dfu/dfu_transport_serial.py", line 360, in __set_prn
    self.__get_response(DfuTransportSerial.OP_CODE['SetPRN'])
  File "/home/lin/workplace/bluetooth/2.7env/local/lib/python2.7/site-packages/nordicsemi/dfu/dfu_transport_serial.py", line 488, in __get_response
    raise NordicSemiException('No Response: 0x{:02X}'.format(resp[0]))
pc_ble_driver_py.exceptions.NordicSemiException: No Response: 0x44

I use Ubuntu 18.04, with the latest J-Link and nRF Connect for Desktop.

The same error also occurs in my Windows 10 environment.

I don't know what to do next to recover my dongle or fix this. Can you offer any advice?
Looking forward to any possible way out.

Test scripts in general

Hi Matheus,

Thanks for sharing the test scripts. I have however some comments related to your test suite.

I'm running your test suite and noticed several discrepancies between the script behavior and the description of the threat (https://asset-group.github.io/disclosures/sweyntooth/).

For instance, link_layer_length_overflow does not send a corrupted LL_VERSION_IND (LLCP), but it sends a corrupted ACL packet (SMP Pairing Request) which is more related to an L2CAP issue and LL.

In addition, LLID Deadlock seems not to send corrupted LLID value in any of the transmitted packet.

And I also experienced some issues in reproducing Zero LTK installation, as the tester does not initiate the pairing procedure...

Best regards,
Guillaume

Questions about firmware reverse

Sorry to bother you again!

Hi, maybe it is not appropriate to raise the question here.
These days I am trying to do more research on BLE controllers and I have run into some problems. I have a Raspberry Pi 4B now; I want to get its firmware and try to analyse it statically.
I tried to use internalblue to get the firmware, but it gets stuck when using the command "dumpmem". I will try to solve this problem myself (or do you have some ideas?). The main problem is which program should be used to analyse the firmware (IDA?).

Or are there any other methods to get the firmware? It is a hard question for me because nobody around me does research on it. Hope to get an answer or some hints.

Best,
W

Invalid non-compliance warning

Howdy,

In knob_tester_ble.py (line 245) there is a misbehaving check that prints a colorful warning:

elif check_range(accepted_keys, 16, 17): print(Fore.RED + 'Peripheral accepts key size greater than 16. Non-compliance!!!')

The problem is that check_range returns True if accepted_keys is [16].

Compiling smp_server on Windows

Hi Matheus,

When trying to test with non_compliance_dhcheck_skip.py I would need to install BLESMPServer.

But I'm having trouble compiling the BLESMPServer on a Windows machine. stdint.h, sys/uio.h and many more files are missing.
Do you have a solution?
Thanks,
Hung

Question about the LED colors of the nRF dongle flashed with the firmware.

Hello,

I would like to know what the meaning of the LED colors of the nRF dongle is.

I have trouble when using this firmware. Sometimes both of the nRF dongle's LEDs light up even after I have stopped receiving or sending packets. What's more, after this situation has persisted for a while, the nRF dongle can't receive or send packets any more.

How can I pinpoint this problem? Could I get some more information about the LEDs and LED colors?

nrf firmware question

Hi,
Does the firmware nRF52_driver_firmware.hex only work on the nRF52840? I flashed the firmware onto an nRF52832 and it could not work.

llid_deadlock.py test script hanging

(screenshot attached)
I am trying to run the llid_deadlock.py test script and the program keeps hanging at the same spot. I have the nRF52840 dongle and have flashed the firmware as described by the ReadMe.txt file. After programming the dongle I tried running the test script with the command "python llid_deadlock.py /dev/ttyACM0 21:A8:1F:DE:F0:E8" which didn't work due to permissions regarding ttyACM0. I ran the command "dmesg | grep tty" which returned a new port "ttyS4" which had the appropriate baud rate of the nRF dongle and only showed up after the dongle was programmed. Running "python llid_deadlock.py /dev/ttyS4 21:A8:1F:DE:F0:E8" led to minor success. The script ran until it hung at the output "TX ---> BTLE_ADV / BTLE_SCAN_REQ" and continuously repeated the same output indefinitely, as seen in the screenshot.
I have run through the script's Python file and I think the error is in the /drivers/NRF_dongle.py file at line 95 in the raw_receive class function declaration. "c = self.serial.read(1)" returns " b' ' ". The following 'if' statement is not triggered so raw_receive has no value. From what I can tell data has a value of 'None' in llid_deadlock.py, which is preventing the script from completing the Bluetooth attack.
I am running the script on an Ubuntu 18.04 machine with the nRF52840 dongle. I am using a Fitbit Inspire HR to run the attack against in case that information is pertinent.

Missing import

Hi,
first of all: great work with this research!

When I first tried to run CC_connection_req_crash.py I got undefined reference to method raw.
I had to import it manually by:
from scapy.compat import raw

Does it work straight out of the box for you?

Question about sending custom BLE packet

Hi @Matheus-Garbelini ,

First of all, thanks for this work!

I am trying to send custom BLE packets by modifying the Python script, and sniffing packets with Wireshark.

I find that:

1. When sending SCAN_REQ with a valid advertiser address (the advertising address of a real peripheral), the LED of the nRF52840 flashes blue, and Wireshark can sometimes sniff the sent packet.
(code, logs and Wireshark capture attached as images)

2. When sending SCAN_REQ with an invalid advertiser address (an advertising address not used by any peripheral), the LED of the nRF52840 stays blue, and Wireshark cannot sniff the sent packet.
(code and a photo of the nRF52840 attached as images)

3. When sending a custom ADV_NONCONN_IND, the LED of the nRF52840 stays blue, and Wireshark cannot sniff the sent packet.
(code and the pcap saved by wrpcap attached as images)

And the questions are:
1. Why can the nRF52840 send SCAN_REQ only with a valid advertiser address? Is there any additional logic in the firmware?
2. What does it mean that the LED of the nRF52840 stays blue? Is that an abnormal state? How can I confirm that the packet is sent over the air successfully?
3. Can I send custom ADV_NONCONN_IND packets (more specifically, custom BLE mesh packets) with your firmware? If so, could you give me a hint about how to do it?

Appreciate your help.

Regards,
yan_xiao_xi

Compatible with Adafruit feather nrf52?

Hi,
thanks for this research! I'm currently trying to reproduce it, but only have an Adafruit Feather nRF52 at hand. It has the same chip, but is connected with a USB-UART adapter and therefore shows up as /dev/ttyUSB0 (instead of /dev/ttyACM0).

When I try to flash it, I get the following error:

# adafruit-nrfutil dfu usb-serial -p /dev/ttyUSB0 -pkg nRF52_driver_firmware.zip 
2020-03-11 16:42:06,065 No trigger interface found for device with serial number: 018C5CD3, Product ID: 0xEA60 and Vendor ID: 0x10C4


Traceback (most recent call last):
  File "/bin/adafruit-nrfutil", line 11, in <module>
    load_entry_point('adafruit-nrfutil==0.5.3.post12', 'console_scripts', 'adafruit-nrfutil')()
  File "/usr/lib/python3.8/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3.8/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.8/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.8/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3.8/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/nordicsemi/__main__.py", line 993, in usb_serial
    do_serial(package, port, connect_delay, flow_control, packet_receipt_notification, baud_rate, serial_number, False,
  File "/usr/lib/python3.8/site-packages/nordicsemi/__main__.py", line 949, in do_serial
    dfu.dfu_send_images()
  File "/usr/lib/python3.8/site-packages/nordicsemi/dfu/dfu.py", line 119, in dfu_send_images
    self._dfu_send_image(self.manifest.softdevice)
  File "/usr/lib/python3.8/site-packages/nordicsemi/dfu/dfu.py", line 88, in _dfu_send_image
    self.dfu_transport.open()
  File "/usr/lib/python3.8/site-packages/nordicsemi/dfu/dfu_transport_serial.py", line 217, in open
    self.__get_mtu()
  File "/usr/lib/python3.8/site-packages/nordicsemi/dfu/dfu_transport_serial.py", line 366, in __get_mtu
    self.mtu = struct.unpack('<H', bytearray(response))[0]
TypeError: cannot convert 'NoneType' object to bytearray

I can run the Python2 scripts (after fixing some stupid tabs vs. spaces issues), but I don't see any advertisements.

# python2 link_layer_length_overflow.py /dev/ttyUSB0 C3:38:99:XX:XX:XX
Serial port: /dev/ttyUSB0
Advertiser Address: C3:38:99:XX:XX:XX
TX ---> BTLE_ADV / BTLE_SCAN_REQ
Waiting advertisements from c3:38:99:XX:XX:XX
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
[...snip...]

I'm new to Bluetooth hacking. Do you think your code will ever work with the Adafruit or is it easier to just buy the correct dongle?

Thanks, Klaus

nRF52840 Development Kit not working with the python scripts

Hi Matheus,

I have flashed driver.hex and softdevice.hex using the nRF Connect app onto the nRF52840 Development Kit. When I run any script on Fedora, I see the issue below
[root@cpu295 sweyntooth_bluetooth_low_energy_attacks-master]# python Telink_key_size_overflow.py /dev/ttyACM0 88:DA:1A:B6:82:DA
Serial port: /dev/ttyACM0
Advertiser Address: 88:DA:1A:B6:82:DA
TX ---> BTLE_ADV / BTLE_SCAN_REQ
Waiting advertisements from 88:da:1a:b6:82:da
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
TX ---> BTLE_ADV / BTLE_SCAN_REQ
^CTraceback (most recent call last):
  File "Telink_key_size_overflow.py", line 80, in <module>
    data = driver.raw_receive()
  File "/work/nlink_host/WSDK_2.6.0/Sandeep/sweyntooth_bluetooth_low_energy_attacks-master/drivers/NRF52_dongle.py", line 75, in raw_receive
    c = self.serial.read(1)
  File "/usr/lib/python2.7/site-packages/serial/serialposix.py", line 483, in read
    ready, _, _ = select.select([self.fd, self.pipe_abort_read_r], [], [], timeout.time_left())
KeyboardInterrupt

Can you please help me to resolve this issue.

Thanks
Charan

Truncated L2CAP attack misalignment between script and paper

According to the White Paper:

If the total length of the packet (i.e. LL Length) has
a value lower than L2CAP Length + 4 for a valid payload,
then the truncated bytes are copied beyond the underlying
reception buffer.

In the example (fig. 6 of the white paper) the L2CAP Length is set to 3, while LL Length is 5 (5 < 3+4) and the L2CAP reception buffer is overflowed by two bytes (i.e. L2CAP Length+4−LL Length).

Trying to execute:
DA14580_exploit_att_crash.py
at line 139, the bytes to send are set to:
length_req = BTLE('7083329a02070000040010edea874aac'.decode('hex')) # att

In the packet above the L2CAP Length is set to 0 and LL Length to 7 (LL Length > L2CAP Length + 4). This is not in accordance with what is stated in the paper (see the Wireshark capture in the attachment).
(Wireshark capture attached)

I've tried to change the script, but I'm not able to calculate the CRC.
Thanks for the support.
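The length relation discussed in this issue, as an added example that is not code from the repository or the white paper: it parses the LL data PDU quoted above and applies the paper's rule (a valid L2CAP frame has LL Length == L2CAP Length + 4), which is the check a receiving stack must make before copying the payload into its reception buffer. The two extra packets and all CRC bytes are constructed for illustration and are not valid on the air.

```python
# Added example: classify a raw LL data packet by the LL Length / L2CAP Length
# relation from the SweynTooth white paper. Not part of the repository's scripts.
import struct

ACCESS_ADDRESS_LEN = 4
CRC_LEN = 3
L2CAP_HDR_LEN = 4        # 2-byte L2CAP Length + 2-byte CID
LLID_L2CAP_START = 0x02  # LL Data PDU carrying the start of (or a complete) L2CAP message


def parse_ll_data_pdu(raw: bytes) -> dict:
    """Split AA | LL header | payload | CRC and cross-check LL Length with the wire."""
    if len(raw) < ACCESS_ADDRESS_LEN + 2 + CRC_LEN:
        raise ValueError("packet too short for access address, LL header and CRC")
    header, ll_length = raw[ACCESS_ADDRESS_LEN], raw[ACCESS_ADDRESS_LEN + 1]
    payload = raw[ACCESS_ADDRESS_LEN + 2 : len(raw) - CRC_LEN]
    if len(payload) != ll_length:
        raise ValueError(f"LL Length {ll_length} but {len(payload)} payload bytes on the wire")
    return {"llid": header & 0x03, "ll_length": ll_length, "payload": payload}


def check_l2cap_length(ll_length: int, l2cap_length: int) -> dict:
    """Apply the white paper's rule: LL Length must equal L2CAP Length + 4.

    'truncated' is the case the paper describes (LL Length < L2CAP Length + 4):
    a stack that trusts L2CAP Length copies 'delta' bytes beyond what was received.
    """
    expected = l2cap_length + L2CAP_HDR_LEN
    if ll_length < expected:
        return {"status": "truncated", "delta": expected - ll_length}
    if ll_length > expected:
        return {"status": "oversized", "delta": ll_length - expected}
    return {"status": "consistent", "delta": 0}


def analyse_packet(raw: bytes) -> dict:
    """Parse the LL PDU, then the L2CAP header, and classify the length relation."""
    pdu = parse_ll_data_pdu(raw)
    if pdu["llid"] != LLID_L2CAP_START:
        return {**pdu, "status": "not_l2cap_start", "delta": 0}
    if len(pdu["payload"]) < L2CAP_HDR_LEN:
        return {**pdu, "status": "short_l2cap_header", "delta": 0}
    l2cap_length, cid = struct.unpack_from("<HH", pdu["payload"])
    result = check_l2cap_length(pdu["ll_length"], l2cap_length)
    return {**pdu, "l2cap_length": l2cap_length, "cid": cid, **result}


# The exact bytes from DA14580_exploit_att_crash.py quoted in the issue:
# AA 7083329a, LL header 02 07, L2CAP Length 0, CID 4 (ATT), 3 ATT bytes, CRC.
SCRIPT_PACKET = bytes.fromhex("7083329a02070000040010edea874aac")

# Constructed to mirror fig. 6 of the paper: L2CAP Length 3 but LL Length 5.
# CRC bytes are a placeholder, not a valid BLE CRC.
TRUNCATED_PACKET = bytes.fromhex("7083329a" + "0205" + "0300040001" + "000000")

# Constructed well-formed frame: L2CAP Length 3, LL Length 7 (placeholder CRC).
CONSISTENT_PACKET = bytes.fromhex("7083329a" + "0207" + "03000400010203" + "000000")


if __name__ == "__main__":
    for name, pkt in [("script", SCRIPT_PACKET), ("fig6-like", TRUNCATED_PACKET),
                      ("consistent", CONSISTENT_PACKET)]:
        r = analyse_packet(pkt)
        print(f"{name:<11} LL Length={r['ll_length']} L2CAP Length={r.get('l2cap_length')} "
              f"-> {r['status']} (delta {r['delta']})")
```

Run on the script's packet it reports "oversized" with a delta of 3, which is the discrepancy the issue points out; only the fig. 6 shape is reported as "truncated".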

NRF52_CMD_CHECKSUM_ERROR

Thank you for your open-source sharing.
When I use the examples, I always get NRF52_CMD_CHECKSUM_ERROR like this (screenshot attached).

My device is an nRF52840 MDK USB Dongle. I used the uf2boot method to convert the hex to UF2, then updated the firmware.

some questions about capturing the ble packets

Hi, you have done outstanding work.

When reproducing the work, I ran into a bit of trouble. I can only capture the adv packets, either using Ubertooth or the nRF52840, which means I cannot get other BLE packets such as "acl data". So I want to know how to capture the other BLE messages exchanged.

Thank you !

Question about firmware's source code

Hello @Matheus-Garbelini,
I am now trying to send broadcast packets to a BLE device using the firmware that you supply in this repository and it doesn't work. After reading some issues, it seems that this firmware doesn't implement a broadcast function?

I am very interested in the source code of the firmware. Could I please ask if it would be possible to obtain the source code for the purpose of analysis and potential modifications? Your assistance would be greatly appreciated.

Regards,
Xiaobye

Routine code about the device under test

I don't know what kind of routine you used to test the device. I tested the ESP32 myself, using the official gatt_server code. Most of the data packets captured by esp32_hci_desync.py are empty packets. Is it me, or is the reason the wrong routine being used? Here I would like to ask what routine you use, thank you!

Acknowledge the usage of Scapy

Hi,

Thanks for this work. It is really interesting and useful!

I have noticed that you are using Scapy in your PoC. Could you consider acknowledging Scapy in the repository or in your paper?
We spend some of our free time maintaining Scapy, and that helps us make our work visible.

Thanks,
Guillaume

Silicon Labs SoCs

There is nothing in the report about Silicon Labs SoCs, but have they been subject to testing from your side?
I'm especially interested in the Blue Gecko SoCs.
As far as I can see they implemented some protection on another product.

Cheers and keep up the good work!

Firmware question

Hello,

Sorry if I missed it, but is the firmware open source? If not can you at least give some hints what it's based on?

Thanks,
Aditya

ImportError: No module named html.parser

Testing on a raspberry pi 4b running raspbian, with nRF dongle attached.

pi@pi1:~/Downloads/sweyntooth_bluetooth_low_energy_attacks $ sudo apt-get install python2.7
Reading package lists... Done
Building dependency tree       
Reading state information... Done
python2.7 is already the newest version (2.7.16-2+deb10u1).
python2.7 set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 398 not upgraded.
pi@pi1:~/Downloads/sweyntooth_bluetooth_low_energy_attacks $ sudo pip install -r requirements.txt
Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Requirement already satisfied: pyserial in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 1)) (3.4)
Collecting nrfutil (from -r requirements.txt (line 2))
  Using cached https://files.pythonhosted.org/packages/95/bd/c69458ec1b9f66b5874bcf7df60f4e768b5fa137663637241628bfdea135/nrfutil-5.2.0.tar.gz
Collecting pycryptodome (from -r requirements.txt (line 3))
  Using cached https://files.pythonhosted.org/packages/b8/2e/cf9cfd1ae6429381d3d9c14c8df79d91ae163929972f245a76058ea9d37d/pycryptodome-3.17.tar.gz
Requirement already satisfied: six in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 4)) (1.12.0)
Collecting behave~=1.0 (from nrfutil->-r requirements.txt (line 2))
  Using cached https://files.pythonhosted.org/packages/a8/6c/ec9169548b6c4cb877aaa6773408ca08ae2a282805b958dbc163cb19822d/behave-1.2.6-py2.py3-none-any.whl
Requirement already satisfied: click~=7.0 in /usr/lib/python2.7/dist-packages (from nrfutil->-r requirements.txt (line 2)) (7.0)
Collecting crcmod~=1.7 (from nrfutil->-r requirements.txt (line 2))
  Using cached https://files.pythonhosted.org/packages/6b/b0/e595ce2a2527e169c3bcd6c33d2473c1918e0b7f6826a043ca1245dd4e5b/crcmod-1.7.tar.gz
Collecting ecdsa~=0.13.0 (from nrfutil->-r requirements.txt (line 2))
  Using cached https://files.pythonhosted.org/packages/a6/81/2b170b460c84fdc8700cf08aa077ac6a9ff41f4ad3f05d0b3a64ba9f8f2e/ecdsa-0.13.3-py2.py3-none-any.whl
Requirement already satisfied: enum34~=1.0 in /usr/lib/python2.7/dist-packages (from nrfutil->-r requirements.txt (line 2)) (1.1.6)
Collecting intelhex~=2.2 (from nrfutil->-r requirements.txt (line 2))
  Using cached https://files.pythonhosted.org/packages/97/78/79461288da2b13ed0a13deb65c4ad1428acb674b95278fa9abf1cefe62a2/intelhex-2.3.0-py2.py3-none-any.whl
Collecting libusb1~=1.7 (from nrfutil->-r requirements.txt (line 2))
  Using cached https://files.pythonhosted.org/packages/e3/cb/f34ab448d097b5d09b5f6dfc23ddd43bef6f524ed72bd09c9ce6af3ab470/libusb1-1.10.1.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-install-obi53N/libusb1/setup.py", line 22, in <module>
        from html.parser import HTMLParser
    ImportError: No module named html.parser
    
    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-obi53N/libusb1/
