
Dump and replay

securing edited this page Apr 6, 2017 · 2 revisions


Starting from version 0.2.0, GATTacker supports dumping transmitted data to files and replaying it later. Replay is also possible with the nRF Connect Android mobile application.

Dump files are written to the path configured by DUMP_PATH in config.env (by default dump). The scanner saves one log file per device there, named after the device MAC address, containing the intercepted transmission.

File format

Logs are saved in text format, one entry per line:

timestamp | type | service UUID (optional name) | characteristic UUID (optional name) | hex data (ascii data)

Example:

2017.03.24 17:55:10.930 | > R | 180f (Battery Service) | 2a19 (Battery Level) | 50 (P)

The type field can be one of:

> R - received read
> N - received notification
< W - sent write request (without response)
< C - sent write command (with response)

Standard (Bluetooth SIG-assigned) UUIDs are written in their short 16-bit form. Communication intercepted via hooks is currently not logged.

An example dump of sniffed smart lock communication (password 12345678) is included as dump/f4b85ec06ea5.log.

Replay

A recorded log file can be replayed. Before replaying, you may also modify the recorded file, or create your own from scratch.

Using GATTacker

The replay feature is experimental. Only write requests are replayed to the device; reads and notifications are skipped. The replay.js script takes two parameters: the input file (a GATTacker log) and the target device MAC/Id. An optional third parameter is a previously scanned device services file. It is not required, but providing it speeds things up a bit, because the ws-slave GATTacker does not have to scan for services again. Example:

node replay -i dump/f4b85ec06ea5.log -p f4b85ec06ea5 -s devices/f4b85ec06ea5.srv.json

Using mobile application

The nRF Connect Android mobile application has a "Macros" feature, which can replay a BLE transmission from an input XML file.

To convert the GATTacker log format to nRF XML, use the gattacker2nrf script. Syntax example:

node gattacker2nrf -i dump/f4b85ec06ea5.log > dump/f4b85ec06ea5.xml

The script takes an input file in GATTacker log format and writes the nRF XML file to stdout. Next, import the file into nRF Connect and run the macro. It is visible in nRF Connect as "gattacker replay".

The optional "assert value" tags (which expect specific read/notify values) are commented out by default:

<!-- <assert-value description="optional value condition" value="50" /> -->

More information about the nRF Connect macros and XML format:

https://github.com/NordicSemiconductor/Android-nRF-Connect/tree/master/documentation/Macros

Using WS proxy

Note: it is still possible to proxy-chain the websocket data exchanged between GATTacker modules through a websocket proxy (e.g. ZAP, Burp), and thus replay specific websocket requests carrying a characteristic read or write.
