Unable to get the ".srv " file of the ble device #14

Open
vaishakbhalli opened this issue Jul 10, 2017 · 11 comments

Comments

@vaishakbhalli

Hello, I am running ws-slave on a Pi 3 and the other end on a laptop (Kali).
I am able to get the ".adv" file but not the ".srv" file. I have run gatttool and I'm able to see the primary services and the characteristics of the BLE device, but didn't have the luck to find the "services" on the ws-slave (Pi 3). Could you shed some information on the same?

@jslawek
Contributor

jslawek commented Jul 11, 2017

Hi,

have you tried scanning the services without reading the characteristic values (scan -r option)?
In some cases - e.g. when the device requires BLE link-layer auth (= encryption) to read a specific characteristic value - the scan may "stall" at this point. Scanning without reading values should not trigger the auth - the services + characteristics are generally available without BLE bonding.

@vaishakbhalli
Author

I tried it just now with "-r" but it's still not working.
(screenshot attached: 2017-07-11 11-22-43)

@jslawek
Contributor

jslawek commented Jul 11, 2017

Can you also share the logs of the ws-slave script? An hcidump of the interface ws-slave is working on would also be useful (hcidump -i hciX -X). You can compare the hcidump of ws-slave vs gatttool on the same interface - you mentioned it worked.

BTW, NOBLE_HCI_DEVICE_ID is for ws-slave. You don't need to set it for the scan script - it just connects via websocket to ws-slave. And you can configure it in config.env - in case you have multiple adapters on the same host. If you have only one adapter, you can leave the default setting (commented).

@vaishakbhalli
Author

How do I save the hcidump to a file?

@vaishakbhalli
Author

Oops, I will post the log file in a few mins.

@vaishakbhalli
Author

Here's the dump of hci using "gatttool":
(attachment: NewgatttoolDump.zip)

@vaishakbhalli
Author

Here's the dump of hci using "ws-slave":
(attachment: ws-slavedump.zip)

@jslawek
Contributor

jslawek commented Jul 14, 2017

Hi,

based on your hcidumps, it looks like there is a problem with the initial connection to the device.
In your gatttool dump, "LE Create Connection" is followed by "LE Meta (LE Connection Complete)", and the connection is established. On the contrary, in the ws-slave dump, after the "create connection" command the controller does not return "connection complete" to the host.
There may be several reasons for that.

For starters, you can try to:

  • run ws-slave on a different laptop/host. So far I guess you ran ws-slave on localhost. You mentioned the Raspberry - just set the Raspberry's IP as WS_SLAVE in config.env and try again.
  • explore the services + characteristics using the node.js noble example script. This will help us to pinpoint the problem, as GATTacker uses noble to connect to devices:
    node_modules/noble/examples $ node peripheral-explorer.js <MAC>
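
To make the hcidump comparison described in the comment above concrete, here is an added example (not part of this thread or of GATTacker) that walks `hcidump -X` text looking for an "LE Create Connection" command and reports whether the controller ever answered with "LE Connection Complete". The two sample dumps are constructed to resemble hcidump's text format and are not the reporter's attachments.

```python
import re
from typing import Dict, List

# Constructed samples in the style of `hcidump -i hciX -X` output (not the
# reporter's real dumps). "<" is host -> controller, ">" is controller -> host.
SAMPLE_OK = """\
< HCI Command: LE Create Connection (0x08|0x000d) plen 25
> HCI Event: Command Status (0x0f) plen 4
    LE Create Connection (0x08|0x000d) status 0x00 ncmd 1
> HCI Event: LE Meta Event (0x3e) plen 19
    LE Connection Complete
      status 0x00 handle 64, role master
< ACL data: handle 64 flags 0x00 dlen 11
    ATT: Read By Group req (0x10)
"""

SAMPLE_STALLED = """\
< HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7
< HCI Command: LE Create Connection (0x08|0x000d) plen 25
> HCI Event: Command Status (0x0f) plen 4
    LE Create Connection (0x08|0x000d) status 0x00 ncmd 1
"""

def check_le_connection(dump: str) -> List[Dict[str, object]]:
    """For each host-side LE Create Connection, record whether an
    LE Connection Complete event followed it and with what status."""
    lines = dump.splitlines()
    results = []
    for i, line in enumerate(lines):
        if line.startswith("<") and "LE Create Connection" in line:
            completed, status = False, None
            for j in range(i + 1, len(lines)):
                nxt = lines[j]
                if nxt.startswith("<") and "LE Create Connection" in nxt:
                    break  # a new attempt began; the previous one never completed
                if "LE Connection Complete" in nxt:
                    completed = True
                    # hcidump prints the status on the next, deeper-indented line
                    detail = lines[j + 1] if j + 1 < len(lines) else ""
                    m = re.search(r"status 0x([0-9a-fA-F]{2})", detail)
                    status = int(m.group(1), 16) if m else None
                    break
            results.append({"line": i + 1, "completed": completed, "status": status})
    return results

def diagnose(dump: str) -> str:
    """One-line verdict on the last connection attempt in the dump."""
    attempts = check_le_connection(dump)
    if not attempts:
        return "no LE Create Connection command found in dump"
    last = attempts[-1]
    if not last["completed"]:
        return "controller never returned LE Connection Complete (stalled at link layer)"
    if last["status"] != 0:
        return f"LE Connection Complete with error status 0x{last['status']:02x}"
    return "connection established"
```

Run it over a saved dump (`hcidump -i hci0 -X > ws-slave.txt`, then `diagnose(open("ws-slave.txt").read())`) to get the same verdict the maintainer reached by reading the two dumps by hand.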

@Silipwn

Silipwn commented Oct 19, 2018

Hello there, I was facing the same error while trying to scan my smart watch for the services file. I'm running ws-slave on my laptop and ws-master on the Raspberry Pi. It was possible for me to successfully perform a MITM with a Bluetooth bulb; not sure why it doesn't work with the watch.

@jslawek
Contributor

jslawek commented Oct 21, 2018

Hi,
have you tried scanning the services without reading the characteristic values (scan -r option), as mentioned in the comments above?
The watch may use secure link-layer Bluetooth pairing. You can confirm it in the Bluetooth settings of your phone - whether it is on the list of paired devices. In such a case, some characteristics may require prior "authentication" (pairing) to access. That's why scanning - which by default reads the characteristic values - will not work. You should be able to scan only the services + characteristic UUIDs without reading values (-r), but in case the connection is link-layer encrypted, you won't be able to MITM it anyway (GATTacker does not support it).

@Silipwn

Silipwn commented Oct 22, 2018

The scan -r option didn't work :| And I think the watch is on the list of paired devices. Thanks for the help.
