#WhisperPair exploiter for bruce

Hi guys! I recently heard abt whisperpair (https://whisperpair.eu/) na exploit which basically lets u hijack most bluetooth devices and i thought wouldnt it be cool if you could do that with bruce and so i did

https://github.com/rylena/whisperPairForBruce

heres my script feel free to use it and if theres any way for this to ber published on the bruce store that would be greatly appreciated

I've been precisely trying to work on that for like a week now but haven't yet managed to got it working. The biggest challenging being the limitations of the nimble library as we can't use both the nimble and the bluedroid stack togetter and to change to bluedroid stack would mean having to either refactor the rest of the ble functions or make the users having to restart devices after using one so they can use the other...not a good sollution...so im trying with what we already have...not easy...when I manage to get the devices to be scanned correctly I can't get a connection to be established...we shall see

yo same i tried doing it the exact same way as u were but then i realized i can just do it in javascript and it actually works

Yeah it probably does and it works better from an android phone as it has all what's needed baked in...but i haven't given up just yer

...that code is geting longer by the day tho haha

could u send me ur repo

would love to see how u did it so far

also pls pls pls test mine out

idk how well it works yet

Well ok id sure like to try yours. And we'll im just testing something out as changing my connection strategy so in like an hour or so I'll post the repo so you'll be able to see how it's going so far. The only reason I dont do it right away is precisely cause of this strategy change which if you go check now means you won't have the actual implementation yet

alrighty take ur time just send me repo when u think its ready

Yeah taking a bit longer as still facing some issues with the scan so cant test the rest...even if not ready, at least when the scan issue will be fixed I'll post it so you can take a look

Magnificent

i see i see

And i took a look at your code ...seems a good implementation indeed. Couldn't test it yet tho as im in the middle of editing some of mine and losing a few brain cells in the process haha but at least if I can get it to work that will be all good

lmao its fine

i really do want to test it now cus i just made some changes

i literally just commited them so in the enxt day or two or when ever ur free

pls try it out

Your telling me that a new version of this js is available?

yes

did u try the old one?

I'm tryin it rn

did it ... work?

did the old version work?

I'm tryin

alrighty

try the new version

should work better

When

rn

its out

Well it's stuck in starting ble scan

i seee

try connecting ur earbuds to ur phone

it should eventually pick it up

Ok

also make sure the earbuds are vulnerable to this

https://whisperpair.eu/

I don't think a cheap "SIKENAI LY-C400" is vulnerable tbh I don't really use earbuds I found some cheap ones laying around and decided to test it out

i seeeeee

u would need somethign with fast pair enabled

but a lot of cheap headphones do habe that

@stark pike if u do try it and it dosent work try the previous script

I did try the first version of your js and it was stuck at "starting BLE scan"

Yeah i know but first step is geting them to be detected and either i get none or just a few...so im trying to get it to detect all devices then ive already implement in the code to test if they have fastpair capabilities and are vulnerable. If so it will try the exploit...but for now I gotta pass thru the connection issue

It seems it's scanning ble

After how many seconds shall I esc?

yeah i forgot to put in something to autostop the ble it shouldve stopped when ti detects a vuln device

30 usually if ur near a vuln device

fixed that in version 2

i mean something is better then nothign

True that

does this work?

Yesssss

What does it do

Uhh

Latest beta btw

Yeah use the latest release.

I need some help everytime I run it it just puts my stick c plus 2 into it's booting screen

You need to update the script with the new version of Bruce, as the script is not working.

has anyone gotten this to work yet

From what I can see, no, and they haven't responded for days.

Well i have a set of exploits that i've been working on but needs testing.

Maybe other devs can help making it work better or at all but definitely would be apreciated if some ppl could test with working fastpair devices and others and feedback on it

https://github.com/Ninja-jr/Bruce_firmware/releases/tag/betaRelease

But what is it about? Could you explain?

Well it's a ble suite that uses or tests several exploits to gain access to the devices and achieve attacks...it highly depends on the device and patch level. Still not really fully tested...the base code seems to work but it would be great having people testing it and maybe other devs taking a look at the code...took me over 2 weeks to come down to it but thats where it's at now. There's a more detailed description here:

https://github.com/Ninja-jr/Bruce_firmware/blob/BLE_Suite/src%2Fmodules%2Fble%2FREADME.md

should i test this on my device and let you know if it worked?

Yes if you're open to test it...it'd be apreciated as i didnt had many devices to test it on with me so it would be great to see if the code works or if needs some more work

alright ill test it right now give me a second

Nevermind its too late right now, i need to sleep. ill do it tomorrow👍

ill report back on how good it is

does it work on adv?

lemme try

Ok no worries try it when you can

Normaly it should work...it compiled well for it. Only issue might be graphics tho I hope not.

no issue or errors at all

excited for final product 🫡

Well we shall see...i still have yo hope some other devs can check the code see if they see something that could be bettered then send a pr for it to eventually make it to the firmware 😜
Thznks for your feedback

Yoooo this is sick

My c++ is terrible so I’m pretty sure I won’t be able to help u

Oh wait nvm u got whisperpair working

LETS GOOO

Its all good. Even if just testing it some time when you have time and let me know what issues you got, that would already be great

Yea bet I’ll fork it when I get time

Well yes but be aware that for the mic listening thats pretty hard to implement on esp32 specially using the nimble stack instead of the native bluedroid one...but if it will be working fine it can be a vector for other exploits

how do i install the ble suite

@long bramble before asking, did you read the Wiki? https://wiki.bruce.computer/

Just like you would any other Bruce firmware as it's a bin based on the device branch but with the ble suite added in. If you have Launcher installed on your device it's even easier
The .bin files are here:

https://github.com/Ninja-jr/Bruce_firmware/releases/tag/betaRelease

I can't seem to find the ble suite bin or figure out how to add it, there are just the .h and .cpp files in the github

Go to that last link i sent. It has the compiled .bin files just flash the one of your device. Like i said, its not just the ble suite but the full beta version of Bruce with the ble suite added. So you can test it and if you want you can revert to the Bruce version you were on before

oh ok, i didn't realize the ones in that link already had everything on it, thank you

I flashed it on my m5 stick 2 c plus and on my t embed, it works perfectly!

i will be using this in the future!

10/10 it works excellent

Well, have you tested the attacks? I mean I tested some parts but dont own really compatible devices to test thus why I asked if more people could test it before i submit a PR

what specifically do you need me to test?

BLE suite works perfect for me

Well, as many attacks as you can test specially the whisperpair related ones. But whattever you can test will be great

Well you mean the attacks work? If they do then its great means i can go along and submit it. If you haven't tested the attacks and just the connections or the ui, then ill wait some more

also i have an unrelated question, in which language do i have to write code so that my m5 stick or t embed execute it on a Bluetooth keyboard? ( trying to create a screenlocker )

yes the attacks worked on one of my headphones

Well you can search for Ducky Script on google and learn how to write payloads. As most exploits like that be it on my ble suite or on bad ble or bad usb use thzt scripting method

They worked on one of my fake airpods, on my JBL headphones it failed though.

Great then 👍 that's very positive. Im not expecting them to work in all...but if they work on some thats great

Yeah JBL might be patched already then thats to expect

The main issue i have is, on the scan it will find my headphones maybe 2-3 out of 5 times

its not completely consistent

apart from that i think its great

Yeah i know...nimble has alot of constraints and so far that's the best i could get the scanner to work but maybe in the future that can be worked on.

Would be better and easier to use the bluedroid stack for that all but we can't use both at the same time plus that would mean having to refactoring all the existing ble code which i've no intention to do 😜

Thanks for your feedback tho really apreciated

also, i would suggest adding more common passwords for the bruteforcing on the BLE suite, maybe have two modes, one initializes the simple common passwords (1000, 9999 etc) and the other mode tries all passwords from 1-10000. Not completely sure if this would be possible, but would be cool

Yeah but that would be too resources intensive and might overflow the ble stack trying to pass so many codes that's the main reason that for now i decided to only use the really most common ones

yeah i had assumed so. im just testing all the modes right now ill give you more feedback in a little!

Ok thanks alot. Some might not work as they need specific hardware to work on but if some do at least ill be satisfied for now and will submit this

The BLE spam is phenominal on this, i previously used the newest bruce version and it sucked, with this its way better. everything in total that ive tested is great

im definitely going to continue using this

Great. Glad yo hear that

what about with android phones

have u tested it out

Samsung / Android & swiftpair are insanely good, almost instant and very consistant. Havent tried IOS since i dont own a IOS device

what .bin u using? and what device

only swiftpair and windows is working for me

They are using the bin from my test version with the ble suite implemented. Look up on the conversation. It includes a slightly improved version of the ble spam function (just forget the newest ios for now...we couldnt yet found the newest secret sauce to make it work, but all the rest (including ios up untill 16 work with the legacy methods...but all the others seem to work better)

Anyway i just submitted a PR so now we just have to wait for the maintainers to check it and eventually merge it

awesome thanks bro

I have just flashed it onto my device (a T-Embed CC1101 Plus), but when I start the BLE suite, it detects around ten different devices, all labeled as 'unknown.' Is this the expected behavior?

Sometimes yes if the device is more secured it wont broadcast its name to suspected devices...might be that the scanner might need some tweaking...but even with unknown on name you can still test and attack them as it captures their mac adress

this doesnt work on my t-embed 1101 plus, when i try to load the script my device restarts

i also installed launcher, put this bin on sd, but when i install through launcher nothing happens, dont get booted nor can select

Well just go to launcher settings and select restart then you get booted into Bruce. Go to ble then to ble suite and it will launch

yes, it doesnt boot me

You sure you selected the right device? Cause i have tembed cc1101 and thats what i used for my tests so it shall work

one sec ill record

Here

Am i doing something wrong?

figured it out, i first put the bin through web gui, maybe it somehow corrupted it, now when i reuploaded through usb it booted fine

weird... ble suite is missing

Wait the release got overwritten as i haven'5 created a tag im building a new .bin for you.tembed Cc1101, right?

yes sir

Here you have the correct .bin

Thank you

its error on 1.14 version

When will they update that repo?

My repo?

https://github.com/rylena/whisperPairForBruce

Oh this is my repo

Tbf I don’t rlly know how to fix it cus it works for me

If I could replicate it not working then I could probably fix it

Probably because you have an old version of Bruce

Oh

My god

I am so stupid

Everyone’s literally been telling me it dosent work in the beta

😭

Wait lemme try it

It doesn't work in either version 1.14 or the beta.

It works for me on 1.14

What device do you use? I have a Lilygo Tembed C1101 Plus and I have Bruce 1.14 and it doesn't work

Yep

It's impossible for it to work when the new firmware was released a week ago and the repo is over two weeks old.

File corrected, I hope you try it to see if it works with the new version of Bruce

Is this exploit ever gonna get integrated into bruce itself?^

@stark pike It would be cool if you made a program that had the pop up thing like when you do the spam but they could actually connect to it, and from there you could run ducky and badble scripts or media cmds

I loaded the file on to my lilygo but whenever I try to run it it just crashes

I think it's just something with the new version of bruce though

Probably due to the changes they are making in the interpreter. Probably need to wait some time till everything is settled up with it and if needed adapt the code but for now i suppose better wait a bit for the interpreter to be fully ready

That would mean full device emulation, real crypto integrated and strategies to make the target device believe we are some king of earbuds for example but then we would have hid capabilities...quite complicated but eventually feasible...but one single problem...most people won't press connect on a device they don't know. What I try to do in my ble suite is rather, on vulnerable devices, to force a connection without user interaction. Not test throughly but if it works is, in my opinion, the best method

I don't know if they told you, but you're awesome 👍

Thanks. I just like to fiddle a bit with stuff and try to see if i can somehow make it better 😜

im getting this when I try tk run it

but when I try this one it works but j cant pick up my quick connect device which is airpods so does that mean their not exploitable

Apple devices aren't vulnerable to the main whisperpair devices. It targets fastpair devices only

what counts as fast pair

Mostly android aimed devices like some Google earphones, some Sony and I think some jbl too

Here's a non exhaustive list that is 3 years old but gives you a good idea:

https://github.com/DiamondRoPlayz/FastPair-Models

thanks

ah so just devices that would pop up on something running android

In general, yes. For ios there's other exploits which we been trying to implement on the spam payloads as they have patched most recently

sick make a pr to the repo and ill merge it

can the device be connected to.a phone already or not

@boreal pulsar on what device does this work?

icl im not picking up anything when I use the scanner on it

Same problem

On my implementation or on the script?

Anyway im reworking my ble suite to add some more fastpair attacks...just runing thru some compilation errors i need to sort out cause nimble is very picky with the commands depending on version 😜 but ill get there...just meanwhile messed up my scan mechanism so reworking it too...tho on that version I shared a few days ago the scanner worked for me. It's just on this new version im working on now that I need to redo it as changed some stuff.

the script i dont get what you mean by the implementation

fair enough it seems like a good project just wished it actually worked for me so I can troll people with random sounds 🤣

I mean my ble suite of which i uploaded a bin here a few days ago.

ahh I haven't seen that

To send sounds...that's a whole other set of stuff...one has to integrate or use a streaming library that works with nimble...I personally abandoned that idea...even tried to patch ad2p and other bluedroid libraries to work on nimble but after a week couldn't find a working implementation and gave up on that

oh I only said that as I seen the play mp3 on the script my bad 🤣

Well maybe they found one library on Bruce code that can do that...I confess i haven't dug into all libraries so it might actually be there and I haven't just found it...if its the case id sure throw myself off a bridge after having tried all that stuff while something was already there haha (not literaly of course...i think you get the gist haha)

yeah i like the whisperpair stuff tbh its cool what it can do

Im interested on the whisper pairing but is it stable enough to mess with

its not really as i cant get it to connect to anything so hopefully it will get updated soon to work fully

For sure

hey are you rylena ? Are you livin dubai ?

Yea why do u ask and I’m Rylen

T embed

I’ve had my finals for the last few weeks so I didn’t have a chance to try fixing the script

I’m going to start on it tmr guys

So it works on the new update

U think it would work for CYD?

Prolly

I am.livin dubai

oh damn nice

How do i install this bin?

@steady notch before asking, did you read the Wiki? https://wiki.bruce.computer/

Well for now there's no bin yet tho

Oh, ok

What’s wrong with it

Gives u some syntax error now

what was the error? can you share the working one?

ask Grok/GPT to look it over for syntax. works for me all the time

yes i am not either. sits at scanning for BLE devices

Well the scan mechanism works for me...you first select the attack or test then you wait for both active and passive scan to run (15s each) and you select target. Make sure you're on the beta on the latest commit (the site one isnt updated on it yet)

It would be cool if it was part of the firmware

i am not on Beta, so that would be it. Thx!