Altering src/layers_bredr.py doesn't alter sent packets

[jsmif]

I wanted to confirm I could make simple edits to packets, so I started with one of the simplest, LMP_features_req (ultimately I will want to add in a LMP_name_req though). I grepped for LMP_features_req and from the hits it seemed like probably src/layers_bredr.py was in charge, since it had a constant that looked very similar to (but not exactly the same as?) the value seen in the packets. So I edited src/layers_bredr.py per the below, but this didn't make any changes to the observed packets in the pcap.

class LMP_features_req(Packet):
    name = "LMP_features_req"
    fields_desc = [FlagsField(
        "features", 0x8f7bffdb00000000, 64, _bluetooth_lmp_features)]

Then I tried replacing _bluetooth_lmp_features with _bluetooth_lmp_features_unused:

        "features", 0x8f7bffdb00000000, 64, _bluetooth_lmp_features_unused)]
...
                   ConditionalField(FlagsField("features0", 0, 64, _bluetooth_lmp_features_unused),

But that also didn't alter the observed LMP_features_req in the pcap.

Does this have to do with the fact that the "TX Interception" feature is listed as "(disabled for now, sorry)" on the front page? And consequently do packet changes require customizing the firmware? (If so, why is TX Interception currently disabled?)

[Matheus-Garbelini]

Hi @jsmif The project on this repo does not support modifying TX packets as Python itself is slow to process anything withing 625us.
Therefore, for modifying TX packets on the fly, we recommend using the Braktooth repo which uses C++ API:
https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks

There is even a tutorial on how to modify packets or inject them on this PDF:
Exploits Modules Tutorial

Overall it should be simpler to use than internalblue.
If you are into firmware reverse engineering and would like to know how this esp32 BT firmware works, you can
explore our ESP32 Patching framework which comes with the patched BT firmware source code: https://github.com/Matheus-Garbelini/esp32_firmware_patching_framework

[jsmif]

It's definitely way easier to use than InternalBlue (which doesn't even have example usage for their raw packet sending commands, which I've never gotten working). I'll ask further questions over on the braktooth repository.

[jsmif]

OK, sorry to re-open this, but the more I play with the Braktooth exploit repo, the more I'm unsure if that's actually the right solution to meet my goals. I want to basically just send a couple LMP packets in a row, and that's it. The Braktooth repo doesn't seem give me control over what packets are sent. It seems to be using whatever background activity happens as a result of sdp_rfcomm_query from bluekitchen interacting with the default ESP32 BT stack, right? I can manipulate that existing traffic, but I can't control exactly which packets are sent right?

It seems like I might be better off with the "RX/TX Bypass" functionality mentioned in the main README.md, and then sending raw bytes with Scapy. Can you say more about how that can actually be used?