I'm here to talk about Blucat. Who's heard about Blucat so far? Awesome.

I'm Joseph Paul Cohen. I'm a Ph.D. student at UMass Boston. I do a side thing, basically, in cybersecurity computer science education. I do a lot of machine learning and computer vision stuff, so it's kind of dual tracks, right? So this is the fun stuff.

So I want to just have some questions to gauge the audience, right? So how many of you guys have used a Bluetooth API, whether it's BlueZ, OS X or Windows or whatever? Okay. Who's used netcat to talk to a web server? All right. So that's half. Okay. Who's created an outrageously complex script to do some task?
Okay. So these are kind of all going to come together in this talk. It seems like everyone is well versed.

The overview of this session: we're going to talk about streams and how they're awesome and fundamental, and how you can replace netcat in line with Blucat wherever you use netcat. Any situation you can think of using netcat over an IP address, with Blucat you replace the IP addresses with MACs and then you just have to be in range.

And we also have Blucat as a Bluetooth nmap, so we do scanning and service discovery functions. And then basically, I wanted to talk about RFCOMM and L2CAP. Those are understood by Blucat because they make sense. You have port numbers and you can talk to them directly. And then we're going to look at some devices with Blucat and see how you examine other devices with Blucat.
How to prototype, and stats, and then if we have time, the architecture of how Blucat works on tons of architectures, right?

So first, streams are awesome. So I hope everyone agrees. You can take something like a file and you can turn it into a stream and you can pipe it into VLC, and abstract everything that has to do with a computer to a stream. So once it becomes a stream, you really don't care where it goes.

But you know, we use streams every day when we talk to PalTalk. So every time you go on... Okay. Well, Blucat was supposed to be on. But I didn't want to broadcast my MAC to everyone. But I did when I was pairing. Anyway, you have a computer, and it turns into a stream, and you can turn it into PalTalk and back, right?
So that's how that kind of communication works; most things are based there. So you can put some kind of block in the middle and then you don't care what happens on the other side, inside this block, right? The computer just talks to this thing, and at the other side it's going to come out to PalTalk, and from that side the responses go into this, you know, blob and come out the other side to you. And you don't really have to care what's inside there. It gets abstracted with all the layers.

So the Internet would work: send some stream, it goes through a series of tubes and comes out the other side, and you don't really care. So you take a complicated process like routing all the way across the Internet and just forget about it. Right? Have someone else kind of take that initiative and you just deal with high level application stuff.
So you can abstract really complicated things and just kind of ignore that they exist, no matter how dysfunctional they are. So to really appreciate the usage of just talking to these services, right, we can take a look at HTTP. So I just want to go over this simple, make sure everyone's on the same page.

HTTP is awesome. Simple, human readable. You can know what's going on by reading traces. Debugging is easy; you can look right at it in any kind of debugger and you don't have to read the spec, you can see all this stuff. You can add custom stuff, so it's not really so picky, you know, with what inputs and outputs it does. So it's very forgiving. Here's a diagram I didn't make, from a browser.
You can send an HTTP request to a server and you get a response, and you can think of it as a tiny text file. Bunch of strings. And then you get back the same thing. Right? And that's the basic interaction, right? So you can experiment: you just type the string GET and you get back whatever response.

So here's one for DEF CON, so we do GET / HTTP, tell it we want the DEF CON host, and it's going to say OK with all the other headers and send us back the HTML. We can look at the underlying protocol, but look at the ports it goes under, based on the port on the server that is for HTTP, right? So that's nice to inspect.

And then if you think about it, the image of the Matrix is true. Everything is just streams flowing back and forth all the time.
So at some point maybe this will be how everything looks when you start looking at everything. So maybe everyone is right there, most likely.

So what is Blucat? So what is the point of this? So there are three main things I've been able to come up with, reasons why. Debugging tool for Bluetooth applications. So, if you're writing a Bluetooth app, you can use it to debug your own application, you can see what's going on. Like, did you modify the service record properly so that other devices can see that record, right? And then whatever process is handling the socket on the other side, you don't want to have a full blown client ready. You might just want to have a makeshift client to see what is going on, or if you want to do some sort of emulation or testing with inputs that you wouldn't normally put into your client application. So, if you kind of want to fuzz your own app, you can do that with this and it's not a big overhead.
You can use it as a device exploration tool. So other people's devices, other people's services that are written. So your phone's services. Because there are tons of them. And they vary on different types of phones: you have old phones with insecure services, new phones with sophisticated services, and different manufacturers have different services. You can look at how those work and send random data and try to debug the protocol.

You can just scan and kind of do it in nmap fashion. So I have a format, I'll put this to a CSV file, so you can aggregate tons of information about Bluetooth devices, which is interesting, and I have cool graphs later. So you can also use it as a component in building other applications.
So you can use it just like you'd use netcat to prototype an application. You can actually use Blucat to prototype an application and you don't have to care so much about the Bluetooth layer, because you're handling that while it's deployed, and your service runs as its own thing and runs on standard in and standard out. It doesn't know that it's talking over RF.

So, a simple in-line replacement for a netcat example. So we have netcat, a machine name and a port, and that's going to connect to some server. Listen with netcat on port 123 and you can have a pipe going this way and it comes out that side. So that's like the main kind of demo of netcat. Right? So we can do the same thing with Blucat. We listen on RFCOMM channel 4 and then we connect to this MAC address on RFCOMM channel 4 and it establishes that same connection and you can do the same thing. You can send music or movies.
Throughput is like 100k, so it's not too good. But it doesn't work with music, right? Maybe not FLAC.

So we can compare with nmap. So nmap is going to scan a bunch of stuff, which is very useful. Everyone knows about that. So what's the equivalent for Blucat, right? We have two things. We can scan for device names, which is what I was doing earlier, scanning everybody's device names, and have output. So we have a timestamp, device name, and whether we're paired with it, and whether the session is encrypted, and what's fallen out is the RSSI of the connection, right? All right.

So you can go farther in depth. You can list the services of each of those devices, right? Let you actually inspect the stuff that's run on that device.
You can think about these the same way you think about an IP address and ports. Same thing. You have a MAC address, like an IP, and then you have these channel numbers, or PSMs for the L2CAP protocol. And those are laid out on the right. This thing returns the entire URL, which says we're going to talk over the btl2cap protocol on PSM 19 on nmap. You can paste that and go right to it. I'll go into that in detail.

You can brute force scan. This takes a long time the way I've done it. So maybe it's faster with other implementations, but this is a cross platform version. So we scan this thing: we scan RFCOMM channels first, we have a bunch of open channels, even if they're not advertised in service discovery we can find them this way. If we scan L2CAP channels you can look at all the channels open, from every possible L2CAP channel, so even if they're not valid it will still try to see if the stack will allow it.
This goes up to a high number and I've never really seen anything over, I don't know, like 100.

So for the past three days I've been walking around with my bag scanning all the Bluetooth devices. These are all names. I put them in a nice word-name bubble. All this specific stuff is tiny, but they're all iPhones, MacBook Pros and BlackBerries. Did you guys all see, who sees their machine on this thing? Who got invited to this talk during the week? (Laughter) Everybody's afraid to raise their hand? Scoreboard. That was fun. Left your Bluetooth on. Who saw the scoreboard advertised for the Bluetooth talk? One? Short amount of time.
I got statistics on this. So there are 92 unique names I found. And sometimes devices won't send names. They kind of lag and then they disappear. But you definitely get their MAC address. I found 126 unique MACs. There are ways to find device MACs. This is blatant. No one would leave their Bluetooth on; these are discoverable Bluetooth devices. I thought I'd find two and they'd be at the hotel, just staying, not knowing. So I sent these 126 MACs 13,000 pairing requests with an invite to my talk. So that was funny. People clapping were the ones invited? Okay.

So the reason I could do that is you can script Blucat. This is the point. I can write a program and that's a pain in the ass. A bash script makes everything easy.
You don't have to care so much. If your name is on here, I think these are the coolest names out of all the names. Just to prove to myself these are not hotel guests, so maybe the DoD.

So let's talk about URI schemes. This little URL I said before, it tells you about what you know about the service. HTTP and HTTPS is an equivalent design. We have three I care about in this program to use, that kind of make sense, and then the object one is kind of pushing it to what this program kind of does. So btspp, the Bluetooth Serial Port Profile, which is also called RFCOMM, makes the most sense for this ncat replacement. Serial port protocol: take stuff that used to work over serial ports and make them wireless. That is easy. L2CAP is different. You have fixed width buffers that you send over; you negotiate, like, a size.
So you can achieve the same thing. But it's, you know, redundant. Object exchange is when you send files back and forth. So these three things, if you have these in the URL string, then that's what they'll correspond to. All right? And you kind of have this weird Bluetooth stack. So RFCOMM sits on top of L2CAP, and then you have stuff that's out of range of Blucat, which is audio, so that kind of stinks. And then the other, I don't know what that is. You have limited range on a stack of Bluetooth.

Let's go over these profiles a little bit more. So the SPP profile is designed to emulate RS-232 serial ports. A serial port protocol. So it has the same major attributes of TCP.
So you're expected to have in order delivery of all your messages, and if it's not delivered you would expect it to retry or kill the connection. So you have guarantees. And it only has about 30 ports. Depending on the stack, this varies what you can use, and if you know portmap, where old NIS was advertised on portmap, it runs the same way. You can't be guaranteed you can have a port. You can ask for something and if someone else is using it, it says no, I'll put you on a higher port. So it's kind of a drawback, which is why you kind of need the scanning to look at what port it actually ends up on. It's the same consistently on a device. If you run ncat and you get channel 4 it will probably always be channel 4. Unless you reflash the device, put other services on it. You can make it unreliable like UDP, but that's not really in the interest of this stuff.
And then it has a default maximum packet size of 672 bytes, so you can send them over in chunks. RFCOMM sits on top. There's channel 3 in L2CAP, which is RFCOMM; it runs over all that and it has way more port numbers. So I scan up to 65,000 and then somewhere people advertise 40,000 and it's all, like, the odd numbers, which is weird that you just have odd port numbers. But it's a weird protocol.

So here's a list now. So you have TCP/UDP. We all know those. RFCOMM. L2CAP PSM, and then the odd numbered, so you have reserved at the base. So these are the interesting ones. And that's 4,000 of them; spec says it goes up to 32. So it's kind of the lay of the land there.
So, just a side note, you can look up MAC addresses the same way you look up IP addresses.

So that kind of gives you more information. But nothing really aligns properly. Like it doesn't say Apple Incorporated like it would with a network MAC, so it doesn't tell you a lot of information.

All right. So getting back to Bluetooth, we can use the -e option, which is from Ncat.

So we have two actors, green and blue.

We're launching Blucat with -l for listen and it's going to choose any channel and /bin/bash.

I want to execute /bin/bash and set up standard in and standard out. Going to be wired right there. So we could then, the blue computer will list the services on that first machine.

It outputs that there's something to listen to on channel 4. We connect to that.
It'll show that command to bash, and bash is a program in high. So that's kind of a cool use. You can have point-to-point remote access to some device, which is kind of cool if you hang a Raspberry Pi in the corner and connect to it without a wire.

I'm going to get more in depth with Bluetooth plumbing and how this can be put together.

So we have basic Bluetooth connect at the top. Netcat.

Identify a second URL and they're going to exchange standard in and standard out like you normally would. On the left we have a terminal and on the right we did the -e option, so it's going to pipe the standard out from the terminal to the standard in in /bin/bash.

So you kind of have a remote control service over Bluetooth. All right? This works the other way. I just tested it the other way.
You can have one process connect and launch a service immediately when it connects to the server, and on the other side it connects to a different process, so you can have two processes talk to each other over a Bluetooth link and they never have to know anything about Bluetooth.

I'm going to go through a bunch of devices, give a brief overview of how they work. Bluetooth has profiles; when we look at this stuff, you can see profiles in these certain types of devices. So we're looking at a specific angle with Blucat.

But that's not the way devices want to look at each other; they want to look at each other and say you're a phone so you must have a hands-free mode.

You can look at device classes; it will say I'm a laptop so I'm going to have laptop-like services that you can see if I have, and then go forward with that. So it's really crazy the way that they look up each other.
But underneath, if you look at it from the raw implementation point of view, we have RFCOMM and L2CAP channels or PSMs that you can connect to for these services.

In the case of an audio gateway, it will go to another service that has voice.

It's kind of a collection of services on Bluetooth that compose a profile so, if we start looking at a printer, it's a Mac Office 3200 and it has a Microlink NIC in it on the Bluetooth. That doesn't tell us anything unless you know that Microlink sells to HP, and you can tell it's HP, but they probably don't exclusively.

So it's hard to gain information that way. But we can look at the services listed here. We know it's a printer because we can just read the name and the device class will say I'm a printer.

And we can see that it has a serial port listed here, right? So it's on channel one.
So we can just try to connect to that with Blucat and type stuff and see what type of error it gives us. Bluetooth isn't good at giving errors, but when people implement Bluetooth services, they just don't respond instead of giving an error message, so it's tougher.

Blucat URL, and put that URL in there with the MAC and channel number. And connect directly to this thing. It turns out this printer, Blucat launches, it doesn't ask for authentication. It's usually the other side.

So you'd connect to the printer and the printer would be like yeah, that's all right. It's fine. I don't need to pair with you. Let you connect to the socket and print out. That's not the case with a lot of devices, but the printer is completely anonymous access, right? (Applause)

JOSEPH PAUL COHEN: I messed with people with this. I found out stationery was used and people were mad.
This is Alcatel.

Gives us device name, dial-up networking so we can use it as a modem, and we just have a serial port.

So, if we just connect to the serial port, this wasn't as easy as this. But you can connect to it, and let's say so I had to pair with this phone, right? We're pretty safe unless we pair. There are pairing flaws people have been telling me the last couple of days. So we type the AT Hayes commands to these things, get device manager, model. Those are all easy. Or you can just look at it from the name, and we get the third one is because there's a date that it's talking to me. And at this point, I could have put more in, but the guy I was playing with his phone, he shut off his phone once he started; I'm like these commands are working, this is awesome. It's hard to find phones you can do this to because it's a really old phone.
New phones aren't friendly for people who want to poke around on them. Probably for good reason.

We can look at anything that's Bluetooth.

If we look at the Wiimote, service records are empty, maybe it's trying to hide things, but we can see up there that we have three services listed.

I think it's PSM 11.

When we scan it, we actually find it's 1, 11, and 13. So 1 is a default one.

So 11 and 13 are the ones we can talk to this thing on. People have completely reverse engineered the Wiimote stuff.

So we look at the Nexus 4.

So we list the services on this and we see we have a headset gateway. No serial port protocol. So can't have fun with it. No dial-up modem so we can't mess with that either.
Fun ones to look at are BTPSPs; they're usually ASCII based except for an example I'll show in a minute.

So we can try to connect to one of those. Let's do the hands-free one. The only one I can find a way to look at.

If you Google that in, you can find profiles, and profiles will tell you kind of what some sort of established protocol for it is. Documentation is pretty bad and not uniform across all manufacturers. So I got this thing, I connected to it, and the first thing I type now when I connect to the serial port protocol is type AT or AT+ and have it give me an error. If you say something weird, AT*, it will kick you off.

To get an error is the first sign there's somebody on the other side listening that we can, there's some commands that must do something.
If they're reading all the profile stuff, you can see it has a lot of AT commands; like the one that's the coolest one is dials a number. This works on the Nexus 4.

Maybe on an expensive phone, and it will call it, right? You can also list a number and list the services that are there. There's a way to talk to these things. They're just obscure and don't really advertise all the stuff. So it's difficult to kind of get information from these things. A thing that I did with Alex Whitmore an hour or two ago was look at the iAP; I thought it was access point. That's how I intuitively thought it was. It's the iPhone accessory protocol. I don't like iPhones, but so the goal is how can you play, stop, start, control the audio tracks on the phone, right? That would be cool if you could unplug from your computer or write an app that would interact with us.
It turns out there's a chance it could be the same interaction as the standard UART in the Apple connector so, if you just wire up into that. That's the hypothesis, and it turns out so there's the regular way you do this over the hard wire; this is the same packet thing for saying I want you to play, I want you to stop.

So that's like well documented for the hard line stuff.

Sadly, it turns out Apple has a weird authentication coprocessor that's required to attach to this process.

So that makes it different than the actual wire line, which makes it undoable with Blucat unless we can kind of process this stuff fast enough. But more research will be needed for this stuff. All right. So the next section is rapid prototyping with Blucat. So, if you want to make something really quick with bash, right?

So how to prototype.
So this presentation was supposed to be given with a Bluetooth presenter.

That the only thing on the phone would be an app that just sends characters over a socket. So I press a button and it just sends a B or an F. And then on our laptop somebody is listening and goes into a script that's dispatching all the characters as they come in and will respectively press back or forward to move my slides.

So that's the basis of it. So we can go over how this works in like a few lines. We launch Blucat. Do a keep-alive, verbose, to stay on this URL on my phone, on channel 4.

And then when we receive a connection, we just throw it to dispatcher.sh. Which simply looks like this. So we just, well, read input. If the input is an F, I go forward and press the key for forward.

It did work great all weekend.

So you can do other stuff.
You can say on any input you can filter on different words and have it do anything. It's like the sky is the limit with everything you want to control on the device.

So that's kind of the basic way of prototyping, so any way you can think in the future to use that stream in the same concept, it's pretty easy to do. So I scanned for over the course of three months from the same desktop next to a computer lab. Every 5 minutes, and every single Bluetooth device that was visible I captured and stored, and then wanted to run data analysis on it later.

I happened to write Blucat so it opens in the CSV format, and we have tons of files and import those into a database or into R, which I did, and analyzed stuff. So kind of a shout out to R, it's awesome. Read this file.

And then filter based on the date, convert them to dates, and make a histogram based on dates and break them into 100 bins.
So we get this thing, February to April.

And we can see, this should be numbers, but I didn't go back and regenerate this thing. So this is in the upwards, this is high. 2,000 scans, that's the magnitude of the stuff.

So you can see this dip.

So why is there a dip around March 23rd? So you can say why are people not walking around here. So we can take a look, filter more, just in between those date ranges for the month of March, right?

You can see it's really close around the 21st to the 25th.

So I was like why? Why did my script fail or something that was running? And then I looked and it's spring vacation; it's towards the end of spring vacation.

Made sense; you can align the data collection with the fact students were coming to school.
This was at a university.

More scary, I can look at just me. This is when I was in my office. Right? So you can do that for anybody and you kind of know their name because it's their MacBook or their phone.

So-and-so's iPhone, right?

So this, I guess I'm a slacker in March especially.

Now we can get into the architecture and design of Blucat. One awesome piece is I only really tested on Mac and Linux. But the BlueCove library in which it sits runs on tons of platforms like Symbian and Android and Windows, if you want to use that.

Works on BlueZ is great.

There's PyBluez but then you're stuck with BlueZ.

And you can't really use it on a Mac or anything in the future.
You're stuck in the BlueZ libraries.

Perfect, so it's pretty small. I mean there are a bunch of Java files. This is Java based. You can view appropriately. But I like Java.

And then it kind of gets offloaded to a series of files that contain native libraries for whatever platform you're on; the business logic is all contained in the logic stuff and we call, based on the different platforms, different libraries. And kind of arrange everything appropriately. This is one main file and you can run on ARM Linux, Mac 64-bit, Linux 32-bit, 64-bit, Ubuntu, Fedora, all this stuff.

This is a diagram of how this interacts with everything. You run Blucat.
It sits on top of BlueCove and makes all those calls, and if it's Mac it sits on the Apple API, or opens everything in BlueZ if BlueZ is available, which will hit Linux and bluetoothd and kernel modules, and whatever Linux is running on that implemented BlueZ, it will run fine on, and that will actually hit the actual hardware.

So it's very versatile by design so a lot of people can use it. This is an eye chart with the BlueCove stack, the way it interacts with everything. I don't want to go over it too much. But I want to talk about how the JNI libraries work.

So BlueCove specifically offloads stuff using JNI libraries. Who's seen this before?

You can do business logic in Java.

Time, oh, no.

(Applause.) Okay, first of all. What the fuck is that on the screen? Holy shit.

Lots of people want to talk about lots of things.
We're not going to let that happen.

Oh, my God, is that boring.

Oh, it is a Bluetooth controller on it. Never mind, that's cool.

You all know the drill. Holy shit. Get up here, man. Wait a second. Weren't you just in the last track you were in?

Is his name Sarah? What's your name?

Thomas Waffles.

Atomic Waffles. Thank you.

Everybody, this is Atomic Waffles. Atomic Waffles, this is everybody.

I'm lonely over here.

I'm sure you are.

Where did you come from?

That's Atomic Waffles. Jesus, don't you pay attention.

I can just take the bottle.
773 00:33:48,167 --> 00:33:49,291 , 00:33:49:06 774 00:33:49,292 --> 00:33:52,041 , 00:33:52:00 , Slow down, champ. 775 00:33:52,042 --> 00:33:54,583 , 00:33:54:13 776 00:33:54,584 --> 00:33:57,750 , 00:33:57:17 ,What, you're going for a second one already? 777 00:33:57,751 --> 00:33:59,917 , 00:33:59:21 ,All right, everybody, you know the drill. 778 00:33:59,918 --> 00:33:59,998 , 00:33:59:26 779 00:33:59,999 --> 00:34:01,541 , 00:34:01:12 ,Welcome to DEF CON! 780 00:34:01,542 --> 00:34:06,998 , 00:34:06:23 781 00:34:06,999 --> 00:34:08,541 , 00:34:08:12 ,We'll see you soon. 782 00:34:08,542 --> 00:34:15,998 , 00:34:15:26 783 00:34:15,999 --> 00:34:18,374 , 00:34:18:08 ,Waffles just got off the stage. 784 00:34:18,375 --> 00:34:19,374 , 00:34:19:08 ,Okay. 785 00:34:19,375 --> 00:34:20,374 , 00:34:20:08 ,We're on time. 786 00:34:20,375 --> 00:34:25,041 , 00:34:25:00 , JOSEPH PAUL COHEN: All right. 787 00:34:25,042 --> 00:34:30,249 , 00:34:30:05 788 00:34:30,250 --> 00:34:35,208 , 00:34:35:04 ,So we offload this stuff to JNI and the way that that gets set 789 00:34:35,209 --> 00:34:40,917 , 00:34:40:21 ,up to actually run on all these platforms really is a script. 790 00:34:40,918 --> 00:34:44,082 , 00:34:44:01 ,So it's like a dispatching script so we just kind of weakly match 791 00:34:44,083 --> 00:34:47,458 , 00:34:47:10 ,the OS type and Linux architecture. 792 00:34:47,459 --> 00:34:47,917 , 00:34:47:21 793 00:34:47,918 --> 00:34:49,333 , 00:34:49:07 ,And spit it out. 794 00:34:49,334 --> 00:34:51,625 , 00:34:51:14 ,So, if you want to use Blucat and it's not supported on an architecture, 795 00:34:51,626 --> 00:34:54,958 , 00:34:54:22 ,I can just build all these libraries on your architecture and wire it 796 00:34:54,959 --> 00:34:57,333 , 00:34:57:07 ,in if you want to use it, right? 797 00:34:57,334 --> 00:34:58,374 , 00:34:58:08 ,Okay. 
798 00:34:58,375 --> 00:34:59,500 , 00:34:59:11 799 00:34:59,501 --> 00:35:02,708 , 00:35:02:16 ,So send me an e-mail if that is the case. 800 00:35:02,709 --> 00:35:03,708 , 00:35:03:16 ,All right. 801 00:35:03,709 --> 00:35:08,666 , 00:35:08:15 ,And we simply attach the libraries and run this main driver for the stuff. 802 00:35:08,667 --> 00:35:08,917 , 00:35:08:21 803 00:35:08,918 --> 00:35:11,833 , 00:35:11:19 ,And then one problem so, if you look at this file and you're like why 804 00:35:11,834 --> 00:35:15,541 , 00:35:15:12 ,is he filtering out the standard error, it's because some stacks output tons 805 00:35:15,542 --> 00:35:18,333 , 00:35:18:07 ,of debugging information and send it out and there's no way 806 00:35:18,334 --> 00:35:20,041 , 00:35:20:00 ,to shut it off. 807 00:35:20,042 --> 00:35:20,458 , 00:35:20:10 808 00:35:20,459 --> 00:35:23,998 , 00:35:23:26 ,So I just filter it and some NSAutorelease 809 00:35:23,999 --> 00:35:28,166 , 00:35:28:03 ,on a Mac. This just fixes that. Cool. 810 00:35:28,167 --> 00:35:28,541 , 00:35:28:12 811 00:35:28,542 --> 00:35:32,958 , 00:35:32:22 ,So how does JNI work inside the libraries? 812 00:35:32,959 --> 00:35:32,999 , 00:35:32:29 813 00:35:33,000 --> 00:35:35,708 , 00:35:35:16 ,So somewhere in this BlueCove program when it runs, it 814 00:35:35,709 --> 00:35:38,500 , 00:35:38:11 ,detects the OS that it's running on and loads 815 00:35:38,501 --> 00:35:42,998 , 00:35:42:23 ,the specific native libraries for it, it's going to search everything 816 00:35:42,999 --> 00:35:46,998 , 00:35:46:25 ,in the load library path which by default is inside the jar file 817 00:35:46,999 --> 00:35:51,208 , 00:35:51:04 ,to find whatever stack that it should be running on. 818 00:35:51,209 --> 00:35:52,208 , 00:35:52:04 ,All right? 819 00:35:52,209 --> 00:35:56,208 , 00:35:56:04 ,So once that's loaded up, it then has these extra native functions 820 00:35:56,209 --> 00:35:59,208 , 00:35:59:04 ,and they're ready to call. 
821 00:35:59,209 --> 00:36:00,917 , 00:36:00:21 ,So you make a call to this. 822 00:36:00,918 --> 00:36:01,458 , 00:36:01:10 823 00:36:01,459 --> 00:36:04,082 , 00:36:04:01 ,RF server, get channel ID. 824 00:36:04,083 --> 00:36:06,998 , 00:36:06:23 ,So this is a pretty low level thing, you have to get the handle 825 00:36:06,999 --> 00:36:08,999 , 00:36:08:29 ,for this specific connection. 826 00:36:09,000 --> 00:36:09,541 , 00:36:09:12 827 00:36:09,542 --> 00:36:13,998 , 00:36:13:25 ,That gets offloaded to the C code or whatever, C++, whatever they want 828 00:36:13,999 --> 00:36:18,583 , 00:36:18:13 ,to use in the native library, which looks like this with a JNI header 829 00:36:18,584 --> 00:36:22,166 , 00:36:22:03 ,to actually interact with that specific stack that you're 830 00:36:22,167 --> 00:36:24,458 , 00:36:24:10 ,running on, right? 831 00:36:24,459 --> 00:36:27,958 , 00:36:27:22 ,So you'll have to do this on every platform that it runs on. 832 00:36:27,959 --> 00:36:28,958 , 00:36:28:22 ,So I didn't do this. 833 00:36:28,959 --> 00:36:30,583 , 00:36:30:13 ,This is all the BlueCove people, and I don't have their logo, it 834 00:36:30,584 --> 00:36:32,917 , 00:36:32:21 ,is on a different page. 835 00:36:32,918 --> 00:36:33,041 , 00:36:33:00 ,They've done tons of work and it seems 836 00:36:33,042 --> 00:36:34,208 , 00:36:34:04 ,like they're working for different companies anyway so 837 00:36:34,209 --> 00:36:36,333 , 00:36:36:07 ,they're all getting paid and that's good. 838 00:36:36,334 --> 00:36:37,333 , 00:36:37:07 ,And thanks. 839 00:36:37,334 --> 00:36:38,875 , 00:36:38:20 ,(Applause.) Any questions? 840 00:36:38,876 --> 00:36:39,998 , 00:36:39:23 ,I can take questions. 841 00:36:39,999 --> 00:36:40,998 , 00:36:40:23 ,No? 842 00:36:40,999 --> 00:36:41,998 , 00:36:41:23 ,Okay, thank you. 
843 00:36:41,999 --> 00:36:41,998 , 00:36:43:20 , Any I found that as long as the dongle is supported 844 00:36:41,999 --> 00:36:43,875 , 00:36:43:20 ,by the OS it's supported by this stuff. 845 00:36:43,876 --> 00:36:46,416 , 00:36:46:09 ,It calls the native. All you need to know is their MAC. 846 00:36:46,417 --> 00:36:46,416 , 00:36:49:04 ,If you get that through service discovery, 847 00:36:46,417 --> 00:36:49,208 , 00:36:49:04 ,you're good, or HackRF or Ubertooth, that's another way. 848 00:36:49,209 --> 00:36:51,041 , 00:36:51:00 , All right, everybody, questions? 849 00:36:51,042 --> 00:36:52,666 , 00:36:52:15 ,He's got stickers to hand out. 850 00:36:52,667 --> 00:36:55,999 , 00:36:55:29 ,He will answer questions, they're going to be in the chillout café. 851 00:36:56,000 --> 00:36:56,999 , 00:36:56:29 ,Hi. 852 00:36:57,000 --> 00:36:59,666 , 00:36:59:15 , I have stickers, anyone want Blucat stickers? 853 00:36:59,667 --> 00:37:00,551 , 00:37:04:17