Shortcuts on this page
r m x toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
1# SPDX-License-Identifier: GPL-2.0-only
2# This file is part of Scapy
3# See https://scapy.net/ for more information
4# Copyright (C) Philippe Biondi <phil@secdev.org>
5# Copyright (C) Airbus DS CyberSecurity
6# Authors: Jean-Michel Picod, Arnaud Lebrun, Jonathan Christofer Demay
8"""Bluetooth 4LE layer"""
10import struct
12from scapy.compat import orb, chb
13from scapy.config import conf
14from scapy.data import (
15 DLT_BLUETOOTH_LE_LL,
16 DLT_BLUETOOTH_LE_LL_WITH_PHDR,
17 PPI_BTLE,
18)
19from scapy.packet import Packet, bind_layers
20from scapy.fields import (
21 BitEnumField,
22 BitField,
23 ByteEnumField,
24 ByteField,
25 Field,
26 FlagsField,
27 LEIntField,
28 LEShortEnumField,
29 LEShortField,
30 MACField,
31 PacketListField,
32 SignedByteField,
33 X3BytesField,
34 XByteField,
35 XIntField,
36 XLEIntField,
37 XLELongField,
38 XLEShortField,
39 XShortField,
40)
41from scapy.contrib.ethercat import LEBitEnumField, LEBitField
43from scapy.layers.bluetooth import EIR_Hdr, L2CAP_Hdr
44from scapy.layers.ppi import PPI_Element, PPI_Hdr
46from scapy.utils import mac2str, str2mac
48####################
49# Transport Layers #
50####################
53class BTLE_PPI(PPI_Element):
54 """Cooked BTLE PPI header
56 See ``ppi_btle_t`` in
57 https://github.com/greatscottgadgets/libbtbb/blob/master/lib/src/pcap.c
58 """
59 name = "BTLE PPI header"
60 fields_desc = [
61 ByteField("btle_version", 0),
62 # btle_channel is a frequency in MHz. Named for consistency with
63 # other users.
64 LEShortField("btle_channel", None),
65 ByteField("btle_clkn_high", None),
66 LEIntField("btle_clk_100ns", None),
67 SignedByteField("rssi_max", None),
68 SignedByteField("rssi_min", None),
69 SignedByteField("rssi_avg", None),
70 ByteField("rssi_count", None)
71 ]
74class BTLE_RF(Packet):
75 """Cooked BTLE link-layer pseudoheader.
77 https://www.tcpdump.org/linktypes/LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR.html
78 """
79 name = "BTLE RF info header"
81 _TYPES = {
82 0: "ADV_OR_DATA_UNKNOWN_DIR",
83 1: "AUX_ADV",
84 2: "DATA_M_TO_S",
85 3: "DATA_S_TO_M",
86 4: "CONN_ISO_M_TO_S",
87 5: "CONN_ISO_S_TO_M",
88 6: "BROADCAST_ISO",
89 7: "RFU",
90 }
92 _PHY = {
93 0: "1M",
94 1: "2M",
95 2: "Coded",
96 3: "RFU",
97 }
99 fields_desc = [
100 ByteField("rf_channel", 0),
101 SignedByteField("signal", -128),
102 SignedByteField("noise", -128),
103 ByteField("access_address_offenses", 0),
104 XLEIntField("reference_access_address", 0),
105 LEBitField("dewhitened", 0, 1),
106 LEBitField("sig_power_valid", 0, 1),
107 LEBitField("noise_power_valid", 0, 1),
108 LEBitField("decrypted", 0, 1),
109 LEBitField("reference_access_address_valid", 0, 1),
110 LEBitField("access_address_offenses_valid", 0, 1),
111 LEBitField("channel_aliased", 0, 1),
112 LEBitEnumField("type", 0, 3, _TYPES),
113 LEBitField("crc_checked", 0, 1),
114 LEBitField("crc_valid", 0, 1),
115 LEBitField("mic_checked", 0, 1),
116 LEBitField("mic_valid", 0, 1),
117 LEBitEnumField("phy", 0, 2, _PHY),
118 ]
121##########
122# Fields #
123##########
125class BDAddrField(MACField):
126 def __init__(self, name, default, resolve=False):
127 MACField.__init__(self, name, default)
128 if resolve:
129 conf.resolve.add(self)
131 def i2m(self, pkt, x):
132 if x is None:
133 return b"\0\0\0\0\0\0"
134 return mac2str(':'.join(x.split(':')[::-1]))
136 def m2i(self, pkt, x):
137 return str2mac(x[::-1])
140class BTLEChanMapField(XByteField):
141 def __init__(self, name, default):
142 Field.__init__(self, name, default, "<Q")
144 def addfield(self, pkt, s, val):
145 return s + struct.pack(self.fmt, self.i2m(pkt, val))[:5]
147 def getfield(self, pkt, s):
148 return s[5:], self.m2i(pkt, struct.unpack(self.fmt, s[:5] + b"\x00\x00\x00")[0]) # noqa: E501
151class BTLEFeatureField(FlagsField):
152 def __init__(self, name, default):
153 super(BTLEFeatureField, self).__init__(
154 name, default, -64,
155 ['le_encryption',
156 'conn_par_req_proc',
157 'ext_reject_ind',
158 'slave_init_feat_exch',
159 'le_ping',
160 'le_data_len_ext',
161 'll_privacy',
162 'ext_scan_filter',
163 'le_2m_phy',
164 'tx_mod_idx',
165 'rx_mod_idx',
166 'le_coded_phy',
167 'le_ext_adv',
168 'le_periodic_adv',
169 'ch_sel_alg',
170 'le_pwr_class'
171 'min_used_channels',
172 'conn_cte_req',
173 'conn_cte_rsp',
174 'connless_cte_tx',
175 'connless_cte_rx',
176 'antenna_switching_cte_aod_tx',
177 'antenna_switching_cte_aoa_rx',
178 'cte_rx',
179 'periodic_adv_sync_transfer_tx',
180 'periodic_adv_sync_transfer_rx',
181 'sleep_clock_accuracy_updates',
182 'remote_public_key_validation',
183 'cis_central',
184 'cis_peripheral',
185 'iso_broadcaster',
186 'synchronized_receiver',
187 'connected_iso_host_support',
188 'le_power_control_request',
189 'le_power_control_request',
190 'le_path_loss_monitoring',
191 'periodic_adv_adi_support',
192 'connection_subrating',
193 'connection_subrating_host_support',
194 'channel_classification']
195 )
198class BTLEPhysField(FlagsField):
199 def __init__(self, name, default):
200 super(BTLEPhysField, self).__init__(
201 name, default, -8,
202 ['phy_1m', 'phy_2m', 'phy_coded']
203 )
206##########
207# Layers #
208##########
210class BTLE(Packet):
211 name = "BT4LE"
212 fields_desc = [
213 XLEIntField("access_addr", 0x8E89BED6),
214 X3BytesField("crc", None)
215 ]
217 @staticmethod
218 def compute_crc(pdu, init=0x555555):
219 def swapbits(a):
220 v = 0
221 if a & 0x80 != 0:
222 v |= 0x01
223 if a & 0x40 != 0:
224 v |= 0x02
225 if a & 0x20 != 0:
226 v |= 0x04
227 if a & 0x10 != 0:
228 v |= 0x08
229 if a & 0x08 != 0:
230 v |= 0x10
231 if a & 0x04 != 0:
232 v |= 0x20
233 if a & 0x02 != 0:
234 v |= 0x40
235 if a & 0x01 != 0:
236 v |= 0x80
237 return v
239 state = swapbits(init & 0xff) + (swapbits((init >> 8) & 0xff) << 8) + (swapbits((init >> 16) & 0xff) << 16) # noqa: E501
240 lfsr_mask = 0x5a6000
241 for i in (orb(x) for x in pdu):
242 for j in range(8):
243 next_bit = (state ^ i) & 1
244 i >>= 1
245 state >>= 1
246 if next_bit:
247 state |= 1 << 23
248 state ^= lfsr_mask
249 return struct.pack("<L", state)[:-1]
251 def post_build(self, p, pay):
252 # Switch payload and CRC
253 crc = p[-3:]
254 p = p[:-3] + pay
255 p += crc if self.crc is not None else self.compute_crc(p[4:])
256 return p
258 def post_dissect(self, s):
259 self.raw_packet_cache = None # Reset packet to allow post_build
260 return s
262 def pre_dissect(self, s):
263 # move crc
264 return s[:4] + s[-3:] + s[4:-3]
266 def hashret(self):
267 return struct.pack("!L", self.access_addr)
270class BTLE_ADV(Packet):
271 # BT Core 5.2 - 2.3 ADVERTISING PHYSICAL CHANNEL PDU
272 name = "BTLE advertising header"
273 fields_desc = [
274 BitEnumField("RxAdd", 0, 1, {0: "public",
275 1: "random"}),
276 BitEnumField("TxAdd", 0, 1, {0: "public",
277 1: "random"}),
278 # 4.5.8.3.1 - LE Channel Selection Algorithm #2
279 BitEnumField("ChSel", 0, 1, {1: "#2"}),
280 BitField("RFU", 0, 1), # Unused
281 BitEnumField("PDU_type", 0, 4, {0: "ADV_IND",
282 1: "ADV_DIRECT_IND",
283 2: "ADV_NONCONN_IND",
284 3: "SCAN_REQ",
285 4: "SCAN_RSP",
286 5: "CONNECT_IND",
287 6: "ADV_SCAN_IND"}),
288 XByteField("Length", None),
289 ]
291 def post_build(self, p, pay):
292 p += pay
293 if self.Length is None:
294 if len(pay) > 2:
295 l_pay = len(pay)
296 else:
297 l_pay = 0
298 p = p[:1] + chb(l_pay & 0xff) + p[2:]
299 if not isinstance(self.underlayer, BTLE):
300 self.add_underlayer(BTLE)
301 return p
304class BTLE_DATA(Packet):
305 name = "BTLE data header"
306 fields_desc = [
307 BitField("RFU", 0, 3), # Unused
308 BitField("MD", 0, 1),
309 BitField("SN", 0, 1),
310 BitField("NESN", 0, 1),
311 BitEnumField("LLID", 0, 2, {1: "continue", 2: "start", 3: "control"}),
312 ByteField("len", None),
313 ]
315 def post_build(self, p, pay):
316 if self.len is None:
317 p = p[:-1] + chb(len(pay))
318 return p + pay
321class BTLE_ADV_IND(Packet):
322 name = "BTLE ADV_IND"
323 fields_desc = [
324 BDAddrField("AdvA", None),
325 PacketListField("data", None, EIR_Hdr)
326 ]
329class BTLE_ADV_DIRECT_IND(Packet):
330 name = "BTLE ADV_DIRECT_IND"
331 fields_desc = [
332 BDAddrField("AdvA", None),
333 BDAddrField("InitA", None)
334 ]
337class BTLE_ADV_NONCONN_IND(BTLE_ADV_IND):
338 name = "BTLE ADV_NONCONN_IND"
341class BTLE_ADV_SCAN_IND(BTLE_ADV_IND):
342 name = "BTLE ADV_SCAN_IND"
345class BTLE_SCAN_REQ(Packet):
346 name = "BTLE scan request"
347 fields_desc = [
348 BDAddrField("ScanA", None),
349 BDAddrField("AdvA", None)
350 ]
352 def answers(self, other):
353 return BTLE_SCAN_RSP in other and self.AdvA == other.AdvA
356class BTLE_SCAN_RSP(Packet):
357 name = "BTLE scan response"
358 fields_desc = [
359 BDAddrField("AdvA", None),
360 PacketListField("data", None, EIR_Hdr)
361 ]
363 def answers(self, other):
364 return BTLE_SCAN_REQ in other and self.AdvA == other.AdvA
367class BTLE_CONNECT_REQ(Packet):
368 name = "BTLE connect request"
369 fields_desc = [
370 BDAddrField("InitA", None),
371 BDAddrField("AdvA", None),
372 # LLDATA
373 XIntField("AA", 0x00),
374 X3BytesField("crc_init", 0x0),
375 XByteField("win_size", 0x0),
376 XLEShortField("win_offset", 0x0),
377 XLEShortField("interval", 0x0),
378 XLEShortField("latency", 0x0),
379 XLEShortField("timeout", 0x0),
380 BTLEChanMapField("chM", 0),
381 BitField("SCA", 0, 3),
382 BitField("hop", 0, 5),
383 ]
386BTLE_Versions = {
387 6: '4.0',
388 7: '4.1',
389 8: '4.2',
390 9: '5.0',
391 10: '5.1',
392 11: '5.2',
393}
396BTLE_Corp_IDs = {
397 0xf: 'Broadcom Corporation',
398 0x59: 'Nordic Semiconductor ASA'
399}
402BTLE_BTLE_CTRL_opcode = {
403 0x00: 'LL_CONNECTION_UPDATE_REQ',
404 0x01: 'LL_CHANNEL_MAP_REQ',
405 0x02: 'LL_TERMINATE_IND',
406 0x03: 'LL_ENC_REQ',
407 0x04: 'LL_ENC_RSP',
408 0x05: 'LL_START_ENC_REQ',
409 0x06: 'LL_START_ENC_RSP',
410 0x07: 'LL_UNKNOWN_RSP',
411 0x08: 'LL_FEATURE_REQ',
412 0x09: 'LL_FEATURE_RSP',
413 0x0A: 'LL_PAUSE_ENC_REQ',
414 0x0B: 'LL_PAUSE_ENC_RSP',
415 0x0C: 'LL_VERSION_IND',
416 0x0D: 'LL_REJECT_IND',
417 0x0E: 'LL_SLAVE_FEATURE_REQ',
418 0x0F: 'LL_CONNECTION_PARAM_REQ',
419 0x10: 'LL_CONNECTION_PARAM_RSP',
420 0x14: 'LL_LENGTH_REQ',
421 0x15: 'LL_LENGTH_RSP',
422 0x16: 'LL_PHY_REQ',
423 0x17: 'LL_PHY_RSP',
424 0x18: 'LL_PHY_UPDATE_IND',
425 0x19: 'LL_MIN_USED_CHANNELS',
426 0x1A: 'LL_CTE_REQ',
427 0x1B: 'LL_CTE_RSP',
428 0x1C: 'LL_PERIODIC_SYNC_IND',
429 0x1D: 'LL_CLOCK_ACCURACY_REQ',
430 0x1E: 'LL_CLOCK_ACCURACY_RSP',
431 0x1F: 'LL_CIS_REQ',
432 0x20: 'LL_CIS_RSP',
433 0x21: 'LL_CIS_IND',
434 0x22: 'LL_CIS_TERMINATE_IND',
435 0x23: 'LL_POWER_CONTROL_REQ',
436 0x24: 'LL_POWER_CONTROL_RSP',
437 0x25: 'LL_POWER_CHANGE_IND',
438 0x26: 'LL_SUBRATE_REQ',
439 0x27: 'LL_SUBRATE_IND',
440 0x28: 'LL_CHANNEL_REPORTING_IND',
441 0x29: 'LL_CHANNEL_STATUS_IND',
442}
445class BTLE_EMPTY_PDU(Packet):
446 name = "Empty data PDU"
449class BTLE_CTRL(Packet):
450 name = "BTLE_CTRL"
451 fields_desc = [
452 ByteEnumField("opcode", 0, BTLE_BTLE_CTRL_opcode)
453 ]
456class LL_CONNECTION_UPDATE_IND(Packet):
457 name = 'LL_CONNECTION_UPDATE_IND'
458 fields_desc = [
459 XByteField("win_size", 0),
460 XLEShortField("win_offset", 0),
461 XLEShortField("interval", 6),
462 XLEShortField("latency", 0),
463 XLEShortField("timeout", 50),
464 XLEShortField("instant", 6),
465 ]
468class LL_CHANNEL_MAP_IND(Packet):
469 name = 'LL_CHANNEL_MAP_IND'
470 fields_desc = [
471 BTLEChanMapField("chM", 0xFFFFFFFFFE),
472 XLEShortField("instant", 0),
473 ]
476class LL_TERMINATE_IND(Packet):
477 name = 'LL_TERMINATE_IND'
478 fields_desc = [
479 XByteField("code", 0x0),
480 ]
483class LL_ENC_REQ(Packet):
484 name = 'LL_ENC_REQ'
485 fields_desc = [
486 XLELongField("rand", 0),
487 XLEShortField("ediv", 0),
488 XLELongField("skdm", 0),
489 XLEIntField("ivm", 0),
490 ]
493class LL_ENC_RSP(Packet):
494 name = 'LL_ENC_RSP'
495 fields_desc = [
496 XLELongField("skds", 0),
497 XLEIntField("ivs", 0),
498 ]
501class LL_START_ENC_REQ(Packet):
502 name = 'LL_START_ENC_REQ'
503 fields_desc = []
506class LL_START_ENC_RSP(Packet):
507 name = 'LL_START_ENC_RSP'
510class LL_UNKNOWN_RSP(Packet):
511 name = 'LL_UNKNOWN_RSP'
512 fields_desc = [
513 XByteField("code", 0x0),
514 ]
517class LL_FEATURE_REQ(Packet):
518 name = "LL_FEATURE_REQ"
519 fields_desc = [
520 BTLEFeatureField("feature_set", 0)
521 ]
524class LL_FEATURE_RSP(Packet):
525 name = "LL_FEATURE_RSP"
526 fields_desc = [
527 BTLEFeatureField("feature_set", 0)
528 ]
531class LL_PAUSE_ENC_REQ(Packet):
532 name = "LL_PAUSE_ENC_REQ"
535class LL_PAUSE_ENC_RSP(Packet):
536 name = "LL_PAUSE_ENC_RSP"
539class LL_VERSION_IND(Packet):
540 name = "LL_VERSION_IND"
541 fields_desc = [
542 ByteEnumField("version", 8, BTLE_Versions),
543 LEShortEnumField("company", 0, BTLE_Corp_IDs),
544 XLEShortField("subversion", 0)
545 ]
548class LL_REJECT_IND(Packet):
549 name = "LL_REJECT_IND"
550 fields_desc = [
551 XByteField("code", 0x0),
552 ]
555class LL_SLAVE_FEATURE_REQ(Packet):
556 name = "LL_SLAVE_FEATURE_REQ"
557 fields_desc = [
558 BTLEFeatureField("feature_set", 0)
559 ]
562class LL_CONNECTION_PARAM_REQ(Packet):
563 name = "LL_CONNECTION_PARAM_REQ"
564 fields_desc = [
565 XShortField("interval_min", 0x6),
566 XShortField("interval_max", 0x6),
567 XShortField("latency", 0x0),
568 XShortField("timeout", 0x0),
569 XByteField("preferred_periodicity", 0x0),
570 XShortField("reference_conn_evt_count", 0x0),
571 XShortField("offset0", 0x0),
572 XShortField("offset1", 0x0),
573 XShortField("offset2", 0x0),
574 XShortField("offset3", 0x0),
575 XShortField("offset4", 0x0),
576 XShortField("offset5", 0x0),
577 ]
580class LL_CONNECTION_PARAM_RSP(Packet):
581 name = "LL_CONNECTION_PARAM_RSP"
582 fields_desc = [
583 XShortField("interval_min", 0x6),
584 XShortField("interval_max", 0x6),
585 XShortField("latency", 0x0),
586 XShortField("timeout", 0x0),
587 XByteField("preferred_periodicity", 0x0),
588 XShortField("reference_conn_evt_count", 0x0),
589 XShortField("offset0", 0x0),
590 XShortField("offset1", 0x0),
591 XShortField("offset2", 0x0),
592 XShortField("offset3", 0x0),
593 XShortField("offset4", 0x0),
594 XShortField("offset5", 0x0),
595 ]
598class LL_REJECT_EXT_IND(Packet):
599 name = "LL_REJECT_EXT_IND"
600 fields_desc = [
601 XByteField("reject_opcode", 0x0),
602 XByteField("error_code", 0x0),
603 ]
606class LL_PING_REQ(Packet):
607 name = "LL_PING_REQ"
610class LL_PING_RSP(Packet):
611 name = "LL_PING_RSP"
614class LL_LENGTH_REQ(Packet):
615 name = ' LL_LENGTH_REQ'
616 fields_desc = [
617 XLEShortField("max_rx_bytes", 251),
618 XLEShortField("max_rx_time", 2120),
619 XLEShortField("max_tx_bytes", 251),
620 XLEShortField("max_tx_time", 2120),
621 ]
624class LL_LENGTH_RSP(Packet):
625 name = ' LL_LENGTH_RSP'
626 fields_desc = [
627 XLEShortField("max_rx_bytes", 251),
628 XLEShortField("max_rx_time", 2120),
629 XLEShortField("max_tx_bytes", 251),
630 XLEShortField("max_tx_time", 2120),
631 ]
634class LL_PHY_REQ(Packet):
635 name = "LL_PHY_REQ"
636 fields_desc = [
637 BTLEPhysField('tx_phys', 0),
638 BTLEPhysField('rx_phys', 0),
639 ]
642class LL_PHY_RSP(Packet):
643 name = "LL_PHY_RSP"
644 fields_desc = [
645 BTLEPhysField('tx_phys', 0),
646 BTLEPhysField('rx_phys', 0),
647 ]
650class LL_PHY_UPDATE_IND(Packet):
651 name = "LL_PHY_UPDATE_IND"
652 fields_desc = [
653 BTLEPhysField('tx_phy', 0),
654 BTLEPhysField('rx_phy', 0),
655 XShortField("instant", 0x0),
656 ]
659class LL_MIN_USED_CHANNELS_IND(Packet):
660 name = "LL_MIN_USED_CHANNELS_IND"
661 fields_desc = [
662 BTLEPhysField('phys', 0),
663 ByteField("min_used_channels", 2),
664 ]
667class LL_CTE_REQ(Packet):
668 name = "LL_CTE_REQ"
669 fields_desc = [
670 LEBitField('min_cte_len_req', 0, 5),
671 LEBitField('rfu', 0, 1),
672 LEBitField("cte_type_req", 0, 2)
673 ]
676class LL_CTE_RSP(Packet):
677 name = "LL_CTE_RSP"
678 fields_desc = []
681class LL_PERIODIC_SYNC_IND(Packet):
682 name = "LL_PERIODIC_SYNC_IND"
683 fields_desc = [
684 XLEShortField("id", 251),
685 LEBitField("sync_info", 0, 18 * 8),
686 XLEShortField("conn_event_count", 0),
687 XLEShortField("last_pa_event_counter", 0),
688 LEBitField('sid', 0, 4),
689 LEBitField('a_type', 0, 1),
690 LEBitField('sca', 0, 3),
691 BTLEPhysField('phy', 0),
692 BDAddrField("AdvA", None),
693 XLEShortField("sync_conn_event_count", 0),
694 ]
697class LL_CLOCK_ACCURACY_REQ(Packet):
698 name = "LL_CLOCK_ACCURACY_REQ"
699 fields_desc = [
700 XByteField("sca", 0),
701 ]
704class LL_CLOCK_ACCURACY_RSP(Packet):
705 name = "LL_CLOCK_ACCURACY_RSP"
706 fields_desc = [
707 XByteField("sca", 0),
708 ]
711class LL_CIS_REQ(Packet):
712 name = 'LL_CIS_REQ'
713 fields_desc = [
714 XByteField("cig_id", 0),
715 XByteField("cis_id", 0),
716 BTLEPhysField('phy_c_to_p', 0),
717 BTLEPhysField('phy_p_to_c', 0),
718 LEBitField('max_sdu_c_to_p', 0, 12),
719 LEBitField('rfu1', 0, 3),
720 LEBitField('framed', 0, 1),
721 LEBitField('max_sdu_p_to_c', 0, 12),
722 LEBitField('rfu2', 0, 4),
723 LEBitField('sdu_interval_c_to_p', 0, 20),
724 LEBitField('rfu3', 0, 4),
725 LEBitField('sdu_interval_p_to_c', 0, 20),
726 LEBitField('rfu4', 0, 4),
727 XLEShortField("max_pdu_c_to_p", 0),
728 XLEShortField("max_pdu_p_to_c", 0),
729 XByteField("nse", 0),
730 X3BytesField("subinterval", 0x0),
731 LEBitField('bn_c_to_p', 0, 4),
732 LEBitField('bn_p_to_c', 0, 4),
733 ByteField("ft_c_to_p", 0),
734 ByteField("ft_p_to_c", 0),
735 XLEShortField("iso_interval", 0),
736 X3BytesField("cis_offset_min", 0x0),
737 X3BytesField("cis_offset_max", 0x0),
738 XLEShortField("conn_event_count", 0),
739 ]
742class LL_CIS_RSP(Packet):
743 name = 'LL_CIS_RSP'
744 fields_desc = [
745 X3BytesField("cis_offset_min", 0x0),
746 X3BytesField("cis_offset_max", 0x0),
747 XLEShortField("conn_event_count", 0),
748 ]
751class LL_CIS_IND(Packet):
752 name = 'LL_CIS_IND'
753 fields_desc = [
754 XIntField("AA", 0x00),
755 X3BytesField("cis_offset", 0x0),
756 X3BytesField("cig_sync_delay", 0x0),
757 X3BytesField("cis_sync_delay", 0x0),
758 XLEShortField("conn_event_count", 0),
759 ]
762class LL_CIS_TERMINATE_IND(Packet):
763 name = 'LL_CIS_TERMINATE_IND'
764 fields_desc = [
765 ByteField("cig_id", 0x0),
766 ByteField("cis_id", 0x0),
767 ByteField("error_code", 0x0),
768 ]
771class LL_POWER_CONTROL_REQ(Packet):
772 name = 'LL_POWER_CONTROL_REQ'
773 fields_desc = [
774 ByteField("phy", 0x0),
775 SignedByteField("delta", 0x0),
776 SignedByteField("tx_power", 0x0),
777 ]
780class LL_POWER_CONTROL_RSP(Packet):
781 name = 'LL_POWER_CONTROL_RSP'
782 fields_desc = [
783 LEBitField("min", 0, 1),
784 LEBitField("max", 0, 1),
785 LEBitField("rfu", 0, 6),
786 SignedByteField("delta", 0),
787 SignedByteField("tx_power", 0x0),
788 ByteField("apr", 0x0),
789 ]
792class LL_POWER_CHANGE_IND(Packet):
793 name = 'LL_POWER_CHANGE_IND'
794 fields_desc = [
795 ByteField("phy", 0x0),
796 LEBitField("min", 0, 1),
797 LEBitField("max", 0, 1),
798 LEBitField("rfu", 0, 6),
799 SignedByteField("delta", 0),
800 ByteField("tx_power", 0x0),
801 ]
804class LL_SUBRATE_REQ(Packet):
805 name = 'LL_SUBRATE_REQ'
806 fields_desc = [
807 LEShortField("subrate_factor_min", 0x0),
808 LEShortField("subrate_factor_max", 0x0),
809 LEShortField("max_latency", 0x0),
810 LEShortField("continuation_number", 0x0),
811 LEShortField("timeout", 0x0),
812 ]
815class LL_SUBRATE_IND(Packet):
816 name = 'LL_SUBRATE_IND'
817 fields_desc = [
818 LEShortField("subrate_factor", 0x0),
819 LEShortField("subrate_base_event", 0x0),
820 LEShortField("latency", 0x0),
821 LEShortField("continuation_number", 0x0),
822 LEShortField("timeout", 0x0),
823 ]
826class LL_CHANNEL_REPORTING_IND(Packet):
827 name = 'LL_SUBRATE_IND'
828 fields_desc = [
829 ByteField("enable", 0x0),
830 ByteField("min_spacing", 0x0),
831 ByteField("max_delay", 0x0),
832 ]
835class LL_CHANNEL_STATUS_IND(Packet):
836 name = 'LL_CHANNEL_STATUS_IND'
837 fields_desc = [
838 LEBitField("channel_classification", 0, 10 * 8),
839 ]
842# Advertisement (37-39) channel PDUs
843bind_layers(BTLE, BTLE_ADV, access_addr=0x8E89BED6)
844bind_layers(BTLE, BTLE_DATA)
845bind_layers(BTLE_ADV, BTLE_ADV_IND, PDU_type=0)
846bind_layers(BTLE_ADV, BTLE_ADV_DIRECT_IND, PDU_type=1)
847bind_layers(BTLE_ADV, BTLE_ADV_NONCONN_IND, PDU_type=2)
848bind_layers(BTLE_ADV, BTLE_SCAN_REQ, PDU_type=3)
849bind_layers(BTLE_ADV, BTLE_SCAN_RSP, PDU_type=4)
850bind_layers(BTLE_ADV, BTLE_CONNECT_REQ, PDU_type=5)
851bind_layers(BTLE_ADV, BTLE_ADV_SCAN_IND, PDU_type=6)
853# Data channel (0-36) PDUs
854# LLID=1 -> Continue
855bind_layers(BTLE_DATA, L2CAP_Hdr, LLID=2)
856bind_layers(BTLE_DATA, BTLE_CTRL, LLID=3)
857bind_layers(BTLE_DATA, BTLE_EMPTY_PDU, {'len': 0, 'LLID': 1})
858bind_layers(BTLE_CTRL, LL_CONNECTION_UPDATE_IND, opcode=0x00)
859bind_layers(BTLE_CTRL, LL_CHANNEL_MAP_IND, opcode=0x01)
860bind_layers(BTLE_CTRL, LL_TERMINATE_IND, opcode=0x02)
861bind_layers(BTLE_CTRL, LL_ENC_REQ, opcode=0x03)
862bind_layers(BTLE_CTRL, LL_ENC_RSP, opcode=0x04)
863bind_layers(BTLE_CTRL, LL_START_ENC_REQ, opcode=0x05)
864bind_layers(BTLE_CTRL, LL_START_ENC_RSP, opcode=0x06)
865bind_layers(BTLE_CTRL, LL_UNKNOWN_RSP, opcode=0x07)
866bind_layers(BTLE_CTRL, LL_FEATURE_REQ, opcode=0x08)
867bind_layers(BTLE_CTRL, LL_FEATURE_RSP, opcode=0x09)
868bind_layers(BTLE_CTRL, LL_PAUSE_ENC_REQ, opcode=0x0A)
869bind_layers(BTLE_CTRL, LL_PAUSE_ENC_RSP, opcode=0x0B)
870bind_layers(BTLE_CTRL, LL_VERSION_IND, opcode=0x0C)
871bind_layers(BTLE_CTRL, LL_REJECT_IND, opcode=0x0D)
872bind_layers(BTLE_CTRL, LL_SLAVE_FEATURE_REQ, opcode=0x0E)
873bind_layers(BTLE_CTRL, LL_CONNECTION_PARAM_REQ, opcode=0x0F)
874bind_layers(BTLE_CTRL, LL_CONNECTION_PARAM_RSP, opcode=0x10)
875bind_layers(BTLE_CTRL, LL_REJECT_EXT_IND, opcode=0x11)
876bind_layers(BTLE_CTRL, LL_PING_REQ, opcode=0x12)
877bind_layers(BTLE_CTRL, LL_PING_RSP, opcode=0x13)
878bind_layers(BTLE_CTRL, LL_LENGTH_REQ, opcode=0x14)
879bind_layers(BTLE_CTRL, LL_LENGTH_RSP, opcode=0x15)
880bind_layers(BTLE_CTRL, LL_PHY_REQ, opcode=0x16)
881bind_layers(BTLE_CTRL, LL_PHY_RSP, opcode=0x17)
882bind_layers(BTLE_CTRL, LL_PHY_UPDATE_IND, opcode=0x18)
883bind_layers(BTLE_CTRL, LL_MIN_USED_CHANNELS_IND, opcode=0x19)
884bind_layers(BTLE_CTRL, LL_CTE_REQ, opcode=0x1A)
885bind_layers(BTLE_CTRL, LL_CTE_RSP, opcode=0x1B)
886bind_layers(BTLE_CTRL, LL_PERIODIC_SYNC_IND, opcode=0x1C)
887bind_layers(BTLE_CTRL, LL_CLOCK_ACCURACY_REQ, opcode=0x1D)
888bind_layers(BTLE_CTRL, LL_CLOCK_ACCURACY_RSP, opcode=0x1E)
889bind_layers(BTLE_CTRL, LL_CIS_REQ, opcode=0x1F)
890bind_layers(BTLE_CTRL, LL_CIS_RSP, opcode=0x20)
891bind_layers(BTLE_CTRL, LL_CIS_IND, opcode=0x21)
892bind_layers(BTLE_CTRL, LL_CIS_TERMINATE_IND, opcode=0x22)
893bind_layers(BTLE_CTRL, LL_POWER_CONTROL_REQ, opcode=0x23)
894bind_layers(BTLE_CTRL, LL_POWER_CONTROL_RSP, opcode=0x24)
895bind_layers(BTLE_CTRL, LL_POWER_CHANGE_IND, opcode=0x25)
896bind_layers(BTLE_CTRL, LL_SUBRATE_REQ, opcode=0x26)
897bind_layers(BTLE_CTRL, LL_SUBRATE_IND, opcode=0x27)
898bind_layers(BTLE_CTRL, LL_CHANNEL_REPORTING_IND, opcode=0x28)
899bind_layers(BTLE_CTRL, LL_CHANNEL_STATUS_IND, opcode=0x29)
902conf.l2types.register(DLT_BLUETOOTH_LE_LL, BTLE)
903conf.l2types.register(DLT_BLUETOOTH_LE_LL_WITH_PHDR, BTLE_RF)
905bind_layers(BTLE_RF, BTLE)
907bind_layers(PPI_Hdr, BTLE_PPI, pfh_type=PPI_BTLE)