Saved in:
| Author: | |
|---|---|
| Material Type: | Digital resource |
| Language: | |
| Published: | Zenodo, 2026 |
| Subjects: | |
| Online Access: | https://doi.org/10.5281/zenodo.19897655 |
Summary:
Bluetooth security research lives in three historically separate tool lineages: standards-level attack proofs of concept, single-layer protocol fuzzers, and below-HCI instrumentation frameworks built from scratch for one chipset family. Practitioners assessing an automotive in-vehicle infotainment (IVI) system must stitch these together by hand, yielding non-reproducible assessments that miss the informationally richer view available from the controller side. Even when a host-side probe can detect a CVE by its side effects, host-only tooling cannot read controller RAM or capture LMP. DarkFirmware originated as a reverse-engineering scaffold by Dark Mentor LLC and was extended by us into a 4-hook RTL8761B controller-firmware interception platform with 2,866 reverse-engineered functions. Below-HCI interception is also the only path to active exploitation of LMP-resident bugs (KNOB / BIAS / BLUFFS / BrakTooth-class) and to triggering raw-ACL flaws (BlueFrag).

We present Blue-Tap, a unified Bluetooth pentest framework deployable on commodity USB hardware. Blue-Tap contributes: (1) a 4-hook below-HCI interception platform for the Realtek RTL8761B, released as our open-source DarkFirmware fork that extends the upstream Dark Mentor LLC project with the hook architecture, 6 in-flight modification modes, expanded reverse engineering (slot stride 0x2B8, encryption flag at +0x26, link-key COMB_KEY XOR offset +0x51), and a 16-script assessment toolkit, all exposed to the Blue-Tap module surface via a Python integration layer with post-reset HCI re-resolution; (2) a coverage-guided fuzzer spanning 14 corpus-backed protocols and 16 transport-mapped surfaces with 7,400+ pre-generated seeds, protocol-aware field-weight tracking, response-diversity coverage, and behavioural crash deduplication; (3) 25 CVE detection modules covering 27 unique CVE IDs (2017–2026), 11 non-CVE vulnerability checks, 29 DoS probes (10 CVE-backed), 9 active-exploitation modules, and 7 post-exploitation modules, all backed by structured evidence; and (4) a typed RunEnvelope data contract with atomic session persistence, yielding bit-identical reports across runs.