diff --git a/scapy/layers/bluetooth.py b/scapy/layers/bluetooth.py
index 56310becd8deedfeca0ed79a2e31810a2ded330b..8d80bdccb5a82b3ca979244faf8df34d9db12b2c 100644
--- a/scapy/layers/bluetooth.py
+++ b/scapy/layers/bluetooth.py
@@ -26,6 +26,13 @@ class XLEShortField(LEShortField):
def i2repr(self, pkt, x):
return lhex(self.i2h(pkt, x))
+class XLELongField(LEShortField):
+ def __init__(self, name, default):
+ Field.__init__(self, name, default, "<Q")
+ def i2repr(self, pkt, x):
+ return lhex(self.i2h(pkt, x))
+
+
class LEMACField(Field):
def __init__(self, name, default):
Field.__init__(self, name, default, "6s")
@@ -88,7 +95,8 @@ class L2CAP_CmdHdr(Packet):
ByteEnumField("code",8,{1:"rej",2:"conn_req",3:"conn_resp",
4:"conf_req",5:"conf_resp",6:"disconn_req",
7:"disconn_resp",8:"echo_req",9:"echo_resp",
- 10:"info_req",11:"info_resp"}),
+ 10:"info_req",11:"info_resp", 18:"conn_param_update_req",
+ 19:"conn_param_update_resp"}),
ByteField("id",0),
LEShortField("len",None) ]
def post_build(self, p, pay):
@@ -101,7 +109,7 @@ class L2CAP_CmdHdr(Packet):
if other.id == self.id:
if self.code == 1:
return 1
- if other.code in [2,4,6,8,10] and self.code == other.code+1:
+ if other.code in [2,4,6,8,10,18] and self.code == other.code+1:
if other.code == 8:
return 1
return self.payload.answers(other.payload)
@@ -175,6 +183,19 @@ class L2CAP_InfoResp(Packet):
def answers(self, other):
return self.type == other.type
+
+class L2CAP_Connection_Parameter_Update_Request(Packet):
+ name = "L2CAP Connection Parameter Update Request"
+ fields_desc = [ LEShortField("min_interval", 0),
+ LEShortField("max_interval", 0),
+ LEShortField("slave_latency", 0),
+ LEShortField("timeout_mult", 0), ]
+
+
+class L2CAP_Connection_Parameter_Update_Response(Packet):
+ name = "L2CAP Connection Parameter Update Response"
+ fields_desc = [ LEShortField("move_result", 0), ]
+
class ATT_Hdr(Packet):
name = "ATT header"
@@ -216,11 +237,18 @@ class ATT_Find_By_Type_Value_Response(Packet):
name = "Find By Type Value Response"
fields_desc = [ StrField("handles", ""), ]
+class ATT_Read_By_Type_Request_128bit(Packet):
+ name = "Read By Type Request"
+ fields_desc = [ XLEShortField("start", 0x0001),
+ XLEShortField("end", 0xffff),
+ XLELongField("uuid1", None),
+ XLELongField("uuid2", None)]
+
class ATT_Read_By_Type_Request(Packet):
name = "Read By Type Request"
fields_desc = [ XLEShortField("start", 0x0001),
XLEShortField("end", 0xffff),
- XLEShortField("uuid", None), ]
+ XLEShortField("uuid", None)]
class ATT_Read_By_Type_Response(Packet):
name = "Read By Type Response"
@@ -311,6 +339,19 @@ class SM_Master_Identification(Packet):
name = "Master Identification"
fields_desc = [ XLEShortField("ediv", 0),
StrFixedLenField("rand", '\x00' * 8, 8), ]
+
+class SM_Identity_Information(Packet):
+ name = "Identity Information"
+ fields_desc = [ StrFixedLenField("irk", '\x00' * 16, 16), ]
+
+class SM_Identity_Address_Information(Packet):
+ name = "Identity Address Information"
+ fields_desc = [ ByteEnumField("atype", 0, {0:"public"}),
+ LEMACField("address", None), ]
+
+class SM_Signing_Information(Packet):
+ name = "Signing Information"
+ fields_desc = [ StrFixedLenField("csrk", '\x00' * 16, 16), ]
class EIR_Hdr(Packet):
@@ -483,6 +524,16 @@ class HCI_Cmd_LE_Create_Connection(Packet):
LEShortField("timeout", 42),
LEShortField("min_ce", 0),
LEShortField("max_ce", 0), ]
+
+class HCI_Cmd_LE_Connection_Update(Packet):
+ name = "LE Connection Update"
+ fields_desc = [ LEShortField("conn_handle", 64),
+ LEShortField("conn_interval_min", 0),
+ LEShortField("conn_interval_max", 0),
+ LEShortField("conn_latency", 0),
+ LEShortField("timeout", 600),
+ LEShortField("min_ce_len", 0),
+ LEShortField("max_ce_len", 0),]
class HCI_Cmd_LE_Create_Connection_Cancel(Packet):
name = "LE Create Connection Cancel"
@@ -514,6 +565,13 @@ class HCI_Cmd_LE_Set_Advertise_Enable(Packet):
name = "LE Set Advertise Enable"
fields_desc = [ ByteField("enable", 0) ]
+class HCI_Cmd_LE_Start_Encryption_Request(Packet):
+ name = "LE Start Encryption"
+ fields_desc = [ LEShortField("handle", 0),
+ StrFixedLenField("rand", None, 8),
+ XLEShortField("ediv", 0),
+ StrFixedLenField("ltk", '\x00' * 16, 16), ]
+
class HCI_Cmd_LE_Long_Term_Key_Request_Negative_Reply(Packet):
name = "LE Long Term Key Request Negative Reply"
fields_desc = [ LEShortField("handle", 0), ]
@@ -621,6 +679,11 @@ bind_layers( HCI_Command_Hdr, HCI_Cmd_LE_Set_Scan_Enable, opcode=0x200c)
bind_layers( HCI_Command_Hdr, HCI_Cmd_Disconnect, opcode=0x406)
bind_layers( HCI_Command_Hdr, HCI_Cmd_LE_Create_Connection, opcode=0x200d)
bind_layers( HCI_Command_Hdr, HCI_Cmd_LE_Create_Connection_Cancel, opcode=0x200e)
+bind_layers( HCI_Command_Hdr, HCI_Cmd_LE_Connection_Update, opcode=0x2013)
+
+
+bind_layers( HCI_Command_Hdr, HCI_Cmd_LE_Start_Encryption_Request, opcode=0x2019)
+
bind_layers( HCI_Command_Hdr, HCI_Cmd_LE_Long_Term_Key_Request_Reply, opcode=0x201a)
bind_layers( HCI_Command_Hdr, HCI_Cmd_LE_Long_Term_Key_Request_Negative_Reply, opcode=0x201b)
@@ -630,7 +693,6 @@ bind_layers( HCI_Event_Hdr, HCI_Event_Command_Complete, code=0xe)
bind_layers( HCI_Event_Hdr, HCI_Event_Command_Status, code=0xf)
bind_layers( HCI_Event_Hdr, HCI_Event_Number_Of_Completed_Packets, code=0x13)
bind_layers( HCI_Event_Hdr, HCI_Event_LE_Meta, code=0x3e)
-
bind_layers( HCI_Event_Command_Complete, HCI_Cmd_Complete_Read_BD_Addr, opcode=0x1009)
bind_layers( HCI_Event_LE_Meta, HCI_LE_Meta_Connection_Complete, event=1)
@@ -648,6 +710,7 @@ bind_layers(EIR_Hdr, EIR_Raw)
bind_layers( HCI_ACL_Hdr, L2CAP_Hdr, )
bind_layers( L2CAP_Hdr, L2CAP_CmdHdr, cid=1)
+bind_layers( L2CAP_Hdr, L2CAP_CmdHdr, cid=5) #LE L2CAP Signaling Channel
bind_layers( L2CAP_CmdHdr, L2CAP_CmdRej, code=1)
bind_layers( L2CAP_CmdHdr, L2CAP_ConnReq, code=2)
bind_layers( L2CAP_CmdHdr, L2CAP_ConnResp, code=3)
@@ -657,6 +720,8 @@ bind_layers( L2CAP_CmdHdr, L2CAP_DisconnReq, code=6)
bind_layers( L2CAP_CmdHdr, L2CAP_DisconnResp, code=7)
bind_layers( L2CAP_CmdHdr, L2CAP_InfoReq, code=10)
bind_layers( L2CAP_CmdHdr, L2CAP_InfoResp, code=11)
+bind_layers( L2CAP_CmdHdr, L2CAP_Connection_Parameter_Update_Request, code=18)
+bind_layers( L2CAP_CmdHdr, L2CAP_Connection_Parameter_Update_Response, code=19)
bind_layers( L2CAP_Hdr, ATT_Hdr, cid=4)
bind_layers( ATT_Hdr, ATT_Error_Response, opcode=0x1)
bind_layers( ATT_Hdr, ATT_Exchange_MTU_Request, opcode=0x2)
@@ -666,6 +731,7 @@ bind_layers( ATT_Hdr, ATT_Find_Information_Response, opcode=0x5)
bind_layers( ATT_Hdr, ATT_Find_By_Type_Value_Request, opcode=0x6)
bind_layers( ATT_Hdr, ATT_Find_By_Type_Value_Response, opcode=0x7)
bind_layers( ATT_Hdr, ATT_Read_By_Type_Request, opcode=0x8)
+bind_layers( ATT_Hdr, ATT_Read_By_Type_Request_128bit, opcode=0x8)
bind_layers( ATT_Hdr, ATT_Read_By_Type_Response, opcode=0x9)
bind_layers( ATT_Hdr, ATT_Read_Request, opcode=0xa)
bind_layers( ATT_Hdr, ATT_Read_Response, opcode=0xb)
@@ -683,6 +749,10 @@ bind_layers( SM_Hdr, SM_Random, sm_command=4)
bind_layers( SM_Hdr, SM_Failed, sm_command=5)
bind_layers( SM_Hdr, SM_Encryption_Information, sm_command=6)
bind_layers( SM_Hdr, SM_Master_Identification, sm_command=7)
+bind_layers( SM_Hdr, SM_Identity_Information, sm_command=8)
+bind_layers( SM_Hdr, SM_Identity_Address_Information, sm_command=9)
+bind_layers( SM_Hdr, SM_Signing_Information, sm_command=0x0a)
+
class BluetoothL2CAPSocket(SuperSocket):
desc = "read/write packets on a connected L2CAP socket"
@@ -770,7 +840,7 @@ class BluetoothUserSocket(SuperSocket):
self.send(cmd)
while True:
r = self.recv()
- if r.code == 0xe and r.opcode == opcode:
+ if r.type == 0x04 and r.code == 0xe and r.opcode == opcode:
if r.status != 0:
raise BluetoothCommandError("Command %x failed with %x" % (opcode, r.status))
return r