
Add several improvements, and merge PR2, PR6

Open Eliot-Roxbergh opened this issue 1 year ago • 0 comments

I merged PRs and added several improvements and documentation. I hope it could be of help to someone.

Changelog

Merge pull requests

Build

  • Remove .python-version to avoid forcing old Python
  • Use latest dependencies in requirements.txt, and add related fixes to ensure it builds on Ubuntu 24.04.

New features

  • Also use a manual connection scan (in addition to the SDP scan) when looking for services in commandline mode.
  • Add function ensure_bluetooth_up that restarts bluetooth until an adapter is found, as reset_bluetooth may not always bring the adapter back up.
  • Automatically run adb logcat on each hard crash, if possible, and save the last 5000 entries to a .log file on disk.
    This results in the original (.wrt) logfile per target port, as well as a new (.adb.log) file with the logcat dump for each hard crash.
    To determine which run (.wrt file) resulted in a specific hard crash (.adb.log), grep for the timestamp in the filename to find the corresponding entry in the .wrt log for the run.
  • Add command "scan-only" to only list all discovered services in commandline mode, without fuzzing.
  • Add Bash script to automatically fuzz all ports that were discovered as open on target.
    This was done in a Bash script to avoid using state from earlier fuzzing rounds as it otherwise would be run in the same single Python process.

Exceptions and failure behavior

  • Ignore several exceptions and try to continue anyway (add time.sleep, and restart the bluetooth adapter or reset the socket/state machine when necessary), to avoid fuzzing failing early. For some major unexpected exceptions the fuzzer will be retried up to five times (arbitrary number) until it gives up.
  • Instead of defaulting to PSM/port 1 on connection error, continue using the requested port, to avoid confusion. Note that you may want to troubleshoot this error still.

Logging

  • Instead of log truncation, which deletes a lot of the logs, simply log everything but limit each run to 50 million packets (!) (as this limits the file to about 1-2GB).
  • Clarify print outs and comments regarding which crashes are "soft" and can be ignored, or "hard" which are the ones written to log.
  • Update log filename to contain the port that the user requested (note: as normally, the program still scans other ports as well, which are still saved to this file; these packets are still differentiated by the psm field that holds the port used for that specific packet).
  • Save timestamp earlier after a crash to get slightly better precision.

Other

  • Update README to use venv, and add Details and Recommendations

Eliot-Roxbergh, Feb 21 '25 16:02
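The changelog above says that each hard crash now produces a separate .adb.log logcat dump next to the per-port .wrt run log, and that the two are matched by grepping for the timestamp in the dump's filename. The following is an added example of that triage step, not code from l2fuzz or this PR: it indexes the hard-crash lines of the .wrt logs by timestamp and maps every .adb.log dump to its originating entries, flagging dumps that have no match. The filename pattern (`<base>_<port>_<YYYYmmdd-HHMMSS>.adb.log`), the .wrt line layout (`[YYYYmmdd-HHMMSS] psm=<n> hard|soft crash ...`), and the sample logs are assumptions constructed for the example; adjust the two regexes to the real layout.

```python
"""Correlate per-crash logcat dumps (.adb.log) with l2fuzz-style .wrt run logs.

Added example, not l2fuzz's own code. The filename and log-line formats
below are ASSUMPTIONS for the example, not the tool's real layout.
"""
import re
from typing import Dict, Iterable, List, Tuple

# ASSUMED dump naming: <base>_<requested port>_<YYYYmmdd-HHMMSS>.adb.log
CRASH_NAME_RE = re.compile(
    r"^(?P<base>.+?)_(?P<port>\d+)_(?P<ts>\d{8}-\d{6})\.adb\.log$"
)
# ASSUMED .wrt line layout: "[YYYYmmdd-HHMMSS] psm=<n> hard|soft crash ..."
WRT_LINE_RE = re.compile(
    r"^\[(?P<ts>\d{8}-\d{6})\]\s+psm=(?P<psm>\d+)\s+(?P<kind>hard|soft)\s+crash\b"
)

# Constructed sample data (not real fuzzer output).
WRT_LOG_A = (
    "[20250221-160201] psm=1 soft crash, ignored\n"
    "[20250221-160205] psm=1 hard crash on packet 4123\n"
    "[20250221-160207] psm=1 reconnect ok\n"
)
WRT_LOG_B = "[20250221-160330] psm=3 hard crash on packet 77\n"
CRASH_FILES = [
    "l2fuzz_1_20250221-160205.adb.log",
    "l2fuzz_3_20250221-160330.adb.log",
    "l2fuzz_1_20250221-160900.adb.log",  # no matching .wrt entry: orphan dump
]


def timestamp_from_crash_filename(name: str) -> Tuple[str, int]:
    """Return (timestamp, requested port) encoded in an .adb.log filename."""
    m = CRASH_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an adb crash log name: {name!r}")
    return m.group("ts"), int(m.group("port"))


def hard_crash_entries(wrt_text: str) -> List[Tuple[str, int, str]]:
    """Return (timestamp, psm, line) for each hard crash; soft crashes are skipped."""
    found = []
    for line in wrt_text.splitlines():
        m = WRT_LINE_RE.match(line)
        if m and m.group("kind") == "hard":
            found.append((m.group("ts"), int(m.group("psm")), line))
    return found


def correlate(crash_files: Iterable[str],
              wrt_logs: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each .adb.log name to the (wrt filename, line) pairs with the same timestamp.

    The port in the dump name is the *requested* port, while psm is the port of
    the packet that crashed the target; they may legitimately differ, so the
    match is on timestamp only and the psm is left in the returned line.
    """
    by_ts: Dict[str, List[Tuple[str, str]]] = {}
    for wrt_name, text in wrt_logs.items():
        for ts, _psm, line in hard_crash_entries(text):
            by_ts.setdefault(ts, []).append((wrt_name, line))
    result: Dict[str, List[Tuple[str, str]]] = {}
    for name in crash_files:
        ts, _port = timestamp_from_crash_filename(name)
        result[name] = by_ts.get(ts, [])
    return result


def orphans(correlation: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Dumps with no .wrt entry at their timestamp: worth a manual look."""
    return [name for name, hits in correlation.items() if not hits]


if __name__ == "__main__":
    mapping = correlate(CRASH_FILES, {"a.wrt": WRT_LOG_A, "b.wrt": WRT_LOG_B})
    for dump, hits in mapping.items():
        print(dump)
        for wrt_name, line in hits:
            print(f"    {wrt_name}: {line}")
    print("orphan dumps:", orphans(mapping))
```

Run it against a directory by listing the `*.adb.log` names and reading each `*.wrt` file into the `wrt_logs` dict; an orphan dump usually means the timestamp was written with a different clock or the .wrt file was cut by the per-run packet limit.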