android bluetooth l2cap data flow

just read code find data flow

sending_a_message.png

hciacl-l2cap_dataflow.png

add print in kernel and capture l2cap packet

I add follow print code in l2cap_sock.c, after compare with the capture file, we know that skb->len is l2cap packet length, skb->data is l2cap packet data

static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
{
    struct hci_conn *hcon = chan->conn->hcon;
    unsigned char buffer[0x1000];
    unsigned char* p  = buffer;
    u16 flags;
    //change to printk
    printk("chan %p, skb %p len 0x%x priority %u", chan, skb, skb->len,
           skb->priority);
    int i=0;
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    for(i=0;i<skb->len && p<buffer+sizeof(buffer)-2;i++){
        sprintf(p,"0x%2x ",skb->data[i]);
        p=p+5;
    }
    *p='\n';
    *(p+1)='\0';
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    printk(buffer);
    if (chan->hs_hcon && !__chan_is_moving(chan)) {
        if (chan->hs_hchan)
            hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
        else
            kfree_skb(skb);

        return;
    }

Screenshot from 2018-09-25 16-07-53.png

Screenshot from 2018-09-25 16-10-11.png

Screenshot from 2018-09-25 16-11-13.png

change the packet length and content

I add following code

int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len){
...
char* mydata="413x-send-data";
memcpy(skb->data+8,mydata,sizeof(mydata));
skb->len=0x10;
l2cap_do_send(chan, skb);
...

get bluetooth snoop from pixel, use wireshark to open it

Screenshot from 2018-09-25 17-50-13.png