Android Bluetooth L2CAP data flow
Just read the code to find the data flow.
[Figure: sending_a_message.png]
[Figure: hciacl-l2cap_dataflow.png]
Add a print in the kernel and capture the L2CAP packet
I added the following print code in l2cap_sock.c. After comparing with the capture file, we know that skb->len is the L2CAP packet length and skb->data is the L2CAP packet data.
static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
{
	struct hci_conn *hcon = chan->conn->hcon;
	/* Debug-only hex dump of the outgoing frame: each byte takes 5 chars
	 * ("0xNN "), followed by "\n\0". A 4 KiB array is a lot of kernel
	 * stack, so keep this hack out of production builds. */
	char buffer[0x1000];
	char *p = buffer;
	u16 flags;
	int i;

	/* original is BT_DBG(); changed to printk so it always shows */
	printk("chan %p, skb %p len 0x%x priority %u\n", chan, skb, skb->len,
	       skb->priority);
	/* ++++++++ added: stop while 5 bytes plus "\n\0" still fit ++++++++ */
	for (i = 0; i < skb->len && p + 7 <= buffer + sizeof(buffer); i++) {
		sprintf(p, "0x%02x ", skb->data[i]);	/* %2x would pad with spaces */
		p += 5;
	}
	*p = '\n';
	*(p + 1) = '\0';
	/* +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ */
	printk("%s", buffer);	/* never pass packet bytes as the format string */

	if (chan->hs_hcon && !__chan_is_moving(chan)) {
		if (chan->hs_hchan)
			hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
		else
			kfree_skb(skb);
		return;
	}
	/* ... rest of the original function unchanged ... */
}
[Figure: Screenshot from 2018-09-25 16-07-53.png]
[Figure: Screenshot from 2018-09-25 16-10-11.png]
[Figure: Screenshot from 2018-09-25 16-11-13.png]
Change the packet length and content
I added the following code:
int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len){
	...
	/* Overwrite part of the payload and force a fixed length. Use an array,
	 * not a char pointer: sizeof(char *) is 8 on 64-bit, not the string
	 * length. Only the part that fits in the forced 0x10 bytes is copied,
	 * and only if the skb actually has room for it. */
	static const char mydata[] = "413x-send-data";
	if (skb->len + skb_tailroom(skb) >= 0x10)
		memcpy(skb->data + 8, mydata, 0x10 - 8);
	/* Note: only skb->len changes; the L2CAP header length field in
	 * skb->data[0..1] and skb->tail are left as they were. */
	skb->len = 0x10;
	l2cap_do_send(chan, skb);
	...
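As an added example (my own code, not part of these notes or the kernel), here is a minimal receiver-side parser for the L2CAP basic header that the captured skb->data begins with: 2-byte little-endian payload length, then 2-byte channel id. It rejects a frame whose declared length disagrees with the bytes actually present, which is exactly the inconsistency the forced skb->len = 0x10 above creates; all names and the sample frames are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define L2CAP_HDR_SIZE      4
#define L2CAP_CID_SIGNALING 0x0001  /* BR/EDR signaling channel */
#define L2CAP_CID_DYN_START 0x0040  /* first dynamically allocated CID */

struct l2cap_frame {
    uint16_t len;           /* payload length as declared in the header */
    uint16_t cid;           /* destination channel identifier */
    const uint8_t *payload; /* points just past the 4-byte basic header */
};

/* Parse the L2CAP basic header (both fields little-endian). Returns 0 on
 * success and -1 if the buffer is shorter than the header or the declared
 * payload length disagrees with the bytes actually present, which is what
 * a receiver sees when skb->len is forced without rewriting the header. */
int l2cap_parse_basic(const uint8_t *data, size_t datalen,
                      struct l2cap_frame *out)
{
    if (data == NULL || out == NULL || datalen < L2CAP_HDR_SIZE)
        return -1;
    out->len = (uint16_t)(data[0] | (data[1] << 8));
    out->cid = (uint16_t)(data[2] | (data[3] << 8));
    out->payload = data + L2CAP_HDR_SIZE;
    if ((size_t)out->len != datalen - L2CAP_HDR_SIZE)
        return -1;
    return 0;
}

/* Classify a CID the way the receiving stack does when picking a handler. */
const char *l2cap_cid_kind(uint16_t cid)
{
    if (cid == L2CAP_CID_SIGNALING)
        return "signaling";
    if (cid >= L2CAP_CID_DYN_START)
        return "dynamic";
    return "fixed";
}

/* Constructed samples (not captured traffic): a consistent frame carrying a
 * 6-byte payload on dynamic CID 0x0040, and a 16-byte frame whose header
 * still says 6, as produced by the forced skb->len = 0x10 above. */
const uint8_t good_frame[] = { 0x06, 0x00, 0x40, 0x00, '4', '1', '3', 'x', '-', 's' };
const uint8_t bad_frame[16] = { 0x06, 0x00, 0x40, 0x00, '4', '1', '3', 'x', '-', 's',
                                'e', 'n', 'd', '-', 'd', 'a' };
```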
Get the Bluetooth snoop log from the Pixel and open it with Wireshark.
[Figure: Screenshot from 2018-09-25 17-50-13.png]