Intro

Flipper Zero is a flexible, portable and popular tool that supports several different technologies:

  • NFC
  • Bluetooth
  • Transceiver
  • RFID

Focusing on Bluetooth, the device uses the dual-core, multi-protocol STM32WB55RG. As researchers or pentesters we sometimes need to change the Bluetooth MAC address, in most cases to impersonate another device. By default, Flipper Zero does not offer this possibility.

How-To

First, we need to be able to build our own Flipper Zero firmware so that we can modify a file: specifically gap.c, located in the ble_glue folder. We must focus on the function gap_advertise_start. This function is called when we activate the Bluetooth service in the Flipper configuration menu.


Figure 1: gap_advertise_start function

Inside this function, aci_gap_set_discoverable is called; with this, our Flipper becomes discoverable. If we wish, we can also set the advertising packet with aci_gap_update_adv_data(size, data). After this, we can modify our Bluetooth MAC address. For this purpose we call the aci_hal_write_config_data function, which writes a specific configuration value to the Bluetooth stack, in this case the new Bluetooth MAC address. This function is useful for setting some low-level system parameters directly at runtime.

/* New public address, given least significant byte first (see the note below) */
uint8_t bdaddnew[] = {0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA};
/* Write it to the public-address slot of the BLE stack's configuration data */
aci_hal_write_config_data(CONFIG_DATA_PUBADDR_OFFSET, CONFIG_DATA_PUBADDR_LEN, bdaddnew);

Note that the Bluetooth specification uses little-endian format, so the bytes of the address are given least significant byte first: the array above corresponds to the address displayed as AA:BB:CC:DD:EE:FF.
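As an added example (not part of the original post or of the Flipper firmware), the helpers below convert between the display form of an address and the LSB-first byte array that aci_hal_write_config_data expects, and validate the input so a typo in the address is caught before anything is written to the stack; the function names bdaddr_from_string and bdaddr_to_string are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BD_ADDR_LEN 6   /* a Bluetooth device address (BD_ADDR) is 6 bytes */

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "AA:BB:CC:DD:EE:FF" (display order, most significant byte first)
 * into the little-endian byte array (least significant byte first) that
 * the HCI/ACI layer expects. Returns false if the text is malformed. */
bool bdaddr_from_string(const char *text, uint8_t out[BD_ADDR_LEN]) {
    if (strlen(text) != 17) return false;
    for (int i = 0; i < BD_ADDR_LEN; i++) {
        const char *p = text + 3 * i;
        int hi = hex_nibble(p[0]), lo = hex_nibble(p[1]);
        if (hi < 0 || lo < 0) return false;
        if (i < BD_ADDR_LEN - 1 && p[2] != ':') return false;
        out[BD_ADDR_LEN - 1 - i] = (uint8_t)((hi << 4) | lo); /* reverse order */
    }
    return true;
}

/* Format a little-endian BD_ADDR back into display order, e.g. for a log
 * line confirming which address was actually written. buf needs 18 bytes. */
void bdaddr_to_string(const uint8_t addr[BD_ADDR_LEN], char buf[18]) {
    snprintf(buf, 18, "%02X:%02X:%02X:%02X:%02X:%02X",
             addr[5], addr[4], addr[3], addr[2], addr[1], addr[0]);
}

int main(void) {
    /* Constructed sample: the array from the post, in the order it is
     * passed to aci_hal_write_config_data. */
    uint8_t bdaddnew[] = {0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA};
    char shown[18];
    bdaddr_to_string(bdaddnew, shown);
    printf("array {FF EE DD CC BB AA} is displayed as %s\n", shown);

    uint8_t parsed[BD_ADDR_LEN];
    if (bdaddr_from_string(shown, parsed) && memcmp(parsed, bdaddnew, BD_ADDR_LEN) == 0)
        printf("round trip OK\n");
    return 0;
}
```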

PoC: