Skip to content

Harden l2flood, document field test findings, add hcitool fallback#1

Open
suteny0r wants to merge 5 commits into
Ymsniper:mainfrom
suteny0r:main
Open

Harden l2flood, document field test findings, add hcitool fallback#1
suteny0r wants to merge 5 commits into
Ymsniper:mainfrom
suteny0r:main

Conversation

@suteny0r

@suteny0r suteny0r commented Jul 5, 2026

Copy link
Copy Markdown

Summary

  • l2flood robustness: Rewrote argument parsing (manual argv scan replacing getopt to fix GNU permutation issues), added BD_ADDR validation, usage text, and -h flag. Renamed stat() signal handler to avoid POSIX collision.
  • i686 PIE fix: Added -no-pie -fno-pie to Makefile CFLAGS to fix stack corruption on 32-bit Kali where PIE executables cause argc to receive garbage values.
  • Field test documentation: Tested l2flood against a K07 Bluetooth speaker. Documented that the actual disruption mechanism is ACL link preemption (not CPU overload as upstream README claims). l2flood blocks reconnection but cannot break existing connections. EMP mode causes persistent state requiring power cycle to recover.
  • hcitool scan fallback: bbf no longer hard-exits when ubertooth-rx is missing. Falls back to hcitool scan for discoverable devices.
  • README update: Added a section explaining that discoverable devices (most consumer BT gear) give full BD_ADDRs via standard scan, making UAP brute-forcing unnecessary.

Test plan

  • Build l2flood on i686 and x86_64, verify no segfault with no arguments
  • Run l2flood -h and verify usage output
  • Run l2flood with invalid BD_ADDR, verify error message
  • Run bbf with no arguments and no ubertooth-rx installed, verify hcitool scan fallback
  • Run bbf AA:BB:CC to confirm ubertooth-rx is not invoked when LAP is provided

Generated with Claude Code

suteny0r and others added 5 commits July 5, 2026 16:27
- Replace getopt with manual arg parsing to avoid GNU getopt permutation issues
- Add BD_ADDR format validation (rejects malformed addresses instead of segfaulting)
- Add bounds checking on all numeric options (-s, -t, -d, -n)
- Detect and report extra positional arguments with hint to use -i
- Add complete usage text with option descriptions and examples
- Add -h flag for help
- Rename stat() to sigint_handler() to avoid POSIX name collision
- Build with -no-pie to work around i686 PIE stack corruption bug in glibc

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Tested l2flood against K07 Bluetooth speaker. Key finding: the actual
disruption mechanism is ACL link preemption, not CPU overload as the
upstream README claims. l2flood blocks reconnection but cannot break
existing connections. EMP mode (-R) causes persistent state corruption
requiring a full power cycle to recover from.

Also documents the i686 PIE stack corruption bug and its fix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Most consumer Bluetooth devices are discoverable. A standard inquiry
scan (bluetoothctl/hcitool) returns the full BD_ADDR directly, making
UAP brute-forcing unnecessary. Added a section to the README explaining
this and when BBF + Ubertooth is actually needed.

Also added hcitool scan fallback in cli.py so bbf no longer hard-exits
when ubertooth-rx is missing -- it offers to scan for discoverable
devices instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
EMP mode previously spun silently when connect() failed (e.g., target
already connected to another device). Now prints the error on first
failure and on every new error type, throttled to every 50th attempt
for repeated errors. Reports attempt count on successful reconnect.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phone reconnected to K07 after stopping l2flood -R without resetting
either device.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Ymsniper

Ymsniper commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Thanks for all the work on this! The improvements look solid .
I'm noticing the diff is showing every line as changed, which is making it hard
to review the actual code logic. I think this is due to line ending differences
(CRLF vs LF), not a big deal, but it makes the review harder for me,
If you could please fix that so I could give it a proper review. Thanks!

@Ymsniper Ymsniper added the enhancement New feature or request label Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants