Issue registering HID Profile - Bluetooth BR/EDR

[xG3nesis]

Hi everyone!
I hope you're all doing great.

I'm new here and want to start by thanking you for creating this fantastic crate! 😊
I'm currently working on rewriting the Bluetooth PoC "hi_my_name_is_keyboard" in Rust.

In this PoC, Marc Newlin registers an HID profile and records the available services.

def register_hid_profile(iface, addr):
  dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
  bus = dbus.SystemBus()
  get_obj = lambda path, iface: dbus.Interface(bus.get_object("org.bluez", path), iface)
  addr_str = addr.replace(":", "_")
  path = "/org/bluez/%s/dev_%s" % (iface, addr_str)
  manager = get_obj("/org/bluez", "org.bluez.ProfileManager1")
  profile_path = "/test/profile"
  profile = Profile(bus, profile_path)
  hid_uuid = "00001124-0000-1000-8000-00805F9B34FB"
  with open("keyboard.xml", "r") as f:
    opts = { "ServiceRecord": f.read() }
  log.debug("calling RegisterProfile")
  manager.RegisterProfile(profile, hid_uuid, opts)
  loop = GLib.MainLoop()
  try:
    log.debug("running dbus loop")
    loop.run()
  except KeyboardInterrupt:
    log.debug("calling UnregisterProfile")
    manager.UnregisterProfile(profile)

When I'm attempting to do the same in Rust, i have an error which says : Error { Kind: NotPermitted, message: "UUID already registered" }. I don't see how is that possible because i haven't registered any UUID and by default i don't have it listed in my bluetooth services.

Here is a snippet of my code :

#[tokio::main(flavor = "current_thread")]
async fn main() -> bluer::Result<()> {
    let cli = Cli::parse();

    let session = Session::new().await?;
    let adapter = session.default_adapter().await?;
    adapter.set_powered(true).await?;
    adapter.set_pairable(false).await?;
    
    let agent = Agent {
        request_default: true,
        request_pin_code: None,
        display_pin_code: None,
        request_passkey: None,
        display_passkey: None,
        request_confirmation: None,
        request_authorization: None,
        authorize_service: None,
        ..Default::default()
    };

    let _handle_agent = session.register_agent(agent).await?;

    let uuid: Uuid = Uuid::parse_str("00001124-0000-1000-8000-00805F9B34FB").unwrap();

    let profile = Profile {
        uuid,
        name: Some("hid client".to_string()),
        role: Some(Role::Client),
        require_authentication: Some(false),
        require_authorization: Some(false),
        ..Default::default()
    };

    let mut hndl = session.register_profile(profile).await?;

    println!("Profile registered!");
   
[...]
}

Thank you in advance for your help.
Have a great day !

[surban]

Could you set the ServiceRecord to the same value you use in Python?

Also note that some options like role that seem minor can have a major effect and make bluetoothd reject a registration. Verify that you use the same values in both implementations.

You can also set RUST_LOG=bluer=debug to see all D-Bus messages.

[Vudentz]

That is because Classic HID UUID is registered by input plugin:

https://github.com/bluez/bluez/blob/master/profiles/input/manager.c#L45

So you will need to disable input plugin if you want to claim that UUID.

Anyway, Classic HID profile can be considered deprecated since the introduction of HID over GATT, so I strongly recommend registering that instead.

[xG3nesis]

Thank you for your prompt response, @surban and @Vudentz!

You're absolutely right, @surban—I forgot to include the recording of the custom services in the XML file.

@Vudentz, I noticed that changing just a single byte in the UUID resolves the error. Could you advise on the proper way to deactivate the plugin as you mentioned? Would creating a new agent with empty services help avoid the collision? What would you recommend, @surban and @Vudentz? I would like to have a single service which would be the HID profile.

Also, @Vudentz, I’m not sure if you’ve seen my earlier note: I’m working on rewriting a proof of concept (PoC) to exploit a vulnerability specific to Bluetooth BR/EDR technology.

Final question for you @surban, is there a way to customize the class of my adapter/session thanks to our blueR crate ?

[surban]

Could you advise on the proper way to deactivate the plugin as you mentioned? Would creating a new agent with empty services help avoid the collision? What would you recommend, @surban and @Vudentz?

I am not aware of any method to deactivate a bluetoothd plugin via the D-Bus API.

Final question for you @surban, is there a way to customize the class of my adapter/session thanks to our blueR crate ?

You can broadcast a custom advertisement. However, I am not sure how this effects Bluetooth BR/EDR. Most parameters in /etc/bluetooth/main.conf are not changeable by the D-Bus API since they are considered to be system configuration. So the only way to modify them is to change the configuration file and reload bluetoothd.

[xG3nesis]

Thank you for your support guys ! 👍
I've successfully implemented the PoC, and you can find more details about it in this repository: Rusty Injector GitHub.

I plan to refine it further in a future iteration to make it even more aligned with Rust's principles.