某租房App蓝牙门锁一键解锁实战分析<\/h1>

测试环境准备<\/h2>

设备<\/strong>: Pixel 3<\/li>
Android版本<\/strong>: 12<\/li>

Root工具<\/strong>: Magisk Delta 26.4-kitsune (26400)<\/li> <\/ul>
分析流程<\/h2>
一、获取安装包<\/h3>
首先需要提取目标App的安装包(APK文件)，可以通过以下方式获取：<\/p>

使用ADB命令从已安装设备提取<\/li>
从应用商店下载<\/li>
使用第三方APK提取工具<\/li> <\/ul>
二、反编译APK获取DEX<\/h3>
使用在线反编译网站或本地工具将APK转换为可分析的DEX\/JAR文件：<\/p>

jadx-gui<\/li>
Apktool<\/li>
dex2jar等工具<\/li> <\/ul>
三、使用jadx-gui分析源码<\/h3>

定位应用入口<\/strong>：<\/p>

确定App主包位置：com.xxxx.xxxxxxxxxxxx.application.MyApplication<\/code><\/li> <\/ul> <\/li>
搜索关键字符串<\/strong>：<\/p> 全局搜索"开锁成功"字符串<\/li> 通过提示词定位到蓝牙开锁相关代码区域<\/li> <\/ul> <\/li> 分析蓝牙模块<\/strong>：<\/p> 右键查看onScanSuccess<\/code>的查找用例<\/li> 选择可分析的代码路径(第二个用例)<\/li> 对unLockResultSuccess<\/code>函数使用Frida进行hook验证<\/li> <\/ul> <\/li> 深入分析解锁流程<\/strong>：<\/p> 查看unLockResultSuccess<\/code>接口实现<\/li> 定位到75行左右的函数调用处<\/li> 分析调用蓝牙解锁的核心代码<\/li> <\/ul> <\/li> <\/ol> 四、获取蓝牙密钥<\/h3> 定位AES解密代码<\/strong>：<\/p> 找到AESUtil.Decrypt<\/code>函数<\/li> 使用Frida hook该函数并打印参数<\/li> <\/ul> <\/li> 获取密钥<\/strong>：<\/p> 从hook结果中提取str2<\/code>参数(蓝牙密钥)<\/li> <\/ul> <\/li> <\/ol> 五、分析蓝牙通信流程<\/h3> 数据发送分析<\/strong>：<\/p> 定位AESUtil.Encrypt()<\/code>函数<\/li> 使用Frida hook加密函数<\/li> 分析hook结果发现App发送两次数据<\/li> <\/ul> <\/li> 通信流程解析<\/strong>：<\/p> App发送: 初始字符串"A" → AES加密 → 发送给门锁门锁返回: 加密数据"B" App处理: 解密"B" → 截取第7-14位(8位) → 构造新字符串 → AES加密 → 发送给门锁 → 开锁成功 <\/code><\/pre> <\/li> 数据格式细节<\/strong>：<\/p> 初始字符串: "01010100000000000000000000000000"<\/code><\/li> 返回数据处理: 截取解密后字符串的第7-14位(共8位)<\/li> 第二次发送数据格式: 02010501[8位数据]0000000000000000<\/code><\/li> <\/ul> <\/li> <\/ol> 六、蓝牙调试验证<\/h3> 使用蓝牙调试助手<\/strong>：<\/p> 发送第一个固定加密数据<\/li> 验证是否能收到门锁返回数据<\/li> <\/ul> <\/li> 验证结果<\/strong>：<\/p> 成功接收门锁返回数据，证明分析方向正确<\/li> <\/ul> <\/li> <\/ol> 七、实现自动化解锁<\/h3> 选择开发工具<\/strong>：<\/p> 使用AutoJS(需修改其AndroidManifest.xml添加蓝牙权限)<\/li> GitHub地址: https:\/\/github.com\/SuperMonster003\/AutoJs6<\/li> <\/ul> <\/li> 修改AutoJS权限<\/strong>：<\/p> <\/span> <\/span><\/span><uses-permission<\/span> android:name=<\/span>"android.permission.BLUETOOTH"<\/span>\/><\/span> <\/span><\/span><uses-permission<\/span> android:name=<\/span>"android.permission.BLUETOOTH_ADMIN"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre><\/li> 编写解锁脚本<\/strong>：<\/p> <\/li> <\/ol> \/\/ 1. 获取蓝牙适配器 <\/span><\/span><\/span><\/span>let<\/span> bluetoothAdapter<\/span> =<\/span> android<\/span>.bluetooth<\/span>.BluetoothAdapter<\/span>.getDefaultAdapter<\/span>(); <\/span><\/span> <\/span><\/span>\/\/ 2. 定义GATT回调 <\/span><\/span><\/span><\/span>let<\/span> gattCallback<\/span> =<\/span> new<\/span> android<\/span>.bluetooth<\/span>.BluetoothGattCallback<\/span>({ <\/span><\/span> onCharacteristicChanged<\/span>:<\/span> function<\/span>(gatt<\/span>, characteristic<\/span>) { <\/span><\/span> \/\/ 接收到特征数据变化时调用的回调 <\/span><\/span><\/span><\/span> let<\/span> receivedData<\/span> =<\/span> characteristic<\/span>.getValue<\/span>(); <\/span><\/span> \/\/ 处理接收到的数据... <\/span><\/span><\/span><\/span> } <\/span><\/span>}); <\/span><\/span> <\/span><\/span>\/\/ 3. 辅助函数 <\/span><\/span><\/span><\/span>function<\/span> createJavaByteArray<\/span>(hexString<\/span>) { <\/span><\/span> \/\/ 将十六进制字符串转换为Java字节数组 <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>function<\/span> bytesToHexString<\/span>(bytes<\/span>) { <\/span><\/span> \/\/ 将字节数组转换为十六进制字符串 <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>function<\/span> writeCharacteristic<\/span>(device<\/span>, serviceUuid<\/span>, charUuid<\/span>, data<\/span>) { <\/span><\/span> \/\/ 向设备的特征写入数据 <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 4. 实现解锁流程 <\/span><\/span><\/span><\/span>function<\/span> unlockProcess<\/span>() { <\/span><\/span> \/\/ 连接蓝牙设备 <\/span><\/span><\/span><\/span> \/\/ 发送第一个加密数据 <\/span><\/span><\/span><\/span> \/\/ 接收并处理返回数据 <\/span><\/span><\/span><\/span> \/\/ 构造并发送第二个加密数据 <\/span><\/span><\/span><\/span> \/\/ 完成解锁 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre> 脚本部署<\/strong>：在AutoJS中创建快捷方式<\/li> 点击即可执行蓝牙解锁<\/li> <\/ul> <\/li> <\/ol> 技术要点总结<\/h2> 关键发现<\/strong>：<\/p> 成功提取蓝牙门锁的AES密钥<\/li> 解析出蓝牙通信的双向数据流程<\/li> 确定了数据加密前后的格式转换规则<\/li> <\/ul> <\/li> 安全漏洞<\/strong>：<\/p> 使用固定密钥，缺乏动态更新机制<\/li> 通信流程可被逆向重现<\/li> 无有效的防重放攻击措施<\/li> <\/ul> <\/li> 防御建议<\/strong>：<\/p> 实现动态密钥交换机制<\/li> 增加时间戳或随机数防重放<\/li> 加强通信数据加密强度<\/li> 加入设备身份双向认证<\/li> <\/ul> <\/li> <\/ol> 免责声明<\/h2> 本技术分析仅用于安全研究目的，请勿用于非法用途。任何不当使用造成的后果由使用者自行承担。实际测试应在合法授权范围内进行。<\/p>