Skip to content

bluetooth: add missing HCI events, EIR elements, and SMP packet types#4987

Open
XenoKovah wants to merge 1 commit intosecdev:masterfrom
XenoKovah:missing-bluetooth
Open

bluetooth: add missing HCI events, EIR elements, and SMP packet types#4987
XenoKovah wants to merge 1 commit intosecdev:masterfrom
XenoKovah:missing-bluetooth

Conversation

@XenoKovah
Copy link
Copy Markdown
Contributor

@XenoKovah XenoKovah commented May 4, 2026

I've been using the following definitions on my fork for a long time, because I didn't know how to make unit tests. So @antoniovazquezblanco just upstreamed some of my stuff when he had time. Well I still don't know how to make unit tests, but Claude does if I just point it at pcaps/HCI logs. So this is now a PR of stuff I've confirmed was working long ago, but now it meets the ask for unit tests. Note: the packet definitions themselves aren't AI generated, I made them. But the unit tests are AI generated based on real pcaps/HCI logs I collected in field.

HCI events

  • HCI_Event_Connection_Request (code=0x04)
  • HCI_Event_Remote_Host_Supported_Features_Notification (code=0x3d)
  • HCI_Event_Vendor (vendor-specific debug) (code=0xff)
  • HCI_LE_Meta_LE_Read_Remote_Features_Complete (LE Meta event=0x04)

EIR/AD elements

  • EIR_RandomTargetAddress (type=0x18)
  • EIR_LERole (type=0x1c)
  • EIR_BroadcastName (type=0x30)
  • EIR_3DInformation (type=0x3d)

SMP

  • SM_Keypress_Notification (sm_command=0x0e)

Each packet has an entry in test/scapy/layers/bluetooth.uts with a sample drawn from a real HCI snoop log (BR/EDR Connection Request, Remote Host Supported Features Notification, LE Read Remote Features Complete, vendor-specific debug event, EIR 3D Information, EIR Broadcast Name) and synthetic round-trip build/parse tests for the remainder (which are rare and weren't present in any of the pcap/HCI logs.)

Checklist :

  • If you are new to Scapy: I have checked CONTRIBUTING.md (esp. section submitting-pull-requests)
  • I squashed commits belonging together
  • I added unit tests or explained why they are not relevant
  • I executed the regression tests (using tox)
  • This PR uses (partially) AI-generated code. If so:
    • I ensured the generated code follows the internal concepts of scapy (No, since I still haven't learned how your unit tests work.)
    • This PR has a test coverage > 90% (No, because I don't know how to do that)
    • I reviewed every generated line (No, since I still haven't learned how your unit tests work.)
    • If this PR contains more than 500 lines of code (excluding unit tests) I considered splitting this PR. (No, since I just want to push my forked stuff upstream.)
    • I considered interoperability tests with existing packages or utilities to ensure conformity of a newly generated protocol. (N/A AFAIK.)

I understand that failing to mention the use of AI may result in a ban. (We do not forbid it, but you must play fair. Be warned !)

Adds missing Bluetooth definitions from the spec.

@XenoKovah
bluetooth: add missing HCI events, EIR elements, and SMP packet types
90c9119 
New packet definitions covering frequently-seen Bluetooth Core 5.4 events
and Generic Access Profile data types that scapy did not yet decode:

  HCI events
  - HCI_Event_Connection_Request                        (code=0x04)
  - HCI_Event_Remote_Host_Supported_Features_Notification (code=0x3d)
  - HCI_Event_Vendor (vendor-specific debug)            (code=0xff)
  - HCI_LE_Meta_LE_Read_Remote_Features_Complete        (LE Meta event=0x04)

  EIR/AD elements
  - EIR_RandomTargetAddress                             (type=0x18)
  - EIR_LERole                                          (type=0x1c)
  - EIR_BroadcastName                                   (type=0x30)
  - EIR_3DInformation                                   (type=0x3d)

  SMP
  - SM_Keypress_Notification                            (sm_command=0x0e)

Each packet has an entry in test/scapy/layers/bluetooth.uts with a
sample drawn from a real HCI snoop log (BR/EDR Connection Request,
Remote Host Supported Features Notification, LE Read Remote Features
Complete, vendor-specific debug event, EIR 3D Information, EIR
Broadcast Name) and synthetic round-trip build/parse tests for the
remainder.
@codecov
Copy link
Copy Markdown

codecov Bot commented May 4, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.29%. Comparing base (8c5a9a8) to head (90c9119).

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #4987   +/-   ##
=======================================
  Coverage   80.28%   80.29%           
=======================================
  Files         383      383           
  Lines       94703    94739   +36     
=======================================
+ Hits        76031    76068   +37     
+ Misses      18672    18671    -1
Files with missing lines Coverage Δ
scapy/layers/bluetooth.py 90.59% <100.00%> (+0.29%) ⬆️

... and 7 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

antoniovazquezblanco
antoniovazquezblanco reviewed May 4, 2026
View reviewed changes
Comment thread scapy/layers/bluetooth.py
name = "HCI_Remote_Host_Supported_Features_Notification"
fields_desc = [
LEMACField('bd_addr', None),
FlagsField('host_supported_features', 0, -64, _bluetooth_features)
Copy link
Copy Markdown
Contributor

@antoniovazquezblanco antoniovazquezblanco May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, @XenoKovah can you confirm that _bluetooth_features produces the adecuate flags for this field?

Copy link
Copy Markdown
Contributor Author

@XenoKovah XenoKovah May 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, looks like no they aren't correct. Despite its name I guess HCI_Remote_Host_Supported_Features_Notification only returns LMP extended features, not the baseline. But the tricky bit is they therefore could be interpreted as either page 1 or page 2 of LMP extended features (neither of which exist as definitions in scapy currently.) And even more annoying it seems like there's no way to know which interpretation is correct without keeping track statefully of what was asked for. I defer to you for the best way to say "this field could point at one of 2 possible structs"?

Copy link
Copy Markdown
Contributor

@polybassa polybassa May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not aware of the protocol, so I'm just throwing in ideas.

If you need to change the field type, you could to it in the answers function if this packet is a response to a request packet which was sent immediately before this packet.

Otherwise you could use sniff sessions to track states across streams.

Copy link
Copy Markdown
Contributor

@antoniovazquezblanco antoniovazquezblanco May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another option is to use a generic int based type and do not parse the flags... Ideally the options from @polybassa are best :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@polybassa polybassa polybassa left review comments

+1 more reviewer

@antoniovazquezblanco antoniovazquezblanco antoniovazquezblanco left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@XenoKovah @antoniovazquezblanco @polybassa