LinuxCommandLibrary

crackle

Crack and decrypt Bluetooth Low Energy (BLE) encryption

TLDR

Check whether the recorded BLE communications contain the packets necessary for recovering temporary keys (TKs)

$ crackle -i [path/to/input.pcap]

Use brute force to recover the TK of the recorded pairing events and use it to decrypt all subsequent communications
$ crackle -i [path/to/input.pcap] -o [path/to/decrypted.pcap]

Use the specified long-term key (LTK) to decrypt the recorded communication
$ crackle -i [path/to/input.pcap] -o [path/to/decrypted.pcap] -l [81b06facd90fe7a6e9bbd9cee59736a7]

SYNOPSIS

crackle [-i <infile>] [-o <outfile>] [-x] [-r] [-k <ltk>] [-K <pairingfile>] [-s <session>] [-S] [-v] [-h]

PARAMETERS

-i, --input <file>
    Input PCAP or PCAPng file with BLE traffic

-o, --output <file>
    Output decrypted PCAP file

-x
    Output decrypted packets to stdout

-r
    Randomize IVs for each packet (for replay attacks)

-k, --ltk <key>
    Specify known LTK in hex (32 bytes)

-K, --pairing <file>
    Pairing file with EDIV/Rand/LTK data

-s, --session <id>
    Target specific session ID

-S, --list-sessions
    List discovered sessions

-v, --verbose
    Enable verbose output

-h, --help
    Show usage help

DESCRIPTION

Crackle is a specialized Linux tool for decrypting Bluetooth Low Energy (BLE) traffic captured in PCAP files. It targets the Link Layer encryption used in BLE, particularly vulnerable Just Works pairing modes where the Temporary Key (TK) is all zeros. By brute-forcing the 128-bit Long Term Key (LTK) derived from the TK and device-specific data, crackle recovers encryption keys to decrypt packets.

It processes PCAPng or PCAP files containing BLE Link Layer packets, identifies encrypted sessions, and attempts key recovery through high-speed AES-CCM decryption trials. Success depends on weak pairings without passkeys or out-of-band security. Output is a decrypted PCAP usable in Wireshark.

Primarily for security research, reverse engineering IoT devices, or penetration testing BLE implementations. Not for production or secure environments. Compiled from C source; supports Intel/AMD optimizations for speed.

CAVEATS

Only effective against Just Works pairings (TK=0); fails on secure methods. High CPU usage; may take hours. Not for encrypted secure connections. Ensure legal use for research only.
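
Whether a capture falls under this caveat is visible in the pairing feature exchange itself, before any key recovery is attempted. The following Python code is an added example (not part of crackle or of this page's source): it parses the SMP Pairing Request and Pairing Response PDUs and reports the negotiated association model, so an assessor can tell whether a device pair used legacy Just Works; the function names and sample PDU bytes are constructed for illustration.

```python
# Added example: classify a BLE pairing from its two SMP feature-exchange PDUs.
# Layout per the Bluetooth Core Spec SMP section: opcode, IO capability, OOB flag,
# AuthReq, max key size, initiator key distribution, responder key distribution.
from dataclasses import dataclass

PAIRING_REQUEST, PAIRING_RESPONSE = 0x01, 0x02
NO_INPUT_NO_OUTPUT = 0x03
KEYBOARD_CAPS = {0x02, 0x04}      # KeyboardOnly, KeyboardDisplay
AUTH_MITM, AUTH_SC = 0x04, 0x08   # AuthReq bit masks

@dataclass
class PairingFeatures:
    io_cap: int
    oob: bool
    mitm: bool
    sc: bool

def parse_pairing_pdu(pdu: bytes, expected_opcode: int) -> PairingFeatures:
    if len(pdu) != 7 or pdu[0] != expected_opcode:
        raise ValueError("not the expected 7-byte SMP pairing PDU")
    if pdu[1] > 0x04:
        raise ValueError("reserved IO capability value")
    auth = pdu[3]
    return PairingFeatures(pdu[1], pdu[2] == 0x01,
                           bool(auth & AUTH_MITM), bool(auth & AUTH_SC))

def association_model(req: bytes, rsp: bytes) -> str:
    i = parse_pairing_pdu(req, PAIRING_REQUEST)
    r = parse_pairing_pdu(rsp, PAIRING_RESPONSE)
    if i.sc and r.sc:                      # both sides support LE Secure Connections
        return "LE Secure Connections"
    if i.oob and r.oob:                    # legacy OOB needs data on both sides
        return "Legacy OOB"
    if not (i.mitm or r.mitm):             # nobody asked for MITM protection
        return "Legacy Just Works"
    if NO_INPUT_NO_OUTPUT in (i.io_cap, r.io_cap):
        return "Legacy Just Works"
    if i.io_cap in KEYBOARD_CAPS or r.io_cap in KEYBOARD_CAPS:
        return "Legacy Passkey Entry"
    return "Legacy Just Works"             # display-only on both sides

def tk_is_all_zero(req: bytes, rsp: bytes) -> bool:
    """True when the pairing is the TK=0 case named in the caveat above."""
    return association_model(req, rsp) == "Legacy Just Works"

# Constructed sample PDUs (request, response), not taken from a real capture.
JUST_WORKS = (bytes.fromhex("01030001100707"), bytes.fromhex("02030001100707"))
PASSKEY = (bytes.fromhex("01040005100707"), bytes.fromhex("02000005100707"))
LESC = (bytes.fromhex("0104000d100707"), bytes.fromhex("0204000d100707"))
```

A result of "Legacy Just Works" for a product under test is a finding in its own right: the remediation is to require LE Secure Connections or an authenticated association model on both devices.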

EXAMPLE USAGE

crackle -i capture.pcap -x -r | wireshark -k -i -
crackle -i input.pcap -o decrypted.pcap -v

BUILD NOTES

Requires libpcap-dev, cmake. git clone && cmake . && make. AVX for speed.

HISTORY

Developed by Mikael A. S. André in 2016. Open-sourced on GitHub (mikaelasselin/crackle). Gained popularity for BLE pentesting after Black Hat/DEF CON demos exposing IoT vulns. Actively maintained with AVX2 optimizations.

SEE ALSO

wireshark(1), tshark(1), btmon(8), hcitool(1)
