crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be collected.
With the STK and LTK, all communications between the master and the slave can be decrypted.
crackle has two major modes of operation: Crack TK and Decrypt with LTK.
This is the default mode used when providing crackle with an input file using -i.
In Crack TK mode, crackle brute forces the TK used during a BLE pairing event. crackle exploits the fact that the TK in Just Works(tm) and 6-digit PIN is a value in the range [0,999999] padded to 128 bits.
crackle employs several methods to perform this brute force: a very fast method if all pairing packets are present in the input file, and a slow method if a minimum set of packets is present.
$ crackle -i input.pcap -o decrypted.pcap
Decrypt with LTK
In Decrypt with LTK mode, crackle uses a user-supplied LTK to decrypt communications between a master and slave. This mode is identical to the decryption portion of Crack TK mode.