#!/usr/bin/env python2

# Jiska Classen

# Get receive statistics on a Raspberry Pi 3 for BLE connection events

from pwn import *
from internalblue.hcicore import HCICore

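internalblue = HCICore()
# Enumerate attached HCI adapters; the script indexes each entry as
# device_list[i][1] for the interface name (see the assignment below).
device_list = internalblue.device_list()
if not device_list:
    log.warn("No HCI devices connected!")
    # exit() is injected by the site module; raising SystemExit gives the
    # same exit status without depending on that (e.g. under python -S).
    raise SystemExit(-1)
internalblue.interface = device_list[0][1]  # just use the first device

# Firmware addresses used by the hook installed below. Per the header comment
# the target is a Raspberry Pi 3, and these offsets presumably belong to that
# controller's firmware build -- confirm against the firmware image before
# writing anything to the chip.
RX_DONE_HOOK_ADDRESS = 0x35fbc  # _connTaskRxDone
HOOKS_LOCATION = 0x210500       # where the hook code itself is placed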
ASM_HOOKS = """

    // restore first 4 bytes of _connTaskRxDone
    push  {r4-r6,lr}
    mov   r4, r0

    // fix registers for our own routine
    push  {r1-r7, lr}
    mov   r7, r0

    // allocate vendor specific hci event
    mov  r2, 243
    mov  r1, 0xff
Example #2
    add  r0, 2  // buffer starts at 2 with data (?)
    ldr  r1, =0x444e4152 // RAND
    str  r1, [r0]
    add  r0, 4   // advance buffer by 4

    // send hci event
    mov  r0, r4  // back to buffer at offset 0

    pop   {r0-r4, lr}
    b     0x268E     // send_hci_event_without_free()
    
    
""" % (MEM_ROUNDS, MEM_RNG)

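internalblue = HCICore()
device_list = internalblue.device_list()
if not device_list:
    # The original indexed device_list()[0][1] unconditionally, which raises
    # IndexError when no adapter is attached; fail with a clear message instead
    # (same check as the other InternalBlue scripts on this page).
    internalblue.logger.critical("No HCI devices connected!")
    # exit() comes from the site module; SystemExit is the same outcome without
    # that dependency.
    raise SystemExit(-1)
internalblue.interface = device_list[0][1]  # just use the first device

# setup sockets
if not internalblue.connect():
    internalblue.logger.critical("No connection to target device.")
    raise SystemExit(-1)

internalblue.logger.info("installing assembly patches...")

# Install the RNG code in RAM.
# ASM_SNIPPET_RNG and ASM_LOCATION_RNG are defined earlier in the script (not
# shown here). The snippet is assembled for its load address (vma), so the
# assembled bytes are only valid when written to exactly ASM_LOCATION_RNG.
code = asm(ASM_SNIPPET_RNG, vma=ASM_LOCATION_RNG)
if not internalblue.writeMem(
        address=ASM_LOCATION_RNG, data=code, progress_log=None):
    internalblue.logger.critical("error!")
    raise SystemExit(-1)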
Example #3
# bias.py
"""
Use it with internalblue

"""
#!/usr/bin/python2

from pwn import *
from internalblue.hcicore import HCICore

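internalblue = HCICore()
device_list = internalblue.device_list()
if not device_list:
    # The original indexed device_list()[0][1] unconditionally, which raises
    # IndexError when no adapter is attached; fail with a clear message instead.
    log.critical("No HCI devices connected!")
    # exit() comes from the site module; SystemExit is the same outcome without
    # that dependency.
    raise SystemExit(-1)
internalblue.interface = device_list[0][1]  # just use the first device

# setup sockets
if not internalblue.connect():
    log.critical("No connection to target device.")
    raise SystemExit(-1)

log.info("BEGIN patchrom.")

# patch1: make sure we always switch to master role
# ARM assembly source ('@' starts an assembler comment). The final instruction
# branches to the absolute firmware address 0x2e7ad, so this snippet is only
# meaningful for the firmware build these addresses were taken from.
code1 = b"""
        @Part 1: Make sure we always switch roles
        mov r6, #0x0
        sub sp, #0x18
        add r0, #0xc
        b 0x2e7ad
        """
addrcode1 = 0x2006d0        # load address of the patch in SRAM
# 0x2006d1: addrcode1 with bit 0 set -- presumably the Thumb-mode branch target
# for the patch; confirm against how the later code uses it.
taddrcode1 = addrcode1 + 1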
# write code1 into addrcode1 (SRAM)