CLI 'adv' enables enhanced adv report that includes the channel

Jiska Classen
2020-04-16 00:44:57 +02:00
parent 797455701b
commit be09a97d79
10 changed files with 105 additions and 12 deletions
+2 -1
@@ -30,4 +30,5 @@ On selected Broadcom Bluetooth chips:
* NiNo example
* MAC address filter example
* KNOB attack test for various devices, including Raspberry Pi 3+/4
* BLE reception statistics
* BLE reception statistics for active connections
* Enhanced BLE advertisement reports (channel, scan mode, antenna)
+19 -1
@@ -5,7 +5,7 @@
# All available CLI commands are defined in this file by
# creating subclasses of the Cmd class.
#
# Copyright (c) 2018 Dennis Mantz. (MIT License)
# Copyright (c) 2020 The InternalBlue Team. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
@@ -2100,3 +2100,21 @@ class CmdLaunch(Cmd):
self.internalblue.launchRam(args.address)
return True
class CmdEhancedAdv(Cmd):
keywords = ["adv"]
description = "Enables enhanced advertisement reports in the first half of the `Event Type` field."
parser = argparse.ArgumentParser(
prog=keywords[0],
description=description,
epilog="Aliases: " + ", ".join(keywords),
)
def work(self):
args = self.getArgs()
if not args:
return False
self.internalblue.enableEnhancedAdvReport()
return True
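Review bot: `work` in CmdEhancedAdv returns True unconditionally and discards the bool that enableEnhancedAdvReport() is documented to return, so the `adv` command reports success even on a firmware where the helper logged "FEATURE NOT SUPPORTED" and returned False; `return self.internalblue.enableEnhancedAdvReport()` would propagate the outcome (note the helper's own success path in this commit currently falls off the end without a `return True`, so both need fixing for this to be meaningful). The class name is missing an "n" (`CmdEhancedAdv` → `CmdEnhancedAdv`); as far as this hunk shows it is only picked up via Cmd subclassing, so the rename looks safe, but other references should be checked before renaming.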
+47 -1
@@ -7,7 +7,7 @@
# It also implements methods to setup the TCP connection to the
# Android Bluetooth stack via ADB port forwarding
#
# Copyright (c) 2018 Dennis Mantz. (MIT License)
# Copyright (c) 2020 The InternalBlue Team. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
@@ -2096,8 +2096,54 @@ class InternalBlue(with_metaclass(ABCMeta, object)):
else:
log.warn("Diagnostic protocol requires modified Android driver!")
def enableEnhancedAdvReport(self):
# type: () -> bool
"""
Broadcom and Cypress chips can extend the "Event Type" field in LE Advertising
Reports with information on the channel, antenna, and scan mode.
Parsing this enhanced advertisement report is "documented" in the PacketDecoder
binary of Apple's PacketLogger, which is part of the Additional Tools for XCode.
The function parsing these is called `leAdvertisingEventTypeString` (XCode 11.4).
Usually, the Event Type field is set to 0x00-0x04, meaning ADV_IND..SCAN_RSP.
Additional fields:
channel = (event_type >> 4) & 7
antenna = event_type & 0x80
scan_mode = (event_type >> 3) & 3
The channel is a value 0--2, which corresponds to 37--39.
The antenna is 0 for BT and 1 for WLAN.
No idea about the scan mode ;)
The Broadcom and Cypress firmware sets these additional fields when the firmware
flag `bEnhancedAdvReport` is set. We do not know how to set it via VSC HCI and if that
is possible, so we set it by directly writing to RAM.
TODO: Also implement for the MacBook 2016, it's at 0x2037D0, but we don't know
the current LMP version, as it changes with each macOS patch level.
Won't Fix:
* The Nexus 5 BLE implementation is too old, `lculp_HandleScanReport` (0x184D0) and
`_scanTaskRxHeaderDone` (0x16E74) do not reference this flag yet.
* Also seems to be missing in the Nexus 6P/Samsung Galaxy S6 but didn't check as careful.
Returns true if the feature is supported and could be enabled.
"""
# Check if constants are defined in fw.py
if "ENHANCED_ADV_REPORT_ADDRESS" not in dir(self.fw):
log.warn(
"enableEnhancedAdvReport: 'ENHANCED_ADV_REPORT_ADDRESS' not in fw.py. FEATURE NOT SUPPORTED!"
)
return False
self.writeMem(self.fw.ENHANCED_ADV_REPORT_ADDRESS, b'\x01\x00\x00\x00')
def _setupSockets(self):
raise NotImplementedError()
def _teardownSockets(self):
raise NotImplementedError()
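Review bot: enableEnhancedAdvReport carries `# type: () -> bool` and its docstring promises True when the feature could be enabled, but after the `self.writeMem(...)` line the function falls off the end and returns None, so a caller testing the result cannot tell "enabled" from a failure; add `return True` after the write (or return writeMem's own result, if it reports one — that is not visible in this hunk). The write is a fixed 4-byte little-endian 1, yet two of the addresses this commit adds (0x20D176 in BCM4375B1, 0x2829AE in CYW20739B1) are only halfword-aligned, which hints that the `bEnhancedAdvReport` flag may be narrower than a word on some firmware; if so, the write also overwrites whatever follows the flag, so the width should be confirmed per firmware (for example a size constant next to the address) before the feature is relied on. The `"ENHANCED_ADV_REPORT_ADDRESS" not in dir(self.fw)` guard works only because FirmwareDefinition declares the field as a bare annotation with no value; `if not hasattr(self.fw, "ENHANCED_ADV_REPORT_ADDRESS"):` states the same intent more directly.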
+2
@@ -98,6 +98,8 @@ class FirmwareDefinition:
TRACEPOINT_BODY_ASM_LOCATION: Address
TRACEPOINT_HOOK_ASM = None
ENHANCED_ADV_REPORT_ADDRESS: Address
class Firmware(object):
firmware: FirmwareDefinition
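Review bot: The new `ENHANCED_ADV_REPORT_ADDRESS: Address` line is deliberately an annotation without a value — core's enableEnhancedAdvReport() treats the attribute's absence as "feature unsupported" — but nothing in this file says so, and the neighbouring `TRACEPOINT_HOOK_ASM = None` shows the file's other convention; a maintainer adding `= None` for symmetry would make the support check pass and hand None to writeMem. A comment above the field would prevent that: `# Intentionally annotation-only: left unset on firmware without the bEnhancedAdvReport flag; core checks for the attribute's presence, so do not add a None default.`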
+10 -3
@@ -1,8 +1,10 @@
# fw_0x420e.py
#!/usr/bin/env python
# fw_0x1111.py
#
# Generic firmware file in case we do not know something...
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
# Copyright (c) 2020 The InternalBlue Team. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
@@ -22,11 +24,12 @@
from __future__ import absolute_import
from .fw import MemorySection, FirmwareDefinition
from .. import Address
class BCM4375B1(FirmwareDefinition):
# Firmware Infos
# Samsung S10/S10e/S10+
# Samsung S10/S10e/S10+/S20
FW_NAME = "BCM4375B1"
@@ -54,6 +57,10 @@ class BCM4375B1(FirmwareDefinition):
BLOC_HEAD = 0x20075C
BLOC_NG = True
# Enable enhanced advertisement reports (bEnhancedAdvReport)
# tested but by default the S10 only uses the LE Extended format, which is different...
ENHANCED_ADV_REPORT_ADDRESS = Address(0x20D176)
# Assembler snippet for tracepoints
# In contrast to the Nexus 5 patch, we uninstall ourselves automatically and use internal debug functions
# TODO S10e does no longer have a patch uninstall function... writemem works to remove patches, but copying
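Review bot: The comment on ENHANCED_ADV_REPORT_ADDRESS in BCM4375B1, `tested but by default the S10 only uses the LE Extended format, which is different...`, leaves the next reader unsure whether the flag was verified to take effect or verified to have no visible effect. If the latter is what was observed, something like `# Flag confirmed writable in RAM, but the S10 reports advertisements as LE Extended Advertising Reports by default, which do not carry this enhanced Event Type encoding` — adjusted to the actual observation — would make the status unambiguous.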
+6 -2
@@ -1,13 +1,13 @@
#!/usr/bin/env python
# fw_0x6119.py
# fw_0x2209.py
#
# All firmware specific data such as address offsets are collected
# in the fw.py file. Later versions of the framework will provide
# multiple copies of this file in order to target different firmware
# and chip versions.
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
# Copyright (c) 2020 The InternalBlue Team. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
@@ -27,6 +27,7 @@
from __future__ import absolute_import
from .fw import MemorySection, FirmwareDefinition
from .. import Address
class BCM43430A1(FirmwareDefinition):
@@ -73,6 +74,9 @@ class BCM43430A1(FirmwareDefinition):
BLOC_HEAD = 0x200588 # g_dynamic_memory_GeneralUsePools
BLOC_NG = True # Next Generation Bloc Buffer
# Enable enhanced advertisement reports (bEnhancedAdvReport) - TODO untested
ENHANCED_ADV_REPORT_ADDRESS = Address(0x202980)
# Snippet for sendLcpPacket()
SENDLCP_CODE_BASE_ADDRESS = 0x21A000
SENDLCP_ASM_CODE = """
+6 -1
@@ -2,7 +2,7 @@
#
# Generic firmware file in case we do not know something...
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
# Copyright (c) 2020 The InternalBlue Team. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
@@ -22,6 +22,7 @@
from __future__ import absolute_import
from .fw import MemorySection, FirmwareDefinition
from .. import Address
class CYW20819A1(FirmwareDefinition):
@@ -69,3 +70,7 @@ class CYW20819A1(FirmwareDefinition):
LAUNCH_RAM = 0xF2884
HCI_EVENT_COMPLETE = 0x1179E
# Enable enhanced advertisement reports (bEnhancedAdvReport)
ENHANCED_ADV_REPORT_ADDRESS = Address(0x20294C)
+4 -1
@@ -2,7 +2,7 @@
#
# Generic firmware file in case we do not know something...
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
# Copyright (c) 2020 The InternalBlue Team. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
@@ -102,6 +102,9 @@ class CYW20735B1(FirmwareDefinition):
CONNECTION_MAX = 11 # g_bt_max_connections = 0 in firmware
CONNECTION_STRUCT_LENGTH = 0x168 # ??
# Enable enhanced advertisement reports (bEnhancedAdvReport)
ENHANCED_ADV_REPORT_ADDRESS = Address(0x2829AC)
# Snippet for fuzzLmp()
FUZZLMP_HOOK_ADDRESS = 0xB08D8 # execute standard SendLmpPdu HCI to fill parameters
FUZZLMP_CODE_BASE_ADDRESS = 0x271A00 # memory area of other WICED patches
+4 -1
@@ -2,7 +2,7 @@
#
# Generic firmware file in case we do not know something...
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
# Copyright (c) 2020 The InternalBlue Team. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
@@ -80,6 +80,9 @@ class CYW20739B1(FirmwareDefinition):
LAUNCH_RAM = 0x1AB218
HCI_EVENT_COMPLETE = 0x1A9D6
# Enable enhanced advertisement reports (bEnhancedAdvReport)
ENHANCED_ADV_REPORT_ADDRESS = Address(0x2829AE)
# Assembler snippet for tracepoints
# In contrast to the Nexus 5 patch, we uninstall ourselves automatically and use internal debug functions
TRACEPOINT_BODY_ASM_LOCATION = 0x00223100
+5 -1
@@ -7,7 +7,7 @@
# multiple copies of this file in order to target different firmware
# and chip versions.
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
# Copyright (c) 2020 The InternalBlue Team. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
@@ -31,6 +31,7 @@
from __future__ import absolute_import
from .fw import MemorySection, FirmwareDefinition
from .. import Address
class BCM4345C0(FirmwareDefinition):
@@ -74,6 +75,9 @@ class BCM4345C0(FirmwareDefinition):
BLOC_HEAD = 0x200490 # g_dynamic_memory_GeneralUsePools
BLOC_NG = True # Next Generation Bloc Buffer
# Enable enhanced advertisement reports (bEnhancedAdvReport) - TODO untested
ENHANCED_ADV_REPORT_ADDRESS = Address(0x202CC4)
# Snippet for sendLcpPacket()
SENDLCP_CODE_BASE_ADDRESS = 0x21F000
SENDLCP_ASM_CODE = """