Update nearly all examples to Python3

Two problems were fixed:
__future__ imports must be the first import of a file, otherwise python
just refuses the file

The Address Type was used but not correctly imported (and not properly
defined as a NewType, just a Type Alias)

README.md

@@ -196,10 +196,10 @@ All steps on a plain Ubuntu 18.04:
     make
     make install
 
-Packets required on a current (July 2019) Raspian:
+Packets required on a current (March 2020) Raspbian:
      
      sudo apt-get --allow-releaseinfo-change update
-     sudo apt-get install git python-setuptools binutils-arm-none-eabi adb python-pip python-dev gcc libffi-dev
+     sudo apt-get install git python3-setuptools binutils-arm-none-eabi adb python3-pip python3-dev gcc libffi-dev
 
 
 

examples/eval_cyw20735/KNOB_PoC.py

@@ -1,11 +1,9 @@
-#!/usr/bin/python2
+#!/usr/bin/env python3
 
 # Jiska Classen, Secure Mobile Networking Lab
-
-
-from pwn import *
+from internalblue import Address
 from internalblue.hcicore import HCICore
-
+from internalblue.utils.pwnlib_wrapper import log, asm
 
 
 """
@@ -32,10 +30,10 @@ log.info("Installing patch which ensures that send_LMP_encryptoin_key_size_req i
 
 # modify function lm_SendLmpEncryptKeySizeReq
 patch = asm("mov r2, #0x1", vma=0x7402A)  # connection struct key entropy
-internalblue.patchRom(0x7402A, patch)
+internalblue.patchRom(Address(0x7402A), patch)
 
 # modify global variable for own setting
-internalblue.writeMem(0x280F13, '\x01')  # global key entropy
+internalblue.writeMem(0x280F13, b'\x01')  # global key entropy
 
 
 internalblue.shutdown()

examples/nexus5/BLE_Reception_PoC.py

@@ -1,14 +1,14 @@
-#!/usr/bin/env python2
+#!/usr/bin/env python3
 
 # Jiska Classen
 
 # Get receive statistics on a Nexus 5 for BLE connection events
 
 from builtins import range
-from pwn import *
 from internalblue.adbcore import ADBCore
 import internalblue.hci as hci
 import internalblue.cli as cli
+from internalblue.utils.pwnlib_wrapper import log, asm, u8, u16
 
 internalblue = ADBCore(serial=False)
 device_list = internalblue.device_list()

examples/nexus5/CVE_2018_5383_Invalid_Curve_Attack_PoC.py

@@ -1,10 +1,9 @@
 #!/usr/bin/env python2
 
 # Dennis Mantz
-
-from pwn import *
+from internalblue import Address
 from internalblue.adbcore import ADBCore
-
+from internalblue.utils.pwnlib_wrapper import log, asm
 #internalblue = core.InternalBlue()
 
 internalblue = ADBCore()
@@ -15,9 +14,9 @@ if len(device_list) == 0:
 internalblue.interface = device_list[0][1] # just use the first device
 
 
-PK_RECV_HOOK_ADDRESS = 0x2FED8
-PK_SEND_HOOK_ADDRESS = 0x030098
-GEN_PRIV_KEY_ADDRESS = 0x48eba
+PK_RECV_HOOK_ADDRESS = Address(0x2FED8)
+PK_SEND_HOOK_ADDRESS = Address(0x030098)
+GEN_PRIV_KEY_ADDRESS = Address(0x48eba)
 HOOKS_LOCATION = 0xd7800
 ASM_HOOKS = """
 b pk_recv_hook

examples/nexus5/KNOB_PoC.py

@@ -1,15 +1,13 @@
-#!/usr/bin/python2
+#!/usr/bin/python3
 
 # Jiska Classen, Secure Mobile Networking Lab
-
-
-from pwn import *
+from internalblue import Address
 from internalblue.adbcore import ADBCore
 import internalblue.cli as cli
 import internalblue.cmds as cmd
 import internalblue.hci as hci
 from internalblue.cmds import auto_int
-
+from internalblue.utils.pwnlib_wrapper import log, asm, u8, p16, u16
 
 
 """
@@ -36,10 +34,10 @@ log.info("Installing patch which ensures that send_LMP_encryptoin_key_size_req i
 
 # modify function lm_SendLmpEncryptKeySizeReq
 patch = asm("mov r2, #0x1", vma=0x5AED0)  # connection struct key entropy
-internalblue.patchRom(0x5AED0, patch)
+internalblue.patchRom(Address(0x5AED0), patch)
 
 # modify global variable for own setting
-internalblue.writeMem(0x203797, '\x01')  # global key entropy
+internalblue.writeMem(0x203797, b'\x01')  # global key entropy
 
 
 log.info("-----------------------KNOB-----------------------\n"
@@ -67,7 +65,7 @@ class CmdKnob(cmd.Cmd):
 
     def work(self):
         args = self.getArgs()
-        internalblue.sendHciCommand(0x1408, p16(args.hnd))
+        internalblue.sendHciCommand(hci.HCI_COMND.Encryption_Key_Size, p16(args.hnd))
         return True
 
 

examples/nexus5/LMP_MAC_Address_Filter.py

@@ -1,10 +1,10 @@
-#!/usr/bin/python2
+#!/usr/bin/env python3
 
 # Jiska Classen, Secure Mobile Networking Lab
-
-from pwn import *
+from internalblue import Address
 from internalblue.adbcore import ADBCore
-
+from internalblue.utils.pwnlib_wrapper import log, asm
+from binascii import unhexlify
 """
 Filter connections by MAC address before entering LMP dispatcher.
 Enter MAC addresses you trust into whitelist.
@@ -12,8 +12,8 @@ Enter MAC addresses you trust into whitelist.
 """
 WHITELIST = ["aabbccddeeff", "133713371337", "affedeadbeef"]
 
-WHITELIST_BYTES = ''.join(WHITELIST).decode("hex")[::-1]  # change mac addr byte order
-HOOK_LMP_FILTER = 0x3f3f4               # This function is in ROM
+WHITELIST_BYTES = unhexlify(''.join(WHITELIST))[::-1]  # change mac addr byte order
+HOOK_LMP_FILTER = Address(0x3f3f4)               # This function is in ROM
 ASM_LOCATION_LMP_FILTER = 0x00211900    # 0xD5900
 ASM_SNIPPET_LMP_FILTER = """
 b lmp_dispatcher_filter

examples/nexus5/NiNo_PoC.py

@@ -1,12 +1,12 @@
-#!/usr/bin/python2
+#!/usr/bin/env python3
 
 # Jiska Classen, Secure Mobile Networking Lab
 
 import sys
 
-from pwn import *
+from internalblue import Address
 from internalblue.adbcore import ADBCore
-
+from internalblue.utils.pwnlib_wrapper import log, asm
 
 
 """
@@ -40,7 +40,7 @@ TODO
 """
 
 
-HOOK_IO_CAP_RESP = 0x303D4 # we just change the complete simple pairing state machine
+HOOK_IO_CAP_RESP = Address(0x303D4) # we just change the complete simple pairing state machine
 ASM_LOCATION_IO_CAP_RESP = 0x00211800 #0xd7800
 ASM_SNIPPET_IO_CAP_RESP = """
         //restore original 8 bytes of instructions which we overwrite by patching a branch into it

examples/nexus6p/KNOB_PoC.py

@@ -3,13 +3,12 @@
 # Jiska Classen, Secure Mobile Networking Lab
 
 
-from pwn import *
 from internalblue.adbcore import ADBCore
 import internalblue.cli as cli
 import internalblue.cmds as cmd
 import internalblue.hci as hci
 from internalblue.cmds import auto_int
-
+from internalblue.utils.pwnlib_wrapper import u8, p16, u16, log
 
 """
 This is a standalone PoC for the KNOB attack on a Nexus 6P.
@@ -39,7 +38,7 @@ log.info("Installing patch which ensures that send_LMP_encryption_key_size_req i
 # this somehow crashes on the Nexus 6P, but the global variable seems to be sufficient :)
 
 # modify global variable for own setting
-internalblue.writeMem(0x204147, '\x01')  # global key entropy
+internalblue.writeMem(0x204147, b'\x01')  # global key entropy
 
 
 log.info("-----------------------KNOB-----------------------\n"
@@ -67,7 +66,7 @@ class CmdKnob(cmd.Cmd):
 
     def work(self):
         args = self.getArgs()
-        internalblue.sendHciCommand(0x1408, p16(args.hnd))
+        internalblue.sendHciCommand(hci.HCI_COMND.Encryption_Key_Size, p16(args.hnd))
         return True
 
 

examples/rpi3/BLE_Reception_PoC.py

@@ -1,12 +1,11 @@
-#!/usr/bin/env python2
+#!/usr/bin/env python3
 
 # Jiska Classen
 
 # Get receive statistics on a Raspberry Pi 3 for BLE connection events
-
-from pwn import *
+from internalblue import Address
 from internalblue.hcicore import HCICore
-
+from internalblue.utils.pwnlib_wrapper import log, asm
 
 internalblue = HCICore()
 device_list = internalblue.device_list()
@@ -16,7 +15,7 @@ if len(device_list) == 0:
 internalblue.interface = device_list[0][1] # just use the first device
 
 
-RX_DONE_HOOK_ADDRESS = 0x35fbc  # _connTaskRxDone
+RX_DONE_HOOK_ADDRESS = Address(0x35fbc)  # _connTaskRxDone
 HOOKS_LOCATION = 0x210500
 ASM_HOOKS = """
 

examples/rpi3/KNOB_PoC.py

@@ -1,9 +1,8 @@
-#!/usr/bin/python2
+#!/usr/bin/python3
 
 # Jiska Classen, Secure Mobile Networking Lab
-
-
-from pwn import *
+from internalblue import Address
+from internalblue.utils.pwnlib_wrapper import log, asm
 from internalblue.hcicore import HCICore
 
 
@@ -32,10 +31,10 @@ log.info("Installing patch which ensures that send_LMP_encryptoin_key_size_req i
 
 # modify function lm_SendLmpEncryptKeySizeReq
 patch = asm("mov r2, #0x1", vma=0x689F0)  # connection struct key entropy
-internalblue.patchRom(0x689F0, patch)
+internalblue.patchRom(Address(0x689F0), patch)
 
 # modify global variable for own setting
-internalblue.writeMem(0x204127, '\x01')  # global key entropy
+internalblue.writeMem(0x204127, b'\x01')  # global key entropy
 
 
 internalblue.shutdown()

examples/rpi3p_rpi4/BLE_Reception_PoC.py

@@ -1,12 +1,11 @@
-#!/usr/bin/env python2
+#!/usr/bin/env python3
 
 # Jiska Classen
 
 # Get receive statistics on a Raspberry Pi 3 for BLE connection events
-
-from pwn import *
+from internalblue import Address
 from internalblue.hcicore import HCICore
-
+from internalblue.utils.pwnlib_wrapper import log, asm
 
 internalblue = HCICore()
 device_list = internalblue.device_list()
@@ -16,7 +15,7 @@ if len(device_list) == 0:
 internalblue.interface = device_list[0][1] # just use the first device
 
 
-RX_DONE_HOOK_ADDRESS = 0x56622  # _connTaskRxDone
+RX_DONE_HOOK_ADDRESS = Address(0x56622)  # _connTaskRxDone
 HOOKS_LOCATION = 0x210500
 ASM_HOOKS = """
 

examples/rpi3p_rpi4/KNOB_PoC.py

@@ -1,11 +1,9 @@
-#!/usr/bin/python2
+#!/usr/bin/python3
 
 # Jiska Classen, Secure Mobile Networking Lab
-
-
-from pwn import *
+from internalblue import Address
 from internalblue.hcicore import HCICore
-
+from internalblue.utils.pwnlib_wrapper import log, asm
 
 
 """
@@ -32,10 +30,10 @@ log.info("Installing patch which ensures that send_LMP_encryptoin_key_size_req i
 
 # modify function lm_SendLmpEncryptKeySizeReq
 patch = asm("mov r2, #0x1", vma=0x3B3D4)  # connection struct key entropy
-internalblue.patchRom(0x3B3D4, patch)
+internalblue.patchRom(Address(0x3B3D4), patch)
 
 # modify global variable for own setting
-internalblue.writeMem(0x204A5F, '\x01')  # global key entropy
+internalblue.writeMem(0x204A5F, b'\x01')  # global key entropy
 
 
 internalblue.shutdown()

examples/s8/BLE_Reception_PoC.py

@@ -1,15 +1,14 @@
-#!/usr/bin/env python2
+#!/usr/bin/env python3
 
 # Jiska Classen
 
 # Get receive statistics on a Samsung Galaxy S8 for BLE connection events
 
 from builtins import range
-from pwn import *
 from internalblue.adbcore import ADBCore
 import internalblue.hci as hci
 import internalblue.cli as cli
-
+from internalblue.utils.pwnlib_wrapper import log, asm, u8, u16
 internalblue = ADBCore(serial=True)
 device_list = internalblue.device_list()
 if len(device_list) == 0:

examples/s8/KNOB_PoC.py

@@ -1,11 +1,9 @@
-#!/usr/bin/python2
+#!/usr/bin/python3
 
 # Jiska Classen, Secure Mobile Networking Lab
-
-
-from pwn import *
+from internalblue import Address
 from internalblue.adbcore import ADBCore
-
+from internalblue.utils.pwnlib_wrapper import log, asm
 
 
 """
@@ -32,10 +30,10 @@ log.info("Installing patch which ensures that send_LMP_encryptoin_key_size_req i
 
 # modify function lm_SendLmpEncryptKeySizeReq
 patch = asm("mov r2, #0x1", vma=0x530F6)  # connection struct key entropy
-internalblue.patchRom(0x530F6, patch)
+internalblue.patchRom(Address(0x530F6), patch)
 
 # modify global variable for own setting
-internalblue.writeMem(0x255E8F, '\x01')  # global key entropy
+internalblue.writeMem(0x255E8F, b'\x01')  # global key entropy
 
 
 internalblue.shutdown()

internalblue/__init__.py

@@ -17,8 +17,7 @@ from typing import (
     Dict,
 )
 
-# Address = NewType("Address", int)
-Address = int
+Address = NewType("Address", int)
 ConnectionNumber = NewType("ConnectionNumber", int)
 ConnectionIndex = NewType("ConnectionIndex", int)
 

internalblue/cmds.py

@@ -1784,7 +1784,7 @@ class CmdBreakpoint(Cmd):
             return True
 
         log.info("Inserting breakpoint at 0x%x..." % args.address)
-        self.internalblue.patchRom(args.address, "\x00\xbe\x00\x00")
+        self.internalblue.patchRom(args.address, b'\x00\xbe\x00\x00')  # on ARM, hex code for a break point is 0xBE00
 
         return True
 

internalblue/fw/fw_0x220c.py

@@ -23,7 +23,24 @@
 from __future__ import absolute_import
 from .fw import MemorySection, FirmwareDefinition
 
+
 class CYW20819A1(FirmwareDefinition):
+    """
+    CYW20819 is a Cypress evaluation board, the newest one that is currently available.
+
+    Known issues:
+
+    * `Launch_RAM` does not terminate and crashes the board.
+
+      To get this working anyway:
+      The `Launch_RAM` handler HCI callback is at `0xF2884` and it can be overwritten with the
+      address of the memory snippet you want to launch. For example, at `0x219000` there is some
+      free memory. Put the function there. Then:
+
+      `internalblue.patchRom(0xF2884, b'\x01\x90\x21\x00'):  # 0x219001 when you write code to 0x219000`
+
+    """
+
     # Firmware Infos
     # Evaluation Kit CYW920819
     FW_NAME = "CYW20819A1"
@@ -47,3 +64,4 @@ class CYW20819A1(FirmwareDefinition):
     PATCHRAM_NUMBER_OF_SLOTS = 256
     PATCHRAM_ALIGNED = False
     # only seems to work 4-byte aligned here ...
+

internalblue/fw/fw_0x220e.py

@@ -22,9 +22,8 @@
 #   liability, whether in an action of contract, tort or otherwise, arising from,
 #   out of or in connection with the Software or the use or other dealings in the
 #   Software.
-
-from .fw import MemorySection, FirmwareDefinition
 from __future__ import absolute_import
+from .fw import MemorySection, FirmwareDefinition
 
 
 class BCM20702A1(FirmwareDefinition):

internalblue/fw/fw_0x4208.py

@@ -22,6 +22,7 @@
 
 from __future__ import absolute_import
 from .fw import MemorySection, FirmwareDefinition
+from .. import Address
 
 
 class CYW20735B1(FirmwareDefinition):

internalblue/fw/fw_0x420e.py

@@ -20,8 +20,9 @@
 #   out of or in connection with the Software or the use or other dealings in the
 #   Software.
 
-from .fw import MemorySection, FirmwareDefinition
 from __future__ import absolute_import
+from .fw import MemorySection, FirmwareDefinition
+from .. import Address
 
 
 class CYW20739B1(FirmwareDefinition):

internalblue/fw/fw_0x420e_iphone.py

@@ -20,8 +20,8 @@
 #   out of or in connection with the Software or the use or other dealings in the
 #   Software.
 
-from .fw import MemorySection, FirmwareDefinition
 from __future__ import absolute_import
+from .fw import MemorySection, FirmwareDefinition
 
 
 class BCM4347B1(FirmwareDefinition):

internalblue/fw/fw_0x617e.py

@@ -20,8 +20,8 @@
 #   out of or in connection with the Software or the use or other dealings in the
 #   Software.
 
-from .fw import MemorySection, FirmwareDefinition
 from __future__ import absolute_import
+from .fw import MemorySection, FirmwareDefinition
 
 
 class BCM4345B0(FirmwareDefinition):

internalblue/hci.py

@@ -30,6 +30,7 @@ from builtins import hex
 from builtins import range
 from builtins import object
 from enum import Enum
+from datetime import datetime
 
 from internalblue.utils.pwnlib_wrapper import (
     p8,
@@ -931,7 +932,7 @@ class StackDumpReceiver(object):
 
     def __init__(self, data_directory="."):
         self.data_directory = data_directory
-        self.stack_dump_filename = data_directory + "/internalblue_stackdump.bin"
+        self.stack_dump_filename = data_directory + ("/internalblue_stackdump_%s.bin" % datetime.now())
 
     def recvPacket(self, record):
         hcipkt = record[0]
@@ -963,14 +964,16 @@ class StackDumpReceiver(object):
         followed by the actual ram dump (at this address)
         """
         addr = u32(data[:4])
-        if self.memdump_addr == None:
+        if self.memdump_addr is None:
             self.memdump_addr = addr
-        self.memdumps[addr - self.memdump_addr] = data[4:]
+        self.memdumps[addr - self.memdump_addr] = bytes(data[4:])  # convert from bytearray to bytes
         log.debug("Stack dump handling addr %08x", addr - self.memdump_addr)
 
     def finishStackDump(self):
-        return  # FIXME flat not working on dict in python 3 like this
-        dump = flat(self.memdumps)
+        """
+        Write the stack dump to a file once it is finished.
+        """
+        dump = flat(self.memdumps)  # flatten, as we have one entry per address chunk
         log.warn(
             "Stack dump @0x%08x written to %s!"
             % (self.memdump_addr, self.stack_dump_filename)

internalblue/ioscore.py

@@ -35,13 +35,22 @@ class iOSCore(InternalBlue):
         self.serial = False
         self.doublecheck = True
         self.buffer = b""
-        self.mux = USBMux()
+
+        try:
+            self.mux = USBMux()
+        # on Linux, this can result in ConnectionRefusedError if no iOS device is present
+        except ConnectionRefusedError:
+            self.muxconnecterror = True
 
     def device_list(self):
         """
         Get a list of connected devices
         """
 
+        # prevent access on non-available socket if usbmuxd failed
+        if self.muxconnecterror:
+            return []
+
         if self.exit_requested:
             self.shutdown()
 

internalblue/utils/pwnlib_wrapper.py

@@ -25,7 +25,7 @@ from pwn import log
 from pwnlib.term import text
 from pwnlib.ui import options, yesno
 from pwnlib.util.packing import flat
-from pwnlib.asm import disasm
+from pwnlib.asm import disasm, asm
 from pwnlib.util.fiddling import isprint, unbits, bits_str, bits
 
 

setup.py

@@ -16,6 +16,7 @@ setup(
         "internalblue/objects",
         "internalblue/utils",
     ],
+    python_requires='>=3.6',
     install_requires=["pwntools>=4.0.1", "pyelftools", "future"],
     extras_require={"macoscore": ["pyobjc"], "ipython": ["IPython"]},
     tests_require=["nose", "pytest", "pwntools>=4.2.0.dev0"],