首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. 智能设备
    3. 发新帖
[原创]BrakTooth学习笔记
2023-4-15 16:22 12505

[原创]BrakTooth学习笔记

vasthao 活跃值
6
2023-4-15 16:22
12505

学习论文BRAKTOOTH: Causing Havoc on Bluetooth Link Manager via Directed Fuzzing的一些补充

Fuzzer

开源的渗透测试工具Ubertooth One使用的无线收发器CC2400决定了它不支持低功耗蓝牙BLE 2M PHY,也不支持经典蓝牙的EDR2和EDR3,现阶段固件实现也不支持协议Fuzzing。
BrakTooth使用Espressif ESP32,它支持蓝牙双模,射频IP不知道是自研IP还是采用CEVA官方的射频Ripple IP,如果是Ripple IP,它不支持低功耗蓝牙BLE 2M PHY,BLE Coded PHY需要由蓝牙IP提供BLE FEC支持,蓝牙IP不知道是采用CEVA版本8(BT 4.2)还是版本9(BT 5.0)的蓝牙IP。

Xtensa

实现Controller的MCU指令集采用Cadence收购TensilicaXtensa,只用了标量单元(矢量单元侧重DSP,与CEVA的DSP竞争),需要编写ghidra-xtensa处理器插件进行反编译。ABI使用寄存器窗口,与Sparc的实现类似,VMP使用的寄存器轮转与之也非常类似。

Register

由于CEVA蓝牙IP低功耗版本有某些版本的Controller源码流出,重点关注其经典蓝牙IP的Controller逆向。L3 UMAC(Controller)与L2 LMAC(BP)用Exchange Memory进行通信,LMAC固件CEVA官方ROM固化,相关指令集和ROM Patch未知,理论上有了物理层和链路层寄存器的定义和描述后,可以自己实现LMAC而不用官方实现的LMAC。逆向蓝牙厂商以静态库或ROM的方式实现的Controller,需要对EM(Exchange Memory)寄存器读写和链路层寄存器读写进行手动标注,版本不同相关寄存器也有差异,需要猜测。比如对BrakToothROM Patch框架中的源码reversed_ld_page_em_init函数进行标注如下(不一定对):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
/**
 * Frame Format
 *  - 0000x: Do not use.              
 *  - 00010: Master connect.        
 *  - 00011: Slave connect.           
 *  - 00100: Page.                    
 *  - 00101: Page scan.               
 *  - 00110: Master page response.    
 *  - 00111: Slave page response.     
 *  - 01000: Inquiry.                 
 *  - 01001: Inquiry response.        
 *  - 01010: Do not use.              
 *  - 01011: Do not use.              
 *  - 011xx: Do not use.              
 *  - 10xxx: Do not use.              
 *  - 11000: Master Broadcast.     
 *  - 11001: Broadcast Scan.           
 *  - 11010: Master Access window.
 *  - 11011: Slave Access window 1.  
 *  - 11100: Slave Access window 2.   
 *  - 11101: Do not use.              
 *  - 1111x: Do not use     
 */
 
#define EM_BT_CS_FMT_MST_CONNECT    0x02
#define EM_BT_CS_FMT_SLV_CONNECT    0x03
#define EM_BT_CS_FMT_PAGE           0x04
#define EM_BT_CS_FMT_PAGE_SCAN      0x05
#define EM_BT_CS_FMT_MST_PAGE_RSP   0x06
#define EM_BT_CS_FMT_SLV_PAGE_RSP   0x07
#define EM_BT_CS_FMT_INQUIRY        0x08
#define EM_BT_CS_FMT_INQ_RSP        0x09
#define EM_BT_CS_FMT_MST_BCST       0x18
#define EM_BT_CS_FMT_BCST_SCAN      0x19
#define EM_BT_CS_FMT_MST_ACC_WIN    0x1A
#define EM_BT_CS_FMT_SLV_ACC_WIN1   0x1B
#define EM_BT_CS_FMT_SLV_ACC_WIN2   0x1C
 
 
#define TX_LM_BUF_PTR (*((uint32_t *)0x3ffb23c2))
#define TX_PTR (*((uint32_t *)0x3ffb23ba))
#define TX_ACL_BUF_PTR (*((uint32_t *)0x3ffb23c0))
#define TX_PHEADER (*((uint32_t *)0x3ffb23be))
#define TX_HEADER (*((uint32_t *)0x3ffb23bc))
#define TX_DESCPTR (*((uint32_t *)0x3ffb1e0a))
#define ACL_DM_PRIO_CNTL (*((uint32_t *)0x3ffb1e50))
#define SCO_DM_PRIO_CNTL (*((uint32_t *)0x3ffb1e52))
#define FR_CNTL (*((uint32_t *)0x3ffb1dee))
#define PWR_CNTL (*((uint32_t *)0x3ffb1e04))
#define BDADDR0 (*((uint32_t *)0x3ffb1df8))
#define BDADDR1 (*((uint32_t *)0x3ffb1dfa))
#define BDADDR2 (*((uint32_t *)0x3ffb1dfc))
#define BCH0 (*((uint32_t *)0x3ffb1dfe))
#define BCH1 (*((uint32_t *)0x3ffb1e00))
#define RXMAXBUF_BCH2 (*((uint32_t *)0x3ffb1e02))
#define TXRX_CNTL (*((uint32_t *)0x3ffb1e06))
#define ACL_TX_STAT (*((uint32_t *)0x3ffb1e4c))
#define WIN_CNTL (*((uint32_t *)0x3ffb1e08))
#define BIT_OFF (*((uint32_t *)0x3ffb1df0))
#define CLK_OFF0 (*((uint32_t *)0x3ffb1df2))
#define CLK_OFF1 (*((uint32_t *)0x3ffb1df4))
#define LINK_CNTL (*((uint32_t *)0x3ffb1df6))
#define ACL_RX_STAT (*((uint32_t *)0x3ffb1e4e))
 
uint32_t reversed_ld_page_em_init(void)
{
    uint8_t bVar1;
    char cVar2;
    int iVar3;
    ushort *puVar4;
    int iVar5;
    ushort *puVar6;
    ushort *puVar7;
    ushort *puVar8;
 
    iVar5 = ld_page_env;
    bVar1 = *(uint8_t *)(ld_page_env + 0x41);
    iVar3 = (uint)bVar1 * 0x66;
 
    //FR_CNTL
    puVar4 = (ushort *)(&FR_CNTL + iVar3);
 
    //PWR_CNTL
    puVar8 = (ushort *)(&PWR_CNTL + iVar3);
 
    //em_bt_frcntl_format_setf(EM_BT_CS_FMT_PAGE)
   //FORMAT=FRCNTL[0:40x f f e 0=0b 1111 1111 1110 0000
   //4:Page
    *puVar4 = *puVar4 & 0xffe0 | 4;
 
    //em_bt_bdaddr0_setf
    *(uint16_t *)(&BDADDR0 + iVar3) = *(uint16_t *)(iVar5 + 0x28);
 
    //em_bt_bdaddr1_setf
    *(uint16_t *)(&BDADDR1 + iVar3) = *(uint16_t *)(iVar5 + 0x2a);
 
     //em_bt_bdaddr2_setf
    *(uint16_t *)(&BDADDR2 + iVar3) = *(uint16_t *)(iVar5 + 0x2c);
 
    //em_bt_bch0_setf
    *(uint16_t *)(&BCH0 + iVar3) = *(uint16_t *)(iVar5 + 0x44);
 
    //em_bt_bch1_setf
    *(uint16_t *)(&BCH1 + iVar3) = *(uint16_t *)(iVar5 + 0x46);
 
    //em_bt_rxmaxbuf_bch2_pack
    *(ushort *)(&RXMAXBUF_BCH2 + iVar3) = (ushort) * (uint8_t *)(iVar5 + 0x48) & 3;
 
    //em_bt_pwrcntl_txpwr_setf
    *puVar8 = (ushort)rwip_rf[44] | *puVar8 & 0xff00;
 
    //TXRX_CNTL
    puVar6 = (ushort *)(&TXRX_CNTL + iVar3);
    //em_bt_txrxcntl_txeir_setf
    *puVar6 = *puVar6 & 0xfff7;
 
    //ACL_TX_STAT
    puVar7 = (ushort *)(&ACL_TX_STAT + iVar3);
 
    //em_bt_acltxstat_txtog_setf
    *puVar7 = *puVar7 & 0x7fff;
 
    //em_bt_acltxstat_waitack_setf
    *puVar7 = *puVar7 & 0xfbff;
 
    //em_bt_acltxstat_lasttxseqn_setf
    *puVar7 = *puVar7 & 0xfffe;
 
    //em_bt_acltxstat_lasttxack_setf
    *puVar7 = *puVar7 & 0xfffd;
 
    //em_bt_acltxstat_fcrc_setf
    *puVar7 = *puVar7 & 0xdfff;
 
    //em_bt_acltxstat_fnak_setf
    *puVar7 = *puVar7 & 0xefff;
 
    //em_bt_pwrcntl_fh_en_setf
    *puVar8 = *puVar8 & 0x7fff | 0x8000;
 
    //em_bt_wincntl_pack
    *(uint16_t *)(&WIN_CNTL + iVar3) = 0x30;
 
    //em_bt_bitoff_pack
    *(uint16_t *)(&BIT_OFF + iVar3) = 0;
 
    //em_bt_clkoff0_setf
    *(uint16_t *)(&CLK_OFF0 + iVar3) = *(uint16_t *)(iVar5 + 0x3c);
 
    //em_bt_clkoff1_setf
    *(uint16_t *)(&CLK_OFF1 + iVar3) = 0;
 
     //em_bt_txrxcntl_rxthr_setf
    *puVar6 = *puVar6 & 0x1fff;
 
    //LINK_CNTL
    puVar7 = &LINK_CNTL + (uint)bVar1 * 0x33;
 
    //em_bt_linkcntl_aknena_setf
    *puVar7 = *puVar7 & 0x7fff;
 
    //em_bt_linkcntl_afhena_setf
    *puVar7 = *puVar7 & 0xbfff;
 
    //em_bt_linkcntl_whdsb_setf
    *puVar7 = *puVar7 & 0xefff;
 
    //em_bt_txrxcntl_txcrypt_setf
    *puVar6 = *puVar6 & 0xfffc;
 
    //em_bt_txrxcntl_rxcrypt_setf
    *puVar6 = *puVar6 & 0xfcff;
 
    //em_bt_txrxcntl_txbcry_setf
    *puVar6 = *puVar6 & 0xfffb;
 
    //em_bt_txrxcntl_rxbcry_setf
    *puVar6 = *puVar6 & 0xfbff;
 
     //em_bt_txrxcntl_stopmod_setf
    *puVar6 = *puVar6 & 0xff7f;
 
    cVar2 = *(char *)(iVar5 + 0x54);
 
    //em_bt_linkcntl_acledr_setf
    *puVar7 = *puVar7 & 0xf7ff;
 
    if (cVar2 == '\0') {
        iVar5 = ((uint) * (uint8_t *)(iVar5 + 0x41) & 0x7f) * 0x14;
 
        //em_bt_txheader_pack
        *(uint16_t *)(&TX_HEADER + iVar5) = 0x390;
 
        //em_bt_txpheader_pack
        *(uint16_t *)(&TX_PHEADER + iVar5) = 0x92;
 
         //em_bt_txaclbufptr_pack
        *(uint16_t *)(&TX_ACL_BUF_PTR + iVar5) = 0;
 
        //em_bt_txlmbufptr_pack
        *(uint16_t *)(&TX_LM_BUF_PTR + iVar5) = 0x262c;
 
        //em_bt_txptr_pack
        *(uint16_t *)(&TX_PTR + iVar5) = 0;
 
        hook_ld_page_em_init(iVar5);
 
        //em_bt_txdescptr_setf
        *(short *)(&TX_DESCPTR + iVar3) = (short)iVar5 + 0x23ba;
    }
    else {
 
        //em_bt_txdescptr_pack
        *(uint16_t *)(&TX_DESCPTR + iVar3) = 0;
    }
    if (false) {
        (**(code3 **)(r_plf_funcs_p + 0x14))("(((uint16_t)aclincpriostep << 13) & ~((uint16_t)0x0000E000)) == 0", "ld_page.c", 0xa33);
    }
    if (false) {
        (**(code3 **)(r_plf_funcs_p + 0x14))("(((uint16_t)aclminprio << 8) & ~((uint16_t)0x00001F00)) == 0", "ld_page.c", 0xa34);
    }
    if (false) {
        (**(code3 **)(r_plf_funcs_p + 0x14))("(((uint16_t)accurrentprio << 0) & ~((uint16_t)0x0000001F)) == 0", "ld_page.c", 0xa36);
    }
 
    //ACL_DM_PRIO_CNTL
    //aclincpriostep=ACL_DM_PRIO_CNTL[13:15]    0xa33
    //aclminprio=ACL_DM_PRIO_CNTL[8:12]    0xa34
    //reserved_05_07=ACL_DM_PRIO_CNTL[5:7](????aclconflict)    0xa35
    //aclcurrentprio=ACL_DM_PRIO_CNTL[0:4]    0xa36
    //em_acldmpriocntl_pack
    *(uint16_t *)(&ACL_DM_PRIO_CNTL + iVar3) = 0x2808;
 
    //SCO_DM_PRIO_CNTL
    //scoincpriostep=SCO_DM_PRIO_CNTL[13:15]
    //scominprio=SCO_DM_PRIO_CNTL[8:12]
    //reserved_05_07=SCO_DM_PRIO_CNTL[5:7](????scoconflict)
    //scocurrentprio=SCO_DM_PRIO_CNTL[0:4]
    //em_scodmpriocntl_pack
    *(uint16_t *)(&SCO_DM_PRIO_CNTL + iVar3) = 0;
 
    //em_bt_frcntl_pack
    *puVar4 = 0x5704;
 
    return 0x5704;
}

Bluetooth

推荐基于CEVA蓝牙IP相对比较好实现蓝牙渗透工具的蓝牙芯片:低功耗蓝牙有ON Semiconductor的RSL10/RSL15、Dialog的DA14531和Bouffalo Lab的BL702;蓝牙双模有Bouffalo Lab的BL618/BL606P和Beken的BK3288/Bk7256


[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法

最后于 2023-4-16 14:43 被vasthao编辑 ,原因:
收藏
点赞0
打赏
分享
最新回复 (1)
秋狝
雪    币: 19270
活跃值: (28900)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
秋狝 2023-4-15 22:39
2
1
感谢分享
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回