[原创]某蓝牙适配器逆向概述
某蓝牙适配器逆向概述
看了Tarlogic研究团队在39C3(The 39th Chaos Communication Congress)的Liberating Bluetooth on the ESP32议题有感而发
Why Not the ESP32?
关于ESP32的蓝牙相关逆向,有BrakTooth: Causing Havoc on Bluetooth Link Manager via Directed Fuzzing的BR/EDR逆向和ESPwn32: Hacking with ESP32 System-on-Chips
的BLE逆向,还有39C3大会议题Liberating Bluetooth on the ESP32的BLE逆向。
虽然ESP32蓝牙支持双模,但它还是有些问题的,它的BLE是4.2版本,不完全兼容BLE5.0,并且它的CEVA蓝牙4.2 IP的BLE LMAC官方中断寄存器配置有些问题,官方参考实现的BLE UMAC的事件调度很一般,最好是找蓝牙硬件版本至少是5.0的CEVA双模IP的芯片进行逆向。
本文是对某蓝牙适配器(其蓝牙芯片的硬件版本为5.0)的ROM固件进行逆向后的相关汇总;由于该蓝牙芯片采用CEVA蓝牙5.0双模IP,实际上整理的是CEVA蓝牙5.0双模IP物理层和链路层的相关资料。
Architecture
Dual Mode
架构如下(图片来自CEVA Bluetooth Product Brief):

BLE 4.2
架构如下(图片来自CEVA Bluetooth Product Brief):

BLE 5.0
和BLE 4.2的区别是Bit Stream多了LE Coded FEC。
BR/EDR
和BLE 4.2的架构区别是没有Resolve Address List和White List Search,Bit Stream不一样,并且多了Audio Path。音频路径Audio Path有可能是ESCO<-->CVSD<-->PCM<-->MIC/Speakers或ESCO<-->Audio DSP<-->Audio ADC/Audio DAC<-->MIC/Speakers。BLE 4.2的Event Scheduler和Event Controller在BR/EDR中称为Frame Scheduler和Frame Controller;4.2版本的BR/EDR Frame Scheduler和BLE Event Scheduler并不兼容,5.0版本开始兼容,5.1版本统称Activity Scheduler。
PHY
Radio
使用自定义版本,频率合成采用的PLL不知道是不是ADPLL。
Modem
使用官方版本,官方有好多个版本,蓝牙4.x可能有2个,蓝牙5.x可能有2-3个,蓝牙6.x可能还有1个,本芯片大概采用官方蓝牙4.x版本的BlueJay Modem,官方蓝牙4.x版本的另外一个是Ripple Modem,有一个常见的实现是Ripple Radio和BlueJay Modem的组合,本芯片应该是采用自定义Radio和BlueJay Modem的组合。
MAC
LMAC
Radio Controller
有三个部分:共用的Dual Mode、BR/EDR和BLE。基址?0000000H(隐去首地址),标记的寄存器偏移如下:
| Offset | Mode |
|---|---|
| 0x0000 | Dual Mode |
| 0x0400 | BR/EDR |
| 0x0800 | BLE |
Hardware Version
硬件版本是5.0,定义如下:
| Mode | Type | Release | Upgrade | Build |
|---|---|---|---|---|
| BR/EDR | 0x09 | 0x00 | 0x10 | 0x00 |
| BLE | 0x09 | 0x00 | 0x1A | 0x00 |
Interrupt
中断寄存器定义如下:
/*
 * CEVA dual-mode Bluetooth LMAC (Radio Controller) interrupt-control
 * register layouts, recovered from ROM firmware, one pair per hardware type.
 *
 * Each struct maps exactly 32 bits and the first field is bit 0; this relies
 * on the compiler allocating bit-fields LSB-first, as GCC does on
 * little-endian targets. Fields named reserved_<lo>_<hi> pad bits lo..hi.
 * A "umac <fn>" note names the UMAC link-driver routine that services that
 * interrupt, as observed in the ROM.
 */

/* ---- Hardware type 8: Bluetooth 4.2 -----------------------------------
 * The BR/EDR and BLE interrupt-control registers have different layouts, so
 * they cannot be folded into one union; the BR/EDR Frame Scheduler and the
 * BLE Event Scheduler are likewise incompatible on this generation. */

/* BR/EDR interrupt control, HW type 8. */
typedef struct {
    uint32_t clknintmsk       : 1;  /* bit 0 */
    uint32_t rxintmsk         : 1;  /* bit 1 */
    uint32_t slpintmsk        : 1;  /* bit 2 */
    uint32_t audioint0msk     : 1;  /* bit 3 */
    uint32_t audioint1msk     : 1;  /* bit 4 */
    uint32_t audioint2msk     : 1;  /* bit 5 */
    uint32_t frsyncintmsk     : 1;  /* bit 6: umac link driver ld_fm_prog_push */
    uint32_t mtoffint0msk     : 1;  /* bit 7 */
    uint32_t mtoffint1msk     : 1;  /* bit 8 */
    uint32_t finetgtintmsk    : 1;  /* bit 9 */
    uint32_t grosstgtintmsk   : 1;  /* bit 10 */
    uint32_t errorintmsk      : 1;  /* bit 11 */
    uint32_t mwswcitxintmsk   : 1;  /* bit 12 */
    uint32_t mwswcirxintmsk   : 1;  /* bit 13 */
    uint32_t frameintmsk      : 1;  /* bit 14 */
    uint32_t frameapfaintmsk  : 1;  /* bit 15 */
    uint32_t swintmsk         : 1;  /* bit 16 */
    uint32_t sketintmsk       : 1;  /* bit 17 */
    uint32_t reserved_18_31   : 14; /* bits 18..31 */
} bt_v8_lmac_intcntl;

/* BLE interrupt control, HW type 8. */
typedef struct {
    uint32_t cscntintmsk      : 1;  /* bit 0 */
    uint32_t rxintmsk         : 1;  /* bit 1 */
    uint32_t slpintmsk        : 1;  /* bit 2 */
    uint32_t eventintmsk      : 1;  /* bit 3: umac LE link driver lld_event_schedule */
    uint32_t cryptintmsk      : 1;  /* bit 4 */
    uint32_t errorintmsk      : 1;  /* bit 5 */
    uint32_t grosstgtimintmsk : 1;  /* bit 6 */
    uint32_t finetgtimintmsk  : 1;  /* bit 7 */
    uint32_t eventapfaintmsk  : 1;  /* bit 8 */
    uint32_t swintmsk         : 1;  /* bit 9 */
    uint32_t audioint0msk     : 1;  /* bit 10 */
    uint32_t audioint1msk     : 1;  /* bit 11 */
    uint32_t audioint2msk     : 1;  /* bit 12 */
    uint32_t reserved_13_14   : 2;  /* bits 13..14 */
    uint32_t cscntdevmsk      : 1;  /* bit 15 */
    uint32_t reserved_16_31   : 16; /* bits 16..31 */
} ble_v8_lmac_intcntl;

/* ESP32 dual-mode 4.2 ROM: addresses of the two scheduler entry points
 * referenced in the bit comments above. */
#define r_ld_fm_prog_push_ptr  0x4003a9d4
#define r_lld_evt_schedule_ptr 0x40047908

/* ---- Hardware type 9: Bluetooth 5.0 -----------------------------------
 * The BR/EDR and BLE interrupt-control registers now share one layout and
 * can be expressed as a union; the BR/EDR Frame Scheduler and BLE Event
 * Scheduler are compatible from this generation on. */

/* BR/EDR interrupt control, HW type 9. */
typedef struct {
    uint32_t clknintmsk       : 1;  /* bit 0 */
    uint32_t reserved_01_01   : 1;  /* bit 1 */
    uint32_t rxintmsk         : 1;  /* bit 2: umac sch_prog_push */
    uint32_t slpintmsk        : 1;  /* bit 3 */
    uint32_t startfrmintmsk   : 1;  /* bit 4: umac sch_prog_push */
    uint32_t endfrmintmsk     : 1;  /* bit 5: umac sch_prog_push */
    uint32_t skipfrmintmsk    : 1;  /* bit 6: umac sch_prog_push */
    uint32_t cryptintmsk      : 1;  /* bit 7 */
    uint32_t errorintmsk      : 1;  /* bit 8 */
    uint32_t grosstgtintmsk   : 1;  /* bit 9 */
    uint32_t finetgtintmsk    : 1;  /* bit 10 */
    uint32_t timestampintmsk  : 1;  /* bit 11 */
    uint32_t swintmsk         : 1;  /* bit 12 */
    uint32_t audioint0msk     : 1;  /* bit 13 */
    uint32_t audioint1msk     : 1;  /* bit 14 */
    uint32_t audioint2msk     : 1;  /* bit 15 */
    uint32_t frsyncintmsk     : 1;  /* bit 16: umac sch_prog_push */
    uint32_t mtoffint0msk     : 1;  /* bit 17 */
    uint32_t mtoffint1msk     : 1;  /* bit 18 */
    uint32_t mwswcitxintmsk   : 1;  /* bit 19 */
    uint32_t mwswcirxintmsk   : 1;  /* bit 20 */
    uint32_t reserved_21_23   : 3;  /* bits 21..23 */
    uint32_t clknintsrval     : 4;  /* bits 24..27 */
    uint32_t clknintsrmsk     : 3;  /* bits 28..30 */
    uint32_t reserved_31_31   : 1;  /* bit 31 */
} bt_v9_lmac_intcntl;

/* BLE interrupt control, HW type 9. */
typedef struct {
    uint32_t clknintmsk         : 1;  /* bit 0 */
    uint32_t txintmsk           : 1;  /* bit 1: umac sch_prog_push */
    uint32_t rxintmsk           : 1;  /* bit 2: umac sch_prog_push */
    uint32_t slpintmsk          : 1;  /* bit 3 */
    uint32_t startevtintmsk     : 1;  /* bit 4: umac sch_prog_push */
    uint32_t endevtintmsk       : 1;  /* bit 5: umac sch_prog_push */
    uint32_t skipevtintmsk      : 1;  /* bit 6: umac sch_prog_push */
    uint32_t cryptintmsk        : 1;  /* bit 7 */
    uint32_t errorintmsk        : 1;  /* bit 8 */
    uint32_t grosstgtimintmsk   : 1;  /* bit 9 */
    uint32_t finetgtimintmsk    : 1;  /* bit 10 */
    uint32_t timestamptgtintmsk : 1;  /* bit 11 */
    uint32_t swintmsk           : 1;  /* bit 12 */
    uint32_t audioint0msk       : 1;  /* bit 13 */
    uint32_t audioint1msk       : 1;  /* bit 14 */
    uint32_t audioint2msk       : 1;  /* bit 15 */
    uint32_t reserved_16_23     : 8;  /* bits 16..23 */
    uint32_t clknintsrval       : 4;  /* bits 24..27 */
    uint32_t clknintsrmsk       : 3;  /* bits 28..30 */
    uint32_t reserved_31_31     : 1;  /* bit 31 */
} ble_v9_lmac_intcntl;

/* ESP32-C3 BLE 5.0 ROM: address of the shared scheduler push routine. */
#define r_sch_prog_push_ptr 0x40001540

/* ---- Hardware type 10: Bluetooth 5.1 ----------------------------------
 * The Frame Scheduler and Event Scheduler are unified as the Activity
 * Scheduler. A new shared interrupt-control register lives in the Dual Mode
 * register block; its FIFO interrupt is the key one. See RSL15 Hardware
 * Reference, section 6.3.3 "BB Controller Interrupts", for the model. */

/* Shared (Dual Mode) interrupt control 1, HW type 10. */
typedef struct {
    uint32_t clknintmsk          : 1;  /* bit 0 */
    uint32_t slpintmsk           : 1;  /* bit 1 */
    uint32_t cryptintmsk         : 1;  /* bit 2 */
    uint32_t swintmsk            : 1;  /* bit 3 */
    uint32_t finetgtintmsk       : 1;  /* bit 4 */
    uint32_t timestamptgt1intmsk : 1;  /* bit 5 */
    uint32_t timestamptgt2intmsk : 1;  /* bit 6 */
    uint32_t reserved_07_14      : 8;  /* bits 7..14 */
    uint32_t fifointmsk          : 1;  /* bit 15: umac sch_prog_fifo */
    uint32_t reserved_16_23      : 8;  /* bits 16..23 */
    uint32_t clknintsrval        : 4;  /* bits 24..27 */
    uint32_t clknintsrmsk        : 3;  /* bits 28..30 */
    uint32_t reserved_31_31      : 1;  /* bit 31 */
} dm_v10_lmac_intcntl1;

/* Shared (Dual Mode) activity-FIFO status, HW type 10. */
typedef struct {
    uint32_t startactintstat : 1;  /* bit 0 */
    uint32_t endactintstat   : 1;  /* bit 1 */
    uint32_t skipactintstat  : 1;  /* bit 2 */
    uint32_t txintstat       : 1;  /* bit 3 */
    uint32_t rxintstat       : 1;  /* bit 4 */
    uint32_t isotxintstat    : 1;  /* bit 5 */
    uint32_t isorxintstat    : 1;  /* bit 6 */
    uint32_t reserved_07_14  : 8;  /* bits 7..14 */
    uint32_t actflag         : 1;  /* bit 15: 0 = BR/EDR enable, 1 = BLE enable */
    uint32_t reserved_16_23  : 8;  /* bits 16..23 */
    uint32_t current_et_idx  : 4;  /* bits 24..27 */
    uint32_t skip_et_idx     : 4;  /* bits 28..31 */
} dm_v10_lmac_actfifostat;
Exchange Memory
Event Scheduler访问ET(Exchange Table),Event Controller访问CS(Control Structures),Packet Controller访问TX Descriptors/RX Descriptors,ET结构如下(图片来自RSL10 Hardware Reference):

该结构属于BR/EDR ET,和BLE ET形成Union Type。
ET 控制结构如下(图片来自RSL15 Hardware Reference):

TX EM寄存器访问类似四重指针访问:ET-->CS-->TX Descriptors-->TX Data Buffer;RX EM寄存器访问类似三重指针访问:Radio Controller ET_CURRENTRXDESCPTR-->RX Descriptors-->RX Data Buffer。
标记的寄存器偏移如下:
/*
 * Exchange Memory (EM) map of the Radio Controller, as marked while
 * reversing the ROM. All EM_*_OFFSET values are byte offsets from EM_BASE.
 * BASE is the chip's register window; it is deliberately zeroed here to
 * hide the real address. Region sizes are only implied by the distance to
 * the next offset, so any ROM patch that writes descriptors or buffers has
 * to stay inside those bounds.
 */
#define BASE      (0x00000000)
#define EM_OFFSET (0x00010000)
#define EM_BASE   (BASE + EM_OFFSET)

/* Shared between BR/EDR and BLE. */
#define EM_ET_OFFSET      (0x0000)  /* Exchange Table */
#define EM_FT_OFFSET      (0x0100)  /* Frequency Table */
#define EM_UNKNOWN_OFFSET (0x0150)  /* purpose not identified */

/* BLE. */
#define EM_BLE_AES_OFFSET              (0x0156)  /* encryption */
#define EM_BLE_CS_OFFSET               (0x0176)  /* Control Structures: 0xE of 0x5A bytes (0x0662 - 0x0176 = 0x4EC) */
#define EM_BLE_WL_OFFSET               (0x0662)  /* White List */
#define EM_BLE_RAL_OFFSET              (0x06D2)  /* Resolve Address List */
#define EM_BLE_RX_DESC_OFFSET          (0x076E)  /* RX Descriptors */
#define EM_BLE_TX_DESC_OFFSET          (0x07E6)  /* TX Descriptors */
#define EM_BLE_LLCPTXBUF_OFFSET        (0x0C7E)  /* LLCP TX Buffers */
#define EM_BLE_ADVEXTHDRTXBUF_OFFSET   (0x0EBE)  /* Advertising Extended Header TX Buffer */
#define EM_BLE_ADVDATATXBUF_OFFSET     (0x11B2)  /* Advertising Data TX Buffers */
#define EM_BLE_AUXCONNECTREQTXBUF_OFFSET (0x4D3A)  /* Aux Connect Req TX Buffer */
#define EM_BLE_DATARXBUF_OFFSET        (0x4DA0)  /* ACL RX Buffers */
#define EM_BLE_ACLTXBUF_OFFSET         (0x56A0)  /* ACL TX Buffers */

/* BR/EDR. */
#define EM_BT_E0_OFFSET                (0x64A0)  /* encryption */
#define EM_BT_CS_OFFSET                (0x64B0)  /* Control Structures: 0xC of 0x62 bytes (0x6948 - 0x64B0 = 0x498) */
#define EM_BT_RXDESC_OFFSET            (0x6948)  /* RX Descriptors */
#define EM_BT_TXDESC_OFFSET            (0x6980)  /* TX Descriptors */
#define EM_BT_LMPRXBUF_OFFSET          (0x6A34)  /* LMP RX Buffers */
#define EM_BT_LMPTXBUF_OFFSET          (0x6A84)  /* LMP TX Buffers */
#define EM_BT_ISCANFHSTXBUF_OFFSET     (0x6BD4)  /* Inquiry-scan FHS TX Buffer */
#define EM_BT_PAGEFHSTXBUF_OFFSET      (0x6BE8)  /* Page FHS TX Buffer */
#define EM_BT_EIRTXBUF_OFFSET          (0x6BFC)  /* EIR TX Buffer */
#define EM_BT_LOCAL_SAM_SUBMAP_OFFSET  (0x6CEC)  /* SAM Local SubMap Buffer */
#define EM_BT_PEER_SAM_MAP_OFFSET      (0x6CFA)  /* SAM Peer Map Buffer */
#define EM_BT_STPTXBUF_OFFSET          (0x6EBA)  /* Sync Train Packet TX Buffer */
#define EM_BT_ACLRXBUF_OFFSET          (0x6ED6)  /* ACL RX Buffers */
#define EM_BT_ACLTXBUF_OFFSET          (0x86EE)  /* ACL TX Buffers */
#define EM_BT_AUDIOBUF_OFFSET          (0xAB12)  /* Audio Buffers */
本芯片的BLE计算CS数据:(0x0662-0x0176)=0x4EC=0xE×0x5A,即CS数量0xE个,每个CS大小0x5A。ESP32的BLE计算CS数据:(0x480-0x0B8)=0x3C8=0xB×0x58,即CS数量0xB个,每个CS大小0x58。
本芯片的BR/EDR计算CS数据:(0x6948-0x64B0)=0x498=0xC×0x62;ESP32的BR/EDR计算CS数据:(0x2382-0x1DEE)=0x594=0xE×0x66。CS数量从0xE变成0xC,因此本芯片BR/EDR应该不支持CSB;5.0 BR/EDR的EM CS可能是少了acl_dmprio_cntl和esco_dmprio_cntl这两个寄存器,使CS大小由0x66变成0x62——是否意味着BLE和BR/EDR的共存功能被废除了?5.1 BR/EDR的EM CS好像还少了某个寄存器,使得CS大小变成0x60;5.1以后的版本BR/EDR硬件功能冻结,CS固定大小0x60?
UMAC
ROM
BR/EDR有Classic Link Driver(LD)、Classic Link Controller (LC)和Classic Link Manager (LM)模块;BLE有LE Link Driver(LLD)、LE Link Controller(LLC)和LE Link Manager(LLM)模块。重点关注Link Driver,通过配置EM寄存器和LMAC通信。通过JTAG得到UMAC ROM固件,如果需要新增UMAC功能,需要进行ROM Patch,或者标记完成物理层PHY和链路层LMAC的寄存器后重新实现Controller UMAC。
HCI
USB
好像是采用Synopsys的DWC USB 2.0 IP,可惜只支持USB 2.0全速(Full-Speed),不支持USB 2.0高速(High-Speed):全速USB的帧周期为1ms,大于蓝牙625us的时隙(高速USB的微帧周期为125us),因此无法做到实时通信。
What can’t be done?
由于蓝牙跳频和同步字的原因,要想完全无侵入地抓取蓝牙空口包是很困难的,可能需要物理层PHY和链路层MAC的密切配合,仅凭逆向得到的资料很难实现这个要求:ESP32不行,本蓝牙芯片也不行。
Future work
对采用CEVA蓝牙硬件版本至少是5.2版本的双模IP,带有USB 2.0高速的蓝牙芯片的逆向
References
- BrakTooth: Causing Havoc on Bluetooth Link Manager via Directed Fuzzing
- ESPwn32: Hacking with ESP32 System-on-Chips
- Liberating Bluetooth on the ESP32
- ESP-IDF
- ESP-ROM-ELFS
- ESP32 Firmware Patching Framework
- CEVA Bluetooth Product Brief
- RSL10 Hardware Reference
- RSL15 Hardware Reference