Matheus-Garbelini / braktooth_esp32_bluetooth_classic_attacks

A Series of Baseband & LMP Exploits against Bluetooth Classic Controllers
https://braktooth.com
437 stars 85 forks

Compatibility Question #29

Open kurazli opened 1 year ago

kurazli commented 1 year ago

I recently ordered an ESP-WROVER-KIT and received a revision 3, so I was wondering if the firmware and attacks are compatible with this hardware revision. Upon the firmware flash I receive the following output:

root@u18:~/src/braktooth_esp32_bluetooth_classic_attacks/release# python3 firmware.py flash /dev/ttyUSB1
Generating project.checksum
Flashing firmware...
Warning! Ignore unknown configuration option `reset_before_after_flash` in section [env:esp32doit-devkit-v1-jtag]
Warning! Ignore unknown configuration option `reset_before_after_flash` in section [env:esp32doit-devkit-v1-serial]
Processing esp32doit-devkit-v1-serial (platform: espressif32@3.0.0; board: esp32doit-devkit-v1; framework: espidf; platform_packages: toolchain-xtensa32@2.80400.210211, framework-espidf@3.40001.200521; upload_protocol: esptool; upload_port: /dev/ttyUSB1; monitor_port: /dev/ttyUSB1; monitor_speed: 4000000; monitor_filters: colorize, esp32_exception_decoder; build_flags: -w; upload_command: $PYTHONEXE $UPLOADER --chip esp32 --port $UPLOAD_PORT --baud 460800 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 $BUILD_DIR/bootloader.bin 0x8000 $BUILD_DIR/partitions.bin 0x10000 $BUILD_DIR/firmware.bin; extra_scripts: post:PlatformioScripts.py; reset_before_after_flash: true)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
before_upload(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
Reset Done! EN pin toggled HIGH->LOW->HIGH
<lambda>(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
AVAILABLE: esp-prog, espota, esptool, iot-bus-jtag, jlink, minimodule, olimex-arm-usb-ocd, olimex-arm-usb-ocd-h, olimex-arm-usb-tiny-h, olimex-jtag-tiny, tumpa
CURRENT: upload_protocol = esptool
MethodWrapper(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
Using manually specified: /dev/ttyUSB1
/root/.platformio/penv/bin/python /root/.platformio/packages/tool-esptoolpy/esptool.py --chip esp32 --port /dev/ttyUSB1 --baud 460800 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 /root/src/braktooth_esp32_bluetooth_classic_attacks/release/.pio/build/esp32doit-devkit-v1-serial/bootloader.bin 0x8000 /root/src/braktooth_esp32_bluetooth_classic_attacks/release/.pio/build/esp32doit-devkit-v1-serial/partitions.bin 0x10000 /root/src/braktooth_esp32_bluetooth_classic_attacks/release/.pio/build/esp32doit-devkit-v1-serial/firmware.bin
esptool.py v3.0
Serial port /dev/ttyUSB1
Connecting....
Chip is ESP32-D0WD-V3 (revision 3)
Features: WiFi, BT, Dual Core, 240MHz, VRef calibration in efuse, Coding Scheme None
Crystal is 40MHz
MAC: 08:b6:1f:ed:39:b8
Uploading stub...
Running stub...
Stub running...
Changing baud rate to 460800
Changed.
Configuring flash size...
Auto-detected Flash size: 4MB
Compressed 25232 bytes to 15140...
Writing at 0x00001000... (100 %)
Wrote 25232 bytes (15140 compressed) at 0x00001000 in 0.4 seconds (effective 573.4 kbit/s)...
Hash of data verified.
Compressed 3072 bytes to 103...
Writing at 0x00008000... (100 %)
Wrote 3072 bytes (103 compressed) at 0x00008000 in 0.0 seconds (effective 1541.9 kbit/s)...
Hash of data verified.
Compressed 328416 bytes to 199214...
Writing at 0x00010000... (7 %)
Writing at 0x00014000... (15 %)
Writing at 0x00018000... (23 %)
Writing at 0x0001c000... (30 %)
Writing at 0x00020000... (38 %)
Writing at 0x00024000... (46 %)
Writing at 0x00028000... (53 %)
Writing at 0x0002c000... (61 %)
Writing at 0x00030000... (69 %)
Writing at 0x00034000... (76 %)
Writing at 0x00038000... (84 %)
Writing at 0x0003c000... (92 %)
Writing at 0x00040000... (100 %)
Wrote 328416 bytes (199214 compressed) at 0x00010000 in 4.5 seconds (effective 586.4 kbit/s)...
Hash of data verified.

Leaving...
Hard resetting via RTS pin...
after_upload(["upload"], [".pio/build/esp32doit-devkit-v1-serial/firmware.bin"])
Reset Done! EN pin toggled HIGH->LOW->HIGH
========================================================================================================================= [SUCCESS] Took 7.79 seconds =========================================================================================================================

Environment                 Status    Duration
--------------------------  --------  ------------
esp32doit-devkit-v1-jtag    IGNORED
esp32doit-devkit-v1-serial  SUCCESS   00:00:07.786
========================================================================================================================= 1 succeeded in 00:00:07.786 =========================================================================================================================

Does this look like a successful flash, or am I missing something? After installing the requirements, I scan for devices and it finds my iPhone:

root@u18:~/src/release/wdissector# bin/bt_fuzzer --scan
Enabling Core dump: ulimit -c unlimited
Loading Model...
Model Loaded. Total States:169  Total Transistions:1299
Loop detection ENABLED
[Modules] Loading C++ Modules...
[Modules] --> repeated_host_connection.so loaded
[Modules] --> duplicated_encapsulated_payload.so loaded
[Modules] --> lmp_overflow_2dh1.so loaded
[Modules] --> noncomplicance_duplicated_encryption_request.so loaded
[Modules] --> knob.so loaded
[Modules] --> sdp_oversized_element_size.so loaded
[Modules] --> au_rand_flooding.so loaded
[Modules] --> lmp_invalid_transport.so loaded
[Modules] --> lmp_max_slot_overflow.so loaded
[Modules] --> truncated_lmp_accepted.so loaded
[Modules] --> paging_scan_disable.so loaded
[Modules] --> invalid_max_slot.so loaded
[Modules] --> feature_response_flooding.so loaded
[Modules] --> invalid_feature_page_execution.so loaded
[Modules] --> lmp_auto_rate_overflow.so loaded
[Modules] --> noncompliance_invalid_stop_encryption.so loaded
[Modules] --> truncated_sco_link_request.so loaded
[Modules] --> wrong_encapsulated_payload.so loaded
[Modules] --> sdp_unkown_element_type.so loaded
[Modules] --> duplicated_iocap.so loaded
[Modules] --> feature_req_ping_pong.so loaded
[Modules] --> lmp_overflow_dm1.so loaded
[Modules] --> invalid_timing_accuracy.so loaded
[Modules] --> invalid_setup_complete.so loaded
[Modules] 24/24 Modules Compiled / Loaded
[Python] Version 3.8.6 initialized
[PythonServer] Server Module "RESTServer.py" imported
[PythonServer] Server initialized at 127.0.0.1:3000
[Optimizer] Algorithm name: GPSO: Generational Particle Swarm Optimization [stochastic]
    C++ class name: pagmo::pso_gen

    Thread safety: basic

Extra info:
    Generations: 100
    Omega: 0.7298
    Eta1: 2.05
    Eta2: 2.05
    Maximum velocity: 0.5
    Variant: 5
    Topology: 2
    Topology parameter: 4
    Memory: false
    Seed: 123456789
    Verbosity: 1

Problem name: WDissector
    C++ class name: Fitness::problem_basic

    Global dimension:           683
    Integer dimension:          0
    Fitness dimension:          1
    Number of objectives:           1
    Equality constraints dimension:     0
    Inequality constraints dimension:   0
    Lower bounds: [0, 0, 0, 0, 0, ... ]
    Upper bounds: [0.2, 0.2, 0.2, 0.2, 0.2, ... ]
    Has batch fitness evaluation: false

    Has gradient: false
    User implemented gradient sparsity: false
    Has hessians: false
    User implemented hessians sparsity: false

    Fitness evaluations: 0

    Thread safety: basic

Extra info:
WDissector Fuzzing Engine.

[Optimizer] Initialized with X Size=683, Population Size=5
Access Documentation:
https://asset-sutd.gitlab.io/software/wireless-deep-fuzzer/
[ESP32BT] HCI Bridge ON: /dev/pts/3
[PythonServer] Server Started
UART Latency reduced to 125 us
[ESP32BT] Firmware version: 1.3.0
[ESP32BT] LMP Sniffing ENABLED
[ESP32BT] TX Packet interception ENABLED
[ESP32BT] [!] RX Bypass DISABLED
[ESP32BT] [!] Bypass on Demand DISABLED
[ESP32BT] [!] Role Switch ENABLED
[ESP32BT] Own BDADDR set to 3b:e3:1c:68:b0:45
[ESP32BT] Measuring UART Latency...
[ESP32BT] USB Latency:136 us [OK]
Serial port /dev/ttyUSB1@4000000 opened
BT Scanning Started (Inquiry)...
[ESP32BT] BDAddress: 88:a4:79:XX:XX:XX, Name: XXX, RSSI: -62, Class: Smartphone
BT Scanning Finished, got 1 result(s).
Merged logs saved to logs/Bluetooth/logs_merged.txt
Fuzzer Closed

However, when I try to attach, I get the following output:

root@u18:~/src/release/wdissector# bin/bt_exploiter --host-port=/dev/ttyUSB1 --target=88:a4:XX:XX:XX:XX --exploit=au_rand_flooding
Logical Cores: 4
No SMT support
Assigned CPUSET:
CPU 0 Allowed
CPU 1 Allowed
CPU 2 Allowed
CPU 3 Allowed
sched_setscheduler: Current process set to realtime (RR Scheduler)
Thread priority is 99
/proc/sys/kernel/sched_rt_runtime_us = -1
Enabling Core dump: ulimit -c unlimited
Loading Model...
Model Loaded. Total States:169  Total Transistions:1299
Loop detection ENABLED
[Modules] Loading C++ Modules...
[Modules] --> repeated_host_connection.so loaded
[Modules] --> duplicated_encapsulated_payload.so loaded
[Modules] --> lmp_overflow_2dh1.so loaded
[Modules] --> noncomplicance_duplicated_encryption_request.so loaded
[Modules] --> knob.so loaded
[Modules] --> sdp_oversized_element_size.so loaded
[Modules] --> au_rand_flooding.so loaded
[Modules] --> lmp_invalid_transport.so loaded
[Modules] --> lmp_max_slot_overflow.so loaded
[Modules] --> truncated_lmp_accepted.so loaded
[Modules] --> paging_scan_disable.so loaded
[Modules] --> invalid_max_slot.so loaded
[Modules] --> feature_response_flooding.so loaded
[Modules] --> invalid_feature_page_execution.so loaded
[Modules] --> lmp_auto_rate_overflow.so loaded
[Modules] --> noncompliance_invalid_stop_encryption.so loaded
[Modules] --> truncated_sco_link_request.so loaded
[Modules] --> wrong_encapsulated_payload.so loaded
[Modules] --> sdp_unkown_element_type.so loaded
[Modules] --> duplicated_iocap.so loaded
[Modules] --> feature_req_ping_pong.so loaded
[Modules] --> lmp_overflow_dm1.so loaded
[Modules] --> invalid_timing_accuracy.so loaded
[Modules] --> invalid_setup_complete.so loaded
[Modules] 24/24 Modules Compiled / Loaded
[Modules] au_rand_flooding configured and ready!
[ESP32BT] HCI Bridge ON: /dev/pts/3
[ESP32BT] Firmware version: 1.3.0
[ESP32BT] LMP Sniffing ENABLED
[ESP32BT] TX Packet interception ENABLED
[ESP32BT] RX Bypass ENABLED
[ESP32BT] [!] Bypass on Demand DISABLED
[ESP32BT] [!] Role Switch ENABLED
[ESP32BT] Own BDADDR set to ba:fd:bd:63:1e:c4
[ESP32BT] Measuring UART Latency...
[ESP32BT] USB Latency:120 us [OK]
Serial port /dev/ttyUSB1@4000000 opened
[Monitor] ERROR: Could not open /ev/ttyUSB3@115200
Host BDAddress randomized to 4a:57:10:6c:34:95
[!] Global timeout started with 45 seconds
[BT Program] Starting program bin/sdp_rfcomm_query -u /dev/pts/3 -a 88:a4:XX:XX:XX:XX --iocap 3 --authreq 3 --bounding 1
Packet Log: logs/Bluetooth/hci_dump.pklg
H4 device: /dev/pts/3

address=88:a4:79:a6:b2:79
iocap=3
authreq=3
bouding=1
Local version information:
- HCI Version    0x0008
- HCI Revision   0x030e
- LMP Version    0x0008
- LMP Subversion 0x030e
- Manufacturer 0x0060
Unknown manufacturer / manufacturer not supported yet.
Local name: 
BTstack up and running on 4A:57:10:6C:34:95.
^CCTRL-C - SIGINT received, shutting down..
[Machine] Config Saved: configs/bt_config.json
Fuzzer Closed

Is the warning regarding ttyUSB3 expected behaviour? I was not able to find any typo with USB3 in the files provided.
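To answer the "does this look like a successful flash" part of the question mechanically, the following added example (not part of the issue or the BrakTooth project) parses esptool.py output of the kind quoted above and checks that each of the three regions named in the upload command (0x1000 bootloader, 0x8000 partition table, 0x10000 application) was written and hash-verified. The log excerpt is constructed from the lines shown in the issue; the function and constant names are my own.

```python
import re

# Constructed excerpt of the esptool.py output quoted in the issue (not the full log).
SAMPLE_LOG = """\
Chip is ESP32-D0WD-V3 (revision 3)
Auto-detected Flash size: 4MB
Compressed 25232 bytes to 15140...
Wrote 25232 bytes (15140 compressed) at 0x00001000 in 0.4 seconds (effective 573.4 kbit/s)...
Hash of data verified.
Compressed 3072 bytes to 103...
Wrote 3072 bytes (103 compressed) at 0x00008000 in 0.0 seconds (effective 1541.9 kbit/s)...
Hash of data verified.
Compressed 328416 bytes to 199214...
Wrote 328416 bytes (199214 compressed) at 0x00010000 in 4.5 seconds (effective 586.4 kbit/s)...
Hash of data verified.
Leaving...
Hard resetting via RTS pin...
"""

# Flash offsets taken from the upload_command in the PlatformIO log: bootloader,
# partition table and application image.
EXPECTED_OFFSETS = {0x1000: "bootloader.bin", 0x8000: "partitions.bin", 0x10000: "firmware.bin"}

WROTE_RE = re.compile(r"^Wrote (\d+) bytes \(\d+ compressed\) at 0x([0-9a-fA-F]+)")
CHIP_RE = re.compile(r"^Chip is (\S+) \(revision (\d+)\)")


def chip_revision(text):
    """Return (chip_name, revision) from the 'Chip is ...' line, or None if absent."""
    for line in text.splitlines():
        m = CHIP_RE.match(line)
        if m:
            return m.group(1), int(m.group(2))
    return None


def parse_flash_log(text):
    """Map each written offset to (bytes_written, hash_verified).

    esptool prints 'Hash of data verified.' directly after the 'Wrote ...' line of
    the region it belongs to, so the most recent 'Wrote' line is the one verified."""
    regions, pending = {}, None
    for line in text.splitlines():
        m = WROTE_RE.match(line)
        if m:
            pending = int(m.group(2), 16)
            regions[pending] = (int(m.group(1)), False)
        elif line.startswith("Hash of data verified.") and pending is not None:
            regions[pending] = (regions[pending][0], True)
            pending = None
    return regions


def flash_looks_complete(text, expected=EXPECTED_OFFSETS):
    """Return (ok, missing_offsets, unverified_offsets) for the expected regions."""
    regions = parse_flash_log(text)
    missing = [hex(o) for o in expected if o not in regions]
    unverified = [hex(o) for o, (_, ok) in regions.items() if not ok]
    return (not missing and not unverified), missing, unverified
```

Run against the issue's log this reports all three regions written and verified; a missing region or a "Wrote" line without a following hash line shows up in the returned lists.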