Matheus-Garbelini / sweyntooth_bluetooth_low_energy_attacks

Proof of Concept of Sweyntooth Bluetooth Low Energy (BLE) vulnerabilities.

About the vulnerable source code #20

Closed RayCxggg closed 3 years ago

RayCxggg commented 3 years ago

Hi @Matheus-Garbelini , I want to dig a little bit deeper into CVE-2020-13594. I wonder how I can get the source code of the ESP32 static Bluetooth library? It seems to be closed-source. Did you have the source code during your work?

Matheus-Garbelini commented 3 years ago

Hi @cxjcxggg, unfortunately not. ESP32 (and Microchip) use intellectual property from the Riviera Waves RF subsystem for Bluetooth and Wi-Fi, so even if Espressif wanted to, they could not share their source code due to legal reasons (NDA).

RayCxggg commented 3 years ago

Hi @Matheus-Garbelini , sad to know that. I am also interested in the Zephyr vulnerabilities you found. The Zephyr project is open-source; does that mean I can get the source code which triggers the CVEs?

Matheus-Garbelini commented 3 years ago

@cxjcxggg yes, for Zephyr you can find the specific merges here: https://docs.zephyrproject.org/latest/security/vulnerabilities.html#cve-2020-10069

RayCxggg commented 3 years ago

@Matheus-Garbelini , I got it, thanks a lot!

RayCxggg commented 3 years ago

Hi @Matheus-Garbelini , it's me again. I won't open a new issue so that I won't bother you. I am trying to reproduce the invalid channel map vulnerability (CVE-2020-10069) on the Zephyr project. It is fixed in Zephyr v2.3.0, so I need to use v2.2.0 or v2.2.1. I successfully connected the nRF52840 dongle with the nRF52840 DK via Bluetooth using the Bluetooth peripheral sample in the latest Zephyr project. But when I try to build the sample in Zephyr v2.2.0, some problems arise because of the different Zephyr project version.

Therefore, I think I may also need to change the Zephyr SDK version so that it works with Zephyr v2.2.0. But which one should I use? How can I reproduce the attack? Thank you so much.

Matheus-Garbelini commented 3 years ago

Hi, you can try using west to force update everything: https://boseji.com/docs/zephyr/tipstricks/update-zephyr-sdk/

Otherwise you need to follow the steps pointed by the older documentation for 2.2.0 here: https://docs.zephyrproject.org/2.2.0/getting_started/index.html#install-software-development-toolchain

The SDK version seems to be 0.11.2.

Also, make sure to get a Zephyr version from before the patch was introduced. They did a backport to other versions such as 2.2.0, so check out a Zephyr commit from before the SweynTooth fixes were introduced for 2.2.0.

The specific commits that fixed SweynTooth can be seen on their disclosure page for the invalid channel map. You can then check out the commit previous to that.

Regards.


RayCxggg commented 3 years ago

Hi @Matheus-Garbelini , thanks for your help. I have addressed the issues with the Zephyr project.

Then I set the nRF52840 dongle in DFU mode and used the command nrfutil dfu usb-serial -p COM_PORT -pkg nRF52_driver_firmware.zip to flash the firmware; "Device programmed" is printed (the blue LED goes off). So I replugged the dongle (the green LED begins to blink) and opened the Bluetooth Low Energy app in nRF Connect for Desktop, but encountered the problem shown below.


So I tried to manually flash the firmware with the Programmer app in nRF Connect for Desktop, but it still fails.


I close the Programmer and open the BLE app, but the device can't be opened.


I don't know which step goes wrong. Do I have to use the firmware you provide? I can establish a BLE connection with my nRF52840 DK with the sniffer hex on the nRF52840 dongle. Can I run invalid_channel_map.py with the sniffer firmware?

Matheus-Garbelini commented 3 years ago

Hi @cxjcxggg, I'm not sure what you are trying to do. The sniffer and our attacker firmware are different things.

If you see your LED blinking green after flashing our firmware, then you can run the exploits. Do not try to use it as a sniffer instead. Let me know how it goes.

Regards.

RayCxggg commented 3 years ago

Hi @Matheus-Garbelini , sorry for the confusion. I have finally successfully reproduced the vulnerability! Lol!


I always thought that I needed to connect the nRF52840 dongle to the peripheral before running the script. What I was trying to say yesterday is that I couldn't establish the Bluetooth connection with the peripheral after flashing the firmware. So I actually got stuck because of a misunderstanding about the way to use the script you provide.

Anyway, I am so excited. Appreciate your kindness a lot!

Regards.

Matheus-Garbelini commented 3 years ago

@cxjcxggg good to know. Use it with responsibility :smiley: :+1:

Division by zero is always funny.
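As an added example, not part of this thread and not code from the SweynTooth repository or from Zephyr, here is the validation a BLE controller needs on a received channel map, next to a guarded hop of Channel Selection Algorithm #1 that shows exactly where an unchecked all-zero map ends in the division by zero; the function and macro names are my own.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example; not code from the SweynTooth repo or from Zephyr.
 * A BLE data channel map is 37 bits packed in 5 bytes (bit i set means data
 * channel i is used; bits 37..39 are RFU and must be zero). The Link Layer
 * requires at least 2 used channels, and Channel Selection Algorithm #1
 * computes "unmappedChannel mod numUsedChannels", so an all-zero map that is
 * accepted unchecked ends in a division by zero. */
#define BLE_DATA_CHANNELS 37
#define BLE_MIN_USED_CHANNELS 2
#define BLE_CHAN_USED(map, ch) (((map)[(ch) / 8] >> ((ch) % 8)) & 1u)

/* Expand the packed map into the remapping table of used channel indices;
 * returns how many channels are used (0..37). */
int ble_chan_map_expand(const uint8_t map[5], uint8_t remap[BLE_DATA_CHANNELS])
{
    int used = 0;
    for (unsigned ch = 0; ch < BLE_DATA_CHANNELS; ch++) {
        if (BLE_CHAN_USED(map, ch)) {
            remap[used++] = (uint8_t)ch;
        }
    }
    return used;
}

/* The check a controller must run on a received LL_CHANNEL_MAP_IND before
 * the map is ever used: RFU bits clear and at least 2 channels in use. */
bool ble_chan_map_valid(const uint8_t map[5])
{
    uint8_t remap[BLE_DATA_CHANNELS];
    return !(map[4] & 0xE0) &&
           ble_chan_map_expand(map, remap) >= BLE_MIN_USED_CHANNELS;
}

/* One hop of Channel Selection Algorithm #1, guarded so an invalid map is
 * refused instead of reaching the modulo. Writes the data channel to *out
 * and returns the new unmapped channel to feed back, or -1 if refused. */
int ble_csa1_next(const uint8_t map[5], uint8_t last_unmapped, uint8_t hop_inc,
                  uint8_t *out)
{
    uint8_t remap[BLE_DATA_CHANNELS];
    int used = ble_chan_map_expand(map, remap);
    if (!ble_chan_map_valid(map)) {
        return -1;
    }
    unsigned unmapped = (last_unmapped + hop_inc) % BLE_DATA_CHANNELS;
    *out = BLE_CHAN_USED(map, unmapped) ? (uint8_t)unmapped : remap[unmapped % used];
    return (int)unmapped;
}
```

A controller that runs ble_chan_map_valid on every LL_CHANNEL_MAP_IND and drops the PDU (or the connection) on failure never lets the zero-channel case reach the remapping modulo.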