Closed Wi1L-Y closed 2 years ago
Hi, I have dropped you an email from my @mailbox.org address. But if the question is not confidential (e.g. about new vulnerabilities) I'd encourage you to start a public discussion, because other people might have a similar question ;) best, JR
Hi, I haven't got an email and I do not know the reason for that. About the question: when I debug the execute.exe of CYW20735B1 which is generated by Frankenstein, rip jumps to 0x20007 after patching. I want to know why this address is the target address, and is there an introduction to the memory layout of CYW20735B1? best, W
Since this project is based on reverse engineering, there's not much documentation. We extracted some names of the memory sections and global variable names from Cypress WICED Studio 6.2. We also defined a memory map based on what we understood so far, which is available here: https://github.com/seemoo-lab/internalblue/blob/master/internalblue/fw/fw_0x4208.py#L45
Not sure why 0x20007 is created and how (@bolek42 is more into the whole executable generation process). If you're not missing a 0, it's some address in ROM within the function DHM_UpdateACLStats, so it doesn't really make sense...
Okay. Anyway, thank you for your answer. I will try my best to study it further later.
Sorry to bother you again.
When I try to capture the BLE packets, I can only get the ADV packets, both with the Ubertooth and with the nRF52840. So I want to know how to get the data packets (such as ACL data).
Thank you !
Sorry to be a bother. I read your paper titled "Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets" and I am very interested in it. I have some questions about the paper. Could you provide an email address?