seemoo-lab / internalblue

Bluetooth experimentation framework for Broadcom and Cypress chips.

Ios pcie #33

Closed robre closed 3 years ago

robre commented 3 years ago

internalblue-cli should work now with internalblued on pcie-iphones, such as iPhone 11. to build: make package and then install the deb on the phone with dpkg -I internalblued.deb

jiska2342 commented 3 years ago

-I is just for package info, -i installs the package.

Running this on an almost plain iPhone SE2 on iOS 13.5 produces the following output:

Fiti:~ root# dpkg -i com.ttdennis.internalblued_0.0.1-33+debug_iphoneos-arm.deb
Selecting previously unselected package com.ttdennis.internalblued.
(Reading database ... 3600 files and directories currently installed.)
Preparing to unpack com.ttdennis.internalblued_0.0.1-33+debug_iphoneos-arm.deb ...
/Library/LaunchDaemons/com.ttdennis.internalblued.plist: No such file or directory
Unpacking com.ttdennis.internalblued (0.0.1-33+debug) ...
Setting up com.ttdennis.internalblued (0.0.1-33+debug) ...
/var/lib/dpkg/info/com.ttdennis.internalblued.postinst: line 3: jtool: command not found
mv: cannot stat '/usr/bin/internalblued.arch_arm64': No such file or directory
/var/lib/dpkg/info/com.ttdennis.internalblued.postinst: line 5: jtool: command not found

Not sure in which package jtool is contained and also not sure about the jtool postinst options, because the A12+ architecture should be arm64e and not arm64.

Despite not properly copying the /Library/LaunchDaemons/com.ttdennis.internalblued.plist and this postinst bug, the .deb file installs internalblued, and after manually launching it, it runs as user mobile despite being started as root. However, this definitely looks a bit unintended and not cleaned up, and it didn't start automatically in the background after installing.

When connecting via InternalBlue I get the following bug that indicates that the connection failed.

$ python3 -m internalblue.cli
...
[*] Connected to <MuxDevice: ID 1 ProdID 0x12a8 Serial 'b'...' Location 0x10074>
[!] Writing btsnooplog is not supported with iOS.
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
...
[CRITICAL] No connection to target device.

On the console output I get the following error, which indicates that the HCI version command is sent but no data gets returned. Not sure if this is a bug in the binary or a permission error due to the missing .plist.

Fiti:~ root# internalblued
2020-09-21 19:57:26.081 internalblued[13790:243146] Preference file not found, chosing standard value true
2020-09-21 19:57:26.081 internalblued[13790:243146] Starting proxy because it is enabled.
2020-09-21 19:57:26.082 internalblued[13790:243147] main.m: Entering proxy_fn()
2020-09-21 19:57:26.082 internalblued[13790:243147] Preference file not found, chosing standard port 1234
2020-09-21 19:57:26.082 internalblued[13790:243147] [*] Listening on port 1234
2020-09-21 19:57:26.082 internalblued[13790:243147] Created proxy server, waiting for connection
2020-09-21 19:57:26.082 internalblued[13790:243148] XPC server error: Connection invalid
2020-09-21 19:57:33.532 internalblued[13790:243147] Connection established, connecting PCIe transports
2020-09-21 19:57:34.539 internalblued[13790:243147] InternalBlue: PCIe Error creating BTI Transport
2020-09-21 19:57:34.539 internalblued[13790:243147] InternalBlue: PCIe Error creating HCI Transport
2020-09-21 19:57:34.540 internalblued[13790:243147] InternalBlue: PCIe Error creating ACL Transport
2020-09-21 19:57:34.540 internalblued[13790:243147] InternalBlue: PCIe Error creating SCO Transport
2020-09-21 19:57:34.540 internalblued[13790:243147] Transport Initialized:
2020-09-21 19:57:34.540 internalblued[13790:243147] BTI: 0
2020-09-21 19:57:34.540 internalblued[13790:243147] HCI: 0
2020-09-21 19:57:34.540 internalblued[13790:243147] ACL: 0
2020-09-21 19:57:34.540 internalblued[13790:243147] SCO: 0
2020-09-21 19:57:34.540 internalblued[13790:243147] PCIe transports created, starting proxy...
2020-09-21 19:57:34.540 internalblued[13790:243147] Allocating Buffers for Proxy Data
2020-09-21 19:57:34.540 internalblued[13790:243147] Starting Proxy Loop
2020-09-21 19:57:34.540 internalblued[13790:243147] Read Data from client. Size: 4
2020-09-21 19:57:34.540 internalblued[13790:243147] Sending Data to BT Chip
2020-09-21 19:57:34.540 internalblued[13790:243147] H4 Message Type: 0x1
2020-09-21 19:57:34.540 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:34.541 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:34.642 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:34.642 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:34.747 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:34.747 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:34.850 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:34.850 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:34.953 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:34.953 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:35.053 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:35.053 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:35.154 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:35.154 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:35.255 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:35.255 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:35.356 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:35.356 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:35.460 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:35.460 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:35.561 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:35.561 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:35.663 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:35.664 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:35.767 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:35.767 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:35.868 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:35.868 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:35.969 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:35.969 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:36.075 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:36.075 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:36.180 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:36.180 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:36.283 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:36.283 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:36.384 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:36.384 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:36.484 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:36.484 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:36.585 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:36.585 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:36.688 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:36.688 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:36.790 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:36.790 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:36.892 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:36.892 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:36.993 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:36.993 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:37.094 internalblued[13790:243147] ACTRead (HCI) Returned 0
2020-09-21 19:57:37.094 internalblued[13790:243147] ATCRead (HCI) to x: 0
2020-09-21 19:57:37.106 internalblued[13790:243147] Read Data from client. Size: 0
2020-09-21 19:57:37.106 internalblued[13790:243147] !!! Client read error
2020-09-21 19:57:37.106 internalblued[13790:243147] Freeing Transports!

I get this error no matter whether Bluetooth is disabled in the settings or not.

jiska2342 commented 3 years ago

All right, got the jtool v1 from http://www.newosxbook.com/tools/jtool.html and copied it to /usr/bin/. This should probably go into the howto or just be shipped within the package.

It's still a bit weird:

Fiti:~ root# dpkg -i com.ttdennis.internalblued_0.0.1-33+debug_iphoneos-arm.deb
Selecting previously unselected package com.ttdennis.internalblued.
(Reading database ... 3600 files and directories currently installed.)
Preparing to unpack com.ttdennis.internalblued_0.0.1-33+debug_iphoneos-arm.deb ...
/Library/LaunchDaemons/com.ttdennis.internalblued.plist: Could not find specified service
Unpacking com.ttdennis.internalblued (0.0.1-33+debug) ...
Setting up com.ttdennis.internalblued (0.0.1-33+debug) ...
Selected architecture (arm64) starts at 81920 and spans 57728 bytes - written to /usr/bin/internalblued.arch_arm64

Even worse, tail -f /private/var/mobile/internalblued.log only outputs this when I connect with my local InternalBlue installation:

2020-09-21 21:49:00.330 internalblued[18353:320270] Connection established, connecting PCIe transports
2020-09-21 21:49:00.366 internalblued[18361:320342] Preference file not found, chosing standard value true
2020-09-21 21:49:00.366 internalblued[18361:320342] Starting proxy because it is enabled.
2020-09-21 21:49:00.367 internalblued[18361:320347] main.m: Entering proxy_fn()
                                          (I assume internalblued crashes and restarts here?)
2020-09-21 21:49:00.367 internalblued[18361:320347] Preference file not found, chosing standard port 1234
2020-09-21 21:49:00.367 internalblued[18361:320347] [*] Listening on port 1234
2020-09-21 21:49:00.367 internalblued[18361:320347] Created proxy server, waiting for connection

idevicesyslog shows a bit more output, indicating that internalblued crashes indeed.

Sep 21 21:54:28 internalblued[18361] <Notice>: Connection established, connecting PCIe transports
Sep 21 21:54:28 kernel(Sandbox)[0] <Error>: Sandbox: internalblued(18538) deny(1) file-read-data /usr/bin
Sep 21 21:54:28 internalblued[18538] <Notice>: Preference file not found, chosing standard value true
Sep 21 21:54:28 internalblued[18538] <Notice>: Starting proxy because it is enabled.
Sep 21 21:54:28 internalblued[18538] <Notice>: main.m: Entering proxy_fn()
Sep 21 21:54:28 internalblued[18538] <Notice>: Preference file not found, chosing standard port 1234
Sep 21 21:54:28 internalblued[18538] <Notice>: [*] Listening on port 1234
Sep 21 21:54:28 internalblued[18538] <Notice>: Created proxy server, waiting for connection
Sep 21 21:54:28 ReportCrash(CrashReporterSupport)[18539] <Notice>: cr_update: Parsing corpse data for process internalblued [pid 18361]
Sep 21 21:54:28 ReportCrash[18539] <Notice>: Formulating fatal report for corpse[18361] internalblued
Sep 21 21:54:28 osanalyticshelper(OSAnalytics)[18540] <Notice>: Saved type '109(<private>)' report (5 of max 25) at /var/mobile/Library/Logs/CrashReporter/internalblued-2020-09-21-215428.ips

This is the crash log:

Hardware Model:      iPhone12,8
Process:             internalblued [18361]
Path:                /usr/bin/internalblued
Identifier:          internalblued
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      launchd [1]
Coalition:           com.ttdennis.internalblued [1370]

Date/Time:           2020-09-21 21:54:28.4175 +0200
Launch Time:         2020-09-21 21:49:00.3330 +0200
OS Version:          iPhone OS 13.5 (17F75)
Release Type:        User
Baseband Version:    1.06.00
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000008
VM Region Info: 0x8 is not in any region.  Bytes before following region: 4296015864
      REGION TYPE                      START - END             [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                 0000000100100000-0000000100108000 [   32K] r-x/r-x SM=COW  ...internalblued

Triggered by Thread:  1

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0:
0   libsystem_kernel.dylib              0x000000019ebdc784 0x19ebd8000 + 18308
1   libsystem_kernel.dylib              0x000000019ebdbba8 0x19ebd8000 + 15272
2   CoreFoundation                      0x000000019ed93314 0x19ece6000 + 709396
3   CoreFoundation                      0x000000019ed8e0a0 0x19ece6000 + 688288
4   CoreFoundation                      0x000000019ed8d8f4 0x19ece6000 + 686324
5   Foundation                          0x000000019f0d6b18 0x19f0cf000 + 31512
6   Foundation                          0x000000019f1119ec 0x19f0cf000 + 272876
7   internalblued                       0x0000000100105e1c 0x100100000 + 24092
8   libdyld.dylib                       0x000000019ec092dc 0x19ec08000 + 4828

Thread 1 Crashed:
0   libsystem_blocks.dylib              0x000000019ea358bc 0x19ea35000 + 2236
1   AppleConvergedTransport.dylib       0x00000001dab30a20 0x1dab26000 + 43552
2   AppleConvergedTransport.dylib       0x00000001dab30a20 0x1dab26000 + 43552
3   AppleConvergedTransport.dylib       0x00000001dab30058 0x1dab26000 + 41048
4   AppleConvergedTransport.dylib       0x00000001dab278a8 0x1dab26000 + 6312
5   internalblued                       0x0000000100106170 0x100100000 + 24944
6   internalblued                       0x00000001001064a0 0x100100000 + 25760
7   internalblued                       0x0000000100105a8c 0x100100000 + 23180
8   libsystem_pthread.dylib             0x000000019eb1d8fc 0x19eb1c000 + 6396
9   libsystem_pthread.dylib             0x000000019eb259d4 0x19eb1c000 + 39380

Thread 2:
0   libsystem_pthread.dylib             0x000000019eb259c0 0x19eb1c000 + 39360

Thread 3:
0   libsystem_pthread.dylib             0x000000019eb259c0 0x19eb1c000 + 39360

Thread 1 crashed with ARM Thread State (64-bit):
    x0: 0x00000001ec7d3230   x1: 0x0000000000000000   x2: 0x0000000000000000   x3: 0x0000000130806e80
    x4: 0x0000000130806ec0   x5: 0x0000000000000000   x6: 0x0000000000000000   x7: 0x0000000000000000
    x8: 0x00000000ec7d7158   x9: 0x000001a000000001  x10: 0x000000000000002e  x11: 0x0000000080000010
   x12: 0x0000000080000000  x13: 0x0000000080000000  x14: 0x00000000ffffffff  x15: 0x0000000000002d7b
   x16: 0x000000019ea3588c  x17: 0x0000000000002d7b  x18: 0x0000000000000000  x19: 0x00000001ec7d3230
   x20: 0x0000000130806df8  x21: 0x0000000000000000  x22: 0x0000000130806de8  x23: 0x000000016fd86f00
   x24: 0x0000000000000000  x25: 0x0000000000000000  x26: 0x0000000000000000  x27: 0x0000000000000000
   x28: 0x0000000000000000   fp: 0x000000016fd86e00   lr: 0xa130e801dab30a20
    sp: 0x000000016fd86de0   pc: 0x000000019ea358bc cpsr: 0x00000000
   esr: 0x56000080  Address size fault
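The two failure modes reported in this thread (all four PCIe transports failing to initialize so that every ACTRead poll returns 0 bytes, and the daemon being killed by the sandbox and restarted by launchd) are both visible in the logs but buried in the poll loop. As an added example, not part of InternalBlue or of this PR, the script below scans internalblued and idevicesyslog output for the markers quoted above and summarizes them into verdicts. The sample lines embedded in it are constructed after the quoted output (timestamps dropped), and the regular expressions assume exactly the message formats shown in this thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample output, modelled on the internalblued and idevicesyslog
# excerpts quoted in this PR thread (not copied verbatim; timestamps dropped).
SAMPLE_DAEMON_LOG = """\
internalblued[13790:243147] InternalBlue: PCIe Error creating BTI Transport
internalblued[13790:243147] InternalBlue: PCIe Error creating HCI Transport
internalblued[13790:243147] InternalBlue: PCIe Error creating ACL Transport
internalblued[13790:243147] InternalBlue: PCIe Error creating SCO Transport
internalblued[13790:243147] Transport Initialized:
internalblued[13790:243147] BTI: 0
internalblued[13790:243147] HCI: 0
internalblued[13790:243147] ACL: 0
internalblued[13790:243147] SCO: 0
internalblued[13790:243147] Read Data from client. Size: 4
internalblued[13790:243147] H4 Message Type: 0x1
internalblued[13790:243147] ACTRead (HCI) Returned 0
internalblued[13790:243147] ACTRead (HCI) Returned 0
internalblued[13790:243147] !!! Client read error
"""

SAMPLE_SYSLOG = """\
kernel(Sandbox)[0] <Error>: Sandbox: internalblued(18538) deny(1) file-read-data /usr/bin
ReportCrash[18539] <Notice>: Formulating fatal report for corpse[18361] internalblued
"""

# Message formats as they appear in the quoted logs; any other format is ignored.
TRANSPORT_ERR_RE = re.compile(r"InternalBlue: PCIe Error creating (\w+) Transport")
TRANSPORT_STATE_RE = re.compile(r"\b(BTI|HCI|ACL|SCO): (\d+)\s*$")
ACTREAD_RE = re.compile(r"ACTRead \((\w+)\) Returned (\d+)")
SANDBOX_RE = re.compile(r"Sandbox: ([^\s(]+)\((\d+)\) deny\(\d+\) (\S+) (\S+)")
CRASH_RE = re.compile(r"Formulating fatal report for corpse\[(\d+)\] (\S+)")


@dataclass
class Triage:
    failed_transports: list[str] = field(default_factory=list)   # "PCIe Error creating X Transport"
    transport_state: dict[str, int] = field(default_factory=dict)  # "BTI: 0", "HCI: 0", ...
    zero_length_reads: int = 0                                     # "ACTRead (HCI) Returned 0"
    sandbox_denials: list[tuple[str, str, str]] = field(default_factory=list)
    crashed_pids: list[int] = field(default_factory=list)

    def verdicts(self) -> list[str]:
        """Human-readable summary, one entry per problem found."""
        out: list[str] = []
        if self.failed_transports:
            out.append("transport-init-failed: " + ",".join(self.failed_transports))
        down = sorted(name for name, up in self.transport_state.items() if up == 0)
        if down:
            out.append("transports-down: " + ",".join(down))
        if self.zero_length_reads:
            out.append(f"no-hci-response: {self.zero_length_reads} ACTRead polls returned 0 bytes")
        for proc, op, path in self.sandbox_denials:
            out.append(f"sandbox-deny: {proc} {op} {path}")
        for pid in self.crashed_pids:
            out.append(f"crashed: pid {pid}")
        return out


def triage_logs(daemon_log: str, syslog: str = "") -> Triage:
    """Classify every line of the daemon log and (optionally) idevicesyslog output."""
    t = Triage()
    for line in daemon_log.splitlines() + syslog.splitlines():
        if m := TRANSPORT_ERR_RE.search(line):
            t.failed_transports.append(m.group(1))
        elif m := TRANSPORT_STATE_RE.search(line):
            t.transport_state[m.group(1)] = int(m.group(2))
        elif m := ACTREAD_RE.search(line):
            if int(m.group(2)) == 0:
                t.zero_length_reads += 1
        elif m := SANDBOX_RE.search(line):
            t.sandbox_denials.append((m.group(1), m.group(3), m.group(4)))
        elif m := CRASH_RE.search(line):
            t.crashed_pids.append(int(m.group(1)))
    return t


if __name__ == "__main__":
    # Feed real output with e.g. triage_logs(open("internalblued.log").read(), syslog_text)
    for verdict in triage_logs(SAMPLE_DAEMON_LOG, SAMPLE_SYSLOG).verdicts():
        print(verdict)
```

On the constructed sample this reports all four transports failing to initialize, the resulting empty ACTRead polls, the sandbox denial on /usr/bin and the crash of pid 18361, which is the same picture the two comments above had to piece together by hand. A daemon log from a working setup shows no transport errors and non-zero state lines, so the script returns an empty verdict list.

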

jiska2342 commented 3 years ago

works for me :)