search

seemoo-lab / internalblue

Bluetooth experimentation framework for Broadcom and Cypress chips.
683 stars 85 forks source link

[!] CONNECTION_MAX not defined in fw. #71

Open jsmif opened 1 year ago

jsmif commented 1 year ago

Describe the bug

I get the error "[!] CONNECTION_MAX not defined in fw." when I do "info connections"

Hardware and operating system

Mac Mini Late 2014 -> BCM20702B0, macOS Mojave (10.14.6)

To Reproduce

After launching internalblue:

> info connections
[!] CONNECTION_MAX not defined in fw.

(note: "set debug true" doesn't change result)

Additional context

What I'm actually trying to do is use sendlcp. But I am assuming that "info connections" is the command I need to issue to see active connections, to pass as -c parameters to other commands like sendlcp. I am seemingly able to connectle to a BLE device, but then when I run sendlcp (which says "Connection index, starts at 0 for first connection."), it fails (and trying -c other than 0 fails worse)

> connectle 58:2C:BF:5F:88:1B
> sendlcp -c 0 0xAA
usage: sendlcp [-h] [-c CONN_INDEX] data
sendlcp: error: argument -c/--conn_index: invalid auto_int value: '0'
> sendlcp -c 1 0xAA
Traceback (most recent call last):
  File "/Users/user/Downloads/internalblue/venv/lib/python3.11/site-packages/cmd2/cmd2.py", line 2399, in onecmd_plus_hooks
    stop = self.onecmd(statement, add_to_history=add_to_history)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/Downloads/internalblue/venv/lib/python3.11/site-packages/cmd2/cmd2.py", line 2852, in onecmd
    stop = func(statement)
           ^^^^^^^^^^^^^^^
  File "/Users/user/Downloads/internalblue/venv/lib/python3.11/site-packages/cmd2/decorators.py", line 382, in cmd_wrapper
    return func(*args_list, **kwargs)  # type: ignore[call-arg]
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/Downloads/internalblue/internalblue/cli.py", line 1359, in do_sendlcp
    data = args.data.decode("hex")
           ^^^^^^^^^^^^^^^^
AttributeError: 'str' object has no attribute 'decode'
EXCEPTION of type 'AttributeError' occurred with message: 'str' object has no attribute 'decode'

Also, incidentally, how do I disconnect an existing connection?

jiska2342 commented 1 year ago

Hi :) InternalBlue can be considered just as an additional tool to send HCI commands in its raw form as documented in the Bluetooth specification. To connect/disconnect, you have to issue the according HCI commands.

Iterating active connections currently hold by the chip is implemented by running some assembly snippets on the Bluetooth firmware itself. As the error message states, you would have to define the according variables, which would need reversing your particular firmware version.

After connecting, you should see a connection handle being returned (might require using the debug mode to see the raw HCI reply). Not sure if it starts at 0 or is actually something like 0x40. The data has to be in the form of aa and not 0xAA.

jsmif commented 1 year ago

To connect/disconnect, you have to issue the according HCI commands.

OK, so to connect, one can use the connect or connectle commands, but to disconnect one has to go lookup the disconnect HCI opcode, got it.

As the error message states, you would have to define the according variables, which would need reversing your particular firmware version.

OK, so despite the bootup message saying :

[*] Chip identifier: 0x4196 (002.001.150)
[*] Using fw_0x4196.py"

It doesn't actually fully support that chip? How can I determine which chips are fully supported? (So I can go see if I have a machine that is fully supported. I already know I don't have a BCM20703)) Just the presence of CONNECTION_MAX in their corresponding .py files?

After connecting, you should see a connection handle being returned (might require using the debug mode to see the raw HCI reply).

I think you might be right about the debug mode being required. I left an SSH session open to the mac, and went off and did other things, and then came back later, and at some point it must have actually succeeded in the connection, because I saw new output implying a new connection was made at some point and the handle was 0xC. I don't normally see that immediately. But I'll keep trying with other devices until I get repeatable behavior.

(It seems like maybe that was just a coincidence of InternalBlue picking up some background BT connections that the Mac happened to make? Because I just re-launched InternalBlue and saw a connection success message before I had ever tried to connect to anything:

  /  _/__  / /____ _______  ___ _/ / _ )/ /_ _____
 _/ // _ \/ __/ -_) __/ _ \/ _ `/ / _  / / // / -_)
/___/_//_/\__/\__/_/ /_//_/\_,_/_/____/_/\_,_/\__/

type <help -v> for usage information!
[!] H4 Type 7 not supported by macOS Core!
> [*] [Connect Complete: Handle=0xc  Address=203caed2f1e6  status=Success]
jsmif commented 1 year ago

Also, is there any examples of the correct usage of sendlcp and sendlmp anywhere? I think I have a different bug too, but I want to try a known-good command before I report that separately.

jsmif commented 5 months ago

Just checking back in after a year to see if there's any documentation on sendlcp/sendlmp. Looks like no. Maybe a good task for new students