seemoo-lab / internalblue

Bluetooth experimentation framework for Broadcom and Cypress chips.
678 stars, 85 forks

HCI commands (readMem/writeMem) fail as soon as bluetooth scanning stops on Samsung S10e #74

Open KikMyaz opened 1 year ago

KikMyaz commented 1 year ago

First of all thank you so much for creating this project and sharing your research! This has all been incredibly helpful.

Bug Description

readMem/writeMem only works for the first 10-15 seconds after Bluetooth is turned on (or while scanning is in operation). readMem fails 10 seconds after scanning is started, and internalblue produces the following error:

[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!

Hardware and OS

BCM4375B1 (fw_0x1111.py), Samsung S10e (msm), Android 10, Kernel 4.14 (SELinux Permissive)

Logs/To Reproduce

When scanning is off:

> hd 0x200400
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=200400, len=100)
...
[!] readMem: failed!
> info device
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=2026e2, len=6)
...
[!] readMem: failed!
File "$HOME/conda/lib/python3.11/site-packages/internalblue/cli.py", line 1441, in infoDevice
    bt_addr = self.readMem(self.internalblue.fw.BD_ADDR, 6)[::-1]
              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
TypeError: 'NoneType' object is not subscriptable
EXCEPTION of type 'TypeError' occurred with message: 'NoneType' object is not subscriptable

But as soon as I tap on Scan in Settings -> Connections -> Bluetooth:

> info device
[*] ### | Device ###
[*]     - Name:       Android
[*]     - ADB Serial: [REDACTED]
[*]     - Address:    [REDACTED]

Additional Context

As Busybox netcat was used, I had to change all references to nc -l -p into netcat -l -p for everything to work. This was likely a GNU netcat vs. BSD netcat problem in the new Busybox binary.

KikMyaz commented 1 year ago

It is probably also worth noting that I had used internalblue/android/samsung_s10e_2019-06-04_vendor_firmware.zip. No modifications were made to VSC_Write_RAM. At the moment I can only get InternalBlue to work within 15 seconds after initiating a Bluetooth scan. I could automate a rescan with while true; do am start -n com.android.settings/com.samsung.android.settings.bluetooth.CheckBluetoothStateActivity; sleep 19; done but RAM patches seem to be lost after each rescan.

I also tried samsung_s10e_note20-5g_2021-01-21_bcm4375B1_semco.hcd with the VSC_Write_RAM patch in hci.py but this does not appear to be working at all. This might be because I am on Android 10 which is older than this firmware.
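The two observations in this thread (readMem/writeMem only answer for roughly 15 s after a scan is started, and RAM patches do not survive a rescan) together suggest a wrapper that treats an HCI timeout as "the chip went back to sleep": trigger the scan again, re-apply every patch written so far, then retry the command. The following is an added illustration, not internalblue's own code or the project's API. FakeChip is a constructed model of the behaviour reported above (it stops answering RESPONSIVE_WINDOW_S seconds after a scan and clears its RAM on every scan); the timing constant and the names read_mem/write_mem/rescan are assumptions, and adb_rescan merely shells out to the am start command quoted in the previous comment.

```python
"""Model of the 'readMem only works ~15 s after a scan' symptom and a
keep-alive wrapper that rescans, re-applies RAM patches and retries.

Constructed illustration for this issue; FakeChip is NOT the BCM4375B1
firmware and KeepAliveSession is NOT part of internalblue.
"""
import subprocess
import time
from typing import Callable, Dict, Optional

# Assumption: seconds the chip keeps answering HCI after a scan starts
# (the issue reports 10-15 s).
RESPONSIVE_WINDOW_S = 15.0

# The rescan trigger quoted in the issue (Samsung settings activity).
RESCAN_CMD = ["adb", "shell", "am", "start", "-n",
              "com.android.settings/"
              "com.samsung.android.settings.bluetooth.CheckBluetoothStateActivity"]


def adb_rescan() -> None:
    """Real-device rescan hook (not exercised by the offline demo)."""
    subprocess.run(RESCAN_CMD, check=True)


class FakeChip:
    """Imitates the reported behaviour: answers only while the last scan is
    'fresh', returns None/False on timeout, forgets RAM on every scan."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.last_scan: Optional[float] = None
        self.ram: Dict[int, bytes] = {}

    def scan(self) -> None:
        self.last_scan = self.clock()
        self.ram.clear()  # patches are lost after each rescan (as observed)

    def _awake(self) -> bool:
        return (self.last_scan is not None
                and self.clock() - self.last_scan < RESPONSIVE_WINDOW_S)

    def read_mem(self, addr: int, length: int) -> Optional[bytes]:
        if not self._awake():
            return None  # mirrors internalblue's readMem returning None on timeout
        return self.ram.get(addr, b"\x00" * length)

    def write_mem(self, addr: int, data: bytes) -> bool:
        if not self._awake():
            return False
        self.ram[addr] = data
        return True


class KeepAliveSession:
    """Wraps read/write callables: on timeout, rescan, re-apply all patches
    written through this session, then retry once."""

    def __init__(self, read, write, rescan):
        self.read, self.write, self.rescan = read, write, rescan
        self.patches: Dict[int, bytes] = {}  # addr -> bytes, in write order
        self.rescans = 0

    def _revive(self) -> None:
        self.rescans += 1
        self.rescan()
        for addr, data in self.patches.items():
            if not self.write(addr, data):
                raise RuntimeError(f"re-applying patch at {addr:#x} failed")

    def read_mem(self, addr: int, length: int) -> bytes:
        data = self.read(addr, length)
        if data is None:  # timed out: chip went quiet, wake it and retry
            self._revive()
            data = self.read(addr, length)
        if data is None:
            raise RuntimeError(f"readMem {addr:#x} still failing after rescan")
        return data

    def write_mem(self, addr: int, data: bytes) -> None:
        self.patches[addr] = data  # remember so a later rescan re-applies it
        if not self.write(addr, data):
            self._revive()  # re-applies every patch, including this one


def demo() -> dict:
    """Offline run against FakeChip with a hand-driven clock."""
    now = [0.0]
    chip = FakeChip(clock=lambda: now[0])
    chip.scan()  # user taps Scan at t=0
    session = KeepAliveSession(chip.read_mem, chip.write_mem, chip.scan)
    session.write_mem(0x200400, b"\x01\x02\x03\x04")  # patch applied while awake
    now[0] += 20.0  # window expired: a raw chip.read_mem would now return None
    data = session.read_mem(0x200400, 4)  # wrapper rescans, re-patches, retries
    return {"data": data, "rescans": session.rescans,
            "patch_survived": data == b"\x01\x02\x03\x04"}


if __name__ == "__main__":
    print(demo())
```

On a real phone the rescan callable would be adb_rescan and read/write would be the internalblue core's readMem/writeMem; the point of recording every write in the session is that a bare rescan loop (the while true; do am start ...; done from the comment above) wakes the chip but silently drops the patches, whereas re-applying them from the session's own list after each rescan keeps the patched state consistent.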