
Obtaining IF data #1

Closed
marcinguy opened this issue May 25, 2020 · 7 comments
Labels
help wanted Extra attention is needed

Comments

@marcinguy
Contributor

Hi,

How did you obtain IF data i.e for Pixel2 https://github.com/francozappa/bias/blob/master/bias/IF_PIXEL2.json?

Any easy way to dump it from the device/retrieve it from the device?

Wondering how easy this is, to judge potential attack practicability.

I want to try possibly with Samsung mobile.

Thanks,

@francozappa
Owner

Hi,

You can dump the data by observing the LMP packets that you receive when you try to connect/pair with the device that you want to impersonate. To observe the LMP packets you can use internalblue with a compatible device.

@francozappa francozappa added the help wanted Extra attention is needed label May 25, 2020
@marcinguy
Contributor Author

@francozappa Thanks!

CYW920819 devboard

Is this the board you have used?

https://www.aliexpress.com/i/33033506158.html

How did you connect your computer to it?

https://www.cypress.com/file/462851/download

Peripherals

22 GPIOs
I2C, I2S, UART, and PCM interfaces
Two Quad-SPI interfaces
Auxiliary ADC with up to 15 analog channels
Programmable key scan 20 × 8 matrix
General-purpose timers and PWMs 
Real-time clock (RTC) and watchdog timer (WDT)

I don't see USB connector.....

via I2C????

@francozappa
Owner

I've used different devices including the devboard that you linked connected via USB to my laptop. What you need is a device that is patched to support H4 forwarding to see LMP packets using the HCI interface as per https://github.com/seemoo-lab/internalblue/blob/master/doc/setup.md

Please refer to the internalblue team if you need support configuring the device to work with internalblue.
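The two replies above describe the capture path: connect or pair to the target with a device that forwards its HCI traffic (H4 forwarding), and read off what the remote side announces. Internalblue's LMP trace output is vendor-specific and is not reconstructed here; what follows is an added example, not code from the BIAS or internalblue repositories, that parses plain H4 framing and pulls out the standard HCI events in which the remote controller reports its BD_ADDR, name, LMP version, manufacturer and feature bits, which is the same kind of data an impersonation profile needs. The output dictionary layout is this example's own and is not the `IF_*.json` schema used by BIAS; the sample byte stream is constructed, not a real device dump.

```python
"""Extract remote-device LMP data from an H4 (HCI over UART) byte stream.

Added example; not code from the BIAS or internalblue repositories.
Assumes plain H4 framing (type byte + HCI packet) as produced with H4
forwarding; the output layout is this example's own, not BIAS's IF JSON.
"""
import struct

H4_CMD, H4_ACL, H4_SCO, H4_EVT = 0x01, 0x02, 0x03, 0x04
# Header length after the H4 type byte; the last header byte(s) hold the length.
H4_HDR_LEN = {H4_CMD: 3, H4_ACL: 4, H4_SCO: 3, H4_EVT: 2}

# Standard HCI events that carry the remote side's LMP information.
EVT_REMOTE_NAME_COMPLETE = 0x07          # status, BD_ADDR, 248-byte name
EVT_REMOTE_FEATURES_COMPLETE = 0x0B      # status, handle, 8 feature bytes
EVT_REMOTE_VERSION_COMPLETE = 0x0C       # status, handle, LMP ver, manuf, subver
EVT_REMOTE_EXT_FEATURES_COMPLETE = 0x23  # status, handle, page, max page, 8 bytes

# Subset of LMP feature bits, (page, byte, bit) -> name, per the Core spec.
LMP_FEATURE_BITS = {
    (0, 0, 2): "encryption",
    (0, 0, 5): "role_switch",
    (0, 4, 6): "le_supported_controller",
    (0, 6, 3): "secure_simple_pairing_controller",
    (0, 7, 7): "extended_features",
    (1, 0, 0): "secure_simple_pairing_host",
    (1, 0, 3): "secure_connections_host",
    (2, 1, 0): "secure_connections_controller",
}


def split_h4(stream: bytes):
    """Yield (packet_type, hci_packet) per H4 packet; fail loudly on a bad
    type byte or truncation instead of resynchronising silently."""
    i, n = 0, len(stream)
    while i < n:
        ptype = stream[i]
        hdr = H4_HDR_LEN.get(ptype)
        if hdr is None:
            raise ValueError(f"unknown H4 packet type 0x{ptype:02x} at offset {i}")
        start = i + 1
        if start + hdr > n:
            raise ValueError(f"truncated H4 header at offset {i}")
        if ptype == H4_ACL:
            plen = struct.unpack_from("<H", stream, start + 2)[0]
        else:
            plen = stream[start + hdr - 1]
        end = start + hdr + plen
        if end > n:
            raise ValueError(f"truncated H4 packet at offset {i}")
        yield ptype, stream[start:end]
        i = end


def fmt_bdaddr(raw: bytes) -> str:
    """HCI carries BD_ADDR little-endian; print it in the usual order."""
    return ":".join(f"{b:02x}" for b in reversed(raw))


def _set_flags(profile: dict, page: int, feats: bytes) -> None:
    for (pg, byte, bit), name in LMP_FEATURE_BITS.items():
        if pg == page:
            profile["flags"][name] = bool((feats[byte] >> bit) & 1)


def remote_profile(stream: bytes) -> dict:
    """Walk the H4 stream and collect what the remote controller told us."""
    prof = {"extended_features": {}, "flags": {}}
    for ptype, pkt in split_h4(stream):
        if ptype != H4_EVT:
            continue  # commands and ACL/SCO data are not of interest here
        code, plen = pkt[0], pkt[1]
        p = pkt[2:2 + plen]
        if not p or p[0] != 0x00:  # each event below starts with a status byte
            continue
        if code == EVT_REMOTE_NAME_COMPLETE:
            prof["bdaddr"] = fmt_bdaddr(p[1:7])
            prof["name"] = p[7:].split(b"\x00", 1)[0].decode("utf-8", "replace")
        elif code == EVT_REMOTE_FEATURES_COMPLETE:
            prof["connection_handle"] = struct.unpack_from("<H", p, 1)[0] & 0x0FFF
            feats = p[3:11]
            prof["lmp_features_page0"] = feats.hex()
            _set_flags(prof, 0, feats)
        elif code == EVT_REMOTE_VERSION_COMPLETE:
            ver, manuf, subver = struct.unpack_from("<BHH", p, 3)
            prof.update(lmp_version=ver, manufacturer=manuf, lmp_subversion=subver)
        elif code == EVT_REMOTE_EXT_FEATURES_COMPLETE:
            page, feats = p[3], p[5:13]
            prof["extended_features"][page] = feats.hex()
            _set_flags(prof, page, feats)
    return prof


def _evt(code: int, params: bytes) -> bytes:
    return bytes([H4_EVT, code, len(params)]) + params


# Constructed sample capture (not a real device dump): one outgoing
# Remote_Name_Request command, one ACL packet, then four events for a
# made-up remote device (manufacturer 0x000F is the Broadcom company ID).
_ADDR_LE = bytes.fromhex("665544332211")  # 11:22:33:44:55:66
_HANDLE_LE = bytes([0x0B, 0x00])
SAMPLE_STREAM = (
    bytes([H4_CMD, 0x19, 0x04, 0x0A]) + _ADDR_LE + bytes([0x01, 0x00, 0x00, 0x00])
    + bytes([H4_ACL, 0x0B, 0x20, 0x04, 0x00]) + b"\x00\x00\x00\x00"
    + _evt(EVT_REMOTE_NAME_COMPLETE,
           b"\x00" + _ADDR_LE + b"Example Phone\x00".ljust(248, b"\x00"))
    + _evt(EVT_REMOTE_FEATURES_COMPLETE,
           b"\x00" + _HANDLE_LE + bytes.fromhex("fffe8ffedbff5b87"))
    + _evt(EVT_REMOTE_VERSION_COMPLETE,
           b"\x00" + _HANDLE_LE + bytes([0x09, 0x0F, 0x00, 0x09, 0x61]))
    + _evt(EVT_REMOTE_EXT_FEATURES_COMPLETE,
           b"\x00" + _HANDLE_LE + bytes([0x01, 0x02]) + bytes.fromhex("0f00000000000000"))
    + _evt(EVT_REMOTE_EXT_FEATURES_COMPLETE,
           b"\x00" + _HANDLE_LE + bytes([0x02, 0x02]) + bytes.fromhex("0003000000000000"))
)

if __name__ == "__main__":
    import json
    print(json.dumps(remote_profile(SAMPLE_STREAM), indent=2))
```

Run against a real dump, the interesting fields for judging attack practicability are the feature flags: whether the target advertises Secure Connections on the controller (page 2) and the host (page 1), and whether it supports role switch, since those decide which of the BIAS variants applies. The parser deliberately raises on truncated or unknown framing rather than skipping bytes, because a silently desynchronised H4 stream yields plausible-looking but wrong feature bytes.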

@marcinguy
Contributor Author

Will do, thanks.

Ordered this board as per internalblue Guide.

CYW20735B1

https://www.mouser.de/ProductDetail/Cypress-Semiconductor/CYW920735Q60EVB-01?qs=qSfuJ%252Bfl%2Fd6ohu0rHi5aRA%3D%3D

FYI There is Micro USB connector on the left.

@marcinguy
Contributor Author

@francozappa Sorry to make noise here, but maybe others will find it useful too. Well, actually I will try the same board as you.

Seems like you patched the ROM; want to spare me this.

Wondering if I have luck and the ROM will be the same as yours (Manufacturer number: CYW920819EVB-02). Did you use CYW920819EVB-02 or other?

Will try with this:

https://www.mouser.de/ProductDetail/Cypress-Semiconductor/CYW920819EVB-02?qs=%2Fha2pyFadugICnogBdJ27y6wc6auC18DiNMDVcMRKbY1cC%2FDSbgy9g%3D%3D

Seems like it is also supported by Internalblue

https://github.com/seemoo-lab/internalblue/blob/96912a5ee224015f7f5e22c57f724a84e491387e/internalblue/fw/fw_0x220c.py#L47

Opened the issue also there:

seemoo-lab/internalblue#27

@francozappa
Owner

No worries @marcinguy

Yes, I've used the CYW920819EVB-02 devboard and I've patched its Bluetooth firmware at runtime using Cypress's proprietary patchrom mechanisms via internalblue. With such a devboard as an attack device you should be able to reuse the AF.json file in the BIAS repo and reproduce the attacks.

Let me know if you have any issue when reproducing the attacks.

@francozappa
Owner

@marcinguy can you please create a PR with the IF files that you used for your attacks?
