
monitor lmp start fails on Nexus 6p #9

Closed

JosiahOne opened this issue Nov 25, 2019 · 3 comments

Comments

@JosiahOne

I'm trying to use this PoC on a Nexus 6p on Android 8.1.0. I installed the custom BT stack from seemoo-lab here: https://github.com/seemoo-lab/internalblue/tree/master/android_bluetooth_stack/android8_1_0

I then installed internalblue from this repo. I am able to run internalblue and get a command prompt:

[screenshot: internalblue command prompt]

However, when I try to start monitoring LMP:
[screenshot: `monitor lmp start` command]

It fails with the following:

[CRITICAL] Uncaught exception ('module' object has no attribute 'LMP_MONITOR_BUFFER_BASE_ADDRESS'). Abort.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/cli.py", line 71, in commandLoop
    if(not cmd_instance.work()):
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/cmds.py", line 420, in work
    monitorController.startMonitor()
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/cmds.py", line 339, in startLmpMonitor
    self.internalblue.startLmpMonitor(self._callback)
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/core.py", line 619, in startLmpMonitor
    log.info('LMP_MONITOR_BUFFER_BASE_ADDRESS: {0:#x}'.format(fw.LMP_MONITOR_BUFFER_BASE_ADDRESS))
AttributeError: 'module' object has no attribute 'LMP_MONITOR_BUFFER_BASE_ADDRESS'

Any suggestions?

@JosiahOne
Author

Looks like this is just because the 6P-based attack wasn't fully implemented. LMP_MONITOR_BUFFER_BASE_ADDRESS was never defined in fw_6p.py.

If I comment out the log statement, things still fail badly:

[!] Received Stack-Dump Event (contains 10 registers):
[!] pc: 0x00201cc8   lr: 0x000464d3   sp: 0x002002a8   r0: 0x00201f55   r1: 0x00000000
    r2: 0x00000001   r3: 0x00212848   r4: 0x00000010   r5: 0x00000000   r6: 0x00000010
[!] Stack dump @0x00200000 written to internalblue_stackdump.bin!
[!] recvThreadFunc: The controller send a stack dump. stopping..
[*] Shutdown complete.
[!] Not running. call connect() first!
[!] Not running. call connect() first!
[CRITICAL] Uncaught exception ('NoneType' object has no attribute '__getitem__'). Abort.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/cli.py", line 71, in commandLoop
    if(not cmd_instance.work()):
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/cmds.py", line 420, in work
    monitorController.startMonitor()
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/cmds.py", line 339, in startLmpMonitor
    self.internalblue.startLmpMonitor(self._callback)
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/core.py", line 642, in startLmpMonitor
    if not self.patchRom(fw.LMP_MONITOR_LMP_HANDLER_ADDRESS, patch):
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/core.py", line 1066, in patchRom
    self.patchRom(address - alignment, orig[:alignment] + patch[:4-alignment], slot)
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/core.py", line 1070, in patchRom
    table_addresses, table_values, table_slots = self.getPatchramState()
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/core.py", line 1021, in getPatchramState
    table_addresses.append(u32(table_addr_dump[i*4:i*4+4])<<2)
TypeError: 'NoneType' object has no attribute '__getitem__'
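An added pre-flight check (example code, not internalblue's own) that models the two failure modes in the tracebacks above: a firmware definition module that lacks a constant the LMP monitor path dereferences, and `getPatchramState` decoding a table dump that came back as `None` after the controller died. Only the symbol names and the `u32(...) << 2` decoding are taken from the tracebacks; the stub modules, their values and the dump bytes are constructed.

```python
import struct
import types

# Constants the LMP monitor code path dereferences (names from the tracebacks above;
# treating them as the required set is an assumption, not internalblue's own list).
REQUIRED_LMP_MONITOR_SYMBOLS = (
    "LMP_MONITOR_BUFFER_BASE_ADDRESS",
    "LMP_MONITOR_LMP_HANDLER_ADDRESS",
)


def missing_lmp_monitor_symbols(fw):
    """Return the required constants that firmware module `fw` does not define.

    Checking this before touching the controller turns the AttributeError (or worse,
    a ROM patch written with a wrong address) into a clear, early failure.
    """
    return [name for name in REQUIRED_LMP_MONITOR_SYMBOLS if not hasattr(fw, name)]


def parse_patchram_table(table_addr_dump, slots):
    """Decode `slots` little-endian u32 entries of a patchram address table.

    Each stored entry holds the target address shifted right by 2, so the decoded
    value is shifted back. A `None` dump (no controller) is rejected explicitly
    instead of surfacing as a TypeError deep inside the slicing code.
    """
    if table_addr_dump is None:
        raise RuntimeError("patchram table read returned no data; is the controller connected?")
    if len(table_addr_dump) < slots * 4:
        raise ValueError("patchram table dump shorter than %d slots" % slots)
    return [struct.unpack_from("<I", table_addr_dump, i * 4)[0] << 2 for i in range(slots)]


# Constructed stand-in for fw_6p.py: defines only one of the two constants.
fw_6p_stub = types.ModuleType("fw_6p")
fw_6p_stub.LMP_MONITOR_LMP_HANDLER_ADDRESS = 0x1000  # placeholder value, not a real address

# Constructed stand-in for a complete firmware definition module.
fw_ok_stub = types.ModuleType("fw_ok")
fw_ok_stub.LMP_MONITOR_BUFFER_BASE_ADDRESS = 0x2000  # placeholder
fw_ok_stub.LMP_MONITOR_LMP_HANDLER_ADDRESS = 0x1000  # placeholder

# Constructed three-slot table dump: entries are (address >> 2), as the firmware stores them.
CONSTRUCTED_DUMP = struct.pack("<III", 0x000464D0 >> 2, 0x00201CC8 >> 2, 0)

if __name__ == "__main__":
    print("fw_6p missing:", missing_lmp_monitor_symbols(fw_6p_stub))
    print("patchram slots:", [hex(a) for a in parse_patchram_table(CONSTRUCTED_DUMP, 3)])
```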

@francozappa
Owner

Hey @JosiahOne

My repo provides the PoC of the KNOB attack only for the Nexus 5.

@JosiahOne
Author

Okay, I figured. Thanks for the quick response!
