RPI3 KNOB PoC, error : _sendThreadFunc: No response from the firmware. #57

Closed
ghost opened this issue Oct 15, 2021 · 7 comments

ghost commented Oct 15, 2021

Hello, I recently installed InternalBlue on my Raspberry Pi 3 (with the latest Raspberry Pi OS).
Everything seems to work fine, so I decided to try the KNOB_PoC.py script. When I run KNOB_PoC.py I get this:

[*] HCI device: hci0 [B8:AA:BB:CC:7B:3D] flags=13
[*] Connected to hci0
[*] Chip identifier: 0x2209 (001.002.009)
[*] Using fw_0x2209.py
[*] Loaded firmware information for BCM43430A1.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] Installing patch which ensures that send_LMP_encryption_key_size_req is always len=1!
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=310204, len=20)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=310204, len=20)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=310204, len=20)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=310204, len=20)
[!] readMem: failed!

Can you help me solve this problem, please? I don't know why the script failed...
I've tried downgrading the firmware, but that doesn't work...

@jiska2342 (Member)

Since the chip is up, you most likely were running the Python script as normal user and not as root. Writing to the Bluetooth chip's RAM is a vendor-specific command that requires root privileges.

ghost (Author) commented Oct 16, 2021

At first I executed the script as a normal user, but because I got this bug I ran it again as root and got the same problem...
I used this command to execute the script as root: sudo -E python KNOB_PoC.py
I used -E because without -E I get an error on the import of internalblue; I think it's because root doesn't have internalblue in its path.

btmon shows this error: Invalid HCI Command Parameters (0x12). Because of that I tried to downgrade the firmware.
I followed these steps for downgrading:

cd /usr/lib/firmware/brcm/
cp BCM4345C0.hcd BCM4345C0_orig.hcd
wget https://github.com/RPi-Distro/bluez-firmware/blob/96eefffcccc725425fd83be5e0704a5c32b79e54/broadcom/BCM4345C0.hcd?raw=true
mv 'BCM4345C0.hcd?raw=true' BCM4345C0.hcd

Afterwards I tried the script again as a user and as root, but I get the same result.

Then I saw this line:

[*] Loaded firmware information for BCM43430A1.

I was downgrading BCM4345C0, but the script seems to use BCM43430A1, so I tried to downgrade BCM43430A1 by replacing mine with this one: wget https://github.com/RPi-Distro/bluez-firmware/blob/96eefffcccc725425fd83be5e0704a5c32b79e54/broadcom/BCM43430A1.hcd?raw=true, but in the end I get the same error.

I recently retried and got this (everything is launched as root):

root@raspberrypi:~/internalblue/examples/rpi3# python KNOB_PoC.py
[*] HCI device: hci0 [B8:27:EB:60:7B:3D] flags=5
[*] Connected to hci0
[*] Chip identifier: 0x2209 (001.002.009)
[*] Using fw_0x2209.py
[*] Loaded firmware information for BCM43430A1.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] Installing patch which ensures that send_LMP_encryption_key_size_req is always len=1!
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python3.7/threading.py", line 917, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.7/threading.py", line 865, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/lib/python3.7/dist-packages/internalblue/hcicore.py", line 305, in _recvThreadFunc
    if filter_function is None or filter_function(record):
  File "/usr/local/lib/python3.7/dist-packages/internalblue/core.py", line 885, in recvFilterFunction
    if u16(hcipkt.data[1:3]) == opcode:
  File "/usr/local/lib/python3.7/dist-packages/internalblue/utils/packing.py", line 33, in u16
    return struct.unpack('H', num)[0]
struct.error: unpack requires a buffer of 2 bytes

[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=310204, len=20)
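
The struct.error in the traceback above is the classic short-buffer case: `hcipkt.data[1:3]` silently yields fewer than two bytes when the event payload is short, and only the unpack fails, killing the receive thread. The following is an added example (not InternalBlue's own code) that models that filter pattern next to a length- and event-code-checking version over constructed HCI events; the Read_RAM opcode 0xFC4D is an assumption taken from the Broadcom vendor command set, and `'<H'` is used explicitly where the traceback's `'H'` relies on the host being little-endian.

```python
import struct

HCI_EVT_COMMAND_COMPLETE = 0x0E
HCI_EVT_HARDWARE_ERROR = 0x10
READ_RAM_OPCODE = 0xFC4D  # Broadcom vendor Read_RAM (OGF 0x3F, OCF 0x4D); assumed value

def u16(num: bytes) -> int:
    """Same shape as the helper in the traceback: unpack needs exactly 2 bytes."""
    return struct.unpack('<H', num)[0]

def parse_event(raw: bytes):
    """Split a raw HCI event (event code, length, payload) and reject truncation."""
    if len(raw) < 2:
        raise ValueError("HCI event header needs an event code and a length byte")
    code, plen = raw[0], raw[1]
    payload = raw[2:2 + plen]
    if len(payload) != plen:
        raise ValueError(f"truncated HCI event: header says {plen} bytes, got {len(payload)}")
    return code, payload

def match_opcode_unsafe(payload: bytes, opcode: int) -> bool:
    """The pattern from the traceback: a slice never fails, the unpack does."""
    return u16(payload[1:3]) == opcode

def match_opcode_safe(event_code: int, payload: bytes, opcode: int) -> bool:
    """Only Command Complete carries [num_hci_cmd_pkts][opcode lo][opcode hi][status]..."""
    if event_code != HCI_EVT_COMMAND_COMPLETE or len(payload) < 3:
        return False
    return u16(payload[1:3]) == opcode

# Constructed sample events (not captured from the reporter's device):
# a Command Complete answering Read_RAM, and a one-byte Hardware Error event.
SAMPLE_COMPLETE = bytes([HCI_EVT_COMMAND_COMPLETE, 0x04, 0x01, 0x4D, 0xFC, 0x00])
SAMPLE_HW_ERROR = bytes([HCI_EVT_HARDWARE_ERROR, 0x01, 0x02])

def demo() -> dict:
    """Run both filters over both events; the unsafe one reproduces the thread-killing error."""
    results = {}
    for name, raw in (("complete", SAMPLE_COMPLETE), ("hw_error", SAMPLE_HW_ERROR)):
        code, payload = parse_event(raw)
        try:
            unsafe = match_opcode_unsafe(payload, READ_RAM_OPCODE)
        except struct.error:
            unsafe = "struct.error"  # what took down _recvThreadFunc in the traceback
        results[name] = (unsafe, match_opcode_safe(code, payload, READ_RAM_OPCODE))
    return results

if __name__ == "__main__":
    print(demo())
```

Any unexpected event (vendor debug output, a Hardware Error) reaching a filter written the unsafe way ends the receive thread, which is why every later command then reports "No response from the firmware" even though the chip is still up.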

@jiska2342 (Member)

Looks less like an issue in the PoC and more with the Broadcom firmware. In general, you should be able to run the hexdump and writemem commands at address 0x200400, no matter which chip is detected. Does that work?

I didn't try InternalBlue on the latest Raspberry Pi release so far. Other vendors started rolling out "patches" that disable the possibility to read/write the Bluetooth RAM. You can disable the patch by searching for an older .hcd file of your specific firmware online and replacing it in the file system.

ghost (Author) commented Oct 17, 2021

Hexdump seems to work:

hexdump 0x200400
00200400: ef 3a 3e 19 68 1d 00 00 00 00 00 00 00 00 00 00 |·:>·|h···|····|····|
00200410: 09 22 18 92 4a 75 6e 20 20 32 20 32 30 31 34 00 |·"··|Jun | 2 2|014·|
00200420: 31 38 3a 35 39 3a 30 34 fa 02 3f 1f 6c 00 00 00 |18:5|9:04|··?·|l···|

But writemem gives me this:

writemem --int 0x1 0x200400
[!] Warning: Address 0x00000001 (len=0x1) is not inside a RAM section.
[▖] Writing Memory: Write failed!

So writemem is not working, but I don't know why... Is there a command which can give me more info on why that doesn't work?

I have downloaded older .hcd files, but I still have the same error... I downloaded the oldest BCM43430A1.hcd and the oldest BCM4345C0.hcd from the bluez GitHub, but neither of them changes anything; I still have the same error.

@jiska2342 (Member)

According to the hexdump command, 0x200400 is definitely inside a RAM section. This means that there was no correct firmware information file loaded during startup. According to the build date of the chip, you have a BCM43430A1. Note that after replacing the corresponding .hcd file, you have to reboot the Raspberry Pi (or reload the Bluetooth drivers) to get the new .hcd file loaded by the operating system. This is nothing that is done by InternalBlue.

I think your writeram command only failed because you swapped arguments. You were trying to write to address 0x00000001, which is in ROM, and will fail.

ghost (Author) commented Oct 18, 2021

I tried the writemem again and you are right, I was swapping the arguments, so I tried again with the right arguments and that worked.

I also tried downgrading the firmware and rebooting, and that worked! I was doing something wrong before. Thanks a lot for your help!

@ghost ghost closed this as completed Oct 18, 2021
@jiska2342 (Member)

Thanks for trying all these things :) Looks like the most recent Raspberry Pi Bluetooth firmware now also blocks writing to RAM. I will update this in the Linux notes.
