seemoo-lab / internalblue Goto Github PK


Bluetooth experimentation framework for Broadcom and Cypress chips.

Python 83.55% C 0.32% Objective-C 13.20% Swift 1.96% Shell 0.58% Makefile 0.38%
bluetooth broadcom firmware ios bluez linux macos android security cypress ble

internalblue's Introduction

InternalBlue

Broadcom chips are used in approximately a billion devices, such as all iPhones, MacBooks, the Samsung Galaxy S series, the older Google Nexus series, older ThinkPads, Raspberry Pis, various IoT devices, and more. In 2016, Cypress acquired the IoT division of Broadcom. Since then, the firmware variants have slightly diverged, as Broadcom kept non-IoT customers like Apple and Samsung. However, the firmware interaction and update mechanism stayed the same. We reverse-engineered how the operating systems patch this firmware and interact with it. Based on that, we developed a Bluetooth experimentation framework that is able to patch the firmware. This enables various features that would otherwise only be possible with a full-stack software-defined radio implementation, such as injecting and monitoring packets on the link layer.

InternalBlue has not only been used for our own research at the Secure Mobile Networking Lab (SEEMOO). The KNOB and BIAS attack prototypes were implemented using InternalBlue LMP messages, and the SweynTooth attacks also experimented with InternalBlue for crafting LCP messages. Note that, in contrast to tools like btlejack or Ubertooth, InternalBlue does not aim at performing Machine-in-the-Middle attacks. However, the device running InternalBlue can send arbitrary packets and also inject these into existing connections. During monitoring, all packets that are received by the device running InternalBlue are captured, without packet loss. InternalBlue has no issues with the analysis of encrypted connections or Classic Bluetooth. If you have specific feature requests for your security research, feel free to open a ticket.

In addition to security research, InternalBlue also opens possibilities for further analysis such as Bluetooth Low Energy performance statistics and improvements. Anything that can be improved within a Bluetooth stack can be directly tested on off-the-shelf devices.

Our recent research features Frankenstein, which emulates the firmware, including thread switches and virtual modem input. The emulated firmware can be attached to a Linux host, so the approach is full-stack. We mainly used it for fuzzing and found vulnerabilities, including ones that require host responses to be triggered. Frankenstein lives in a separate repository but depends on InternalBlue to take state snapshots etc. on a physical device.

Moreover, we just published Polypyus. It enables binary-only binary diffing, independent of IDA and Ghidra, but integrates into that workflow by identifying good starting points for further analysis. We have already tried it across various Broadcom Wi-Fi and Bluetooth firmware.

Looking for our random number generator measurements that we did within the analysis of CVE-2020-6616? You can find them here.

There are also some more dynamic hooks for HCI with Frida on iOS and Android. We used these to study the warning behavior in the user interface upon MitM attacks, but they are likely useful for a lot of other experiments, too.

Due to Spectra 👻🌈, the write and read RAM commands are disabled after driver initialization. Workarounds for this are described in the corresponding Android and iOS instructions; bypasses for other devices will follow if needed.

License

Copyright 2018-2021 The InternalBlue Team

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

internalblue's People

Contributors

bolek42, clou42, demantz, drewbug, fmagin, geresis-public, jiska2342, mringwal, psy, rec0de, rhabichl, robre, swidnikk, ttdennis, unixb0y

internalblue's Issues

RPi 3B problem with Broadcom firmware for running KNOB_PoC.py

Hello, I hope this is the right place to ask.

I have some questions about how to make the PoC run on my RPi. I have seen a related issue. I have followed the advice in downgrading the Broadcom driver, but I fear I have missed a step or found the wrong firmware.

The output from running the Python script says my firmware is BCM43430A1. I have seen in other places the advice to run dmesg | grep -i bluetooth to see if the firmware loads properly, but mine doesn't output any information about the firmware.

The full output of running the script is this:

[*] Connected to hci0
[*] Chip identifier: 0x2209 (001.002.009)
[*] Using fw_0x2209.py
[*] Loaded firmware information for BCM43430A1.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] Installing patch which ensures that send_LMP_encryption_key_size_req is always len=1!
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=310204, len=20)

How can I solve this issue? I can provide any additional info as needed, including the link where I found the firmware. Thanks!

Connecting a Bluetooth LE returns Disconnect Complete

Describe the bug

Attempting to connect to my Bluetooth LE device just returns Disconnect Complete

Hardware and operating system

  • Raspberry Pi 4 Model B Rev 1.1
  • Debian GNU/Linux 11 (bullseye)

To Reproduce

pi@raspberrypi:~ $ sudo service bluetooth stop
pi@raspberrypi:~ $ sudo internalblue
[*] HCI device: hci0  [DC:A6:32:21:D0:A8]  flags=0<DOWN>
[*] No adb devices found.
[!] Device hci0 is DOWN!
[*] Trying to set hci0 to state 'UP' (requires root)
[*] Device with id=0 was set up successfully!
[*] Connected to hci0
[*] Chip identifier: 0x6119 (003.001.025)
[*] Using fw_0x6119.py
[*] Loaded firmware information for BCM4345C0.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] Starting commandLoop for self.internalblue <internalblue.hcicore.HCICore object at 0x7f9ca88b20>
   ____     __                    _____  __
  /  _/__  / /____ _______  ___ _/ / _ )/ /_ _____
 _/ // _ \/ __/ -_) __/ _ \/ _ `/ / _  / / // / -_)
/___/_//_/\__/\__/_/ /_//_/\_,_/_/____/_/\_,_/\__/

type <help -v> for usage information!
> loglevel debug
[*] New log level: DEBUG
> connectle 30:1B:97:75:D3:42
[!] _sendThreadFunc: Send: 010d201960003000000042d375971b3001180028000000d00700000000
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.165167] HCI_EVT<0x0f EVENT Command_Status (len=4): 00010d20>
[!] sendHciCommand.recvFilterFunction: got response
> [!] _recvThreadFunc Recv: [2023-01-01 08:02:53.198567] HCI_EVT<0x3e EVENT LE_Meta_Event (len=19): 01004000000042d375971b3027000000d00700>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.202017] HCI_CMD0x%04x COMND LE_Read_Remote_Used_Features (len=2):  4000
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.203791] HCI_EVT<0x0f EVENT Command_Status (len=4): 00011620>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.307733] ACL_DATA
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.357129] HCI_EVT<0x3e EVENT LE_Meta_Event (len=12): 040040003d00000000000000>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.357924] ACL_DATA
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.358756] ACL_DATA
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.454447] HCI_EVT<0x3e EVENT LE_Meta_Event (len=11): 074000fb004808fb004808>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:53.607379] HCI_EVT<0x13 EVENT Number_Of_Completed_Packets (len=5): 0140000100>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:55.989300] ACL_DATA
[!] _recvThreadFunc Recv: [2023-01-01 08:02:55.990617] ACL_DATA
[!] _recvThreadFunc Recv: [2023-01-01 08:02:56.232797] HCI_EVT<0x13 EVENT Number_Of_Completed_Packets (len=5): 0140000100>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:58.009434] HCI_CMD0x%04x COMND Disconnect (len=3):  400013
[!] _recvThreadFunc Recv: [2023-01-01 08:02:58.010555] HCI_EVT<0x0f EVENT Command_Status (len=4): 00010604>
[!] _recvThreadFunc Recv: [2023-01-01 08:02:58.037178] HCI_EVT<0x05 EVENT Disconnection_Complete (len=4): 00400016>
[*] [Disconnect Complete: Handle=0x40]
exit
[*] Shutdown complete.

Logs or screenshots

Additional context

The Bluetooth device appears in a LE Scan and returns information when asked:

pi@raspberrypi:~ $ sudo hcitool lescan
LE Scan ...
30:1B:97:75:D2:9B (unknown)
C6:F6:7F:1F:6A:5A (unknown)
C6:F6:7F:1F:6A:5A (unknown)
30:1B:97:75:D3:42 (unknown)
34:EE:3A:D4:59:3C (unknown)
30:1B:97:75:D3:42 BLE Device 3891BA
30:1B:97:75:D2:9B BLE Device 6523F1
pi@raspberrypi:~ $ sudo hcitool leinfo 30:1B:97:75:D3:42
Requesting information ...
        Handle: 64 (0x0040)
        LMP Version: 5.0 (0x9) LMP Subversion: 0x1c1c
        Manufacturer: Telink Semiconductor Co. Ltd (529)
        Features: 0x3d 0x00 0x00 0x00 0x00 0x00 0x00 0x00

It connects successfully using bluetoothctl and asks for the passkey when pairing:

pi@raspberrypi:~ $ bluetoothctl
Agent registered
[bluetooth]# scan on
Discovery started
[CHG] Controller DC:A6:32:21:D0:A8 Discovering: yes
[NEW] Device 30:1B:97:75:D3:42 BLE Device 3891BA
[NEW] Device 30:1B:97:75:D2:9B BLE Device 6523F1
[NEW] Device A2:C5:46:00:00:1C Graeme's Armor
[bluetooth]# connect 30:1B:97:75:D3:42
Attempting to connect to 30:1B:97:75:D3:42
[CHG] Device 30:1B:97:75:D3:42 Connected: yes
Connection successful
[CHG] Device 30:1B:97:75:D3:42 ServicesResolved: yes
[CHG] Device 30:1B:97:75:D3:42 ServicesResolved: no
[CHG] Device 30:1B:97:75:D3:42 Connected: no
[bluetooth]# pair 30:1B:97:75:D3:42
Attempting to pair with 30:1B:97:75:D3:42
[CHG] Device 30:1B:97:75:D3:42 Connected: yes
[CHG] Device 30:1B:97:75:D3:42 ServicesResolved: yes
Request passkey
[agent] Enter passkey (number in 0-999999):
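
Decoding the HCI trace above, as an added example that is not part of the issue or of InternalBlue's code: it parses the parameter bytes InternalBlue prints after each event, so the Disconnection_Complete line reads as reason 0x16 (Connection Terminated By Local Host) while the host's own Disconnect command carried reason 0x13, and it renders chip identifiers like the 0x6119 line the way the log does. Opcodes, event and error codes are from the Bluetooth Core Specification; the chip id split is the Broadcom convention the Linux btbcm driver uses and is checked against the identifier lines on this page.

```python
"""Decoders for the raw HCI packets InternalBlue prints at loglevel debug.

Added example, not InternalBlue project code. The sample hex strings are the
ones from the connectle trace above; opcodes, event and error codes follow the
Bluetooth Core Specification (Vol 4 Part E, Vol 2 Part D).
"""
import struct

# HCI error codes (subset) that appear as a status or as a disconnect reason.
HCI_ERROR = {
    0x00: "Success",
    0x08: "Connection Timeout",
    0x13: "Remote User Terminated Connection",
    0x16: "Connection Terminated By Local Host",
    0x3e: "Connection Failed to be Established",
}

# Command opcodes (OGF << 10 | OCF) seen in the trace.
OPCODE = {
    0x0406: "Disconnect",
    0x200d: "LE_Create_Connection",
    0x2016: "LE_Read_Remote_Used_Features",
}

# (event code, parameter bytes) copied from the HCI_EVT lines of the trace.
TRACE = [
    (0x0f, "00010d20"),
    (0x3e, "01004000000042d375971b3027000000d00700"),
    (0x0f, "00011620"),
    (0x3e, "040040003d00000000000000"),
    (0x3e, "074000fb004808fb004808"),
    (0x13, "0140000100"),
    (0x0f, "00010604"),
    (0x05, "00400016"),
]


def bdaddr(raw):
    """Addresses travel little-endian; render them the way hcitool prints them."""
    return ":".join("%02X" % b for b in reversed(raw))


def decode_event(code, hex_params):
    """Decode the parameter bytes printed after an HCI_EVT<code ...> marker."""
    p = bytes.fromhex(hex_params)
    if code == 0x0f:  # Command_Status: controller accepted or rejected a command
        status, _ncmd, opcode = struct.unpack("<BBH", p)
        return {"event": "Command_Status", "status": HCI_ERROR.get(status, hex(status)),
                "opcode": OPCODE.get(opcode, hex(opcode))}
    if code == 0x05:  # Disconnection_Complete: the reason says who tore the link down
        status, handle, reason = struct.unpack("<BHB", p)
        return {"event": "Disconnection_Complete", "handle": handle,
                "reason": HCI_ERROR.get(reason, hex(reason))}
    if code == 0x13:  # Number_Of_Completed_Packets (single-handle form)
        _n, handle, done = struct.unpack("<BHH", p)
        return {"event": "Number_Of_Completed_Packets", "handle": handle, "completed": done}
    if code == 0x3e:  # LE_Meta_Event: the first byte selects the subevent
        sub = p[0]
        if sub == 0x01:  # LE_Connection_Complete
            status, handle, role, _atype = struct.unpack("<BHBB", p[1:6])
            interval, latency, timeout = struct.unpack("<HHH", p[12:18])
            return {"event": "LE_Connection_Complete",
                    "status": HCI_ERROR.get(status, hex(status)), "handle": handle,
                    "role": "central" if role == 0 else "peripheral",
                    "peer": bdaddr(p[6:12]), "interval_ms": interval * 1.25,
                    "latency": latency, "supervision_timeout_ms": timeout * 10}
        if sub == 0x04:  # LE_Read_Remote_Features_Complete
            _status, handle = struct.unpack("<BH", p[1:4])
            return {"event": "LE_Read_Remote_Features_Complete", "handle": handle,
                    "features": p[4:12].hex()}
        if sub == 0x07:  # LE_Data_Length_Change
            handle, tx_oct, _tx_t, rx_oct, _rx_t = struct.unpack("<HHHHH", p[1:11])
            return {"event": "LE_Data_Length_Change", "handle": handle,
                    "max_tx_octets": tx_oct, "max_rx_octets": rx_oct}
    return {"event": "unknown 0x%02x" % code, "raw": p.hex()}


def decode_disconnect_cmd(hex_params):
    """Parameters of the Disconnect command the host sent: handle and reason code."""
    handle, reason = struct.unpack("<HB", bytes.fromhex(hex_params))
    return {"command": "Disconnect", "handle": handle,
            "reason": HCI_ERROR.get(reason, hex(reason))}


def decode_chip_id(chip_id):
    """Render a chip identifier as the log does: 0x6119 -> 003.001.025.

    Uses the 3/5/8-bit split of the Broadcom LMP subversion that the Linux
    btbcm driver also prints; it matches both identifier lines on this page.
    """
    return "%03d.%03d.%03d" % (chip_id >> 13, (chip_id >> 8) & 0x1F, chip_id & 0xFF)


if __name__ == "__main__":
    for code, params in TRACE:
        print(decode_event(code, params))
    print(decode_disconnect_cmd("400013"))  # the host's own reason for tearing down
    print(decode_chip_id(0x6119))
```

Reading the decoded trace top to bottom shows the connection did come up (handle 0x40, 48.75 ms interval, 20 s supervision timeout) and was closed about five seconds later by a Disconnect issued from the host side, not by the peer.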

Question about running InternalBlue on Linux

Hi, I have a question about InternalBlue.
In the project "frankenstein", there is a sentence: "If you are running on a native Linux and want to access the raw HCI device, you need superuser rights." However, when I want to run it on Ubuntu 18.04, something errors and it says "Not running on a Broadcom or Cypress chip!". So how should I run it on Ubuntu 18.04? Do I need to delete the version check?

Problems with BlueZ on Raspberry Pi 3B+

Hi all, I've set up BlueZ with Raspbian OS on top of a Raspberry Pi 3B+, but when I run the InternalBlue script I get the following errors:

Using python2:

$ sudo python2 internalblue/cli.py
Traceback (most recent call last):
  File "internalblue/cli.py", line 36, in <module>
    import internalblue.utils.pwnlib_wrapper as pwnlib
ImportError: No module named internalblue.utils.pwnlib_wrapper

Using Python 3:

$ sudo python3 internalblue/cli.py
[!] Pwntools does not support 32-bit Python.  Use a 64-bit release.
Traceback (most recent call last):
  File "internalblue/cli.py", line 41, in <module>
    from .adbcore import ADBCore
SystemError: Parent module '' not loaded, cannot perform relative import

I've reinstalled pwntools by running:

internalblue# pip3 install .
Processing /x/y/z/internalblue
  Requirement already satisfied (use --upgrade to upgrade): internalblue==0.4 from file:///home/pi/Desktop/internalblue in /usr/local/lib/python3.5/dist-packages
Requirement already satisfied: future in /usr/local/lib/python3.5/dist-packages (from internalblue==0.4)
Requirement already satisfied: pwntools>=4.0.1 in /usr/local/lib/python3.5/dist-packages (from internalblue==0.4)
Requirement already satisfied: pyelftools in /usr/local/lib/python3.5/dist-packages (from internalblue==0.4)
Requirement already satisfied: tox>=1.8.1 in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: pip>=6.0.8 in /usr/lib/python3/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: capstone>=3.0.5rc2 in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: python-dateutil in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: pyserial>=2.7 in /usr/lib/python3/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: psutil>=3.3.0 in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: intervaltree>=3.0 in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: requests>=2.0 in /usr/lib/python3/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: pygments>=2.0 in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: sortedcontainers in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: unicorn>=1.0.2rc1 in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: pysocks in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: mako>=1.0.0 in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: paramiko>=1.15.2 in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: ropgadget>=5.3 in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: packaging in /usr/local/lib/python3.5/dist-packages (from pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: virtualenv>=16.0.0 in /usr/local/lib/python3.5/dist-packages (from tox>=1.8.1->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: toml>=0.9.4 in /usr/local/lib/python3.5/dist-packages (from tox>=1.8.1->pwntools>=4.0.1->internalblue==0.4)
Collecting six<2,>=1.14.0 (from tox>=1.8.1->pwntools>=4.0.1->internalblue==0.4)
  Downloading https://files.pythonhosted.org/packages/65/eb/1f97cb97bfc2390a276969c6fae16075da282f5058082d4cb10c6c5c1dba/six-1.14.0-py2.py3-none-any.whl
Requirement already satisfied: filelock<4,>=3.0.0 in /usr/local/lib/python3.5/dist-packages (from tox>=1.8.1->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: pluggy<1,>=0.12.0 in /usr/local/lib/python3.5/dist-packages (from tox>=1.8.1->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: py<2,>=1.4.17 in /usr/local/lib/python3.5/dist-packages (from tox>=1.8.1->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: importlib-metadata<2,>=0.12; python_version < "3.8" in /usr/local/lib/python3.5/dist-packages (from tox>=1.8.1->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: MarkupSafe>=0.9.2 in /usr/lib/python3/dist-packages (from mako>=1.0.0->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: bcrypt>=3.1.3 in /usr/local/lib/python3.5/dist-packages (from paramiko>=1.15.2->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: cryptography>=2.5 in /usr/local/lib/python3.5/dist-packages (from paramiko>=1.15.2->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: pynacl>=1.0.1 in /usr/local/lib/python3.5/dist-packages (from paramiko>=1.15.2->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: pyparsing>=2.0.2 in /usr/local/lib/python3.5/dist-packages (from packaging->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: importlib-resources<2,>=1.0; python_version < "3.7" in /usr/local/lib/python3.5/dist-packages (from virtualenv>=16.0.0->tox>=1.8.1->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: distlib<1,>=0.3.0 in /usr/local/lib/python3.5/dist-packages (from virtualenv>=16.0.0->tox>=1.8.1->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: appdirs<2,>=1.4.3 in /usr/local/lib/python3.5/dist-packages (from virtualenv>=16.0.0->tox>=1.8.1->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: zipp>=0.5 in /usr/local/lib/python3.5/dist-packages (from importlib-metadata<2,>=0.12; python_version < "3.8"->tox>=1.8.1->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: cffi>=1.1 in /usr/local/lib/python3.5/dist-packages (from bcrypt>=3.1.3->paramiko>=1.15.2->pwntools>=4.0.1->internalblue==0.4)
Requirement already satisfied: pycparser in /usr/local/lib/python3.5/dist-packages (from cffi>=1.1->bcrypt>=3.1.3->paramiko>=1.15.2->pwntools>=4.0.1->internalblue==0.4)
Installing collected packages: six
  Found existing installation: six 1.12.0
    Not uninstalling six at /usr/lib/python3/dist-packages, outside environment /usr
Successfully installed six-1.14.0

Also, I've installed and tested hcitool and bluetoothctl; they worked perfectly... from here

As far as enabling diagnostics is concerned there's no vendor_diag in hci0 on raspbian OS.

What am I doing wrong here? Can someone shed some light on this?

Thanks for reading.

Can the controller send arbitrary messages to the host?

I want the controller to send arbitrary messages to the host (the controller is the Bluetooth hardware, the host is my computer),
such as sending L2CAP connection messages before the HCI ACL connection is established. Can InternalBlue achieve this function?

Disconnecting from the device

Hi,

I want to ask why I am getting disconnections all the time. It appears InternalBlue is conflicting for some reason, and I removed the bcm4335c0.hcd file from the Nexus 5 as well. While sending the LMP packets it always shows "command failed". Please look into this issue.

Thank you

Samsung Galaxy S20 / dumpmem is failing

Hello,
I'm trying to use InternalBlue to dump the firmware of a Samsung Galaxy S20 (B4375B1 chip) and patch it. However, the dumpmem command systematically fails at 80% with the following traceback:

> dumpmem -f ~/samsunggalaxys20/firmware.bin
[*] No template found. Need to read ROM sections as well!
[ ] Initialize internal memory image: receiving data... 2031476 / 2523133 Bytes (80%)
[!] Received S10 Stack-Dump Event (contains 35 registers):
[!] pc: 0x0000b344   lr: 0x0000b3cb   sp: 0x00308000   r0: 0x00307f78   r1: 0x000000f9
r2: 0x00287b48   r3: 0x00000071   r4: 0x00308000   r5: 0x00287bd0   r6: 0x00000000

Exception in thread Thread-4:
Traceback (most recent call last):
  File "/usr/lib64/python3.9/threading.py", line 950, in _bootstrap_inner
    self.run()
  File "/usr/lib64/python3.9/threading.py", line 888, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/lib/python3.9/site-packages/internalblue/adbcore.py", line 266, in _recvThreadFunc
    callback(record)
  File "/usr/local/lib/python3.9/site-packages/internalblue/hci.py", line 948, in recvPacket
    self.handleS10StackDump(hcipkt)
  File "/usr/local/lib/python3.9/site-packages/internalblue/hci.py", line 1192, in handleS10StackDump
    self.finishStackDump()
  File "/usr/local/lib/python3.9/site-packages/internalblue/hci.py", line 970, in finishStackDump
    dump = flat(self.memdumps)  # flatten, as we have one entry per address chunk
TypeError: flat() missing 1 required positional argument: 'filler'
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=307f76, len=7ffff)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=307f76, len=7ffff)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=307f76, len=7ffff)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=307f76, len=7ffff)
[!] readMem: failed!
EXCEPTION of type 'TypeError' occurred with message: 'cannot convert 'NoneType' object to bytes'
To enable full traceback, run the following command: 'set debug true'

Will this board work with "KNOB" - CYW920819EVB-02

Hi

I have a CYW920819EVB-02 board and want to use it to perform the KNOB attack. However, I notice that there isn't any code suitable for this board. I wonder if I can just run the code for the CYW20735?

Many thanks

pip install -e .[macoscore,binutils] fails with "ERROR: Failed building wheel for unicorn" on macOS Mojave

Describe the bug

pip install -e .[macoscore,binutils] fails with "ERROR: Failed building wheel for unicorn" on macOS Mojave

Hardware and operating system

macOS Mojave (10.14.6), with Mac Mini Late 2014 -> BCM20702B0

To Reproduce

brew install binutils-arm.rb
Running `brew update --auto-update`...
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/core).
==> New Formulae
forgit                                                                                                                         gitoxide

Error: Failed to load cask: binutils-arm.rb
Cask 'binutils-arm' is unreadable: wrong constant name #<Class:0x00007f887240f4a0>
Warning: Treating binutils-arm.rb as a formula.
Warning: You are using macOS 10.14.
We (and Apple) do not provide support for this old version.
It is expected behaviour that some formulae will fail to build in this old version.
It is expected behaviour that Homebrew will be buggy and slow.
Do not create any issues about this on Homebrew's GitHub repositories.
Do not create any issues even if you think this message is unrelated.
Any opened issues will be immediately closed without response.
Do not ask for help from Homebrew or its maintainers on social media.
You may ask for help in Homebrew's discussions but are unlikely to receive a response.
Try to figure out the problem yourself and submit a fix as a pull request.
We will review it but may or may not accept it.

==> Fetching binutils-arm
==> Downloading https://ftpmirror.gnu.org/binutils/binutils-2.38.tar.gz
Already downloaded: /Users/user/Library/Caches/Homebrew/downloads/48422b8a58563d53727c87f6122970e3af0ed66fa8d19c6668f447c0f89227fb--binutils-2.38.tar.gz
Warning: A newer Command Line Tools release is available.
Update them from Software Update in System Preferences.

If that doesn't show you any updates, run:
  sudo rm -rf /Library/Developer/CommandLineTools
  sudo xcode-select --install

Alternatively, manually download them from:
  https://developer.apple.com/download/all/.
You should download the Command Line Tools for Xcode 11.3.1.

==> ./configure --prefix=/usr/local/Cellar/binutils-arm/2.38 --target=arm-unknown-linux-gnu --disable-static --disable-multilib --disable-nls --disable-werror
==> make MAKEINFO=true -j
==> make MAKEINFO=true install
==> rm -rf /usr/local/Cellar/binutils-arm/2.38/share/info
🍺  /usr/local/Cellar/binutils-arm/2.38: 139 files, 15.7MB, built in 3 minutes 11 seconds
==> Running `brew cleanup binutils-arm`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
(venv) umm:internalblue user$ pip install -e .\[macoscore,binutils\]
Obtaining file:///Users/user/Downloads/internalblue
  Preparing metadata (setup.py) ... done
Requirement already satisfied: future in ./venv/lib/python3.11/site-packages (from internalblue==0.4) (0.18.3)
Requirement already satisfied: cmd2 in ./venv/lib/python3.11/site-packages (from internalblue==0.4) (2.4.3)
Requirement already satisfied: pure-python-adb in ./venv/lib/python3.11/site-packages (from internalblue==0.4) (0.3.0.dev0)
Collecting pwntools>=4.0.1 (from internalblue==0.4)
  Downloading pwntools-4.9.0-py2.py3-none-any.whl (11.7 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 11.7/11.7 MB 1.0 MB/s eta 0:00:00
Collecting pyelftools (from internalblue==0.4)
  Downloading pyelftools-0.29-py2.py3-none-any.whl (174 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 174.3/174.3 kB 622.6 kB/s eta 0:00:00
Requirement already satisfied: pyobjc in ./venv/lib/python3.11/site-packages (from internalblue==0.4) (9.1.1)
Collecting paramiko>=1.15.2 (from pwntools>=4.0.1->internalblue==0.4)
  Downloading paramiko-3.1.0-py3-none-any.whl (211 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 211.2/211.2 kB 702.3 kB/s eta 0:00:00
Collecting mako>=1.0.0 (from pwntools>=4.0.1->internalblue==0.4)
  Downloading Mako-1.2.4-py3-none-any.whl (78 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 78.7/78.7 kB 402.4 kB/s eta 0:00:00
Collecting capstone>=3.0.5rc2 (from pwntools>=4.0.1->internalblue==0.4)
  Downloading capstone-5.0.0rc2.tar.gz (2.6 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.6/2.6 MB 1.0 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Collecting ropgadget>=5.3 (from pwntools>=4.0.1->internalblue==0.4)
  Downloading ROPGadget-7.3-py3-none-any.whl (32 kB)
Collecting pyserial>=2.7 (from pwntools>=4.0.1->internalblue==0.4)
  Downloading pyserial-3.5-py2.py3-none-any.whl (90 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 90.6/90.6 kB 479.2 kB/s eta 0:00:00
Collecting requests>=2.0 (from pwntools>=4.0.1->internalblue==0.4)
  Downloading requests-2.29.0-py3-none-any.whl (62 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.5/62.5 kB 328.6 kB/s eta 0:00:00
Requirement already satisfied: pip>=6.0.8 in ./venv/lib/python3.11/site-packages (from pwntools>=4.0.1->internalblue==0.4) (23.1.2)
Collecting pygments>=2.0 (from pwntools>=4.0.1->internalblue==0.4)
  Downloading Pygments-2.15.1-py3-none-any.whl (1.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.1/1.1 MB 981.5 kB/s eta 0:00:00
Collecting pysocks (from pwntools>=4.0.1->internalblue==0.4)
  Downloading PySocks-1.7.1-py3-none-any.whl (16 kB)
Collecting python-dateutil (from pwntools>=4.0.1->internalblue==0.4)
  Downloading python_dateutil-2.8.2-py2.py3-none-any.whl (247 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 247.7/247.7 kB 643.1 kB/s eta 0:00:00
Collecting packaging (from pwntools>=4.0.1->internalblue==0.4)
  Downloading packaging-23.1-py3-none-any.whl (48 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 48.9/48.9 kB 219.8 kB/s eta 0:00:00
Collecting psutil>=3.3.0 (from pwntools>=4.0.1->internalblue==0.4)
  Downloading psutil-5.9.5-cp36-abi3-macosx_10_9_x86_64.whl (245 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 245.3/245.3 kB 622.6 kB/s eta 0:00:00
Collecting intervaltree>=3.0 (from pwntools>=4.0.1->internalblue==0.4)
  Downloading intervaltree-3.1.0.tar.gz (32 kB)
  Preparing metadata (setup.py) ... done
Collecting sortedcontainers (from pwntools>=4.0.1->internalblue==0.4)
  Downloading sortedcontainers-2.4.0-py2.py3-none-any.whl (29 kB)
Collecting unicorn>=1.0.2rc1 (from pwntools>=4.0.1->internalblue==0.4)
  Downloading unicorn-2.0.1.post1.tar.gz (2.8 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.8/2.8 MB 1.0 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Collecting six>=1.12.0 (from pwntools>=4.0.1->internalblue==0.4)
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting rpyc (from pwntools>=4.0.1->internalblue==0.4)
  Downloading rpyc-5.3.1-py3-none-any.whl (74 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 74.0/74.0 kB 422.2 kB/s eta 0:00:00
Collecting colored-traceback (from pwntools>=4.0.1->internalblue==0.4)
  Downloading colored-traceback-0.3.0.tar.gz (3.8 kB)
  Preparing metadata (setup.py) ... done
Requirement already satisfied: attrs>=16.3.0 in ./venv/lib/python3.11/site-packages (from cmd2->internalblue==0.4) (23.1.0)
Requirement already satisfied: pyperclip>=1.6 in ./venv/lib/python3.11/site-packages (from cmd2->internalblue==0.4) (1.8.2)
Requirement already satisfied: wcwidth>=0.1.7 in ./venv/lib/python3.11/site-packages (from cmd2->internalblue==0.4) (0.2.6)
Requirement already satisfied: pyobjc-core==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-AddressBook==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-AppleScriptKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-ApplicationServices==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Automator==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CFNetwork==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Cocoa==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreAudio==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreAudioKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreData==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreMIDI==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreServices==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreText==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-DiscRecording==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-DiscRecordingUI==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-DiskArbitration==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-DVDPlayback==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-ExceptionHandling==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-InstallerPlugins==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-IOBluetooth==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-IOBluetoothUI==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-LatentSemanticMapping==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-LaunchServices==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-OSAKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-PreferencePanes==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Quartz==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-ScreenSaver==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Security==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-SecurityFoundation==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-SecurityInterface==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-SearchKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-SyncServices==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-SystemConfiguration==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-WebKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-AppleScriptObjC==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreLocation==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreWLAN==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-ImageCaptureCore==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-IOSurface==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-NetFS==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-OpenDirectory==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-ServiceManagement==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-iTunesLibrary==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-AVFoundation==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreMedia==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreMediaIO==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-IMServicePlugIn==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-StoreKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-SceneKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-libdispatch==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-libxpc==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-AudioVideoBridging==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Accounts==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-EventKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-GameCenter==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Social==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-GameKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-VideoToolbox==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-AVKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-GameController==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-MapKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-MediaAccessibility==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-MediaLibrary==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-MediaToolbox==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-SpriteKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CloudKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreBluetooth==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CryptoTokenKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-FinderSync==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-LocalAuthentication==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-MultipeerConnectivity==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-NotificationCenter==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Contacts==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-ContactsUI==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Metal==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-MetalKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-ModelIO==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-NetworkExtension==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Photos==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-PhotosUI==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-SafariServices==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-GameplayKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Intents==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-MediaPlayer==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-ColorSync==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreML==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CoreSpotlight==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-ExternalAccessory==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-MetalPerformanceShaders==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Vision==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-AdSupport==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-BusinessChat==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-NaturalLanguage==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Network==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-UserNotifications==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-VideoSubscriberAccount==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-CalendarStore==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-Collaboration==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-DictionaryServices==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-FSEvents==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-InputMethodKit==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-InstantMessage==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Requirement already satisfied: pyobjc-framework-ScriptingBridge==9.1.1 in ./venv/lib/python3.11/site-packages (from pyobjc->internalblue==0.4) (9.1.1)
Collecting MarkupSafe>=0.9.2 (from mako>=1.0.0->pwntools>=4.0.1->internalblue==0.4)
  Downloading MarkupSafe-2.1.2-cp311-cp311-macosx_10_9_x86_64.whl (13 kB)
Collecting bcrypt>=3.2 (from paramiko>=1.15.2->pwntools>=4.0.1->internalblue==0.4)
  Downloading bcrypt-4.0.1-cp36-abi3-macosx_10_10_universal2.whl (473 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 473.4/473.4 kB 879.8 kB/s eta 0:00:00
Collecting cryptography>=3.3 (from paramiko>=1.15.2->pwntools>=4.0.1->internalblue==0.4)
  Downloading cryptography-40.0.2-cp36-abi3-macosx_10_12_x86_64.whl (2.8 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.8/2.8 MB 1.0 MB/s eta 0:00:00
Collecting pynacl>=1.5 (from paramiko>=1.15.2->pwntools>=4.0.1->internalblue==0.4)
  Downloading PyNaCl-1.5.0-cp36-abi3-macosx_10_10_universal2.whl (349 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 349.9/349.9 kB 797.6 kB/s eta 0:00:00
Collecting charset-normalizer<4,>=2 (from requests>=2.0->pwntools>=4.0.1->internalblue==0.4)
  Downloading charset_normalizer-3.1.0-cp311-cp311-macosx_10_9_x86_64.whl (123 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 123.7/123.7 kB 546.9 kB/s eta 0:00:00
Collecting idna<4,>=2.5 (from requests>=2.0->pwntools>=4.0.1->internalblue==0.4)
  Downloading idna-3.4-py3-none-any.whl (61 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 61.5/61.5 kB 314.4 kB/s eta 0:00:00
Collecting urllib3<1.27,>=1.21.1 (from requests>=2.0->pwntools>=4.0.1->internalblue==0.4)
  Downloading urllib3-1.26.15-py2.py3-none-any.whl (140 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 140.9/140.9 kB 615.6 kB/s eta 0:00:00
Collecting certifi>=2017.4.17 (from requests>=2.0->pwntools>=4.0.1->internalblue==0.4)
  Downloading certifi-2022.12.7-py3-none-any.whl (155 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 155.3/155.3 kB 664.5 kB/s eta 0:00:00
Collecting plumbum (from rpyc->pwntools>=4.0.1->internalblue==0.4)
  Downloading plumbum-1.8.1-py3-none-any.whl (126 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 126.7/126.7 kB 524.8 kB/s eta 0:00:00
Collecting cffi>=1.12 (from cryptography>=3.3->paramiko>=1.15.2->pwntools>=4.0.1->internalblue==0.4)
  Downloading cffi-1.15.1-cp311-cp311-macosx_10_9_x86_64.whl (179 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 179.2/179.2 kB 646.2 kB/s eta 0:00:00
Collecting pycparser (from cffi>=1.12->cryptography>=3.3->paramiko>=1.15.2->pwntools>=4.0.1->internalblue==0.4)
  Downloading pycparser-2.21-py2.py3-none-any.whl (118 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 118.7/118.7 kB 543.1 kB/s eta 0:00:00
Building wheels for collected packages: capstone, intervaltree, unicorn, colored-traceback
  Building wheel for capstone (setup.py) ... done
  Created wheel for capstone: filename=capstone-5.0.0rc2-py3-none-macosx_10_14_x86_64.whl size=2306126 sha256=fcf4d8ac4ab1daf7f76a405b634fe9c2a97a3a4c69887e49498680b11624c547
  Stored in directory: /Users/user/Library/Caches/pip/wheels/44/52/03/d5d67f9fdb666e1997c2f0991575ce8b14e45fecfd9b398ede
  Building wheel for intervaltree (setup.py) ... done
  Created wheel for intervaltree: filename=intervaltree-3.1.0-py2.py3-none-any.whl size=26099 sha256=a688ee6c48e644c69164983ac3a01f5ed9f3c89bb18ccef1f00f983a2b5c8799
  Stored in directory: /Users/user/Library/Caches/pip/wheels/31/d7/d9/eec6891f78cac19a693bd40ecb8365d2f4613318c145ec9816
  Building wheel for unicorn (setup.py) ... error
  error: subprocess-exited-with-error
  
  × python setup.py bdist_wheel did not run successfully.
  │ exit code: 1
  ╰─> [1 lines of output]
      error: [Errno 2] No such file or directory: 'cmake'
      [end of output]
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
  ERROR: Failed building wheel for unicorn
  Running setup.py clean for unicorn
  Building wheel for colored-traceback (setup.py) ... done
  Created wheel for colored-traceback: filename=colored_traceback-0.3.0-py3-none-any.whl size=4608 sha256=f163bda109e202f98f740940d6fac5ba38ccf1e68df728fd2532de97a41abe35
  Stored in directory: /Users/user/Library/Caches/pip/wheels/45/a9/5f/635d7d8d70eb182fd22f2b0bebce713206e172769bea9f106a
Successfully built capstone intervaltree colored-traceback
Failed to build unicorn
ERROR: Could not build wheels for unicorn, which is required to install pyproject.toml-based projects

Additional context

While the brew install had warnings, the "pip install -e .[macoscore,binutils]" seemed to be going fine until it ran into the unicorn issue.

Note, I had successfully run "pip install -e .[macoscore]" without binutils and run InternalBlue previously, but then I went back and wanted to try to remove the warning about no pwntools.

Will this board work with "Internalblue" - CYW920819EVB-02

Hi,

Will this board work with Internalblue:

https://www.mouser.de/ProductDetail/Cypress-Semiconductor/CYW920819EVB-02?qs=%2Fha2pyFadugICnogBdJ27y6wc6auC18DiNMDVcMRKbY1cC%2FDSbgy9g%3D%3D

Seems like this is 02 revision.

Seems like it is also supported by Internalblue

FW_NAME = "CYW20819A1"

Not sure if in this revision.

Want to use it for: https://github.com/francozappa/bias tests.

Thanks,

Unable to connect to Evaluation Board CYW20735

Hi,

I have an issue connecting to the Evaluation board CYW20735. The jumpers on the board are set as default and the demo application from WICED can be successfully downloaded to the board. But it seems that Internalblue does not identify it as a Cypress chipset. I printed out the vendor ID, and it is 29 (0x1D). The screenshot is attached below:
image

Do I do something wrong or forget to set something? I appreciate your help in advance!

Respectfully,
Ruoyu

Installing patch for GEN_PRIV_KEY failed

Hello. Thank you for creating many PoCs and releasing.

  • name: Question
  • about: CVE_2018_5383_Invalid_Curve_Attack_PoC.py
  • title: Installing patch for GEN_PRIV_KEY failed
  • labels: Nexus5, android6_0_1, CVE-2018-5383
  • assignees: ''

Executing the script on a Nexus 5 (android6_0_1) as follows, it produced a critical log. What should I do? (python2 or 3?)

$ python3 ./CVE_2018_5383_Invalid_Curve_Attack_PoC.py 
[*] Found multiple adb devices
[*] Connected to 03946575437f3025
[*] Chip identifier: 0x6109 (003.001.009)
[*] Using fw_0x6109.py
[*] Loaded firmware information for BCM4335C0.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] Writing hooks to 0xd7800...
[*] Installing hook patches...
[*]   - Hook public key receive path to replace y-coordinate with zero
[*] patchRom: Reusing slot for address 0x2fed8: 113
[*]   - Hook public key send path to replace y-coordinate with zero
[*] patchRom: Reusing slot for address 0x30098: 114
[*]   - Hook private key generation function to always produce even private key
[!] patchRom: patch (b'\x00\x00\x8e\xf0\xa2\xfc') must be a 32-bit dword!
[CRITICAL] Installing patch for GEN_PRIV_KEY failed!

FYI, I installed internalblue as follows according to doc/setup.md and could execute KNOB.py

$ sudo apt update && sudo apt upgrade -y
$ sudo apt install python3-pip
$ pip install --upgrade https://github.com/seemoo-lab/internalblue/archive/master.zip
$ pip install cmd2 pure-python-adb pwntools pyelftools
$ cd internalblue/android/android6_0_1/
$ adb push bluetooth.default.so /sdcard/bluetooth.default.so
$ adb shell 'su -c "mount -o remount,rw /system"'
$ adb shell 'su -c "cp /sdcard/bluetooth.default.so /system/lib/hw/bluetooth.default.so"'
$ adb shell 'su -c "chmod 644 /system/lib/hw/bluetooth.default.so"'
$ adb shell 'su -c "chown root:root /system/lib/hw/bluetooth.default.so"'
$ cd ../../examples/nexus5/
$ ./KNOB_PoC.py

/verifsec

RPI3 KNOB PoC, error : _sendThreadFunc: No response from the firmware.

Hello, I recently installed InternalBlue on my Raspberry Pi 3 (with the latest Raspberry OS).
Everything seems to work fine, so I decided to try the KNOB_PoC.py script. When I run KNOB_PoC.py I get this:

[*] HCI device: hci0 [B8:AA:BB:CC:7B:3D] flags=13
[*] Connected to hci0
[*] Chip identifier: 0x2209 (001.002.009)
[*] Using fw_0x2209.py
[*] Loaded firmware information for BCM43430A1.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] Installing patch which ensures that send_LMP_encryption_key_size_req is always len=1!
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=310204, len=20)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=310204, len=20)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=310204, len=20)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=310204, len=20)
[!] readMem: failed!

Can you help me solve this problem, please? I don't know why the script failed...
I've tried downgrading the firmware, but that doesn't work...

Internalblue CLI hang up and no memdump.bin exist when dumping RAM on Raspberry Pi 4b (BCM4345C0)

Describe the bug

Hi
I have tried to use the dumpmem command on a Raspberry Pi 4b, but the Internalblue CLI hangs after the Received Data: complete message appears.

Hardware and operating system

Raspberry Pi 4b latest version with internal HCI bluetooth controller (BCM4345C0)

To Reproduce

dumpmem command

Logs or screenshots

[*] HCI device: hci0  [DC:A6:32:B7:20:10]  flags=5<UP RUNNING>
[*] Found multiple adb devices
 [?] Please specify device:
    => 1) hci: DC:A6:32:B7:20:10 (hci0) <UP RUNNING>
       2) adb: 07a6d474012a4eab (Nexus 5)
[*] Connected to hci0
[*] Chip identifier: 0x6119 (003.001.025)
[*] Using fw_0x6119.py
[*] Loaded firmware information for BCM4345C0.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] Starting commandLoop for reference <internalblue.hcicore.HCICore object at 0xb5a9f230>
> dumpmem
[*] No template found. Need to read ROM sections as well!
[*] Writing chip-specific template to /root/.internalblue/memdump_BCM4345C0_template.bin...
[+] Initialize internal memory image: Received Data: complete
> q
[*] Shutdown complete.
[*] Goodbye
pi@xiaolu-pi4b-A:~ $ ls
aircrack-ng-1.6  bt-tester     internalblue-py2    ofono-1.21
bluez-5.54       internalblue  libbtbb-2018-12-R1  ubertooth-2018-12-R1
pi@xiaolu-pi4b-A:~ $

Additional context

Another BCM20702A1 chip (USB Controller) works ok.

Raspberry pi Version

Hi,
I would like to know which Raspberry Pi version is suitable for running InternalBlue, because I tried with the Raspberry Pi version 4 and the latest Raspbian image, but I am not able to capture the pairing packets.

Thanks in advance.

How to get function address ?

When using Frankenstein for a new device, I want to get a snapshot of it. I tried to use the "xmit_state" command, but it requires a function address and I cannot get it now.
Is there any method to acquire the address?

Adapting BLE PoC

Hi,
I'm trying to adapt the BLE PoC for the CYW20735 evaluation board, but I'm a bit confused. I don't understand why multiple functions are hooked; wouldn't _connTaskRxDone be enough? What's the difference with the hook used for the Nexus 5?

Thanks a lot for this great work !

_sendThreadFunc: No response from the firmware.

Hi~
I have already watched your excellent 35C3 talk Dissecting Broadcom Bluetooth and tried to do a similar task on my own Nexus 5. However, I received some Python errors when I tried to connect to my phone. I have already synced AOSP with branch android-5.1.1_r3 and recompiled the Bluetooth stack bluetooth.default.so with the bdroid_CFLAGS='-DBT_NET_DEBUG=TRUE' parameter. The Nexus 5 can enable Bluetooth in the system settings properly after I push the new dynamic library file to the path /system/lib/hw/. So where did it go wrong?
Additional information:
OS version: Ubuntu 18.04 LTS amd64
Python version: 2.7.15rc1
Nexus 5 Android version: Android 5.1.1

And here is the traceback:

[*] Running hcitool with sudo...
[*] Found one HCI device, hci: B4:6D:83:86:70:21 (hci0)
 [?] Please specify device:
    => 1) adb: 07a6d474012a4eab (Nexus 5)
       2) hci: B4:6D:83:86:70:21 (hci0)
[*] Connected to 07a6d474012a4eab
[!] sendHciCommand: waiting for response timed out!
Traceback (most recent call last):
[!] _sendThreadFunc: No response from the firmware.
  File "/usr/local/bin/internalblue", line 11, in <module>
    load_entry_point('internalblue==0.1', 'console_scripts', 'internalblue')()
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/cli.py", line 130, in internalblue_cli
    if not reference.connect():
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/core.py", line 659, in connect
    self.initialize_fimware()
  File "/usr/local/lib/python2.7/dist-packages/internalblue-0.1-py2.7.egg/internalblue/core.py", line 679, in initialize_fimware
    if (u8(version[9]) != 0x00 or u8(version[8]) != 0x0f):
TypeError: 'NoneType' object has no attribute '__getitem__'

Monitoring LMP packets...

Hi, first of all thank you for this interesting research.
I'm trying to use InternalBlue with my Sony Z3 Compact, which, from what I understand, should have the same Bluetooth chip as the Nexus 5.
I need this tool to experiment with the KNOB attack (https://github.com/francozappa/knob) but I'm having several problems, including not being able to see LMP messages in Wireshark.

I have compiled and flashed on the device Android AOSP 6.0.1 following both your guide and the specific one from Sony.
I also compiled the bluetooth.default.so and flashed with the Debugging Features enabled.

At this moment InternalBlue seems to connect properly to the device (see the attached screens), but when I open the monitor I can't see any message on the LMP protocol layer.

Screenshot 1
Screenshot 2

I also attach the Wireshark capture.
https://drive.google.com/open?id=1LJSv2HaEm92DLKmY7TtRAAe2VNDiGCtu

What am I doing wrong?
Many thanks in advance,
Alessandro

core.py - Python3 problem

I am getting a Python error (TypeError: can't concat str to bytes)
at line 1196 in core.py. Can you please help me fix it?
I am running a Nexus 5 (Android 6.0.1) paired to an iPhone X.
internal blue core error

bobwilmes@bobwilmes:~$ adb devices

* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
0759f01913d7c4c2 device

bobwilmes@bobwilmes:~$ cd internalblue
bobwilmes@bobwilmes:~/internalblue$ ls
android_bluetooth_stack dummymemdump.bin examples internalblue internalblue_thesis_dennis_mantz.pdf ios-internalblued linux_bluez macos-framework mypy.ini README.md setup.py tests
bobwilmes@bobwilmes:~/internalblue$ ls examples/nexus5
BLE_Reception_PoC.py CVE_2018_5383_Invalid_Curve_Attack_PoC.py KNOB_PoC.py LMP_MAC_Address_Filter.py NiNo_PoC.py
bobwilmes@bobwilmes:~/internalblue$ sudo python3 examples/nexus5
[sudo] password for bobwilmes:
/usr/bin/python3: can't find '__main__' module in 'examples/nexus5'
bobwilmes@bobwilmes:~/internalblue$ sudo python3 examples/nexus5/KNOB_PoC.py
[*] Found multiple adb devices
[*] Connected to 0759f01913d7c4c2
[*] Chip identifier: 0x6109 (003.001.009)
[*] Using fw_0x6109.py
[*] Loaded firmware information for BCM4335C0.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] Installing patch which ensures that send_LMP_encryptoin_key_size_req is always len=1!
[*] patchRom: Choosing next free slot: 113
Traceback (most recent call last):
  File "examples/nexus5/KNOB_PoC.py", line 42, in <module>
    internalblue.writeMem(0x203797, '\x01') # global key entropy
  File "/usr/local/lib/python3.6/dist-packages/internalblue/core.py", line 1196, in writeMem
    p32(write_addr) + data[byte_counter : byte_counter + blocksize],
TypeError: can't concat str to bytes
bobwilmes@bobwilmes:~/internalblue$
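
The TypeError in that traceback comes from handing a Python 2 style str literal ('\x01') to a loop that prepends the bytes p32 returns under Python 3. As an added example (not InternalBlue's own code), the chunking helper below reproduces the loop shape with a stand-in p32, rejects str early with a clear message, and shows the bytes literal that works; the address and the list-of-payloads "transport" are constructed for illustration.

```python
import struct


def p32(value: int) -> bytes:
    """Little-endian 32-bit pack; stand-in for pwntools' p32 (assumption)."""
    return struct.pack("<I", value)


def build_write_chunks(write_addr: int, data, blocksize: int = 0xF0) -> list:
    """Split a memory write into per-block payloads of address + data.

    This mirrors the loop shape seen in the traceback (p32(addr) + slice of
    data) for a hypothetical transport; nothing is sent anywhere.
    Accepting only bytes turns the opaque "can't concat str to bytes"
    into an explicit error at the call site.
    """
    if isinstance(data, str):
        raise TypeError(
            "data must be bytes: write b'\\x01', not '\\x01' (Python 3 str)"
        )
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("data must be bytes or bytearray")
    if blocksize <= 0:
        raise ValueError("blocksize must be positive")

    chunks = []
    byte_counter = 0
    while byte_counter < len(data):
        block = bytes(data[byte_counter:byte_counter + blocksize])
        # Each block carries its own absolute address, advanced per block.
        chunks.append(p32(write_addr + byte_counter) + block)
        byte_counter += blocksize
    return chunks


def demo() -> tuple:
    """Constructed sample: a one-byte write at a made-up address."""
    addr = 0x200000  # constructed address, not a real firmware location
    good = build_write_chunks(addr, b"\x01")
    try:
        build_write_chunks(addr, "\x01")  # the Python 2 habit that fails
        str_rejected = False
    except TypeError:
        str_rejected = True
    return good, str_rejected


if __name__ == "__main__":
    payloads, rejected = demo()
    print(payloads, rejected)
```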

Receives "socket.timeout: timed out"

I'm currently facing an issue when connecting my rooted Nexus 5 to a Raspberry Pi 4 and running InternalBlue. I have already pushed the patched bluetooth.default.so file via adb, and still this error persists. I can't figure out what's really the issue here. Thanks in advance.

Cannot send LMP packet

Hi,

It's a very capable framework and it's much easier to deal with the firmware and low-level Bluetooth packets.

It works well except when I use the framework to send an LMP packet to another device. I encountered some errors and couldn't send the packet.

I was using the Nexus 5 phone (Android 6.0.1) with the library bluetooth.default.so from this repo. I can connect to the chip from my laptop and run some commands (like hexdump, trace add). When I connected to a device and sent an LMP packet, the following error occurred. I got an error with error status 2.

image

I captured all the traffic via monitor start with Wireshark, and it can be accessed at the link:
https://drive.google.com/open?id=1oUN3fm3ln33NPhmZ-2NeufH-3Adc6fAx

I've also tried with the evaluation board CYW920735 and Raspberry Pi 3 Model B. I got error status 0x12 from both of these two devices.

What might be the problem?

Thanks in advance.

Modify incoming LMP messages

Thank you for creating this extraordinary software and releasing it publicly.

Is it possible to modify incoming LMP messages before they are parsed by the chip? I'd particularly like to modify received LMP_features_res packets.

Error while performing Knob attack using Nexus 5 with Lineage 14.1 os

Hi, please, it's urgent. When I try to perform the KNOB attack, every time I get the same issue, i.e.,

[*] Found multiple adb devices
[*] Connected to 035be4a421519e6f
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] initialize_fimware: Failed to send a HCI command to the Bluetooth driver.
adb: Check if you installed a custom bluetooth.default.so properly on your
Android device. bluetooth.default.so must contain the string 'hci_inject'.
hci: You might have insufficient permissions to send this type of command.
[!] connect: Failed to initialize firmware!

I do not know how to resolve it. My setup: I am using a rooted Nexus 5 with Lineage 14.1 OS installed. I also copied the bluetooth.default.so file into the /system/lib/hw directory. I followed the same steps given in the nexus5 folder.

SyntaxError : invalid syntax

Hi,

I have tried to run the command with python(python2).

~/internalblue$ sudo python -m internalblue.cli

I got the following error.

Screenshot 2020-07-06 12:15:38 PM

Could you please let me know what is the solution for this issue?

cmd2 version issue

Describe the bug

Internalblue won't build properly with cmd2 version 0.8.5 or 2.4.0

Hardware and operating system

Ubuntu 20.04

To Reproduce

python3 -m internalblue.cli

Logs or screenshots

Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 193, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/home/ubuntu/Desktop/internalblue/internalblue/cli.py", line 48, in <module>
    from cmd2 import fg, style
ImportError: cannot import name 'fg' from 'cmd2' (/home/ubuntu/.local/lib/python3.8/site-packages/cmd2/__init__.py)

Additional context

Strange behaviour of CYW920819EVB-02

Hello,

I noticed that when using the CYW920819EVB-02 dev board with internalblue on Linux, the chip identifier has a strange value of 0x2305, and the initialisation then falls back to using the default fw.py file.

I browsed through the available files and identified that fw_0x220c.py should contain the values for this board, so I copied the file and renamed it to fw_0x2305.py to get it matched with the board. However, I am not sure that this approach, or the values, is correct.

My question thus is, why does the chip identifier differ?

Thank you very much!

Nexus 5: unable to locate symbol __android_log_error_write

I am using a rooted Nexus 5 running an otherwise unmodified factory Android 6.0.1. I am testing with master (1abc8c7 as of this writing).

I followed the instructions to install the patched bluetooth.default.so from the android6_0_1 subdirectory, but I am unable to enable Bluetooth after doing so. The following error appears in logcat output:

dlopen failed: cannot locate symbol "__android_log_error_write" referenced by "/system/lib/hw/bluetooth.default.so"...

The above error goes away if I replace bluetooth.default.so with the factory version, but obviously I can't use internalblue with the factory version.

Monitor LMP packets | Best hardware

I plan to conduct braktooth attacks on the rooted android device and would like to monitor the LMP packets. Is this possible, if yes, which device would you suggest for this exercise?

Hexdump the 0x260000 section from Rasp Pi

Hi,

The Bluetooth stack crashes when we do hexdump from Rasp Pi starting from 0x260000. The log:

[*] No adb devices found.
[*] HCI device: hci0  [B8:27:EB:0F:72:E3]  flags=13<UP RUNNING PSCAN>
[*] Connected to hci0
[*] Chip identifier: 0x2209 (001.002.009)
[*] Using fw_0x2209.py
[*] Loaded firmware information for BCM43430A1.
[*] Try to enable debugging on H4 (warning if not supported)...
[!] _sendThreadFunc: Sending to socket failed, reestablishing connection.
    With HCI sockets, some HCI commands require root!
> 
> hexdump -l 16 0x260000
[!] Received Evaluation Stack-Dump Event (contains 10 registers):
[!] pc: 0x0006b4e4   lr: 0x0006b575   sp: 0x0021f728   r0: 0x00260000   r1: 0x00000010
    r2: 0x0021f76e   r3: 0x80000000   r4: 0x00000000   r5: 0x002117b4   r6: 0x0001c025
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=260000, len=10)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=260000, len=10)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=260000, len=10)
[!] _sendThreadFunc: No response from the firmware.
[!] sendHciCommand: waiting for response timed out!
[!] readMem: No response to readRAM HCI command! (read_addr=260000, len=10)
[!] readMem: failed!
[!] Command failed: hexdump -l 16 0x260000
> exit
[*] Shutdown complete.
[*] Goodbye

Thank you!

Port to Python 3

Python 2 is being deprecated in a month; some distributions, e.g. Fedora, have started to remove python2-related packages from the default installations. It would be awesome to migrate this tool too.

CLI interface bug

I got this error unexpectedly when I pressed the "up arrow" key in the CLI while running InternalBlue. This case should be properly handled...

Traceback:
[CRITICAL] Uncaught exception (can't concat str to bytes). Abort.
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/readline.py", line 398, in readline
keymap.handle_input()
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/keymap.py", line 24, in handle_input
self.send(key.get())
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/keymap.py", line 52, in send
cb(self.trace)
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/readline.py", line 205, in history_prev
set_buffer(history[history_idx], '')
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/readline.py", line 148, in set_buffer
redisplay()
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/readline.py", line 120, in redisplay
ret = complete_hook(buffer_left, buffer_right)
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/completer.py", line 45, in complete
w = self._get_word(buffer_left)
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/completer.py", line 32, in _get_word
if left[i] in self.delims:
TypeError: 'in ' requires string as left operand, not int

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/internalblue-0.4-py3.6.egg/internalblue/cli.py", line 81, in commandLoop
pwnlib.term.readline.readline(prompt="> ").strip().decode("utf-8")
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/readline.py", line 412, in readline
line = buffer_left + buffer_right + '\n'
TypeError: can't concat str to bytes

Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/readline.py", line 398, in readline
keymap.handle_input()
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/keymap.py", line 24, in handle_input
self.send(key.get())
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/keymap.py", line 52, in send
cb(self.trace)
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/readline.py", line 205, in history_prev
set_buffer(history[history_idx], '')
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/readline.py", line 148, in set_buffer
redisplay()
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/readline.py", line 120, in redisplay
ret = complete_hook(buffer_left, buffer_right)
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/completer.py", line 45, in complete
w = self._get_word(buffer_left)
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/completer.py", line 32, in _get_word
if left[i] in self.delims:
TypeError: 'in ' requires string as left operand, not int

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/bin/internalblue", line 11, in
load_entry_point('internalblue==0.4', 'console_scripts', 'internalblue')()
File "/usr/local/lib/python3.6/dist-packages/internalblue-0.4-py3.6.egg/internalblue/cli.py", line 163, in internalblue_entry_point
return internalblue_cli(sys.argv[1:])
File "/usr/local/lib/python3.6/dist-packages/internalblue-0.4-py3.6.egg/internalblue/cli.py", line 308, in internalblue_cli
commandLoop(reference, init_commands=args.commands)
File "/usr/local/lib/python3.6/dist-packages/internalblue-0.4-py3.6.egg/internalblue/cli.py", line 81, in commandLoop
pwnlib.term.readline.readline(prompt="> ").strip().decode("utf-8")
File "/usr/local/lib/python3.6/dist-packages/pwntools-4.2.0b0-py3.6.egg/pwnlib/term/readline.py", line 412, in readline
line = buffer_left + buffer_right + '\n'
TypeError: can't concat str to bytes

Installed... but doesn't run...

Hi... I'm using WSL Kali...
After installing deps and setup I tried to run the program...

but all i got was this

dak47@ASUS:~$ sudo python2 -m internalblue.cli
[sudo] password for dak47:


/ /_ / /____ _______ ___ / / _ )/ / _____
/ // _ / __/ -) / _ / _ `/ / _ / / // / -)
/
////_/_// ////_,////_,/_/

type <help -v> for usage information!

dpkg-query: no path found matching pattern bin/armeabilinux*-as*
[!] pwntools cannot find binutils for arm architecture. Disassembling will not work!
dpkg-query: no path found matching pattern bin/armeabilinux*-as*
[!] pwntools cannot find binutils for arm architecture. Disassembling will not work!
[ERROR] './adb' does not exist
[*] No adb devices found.
Traceback (most recent call last):
File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
"main", fname, loader, pkg_name)
File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
exec code in run_globals
File "/usr/local/lib/python2.7/dist-packages/internalblue/cli.py", line 171, in
internalblue_cli()
File "/usr/local/lib/python2.7/dist-packages/internalblue/cli.py", line 132, in internalblue_cli
devices.extend(connection_method.device_list())
File "/usr/local/lib/python2.7/dist-packages/internalblue/hcicore.py", line 115, in device_list
for dev in self.getHciDeviceList():
File "/usr/local/lib/python2.7/dist-packages/internalblue/hcicore.py", line 47, in getHciDeviceList
s = socket.socket(socket.AF_BLUETOOTH, socket.SOCK_RAW, socket.BTPROTO_HCI)
File "/usr/lib/python2.7/socket.py", line 191, in init
_sock = _realsocket(family, type, proto)
socket.error: [Errno 97] Address family not supported by protocol
dak47@ASUS:~$

Some ideas?

KNOB PoC on Raspberry Pi 3

Hello,

I am trying to use the provided example for the KNOB attack on a Raspberry Pi 3 (BCM43430A1), running the latest Raspbian version. I followed all installation instructions and running the KNOB_PoC.py script on my Raspberry Pi 3 works fine.
When pairing the RPi 3 with an old iPhone 3GS everything seems to work fine; the device does not warn about the encryption key size and establishes a connection successfully.
When pairing with an iPhone SE (2016), iOS gives a warning that an insecure connection is about to be established, but after allowing the connection establishment, everything works fine and the devices are connected.
While there seems to be no issue with iOS, I am not able to connect to any Android device after installing the KNOB patch. I tried connecting a Motorola Moto G3 (the same that was used in the original KNOB attack) and a Samsung Galaxy S3, which is even older and should therefore also be vulnerable to the KNOB attack. The problem occurs when trying to connect after pairing, and on every connection that is initiated by either device after a successful pairing. Without the KNOB patch everything works fine with these Android devices.

During pairing I get the following error message:
Connection Failed - GDBus.Error.org.bluez.Error.Failed: Resource temporarily unavailable. Try to connect manually.

btmon gives the following output while pairing:

2021-01-19-171344_1920x1080_scrot

It always seems that there is a short time interval where the devices are connected, but they seem to disconnect immediately. After pairing it seems as if the Moto G3 is rejecting the reduced key size, which I suppose should not be the case as the device should be vulnerable. On every further connection request it seems as if the connection is aborted before the key exchange starts.

btmon gives the following output when trying to connect:

2021-01-19-171412_1920x1080_scrot

I have no idea what to do to make the devices connect successfully, so help would be appreciated here.

In addition to that, I am not able to get Wireshark or btmon to follow LMP packets in detail, to see what the actual problem is. I tried both the Wireshark plugin from this repository (h4bcm_wireshark_dissector) and the Wireshark plugin from the original KNOB repository, but there are no LMP packets in the capture.
I also tried to enable diagnostics for BlueZ (with echo 1 > /sys/kernel/debug/bluetooth/hci0/vendor_diag) but the file vendor_diag does not exist.

Do you have any suggestions on how to make LMP packets visible either using wireshark or some other tool?

Thank you in advance.

exec usage: how to decide the return address

Hi,

I am a CS PhD student at Purdue. We are playing with Bluetooth firmware these days. We have the following two questions:

  1. According to the help (and the code), exec (func CmdExec in cmds.py) is for "Writing assembler instructions to RAM and jumps there". I am wondering how to write the epilogue of the assembler instructions we jump to. That is, how we decide where to branch (return) at the end without crashing the firmware (on CR3). I have tried 0x201, which is the entry point. But apparently, it does not work.
    P.S. the desired return address does not necessarily have to be the "true" one (the PC address before jumping). I just want to branch somewhere without crashing the core.

  2. According to the Cypress datasheet and the source code of the Broadcom Bluetooth drivers (linux: 115L, android: 634L), before patching (sending write memory commands), hci_download_minidriver (0xfc2e) will be sent. However, I do not see such a command being passed to the Bluetooth chip in the internalblue framework. Could you explain why you don't have to enter the minidriver mode?

Could you give us some help? Really appreciate your help!
Ruoyu

Packet Injection on LCP (BLE Link Layer)

Hello, I was wondering about the LMP packet injection feature. It's mentioned that in some firmwares it's possible to send invalid LMP. Is InternalBlue limited to LMP only, or can invalid raw packets also be injected at the Bluetooth Low Energy Link Layer?
Thanks

Regarding Frida on iPhone 8 for key exchange!

Hello, I am trying to perform the key change using Frida on an iPhone 8. But my iOS version is 13.5.1 and the given code supports iOS 14.2 / 14.4 on the iPhone 8. Can anyone tell me how to find the base addresses?

var OI_HCIIfc_DataReceived = base.add(0xee5a4); // iOS 14.1, iPhone 12
// var OI_HCIIfc_DataReceived = base.add(0xed9f8); // iOS 14.8, iPhone 8
// var OI_HCIIfc_DataReceived = base.add(0xed0b8); // iOS 14.4, iPhone 8
How exactly can I calculate these base address values for my iOS 13.5 iPhone 8?

[!] CONNECTION_MAX not defined in fw.

Describe the bug

I get the error "[!] CONNECTION_MAX not defined in fw." when I do "info connections"

Hardware and operating system

Mac Mini Late 2014 -> BCM20702B0, macOS Mojave (10.14.6)

To Reproduce

After launching internalblue:

> info connections
[!] CONNECTION_MAX not defined in fw.

(note: "set debug true" doesn't change result)

Additional context

What I'm actually trying to do is use sendlcp. I am assuming that "info connections" is the command I need to issue to see active connections, to pass as -c parameters to other commands like sendlcp. I am seemingly able to connectle to a BLE device, but then when I run sendlcp (which says "Connection index, starts at 0 for first connection."), it fails (and trying -c other than 0 fails worse).

> connectle 58:2C:BF:5F:88:1B
> sendlcp -c 0 0xAA
usage: sendlcp [-h] [-c CONN_INDEX] data
sendlcp: error: argument -c/--conn_index: invalid auto_int value: '0'
> sendlcp -c 1 0xAA
Traceback (most recent call last):
  File "/Users/user/Downloads/internalblue/venv/lib/python3.11/site-packages/cmd2/cmd2.py", line 2399, in onecmd_plus_hooks
    stop = self.onecmd(statement, add_to_history=add_to_history)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/Downloads/internalblue/venv/lib/python3.11/site-packages/cmd2/cmd2.py", line 2852, in onecmd
    stop = func(statement)
           ^^^^^^^^^^^^^^^
  File "/Users/user/Downloads/internalblue/venv/lib/python3.11/site-packages/cmd2/decorators.py", line 382, in cmd_wrapper
    return func(*args_list, **kwargs)  # type: ignore[call-arg]
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/Downloads/internalblue/internalblue/cli.py", line 1359, in do_sendlcp
    data = args.data.decode("hex")
           ^^^^^^^^^^^^^^^^
AttributeError: 'str' object has no attribute 'decode'
EXCEPTION of type 'AttributeError' occurred with message: 'str' object has no attribute 'decode'

Also, incidentally, how do I disconnect an existing connection?

Connect command doesn't work (possible Python error)

Hello,
First I want to express my thanks to everyone that has helped support this awesome project. I'm so excited to try this, but I'm not very experienced so it's possible I'm making a lot of rookie mistakes.

I'm using a rooted Nexus 5 running Android 6.0.1. Build number is M4B30Z

I followed the instructions detailed in the android_bluetooth_stack README, using the pre-compiled android6_0_1. I did no building of my own. I ran the "git apply" command before pushing the .so file and running the other adb commands.

I installed the h4bcm_wireshark_dissector following the instructions on that git page.

I didn't encounter any errors while following those steps so I assume I did them right.

USB debugging and HCI snoop logs are both enabled.

When I run internalblue, I can open wireshark through "monitor start" after selecting my adb interface. I don't see any LMP traffic when initiating a pair request or scan from the Nexus5.

When I try to connect using the internalblue "connect" command I get errors and the program exits. Screenshots provided below.

Once again, I'm sorry if this is a total newbie mistake, I'm just not sure what's going on.

Screenshot from 2020-04-06 04-57-52
Screenshot from 2020-04-06 04-06-46

TypeError: a bytes-like object is required, not 'int'

Describe the bug

Hello, I'm trying to use it on a Sony Z3 Compact, so I installed LineageOS 14.1 and installed the bluetooth.default.so for the Nexus 5 as it has the same Broadcom chip, but when I try to use the connect command I get an error.

Hardware and operating system

Sony z3c with lineageos 14.1 from https://volatilesystems.org/dl/lineageos/14.1/z3c/ and this bluetooth stack https://github.com/seemoo-lab/internalblue/tree/master/android/lineageos14_1_hammerhead .

To Reproduce

Logs or screenshots

Python log:

% ./internalblue .local/bin debian
dpkg-query: no path found matching pattern bin/armeabilinux*-as*
Could not find 'as' installed for ContextType(arch = 'thumb', bits = 32, endian = 'little')
Try installing binutils for this architecture:
https://docs.pwntools.com/en/stable/install/binutils.html
[!] pwntools cannot find binutils for arm architecture. Disassembling will not work!
dpkg-query: no path found matching pattern bin/armeabilinux*-as*
Could not find 'as' installed for ContextType(arch = 'thumb', bits = 32, endian = 'little')
Try installing binutils for this architecture:
https://docs.pwntools.com/en/stable/install/binutils.html
[!] pwntools cannot find binutils for arm architecture. Disassembling will not work!
[*] HCI device: hci0 [00:1A:7D:DA:71:11] flags=5
[*] Found multiple adb devices
[🍺] Please specify device:
1) hci: 00:1A:XX:XX:XX:XX (hci0)
2) adb: YT910ZTYAT (Xperia Z3C)
Choice [1]
2
[*] Connected to YT910ZTYAT
[*] Chip identifier: 0x6109 (003.001.009)
[*] Using fw_0x6109.py
[*] Loaded firmware information for BCM4335C0.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] Starting commandLoop for self.internalblue <internalblue.adbcore.ADBCore object at 0x7fdac5990208>


/ /_ / /____ _______ ___ / / _ )/ / _____
/ // _ / __/ -) / _ / _ `/ / _ / / // / -)
/
////_/_// ////_,////_,/_/

type <help -v> for usage information!

monitor start
[*] HCI Monitor started.
connect 1c:23:XX:XX:XX:XX
[*] [Connection Create initiated]
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.7/threading.py", line 917, in _bootstrap_inner
self.run()
File "/usr/lib/python3.7/threading.py", line 865, in run
self._target(*self._args, **self._kwargs)
File "/home/user/.local/lib/python3.7/site-packages/internalblue/adbcore.py", line 240, in _recvThreadFunc
hci.parse_hci_packet(record_data),
File "/home/user/.local/lib/python3.7/site-packages/internalblue/hci.py", line 918, in parse_hci_packet
return HCI.from_data(data)
File "/home/user/.local/lib/python3.7/site-packages/internalblue/hci.py", line 570, in from_data
return HCI_UART_TYPE_CLASS[uart_type].from_data(data[1:])
File "/home/user/.local/lib/python3.7/site-packages/internalblue/hci.py", line 644, in from_data
return HCI_Sco(handle, ps, u8(data[2]), data[3:])
File "/home/user/.local/lib/python3.7/site-packages/internalblue/utils/packing.py", line 17, in u8
return struct.unpack('B', num)[0]
TypeError: a bytes-like object is required, not 'int'

Android Logcat:
01-15 10:30:29.338 6638 6666 W %s legacy transmit of command. Use transmit_command instead.: transmit_downward
01-15 10:30:33.038 968 1113 D lights.msm8974: led [solid] = 6000ff00
01-15 10:30:33.096 968 1302 E BatteryStatsService: no controller energy info supplied
01-15 10:30:33.096 968 1302 E BatteryStatsService: no controller energy info supplied
01-15 10:30:33.097 968 3575 E BatteryStatsService: power: Missing API
01-15 10:30:33.142 968 1302 E BatteryStatsService: modem info is invalid: ModemActivityInfo{ mTimestamp=0 mSleepTimeMs=0 mIdleTimeMs=0 mTxTimeMs[]=[0, 0, 0, 0, 0] mRxTimeMs=0 mEnergyUsed=0}
01-15 10:30:34.378 6638 6665 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
01-15 10:30:34.450 6638 6669 W bt_btm : btm_acl_created hci_handle=12 link_role=1 transport=1
01-15 10:30:34.450 6638 6669 W bt_l2cap: L2CAP got conn_comp for unknown BD_ADDR
01-15 10:30:42.454 6638 6658 E bt_hci : command_timed_out hci layer timeout waiting for response to a command. opcode: 0x41d
01-15 10:30:42.454 6638 6658 E %s restarting the bluetooth process.: command_timed_out
01-15 10:30:42.455 6638 6658 I %s : ssr_cleanup
01-15 10:30:42.457 6638 6658 E bt_hci : hci_cmd_timeout: SOC Status is reset
01-15 10:30:42.457 6638 6658 E bt_hci :
01-15 10:30:42.524 2535 2535 D BluetoothInputDevice: Proxy object disconnected
01-15 10:30:42.524 2535 2535 D HidProfile: Bluetooth service disconnected
01-15 10:30:42.524 2535 2535 D BluetoothPan: BluetoothPAN Proxy object disconnected
01-15 10:30:42.524 2535 2535 D PanProfile: Bluetooth service disconnected
01-15 10:30:42.524 2535 2535 D BluetoothMap: Proxy object disconnected
01-15 10:30:42.524 2535 2535 D MapProfile: Bluetooth service disconnected
01-15 10:30:42.524 2535 2535 D BluetoothA2dp: Proxy object disconnected
01-15 10:30:42.525 2535 2535 D BluetoothPbap: Proxy object disconnected
01-15 10:30:42.525 2535 2535 D PbapServerProfile: Bluetooth service disconnected
01-15 10:30:42.525 968 2316 W BluetoothManagerService: Profile service for profile: ComponentInfo{com.android.bluetooth/com.android.bluetooth.hfp.HeadsetService} died.
01-15 10:30:42.527 968 968 D BluetoothManagerService: BluetoothServiceConnection, disconnected: com.android.bluetooth.btservice.AdapterService
01-15 10:30:42.527 968 968 D BluetoothManagerService: BluetoothServiceConnection, disconnected: com.android.bluetooth.gatt.GattService
01-15 10:30:42.527 968 968 D BluetoothA2dp: Proxy object disconnected
01-15 10:30:42.527 968 968 D AudioService: mConnectedBTDevicesList size 0
01-15 10:30:42.527 2535 5070 D BluetoothHeadset: Proxy object disconnected
01-15 10:30:42.527 2535 2535 D HeadsetProfile: Bluetooth service disconnected
01-15 10:30:42.527 968 2316 D BluetoothHeadset: Proxy object disconnected
01-15 10:30:42.528 2505 2530 D BluetoothHeadset: Proxy object disconnected
01-15 10:30:42.528 968 2316 D BluetoothHeadset: Proxy object disconnected
01-15 10:30:42.528 2150 2150 D BluetoothInputDevice: Proxy object disconnected
01-15 10:30:42.528 968 2316 D BluetoothHeadset: Proxy object disconnected
01-15 10:30:42.528 2150 2150 D HidProfile: Bluetooth service disconnected
01-15 10:30:42.529 2150 2150 D BluetoothPan: BluetoothPAN Proxy object disconnected
01-15 10:30:42.529 2150 2150 D PanProfile: Bluetooth service disconnected
01-15 10:30:42.530 2150 2150 D BluetoothMap: Proxy object disconnected
01-15 10:30:42.530 2150 2150 D MapProfile: Bluetooth service disconnected
01-15 10:30:42.531 968 1306 E BluetoothManagerService: MESSAGE_BLUETOOTH_SERVICE_DISCONNECTED(1)
01-15 10:30:42.531 968 1306 D BluetoothManagerService: Broadcasting onBluetoothServiceDown() to 5 receivers.
01-15 10:30:42.531 2150 2150 D BluetoothA2dp: Proxy object disconnected
01-15 10:30:42.531 968 1306 D BluetoothAdapter: onBluetoothServiceDown: Sending callbacks to 0 clients
01-15 10:30:42.531 968 1306 D BluetoothAdapter: onBluetoothServiceDown: Finished sending callbacks to registered clients
01-15 10:30:42.531 968 1306 D BluetoothManagerService: Sending BLE State Change: ON > TURNING_OFF
01-15 10:30:42.532 2535 2583 D BluetoothAdapter: onBluetoothServiceDown: Sending callbacks to 1 clients
01-15 10:30:42.532 2535 2583 D BluetoothAdapter: onBluetoothServiceDown: Finished sending callbacks to registered clients
01-15 10:30:42.532 2505 2821 D BluetoothAdapter: onBluetoothServiceDown: Sending callbacks to 0 clients
01-15 10:30:42.532 2505 2821 D BluetoothAdapter: onBluetoothServiceDown: Finished sending callbacks to registered clients
01-15 10:30:42.532 3469 3517 D BluetoothAdapter: onBluetoothServiceDown: Sending callbacks to 0 clients
01-15 10:30:42.532 3469 3517 D BluetoothAdapter: onBluetoothServiceDown: Finished sending callbacks to registered clients
01-15 10:30:42.532 2150 2150 D BluetoothPbap: Proxy object disconnected
01-15 10:30:42.532 2150 2150 D PbapServerProfile: Bluetooth service disconnected
01-15 10:30:42.533 2150 2678 D BluetoothHeadset: Proxy object disconnected
01-15 10:30:42.533 2150 2189 D BluetoothAdapter: onBluetoothServiceDown: Sending callbacks to 1 clients
01-15 10:30:42.533 2150 2189 D BluetoothAdapter: onBluetoothServiceDown: Finished sending callbacks to registered clients
01-15 10:30:42.534 968 3562 I ActivityManager: Process com.android.bluetooth (pid 6638) has died
01-15 10:30:42.534 968 3562 D ActivityManager: cleanUpApplicationRecord -- 6638
01-15 10:30:42.534 2150 2150 D HeadsetProfile: Bluetooth service disconnected
01-15 10:30:42.534 968 3562 W ActivityManager: Scheduling restart of crashed service com.android.bluetooth/.hid.HidService in 1000ms
01-15 10:30:42.535 968 3562 W ActivityManager: Scheduling restart of crashed service com.android.bluetooth/.hdp.HealthService in 1000ms
01-15 10:30:42.535 968 3562 W ActivityManager: Scheduling restart of crashed service com.android.bluetooth/.pbap.BluetoothPbapService in 1000ms
01-15 10:30:42.536 968 3562 W ActivityManager: Scheduling restart of crashed service com.android.bluetooth/.map.BluetoothMapService in 1000ms
01-15 10:30:42.536 968 3562 W ActivityManager: Scheduling restart of crashed service com.android.bluetooth/.hfp.HeadsetService in 1000ms
01-15 10:30:42.536 968 3562 W ActivityManager: Scheduling restart of crashed service com.android.bluetooth/.gatt.GattService in 1000ms
01-15 10:30:42.536 968 3562 W ActivityManager: Scheduling restart of crashed service com.android.bluetooth/.btservice.AdapterService in 11000ms
01-15 10:30:42.537 968 3562 W ActivityManager: Scheduling restart of crashed service com.android.bluetooth/.opp.BluetoothOppService in 21000ms
01-15 10:30:42.537 968 3562 W ActivityManager: Scheduling restart of crashed service com.android.bluetooth/.pan.PanService in 21000ms
01-15 10:30:42.537 968 3562 W ActivityManager: Scheduling restart of crashed service com.android.bluetooth/.a2dp.A2dpService in 20999ms
01-15 10:30:42.540 338 338 I brcm-uim: brcm-uim:After Polling to check POLLERR | POLLHUP erro = 1
01-15 10:30:42.540 338 338 I brcm-uim: brcm-uim:Breaking out from RE_POLL_TILL_POLL_ERR while loop with err=1
01-15 10:30:42.542 968 968 D AudioService: mConnectedBTDevicesList size 0
01-15 10:30:42.543 968 1306 D BluetoothManagerService: Bluetooth is complete send Service Down
01-15 10:30:42.543 968 1306 D BluetoothManagerService: Broadcasting onBluetoothServiceDown() to 5 receivers.
01-15 10:30:42.543 968 1306 D BluetoothAdapter: onBluetoothServiceDown: Sending callbacks to 0 clients
01-15 10:30:42.543 968 1306 D BluetoothAdapter: onBluetoothServiceDown: Finished sending callbacks to registered clients
01-15 10:30:42.543 968 1306 D BluetoothManagerService: unbindAndFinish(): null mBinding = false mUnbinding = false
01-15 10:30:42.543 968 1306 D BluetoothManagerService: Sending BLE State Change: TURNING_OFF > OFF
01-15 10:30:42.543 3469 3517 D BluetoothAdapter: onBluetoothServiceDown: Sending callbacks to 0 clients
01-15 10:30:42.543 3469 3517 D BluetoothAdapter: onBluetoothServiceDown: Finished sending callbacks to registered clients
01-15 10:30:42.544 2535 2577 D BluetoothAdapter: onBluetoothServiceDown: Sending callbacks to 1 clients
01-15 10:30:42.544 2535 2577 D BluetoothAdapter: onBluetoothServiceDown: Finished sending callbacks to registered clients
01-15 10:30:42.544 2150 2192 D BluetoothAdapter: onBluetoothServiceDown: Sending callbacks to 1 clients
01-15 10:30:42.544 2150 2192 D BluetoothAdapter: onBluetoothServiceDown: Finished sending callbacks to registered clients
01-15 10:30:42.544 2150 2784 D BluetoothEventManager: isFirstBoot: false state: 13
01-15 10:30:42.545 338 338 I brcm-uim: brcm-uim:value of install = 0
01-15 10:30:42.545 338 338 I brcm-uim: brcm-uim:value of dev_fd = 6
01-15 10:30:42.545 338 338 I brcm-uim: brcm-uim:snoop_enable = 0
01-15 10:30:42.546 2505 2525 D BluetoothAdapter: onBluetoothServiceDown: Sending callbacks to 0 clients
01-15 10:30:42.546 2505 2525 D BluetoothAdapter: onBluetoothServiceDown: Finished sending callbacks to registered clients
01-15 10:30:42.548 2535 2535 D BluetoothEventManager: isFirstBoot: false state: 13
01-15 10:30:42.549 338 338 I brcm-uim: brcm-uim:cleanup complete
01-15 10:30:42.549 338 338 I brcm-uim: brcm-uim: setting upio power to 0
01-15 10:30:42.549 338 338 D bt_upio : upio_set_bluetooth_power(on: 0)
01-15 10:30:42.549 338 338 D bt_upio : is_emulator_context : 0
01-15 10:30:42.549 338 338 D bt_upio : is_rfkill_disabled ? [0]
01-15 10:30:42.549 338 338 D bt_upio : is_rfkill_disabled returned
01-15 10:30:42.549 338 338 D bt_upio : is_rfkill_disabled returned ret 0
01-15 10:30:42.549 338 338 I brcm-uim: brcm-uim:begin polling
01-15 10:30:42.549 338 338 I brcm-uim: brcm-uim:Polling to check POLLERR | POLLHUP on install fd

Additional context

It happens when I enter connect 1c:23:..... or any other working device.
OS: Debian Buster.
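The traceback in this issue (`u8(data[2])` rejecting an int) and the sendlcp traceback in the "[!] CONNECTION_MAX not defined in fw." issue (`args.data.decode("hex")` on a str) are the same Python 2 to 3 porting problem: indexing `bytes` yields an `int` and `str` has no `decode`. The following is an added example, not InternalBlue's own code, showing both helpers written to accept either form, plus a hypothetical H4 SCO parser (`parse_h4_sco`) and a constructed sample packet that exercise them; the function names and the sample are assumptions, not taken from the project.

```python
"""Added example, not InternalBlue's own code: Python 3-safe versions of the
two operations that fail in the tracebacks.

* ``args.data.decode("hex")`` raises AttributeError on Python 3 because ``str``
  has no ``decode``; ``bytes.fromhex`` is the portable replacement.
* ``u8(data[2])`` raises TypeError because indexing ``bytes`` on Python 3
  yields an ``int``, which ``struct.unpack`` rejects.

``parse_h4_sco`` and the sample packet are hypothetical illustrations that
mirror the field layout named in the traceback (handle, packet status, length).
"""
import struct


def u8(num):
    """Return one unsigned byte as int.

    Accepts a 1-byte bytes/bytearray (what slicing returned on Python 2) or an
    int (what ``data[2]`` returns on Python 3).
    """
    if isinstance(num, bool):  # bool is an int subclass; reject it explicitly
        raise TypeError("u8 expects a byte, not bool")
    if isinstance(num, int):
        if not 0 <= num <= 0xFF:
            raise ValueError("u8 value out of range: %r" % (num,))
        return num
    if isinstance(num, (bytes, bytearray)) and len(num) == 1:
        return struct.unpack("B", bytes(num))[0]
    raise TypeError("u8 expects one byte or an int, got %r" % (num,))


def u16(raw):
    """Little-endian unsigned 16-bit value from a 2-byte slice (HCI byte order)."""
    if len(raw) != 2:
        raise ValueError("u16 expects 2 bytes, got %d" % len(raw))
    return struct.unpack("<H", bytes(raw))[0]


def decode_hex_arg(text):
    """Portable replacement for ``args.data.decode("hex")``.

    Accepts an optional 0x prefix and space/colon separators; rejects empty,
    odd-length or non-hex input with ValueError instead of passing a malformed
    payload on to the chip.
    """
    if isinstance(text, bytes):
        text = text.decode("ascii")
    cleaned = text.strip()
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    cleaned = cleaned.replace(" ", "").replace(":", "")
    if not cleaned or len(cleaned) % 2:
        raise ValueError("hex payload must have even, non-zero length: %r" % (text,))
    return bytes.fromhex(cleaned)  # ValueError on non-hex characters


def parse_h4_sco(packet):
    """Parse an H4-framed SCO data packet (UART type byte 0x03).

    Layout after the type byte: 12-bit connection handle and 2-bit packet
    status flag packed in a little-endian 16-bit word, then a 1-byte data
    length, then the data. Returns a dict; raises ValueError on malformed input.
    """
    if len(packet) < 4 or packet[0] != 0x03:
        raise ValueError("not an H4 SCO packet")
    body = packet[1:]
    handle_flags = u16(body[0:2])
    handle = handle_flags & 0x0FFF
    packet_status = (handle_flags >> 12) & 0x3
    length = u8(body[2])  # int on Python 3: u8 above accepts it
    data = body[3:]
    if len(data) != length:
        raise ValueError("SCO length field %d != %d data bytes" % (length, len(data)))
    return {"handle": handle, "packet_status": packet_status, "data": data}


# Constructed sample (not captured traffic): SCO packet on handle 12, the
# hci_handle value shown in the logcat, status flag 0, two payload bytes.
SAMPLE_SCO = bytes([0x03, 0x0C, 0x00, 0x02, 0xAA, 0xBB])

if __name__ == "__main__":
    print(parse_h4_sco(SAMPLE_SCO))
    print(decode_hex_arg("0xAA"))
```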

The question about how to get LMP packets

Hi there,
I am trying to use the CYW20735 evaluation board to connect to an Android system,
but I only see the hci_h4 & L2CAP data in Wireshark and can't see the LMP data.
Is the reason I can't see LMP that I didn't install the patch on the evaluation board, or is it some other problem?

Thanks in advance !

commands require root

I'm using a Raspberry Pi 4. Even though I run internalblue as the root user, it shows

_sendThreadFunc: Sending to socket failed, reestablishing connection.
    With HCI sockets, some HCI commands require root!

What shall I do to figure it out?

PoC examples broken by new version of binutils, warnings processed as errors

When trying to run the nexus5 examples, such as CVE_2018_19860 Crash on Connect example, pwntools throws an error. I assume this error is caused by the linker treating a certain warning as an error in this version of binutils.

Hardware: Google Nexus5
Operating System: Linux 6.0.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.10-2kali1 (2022-12-06) x86_64 GNU/Linux

To Reproduce
sudo ./CVE_2018_19860_Crash_on_Connect.py

Output log from commands:

$ sudo ./CVE_2018_19860_Crash_on_Connect.py
[*] Found multiple adb devices
[*] Connected to 0e5b1fa70c634e21
[*] Chip identifier: 0x6109 (003.001.009)
[*] Using fw_0x6109.py
[*] Loaded firmware information for BCM4335C0.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] installing assembly patches to crash other device on connect requests...
There was an error running ['/usr/bin/arm-linux-gnueabi-ld', '--oformat=elf32-littlearm', '-EL', '-z', 'execstack', '-o', '/tmp/pwn-asm-f2z999on/step3', '/tmp/pwn-asm-f2z999on/step2', '--section-start=.shellcode=0x211800', '--entry=0x211800', '-z', 'max-page-size=4096', '-z', 'common-page-size=4096']:
It had this on stdout:
/usr/bin/arm-linux-gnueabi-ld: warning: /tmp/pwn-asm-f2z999on/step3 has a LOAD segment with RWX permissions

An error occurred while assembling:
1: .section .shellcode,"awx"
2: .global _start
3: .global __start
4: .p2align 2
5: _start:
6: __start:
7: .syntax unified
8: .arch armv7-a
9: .thumb
10: ldr r0, =table
11: bx lr
12: //dummy table entry
13: .align
14: table:
15: .byte 0x35 //nullsub1+1
16: .byte 0xAC
17: .byte 0x00
18: .byte 0x00
19: .byte 0x10 //length
20: .byte 0x00
21: .byte 0x00
22: .byte 0x00
Traceback (most recent call last):
File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 702, in asm
_run(linker + ldflags)
File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 397, in _run
log.error(msg, *args)
File "/usr/local/lib/python3.10/dist-packages/pwnlib/log.py", line 424, in error
raise PwnlibException(message % args)
pwnlib.exception.PwnlibException: There was an error running ['/usr/bin/arm-linux-gnueabi-ld', '--oformat=elf32-littlearm', '-EL', '-z', 'execstack', '-o', '/tmp/pwn-asm-f2z999on/step3', '/tmp/pwn-asm-f2z999on/step2', '--section-start=.shellcode=0x211800', '--entry=0x211800', '-z', 'max-page-size=4096', '-z', 'common-page-size=4096']:
It had this on stdout:
/usr/bin/arm-linux-gnueabi-ld: warning: /tmp/pwn-asm-f2z999on/step3 has a LOAD segment with RWX permissions

Traceback (most recent call last):
File "/home/zarich/internalblue/examples/nexus5/./CVE_2018_19860_Crash_on_Connect.py", line 123, in
code = asm(ASM_SNIPPET_LMP_00_LOOKUP, vma=ASM_LOCATION_LMP_00_LOOKUP)
File "/usr/local/lib/python3.10/dist-packages/pwnlib/context/init.py", line 1524, in setter
return function(*a, **kw)
File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 725, in asm
log.exception("An error occurred while assembling:\n%s" % lines)
File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 702, in asm
_run(linker + ldflags)
File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 397, in _run
log.error(msg, *args)
File "/usr/local/lib/python3.10/dist-packages/pwnlib/log.py", line 424, in error
raise PwnlibException(message % args)
pwnlib.exception.PwnlibException: There was an error running ['/usr/bin/arm-linux-gnueabi-ld', '--oformat=elf32-littlearm', '-EL', '-z', 'execstack', '-o', '/tmp/pwn-asm-f2z999on/step3', '/tmp/pwn-asm-f2z999on/step2', '--section-start=.shellcode=0x211800', '--entry=0x211800', '-z', 'max-page-size=4096', '-z', 'common-page-size=4096']:
It had this on stdout:
/usr/bin/arm-linux-gnueabi-ld: warning: /tmp/pwn-asm-f2z999on/step3 has a LOAD segment with RWX permissions
`

Additional context

After some attempts to figure out the cause of the issue, I found a discussion of a similar error in another github repo.

OP-TEE/optee_os#5471

The issue was attributed to the fact that binutils after 2.38 classifies this kind of behavior as an error and breaks the compilation, as addressed here:

OP-TEE/optee_os#5474

Adding the following flag to line 700 in pwnlib/asm.py solved the problem for me.

'--no-warn-rwx-segments'

This probably would better be classified a pwntools issue but I'm reporting it here since this is the context I found it in.
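As an added example (not internalblue's or pwntools' own code) of checking for the condition this issue describes before running the examples: it parses the cross linker's version banner, decides whether the `--no-warn-rwx-segments` flag from the report is needed, and classifies captured linker output so that a run that failed only on the RWX-segment warning can be told apart from a real link error. The linker name and the sample banner and output lines are assumptions.

```python
"""Preflight check for the binutils >= 2.39 RWX-segment warning (added
example, not part of internalblue or pwntools)."""
import re
import subprocess

# Warning text as quoted in the issue; the temp path differs per run.
RWX_WARNING = re.compile(
    r"^\S*ld: warning: \S+ has a LOAD segment with RWX permissions$")
# Flag the reporter added to pwnlib/asm.py; ld understands it from 2.39 on,
# the same release that introduced the warning.
RWX_WORKAROUND_FLAG = "--no-warn-rwx-segments"


def parse_ld_version(banner):
    """Parse 'GNU ld (GNU Binutils for Debian) 2.39' into (2, 39, 0)."""
    first = banner.strip().splitlines()[0] if banner.strip() else ""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", first)
    if not m:
        raise ValueError("unrecognised ld banner: %r" % banner)
    return tuple(int(x or 0) for x in m.groups())


def ld_workaround_flags(version):
    """Extra linker flags so the warning does not abort pwntools' asm()."""
    return [RWX_WORKAROUND_FLAG] if version >= (2, 39, 0) else []


def classify_linker_output(text):
    """'clean' (no output), 'warning-only' (every line is the RWX warning,
    so the link itself succeeded) or 'error' (anything else)."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return "clean"
    if all(RWX_WARNING.match(l) for l in lines):
        return "warning-only"
    return "error"


def live_ld_version(ld="arm-linux-gnueabi-ld"):
    """Query the installed cross linker; None if it is not installed."""
    try:
        out = subprocess.run([ld, "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return parse_ld_version(out)


if __name__ == "__main__":
    v = live_ld_version()
    print("ld not found" if v is None else "ld %s -> extra flags %s"
          % (".".join(map(str, v)), ld_workaround_flags(v)))
```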
