36C3 preroll music
Herald Angel: Our next speaker is jiska.
jiska is attending this conference since
ages like a decade? even more?
jiska: 20, 22 C3
Herald Angel: Long, long time. Sometimes
she is also doing some talks here. The
last one last year was about Bluetooth.
There she was in depth. This time it will
be a more general talk about wireless
protocols NFC, LTE, Wi-Fi, and, of course,
Bluetooth. So she will tell us what is
broken in all those protocols. So have fun
and enjoy the talk "All wireless
communications stacks are equally broken"
by jiska.
applause
jiska: So welcome to my talk. I thought it
first to be a foundation talk, but it will
also have new topics about everything that
is kind of fundamentally broken in
wireless communication and it will cover
anything in your smartphone soul like NFC,
Bluetooth, Wi-Fi, LTE. You could order
them like by communication range or by
specification length or lines of code. But
the thing is, so the specification length
and line of code also mean increased
complexity. And if there is increased
complexity, you might have issues with
security in it, in the very end. And then
there is something that is even worse than
LTE, which is vendor specific additions
that would be when you open like five
instances of IDA and like tried to
analyze where the wireless message is
going and what it is doing. So most of
this in this talk will be about wireless
exploitation and the new stuff will be
fuzzing techniques and a new escalation
target. But everything else is more like a
general view on wireless exploitation. So
first, to understand what the wireless
exploit does is to separate it in
different layers. So there is the lowest
layer, which is some hybrid chip which
runs a firmware, let's say bluetooth
firmware, which is then attached to a
driver. Then there's some privileged
stuff, it depends a bit on what kind of
system you're on. And in the end, there
will be applications and no matter where
you exploit is on that layer that you're
exploiting, some security measures become
ineffective. So, for example, if there is
encryption and you have an exploit for
that layer, it would become ineffective.
And it depends, so the higher you are, the
higher also the exploit prices get. So for
the Wi-Fi RCE, you would be at 100K, for
baseband RCE with local privilege
escalation, it gets already 200 K, and if
it's just a messenger or something, then
it's like really, really high in the
price. So the question is like, why is
this wireless stuff a bit cheaper? So
well, you need a certain distance. And so
that's probably a thing. And then also,
maybe they are just too easy to find. I
don't know. Like at least, maybe for me, I
don't know for normal people. Or maybe the
market demand is not that high for them.
Or they are not privileged enough. I don't
know. But actually they'd need like only
like non or less interaction. So. Yeah.
Still a thing I would say. So within the
group I am working at we had a lot of
wireless research and also tools that we
released. And the first one I think that
was running on a mobile phone is NFCGate,
which is currently managed by Max. Then
there is nexmon, which is our largest
project, which is patching of Broadcom
Wi-Fi. And Matthias, who did that, reached
his goal by just saying, like, I now have
kind of a software defined radio in a
commodity like Broadcom Wi-Fi chip. And so
he was a bit bored and kicked off two new
projects before he left, which he then
handed over. The first one is Qualcomm LTE
and the second one was Broadcom Bluetooth,
which I ended up with. And then we have
someone else who is Milan and he is doing
stuff that comes more like from the
application layer. So he implemented an
open source solution for Apple Airdrop
that you can run on your Raspberry Pi. And
well hackers gonna hack, so this stuff has
been used a lot for exploitation, not by
us, but by others. So there were three
groups using nexmon for Wi-Fi
exploitation, at least like what is
publicly known and like the bigger ones,
maybe I forget someone, but so there is a
lot of exploitation going on there. Then
internal blue has been used to demonstrate
an attack against a key negotiation of
Bluetooth just this august. And the open
Airdrop implementation was used for some
honeypots at Black Hat and AirDos. And
like a lot of stuff is going on there. And
then you might ask yourself, like, yeah,
so, if everybody is using it for
exploitation why don't we just do it
ourselves. And we actually did that and we
even did that for this very first project,
this NFC project. And the most important
thing you need to know about NFC is that
the near field is not really a near field.
So there's -- it's just communication, but
it's not near field communication, which
means so if you are able to forward the
communication, so for example, you have
like your credit card and then a
smartphone with NFC, you could forward it
over the cloud or some server and then to
another smartphone and then to the payment
terminal. And usually there's no time
constraint or distance pounding that would
prevent this. So you can at least forward
and relay messages and you might even be
able to modify them on the way. And some
students of us did like some testing in
some systems of some third parties who
then politely asked them to please stop
the testing. So it was not really a cool
thing overall. Like, not not good to
publish and so on. And the more happy I am
about that there's other researchers who
actually used some other tooling to look
into NFC. So just this month there has
been a talk at Black Hat, so not by us,
but by others about the visa credit cards.
And it's just all broken and it's cool
that some people like just did it anyway.
Yeah. So this is more about -- the NFC
stuff is more about forwarding and the
actual specification, but something that
is also cool is -- If you get code
execution within a chip and this is very
different attack scenario. And for
Bluetooth, I think it's especially bad
because of how everything is designed. And
the first design issue in Bluetooth is
that the encryption key is stored in a way
that the chip can always ask for
encryption keys here at the host, or it's
even already on the chip. And there is no
kind of security there. So whenever you
have code execution on the chip, it means
you can get all the encryption keys, not
of just the active connection, and then
break everything that is kind of a trusted
connection by this key. And that even
breaks features like the Android Smart
Lock. And Android Smart Lock is a thing
you can unlock your Android smartphone, if
you have a trusted device and if you'd
like add this, you might do this for your
car because it's nice in your car when you
have like your audio and your navigation
and everything without a locked
smartphone. But the question is like, how
secure is the Bluetooth of your car? Would
you trust that one to unlock your
smartphone? I don't know. And the next
thing is, so if you have code execution on
a Bluetooth chip, it also means that you
might be able to escalate into some other
components so that you go up all the
layers. The next question, is the exploit
persistent? So let's say I have something
that is running on the chip and I don't
know, extracting encryption keys or doing
whatever. You might ask yourself, so how
long will it be on the chip? I mean, it's
just a Bluetooth chip you switch Bluetooth
off sometimes and then the specifications.
So it's just a page like almost 1000. So
just like the first third of the
specification it says not the HCI_Reset
command will not necessarily perform a
hardware reset. This is implementation
defined. Then I looked into the Cypress
and Broadcom chips and saw, yeah, so if
you do each day reset, it's obviously not
a full hardware reset, it's just flashing
some queues connection stuff here and
there. So there is definitely a memory
area where you could put your exploit and
it would be persistent. So then you might
say, yeah, OK, so what do I do? I don't
know. I put my smartphone into flight mode
for a hard reset. That usually doesn't
work. You might also like reboot your
phone. In most cases, this works. For some
other coexistence stuff, I had the
impression that sometimes so it's a bit
strange, it might not necessarily like,
reset. Turning off for a while might hard-
reset the chip I think. Or you just put
your smartphone in a blender and then.
Yeah. So that might turn off the Bluetooth
chip finally. Yeah. So the next issue is
so let's say we have an exploit running
there, but we first need an exploit. So
the very first step is still missing as a
building block. And after the talk last
year, I did some stuff with the unicorn
and fuzzing on the chip and it was super
slow. And then suddenly Jan showed up and
Jan said, Hey, I want to build a fully
emulated chip for superfast fuzzing and
attach it to Linux and everything should
like run on the real -- like as on a real
system, just the over the air input will
be fast. And I was like, you cannot do
this for a master thesis. And then he was
building that thing within three months
and the remaining three months he was
writing a thesis and e-mails to vendors.
So here we go. What does Frankenstein do?
So it's running on an evaluation board of
that, yeah, it's just a normal Bluetooth
Bord that's connected to a Linux host over
UART and a modem over the air and then you
would snapshot that thing and emulate it
and give it fast input attached to the
real host. And that means that if you find
some vulnerability, it might be within all
the components or it might also be under
Linux host or it might be something that
is full stack. So you have something that
starts on the chip, gets to the host, the
host requests further things and then it
goes back to the chip. So you could build
like quite complex stuff. And for this I
have a short demo video. So the reason why
I do this as a video is that it might
happen that it finds heap overflows
otherwise. And then also it's not super
stable at the moment. So you can see it's
scanning for LE devices and then Wireshark
most of the time would get malformed
packets, but sometimes it could also get
normal packets and like some mesh stuff,
whatever. So this is Frankenstein running.
Ja, so what Jan focused on is early
connection states. That means stuff
where you don't need a pairing. And then
he found like heap overflows there in very
basic package types. So quite interesting.
And then the stuff was fixed, I think, or
hope, whatever. So at least like in very
recent devices and then the iPhone 11 came
out and in contrast to the specification,
over the air, the iPhone 11 says, hey, I'm
Bluetooth 5.1. I was like, wow, first
consumer device, Blueotooth 5.1. And I was
like, I don't really mind my way of the
exploitation as long as I can get code
execution on chip. So if it is with user
interaction and a pairing and whatever, I
don't care as long as I get code execution
on it. And then I was like, okay, let's
add some fuzz cases to Frankenstein,
continue fuzzing. And then I found that
specific evaluation board that Jan was
building this for has a problem with the
heap configuration for certain packet
types. And so if you change that, you
would hard-brick the device. I mean, I
bricked two evaluation boards trying to
fix stuff. So, yeah, it's just
bricked. And so that means for me to
continue fuzzing to write like to port
something like 200 handwritten hooks to
another evaluation board. It's almost
running. So there's just some stuff with
thread switching that's not super smooth
yet, but like it's almost on the next
board. And further plans are to add more
hardware. So we're also working on the
Samsung Galaxy S 10 and probably a MacBook
to get it in there. So then it would not
just be Linux, but at least macOS, maybe
Android. I don't know yet. And another
thing that would be cool and also we
didn't build yet, but it might be feasible
with some USRP X310 over PCI Express and
with FPGA and all the fancy stuff to get
real over the air input, which then would
mean that you would have a full queue like
from over the air real Bluetooth packets
going all the way up and then to a host
and the way back. And you could also use
that just to test your new emulation
scheme or whatever you want to change. So
not just security. Ja, so the next thing
is, so if you have code execution, what do
you do with it? And the normal approach is
to try to go all the layers up. But there
might also be some chip level escalation
and you might immediately see it on the
next picture. So this is from a Broadcom
chip, but that's something that you would
also see in many other chips, which is
that you have a shared antenna. And you
could also have two antennas, but they are
both on 2.5GHz and it's in the very same
smartphone super close next to each other
and you would get interference. So usually
you just have the same antenna and do some
coordination like when it's Bluetooth
sending, when it's Wi-Fi sending so that
they don't interfere. And this feature is
called coexistence and there is tons of
coexistence interfaces. So this is just
the one from Broadcom. And when I saw it,
I was like, oh, Francesco, let's look into
this. You know, all the Wi-Fi stuff, I
know all the Bluetooth stuff let's do
something. And he was like, no, it's just
it's just a marketing feature so that it
can like sell one chip for the price of
two chips or something. And I was like,
no, no, no, it must be an exploitation
feature. So, and then to end this
discussion, I went to Italy for eating
some ice cream and saw reality somewhere
in between. It's more like it's hardcoded
blacklisting for wireless channels and
stuff. It's traffic classes for different
types of traffic for Bluetooth and Wi-Fi.
And you can look it up in tons of patents
and it's like super, super proprietary.
And so we let's say we played a game which
was like I tried to steal his antenna and
he tried to steal my antenna. And so it
turned out, if you do that, yeah, you can
turn off Wi-Fi via Bluetooth, Bluetooth
via Wi-Fi. And then also like on most
phones, you need to reboot them and some
of them even reboot them themselves. So
this is just like a speed accelerated
thing with an Samsung Galaxy S 8 that is
not up to date. For iPhones, you would
just immediately see a reboot without any
interaction of things going off and on. So
Broadcom is still in the process of fixing
it. I don't know if they can fix it, but
they said they could fix it. But something
you should definitely fix is like the
driver itself so that the smartphone
reboots and so on. So I don't know. I
thought it would be fixed, actually, in
iOS 13 because it mentions Francesco and
me, but still on 13.3 I don't know, it,
it's still - um - you can
still crash the iPhone that way. But
it's just some resource blocking so it's
like not super dangerous thing, I would
say. And you still need a Bluetooth RCE
before you could do it and so on. But
still not cool that it's still not fixed.
Yeah, so what about the other stacks and
the escalations? So there is tons of
different Bluetooth stacks, so it's really
a mess. And obviously because of
Frankenstein, we had this first Linux
Bluetooth stack attached and so on. But,
yeah. So what has been there for a
wireless 2017, these BlueBorne attacks,
you might have heard of them. And they
found escalations like on Android,
Windows, Linux, iOS, whatever. And then
you might say, like in security, you often
say, so someone looked into it. It must be
secure now. And then there's so many
features coming. So there's all these IoT
devices. So everybody nowadays has
wireless headphones and fitness trackers
and Bluetooth always on. And in the Apple
ecosystem, it's really a mess. So if you
have more than one Apple device, you would
have Bluetooth enabled all the time.
Otherwise you couldn't use a lot of
features. And then there is like stuff
like Web Bluetooth so Bluetooth LE
support from within the browser. So it's
like a lot of new attack surfaces that
arised since then. I think -- So that's
more my personal estimation is, 2020 might
be more BlueBorne like attacks. The
saddest Bluetooth stack somehow is the
Linux Bluetooth stack. So I don't want to
blame the developers there. I mean, it's
not their fault, but it's not enough
people contributing to that project. And
if you would try to to analyze something
that is going on in the stack and you
don't really know what is going on, you
would do git blame or whatever and you
would always see the same guy as the
commiter. So at least if you're on a
specific problem, then there's only one
person committing there. And so the
picture down there actually has the same
guy thrice. So this is also a bit of a pun
here intended. We did some fuzzing in
there. We still need to evaluate some of
the results. So yeah, but I also feel like
nobody's really using it and it's kind of
sad. I mean, there's some Linux users, I
guess, but ... Yeah. Then there is the
weirdest stack I would say. So there's the
Apple Bluetooth stack and this one is
actually three. So there is there is the
MacOS Bluetooth stack. There's an iOS
Bluetooth stack. They are definitely
different. And then there is a third
embedded one, for example, for the
AirPods. They are all running different
different things. So, yeah, whatever. And
then they also have tons of proprietary
protocols on top of their Bluetooth stuff
that they're also very special. And I had
like at least two students, just one
porting it to iOS one to MacOS. And then
we also have students working on the other
protocols that are on top of Bluetooth.
And if you look into this, it's like, what
the hell? It's really hard to reverse
engineer because you have like three
different implementations and then
sometimes you're like: "yeah, okay. Maybe
it's also just bad code." And in the end,
so from what I saw so far, I would say
that it's kind of both. And then there is
the stack that I played also lots around
with, which is the Android Bluetooth
Stack. And they did a lot for the security
in the recent releases. And it annoys me
so much that when I want to get internal
blue running on it, I just echo to the
serial port instead so I bypass everything
that the operating system does. And so
something that Android cannot do, which
Apple does, is so Apple has all the
proprietary protocols. And if something
goes wrong, they immediately cut the
connection. But Android doesn't because of
compatibility and stuff. So you could just
send garbage for like two minutes and try
and see what happens. And it would
continue listening and asking and
confirming. But that's kind of an
overall design issue, I think. And yet
there's Windows and I couldn't find any
students to work on Windows. laughter
If someone wants to do this, that would be
great. And so another stack that's kind of
missing here is LTE. And I would call this
like the long term exploitation plan. So
it's not. I think if the long term
evaluation, evolution, whatever, but
exploitation I think is the best thing for
the E. So we have like tons of wireless
stuff where we are working on and I mean
like even PowerPC. And then there is
Qualcomm and they have they have this
Qualcomm hexagon DSP. I hate it so much.
So there's even source code leaks for
their LTE stuff. But it's just such a pain
to work on it. So you might have noticed
is that ARM has this LTE project with
Qualcomm, but it's just not fun. But other
people were doing a lot in this area and
they've already presented here today and
yesterday. So the first thing is the SIM
card in the phone. So the SIM cards should
be a thing like. From from my perspective,
that should be secure because it protects
your key material. And then it runs tons
of applications. I don't know. And then
you can exploit them and get the victim's
location, dial premium numbers and launch
a browser. And then I didn't really
understand, like there's just this WIB set
browser whatever, and then there's launch
browser what, is it? And I think it even
launches a browser then on the smartphone,
whatever. It's just crazy. And then I was
trying to call Deutsche Telekom and I'm a
business customer. So it's just like
three minutes for a call for me. So giving
a call there is nice. And then the first thing
they told me is: "You are secure. We know
you have three SIM cards and they are all
up to date." So I have to say, one of them
is more than 10 years old, but maybe it's
up to date. And my answer is like, what
exactly is running on my SIM card? They of
course not answered. So yeah, something is
running there. If you want to know more
about SIM cards, there has been talk
already yesterday evening and it's already
online. And then there's also a lot of
people looking into LTE. And I think the
most popular one is to work by Yongdae
Kim. He did even some LTE fuzzing
framework that he didn't release publicly
so far, because of the findings. So it's
like, should you publish? Should you not
publish? But so the findings are super
interesting. And he also has students here
who just did a talk this morning.
Responsible disclosure. So that's the
thing. When you find stuff you need to do
is responsible disclosure. And so I said
Jan was writing a lot of e-mails. And one
of the first that he wrote was to ThreadX,
because ThreadX is the operating system
that runs on the Broadcom Bluetooth
chip. And so he said, like, your
heap is a bit broken and does not have any
checks. You could implement the following
checks, which are pretty cheap and it
should be cool. And then I could not
attack it anymore. And then ThreadX was
answering, which was a bit unexpected,
that they already knew about this
exploitation technique and that it is up
to the application to not be vulnerable to
memory corruption, so not to cause any
memory corruption. So it's the programmers
fault if they do something and it's not
the operating system that has to take care
of the heap. Okay. Yeah. Next issue. So
the bin diffing and the testing if a
vulnerability is still there. So you might
not always get feedback from all the
vendors. If they fix it, they may just fix
it at a certain point in time and then you
tell them all we tested the next release
and it's still vulnerable. And then they
would say, like for Samsung said, Yeah, we
cannot send your patches in advance
without an NDA because Broadcom, blah,
blah, blah and so on and so forth. And
then Broadcom offered to send us patches
in advance. And I said, Yeah. Nice. And I
also sent them a device list because they
already knew it from the previous process.
So if you tell them the following 10
devices have an issue, then you would
already know that we can test those
devices anyway. And so and after I sent
them the list, they said: "Oh, wait, but
you need an NDA." So no, I mean, we are
doing this for free anyway. And signing an
NDA, I wouldn't do that. Yeah. So overall,
it also did Broadcom Product Security
Incident Response Team is a bit strange so
they wouldn't hand out any CVEs. And what
I mean what I do is like I first get a CVE
and then informed them and the other
customers because I also don't get any
incident number or something. So if I
wouldn't do this, I wouldn't have any
number to refer a vulnerability to. And
well, at least they are also not doing
that much legal trouble. But it's just.
Yeah, not really something happening
there. But some of their customers were
nice at least to my students, so they paid.
So one customer, they don't want to be
named here, but they payed to fly to DefCon
for one of my students and Samsung gave a
bounty off one thousand dollar. I mean,
still I mean we are in the range of of
very very more expensive exploits if it
would be on the black market, but for
students it's definitely nice. Yeah.
Responsible disclosure timelines. So this
is something that I thought like maybe
some of this responsible disclosure
timeline is just because of how I
communicate with the vendor. And sometimes
I'm writing e-mails like a five year old
or something - I don't know. But actually.
So this is a timeline of Quarkslab, who
also found just this year vulnerabilities
in Broadcom Wi-Fi chips. And so they've
also asked about NDA and then also their
exploit timeline. It's a bit fun because
they had similar exploitation strategies
as the very first exploit that you could
see by Google Project Zero and then, yeah,
more distorted timeline, whatever. And in
the end, well. So it's just taking time.
And again, no CVE id issued and so on and
so forth. So it's the very same stuff for
others, which is pretty sad. And then so
for Cyprus, which is partially having
source code of Broadcom, it also
manufactures chips. It's also very slow
for the response of disclosure. And then I
got told by other people, like, yeah, if
you would disclose something to Qualcomm,
it also takes very long. And luckily we
didn't find something in an Intel CPU. But
yeah, there is ... so on the wireless
market, there still so many other vendors
to become friends with. So yeah. So
practical solutions to end my talk. What
could you do to defend yourself if you
don't have a tinfoil hat? Other things I
can recommend is the secure Wi-Fi set up.
So don't use antennas, just use antenna
cables. If you do that in our lap a lot.
So this is a setup by Felix. And so when I
was sending my slides to Francesca in
advance she just said "cool, I have the
same one right now at my desktop". So it's
a very common setup. Maybe not at your
home, but for us it is. Or you'd just go
to the air-gapped device. So this is my
Powerbook 170, that's a really great
device. Almost impossible to get it online
and it has Word and Excel.
So ask all the questions.
Applause
Herald Angel: Thank you very much to
jiska. We still have several minutes left.
You will find eight microphones in the
room. Please line up in behind the
microphones to ask a question. And the
first question goes to the Internet.
Signal Angel: So at jiska, the question
is, are the Bluetooth issues you are
talking about also present in Bluetooth
Low Energy IoT devices.
jiska: Yes. So, I mean, there is IoT
devices, I cannot tell the vendor, but
there is also some popular devices that
have like Cypress Broadcom chips and then
it's even worse because they don't have a
separate stack, but often they have an
application running on the same arm core
and then you don't even need any
escalation.
Herald: All right. We have another
question at the microphone number one,
please.
Microphone 1: Thank you for the talk. My
question is, could you like did you
actually when you fuzzed the Bluetooth low
energy chip, did you when you managed to
get code execution, did you actually
climb up the protocol?
Did you like access Bluetooth profiles or
something like this?
jiska: Ah, so we, for example with the
link key extraction, we were building some
proof of concepts. But so it depends. We
don't currently have like a fully exploit
chain in terms of first on the chip and
then on the host. We have something that
goes directly on some hosts, but yeah,
there's tons of things there to do. Sorry?
Microphone 1: Yeah. And when you fuzz the
... how did you actually fuzz the chip
itself? How did you extract the
firmware from the chip?
jiska: So there is ... so Broadcom and
Cyprus are very nice because they have a
read RAM command so you don't need any
secure bypass or something. And for the
evaluation kits, there is even symbols
that we found in it. So symbols only means
like function names and global variable
names, that's it. But that's something to
work with.
Herald: Thank you. Another question from
the Internet, please.
Signal: Would you like the return of
physical switches for
the network controller?
jiska: Yeah, so that would be nice to like
physically switch it off. Actually, I
don't know where Paul is, but he is
building ... There is Paul. He is building
such a device. When is your talk at 10
o'clock. Paul is giving a talk about a
device where you have a physical
controller to switch off your wireless
stuff.
Herald: OK. The next question is again
microphone number one, please.
Microphone 1: Yes. Thank you. We just
bought a new car and by because
connecting the Bluetooth of my phone to
the car's system was very, very hard. And
I had to reboot the radio several times.
And then I found a message that the radio
must be directly connected to the CAN-bus
of the car. So you have a blueooth stack
connected directly to a CAN-bus. It was a
very cheap car. But if you
have an idea of what this means then...
jiska: Can you can you borrow me that car?
Microphone 1: It's a Toyota Aygo, you can
have it everywhere.
jiska: Well, that shouldn't be.
Herald: Alright, do we have a question at
microphone number eight, please?
Microphone 8: Hi and thank you for the
talk first of all. Uh well, if I
understood correctly, you said that the
vendors didn't mention if they fixed it or
not or they don't know if they fixed it.
jiska: Umm, yeah. So it depends. I know
like so if you look into the Android
security updates, so for example, August 5
has some Broadcom issue that was fixed and
I know which one that was and so on and so
forth. But so then it also means I like to
get that one onto a Samsung device. I
would need ... so they wouldn't build it
in the August update, but only in the
September update and then release it to
Europe, which is like mid or end of
September. And then I could download it to
my phone and test it over the air if it's
like really fixed and so on and so forth.
So it's ... there is like the first thing
is like that is listed publicly that it is
fixed. And then the next thing is that it
is actually fixed and it's really hard.
And for the communication with Apple, I
don't know. So sometimes they fix it
silently without mentioning us. And then
there's this iOS 13 thing where they
mentioned us but didn't fix it. So, yeah.
Microphone 8: Were there any issues like
that they found and they didn't know if
they fixed it or not. And you did like
patch-diffing or something like that?
jiska: Yeah, I did a lot of patch-diffing
and I currently have a student who is
doing nothing else than developing diffing
tools for the particular issues that I
have.
Microphone 8: And did you find that they
fixed it or not?
jiska: So it's first of all ... so we are
... so first of all, it's currently about
speed and stuff and I gave him some some
iPhone stuff for the next task.
But yes, it's work in progress. So most of
the other stuff I did by hand, so I also
have a good idea about like what a changed
within each kind of chip generation.
Microphone 8: Okay. Thank you very much.
Herald: All right. We had another question
from the Internet.
Signal: Yes. So from Mastodon, how exactly
was the snapshot of the Samsung Bluetooth
stack extracted for the fuzzing process?
jiska: The Samsung is ... so for Samsung
we have snap shotting, but for Samsung, we
don't have the rest of Frankenstein. The
other stuff is running on an evaluation
board. So the first part is mapping all
the hardware registers. So this is the
first trip that runs and tries to find
like all the memory regions. And once that
is done, there is a snapshotting hook that
you set to the function. So let's say you
want to look into a device scanning so you
would set the function into device
scanning. And once that it's called by the
Linux stack, he would freeze the whole chip
and disable like other interrupt stuff,
whatever that would kill it otherwise and
then copy everything that is in the
registers ... so that is kind of the snap
shotting. And once you have a snapshot,
then you can try to find everything that
kills your emulation like interrupts again
and thread switches and so on.
Herald: All right. We have one more
question from microphone, number one,
please.
Microphone 1: OK. So do you think that
open source, the driver or that open
hardware design will improve the
situation?
jiska: So open source? I think it would
improve the situation. But also one thing.
So I had to talk at mrmcd in September
this year. Another thing which is not
about open source is that the patching
capabilities of the Broadcom bluetooth
chips are very limited in terms of how
much can be fixed. So just open sourcing
wouldn't help Broadcom, for example.
Microphone 1: Like you mean like the
firmware is burnt into the chip and it's
limited to ...
jiska: Yeah
Microphone 1: Yeah, it's limited, right?
jiska: Yes, it's in the ROM. And then you
have patch ROM slots and you have like 128
patch ROM slot and each patch ROM slot is
a four byte override breakpoint thingy
that branches then somewhere else into
RAM. And then RAM is also limited.
So you couldn't like branch into large
chunks of RAM all the time. Yeah.
Microphone 1: Thank you.
Herald: All right. If there are not any
more questions?
jiska: Internet!
Herald: Internet? Oh, more Internet
questions. Then, please go ahead.
Signal: Yes. So winfreak on Twitter asks
what stack was tested when mentioning
Android? There are several and Google is
convinced rewriting it every year is a
good idea.
jiska: Ah, yeah. So this stuff that's like
the standard stack that runs on a Samsung
phone for example. So I think, like for
the main entry, there's only one ... I
know that there's like legacy stacks, but
they switch to only one.
Herald: So Signal Angel, do you have more
for us?
Signal: Yes. What is your hat made of?
jiska: My hat? So it's like aluminum foil.
And then there is the cyber cyber thingy.
So that's also important. Yeah. So but as
I said, it doesn't really help. It would
more help to put the smartphone in a
blender, for example.
Herald: Alright. Thank you very much for
this awesome talk. Give her a huge round
of applause to jiska.
applause
36c3 postroll
subtitles created by c3subtitles.de
in the year 2020. Join, and help us!