2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/03 Report--
This article explains how to perform coverage-guided fuzzing of iOS Bluetooth with ToothPicker. The method described here is simple, fast and practical, so let's take a look at how it works.
ToothPicker
ToothPicker is a coverage-guided, in-process fuzzer for iOS. It is designed specifically for iOS's Bluetooth daemon, bluetoothd, but because it is built on Frida it can be adapted to any platform on which Frida runs.
The repository also contains an over-the-air fuzzer that targets Apple's MagicPairing protocol via InternalBlue, with an example implementation for reference. In addition, it ships a ReplayCrashFile.py script that helps researchers reproduce and verify the process crashes the fuzzer finds.
The fuzzer works out of the box on the iOS versions it has been tested on (13.3 to 13.6), but symbols must be specified; other iOS versions require adapting the function addresses. Frida's Stalker also has problems on the iPhone 8 that we have not been able to resolve, and newer iPhones support PAC, where pointer signing significantly hurts performance. We therefore recommend running the tool on an iPhone 7.
ToothPicker started from the frizzer code base, but we refactored the code so heavily for ToothPicker that compatibility with the original frizzer is no longer maintained. Later we plan to replace it with something more targeted.
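To make the coverage-guided idea concrete, the following is an added illustration (not ToothPicker or frizzer code): a toy in-process fuzz loop in Python. Where ToothPicker takes edge coverage from Frida's Stalker inside bluetoothd, this example uses a hypothetical length-prefixed message parser that reports the branches it took through a trace set, so it runs offline with no phone attached. The MAGIC tag, BUFFER_SIZE, the parser and the mutations are all constructed for the example; the replay_crash function mirrors the role of ReplayCrashFile.py, re-running a saved input to confirm the crash reproduces.

```python
"""Toy coverage-guided fuzz loop (added illustration, not ToothPicker/frizzer code)."""
import random

MAGIC = b"MPAI"      # constructed 4-byte tag; not a real MagicPairing value
BUFFER_SIZE = 16     # fixed-size copy buffer the hypothetical parser overruns


def parse_message(data: bytes, trace: set) -> None:
    """Hypothetical parser: opcode, length byte, payload.

    Every branch records an edge id in `trace`.  The magic tag is compared one
    byte at a time, so each matched byte shows up as new coverage; that is the
    property a coverage-guided fuzzer relies on to get past comparisons."""
    trace.add("entry")
    if len(data) < 2:
        trace.add("too_short")
        return
    if data[0] != 0x10:
        trace.add("unknown_opcode")
        return
    trace.add("opcode_ok")
    length = data[1]
    if length > len(data) - 2:
        trace.add("length_exceeds_packet")
        return
    payload = data[2:2 + length]
    for i, expected in enumerate(MAGIC):
        if i >= len(payload) or payload[i] != expected:
            trace.add(f"magic_mismatch_{i}")
            return
        trace.add(f"magic_ok_{i}")
    # Bug under test: the length field is trusted when copying into a fixed buffer.
    buffer = bytearray(BUFFER_SIZE)
    for i, b in enumerate(payload):
        buffer[i] = b        # IndexError once length > BUFFER_SIZE: the "crash"
    trace.add("copy_done")


def run_input(data: bytes):
    """Execute one input; return (edge set, exception repr or None)."""
    trace = set()
    try:
        parse_message(data, trace)
    except Exception as exc:     # a real harness would observe the process crash
        return trace, repr(exc)
    return trace, None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Radamsa-style byte mutations: bit flip, replace, insert, delete, duplicate."""
    buf = bytearray(data) or bytearray(b"\x00")
    for _ in range(rng.randint(1, 3)):
        choice = rng.randrange(5)
        pos = rng.randrange(len(buf))
        if choice == 0:
            buf[pos] ^= 1 << rng.randrange(8)
        elif choice == 1:
            buf[pos] = rng.randrange(256)
        elif choice == 2:
            buf.insert(pos, rng.randrange(256))
        elif choice == 3 and len(buf) > 1:
            del buf[pos]
        else:
            end = rng.randint(pos, len(buf))
            buf[end:end] = buf[pos:end]      # duplicate a slice: grows the packet
    return bytes(buf)


def fuzz(seeds, iterations: int, rng_seed: int = 0):
    """Coverage-guided loop: keep any mutant that reaches a new edge, collect crashes.

    Returns (corpus, global_coverage, crashes); crashes is a list of
    (input, exception repr) pairs ready for replay."""
    rng = random.Random(rng_seed)
    corpus = list(seeds)
    coverage = set()
    crashes = []
    for seed in corpus:
        edges, _ = run_input(seed)
        coverage |= edges
    for _ in range(iterations):
        # Favour the newest corpus entry: it sits on the coverage frontier.
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
        child = mutate(parent, rng)
        edges, error = run_input(child)
        if error is not None:
            crashes.append((child, error))
        if not edges <= coverage:
            coverage |= edges
            corpus.append(child)
    return corpus, coverage, crashes


def replay_crash(data: bytes) -> bool:
    """Re-run a saved crashing input and report whether the crash reproduces."""
    _, error = run_input(data)
    return error is not None


if __name__ == "__main__":
    seed = b"\x10\x04" + MAGIC      # constructed valid message as the only seed
    corpus, cov, crashes = fuzz([seed], iterations=20000)
    print(f"corpus={len(corpus)} edges={len(cov)} crashes={len(crashes)}")
    for data, err in crashes[:3]:
        print(data.hex(), err, "reproduces:", replay_crash(data))
```

The loop keeps only inputs that add edges to the global coverage set, which is why a single valid seed packet is enough: each newly matched byte of the tag becomes a corpus entry, and the length-trusting copy is reached by mutants that grow the packet. Seeding from recorded, valid protocol traffic is the same reason ToothPicker starts from real Bluetooth packets rather than random bytes.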
Prerequisites
On the iPhone:
Frida, installed on the (checkra1n-jailbroken) phone as described at https://frida.re/docs/ios/
On Linux:
usbmuxd
libimobiledevice
virtualenv (recommended)
radamsa (required by frizzer)
Arch-based Linux:
# usbmuxd typically comes with libimobiledevice
# but just to be sure, we manually install it as well
sudo pacman -S usbmuxd libimobiledevice python-virtualenv radamsa

# Connect the iPhone to the computer
# Unlock it.
# If a pairing message pops up, click "Trust"
# If no pairing message pops up:
idevicepair pair
# Now the "Accept" pop-up should appear; then run it again:
idevicepair pair

# In case of connection errors:
sudo systemctl restart usbmuxd
# or pair phone and computer again

# Other useful commands

# To ssh into the iPhone:
# checkra1n comes with an SSH server listening on port 44
# Proxy the phone's SSH port to local port 4444:
iproxy 4444 44
# Connect:
ssh root@localhost -p 4444
# Default password: alpine

# To fetch some device information about the phone:
ideviceinfo
Debian Linux:
The general steps are the same as above, but:
radamsa has no packaged version and must be installed from its Git repository.
The iproxy command requires an additional package: libusbmuxd-tools
On macOS:
brew install libimobiledevice usbmuxd radamsa npm
idevicepair pair
npm install frida-compile
pip3 install frida-tools
On macOS, PacketLogger (an additional Xcode component) decodes the various Bluetooth packets once the Bluetooth debug configuration profile is installed. Opening an iOS crash log in Xcode also symbolicates it automatically, adding some symbols.
Tool configuration
We recommend creating a Python virtual environment for frizzer and then running its install command from the frizzer directory to pull in the required packages.
The projects directory contains an example fuzzing project for the MagicPairing protocol.
Next, compile the generic helpers and the MagicPairing harness into a single file.
Use the cd command to change into the harness directory and install frida-compile:
npm install frida-compile
Then run the following command:
frida-compile ./projects/YOUR_PROJECT/YOUR_SPECIALIZED_HARNESS.JS -o ./projects/YOUR_PROJECT/harness.js
Tool use
First, connect your iOS device to your computer. We recommend switching the phone to flight mode and then enabling Do Not Disturb.
Then restart bluetoothd with the following command:
killall -9 bluetoothd
At this point, make sure the phone is not connected to any other Bluetooth device. Next, use the cd command to change back into the project directory, create the directory where crash logs are stored, and start the fuzzer:
mkdir crashes
../../frizzer/fuzzer.py fuzz -p .
Now crash logs from the Apple device are collected.
In short, to start a new project, run the following commands:
cd harness
npx frida-compile ./projects/YOUR_PROJECT/YOUR_SPECIALIZED_HARNESS.JS -o ./projects/YOUR_PROJECT/harness.js
cd ./projects/YOUR_PROJECT/
mkdir crashes
frizzer fuzz -p .
To start the fuzzer with a different seed, run:
frizzer fuzz --seed 1234 -p .
That covers how to perform coverage-guided fuzzing of iOS Bluetooth with ToothPicker; the next step is to try it in practice.
© 2024 shulou.com SLNews company. All rights reserved.