-
Notifications
You must be signed in to change notification settings - Fork 456
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bcm43430a1 karma #164
base: master
Are you sure you want to change the base?
Bcm43430a1 karma #164
Conversation
… (hard limit 200) for upcoming KARMA loud. Caution KARMA on per default (autostart.c)
…r defined). KARMA on by default, bunch of debug output + (reversing) comments in source
…a + custom), added first version of python configuration tool (IOCTL)
…ashing, needs fix)
…s during runtime), Method to remove custom SSIDs
Hi mame82, thank you for your nice karma implementation, however, I do not want to add it directly into the nexmon repository. I intend to keep only the basic functionality such as injection and monitor mode in the nexmon repository and place any additional patches into separate repositories. For example, we also created a new repository for our jammer (https://github.com/seemoo-lab/wisec2017_nexmon_jammer_demo_firmware). By using external repositories, we can reduce the amount of function we need to find to support a new firmware version when it comes out and the maintainers of nexmon extension would have to update to newer firmwares on their own. I could however include your patches to the structs.h and wrapper.c files. For the future, it might be worth investigating a firmware extension strategy to extend firmwares during runtime. I already have a nice way to compile position independent code ready. Matthias |
Hi Matthias, thanks for your reply. I'm fine with your decission, feel free to add in the patches in structs.common.h + wrapper.c. According the firmware "hot patching": I thought about something similar. As you may have noticed, I extended the IOCTLs with mem_dump functionality (used to transfer custom runtime structs of firmware to userland python tool, namely the linked lists of SSIDs which are transfered entry by entry). Doing this I ended up with the idea of an additional "write what where" IOCTL to change data/code of firmware during runtime. To be honest, today I stumpled across research doing exactly this in order to bring up a dynamic tracer with minimal (static) firmware manipulation effort https://conference.hitb.org/hitbsecconf2015ams/sessions/eight-ou-two-mobile/ Reading the whitepaper, it became clear to me that I didn't considered non-writable memory regions, which are handled via flashpatching by the researcher. I'm glad that you're working on a dynamic patching system, too. This would open the door for creation of "firmware plugins" which could be loaded / unloaded on-demand, without bloating the firmware. If you agree I'll keep my fork with KARMA patches up (for P4wnP1). Merry Christmas Marcus |
Working KARMA mod for RPi0W / RPi3 firmware including a dedicated runtime configuration tool.
Details are here: https://github.com/mame82/P4wnP1_nexmon_additions/blob/master/README.md
(including help screen of tool)
So it is done before christmas