We just released Polypyus, a binary-only diffing tool programmed by @freebejan that runs independently of Ghidra and IDA and integrates into the workflow of other diffing tools. (1/n)
github.com/seemoo-lab/pol…
This was a long journey starting with @dennismantz, who reverse-engineered the Nexus 5 Bluetooth firmware. It doesn't have any strings or symbols, but he located threads and HCI handlers & enabled firmware patching with InternalBlue in mid-2018. (2/n)
I continued reverse-engineering based on the specification to locate SSP and LMP handlers. Even though I just found CVE-2018-19860 (without looking for parsing issues), all recent specification-compliant attacks are in there: ECDH, KNOB, BIAS. (3/n)
Due to a paper review that claimed the Nexus 5 would be too old, I ordered a recent CYW20735 evaluation board that arrived on December 6, 2018. Just three days later I found all its symbols in WICED Studio :D (4/n)
Suddenly, binary diffing got interesting. BinDiff worked okayish with IDA 6.8. By picking the >90% matches, CYW20735 produced ~6% matched functions in the Nexus 5 firmware, but still with some false positives. (5/n)
Then, @AdmVonSchneider published a new BinDiff version and I tried it on IDA 7.2 (?). Suddenly, most matches were gone. As it turned out later, this was no BinDiff fault, but changed auto analysis in IDA. Weirdest bug report ever, because it worked and also didn't work. (6/n)
Of course, I also tried @matalaz' Diaphora. After fixing another bug, it worked for the Bluetooth firmware, but also did not find good matches, similar to BinDiff. (7/n)
Finally, @freebejan put some of my thoughts on why all this was not working into high-performance code that diffs raw binaries within a few seconds. Amazing work :D A paper will follow soon :) (8/8)
Since people were asking how it works internally, here is Jan's final presentation, which covers the most important aspects of why ARM Thumb-2 disassembly was problematic and how the binary-only approach works. (9/8)
github.com/seemoo-lab/pol…
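An added illustration of the idea behind binary-only matching, not Polypyus's own code (the real tool's algorithm is in the linked repository and presentation): take two reference firmware images that carry symbols, turn each named function into a byte pattern that keeps the bytes both references agree on and wildcards the bytes that differ (literal-pool indices, branch offsets), then search a symbol-less target image for that pattern without ever disassembling it. The hand-assembled Thumb-2-looking byte strings, the function names and the thresholds below are all constructed for this example.

```python
"""Toy binary-only function matcher (added illustration, not Polypyus's code).

Idea: functions that survive a firmware rebuild mostly keep their opcode bytes;
what changes are address-dependent operands. Comparing two reference images
with symbols tells us which bytes to wildcard, and the resulting pattern can be
searched in a raw target image with no disassembler involved.
"""
import re
from dataclasses import dataclass


@dataclass
class Match:
    name: str
    offset: int       # byte offset of the matched function in the target image
    fixed_bytes: int  # number of non-wildcard bytes in the pattern


def make_pattern(variants):
    """Return a list of bytes (int) or None, None where the variants disagree."""
    length = min(len(v) for v in variants)
    pattern = []
    for i in range(length):
        column = {v[i] for v in variants}
        pattern.append(column.pop() if len(column) == 1 else None)
    return pattern


def pattern_to_regex(pattern):
    """Compile the pattern into a lookahead regex so overlapping hits are found."""
    body = b"".join(b"." if b is None else re.escape(bytes([b])) for b in pattern)
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def find_functions(target, references, min_fixed=8, require_unique=True):
    """references: {name: [bytes from image A, bytes from image B, ...]}.

    A pattern with too few fixed bytes is discarded (it would match everywhere),
    and by default a pattern that hits more than once is discarded as ambiguous.
    """
    results = {}
    for name, variants in references.items():
        pattern = make_pattern(variants)
        fixed = sum(1 for b in pattern if b is not None)
        if fixed < min_fixed:
            continue
        hits = [m.start() for m in pattern_to_regex(pattern).finditer(target)]
        if not hits or (require_unique and len(hits) != 1):
            continue
        results[name] = Match(name, hits[0], fixed)
    return results


# Constructed sample data: "push {r4-r11,lr}; mov r4,r0; ldr r0,[r0]; ldr r0,[pc,#imm];
# bl <off>; pop {r4-r11,pc}". The pc-relative literal index (byte 8) and the bl
# offset (byte 12) differ between builds; everything else is stable.
FW_A_HANDLER = bytes.fromhex("2de9f04f04460068 1248 fff710fe bde8f08f".replace(" ", ""))
FW_B_HANDLER = bytes.fromhex("2de9f04f04460068 1548 fff740fe bde8f08f".replace(" ", ""))
TARGET_HANDLER = bytes.fromhex("2de9f04f04460068 2048 fff780fe bde8f08f".replace(" ", ""))

SAMPLE_REFERENCES = {
    # present in the target with different operands: should match
    "lm_handle_example": [FW_A_HANDLER, FW_B_HANDLER],
    # references disagree on every byte: pattern is all wildcards, must be skipped
    "too_fuzzy": [b"\x01" * 12, b"\x02" * 12],
    # stable bytes, but the function is simply not in the target image
    "absent": [bytes.fromhex("00b5012000bd00bf10b510bd")] * 2,
}

# Constructed target image: padding, a few "bx lr; nop" pairs, the handler, more filler.
SAMPLE_TARGET = (
    b"\xff" * 16
    + bytes.fromhex("704700bf") * 4
    + TARGET_HANDLER
    + b"\x70\x47"
    + b"\x00" * 16
)


def demo():
    """Run the matcher on the constructed sample and return {name: offset}."""
    return {m.name: m.offset for m in find_functions(SAMPLE_TARGET, SAMPLE_REFERENCES).values()}


if __name__ == "__main__":
    for name, off in demo().items():
        print(f"{name} @ 0x{off:x}")
```

The two knobs that matter in practice are `min_fixed` and `require_unique`: lowering the first trades false negatives for false positives, and dropping the second lets a pattern label several copies of the same function, which is usually wrong for handlers and right for inlined helpers. Wildcards derived from only two reference builds will miss operands that happened to stay equal, so more reference images give cleaner patterns.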