Support for RaspberryPi 400 / BCM4345C3 (0x6606) #49
Any chance that support for RaspberryPi 400 / BCM4345C3 (0x6606) will be added?

Comments

Hi @phantomblot-x, you should be fine by copying another Is there any specific feature you're looking for? For example, anything related to KNOB/BIAS requires reverse-engineering and diffing the firmware, which is quite a lot of effort (multiple days if you never did it before, but still a couple of hours depending on the chip's bugs if you know what you're doing). Best,

Hi @jiska2342, thanks for the quick response. My interest is in LMP/LL packet injection, using it for fuzz-testing BT controllers from the air interface and possibly for crafting some attacks. I have tried to use the BCM4345C0 (0x6119), but the chip crashes when attempting to inject a message. So, I guess some reverse engineering will be needed to make this work. I have no experience doing that for these chipsets. I was just hoping, since all the other Raspberry Pi versions seem to be supported, that it might be added for the 400 version too.

Hi, LMP fuzzing should just work. There's an HCI command that can send LMP PDUs (0xFC58): ...afair we even linked that to a However, sending LMP via HCI is limited to a maximum of 17 bytes, since this is the maximum LMP PDU length. The firmware does some internal checks. If you want to bypass these, you need to write your own hook similar to the one we have for the Nexus 5 firmware. The same goes for sending LCP/LL (BLE) control packets: you need a custom patch similar to the one in the firmware you linked. Broadcom changed packet handling behavior from time to time, so the patch at least needs to be adapted to the changed addresses in ROM, but sometimes even more. So, the simplest solution might be to only fuzz LMP and not LCP, or get the Raspberry Pi that has support for it. Otherwise, you can try to dump the ROM and use Polypyus or BinDiff to find the handlers and modify them accordingly. Best,
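The 17-byte LMP PDU limit discussed in the thread, as an added example that is not part of the issue or of the project's code: a small encoder/decoder that follows the Bluetooth Core spec LMP header layout (transaction ID in bit 0, opcode in bits 1-7, escape opcodes 124-127 followed by an extended-opcode byte) and rejects any PDU longer than the 17 bytes the HCI path accepts. The parameter layout of the 0xFC58 vendor command is not shown on the page and is not assumed here; the sample PDU values are constructed.

```python
# Added example: encode and decode Bluetooth BR/EDR LMP PDUs and enforce the
# 17-byte limit that the HCI send path described in the thread applies.
# Header layout follows the Bluetooth Core spec (Vol 2, Part C): bit 0 of the
# first byte is the transaction ID, bits 1-7 the opcode; opcodes 124-127 are
# escape opcodes whose second byte carries an extended opcode.

LMP_MAX_PDU_LEN = 17          # longest LMP PDU the HCI path accepts (from the thread)
LMP_ESCAPE_OPCODES = frozenset({124, 125, 126, 127})


def build_lmp_pdu(opcode, tid, payload=b"", ext_opcode=None):
    """Return the raw PDU bytes, raising ValueError on anything the firmware would reject."""
    if tid not in (0, 1):
        raise ValueError("TID must be 0 (Central-initiated) or 1 (Peripheral-initiated)")
    if not 0 <= opcode <= 127:
        raise ValueError("opcode must fit in 7 bits")
    header = bytes([(opcode << 1) | tid])
    if opcode in LMP_ESCAPE_OPCODES:
        if ext_opcode is None or not 0 <= ext_opcode <= 255:
            raise ValueError("escape opcode requires a one-byte extended opcode")
        header += bytes([ext_opcode])
    elif ext_opcode is not None:
        raise ValueError("extended opcode is only valid with an escape opcode")
    pdu = header + bytes(payload)
    if len(pdu) > LMP_MAX_PDU_LEN:
        raise ValueError(f"PDU is {len(pdu)} bytes, limit is {LMP_MAX_PDU_LEN}")
    return pdu


def parse_lmp_pdu(pdu):
    """Split a raw PDU into its fields; reject malformed or oversized input."""
    pdu = bytes(pdu)
    if not pdu:
        raise ValueError("empty PDU")
    if len(pdu) > LMP_MAX_PDU_LEN:
        raise ValueError(f"PDU is {len(pdu)} bytes, limit is {LMP_MAX_PDU_LEN}")
    tid, opcode = pdu[0] & 1, pdu[0] >> 1
    ext_opcode, body = None, pdu[1:]
    if opcode in LMP_ESCAPE_OPCODES:
        if len(pdu) < 2:
            raise ValueError("escape opcode without extended opcode byte")
        ext_opcode, body = pdu[1], pdu[2:]
    return {"tid": tid, "opcode": opcode, "ext_opcode": ext_opcode, "payload": body}


if __name__ == "__main__":
    # Constructed sample: LMP_version_req (opcode 37), TID 0, five-byte version body.
    sample = build_lmp_pdu(37, 0, b"\x09\x0f\x00\x01\x00")
    print(sample.hex(), parse_lmp_pdu(sample))
```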