jiang/kali-arm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adde P4wnP1 A.L.O.A. and bt firmware

Browse Source
This commit is contained in:
MaMe82
2018-12-07 03:26:39 +01:00
parent c19a58b929
commit 3ee4b4a55c
2 changed files with 119 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
misc/brcm/BCM43430A1.hcd Normal file
View File

Binary file not shown.

195
rpi0w-nexmon-p4wnp1.sh → rpi0w-nexmon-p4wnp1-aloa.sh
View File

@@ -1,9 +1,11 @@
#!/bin/bash
set -e
# This is the Raspberry Pi Kali 0-W Nexmon ARM build script - http://www.kali.org/downloads
# A trusted Kali Linux image created by Offensive Security - http://www.offensive-security.com
# Maintained by @binkybear
######
# This is a work in progress script for P4wnP1 A.L.O.A. based on @binkybear's built script for P4wnP1
#
##########
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
@@ -15,15 +17,15 @@ if [[ $# -eq 0 ]] ; then
exit 0
fi
basedir=`pwd`/rpi0w-nexmon-p4wnp1-$1
basedir=`pwd`/rpi0w-nexmon-p4wnp1-aloa-$1
TOPDIR=`pwd`
# Custom hostname variable
hostname=${2:-kali}
# Custom image name variable - MUST NOT include .img at the end.
imagename=${3:-kali-linux-$1-rpi0w-nexmon-p4wnp1}
imagename=${3:-kali-linux-$1-rpi0w-nexmon-p4wnp1-aloa}
# Size of image in megabytes (Default is 4500=4.5GB)
size=4500
size=6000
# Suite to use.
# Valid options are:
# kali-rolling, kali-dev, kali-bleeding-edge, kali-dev-only, kali-experimental, kali-last-snapshot
@@ -35,7 +37,7 @@ suite=kali-rolling
machine=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
# Package installations for various sections.
# This will build a minimal XFCE Kali system with the top 10 tools.
# This will build a minimal Kali system with the top 10 tools.
# This is the section to edit if you would like to add more packages.
# See http://www.kali.org/new/kali-linux-metapackages/ for meta packages you can
# use. You can also install packages, using just the package name, but keep in
@@ -43,13 +45,19 @@ machine=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
# script will throw an error, but will still continue on, and create an unusable
# image, keep that in mind.
arm="abootimg cgpt fake-hwclock ntpdate u-boot-tools vboot-utils vboot-kernel-utils"
base="apt-transport-https apt-utils console-setup e2fsprogs firmware-linux firmware-realtek firmware-atheros firmware-libertas ifupdown initramfs-tools iw kali-defaults man-db mlocate netcat-traditional net-tools parted psmisc rfkill screen snmpd snmp sudo tftp tmux unrar usbutils vim wget zerofree"
#desktop="kali-menu fonts-croscore fonts-crosextra-caladea fonts-crosextra-carlito gtk3-engines-xfce kali-desktop-xfce kali-root-login lightdm network-manager network-manager-gnome xfce4 xserver-xorg-video-fbdev xserver-xorg-input-evdev xserver-xorg-input-synaptics"
tools="aircrack-ng crunch cewl dnsrecon dnsutils ethtool exploitdb hydra john libnfc-bin medusa metasploit-framework mfoc ncrack nmap passing-the-hash proxychains recon-ng sqlmap tcpdump theharvester tor tshark usbutils whois windows-binaries winexe wpscan"
services="apache2 haveged openssh-server openvpn"
extras="bluez bluez-firmware i2c-tools python-configobj python-pip python-requests python-rpi.gpio python-smbus wpasupplicant"
arm="fake-hwclock ntpdate u-boot-tools"
tools="aircrack-ng crunch cewl dnsrecon dnsutils ethtool exploitdb hydra medusa metasploit-framework ncrack nmap passing-the-hash proxychains recon-ng sqlmap tcpdump theharvester tor tshark usbutils whois windows-binaries winexe wpscan"
base="apt-transport-https apt-utils console-setup e2fsprogs firmware-linux firmware-realtek firmware-atheros ifupdown initramfs-tools iw kali-defaults man-db mlocate netcat-traditional net-tools parted psmisc rfkill screen snmpd snmp tftp tmux unrar usbutils vim wget zerofree"
services="apache2 atftpd openssh-server openvpn"
# haveged: assure enough entropy data for hostapd on startup
# avahi-daemon: allow mDNS resolution (apple bonjour) by remote hosts
# dhcpcd5: REQUIRED (P4wnP1 A.L.O.A. currently wraps this binary if a DHCP client is needed)
# dnsmasq: REQUIRED (P4wnP1 A.L.O.A. currently wraps this binary if a DHCP server is needed, currently not used for DNS)
# genisoimage: allow creation of CD-Rom iso images for CD-Rom USB gadget from existing folders on the fly
# iodine: allow DNS tunneling
# dosfstools: contains fatlabel (used to label FAT32 iamges for UMS)
# Note on Go: The golang package is version 1.10, so we are missing support for current gopherjs (webclient couldn't be build on Pi) and go modules (replacement for dep)
extras="autossh avahi-daemon bash-completion bluez bluez-firmware dhcpcd5 dnsmasq dosfstools genisoimage golang haveged hostapd i2c-tools iodine policykit-1 python-configobj python-dev python-pip python-requests python-smbus wpasupplicant"
packages="${arm} ${base} ${services} ${extras}"
architecture="armel"
@@ -94,14 +102,16 @@ ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOF
# added wlan0 configuration to allow copying of wpa_supplicant.conf to work
mkdir -p kali-${architecture}/etc/network/
cat << EOF > kali-${architecture}/etc/network/interfaces
auto lo
iface lo inet loopback
EOF
cat << EOF > kali-${architecture}/etc/resolv.conf
nameserver 8.8.8.8
nameserver 1.1.1.1
EOF
export MALLOC_CHECK_=0 # workaround for LP: #520465
@@ -118,14 +128,31 @@ console-common console-data/keymap/full select en-latin1-nodeadkeys
EOF
# Create monitor mode start/remove
# The script returns an error code if the monitor interface couldn't be started
# Note: Removing this should be considered, as enabling the monitor interface once
# and using wpa_supplicant afterwards, crashs the WiFi firmware (even if the monitor
# interface is removed). Afterwards the 'brcmfmac' module has to be removed and
# loaded again (the driver push the firmware and restarts the fmac chip on init).
# Sometimes only a reboot works
cat << 'EOF' > kali-${architecture}/usr/bin/monstart
#!/bin/bash
interface=wlan0mon
echo "Bring up monitor mode interface ${interface}"
iw phy phy0 interface add ${interface} type monitor
ifconfig ${interface} up
echo -n "Create monitor mode interface ${interface}... "
iw phy phy0 interface add ${interface} type monitor 2> /dev/null 1> /dev/null
if [ $? -eq 0 ]; then
echo "started monitor interface on ${interface}"
echo "success"
else
echo "failed, already created ?"
fi
echo -n "Trying to enable ${interface}... "
ifconfig ${interface} up 2> /dev/null
if [ $? -eq 0 ]; then
echo "success, ${interface} is up"
exit 0
else
echo "failed"
exit 1
fi
EOF
chmod 755 kali-${architecture}/usr/bin/monstart
@@ -183,29 +210,18 @@ WantedBy=multi-user.target
EOF
chmod 644 "${basedir}"/kali-${architecture}/lib/systemd/system/enable-ssh.service
cat << EOF > "${basedir}"/kali-${architecture}/lib/systemd/system/copy-user-wpasupplicant.service
[Unit]
Description=Copy user wpa_supplicant.conf
ConditionPathExists=/boot/wpa_supplicant.conf
Before=dhcpcd.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/mv /boot/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant.conf
ExecStartPost=/bin/chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf
[Install]
WantedBy=multi-user.target
EOF
chmod 644 "${basedir}"/kali-${architecture}/lib/systemd/system/copy-user-wpasupplicant.service
# Bluetooth enabling
mkdir -p kali-${architecture}/lib/udev/rules.d/
cp "${basedir}"/../misc/pi-bluetooth/50-bluetooth-hci-auto-poweron.rules kali-${architecture}/lib/udev/rules.d/50-bluetooth-hci-auto-poweron.rules
cp "${basedir}"/../misc/pi-bluetooth/pi-bluetooth+re4son_2.2_all.deb kali-${architecture}/root/pi-bluetooth+re4son_2.2_all.deb
# Copy a default config, with everything commented out so people find it when
# they go to add something when they are following instructions on a website.
cp "${basedir}"/../misc/config.txt "${basedir}"/kali-${architecture}/boot/config.txt
# move P4wnP1 in (change to release blob when ready)
git clone -b 'v0.1.0-alpha2' --single-branch --depth 1 https://github.com/mame82/P4wnP1_aloa "${basedir}"/kali-${architecture}/root/P4wnP1
cat << EOF > kali-${architecture}/third-stage
#!/bin/bash
set -e
@@ -226,16 +242,13 @@ echo "root:toor" | chpasswd
rm -f /etc/udev/rules.d/70-persistent-net.rules
export DEBIAN_FRONTEND=noninteractive
apt-get --yes --allow-change-held-packages install ${packages} || apt-get --yes --fix-broken install
apt-get --yes --allow-change-held-packages install ${packages} || apt-get --yes --fix-broken install
apt-get --yes --allow-change-held-packages install ${desktop} ${tools} || apt-get --yes --fix-broken install
apt-get --yes --allow-change-held-packages install ${desktop} ${tools} || apt-get --yes --fix-broken install
apt-get --yes --allow-change-held-packages dist-upgrade
apt-get --yes --allow-change-held-packages autoremove
# Because copying in authorized_keys is hard for people to do, let's make the
# image insecure and enable root login with a password.
echo "Making the image insecure"
echo "Allow root login..."
sed -i -e 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# Resize FS on first run (hopefully)
@@ -245,8 +258,9 @@ systemctl enable rpiwiggle
systemctl enable regenerate_ssh_host_keys
systemctl enable ssh
# Install pi-bluetooth deb package from re4son
# Install and hold pi-bluetooth deb package from re4son
dpkg --force-all -i /root/pi-bluetooth+re4son_2.2_all.deb
apt-mark hold pi-bluetooth+re4son
# systemd version 232 and above breaks execution of above bluetooth rule, let's fix that
sed -i 's/^RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6.*/RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_BLUETOOTH/' /lib/systemd/system/systemd-udevd.service
@@ -254,21 +268,37 @@ sed -i 's/^RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6.*/Restric
# Enable bluetooth
systemctl unmask bluetooth.service
systemctl enable bluetooth
systemctl enable hciuart
# dhcpcd is needed by P4wnP1, but started on demand
# installation of dhcpcd5 package enables a systemd unit starting dhcpcd for all
# interfaces, which results in conflicts with DHCP servers running on created
# bridge interface (especially for the bteth BNEP bridge). To avoid this we
# disable the service. If communication problems occur, although DHCP leases
# are handed out by dnsmasq, dhcpcd should be the first place to look
# (no interface should hava an APIPA addr assigned, unless the DHCP client
# was explcitely enabled by P4wnP1 for this interface)
systemctl disable dhcpcd
# enable fake-hwclock (P4wnP1 is intended to reboot/loose power frequently without getting NTP access in between)
# a clean shutdown/reboot is needed, as fake-hwclock service saves time on stop
systemctl enable fake-hwclock
# Create cmdline.txt file
mkdir -p /boot
echo "dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait" > /boot/cmdline.txt
# Install P4wnP1 (kali version)
cd /root
git clone --depth 1 https://github.com/nethunteros/P4wnP1.git /root/P4wnP1
chmod 755 /root/P4wnP1/install.sh
cd /root/P4wnP1
git submodule update --init --recursive --remote
./install.sh
# Install P4wnP1 A.L.O.A.
cd /root/P4wnP1
make installkali
# add Designware DUAL role USB driver to loaded modules
echo "dwc2" | tee -a /etc/modules
echo "libcomposite" | tee -a /etc/modules
# allow root login from tyyGS0 (serial device for USB gadget)
echo ttyGS0 >> /etc/securetty
# add minutely cronjob to update fake-hwclock
echo '* * * * * root /usr/sbin/fake-hwclock' >> /etc/crontab
# Turn off kernel dmesg showing up in console since rpi0 only uses console
echo "dmesg -D" > /etc/rc.local
@@ -302,6 +332,7 @@ fi
cat << EOF > kali-${architecture}/cleanup
#!/bin/bash
rm -rf /root/.bash_history
rm -rf /root/P4wnP1_go
apt-get update
apt-get clean
rm -f /0
@@ -313,11 +344,6 @@ EOF
chmod 755 kali-${architecture}/cleanup
LANG=C systemd-nspawn -M ${machine} -D kali-${architecture} /cleanup
#umount kali-$architecture/proc/sys/fs/binfmt_misc
#umount kali-$architecture/dev/pts
#umount kali-$architecture/dev/
#umount kali-$architecture/proc
# Enable login over serial
echo "T0:23:respawn:/sbin/agetty -L ttyAMA0 115200 vt100" >> "${basedir}"/kali-${architecture}/etc/inittab
@@ -339,13 +365,43 @@ git clone --depth 1 https://github.com/raspberrypi/firmware.git rpi-firmware
cp -rf rpi-firmware/boot/* "${basedir}"/kali-${architecture}/boot/
rm -rf rpi-firmware
# Build nexmon firmware outside the build system, if we can (use repository with driver and firmware for P4wnP1).
cd "${basedir}"
git clone https://github.com/mame82/nexmon_wifi_covert_channel.git -b p4wnp1 "${basedir}"/nexmon --depth 1
# Setup build
cd ${TOPDIR}
git clone --depth 1 https://github.com/nethunteros/re4son-raspberrypi-linux.git -b rpi-4.14.80-re4son "${basedir}"/kali-${architecture}/usr/src/kernel
# Re4son kernel 4.14.80 with P4wnP1 patches (dwc2 and brcmfmac)
git clone --depth 1 https://github.com/Re4son/re4son-raspberrypi-linux -b rpi-4.14.80-re4son-p4wnp1 "${basedir}"/kali-${architecture}/usr/src/kernel
cd "${basedir}"/kali-${architecture}/usr/src/kernel
# Note: Compiling the kernel in /usr/src/kernel of the target file system is problematic, as the binaries of the compiling host architecture
# get deployed to the /usr/src/kernel/scripts subfolder (in this case linux-x64 binaries), which is symlinked to /usr/src/build later on.
# This would f.e. hinder rebuilding single modules, like nexmon's brcmfmac driver, on the Pi itself (online compilation).
# The cause:building of modules relies on the pre-built binaries in /usr/src/build folder. But the helper binaries are compiled with the
# HOST toolchain and not with the crosscompiler toolchain (f.e. /usr/src/kernel/script/basic/fixdep would end up as x64 binary, as this helper
# is not compiled with the CROSS toolchain). As those scripts are used druing module build, it wouldn't work to build on the pi, later on,
# without recompiling the helper binaries with the proper crosscompiler toolchain.
#
# To account for that, the 'script' subfolder could be rebuild on the target (online) by running `make scripts/` from /usr/src/kernel folder.
# Rebuilding the script, again, depends on additional tooling, like `bc` binary, which has to be installed.
#
# Currently the step of recompiling the kernel/scripts folder has to be done manually online, but it should be possible to do it after kernel
# build, by setting the host compiler (CC) to the gcc of the linaro-arm-linux-gnueabihf-raspbian-x64 toolchain (not only the CROSS_COMPILE).
# The problem is, that the used linaro toolchain builds for armhf (not a problem for kernel, as there're no dependencies on hf librearies),
# but the debian packages (and the provided gcc) are armel.
#
# To clean up this whole "armel" vs "armhf" mess, the kernel should be compiled with a armel toolchain (best choice would be the toolchain
# which is used to build the kali armel packages itself, which is hopefully available for linux-x64)
#
# For now this is left as manual step, as the normal user shouldn't have a need to recompile kernel parts on the Pi itself.
# Set default defconfig
export ARCH=arm
# use hard float with RPi cross compiler toolchain, as described here: https://www.raspberrypi.org/documentation/linux/kernel/building.md
export CROSS_COMPILE=arm-linux-gnueabi-
# Set default defconfig
@@ -366,7 +422,6 @@ cp arch/arm/boot/dts/overlays/README "${basedir}"/kali-${architecture}/boot/over
make mrproper
make re4son_pi1_defconfig
# Fix up the symlink for building external modules
# kernver is used so we don't need to keep track of what the current compiled
# version is
@@ -401,10 +456,11 @@ mkdir -p "${basedir}"/kali-${architecture}/root/scripts
wget https://raw.github.com/steev/rpiwiggle/master/rpi-wiggle -O "${basedir}"/kali-${architecture}/root/scripts/rpi-wiggle.sh
chmod 755 "${basedir}"/kali-${architecture}/root/scripts/rpi-wiggle.sh
# Build nexmon firmware outside the build system, if we can.
cd "${basedir}"
git clone https://github.com/seemoo-lab/nexmon.git "${basedir}"/nexmon --depth 1
# git clone of nexmon moved in front of kernel compilation, to have poper brcmfmac driver ready
cd "${basedir}"/nexmon
# Make sure we're not still using the armel cross compiler
unset CROSS_COMPILE
# Disable statistics
touch DISABLE_STATISTICS
source setup_env.sh
@@ -415,25 +471,21 @@ CC=$CCgcc
make
sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/Makefile
cd ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon
# Make sure we use the cross compiler to build the firmware.
# We use the x86 cross compiler because we're building on amd64
unset CROSS_COMPILE
#export CROSS_COMPILE=${NEXMON_ROOT}/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
make clean
# We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
LD_LIBRARY_PATH=${NEXMON_ROOT}/buildtools/isl-0.10/.libs make ARCH=arm CC=${NEXMON_ROOT}/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
# RPi0w->3B firmware
# disable nexmon by default
mkdir -p "${basedir}"/kali-${architecture}/lib/firmware/brcm
cp ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.nexmon.bin
cp ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.bin
wget https://raw.githubusercontent.com/RPi-Distro/firmware-nonfree/master/brcm/brcmfmac43430-sdio.txt -O "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.txt
# Bluetooth Firmware(?)
wget https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM4345C0.hcd -O "${basedir}"/kali-${architecture}/lib/firmware/brcm/BCM4345C0.hcd
wget https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM43430A1.hcd -O "${basedir}"/kali-${architecture}/lib/firmware/brcm/BCM43430A1.hcd
# Make a backup copy of the rpi firmware in case people don't want to use the nexmon firmware.
# The firmware used on the RPi is not the same firmware that is in the firmware-brcm package which is why we do this.
wget https://raw.githubusercontent.com/RPi-Distro/firmware-nonfree/master/brcm/brcmfmac43430-sdio.bin -O "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.rpi.bin
cd "${basedir}"
#cp "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.rpi.bin "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.bin
cp "${basedir}"/../misc/brcm/BCM43430A1.hcd "${basedir}"/kali-${architecture}/lib/firmware/brcm/BCM43430A1.hcd
cd "${basedir}"
@@ -442,10 +494,6 @@ chmod 755 "${basedir}"/kali-${architecture}/etc/init.d/zram
sed -i -e 's/^#PermitRootLogin.*/PermitRootLogin yes/' "${basedir}"/kali-${architecture}/etc/ssh/sshd_config
echo "Running du to see how big kali-${architecture} is"
du -sh "${basedir}"/kali-${architecture}
echo "the above is how big the sdcard needs to be"
# Create the disk and partition it
echo "Creating image file ${imagename}.img"
dd if=/dev/zero of="${basedir}"/${imagename}.img bs=1M count=${size}
@@ -493,10 +541,6 @@ EOF
echo "Rsyncing rootfs into image file"
rsync -HPavz -q "${basedir}"/kali-${architecture}/ "${basedir}"/root/
# Build nexmon
#LANG=C systemd-nspawn -M ${machine} -D "${basedir}"/root/ /bin/bash -c "cd /root && gcc -Wall -shared -o libfakeuname.so fakeuname.c"
#LANG=C systemd-nspawn -M ${machine} -D "${basedir}"/root/ /bin/bash -c "LD_PRELOAD=/root/libfakeuname.so /root/buildnexmon.sh"
# Unmount partitions
sync
umount ${bootp}
@@ -509,7 +553,6 @@ MACHINE_TYPE=`uname -m`
if [ ${MACHINE_TYPE} == 'x86_64' ]; then
echo "Compressing ${imagename}.img"
pixz "${basedir}"/${imagename}.img "${basedir}"/../${imagename}.img.xz
rm "${basedir}"/${imagename}.img
fi
# Clean up all the temporary build stuff and remove the directories.