diff --git a/misc/brcm/BCM43430A1.hcd b/misc/brcm/BCM43430A1.hcd new file mode 100644 index 0000000..162275a Binary files /dev/null and b/misc/brcm/BCM43430A1.hcd differ diff --git a/rpi0w-nexmon-p4wnp1.sh b/rpi0w-nexmon-p4wnp1-aloa.sh similarity index 68% rename from rpi0w-nexmon-p4wnp1.sh rename to rpi0w-nexmon-p4wnp1-aloa.sh index 06db699..84952af 100755 --- a/rpi0w-nexmon-p4wnp1.sh +++ b/rpi0w-nexmon-p4wnp1-aloa.sh @@ -1,9 +1,11 @@ #!/bin/bash set -e -# This is the Raspberry Pi Kali 0-W Nexmon ARM build script - http://www.kali.org/downloads -# A trusted Kali Linux image created by Offensive Security - http://www.offensive-security.com -# Maintained by @binkybear +###### +# This is a work in progress script for P4wnP1 A.L.O.A. based on @binkybear's built script for P4wnP1 +# +########## + if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" @@ -15,15 +17,15 @@ if [[ $# -eq 0 ]] ; then exit 0 fi -basedir=`pwd`/rpi0w-nexmon-p4wnp1-$1 +basedir=`pwd`/rpi0w-nexmon-p4wnp1-aloa-$1 TOPDIR=`pwd` # Custom hostname variable hostname=${2:-kali} # Custom image name variable - MUST NOT include .img at the end. -imagename=${3:-kali-linux-$1-rpi0w-nexmon-p4wnp1} +imagename=${3:-kali-linux-$1-rpi0w-nexmon-p4wnp1-aloa} # Size of image in megabytes (Default is 4500=4.5GB) -size=4500 +size=6000 # Suite to use. # Valid options are: # kali-rolling, kali-dev, kali-bleeding-edge, kali-dev-only, kali-experimental, kali-last-snapshot @@ -35,7 +37,7 @@ suite=kali-rolling machine=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) # Package installations for various sections. -# This will build a minimal XFCE Kali system with the top 10 tools. +# This will build a minimal Kali system with the top 10 tools. # This is the section to edit if you would like to add more packages. # See http://www.kali.org/new/kali-linux-metapackages/ for meta packages you can # use. You can also install packages, using just the package name, but keep in @@ -43,13 +45,19 @@ machine=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) # script will throw an error, but will still continue on, and create an unusable # image, keep that in mind. -arm="abootimg cgpt fake-hwclock ntpdate u-boot-tools vboot-utils vboot-kernel-utils" -base="apt-transport-https apt-utils console-setup e2fsprogs firmware-linux firmware-realtek firmware-atheros firmware-libertas ifupdown initramfs-tools iw kali-defaults man-db mlocate netcat-traditional net-tools parted psmisc rfkill screen snmpd snmp sudo tftp tmux unrar usbutils vim wget zerofree" -#desktop="kali-menu fonts-croscore fonts-crosextra-caladea fonts-crosextra-carlito gtk3-engines-xfce kali-desktop-xfce kali-root-login lightdm network-manager network-manager-gnome xfce4 xserver-xorg-video-fbdev xserver-xorg-input-evdev xserver-xorg-input-synaptics" -tools="aircrack-ng crunch cewl dnsrecon dnsutils ethtool exploitdb hydra john libnfc-bin medusa metasploit-framework mfoc ncrack nmap passing-the-hash proxychains recon-ng sqlmap tcpdump theharvester tor tshark usbutils whois windows-binaries winexe wpscan" -services="apache2 haveged openssh-server openvpn" -extras="bluez bluez-firmware i2c-tools python-configobj python-pip python-requests python-rpi.gpio python-smbus wpasupplicant" - +arm="fake-hwclock ntpdate u-boot-tools" +tools="aircrack-ng crunch cewl dnsrecon dnsutils ethtool exploitdb hydra medusa metasploit-framework ncrack nmap passing-the-hash proxychains recon-ng sqlmap tcpdump theharvester tor tshark usbutils whois windows-binaries winexe wpscan" +base="apt-transport-https apt-utils console-setup e2fsprogs firmware-linux firmware-realtek firmware-atheros ifupdown initramfs-tools iw kali-defaults man-db mlocate netcat-traditional net-tools parted psmisc rfkill screen snmpd snmp tftp tmux unrar usbutils vim wget zerofree" +services="apache2 atftpd openssh-server openvpn" +# haveged: assure enough entropy data for hostapd on startup +# avahi-daemon: allow mDNS resolution (apple bonjour) by remote hosts +# dhcpcd5: REQUIRED (P4wnP1 A.L.O.A. currently wraps this binary if a DHCP client is needed) +# dnsmasq: REQUIRED (P4wnP1 A.L.O.A. currently wraps this binary if a DHCP server is needed, currently not used for DNS) +# genisoimage: allow creation of CD-Rom iso images for CD-Rom USB gadget from existing folders on the fly +# iodine: allow DNS tunneling +# dosfstools: contains fatlabel (used to label FAT32 iamges for UMS) +# Note on Go: The golang package is version 1.10, so we are missing support for current gopherjs (webclient couldn't be build on Pi) and go modules (replacement for dep) +extras="autossh avahi-daemon bash-completion bluez bluez-firmware dhcpcd5 dnsmasq dosfstools genisoimage golang haveged hostapd i2c-tools iodine policykit-1 python-configobj python-dev python-pip python-requests python-smbus wpasupplicant" packages="${arm} ${base} ${services} ${extras}" architecture="armel" @@ -94,14 +102,16 @@ ff02::1 ip6-allnodes ff02::2 ip6-allrouters EOF +# added wlan0 configuration to allow copying of wpa_supplicant.conf to work mkdir -p kali-${architecture}/etc/network/ cat << EOF > kali-${architecture}/etc/network/interfaces auto lo iface lo inet loopback + EOF cat << EOF > kali-${architecture}/etc/resolv.conf -nameserver 8.8.8.8 +nameserver 1.1.1.1 EOF export MALLOC_CHECK_=0 # workaround for LP: #520465 @@ -118,14 +128,31 @@ console-common console-data/keymap/full select en-latin1-nodeadkeys EOF # Create monitor mode start/remove +# The script returns an error code if the monitor interface couldn't be started +# Note: Removing this should be considered, as enabling the monitor interface once +# and using wpa_supplicant afterwards, crashs the WiFi firmware (even if the monitor +# interface is removed). Afterwards the 'brcmfmac' module has to be removed and +# loaded again (the driver push the firmware and restarts the fmac chip on init). +# Sometimes only a reboot works cat << 'EOF' > kali-${architecture}/usr/bin/monstart #!/bin/bash interface=wlan0mon -echo "Bring up monitor mode interface ${interface}" -iw phy phy0 interface add ${interface} type monitor -ifconfig ${interface} up +echo -n "Create monitor mode interface ${interface}... " +iw phy phy0 interface add ${interface} type monitor 2> /dev/null 1> /dev/null if [ $? -eq 0 ]; then - echo "started monitor interface on ${interface}" + echo "success" +else + echo "failed, already created ?" +fi + +echo -n "Trying to enable ${interface}... " +ifconfig ${interface} up 2> /dev/null +if [ $? -eq 0 ]; then + echo "success, ${interface} is up" + exit 0 +else + echo "failed" + exit 1 fi EOF chmod 755 kali-${architecture}/usr/bin/monstart @@ -183,29 +210,18 @@ WantedBy=multi-user.target EOF chmod 644 "${basedir}"/kali-${architecture}/lib/systemd/system/enable-ssh.service -cat << EOF > "${basedir}"/kali-${architecture}/lib/systemd/system/copy-user-wpasupplicant.service -[Unit] -Description=Copy user wpa_supplicant.conf -ConditionPathExists=/boot/wpa_supplicant.conf -Before=dhcpcd.service - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/bin/mv /boot/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant.conf -ExecStartPost=/bin/chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf - -[Install] -WantedBy=multi-user.target -EOF -chmod 644 "${basedir}"/kali-${architecture}/lib/systemd/system/copy-user-wpasupplicant.service - +# Bluetooth enabling +mkdir -p kali-${architecture}/lib/udev/rules.d/ +cp "${basedir}"/../misc/pi-bluetooth/50-bluetooth-hci-auto-poweron.rules kali-${architecture}/lib/udev/rules.d/50-bluetooth-hci-auto-poweron.rules cp "${basedir}"/../misc/pi-bluetooth/pi-bluetooth+re4son_2.2_all.deb kali-${architecture}/root/pi-bluetooth+re4son_2.2_all.deb # Copy a default config, with everything commented out so people find it when # they go to add something when they are following instructions on a website. cp "${basedir}"/../misc/config.txt "${basedir}"/kali-${architecture}/boot/config.txt +# move P4wnP1 in (change to release blob when ready) +git clone -b 'v0.1.0-alpha2' --single-branch --depth 1 https://github.com/mame82/P4wnP1_aloa "${basedir}"/kali-${architecture}/root/P4wnP1 + cat << EOF > kali-${architecture}/third-stage #!/bin/bash set -e @@ -226,16 +242,13 @@ echo "root:toor" | chpasswd rm -f /etc/udev/rules.d/70-persistent-net.rules export DEBIAN_FRONTEND=noninteractive apt-get --yes --allow-change-held-packages install ${packages} || apt-get --yes --fix-broken install -apt-get --yes --allow-change-held-packages install ${packages} || apt-get --yes --fix-broken install -apt-get --yes --allow-change-held-packages install ${desktop} ${tools} || apt-get --yes --fix-broken install apt-get --yes --allow-change-held-packages install ${desktop} ${tools} || apt-get --yes --fix-broken install apt-get --yes --allow-change-held-packages dist-upgrade apt-get --yes --allow-change-held-packages autoremove # Because copying in authorized_keys is hard for people to do, let's make the # image insecure and enable root login with a password. - -echo "Making the image insecure" +echo "Allow root login..." sed -i -e 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config # Resize FS on first run (hopefully) @@ -245,8 +258,9 @@ systemctl enable rpiwiggle systemctl enable regenerate_ssh_host_keys systemctl enable ssh -# Install pi-bluetooth deb package from re4son +# Install and hold pi-bluetooth deb package from re4son dpkg --force-all -i /root/pi-bluetooth+re4son_2.2_all.deb +apt-mark hold pi-bluetooth+re4son # systemd version 232 and above breaks execution of above bluetooth rule, let's fix that sed -i 's/^RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6.*/RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_BLUETOOTH/' /lib/systemd/system/systemd-udevd.service @@ -254,21 +268,37 @@ sed -i 's/^RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6.*/Restric # Enable bluetooth systemctl unmask bluetooth.service systemctl enable bluetooth +systemctl enable hciuart +# dhcpcd is needed by P4wnP1, but started on demand +# installation of dhcpcd5 package enables a systemd unit starting dhcpcd for all +# interfaces, which results in conflicts with DHCP servers running on created +# bridge interface (especially for the bteth BNEP bridge). To avoid this we +# disable the service. If communication problems occur, although DHCP leases +# are handed out by dnsmasq, dhcpcd should be the first place to look +# (no interface should hava an APIPA addr assigned, unless the DHCP client +# was explcitely enabled by P4wnP1 for this interface) +systemctl disable dhcpcd + +# enable fake-hwclock (P4wnP1 is intended to reboot/loose power frequently without getting NTP access in between) +# a clean shutdown/reboot is needed, as fake-hwclock service saves time on stop +systemctl enable fake-hwclock # Create cmdline.txt file mkdir -p /boot echo "dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait" > /boot/cmdline.txt -# Install P4wnP1 (kali version) -cd /root -git clone --depth 1 https://github.com/nethunteros/P4wnP1.git /root/P4wnP1 -chmod 755 /root/P4wnP1/install.sh -cd /root/P4wnP1 -git submodule update --init --recursive --remote -./install.sh +# Install P4wnP1 A.L.O.A. +cd /root/P4wnP1 +make installkali +# add Designware DUAL role USB driver to loaded modules echo "dwc2" | tee -a /etc/modules -echo "libcomposite" | tee -a /etc/modules + +# allow root login from tyyGS0 (serial device for USB gadget) +echo ttyGS0 >> /etc/securetty + +# add minutely cronjob to update fake-hwclock +echo '* * * * * root /usr/sbin/fake-hwclock' >> /etc/crontab # Turn off kernel dmesg showing up in console since rpi0 only uses console echo "dmesg -D" > /etc/rc.local @@ -302,6 +332,7 @@ fi cat << EOF > kali-${architecture}/cleanup #!/bin/bash rm -rf /root/.bash_history +rm -rf /root/P4wnP1_go apt-get update apt-get clean rm -f /0 @@ -313,11 +344,6 @@ EOF chmod 755 kali-${architecture}/cleanup LANG=C systemd-nspawn -M ${machine} -D kali-${architecture} /cleanup -#umount kali-$architecture/proc/sys/fs/binfmt_misc -#umount kali-$architecture/dev/pts -#umount kali-$architecture/dev/ -#umount kali-$architecture/proc - # Enable login over serial echo "T0:23:respawn:/sbin/agetty -L ttyAMA0 115200 vt100" >> "${basedir}"/kali-${architecture}/etc/inittab @@ -339,13 +365,43 @@ git clone --depth 1 https://github.com/raspberrypi/firmware.git rpi-firmware cp -rf rpi-firmware/boot/* "${basedir}"/kali-${architecture}/boot/ rm -rf rpi-firmware +# Build nexmon firmware outside the build system, if we can (use repository with driver and firmware for P4wnP1). +cd "${basedir}" +git clone https://github.com/mame82/nexmon_wifi_covert_channel.git -b p4wnp1 "${basedir}"/nexmon --depth 1 + # Setup build cd ${TOPDIR} -git clone --depth 1 https://github.com/nethunteros/re4son-raspberrypi-linux.git -b rpi-4.14.80-re4son "${basedir}"/kali-${architecture}/usr/src/kernel +# Re4son kernel 4.14.80 with P4wnP1 patches (dwc2 and brcmfmac) +git clone --depth 1 https://github.com/Re4son/re4son-raspberrypi-linux -b rpi-4.14.80-re4son-p4wnp1 "${basedir}"/kali-${architecture}/usr/src/kernel + + cd "${basedir}"/kali-${architecture}/usr/src/kernel +# Note: Compiling the kernel in /usr/src/kernel of the target file system is problematic, as the binaries of the compiling host architecture +# get deployed to the /usr/src/kernel/scripts subfolder (in this case linux-x64 binaries), which is symlinked to /usr/src/build later on. +# This would f.e. hinder rebuilding single modules, like nexmon's brcmfmac driver, on the Pi itself (online compilation). +# The cause:building of modules relies on the pre-built binaries in /usr/src/build folder. But the helper binaries are compiled with the +# HOST toolchain and not with the crosscompiler toolchain (f.e. /usr/src/kernel/script/basic/fixdep would end up as x64 binary, as this helper +# is not compiled with the CROSS toolchain). As those scripts are used druing module build, it wouldn't work to build on the pi, later on, +# without recompiling the helper binaries with the proper crosscompiler toolchain. +# +# To account for that, the 'script' subfolder could be rebuild on the target (online) by running `make scripts/` from /usr/src/kernel folder. +# Rebuilding the script, again, depends on additional tooling, like `bc` binary, which has to be installed. +# +# Currently the step of recompiling the kernel/scripts folder has to be done manually online, but it should be possible to do it after kernel +# build, by setting the host compiler (CC) to the gcc of the linaro-arm-linux-gnueabihf-raspbian-x64 toolchain (not only the CROSS_COMPILE). +# The problem is, that the used linaro toolchain builds for armhf (not a problem for kernel, as there're no dependencies on hf librearies), +# but the debian packages (and the provided gcc) are armel. +# +# To clean up this whole "armel" vs "armhf" mess, the kernel should be compiled with a armel toolchain (best choice would be the toolchain +# which is used to build the kali armel packages itself, which is hopefully available for linux-x64) +# +# For now this is left as manual step, as the normal user shouldn't have a need to recompile kernel parts on the Pi itself. + + # Set default defconfig export ARCH=arm +# use hard float with RPi cross compiler toolchain, as described here: https://www.raspberrypi.org/documentation/linux/kernel/building.md export CROSS_COMPILE=arm-linux-gnueabi- # Set default defconfig @@ -366,7 +422,6 @@ cp arch/arm/boot/dts/overlays/README "${basedir}"/kali-${architecture}/boot/over make mrproper make re4son_pi1_defconfig - # Fix up the symlink for building external modules # kernver is used so we don't need to keep track of what the current compiled # version is @@ -401,10 +456,11 @@ mkdir -p "${basedir}"/kali-${architecture}/root/scripts wget https://raw.github.com/steev/rpiwiggle/master/rpi-wiggle -O "${basedir}"/kali-${architecture}/root/scripts/rpi-wiggle.sh chmod 755 "${basedir}"/kali-${architecture}/root/scripts/rpi-wiggle.sh -# Build nexmon firmware outside the build system, if we can. -cd "${basedir}" -git clone https://github.com/seemoo-lab/nexmon.git "${basedir}"/nexmon --depth 1 +# git clone of nexmon moved in front of kernel compilation, to have poper brcmfmac driver ready cd "${basedir}"/nexmon +# Make sure we're not still using the armel cross compiler +unset CROSS_COMPILE + # Disable statistics touch DISABLE_STATISTICS source setup_env.sh @@ -415,25 +471,21 @@ CC=$CCgcc make sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/Makefile cd ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon -# Make sure we use the cross compiler to build the firmware. -# We use the x86 cross compiler because we're building on amd64 -unset CROSS_COMPILE -#export CROSS_COMPILE=${NEXMON_ROOT}/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi- make clean # We do this so we don't have to install the ancient isl version into /usr/local/lib on systems. LD_LIBRARY_PATH=${NEXMON_ROOT}/buildtools/isl-0.10/.libs make ARCH=arm CC=${NEXMON_ROOT}/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi- # RPi0w->3B firmware +# disable nexmon by default mkdir -p "${basedir}"/kali-${architecture}/lib/firmware/brcm cp ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.nexmon.bin cp ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.bin wget https://raw.githubusercontent.com/RPi-Distro/firmware-nonfree/master/brcm/brcmfmac43430-sdio.txt -O "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.txt -# Bluetooth Firmware(?) -wget https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM4345C0.hcd -O "${basedir}"/kali-${architecture}/lib/firmware/brcm/BCM4345C0.hcd -wget https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM43430A1.hcd -O "${basedir}"/kali-${architecture}/lib/firmware/brcm/BCM43430A1.hcd # Make a backup copy of the rpi firmware in case people don't want to use the nexmon firmware. # The firmware used on the RPi is not the same firmware that is in the firmware-brcm package which is why we do this. wget https://raw.githubusercontent.com/RPi-Distro/firmware-nonfree/master/brcm/brcmfmac43430-sdio.bin -O "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.rpi.bin -cd "${basedir}" +#cp "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.rpi.bin "${basedir}"/kali-${architecture}/lib/firmware/brcm/brcmfmac43430-sdio.bin + +cp "${basedir}"/../misc/brcm/BCM43430A1.hcd "${basedir}"/kali-${architecture}/lib/firmware/brcm/BCM43430A1.hcd cd "${basedir}" @@ -442,10 +494,6 @@ chmod 755 "${basedir}"/kali-${architecture}/etc/init.d/zram sed -i -e 's/^#PermitRootLogin.*/PermitRootLogin yes/' "${basedir}"/kali-${architecture}/etc/ssh/sshd_config -echo "Running du to see how big kali-${architecture} is" -du -sh "${basedir}"/kali-${architecture} -echo "the above is how big the sdcard needs to be" - # Create the disk and partition it echo "Creating image file ${imagename}.img" dd if=/dev/zero of="${basedir}"/${imagename}.img bs=1M count=${size} @@ -493,10 +541,6 @@ EOF echo "Rsyncing rootfs into image file" rsync -HPavz -q "${basedir}"/kali-${architecture}/ "${basedir}"/root/ -# Build nexmon -#LANG=C systemd-nspawn -M ${machine} -D "${basedir}"/root/ /bin/bash -c "cd /root && gcc -Wall -shared -o libfakeuname.so fakeuname.c" -#LANG=C systemd-nspawn -M ${machine} -D "${basedir}"/root/ /bin/bash -c "LD_PRELOAD=/root/libfakeuname.so /root/buildnexmon.sh" - # Unmount partitions sync umount ${bootp} @@ -509,7 +553,6 @@ MACHINE_TYPE=`uname -m` if [ ${MACHINE_TYPE} == 'x86_64' ]; then echo "Compressing ${imagename}.img" pixz "${basedir}"/${imagename}.img "${basedir}"/../${imagename}.img.xz -rm "${basedir}"/${imagename}.img fi # Clean up all the temporary build stuff and remove the directories.