Examples

projectbtle edited this page Oct 1, 2021 · 11 revisions

Testing Nordic BLE binaries

Nordic uses supervisor calls to perform configuration operations on the BLE stack. To execute argXtract against the example Nordic BLE binary, use the following command from the project root folder: python start.py -f examples/nordic_ble/nordic_ble.bin -M s -v nordic_ble

The output will be in the output folder. The name will be the SHA256 hash of the nordic_ble.bin. The expected output is provided in examples/nordic_ble/nordic_ble_output.json.

Additional tests

Only four Nordic BLE API calls are "enabled" by default: sd_ble_gap_device_name_set, sd_ble_uuid_vs_add, sd_ble_gatts_service_add, sd_ble_gatts_characteristic_add. The example binary nordic_ble.bin contains these four calls. The names reflect the functionality pretty well without the need for explanation :)

The argxtract/resources/vendor/nordic_ble/args/ folder contains many other API calls that you can test for. To "enable" testing against them, simply rename the files from .jsonx to .json. Similarly, to "disable" the checking of any API call, rename the associated argument definition file to anything other than *.json.

We have provided additional example binaries to test for:

  • Fixed passkeys (test binary: nordic_ble_passkey.bin; enable only sd_ble_opt_set.json). The output file will indicate a passkey of "313233343536", which is hex for "123456".
  • Fixed advertising addresses (test binary: nordic_ble_address.bin; enable only sd_ble_gap_address_set.json). The output file will indicate addr_type=1 (which, according to the Nordic SDK, is a random static address). The output file shows that the fixed address is "010101010101".

Note that all example binaries were generated by us.
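The following shell helpers cover the workflow described above: locating the output file by the SHA256 name of the input binary, enabling exactly one set of API argument definitions by renaming .jsonx/.json files, and decoding a passkey reported as hex (e.g. "313233343536"). They are added here as an example and are not part of argXtract; that the output file carries a .json extension and that sha256sum (or shasum) is available are assumptions.

```shell
#!/bin/sh
# Helpers for the argXtract example workflow (added example, not project code).
# Assumption: argXtract writes output/<sha256-of-input>.json (extension assumed).

# Print the path where argXtract will write the result for a given input binary.
# $1 = input binary, $2 = output folder (defaults to "output").
expected_output_path() {
    if command -v sha256sum >/dev/null 2>&1; then
        hash=$(sha256sum "$1" | cut -d' ' -f1)
    else
        hash=$(shasum -a 256 "$1" | cut -d' ' -f1)   # macOS fallback
    fi
    printf '%s/%s.json\n' "${2:-output}" "$hash"
}

# Enable exactly the named API definitions in an args/ folder:
# every *.json becomes *.jsonx (disabled), then each listed name is
# renamed back from .jsonx to .json (argXtract only reads *.json).
# Usage: enable_only argxtract/resources/vendor/nordic_ble/args sd_ble_opt_set
enable_only() {
    dir="$1"; shift
    for f in "$dir"/*.json; do
        if [ -e "$f" ]; then mv "$f" "${f}x"; fi
    done
    for name in "$@"; do
        if [ -e "$dir/$name.jsonx" ]; then mv "$dir/$name.jsonx" "$dir/$name.json"; fi
    done
}

# Decode a hex string as reported in the output file into ASCII,
# e.g. the passkey "313233343536" decodes to "123456".
hex_to_ascii() {
    hex="$1"; out=""
    while [ -n "$hex" ]; do
        byte=$((0x$(printf '%.2s' "$hex")))          # first two hex digits
        out="$out$(printf "\\$(printf '%03o' "$byte")")"   # byte -> octal escape
        hex="${hex#??}"
    done
    printf '%s\n' "$out"
}

# Run the documented Nordic BLE command and diff against the shipped expectation.
run_nordic_ble_example() {
    python start.py -f examples/nordic_ble/nordic_ble.bin -M s -v nordic_ble
    diff "$(expected_output_path examples/nordic_ble/nordic_ble.bin)" \
         examples/nordic_ble/nordic_ble_output.json
}
```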

Testing Nordic ANT binaries

Supervisor calls are also used by Nordic for its ANT stack. To execute argXtract against the example Nordic ANT binary, use the following command from the project root folder: python start.py -f examples/nordic_ant/nordic_ant.bin -M s -v nordic_ant

The expected output is provided in examples/nordic_ant/nordic_ant_output.json.

Note that in the given example binary (which was generated by us), all of the defined channels have encryption enabled, i.e., ucNumberOfEncryptedChannels=ucTotalNumberOfChannels=15. This is in contrast with the real-world binaries described in our paper, where none had encryption enabled.

Testing ST BlueNRG (BLE) binaries

ST uses normal functions for its configuration operations. To execute argXtract against the example ST BLE binary, use the following command from the project root folder: python start.py -f examples/st_ble/st_ble.bin -M f -v stm -m 0

Note the different mode (-M f, function mode) used in this command.

Because this test requires function pattern matching, i.e., identifying one function out of several hundred, it will take a lot longer (several hours) than for the Nordic tests.

The expected output is provided in examples/st_ble/st_ble_output.json.

Additional tests

The API call enabled by default is aci_gap_init, which is used to set the privacy option (among other things). Additional function patterns are provided for aci_hal_write_config_data, which is used to set a device's public address (among other things), and aci_gap_set_io_capability, which is used to set the device's I/O capability (and which is the first step in specifying BLE security). To test for these API calls, rename the relevant files within argxtract/resources/vendor/stm/args/ and argxtract/resources/vendor/stm/fpfs/ from .jsonx to .json. Be aware that this will significantly increase analysis time.