Comment 265 for bug 1189721

Jan Vodochalek (kukulo2011) wrote :

@Host

Can you trace this routine inside rtbt with the edb debugger?

/*
 * Decompiler output for the rtbt routine at 0x00486064 (the decompiled file
 * is referenced in the thread).  From the name it presumably handles the
 * reply to a Secure Simple Pairing user-confirmation request -- TODO confirm
 * against a debugger trace.  The _vNN / _tNN names are the decompiler's own:
 * the _tNN temporaries are read here before any visible assignment, so they
 * most likely stand for incoming argument/register values.  All *(_v16 + N)
 * accesses are byte (& 255) or 16-bit (& 65535) fields of the link table
 * entry; their meaning is inferred only from how this routine uses them.
 */
LMssp_LM_User_Confirmation_Request_Reply()
{// addr = 0x00486064
    long long _v16; // _cfa_fffffff0  -- the link table entry pointer (see lookup below)
    long long _v32; // _cfa_ffffffe0
    long long _v40; // _cfa_ffffffd8
    long long _v48; // _cfa_ffffffd0  -- later passed to write_du()
    _unknown_ __rbp; // r59
    long long _t73; // _t73
    long long _t96; // _t96
    long long _t102; // _t102
    long long _t109; // _t109
    long long _t110; // _t110  -- written immediately before several calls; looks like the call argument register -- confirm

    _v32 = _t102;
    _v40 = _t109;
    _v48 = _t96;
    _t73 = _v40;
    _t110 = _t73;
    LM_Find_Link_Table_Entry();
    _v16 = _t73; // presumably the lookup result; the decompiler shows no explicit return value
    if(_v16 == 0) {
        return; // no link table entry: nothing to do
    }
    // The 16-bit field at offset 122 is compared with 31 here and assigned 32 or 33
    // below, so it behaves like a per-link state value; the routine only acts in state 31.
    if(( *(_v16 + 122) & 65535) == 31) { // *(_v16 + 122) & 65535) = 31
        if(( *(_v16 + 219) & 255) != 0) {
            DM_Clear_Timer(); //0x0049bbf4 //timer cleared
             *(_v16 + 219) = 0; // reset the byte flag that guarded the timer clear
        }
        if(( *(_v16 + 216) & 255) == 0) {
             *(_v16 + 221) = 1;
            // Author's observation: on the failing system the byte at offset 220 is zero,
            // so this branch is taken and no LMP DH key check is ever sent.
            if(( *(_v16 + 220) & 255) == 0) { //0x48615c we go here
                 *(_v16 + 122) = 33; //put 33 decimal value to pointer *(_v16 + 122) and quit writing du
            } else {
                // Always true on this path: offset 221 was set to 1 just above.
                if(( *(_v16 + 221) & 255) == 1) {
                    r8d = 65; // register set right before the call; presumably an argument (0x41) -- confirm
                    LMP_Send_Accepted(); //0x00494DF6
                    _t110 = _v16;
                    _LMssp_Send_LMP_DH_Key_Check() //0x0048983A  (semicolon missing in this paste)
                   }
            }
        } else {
             *(_v16 + 221) = 1;
            if(( *(_v16 + 225) & 255) != 0) {
                _t110 = _v16;
                _LMssp_Send_LMP_DH_Key_Check();//0x0048983A
                 *(_v16 + 122) = 32; // state advances to 32 only after the DH key check is sent
            }
        }
        // Reached on every state-31 path, including the one that skipped the DH key check.
        write_du(6, _v16 + 424, _v48, _t110); //we get here and quit
        return;
    } else {
        return; // any other state: ignore the reply
    }
    // NOTE(review): the function's closing brace is missing from this paste.

Somehow the value at *(_v16 + 220) in this routine is zero, and the program quits before _LMssp_Send_LMP_DH_Key_Check() is reached. This is not the case on Ubuntu 12.04 and 12.10, where pairing works. I would be interested in how it behaves on Ubuntu 12.10. You will need a Bluetooth v4 device in order to pair in simple secure mode and reach this routine.

The decompiled file is provided in the earlier post.