tkaiser Posted August 17, 2017

At Black Hat 2017 security researcher Nitay Artenstein showed a vulnerability affecting millions of smartphones he called BroadPwn. The bug/vulnerability sits inside the firmware blobs, but I didn't pay that much attention since I thought it would be related to recent smartphones, and at least the one I use still receives full security fix support now in the 5th year. But when I heard that the latest Raspbian release contains a fix for BroadPwn (RPi 3 and Zero W use BCM43438 to provide wireless capabilities) I asked myself immediately a question: http://www.cnx-software.com/2017/08/17/raspbian-for-raspberry-pi-boards-gets-upgraded-to-debian-stretch/#comment-545270

I booted my RPi 3, added the stretch repo, did an apt-update and checked (after updating the kernel):

    root@raspberrypi:~# apt list --upgradable
    Listing... Done
    device-tree-compiler/testing 1.4.4-1 armhf [upgradable from: 1.4.1-1+rpi1]
    dnsmasq/testing 2.76-5+rpi2 all [upgradable from: 2.76-5+rpi1]
    dnsmasq-base/testing 2.76-5+rpi2 armhf [upgradable from: 2.76-5+rpi1]
    libcairo2/testing 1.14.8-1+rpi1 armhf [upgradable from: 1.14.0-2.1+deb8u2+rpi1]
    libpam-modules/testing 1.1.8-3.6+rpi1 armhf [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
    libpam-modules-bin/testing 1.1.8-3.6+rpi1 armhf [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
    libpam-runtime/testing 1.1.8-3.6+rpi1 all [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
    libpam0g/testing 1.1.8-3.6+rpi1 armhf [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
    libraspberrypi-bin/testing 1.20170811-1 armhf [upgradable from: 1.20170703-1]
    libraspberrypi0/testing 1.20170811-1 armhf [upgradable from: 1.20170703-1]
    openmediavault/erasmus 3.0.87 all [upgradable from: 3.0.85]
    raspberrypi-bootloader/testing 1.20170811-1 armhf [upgradable from: 1.20170703-1]

If I understand correctly a BroadPwn fix has to be applied to firmware blobs.
Since the above is an Armbian userland combined with an RPi kernel I checked Raspbian's firmware package: https://pastebin.com/bMWqwxcy

So if the most common Wi-Fi chips on supported boards are affected (since AP6212 is just a BCM43438 A0 while AP6212A is an A1 BCM43438) we might want to provide an updated armbian-firmware package asapissimo, true?
tkaiser (Author) Posted August 17, 2017

1 hour ago, tkaiser said:
    Since the above is an Armbian userland combined with an RPi kernel I checked Raspbian's firmware package: https://pastebin.com/bMWqwxcy

Hmm... I don't really understand what's happening. On my Jessie OMV image above I installed the 'firmware-brcm80211' package (https://archive.raspberrypi.org/debian/ stretch/main firmware-brcm80211 all 1:20161130-3+rpi2). Now I booted the latest Raspbian Stretch minimal and checked again. It's there also, pool/main/f/firmware-nonfree/firmware-brcm80211_20161130-3+rpi2_all.deb: https://pastebin.com/N7WkB6yH

But on my Jessie/OMV image it's:

    -rw-r--r-- 1 root root 369577 Jan 15  2017 brcmfmac43430-sdio.bin
    -rw-r--r-- 1 root root   1108 Jan  3  2017 brcmfmac43430-sdio.txt
    9258986488eca9fe5343b0d6fe040f8e  brcmfmac43430-sdio.bin
    8c3cb6d8f0609b43f09d083b4006ec5a  brcmfmac43430-sdio.txt

While on the Raspbian/Stretch it looks like this:

    -rw-r--r-- 1 root root 372398 Aug  9 11:10 brcmfmac43430-sdio.bin
    -rw-r--r-- 1 root root   1014 Aug  9 11:10 brcmfmac43430-sdio.txt
    5f520a38ab4e943bfa1ba102f80fb2a0  brcmfmac43430-sdio.bin
    9a88b55134d9f8f3ad2331b93f4b7b79  brcmfmac43430-sdio.txt

Dmesg differences as follows:

OMV Jessie:
    brcmfmac: Firmware version = wl0: Aug 29 2016 20:48:16 version XXX.XXX.41.26 (r640327) FWID 01-4527cfab

Raspbian Stretch:
    brcmfmac: Firmware version = wl0: Aug 7 2017 00:46:29 version 7.45.41.46 (r666254 CY) FWID 01-f8a78378
tkaiser (Author) Posted August 29, 2017

Well, again talking to myself, I put the exchanged firmware files online: http://kaiser-edv.de/tmp/NumpU4/brcmfmac43430-sdio-broadpwn-fix.tar

Is anyone here with the following combination able to test whether exchanging this firmware file works or not?

- Board with AP6212 (not AP6212A as far as I understood)
- Mainline kernel and everything configured correctly to activate Wi-Fi
- Test with /lib/firmware/brcm/brcmfmac43430-sdio.bin as it's part of the armbian-firmware package and then with the one from the link above (collecting 'dmesg | grep brcm' of course)

No idea whether /lib/firmware/brcm/brcmfmac43430-sdio.txt must also be replaced...
Guest Posted September 2, 2017

The firmware from the Jessie/OMV image is apparently from the official Linux firmware repository, which has not been updated in quite a while: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/brcm

The firmware from Raspbian/Stretch has been updated specifically to fix Broadpwn:

Quote:
    firmware-nonfree (1:20161130-3+rpi2) stretch; urgency=medium

      * Bump epoch to prevent being replaced by raspbian.org
      * Update brcmfmac43430-sdio.txt and brcmfmac43430-sdio.bin
        - CVE-2017-9417: "Broadpwn" issue fix
        - Add "CY" string in the version string
        - AMPDU sequence number deadlock fix (potential fix for this issue)
        - CLM version upgrade
        - CVE-2017-0572: memory corruption fix

     -- Serge Schneider <serge@raspberrypi.org>  Wed, 09 Aug 2017 12:10:08 +0100

Running "strings" on the Raspbian brcmfmac43430-sdio.bin shows:

Quote:
    Version: 7.45.41.46 (r666254 CY)
    CRC: 970a33e2
    Date: Mon 2017-08-07 00:48:36 PDT
    Ucode Ver: 1043.206
    FWID 01-ef6eb4d3

Which interestingly does not exactly match your dmesg message. In any case, this is obviously the one we should use. If it works. Which I have no idea.
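As an added example (not code from the thread or from Armbian), the following small sh script turns the checks discussed in the posts above into something repeatable: it parses the firmware version out of a 'brcmfmac: Firmware version' dmesg line or the 'Version:' line from strings, and compares the on-disk brcmfmac43430-sdio.bin against the two md5sums quoted in the thread. The version string "7.45.41.46 (r666254 CY)", the "CY" tag, the md5sums and the /lib/firmware/brcm path come from the posts; the function names and the "fixed/old/other/unknown" labels are this example's own.

```shell
#!/bin/sh
# Added example: is the brcmfmac43430 firmware on this board the
# BroadPwn-fixed Raspbian build from the thread above?
# Values below are the ones quoted in the posts; everything else is constructed.

FIXED_VERSION="7.45.41.46"   # Raspbian firmware-nonfree 1:20161130-3+rpi2 build
FIXED_TAG="CY"               # Raspbian added "CY" to the version string
FIXED_BIN_MD5="5f520a38ab4e943bfa1ba102f80fb2a0"   # Raspbian/Stretch .bin
OLD_BIN_MD5="9258986488eca9fe5343b0d6fe040f8e"     # linux-firmware / Jessie .bin
FW_BIN="/lib/firmware/brcm/brcmfmac43430-sdio.bin"

# Extract "X.Y.Z.W (build)" from either a dmesg line
#   'brcmfmac: Firmware version = wl0: ... version 7.45.41.46 (r666254 CY) FWID ...'
# or a strings line 'Version: 7.45.41.46 (r666254 CY)'. Prints nothing if absent.
fw_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*[Vv]ersion:* \([^ ]*\) (\([^)]*\)).*/\1 (\2)/p'
}

# fixed   = matches the Raspbian build that lists the CVE-2017-9417 fix
# other   = some other build; compare against your vendor's changelog yourself
# unknown = no version string found (driver not loaded, or different chip)
classify_version() {
    case "$1" in
        "$FIXED_VERSION ("*"$FIXED_TAG)") echo fixed ;;
        "") echo unknown ;;
        *) echo other ;;
    esac
}

# Same idea for the .bin on disk, keyed on the md5sums from the thread.
classify_bin_md5() {
    case "$1" in
        "$FIXED_BIN_MD5") echo fixed ;;
        "$OLD_BIN_MD5") echo old ;;
        *) echo unknown ;;
    esac
}

bin_md5() { md5sum "$1" | cut -d' ' -f1; }

# Live check (needs dmesg access, usually root): running firmware + on-disk blob.
check_board() {
    line=$(dmesg 2>/dev/null | grep 'brcmfmac: Firmware version' | tail -n 1)
    echo "running: $(classify_version "$(fw_version_from_line "$line")")  [$line]"
    [ -r "$FW_BIN" ] && echo "on disk: $(classify_bin_md5 "$(bin_md5 "$FW_BIN")")  [$FW_BIN]"
}

if [ "${1:-}" = "check" ]; then check_board; fi
```

Run it as `sh check-brcmfmac.sh check` on the board; a "fixed" result for the blob but "other" for the running firmware means the new file is in place but the driver has not reloaded it yet (reboot, or unbind/rebind the SDIO device).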