CalvinBackup/Insecure-By-Design
1
0
Fork 0
mirror of https://github.com/JGoyd/Insecure-By-Design.git synced 2026-06-07 00:13:56 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update and rename README to README.md

Browse Source
This commit is contained in:
Joseph Goydish II
2025-12-27 11:51:23 -05:00
committed by GitHub
parent 26d1c215c6
commit 4eda198687
2 changed files with 307 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Project Olympic/README
-1
View File
@@ -1 +0,0 @@
Project Olympic/README.md
+307
View File
@@ -0,0 +1,307 @@
# Project Olympic: BCM4388 Autonomous Operating System Analysis
## Documentation of Chipset-Level RTOS and Host Visibility Limitations
---
## Overview
This directory contains analysis of the **Poppy_CLPC_OS** autonomous operating system running on the Broadcom BCM4388 wireless chipset. The research documents how this dedicated Real-Time Operating System (RTOS) operates independently of the Host iOS/Android kernel, creating visibility and auditability gaps for Host security controls.
**Key Finding:** The BCM4388 runs a complete operating system (Poppy_CLPC_OS with Oly.Nash 1.70.2 calibration modules) that executes continuously—including during Host CPU sleep states—with direct memory access privileges and persistent storage that survives factory reset.
---
## Files
### Primary Artifacts
| File | Size | MD5 | Description |
|------|------|-----|-------------|
| **bluetoothd-hci-2025_01_02-12_47_38.pklg** | 1,729,081 bytes | `3c32f6926fa043e57c76b585a02341d0` | HCI packet log with runtime behavior |
### Analysis Documents
| Document | Focus |
|----------|-------|
| **Technical Analysis.md** | Comprehensive security architecture analysis |
---
## The Poppy_CLPC_OS Environment
### Identification
**Firmware String Found in HCI Log:**
```
BCM4388C0_22.2.507.1323_PCIE_Poppy_CLPC_OS_STATS_20241003.bin
```
**Components:**
- **BCM4388C0:** Chipset model identifier
- **Poppy:** Project codename
- **CLPC_OS:** Closed-Loop Power Control Operating System
- **STATS:** Telemetry collection enabled
- **Build Date:** October 3, 2024
### Architecture
**Operating System Modules Identified:**
| Component | Version | Location | Function |
|-----------|---------|----------|----------|
| **Poppy_CLPC_OS** | 22.2.507.1323 | Firmware image | Main RTOS for power and RF control |
| **Oly.Nash** | 1.70.2 | RAM offset 0x0032d6 | CLM calibration module (NVRAM) |
| **ClmImport** | 1.69.0 | RAM offset 0x0032d6 | Regulatory domain enforcement |
**Compilation Evidence:**
```
"Oly.Nash............1.70.2...........ClmImport: 1.69.0.............v2 Final 231204"
```
Build date: December 4, 2023
### Hardware Privileges
**Direct Memory Access (DMA) Channels:**
10 independent DMA channels mapped in RAM dump:
| Channel | Offset | Descriptor Base | Buffer Address |
|---------|--------|----------------|----------------|
| wl0:dma0 | 0x1a99c0 | 0x008f9b28 | 0x18031220 |
| wl0:dma1 | 0x1e54d8 | 0x008f9b28 | 0x18031260 |
| wl0:dma2 | 0x1be214 | 0x008f9b28 | 0x180312a0 |
| ... | ... | ... | ... |
| wl0:dma9 | 0x1be44c | 0x008f9b28 | (varies) |
**DMA Capabilities:**
- Device-to-Host (D2H) memory writes confirmed via error strings
- Host-to-Device (H2D) memory reads confirmed via error strings
- Hardware-level access bypasses Host OS memory protection
- Operates during Host CPU sleep states
---
## Operational Characteristics
### Autonomous Execution Evidence
**From HCI Packet Log Analysis:**
| Metric | Value | Implication |
|--------|-------|-------------|
| AP Sleep/Wake cycles | 599 | Extensive autonomous operation periods |
| Packets in longest sleep | 90 (67 commands + 23 data) | Chipset processes traffic without Host oversight |
| Total HCI commands | 87,654 | Substantial autonomous decision-making |
| State machine error | 1 ("state:10") | Firmware encountered undefined state |
**Key Observation:** During extended Host sleep (1,307-byte window), Poppy_CLPC_OS processed 90 packets completely independently—managing Bluetooth connections, memory allocation, and network decisions without Host OS involvement.
### Power State Correlation
**Critical State Warnings:**
- 79 total "2.4 GHz critical state" warnings observed
- 29 warnings (36.7%) occurred within 500 bytes of AP Sleep events
- Most common timing pattern: 89-byte distance (27.6% of correlations)
**Interpretation:** Power transitions create timing windows where Poppy_CLPC_OS state machines experience increased instability—consistent with complex asynchronous event handling during sleep/wake coordination.
### Persistence
**NVRAM-Backed Modules:**
The Oly.Nash and ClmImport modules reside in non-volatile memory:
| Sanitization Procedure | iOS User Data | iOS System | Poppy_CLPC_OS Firmware | Oly.Nash NVRAM |
|----------------------|---------------|------------|----------------------|---------------|
| Erase All Content | ✓ Deleted | Preserved | **Preserved** | **Preserved** |
| DFU Restore | ✓ Deleted | ✓ Reinstalled | **Preserved** | **Preserved** |
| Factory Reset | ✓ Deleted | ✓ Reinstalled | **Preserved** | **Preserved** |
**Implication:** The autonomous operating system and its calibration modules survive all standard Host OS reset procedures.
---
## Security Architecture Implications
### The Host OS Visibility Gap
**What Host OS Can Monitor:**
- High-level WiFi/Bluetooth on/off state
- Network traffic after encryption (application layer)
- General power state transitions (sleep/wake)
**What Host OS Cannot Monitor:**
- Poppy_CLPC_OS internal operations during Host sleep
- Real-time DMA transactions (only IOMMU policy enforcement)
- NVRAM module contents (Oly.Nash, ClmImport)
- Chipset state machine transitions
- Packet-level decisions during autonomous operation
### Trust Boundary Analysis
| Security Control | Host OS Domain | Poppy_CLPC_OS Domain |
|-----------------|---------------|---------------------|
| **Execution Control** | Kernel enforces process isolation | Operates independently with dedicated RTOS |
| **Memory Access** | MMU enforces page tables | DMA with IOMMU policy (hardware-enforced) |
| **Persistence** | Factory reset clears all data | NVRAM survives factory reset |
| **Audit Logging** | Comprehensive syscall logs | Limited HCI logs (post-hoc only) |
| **Real-Time Monitoring** | Yes (when CPU active) | No (especially during sleep) |
**Critical Finding:** Poppy_CLPC_OS operates in a separate trust domain from the Host OS, with hardware-level privileges but limited real-time Host visibility.
---
## Relationship to Main Repository
### Main Repo (BCM4387c2): Universal Architecture
The parent repository documents features **common across all wireless chipsets**:
- ThreadX RTOS presence
- DMA operations (52 references)
- Power state management
- NVRAM calibration storage
### This Study (BCM4388): Specific Implementation
Project "Poppy_CLPC_OS" extends the analysis with:
- **Named RTOS identification:** Poppy_CLPC_OS (not generic ThreadX)
- **Versioned modules:** Oly.Nash 1.70.2, ClmImport 1.69.0
- **Runtime behavior:** 599 sleep cycles with autonomous packet processing
- **Timing patterns:** 36.7% correlation, 89-byte event structure
- **Detailed DMA mapping:** 10 channels with exact memory addresses
**Bridge:** Main repo shows **what** chipsets do architecturally. This study shows **how** Poppy_CLPC_OS implements that architecture with specific modules and runtime behavior.
---
## Key Takeaways
### Technical Reality
1. **Autonomous Operating System:** BCM4388 runs Poppy_CLPC_OS—a complete RTOS managing power, RF, and network operations
2. **Hardware Privileges:** 10 DMA channels provide direct memory access (IOMMU-constrained)
3. **Persistent Modules:** Oly.Nash calibration in NVRAM survives factory reset
4. **Independent Operation:** Processes 90 packets during Host sleep with zero Host oversight
5. **Timing Dependencies:** 36.7% correlation between power transitions and critical warnings
### Security Implications
**If Poppy_CLPC_OS Firmware Were Compromised:**
- Would operate with DMA privileges during Host sleep states
- Could persist through factory reset (NVRAM modules)
- Would have limited Host OS visibility or detection
- Could make autonomous network and memory decisions
**Current Protections:**
- IOMMU enforces DMA access policies (hardware-level)
- Firmware signing by Broadcom (update integrity)
- Limited attack surface (no direct user input to chipset)
**Gaps:**
- No real-time Host monitoring during chipset autonomous operation
- No Host OS verification of NVRAM contents
- Limited audit logging of chipset-level decisions
- Factory reset does not clear chipset firmware/NVRAM
---
## Context and Limitations
### Why This Architecture Exists
Poppy_CLPC_OS autonomous operation is **required for:**
- 802.11 Power Save Mode (maintain connectivity during Host sleep)
- Real-time packet processing (multi-gigabit WiFi 6 performance)
- Battery life optimization (Host CPU sleep while maintaining network)
- Regulatory compliance (independent CLM enforcement)
### What This Analysis Does NOT Show
✗ Evidence of active exploitation or surveillance
✗ Intentional backdoors in Poppy_CLPC_OS
✗ Vulnerabilities unique to Broadcom (similar RTOS in all vendors)
✗ Methods to bypass IOMMU or compromise firmware
✗ Proof-of-concept attacks against this architecture
### What This Analysis DOES Show
✓ Detailed identification of autonomous OS (Poppy_CLPC_OS)
✓ Documentation of hardware privileges (10 DMA channels)
✓ Evidence of persistent modules (Oly.Nash NVRAM)
✓ Runtime behavior patterns (autonomous packet processing)
✓ Host OS visibility limitations (especially during sleep)
---
## Verification
### Quick Check Commands
```bash
md5sum bluetoothd-hci-2025_01_02-12_47_38.pklg
# Expected: 3c32f6926fa043e57c76b585a02341d0
# Extract Poppy_CLPC_OS reference
strings bluetoothd-hci-2025_01_02-12_47_38.pklg | grep Poppy_CLPC_OS
# Output: BCM4388C0_22.2.507.1323_PCIE_Poppy_CLPC_OS_STATS_20241003.bin
# Count DMA channels
strings SoC_RAM.bin | grep "wl0:dma" | sort
# Output: wl0:dma0 through wl0:dma9
```
### Analysis Script Usage
See detailed analysis documents for:
- Python scripts for DMA channel extraction
- HCI log parsing for power state correlation
- Statistical analysis of timing patterns
- Binary offset verification
---
## Recommendations
### For Security Practitioners
- **Threat Modeling:** Include Poppy_CLPC_OS autonomous operation in device threat models
- **IOMMU Verification:** Ensure DMA protections properly configured on platforms
- **Persistent Firmware:** Consider chipset firmware in device sanitization procedures
- **Visibility Gaps:** Acknowledge limited monitoring during Host sleep states
### For Researchers
- **Comparative Analysis:** Examine RTOS implementations in Qualcomm/Intel/MediaTek chipsets
- **Dynamic Analysis:** Instrument DMA transactions during power transitions
- **NVRAM Study:** Investigate Oly.Nash module integrity verification
- **Timing Analysis:** Further study of 89-byte event structure pattern
### For Industry
- **Firmware Transparency:** Disclose autonomous OS capabilities (e.g., Poppy_CLPC_OS)
- **Attestation:** Standardize firmware integrity verification mechanisms
- **Audit Logging:** Enhance real-time visibility into chipset operations
- **User Controls:** Provide mechanisms to audit NVRAM-backed modules
---
## Attribution
**Analysis Date:** December 2025
**Researcher:** Joseph Goydish II
**Primary Finding:** Identification and characterization of Poppy_CLPC_OS autonomous operating system in BCM4388
### Citation
```
Goydish II, J. (2025). Poppy_CLPC_OS: BCM4388 Autonomous Operating System Analysis.
Documentation of Chipset-Level RTOS and Host Visibility Limitations.
```
---
## License
**Analysis & Documentation:** Public benefit, freely shareable with attribution
This research documents architectural characteristics of commercial chipset firmware for educational and security research purposes.