CalvinBackup/Insecure-By-Design
1
0
Fork 0
mirror of https://github.com/JGoyd/Insecure-By-Design.git synced 2026-02-12 22:02:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
Insecure-By-Design/Project Olympic/README.md
Joseph Goydish II 3bd5b9af96 Remove 'What This Analysis Does NOT Show' section 
Removed section detailing what the analysis does not show.
2025-12-27 14:55:39 -05:00

11 KiB
Raw Permalink Blame History

Project Olympic: BCM4388 Autonomous Operating System Analysis

Documentation of Chipset-Level RTOS and Host Visibility Limitations

Overview

This directory contains analysis of the Poppy_CLPC_OS autonomous operating system running on the Broadcom BCM4388 wireless chipset. The research documents how this dedicated Real-Time Operating System (RTOS) operates independently of the Host iOS/Android kernel, creating visibility and auditability gaps for Host security controls.

Key Finding: The BCM4388 runs a complete operating system (Poppy_CLPC_OS with Oly.Nash 1.70.2 calibration modules) that executes continuously—including during Host CPU sleep states—with direct memory access privileges and persistent storage that survives factory reset.

Files

Primary Artifacts

File Size MD5 Description
bluetoothd-hci-2025_01_02-12_47_38.pklg 1,729,081 bytes 3c32f6926fa043e57c76b585a02341d0 HCI packet log with runtime behavior

Analysis Documents

Document Focus
Technical Analysis.md Comprehensive security architecture analysis

The Poppy_CLPC_OS Environment

Identification

Firmware String Found in HCI Log:

BCM4388C0_22.2.507.1323_PCIE_Poppy_CLPC_OS_STATS_20241003.bin

Components:

  • BCM4388C0: Chipset model identifier
  • Poppy: Project codename
  • CLPC_OS: Closed-Loop Power Control Operating System
  • STATS: Telemetry collection enabled
  • Build Date: October 3, 2024

Architecture

Operating System Modules Identified:

Component Version Location Function
Poppy_CLPC_OS 22.2.507.1323 Firmware image Main RTOS for power and RF control
Oly.Nash 1.70.2 RAM offset 0x0032d6 CLM calibration module (NVRAM)
ClmImport 1.69.0 RAM offset 0x0032d6 Regulatory domain enforcement

Compilation Evidence:

"Oly.Nash............1.70.2...........ClmImport: 1.69.0.............v2 Final 231204"

Build date: December 4, 2023

Hardware Privileges

Direct Memory Access (DMA) Channels:

10 independent DMA channels mapped in RAM dump:

Channel Offset Descriptor Base Buffer Address
wl0:dma0 0x1a99c0 0x008f9b28 0x18031220
wl0:dma1 0x1e54d8 0x008f9b28 0x18031260
wl0:dma2 0x1be214 0x008f9b28 0x180312a0
... ... ... ...
wl0:dma9 0x1be44c 0x008f9b28 (varies)

DMA Capabilities:

  • Device-to-Host (D2H) memory writes confirmed via error strings
  • Host-to-Device (H2D) memory reads confirmed via error strings
  • Hardware-level access bypasses Host OS memory protection
  • Operates during Host CPU sleep states

Operational Characteristics

Autonomous Execution Evidence

From HCI Packet Log Analysis:

Metric Value Implication
AP Sleep/Wake cycles 599 Extensive autonomous operation periods
Packets in longest sleep 90 (67 commands + 23 data) Chipset processes traffic without Host oversight
Total HCI commands 87,654 Substantial autonomous decision-making
State machine error 1 ("state:10") Firmware encountered undefined state

Key Observation: During extended Host sleep (1,307-byte window), Poppy_CLPC_OS processed 90 packets completely independently—managing Bluetooth connections, memory allocation, and network decisions without Host OS involvement.

Power State Correlation

Critical State Warnings:

  • 79 total "2.4 GHz critical state" warnings observed
  • 29 warnings (36.7%) occurred within 500 bytes of AP Sleep events
  • Most common timing pattern: 89-byte distance (27.6% of correlations)

Interpretation: Power transitions create timing windows where Poppy_CLPC_OS state machines experience increased instability—consistent with complex asynchronous event handling during sleep/wake coordination.

Persistence

NVRAM-Backed Modules:

The Oly.Nash and ClmImport modules reside in non-volatile memory:

Sanitization Procedure iOS User Data iOS System Poppy_CLPC_OS Firmware Oly.Nash NVRAM
Erase All Content ✓ Deleted Preserved Preserved Preserved
DFU Restore ✓ Deleted ✓ Reinstalled Preserved Preserved
Factory Reset ✓ Deleted ✓ Reinstalled Preserved Preserved

Implication: The autonomous operating system and its calibration modules survive all standard Host OS reset procedures.

Security Architecture Implications

The Host OS Visibility Gap

What Host OS Can Monitor:

  • High-level WiFi/Bluetooth on/off state
  • Network traffic after encryption (application layer)
  • General power state transitions (sleep/wake)

What Host OS Cannot Monitor:

  • Poppy_CLPC_OS internal operations during Host sleep
  • Real-time DMA transactions (only IOMMU policy enforcement)
  • NVRAM module contents (Oly.Nash, ClmImport)
  • Chipset state machine transitions
  • Packet-level decisions during autonomous operation

Trust Boundary Analysis

Security Control Host OS Domain Poppy_CLPC_OS Domain
Execution Control Kernel enforces process isolation Operates independently with dedicated RTOS
Memory Access MMU enforces page tables DMA with IOMMU policy (hardware-enforced)
Persistence Factory reset clears all data NVRAM survives factory reset
Audit Logging Comprehensive syscall logs Limited HCI logs (post-hoc only)
Real-Time Monitoring Yes (when CPU active) No (especially during sleep)

Critical Finding: Poppy_CLPC_OS operates in a separate trust domain from the Host OS, with hardware-level privileges but limited real-time Host visibility.

Relationship to Main Repository

Main Repo (BCM4387c2): Universal Architecture

The parent repository documents features common across all wireless chipsets:

  • ThreadX RTOS presence
  • DMA operations (52 references)
  • Power state management
  • NVRAM calibration storage

This Study (BCM4388): Specific Implementation

Project "Poppy_CLPC_OS" extends the analysis with:

  • Named RTOS identification: Poppy_CLPC_OS (not generic ThreadX)
  • Versioned modules: Oly.Nash 1.70.2, ClmImport 1.69.0
  • Runtime behavior: 599 sleep cycles with autonomous packet processing
  • Timing patterns: 36.7% correlation, 89-byte event structure
  • Detailed DMA mapping: 10 channels with exact memory addresses

Bridge: Main repo shows what chipsets do architecturally. This study shows how Poppy_CLPC_OS implements that architecture with specific modules and runtime behavior.

Key Takeaways

Technical Reality

  1. Autonomous Operating System: BCM4388 runs Poppy_CLPC_OS—a complete RTOS managing power, RF, and network operations
  2. Hardware Privileges: 10 DMA channels provide direct memory access (IOMMU-constrained)
  3. Persistent Modules: Oly.Nash calibration in NVRAM survives factory reset
  4. Independent Operation: Processes 90 packets during Host sleep with zero Host oversight
  5. Timing Dependencies: 36.7% correlation between power transitions and critical warnings

Security Implications

If Poppy_CLPC_OS Firmware Were Compromised:

  • Would operate with DMA privileges during Host sleep states
  • Could persist through factory reset (NVRAM modules)
  • Would have limited Host OS visibility or detection
  • Could make autonomous network and memory decisions

Current Protections:

  • IOMMU enforces DMA access policies (hardware-level)
  • Firmware signing by Broadcom (update integrity)
  • Limited attack surface (no direct user input to chipset)

Gaps:

  • No real-time Host monitoring during chipset autonomous operation
  • No Host OS verification of NVRAM contents
  • Limited audit logging of chipset-level decisions
  • Factory reset does not clear chipset firmware/NVRAM

Context and Limitations

Why This Architecture Exists

Poppy_CLPC_OS autonomous operation is required for:

  • 802.11 Power Save Mode (maintain connectivity during Host sleep)
  • Real-time packet processing (multi-gigabit WiFi 6 performance)
  • Battery life optimization (Host CPU sleep while maintaining network)
  • Regulatory compliance (independent CLM enforcement)

What This Analysis DOES Show

✓ Detailed identification of autonomous OS (Poppy_CLPC_OS)
✓ Documentation of hardware privileges (10 DMA channels)
✓ Evidence of persistent modules (Oly.Nash NVRAM)
✓ Runtime behavior patterns (autonomous packet processing)
✓ Host OS visibility limitations (especially during sleep)

Verification

Quick Check Commands


md5sum bluetoothd-hci-2025_01_02-12_47_38.pklg
# Expected: 3c32f6926fa043e57c76b585a02341d0

# Extract Poppy_CLPC_OS reference
strings bluetoothd-hci-2025_01_02-12_47_38.pklg | grep Poppy_CLPC_OS
# Output: BCM4388C0_22.2.507.1323_PCIE_Poppy_CLPC_OS_STATS_20241003.bin

# Count DMA channels
strings SoC_RAM.bin | grep "wl0:dma" | sort
# Output: wl0:dma0 through wl0:dma9

Analysis Script Usage

See detailed analysis documents for:

  • Python scripts for DMA channel extraction
  • HCI log parsing for power state correlation
  • Statistical analysis of timing patterns
  • Binary offset verification

Recommendations

For Security Practitioners

  • Threat Modeling: Include Poppy_CLPC_OS autonomous operation in device threat models
  • IOMMU Verification: Ensure DMA protections properly configured on platforms
  • Persistent Firmware: Consider chipset firmware in device sanitization procedures
  • Visibility Gaps: Acknowledge limited monitoring during Host sleep states

For Researchers

  • Comparative Analysis: Examine RTOS implementations in Qualcomm/Intel/MediaTek chipsets
  • Dynamic Analysis: Instrument DMA transactions during power transitions
  • NVRAM Study: Investigate Oly.Nash module integrity verification
  • Timing Analysis: Further study of 89-byte event structure pattern

For Industry

  • Firmware Transparency: Disclose autonomous OS capabilities (e.g., Poppy_CLPC_OS)
  • Attestation: Standardize firmware integrity verification mechanisms
  • Audit Logging: Enhance real-time visibility into chipset operations
  • User Controls: Provide mechanisms to audit NVRAM-backed modules

Attribution

Analysis Date: December 2025
Researcher: Joseph Goydish II
Primary Finding: Identification and characterization of Poppy_CLPC_OS autonomous operating system in BCM4388

Citation

Goydish II, J. (2025). Poppy_CLPC_OS: BCM4388 Autonomous Operating System Analysis.
Documentation of Chipset-Level RTOS and Host Visibility Limitations.

License

Analysis & Documentation: Public benefit, freely shareable with attribution

This research documents architectural characteristics of commercial chipset firmware for educational and security research purposes.

Reference in New Issue View Git Blame Copy Permalink