ESP32’s Freedom Output Lets You Do Anything

April 24, 2017 by Elliot Williams 39 Comments

The ESP32 is Espressif’s new wonder-chip, and one of the most interesting aspects of its development has been the almost entirely open-source development strategy that they’re taking. But the “almost” in almost entirely open is important — there are still some binary blobs in the system, and some of them are exactly where a hacker wouldn’t want them to be. Case in point: the low-level WiFi firmware.

So that’s where [Jeija]’s reverse engineering work steps in. He’s managed to decode enough of a function called ieee80211_freedom_output to craft and send apparently arbitrary WiFi data and management frames, and to monitor them as well.

This ability is insanely useful for a WiFi device. With low-level access like this, one can implement custom protocols for mesh networking, low-bandwidth data transfers, or remove the requirement for handshaking entirely. One can also spam a system with so many fake SSIDs that it crashes, deauth everyone, or generally cause mayhem. Snoop on your neighbors, or build something new and cool: with great power comes great responsibility.

Anyway, we reported on [Jeija]’s long distance hack and the post may have read like it was all about the antenna, but that vastly underestimates the role played by this firmware reverse-engineering hack. Indeed, we’re so stoked about the hack that we thought it was worth reiterating: the ESP32 is now a WiFi hacker’s dream.

Nexmon Turns Nexus 5 (and RPi3!) Into WiFi Toolkit

September 8, 2016 by Elliot Williams 22 Comments

Back in the day, when wardriving was still useful (read: before WPA2 was widespread), we used to wander around with a Zaurus in our pocket running Kismet. Today, every cellphone has WiFi and a significantly more powerful processor inside. But alas, the firmware is locked down.

Enter the NexMon project. If you’ve got a Nexus 5 phone with the Broadcom BCM4339 WiFi chipset, you’ve now got a monitor-mode, packet-injecting workhorse in your pocket, and it looks a lot less creepy than that old Zaurus. But more to the point, NexMon is open. If you’d like to get inside what it took to reverse-engineer a hole into the phone’s WiFi, or make your own patches, here’s a great starting place.

But wait, there’s more! The recently released Raspberry Pi 3 has a similar Broadcom WiFi chipset, and has been given the same treatment, turning your RPi 3 into a wireless-sniffing powerhouse. How many Raspberry Pi “hacks” actually hack the Raspberry Pi? Well, here’s one.

We first learned of this project from a talk given at the MetaRhein-Main Chaos Days conference which took place last weekend. The NexMon talk (in German, but with slides in English) is just one of the many talks, all of which are available online.

The NexMon project is a standout, however. Not only do they reverse the WiFi firmware in the Nexus 5, but they show you how, and then apply the same methods to the RPi3. Kudos times three to [Matthias Schulz], [Daniel Wegemer], and [Matthias Hollick]!

Wifibroadcast Makes WiFi FPV Video More Like Analog

June 13, 2015 by Elliot Williams 23 Comments

Normal WiFi is not what you want to send video from your quadcopter back to the first-person-view (FPV) goggles strapped on your head, because it’s designed for 100% correct, two-way transmission of data between just two radios. Transmission of analog video signals, on the other hand, is lossy, one-way, and one-to-many, which is why the longer-range FPV flights all tend to use old-school analog video transmission.

When you’re near the edge of your radios’ range, you care much more about getting any image in a timely fashion than about getting the entire video sequence correctly after a delay. While WiFi is retransmitting packets and your video is buffering, your quadcopter is crashing, and you don’t need every video frame to be perfect in order to get an idea of how to save it. And finally, it’s just a lot easier to optimize both ends of a one-way transmission system than it is to build antennas that must receive and transmit symmetrically.

And that’s why [Befinitiv] wrote wifibroadcast: to give his WiFi FPV video system some of the virtues of analog broadcast.

Continue reading “Wifibroadcast Makes WiFi FPV Video More Like Analog” →

Android Hack: Cracking WiFi Passwords With Your Phone

September 18, 2012 by Brian Benchoff 61 Comments

The WiFi adapter in your laptop has a special mode – monitor mode – that can be used to listen in on WiFi traffic and, with a little patience, can be used to crack a WEP password. Surprisingly, this monitor mode can’t be found on any Android device due in part to the limitations of the hardware. A group of three researchers, [Ruby], [Yuval], and [Omri], decided to spend their vacation adding monitor mode to their Android smartphones, allowing for a much more portable version of WiFi pwnage tools.

The phones used by the researchers – the Nexus One and Galaxy S II – used Broadcom chipsets that didn’t support monitor mode. To get around this limitation and allow the OS to see full 802.11 frames the team needed to reverse engineer the firmware of this Broadcom radio chip.

The team has released a firmware update for the bcm4329 and bcm4330 chipsets found in the Nexus One and Galaxy S II. The update may work for other phones with the same chipset, but don’t take our word on that.

There’s still a lot of work [Ruby], [Yuval], and [Omri] need to do. They’d like to add packet injection to their firmware hack, and of course create an APK to get this into the wild more easily.

If you have experience with kernel development and would like to help out, send the team an email. The source can be found at google code if you’d like to play around with it.