Extracting The WiFi Firmware And Putting Back A Keylogger

In the interest of simplification or abstraction, we like to think of the laptop on the kitchen table as a single discrete unit of processing. In fact, a surprisingly large number of small processors sit alongside the many cores that make up the main CPU. [8051enthusiast] dove into the Realtek rtl8821ae WiFi chip on his laptop and extracted the firmware. The Realtek rtl8821ae chip is a fairly standard Realtek chip, as seen in this unboxing (which is where the main image comes from).

True to his name, [8051enthusiast] was pleased to find that the rtl8821ae was clearly based on the Intel 8051. The firmware is read from a known file path on startup and loaded onto the chip sitting in an M.2 slot. After careful consideration, [8051enthusiast] reasoned that the firmware was using RTX51 Tiny, a small real-time kernel.

The firmware is loaded at 0x4000, but it calls code below that address, which means there is a mask ROM on the chip that contains some code. The easiest way to extract it would be to write some custom code that simply copies the mask ROM back to the main CPU via the shared memory-mapped config space, but the firmware is checksummed by the mask ROM code. However, the checksum is just a 16-bit XOR. With a tweak to the kernel to allow access to the shared config space from userspace, [8051enthusiast] was on his way to a complete firmware image.
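To make concrete what "just a 16-bit XOR" does and does not buy, here is an added example (not [8051enthusiast]'s code, and not the real rtl8821ae image or checksum routine). It assumes the checksum is the XOR of little-endian 16-bit words over the whole image; the article only says it is a 16-bit XOR. It shows that a single corrupted word is caught, while the same bit changed in two words cancels out and goes unseen, which is why such a checksum guards against accidental corruption but says nothing about whether the image is the vendor's. Pinning a cryptographic digest of the known-good file at that known path is what a defender should compare against instead.

```python
import hashlib
import struct

# Constructed 16-byte stand-in for a firmware image (not the real rtl8821ae blob).
FIRMWARE = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")


def xor16_checksum(data: bytes) -> int:
    """XOR every little-endian 16-bit word of `data` together.

    Word size, byte order and zero-padding of an odd tail are assumptions made
    for this example; the article only states that the check is a 16-bit XOR.
    """
    if len(data) % 2:
        data += b"\x00"
    acc = 0
    for (word,) in struct.iter_unpack("<H", data):
        acc ^= word
    return acc


def checksum_matches(data: bytes, expected: int) -> bool:
    """True when the image still carries the expected XOR value."""
    return xor16_checksum(data) == expected


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of `data` with one bit flipped (a corrupted or edited word)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    """Cryptographic digest of the image: what to pin for a known-good file."""
    return hashlib.sha256(data).hexdigest()


def single_flip_detected(data: bytes) -> bool:
    """A lone bit flip changes the XOR and is caught."""
    good = xor16_checksum(data)
    return not checksum_matches(flip_bit(data, 0, 0), good)


def paired_flip_detected(data: bytes) -> bool:
    """The same bit flipped in two different words cancels: the XOR cannot see it."""
    good = xor16_checksum(data)
    modified = flip_bit(flip_bit(data, 0, 0), 2, 0)
    return not checksum_matches(modified, good)


def paired_flip_caught_by_hash(data: bytes) -> bool:
    """The digest of the known-good image does catch the paired change."""
    modified = flip_bit(flip_bit(data, 0, 0), 2, 0)
    return sha256_hex(modified) != sha256_hex(data)


if __name__ == "__main__":
    print(f"checksum of constructed image: 0x{xor16_checksum(FIRMWARE):04x}")
    print("single flip detected by XOR:  ", single_flip_detected(FIRMWARE))
    print("paired flip detected by XOR:  ", paired_flip_detected(FIRMWARE))
    print("paired flip caught by SHA-256:", paired_flip_caught_by_hash(FIRMWARE))
```

The constructed image is small enough to check by hand: its eight words are 0x0201, 0x0403, ..., 0x100f, and XORing them gives 0x1000.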

Next, [8051enthusiast] looked at what could be done with his newfound hackability. The keyboard matrix is read by the Embedded Controller (EC), which happens to be another 8051-based microcontroller. There also happen to be RX and TX traces running from the EC to the M.2 slot (where the rtl8821ae sits); they exist so that port 0x80 POST codes from the processor can be routed out somewhere accessible via the EC. With a bit of custom code on both the EC and the WiFi chip, [8051enthusiast] had a keylogger that never runs on the main processor, broadcasting the PS/2 keystrokes as UDP packets.

Of course, there are plenty of other 8051-based devices out there just waiting to be discovered, like this 8051-based e-ink display controller.

[Main image source: Realtek RTL8821AE unboxing on YouTube by Евгений Горохов]

New Chip Alert: RTL8710, A Cheaper ESP8266 Competitor

Almost exactly two years ago, shocking news thundered across the electronics blogosphere. There was a new WiFi module on the block. It was called the ESP8266, a simple serial device capable of taking care of an 802.11 network and a WiFi stack, giving any project with a microcontroller access to the Internet. Earlier modules to connect microcontrollers were sufficient for the task, but nothing could beat the ESP8266 on price.

The RTL8710 dev kit

Now, there’s a new module that’s even cheaper and more powerful than the ESP8266, and just like all of our favorite parts from China, it inexplicably shows up on eBay and AliExpress before anywhere else. It’s the Realtek RTL8710, available on eBay, on AliExpress, and elsewhere around the web for about $1.50 per device. There’s also a dev kit for the device featuring breakouts, an additional microcontroller, and a few switches and buttons for about $15.

As you would expect, there is zero English-language data available about the RTL8710; everything is in Chinese. There is a forum of sorts going over this new chip, and the Google Translatrix is good enough to glean a little bit of info about it.

The RTL8710 features an ARM processor clocked at 166MHz. Stock, this module runs FreeRTOS. There’s 1MB of Flash, 48k of RAM available to the user, up to 21 GPIOs, 3 I2C, 4 PWM pins, and 2 PCM interfaces. This module also carries an FCC logo, but I can’t find anything on the FCC website about it.

If anything, the Realtek RTL8710 isn’t meant to be a competitor to the ESP8266. While extremely popular and still very useful, the ‘next gen’ ESP32 is due to be released in a month or so, and with the exception of Bluetooth on the ESP32, this Realtek module should match its capabilities quite well. Whether anyone can get an English datasheet is another matter, but if history is any indication a few English language RTL8710 forums will pop up a few hours after this is posted.

Thanks [sabas] for sending this in.

OS X Port Of Gqrx Is The Easiest Way To Get Into Software Defined Radio

Many have tried to put together an easy package for running software defined radio packages on the Mac. Not many have succeeded the way [Elias]’ port of the gqrx SDR package has. It’s simply the easiest way to get a software defined radio up and running on the Mac.

gqrx is a front end for the very popular GNU Radio software defined radio toolkit. Originally designed for the FUNcube SDR dongle, gqrx can also be made to work with one of the many, many USB TV tuners that have come out of China this past year for use as a software radio.

[Elias]’ port of gqrx isn’t the first app to put software defined radio on the Mac, but it certainly is the easiest. Simply by downloading [Elias]’ disk image, plugging in a TV tuner dongle, and starting the app, I was able to have a software radio receiver on my MacBook Air in less than a minute.

Everything required by GNU Radio and gqrx is already included, making this the easiest way to get SDR on a Mac. Very awesome work from [Elias], and we thank him.

Two Software Defined Radio Hacks From Our Resident SDR Guru

It seems [Balint] is becoming somewhat of an SDR guru around these parts; in the past few months, he’s gotten a USB TV tuner receiver working with GNU Radio, started a software defined radio tutorial YouTube channel, and even used this project to listen in on conversations between airplanes and air traffic control. This time, [Balint] is back, using this cheap USB TV tuner for radio direction finding and running HDSDR in Linux and OS X.

[Balint]’s radio direction finding presentation goes over traditional means of direction finding using the Doppler effect and mechanically rotated antennas. Because [Balint] is dealing with frequencies around 150MHz (about 2 meter wavelength), building a physical direction finding setup would require spinning an antenna at around 40,000 RPM, much too fast for any hardware build. [Balint]’s solution was to place 4 antennas around the circumference of a circle and electronically switch between them many thousands of times a second. [Balint] put up a wiki page going over all the theory and implementation details of his build.

[Balint] also wrote up a neat app to control software defined radios – including the Realtek TV dongle – over a network. Spread over a wide enough geographic area, it could become extremely easy for anyone to play air traffic controller. The BorIP Server can also be used to run HDSDR in Linux and OS X under Wine; just connect HDSDR to the network loopback on the same machine, and you get around Wine’s distaste for accessing hardware natively.

Awesome work, and we can’t wait to see what comes out of [Balint]’s laboratory next.

Edit: instead of the dongle, [Balint] is using a ‘real’ software radio board. A lot of people are messaging him asking if the same method of direction finding is possible with the dongle. Here’s what [Balint] has to say:

The trick, as I see it, would be to create some (more or less simple) additional hardware to take the clock signal straight off the dongle’s on-board oscillator and divide it down for use with the antenna switch, i.e. 28 MHz → tens of kHz (this is the bit that’s done in ‘software’ on the FPGA). One problem still remains however: the counter needs to remain calibrated against the known direction the antenna was pointing at the time – otherwise a stop/start of the data stream from the dongle will mean the direction will go out of sync by 90/180/270 degrees each stop/start. Perhaps someone will figure out an elegant solution for this slight hurdle!

So there you go. Up for a challenge?
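For readers who want to see the switched-antenna (pseudo-Doppler) idea from the direction finding write-up, and the sync problem [Balint] describes in his reply, worked through in numbers, here is an added example. It is not [Balint]’s code nor anything from his wiki page. It assumes a 150 MHz signal, four antennas 90 degrees apart on a circle of an assumed 0.25 m radius, and an idealised model in which each antenna simply sees the carrier phase advance of a plane wave arriving from the true bearing. Switching around the circle turns that phase pattern into one cycle of a tone per revolution, and correlating the samples with the known antenna positions recovers the bearing. The last function models what the reply warns about: if the stream stops and restarts with the switch counter no longer aligned to antenna 0, the estimate comes out exactly 90, 180 or 270 degrees off.

```python
import math

# Constructed scenario (not from the article or [Balint]'s write-up): a 150 MHz
# signal, four antennas spaced 90 degrees apart on a circle of assumed radius
# 0.25 m, switched in sequence so each phase sample comes from the next antenna.
FREQ_HZ = 150e6
SPEED_OF_LIGHT = 299_792_458.0
WAVELENGTH_M = SPEED_OF_LIGHT / FREQ_HZ        # about 2 m, as in the article
RADIUS_M = 0.25                                 # assumed array radius
N_ANTENNAS = 4


def antenna_angles(n=N_ANTENNAS):
    """Azimuth (radians) of each antenna around the circle, antenna 0 at 0 degrees."""
    return [2 * math.pi * i / n for i in range(n)]


def received_phases(bearing_deg, radius_m=RADIUS_M, wavelength_m=WAVELENGTH_M, n=N_ANTENNAS):
    """Carrier phase (radians) seen at each antenna for a plane wave from bearing_deg.

    The antenna closest to the source sees the wavefront earliest, so going once
    around the circle traces one cycle of a sinusoid: this is the tone at the
    switching rate that a pseudo-Doppler receiver demodulates.
    """
    k = 2 * math.pi / wavelength_m              # wavenumber
    theta = math.radians(bearing_deg)
    return [k * radius_m * math.cos(theta - phi) for phi in antenna_angles(n)]


def estimate_bearing(phases, n=N_ANTENNAS):
    """Recover the bearing (degrees, 0..360) by correlating the phase samples with
    the known antenna positions; the result is the phase of the switching tone."""
    angles = antenna_angles(n)
    s = sum(p * math.sin(a) for p, a in zip(phases, angles))
    c = sum(p * math.cos(a) for p, a in zip(phases, angles))
    return math.degrees(math.atan2(s, c)) % 360.0


def slipped_stream(phases, slip):
    """Model a stop/start of the data stream: the antenna switch counter advanced
    `slip` positions while the receiver still labels the first sample as antenna 0."""
    slip %= len(phases)
    return phases[slip:] + phases[:slip]


def bearing_error_after_slip(bearing_deg, slip):
    """Degrees (0..360) by which the estimate is wrong after the counter slips."""
    est = estimate_bearing(slipped_stream(received_phases(bearing_deg), slip))
    return (est - bearing_deg) % 360.0


if __name__ == "__main__":
    for true_bearing in (30, 135, 300):
        est = estimate_bearing(received_phases(true_bearing))
        print(f"true {true_bearing:3d} deg -> estimated {est:7.3f} deg")
    for slip in (1, 2, 3):
        print(f"counter slipped by {slip}: estimate off by "
              f"{bearing_error_after_slip(30, slip):.0f} deg")
```

With four antennas the correlation sums reduce to 2·k·r·sin(θ) and 2·k·r·cos(θ), so the estimate is exact in this noiseless model; a real receiver would average many switching cycles and also has to keep the switch counter and the sample stream aligned, which is the calibration [Balint] points out.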