Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high quality, updated daily, avoiding low-value security documents. Spreading hacking knowledge, for free, enjoy.

Wardriving from your pocket

reverse engineering
Omri Ildis, Ruby Feinstein
REcon 2013
Indexed on: Sep 18, 2014
File name:
File size: 37.0 MB

Until now WiFi pwnage wasn't possible on most Android phones due to lack of support in the WiFi chipset. This is surprising, given that most Android devices have a bcm43xx WiFi chipset. This talk will present our research on the bcm43xx chipsets and the custom tools we've developed, enabling the use of mobile phones as a platform for common WiFi pwnage tools. Unlike PCs, which use SoftMAC, embedded devices use FullMAC, meaning that the WiFi chip translates the 802.11 packets into Ethernet packets. Crucial information is lost during the process, making WiFi pwnage impossible. Since this translation is done by the WiFi chipset, the only possible solution is to patch its firmware. One of the challenges was the fact that we only had part of the firmware and were missing the chip's ROM. To overcome this, we exploited the firmware loading mechanism and extracted the ROM segment of the chip (the protected memory region). To optimize work time we decided to implement a live debugging engine using Wireshark as a front-end client, producing custom output from any given function (e.g. stack trace, return values and buffers). Using our debugging engine and a lot of reverse engineering we managed to enable both monitor mode and packet injection on any mobile device based on the Broadcom chipset (Galaxy S1/2/3, Nexus S, and many others). We will also demonstrate how to use the debugging engine to perform additional analysis and add further features, turning our phones into mobile pwning stations.

About us

Secdocs is a project aimed at indexing high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and the web in general.

Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.


To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.