Learn, hack!

URL

http://www.recon.cx/2013/slides/Recon2013-Omri%20Ildis%2c%20Yuval%20Ofir%20and%20Ruby%20Feinstein-Wardriving%20from%20your%20pocket.pdf

File name

Recon2013-Omri%20Ildis%2c%20Yuval%20Ofir%20and%20Ruby%20Feinstein-Wardriving%20from%20your%20pocket.pdf

File size

37.0 MB

MD5

aa2e846a2ef9e14c06127c3f3efcf489

SHA1

e3adbfa2196f3d23cb65fe0c5b6f2d0418f216e0

Until now WiFi pwnage wasn’t possible on most Android phones due to lack of support in the WiFi chipset. This is surprising, due to the fact that most android devices have a bcm43xx WiFi chipset. This talk will present our research on the bcm43xx chipsets and the custom tools we’ve developed, enabling the use of mobile phones as a platform for common WiFi pwnage tools. Unlike PCs which use SoftMac, embedded devices use FullMac meaning that the WiFi chip translates the 802.11 packets into ethernet packets. Crucial information is lost during the process, making WiFi pwnage impossible. Since this translation is done by the WiFi chipset, the only possible solution is to patch its firmware. One of the challenges was the fact that we only had part of the firmware and were missing the chip’s ROM. To overcome this, we exploited the firmware loading mechanism and extracted the ROM segment of the chip (the protected memory region). To optimize work­time we decided to implement a live debugging engine using Wireshark as a front­end client, producing custom output from any given function (e.g. stack­trace, return values and buffers). Using our debugging engine and a lot of reverse engineering we managed to enable both monitor mode as well as packet injection on any mobile device based on the Broadcomchipset (Galaxy S1/2/3, Nexus S, and many others). We will also demonstrate how to use the debugging engine to perform additional analysis and add additional features. Turning our phones into mobile pwning stations.