Learn, hack!

URL

http://recon.cx/2013/video/Recon2013-Ruby%20feinstein%20Omri%20Ildis%20Yuval%20Ofir.mp4

File name

Recon2013-Ruby%20feinstein%20Omri%20Ildis%20Yuval%20Ofir.mp4

File size

269.2 MB

MD5

e558cd3d5908a6d47df978e6326ab4f9

SHA1

d6852992e54dcd75453e9ea7ec2bcee04cf7ad53

Until now WiFi pwnage wasn’t possible on most Android phones due to lack of support in the WiFi chipset. This is surprising, due to the fact that most android devices have a bcm43xx WiFi chipset. This talk will present our research on the bcm43xx chipsets and the custom tools we’ve developed, enabling the use of mobile phones as a platform for common WiFi pwnage tools. Unlike PCs which use SoftMac, embedded devices use FullMac meaning that the WiFi chip translates the 802.11 packets into ethernet packets. Crucial information is lost during the process, making WiFi pwnage impossible. Since this translation is done by the WiFi chipset, the only possible solution is to patch its firmware. One of the challenges was the fact that we only had part of the firmware and were missing the chip’s ROM. To overcome this, we exploited the firmware loading mechanism and extracted the ROM segment of the chip (the protected memory region). To optimize work­time we decided to implement a live debugging engine using Wireshark as a front­end client, producing custom output from any given function (e.g. stack­trace, return values and buffers). Using our debugging engine and a lot of reverse engineering we managed to enable both monitor mode as well as packet injection on any mobile device based on the Broadcomchipset (Galaxy S1/2/3, Nexus S, and many others). We will also demonstrate how to use the debugging engine to perform additional analysis and add additional features. Turning our phones into mobile pwning stations.