Jakob Link, M.Sc.

Repurposing of wireless devices / Wireless security / Firmware reverse-engineering / Researcher

Contact Information

Jakob Link

Offered Theses Topics

No results match your search criteria.

  2022 In progress

Repurposing Wi-Fi Chips as Software-defined Radio Receivers

Broadcom FullMac Wi-Fi Chips offer the possibility to configure its internals such that IQ samples can be fetched at several stages in the RX chain. This opens up the opportunity to repurpose those Wi-Fi Chips as Software-defined Receivers. As the firmare is proprietary and the configuration is non-trivial, reverse engineering of the underlying processes are required. In this thesis, we try to better understand the possible configuration options, tackle bottlenecks like memory and bus bandwidth restrictions, and create a tool that abstracts the SDR RX feature to end-users. You should have experience with C, Reverse Egineering and interest in hardware features of RF receiver chains.

  2022 In progress

Reverse Engineering and Emulating Broadcom’s WiFi Real-Time Core Peripherals

Broadcom/Cypress WiFi chips commonly hold a microprocessor, also called D11 core, that handles all real-time related 802.11 MAC tasks in form of a programmable state machine (PSM). It is directly connected to the chip’s PHY components as well as its non-real-time related parts. Successful attacks on the D11 core would therefore pose a high risk on the whole device. Especially, as the chip is constantly exposed over its wireless interface. Although the D11 core’s architecture and instruction set are mostly proprietary, disassembling and assembling of microcodes (D11’s firmware) is possible due to previous reverse engineering efforts. This in turn allows analyzing, modifying and on-chip debugging of microcodes. However, the current related processes are error-prone and time consuming. To improve those tasks, a basic emulator that can interpret the proprietary instruction set and perform corresponding calculations and memory/register accesses was designed and implemented in prior work. But, in order to properly run microcodes on the emulator, several peripherals (e.g. timers, crypto engine, tx/rx engines, PHY interface, …) that directly influence the PSM’s flow need to be emulated additionally. In this thesis, we want to analyze peripherals that are directly connected to the D11 core and simulate their behavior to the existing emulator. C and Assembly skills are recommended, as well as experience and/or interest on reverse engineering, IEEE 802.11 MAC, and low-level programming.

  2022 Completed

Emulating Broadcom’s D11 Core

Cypress/Broadcom WiFi chips commonly hold a microprocessor, also called D11 core, that handles all real-time related 802.11 MAC tasks in form of a programmable state machine. The D11 core’s architecture and instruction set are proprietary. Reverse engineering efforts already disclosed a sufficient subset of the instruction set to allow disassembling and assembling of microcodes(firmware of the D11 core) for specific core revisions. Still, analyzing, modifying, and debugging microcodes on-chip is error-prone and time consuming. Emulating the D11 core can be used as support for such tasks. In this thesis, we want to gain more knowledge about the D11 core’s functionalities by further reverse engineering its internals, and implement an emulator that supports its instruction set and eases debugging of microcodes.

Publications

No results match your search criteria.

Next2You: Robust Copresence Detection Based on Channel State Information

Towards an Automated Monitoring of RF Activity in Low-Power Wireless Testbeds

Cross-Technology Broadcast Communication between Off-The-Shelf Wi-Fi, BLE, and IEEE 802.15.4 Devices

Free Your CSI: A Channel State Information Extraction Platform For Modern Wi-Fi Chipsets

Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement Practical Covert Channels over Wi-Fi