Jakob Link, M.Sc.

Repurposing of wireless devices / Wireless security / Reverse engineering / Researcher

Contact Information

Jakob Link

Offered Theses Topics

  2024 In progress

Bringing Rust to Broadcom WiFi SoCs

In this thesis, we develop a minimal firmware that initializes the vital parts of Broadcom WiFi SoCs and provides an extensible base for future projects. We use the modern programming language Rust, which performs like C but is memory-safe by default, while still providing the low-level access required when designing such a system. Broadcom develops complex single-chip WiFi systems that can be found in millions of devices, such as recent smartphones and access points. These WiFi SoCs run equally complex firmware. This proprietary firmware is written in C and is only available as a binary blob. A framework originally developed at SEEMOO by M. Schulz (Nexmon: The C-based Firmware Patching Framework) simplifies modifying the firmware, but doing so correctly remains a heavy and error-prone task, mostly because the complex original firmware interferes with our modifications. In many cases we do not need most of the original firmware, and a minimal running system would benefit us, in particular by reducing interference with our additions. Besides coding in Rust, this work includes static and dynamic reverse engineering and analysis of code, drivers, and firmware. You should be confident reading C code and open to learning new skills. Experience with hardware-near programming / microcontrollers is beneficial.

  2024 In progress

Reversing Broadcom's WiFi CSI Monitor

Channel State Information (CSI) describes the amplitude and phase changes that the communication channel between two devices introduces. WiFi receivers estimate it by default to compensate for channel effects. Recent research shows that this metric can also be used for sensing, e.g. localization, fingerprinting, or motion detection. However, CSI is typically not available to applications on consumer devices. Broadcom entered the game by providing a CSI monitor with some of its latest WiFi SoCs, which can be found in numerous access points. But there is no public documentation of this feature's implementation or usage. In this thesis, we analyze Broadcom's proprietary CSI monitor feature by dynamically and statically reverse engineering userland, driver, and firmware binaries and compare the results with state-of-the-art CSI extractors. You should be confident with the programming language C and with digging into unknown territory.
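As an added illustration of what a CSI value is and why a receiver estimates it (example code written for this page, not code from Broadcom's CSI monitor or from any SEEMOO tool), the following self-contained Python models the OFDM channel estimation step: a known training symbol is sent through a constructed two-tap multipath channel, the per-subcarrier least-squares estimate H[m] = Y[m] / X[m] gives amplitude and phase, and the same estimate is then used to equalize a data symbol. The subcarrier count, channel taps, and training pattern are assumptions chosen for the toy, and no noise is modelled.

```python
"""Toy OFDM channel estimation: CSI (per-subcarrier amplitude/phase) from a
known training symbol, then equalization of a data symbol with it.
Constructed example; the parameters below are assumptions, not 802.11 values."""
import cmath
import math
import random

N_SUB = 16  # assumption: toy subcarrier count (802.11 uses 64, 128, 256, ...)


def dft(x):
    """Naive O(N^2) DFT so the example needs no numpy."""
    n = len(x)
    return [sum(x[k] * cmath.exp(-2j * math.pi * k * m / n) for k in range(n))
            for m in range(n)]


def idft(X):
    n = len(X)
    return [sum(X[m] * cmath.exp(2j * math.pi * k * m / n) for m in range(n)) / n
            for k in range(n)]


def bpsk_training():
    """Known +1/-1 training pattern per subcarrier (assumption: toy pattern,
    playing the role of an 802.11 long training field)."""
    return [1.0 if (m * 7) % 3 == 0 else -1.0 for m in range(N_SUB)]


def apply_channel(time_samples, taps):
    """Multipath channel as circular convolution with its impulse response
    (circular because we assume a cyclic prefix longer than the delay spread)."""
    n = len(time_samples)
    return [sum(h * time_samples[(k - d) % n] for d, h in enumerate(taps))
            for k in range(n)]


def true_response(taps):
    """Frequency response the estimator should recover: DFT of the taps."""
    return [sum(h * cmath.exp(-2j * math.pi * m * d / N_SUB) for d, h in enumerate(taps))
            for m in range(N_SUB)]


def estimate_csi(rx_freq, known_freq):
    """Least-squares per-subcarrier CSI estimate H[m] = Y[m] / X[m]."""
    return [y / x for y, x in zip(rx_freq, known_freq)]


def amplitude_phase(csi):
    """The two quantities a CSI extractor reports per subcarrier."""
    return [(abs(h), cmath.phase(h)) for h in csi]


def equalize(rx_freq, csi):
    """Undo the channel: zero-forcing equalization Y[m] / H[m]."""
    return [y / h for y, h in zip(rx_freq, csi)]


def bpsk_decide(freq_symbols):
    return [1.0 if z.real >= 0 else -1.0 for z in freq_symbols]


def run_demo(taps=(0.6, 0.9), data_bits=None):
    """Estimate CSI from the training symbol, then compare bit errors of a data
    symbol with and without equalization. Default taps: constructed two-path
    channel whose second path is stronger, so some subcarriers flip sign."""
    if data_bits is None:
        rng = random.Random(1)  # fixed seed: deterministic constructed payload
        data_bits = [rng.choice((1.0, -1.0)) for _ in range(N_SUB)]
    known = bpsk_training()

    # 1. Training symbol through the channel -> CSI estimate.
    rx_train = dft(apply_channel(idft(known), taps))
    csi = estimate_csi(rx_train, known)

    # 2. Data symbol through the same channel, decided raw and after equalization.
    rx_data = dft(apply_channel(idft(data_bits), taps))
    raw_errors = sum(1 for a, b in zip(bpsk_decide(rx_data), data_bits) if a != b)
    eq_errors = sum(1 for a, b in zip(bpsk_decide(equalize(rx_data, csi)), data_bits)
                    if a != b)
    return {
        "csi": csi,
        "amplitude_phase": amplitude_phase(csi),
        "raw_errors": raw_errors,
        "equalized_errors": eq_errors,
    }


if __name__ == "__main__":
    res = run_demo()
    for m, (amp, ph) in enumerate(res["amplitude_phase"]):
        print(f"subcarrier {m:2d}: |H| = {amp:.3f}  arg(H) = {ph:+.3f} rad")
    print("bit errors raw / equalized:", res["raw_errors"], "/", res["equalized_errors"])
```

The sensing use mentioned above rests on the same quantity: the amplitude and phase vector that `amplitude_phase` returns is what changes over time when a person moves in the channel, and a CSI extractor simply exposes that vector to userland instead of consuming it inside the equalizer.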

  2023 In progress

Functional Analysis of Broadcom WiFi SoC Scan Cores

Recent Broadcom WiFi 6E/7 BCM43XX SoCs feature a dedicated Scan Core. It can be found in several modern smartphones, among others the Samsung Galaxy S21 Ultra and S22 variants, Google Pixel 7 / 7 Pro, and Google Pixel 8 / 8 Pro. The Scan Core is advertised as a 2.4 GHz, 5 GHz, and 6 GHz channel performance enhancement, but its real technical properties are not publicly available. In this work, we perform an extensive analysis of the Scan Core's functionality inside and outside of its intended use. To this end, we use static and dynamic reverse engineering of the related software and hardware components. A detailed understanding of the Scan Core's internals and peripherals may provide a new platform for research applications on WiFi SoCs that run in parallel to default WiFi operation.

  2023 Completed (September 2023)

Limits of CSI-based keylogging on 10-digit number pads

...

  2022 Completed (August 2023)

SpyFi: Deep Learning for CSI-based Keylogging Side Channel Attacks

Spying on what is typed on a keyboard with Wi-Fi signals sounds scary but might not be as far from reality as suspected. Wi-Fi-enabled devices constantly measure the communication channel conditions, represented as Channel State Information (CSI). Finger and hand movements alter the wireless signal propagation characteristics and cause changes in the CSI over time. Prior work shows that it is possible to correlate the patterns in a CSI time series with the motion of keys pressed on a keyboard. This information leaking through Wi-Fi signal distortions can be exploited in a side-channel keylogging attack. Typing is a prevalent activity when working with computers on a regular basis. Considering that what we type reveals not only private messages like emails or notes but also highly sensitive data such as passwords or banking information, this is a frightening prospect. In this thesis, we practically explore the potential threat of CSI-based side-channel keylogging by implementing the conventional method found in related work and comparing it with deep learning-based approaches to infer keystrokes. Motivated by the fact that deep learning models promise less effort in pre-processing and feature extraction, we apply deep learning approaches to CSI-based keylogging for the first time and extend the knowledge about the applications of Deep Neural Networks (DNNs). We create a dataset of more than 24 hours of recording time with a controlled experimental setup to empirically evaluate the performance of the implemented keyloggers. Our results indicate the difficulties and limitations our keylogging models face, which renders keylogging attacks with Wi-Fi signals rather cumbersome for real-world attackers.

  2023 Available now

Reverse Engineering Broadcom's Vector Application-Specific Instruction-Set Processor (VASIP)

Selected Broadcom Wi-Fi SoCs feature a Vector Application-Specific Instruction-Set Processor (VASIP). A brief description of one of its application areas can be found in the following patent: Inter-radio communications for scheduling or allocating time-varying frequency resources. The processor might be used to mitigate interference, support MU-MIMO operation, or in general help with computationally complex tasks related to signal processing at the PHY layer. Understanding VASIP's functionality and capabilities, paired with its position near the radio front-end, can open up a new practical platform for researchers with a wide range of applications in the wireless field on real end-user devices. To gain more insight into this type of processor, we offer several thesis topics, ranging from analyzing its default functionality up to reverse engineering its instruction set. You should be comfortable with the C language, digging into the unknown, signal processing, and improving your skill set.

  2023 In progress

PicoWSDR: Low-cost Software-Defined Radio Receiver

Raspberry Pi's Pico W microcontroller board comes with a Broadcom / Infineon Wi-Fi SoC (CYW43439). The combination of the two offers the possibility to create a low-budget but powerful software-defined radio receiver. This work involves low-level programming, debugging, and reverse engineering. You should be familiar with, or ready to dive deep into, microcontroller programming, the programming language C, and firmware reverse engineering and patching. An understanding of radio frequency receiver architecture and signal processing is helpful.

  2022 Completed

Repurposing Wi-Fi Chips as Software-defined Radio Receivers

Broadcom FullMAC Wi-Fi chips offer the possibility to configure their internals such that IQ samples can be fetched at several stages of the RX chain. This opens up the opportunity to repurpose those Wi-Fi chips as software-defined receivers. As the firmware is proprietary and the configuration is non-trivial, reverse engineering of the underlying processes is required. In this thesis, we try to better understand the possible configuration options, tackle bottlenecks such as memory and bus bandwidth restrictions, and create a tool that abstracts the SDR RX feature for end-users. You should have experience with C and reverse engineering, and an interest in hardware features of RF receiver chains.

  2022 Completed

Reverse Engineering and Emulating Broadcom's WiFi Real-Time Core Peripherals

Broadcom/Cypress WiFi chips commonly contain a microprocessor, also called the D11 core, that handles all real-time 802.11 MAC tasks in the form of a programmable state machine (PSM). It is directly connected to the chip's PHY components as well as to its non-real-time parts. Successful attacks on the D11 core would therefore pose a high risk to the whole device, especially as the chip is constantly exposed over its wireless interface. Although the D11 core's architecture and instruction set are mostly proprietary, disassembling and assembling microcode (the D11's firmware) is possible thanks to previous reverse engineering efforts. This in turn allows analyzing, modifying, and on-chip debugging of microcode. However, the current processes are error-prone and time-consuming. To improve these tasks, a basic emulator that interprets the proprietary instruction set and performs the corresponding calculations and memory/register accesses was designed and implemented in prior work. But in order to properly run microcode on the emulator, several peripherals (e.g. timers, crypto engine, TX/RX engines, PHY interface, ...) that directly influence the PSM's control flow need to be emulated as well. In this thesis, we want to analyze the peripherals that are directly connected to the D11 core and add models of their behavior to the existing emulator. C and assembly skills are recommended, as well as experience with and/or interest in reverse engineering, IEEE 802.11 MAC, and low-level programming.

  2022 Completed

Emulating Broadcom's D11 Core

Cypress/Broadcom WiFi chips commonly contain a microprocessor, also called the D11 core, that handles all real-time 802.11 MAC tasks in the form of a programmable state machine. The D11 core's architecture and instruction set are proprietary. Reverse engineering efforts have already disclosed a sufficient subset of the instruction set to allow disassembling and assembling microcode (the firmware of the D11 core) for specific core revisions. Still, analyzing, modifying, and debugging microcode on-chip is error-prone and time-consuming. Emulating the D11 core can support such tasks. In this thesis, we want to gain more knowledge about the D11 core's functionality by further reverse engineering its internals, and implement an emulator that supports its instruction set and eases debugging of microcode.
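The two D11 topics above (the emulator itself, and the peripherals it needs) share one design question: how a core-only emulator is structured so that memory-mapped peripherals can be plugged in, and what happens to the PSM's control flow when one is missing. The following Python is an added example written for this page and is not the SEEMOO emulator or any Broadcom code. Its instruction set, register names, addresses (`TIMER_NOW`, `TX_START`, `TX_DONE`) and peripheral behavior are all hypothetical; only the pattern (core, bus dispatch, per-cycle ticking peripherals) is the point. The constructed microcode waits for a timer deadline, kicks a TX engine, and waits for its done flag. With both peripherals modelled it halts; with the timer or the TX engine missing it spins forever at the corresponding poll loop, which is exactly why the peripherals have to be emulated.

```python
"""Toy microcode emulator with pluggable memory-mapped peripherals.
Constructed example: the ISA, registers, addresses and peripherals are
hypothetical and NOT Broadcom's D11 instruction set or register map."""

TIMER_NOW = 0x100   # hypothetical: read-only free-running counter
TX_START = 0x104    # hypothetical: write 1 to start a transmission
TX_DONE = 0x108     # hypothetical: status flag set when the TX engine finishes


class Timer:
    """Free-running counter that advances once per emulated cycle."""
    def __init__(self):
        self.now = 0

    def handles(self, addr):
        return addr == TIMER_NOW

    def read(self, addr):
        return self.now

    def write(self, addr, value):
        pass  # read-only register

    def tick(self):
        self.now += 1


class TxEngine:
    """Starts on a write to TX_START and raises TX_DONE after a fixed latency."""
    def __init__(self, latency=4):
        self.latency = latency
        self.remaining = None
        self.done = 0

    def handles(self, addr):
        return addr in (TX_START, TX_DONE)

    def read(self, addr):
        return self.done if addr == TX_DONE else 0

    def write(self, addr, value):
        if addr == TX_START and value:
            self.remaining, self.done = self.latency, 0

    def tick(self):
        if self.remaining is not None:
            self.remaining -= 1
            if self.remaining == 0:
                self.remaining, self.done = None, 1


class Emulator:
    """Core: fetch/decode/execute of the toy ISA, plus a bus that routes
    loads and stores to peripherals or to plain RAM and ticks peripherals."""
    def __init__(self, program, peripherals):
        self.program = program
        self.peripherals = peripherals
        self.regs, self.ram = {}, {}
        self.pc, self.cycles = 0, 0

    def bus_read(self, addr):
        for p in self.peripherals:
            if p.handles(addr):
                return p.read(addr)
        return self.ram.get(addr, 0)  # unmodelled peripheral reads back as 0

    def bus_write(self, addr, value):
        for p in self.peripherals:
            if p.handles(addr):
                p.write(addr, value)
                return
        self.ram[addr] = value

    def step(self):
        op, *args = self.program[self.pc]
        self.pc += 1
        if op == "mov":                        # mov rd, imm
            self.regs[args[0]] = args[1]
        elif op == "ldr":                      # ldr rd, addr
            self.regs[args[0]] = self.bus_read(args[1])
        elif op == "str":                      # str rs, addr
            self.bus_write(args[1], self.regs[args[0]])
        elif op == "jlt":                      # jlt ra, rb, target: jump if ra < rb
            if self.regs[args[0]] < self.regs[args[1]]:
                self.pc = args[2]
        elif op == "jeq":                      # jeq ra, rb, target: jump if ra == rb
            if self.regs[args[0]] == self.regs[args[1]]:
                self.pc = args[2]
        elif op == "halt":
            return False
        else:
            raise ValueError(f"unknown opcode {op}")
        for p in self.peripherals:             # every peripheral sees each cycle
            p.tick()
        self.cycles += 1
        return True

    def run(self, max_cycles=1000):
        while self.cycles < max_cycles:
            if not self.step():
                return "halt"
        return "timeout"


# Constructed microcode: wait until timer >= 10, start TX, wait for TX_DONE.
PROGRAM = [
    ("mov", "r1", 10),          # 0: deadline
    ("mov", "r2", 1),           # 1: value written to TX_START
    ("mov", "r3", 0),           # 2: constant zero for the done-flag compare
    ("ldr", "r0", TIMER_NOW),   # 3: r0 = timer            <- needs Timer
    ("jlt", "r0", "r1", 3),     # 4: spin while timer < 10
    ("str", "r2", TX_START),    # 5: kick the TX engine
    ("ldr", "r0", TX_DONE),     # 6: r0 = done flag         <- needs TxEngine
    ("jeq", "r0", "r3", 6),     # 7: spin while not done
    ("halt",),                  # 8
]


def run_microcode(peripherals, max_cycles=1000):
    """Run PROGRAM against a given set of peripheral models; the final pc
    shows where the microcode got stuck if it did not halt."""
    emu = Emulator(PROGRAM, peripherals)
    status = emu.run(max_cycles)
    return {"status": status, "cycles": emu.cycles, "pc": emu.pc}


if __name__ == "__main__":
    print("timer + tx engine:", run_microcode([Timer(), TxEngine()]))
    print("timer only:       ", run_microcode([Timer()]))
    print("no peripherals:   ", run_microcode([]))
```

Reading the three runs side by side is the practical lesson: the core emulator is correct in all three, but the `pc` of the two hung runs points straight at the poll loop whose peripheral is not modelled, which is how one can triage which D11 peripheral a given piece of microcode depends on before reverse engineering it.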

Publications

Rolling the D11: An Emulation Game for the Whole BCM43 Family

Energy-efficient Broadcast Trees for Decentralized Data Dissemination in Wireless Networks

Energy-Efficient Decentralized Broadcasting in Wireless Multi-Hop Networks

Next2You: Robust Copresence Detection Based on Channel State Information

Towards an Automated Monitoring of RF Activity in Low-Power Wireless Testbeds

Cross-Technology Broadcast Communication between Off-The-Shelf Wi-Fi, BLE, and IEEE 802.15.4 Devices

Free Your CSI: A Channel State Information Extraction Platform For Modern Wi-Fi Chipsets

Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement Practical Covert Channels over Wi-Fi