No results match your search criteria.
Limits of CSI-based keylogging on 10-digit number pads
Deep Learning for CSI-based Keylogging Side Channel Attacks
Repurposing Wi-Fi Chips as Software-defined Radio Receivers
Broadcom FullMac Wi-Fi Chips offer the possibility to configure its internals such that IQ samples can be fetched at several stages in the RX chain. This opens up the opportunity to repurpose those Wi-Fi Chips as Software-defined Receivers. As the firmare is proprietary and the configuration is non-trivial, reverse engineering of the underlying processes are required. In this thesis, we try to better understand the possible configuration options, tackle bottlenecks like memory and bus bandwidth restrictions, and create a tool that abstracts the SDR RX feature to end-users.
You should have experience with C, Reverse Egineering and interest in hardware features of RF receiver chains.
Reverse Engineering and Emulating Broadcom's WiFi Real-Time Core Peripherals
Broadcom/Cypress WiFi chips commonly hold a microprocessor, also called D11 core, that handles all real-time related 802.11 MAC tasks in form of a programmable state machine (PSM). It is directly connected to the chip's PHY components as well as its non-real-time related parts. Successful attacks on the D11 core would therefore pose a high risk on the whole device. Especially, as the chip is constantly exposed over its wireless interface.
Although the D11 core's architecture and instruction set are mostly proprietary, disassembling and assembling of microcodes (D11's firmware) is possible due to previous reverse engineering efforts. This in turn allows analyzing, modifying and on-chip debugging of microcodes. However, the current related processes are error-prone and time consuming. To improve those tasks, a basic emulator that can interpret the proprietary instruction set and perform corresponding calculations and memory/register accesses was designed and implemented in prior work. But, in order to properly run microcodes on the emulator, several peripherals (e.g. timers, crypto engine, tx/rx engines, PHY interface, ...) that directly influence the PSM's flow need to be emulated additionally.
In this thesis, we want to analyze peripherals that are directly connected to the D11 core and simulate their behavior to the existing emulator.
C and Assembly skills are recommended, as well as experience and/or interest on reverse engineering, IEEE 802.11 MAC, and low-level programming.
Emulating Broadcom's D11 Core
Cypress/Broadcom WiFi chips commonly hold a microprocessor, also called D11 core, that handles all real-time related 802.11 MAC tasks in form of a programmable state machine. The D11 core's architecture and instruction set are proprietary. Reverse engineering efforts already disclosed a sufficient subset of the instruction set to allow disassembling and assembling of microcodes(firmware of the D11 core) for specific core revisions. Still, analyzing, modifying, and debugging microcodes on-chip is error-prone and time consuming. Emulating the D11 core can be used as support for such tasks. In this thesis, we want to gain more knowledge about the D11 core's functionalities by further reverse engineering its internals, and implement an emulator that supports its instruction set and eases debugging of microcodes.