No results match your search criteria.
2023
Available now
Reversing Broadcom's WiFi CSI Monitor
Supervisor:
Jakob Link
Channel State Information (CSI) is a metric describing amplitude and phase changes introduced by the communication channel between two devices. It is estimated for WiFi communication by default to compensate channel effects. Recent research shows that this metric can be used for sensing, e.g. localization, fingerprinting, or motion detection. However, CSI is typically not available to applications on consumer devices.
Broadcom entered the game by providing a CSI monitor with some of its latest WiFi SoCs. These chips can be found on a number of Access Points. But, there is no public documentation of this feature's implementation nor usage.
In this thesis, we analyze Broadcom's proprietary CSI monitor feature by dynamically and statically reverse engineering userland, driver, and firmware binaries and compare the results with state-of-the-art CSI extractors.
You should be confident with the programming language C and with digging into unknown territories.
2023
In progress
Functional Analysis of Broadcom WiFi SoC Scan Cores
Supervisor:
Jakob Link
Recent Broadcom WiFi 6E/7 BCM43XX SoCs feature a dedicated Scan Core. It can be found on several modern smartphones, i.a. Samsung Galaxy S21 Ultra, S22 variations, Google Pixel 7 / 7 Pro, and Google Pixel 8 / 8 Pro. The Scan Core is advertised as a 2.4 GHz, 5 GHz, and 6 GHz channel performance enhancement, but the real technical properties are not publicly available. In this work, we perform an extensive analysis of the Scan Core's functionalities in- and outside of its intended use. Therefore, we make use of static and dynamic reverse engineering of related soft- and hardware components. A detailed understanding of the Scan Core's internals and peripherals possibly provides a new platform for research applications on WiFi SoCs that can run in parallel to default WiFi operation.
2023
Completed
Limits of CSI-based keylogging on 10-digit number pads
Supervisor:
Matthias Gazzari
Jakob Link
...
2022
Completed
SpyFi: Deep Learning for CSI-based Keylogging Side Channel Attacks
Supervisor:
Matthias Gazzari
Jakob Link
Spying on what is typed on a keyboard with Wi-Fi signals sounds scary but might not be as far from reality as suspected. Wi-Fi-enabled devices constantly measure the communication channel conditions represented with Channel State Information (CSI). Finger and hand movements alter the wireless signal propagation characteristic and cause changes in the CSI over time. Prior work proves it is possible to correlate the patterns in a CSI time series to the motion of keys pressed on a keyboard. This leaking information from Wi-Fi signal distortions can be exploited in a side-channel keylogging attack.
Typing is a prevalent activity when it comes to working with computers on a regular basis. Considering that what we type reveals not only private messages like emails or notes but also highly sensitive data such as passwords or banking information, this leaves a frightening prospect.
In this thesis, we practically explore the potential threat of side-channel keylogging attacks with CSI by implementing and comparing the conventional method found in related work to deep learning-based approaches to infer keystrokes. Motivated by the fact that the use of deep learning models promises less effort in pre-processing and feature extraction, we apply deep learning approaches for the first time for CSI-based keylogging
and extend the knowledge about the applications of Deep Neural Networks (DNNs).
We create a dataset worth more than 24 hours of recording time with a controlled experimental setup to empirically evaluate the performance of the implemented keyloggers. Our results indicate the difficulties and limitations our keylogging models face, which renders keylogging attacks with Wi-Fi signals rather cumbersome for real-world attackers.
2023
Available now
Reverse Engineering Broadcom's Vector Application Specific Processor (VASIP)
Supervisor:
Jakob Link
Selected Broadcom Wi-Fi SoCs feature a Vector Application Specific Processor (VASIP). A brief description of its application areas can be found in the following patent: Inter-radio communications for scheduling or allocating time-varying frequency resources.
The processor might be used to mitigate interference, support MU-MIMO operation, or in general help with computational complex tasks correlated to signal processing. Understanding VASIPs functionalities and capabilities, paired with its positioning near the radio front-end, can open up a new practical platform for researchers with a large area of applications in the wireless field on real end-user devices.
To gain more insight into this type of processor we offer several thesis topics, ranging from analyzing its default functionalities up to reverse engineering its instruction set.
You should be comfortable with the C-language, digging in the unknown, signal processing, and improving your skill-set. Be aware that depending on the sub-topic this might be a heavy task.
2023
In progress
PicoWSDR: Low-cost Software-Defined Radio Receiver
Supervisor:
Jakob Link
Raspberry Pi's Pico W microcontroller board comes with a Broadcom / Infineon Wi-Fi SoC (CYW43439). The combination of the two offers a possibility to create a low-budget, but powerful, software-defined radio receiver.
This work involves low-level programming, debugging and reverse engineering. You should be familiar with or ready to deep dive into microcontroller programming, the programming language C, firmware reverse engineering and patching. An understanding of radio frequency receiver architecture and signal processing is helpful.
2022
Completed
Repurposing Wi-Fi Chips as Software-defined Radio Receivers
Supervisor:
Jakob Link
Broadcom FullMac Wi-Fi Chips offer the possibility to configure its internals such that IQ samples can be fetched at several stages in the RX chain. This opens up the opportunity to repurpose those Wi-Fi Chips as Software-defined Receivers. As the firmare is proprietary and the configuration is non-trivial, reverse engineering of the underlying processes are required. In this thesis, we try to better understand the possible configuration options, tackle bottlenecks like memory and bus bandwidth restrictions, and create a tool that abstracts the SDR RX feature to end-users.
You should have experience with C, Reverse Egineering and interest in hardware features of RF receiver chains.
2022
Completed
Reverse Engineering and Emulating Broadcom's WiFi Real-Time Core Peripherals
Supervisor:
Jakob Link
David Noel Breuer
Broadcom/Cypress WiFi chips commonly hold a microprocessor, also called D11 core, that handles all real-time related 802.11 MAC tasks in form of a programmable state machine (PSM). It is directly connected to the chip's PHY components as well as its non-real-time related parts. Successful attacks on the D11 core would therefore pose a high risk on the whole device. Especially, as the chip is constantly exposed over its wireless interface.
Although the D11 core's architecture and instruction set are mostly proprietary, disassembling and assembling of microcodes (D11's firmware) is possible due to previous reverse engineering efforts. This in turn allows analyzing, modifying and on-chip debugging of microcodes. However, the current related processes are error-prone and time consuming. To improve those tasks, a basic emulator that can interpret the proprietary instruction set and perform corresponding calculations and memory/register accesses was designed and implemented in prior work. But, in order to properly run microcodes on the emulator, several peripherals (e.g. timers, crypto engine, tx/rx engines, PHY interface, ...) that directly influence the PSM's flow need to be emulated additionally.
In this thesis, we want to analyze peripherals that are directly connected to the D11 core and simulate their behavior to the existing emulator.
C and Assembly skills are recommended, as well as experience and/or interest on reverse engineering, IEEE 802.11 MAC, and low-level programming.
2022
Completed
Emulating Broadcom's D11 Core
Supervisor:
Jakob Link
Cypress/Broadcom WiFi chips commonly hold a microprocessor, also called D11 core, that handles all real-time related 802.11 MAC tasks in form of a programmable state machine. The D11 core's architecture and instruction set are proprietary. Reverse engineering efforts already disclosed a sufficient subset of the instruction set to allow disassembling and assembling of microcodes(firmware of the D11 core) for specific core revisions. Still, analyzing, modifying, and debugging microcodes on-chip is error-prone and time consuming. Emulating the D11 core can be used as support for such tasks. In this thesis, we want to gain more knowledge about the D11 core's functionalities by further reverse engineering its internals, and implement an emulator that supports its instruction set and eases debugging of microcodes.