Broadcom is one of the major vendors of wireless devices worldwide. Its wireless chips are labelled under the 43 series, and you can find them almost everywhere, from smartphones to laptops, smart TVs and IoT devices. You probably use one without knowing it: if you have a Dell laptop you may be using a bcm43224 or a bcm4352 card, and it is also likely you use a Broadcom WiFi chip if you have an iPhone, a MacBook, a Samsung phone or a Huawei phone. Since these chips are so widespread they constitute a high value target for attackers, and any vulnerability found in them should be considered high risk.

In 2018 I did a 6-month internship at Quarkslab with the purpose of reproducing and porting publicly known vulnerabilities to other vulnerable devices, to learn and improve several common infosec practices and to contribute to increasing Quarkslab's knowledge of these devices. In this blog post I provide an account of my journey, which included obtaining, reversing and fuzzing the firmware, and finding a few new vulnerabilities.

But first let's briefly speak about the 802.11 standard and its implementation on Linux to support the family of chips I studied.

Before diving in, let us have a look at the 802.11 wireless standard. The first IEEE 802.11 standard, created in 1997, standardized the PHY and MAC layers, the two lowest OSI layers. For the PHY layer, two frequency bands were chosen: the Infrared (IR) band and the microwave band (2.4GHz). 802.11a brought another frequency range (5GHz).

The MAC layer uses three types of frames: management, data and control. The Frame Control field of the 802.11 header carries the type and subtype of the frame. Management frames are handled by an entity called the MLME (MAC subLayer Management Entity). Depending on where the MLME runs, we get two major types of wireless chip implementations: SoftMAC, where the MLME runs in the kernel driver, and HardMAC (also called FullMAC), where the MLME is in the firmware embedded in the chip. Some hybrid implementations also exist where, for example, probe requests and responses are managed by the driver, but association requests and authentication are dealt with by the chip's firmware.

FullMAC devices offer better performance in terms of power consumption and speed, which is why they are heavily used in smartphones and tend to be the most common kind of chip on the market. The drawback is that they limit the user's ability to send specific frames: for that one would need to edit the firmware directly.

From the Linux operating system's perspective, the above gives us two major layouts of components in the wireless stack. When the wireless device is a SoftMAC device, the kernel uses a specific Linux Kernel Module (LKM) called 'mac80211', which provides the MLME API used to manage the management frames; otherwise the kernel uses a hardware driver directly and offloads MLME processing to the chip's firmware. The Broadcom bcm43xxx series has both HardMAC and SoftMAC cards.

Unfortunately we could not find datasheets for all the chips we analyzed. The few datasheets available have been released by Cypress after their acquisition of the "IoT business" branch of Broadcom. It's worth mentioning that some chips integrate both WLAN and Bluetooth capabilities, like the bcm4339 or the bcm4330. All the chips analysed use an ARM Cortex-M3 or an ARM Cortex-R4 as the main MCU for non-time-critical operations, so we deal with two similar instruction sets: armv7m and armv7r.
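As an added example (not code from the original post or from Broadcom's firmware), the following C program decodes the 16-bit Frame Control field of an 802.11 header, names the management subtypes, and applies the hybrid MLME split described above: probe requests and responses go to the host driver, (re)association and authentication go to the chip firmware. The sample frames are constructed inline rather than captured; routing every other management subtype to the firmware, and the MLME_* / FC_TYPE_* names, are assumptions of this example, not something the post states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Frame type: Frame Control octet 0, bits 2-3. */
enum fc_type { FC_TYPE_MGMT = 0, FC_TYPE_CTRL = 1, FC_TYPE_DATA = 2, FC_TYPE_EXT = 3 };

/* Management subtypes the classifier below routes explicitly. */
enum mgmt_subtype {
    MGMT_ASSOC_REQ = 0, MGMT_ASSOC_RESP = 1, MGMT_REASSOC_REQ = 2, MGMT_REASSOC_RESP = 3,
    MGMT_PROBE_REQ = 4, MGMT_PROBE_RESP = 5, MGMT_BEACON = 8, MGMT_AUTH = 11, MGMT_DEAUTH = 12
};

struct frame_control {
    uint8_t version;  /* octet 0, bits 0-1; always 0 for current 802.11 frames */
    uint8_t type;     /* octet 0, bits 2-3 */
    uint8_t subtype;  /* octet 0, bits 4-7 */
    uint8_t flags;    /* octet 1: ToDS, FromDS, MoreFrag, Retry, PwrMgt, MoreData, Protected, Order */
};

/* Frame Control is sent little-endian: the first octet on the air holds
 * version/type/subtype, the second holds the flags. */
static struct frame_control parse_frame_control(const uint8_t *hdr)
{
    struct frame_control fc;
    fc.version = hdr[0] & 0x03;
    fc.type    = (hdr[0] >> 2) & 0x03;
    fc.subtype = (hdr[0] >> 4) & 0x0f;
    fc.flags   = hdr[1];
    return fc;
}

static const char *mgmt_subtype_name(uint8_t subtype)
{
    static const char *const names[16] = {
        "Association Request", "Association Response",
        "Reassociation Request", "Reassociation Response",
        "Probe Request", "Probe Response", "Timing Advertisement", NULL,
        "Beacon", "ATIM", "Disassociation", "Authentication",
        "Deauthentication", "Action", "Action No Ack", NULL,
    };
    return names[subtype & 0x0f] ? names[subtype & 0x0f] : "Reserved";
}

/* Who processes a management frame in the hybrid layout described in the post.
 * Sending every other management subtype to the firmware is an assumption. */
enum mlme_owner { MLME_DRIVER, MLME_FIRMWARE, MLME_NOT_MGMT, MLME_INVALID };

static enum mlme_owner classify_mlme_owner(const uint8_t *frame, size_t len)
{
    if (len < 2)                          /* not even a Frame Control field */
        return MLME_INVALID;
    struct frame_control fc = parse_frame_control(frame);
    if (fc.version != 0)                  /* unknown protocol version */
        return MLME_INVALID;
    if (fc.type != FC_TYPE_MGMT)          /* data and control frames bypass the MLME */
        return MLME_NOT_MGMT;
    if (len < 24)                         /* mgmt header: FC(2) Dur(2) DA(6) SA(6) BSSID(6) Seq(2) */
        return MLME_INVALID;
    switch (fc.subtype) {
    case MGMT_PROBE_REQ: case MGMT_PROBE_RESP:
        return MLME_DRIVER;
    case MGMT_ASSOC_REQ: case MGMT_ASSOC_RESP:
    case MGMT_REASSOC_REQ: case MGMT_REASSOC_RESP:
    case MGMT_AUTH:
        return MLME_FIRMWARE;
    default:
        return MLME_FIRMWARE;             /* assumption, see above */
    }
}

/* Constructed sample headers (not captured traffic), locally administered addresses. */
#define BCAST 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
#define STA   0x02, 0x00, 0x00, 0x00, 0x00, 0x01
#define AP    0x02, 0x00, 0x00, 0x00, 0x00, 0x02
/* Beacon: type 0, subtype 8 -> octet 0 = 0x80; DA broadcast, SA and BSSID = AP. */
static const uint8_t sample_beacon[24]    = { 0x80, 0x00, 0x00, 0x00, BCAST, AP, AP, 0x10, 0x00 };
/* Probe Request: subtype 4 -> 0x40; DA and BSSID broadcast, SA = STA. */
static const uint8_t sample_probe_req[24] = { 0x40, 0x00, 0x00, 0x00, BCAST, STA, BCAST, 0x20, 0x00 };
/* Authentication: subtype 11 -> 0xb0; STA -> AP. */
static const uint8_t sample_auth[24]      = { 0xb0, 0x00, 0x3a, 0x01, AP, STA, AP, 0x30, 0x00 };
/* QoS Data: type 2, subtype 8, ToDS flag -> 0x88 0x01, plus a 2-octet QoS Control field. */
static const uint8_t sample_qos_data[26]  = { 0x88, 0x01, 0x3a, 0x01, AP, STA, AP, 0x40, 0x00, 0x00, 0x00 };
/* ACK: type 1, subtype 13 -> 0xd4; control frames carry only FC, Duration and RA. */
static const uint8_t sample_ack[10]       = { 0xd4, 0x00, 0x00, 0x00, STA };

int main(void)
{
    const struct { const char *label; const uint8_t *frame; size_t len; } samples[] = {
        { "beacon", sample_beacon, sizeof sample_beacon },
        { "probe request", sample_probe_req, sizeof sample_probe_req },
        { "authentication", sample_auth, sizeof sample_auth },
        { "qos data", sample_qos_data, sizeof sample_qos_data },
        { "ack", sample_ack, sizeof sample_ack },
    };
    static const char *const owners[] = { "driver", "firmware", "not management", "invalid" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct frame_control fc = parse_frame_control(samples[i].frame);
        printf("%-15s type=%u subtype=%-2u flags=0x%02x -> %s%s%s\n", samples[i].label,
               fc.type, fc.subtype, fc.flags, owners[classify_mlme_owner(samples[i].frame, samples[i].len)],
               fc.type == FC_TYPE_MGMT ? " / " : "", fc.type == FC_TYPE_MGMT ? mgmt_subtype_name(fc.subtype) : "");
    }
    return 0;
}
```

The length checks matter in practice: a control frame such as an ACK is only 10 octets before the FCS, so rejecting everything shorter than a 24-octet management header would misclassify valid frames; the classifier therefore reads Frame Control first and only demands the full header once it knows the frame is a management frame destined for the MLME.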