seemoo-lab/mobisys2018_nexmon_software_defined_radio seemoo-lab/mobisys2018_nexmon_software_defined_radio

  • Stars
    star
    749
  • Rank 58,353 (Top 2 %)
  • Language
    Shell
  • License
    Other
  • Created about 6 years ago
  • Updated about 6 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
seemoo-lab/mobisys2018_nexmon_software_defined_radio
github

seemoo-lab

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Proof of concept project for operating Broadcom Wi-Fi chips as arbitrary signal transmitters similar to software-defined radios (SDRs)

NexMon logo

Nexmon Software Defined Radio

This projects demonstrates our discovery that turns Broadcom's 802.11ac Wi-Fi chips into software-defined radios that transmit arbitrary signals in the Wi-Fi bands. In this example, we patch the Wi-Fi firmware of BCM4339 devices installed in Nexus 5 smartphones and BCM43455c0 devices installed in Raspberry Pi B3+ computers. The Raspberry Pi B3 will never be supported as it only contains an 802.11n PHY. The firmware patch activates three ioctls:

  1. NEX_WRITE_TEMPLATE_RAM (426) writes arbitrary data into Template RAM that stores the raw IQ samples that we may transmit. The ioctl's payload contains (1) an int32 value indicating the offset where data should be written in Template RAM in bytes, (2) an int32 value indicating the length of the data that should be written and (3) the IQ samples as array of IQ values, where I (inphase components) and Q (quadrature components) are stored as int16 numbers.

  2. NEX_SDR_START_TRANSMISSION (427) that triggers the transmission of IQ samples. The ioctl's payload contains (1) an int32 value indicating the number of samples to transmit, (2) an int32 value indicating the offset where the signal starts in Template RAM, (3) an int32 value indicating a chanspec (channel number, bandwidth, band, ...), (4) an int32 value indicating the power index (lower value means higher output power), and (5) an int32 value indicating whether to loop over the IQ samples or transmit them only once.

  3. NEX_SDR_STOP_TRANSMISSION (428) stops a transmission started using NEX_SDR_START_TRANSMISSION.

Transmitting an Example Signal

The directory payload_generation contains the MATLAB script generate_frame.m that generates a Wi-Fi beacon frame with SSID MyCovertChannel. The generated IQ samples are written to a bash script that calls nexutil from the nexmon.org project to load the samples into the Wi-Fi chip's Template RAM by using ioctls. You can either generate your own signals or use the example myframe.sh file for transmitting the generated Wi-Fi frame. To this end, follow the Getting Started instructions below to install our patched Wi-Fi firmware on a Nexus 5 smartphone. Then, you need to copy myframe.sh to a directory that allows execution (such as /su/xbin/). To load the samples and start a single transmission, simply executute the bash script and observe the results by listening with a Wi-Fi sniffer on channel 1. A suitable Wireshark filter is wlan.addr == 82:7b:be:f0:96:e0. Of course, you are not limited to transmitting handcrafted Wi-Fi signals, you can transmit whatever you like in the 2.4 and 5 GHz bands. Nevertheless, you have to obey your local laws for transmitting signals, that might prohibit you to transmit any signal at all.

Extract from our License

Any use of the Software which results in an academic publication or other publication which includes a bibliography must include citations to the nexmon project a) and the paper cited under b) or the thesis cited under c):

a) "Matthias Schulz, Daniel Wegemer and Matthias Hollick. Nexmon: The C-based Firmware Patching Framework. https://nexmon.org"

b) "Matthias Schulz, Jakob Link, Francesco Gringoli, and Matthias Hollick. Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement Practical Covert Channels over Wi-Fi. Accepted to appear in Proceedings of the 16th ACM International Conference on Mobile Systems, Applications, and Services (MobiSys 2018), June 2018."

c) "Matthias Schulz. Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements through Wi-Fi Firmware Modifications. Dr.-Ing. thesis, Technische Universität Darmstadt, Germany, February 2018."

Getting Started

To compile the source code, you are required to first clone the original nexmon repository that contains our C-based patching framework for Wi-Fi firmwares. Than you clone this repository as one of the sub-projects in the corresponding patches sub-directory. This allows you to build and compile all the firmware patches required to repeat our experiments. The following steps will get you started on Xubuntu 16.04 LTS:

  1. Install some dependencies: sudo apt-get install git gawk qpdf adb
  2. Only necessary for x86_64 systems, install i386 libs:
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386
  1. Clone the nexmon base repository: git clone https://github.com/seemoo-lab/nexmon.git.
  2. Download and extract Android NDK r11c (use exactly this version!).
  3. Export the NDK_ROOT environment variable pointing to the location where you extracted the ndk so that it can be found by our build environment.
  4. Navigate to the previously cloned nexmon directory and execute source setup_env.sh to set a couple of environment variables.
  5. Run make to extract ucode, templateram and flashpatches from the original firmwares.
  6. Navigate to utilities and run make to build all utilities such as nexmon.
  7. Attach your rooted Nexus 5 smartphone running stock firmware version 6.0.1 (M4B30Z, Dec 2016).
  8. Run make install to install all the built utilities on your phone.
  9. Navigate to patches/bcm4339/6_37_34_43/ and clone this repository: git clone https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio.git
  10. Enter the created subdirectory mobisys2018_nexmon_software_defined_radio and run make install-firmware to compile our firmware patch and install it on the attached Nexus 5    smartphone or run make install-rpi3plus to compile our firmware patch and install it on a Raspberry Pi B3+.

References

  • Matthias Schulz, Daniel Wegemer and Matthias Hollick. Nexmon: The C-based Firmware Patching Framework. https://nexmon.org
  • Matthias Schulz, Jakob Link, Francesco Gringoli, and Matthias Hollick. Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement Practical Covert Channels over Wi-Fi. Accepted to appear in Proceedings of the 16th ACM International Conference on Mobile Systems, Applications, and Services, MobiSys 2018, June 2018.
  • Matthias Schulz. Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements through Wi-Fi Firmware Modifications. Dr.-Ing. thesis, Technische Universität Darmstadt, Germany, February 2018.

Get references as bibtex file

Contact

Powered By

Secure Mobile Networking Lab (SEEMOO)

SEEMOO logo

Networked Infrastructureless Cooperation for Emergency Response (NICER)

NICER logo

Multi-Mechanisms Adaptation for the Future Internet (MAKI)

MAKI logo

Technische Universität Darmstadt

TU Darmstadt logo

More Repositories

1

opendrop

An open Apple AirDrop implementation written in Python
Python
8,426
star
2

openhaystack

Build your own 'AirTags' 🏷 today! Framework for tracking personal Bluetooth devices via Apple's massive Find My network.
Swift
7,719
star
3

nexmon

The C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more
C
2,319
star
4

AirGuard

Protect yourself from being tracked 🌍 by AirTags 🏷 and Find My accessories 📍
Kotlin
1,809
star
5

owl

An open Apple Wireless Direct Link (AWDL) implementation written in C
C
1,192
star
6

openwifipass

An open source implementation of Apple's Wi-Fi Password Sharing protocol in Python.
Python
789
star
7

internalblue

Bluetooth experimentation framework for Broadcom and Cypress chips.
Python
655
star
8

frankenstein

Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging
C
414
star
9

nexmon_csi

Channel State Information Extraction on Various Broadcom Wi-Fi Chips
C
286
star
10

toothpicker

Python
229
star
11

polypyus

Python
212
star
12

privatedrop

Practical Privacy-Preserving Authentication for Apple AirDrop
Swift
210
star
13

bcm-rpi3

DEPRECATED: Monitor Mode and Firmware patching framework for the Raspberry Pi 3, development moved to: https://github.com/seemoo-lab/nexmon
C
158
star
14

BTLEmap

Nmap for Bluetooth Low Energy
Swift
144
star
15

airtag

AirTag instrumentation including AirTechno and firmware downgrades.
JavaScript
130
star
16

wireshark-awdl

Wireshark Dissector for Apple Wireless Direct Link (AWDL) and Apple's CoreCapture logging framework. Note: the AWDL dissector is part of Wireshark 3.0!
129
star
17

mobisys2018_nexmon_channel_state_information_extractor

Example project for extracting channel state information of up to 80 MHz wide 802.11ac Wi-Fi transmissions using the BCM4339 Wi-Fi chip of Nexus 5 smartphones.
MATLAB
96
star
18

airdrop-keychain-extractor

Extracting Apple ID Validation Record, Certificate, and Key for AirDrop
Objective-C
94
star
19

frida-scripts

JavaScript
89
star
20

bcm-public

DEPRECATED: Monitor Mode and Firmware patching framework for the Google Nexus 5, development moved to: https://github.com/seemoo-lab/nexmon
C
75
star
21

fitness-app

Java
68
star
22

apple-continuity-tools

Reverse engineering toolkit for Apple's wireless ecosystem
JavaScript
59
star
23

nexmon_debugger

Debugger with hardware breakpoints and memory watchpoints for BCM4339 Wi-Fi chips
C
54
star
24

talon-tools

Talon Tools: The Framework for Practical IEEE 802.11ad Research
TeX
41
star
25

aristoteles

A Wireshark dissector for the Apple Remote Invocation (ARI) protocol, used between Intel base band chips and the iOS CommCenter for various management purposes, SMS, telephony and much more.
Lua
41
star
26

wisec2017_nexmon_jammer

This project contains the nexmon-based source code required to repeat the experiments of our WiSec 2017 paper.
C
41
star
27

mmTrace

mmTrace: Millimeter Wave Propagation Simulation
MATLAB
39
star
28

fitness-firmware

HTML
39
star
29

apple_u1

JavaScript
38
star
30

dtrace-memaccess_cve-2020-27949

C++
33
star
31

proxawdl

Tunnels a regular TCP connection through an AWDL link by exploiting the NetService API
Objective-C
33
star
32

chirpotle

A LoRaWAN Security Evaluation Framework
Jupyter Notebook
31
star
33

AirGuard-iOS

Protect yourself from being tracked 📍by Samsung SmartTags and Tile Trackers
Swift
26
star
34

pyshimmer

pyshimmer provides a Python API to work with the wearable sensor devices produced by Shimmer.
Python
24
star
35

mobisys2018_nexmon_covert_channel

Wi-Fi based covert channel that hides information in hand crafted acknowledgement frames imitating additional channel effects that can be extracted from channel state information at the intended receiver.
C
23
star
36

h4bcm_wireshark_dissector

Wireshark dissector for Broadcom specific H4 diagnostic commands
C
21
star
37

owlink.org

Opening up Apple's wireless ecosystem around the Apple Wireless Direct Link (AWDL) protocol
HTML
19
star
38

uwb-sniffer

A UWB Sniffer with accurate timestamps
C
19
star
39

wisec2017_nexmon_jammer_demo_app

This project contains source code of our Nexmon-based jammer app presented as a demo at WiSec 2017.
Java
18
star
40

plist17lib

Python
17
star
41

seemoo-mobile-sensing

Sensor data collector for Android devices
Java
17
star
42

BTLEmap-Framework

BTLEmap's Bluetooth Low Energy framework that powers the app
Swift
16
star
43

seemoo-wearable-sensing

Sensor data collector for Samsung Gear S3
JavaScript
16
star
44

nexmon-arc

The nexmon C-based firmware patching framework adapted for the ARC architecture.
C
16
star
45

csicloak

Python
14
star
46

talon-sector-patterns

Antenna Sector Patterns as obtained by Measurements in the CoNEXT'17 paper
MATLAB
13
star
47

privatefind

Lost and Found: Stopping Bluetooth Finders from Leaking Private Information
C
12
star
48

nexmon_tx_task

Scheduled frame transmission on Broadcom Wi-Fi Chips
C
11
star
49

wisec2017_nexmon_jammer_demo_firmware

This project contains the nexmon-based source code of the jammer used in our WiSec 2017 demo Android app.
C
11
star
50

fido2ext

Bring Your Own FIDO2 Extensions!
JavaScript
11
star
51

wifi-password-sharing

An open source implementation of Apple's Wi-Fi Password Sharing protocol in Swift.
Swift
10
star
52

bcm_misc

10
star
53

Hardwhere

snipeit-it based asset management app
Kotlin
9
star
54

opennan

OpenNAN - An open source NAN stack for Linux
C
9
star
55

ubicomp19_zero_interaction_security

Source code for experiments and evaluation of five zero-interaction security schemes, for our Ubicomp 2019 paper "Perils of Zero-Interaction Security in the Internet of Things"
Jupyter Notebook
9
star
56

myo-keylogging

Code for "My(o) Armband Leaks Passwords: An EMG and IMU Based Keylogging Side-Channel Attack" paper
Python
8
star
57

natural-disaster-mobility

Natural Disaster Mobility Model and Scenarios in the ONE
Java
7
star
58

wisec2017_nexmon_jammer_reproducibility

This project contains all measured data and scripts to recreate the plots used in our WiSec 2017 paper.
MATLAB
7
star
59

nexmon_energy_measurement

This repository contains patched Linux kernel sources to run energy measurements on the Wi-Fi chip of a Nexus 5 smartphone.
C
7
star
60

next2you

Source code for experiments and evaluation of Next2You copresence detection scheme, for our TIOT 2021 paper "Next2You: Robust Copresence Detection Based on Channel State Information".
C
7
star
61

aic-prototype

Proof of concept implementation of Acoustic Integrity Codes (AICs) for Android smartphones
Kotlin
7
star
62

offline-finding-evaluation

Quantitative analysis of location reports from Apple's offline finding (OF) location tracking system
Jupyter Notebook
6
star
63

pico-nexmon

Applications for the Raspberry Pi Pico W related to Nexmon the C-based firmware patching framework for Broadcom/Cypress WiFi chips.
CMake
5
star
64

fastzip

Source code for experiments and evaluation of FastZIP zero-interaction pairing scheme, for our Mobisys 2021 paper "FastZIP: Faster and More Secure Zero-Interaction Pairing".
Python
5
star
65

powerpc-ose

C++
4
star
66

d11-emu

D11emu: A BCM43 D11 Emulation Framework
Rust
4
star
67

PrivateDrop-Base

The framework that powers PrivateDrop
C
3
star
68

graphics

3
star
69

click-castor

Click implementation of LIDOR/SEMUD (based on the Castor routing protocol)
C++
3
star
70

tpy

A Lightweight Framework for Agile Distributed Network Experiments
Python
3
star
71

privatedrop-evaluation

Jupyter Notebook
3
star
72

wintech23_nexmon_d11debug

Pawn
3
star
73

wintech2017_nexmon_ping_offloading

This project contains the nexmon-based source code of the ping offloading application used in our WiNTECH 2017 paper.
C
2
star
74

wisec23-speaker-bootstrapping

Software repository for our WiSec '23 demo: Secure Bootstrapping of Smart Speakers Using Acoustic Communication
C
2
star
75

hardzipa

Source code for experiments and evaluation of HardZiPA system for our EWSN 2023 paper "Hardening and Speeding UpZero-interaction Pairing and Authentication".
Python
2
star
76

talon-library-measurements

Large-Scale Talon Measurements at Library
1
star
77

kardia-demod

Python
1
star
78

handoff-authentication-swift

C++
1
star
79

caret

CARET: The Crisis and Resilience Evaluation Tool
Python
1
star
80

Please-Unstalk-Me

User Data and Online Survey results
Jupyter Notebook
1
star
81

python-msp430-tools

This is a fork of the original python-msp430-tools repository on Launchpad. It features a patchset that is required to use the tools with the Shimmer3 devices.
Python
1
star