
Operating Broadcom Wi-Fi Chips as Arbitrary Signal Transmitters, Like SDRs - bcaa7f3a8bbc
https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio
======
bcaa7f3a8bbc
There are some interesting applications...

_Matthias Schulz, Jakob Link, Francesco Gringoli, and Matthias Hollick._
_Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract
Channel State Information to Implement Practical Covert Channels over Wi-Fi._
_Accepted to appear in Proceedings of the 16th ACM International Conference
on Mobile Systems, Applications, and Services, MobiSys 2018, June 2018._

_Matthias Schulz._ _Teaching Your Wireless Card New Tricks: Smartphone
Performance and Security Enhancements through Wi-Fi Firmware Modifications._
_Dr.-Ing. thesis, Technische Universität Darmstadt, Germany, February 2018._

But the papers are nowhere to be found. Just went through peer review and
still waiting for public publication?

~~~
mirimir
Secure mixnet using Android devices would be very cool.

~~~
bcaa7f3a8bbc
Chaum's Store-and-Forward mixnet or Tor's Realtime Onion Routing? I think both
can be built with Wi-Fi Direct on Android. But the end-point security may be
less-than-ideal...

~~~
mirimir
I don't know. Maybe Riffle. Mostly it was the idea of using a custom
spread-spectrum channel with strong encryption.

Edit: + covert channels

------
zokier
This is exactly the sort of thing that is why the FCC wants to lock down WLAN
AP/router firmwares. So, while a cool hack indeed, it is also a bit
unfortunate that it also kinda justifies the FCC's position.

~~~
awalton
Yeah that's not a strong argument at all. The 2.4GHz and 5GHz bands are known
widely as "garbage bands" due to how terrible they are to work with (e.g. rain
will heavily attenuate your signal, they're literally how microwaves work to
cook your food, etc.).

Moreover, there are plenty of radios on the market that transmit all kinds of
noise on these channels that _isn't_ WiFi (e.g. my neighbors had a baby
monitor that I could tell when it was on by how shit my WiFi was at that
moment, FPV drones somewhat frequently use this band with proprietary analog
video transports, etc.). This is permitted because these channels are
"unregulated" (or, more realistically, "regulated for unlicensed operation").

On top of that, the FCC's official statement on this very topic was that what
they really care about is the amount of _power_ being put into these channels,
as some aftermarket router firmwares of varying repute would let you crank the
output wattage above FCC regulations for these frequencies (<1W power to stay
within unlicensed operation regulations for 2.4GHz), and apparently some
in-market WiFi routers picked up those firmwares as a "supported" option (I
think ASUS and Linksys were both named). Most of these routers have since
patched themselves to stay regulation-safe.

So, go nuts, just stay below 30 dBm/1W from the transmitter in 2.4GHz channels
or prepare for a visit from the FCC. (You'll have to do your own research for
5GHz.)

~~~
exikyut
Does this mean the 3W and 5W amplified Wi-Fi dongles all over ebay aren't
actually legal? :(

I realize they're probably terrible quality, and that they're really just
Wi-Fi dongles with amplifiers tacked on, and that overly loud signal
amplification destroys close range performance - but still, I'd been meaning
to get a couple of these and see how good they are.

~~~
paulie_a
Please don't

~~~
exikyut
Forgive my denseness, but I'm honestly/genuinely not sure what you mean by
your comment.

~~~
paulie_a
My comment was to discourage illegal and generally noisy low quality WiFi
equipment that degrades the shared spectrum

------
kevin_b_er
It is impossible for you to redistribute this software or any sort of
resulting binary.

It would be based on both their GPLv3 and their no-military licenses
simultaneously. The linked project requires another depot based on GPLv3 to
function and perform patching. The resulting software would then be
undistributable, as you cannot possibly comply with both the GPLv3 and their
no-military license. GPLv3 would permit distribution to military and not permit
you to restrict them, and the other would prohibit military.

Additionally, this should be considered a violation of GitHub's Terms of Use.
It is intentionally discriminatory against another group: Any given military.
For example, the content hosted on GitHub is intentionally discriminatory
toward the Deutsches Heer.

------
technofiend
Considering the wildly varied performance of smartphone GPS implementations
I'd love to use this to build my own WAAS emitter so that when me and 10 of my
closest friends play ingress we're where we are supposed to be. But that would
be based on using a higher accuracy source (think pucks that have better
antennae, higher accuracy GPS chips and can see the other satellites as well).

Unfortunately I don't think some people could ignore the potential for abuse.
_If only I could be 15 feet to the left_ where the other guy's crappy GPS puts
him. At some point I'm hoping my city will put up a few WAAS transmitters to
help in the glass canyon that is our downtown.

------
xt00
Only in WiFi bands.. so not super flexible as you would expect from an actual
SDR rig.. or maybe I’m missing that it can actually transmit in other bands ?

~~~
userbinator
This particular hardware may be limited to those frequencies but I believe the
Mediatek combo chips that do WiFi+BT+GPS+GLONASS+Beidou+FM as well as GSM are
capable of a much wider range. WiFi and BT are at 2.4GHz but GSM/UMTS/LTE
reach up to 2.6GHz and down to 800-900MHz, and the various navigation systems
use frequencies in the 1.x GHz range. From what I've read, only the FM
hardware is different due to its vastly different frequency (76-108MHz,
although the hardware could probably go beyond those ranges slightly) but
everything else is based on the same SDR.

~~~
xt00
Which chips are those? Most of those solutions I had seen were not actually a
single output stage but rather each band had dedicated pins that went out to
dedicated PA's in many cases. So wifi/BT has its own antenna and front end
etc.. same for the other bands..

~~~
userbinator
Start on page 34 of this:

[http://www.datasheetspdf.com/datasheet/download.php?id=73999...](http://www.datasheetspdf.com/datasheet/download.php?id=739995)

The combo chip itself probably has multiple SDRs internally so that e.g. you
can use GPS and WiFi/BT simultaneously, but they can be connected externally
to the same antenna through a diplexer.

------
rasz
This is a continuation of a 2016 work on bcm4339 firmware.

[https://2016.mrmcd.net/fahrplan/system/event_attachments/att...](https://2016.mrmcd.net/fahrplan/system/event_attachments/attachments/000/002/897/original/nexmon_mrmcd16.pdf)

RaspberryPee wifi chipset (BCM43438) is a close cousin and previous work
(monitor mode, sending raw frames) was ported last year.

[https://dev.seemoo.tu-darmstadt.de/bcm/bcm-rpi3/tree/master/...](https://dev.seemoo.tu-darmstadt.de/bcm/bcm-rpi3/tree/master/firmware_patching/nexmon)

so there is a chance this could too; it would mean a $30 self-contained 2.4/5
GHz SDR.

------
FPGAhacker
Halfway to making a handheld radar.

~~~
dharma1
What's the missing half?

~~~
trelliscoded
Quadrature receiver.

------
Y_Y
Nice to see that instead of a free license they've opted for a bullshit
made-up one where they want you to cite their papers.

~~~
bringtheaction
The license is MIT but not MIT. It’s the MIT license with two additional
conditions imposed:

- The one you mentioned about citation.

- “The Software is not used by, in cooperation with, or on behalf of any
armed forces, intelligence agencies, reconnaissance agencies, defense
agencies, offense agencies or any supplier, contractor, or research
associated.”

[https://github.com/seemoo-lab/mobisys2018_nexmon_software_de...](https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio/blob/master/LICENSE)

Even just the one about citation is problematic but IMO the condition about
armed forces and so on is even worse. I kind of see where they are coming from
but I wish people just used standard MIT and acknowledged that yes your
software might end up being used for something that you do not agree with
morally.

And if they are going to impose such restrictions, why stop there? Why not
also say that you cannot use the software to transmit for example child
pornography? And how about saying that you cannot use it to spread false
information, fake news etc?

I would be exaggerating, but not much, if I were to say that as soon as you
introduce one or more moral restrictions into a software license, you are
implicitly saying that any moral concern _not_ mentioned is ok.

How about terrorism? They didn’t say anything about terrorism so I guess using
their software for terror is fine as long as the terrorists are not an “armed
force”, an intelligence agency etc.

Technology has infinite uses, a whole host of which are good, probably as
many that are bad, and likewise an uncountable amount of uses that are either
neither or both, and very many that will be one thing for some people and the
other for other people.

It should in my opinion not be the job of a software license to pass moral
judgement. Either you release your software for anyone to use for any purpose
under the terms of an unmodified license accepted by the community or you
might as well not bother trying to be open source at all.

~~~
viraptor
> Why not also say that you cannot use the software to transmit for example
> child pornography?

Because it's already illegal, so the point would be a noop. On the other hand,
contracting for the army is legal and one of the places where licenses may be
reviewed/enforced internally.

Same for terrorism. (Also, why would terrorists respect the license)

~~~
em3rgent0rdr
But as parent said, "Technology has infinite uses", so what about the other
infinite uses?

~~~
davrosthedalek
Well I guess you can divide them in illegal uses (license does not matter) and
legal uses (license could matter). I guess from all the legal uses, the
authors disliked military etc. use enough to exclude it. Their choice.

------
bigiain
This opens up some exciting new ways to break radio spectrum laws! (I see the
Raspberry Pi W is supported there... Hmmm...)

~~~
tlrobinson
Or get a ham radio license and go wild (within the limits of that license)

~~~
escherplex
You have a point. 23cm band gives you a bandwidth of 60MHz to play with. The
13cm (2.3-2.45 GHz) playground also happens to be within the frequency range
of your microwave oven (2.45GHz) so experimenting with high ERP in that area
will probably have physiological consequences.

------
drefanzor
I'll stick with my RTL-SDR thanks :)

~~~
taxidump
RTL-SDR is RX only.

~~~
duskwuff
It also has much lower bandwidth than a wifi chipset. (And doesn't even get
close to the 5 GHz range.)

------
rsync
What was required to achieve this result ? That is, what did these folks have
to break in order to gain control of the wifi chip in this way ?

How does this work compare to gaining (similar) access to the baseband
processor on a phone ?

There should be a bounty for that ...

