DOI: 10.1145/3615453.3616520
Research article

Rolling the D11: An Emulation Game for the Whole BCM43 Family

Published: 02 October 2023

Abstract

The D11 is Broadcom's proprietary IEEE 802.11 MAC implementation and an essential part of their WiFi chips. It is a microcontroller that orchestrates the Physical Layer and Radio Front-end implementation and is programmable through a custom microcode. We provide a new emulation framework for the D11 microcode and a corresponding firmware patch for the WiFi chip that enables essential debugging methods, including microcode breakpoints and D11 state extraction. This toolset allows researchers to dynamically analyze the D11 microcode in a controlled environment. To facilitate research on the D11, we provide an overview of state-of-the-art knowledge of the chip and publish all presented tools to the open-source community. We encourage everyone interested to enter the game, roll the D11, and provide new insights on Broadcom's MAC implementation.


Published In

WiNTECH '23: Proceedings of the 17th ACM Workshop on Wireless Network Testbeds, Experimental evaluation & Characterization
October 2023
115 pages
ISBN:9798400703409
DOI:10.1145/3615453
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • Deutsche Forschungsgemeinschaft

Conference

ACM MobiCom '23
Acceptance Rates

Overall Acceptance Rate 63 of 100 submissions, 63%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 159
  • Downloads (Last 12 months): 88
  • Downloads (Last 6 weeks): 17

Reflects downloads up to 22 Nov 2024
