< NULLCON 2025 - BERLIN />

About the Speaker

Daniel Wegemer
Security Researcher
Edoardo Mantovani
Security Researcher

< Talk Title />

Unlock hidden Superpowers in MediaTek Wi-Fi Chips

< Talk Category />

Technical Speakers

< Talk Abstract />

MediaTek Wi-Fi chips are widely used, powering everything from smartphones and routers to IoT devices and notebooks. Despite their broad use, their internal firmware workings, particularly on the NDS32 architecture, have remained largely a black box – until now. This talk dives deep into the reverse engineering of MediaTek's Wi-Fi firmware, providing a look behind the curtain of proprietary technology.

We'll detail our journey of demystifying the NDS32 architecture, overcoming significant hurdles like undocumented hardware peripherals enforcing CRC32 integrity checks, and successfully descrambling firmware protected by XOR ciphers. Learn how we developed novel techniques to dump protected ROMs, even on hardware with restricted debug access.

Beyond just analysis, we demonstrate how to unlock powerful, previously inaccessible features such as raw I/Q data streaming (ICAP mode) and Channel State Information (CSI). To empower the community and pave the way for new Wi-Fi security research and custom firmware development, we are releasing a suite of open-source tools. These include firmware parsers, patchers, a ROM dumper, an automatic descrambler, and utilities for interacting with the newly discovered low-level interfaces. Join us as we liberate MediaTek Wi-Fi chips and unleash their hidden potential.
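As an added illustration of two of the firmware-handling steps the abstract names, XOR descrambling and CRC32 integrity verification, here is a generic repeating-key XOR descrambler with a CRC32 trailer check. This is example code written for this page, not the speakers' released tooling, and it says nothing about the real MediaTek image format. It assumes a hypothetical layout (payload scrambled with a short repeating XOR key, followed by a little-endian CRC32 over the descrambled payload) and a constructed sample image; the key `5a a5 3c c3`, the `MTKFWDEMO` header string and the helper names are all invented for the demo. The techniques it shows carry over to real images: estimating the key period from the normalized Hamming distance between consecutive blocks, recovering each key byte from the most frequent ciphertext byte in its column (firmware images are dominated by zero padding), collapsing a multiple of the true period to the shortest one, and then checking the trailer CRC.

```python
"""Generic repeating-key XOR descrambler with CRC32 trailer verification.

Added example, not the speakers' tools. Image layout is a hypothetical
assumption: [payload XOR repeating key][CRC32 LE over descrambled payload].
"""
import hashlib
import zlib
from collections import Counter
from itertools import cycle

# Hypothetical scrambling key used only to build the constructed sample.
KEY = bytes.fromhex("5aa53cc3")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated cyclically (scramble == descramble)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def guess_key_length(data: bytes, max_len: int = 32) -> int:
    """Estimate the XOR key period.

    At the true period (or a multiple of it) the key cancels between
    consecutive blocks, so zero-padded regions contribute zero distance and
    the normalized Hamming distance is minimal.
    """
    best_len, best_score = 1, float("inf")
    for klen in range(1, max_len + 1):
        nblocks = len(data) // klen
        if nblocks < 2:
            break
        total = sum(
            hamming(data[i * klen:(i + 1) * klen],
                    data[(i + 1) * klen:(i + 2) * klen])
            for i in range(nblocks - 1)
        )
        score = total / ((nblocks - 1) * klen)
        if score < best_score:
            best_len, best_score = klen, score
    return best_len


def recover_key(data: bytes, klen: int, fill: int = 0x00) -> bytes:
    """Per key position, the most common ciphertext byte is assumed to be
    `fill` XOR key[i]; `fill` = 0x00 models padding-dominated firmware."""
    return bytes(Counter(data[i::klen]).most_common(1)[0][0] ^ fill
                 for i in range(klen))


def shortest_period(key: bytes) -> bytes:
    """Collapse a key that is a repetition of a shorter one (e.g. an
    8-byte guess for a 4-byte key) to its shortest period."""
    for d in range(1, len(key) + 1):
        if len(key) % d == 0 and key == key[:d] * (len(key) // d):
            return key[:d]
    return key


def parse_image(image: bytes, max_key_len: int = 32):
    """Descramble `image` and verify its CRC32 trailer.

    Returns (recovered_key, descrambled_payload, crc_ok).
    """
    body, trailer = image[:-4], image[-4:]
    key = shortest_period(recover_key(body, guess_key_length(body, max_key_len)))
    plain = xor_bytes(body, key)
    expected = int.from_bytes(trailer, "little")
    crc_ok = (zlib.crc32(plain) & 0xFFFFFFFF) == expected
    return key, plain, crc_ok


def _pseudo_code(n: int) -> bytes:
    """Deterministic filler standing in for code/data sections (constructed)."""
    out, state = b"", b"mtk-demo"
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return out[:n]


def build_sample_image():
    """Constructed 1 KiB sample: 16-byte header, 240 bytes of filler, then
    zero padding; scrambled with KEY and followed by the CRC32 trailer."""
    header = b"MTKFWDEMO".ljust(16, b"\x00")
    plain = (header + _pseudo_code(240)).ljust(1024, b"\x00")
    image = xor_bytes(plain, KEY) + zlib.crc32(plain).to_bytes(4, "little")
    return plain, image


if __name__ == "__main__":
    plain, image = build_sample_image()
    key, recovered, ok = parse_image(image)
    print("key:", key.hex(), "crc ok:", ok, "match:", recovered == plain)
```

Usage note: on a real dump, run `parse_image` over the region you suspect is scrambled rather than the whole file, since a cleartext header or a padding byte other than 0x00 skews both the period estimate and the per-column key recovery; pass a different `fill` if the dominant plaintext byte is 0xFF (erased flash) instead of 0x00.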

< Speaker Bio />

Daniel Wegemer

Security researcher interested in enabling new features in closed-source firmware. Areas of interest are: Wi-Fi, IoT and Automotive.
Co-author of http://nexmon.org/

Edoardo Mantovani

Independent researcher with a specific focus on firmware reverse engineering, kernel programming and software obfuscation.