About the Speaker
< Talk Abstract />
MediaTek Wi-Fi chips are widely used, powering everything from smartphones and routers to IoT devices and notebooks. Despite this broad deployment, the internal workings of their firmware, particularly on the NDS32 architecture, have remained largely a black box until now. This talk dives deep into reverse engineering MediaTek's Wi-Fi firmware and looks behind the curtain of a proprietary technology stack.
We detail our journey of demystifying the NDS32 architecture, overcoming significant hurdles such as undocumented hardware peripherals that enforce CRC32 integrity checks, and descrambling firmware images protected by XOR ciphers. Learn how we developed novel techniques to dump protected ROMs, even on hardware with restricted debug access.
Beyond analysis, we demonstrate how to unlock powerful, previously inaccessible features such as raw I/Q data streaming (ICAP mode) and Channel State Information (CSI). To empower the community and pave the way for new Wi-Fi security research and custom firmware development, we are releasing a suite of open-source tools: firmware parsers, patchers, a ROM dumper, an automatic descrambler, and utilities for interacting with the newly discovered low-level interfaces. Join us as we liberate MediaTek Wi-Fi chips and unleash their hidden potential.
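The two obstacles named in the abstract, an XOR-scrambled image and a CRC32 integrity check that rejects modified firmware, are generic enough that a practitioner can see the shape of the workaround without the talk's own tooling. The block below is an added example and is not code from the speakers' released tools; it assumes a repeating-key XOR with a short key, a firmware-like plaintext in which 0x00 is the most common byte in every key position (zero padding, alignment, small immediates), and a standard CRC-32 (as `zlib.crc32`) over the image body stored little-endian in a 4-byte trailer. The sample image, the key `a5 5a c3 3c`, the function names and the trailer layout are all constructed for illustration; real MediaTek images may differ in every one of these details.

```python
"""Added example: recover a repeating XOR key from a scrambled firmware
image and re-sign a patched image with a CRC-32 trailer.

Everything below is an assumption for illustration, not taken from the
talk: key length, zero-dominated plaintext, CRC-32 polynomial, trailer
placement and endianness.
"""
import struct
import zlib
from collections import Counter

KEY = bytes.fromhex("a55ac33c")  # constructed demo key, not a real one


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply (or remove) a repeating-key XOR; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_len(scrambled: bytes, max_len: int = 16) -> int:
    """Pick the key length whose key-position columns are most dominated by
    a single byte. At the right length every column is mostly XORed zeros,
    so one byte (the key byte) dominates; multiples of the true length tie,
    hence the smallest length within tolerance of the best score wins."""
    def skew(n: int) -> float:
        return sum(Counter(scrambled[i::n]).most_common(1)[0][1]
                   for i in range(n)) / len(scrambled)
    scores = {n: skew(n) for n in range(1, max_len + 1)}
    best = max(scores.values())
    return min(n for n, s in scores.items() if s >= 0.95 * best)


def recover_xor_key(scrambled: bytes, key_len: int) -> bytes:
    """Assumption: 0x00 is the most frequent plaintext byte in each column,
    so the most frequent scrambled byte in column i equals key[i]."""
    return bytes(Counter(scrambled[i::key_len]).most_common(1)[0][0]
                 for i in range(key_len))


def crc32_trailer_ok(image: bytes) -> bool:
    """Check the assumed layout: body followed by little-endian CRC-32."""
    body, (stored,) = image[:-4], struct.unpack("<I", image[-4:])
    return (zlib.crc32(body) & 0xFFFFFFFF) == stored


def patch_and_fix_crc(image: bytes, offset: int, patch: bytes) -> bytes:
    """Apply a byte patch to the body and recompute the trailer CRC so an
    integrity check of this (assumed) form still passes."""
    body = bytearray(image[:-4])
    if offset < 0 or offset + len(patch) > len(body):
        raise ValueError("patch lies outside the image body")
    body[offset:offset + len(patch)] = patch
    crc = zlib.crc32(bytes(body)) & 0xFFFFFFFF
    return bytes(body) + struct.pack("<I", crc)


def build_sample_image():
    """Constructed firmware-like image: small header, some non-zero 'code',
    a large zero-padded region, then the CRC-32 trailer. Returns the plain
    image and its scrambled form."""
    header = b"FWIMG\x00\x01\x00" + struct.pack("<I", 0x1000)
    code = bytes(range(1, 64)) * 3
    padding = bytes(512)
    body = header + code + padding
    image = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return image, xor_with_key(image, KEY)


if __name__ == "__main__":
    plain, scrambled = build_sample_image()
    n = guess_key_len(scrambled)
    key = recover_xor_key(scrambled, n)
    print("key length", n, "key", key.hex(), "valid CRC:",
          crc32_trailer_ok(xor_with_key(scrambled, key)))
    patched = patch_and_fix_crc(plain, 12, b"\x90" * 4)
    print("patched image passes CRC:", crc32_trailer_ok(patched))
```

The frequency heuristic only works when the plaintext really is zero-heavy; on a compressed or encrypted region it returns garbage, so check the recovered key against a known-plaintext anchor (a version string, a vector table) before trusting it. Likewise, recomputing the CRC only helps when the check is a plain CRC-32 over the region you patched; if the device also verifies a signature, fixing the checksum does nothing.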
< Speaker Bio />
Daniel Wegemer
Security researcher interested in enabling new features in closed source firmware. Areas of interest are: Wi-Fi, IoT and Automotive.
Co-author of http://nexmon.org/
Edoardo Mantovani
Independent researcher with a specific focus on firmware reverse engineering, kernel programming and software obfuscation.