Unlocking hidden powers in Xtensa based Qualcomm Wifi chips

Presented at DEF CON 31 (2023), Aug. 13, 2023, 11 a.m. (45 minutes)

Wifi chips contain general purpose processors. Even though these are powerful processors, their firmware is closed source and does not allow modifications. This talk explores how the firmware of modern Xtensa based Qualcomm Wifi chips can be modified to extend its intended functionality. Such modifications can, for example, be leveraged by security researchers to find vulnerabilities in otherwise closed source Wifi code. During the talk we will also dive into the architecture of Qualcomm's Wifi chips as well as the structure of the firmware used within these chips. We will release a modified version of the Nexmon framework to enable patching of Xtensa based firmware and show all the steps involved to create such patches.

REFERENCES:

  • http://problemkaputt.de/gbatek-dsi-atheros-wifi-bmi-bootloader-commands.htm
  • https://nstarke.github.io/firmware/wifi/linux/kernel/2021/08/11/dev-coredump-and-firmware-images.html
  • https://sachin0x18.github.io/posts/demystifying-xtensa-isa/
  • https://nexmon.org

Presenters:

  • Daniel Wegemer - Hacker
    Security Researcher interested in enabling new features in closed source firmware. Areas of interest are: Wifi, IoT and Automotive.
