Enabling Security Research on Qualcomm Wifi Chips
06-10, 15:30–16:30 (America/New_York), Grand Salon

Wifi chips contain general purpose processors. Even though these are powerful processors, their firmware is closed source and does not allow modifications. This talk explores how the firmware of modern Qualcomm Wifi chips can be modified to extend its intended functionality. Such modifications can also be leveraged by security researchers to find vulnerabilities in otherwise closed source Wifi code. During the talk we will also dive into the architecture of Qualcomm's Wifi chips as well as the structure of the firmware used within these chips. We will release a modified version of the Nexmon framework to enable patching of Xtensa based firmware and show all the steps involved in creating such patches.


The talk begins by describing that the firmware running on Wifi chips is closed source, even though the chips are able to run arbitrary code. Enabling patching of the existing firmware would allow both enhancing the firmware with additional functionality and security research: a security researcher can leverage a patched firmware for dynamic code analysis to find vulnerabilities hidden in Wifi code.
Qualcomm is one of the most relevant Wifi chip manufacturers; their chips are used in many Wifi enabled routers as well as smartphones. We will explain the general architecture of Wifi chips as well as the architecture of our example chip, the IPQ4019. Different kinds of drivers and firmwares can run on Qualcomm Wifi chips; we will explain the differences.
The IPQ4019 is used in many Wifi routers (e.g. routers by AVM). It supports both the 2.4 and 5 GHz frequency bands and has an additional ARM application processor that runs OpenWrt. It was selected because it is a relatively recent chip which supports newer Wifi standards. The cores inside the chip responsible for Wifi use the Xtensa architecture.
The next section of the talk dives into how the firmware on the Xtensa core is structured and how the firmware is loaded into the chip. We also explain methods to access the memory of the Wifi core from within the Linux system. The firmware is partially compressed and consists of multiple "segments". Because the structure is not straightforward, a good understanding of it is necessary before the firmware can be patched.
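To make the loading side concrete, here is an added example (not code from the talk or from the Nexmon project): a bounds-checked parser for the container that the upstream Linux ath10k driver reads from its firmware-N.bin files (firmware API 2 and later: the magic "QCA-ATH10K" followed by 32-bit little endian id/length IEs, each payload padded to 4 bytes). It assumes the IPQ4019 firmware discussed above is loaded through this container; the "segments" and partial compression the talk describes sit inside the FW_IMAGE payload and are not parsed here. The sample image is constructed in the code and is not a real Qualcomm firmware.

```c
/* Added example, not from the talk or Nexmon: parse the ath10k firmware-N.bin
 * container and locate the FW_IMAGE payload that ends up on the Xtensa core. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ATH10K_FIRMWARE_MAGIC "QCA-ATH10K"   /* as in drivers/net/wireless/ath/ath10k/hw.h */

/* IE ids from ath10k's enum ath10k_fw_ie_type */
enum { FW_IE_FW_VERSION = 0, FW_IE_TIMESTAMP = 1, FW_IE_FEATURES = 2, FW_IE_FW_IMAGE = 3,
       FW_IE_OTP_IMAGE = 4, FW_IE_WMI_OP_VERSION = 5, FW_IE_HTT_OP_VERSION = 6,
       FW_IE_FW_CODE_SWAP_IMAGE = 7 };

struct ie_view { const uint8_t *data; uint32_t len; };

struct fw_container {
    struct ie_view version;      /* NUL-terminated version string */
    struct ie_view fw_image;     /* code/data loaded onto the Wifi core */
    struct ie_view otp_image;
    uint32_t wmi_op_version;
    int have_wmi_op_version;
    unsigned ie_count;
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, a negative code on malformed input. Never reads past buf+len and
 * rejects (rather than clamps) an IE whose declared length overruns the file. */
int ath10k_parse_container(const uint8_t *buf, size_t len, struct fw_container *out)
{
    size_t magic_len = strlen(ATH10K_FIRMWARE_MAGIC) + 1;   /* the driver compares the NUL too */
    size_t off;

    memset(out, 0, sizeof(*out));
    if (len < magic_len || memcmp(buf, ATH10K_FIRMWARE_MAGIC, magic_len) != 0)
        return -1;
    for (off = magic_len; off < len; ) {
        uint32_t id, ie_len;
        size_t padded;
        const uint8_t *d;

        if (len - off < 8)
            return -2;                        /* truncated IE header */
        id = rd_le32(buf + off);
        ie_len = rd_le32(buf + off + 4);      /* header fields are little endian */
        off += 8;
        if (ie_len > len - off)
            return -3;                        /* declared length exceeds remaining bytes */
        d = buf + off;
        switch (id) {
        case FW_IE_FW_VERSION:
            if (ie_len == 0 || d[ie_len - 1] != '\0') return -4;
            out->version.data = d; out->version.len = ie_len; break;
        case FW_IE_FW_IMAGE:   out->fw_image.data = d;  out->fw_image.len = ie_len;  break;
        case FW_IE_OTP_IMAGE:  out->otp_image.data = d; out->otp_image.len = ie_len; break;
        case FW_IE_WMI_OP_VERSION:
            if (ie_len != 4) return -5;
            out->wmi_op_version = rd_le32(d); out->have_wmi_op_version = 1; break;
        default: break;                       /* unknown IEs are skipped, as the driver does */
        }
        out->ie_count++;
        padded = ((size_t)ie_len + 3) & ~(size_t)3;           /* pad is not part of len */
        off += (padded <= len - off) ? padded : len - off;    /* tolerate a missing final pad */
    }
    return 0;
}

/* Constructed sample image (not a real firmware): magic, version string, WMI op version,
 * and a 13-byte stand-in for the FW_IMAGE payload. */
static size_t put_ie(uint8_t *p, uint32_t id, const void *data, uint32_t n)
{
    size_t padded = ((size_t)n + 3) & ~(size_t)3;
    for (int i = 0; i < 4; i++) { p[i] = (uint8_t)(id >> 8 * i); p[4 + i] = (uint8_t)(n >> 8 * i); }
    memcpy(p + 8, data, n);
    memset(p + 8 + n, 0, padded - n);
    return 8 + padded;
}

size_t build_sample_image(uint8_t *buf)
{
    static const char version[] = "10.4-3.6-00140";          /* 15 bytes incl. NUL */
    static const uint8_t wmi_op[4] = { 6, 0, 0, 0 };
    static const uint8_t image[13] = "segment-stub";
    size_t n = strlen(ATH10K_FIRMWARE_MAGIC) + 1;
    memcpy(buf, ATH10K_FIRMWARE_MAGIC, n);
    n += put_ie(buf + n, FW_IE_FW_VERSION, version, sizeof version);
    n += put_ie(buf + n, FW_IE_WMI_OP_VERSION, wmi_op, sizeof wmi_op);
    n += put_ie(buf + n, FW_IE_FW_IMAGE, image, sizeof image);
    return n;                                                 /* 71 bytes */
}

static uint8_t g_sample[256];
struct fw_container g_fw;

/* Builds the sample, optionally corrupts the last IE's length field, and parses it. */
int parse_sample(int corrupt_length)
{
    size_t n = build_sample_image(g_sample);
    if (corrupt_length)
        g_sample[n - 20] = 0xff;            /* low byte of the FW_IMAGE length: 13 -> 255 */
    return ath10k_parse_container(g_sample, n, &g_fw);
}

int main(void)
{
    if (parse_sample(0) != 0) { puts("malformed"); return 1; }
    printf("version=%s wmi_op=%u fw_image=%u bytes, %u IEs\n", (const char *)g_fw.version.data,
           g_fw.wmi_op_version, g_fw.fw_image.len, g_fw.ie_count);
    return 0;
}
```

The parser returns the FW_IMAGE as a view into the file; that payload is where the segment structure and compression the talk describes would have to be decoded next. Rejecting an overlong IE instead of clamping it matters when the same code is pointed at a patched or hand-built image.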
Before we can start patching the firmware, further Xtensa details need to be discussed. Tools like disassemblers ignore certain Xtensa functionality which is present in Qualcomm's firmware. We explain how an existing Binary Ninja plugin could be patched to generate readable assembly. Compiling for little endian turns out to be a challenge as well, because mainline gcc does not support little endian Xtensa output. We show which compilers can be used instead to successfully compile the little endian patches needed for Qualcomm chips.
Finally, we introduce the Nexmon framework (https://nexmon.org). This framework was initially developed to create firmware patches for Broadcom chips. We will show which modifications are necessary to allow patching of Qualcomm firmware in the C programming language. A demonstration of a proof-of-concept patch will show how the modified framework works and that it can indeed enable modifications to the Xtensa firmware.
In the conclusion we will discuss how the existing framework can be improved and where more research needs to be conducted to get a better understanding of the Qualcomm Wifi firmware.

See also: Final Slides (1.3 MB)

Security Researcher interested in enabling new features in closed source firmware. Areas of interest are: Wifi, IoT and Automotive.
Co-author of http://nexmon.org/