
NexMon (@nexmon_dev)
Followers: 746 · Following: 87 · Media: 7 · Statuses: 155
NexMon is a firmware patching framework for the BCM4339 WiFi firmware of Nexus 5 smartphones.
Darmstadt, Germany · Joined August 2016
We published a pre-print paper about AirGuard. How does the app work? How does it perform against the iOS tracking detection and what can we learn from the anonymous data shared by the user? https://t.co/jiFRyhCW6x
arxiv.org
Finder networks in general, and Apple's Find My network in particular, can pose a grave threat to users' privacy and even health if these networks are abused for stalking. Apple's release of the...
The remaining @acm_wisec tutorials are online: open-sourcing research projects by Milan (@seemoolab), firmware reverse engineering with Ghidra by @ghidraninja, firmware rehosting with avatar2 by @nSinusR and details on a 5G testbed by @gvinevere (@5g_lab & @ComNets_TUD).
A new tutorial format at @acm_wisec features practical tools for wireless research. 👩💻📱📶 SDR intro by @bastibl, baseband fuzzing by @domenuk, iOS in-process fuzzing by @ttdennis & Bluetooth firmware mods by me. Ping me if you want to join as speaker. https://t.co/j6LAGNRwH6
The paper is online – reverse engineered details on WiFi password sharing and Handoff on Apple devices. https://t.co/4s7rYMTR9Y
Our paper “Disrupting Continuity of Apple’s Wireless Ecosystem Security” has been accepted by Usenix Security 21. It details the reverse engineering of private protocols in Apple's hardware and software and includes two reversed protocols: Handoff and WiFi Password Sharing. #usesec21
Very nice that you finally found the shared memory regions between Wi-Fi and Bluetooth chip. As nexmon just patches the Wi-Fi firmware before loading it, we could try to load a patched Wi-Fi firmware using the Bluetooth chip and then reset the Wi-Fi chip to start it.
Code execution on a Broadcom Bluetooth chip leads to code execution within Wi-Fi. This has a couple of interesting implications for utilizing Wi-Fi without @nexmon_dev 📱, Wi-Fi debugging 🐛, and exploitation 💥 More details on CVE-2020-10367 (unpatched):
Happy Easter! Today I published our monitor mode and frame injection patches for the BCM4375 Wi-Fi chips installed in Samsung Galaxy S10 and S20 smartphones. I am still looking for access to a Galaxy S21 to analyze its firmware. https://t.co/t9hEbfC7xF #nexmon
We reverse-engineered @Apple's Find My network for tracking offline #Bluetooth devices. Corresponding paper at @PET_Symposium. Create your own #AirTags today:
github.com
Build your own 'AirTags' 🏷 today! Framework for tracking personal Bluetooth devices via Apple's massive Find My network. - seemoo-lab/openhaystack
Who has a Galaxy S21 and could give me access to the BCM4389 WiFi 6e firmware files? And maybe remotely to the device to dump the chip's ROM?
Take a look at https://t.co/RjWV0IC9DU to decode the first episode of biohackers encoded in DNA on
github.com
Error correction scheme for storing information on DNA using Reed Solomon codes - reinhardh/dna_rs_coding
It's online! Bluetooth RCE == Wi-Fi RCE. Say hello to Spectra, the concept of breaking wireless chip separation as they share the same spectrum. #BlackHat
https://t.co/C03tUsfJ1o
Since people were asking how it works internally, here is Jan's final presentation, which covers the most important aspects why ARM Thumb2 disassembly was problematic and how the binary-only approach works. (9/8) https://t.co/nxn1Uvzvbg
Jan just released Frankenstein, the Broadcom/Cypress Bluetooth firmware emulator that enables fuzzing and further kinds of debugging. It works within a fully-functional Linux BlueZ stack and features virtual modem input. (1/2) https://t.co/iwWFx0kevk
github.com
Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging - seemoo-lab/frankenstein
:-( Unfortunately only an April Fool, it would have been so nice ...
Someone turned the Raspberry Pi into a GSM text message sniffer without any extra hardware using the Broadcom Bluetooth chip: https://t.co/QRTV1Vo4eb
https://t.co/vk3X0mnzsR
github.com
GSM scanner for raspberry pi. Contribute to huhtikuu/huhtikuu development by creating an account on GitHub.
Qualcomm QCACLD with monitor mode is served. Brings sniffer capabilities to a bunch of Android devices. I'll update the paper as we go this week, but now, ENJOY! @aircrackng @kalilinux @nexmon_dev
@digi_no @TheHackersNews
https://t.co/7Q0TQWiVVE
github.com
Qualcomm QCACLD WiFi monitor mode for Android. Contribute to kimocoder/qualcomm_android_monitor_mode development by creating an account on GitHub.
Jiska finally defended her PhD today. If you are into Bluetooth Firmware hacking, read her thesis ;-)
My PhD hat has Bluetooth. The implementation is trustworthy because Milan, our AirDrop hacker, built it 😍 #phdjiska
While you are all about hacking and breaking things, we built some cool wireless stuff with InternalBlue and @nexmon_dev, which we will present at #EWSN2020, February 17-19, Lyon, France. Happy to meet and chat if you are around, either at the conference or in Lyon.
36C3: Don't trust any Bluetooth device, and certainly not in a connected car https://t.co/ph3etwGqXN #36c3 #36C3
heise.de
Chips for wireless data transmission, for example via Bluetooth, have massive security vulnerabilities. With shared antennas, for instance, WLAN can be switched off.
Today at #36c3, 5:10pm (GMT+1), Jiska will present "All wireless communication stacks are equally broken". Live stream and recordings available on https://t.co/QRPFNvma53. Covers results of @CYSEC_Darmstadt @ATHENECenter @emergen_CITY