NexMon

156 posts

NexMon

@nexmon_dev

NexMon is a firmware patching framework for the BCM4339 WiFi firmware of Nexus 5 smartphones.

Darmstadt, Germany Joined Ağustos 2016

74 Following754 Followers

NexMon retweeted

yesimxev@yesimxev·18 Mar

Meet the MASTERS of wireless reverse engineering! @kalilinux NetHunter Episode 2 is out now! It was a pleasure to have the @nexmon_dev team on 📱⌚📡 @offsectraining youtu.be/6FNd77iu2W0

YouTube

English

12.4K

NexMon retweeted

@[email protected]@seemoolab·18 May

We just won the @acm_wisec best paper award for our paper about @AirGuardAndroid 🥳

English

NexMon@nexmon_dev·26 Şub

@jiska___ @LiveOverflow nexmon.org for reverse engineering and patching of broadcom/cypress wifi firmwares.

English

LiveOverflow 🔴@LiveOverflow·25 Şub

Do you know any (large) community-driven reverse engineering projects?

English

313

NexMon retweeted

AirGuard@AirGuardAndroid·25 Şub

We published a pre-print paper about AirGuard. How does the app work? How does it perform against the iOS tracking detection and what can we learn from the anonymous data shared by the user? arxiv.org/abs/2202.11813

English

NexMon retweeted

Jiska@naehrdine·29 Nis

The remaining @acm_wisec tutorials are online: open-sourcing research projects by Milan (@seemoolab), firmware reverse engineering with Ghidra by @ghidraninja, firmware rehosting with avatar2 by @nSinusR and details on a 5G testbed by @gvinevere (@5g_lab & @ComNets_TUD).

Jiska@naehrdine

A new tutorial format at @acm_wisec features practical tools for wireless research. 👩‍💻📱📶 SDR intro by @bastibl, baseband fuzzing by @domenuk, iOS in-process fuzzing by @ttdennis & Bluetooth firmware mods by me. Ping me if you want to join as speaker. sites.nyuad.nyu.edu/wisec21/tutori…

English

NexMon retweeted

@[email protected]@seemoolab·29 Nis

The paper is online – reverse engineered details on WiFi password sharing and Handoff on Apple devices. usenix.org/system/files/s…

@[email protected]@seemoolab

Our paper “Disrupting Continuity of Apple’s Wireless Ecosystem Security” has been accepted by Usenix Security 21. It details in reverse-engineering private protocols on Apple‘s Hard- & Software and it includes two reversed protocols: Handoff and WiFi Password Sharing. #usesec21

English

NexMon@nexmon_dev·24 Nis

Very nice that you finally found the shared memory regions between Wi-Fi and Bluetooth chip. As nexmon just patches the Wi-Fi firmware before loading it, we could try to load a patched Wi-Fi firmware using the Bluetooth chip and then reset the Wi-Fi chip to start it.

Jiska@naehrdine

Code execution on a Broadcom Bluetooth chip leads to code execution within Wi-Fi. This has a couple of interesting implications for utilizing Wi-Fi without @nexmon_dev 📱, Wi-Fi debugging 🐛, and exploitation 💥 More details on CVE-2020-10367 (unpatched): naehrdine.blogspot.com/2021/04/blueto…

English

NexMon@nexmon_dev·9 Nis

@jiska___ Oh maybe Samsung has different chips in the european and the international variants.

English

NexMon@nexmon_dev·8 Nis

@jiska___ Very nice :-) Would you mind also disabling SELinux O:-)

English

NexMon@nexmon_dev·4 Nis

Happy Easter! Today I published our monitor mode and frame injection patches for the BCM4375 Wi-Fi chips installed in Samsung Galaxy S10 and S20 smartphones. I am still looking for access to a Galaxy S21 to analyze its firmware. nexmon.org #nexmon

English

NexMon retweeted

@[email protected]@seemoolab·4 Mar

We reverse-engineered @Apple's Find My network for tracking offline #Bluetooth devices. Corresponding paper at @PET_Symposium. Create your own #AirTags today: github.com/seemoo-lab/ope…

English

NexMon@nexmon_dev·16 Şub

@enovella_ S10 patch is ready just need to find some time to publish it.

English

Edu Novella@enovella_·16 Şub

@nexmon_dev S10+ here if needed

English

NexMon@nexmon_dev·6 Şub

Who has a Galaxy S21 and could give me access to the BCM4389 WiFi 6e firmware files? And maybe remotely to the device to dump the chip's ROM?

English

NexMon@nexmon_dev·25 Ağu

Take a look at github.com/reinhardh/dna_… to decode the first episode of biohackers encoded in DNA on de.biohackersnetflix.com

English

NexMon@nexmon_dev·3 Ağu

@jiska___ Jiska in der Wirtschaft? Schwer vorstellbar ...

Deutsch

NexMon retweeted

Jiska@naehrdine·21 May

It's online! Bluetooth RCE == Wi-Fi RCE. Say hello to Spectra, the concept of breaking wireless chip separation as they share the same spectrum. #BlackHat #spectra-breaking-separation-between-wireless-chips-20005" target="_blank" rel="nofollow noopener">blackhat.com/us-20/briefing…

English

139

349

NexMon@nexmon_dev·1 May

@naehrdine found a new PRNG related vulnerability in the Galaxy S8's Bluetooth chip. spiegel.de/netzwelt/gadge… bild.de/digital/smartp… github.com/seemoo-lab/int…

English

NexMon@nexmon_dev·27 Nis

@naehrdine Nice work does it also work for ARM or also for the D11 ucode (b43 assembly)?

English

NexMon retweeted

Jiska@naehrdine·27 Nis

Since people were asking how it works internally, here is Jan's final presentation, which covers the most important aspects why ARM Thumb2 disassembly was problematic and how the binary-only approach works. (9/8) github.com/seemoo-lab/pol…

English

Jiska@naehrdine·26 Nis

We just released Polypyus, a binary-only diffing tool programmed by @freebejan that runs independent from Ghidra and IDA and integrates into the workflow of other diffing tools. (1/n) github.com/seemoo-lab/pol…

English

241

NexMon@nexmon_dev·27 Nis

@naehrdine pong

English

Jiska@naehrdine·10 Nis

@nexmon_dev ping ;)

English

Jiska@naehrdine·10 Nis

Jan just released Frankenstein, the Broadcom/Cypress Bluetooth firmware emulator that enables fuzzing and further kinds of debugging. It works within a fully-functional Linux BlueZ stack and features virtual modem input. (1/2) github.com/seemoo-lab/fra…

English

112

246

Discover

@kalilinux @offsectraining @acm_wisec @AirGuardAndroid @jiska___ @LiveOverflow @seemoolab @ghidraninja