Microsoft Xbox One Wireless Adapter

Florian Dollinger edited this page May 4, 2019 · 41 revisions

Version 1 (the big bulky one)

  • Model: 1713
  • VendorID: 045E
  • ProductID: 02E6
  • Chipset: Mediatek MT7612U(S), according to the Windows driver. Also known as Ralink RT2870.
  • Frequency: 2.4 / 5 GHz

Reversed Protocol Internals

Connection Establishment

Actors

  • The Gamepad is...

    • actively scanning for available access points (wireless adapters)

      • by sending out probe requests and waiting for probe responses
      • at least on channels 1, 6 and 11 (2.4 GHz)
      • How do I know that? I monitored every WiFi channel for a few seconds and looked for the Gamepad's MAC address
    • passively scanning for available access points (wireless adapters)

      • by listening for beacon frames and reacting with association requests if the gamepad was paired to this AP before
      • at least on channels 1, 6 and 11 (2.4 GHz) as well as 36, 40, 44, 48, 153, 157, 161 and 165 (5 GHz)
      • How do I know that? I sent out fake beacons (the ones from the original adapter) using a monitor-mode capable WiFi adapter and monitored the channel
    • scanning for beacon frames and reacting with raw management 7(?) packets

      • only in pairing mode
      • at least on channels 1, 6 and 11 (2.4 GHz) as well as 36, 40, 44, 48, 153, 157, 161 and 165 (5 GHz)
      • How do I know that? See above
  • The WiFi Adapter is...

    • sending out beacon frames to tell the Gamepad which channel it is on
      • It seems like the WiFi adapter selects a channel out of 1, 6, 11, 36, 40, 44, 48, 153, 157, 161 and 165. So far I have observed beacons on 40, 48, 153, 157 and 161.
      • How do I know that? See above

Procedure

Example 1 - Initiated by AP

  1. The AP (access point - wireless adapter) sends Dot11Beacon frames on channel 161
  2. The GP (gamepad) scans channels 1, 6, 11, 36, 40, 44, 48, 153, 157 and 161 for those Dot11Beacon frames
  3. Once a Dot11Beacon is found, the GP compares the source MAC of the Dot11Beacon to '62:45:B4:xx:yy:zz'
     TODO: not sure yet if this is really a hardcoded value, maybe it's up to the pairing process - don't know yet
     3.1. If a fitting Dot11Beacon is found, the GP sends out a Dot11AssoReq
     3.2. If it doesn't fit, it keeps scanning
  4. The AP replies with a Dot11AssoResp packet
  5. A lot of (pseudo) LLC / Raw messages of yet unknown purpose are exchanged

Encryption

Once the connection is established, data is sent as RadioTap / 802.11 Data 8 7e:ed:80:ac:99:3e > 62:45:b4:fa:d3:a8 / Dot11QoS / Dot11WEP packets. As you can see, the packet has a 'Dot11WEP' layer in Scapy, which means nothing more than that the 'Protected' flag in the frame control field is set - hence the data is encrypted!

Sometimes tools/frameworks like Scapy and Wireshark are wrong, but you will see that the data is definitely obfuscated somehow if you press a button twice (the data sent is totally different each time).

Scapy tells us that the encryption is WEP; Wireshark, on the other hand, thinks it is WPA (CCMP fields), and airodump shows both (WEP for Cipher and WPA for Encryption).

So, what kind of encryption is it and how is the key exchanged?

Questions:

  • Can we decrypt the packets? (i.e. is it WEP?)
  • Can we build up a connection without encryption (using our fake access point script)?
  • What are those LLC RAW packets for? WPS?
  • How is the secure connection set up? Is it WPS PushButton? Something vendor-specific?
  • If the connection is strongly protected (e.g. by WPA2):
    • Is it maybe possible to extract the key (if static) from the firmware / Windows drivers?
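The Scapy-vs-Wireshark disagreement above can be settled on the frame itself. The following is an added example (not from the original page or the project this wiki belongs to): it parses the 802.11 MAC header of a raw data frame and reads the Ext IV bit of the IV/KeyID block that follows it, which is clear for plain WEP and set for TKIP/CCMP. The frames are constructed; only the two MAC addresses come from the capture line above, and the TKIP-vs-CCMP split is a heuristic.

```python
# 802.11 Frame Control: byte 0 = version/type/subtype, byte 1 = flag bits
FC_TO_DS, FC_FROM_DS, FC_PROTECTED, FC_ORDER = 0x01, 0x02, 0x40, 0x80
TYPE_DATA = 2

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def classify_frame(frame: bytes) -> dict:
    """Parse the MAC header of a raw 802.11 frame (RadioTap already stripped).
    For a protected data frame, read the 4-byte IV/KeyID block after the header:
    the Ext IV bit (0x20 of the KeyID byte) is clear for WEP and set for TKIP/CCMP.
    The 'Dot11WEP' label seen above does not distinguish these. CCMP vs. TKIP is a
    heuristic: CCMP keeps byte 2 reserved (0), TKIP puts WEPSeed=(TSC1|0x20)&0x7f in byte 1."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    hdr_len = 24
    if fc1 & FC_TO_DS and fc1 & FC_FROM_DS:
        hdr_len += 6                      # Address 4 present
    qos = ftype == TYPE_DATA and bool(subtype & 0x08)
    if qos:
        hdr_len += 2                      # QoS Control
        if fc1 & FC_ORDER:
            hdr_len += 4                  # HT Control
    info = {"type": ftype, "subtype": subtype, "qos": qos, "key_id": None,
            "addr1": _mac(frame[4:10]), "addr2": _mac(frame[10:16]),
            "protected": bool(fc1 & FC_PROTECTED), "cipher": "none"}
    if info["protected"] and ftype == TYPE_DATA:
        iv = frame[hdr_len:hdr_len + 4]
        info["key_id"] = iv[3] >> 6
        if not iv[3] & 0x20:
            info["cipher"] = "WEP"
        elif iv[2] == 0 and iv[1] != ((iv[0] | 0x20) & 0x7F):
            info["cipher"] = "CCMP"
        else:
            info["cipher"] = "TKIP"
    return info

def build_qos_data(fc_flags: int, iv: bytes, body: bytes = bytes(16)) -> bytes:
    """Constructed QoS-Data frame (type 2, subtype 8, ToDS): gamepad -> adapter.
    The two addresses are the ones shown in the capture line above."""
    ap, gp = bytes.fromhex("6245b4fad3a8"), bytes.fromhex("7eed80ac993e")
    duration = seq_ctl = qos_ctl = bytes(2)
    return bytes([0x88, fc_flags]) + duration + ap + gp + ap + seq_ctl + qos_ctl + iv + body

# Sample frames (constructed): only the Protected bit and the IV block differ.
CCMP_FRAME = build_qos_data(FC_TO_DS | FC_PROTECTED, bytes.fromhex("01000020") + bytes(4))
TKIP_FRAME = build_qos_data(FC_TO_DS | FC_PROTECTED, bytes.fromhex("01210520") + bytes(4))
WEP_FRAME = build_qos_data(FC_TO_DS | FC_PROTECTED, bytes.fromhex("11223340"))
PLAIN_FRAME = build_qos_data(FC_TO_DS, b"")
```

`classify_frame(CCMP_FRAME)["cipher"]` returns "CCMP" while `classify_frame(WEP_FRAME)["cipher"]` returns "WEP", although a generic Dot11WEP layer would label both the same way.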

Drivers for the Chipset

Update: support for this chipset has been added to the Linux kernel; if you plug the dongle in, it is recognized out of the box by the mt76x2u driver. So far there is no way to update/change the integrated firmware - but maybe that's necessary, since the dongle has more functionality (pairing button, LED)?

Firmware

Windows holds the firmware FW_ACC_00U.bin, located in C:\Windows\system32\DRIVERS\, which is exactly the same as RT2870STA.dat. Currently I am not sure whether it is really sent to the dongle; it doesn't look like it. But it is the same file as the one that comes with the original Mediatek/Ralink driver.

Version 2 (the handy one)

???