Microsoft Xbox One Wireless Adapter
- Model: 1713
- VendorID: 045E
- ProductID: 02E6
- Chipset: Mediatek MT7612U(S), according to the Windows Driver. Other name: Ralink RT2870.
- Frequency: 2.4 / 5 GHz
- https://gist.github.com/devkid/4b3bd50760504d1b93ea684cfd3ed895
- https://github.com/paroj/xpad/issues/25
The Gamepad is...
- actively scanning for available access points (wireless adapters)
  - by sending out probe requests and waiting for probe responses
  - at least on channel 1, 6 and 11 (2.4 GHz)
  - How do I know that? Monitored every WiFi channel for some seconds and looked for the Gamepad MAC
- passively scanning for available access points (wireless adapters)
  - by searching for beacon frames and reacting with association requests if the gamepad was paired to this AP before
  - at least on channel 1, 6, 11 (2.4 GHz) beside 36, 40, 44, 48, 153, 157, 161 and 165 (5 GHz)
  - How do I know that? Sent out fake beacons (the one from the original Adapter) using any monitor-mode capable WiFi adapter and monitored the channel
- scanning for beacon frames and reacting with raw management 7 (?) packets - only in pairing mode
  - at least on channel 1, 6, 11 (2.4 GHz) beside 36, 40, 44, 48, 153, 157, 161 and 165 (5 GHz)
  - How do I know that? See above
The WiFi Adapter is...
- sending out beacon frames to tell the Gamepad on which channel it is
  - It seems like the wifi adapter is selecting a channel out of 1, 6, 11, 36, 40, 44, 48, 153, 157, 161 and 165. I observed beacons on 40, 48, 153, 157 and 161 yet.
  - How do I know that? See above

Connection sequence as observed so far:
1. The AP (access point - wireless adapter) is sending Dot11Beacon frames at channel 161.
2. The GP (gamepad) is scanning channels 1, 6, 11, 36, 40, 44, 48, 153, 157 and 161 for those Dot11Beacon frames.
3. Once a Dot11Beacon is found, the GP compares the MAC of the Dot11Beacon's origin to '62:45:B4:xx:yy:zz'.
   TODO: not sure yet if this is really a hardcoded value, maybe it's up to the pairing process - don't know yet
   3.1. If a fitting Dot11Beacon is found, the GP sends out a Dot11AssoReq.
   3.2. If it doesn't fit, it keeps scanning.
4. The AP replies with a Dot11AssoResp packet.
5. A lot of (pseudo) LLC / Raw messages of yet unknown purpose are exchanged.
Once the connection is established, data is sent as RadioTap / 802.11 Data 8 7e:ed:80:ac:99:3e > 62:45:b4:fa:d3:a8 / Dot11QoS / Dot11WEP packets (Scapy summary). As you can see, the packet has a 'Dot11WEP' layer in Scapy, which means nothing more than that the Protected Frame flag in the Frame Control field is set - hence the data is encrypted!
Sometimes tools/frameworks like Scapy and Wireshark are wrong, but you will see that the payload is definitely somehow obfuscated if you press a button twice (the data sent is totally different each time).
Scapy tells us that the encryption is WEP; Wireshark, on the other hand, thinks it is WPA (CCMP fields), and airodump shows both (WEP for Cipher and WPA for Encryption).
So, what kind of encryption is it and how is the key exchanged?
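To make the two observations above concrete (that the Dot11WEP layer only reflects the Protected Frame bit, and that the gamepad filters beacons by the sender's MAC prefix), here is a small pure-Python 802.11 header decoder. It is an added example written for this page, not code from the project or from Scapy; the frames it decodes are constructed test vectors that only reuse the two MAC addresses quoted above, and the `gamepad_reaction` logic is a model of the behaviour described in the notes, not the gamepad's firmware.

```python
"""
Minimal 802.11 MAC-header decoder (added example, not project code).

It shows, on raw frame bytes:
  * how the frame type/subtype identifies Beacon / AssoReq / AssoResp / QoS Data,
  * that "Dot11WEP" in Scapy is just the Protected Frame bit (0x40 in the
    second Frame Control byte), which says nothing about the actual cipher,
  * the beacon filter the notes attribute to the gamepad (source MAC prefix).
All frames below are constructed test vectors, not captures.
"""
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
MGMT_SUBTYPES = {0: "AssoReq", 1: "AssoResp", 4: "ProbeReq", 5: "ProbeResp", 8: "Beacon"}
PROTECTED_FLAG = 0x40                        # Frame Control byte 1, bit 6
ADAPTER_OUI = bytes.fromhex("6245B4")        # prefix quoted in the notes: 62:45:B4:xx:yy:zz

# Addresses quoted in the notes above; everything else here is constructed.
ADAPTER_MAC = bytes.fromhex("6245b4fad3a8")
GAMEPAD_MAC = bytes.fromhex("7eed80ac993e")
OTHER_AP_MAC = bytes.fromhex("001122334455")  # constructed, an unrelated AP


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def frame_name(ftype: int, subtype: int) -> str:
    if ftype == 0:
        return MGMT_SUBTYPES.get(subtype, f"Mgmt-{subtype}")
    if ftype == 2 and subtype == 8:
        return "QoSData"
    return f"{TYPE_NAMES[ftype]}-{subtype}"


def parse_beacon_body(body: bytes) -> dict:
    """Walk the tagged IEs after the 12 fixed bytes (timestamp, interval, capability)."""
    out = {"ssid": None, "channel": None}
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) < length:
            break                            # truncated IE: stop instead of misreading
        if tag == 0:
            out["ssid"] = data.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            out["channel"] = data[0]         # DS Parameter Set = current channel
        pos += 2 + length
    return out


def parse_frame(frame: bytes) -> dict:
    """Decode the fixed 24-byte MAC header; for beacons also SSID and channel."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    info = {
        "name": frame_name(ftype, subtype),
        "protected": bool(fc1 & PROTECTED_FLAG),  # what Scapy shows as a Dot11WEP layer
        "dst": mac_str(frame[4:10]),              # addr1 (receiver)
        "src": mac_str(frame[10:16]),             # addr2 (transmitter)
        "bssid": mac_str(frame[16:22]),           # addr3
        "ssid": None,
        "channel": None,
    }
    if info["name"] == "Beacon":
        info.update(parse_beacon_body(frame[24:]))
    return info


def gamepad_reaction(frame: bytes) -> str:
    """Model of step 3 in the notes: only beacons from 62:45:B4:* trigger an AssoReq."""
    info = parse_frame(frame)
    if info["name"] != "Beacon":
        return "ignore"
    src = bytes.fromhex(info["src"].replace(":", ""))
    return "send AssoReq" if src[:3] == ADAPTER_OUI else "keep scanning"


def build_frame(fc0: int, fc1: int, dst: bytes, src: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Assemble a frame: Frame Control, Duration, addr1..3, Sequence Control, body."""
    return struct.pack("<BBH", fc0, fc1, 0) + dst + src + bssid + struct.pack("<H", 0) + body


def build_beacon(src: bytes, channel: int, ssid: bytes = b"") -> bytes:
    fixed = struct.pack("<QHH", 0, 100, 0x0411)            # timestamp, interval, capability
    ies = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return build_frame(0x80, 0x00, b"\xff" * 6, src, src, fixed + ies)


# Constructed test vectors modelling the sequence in the notes.
BEACON_FROM_ADAPTER = build_beacon(ADAPTER_MAC, 161)
BEACON_OTHER = build_beacon(OTHER_AP_MAC, 6, b"HomeNet")
ASSOC_REQ = build_frame(0x00, 0x00, ADAPTER_MAC, GAMEPAD_MAC, ADAPTER_MAC)
PROTECTED_QOS_DATA = build_frame(0x88, 0x41, ADAPTER_MAC, GAMEPAD_MAC, ADAPTER_MAC, b"\x00" * 8)

if __name__ == "__main__":
    for label, f in [("beacon(adapter)", BEACON_FROM_ADAPTER), ("beacon(other)", BEACON_OTHER),
                     ("assoc-req", ASSOC_REQ), ("qos-data", PROTECTED_QOS_DATA)]:
        print(f"{label:16} {parse_frame(f)}  -> gamepad: {gamepad_reaction(f)}")
```

The decoder deliberately stops at the Protected Frame bit: whether the body is WEP, TKIP or CCMP can only be told from the bytes that follow the header (the CCMP header's ExtIV bit and key id), which is exactly why Scapy, Wireshark and airodump disagree on the same frames.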
Questions:
- Can we decrypt the packets? (i.e. is it WEP?)
- Can we build up a connection without encryption (using our fake access point script)?
- What are those LLC RAW packets for? WPS?
- How is the secure connection set up? Is it WPS PushButton? Something vendor-specific?
- If the connection is strongly protected (e.g. by WPA2):
  - Is it maybe possible to extract the key (if static) from the firmware / Windows drivers?
- https://github.com/Atamisk/Netgear-A6210/tree/for-4.15
  - compiles on kernel 4.16 (branch for-4.15) - kind of unstable
  - you have to create /etc/Wireless/RT2870STA/ and copy the firmware (RT2870STA.dat) by hand, currently I am using the one which the windows driver is using
- https://github.com/LorenzoBianconi/mt76
  - made for OpenWRT
  - mac802.11 subsystem based
  - fork includes USB support
- https://github.com/ulli-kroll/mt7612u
  - compiles on kernel 4.16
  - a bit more stable, but may crash the networkmanager
  - unusable interfaces
Update
Support for this chipset got added to the linux kernel; if you plug the dongle in it is recognized out of the box by the mt76x2u driver. There is no way to update/change the integrated FW so far - but maybe that's necessary since the dongle has more functionality (pairing button, LED)?
Windows holds the firmware FW_ACC_00U.bin, which is located in C:\Windows\system32\DRIVERS\, and which is exactly the same as the RT2870STA.dat. Currently I am not sure if it IS really sent to the Dongle, it doesn't look like it. But IT is the same which is held by the original Mediatek/Ralink driver.
???