By: Matthias Schulz

Scheduled on: February 3 at 11:00

Nexmon is our C-based firmware patching framework mainly intended for patching Broadcom Wi-Fi firmwares. For the dynamic analysis of proprietary firmwares it is helpful to set hardware breakpoints and watchpoints on the ARM processor running the FullMAC Wi-Fi firmware. To this end, we developed a monitor mode debugger that activates the ARM Debug core on Cortex-R4 microcontrollers and handles debugging events directly in the chip’s firmware as there is no easy access to the JTAG port of the chip. The processor is, for example, built into BCM4339 FullMAC Wi-Fi chips of Nexus 5 smartphones. Whenever, one of the set breakpoints or watchpoints is triggered an interrupt handler is called in which we handle this debugging exception and then may continue with the regular Wi-Fi operation. The setup even allows single-step debugging of the Wi-Fi firmware. All of our source code is open and can, hence, be reused by the community, even for other Cortex-R4 based platforms.