Researching Marvell Avastar Wi-Fi: from zero knowledge to over-the-air zero-touch RCE

Last year, the cybersecurity community was absorbed in the discussion of vulnerabilities in Broadcom BCM43xx Wi-Fi chipsets. By exploiting firmware vulnerabilities in these chipsets, researchers could develop exploits that gave them access to a device without any interaction from its user. Regardless of how well the device's OS was protected, the system contained a separate chip that was responsible for parsing Wi-Fi frames and operated with no anti-exploitation mechanisms.

This talk will cover the internals and structure of the Marvell Avastar Wi-Fi chips. We will also discuss techniques for detecting and exploiting firmware vulnerabilities, as well as the mechanisms and operating algorithms of the ThreadX real-time OS, which serves as the basis for the firmware of these devices. The last topic addressed in this talk will be the tools and techniques that simplify the analysis of devices of this kind.

Denis Selyanin

Denis Selyanin is a security researcher. His key interests include Microsoft software and mobile device hacking.
