The Microstumbler Project
Created by: The Prism54 Project ( www.prism54.org )
Note: If anyone feels like translating it, they will be doing the Forum a favor
What's Microstumbler ?
The Microstumbler project is aimed at adding autonomous network scanning capabilities to a wireless card; that is to say, you can scan wireless networks using just your wifi card and no computer: an LCD and a simple 3-key keypad are connected to it, and it's powered by a battery. This hack is in theory compatible with all hardware that contains an ISL38xx chip: PCI and PCMCIA SoftMAC and FullMAC cards, and USB version 1 and version 2 devices. All you need to be able to do is electrically power up the device outside of a computer, and tap two easily locatable signals on its circuit board!
Is it working now ?
No, the software part is not finished yet. A big missing part is full access to the baseband processor of the device, which is needed for FreeMAC too.
However, the hardware is working. As you can see in the photo, it can be assembled on a piece of veroboard (no SMD, QFP, BGA or other hard-to-solder parts), and only requires 4 thin wires* to be connected to the circuit board of your wifi card!
* power supply (+5V and GND) and I2C bus (SCL and SDA)
Note by Zero13: For those unfamiliar with communication between memories and microcontrollers, the ports called SCL and SDA are used to connect two microcontrollers, or a microcontroller with a memory, always using a system called I2C, developed by Philips, which can connect up to 256 devices in a ring, with one master device and up to 255 slaves. ( Zero13 )
The external board is connected to the I2C bus of the wifi card. This bus can be easily located and tapped on the device, because all the cards contain an I2C EEPROM, on which you can easily locate and solder the SCL and SDA pins. In the photo you can clearly see that EEPROM: it's the 8-pin chip with two wires soldered to it.
The hack board is based on very common and cheap parts:
a classical LCD module based on some HD44780 clone
a PCF8574 GPIO expander for I2C bus, which is used to drive the LCD and get the status of the keys
a 24C256 I2C EEPROM to store the software run on the ISL38xx to drive all this
The hacked wifi card still works normally when plugged into a computer. On the I2C bus, the added components remain "silent" if no data is sent to them (and Conexant's firmware obviously has nothing to send to a GPIO expander or an additional EEPROM...)
Some tricks are needed to execute the ARM code stored inside the external EEPROM with no help from any host computer, while still keeping the hacked wifi card "compatible" with an unmodified one.
To understand how this works, you need some basics about what happens inside your wifi card when voltage is applied to the ISL38xx:
some power-on-reset circuitry initializes the internal ISL38xx peripherals, enables its internal ARM946E core and branches it to address 0xe0000000, where 4 or 8 kilobytes (depending on the chip) of bootstrap ROM lie.
the ROM reads the first 4 bytes of the I2C EEPROM of the card (not that of the Microstumbler board, which is at a different I2C address on the I2C bus). If these bytes match a signature, the EEPROM is assumed to have been programmed especially for the ISL38xx.
If the EEPROM seems correctly programmed, the ROM reads 2 bytes of padding (hmm, in fact, we're not sure this is padding, but in all EEPROMs we've seen, those bytes were always zero), then 2 more bytes which form a 16-bit little endian integer, the "EEPROM firmware size".
If the EEPROM firmware size is zero (which is generally the case on all devices except 3887-based ones), the ROM does nothing and immediately enters its main idle loop, from which several commands can be run from the host to download firmware, debug,... but that's another story.
Otherwise, the ROM reads the indicated number of bytes from the EEPROM, plus a 32-bit word which is the CRC32 of the data that has just been read.
If that CRC check passes, the code just read from the EEPROM is executed on the ARM. This code may call functions in the ROM, which acts like the BIOS of a computer (the details of this mechanism have not been completely reverse engineered yet). On the 3887-based devices we've seen, the firmware area of the EEPROM is used, and makes USB transfers involving ROM calls. I think those transfers are device enumeration, so that the USB IDs can be programmed in the EEPROM.
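As an added example (not code from the Prism54 project), here is a Python parser that walks the EEPROM layout described above over a constructed image, so a dump can be checked before anything is written back to it. The page gives neither the 4-byte signature nor the exact CRC-32 variant, so the signature is a placeholder parameter and the standard zlib CRC-32, stored little-endian, is assumed.

```python
import struct
import zlib

# Constructed placeholder: the real signature the ISL38xx boot ROM checks is
# not given on the page, so callers pass the value they observed in their dump.
EXAMPLE_SIGNATURE = b"SIG!"


def parse_eeprom_image(image: bytes, signature: bytes) -> dict:
    """Mirror the boot ROM's walk over the card EEPROM:
    4-byte signature, 2 bytes (always zero in observed dumps),
    16-bit little-endian firmware size, <size> bytes of ARM code,
    then a 32-bit CRC over that code."""
    if len(image) < 8:
        return {"status": "too_short"}
    if image[:4] != signature:
        # ROM would not treat this EEPROM as programmed for the ISL38xx.
        return {"status": "bad_signature"}
    padding = image[4:6]
    fw_size = struct.unpack_from("<H", image, 6)[0]
    if fw_size == 0:
        # Typical for non-3887 devices: ROM goes straight to its idle loop.
        return {"status": "no_firmware", "padding_zero": padding == b"\x00\x00"}
    end = 8 + fw_size
    if len(image) < end + 4:
        return {"status": "truncated", "fw_size": fw_size}
    code = image[8:end]
    stored_crc = struct.unpack_from("<I", image, end)[0]
    # Assumption: standard CRC-32 (zlib polynomial); the page only says "CRC32".
    crc_ok = (zlib.crc32(code) & 0xFFFFFFFF) == stored_crc
    return {
        "status": "firmware_ok" if crc_ok else "bad_crc",
        "fw_size": fw_size,
        "padding_zero": padding == b"\x00\x00",
        "code": code,
    }


def build_eeprom_image(code: bytes, signature: bytes) -> bytes:
    """Constructed image in the same layout, used here to exercise the parser
    offline; it is not a real ISL38xx EEPROM dump."""
    header = signature + b"\x00\x00" + struct.pack("<H", len(code))
    return header + code + struct.pack("<I", zlib.crc32(code) & 0xFFFFFFFF)


if __name__ == "__main__":
    img = build_eeprom_image(bytes(range(32)), EXAMPLE_SIGNATURE)
    print(parse_eeprom_image(img, EXAMPLE_SIGNATURE)["status"])
```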
So we can dump the EEPROM of the to-be-modified device, and inject a bootstrapper code in it which will check for the presence of the Microstumbler EEPROM and load firmware from it if possible. If loading was not possible, the bootstrapper will resume normal ROM operation, so that disconnecting the Microstumbler board does not interfere with device functioning.
The software contained in the Microstumbler EEPROM should not interfere with normal firmware loading on devices with a PCI bus (this includes USB v1); indeed, with these, the PCI registers are used to stop the ARM and write to its memory, with no software intervention. However, on USB v2, we'll have to simulate the ROM host interface.
If you're interested in developing this, especially on reverse engineering the baseband processor (this will also benefit FreeMAC), just drop us a mail.
How to build and install the Microstumbler board ?
Building the external board
You'll need the following parts:
R1 - contrast control, any potentiometer between 4.7k and 22k should be fine.
C1 - decoupling capacitor, around 100nF.
D1, D2 - general purpose diodes, 1N4148 is an example of suitable diode.
S1, S2, S3 - any pushbutton that looks good to you.
IC1 - PCF8574A I2C GPIO expander. Strangely enough, the PCF8574A seems cheaper than the PCF8574 although they differ only by their slave address. If you want to use a PCF8574, it will work but you'll have to change the I2C address in the ISL38xx firmware.
IC2 - 24C256 I2C serial EEPROM. Used to store the ISL38xx firmware.
LCD - 1x16 characters LCD module based on some HD44780 clone. If you choose to scavenge it from consumer electronics, most modules that have a 14-pin connector in the top-left corner of the PCB and look like the one on this snapshot are of the suitable type. Anyway, check the datasheets if you can find them.
Build the circuit according to these schematics. No PCB has been made, use Veroboard (contributions welcome...).
Beware! If you modify the circuit, keep in mind that the I2C bus is 3.3V although the rest of the Microstumbler board is 5V. In particular, don't connect the I2C signals to pull-ups tied to 5V. You can cause irreversible damage to your wifi card.
Connecting the board to your wifi card
First, tap the 5V power supply on the USB connector. On the USB plug that goes to the computer, the power supply pins are those at the extremities of the connector. Use an ohmmeter to figure out which solder pads these pins connect to on the PCB of the wifi card, solder wires to them, then plug the card in and use a voltmeter to find out the polarity. You can easily fry parts if you power them up the wrong way, especially the LCD module. Connect this power supply to the Microstumbler board, on the pins labeled "+5V" and "GND".
Then, to connect the I2C bus, you need to find where the serial EEPROM of the wifi card is. It is typically an 8-pin SMD package labelled 24Cxx. On the 24Cxx EEPROMs, the signals SDA and SCL are respectively on pins 5 and 6; if your wifi card uses a different EEPROM, check its datasheet. Use very thin wire to tap these signals, then glue the wires to the EEPROM package using cyanoacrylate to avoid damaging the EEPROM pins and solder pads by pulling on the wires. Double check you did not make any short circuit, the SMD package of the EEPROM is quite small:
Here is a snapshot of a Siemens Gigaset USB Adapter 54 version 1: