
Microsoft Xbox One Wireless Adapter

Florian Dollinger edited this page Jun 5, 2018 · 41 revisions


  • Model: 1713
  • VendorID: 045e
  • ProductID: 02e6
  • Chipset: Mediatek MT7612U(S), according to the Windows Driver
  • Frequency: 5GHz

Reversed Protocol Internals

Connection Establishment

Actors

  • The Gamepad is...

    • actively scanning for available access points (wireless adapters)

      • by sending out probe requests and waiting for probe responses
      • at least on channels 1, 6 and 11 (2.4 GHz)
      • How do I know that? I monitored every WiFi channel for a few seconds and looked for the gamepad's MAC
    • passively scanning for available access points (wireless adapters)

      • by listening for beacon frames and answering with association requests if the gamepad was paired to this AP before
      • at least on channels 1, 6 and 11 (2.4 GHz) as well as 36, 40, 44, 48, 153, 157, 161 and 165 (5 GHz)
      • How do I know that? I sent out fake beacons (copies of the original adapter's beacon) using any monitor-mode capable WiFi adapter and monitored the channel
    • scanning for beacon frames and reacting with raw management 7(?) packets

      • only in pairing mode
      • at least on channels 1, 6 and 11 (2.4 GHz) as well as 36, 40, 44, 48, 153, 157, 161 and 165 (5 GHz)
      • How do I know that? See above
  • The WiFi Adapter is...

    • sending out beacon frames to tell the Gamepad on which channel it is
      • It seems like the WiFi adapter selects a channel out of 1, 6, 11, 36, 40, 44, 48, 153, 157, 161 and 165. So far I have observed beacons on 40, 48, 153, 157 and 161.
      • How do I know that? See above

Encryption

Once the connection is established, data is sent as RadioTap / 802.11 Data 8 7e:ed:80:ac:99:3e > 62:45:b4:fa:d3:a8 / Dot11QoS / Dot11WEP packets (Scapy's summary line; "Data 8" is a QoS Data frame). As you can see, the packet has a Dot11WEP layer in Scapy, i.e. the Protected Frame flag is set, which means the data is encrypted. Note that Scapy attaches the Dot11WEP layer to every frame with the Protected Frame bit set, whatever the cipher, so the layer name alone does not say which one is used. Unfortunately I am not sure yet whether it is WEP, WPA or WPA2; my guess is WPA or above.

Questions:

  • Can we decrypt the packets? (i.e. is it WEP?)
  • Can we build up a connection without encryption (using our fake access point script)?
  • What are those LLC / Raw packets for? WPS?
  • How is the secure connection set up? Is it WPS PushButton? Something vendor-specific?
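
To make the frame types from "Connection Establishment" and the "is it WEP?" question above concrete, here is an added example (my own code, not code from xow or from this wiki) that parses raw 802.11 frames without Scapy: it classifies beacon, probe request, association request and QoS data frames, reads the channel (DS Parameter Set) and the RSN cipher suites out of a beacon, and for a protected data frame checks the ExtIV bit, which is set for TKIP and CCMP and never for WEP. The frames are constructed inline: the two MAC addresses are the ones quoted above (which one is the gamepad is an assumption), while the SSID "XBOX", channel 157 and the WPA2/CCMP/PSK suites are made-up values for the example, not observations.

```python
"""Minimal 802.11 frame parser for the captures discussed on this page.

Added example, not xow code. All frames below are constructed; the MACs are
the two quoted on the wiki, everything else (SSID, channel, suites) is assumed.
"""
import struct

IEEE_OUI = b"\x00\x0f\xac"                       # suite selectors from 802.11i
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}
KINDS = {(0, 0): "assoc-req", (0, 4): "probe-req", (0, 5): "probe-resp",
         (0, 8): "beacon", (2, 0): "data", (2, 8): "qos-data"}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(body):
    """Tagged information elements: tag(1) length(1) value(length)."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def suite_name(sel, table):
    if sel[:3] != IEEE_OUI:
        return "vendor-" + sel.hex()
    return table.get(sel[3], "reserved-%d" % sel[3])


def parse_rsn(ie):
    """RSN IE (tag 48): version, group suite, pairwise suite list, AKM list."""
    version, = struct.unpack_from("<H", ie, 0)
    group = suite_name(ie[2:6], CIPHERS)
    n, = struct.unpack_from("<H", ie, 6)
    off = 8
    pairwise = [suite_name(ie[off + 4 * k:off + 4 * k + 4], CIPHERS) for k in range(n)]
    off += 4 * n
    n, = struct.unpack_from("<H", ie, off)
    off += 2
    akm = [suite_name(ie[off + 4 * k:off + 4 * k + 4], AKMS) for k in range(n)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def parse_frame(frame):
    """Classify one 802.11 frame (RadioTap header already stripped)."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    info = {
        "kind": KINDS.get((ftype, subtype), f"type{ftype}/sub{subtype}"),
        "src": mac(frame[10:16]),          # addr2 = transmitter (Scapy prints addr2 > addr1)
        "dst": mac(frame[4:10]),           # addr1 = receiver
        "protected": bool(fc1 & 0x40),     # Protected Frame bit -> Scapy's Dot11WEP layer
    }
    body = 24                              # fixed MAC header length
    if ftype == 0 and subtype in (5, 8):   # probe response / beacon
        ies = parse_ies(frame[body + 12:])  # skip timestamp(8), interval(2), capability(2)
        info["ssid"] = ies.get(0, b"").decode(errors="replace")
        info["channel"] = ies[3][0] if 3 in ies else None   # DS Parameter Set
        info["rsn"] = parse_rsn(ies[48]) if 48 in ies else None
    elif ftype == 2:
        if subtype & 0x8:
            body += 2                      # QoS Control field present
        if info["protected"]:
            # Byte 3 of the IV/PN header: bits 6-7 key ID, bit 5 ExtIV.
            # ExtIV is set for TKIP and CCMP and never for WEP.
            info["cipher_hint"] = "TKIP/CCMP" if frame[body + 3] & 0x20 else "WEP"
    return info


# ---- constructed sample frames (not captured data) -------------------------
def build_beacon(src, ssid, channel, rsn=True):
    hdr = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + src + src + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0011)   # timestamp, 100 TU, ESS|Privacy
    ies = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    if rsn:  # WPA2: group CCMP, pairwise CCMP, AKM PSK, RSN capabilities 0
        ies += (bytes([48, 20]) + b"\x01\x00" + IEEE_OUI + b"\x04" + b"\x01\x00"
                + IEEE_OUI + b"\x04" + b"\x01\x00" + IEEE_OUI + b"\x02" + b"\x00\x00")
    return hdr + fixed + ies


def build_qos_data(src, dst, iv_hdr, payload):
    # FC 0x88 0x41: QoS Data, ToDS=1, Protected=1; seq 0x10; QoS control 0
    hdr = b"\x88\x41" + b"\x00\x00" + dst + src + dst + b"\x10\x00" + b"\x00\x00"
    return hdr + iv_hdr + payload


PAD = bytes.fromhex("7eed80ac993e")      # assumed gamepad (transmitter quoted on the page)
ADAPTER = bytes.fromhex("6245b4fad3a8")  # assumed adapter (receiver quoted on the page)
SAMPLES = {
    "beacon": build_beacon(ADAPTER, b"XBOX", 157),
    "ccmp": build_qos_data(PAD, ADAPTER, b"\x01\x00\x00\x20\x00\x00\x00\x00", b"\xde\xad\xbe\xef"),
    "wep": build_qos_data(PAD, ADAPTER, b"\x01\x02\x03\x00", b"\xde\xad\xbe\xef"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, parse_frame(frame))
```

To answer "is it WEP?" on a real capture, feed monitor-mode frames (RadioTap header stripped) into parse_frame: the beacon's RSN IE (tag 48) lists what the adapter offers, an absent RSN IE with the Privacy capability bit set points at WEP or at WPA1 via the vendor-specific IE 221, and byte 3 of the IV header of any protected data frame settles WEP versus TKIP/CCMP for the traffic itself.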

Drivers for the Chipset

AP SetUp

https://wiki.archlinux.org/index.php/software_access_point
