Microsoft Xbox One Wireless Adapter
Florian Dollinger edited this page Jun 5, 2018 · 41 revisions
- Model: 1713
- VendorID: 045e
- ProductID: 02e6
- Chipset: Mediatek MT7612U(S), according to the Windows Driver
- Frequency: 5GHz
- https://gist.github.com/devkid/4b3bd50760504d1b93ea684cfd3ed895
- https://github.com/paroj/xpad/issues/25
The Gamepad is...
- actively scanning for available access points (wireless adapters)
  - by sending out probe requests and waiting for probe responses
  - at least on channel 1, 6 and 11 (2.4 GHz)
  - How do I know that? Monitored every WiFi channel for some seconds and looked for the Gamepad MAC
- passively scanning for available access points (wireless adapters)
  - by searching for beacon frames and reacting with association requests if the gamepad was paired to this AP before
  - at least on channel 1, 6, 11 (2.4 GHz) beside 36, 40, 44, 48, 153, 157, 161 and 165 (5 GHz)
  - How do I know that? Sent out fake beacons (the one from the original adapter) using any monitor-mode capable WiFi adapter and monitored the channel
- scanning for beacon frames and reacting with raw management 7 (?) packets - only in pairing mode
  - at least on channel 1, 6, 11 (2.4 GHz) beside 36, 40, 44, 48, 153, 157, 161 and 165 (5 GHz)
  - How do I know that? See above
The WiFi Adapter is...
- sending out beacon frames to tell the Gamepad on which channel it is
  - It seems like the wifi adapter is selecting a channel out of 1, 6, 11, 36, 40, 44, 48, 153, 157, 161 and 165. I observed beacons on 40, 48, 153, 157 and 161 yet.
  - How do I know that? See above

1. The AP (access point - wireless adapter) is sending `Dot11Beacon` frames at channel 161
2. The GP (gamepad) is scanning channel 1, 6, 11, 36, 40, 44, 48, 153, 157 and 161 for those `Dot11Beacon` packets
3. Once a `Dot11Beacon` is found, the GP is comparing the MAC of the `Dot11Beacon`'s origin to '62:45:B4:xx:yy:zz'
   - TODO: not sure yet if this is really a hardcoded value, maybe it's up to the pairing process - don't know yet
   - 3.1. If a fitting `Dot11Beacon` is found, the GP is sending out a `Dot11AssoReq`
   - 3.2. If it doesn't fit, it keeps scanning
4. The AP is replying with a `Dot11AssoResp` packet
5. A lot of `LLC / Raw` messages are exchanged - don't know why yet

Once the connection is established, data is sent via `RadioTap / 802.11 Data 8 7e:ed:80:ac:99:3e > 62:45:b4:fa:d3:a8 / Dot11QoS / Dot11WEP` packets. As you can see, the packet has a `Dot11WEP` layer in Scapy (the Protected Frame flag is set), which means that the data is encrypted. Note that Scapy attaches the `Dot11WEP` layer to every data frame whose Protected Frame bit is set, whatever the cipher, so the layer name alone does not tell WEP from WPA/WPA2. Unfortunately I am not sure yet if it is WEP, WPA or WPA2 - my guess is: WPA or above.
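The sequence above, as an added example that is not part of this wiki and not code from the adapter's firmware or any driver: a small pure-Python 802.11 header parser that covers both the gamepad's scanning behaviour (which beacon origins it acts on) and the adapter's side (which channel the beacon announces via its DS Parameter Set IE, the `Dot11AssoReq`/`Dot11AssoResp` pair, and the Protected Frame bit behind Scapy's `Dot11WEP` layer). All frames are hand-built: `GP_MAC` and `AP_MAC` are the two addresses from the Scapy summary above, while the SSID, beacon interval, AID, the unknown AP's MAC and the payload bytes are placeholders. It also shows the one cheap check that helps answer "is it WEP?": in a protected data frame the fourth payload byte is the KeyID octet, and its ExtIV bit (0x20) is set for TKIP/CCMP (WPA/WPA2) but clear for WEP.

```python
"""Constructed example: minimal 802.11 frame classifier for the Xbox adapter observations."""
import struct

ADAPTER_MAC_PREFIX = "62:45:b4"   # beacon-origin prefix the gamepad appears to match on (page observation)
GAMEPAD_CHANNELS = (1, 6, 11, 36, 40, 44, 48, 153, 157, 161, 165)  # channels seen being scanned

AP_MAC = "62:45:b4:fa:d3:a8"      # from the Scapy summary on the page
GP_MAC = "7e:ed:80:ac:99:3e"      # from the Scapy summary on the page
BCAST = "ff:ff:ff:ff:ff:ff"

# (type, subtype) -> the layer name Scapy would show
SUBTYPES = {(0, 0): "AssoReq", (0, 1): "AssoResp", (0, 4): "ProbeReq",
            (0, 5): "ProbeResp", (0, 8): "Beacon", (2, 0): "Data", (2, 8): "QoSData"}


def channel_to_mhz(ch):
    """Centre frequency for `iw ... set freq`; covers 2.4 GHz channels 1-13 and the 5 GHz set above."""
    return 2407 + 5 * ch if ch <= 13 else 5000 + 5 * ch


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ie(tag, value):
    """One 802.11 information element: tag, length, value."""
    return bytes([tag, len(value)]) + value


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b"", protected=False):
    """802.11 MAC header (frame control, duration, addr1-3, sequence control) followed by the body."""
    fc0 = (ftype << 2) | (subtype << 4)           # protocol version 0, type, subtype
    fc1 = 0x40 if protected else 0x00             # flags byte: bit 6 is Protected Frame
    hdr = (struct.pack("<BBH", fc0, fc1, 0) + mac_bytes(addr1) + mac_bytes(addr2)
           + mac_bytes(addr3) + struct.pack("<H", 0))
    if ftype == 2 and subtype & 0x8:              # QoS data subtypes carry a 2-byte QoS control field
        hdr += b"\x00\x00"
    return hdr + body


def beacon_body(channel, ssid=b""):
    """Beacon fixed fields plus SSID, rates and DS Parameter Set (tag 3 = channel). SSID is a placeholder."""
    fixed = struct.pack("<QHH", 0, 100, 0x0001)   # timestamp, beacon interval (TU), capability (ESS)
    return fixed + ie(0, ssid) + ie(1, b"\x82\x84\x8b\x96") + ie(3, bytes([channel]))


def parse_ies(data):
    ies = {}
    while len(data) >= 2:
        tag, ln = data[0], data[1]
        ies[tag] = data[2:2 + ln]
        data = data[2 + ln:]
    return ies


def classify(frame):
    """Return the layer Scapy would show plus the fields the gamepad acts on."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"kind": SUBTYPES.get((ftype, subtype), f"type{ftype}/sub{subtype}"),
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "protected": bool(fc1 & 0x40)}
    body = frame[24:]
    if (ftype, subtype) == (0, 8):                # beacon: the announced channel is the DS Parameter Set IE
        ies = parse_ies(body[12:])
        info["channel"] = ies[3][0] if 3 in ies else None
        info["from_adapter"] = info["src"].startswith(ADAPTER_MAC_PREFIX)
    elif ftype == 2:
        if subtype & 0x8:
            body = body[2:]                       # skip QoS control
        if info["protected"]:
            # Scapy shows Dot11WEP for any protected data frame; the KeyID octet (4th payload byte)
            # distinguishes: ExtIV (0x20) set -> TKIP/CCMP (WPA/WPA2), clear -> plain WEP.
            info["cipher_hint"] = "TKIP/CCMP" if body[3] & 0x20 else "WEP"
    return info


def gamepad_decision(frame):
    """The beacon check from the sequence above: only a matching origin MAC triggers an AssoReq."""
    p = classify(frame)
    if p["kind"] != "Beacon":
        return "ignore"
    return f"AssoReq on channel {p['channel']}" if p["from_adapter"] else "keep scanning"


# constructed capture in the order the page describes (MACs other than AP/GP are placeholders)
SAMPLE_FRAMES = [
    build_frame(0, 8, BCAST, "00:11:22:33:44:55", "00:11:22:33:44:55", beacon_body(6)),
    build_frame(0, 8, BCAST, AP_MAC, AP_MAC, beacon_body(161)),
    build_frame(0, 0, AP_MAC, GP_MAC, AP_MAC, struct.pack("<HH", 0x0001, 10) + ie(0, b"")),
    build_frame(0, 1, GP_MAC, AP_MAC, AP_MAC, struct.pack("<HHH", 0x0001, 0, 0xC001)),
    # protected QoS data GP > AP; payload starts with a CCMP-style header (KeyID octet 0x20 = ExtIV)
    build_frame(2, 8, AP_MAC, GP_MAC, AP_MAC,
                b"\x01\x00\x00\x20\x00\x00\x00\x00" + b"\xde\xad\xbe\xef", protected=True),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify(f), "->", gamepad_decision(f))
```

Run it as a script to print the classification of every constructed frame. To apply it to a real capture, hand it the 802.11 frame without the RadioTap header (from Scapy, `bytes(pkt[Dot11])`); `channel_to_mhz` gives the frequency to set a monitor-mode interface to when hopping over `GAMEPAD_CHANNELS`.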
Questions:
- Can we decrypt the packets? (i.e. is it WEP?)
- Can we build up a connection without encryption (using our fake access point script)?
- What are those `LLC / Raw` packets for? WPS?
- How is the secure connection set up? Is it WPS PushButton? Something vendor-specific?
- https://github.com/Atamisk/Netgear-A6210/tree/for-4.15
  - compiles on kernel 4.16 (branch `for-4.15`) - kind of unstable
  - you have to create `/etc/Wireless/RT2870STA/` and copy the firmware (RT2870STA.dat) by hand, currently I am using the one which the windows driver is using
- https://github.com/LorenzoBianconi/mt76
  - made for OpenWRT
  - mac80211 subsystem based
  - fork includes USB support
- https://github.com/ulli-kroll/mt7612u
  - compiles on kernel 4.16
  - a bit more stable, but may crash the networkmanager
  - unusable interfaces