
Microsoft Xbox One Wireless Adapter

Florian Dollinger edited this page Jun 5, 2018 · 41 revisions

  • Model: 1713
  • VendorID: 045e
  • ProductID: 02e6
  • Chipset: Mediatek MT7612U(S), according to the Windows Driver
  • Frequency: 5GHz

Reversed Protocol Internals

Connection Establishment

Actors

  • The Gamepad is...

    • actively scanning for available access points (wireless adapters)

      • by sending out probe requests and waiting for probe responses
      • at least on channel 1, 6 and 11 (2.4 GHz)
      • How do I know that? Monitored every WiFi channel for some seconds and looked for the Gamepad MAC
    • passively scanning for available access points (wireless adapters)

      • by searching for beacon frames and reacting with association requests if the gamepad was paired to this AP before
      • at least on channel 1, 6, 11 (2.4 GHz) beside 36, 40, 44, 48, 153, 157, 161 and 165 (5 GHz)
      • How do I know that? Sent out fake beacons (the one from the original Adapter) using any monitor-mode capable WiFi adapter and monitored the channel
    • scanning for beacon frames and reacting with raw management 7(?) packets

      • only in pairing mode
      • at least on channel 1, 6, 11 (2.4 GHz) beside 36, 40, 44, 48, 153, 157, 161 and 165 (5 GHz)
      • How do I know that? See above
  • The WiFi Adapter is...

    • sending out beacon frames to tell the Gamepad on which channel it is
      • It seems like the WiFi adapter selects a channel out of 1, 6, 11, 36, 40, 44, 48, 153, 157, 161 and 165. So far I have observed beacons on 40, 48, 153, 157 and 161.
      • How do I know that? See above

Procedure

Example 1 - Initiated by AP

  1. The AP (access point - wireless adapter) sends Dot11Beacon frames on channel 161
  2. The GP (gamepad) scans channels 1, 6, 11, 36, 40, 44, 48, 153, 157 and 161 for those Dot11Beacon frames
  3. Once a Dot11Beacon is found, the GP compares the source MAC of the Dot11Beacon to '62:45:B4:xx:yy:zz'
     TODO: not sure yet if this is really a hardcoded value, maybe it's up to the pairing process - don't know yet
     3.1. If a fitting Dot11Beacon is found, the GP sends out a Dot11AssoReq
     3.2. If it doesn't fit, it keeps scanning
  4. The AP replies with a Dot11AssoResp packet
  5. A lot of LLC / Raw messages are exchanged - don't know why yet

Encryption

Once the connection is established, data is sent as RadioTap / 802.11 Data 8 7e:ed:80:ac:99:3e > 62:45:b4:fa:d3:a8 / Dot11QoS / Dot11WEP packets. As you can see, the packet has a 'Dot11WEP' layer in Scapy (the Protected Frame flag is set), which means that the data is encrypted. Unfortunately I am not sure yet whether it is WEP, WPA or WPA2 - my guess is WPA or above.
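As an added example (not code from the original page or from the project), the following pure-Python parser labels 802.11 frames according to the handshake reversed in the Procedure and Encryption sections above: beacons whose source MAC starts with the 62:45:B4 prefix, the association request/response pair, and data frames whose Protected Frame flag is set (the bit Scapy shows as the Dot11WEP layer). The frames are constructed inline from the adapter and gamepad MACs quoted on this page using the standard 802.11 MAC header layout; the role labels and the `handshake_seen` ordering check are my own, and no real capture is included.

```python
from collections import Counter
# MACs quoted on this page: the adapter (beacon source) and the gamepad.
ADAPTER_MAC = bytes.fromhex("6245b4fad3a8")
GAMEPAD_MAC = bytes.fromhex("7eed80ac993e")
ADAPTER_OUI = ADAPTER_MAC[:3]        # the 62:45:B4 prefix the GP is said to check
BROADCAST = b"\xff" * 6

def build_header(ftype, subtype, dst, src, bssid, protected=False):
    """Minimal 24-byte 802.11 MAC header (constructed test data, no payload)."""
    fc0 = (subtype << 4) | (ftype << 2)      # frame control byte 0, protocol version 0
    fc1 = 0x40 if protected else 0x00        # flags byte: bit 6 = Protected Frame
    return bytes([fc0, fc1]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"

def classify(frame, adapter_oui=ADAPTER_OUI):
    """Label one frame with its role in the handshake described above."""
    if len(frame) < 24:
        return "short"
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    src = frame[10:16]                        # addr2 = transmitter address
    if ftype == 0:                            # management frames
        if subtype == 8:
            return "beacon-adapter" if src[:3] == adapter_oui else "beacon-other"
        return {0: "assoc-req", 1: "assoc-resp"}.get(subtype, "mgmt-%d" % subtype)
    if ftype == 2:                            # data frames (subtype 8 = QoS data)
        return "data-protected" if frame[1] & 0x40 else "data-clear"
    return "other"

def handshake_seen(frames):
    """True if beacon, AssoReq, AssoResp and protected data appear in that order."""
    want = iter(["beacon-adapter", "assoc-req", "assoc-resp", "data-protected"])
    step = next(want)
    for frame in frames:
        if classify(frame) == step:
            step = next(want, None)
            if step is None:
                return True
    return False

# Constructed capture of "Example 1": adapter beacon, association pair, protected QoS data.
SAMPLE_FRAMES = [
    build_header(0, 8, BROADCAST, ADAPTER_MAC, ADAPTER_MAC),
    build_header(0, 0, ADAPTER_MAC, GAMEPAD_MAC, ADAPTER_MAC),
    build_header(0, 1, GAMEPAD_MAC, ADAPTER_MAC, ADAPTER_MAC),
    build_header(2, 8, ADAPTER_MAC, GAMEPAD_MAC, ADAPTER_MAC, protected=True),
]

def summarize(frames=SAMPLE_FRAMES):
    """Count frame roles in a capture, e.g. to confirm the data really is protected."""
    return dict(Counter(classify(f) for f in frames))
```

Feeding real frames (e.g. the raw bytes of each packet from a monitor-mode capture) to `summarize` and `handshake_seen` answers the first Encryption question in bulk: any `data-clear` count means unprotected data frames were seen.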

Questions:

  • Can we decrypt the packets? (i.e. is it WEP?)
  • Can we build up a connection without encryption (using our fake access point script)?
  • What are those LLC / Raw packets for? WPS?
  • How is the secure connection set up? Is it WPS PushButton? Something vendor-specific?

Drivers for the Chipset

AP SetUp

https://wiki.archlinux.org/index.php/software_access_point
