
Your MediaTek Wi-Fi Chip's Secrets


Course

Edoardo Mantovani walks through the complete defeat of MediaTek Wi-Fi firmware encryption across Wi-Fi 6, 6E and 7 - from driver analysis and ROM dumping to breaking AES protection and integrity checks.

MediaTek Wi-Fi chipsets power hundreds of millions of routers, laptops and smartphones, and their firmware is locked behind encryption and integrity checks that are widely assumed to be robust. Starting from kernel driver analysis and working down to the on-chip ROM, this research reconstructs the full Wi-Fi boot process, introduces the NDS32 instruction set architecture embedded in real MediaTek firmware, and builds a set of primitives that enable both static and dynamic firmware analysis.

In this session, led by Edoardo Mantovani, you will learn:

  • How existing debug interfaces are turned into reliable read/write capabilities - enabling ROM and RAM dumping and code execution on the Wi-Fi MCU;
  • How XOR-encrypted Wi-Fi 6 and AES-protected Wi-Fi 6E firmware protections are broken by leveraging an unprotected executable window to recover decryption routines and keys;
  • How the proprietary CRC32 integrity checking mechanism is reversed.

Here is the course outline:

Your MediaTek Wi-Fi Chip's Secrets: Bypassing Firmware Encryption

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
