Saturday, November 30, 2019

Stadia Controller failing to connect to Cisco Wireless APs

When I received my Stadia Controller Founder's Edition, I noticed that I could not connect to any SSID on my Cisco wireless access points. I tried moving my 802.11ac Wave 2 APs from WLC to Mobility Express and back, creating new WPA3 and WPA2 SSIDs, and still could not get the Stadia Controller to connect. I even took out my old 3600 AP, reflashed it with an Autonomous image and tried to set up a plain vanilla WPA2 SSID on it. The Stadia Controller still would not connect. That was very odd, considering I have dozens of wireless clients of various ages and processing power, including Google/Nest devices, that connect with no issues.

My next step was setting up a test SSID on a Meraki MR24 AP reflashed with the latest trunk image of OpenWRT. The Stadia Controller connected to my test WPA3 SSID right away. The test with WPA2 was also successful. But that was not an acceptable workaround for me, since I don't want to keep another AP up and running just for the Stadia Controller, so I decided to take time over the weekend to spin up Kali Linux on one of my laptops, do some packet captures in monitor mode and compare the attributes of the beacon frames.

Here is what I have discovered:

Starting with Cisco WLC version 8.3.1020, IEEE 802.11v and IEEE 802.11k are enabled for new SSIDs by default.
According to Cisco, "Wireless network management (802.11v) strives to improve the quality of the end-user experience by enabling information exchange. Basic Service Set (BSS) transition management is a vital aspect of 802.11v by which devices can solicit advice from the WLAN as well as receive unsolicited advice from the WLAN about which access point they should associate to. The decision to associate or not would ultimately depend on the device. Additionally, 802.11v includes multiple extensions that enable the client to sleep for a longer duration and thereby save battery life."
Unfortunately, it seems that this undoubtedly helpful feature is not compatible with the Google Stadia Controller.

Once I turned off 802.11v on my SSIDs, the Stadia Controller was immediately able to connect.

I don't know whether the Stadia Controller uses wpa_supplicant or some in-house WPA supplicant implementation, but whatever it uses, the implementation seems to be buggy.
Hopefully it will be fixed in the future, but meanwhile, if you are experiencing issues connecting your Stadia Controller to WLC-managed enterprise APs, try disabling 802.11v. Here is a good article describing how to check an SSID for 802.11v support and how to enable or disable it per SSID on a Cisco WLC.
In Wireshark, look at the beacon frames under IEEE 802.11 wireless LAN > Tagged Parameters > Extended Capabilities > Octet 3.
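As an added example (not code from the original post), the Python below performs the beacon check just described offline: it parses the tagged parameters of a beacon frame body, reads bit 19 of the Extended Capabilities element (the BSS Transition bit, which Wireshark shows as bit 3 of "Octet 3") to tell whether 802.11v is advertised, and reports whether the RM Enabled Capabilities element that advertises 802.11k is present. The frame bodies are constructed test data; on a real capture you would feed it the beacon's frame body bytes (everything after the 802.11 MAC header) exported from Wireshark.

```python
import struct

EID_SSID = 0
EID_RM_ENABLED_CAPS = 70    # element whose presence advertises 802.11k
EID_EXT_CAPS = 127          # Extended Capabilities element
BSS_TRANSITION_BIT = 19     # 802.11v BSS Transition: "Octet 3", bit 3 in Wireshark
BEACON_FIXED_LEN = 8 + 2 + 2  # timestamp, beacon interval, capability info

def parse_ies(frame_body):
    """Return {element_id: payload} for the tagged parameters of a beacon body.
    Stops on a truncated element so a damaged capture still yields intact ones."""
    ies, pos = {}, BEACON_FIXED_LEN
    while pos + 2 <= len(frame_body):
        eid, length = frame_body[pos], frame_body[pos + 1]
        pos += 2
        if pos + length > len(frame_body):
            break
        ies.setdefault(eid, frame_body[pos:pos + length])  # keep first copy
        pos += length
    return ies

def bss_transition_supported(ies):
    """True if Extended Capabilities advertises BSS Transition (802.11v)."""
    ext = ies.get(EID_EXT_CAPS, b"")
    octet, bit = divmod(BSS_TRANSITION_BIT, 8)   # (2, 3): third octet, bit 3
    return len(ext) > octet and bool(ext[octet] & (1 << bit))

def describe_beacon(frame_body):
    """Summarise the beacon features relevant to the Stadia Controller issue."""
    ies = parse_ies(frame_body)
    return {
        "ssid": ies.get(EID_SSID, b"").decode("utf-8", "replace"),
        "dot11v_bss_transition": bss_transition_supported(ies),
        "dot11k_radio_measurement": EID_RM_ENABLED_CAPS in ies,
    }

def make_beacon(ssid, ext_caps, rm_caps=None):
    """Build a constructed beacon frame body (test data, not a real capture)."""
    body = struct.pack("<QHH", 0, 100, 0x0411)    # timestamp, interval, caps
    body += bytes([EID_SSID, len(ssid)]) + ssid
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # Supported Rates 1/2/5.5/11
    if rm_caps is not None:
        body += bytes([EID_RM_ENABLED_CAPS, len(rm_caps)]) + rm_caps
    body += bytes([EID_EXT_CAPS, len(ext_caps)]) + ext_caps
    return body

# Constructed samples: WLC 8.3.1020+ defaults (11v and 11k on) vs. 11v disabled.
WLC_DEFAULT = make_beacon(b"corp-wifi", bytes([0, 0, 0x08, 0]), rm_caps=bytes(5))
DOT11V_OFF = make_beacon(b"corp-wifi", bytes([0, 0, 0, 0]))
```

`describe_beacon(WLC_DEFAULT)` reports BSS Transition as supported, which is the SSID state the Stadia Controller fails on; the same call on `DOT11V_OFF` shows what the beacon looks like after 802.11v is disabled.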

Monday, November 4, 2019

BMW NBT and NBT Evo Firmware Unpacker

It has been five years since I released the first build of the NBT firmware unpacker.

A few years ago I had to stop distributing the unpacker because its misuse was disrupting the business of BMW retrofit shops. With the 2018 public release of NBT and EVO vulnerabilities that had been known to the BMW retrofit scene since at least fall of 2014, and BMW's subsequent patching of those vulnerabilities, I no longer consider distribution of the unpacker harmful.

To commemorate the five years of NBT unpacker, I am releasing an updated and refactored version with the following new features:

  • Search for supported unpackable firmware files within a specified folder
  • Search for a specific file within firmware across multiple firmware files in a specified folder
  • Better handling of special cases like ASD or EQU files

Download nbt_unpack release 1.0.0 here: Win32

Making work with eMMC interposer slightly more convenient

In one of the previous posts I have described eMMC interposer and how it can help with modifications of the device firmware without having t...