├── .gitignore
├── LICENSE
├── README.md
├── debugfs
│   ├── dbg_show_callout_info.py
│   ├── dbg_show_dma_queues_info.py
│   ├── dbg_show_mpdu_pools.py
│   ├── dbg_show_paging_ucode_info.py
│   ├── dbg_show_umac_threads.py
│   └── iwldebug.py
├── descriptions
│   └── intel_wifi
│       ├── iwlwifi-Qu-b0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       ├── iwlwifi-Qu-b0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       ├── iwlwifi-Qu-c0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       ├── iwlwifi-Qu-c0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       ├── iwlwifi-QuZ-a0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       ├── iwlwifi-QuZ-a0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       ├── iwlwifi-cc-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       ├── iwlwifi-so-a0-gf-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       ├── iwlwifi-so-a0-gf-a0.pnvm__2022-11-08.txt
│       ├── iwlwifi-so-a0-gf4-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       ├── iwlwifi-so-a0-gf4-a0.pnvm__2022-11-08.txt
│       ├── iwlwifi-so-a0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       ├── iwlwifi-so-a0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       ├── iwlwifi-ty-a0-gf-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt
│       └── iwlwifi-ty-a0-gf-a0.pnvm__2022-11-08.txt
├── dumps
│   ├── nvm_from_linux
│   │   ├── OUT_dump_hw_00a38000_wirelessAC_9560.parsed.txt
│   │   ├── after_CVE-2022-21181_patch_dump_hw_00a38000_wirelessAC_9560.txt
│   │   ├── dump_hw_00a38000_wirelessAC_9560.txt
│   │   ├── notes_CVE-2022-21181_patch.md
│   │   ├── parse_00a38000_dump.py
│   │   └── wirelessAC_9560_nvm_dump
│   │       ├── README.md
│   │       ├── after_CVE-2022-21181_patch_nvm_hw.bin
│   │       ├── nvm_calib.bin
│   │       ├── nvm_hw.bin
│   │       ├── nvm_phy_sku.bin
│   │       ├── nvm_prod.bin
│   │       ├── nvm_reg.bin
│   │       ├── nvm_sw.bin
│   │       └── sram.bin
│   └── wireless_AC_9560_160MHz
│       ├── fwloader_wirelessAC_9560_at_00060000.bin
│       ├── lmac_auxregs.txt
│       └── umac_auxregs.txt
├── exploit
│   ├── exploit_enable_debug.py
│   └── kernel-module
│       ├── LICENSE
│       ├── Makefile
│       ├── exploit.c
│       ├── exploit.h
│       ├── ftrace_hook.c
│       └── nan.h
├── firmware
│   ├── fw2elf.py
│   └── parse_intel_wifi_fw.py
├── ghidra-scripts
│   ├── define_ARCompact_iwlwifi_exc_vectors.py
│   ├── define_auxregs_mem.py
│   ├── define_wifi_cmdhandler_functions.py
│   └── list_functions.py
├── on-chip-debugger
│   ├── Makefile
│   ├── debugger.py
│   ├── payload.c
│   ├── prologue.s
│   ├── redirect.s
│   ├── setup_debugger.py
│   └── write_mem.py
└── tdls-crash.py

/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/.gitignore
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/LICENSE
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/README.md
--------------------------------------------------------------------------------
/debugfs/dbg_show_callout_info.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/debugfs/dbg_show_callout_info.py
--------------------------------------------------------------------------------
/debugfs/dbg_show_dma_queues_info.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/debugfs/dbg_show_dma_queues_info.py
--------------------------------------------------------------------------------
/debugfs/dbg_show_mpdu_pools.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/debugfs/dbg_show_mpdu_pools.py
--------------------------------------------------------------------------------
/debugfs/dbg_show_paging_ucode_info.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/debugfs/dbg_show_paging_ucode_info.py
--------------------------------------------------------------------------------
/debugfs/dbg_show_umac_threads.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/debugfs/dbg_show_umac_threads.py
--------------------------------------------------------------------------------
/debugfs/iwldebug.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/debugfs/iwldebug.py
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-Qu-b0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-Qu-b0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-Qu-b0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-Qu-b0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-Qu-c0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-Qu-c0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-Qu-c0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-Qu-c0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-QuZ-a0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-QuZ-a0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-QuZ-a0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-QuZ-a0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-cc-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-cc-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-so-a0-gf-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-so-a0-gf-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-so-a0-gf-a0.pnvm__2022-11-08.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-so-a0-gf-a0.pnvm__2022-11-08.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-so-a0-gf4-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-so-a0-gf4-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-so-a0-gf4-a0.pnvm__2022-11-08.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-so-a0-gf4-a0.pnvm__2022-11-08.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-so-a0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-so-a0-hr-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-so-a0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-so-a0-jf-b0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-ty-a0-gf-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-ty-a0-gf-a0-77.ucode__2022-11-08__74.f92b5fed.0.txt
--------------------------------------------------------------------------------
/descriptions/intel_wifi/iwlwifi-ty-a0-gf-a0.pnvm__2022-11-08.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/descriptions/intel_wifi/iwlwifi-ty-a0-gf-a0.pnvm__2022-11-08.txt
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/OUT_dump_hw_00a38000_wirelessAC_9560.parsed.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/OUT_dump_hw_00a38000_wirelessAC_9560.parsed.txt
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/after_CVE-2022-21181_patch_dump_hw_00a38000_wirelessAC_9560.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/after_CVE-2022-21181_patch_dump_hw_00a38000_wirelessAC_9560.txt
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/dump_hw_00a38000_wirelessAC_9560.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/dump_hw_00a38000_wirelessAC_9560.txt
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/notes_CVE-2022-21181_patch.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/notes_CVE-2022-21181_patch.md
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/parse_00a38000_dump.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/parse_00a38000_dump.py
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/README.md
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/after_CVE-2022-21181_patch_nvm_hw.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/after_CVE-2022-21181_patch_nvm_hw.bin
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/nvm_calib.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/nvm_calib.bin
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/nvm_hw.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/nvm_hw.bin
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/nvm_phy_sku.bin:
--------------------------------------------------------------------------------
1 | 3
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/nvm_prod.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/nvm_prod.bin
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/nvm_reg.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/nvm_reg.bin
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/nvm_sw.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/nvm_sw.bin
--------------------------------------------------------------------------------
/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/sram.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/nvm_from_linux/wirelessAC_9560_nvm_dump/sram.bin
--------------------------------------------------------------------------------
/dumps/wireless_AC_9560_160MHz/fwloader_wirelessAC_9560_at_00060000.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/wireless_AC_9560_160MHz/fwloader_wirelessAC_9560_at_00060000.bin
--------------------------------------------------------------------------------
/dumps/wireless_AC_9560_160MHz/lmac_auxregs.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/wireless_AC_9560_160MHz/lmac_auxregs.txt
--------------------------------------------------------------------------------
/dumps/wireless_AC_9560_160MHz/umac_auxregs.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/dumps/wireless_AC_9560_160MHz/umac_auxregs.txt
--------------------------------------------------------------------------------
/exploit/exploit_enable_debug.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/exploit/exploit_enable_debug.py
--------------------------------------------------------------------------------
/exploit/kernel-module/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/exploit/kernel-module/LICENSE
--------------------------------------------------------------------------------
/exploit/kernel-module/Makefile:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/exploit/kernel-module/Makefile
--------------------------------------------------------------------------------
/exploit/kernel-module/exploit.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/exploit/kernel-module/exploit.c
--------------------------------------------------------------------------------
/exploit/kernel-module/exploit.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/exploit/kernel-module/exploit.h
--------------------------------------------------------------------------------
/exploit/kernel-module/ftrace_hook.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/exploit/kernel-module/ftrace_hook.c
--------------------------------------------------------------------------------
/exploit/kernel-module/nan.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/exploit/kernel-module/nan.h
--------------------------------------------------------------------------------
/firmware/fw2elf.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/firmware/fw2elf.py
--------------------------------------------------------------------------------
/firmware/parse_intel_wifi_fw.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/firmware/parse_intel_wifi_fw.py
--------------------------------------------------------------------------------
/ghidra-scripts/define_ARCompact_iwlwifi_exc_vectors.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/ghidra-scripts/define_ARCompact_iwlwifi_exc_vectors.py
--------------------------------------------------------------------------------
/ghidra-scripts/define_auxregs_mem.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/ghidra-scripts/define_auxregs_mem.py
--------------------------------------------------------------------------------
/ghidra-scripts/define_wifi_cmdhandler_functions.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/ghidra-scripts/define_wifi_cmdhandler_functions.py
--------------------------------------------------------------------------------
/ghidra-scripts/list_functions.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/ghidra-scripts/list_functions.py
--------------------------------------------------------------------------------
/on-chip-debugger/Makefile:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/on-chip-debugger/Makefile
--------------------------------------------------------------------------------
/on-chip-debugger/debugger.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/on-chip-debugger/debugger.py
--------------------------------------------------------------------------------
/on-chip-debugger/payload.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/on-chip-debugger/payload.c
--------------------------------------------------------------------------------
/on-chip-debugger/prologue.s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/on-chip-debugger/prologue.s
--------------------------------------------------------------------------------
/on-chip-debugger/redirect.s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/on-chip-debugger/redirect.s
--------------------------------------------------------------------------------
/on-chip-debugger/setup_debugger.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/on-chip-debugger/setup_debugger.py
--------------------------------------------------------------------------------
/on-chip-debugger/write_mem.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/on-chip-debugger/write_mem.py
--------------------------------------------------------------------------------
/tdls-crash.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ledger-Donjon/intel-wifi-research-tools/HEAD/tdls-crash.py
--------------------------------------------------------------------------------