#Realtek rtl8821ae wifi intermittent code
With a bit of custom code on both the EC and the WiFi chip, had a keylogger that didn’t run on the main processor broadcasting the PS/2 keystrokes as UDP packets.
This has to do with 0x80 postcodes from the processor being routed out somewhere accessible via the EC. There also happens to be an RX and a TX trace from the EC to the m.2 slot (where the rtl8821ae is). The keyboard matrix is read by the Embedded Controller (EC), which happens to be another 8051 based microcontroller. Next, looked at what could be done with his newfound hackability. With a tweak in the kernel to allow accessing the shared config space from userspace, was on his way to a complete firmware image. However, the checksum is just a 16-bit XOR. The easiest way to extract it would be to write some custom code that just copies the masked ROM back to the main CPU via the shared memory-mapped config space, but the firmware is checksummed by the masked ROM code. The firmware is loaded at 0x4000 but it calls to code below that address, which means there is a ROM on the chip that contains some code. Careful consideration, reasoned that the firmware was using RTX51 Tiny, which is a small real-time kernel. The firmware was loaded on startup from a known file path and loaded onto the chip sitting in an M.2 slot. True to his name, was pleased to find that the rtl8821ae was clearly based on the Intel 8051. The Realtek rtl8821ae chip is a fairly standard Realtek chip as seen in this unboxing (which is where the main image comes from). dove into the Realtek rtl8821ae WiFi chip on his laptop and extracted the firmware. In fact, there is a surprisingly large number of small processors alongside the many cores that make up the processor. In the interest of simplification or abstraction, we like to think of the laptop on the kitchen table as a single discrete unit of processing.
0 kommentar(er)
