Wireless functions

[noname120]

Advertising

The first version of my app will simply check every two seconds if there is an unprotected network available and if so, warn the user with a sound (bip).

This is great when you trip and need to connect to Internet for some reasons: you just have to walk across the city and the psp will warn you if there is one available (and maybe configure it, as well).

That will be the first release of my program.

The second part will be harder:
As far I know, there is no possibility to switch the psp's driver in monitoring mod: this one allow to capture packets and so hack any WEP/WPA network. If there is any, it would be really great but I'm not good at changing the driver of the chip. If you have knowledge to do that, this would be really great and if you're interrested in, then MP me.

If there is no possibility to capture packets (known as "IVS"), then I'll use fails in the routeurs: for example, the bbox, we can calculate the default password using the access point's name and the bssid. TN_Network does also have fails that allow to find the password.

Many do have fails.

If the routeur that the user want to get the password don't have known fail, then we can try bruteforcing with a dictionnary.


Do you better understand for what purpose I want to get this without dialog ?


Ps: I think the psp's java emulator does access to the low level but I'm not sure.

[hardhat]

Advertising

Such an idea has been often proposed but because the API is not implemented with that in mind, I haven't seen anyone make progress on such a thing.

If you want to detect all available networks then I think you will have some reversing ahead of you. There is no exposed API that I have seen for doing this, though obviously internally it is possible.

Again for monitoring (usually called permiscuous mode in Linux) you'd have to dig deep into the internals of the wifi driver.

Neither is well supported and neither is available from the PSPSDK functions that have been documented from what I've seen.

Proceed carefully, because some of these things may be illegal in your country depending on where you live.

[noname120]

Ok, then I'll dig.

Do you know a good MiPS reference ?

On what should I dig for that ?

How can i know what function is X ?(for example if the program uses WaitVBlankStart)


For the drivers, no problem, I live in France so I do it for research purposes only but I won't able to do it alone: I need someone to help me, if you're available or know someone with good skills then don't hesitate to inform me.

See you

[m0skit0]

there is no possibility to switch the psp's driver in monitoring mod

AFAIK it's not a driver problem. It's the hardware that does not support monitor mode.

If there is no possibility to capture packets (known as "IVS")

Of course you can capture packets... but only the ones that belong to you (which means you have to be authenticated to the AP).

Ps: I think the psp's java emulator does access to the low level but I'm not sure.

Java has no access to low level on any platform.

If you want to detect all available networks then I think you will have some reversing ahead of you

Nope. Detecting/scanning networks does not require monitor mode. Normal wifi mode is enough.

usually called permiscuous mode in Linux

You mean "promiscuous", and that's for network wired cards, not wifi. On wifi it's called "monitor" mode, although the concept is the same. And btw that's not Linux terminology, but standard terminology for networking (no matter the OS).

Proceed carefully, because some of these things may be illegal in your country depending on where you live.

Listening to radio waves is not illegal in any country. on the other hand, what you do with the information you get might be.

Do you know a good MiPS reference ?

MIPS is an open architecture, so Google maybe?

How can i know what function is X ?

I don't understand the question.

[noname120]

AFAIK it's not a driver problem. It's the
hardware that does not support monitor

I'm not sure: I contacted the enterprise that did this cheap chip and it seemed that it supports monitor mod but they can't inform me more (of course, Sony is a customer)

Of course you can capture packets... but only
the ones that belong to you (which means you
have to be authenticated to the AP).

I know but it was said implicitely.

Java has no access to low level on any
platform.

I was not meaning Java but the homebrew that interprate java on psp (not java itself but pspkvm)

Nope. Detecting/scanning networks does not
require monitor mode. Normal wifi mode is
enough.

Of course but it seems that there is no documented function for my need.

Listen to radio waves is not illegal in any
country. on the other hand, what you do with
the information you get might be.

With the IVS, I'll be able to hack the password (I'll port aicrack-ng). Of course, it's only to crack your own network and see that WEP is crappy.

MIPS is an open architecture, so Google ?

A reverse engineer does have the best tools, references etc: that's why I ask for the beat reference: google gives the most famous, not the best (most famous don't mean best in may cases)

I don't understand the question.

I mean, I don't know how functions are converted in assembly but probably args are stacked on the stack: So how can I figure out what function is called ? (there is a call with an adress probably)

[m0skit0]

I'm not sure: I contacted the enterprise that did this cheap chip and it seemed that it supports monitor mod but they can't inform me more (of course, Sony is a customer)

Hmmm then this can be interesting if we can get some Linux driver for that chip for example, and adapt it to PSP. I can help with this since I have low-level programming experience with MIPS.

I was not meaning Java but the homebrew that interprate java on psp (not java itself but pspkvm)

It doesn't matter if pspkvm (which indeed it does because it translates Java's byte-code into machine code) can access low-level because Java cannot access low-level.

A reverse engineer does have the best tools, references etc: that's why I ask for the beat reference: google gives the most famous, not the best (most famous don't mean best in may cases)

Best MIPS reference is the manual from MIPS Technologies. And that's what Googles shows. Period.

I don't know how functions are converted in assembly but probably args are stacked on the stack

Not exactly. In MIPS args are passed through a0-a3 registers, remaining args are placed on the stack.

So how can I figure out what function is called ? (there is a call with an adress probably)

Which function? Called from where?

[noname120]

M0skit0: your help is greatly apprecied !
Please PM me infos to contact you (email, msn, google talk...)

Best MIPS reference is the manual from MIPS
Technologies. And that's what Googles shows.
Period.

Why do I need an account to download stupid PDF files ?

Not exactly. In MIPS args are passed through
a0-a3 registers, remaining args are placed on
the stack.

Good to know, But do they have another purpose, it can't be possible that registers can have this only use.

Which function? Called from where?

For example, let's take an example: you compile a hello world using printf.
How can you see that printf is used not another function ?

[m0skit0]

Why do I need an account to download stupid PDF files ?

You don't.

Good to know, But do they have another purpose, it can't be possible that registers can have this only use.

Why not? They're main purpose is that one. They're usually not used by the assembly generated from compiler. They can be used for anything else, but that would break MIPS ABI.

For example, let's take an example: you compile a Hello World using printf.
How can you see that printf is used not another function ?

Ok. PSP executables (PRXs) have something called "imports". Such imports allow you to know what functions are used and from which libraries. HBL source code can help you understand this.

[noname120]

Why not? They're main purpose is that one.
They're usually not used by the assembly
generated from compiler. They can be used for
anything else, but that would break

I'm used to z80 assembly: there is very few registers (a--accumulator / b /c /d / e / hl (for adresses)/ ix and the flag register.
These limitations allow instructions to take in most case only 1 byte.

All registers are used and have many purposes; some instructions are limited to specific registers etc.
And add etc is always from a to a. Example: add b (add a and be and store it in a).

Ok. PSP executables (PRXs) have something
called "imports". Such imports allow you to know
what functions are used and from which
libraries. HBL source code can help you understand this.

Great, this make the task easier (or less hard :p ).


I'll have to learn MIPS then, but it seems to be an interrestive assembly language !

[m0skit0]

I'm used to z80 assembly

MIPS IV is not Z80. Z80 is a quite 8-bit old processor (the one GameBoy and some Spectrum use, IIRC) and MIPS IV is a relatively 32-bit modern processor. MIPS IV has 32 32-bit registers on the main processor, without counting the coprocessors.

These limitations allow instructions to take in most case only 1 byte.

MIPS has a fixed 32-bit instruction length. All instructions are 32 bits. This is a RISC characteristic.

but it seems to be an interrestive assembly language !

Interrestive? I don't understand this word...

MIPS assembly is one of my favorites due to the RISC philosophy followed, and also due to the homogeneity of the whole architecture.