Hosted by tuxfamily.org

What's Microstumbler?

The Microstumbler project is aimed at adding autonomous network scanning capabilities to a wireless card; that is to say, you can scan wireless networks using just your wifi card and no computer: an LCD and a simple 3-key keypad are connected to it, and it is powered by a battery. This hack is in theory compatible with all hardware that contains an ISL38xx chip: PCI and PCMCIA SoftMAC and FullMAC cards, and USB version 1 and version 2 devices. All you need to be able to do is electrically power up the device outside of a computer, and tap two easily locatable signals on its circuit board!

Is it working now?

No, the software part is not finished yet. A big missing part is full access to the baseband processor of the device, which is needed for FreeMAC too.
Microstumbler development will resume once we have FreeMAC working.
However, the hardware is working. As you can see in the photo, it can be assembled on a piece of veroboard (no SMD, QFP, BGA or other hard-to-solder parts), and only requires 4 thin wires* to be connected to the circuit board of your wifi card !
* power supply (+5V and GND) and I2C bus (SCL and SDA)



Technical details

Hardware

The external board is connected to the I2C bus of the wifi card. This bus can be easily located and tapped on the device, because all the cards contain an I2C EEPROM, on whose package you can easily locate and solder to the SCL and SDA pins. On the photo, you can clearly see that EEPROM: it is the 8-pin chip with two wires soldered to it.
The hack board is based on very common and cheap parts:
The hacked wifi card still works normally when plugged into a computer. On the I2C bus, the added components remain "silent" as long as no data is sent to them (and Conexant's firmware obviously has nothing to send to a GPIO expander or an additional EEPROM...)

Software

Some tricks are needed to execute the ARM code stored inside the external EEPROM with no help from any host computer, while still keeping the hacked wifi card "compatible" with an unmodified one.
To understand how this works, you need some basics about what happens inside your wifi card when voltage is applied to the ISL38xx:
So we can dump the EEPROM of the to-be-modified device, and inject bootstrapper code into it which checks for the presence of the Microstumbler EEPROM and loads firmware from it if possible. If loading was not possible, the bootstrapper resumes normal ROM operation, so that disconnecting the Microstumbler board does not interfere with device functioning.
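As an added illustration of the bootstrapper decision described above (example code, not Microstumbler's own): it probes the add-on EEPROM through an abstract byte-read callback, accepts its image only after a header and checksum check, and otherwise falls back to the on-card ROM. The image layout, the "MSTB" magic value and the XOR checksum are assumptions for this example, not the project's real format, and the sample EEPROM contents are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Reads one byte at 'addr' from the external I2C EEPROM; returns 0 on NACK
 * (board absent or unplugged). The real bootstrapper would bit-bang SCL/SDA;
 * a callback keeps the decision logic testable on a host. */
typedef int (*eeprom_read_fn)(uint16_t addr, uint8_t *out);

/* Assumed image layout (hypothetical, not the project's format):
 * 4-byte magic "MSTB", 2-byte little-endian payload length,
 * payload bytes, then one XOR checksum byte over the payload. */
#define MAGIC "MSTB"

enum boot_source { BOOT_ROM = 0, BOOT_EXTERNAL = 1 };

/* Load from the add-on EEPROM only if it answers on the bus and its image
 * passes the integrity check; any failure means resuming normal ROM boot. */
enum boot_source select_boot(eeprom_read_fn rd, uint8_t *dst, size_t cap, size_t *len)
{
    uint8_t hdr[6];
    for (size_t i = 0; i < sizeof hdr; i++)
        if (!rd((uint16_t)i, &hdr[i])) return BOOT_ROM;      /* no ACK: board absent */
    if (memcmp(hdr, MAGIC, 4) != 0) return BOOT_ROM;           /* not our image */
    size_t n = (size_t)hdr[4] | ((size_t)hdr[5] << 8);
    if (n == 0 || n > cap) return BOOT_ROM;                    /* refuse oversized image */
    uint8_t sum = 0, chk;
    for (size_t i = 0; i < n; i++) {
        if (!rd((uint16_t)(6 + i), &dst[i])) return BOOT_ROM;  /* read failed mid-image */
        sum ^= dst[i];
    }
    if (!rd((uint16_t)(6 + n), &chk) || chk != sum) return BOOT_ROM; /* corrupt image */
    *len = n;
    return BOOT_EXTERNAL;
}

/* Constructed sample contents standing in for the add-on board's EEPROM. */
static const uint8_t sample_eeprom[] = {
    'M', 'S', 'T', 'B', 4, 0, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE ^ 0xAD ^ 0xBE ^ 0xEF
};
static int sample_rd(uint16_t addr, uint8_t *out)
{
    if (addr >= sizeof sample_eeprom) return 0;
    *out = sample_eeprom[addr];
    return 1;
}
/* Simulates the board being disconnected: every read NACKs. */
static int absent_rd(uint16_t addr, uint8_t *out) { (void)addr; (void)out; return 0; }

/* Returns the loaded payload length, or -1 when the bootstrapper fell back to ROM. */
int try_external(eeprom_read_fn rd, size_t cap)
{
    uint8_t buf[64]; size_t n = 0;
    if (cap > sizeof buf) cap = sizeof buf;
    return select_boot(rd, buf, cap, &n) == BOOT_EXTERNAL ? (int)n : -1;
}
```

Passing a smaller buffer capacity than the image declares exercises the oversized-image refusal, the case that matters most when the loaded code comes from a bus anyone with a soldering iron can reach.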

The software contained in the Microstumbler EEPROM should not interfere with normal firmware loading on devices with a PCI bus (this includes USB v1); indeed, with these, the PCI registers are used to stop the ARM and write to its memory, with no software intervention. However, on USB v2, we'll have to simulate the ROM host interface.

If you're interested in developing this, especially in reverse engineering the baseband processor (this will also benefit FreeMAC), just drop us a mail.

How to build and install the Microstumbler board?

Check out this page for schematics and instructions.