This chipset implements some encryption in hardware.

Later we will refer to an SHM offset called security_offset; it is initialised to the value of the SHM at location 0x56, multiplied by 2.

Cores of revision 5 and higher support up to 54 keys; older cores support only 16.

Each key has the following properties associated with it:

  * key index
  * algorithm type
  * key material
  * ethernet address

The key index is used to index the various parts of the SHM that relate to this key.

The algorithm type can be one of the following:

  1. WEP1
  2. ?
  3. AES, where the flags decide on the type (0b00 -> CCM, 0b10 -> OCB_MSDU, 0b11 -> OCB_MPDU)
  4. 104 bit WEP
  5. TKIP

The key material is always at most 16 bytes.

The ethernet address is (probably) used to match which key to use to decrypt frames received from what station.

The control word (16-bit) at addresses 0x100 and higher in the SHM (see there) contains the following information:

  * key index
  * algorithm identifier

The first 4 keys are (probably) reserved for the 4 WEP keys a station can have. They do not have MAC addresses associated. The other MACs are saved in various places depending on the core revision.

The SHM has a 16 byte key data area for each key at the location pointed to by security_offset. The 16 byte areas are laid out as follows, in order:

  * key material for key 0
  * key material for key 1
  * key material for key 2
  * key material for key 3
  * key material for key 0 (unless TKIP, then zero)
  * likewise for key 1
  * likewise for key 2
  * likewise for key 3
  * key material for key 4
  * key material for key 5
  * key material for key 6


The key material is written as a set of eight 16-bit little endian values.

FIXME: There's additional key material needed for TKIP.
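As an added example (not code from the original wiki page), the following C models the key table described above: security_offset is derived from SHM location 0x56, each key's material is packed into its 16-byte area as eight little-endian 16-bit values, the second copy is zeroed for TKIP, and writes are refused for keys beyond the core's key count or outside the SHM image. It assumes the 16-byte areas are numbered consecutively in the order listed and that the SHM is accessed as 16-bit words; all function and macro names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#define SEC_KEY_SIZE   16    /* one key area: 16 bytes = 8 little-endian 16-bit words */
#define SEC_OFFSET_PTR 0x56  /* SHM location whose value, times 2, is security_offset */
#define SEC_ALGO_TKIP  5     /* algorithm type 5 in the list above */

/* The SHM is modelled as an array of 16-bit words addressed by byte offset. */
static uint16_t shm_read16(const uint16_t *shm, uint32_t off) { return shm[off / 2]; }
static void shm_write16(uint16_t *shm, uint32_t off, uint16_t v) { shm[off / 2] = v; }
static unsigned sec_max_keys(unsigned core_rev) { return core_rev >= 5 ? 54 : 16; }
static uint32_t sec_offset(const uint16_t *shm) { return shm_read16(shm, SEC_OFFSET_PTR) * 2u; }

/* Assumed area numbering, consecutive in the order listed above: keys 0..3 use areas
 * 0..3 with their second copies in areas 4..7; key n >= 4 uses area n + 4 only.
 * Returns true when the key has a second copy. */
static bool sec_key_areas(unsigned index, unsigned *first, unsigned *second)
{
    if (index < 4) { *first = index; *second = index + 4; return true; }
    *first = index + 4; *second = *first; return false;
}

/* Write one area as eight little-endian 16-bit words; material shorter than
 * 16 bytes (5-byte WEP1, 13-byte WEP104) is zero-padded. */
static void sec_write_area(uint16_t *shm, uint32_t base, unsigned area,
                           const uint8_t *key, size_t key_len)
{
    uint8_t buf[SEC_KEY_SIZE] = {0};
    memcpy(buf, key, key_len);
    for (unsigned i = 0; i < SEC_KEY_SIZE / 2; i++)
        shm_write16(shm, base + area * SEC_KEY_SIZE + 2 * i,
                    (uint16_t)(buf[2 * i] | (buf[2 * i + 1] << 8)));
}

/* Install key `index`. Over-long material, an index beyond the core's key count and an
 * area outside the shm_words-word SHM image are rejected, so nothing is written past the table. */
static bool sec_set_key(uint16_t *shm, size_t shm_words, unsigned core_rev, unsigned index,
                        unsigned algo, const uint8_t *key, size_t key_len)
{
    unsigned first, second;
    bool has_second = sec_key_areas(index, &first, &second);
    uint32_t base = sec_offset(shm);
    if (key_len > SEC_KEY_SIZE || index >= sec_max_keys(core_rev)) return false;
    if ((base + (second + 1) * SEC_KEY_SIZE) / 2 > shm_words) return false;
    sec_write_area(shm, base, first, key, key_len);
    if (has_second) /* second copy is all zero for TKIP, as the layout above states */
        sec_write_area(shm, base, second, key, algo == SEC_ALGO_TKIP ? 0 : key_len);
    return true;
}
```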

Using the security hardware to encrypt

WEP

Create the appropriate 802.11 frame, including the WEP IV and the number of the WEP key you want to use. Copy the IV/key number data (4 bytes) into the transmit header (see Sending) and set the appropriate key index in the transmit header. The actual data encryption and ICV calculation is done by the hardware. Remember to set the WEP bit in the 802.11 frame header and to adjust the length in the PLCP header for the added ICV!

TKIP and AES

This should work similarly, but I'm not sure where the various pieces of TKIP information go, and for AES I don't know yet how the different modes are told apart.

Using the security hardware to decrypt

Decryption is done by the hardware before you receive the frame. Note that the WEP bit is still set and the IV/key number is still present; only the data is decrypted.

Exported/Archived from the wiki to HTML on 2016-10-27