Wi-Fi replaced Ethernet and became the main network protocol on laptops for the last few years. Software implementations of the Wi-Fi protocol naturally became the targets of attackers, and vulnerabilities found in Wi-Fi drivers were exploited to gain control of the operating system, remotely and without any user interaction. However, not much research has been published on Wi-Fi chips and the firmware they run.Nowadays, Intel's Wi-Fi chips implement complex features in their firmware: Wake-on-WLAN, Tunnel Direct Link Setup (TDLS)... We investigated through reverse-engineering some internals of Intel Wi-Fi chips and exploited the way they load their firmware to gain arbitrary code execution. We also studied how the chip can securely store parts of its code in the system memory, through a mechanism we call "Paging Memory", and found how any read-anywhere vulnerability can be used to also gain code execution.