Working aircrack-ng with monitor mode and packet injection !

zewelor · Sep 21, 2011

Hi,

so after few days of playing with drivers patches kernel sources i finally got aircrack-ng working on g1 !

( If you dont know whats aircrack-ng http://www.aircrack-ng.org/) I tested airodump for 1h, had it dumping packets to the sdcard to a cap file with channel switching and aireplay with deauth attack. I monitored this from my laptop to see if the packets are being sent ok and the client was disconnected from the network as expected.

I used patches for the n900 form the "download here" link at the bottom of this page http://david.gnedt.eu/blog/wl1251/. I also followed this tutorial http://bobcopeland.com/android_wifi.html and used his excellent kernel patch to get the msm_wifi.ko module. I then used the kernel and the zip file herehttp://xdaforums.com/showpost.php?p=14768272&postcount=2427

You will want to make a backup of your system before you do anything. With that kernel you won't be able to use wifi in the Android UI.

Requirements to use attached files:

2.2 Rom
Debian installed in chroot on g1 with aircrack-ng installed ( you can use this img http://www.mediafire.com/?0ab95ia8xbale0i , just extract in on /sdcard/ so debian.img path is /sdcard/debian/debian.img )

How to make it work ?
steps 1-5 are one time only

First boot your android ROM and type
adb shell
$ su
# mount -o remount,rw /
# cd /system/etc/firmware
# ln -s ../wifi/Fw1251r1c.bin wl1251-fw.bin
# cat /proc/calibration > wl1251-nvs.bin
# mount -o remount,ro /

Click to expand...

Click to collapse
Extract attached files ( g1_wl1251.zip ) to sdcard
Apply ez_1.5.1_wl1251.signed.zip from recovery ( it got 2708 and ebi0 kernel for now will add ebi1 later)
Boot the phone
adb shell
su
cd /sdcard/wl1251_modules
sh ../insmod.sh

Click to expand...

Click to collapse
Now chroot into you debian installation ( if you used mine debian.tar.bz2 there is script startdeb just write: sh /sdcard/debian/startdeb and you should be chrooted correctly )
screen ( dont know why airodump doesnt give any output without screen on adb shell ?! )
bash
airmon-ng start wlan0
airodump-ng -i mon0

and DONE

How com compile it

First you need to get sources:

kernel sources i used https://github.com/ezterry/kernel-biff-testing tag ezgb-2636-v1.5.1-20110820
prepatched compat-wireless-2010-12-22 ( attached in sources.zip. I did some small build fixes and applied every patch from wl1251-maemo/patches/wireless-testing/ EXCEPT 0003-wl1251-fix-scan-behaviour-while-not-associated.patch as i got build errors with it )
rest of the files in patches.zip

Kernel:

You can just apply all patches in the kernel dir
If you want to make your config by yourself you have to compile as module cfg80211 and mac80211, compile in CONFIG_RFKILL_PM, CONFIG_CRC7 and UNSET CONFIG_TIWLAN1251. Its important as there as some ifdefs for CONFIG_TIWLAN1251 in drivers/mmc/core/core.c which is compiled in and with CONFIG_TIWLAN1251 WL1251 drivers doesnt work !

Compat wireless:
there is make.sh script edit it and change the patchs for your crosscompile toolchain and kernel location
./make.sh
and copy all *.ko modules

I hope everything is clear and more ppl can use it in custom roms

If something is unclear plz write about it

benji · Sep 21, 2011

too bad i sold my g1!

nvhush · Sep 22, 2011

Thank you for the great tutorial! I think many people are using Gingerbread right now with several different incompatible ROMs. I think it would be useful if you list your ROM version as well as SPL & Radio info. Also if you could PLEASE make an image of your G1 with the debian install, it would help a lot. If you don't want your personal data in the image then I can remove it for you and will host the image. At the very least people need to know how exactly you installed debian before attempting this.

Please PM me if you can supply the image, thanks again!

zewelor · Sep 22, 2011

Debian location can by anywhere, nothing depends on it and i got it on sdcard so g1 dump wont do anything. But i can send u ready debian.img to mount it with wireless tools installed just want to add new kismet and as i cant find ready deb for debian i would need to compile it probably. As for the radio u can use that new 2708 radio and old one for kernel i provided. I used cm6 for it but i think you can use any 2.2 rom as its froyo kernel. I need to clean up everything and redo it to write good tutorial how to compile it for any kernel and how to patch drivers.

nvhush · Sep 22, 2011

zewelor said:
Debian location can by anywhere, nothing depends on it and i got it on sdcard so g1 dump wont do anything. But i can send u ready debian.img to mount it with wireless tools installed just want to add new kismet and as i cant find ready deb for debian i would need to compile it probably. As for the radio u can use that new 2708 radio and old one for kernel i provided. I used cm6 for it but i think you can use any 2.2 rom as its froyo kernel. I need to clean up everything and redo it to write good tutorial how to compile it for any kernel and how to patch drivers.

Thanks for the response. I just upgraded my hboot to a version that CM6 doesn't support, but I can use a different Froyo ROM that is still working.

On Gingerbread I am having a very hard time getting ext2.ko loaded. I already have an EXT(4) partition mounted, but since I am not on Froyo none of the kernel modules can be loaded correctly. I also think that ext2 support is already there but I don't know how to make use of it. There are filesystem modules under /system/lib/modules/2.6.36.4-s3-cos/.

My goal is to create a clockwork image of a Froyo/Debian install (with working injection driver) and use it as needed while keeping a 2.3.4/2.3.5 Android image for testing newer Apps that don't work on 2.2.

For anyone that just needs the Debian image, you can download it from the original G1 Debian tut site here: http://www.saurik.com/id/10

Please PM me if you are willing to upload a copy of your .img container file & I will host it for everyone to use. Thanks!

zewelor · Sep 22, 2011

If u want u can still flash cm6 and after flashing it, flash kernel.zip from attached zip in 1st post ( it got also kernel for newer radio, but i havent tested it as i got older radio). As i saw in ezterry's kernel config ext2 partitions are mounted using ext4 so u dont have to load ext2 ( it works at least in froyo version of ezterry's kernel ). I can send now debian.img without working kismet but i think its better to get also kismet running so ppl wont have to redownload it. My debian.img its normal debian only with aircrack-ng installed nothing special in it. Only magic is kernel config and modules with patches compiled for that kernel thats it nothing more.

nvhush · Sep 22, 2011

zewelor said:
If u want u can still flash cm6 and after flashing it, flash kernel.zip from attached zip in 1st post ( it got also kernel for newer radio, but i havent tested it as i got older radio). As i saw in ezterry's kernel config ext2 partitions are mounted using ext4 so u dont have to load ext2 ( it works at least in froyo version of ezterry's kernel ). I can send now debian.img without working kismet but i think its better to get also kismet running so ppl wont have to redownload it. My debian.img its normal debian only with aircrack-ng installed nothing special in it. Only magic is kernel config and modules with patches compiled for that kernel thats it nothing more.

Yes, let's wait until Kismet is working and then you can upload the image. I will try your suggestion and use EXT4. If I still have trouble I will create a flashable ZIP that has Froyo optimized for Debian with your Kernel patch included and a startup app to launch Debian via UI. Thanks again for your great contribution!

zewelor · Sep 22, 2011

But when you mount debian img just write mount -o loop -t ext2 not ext4 it should work

zewelor · Sep 22, 2011

Updated first post with some instructions how to compile drivers and kernel

nvhush · Sep 23, 2011

Constantly getting "mount: can't setup loop device: No such file or directory"

I tried "mknod /dev/loop0 b 7 0" but neither "mount -o loop,noatime /mnt/sdcard/debian.img /data/local/mnt" nor other variations using ext2 work. I did mount / as rw and created the /data/local/mnt directory. I also tried 2 versions of busybox and so far no luck; I guess you are using the version that comes with CM6? Thanks

zewelor · Sep 23, 2011

Yes i used busybox from cyanogenmod

Copy debian.img to /sdcard/debian/debian.img ( or change location in startdeb script )
First do mkdir -p /data/local/debian/mnt
then sh /sdcard/debian/startdeb ( or where u got it )

startdeb script i used:

#!/system/bin/sh

if [ ! -e /dev/block/loop99 ]
then
mknod -m 660 /dev/block/loop99 b 7 99
fi

if [ ! -e /dev/loop1 ]
then
ln /dev/block/loop99 /dev/loop0
fi
mount -o loop -t ext2 /sdcard/debian/debian.img /data/local/debian/mnt
busybox mount -o bind /sdcard /data/local/debian/mnt/sdcard
export PATH=/usr/bin:/usr/sbin:/bin:$PATH
export TERM=linux
export HOME=/root
export USER=root
busybox mount -t proc none /data/local/debian/mnt/proc
busybox mount -t sysfs sysfs /data/local/debian/mnt/sys
busybox mount -t devpts devpts /data/local/debian/mnt/dev/pts
busybox chroot /data/local/debian/mnt/ /bin/bash

fatcobrah · Sep 29, 2011

can u do it for lg optimus black ?

zewelor · Sep 29, 2011

That depends on wifi chipset there, if its wl1251 it should be doable.

blackplatypus · Oct 2, 2011

nice work, a year ago I did the same work (I think I posted it in the modaco android forum), however there was no injection patch at that time, so only packet capturing worked. The HTC Hero has the same TI wifi chip

(wl1251). By the way you don't need an entire linux environment it is sufficient to compile static binaries (aircrack, kismet..). If i remember correctly compiling aircrack was very straight forward, however for kismet I had to make a dirty hack because it complained for a missing environment variable, but int he end Kismet worked fine too, even the gps

. Unfortunately I lost my dev environment due to a harddisk failure, otherwise I would share the patches and binaries.

[EDIT]

HA! I found the aircrack binaries on an old backup disc

If you want to copy the files on your sdcard remember to remount it with (mount -o,exec,remount /mnt/scard), because by default the noexec flat is set or you copy the files to internal memory.

zewelor · Oct 2, 2011

Thx for that aircrack

I have chosen debian to avoid recompiling everything i will like to use and to have normal command line enviroment. Except aircrack and kismet u can also like to have iw / wireless tools / ping / nmap /tcpdump etc so you will have to search for it or recompiling staticly everything. I just prefer to find .deb file and install it, as using apt-get on g1 takes forever

Also htc magic got wl1251 as afaik its the same as g1 (?).

blackplatypus · Oct 2, 2011

yeah thats true, I decided to compile everything statically because I had very poor performance using debian (apt-get, compiling stuff etc), another advantage is you can start the programs very easily from the homescreen using gscript, sl4a..., in the end its just a question of preference

misieq666 · Oct 2, 2011

Sorry for asking in wrong topic, but:

Is there any airdump app that works well on HD2 ? (Broadcom chip: bmc 4329).
Or maybe the right question is : If it is even possible to create such app for hd2/nexus ?

blackplatypus · Oct 2, 2011

misieq666 said:
Sorry for asking in wrong topic, but:

Is there any airdump app that works well on HD2 ? (Broadcom chip: bmc 4329).
Or maybe the right question is : If it is even possible to create such app for hd2/nexus ?

The problem is not the app, the problem is having wireless driver that support packet injection/Promiscuous-mode for the specific wireless chip, which in this case are afaik not available.

zewelor · Oct 3, 2011

And even not a driver but firmware for specific chipset that allow to do that. As i read the main problem in bmc4329 is the firmware as driver can only do what firmware will allow. Well u can rewrite driver to workaround some limitations in firmware etc. Anyway here is a page u can follow http://linuxwireless.org/en/users/Drivers/brcm80211 they even got monitor mode in todo so maybe it can be done

tuthan · Oct 3, 2011

Hi guy, final step, I got this:

airmon-ng start wlan0

Interface Chipset Driver

wlan0 wl1251_sdio - [phy0]SIOCSIFFLAGS: No such file or directory

(monitor mode enabled on mon0)

and this:

airodump-ng mon0
ioctl(SIOCSIFFLAGS) failed: No such file or directory

how should i fix this? plz.
Thank you.

Working aircrack-ng with monitor mode and packet injection !

Senior Member

Attachments

Senior Member

Member

Senior Member

Member

Senior Member

Member

Senior Member

Senior Member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Attachments

Senior Member

Senior Member

Member

Senior Member

Senior Member

Member

Similar threads

Top Liked Posts