Working wifi monitor mode!!!


shoote

Member
Aug 29, 2010
6
69
UPDATE: added injection support for bcm4329 firmware
I just uploaded a new patched firmware version for bcm4329, this version adds raw packet injection support.

Issues

  • Low injection speed - on my nexus one the injection is working really slow. It seems that the injection speed starts fine but then slows down to as slow as ~700ms per packet.
  • Radiotap - we don't handle radiotap on packet injection. 'aireplay-ng' works fine with it but tools like 'reaver' seem to require it.

Greetings,

We are a group of 3 researchers and in the last few weeks we have successfully added "monitor mode" support to the common broadcom wifi chipsets: BCM4329 and BCM4330. We have a working PoC on Galaxy S 2 and Nexus One.

We opened a new blog with all of the details at:
http://bcmon.blogspot.com

For the lazy ones the current status is:
bcm4329 - Fully working monitor mode on our Nexus One
bcm4330 - successful PoC - monitor mode on Galaxy S II
We haven't tested it yet, but if you have a phone with one of those chipsets (and you most probably have one), it should also work on your phone.

We would appreciate any comments on the forum or to our mail "contact dot bcmon at gmail dot com"

It's been a long day (with little sleep) so good night/morning and enjoy :)

Ruby, Yuval and Omri

UPDATE: if you had wireless-tools errors with airodump-ng try the new utils.zip version.
 

Attachments

  • gs2_bundle.zip
    317.9 KB · Views: 23,108
  • nexus_bundle.zip
    1.2 MB · Views: 13,199
  • utils.zip
    7.3 MB · Views: 27,357

flow3d

New member
Sep 18, 2012
1
0
added gs2 bundle

fixed the svn branch of bcm4330, if you downloaded the previous version, please update.

also added a gs2 bundle file to the bundle directory
 

MemoryController

Senior Member
Dec 21, 2011
1,024
219
Thessaloniki
These should work, it insmods fine, however I get library problems with iwconfig and airodump gives "can't find wireless tools". Anyway, here are the kernel and the module.

1. Flash the zImage
2. Use the dhd.ko
3. Give thanks to the bcmon team
4. ???
5. Profit
 

Attachments

  • bcm4330_mon.zip
    212.2 KB · Views: 8,036
  • siyah415_monitor.zip
    6.4 MB · Views: 8,036

s.m.p.l

New member
Dec 1, 2011
4
0
Hi!
Just tried to get it running on my SGS2, tried with CM 9.0.0 and CM 9.1.0 - both failed
root@android:/sdcard/gs2_bundle # ./setup.sh
./setup.sh
LOADING MODULE
insmod: can't insert 'dhd.ko': invalid module format
error: SIOCGIFFLAGS (No such device)
255|root@android:/sdcard/gs2_bundle #

I honestly don't know much about anything related to this topic, my guess is it has something to do with the kernel. I'm running Siyah Kernel v4.1.5 and booted the CM ROMs with dual-boot.
I tried the dhd.ko uploaded by MemoryController, but get the same error.

I'll check tomorrow if something new came up here
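The "invalid module format" error above is what insmod reports when a module was built against a different kernel release than the one running. The following is an added example, not part of s.m.p.l's post or the bcmon bundle: it reads the vermagic= string out of a .ko and compares it with `uname -r`, using only tr/grep/sed/cut so it also runs under busybox on the phone. The sample module file it writes is constructed, and its kernel release value is made up.

```shell
#!/bin/sh
# Added example, not from the thread: explain "insmod: can't insert 'dhd.ko':
# invalid module format" by comparing the module's vermagic string with the
# running kernel's release. Uses only tr/grep/sed/cut (busybox-friendly).

# Print the vermagic string embedded in the module's .modinfo section.
module_vermagic() {
    tr -c '[:print:]' '\n' < "$1" | grep -m1 '^vermagic=' | sed 's/^vermagic=//'
}

# The first vermagic token is the kernel release the module was built for.
vermagic_release() {
    module_vermagic "$1" | cut -d' ' -f1
}

# Succeed (exit 0) only when the module's release matches the running kernel
# (or the release passed as $2, useful when checking off-device).
module_matches_kernel() {
    want="${2:-$(uname -r)}"
    have="$(vermagic_release "$1")"
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Write a constructed, module-like file into $1 so the checks can be tried
# without a real dhd.ko: junk bytes around a NUL-terminated vermagic string,
# as found in a real .modinfo section. The release value is made up.
make_sample_module() {
    printf '\177ELF\001\001\001\000junk\000vermagic=3.0.15-Siyah-v4.1.5 SMP preempt mod_unload ARMv7 \000license=GPL\000' > "$1"
}

# Demo: the constructed module will not match this machine's kernel, which is
# exactly the situation insmod complains about on the phone.
sample="${TMPDIR:-/tmp}/dhd_sample.ko"
make_sample_module "$sample"
if module_matches_kernel "$sample"; then
    echo "dhd.ko was built for this kernel ($(vermagic_release "$sample"))"
else
    echo "dhd.ko was built for $(vermagic_release "$sample"), running kernel is $(uname -r): expect 'invalid module format'"
fi
rm -f "$sample"
```

On the device, run `module_matches_kernel /sdcard/gs2_bundle/dhd.ko` before `./setup.sh`; a mismatch means you need the kernel the module was built for (or a module built for your kernel), not a different ROM.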
 

MemoryController

Senior Member
Dec 21, 2011
1,024
219
Thessaloniki
Hi!
Just tried to get it running on my SGS2, tried with CM 9.0.0 and CM 9.1.0 - both failed


I honestly don't know much about anything related to this topic, my guess is it has something to do with the kernel. I'm running Siyah Kernel v4.1.5 and booted the CM ROMs with dual-boot.
I tried the dhd.ko uploaded by MemoryController, but get the same error.

I'll check tomorrow if something new came up here

You also need my kernel. Wait, in an hour or so I will upload it

Sent from my GT-I9100 running CM10

Uploaded kernel image and module, look at first page
 
  • Like
Reactions: s.m.p.l

shoote

Member
Aug 29, 2010
6
69
If you get "Can't find wireless tools, exiting."
Solution: Make sure you have 'iwpriv' on your system, just add soft link from 'iwpriv' to 'iwconfig' (actually it is 'iwmulticall')

if iwconfig doesn't work you will need to compile it with your libs, maybe I'll make a statically linked version of iwmulticall later today.

These should work, it insmods fine, however I get library problems with iwconfig and airodump gives "can't find wireless tools". Anyway, here are the kernel and the module.

1. Flash the zImage
2. Use the dhd.ko
3. Give thanks to the bcmon team
4. ???
5. Profit
 
  • Like
Reactions: flow3d and yuvalof
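The soft-link fix shoote describes above, as an added example that is not part of the post or the utils.zip bundle: wireless-tools ships one `iwmulticall` binary that behaves as iwconfig, iwlist, iwpriv, iwspy or iwgetid depending on the name it is called by, so every missing name is created as a symlink to it. The directory is an assumption (the thread uses /data/aircrack-static); the demo below runs against a constructed directory with a stand-in iwmulticall.

```shell
#!/bin/sh
# Added example, not from the post: make the wireless-tools names resolve to
# the single 'iwmulticall' binary in $1, as suggested for 'iwpriv'. Existing
# files are never clobbered, so a real iwconfig stays in place.

# The five applets built into wireless-tools' iwmulticall.
TOOLS="iwconfig iwlist iwpriv iwspy iwgetid"

# Print the names from TOOLS that are not found as executables in $1.
missing_wireless_tools() {
    dir="$1"
    for t in $TOOLS; do
        [ -x "$dir/$t" ] || echo "$t"
    done
}

# Create any missing names as symlinks to $1/iwmulticall. Returns 1 if
# iwmulticall itself is absent, so the caller can stop early.
link_wireless_tools() {
    dir="$1"
    if [ ! -x "$dir/iwmulticall" ]; then
        echo "no executable iwmulticall in $dir" >&2
        return 1
    fi
    for t in $(missing_wireless_tools "$dir"); do
        ln -s iwmulticall "$dir/$t"
    done
    # Succeed only if nothing is still missing.
    [ -z "$(missing_wireless_tools "$dir")" ]
}

# Demo on a constructed directory with a stand-in iwmulticall, so it can be
# run off the phone. On the device, pass the real directory instead.
demo="${TMPDIR:-/tmp}/wt_demo"
mkdir -p "$demo"
printf '#!/bin/sh\necho "iwmulticall stand-in called as $0"\n' > "$demo/iwmulticall"
chmod +x "$demo/iwmulticall"
echo "missing before: $(missing_wireless_tools "$demo" | tr '\n' ' ')"
link_wireless_tools "$demo" && echo "all wireless tools now resolve in $demo"
ls -l "$demo"
rm -rf "$demo"
```

Run `link_wireless_tools /data/aircrack-static` (or wherever utils.zip was unpacked) and make sure that directory is on PATH before starting airodump-ng; the links are relative, so the directory can be moved without breaking them.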

sambwel

Senior Member
May 24, 2011
249
70
Adelaide
I have a Galaxy S i9000 (bcm4329) and will be compiling this shortly for testing, if all goes well I will post the binary here (assuming nobody beats me to it) :)

Thanks shoote, you guys have done great work here and I'm looking forward to injection mode!
 
  • Like
Reactions: trut and sUsH667

MemoryController

Senior Member
Dec 21, 2011
1,024
219
Thessaloniki
/data/aircrack-static # ./iwconfig
lo no wireless extensions.

sit0 no wireless extensions.

ip6tnl0 no wireless extensions.

rmnet0 no wireless extensions.

rmnet1 no wireless extensions.

rmnet2 no wireless extensions.

wlan0 IEEE 802.11abgn Mode:Monitor Tx-Power=1496 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:on


airodump-ng gives no output
 

Top Liked Posts

4
Here's a general tutorial on compiling and installing kernel modules:

YOU NEED
----------
- 64-bit Linux operating system
- kernel source code for the one you're building your module for
- Module source
- Toolchain used to compile the kernel, usually the same one the developer used


I'll skip over the usual "How to use Linux" part, as you should already know how to use Linux if you're messing with kernel stuff.

1. Setup Your Build Environment
--------------------------------

Create a folder in your home directory, and name it KERNEL (caps make it easier to get back to later). Go into that directory and create three more, TC, KERNEL, and WIFI (TC is for your toolchain). Copy your kernel source into KERNEL, your toolchain into TC, and the wifi module source into WIFI.

If you have enough space available, I recommend creating a backup folder of the source as well (mine is BKERNEL). Copy the kernel source there just in case you need to start from scratch (and you will, trust me lol).

As all devices are different and have different kernel setups and places to download everything, I also won't provide links to toolchains or sources, you need to find the correct ones yourself.

Once everything is in place, enter:
Code:
export ARCH=arm
export CROSS_COMPILE=/home/<yourusername>/KERNEL/TC/bin/<toolchainnamewithfollowing->

An example CROSS_COMPILE variable would be:

Code:
export CROSS_COMPILE=/home/zen/KERNEL/TC/arm-linux-none-gnueabi-

In your terminal:
Code:
su
cd KERNEL/KERNEL/drivers/net/wireless
ls -l

Now look for your bcm device, the folder name will match one of the folders in the WIFI src directory.

For good measure, ls the bcm directory and remember what it looks like to compare to after copying the source across.

Next (assuming the bcm folder exists):

Code:
# copy the folder into the current directory; naming an existing ./<bcmfoldername> as the target would nest the copy inside it
cp -rfv /home/<yourusername>/KERNEL/WIFI/<locateyoursrcfolder>/<bcmfoldername> .

Compare the contents with ls against what you saw earlier, if it's different, with a lot of the same files, the copy went across right.

cd back to your KERNEL/KERNEL folder and you're ready to go.


2. Compiling
-------------

Now you will need to setup the kernel source itself. You will need to do a full build of the kernel to ensure the modules are compiled correctly.

You will need to know which kernel .config to use as well. Refer to the kernel developers notes for the one you are compiling to get the proper one.

Once you know which config to use, enter this command:

Code:
cp arch/arm/configs/<yourconfigname> ./.config
make clean
make menuconfig   # optional: check out settings, rename the kernel and such
make -j8
make modules

Assuming everything compiled correctly, your new kernel is located at arch/arm/boot/zImage, and your kernel modules are located in their respective drivers/ location. (In this case, for the wifi drivers, it's under drivers/net/wireless/<bcmfoldername>/<modulename>.ko)

Enjoy :)

Sent from my Xoom using xda premium
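The tutorial's two sections as one checked script, added here as an example and not the tutorial author's own code: each path the tutorial asks you to get right (toolchain prefix, bcm folder on both sides, defconfig name) is verified before anything is built, so a typo fails in a second rather than part-way through `make`. The $HOME/KERNEL/{TC,KERNEL,WIFI} layout is the tutorial's; the toolchain prefix, defconfig name and bcm folder name in the usage line are assumptions for whatever your device needs.

```shell
#!/bin/sh
# Added example, not the tutorial author's script: the tutorial's steps as
# checked shell functions. Layout is $HOME/KERNEL/{TC,KERNEL,WIFI} as in the
# tutorial; KERNEL_ROOT overrides it. Usage after sourcing this file:
#   build_wifi_module <cross-compile prefix> <bcmfolder> <defconfig> [wifi src dir]
#   e.g. build_wifi_module "$HOME/KERNEL/TC/bin/arm-linux-none-gnueabi-" bcm4330 my_defconfig
# (prefix, folder and defconfig names above are placeholders, not real values)

ROOT="${KERNEL_ROOT:-$HOME/KERNEL}"

# A usable CROSS_COMPILE prefix has an executable <prefix>gcc behind it.
toolchain_ok() {
    [ -x "${1}gcc" ]
}

# Device defconfigs live in arch/arm/configs/ (plural), not arch/arm/config/.
config_path() {
    echo "$1/arch/arm/configs/$2"
}

# The bcm folder must exist both in the WIFI sources and in the kernel tree;
# explain on stderr which side is missing.
bcm_dirs_ok() {
    kernel="$1"; wifi="$2"; bcm="$3"
    ok=0
    [ -d "$wifi/$bcm" ] || { echo "missing module source: $wifi/$bcm" >&2; ok=1; }
    [ -d "$kernel/drivers/net/wireless/$bcm" ] || { echo "missing kernel driver dir: $kernel/drivers/net/wireless/$bcm" >&2; ok=1; }
    return $ok
}

# After a build, list the .ko files produced under the bcm driver folder.
find_modules() {
    find "$1/drivers/net/wireless/$2" -name '*.ko' | sort
}

# The full procedure: cross-compile environment, copy the module source
# across (into the parent dir, so an existing folder is merged, not nested),
# select the defconfig, build the kernel, then the modules.
build_wifi_module() {
    prefix="$1"; bcm="$2"; cfg="$3"
    kernel="$ROOT/KERNEL"; wifi="${4:-$ROOT/WIFI}"
    toolchain_ok "$prefix" || { echo "no ${prefix}gcc" >&2; return 1; }
    bcm_dirs_ok "$kernel" "$wifi" "$bcm" || return 1
    [ -f "$(config_path "$kernel" "$cfg")" ] || { echo "no defconfig $cfg in $kernel/arch/arm/configs" >&2; return 1; }
    export ARCH=arm CROSS_COMPILE="$prefix"
    cp -rfv "$wifi/$bcm" "$kernel/drivers/net/wireless/" || return 1
    ( cd "$kernel" &&
      cp "$(config_path . "$cfg")" .config &&
      make clean &&
      make -j"$(nproc 2>/dev/null || echo 4)" &&
      make modules ) || return 1
    echo "kernel: $kernel/arch/arm/boot/zImage"
    find_modules "$kernel" "$bcm"
}
```

The checks are separate functions so they can be run on their own before committing to a build; `find_modules` afterwards prints the exact .ko to push to the phone, which is the file setup.sh insmods.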
3
It should work, you'll need to compile the kernel module for your version.

Any chance this works on Galaxy S?
3
C'mon guys.. If you don't have time to compile our driver, at least give us a detailed tutorial. So we can compile the driver for our own phones.
Thank you.

Sent from my GT-I9070 using xda app-developers app