Motivated by zewelor´s thread about injection support for the G1, I decided to create an equal one for our beloved Hero :).
The attached kernel is Flykernel 13 by erasmux with patched compat wireless kernel modules, using the injection patches from David and Bobs msm_wifi patch. Thanks to zewelor for the prepatched sources. This means the kernel supports packet injection and monitor mode, so you can inject packets with aireplay-ng or capture them with kismet/aircrack and so on.
ALWAYS MAKE A NANDROID BACKUP!
What do you need?
1. Rooted HTC Hero
2. Installed recovery Image
3. 2.2 Rom
4. It is suggested to install debian in chroot to use aircrack, kismet and set the card into monitor mode. An debian image with aircrack preinstalled by zewelor you can find here: http://www.megaupload.com/?d=HA6CJKET (159MB) extract it on the /sdcard/ and chroot in your debian environment with "sh /sdcard/debian/startdeb". [TEST IT YOURSELF]
Use Lil`debi installer to mount the image, instructions are here: https://guardianproject.info/2011/06...an-on-android/.
1) Download injection_FlyKernel-13.zip
2) Flash the kernel in recovery mode
3) Use the attached start-inject.sh and stop-inject.sh scripts to load and unload the patched wifi modules for "injection mode".
4) Have fun!
-If the interface is not associated to an access point it drains battery like crazy. The fix is to backport the idle mode patch, needs more investigation in my tests the kernel becomes very unstable.
-Airodump-ng and kismet stop showing traffic after 20-30mins, not sure if display error or interface stops working.
-In "adb shell" you need to start "screen" otherwise airodump shows no output, or you use connectbot or any other terminal app.
Patches to backport for the wl1251 driver you can find here:
An injection patch for the compat-wireless-2.6.37-4-sn you find here: http://trac.pentoo.ch/export/2496/po...t-2.6.37.patch
Prepatched compat-wireless-2010-12-22 with n900 patches by david and config patch you find here http://forum.xda-developers.com/atta...0&d=1316713392 thanks for the work zewelor.
Yes the scripts are very dirty, but hey they work! ;)
kernel config 2.6.29: http://pastebin.com/8ASmEAgN
If you want to set the interface into monitor mode without a linux image, push the attached (static compiled) iwconfig to /data/local/bin and execute "/data/local/bin/iwconfig wlan0 mode monitor" or uncomment the line in both shell scripts, of course you can copy the binary in any directory you like.
$adb shell # sh start-inject.sh [x] Injection startup [x] Firmware/calibration file found [+] Load injection modules [+] Start wlan0 interface wlan0 should be up and running :) lo UP 127.0.0.1 255.0.0.0 0x00000049 dummy0 DOWN 0.0.0.0 0.0.0.0 0x00000082 rmnet0 UP 126.96.36.199 255.255.255.248 0x00001043 rmnet1 DOWN 0.0.0.0 0.0.0.0 0x00001002 rmnet2 DOWN 0.0.0.0 0.0.0.0 0x00001002 usb0 DOWN 0.0.0.0 0.0.0.0 0x00001002 wlan0 UP 0.0.0.0 0.0.0.0 0x00001003 # debian (I'm using lil´debian this command starts the chroot script) root@localhost:/# ifconfig wlan0 down (In order to set monitor mode you most shutdown the interface or edit the injection script to start iwconfig) root@localhost:/# iwconfig wlan0 mode monitor root@localhost:/# ifconfig wlan0 up root@localhost:/# iwconfig wlan0 wlan0 IEEE 802.11bg Mode:Monitor Tx-Power=20 dBm Retry long limit:7 RTS thr:off Fragment thr:off Power Management:on root@localhost:/# aireplay-ng --test wlan0 15:27:09 Trying broadcast probe requests... 15:27:13 Injection is working! 15:27:13 Found 1 AP 15:27:13 Trying directed probe requests... 15:27:13 E0:91:F5:XX:XX:XX - channel: 4 - 'XX_G' 15:27:43 Ping (min/avg/max): 982.727ms/993.888ms/1001.832ms Power: -70.16 15:27:43 19/30: 63% root@localhost:/# exit logout # sh stop-inject.sh [x] Stop Injection [-] Stop wlan0 interface [-] Unload injection modules [+] Load wlan.ko module [+] Load Firmware [+] Start tiwlan0 interface tiwlan0 should be up and running :) lo UP 127.0.0.1 255.0.0.0 0x00000049 dummy0 DOWN 0.0.0.0 0.0.0.0 0x00000082 rmnet0 UP 188.8.131.52 255.255.255.248 0x00001043 rmnet1 DOWN 0.0.0.0 0.0.0.0 0x00001002 rmnet2 DOWN 0.0.0.0 0.0.0.0 0x00001002 usb0 DOWN 0.0.0.0 0.0.0.0 0x00001002 tiwlan0 UP 0.0.0.0 0.0.0.0 0x00001043 Now enable wifi in android!