[DEV] Packet injection and monitor mode support

By blackplatypus, Senior Member on 24th October 2011, 02:04 PM

Motivated by zewelor's thread about injection support for the G1, I decided to create an equal one for our beloved Hero :).

The attached kernel is Flykernel 13 by erasmux with patched compat-wireless kernel modules, using the injection patches from David and Bob's msm_wifi patch. Thanks to zewelor for the prepatched sources. This means the kernel supports packet injection and monitor mode, so you can inject packets with aireplay-ng or capture them with kismet/aircrack and so on.


What do you need?

1. Rooted HTC Hero
2. Installed recovery Image
3. 2.2 ROM
4. It is suggested to install Debian in a chroot to use aircrack, kismet and to set the card into monitor mode. A Debian image with aircrack preinstalled by zewelor can be found here: (159MB). Extract it to /sdcard/ and chroot into your Debian environment with "sh /sdcard/debian/startdeb". [TEST IT YOURSELF]

Second method:

Use the Lil'Debi installer to mount the image; instructions are here:


1) Download
2) Flash the kernel in recovery mode
3) Use the attached and scripts to load and unload the patched wifi modules for "injection mode".
4) Have fun!

Known Issues/Bugs

-If the interface is not associated to an access point it drains battery like crazy. The fix would be to backport the idle mode patch; this needs more investigation, as in my tests the kernel becomes very unstable.

-Airodump-ng and kismet stop showing traffic after 20-30 minutes; not sure if this is a display error or the interface stops working.

-In "adb shell" you need to start "screen" otherwise airodump shows no output, or you use connectbot or any other terminal app.

For Devs:

Patches to backport for the wl1251 driver can be found here:

An injection patch for compat-wireless-2.6.37-4-sn can be found here:

Prepatched compat-wireless-2010-12-22 with N900 patches by David and the config patch can be found here; thanks to zewelor for the work.


Yes, the scripts are very dirty, but hey, they work! ;)
Kernel config 2.6.29:

If you want to set the interface into monitor mode without a Linux image, push the attached (statically compiled) iwconfig to /data/local/bin and execute "/data/local/bin/iwconfig wlan0 mode monitor", or uncomment the line in both shell scripts. Of course you can copy the binary to any directory you like.

Action Time:
$adb shell
# sh
[x] Injection startup
[x] Firmware/calibration file found
[+] Load injection modules
[+] Start wlan0 interface
wlan0 should be up and running :)
lo       UP       0x00000049
dummy0   DOWN         0x00000082
rmnet0   UP 0x00001043
rmnet1   DOWN         0x00001002
rmnet2   DOWN         0x00001002
usb0     DOWN         0x00001002
wlan0    UP         0x00001003

# debian (I'm using Lil'Debi; this command starts the chroot script)
root@localhost:/# ifconfig wlan0 down (In order to set monitor mode you must shut down the interface, or edit the injection script to start iwconfig)
root@localhost:/# iwconfig wlan0 mode monitor
root@localhost:/# ifconfig wlan0 up
root@localhost:/# iwconfig wlan0
wlan0     IEEE 802.11bg  Mode:Monitor  Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

root@localhost:/# aireplay-ng --test wlan0
15:27:09  Trying broadcast probe requests...
15:27:13  Injection is working!
15:27:13  Found 1 AP

15:27:13  Trying directed probe requests...
15:27:13  E0:91:F5:XX:XX:XX - channel: 4 - 'XX_G'
15:27:43  Ping (min/avg/max): 982.727ms/993.888ms/1001.832ms Power: -70.16
15:27:43  19/30:  63%

root@localhost:/# exit

# sh
[x] Stop Injection
[-] Stop wlan0 interface
[-] Unload injection modules
[+] Load wlan.ko module
[+] Load Firmware
[+] Start tiwlan0 interface
tiwlan0 should be up and running :)
lo       UP       0x00000049
dummy0   DOWN         0x00000082
rmnet0   UP 0x00001043
rmnet1   DOWN         0x00001002
rmnet2   DOWN         0x00001002
usb0     DOWN         0x00001002
tiwlan0  UP         0x00001043

Now enable wifi in android!
Remember these are not my patches, I only provide the patched kernel/kernel modules and loading scripts! Regarding functionality and stability: take it or leave it! I don't have the time or skill to make real modifications to the kernel module code to fix or improve stuff. You are free and welcome to post any progress you make.
Last edited by blackplatypus; 24th October 2011 at 03:32 PM.
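A small helper, added here as an example and not part of the original post or its scripts, for checking that the steps above actually took: it reads the Mode field out of iwconfig output and decodes the hex flags column of the netcfg listing the injection script prints (standard Linux IFF_* bit values). The interface name wlan0 and the two output formats are taken from the post; the sample outputs embedded below are constructed copies of what the post shows. The set_monitor function wraps the three commands from the session and is meant to be run only on the phone inside the chroot; everything else runs anywhere with a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies the result of the
# monitor-mode procedure instead of trusting that the commands succeeded.

# Extract the Mode:<value> field from iwconfig output read on stdin
# (Monitor, Managed, Ad-Hoc, ...). Prints nothing if no Mode field exists.
iw_mode() {
    sed -n 's/.*Mode:\([A-Za-z-]*\).*/\1/p' | head -n 1
}

# Decode the hex flags column of Android's netcfg output into names,
# using the standard Linux IFF_* bit values.
decode_flags() {
    f=$(( $1 ))
    out=""
    [ $(( f & 0x1 )) -ne 0 ]    && out="$out UP"
    [ $(( f & 0x2 )) -ne 0 ]    && out="$out BROADCAST"
    [ $(( f & 0x8 )) -ne 0 ]    && out="$out LOOPBACK"
    [ $(( f & 0x80 )) -ne 0 ]   && out="$out NOARP"
    [ $(( f & 0x40 )) -ne 0 ]   && out="$out RUNNING"
    [ $(( f & 0x1000 )) -ne 0 ] && out="$out MULTICAST"
    printf '%s\n' "${out# }"
}

# Print the decoded flags of one interface taken from netcfg output on stdin.
iface_flags() {
    hex=$(awk -v n="$1" '$1 == n { print $3; exit }')
    [ -n "$hex" ] || { echo "no such interface: $1" >&2; return 1; }
    decode_flags "$hex"
}

# The three commands from the post's session, followed by a real check.
# Phone-only: needs the patched modules loaded and iwconfig on the PATH.
set_monitor() {
    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up
    mode=$(iwconfig wlan0 2>/dev/null | iw_mode)
    [ "$mode" = "Monitor" ] || { echo "wlan0 is in mode '$mode', not Monitor" >&2; return 1; }
    echo "wlan0 is in monitor mode"
}

# Constructed sample: the iwconfig output shown in the post.
SAMPLE_IWCONFIG='wlan0     IEEE 802.11bg  Mode:Monitor  Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:on'

# Constructed sample: the netcfg listing printed after "Start wlan0 interface".
SAMPLE_NETCFG='lo       UP       0x00000049
dummy0   DOWN         0x00000082
rmnet0   UP 0x00001043
wlan0    UP         0x00001003'

# Offline demonstration on the samples (the hardware function is not called).
printf 'sample iwconfig mode: %s\n' "$(printf '%s\n' "$SAMPLE_IWCONFIG" | iw_mode)"
printf 'sample wlan0 flags:   %s\n' "$(printf '%s\n' "$SAMPLE_NETCFG" | iface_flags wlan0)"
```

Note what the sample decodes to: wlan0 at 0x00001003 is UP, BROADCAST and MULTICAST but not RUNNING, which is expected right after the script brings it up with no association, while rmnet0 at 0x00001043 carries RUNNING. A 0x00001002 line (BROADCAST MULTICAST without UP) means the script's ifconfig up step did not take, which is worth checking before blaming the modules.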
24th October 2011, 02:05 PM | #2 by blackplatypus (OP), Senior Member

Q: What does packet injection and monitor mode mean?
A: It means that this thread is not for you!

Q: Does this stuff work for my XY phone?
A: No! This kernel is only for the HTC Hero. You need a phone which has the TI WL1251 wifi chipset, e.g. G1, HTC Hero (aka G2), Nokia N900 (Maemo)... and build your own kernel.

Q: I have a problem with aircrack-ng,kismet...
A: This thread is about packet injection and monitor mode for the TI WL1251 and not about aircrack or kismet. I have nothing against serious questions, but I want to avoid script kiddies derailing the thread with non-topic-related questions.

Q: I can't get the debian image running
A: Search the forum, there are a lot of different threads with instructions, or use the Lil'Debi installer.

Q: I have a problem not related to aircrack-ng or kismet, can you help me?
A: I try to, however please post the question in the thread and _NOT_ via PM.

Q: Why not use Las Venturax kernel sources?
A: If there is demand I will post it, unfortunately it does not support "on the fly" switching between "regular and patched" wifi, which means every time you want to use the normal wlan module you need to reflash the kernel.

A lot of questions are already answered in the G1 thread:
Last edited by blackplatypus; 24th October 2011 at 03:27 PM.