
[DEV] Packet injection and monitor mode support

OP blackplatypus

24th October 2011, 03:04 PM   |  #1  
OP Senior Member
Thanks Meter: 20
123 posts
Joined: Jan 2008

Motivated by zewelor's thread about injection support for the G1, I decided to create an equal one for our beloved Hero :).

The attached kernel is Flykernel 13 by erasmux with patched compat-wireless kernel modules, using the injection patches from David and Bob's msm_wifi patch. Thanks to zewelor for the prepatched sources. This means the kernel supports packet injection and monitor mode, so you can inject packets with aireplay-ng or capture them with kismet/aircrack and so on.


What do you need?

1. Rooted HTC Hero
2. Installed recovery Image
3. 2.2 Rom
4. It is suggested to install Debian in a chroot to use aircrack, kismet and to set the card into monitor mode. A Debian image with aircrack preinstalled by zewelor can be found here: http://www.megaupload.com/?d=HA6CJKET (159MB). Extract it to /sdcard/ and chroot into your Debian environment with "sh /sdcard/debian/startdeb". [TEST IT YOURSELF]

Second method:

Use the Lil'Debi installer to mount the image; instructions are here: https://guardianproject.info/2011/06...an-on-android/.


1) Download injection_FlyKernel-13.zip
2) Flash the kernel in recovery mode
3) Use the attached start-inject.sh and stop-inject.sh scripts to load and unload the patched wifi modules for "injection mode".
4) Have fun!

Known Issues/Bugs

-If the interface is not associated to an access point it drains battery like crazy. The fix is to backport the idle mode patch; this needs more investigation, as in my tests the kernel becomes very unstable.

-Airodump-ng and kismet stop showing traffic after 20-30 mins; not sure if it is a display error or the interface stops working.

-In "adb shell" you need to start "screen", otherwise airodump shows no output; alternatively use ConnectBot or any other terminal app.

For Devs:

Patches to backport for the wl1251 driver can be found here:

An injection patch for compat-wireless-2.6.37-4-sn can be found here: http://trac.pentoo.ch/export/2496/po...t-2.6.37.patch

Prepatched compat-wireless-2010-12-22 with the n900 patches by David and the config patch can be found here: http://forum.xda-developers.com/atta...0&d=1316713392 (thanks for the work, zewelor).

89fc9c7fd97dab56d3220e93dea77d63 kernel-config_2.6.29.zip
e03c0a22bcb5425f1b301f463ea87490 injection_FlyKernel-13.zip
8009fa3c70211aaa329a6456eb0af6c8 iwconfig-static.zip
14b1866cc2b60ddbc1b565dab4a219d8 injection_scripts.zip

Yes the scripts are very dirty, but hey they work! ;)

start-inject.sh: http://pastebin.com/MDKc2WJm
stop-inject.sh: http://pastebin.com/UuX83CBD
kernel config 2.6.29: http://pastebin.com/8ASmEAgN

If you want to set the interface into monitor mode without a Linux image, push the attached (statically compiled) iwconfig to /data/local/bin and execute "/data/local/bin/iwconfig wlan0 mode monitor", or uncomment the line in both shell scripts. Of course you can copy the binary into any directory you like.

Action Time:
$adb shell
# sh start-inject.sh
[x] Injection startup
[x] Firmware/calibration file found
[+] Load injection modules
[+] Start wlan0 interface
wlan0 should be up and running :)
lo       UP       0x00000049
dummy0   DOWN         0x00000082
rmnet0   UP 0x00001043
rmnet1   DOWN         0x00001002
rmnet2   DOWN         0x00001002
usb0     DOWN         0x00001002
wlan0    UP         0x00001003

# debian (I'm using lil´debian this command starts the chroot script)
root@localhost:/# ifconfig wlan0 down (In order to set monitor mode you must shut down the interface, or edit the injection script to start iwconfig)
root@localhost:/# iwconfig wlan0 mode monitor
root@localhost:/# ifconfig wlan0 up
root@localhost:/# iwconfig wlan0
wlan0     IEEE 802.11bg  Mode:Monitor  Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

root@localhost:/# aireplay-ng --test wlan0
15:27:09  Trying broadcast probe requests...
15:27:13  Injection is working!
15:27:13  Found 1 AP

15:27:13  Trying directed probe requests...
15:27:13  E0:91:F5:XX:XX:XX - channel: 4 - 'XX_G'
15:27:43  Ping (min/avg/max): 982.727ms/993.888ms/1001.832ms Power: -70.16
15:27:43  19/30:  63%

root@localhost:/# exit

# sh stop-inject.sh
[x] Stop Injection
[-] Stop wlan0 interface
[-] Unload injection modules
[+] Load wlan.ko module
[+] Load Firmware
[+] Start tiwlan0 interface
tiwlan0 should be up and running :)
lo       UP       0x00000049
dummy0   DOWN         0x00000082
rmnet0   UP 0x00001043
rmnet1   DOWN         0x00001002
rmnet2   DOWN         0x00001002
usb0     DOWN         0x00001002
tiwlan0  UP         0x00001043

Now enable wifi in android!
Remember these are not my patches, I only provide the patched kernel/kernel modules and loading scripts! Regarding the functionality and stability: take it or leave it! I do not have the time or skill to make real modifications to the kernel module code to fix or improve stuff. You are free and welcome to post any progress you made.
Attached files: injection_FlyKernel-13.zip (4.37 MB), iwconfig-static.zip (330.7 KB), injection_scripts.zip (1.5 KB), kernel-config_2.6.29.zip (10.3 KB)
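Added example, not part of the thread or of the posted start/stop scripts: a small POSIX sh helper that performs the monitor-mode steps shown in the session above, enforces the "interface must be down first" caveat, and verifies the result by parsing iwconfig output. It assumes ifconfig and iwconfig (e.g. the static iwconfig from the post) are on PATH and that the interface is called wlan0 unless another name is given.

```shell
#!/bin/sh
# Hypothetical helper (added example): switch a wl1251 interface between
# monitor and managed mode with the interface-down step the post requires,
# then confirm the mode from "iwconfig <iface>" output.
# Assumes ifconfig and iwconfig are on PATH (not verified here).

# Print the value after "Mode:" in iwconfig output read from stdin
# (e.g. "Monitor" or "Managed"); prints nothing if the field is absent,
# as for "wlan0  no wireless extensions.".
iw_mode() {
    sed -n 's/.*Mode:\([A-Za-z-]*\).*/\1/p' | head -n 1
}

# Query the live mode of an interface; empty output means unknown.
current_mode() {
    iwconfig "$1" 2>/dev/null | iw_mode
}

# Bring the interface down, set the requested mode, bring it back up and
# verify. Returns non-zero if any step fails or the mode did not change.
set_mode() {
    ifc="$1"; want="$2"
    ifconfig "$ifc" down || return 1
    if ! iwconfig "$ifc" mode "$want"; then
        ifconfig "$ifc" up        # restore a usable interface on failure
        return 1
    fi
    ifconfig "$ifc" up || return 1
    # iwconfig reports the mode capitalised ("Monitor", "Managed").
    case "$(current_mode "$ifc")" in
        Monitor) [ "$want" = monitor ] ;;
        Managed) [ "$want" = managed ] ;;
        *) return 1 ;;
    esac
}

enter_monitor() { set_mode "${1:-wlan0}" monitor; }
leave_monitor() { set_mode "${1:-wlan0}" managed; }

# Only touch real interfaces when invoked with an action argument, e.g.
#   sh monitor.sh enter wlan0   /   sh monitor.sh leave wlan0
if [ $# -gt 0 ]; then
    case "$1" in
        enter) enter_monitor "$2" && echo "${2:-wlan0} is in monitor mode" ;;
        leave) leave_monitor "$2" && echo "${2:-wlan0} is back in managed mode" ;;
        *) echo "usage: $0 enter|leave [iface]" >&2; exit 2 ;;
    esac
fi
```

Run "sh monitor.sh leave wlan0" before stop-inject.sh so the interface is back in managed mode when the regular wlan.ko module is reloaded.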
24th October 2011, 03:05 PM | #2 | OP blackplatypus

Q: What does packet injection and monitor mode mean?
A: It means that this thread is not for you!

Q: Does this stuff work for my XY phone?
A: No! This kernel is only for the HTC Hero; you need a phone which has the TI WL1251 wifi chipset, e.g. G1, HTC Hero aka G2, Nokia N900 maemo... and build your own kernel.

Q: I have a problem with aircrack-ng,kismet...
A: This thread is about packet injection and monitor mode for the TI WL1251 and not about aircrack or kismet. I have nothing against serious questions, but I want to avoid script kiddies derailing the thread with questions not related to the topic.

Q: I can't get the debian image running
A: Search the forum, there are a lot of different threads with instructions or use Lil`Debi Installer.

Q: I have a problem not related to aircrack-ng or kismet, can you help me?
A: I will try to; however, please post the question in the thread and _NOT_ via PM.

Q: Why not use Las Venturax kernel sources?
A: If there is demand I will post it, unfortunately it does not support "on the fly" switching between "regular and patched" wifi, which means every time you want to use the normal wlan module you need to reflash the kernel.

A lot of questions are already answered in the G1 thread: http://forum.xda-developers.com/show....php?t=1271854