
Working wifi monitor mode!!!

18th September 2012, 05:43 AM | #1 | shoote (OP, Junior Member)
UPDATE: added injection support for bcm4329 firmware
I just uploaded a new patched firmware version for bcm4329, this version adds raw packet injection support.

Issues
  • Low injection speed - on my Nexus One the injection is working really slowly. It seems that the injection speed starts fine but then slows down to as slow as ~700 ms per packet.
  • Radiotap - we don't handle radiotap on packet injection. 'aireplay-ng' works fine with it, but tools like 'reaver' seem to require it.

Greetings,

We are a group of 3 researchers and in the last few weeks we have successfully added "monitor mode" support to the common broadcom wifi chipsets: BCM4329 and BCM4330. We have a working PoC on Galaxy S 2 and Nexus One.

We opened a new blog with all of the details at:
http://bcmon.blogspot.com

For the lazy ones the current status is:
bcm4329 - Fully working monitor mode on our Nexus One
bcm4330 - successful PoC - monitor mode on Galaxy S II
We haven't tested it yet, but if you have a phone with one of those chipsets (and you most probably have one), it should work on your phone too.

We would appreciate any comments on the forum or to our mail "contact dot bcmon at gmail dot com"

It's been a long day (with little sleep), so good night/morning and enjoy.

Ruby, Yuval and Omri

UPDATE: if you had wireless-tools errors with airodump-ng try the new utils.zip version.
Attached Files
File Type: zip gs2_bundle.zip (317.9 KB, 5207 views)
File Type: zip nexus_bundle.zip (1.16 MB, 2864 views)
File Type: zip utils.zip (7.33 MB, 6049 views)
Last edited by shoote; 30th September 2012 at 11:07 PM.
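The first post's "Radiotap" issue is about the header that sits in front of every frame a monitor-mode interface delivers (and that injection tools expect to be able to prepend). The following is an added example, not code from the bcmon project or its driver: a small parser for the radiotap header and the 802.11 MAC header behind it, following the public radiotap layout (version, pad, it_len, present bitmap, then naturally aligned fields), with a basic wireless-IDS style check that counts deauthentication/disassociation frames per transmitter. The field table covers only a few common radiotap bits, the sample capture bytes are constructed here rather than taken from a device, and the names `parse_radiotap`, `parse_80211`, `describe_capture` and `deauth_sources` are this example's own.

```python
# Added example (not bcmon code): decode what a monitor-mode interface hands
# up, i.e. a radiotap header followed by the raw 802.11 frame. Layout per the
# public radiotap spec: version, pad, it_len, present bitmap, aligned fields.
import struct
from collections import Counter

# bit -> (field name, alignment, struct format); only a few common bits tabled
RADIOTAP_FIELDS = {
    0: ("tsft", 8, "<Q"),       # 64-bit MAC timestamp
    1: ("flags", 1, "<B"),      # 0x10 = frame carries a trailing FCS
    2: ("rate", 1, "<B"),       # rate in 500 kbps units
    3: ("channel", 2, "<HH"),   # frequency in MHz, channel flags
    5: ("dbm_antsignal", 1, "<b"),
}
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon",
                 10: "disassociation", 11: "authentication",
                 12: "deauthentication"}


def parse_radiotap(buf):
    """Return (header dict, bytes following it_len)."""
    if len(buf) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version %d" % version)
    if length > len(buf):
        raise ValueError("it_len exceeds buffer")
    off, word = 8, present
    while word & (1 << 31):  # bit 31: another present word follows
        if off + 4 > length:
            raise ValueError("truncated present bitmap")
        word = struct.unpack_from("<I", buf, off)[0]
        off += 4
    fields = {}
    for bit in range(29):  # 29/30 are namespace bits, 31 is ext
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break  # unknown field size: stop rather than guess
        name, align, fmt = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) & ~(align - 1)  # aligned from header start
        size = struct.calcsize(fmt)
        if off + size > length:
            raise ValueError("field %s runs past it_len" % name)
        vals = struct.unpack_from(fmt, buf, off)
        fields[name] = vals[0] if len(vals) == 1 else vals
        off += size
    return {"version": version, "length": length, "fields": fields}, buf[length:]


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_80211(frame, has_fcs=False):
    """Decode the 802.11 MAC header, plus the reason code of deauth/disassoc."""
    if has_fcs:
        frame = frame[:-4]  # drop CRC-32 when the driver passes it up
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    sub = MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == 0 else str(subtype)
    info = {"type": FRAME_TYPES[ftype], "subtype": sub,
            "addr1": _mac(frame[4:10]), "addr2": _mac(frame[10:16]),
            "addr3": _mac(frame[16:22])}
    if ftype == 0 and subtype in (10, 12) and len(frame) >= 26:
        info["reason_code"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def describe_capture(buf):
    """Radiotap header plus decoded frame for one captured packet."""
    rt, frame = parse_radiotap(buf)
    return rt, parse_80211(frame, bool(rt["fields"].get("flags", 0) & 0x10))


def deauth_sources(captures, threshold):
    """Transmitters sending >= threshold deauth/disassoc frames (basic WIDS check)."""
    counts = Counter()
    for buf in captures:
        _, fr = describe_capture(buf)
        if fr["type"] == "management" and fr["subtype"] in ("deauthentication", "disassociation"):
            counts[fr["addr2"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample, not a real capture: 22-byte radiotap header (TSFT, flags,
# rate, channel present) followed by a deauthentication frame, reason code 7.
_RADIOTAP = (struct.pack("<BBHI", 0, 0, 22, 0b1111)
             + struct.pack("<Q", 0x1234)           # tsft
             + bytes([0x00, 0x02])                 # flags = 0, rate = 1 Mbps
             + struct.pack("<HH", 2412, 0x00A0))   # channel 1, 2 GHz | CCK
_DEAUTH = (bytes([0xC0, 0x00, 0x00, 0x00])         # frame control, duration
           + bytes.fromhex("001122334455")         # addr1 (DA)
           + bytes.fromhex("66778899aabb")         # addr2 (SA)
           + bytes.fromhex("66778899aabb")         # addr3 (BSSID)
           + bytes([0x10, 0x00])                   # sequence control
           + struct.pack("<H", 7))                 # reason code
SAMPLE_CAPTURE = _RADIOTAP + _DEAUTH
```

Two details matter for anyone consuming a monitor-mode feed: radiotap field alignment is measured from the start of the radiotap header, not from the previous field, and the `flags` bit 0x10 tells you whether the driver left the 4-byte FCS on the frame, which otherwise ends up misread as payload.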
18th September 2012, 11:01 AM | #2 | MemoryController (Senior Member, Thessaloniki)
Awesome!!! The bcm4330 is fully functional?

Sent from my GT-I9100 running CM10
18th September 2012, 11:38 AM | #3 | shoote (OP, Junior Member)
We are still working on packet injection but monitor mode is fully functional.
Since you use CM10 you will need to compile the kernel object yourself.

** If it works for you please send us the binary so we can share it

Quote:
Originally Posted by MemoryController

Awesome!!! The bcm4330 is fully functional?

Sent from my GT-I9100 running CM10

18th September 2012, 12:28 PM | #4 | Junior Member
Added GS2 bundle
Fixed the SVN branch of bcm4330; if you downloaded the previous version, please update.

Also added a GS2 bundle file to the bundle directory.
18th September 2012, 01:07 PM | #5 | MemoryController (Senior Member, Thessaloniki)
Compiling for Siyah soon, can't wait! If you guys could share the IDA databases for a fellow reverser, that would be great!!

Sent from my GT-I9100 running CM10
18th September 2012, 01:57 PM | #6 | yuvalof (Junior Member)
Quote:
Originally Posted by MemoryController

Compiling for Siyah soon, can't wait! If you guys could share the IDA databases for a fellow reverser, that would be great!!

Sent from my GT-I9100 running CM10

Great! Please post updates and share the binary KO with us, so we can upload it for other users!

As for the IDB file - don't worry, we will share some info on the reversing process soon.
18th September 2012, 03:21 PM | #7 | MemoryController (Senior Member, Thessaloniki)
So to compile I have to replace the original driver source in my kernel with this one? Judging from the build.sh script.
18th September 2012, 03:28 PM | #8 | yuvalof (Junior Member)
Quote:
Originally Posted by MemoryController

So to compile I have to replace the original driver source in my kernel with this one? Judging from the build.sh script.

Yes.
We will upload a patch in a few hours for easier compilation...

Currently we are working on packet injection for bcm4329...
18th September 2012, 03:29 PM | #9 | MemoryController (Senior Member, Thessaloniki)
Deleted
Attached Files
File Type: zip dhd.ko.zip (210.9 KB, 1018 views)
Last edited by MemoryController; 19th September 2012 at 07:33 AM.
18th September 2012, 06:28 PM | #10 | MemoryController (Senior Member, Thessaloniki)
These should work; it insmods fine, however I get library problems with iwconfig, and airodump gives "can't find wireless tools". Anyway, here are the kernel and the module.

1. Flash the zImage
2. Use the dhd.ko
3. Give thanks to the bcmon team
4. ???
5. Profit
Attached Files
File Type: zip bcm4330_mon.zip (212.2 KB, 1903 views)
File Type: zip siyah415_monitor.zip (6.41 MB, 1945 views)
Last edited by MemoryController; 19th September 2012 at 07:31 AM. Reason: Added links