Working wifi monitor mode!!!

shoote · 11:07 PM

Working wifi monitor mode!!!

UPDATE: added injection support for bcm4329 firmware
I just uploaded a new patched firmware version for bcm4329, this version adds raw packet injection support.

Issues

Low injection speed - on my nexus one the injection is working really slow. It seems that the injection speed starts fine but then slows down to as slow as ~700ms per packet.
Radiotap - we don't handle radiotap on packet injection. 'aireplay-ng' works fine with it but tools like 'reaver' seem to require it.

Greetings,

We are a group of 3 researchers and in the last few weeks we have successfully added "monitor mode" support to the common broadcom wifi chipsets: BCM4329 and BCM4330. We have a working PoC on Galaxy S 2 and Nexus One.

We opened a new blog with all of the details at:
http://bcmon.blogspot.com

For the lazy ones the current status is:
bcm4329 - Fully working monitor mode on our Nexus One
bcm4330 - successful PoC - monitor mode on Galaxy S II
We havent tested it yet, but if you have a phone with one of those chipsets (and you most probably have one), it should also work on your phone too.

We would appreciate any comments on the forum or to our mail "contact dot bcmon at gmail dot com"

Its been a long day (with little sleep) so good night/morning and enjoy

Ruby, Yuval and Omri

UPDATE: if you had wireless-tools errors with airodump-ng try the new utils.zip version.

MemoryController · 18th September 2012, 11:01 AM

Awesome!!! The bcm4330 is fully functional?

Sent from my GT-I9100 running CM10

shoote · 18th September 2012, 11:38 AM

We are still working on packet injection but monitor mode is fully functional.
Since you use CM10 you will need to compile the kernel object yourself.

** If it works for you please send us the binary so we can share it

Quote:

Originally Posted by MemoryController

Awesome!!! The bcm4330 is fully functional?

Sent from my GT-I9100 running CM10

flow3d · 18th September 2012, 12:28 PM

added gs2 bundle

fixed the svn branch of bcm4330, if you downloaded the previous version, please update.

also added a gs2 bundle file to the bundle directory

MemoryController · 18th September 2012, 01:07 PM

Compiling for siyah soon can't wait! If you guys could share the ida databases for a fellow reverser that would be great!!

Sent from my GT-I9100 running CM10

yuvalof · 18th September 2012, 01:57 PM

Quote:

Originally Posted by MemoryController

Compiling for siyah soon can't wait! If you guys could share the ida databases for a fellow reverser that would be great!!

Sent from my GT-I9100 running CM10

Great! Please post updates and share the binary KO with us, so we can upload it for other users!

as for the IDB file - dont worry, we will share some info on the reversing process soon

MemoryController · 18th September 2012, 03:21 PM

So to compile i have to replace original driver source in my kernel with this one? Judging from the build.sh script.

yuvalof · 18th September 2012, 03:28 PM

Quote:

Originally Posted by MemoryController

So to compile i have to replace original driver source in my kernel with this one? Judging from the build.sh script.

Yes.
We will upload a patch in a few hours for more easier compilation...

Currently we are working on packet injection for bcm4329...

MemoryController · 07:33 AM

Deleted

MemoryController · 07:31 AM

These should work, it insmods fine however i get library problems with iwconfig and airodump gives cant find wireless tools. Anyway here are the kernel and the module.

1.Flash the zImage
2.Use the dhd.ko
3.Give thanks to the bcmon team
4.???
5.Profit