XDA Developers Android and Mobile Development Forum

[DEV] Get Monitor Mode/Injection/Aircrack working on Galaxy S Devices(bcm4329)

worstenbrood
#61
Quote (originally posted by putero):
    Looking for coders xd.
    We need aircrack-ng on Galaxy S. I'm going to learn how to cook this code. I'll be back in 5 years xd.

    Sent from my Galaxy S. Darkyy ROM xxjpy with voodoo 5.5 (supercurio), voodoo app, BLN!!! //twitter putero//
As long as we don't have a monitor-mode-enabled fw_bcm4329.bin it will never happen; adjusting the driver alone doesn't work (already tried that). The bcm4329 is a FullMAC interface, which means that all the heavy work is done by a chip on the interface, not by the driver. The .bin is the "software" for that chip. Reversing it is not so simple, and Broadcom doesn't want to implement monitor mode since there is no request for it from their clients.
 
sambwel
(Last edited by sambwel; 20th September 2012 at 01:43 AM.)
#62
Quote (originally posted by worstenbrood):
    As long as we don't have a monitor-mode-enabled fw_bcm4329.bin it will never happen; adjusting the driver alone doesn't work (already tried that). The bcm4329 is a FullMAC interface, which means that all the heavy work is done by a chip on the interface, not by the driver. The .bin is the "software" for that chip. Reversing it is not so simple, and Broadcom doesn't want to implement monitor mode since there is no request for it from their clients.
Heads up! Monitor mode has now been achieved for bcm4329 & bcm4330: http://bcmon.blogspot.com

The solution is essentially to bolt on a softmac driver that "steals" the full packets from the chip so headers are not stripped. Injection is in the works apparently!

This is a huge step forward and is an elegant and sensible solution to the problem of the bcm4329's FullMAC interface.

EDIT: XDA thread from the dev here http://forum.xda-developers.com/show....php?t=1892535
 
Cjen1987
#63
Ubuntu 12.04 with aircrack IMG for Android can be found here:
Ubuntu-12-04v2-aircrack-ng-on-android
 
CoolApps
#64
Quote (originally posted by Cjen1987):
    Ubuntu 12.04 with aircrack IMG for Android can be found here:
    Ubuntu-12-04v2-aircrack-ng-on-android
Not really a good place, since Virgin Media blocked it and I have to use TunnelBear to access it.
By the way, I am not saying the site is bad; what I am saying is that it takes time to bypass the proxy (Orbot, aka Tor, does not help).

 
Edge-Case
(Last edited by Edge-Case; 14th November 2013 at 06:43 PM.)
#65
I do have Kali/CyanogenMod running on my phone right now. I can launch and use Metasploit, but PostgreSQL doesn't work yet, so there is no database; it works, there's just no DB to store info in, that's all. Maybe connecting to a DB on a laptop over the network would work, but I haven't tried it. This is not a chroot environment: /bin, /sbin, /usr, /var and /opt have all been added to Android's / directory, and then the files that belong in them get --bind mounted (right now I run a script for mounting when I turn on my phone, but it will be added to the init boot sequence when I get into it).

Apt-get works because the actual Linux-side directories exist on my external sdcard (a few permissions in Android's source had to be changed, then built into the ROM) and then get mounted to Android's root as I said before.

The biggest issue with getting Linux binaries to run in Android's root is that normally there is no /lib directory with the proper glibc (special GNU or GPL libc for embedded devices). Android uses a different C library called Bionic that gets linked to executables (Bionic is in /system/lib I believe, and the linker is in /system/bin), so as I understand it, now that I have added /lib to Android, glibc-based executables can now link with it via the linker in /usr/bin, I believe; correct me if I am wrong.

Very few specific mods/hacks to Android's source need to be done to accomplish this. I know the Kali docs have info on patching a Samsung device with wireless injection drivers, though I am not sure if it will work with the GS I/II/III. I own an S III. I need to look into this, so thank you everyone for the links.

Py4A can also be extracted from its installation location (needs root) to /system/xbin, and if you put the libs in a good place and add PYTHON_HOME and all that, you can get Python working on the command line like bash does on CM; not sure if other ROMs come with bash.

But as far as I know Metasploit uses Ruby, and SL4A has JRuby, and I am not sure if they are compatible. But I had to install Metasploit on my phone and the package wasn't available from Kali's repository for whatever reason, so what I did (remember I have a full distro running) was follow some instructions for compiling Ruby 1.9.3 (I think) and then use that to install Metasploit, yes, on my phone with no chroot. (I didn't install any desktop or GUI apps, for somewhat obvious reasons regarding X Windows and Android's front "desktop" on Dalvik.) But still no PostgreSQL DB; you don't need a DB to run Metasploit, you just can't save the nmap scans for automation, and I am sure some modules require a DB. As a note, Android does now have sqlite3, which I have heard is usable with Metasploit but not optimal for large-scale testing, but I have yet to figure out how to use sqlite3 instead of PostgreSQL.

In regards to getting PostgreSQL and services like nfs-kernel-server, nfs-common, openssh, samba, cups, beef, etc., I think permissions for those services need to be baked into Android ROMs, so I need to get off my arse and get to work.

```console
localhost / # ls
acct                        init.target.rc
bin                         init.trace.rc
cache                       init.usb.rc
charger                     initlogo.rle
config                      lib
d                           lpm.rc
data                        media
default.prop                mnt
dev                         opt
efs                         persist
etc                         proc
extSdCard                   res
firmware                    root
fstab.qcom                  run
home                        sbin
init                        sdcard
init.cm.rc                  selinux
init.goldfish.rc            srv
init.qcom.class_core.sh     storage
init.qcom.class_main.sh     sys
init.qcom.early_boot.sh     system
init.qcom.lpm_boot.sh       tmp
init.qcom.rc                tombstones
init.qcom.sh                ueventd.goldfish.rc
init.qcom.syspart_fixup.sh  ueventd.qcom.rc
init.qcom.usb.rc            ueventd.rc
init.qcom.usb.sh            usbdisk0
init.rc                     usr
init.recovery.qcom.rc       var
init.superuser.rc           vendor
localhost / # export HOME=/root
localhost / # cd
localhost ~ # ls
localhost ~ # which ruby
/usr/bin/ruby
localhost ~ # echo $PATH
/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
localhost ~ # which python
/usr/bin/python
localhost ~ # which gcc
/usr/bin/gcc
localhost ~ # which apt-get
/usr/bin/apt-get
localhost ~ # which msfconsole
/usr/bin/msfconsole
localhost ~ # which aircrack-ng
/usr/bin/aircrack-ng
localhost ~ # ifconfig wlan0 promisc
localhost ~ #
```

Some useful links:

http://elinux.org/Android_Kernel_Features // Good read on the Android-specific parts of the kernel

http://www.androidenea.com/2010/03/s...binder-in.html // Info on Binder and ashmem and how to share memory!
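The boot-time mount script Edge-Case mentions is not posted, so here is one as an added example (my code, not Edge-Case's and not part of Kali or CyanogenMod). It assumes the glibc userland lives under /storage/extSdCard/linux (an assumed path), that the matching empty directories have already been created in the Android ramdisk's /, and that /proc/mounts is readable; the variable and function names are mine. It leaves /etc out of the list on purpose, since Android's /etc is a symlink into /system/etc, and it skips directories that are already mounted so the script can be rerun from a shell after it has run at boot.

```shell
#!/system/bin/sh
# Added example (not from the post): bind-mount a glibc userland kept on the
# external sdcard onto empty directories created in Android's ramdisk /.
# Every path and name below is an assumption chosen for illustration.

LINUX_ROOT="${LINUX_ROOT:-/storage/extSdCard/linux}"   # where apt-get's real files live
ANDROID_ROOT="${ANDROID_ROOT:-/}"                        # Android rootfs (the ramdisk)
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"               # overridable so it can be tested
DRY_RUN="${DRY_RUN:-0}"                                  # 1 = print the mount commands only

# Only directories that Android's own rootfs does not already use.  /etc is
# left out on purpose: Android's /etc is a symlink to /system/etc, and
# covering it hides the framework's own configuration.
LINUX_DIRS="${LINUX_DIRS:-bin sbin usr var opt lib home root}"

# Join a root and a relative name without producing "//bin" when root is "/".
join_path() {
    case "$1" in
        */) printf '%s%s\n' "$1" "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Succeed if $1 is currently a mount point according to MOUNTS_FILE.
# Field 2 is matched exactly, so /usr does not match /usr/local.
is_mounted() {
    [ -r "$MOUNTS_FILE" ] || return 1
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# Bind-mount one directory (or print the command under DRY_RUN=1).
# Returns 0 on success, 2 if it was already mounted, 1 on a missing path.
bind_one() {
    src=$(join_path "$LINUX_ROOT" "$1")
    dst=$(join_path "$ANDROID_ROOT" "$1")
    [ -d "$src" ] || { echo "missing source $src" >&2; return 1; }
    [ -d "$dst" ] || { echo "missing mount point $dst (create it in the ramdisk)" >&2; return 1; }
    if is_mounted "$dst"; then
        echo "skip $dst (already mounted)" >&2
        return 2
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf 'mount -o bind %s %s\n' "$src" "$dst"
    else
        mount -o bind "$src" "$dst"
    fi
}

# Mount everything in LINUX_DIRS; the return value is the number of failures.
# "Already mounted" is not counted, so the script is safe to rerun.
mount_linux_dirs() {
    failures=0
    for d in $LINUX_DIRS; do
        rc=0
        bind_one "$d" || rc=$?
        case "$rc" in
            0|2) ;;
            *) failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}

# "sh mount-linux.sh mount" does the work; sourcing the file only defines
# the functions, so a dry run can be exercised from an interactive shell.
case "${1:-}" in
    mount) mount_linux_dirs ;;
esac
```

Run it as `sh mount-linux.sh mount` from an init.d script or a one-shot init service; with `DRY_RUN=1` it only prints the mount commands, which is the quickest way to confirm the sdcard directories are present before touching the live root. `-o bind` is the busybox/util-linux form of the `--bind` the post mentions. Note that the post's PATH puts /system/bin and /system/xbin ahead of /bin and /usr/bin, so a tool that exists in both places (ls, sh, ifconfig) resolves to the Android build unless the order is changed.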