[APP][2.2+][ROOT][WiFi] Reaver-GUI for Android

SOEDI


Reaver for Android v1.30
Reaver-WPS GUI for rooted devices with bcm4329/4330 wifi chipset or working external wifi card.


INFO:
Reaver for Android, short RfA, is a simple-to-use Reaver-GUI for Android devices with monitor-mode support.
It has some very cool features:

  • Automatically detects WPS-enabled routers.
  • All Reaver-Settings are accessible from a simple-to-use GUI.
  • Activates and deactivates Monitor-Mode automatically when needed.
  • Provides a simple way to connect when Reaver finds the WPA-Key.
  • External script support

Project status: PRE-FINAL
What does this mean?
There are some features which are not implemented yet.
Development will continue very soon.


Installation

  1. Download/install bcmon.apk from HERE and RfA.apk from the bottom of this post. RfA may also download bcmon automatically.
  2. Run bcmon, if it crashes try a second time.
  3. If all runs fine, start RfA. If not, your device may not be bcmon compatible. Please see second post.
  4. After selecting a WPS-enabled router, click on "Test Monitor-Mode".
  5. Now you can use RfA :), don't uninstall bcmon.
Steps 1 - 4 are only for the installation, they don't have to be repeated once done.


FAQ:

What is this awesome app actually useful for?
Well, RfA is able to unveil the actual WPA(2)-Key of many routers within 2 - 10 hours.

WHAT?! I thought WPA(2) is safe?
It used to be, but then many router models got WiFi Protected Setup, short WPS, implemented, which is pretty vulnerable. (Details)
Basically it's a Brute-Force attack with Reaver against an 8-digit pin with 10^4 + 10^3 possibilities.

What is Reaver?
Reaver-WPS is a pentesting tool developed by Tactical Network Solutions.
It attacks WPS-enabled routers and after the WPS-Pin is cracked, it retrieves the actual WPA-key.
Reaver provides only a terminal interface, which is ok for notebooks etc., however it's a pain on Android devices.
Because of this I developed RfA.

Doesn't Reaver require monitor-mode and so can't work on Android?
Yes, Reaver needs monitor-mode, but thanks to bcmon (or external wifi cards) some Android devices are now monitor-mode capable.


bcmon compatibility
Developed and tested on: Nexus 7 2012 (Stock 4.3)
RfA *should* work on all devices with bcmon support (Broadcom bcm4329/bcm4330 chipsets)
Simply try by installing bcmon. Don't worry, if something goes wrong a simple reboot should fix everything.
For external wifi cards please see second post.

Tested & works on:
Nexus 7 2012 (Stock 4.3, Cyanogen 9)
Huawei Honour (Cyanogen Mod based ROM)

bcmon does NOT work on:
Samsung Galaxy S3/4/5
HTC One
LG G2
Nexus 4/5
Nexus 7 (2013)

Credits & used tools:

Monitor-Mode over bcmon.apk:
Omri Ildis, Ruby Feinstein & Yuval Ofir
See: bcmon.blogspot.com

Reaver-WPS:
Tactical Network Solutions
See: code.google.com/p/reaver-wps/

Disclaimer

Attention: Hacking of networks is illegal without having the permission of the owner! The developer is not responsible for any damage etc. this app could cause.
This software is only intended to show a big security hole, not to be able to surf in the neighbour's Wifi ;)

XDA:DevDB Information
Reaver-GUI for Android, App for all devices (see above for details)

Contributors
SOEDI, bcmon team & Tactical Network Solutions

Version Information
Status: Stable
Current Stable Version: 1.30
Stable Release Date: 2014-07-01
Beta Release Date: 2013-11-04

Created 2013-09-24
Last Updated 2014-09-27
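
The arithmetic behind the "10^4 + 10^3" figure in the FAQ above, as an added example that is not part of the original post and not code from RfA or Reaver: the eighth PIN digit is a checksum, and the access point confirms the two PIN halves separately. The per-attempt times and lockout policies are assumed values.

```python
# Added example: model of the WPS PIN search space (not code from RfA or Reaver).

def wps_checksum(first7: int) -> int:
    """Checksum digit the WPS spec derives from the first seven PIN digits."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if `pin` is 8 digits and its last digit matches the checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))


def search_space() -> dict:
    """Size of the PIN space under each successive observation."""
    return {
        "naive_8_digits": 10**8,
        "with_checksum": 10**7,                      # digit 8 is derived, not free
        "halves_checked_separately": 10**4 + 10**3,  # the FAQ's figure
    }


def worst_case_hours(secs_per_attempt: float,
                     lock_after: int = 0, lock_secs: float = 0.0) -> float:
    """Hours to exhaust the split space; optional AP lockout after N failures."""
    attempts = search_space()["halves_checked_separately"]
    total = attempts * secs_per_attempt
    if lock_after:
        total += ((attempts - 1) // lock_after) * lock_secs
    return total / 3600


if __name__ == "__main__":
    # Assumed timings: 1 s and 3 s per attempt fall inside the "2 - 10 hours" claim.
    for secs in (1.0, 3.0):
        print(f"no lockout, {secs}s/attempt: {worst_case_hours(secs):.1f} h")
    # Assumed policy: 60 s pause after every 3 failed attempts.
    print(f"lockout 3/60s: {worst_case_hours(1.0, 3, 60):.1f} h")
    # Assumed policy: 1 h pause after every 3 failed attempts.
    print(f"lockout 3/1h: {worst_case_hours(1.0, 3, 3600) / 24:.0f} days")
```

A lockout policy stretches the worst case from hours to days or months, but only switching the WPS PIN method off removes the 11,000-guess ceiling.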
 


SOEDI

Second Post

  • If anyone has working Android drivers for external Wifi cards, please let me know.
  • If the layout looks strange on your phone, please send me a screenshot, so I can fix it.
    I have only a tablet and HD phone (emulator works too slow), so can't test the layout properly.


Usage of custom-scripts

To make RfA less dependent on bcmon, which seems to be discontinued, I introduced custom monitor-mode-activation scripts.

Please note that those scripts only make sense for you if you are already able to use monitor-mode on your device, either via special firmware for the internal wifi card or a kernel which properly supports external wifi cards. Those scripts serve only as a "connector" between your wifi interface and RfA.
In order to enable this function you need to open RfA settings, tap on "Monitor-Mode settings" and disable the "Use bcmon" checkbox.

There are 3 different scripts you can specify:

Activation script
This script will be executed in its own directory.
It should enable monitor-mode and exit.
Example:
Code:
#!/bin/bash
# Turn off Android's Wi-Fi service
svc wifi disable
LD_LIBRARY_PATH=/data/data/com.bcmon.bcmon/files/libs
# Start a shell with bcmon's libfake_driver.so preloaded
LD_PRELOAD=/data/data/com.bcmon.bcmon/files/libs/libfake_driver.so sh
cd /data/data/com.bcmon.bcmon/files/tools
./enable_bcmon
# Tell RfA the script ran properly
echo "rfasuccess"
exit

Warm-up script
RfA will read in this script as a text file and execute the commands internally. This is needed to execute reaver in the same terminal session as the script.
It should do all preparations before Reaver is started. At least it has to cd into the directory where the reaver binary is.
Example:
Code:
#!/bin/bash
LD_LIBRARY_PATH=/data/data/com.bcmon.bcmon/files/libs
# Start a shell with bcmon's libfake_driver.so preloaded
LD_PRELOAD=/data/data/com.bcmon.bcmon/files/libs/libfake_driver.so sh
# Change into the directory that holds the reaver binary
cd /data/data/com.bcmon.bcmon/files/tools

Stop script
This script will be executed in its own directory.
It should disable monitor-mode and exit.
Code:
#!/bin/bash
# Turn Android's Wi-Fi service back on
svc wifi enable
# Tell RfA the script ran properly
echo "rfasuccess"

Additional Information
  • You also have to specify your wifi-interface.
  • The given examples are the scripts which RfA uses by default when you enable the "Use bcmon" checkbox.
  • The activation and stop scripts have to echo "rfasuccess" in order to tell RfA that they were executed properly. With this method you can also implement a sort of error-checking, by returning "rfasuccess" only when everything went fine.
 

krispyfriez

Interesting.... nice job.
But better not let this get into the wrong hands, with these Admin Password hacking apps going on, anyone can take over someone's router.

Sent from my super rare, old Scroll Excel running Android 2.3 using the official app.
DOES DAT APP RUN ON DEVICES STILL ROCKIN 2.3?
 

Paxy

Great job folks.
But for some reason user mode bcmode does not work well on HTC HD2 and my custom firmware, so I am using the system module bcmon, which creates an eth0 monitor interface instead of wlan0 (wifi0).
Can you please add interface selection or auto-detection of the interface in monitor mode?

Tnx !
 

SOEDI

interface support

Hi,
RfA supports the wlan0 and eth0 interfaces.
The problem seems to be the startup script and location of the Reaver binary, which seems to be different on your HD2.
Please describe exactly how you start monitor-mode, so I can update RfA :)

regards,
SOEDI
 

Paxy

Please describe exactly how you start monitor-mode, so I can update RfA:)
Ok.
I have downloaded module src code from https://code.google.com/p/bcmon/source/browse/#svn/trunk/bcm4329/driver/src/bcm4329
Compiled it for my kernel and use it with a script that switches drivers with:
Code:
insmod bcm4329.ko firmware_path=fw_bcm4329.bcmon.bin

Firmware version is from https://code.google.com/p/bcmon/source/browse/#svn/trunk/bcm4329/fw

After that I can use a sniffer like airodump (airodump -i eth0) and aireplay without needing to switch monitor mode with airmon.

---------- Post added at 08:01 AM ---------- Previous post was at 07:11 AM ----------

Ahh, I have just researched the problem.
The problem is at enable_bcmon
Code:
./enable_bcmon
error: SIOCGIFFLAGS (No such device)
error: SIOCGIFFLAGS (No such device)
Couldn't find device index: No such device

I have also tried to start reaver with ./reaver -i eth0 -b 90:F6:52:C0:22:9C -c 1 -a -vv -w -S, but the old problem with these drivers occurred, it failed to associate to the AP (it is not a range problem, it is the old known injection problem with the kernel module driver)

Just have to find a way to get the new bcmon working.
 

SOEDI

Ahh, I have just researched the problem.
The problem is at enable_bcmon
Code:
./enable_bcmon
error: SIOCGIFFLAGS (No such device)
error: SIOCGIFFLAGS (No such device)
Couldn't find device index: No such device

I have also tried to start reaver with ./reaver -i eth0 -b 90:F6:52:C0:22:9C -c 1 -a -vv -w -S, but the old problem with these drivers occurred, it failed to associate to the AP (it is not a range problem, it is the old known injection problem with the kernel module driver)

Just have to find a way to get the new bcmon working.

Ok, I see where the problem is....
The method to activate Monitor-Mode over bcmon.apk is:
Code:
# define some paths
./enable_bcmon

But if you have self compiled modules:
Code:
sh setup.sh
# define tools path

Also on the bcmon website they said they fixed injection. Have you installed the newest firmware files and modules?
If you want to use bcmon.apk instead, maybe try to reinstall BusyBox. Some users reported this fixed their problems.
After you got your Monitor-Mode working, post it and I will update RfA.

regards,
SOEDI
 
  • Like
Reactions: gustarballs1983
Sep 25, 2013
37
18
0
First of all thank You SOEDI

Finally someone did it.. reaver is on android...

However I find the job of making it functional only half done...

as I understood from the reaver forums it works best with wireless cards based on RTL8187 chipsets
in addition on the site of those modded bcmon drivers there is a statement that it doesn't support radiotap (be it mode or whatever) which reaver seems to require..

so my idea is why not expand Your application by adding a linux kernel driver to support usb OTG (on the go) plugged in the android device's usb port...

search for the phrase "android pcap" in google and You'll find it on kismet wireless

sorry for the lack of a link.. apparently I'd have to write 9 additional posts to post one :p

there is source code down on that site too.. and it's monitor mode with no root privileges.. :D
plus additionally You also could add a functionality to Your gui to choose between the built-in card and the one plugged in via USB-OTG to select which one the gui is going to use..

So.. how about it? it could be mindblowing if You'd succeed
I'd bet You'd probably make a lot of people happy out there :D
sorry for my eventual spelling mistakes, English is not my native though..
regards
GusT.
 

SOEDI

Radiotap Headers

Hi,

The new bcmon.apk method supports radiotap headers, tested and worked:) At least with bcm4330 on Nexus7.
Monitor-Mode over USB-OTG would be cool, but I'm working on 3 other projects, so this will take some time...
At least it's working pretty good for a beta release:)
 

SOEDI

Reaver

Stuck on waiting for beacon:
Usually this is a range problem.
Try to start another attack, maybe on a different router.

Stuck on switching wlan0 to channel....:
The only solution I have is to simply restart the attack.
Usually this fixes the problem...
 

Charle692

Hey great job on getting this working! Been waiting for this for a while, the aircrack solutions out there just take too long for a phone to crack through wpa/wpa2.

I'm having some issues though, btw I'm on a Samsung Galaxy S2X which has the bcm4330. First off, bcmon starts up and enables monitor mode just fine, but when I come to scan networks in reaver it never successfully finds any. I've tried to increase scan time and I've enabled scan fix but nothing seems to work. I know my device is in monitor mode since I can scan for networks on another app, I can also receive data packets but it's just not working on here, any ideas? Thanks, awesome work!
 

SOEDI

The solution is pretty simple:
RfA scans in Managed-Mode, then enables Monitor-Mode and passes the data to Reaver.
So RfA can handle the Monitor-Mode on its own, no need to start bcmon first :)
Simply start RfA with wifi on :)

regards,
SOEDI
 

Charle692

Thanks for the clarification. Now once I've scanned for networks, connections come up like they should, but I'm getting a new problem: when testing monitor mode it fails. I believe that this could be because of bcmon since the app doesn't seem to properly install the modded drivers. I could be wrong. I think I'm running into compatibility issues with my rom. I'm using MIUI. I'm gonna try cyanogenmod to see if it helps anything.
 

voodoo5222

hi
great work :) but I'm having a problem, I have a htc wildfire s
every time I start cracking a network I get (illegal instruction ./reaver wlan....)
and then nothing, I think this is from my rom mostly but I'm not sure
my phone is fully rooted, thx in advance :D
 

Charle692

Alright well guess mini was causing problems with it so I guess that's not compatible working great on 4.3

Sent from my SGH-T989 using XDA Premium 4 mobile app
 

nasser4life

I'm on 09/26 cm 10.2 nightly and using galaxy s2, router is Linksys wrt110. First I wasn't able to get past "switching wlan0 to channel 1"

And if I enabled monitor mode in bcmon before scanning in rfa no router is found. How I got it to work was to scan first and once I found my router I tested for monitor mode. Before starting the attack I used the home button and then opened bcmon and enabled monitor mode (I had already said yes to install tool on first run), pressed and held the home button and went back to rfa and started the attack.


This was the result.
I do have a question though.. This was tested on my own router and my password is set to 0123456789 on the router. So what exactly do I have to enter from the result to connect?
I tried this on Kali as well and I got similar result, can remember if it was exact same.
I tried the WPA psk and the pin as passwords and was not able to connect to router. And my router is set to wpa2. Is that why? I know this is off topic but I'm curious :)

Sent from my GT-I9100 using Tapatalk 4 Beta
 

SOEDI

Wow, seems like RfA has some problems with the S2.
Cool workaround!

Regarding your problem:
The shown WPA PSK is the hash of your real WPA Key.
Sometimes Reaver fails to get the plaintext Key and shows instead the hash.
However, if you use the hash as WPA Key it should work. Had tried this a few times and worked fine:)

regards,
SOEDI

EDIT:
Of course, you have to use the hash without the ' ' as key. Wanted only to mention this ;)
RfA should have shown a Dialog with the Key and a connect button. Did it?
 