
[APP][2.2+][ROOT][WiFi] Reaver-GUI for Android


SOEDI

Senior Member
May 14, 2011
154
346

Reaver for Android v1.30
Reaver-WPS GUI for rooted devices with bcm4329/4330 wifi chipset or working external wifi card.


INFO:
Reaver for Android, short RfA, is a simple-to-use Reaver-GUI for Android devices with monitor-mode support.
It has some very cool features:

  • Detects automatically WPS-enabled routers.
  • All Reaver-Settings are accessible from a simple-to-use GUI.
  • Activates and deactivates Monitor-Mode automatically when needed.
  • Provides a simple way to connect when Reaver finds the WPA-Key.
  • External script support

Project status: PRE-FINAL
What does this mean?
There are some features which are not implemented yet.
Development will continue very soon.


Installation

  1. Download/install bcmon.apk from HERE and RfA.apk from the bottom of this post. RfA may also download bcmon automatically.
  2. Run bcmon, if it crashes try a second time.
  3. If all runs fine, start RfA. If not, your device may not be bcmon compatible. Please see second post.
  4. After selecting a WPS-enabled router, click on "Test Monitor-Mode".
  5. Now you can use RfA:), don't uninstall bcmon.
Steps 1 - 4 are only for the installation, they don't have to be repeated once done.


FAQ:

What is this awesome app actually useful for?
Well, RfA is able to unveil the actual WPA(2)-Key of many routers within 2 - 10 hours.

WHAT?! I thought WPA(2) is safe?
It used to be, but then many router models got WiFi Protected Setup, short WPS, implemented, which is pretty vulnerable. (Details)
Basically it's a Brute-Force attack with Reaver against an 8 digit pin with 10^4 + 10^3 possibilities.

What is Reaver?
Reaver-WPS is a pentesting tool developed by Tactical Network Solutions.
It attacks WPS-enabled routers and after the WPS-Pin is cracked, it retrieves the actual WPA-key.
Reaver provides only a terminal interface, which is ok for notebooks etc., however it's a pain on Android devices.
Because of this I developed RfA.

Doesn't Reaver require monitor-mode and so can't work on Android?
Yes, Reaver needs monitor-mode, but thanks to bcmon (or external wifi cards) some Android devices are now monitor-mode capable.


bcmon compatibility
Developed and tested on: Nexus 7 2012 (Stock 4.3)
RfA *should* work on all devices with bcmon support (Broadcom bcm4329/bcm4330 chipsets)
Simply try by installing bcmon. Don't worry, if something goes wrong a simple reboot should fix everything.
For external wifi cards please see second post.

Tested & works on:
Nexus 7 2012 (Stock 4.3, Cyanogen 9)
Huawei Honour (Cyanogen Mod based ROM)

bcmon does NOT work on:
Samsung Galaxy S3/4/5
HTC One
LG G2
Nexus 4/5
Nexus 7 (2013)

Credits & used tools:

Monitor-Mode over bcmon.apk:
Omri Ildis, Ruby Feinstein & Yuval Ofir
See: bcmon.blogspot.com

Reaver-WPS:
Tactical Network Solutions
See: code.google.com/p/reaver-wps/

Disclaimer

Attention: Hacking of networks is illegal without having the permission of the owner! The developer is not responsible for any damage etc. this app could cause.
This software is only intended to show a big security hole, not to be able to surf in the neighbours Wifi;)

XDA:DevDB Information
Reaver-GUI for Android, App for all devices (see above for details)

Contributors
SOEDI, bcmon team & Tactical Network Solutions

Version Information
Status: Stable
Current Stable Version: 1.30
Stable Release Date: 2014-07-01
Beta Release Date: 2013-11-04

Created 2013-09-24
Last Updated 2014-09-27
 

Last edited by a moderator:
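
As an added example that is not part of the original post: the FAQ's 10^4 + 10^3 figure follows from WPS confirming the two PIN halves separately, with the eighth digit being a checksum of the first seven. The Python below checks a PIN's checksum and models how an AP-side lockout stretches the worst-case search; the 2-second attempt time and the lockout policies are constructed assumptions, not measurements from this thread.

```python
"""WPS PIN keyspace and lockout model (added example, not RfA or Reaver code)."""

NAIVE_SPACE = 10 ** 8   # eight free decimal digits, if the PIN were checked whole
FIRST_HALF = 10 ** 4    # digits 1-4 are confirmed on their own
SECOND_HALF = 10 ** 3   # digits 5-7; digit 8 is derived from the first seven


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven PIN digits (weights 3,1,3,1,...)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight ASCII digits and its last digit is the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def worst_case_attempts() -> int:
    """Upper bound on guesses when the halves are confirmed separately."""
    return FIRST_HALF + SECOND_HALF


def worst_case_seconds(sec_per_attempt, lock_after=0, lock_seconds=0):
    """Worst-case duration; the AP locks WPS for lock_seconds after every
    lock_after failed attempts (lock_after=0 means no lockout)."""
    attempts = worst_case_attempts()
    total = attempts * sec_per_attempt
    if lock_after > 0:
        failures = attempts - 1          # the final attempt is the correct one
        total += (failures // lock_after) * lock_seconds
    return total


# Constructed policies for comparison: (label, lock_after, lock_seconds).
CONSTRUCTED_POLICIES = [
    ("no lockout", 0, 0),
    ("60 s after 3 failures", 3, 60),
    ("1 h after 10 failures", 10, 3600),
]


def policy_table(sec_per_attempt, policies=CONSTRUCTED_POLICIES):
    """Worst-case hours per policy, rounded to one decimal."""
    return [
        (label, round(worst_case_seconds(sec_per_attempt, n, lock) / 3600, 1))
        for label, n, lock in policies
    ]


if __name__ == "__main__":
    print("naive space:", NAIVE_SPACE, "split space:", worst_case_attempts())
    for label, hours in policy_table(2.0):   # 2.0 s per attempt is assumed
        print(f"{label:24s} {hours:8.1f} h")
```

With the assumed 2 seconds per attempt, the no-lockout case lands inside the 2 - 10 hour range quoted in the FAQ, while the lockout policies push the worst case to days or weeks; disabling WPS removes the exposure entirely.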

SOEDI

Senior Member
May 14, 2011
154
346
Second Post

  • If anyone has working Android drivers for external Wifi cards, please let me know,
  • If the layout looks strange on your phone, please send me a screenshot, so I can fix it
    I have only a tablet and HD phone (emulator works too slow), so can't test the layout properly.


Usage of custom-scripts

To make RfA less dependent on bcmon, which seems to be discontinued, I introduced custom monitor-mode-activation scripts.

Please note that those scripts only make sense for you if you are already able to use monitor-mode on your device, either via special firmware for the internal wifi card or a kernel which properly supports external wifi cards. Those scripts serve only as a "connector" between your wifi interface and RfA.
In order to enable this function you need to open RfA settings, tap on "Monitor-Mode settings" and disable the "Use bcmon" checkbox.

There are 3 different scripts you can specify:

Activation script
This script will be executed in its own directory.
It should enable monitor-mode and exit.
Example:
Code:
#!/bin/bash
svc wifi disable
LD_LIBRARY_PATH=/data/data/com.bcmon.bcmon/files/libs
LD_PRELOAD=/data/data/com.bcmon.bcmon/files/libs/libfake_driver.so sh
cd /data/data/com.bcmon.bcmon/files/tools
./enable_bcmon
echo "rfasuccess"
exit

Warm-up script
RfA will read in this script as a text file and execute the commands internally. This is needed to execute reaver in the same terminal session as the script.
It should do all preparations before Reaver is started. At least it has to cd into the directory where the reaver binary is.
Example:
Code:
#!/bin/bash
LD_LIBRARY_PATH=/data/data/com.bcmon.bcmon/files/libs
LD_PRELOAD=/data/data/com.bcmon.bcmon/files/libs/libfake_driver.so sh
cd /data/data/com.bcmon.bcmon/files/tools

Stop script
This script will be executed in its own directory.
It should disable monitor-mode and exit.
Code:
#!/bin/bash
svc wifi enable
echo "rfasuccess"

Additional Information
  • You have also to specify your wifi-interface.
  • The given examples are those scripts, which RfA uses by default when you enable the "Use bcmon" checkbox.
  • The activation and stop script have to echo "rfasuccess" in order to tell RfA that they were executed properly. With this method you can also implement a sort of error-checking, by returning "rfasuccess" only when everything went fine.
 
Last edited:

krispyfriez

Senior Member
Aug 6, 2013
107
16
Interesting.... nice job.
But better not let this get into the wrong hands, with these Admin Password hacking apps going on, anyone can take over someone's router.

Sent from my super rare, old Scroll Excel running Android 2.3 using the official app.
DOES DAT APP RUN ON DEVICES STILL ROCKIN 2.3?
 
  • Like
Reactions: sreehari vasudev

Paxy

Senior Member
Aug 29, 2007
67
39
Great job folks.
But for some reason user mode bcmode does not work well on HTC HD2 and my custom firmware, so I am using system module bcmon which creates eth0 monitor interface instead of wlan0 (wifi0).
Can you please add interface selection or auto-detect interface in monitor mode?

Tnx !
 
Last edited:
  • Like
Reactions: i_raiyan786

SOEDI

Senior Member
May 14, 2011
154
346
interface support

Hi,
RfA supports wlan0 and eth0 interface.
The problem seems to be the startup script and location of the Reaver binary, which seems to be different on your HD2.
Please describe exactly how you start monitor-mode, so I can update RfA:)

regards,
SOEDI
 

Paxy

Senior Member
Aug 29, 2007
67
39
Please describe exactly how you start monitor-mode, so I can update RfA:)

Ok.
I have downloaded module src code from https://code.google.com/p/bcmon/source/browse/#svn/trunk/bcm4329/driver/src/bcm4329
Compile for my kernel and use with a script that switches drivers with:
Code:
insmod bcm4329.ko firmware_path=fw_bcm4329.bcmon.bin
Firmware version is from https://code.google.com/p/bcmon/source/browse/#svn/trunk/bcm4329/fw

After that I can use sniffer like airodump (airodump -i eth0) and aireplay without need to switch monitor mode with airmon.

---------- Post added at 08:01 AM ---------- Previous post was at 07:11 AM ----------

Ahh, I have just researched the problem.
Problem is at enable_bcmon
Code:
./enable_bcmon
error: SIOCGIFFLAGS (No such device)
error: SIOCGIFFLAGS (No such device)
Couldn't find device index: No such device

I have also tried to start reaver with ./reaver -i eth0 -b 90:F6:52:C0:22:9C -c 1 -a -vv -w -S, but the old problem with these drivers occurred, failed to associate to AP (it is not a range problem, it is the old known inject problem with the kernel module driver)

Just have to find a way to make new bcmon working.
 
Last edited:
  • Like
Reactions: SOEDI

SOEDI

Senior Member
May 14, 2011
154
346
Ahh, I have just researched the problem.
Problem is at enable_bcmon
Code:
./enable_bcmon
error: SIOCGIFFLAGS (No such device)
error: SIOCGIFFLAGS (No such device)
Couldn't find device index: No such device

I have also tried to start reaver with ./reaver -i eth0 -b 90:F6:52:C0:22:9C -c 1 -a -vv -w -S, but the old problem with these drivers occurred, failed to associate to AP (it is not a range problem, it is the old known inject problem with the kernel module driver)

Just have to find a way to make new bcmon working.

Ok, I see where the problem is....
The method to activate Monitor-Mode over bcmon.apk is:
Code:
define some paths
./enable_bcmon
But if you have self compiled modules:
Code:
sh setup.sh
?define tools path?.

Also on the bcmon website they said they fixed injection. Have you installed the newest firmware files and modules?
If you want to use bcmon.apk instead, maybe try to reinstall BusyBox. Some users reported this fixed their problems.
After you got your Monitor-Mode working, post it and I will update RfA.

regards,
SOEDI
 
  • Like
Reactions: gustarballs1983
Sep 25, 2013
37
18
First of all thank You SOEDI

Finally someone did it.. reaver is on android...

However i find the job of making it functional only half done...

as i understood from reaver forums it works best with wireless cards based on RTL8187 chipsets
in addition on the site of those modded bcmon drivers there is a statement that it doesn't support radiotap (be it mode or whatever) which reaver seems to require..

so my idea is why not expanding Your application by adding linux kernel driver to support usb OTG (on the go) plugged in the android device's usb port...

search for phrase "android pcap" in google and You'll find it on kismet wireless

sorry for lack of link.. apparently i'd have to write 9 additional posts to post one :p

there is a source code down on that site too.. and it's monitor mode with no root privileges..:D
plus additionally You also could add a functionality to Your gui to choose between built-in card and the one plugged in via USB-OTG to select which one the gui is going to use..

So.. how about it? it could be mindblowing if You'd succeed
I'd bet You'd probably make a lot of people happy out there :D
sorry 4 my eventual spelling mistakes English is not my native though..
regards
GusT.
 

SOEDI

Senior Member
May 14, 2011
154
346
Radiotap Headers

Hi,

The new bcmon.apk method supports radiotap headers, tested and worked:) At least with bcm4330 on Nexus7.
Monitor-Mode over USB-OTG would be cool, but I'm working on 3 other projects, so this will take some time...
At least it's working pretty good for a beta release:)
 
  • Like
Reactions: svengrasshoff

SOEDI

Senior Member
May 14, 2011
154
346
Reaver

Stuck on waiting for beacon:
Usually this is a range problem.
Try to start another attack, maybe on a different router.

Stuck on switching wlan0 to channel....:
The only solution I have is to simply restart the attack.
Usually this fixes the problem...
 

Charle692

Senior Member
Jul 7, 2012
164
20
Ottawa
Hey great job on getting this working! Been waiting for this for a while, the aircrack solutions out there just take too long for a phone to crack through wpa/wpa2.

I'm having some issues though, btw I'm on samsung galaxy s2x which has the bcm4330. First off the bcmon starts up and enables monitor mode just fine but when I come to scan networks in reaver it never successfully finds any. I've tried to increase scan time and I've enabled scan fix but nothing seems to work. I know my device is in monitor mode since I can scan for networks on another app, I can also receive data packets but it's just not working on here, any ideas? thanks awesome work!
 

SOEDI

Senior Member
May 14, 2011
154
346
The solution is pretty simple:
RfA scans in Managed-Mode, then enables Monitor-Mode and passes the data to Reaver.
So RfA can handle the Monitor-Mode on its own, no need to start bcmon first:)
Simply start RfA with wifi on:)

regards,
SOEDI
 
  • Like
Reactions: dalya

Charle692

Senior Member
Jul 7, 2012
164
20
Ottawa
Thanks for the clarification now once I've scanned for networks connections come up like it should but i'm getting a new problem when testing monitoring mode it fails. I believe that this could be because of bcmon since the app doesn't seem to properly install the modded drivers. I could be wrong. I think i'm running into compatibility issues with my rom. I'm using MIUI I'm gonna try cyanogenmod to see if it helps anything.
 

voodoo5222

New member
Sep 27, 2013
2
0
hi
great work :) but I'm having a problem, I have a htc wildfire s
every time I start cracking a network I get (illigal instruction ./reaver wlan....)
and then nothing i think this is from my rom mostly but im not sure
my phone is fully rooted thx in advance :D
 

nasser4life

Member
Nov 6, 2010
49
13
Roseau
I'm on 09/26 cm 10.2 nightly and using galaxy s2, router is Linksys wrt110. First I wasn't able to get past "switching wlan0 to channel 1"

And if I enabled monitor mode in bcmon before scanning in rfa no router is found. how I got it to work was to scan first and once I found my router i tested for monitor mode. Before starting attack i used home button and then open bcmon and enabled monitor mode ( I had already said yes to install tool on first run), press and held home button and went back to rfa and started attack.

This was the result.
I do have a question though.. This was tested on my own router and my password is set to 0123456789 on the router. So what exactly do I have to enter from the result to connect?
I tried this on Kali as well and I got similar result, can remember if it was exact same.
I tried the WPA psk and the pin as passwords and was not able to connect to router. And my router is set to wpa2. Is that why? I know this is off topic but I'm curious :)

Sent from my GT-I9100 using Tapatalk 4 Beta
 

SOEDI

Senior Member
May 14, 2011
154
346
Wow, seems like RfA has some problems with the S2.
Cool workaround!

Regarding your problem:
The shown WPA PSK is the hash of your real WPA Key.
Sometimes Reaver fails to get the plaintext Key and shows instead the hash.
However, if you use the hash as WPA Key it should work. Had tried this a few times and worked fine:)

regards,
SOEDI

EDIT:
Of course, you have to use the hash without the ' ' as key. Wanted only to mention this;)
RfA should have shown a Dialog with the Key and a connect button. Did it?
 
Last edited:

Top Liked Posts

    9
    New Version

    Hey folks,

    finally, I found some time and implemented script support.
    This makes RfA ready for bcmon independent usage. Now, if you have a working external wifi card and the right kernel, you will be able to write a short shell-script (details later) and RfA will be able to use it.

    Also, this will make RfA compatible with @n01ce PwnAir, at least after the script for it is ready ;)


    Regards,
    SOEDI


    P.S: Release will be in the next few days.
    7
    @ruleh: it’s amazing how you stay calm and keep on answering even the most stupid questions!

    In the meantime I integrated the PixieDust attack. I had to rewrite some parts of RfA, pixiewps and reaver itself, but it looks pretty promising now. It was not easy to get the stuff compiled, so keep that in mind when you meet a "Segmentation fault" sometimes ;)
    Details (and release) will follow later...

    RfA 1.40 is coming soon, yeah :D
    6
    Theoretically, all that is needed is to crosscompile mdk3 (or bully, or a kernel module which supports monitor mode, or another program you want) for ARM architecture, and eventually doing some tweaking.

    In reality, considering no one did other wifi tools for android, apart from the old Reaver (excluding apps in google play mostly to find default passwords according to bssid and router model), I believe it's much more difficult than thought.

    Let's remember also the aim of bcmon, reaver-wps and RfA is to return tools to use with internal wifi.
    I believe (but still to try), that if you use Linux Deploy to install Kali, a powered microusb-OTG and an external wifi dongle, you are able to run all of wifi-sec tools you want from your device.

    Just a personal consideration: I'm against the use of mdk3, because the "art" of reaver/bully is to find the correct settings not to trigger the WPS lockdown. I have tested on my TNCAP router and, according also to what I have read, unless you put up a series of wireless tools to intercept packets and monitor your router (wireshark, kismet, etc), you won't realize there is a WPS bruteforce attack in course.
    But start flooding periodically the AP with mdk3, freezing and resetting it in cycle, and I'll be the first to suspect an attack, intercept your packets and knock at your door with a handgun ;)

    P.S. being in topic, there are some reports of TNCAP routers being able to reboot with permanent lock WPS already on, after some floods with mdk3.

    Here's an android + bcmon compatible mdk3 binary + source. Tested and works on N7 2012 4.3, but some attack may not work (as fast) as they should.

    copy the mdk3 binary inside the zip to data/data/com.bcmon.bcmon/files/tools and don't forget to set the right permissions.


    Best Regards
    SOEDI