How To Guide Get BCM4389 into monitor mode for WIFI sniffing


ccfries

Member
Mar 19, 2015
11
50
Chicago
Google Pixel 6 Pro
Hey all,

I was trying to watch beacon frames transmitted by my access point, but had no capable hardware in my house to sniff it. Or did I?

Turns out, Pixel 6 / Pixel 6 Pro can do it. Here's my howto.

Short answer: Flash an aosp_raven-userdebug build from Google, then use wifi_sniffer and some related system properties to configure frequency and bandwidth, and enable monitor mode using a special firmware that is shipped in the userdebug build. Then, use tcpdump on the newly created radiotap0 interface.

Enjoy,
Chris
 

ccfries

> Is there any real difference from doing it this way?

Hi x56x, a dependency for that is "3. WiFi chipset that actually uses the QCACLD driver/firmware."

Since Pixel 6 uses a Broadcom WIFI chip and not Qualcomm, you would need my directions for Pixel 6 and 6 Pro.

-Chris
 

x56x

Member
Jan 20, 2021
13
4
Google Nexus 5
Samsung Galaxy S5
> Hi x56x, a dependency for that is "3. WiFi chipset that actually uses the QCACLD driver/firmware."
>
> Since Pixel 6 uses a Broadcom WIFI chip and not Qualcomm, you would need my directions for Pixel 6 and 6 Pro.
>
> -Chris
I actually used these commands for qualcomm on a rooted stock A12 P6P and it worked flawlessly. Never got a chance to mess around with packet sniffing. I am curious as to how you found this? Maybe someone can take a deeper look at the firmware and start working on packet injection.
 

ccfries

> I actually used these commands for qualcomm on a rooted stock A12 P6P and it worked flawlessly. Never got a chance to mess around with packet sniffing. I am curious as to how you found this? Maybe someone can take a deeper look at the firmware and start working on packet injection.

I don't think it could work

raven:/ # ls -l /sys/module/wlan/parameters/con_mode
ls: /sys/module/wlan/parameters/con_mode: No such file or directory
 

ccfries
Just to be sure, you can sniff WIFI packets that the kernel sees, without any changes and just root, using tcpdump. If you want to see other traffic that the WIFI chip would normally filter out, you need monitor mode and you need to load this separate firmware to get into monitor mode.
 
I pulled the wifi sniffer binary, firmware and .rc files needed to get monitor mode working and packed them into a Magisk module. You can find it here on my GitHub.

 
Mar 24, 2023
5
1
> I pulled the wifi sniffer binary, firmware and .rc files needed to get monitor mode working and packed them into a Magisk module. You can find it here on my GitHub.

Tried to install today. Didn't see a release on the GitHub page, tried to manually compile the Magisk module and just get the error "Failed to unzip" in Magisk. Any ideas? Thanks regardless, I've been searching up and down for the wifi_sniffer binary.
 
Mar 24, 2023
5
1
> Go to /data/adb/modules, look for the module, go to system/vendor/bin and change the permissions with
>
> chmod a+x wifi_sniffer
> chmod a+x wifi_perf_diag
>
> I guess I need to fix that somehow.

It starts now!! Time for me to fiddle with this "Unable to open /sys/wifi/firmware_path, Failed to up radiotap0" error; surely I made a mistake.
 
I haven't had much time to play with it. I was really hoping someone could figure it out and recount their steps here.

I noticed some sepolicy stuff regarding wifi_sniffer while building a few ROMs for Pixel 7; there's an incomplete package to build it. Right now, adding the package to the device trees to build enables the sepolicy for it, but that's it. We may not be able to use them without using a beta preview until Android 14 is released. That's speculation though, because I don't know.

But please, anyone that gets this working, please share your steps.
 
Mar 24, 2023
5
1
> I haven't had much time to play with it. I was really hoping someone could figure it out and recount their steps here.
>
> I noticed some sepolicy stuff regarding wifi_sniffer while building a few ROMs for Pixel 7; there's an incomplete package to build it. Right now, adding the package to the device trees to build enables the sepolicy for it, but that's it. We may not be able to use them without using a beta preview until Android 14 is released. That's speculation though, because I don't know.
>
> But please, anyone that gets this working, please share your steps.

I actually got useful help from ChatGPT. dmesg has an output of "[wlan] wl_cfg80211_alert: In : error alert eventing, reason=0x6", which indicated firmware corruption. Will start looking at the firmware file itself momentarily.
 
This is how I get wifi_sniffer to work. First, download and install the NetHunter firmware Magisk module. Check the permissions of the binaries.

Next, reboot your device and disable Wi-Fi and mobile data. This must be done in order to restart the wlan in monitor mode.

Now open a terminal emulator and either type or copy and paste the commands below.

In a su shell:

Code:
su

# Set bandwidth to 160 MHz for sniffing on 2.4 GHz
setprop persist.vendor.wifi.sniffer.bandwidth 160

# Set 2.4GHz band
setprop persist.vendor.wifi.sniffer.freq 2412

# start wifi sniffer
wifi_sniffer start

# tcpdump to .pcap file
tcpdump -i radiotap0 type mgt subtype beacon -w /data/beacon-capture.pcap
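Once the capture above exists, the next question is what is actually in it. The following is an added example, not code from this thread or from the wifi_sniffer/NetHunter module authors: a stdlib-only Python script that reads the pcap tcpdump writes from radiotap0 (pcap link type 127, radiotap, which is the standard link type for a radiotap interface), skips the variable-length radiotap header, keeps only management/beacon frames, and pulls out BSSID, SSID, DS Parameter Set channel and the Privacy capability bit for each access point. The sample frames it falls back to when no file is given are constructed in the script and labelled as such; the MACs, SSIDs and timing values are made up. It also refuses a capture whose link type is not radiotap, which is what you get if you sniffed wlan0 with plain root instead of the monitor-mode radiotap0 interface.

```python
import struct
import sys

LINKTYPE_IEEE802_11_RADIOTAP = 127


def build_sample_beacon(ssid: bytes, channel: int, bssid: bytes) -> bytes:
    """Constructed test frame (not a real capture): minimal radiotap header + 802.11 beacon.
    Timestamp, beacon interval and capability values are made up."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)        # version 0, pad, length=8, present bitmap=0
    fc = b"\x80\x00"                                    # type 0 (management), subtype 8 (beacon)
    mac_hdr = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"  # dur, DA, SA, BSSID, seq
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0411)   # timestamp, interval (TU), capability info
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])  # SSID IE, DS Parameter Set IE
    return radiotap + mac_hdr + fixed + tags


def build_pcap(frames, linktype=LINKTYPE_IEEE802_11_RADIOTAP) -> bytes:
    """Wrap raw frames in a classic little-endian pcap, the format `tcpdump -w` produces."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data: bytes):
    """Yield raw frames from a classic pcap after checking it is a radiotap capture."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        e = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        e = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(e + "I", data, 20)[0]
    if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        # A capture on wlan0 with plain root yields Ethernet-style frames and no radiotap;
        # only the monitor-mode radiotap0 interface gives link type 127.
        raise ValueError(f"link type {linktype} is not radiotap; captured on the wrong interface?")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_beacon(frame: bytes):
    """Return a dict for a beacon frame, or None for any other frame.
    Simplification: the radiotap Flags field is not decoded, so a trailing FCS (if the
    driver includes one) is only skipped because it never parses as a complete IE."""
    if len(frame) < 8 or frame[0] != 0:                 # radiotap header version must be 0
        return None
    rt_len = struct.unpack_from("<H", frame, 2)[0]      # radiotap length is always little-endian
    dot11 = frame[rt_len:]
    if len(dot11) < 36:                                 # 24-byte MAC header + 12 bytes fixed params
        return None
    fc = dot11[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) != 8:          # management type, beacon subtype only
        return None
    _ts, interval, cap = struct.unpack_from("<QHH", dot11, 24)
    info = {
        "bssid": dot11[16:22].hex(":"),
        "interval_tu": interval,
        "privacy": bool(cap & 0x0010),                  # Privacy bit: WEP/WPA/WPA2/WPA3 in use
        "ssid": None,
        "channel": None,
    }
    off = 36
    while off + 2 <= len(dot11):
        tag, ln = dot11[off], dot11[off + 1]
        val = dot11[off + 2:off + 2 + ln]
        if len(val) < ln:
            break                                       # truncated IE (or the FCS): stop parsing
        if tag == 0:
            info["ssid"] = val.decode("utf-8", "replace")
        elif tag == 3 and ln == 1:
            info["channel"] = val[0]
        off += 2 + ln
    return info


def summarize_beacons(pcap_bytes: bytes):
    """Parse every beacon in a capture and return one entry per BSSID, in first-seen order."""
    seen = {}
    for frame in iter_pcap_frames(pcap_bytes):
        b = parse_beacon(frame)
        if b is not None:
            seen.setdefault(b["bssid"], b)
    return list(seen.values())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # e.g. beacon-capture.pcap pulled with adb from /data
            data = f.read()
    else:                                    # constructed sample, not a real capture
        data = build_pcap([
            build_sample_beacon(b"HomeAP", 1, bytes.fromhex("001122334455")),
            build_sample_beacon(b"Guest", 6, bytes.fromhex("66778899aabb")),
        ])
    for ap in summarize_beacons(data):
        print(f'{ap["bssid"]}  ch={ap["channel"]}  privacy={ap["privacy"]}  ssid={ap["ssid"]!r}')
```

Run it as `python3 beacons.py beacon-capture.pcap` after `adb pull /data/beacon-capture.pcap`. If it reports a non-radiotap link type, the capture came from the regular wlan0 interface rather than radiotap0 and monitor mode was not actually active.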
 
