WiFi monitor mode

[cerg2010cerg2010]

OK, I don't think this thread will get any attention, but I want to document it anyway. All this should work on other devices with qcom WiFi drivers.

TL;DR:
Grab iwpriv binary somewhere (i've got my here: https://github.com/kriswebdev/android_wireless_tools/tree/master/bin)
adb push iwpriv /data/local/tmp/
adb shell su -c chmod +x /data/local/tmp/iwpriv

#!/system/bin/sh
ip link set wlan0 down
sleep 1
echo 4 > /sys/module/wlan/parameters/con_mode
sleep 2
ip link set wlan0 up
/data/local/tmp/iwpriv wlan0 monitor 1
/data/local/tmp/iwpriv wlan0 MonitorModeConf 9 40 1 111 0

And enjoy your airodump output

NO PACKET INJECTION! (stubbed out in driver, removed previously?)
If you don't receive any packets, issue "/data/local/tmp/iwpriv wlan0 monitor 1" again.

How does this all work?
Some time ago I discovered these strings in wlan_hal_msg.h: (they appeared in google):

...
   /* Monitor Mode */
   WLAN_HAL_ENABLE_MONITOR_MODE_REQ         = 302,
   WLAN_HAL_ENABLE_MONITOR_MODE_RSP         = 303,

   WLAN_HAL_DISABLE_MONITOR_MODE_REQ        = 304,
   WLAN_HAL_DISABLE_MONITOR_MODE_RSP        = 305,
...

Then I unscrambled some indirections:

WLAN_HAL_ENABLE_MONITOR_MODE_REQ to WDI_MON_START_REQ in WDI_2_HAL_REQ_TYPE
WDI_MON_START_REQ sent in WDI_ProcessMonStartReq <— actual message sents here!
Called from "Request Processing Array" in function WDI_MonStartReq
Wrapped in WDA_ProcessMonStartReq, which is called in WDA_McProcessMsg by message WDA_MON_START_REQ
Which message is posted by wlan_hdd_mon_postMsg if (MON_MODE_START == pMonCtx->state)
Which is called in __iw_setint_getnone with sub_cmd = WE_SET_MONITOR_STATE
Which is set by iw_priv cmd "monitor"

And then figured out that driver works in different modes:
(vos_types.h)

/// Concurrency role.  These are generic IDs that identify the various roles
/// in the software system.
typedef enum
{ /*ON linux maintain 1-1 corespondence with device_mode_t in hdd*/
    VOS_STA_MODE=0, 
    VOS_STA_SAP_MODE=1, //to support softAp  mode . This is misleading. It means AP MODE only. 
                        //The constant name has historical reason
    VOS_P2P_CLIENT_MODE,
    VOS_P2P_GO_MODE,
    VOS_MONITOR_MODE,
    VOS_FTM_MODE = 5,
    VOS_IBSS_MODE,
    VOS_P2P_DEVICE,
    VOS_MAX_NO_OF_MODE
} tVOS_CON_MODE;

Mode can be changed by "con_mode" module parameter.
(idk why they reinvented the wheel and not used the default "iw dev wlan0 set mode monitor")

Combined all this and... got a kernel panic. You may get it too. Main reasons are:
- You have not disabled WiFi before changing the mode
- The sleep time after disabling interface is short
- Driver is old. Yes, you can get crashes on some kernels. If you are, flash AGNi.

After successful switching you'll get a working monitor (check this with tcpdump -i wlan0), but with ethernet packets instead of radiotap, so airodump will not work. Luckily, this giant crappy driver can work with radiotap, but you need to configure it. This is done by another iwpriv call:
MonitorModeConf: <channel> <bandwidth> <crccheck> <filter> <conversion_required>
Filter: 3 decimal numbers
least to most: management packets, control packets, data packets
Conversion: 1 - ARPHRD_ETHER (802.3 packets), 0 - ARPHRD_IEEE80211_RADIOTAP (802.11 packets)
(again don't know why they implemented these calls instead of default ioctl's for channel switch, etc. This makes airodump unable to switch channels)

As a result you may get something like on a screenshot
Happy sniffing!

 

[Crayvolt]

Who said it will not be an interesting , I my self appreciated your effort to bring this up. Kudos to you friend.

 

[cerg2010cerg2010]

Who said it will not be an interesting , I my self appreciated your effort to bring this up. Kudos to you friend.

Thanks. I wanted to say that kenzo development is almost dead, we've lost official LOS and keep losing devs.... So it's most likely we'll not see working packet injection (cuz devs who know driver's internals better than me are left), and, possibly, a wrapper library implementing the default ioctl's (like channel switch) used in most programs.

 

[Crayvolt]

i understand, hopefully we can have new devs. who will continue

 

[aldhi]

This is a perfect news. At least if this device became obsolete, it should still be useful to be a portable linux pen test device, if possible. Anyway, awesome job mate. Very much appreciated

Sent from my Note 3 using XDA Labs

 

[Crayvolt]

you dont have permission to capture on that device sokect operation not permitted

 

[cerg2010cerg2010]

This is a perfect news. At least if this device became obsolete, it should still be useful to be a portable linux pen test device, if possible. Anyway, awesome job mate. Very much appreciated

Sent from my Note 3 using XDA Labs

Thank you. I forgot to say that monitor mode requiers support from firmware (there's some code in driver that checks for it). Kenzo guys are lucky because we have it enabled . There's also sta+monitor mode (so you can have working wifi connection while sniffing), but it also requiers support from firmware and kenzo's fw compiled without it. I forgot how to enable it, but i think you need to issue "iwpriv wlan0 monitor 1" in default con_mode and check dmesg - there will be a string that says it's not supported (if it is not).

And if someone is interested, our wireless chip is wcn3680b, simmilar one (or same, idk) can be found in nexus 4 (mako)

 

[Khimin]

Thank you. I forgot to say that monitor mode requiers support from firmware (there's some code in driver that checks for it). Kenzo guys are lucky because we have it enabled . There's also sta+monitor mode (so you can have working wifi connection while sniffing), but it also requiers support from firmware and kenzo's fw compiled without it. I forgot how to enable it, but i think you need to issue "iwpriv wlan0 monitor 1" in default con_mode and check dmesg - there will be a string that says it's not supported (if it is not).

And if someone is interested, our wireless chip is wcn3680b, simmilar one (or same, idk) can be found in nexus 4 (mako)

Can you ziping code and flashable instal on twrp?

 

[cerg2010cerg2010]

Can you ziping code and flashable instal on twrp?

There's nothing to install except iwpriv binary... But OK, I'll try to create a magisk module with enable/disable scripts.

 

[Khimin]

There's nothing to install except iwpriv binary... But OK, I'll try to create a magisk module with enable/disable scripts.

Thx, im waiting

 

[cerg2010cerg2010]

Thx, im waiting

Ok, I made it quickly!
Source: https://github.com/cerg2010cerg2010/qcmon
There's 2 scripts, run them from shell:
monen - enables monitor mode (you can specify configuration in the parameters, see system/xbin/monen)
mondis - disables monitor mode. You can use your wifi connection again.

 

[Khimin]

Ok, I made it quickly!
Source: https://github.com/cerg2010cerg2010/qcmon
There's 2 scripts, run them from shell:
monen - enables monitor mode (you can specify configuration in the parameters, see system/xbin/monen)
mondis - disables monitor mode. You can use your wifi connection again.

Thx dude

 

[Crayvolt]

thank you you are awsome +thumbsup

---------- Post added at 08:49 AM ---------- Previous post was at 08:03 AM ----------

filter expresion syntax error using command tcpdump -i wlan0
help please

---------- Post added at 09:05 AM ---------- Previous post was at 08:49 AM ----------

can you help me?

 

[Perinban Parameshwaran]

Ok, I made it quickly!
Source: https://github.com/cerg2010cerg2010/qcmon
There's 2 scripts, run them from shell:
monen - enables monitor mode (you can specify configuration in the parameters, see system/xbin/monen)
mondis - disables monitor mode. You can use your wifi connection again.

Is it safe to flash with magisk in note 5 pro ?

 

[Perinban Parameshwaran]

Ok, I made it quickly!
Source: https://github.com/cerg2010cerg2010/qcmon
There's 2 scripts, run them from shell:
monen - enables monitor mode (you can specify configuration in the parameters, see system/xbin/monen)
mondis - disables monitor mode. You can use your wifi connection again.

@cerg2010 Tried to flash with magisk in note 5 pro. System apps are not working after disabling the module from magisk it returned to normal. Any solution for this ?

 

[cerg2010cerg2010]

@cerg2010 Tried to flash with magisk in note 5 pro. System apps are not working after disabling the module from magisk it returned to normal. Any solution for this ?

Please understand that I don't have any "note 5 pro". You can send me logcat and I can try to identify the problem or ask your ROM developer to take a look (if it's not MIUI lol). Anyway, that's just scripts, so you can copy them to /data/local/tmp or /system/bin manually.

 

[Op_Flashpoint]

Lol I'm a n00b what does this do? Is this a packet sniffer or something?

 

[cerg2010cerg2010]

Lol I'm a n00b what does this do? Is this a packet sniffer or something?

Sort of. It makes your sniffer to work - you will be able to capture raw WiFi packets from your device without any dongles.

 

[pion_sekolah]

plis whats rom u use ¿

 

[csleo17]

Ok, I made it quickly!
Source: https://github.com/cerg2010cerg2010/qcmon
There's 2 scripts, run them from shell:
monen - enables monitor mode (you can specify configuration in the parameters, see system/xbin/monen)
mondis - disables monitor mode. You can use your wifi connection again.

thank you man, monitor mode now working on my poco F1, using its module magisk + aircrack-ng