Sunday, September 30, 2012

Injection support for BCM4329


New version

I just uploaded a new patched firmware version for bcm4329, this version adds raw packet injection support.


Issues

  • Low injection speed - on my nexus one the injection is working really slow. It seems that the injection speed starts fine but then slows down to as slow as ~700ms per packet.
  • Radiotap - we don't handle radiotap on packet injection. 'aireplay-ng' works fine with it but tools like 'reaver' seem to require it.


A list of things I already tried

  • 'aireplay-ng --test eth0' - WORKS!
    • I had to increase some timeouts for the '--test' to pass
  • reaver - NOT WORKING
    • It seems like reaver injects packets with radiotap header.

Are you having the same chip version? 

My original firmware md5 is:
d5707abb0175a813274b54af613d7736 *fw_bcm4329.bin

If you have a different bcm4329 firmware, please send me a copy and I'll see what I can do :)

29 comments:

  1. Could you please add /data/local/bin path for aireplay-ng too, like you did for airodump. It can not find iwconfig too :)

    ReplyDelete
  2. Great work so far! I'd like to help you guys getting this to work on the htc desire aka bravo. I'm running Sandvold's ICS 0.18.2.1
    My firmware has md5:
    3f65dedb69158adbbc122b3ed7d7821f *fw_bcm4329.bin
    so it's different from yours ;)
    You can download mine from https://www.dropbox.com/s/18zfb3d4o6ivdb4/fw_bcm4329.bin
    Let me know if you can do something with it. Cheers!

    ReplyDelete
    Replies
    1. Hey Sebastian,
      I've got the same chipset md5. Is it working for you by now?

      Delete
  3. Awesome work, i have actually been trying to get this working for over 3 years on the N1. There is a driver that was created and has injection support i posted on XDA-Dev in one of the debian/ubu multiboot threads but never could get it to work.

    Also, i sent you guys off a small donation with much more on the way.
    Please let us know if there are any developments with a possible fix for the PPS. Anything 25PPS or greater should allow for injection to work as designed.

    I have some more thoughts on the app but want to fully vet the driver before coming to any conclusions.

    ReplyDelete
  4. Hi all, i have a motorola Atrix with chipset Broadcom BCM4329 but How can I see which firmware version I have? How can I help you with my atrix?
    My atrix running CM10.

    ReplyDelete
    Replies
    1. If your looking for the Md5, using something like ES File Explorer and bcm4329 can be found in the vendor>firmware folder. Long press fw_bcm4329.bin, select properties and press Show checksum

      Delete
  5. Running bcm4329 firmware on my Motorola Atrix(CyanogenMod 7.2). Confirmed Md5. Tried extracting and running sh setup.sh and receive "insmod: init_module "bcm4329.k' failed (Exec format error)" Any ideas or do I need to compile a ko for the atrix.

    ReplyDelete
    Replies
    1. Try change moding the setup script...

      cd to the directory containing setup.sh and then run the command:

      "chmod 775 setup.sh && sh setup.sh" as a root user of course

      Delete
  6. I am looking into buying the Samsung Galaxy Tablet 7", which according to http://www.ifixit.com/Teardown/Samsung+Galaxy+Tab+Teardown/4103/2 uses the BCM4329. I noticed you guys mostly focus on phones, but would patched firmware above work on the aforementioned tablet? I have programming experience, but I have just getting started with packet injection on tablets.

    ReplyDelete
  7. I don't want to bother, but is there any progress in getting injection support on the bcm4330 (Galaxy Ace 2)? Is there anything i can do to help? And do you need to have CM running on the phone to use the alternative drivers? (CM is not out yet for the Ace 2 sadly...).

    ReplyDelete
  8. i`m trying to get this to work with default android kernel for an HTC wildfire S, got the kernel source from htcdev.com, but i can not compile this driver. trying make but i get an error. I would like to mention that i`m new to driver compiling under linux so any help would be thanked in the afterlife :P :)).
    tried to get this driver to work under my phone but versionmagic says it`s for cyanogen. I dont want to install cyanogen. My kernel info: (2.6.35.13eoghan-cryptomilk-alquez-r1-g0bb9087-dirty preempt mod_unload ARMv6

    ReplyDelete
    Replies
    1. how can i compile a driver for cyanogenmod 10? I'm using modpunks Alpha2 release and want to enjoy the pwnage tools i had in cm7.2

      Delete
    2. What's the error you get when compiling on wildfire S?
      However I used CyanogenMod 7.2 and the driver goes very well!
      Monitor mode and packet injection at full speed!

      Delete
  9. i need a fix for htc thunderbolt it dont seem to want to play nice with the packet if u need the firm wares and stuff i have them if u wouldnt mind editing them.

    ReplyDelete
  10. i also am running imol 6.2.0 kernel

    ReplyDelete
  11. I would also like to have it work on HTC Desire. I mean the Nexus and Desire are nearly completely similar.

    Here's my firmware:
    http://www.speedyshare.com/4kce7/fw-bcm4329.bin

    It has MD5:
    ecea1dde28963dc1be365fff0b273681

    Wich is both different from yours and Sebastian Stammers.

    I have:

    Androidversion: 2.2

    Model: HTC Desire A8181

    Kernel: 2.6.32.38-Starburst-110416 sqn@drone #1

    Im running the ROM StarBurst Classic 1.5.1.0

    ReplyDelete
  12. Did the packet injection slowdown issue ever get "fixed" for the nexus one (bcm4329) ?

    Thanks
    XDS

    ReplyDelete
  13. Hi, anybody make run in motorola atrix 4g? I want to make my own KO any help will be appreciated

    ReplyDelete
    Replies
    1. need help to install for atrix
      mail S a n r o o t @ gmail . com

      Delete
  14. Hi there

    Im trying to run monitor mode from ubuntu arm installed in android but if i try to run it from ubuntu filesystem "/pt/monitor/" as root it showme the following error:
    setup.sh: 12: [: 1: unexpected operator
    LOADING MODULE
    SIOCSIFFLAGS: Operation not permitted

    but if i run it from the same ubuntu but diferent folder "/sdcard/gs2_bundle" it's works fine. the folder /sdcard is a simlink to the internal sd card of android and is used to move files from android to ubuntu
    The problem here is that im trying to build a ubuntu distro for android with many tools ported like wifi pineapple but for android, so if i can't run it from ubuntu i'll can't make an ubuntu image with all installed.
    Any idea?
    thank you good work!
    I need runit from u

    ReplyDelete
  15. Hi there is there is there a firmware for the galaxy note 2, I think it's a bmc4334

    ReplyDelete
  16. Hey i have Qmobile Noir A8 ... i would really appritiate if you can make me a frimware for that model ... + plz PM me if u have time
    My EMAIL is lpclpclpc43@gmail.com

    ReplyDelete
  17. Htc Explorer has bcm4329 so can anyone help?

    ReplyDelete
  18. Can work with htc wildfire s ?

    ReplyDelete
  19. I'm using Samsung Galaxy S2 I9100G bcmon works fine also airodump-ng runs but when I press 'c' it doesn't takes me again to command prompt to type plzz help me

    ReplyDelete
  20. hello I have GT s7392 cm11 monitor mode enable failed plzz help me

    ReplyDelete
  21. plzzz help me monitor mode elable fail plz help me friends. my model GT S7392 CYANOGENMOD 11

    ReplyDelete
    Replies
    1. change your android and cyanogen version..it may work

      Delete