Our Motivation
On the day we bought our first Android-based phone, we thought to ourselves: how nice it would be if we could use the common 802.11 pwnage tools?
We quickly realized that what was missing was monitor-mode support for the Wi-Fi modules.
For a long time we waited for someone to take the initiative and add support for monitor mode.
This year, during our summer vacation, we decided to add it ourselves.
Technical details
You might ask yourself why monitor mode is so common among laptop and USB Wi-Fi modules, and why there is not even one implementation of monitor mode for Android devices.
The short answer is that most common smartphones use the same chipset made by Broadcom, the bcm4329 or bcm4330, and Broadcom never added support for monitor mode.
The reason these chips are so common in smartphones is that they combine every short-range radio those devices need and, more importantly, they offload most of the protocol overhead to a dedicated on-chip processor and communicate with the Linux host using plain Ethernet packets.
Project Overview
During the last 3 weeks, we took on the mission of understanding how this device works.
At first, we compiled the driver in debug mode and noticed that the module strips the 802.11 headers in hardware and sends only Ethernet packets to the Linux host.
We concluded that in order to receive full 802.11 frames, a change to the device firmware is needed.
So we started reverse engineering the firmware, and after a few weeks we had a decent understanding of the packet receiving process.
** More details on the reversing process will be released soon.
With this knowledge, it took us only a few more days to get a first working version of the monitor-mode-enabled firmware.
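As an added example (not code from the bcmon project or its firmware), the conversion described above modelled in C: a FullMAC chip turns each received 802.11 data frame into an Ethernet frame for the host, while management frames such as beacons and association frames have no Ethernet form and are handled on-chip, so the driver never sees them without a firmware change. The sample frames are constructed and carry no FCS or encryption.

```c
/* Added example, not bcmon code: a host-side model of what a FullMAC chip such
 * as the bcm4329/bcm4330 does before handing a received frame to the Linux
 * driver. A raw 802.11 data frame goes in; the 802.11 MAC header and the
 * LLC/SNAP header are stripped and an Ethernet II frame comes out. Management
 * frames are rejected because they have no Ethernet equivalent.
 * Sample frames are constructed; no FCS, encryption or 4-address (WDS) frames. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FC_TYPE(fc)    (((fc) >> 2) & 0x3)
#define FC_SUBTYPE(fc) (((fc) >> 4) & 0xF)
#define FC_TODS        0x0100
#define FC_FROMDS      0x0200
#define TYPE_DATA      2
#define SUBTYPE_QOS    0x8        /* subtype bit 3 marks QoS data frames */
#define ETH_HLEN       14

static const uint8_t llc_snap[6] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00};

/* Convert one 802.11 data frame to Ethernet II. Returns the Ethernet frame
 * length, or -1 when the frame has no Ethernet equivalent (management or
 * control frame, WDS, missing LLC/SNAP) or does not fit in out. */
int wlan_to_ether(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    if (in_len < 24) return -1;
    uint16_t fc = (uint16_t)(in[0] | (in[1] << 8));   /* Frame Control, little-endian */
    if (FC_TYPE(fc) != TYPE_DATA) return -1;
    if ((fc & (FC_TODS | FC_FROMDS)) == (FC_TODS | FC_FROMDS)) return -1;

    const uint8_t *addr1 = in + 4, *addr2 = in + 10, *addr3 = in + 16;
    const uint8_t *dst, *src;
    if (fc & FC_FROMDS)    { dst = addr1; src = addr3; }   /* AP -> STA: SA in addr3 */
    else if (fc & FC_TODS) { dst = addr3; src = addr2; }   /* STA -> AP: DA in addr3 */
    else                   { dst = addr1; src = addr2; }   /* IBSS / ad-hoc */

    size_t hdr = 24;
    if (FC_SUBTYPE(fc) & SUBTYPE_QOS) hdr += 2;            /* QoS Control field */
    if (in_len < hdr + 8) return -1;                        /* LLC/SNAP + ethertype */
    if (memcmp(in + hdr, llc_snap, sizeof llc_snap) != 0) return -1;

    size_t payload_len = in_len - hdr - 8;
    if (out_cap < ETH_HLEN + payload_len) return -1;
    memcpy(out, dst, 6);
    memcpy(out + 6, src, 6);
    memcpy(out + 12, in + hdr + 6, 2);                      /* ethertype from SNAP */
    memcpy(out + ETH_HLEN, in + hdr + 8, payload_len);
    return (int)(ETH_HLEN + payload_len);
}

/* Constructed AP -> STA (FromDS) data frame carrying the first 8 bytes of an ARP. */
const uint8_t sample_from_ds[] = {
    0x08, 0x02, 0x00, 0x00,                          /* FC: data, FromDS; duration */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,              /* addr1 = DA (station) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0xAA,              /* addr2 = BSSID */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,              /* addr3 = SA */
    0x10, 0x00,                                      /* sequence control */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x06,  /* LLC/SNAP, ethertype ARP */
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01,  /* ARP request header */
};

/* Constructed STA -> AP (ToDS) QoS data frame with an IPv4 ethertype. */
const uint8_t sample_to_ds_qos[] = {
    0x88, 0x01, 0x00, 0x00,                          /* FC: QoS data, ToDS; duration */
    0x02, 0x00, 0x00, 0x00, 0x00, 0xAA,              /* addr1 = BSSID */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,              /* addr2 = SA (station) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,              /* addr3 = DA */
    0x20, 0x00, 0x00, 0x00,                          /* sequence control, QoS control */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00,  /* LLC/SNAP, ethertype IPv4 */
    0x45, 0x00, 0x00, 0x14,                          /* start of an IPv4 header */
};

/* Constructed beacon (management, subtype 8): consumed on-chip, never a packet. */
const uint8_t sample_beacon[] = {
    0x80, 0x00, 0x00, 0x00,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,              /* addr1 = broadcast */
    0x02, 0x00, 0x00, 0x00, 0x00, 0xAA,              /* addr2 = SA */
    0x02, 0x00, 0x00, 0x00, 0x00, 0xAA,              /* addr3 = BSSID */
    0x30, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00,  /* seq, timestamp, interval */
};

int main(void)
{
    uint8_t eth[1600];
    int n = wlan_to_ether(sample_from_ds, sizeof sample_from_ds, eth, sizeof eth);
    printf("FromDS data -> %d-byte Ethernet frame, ethertype %02x%02x\n", n, eth[12], eth[13]);
    n = wlan_to_ether(sample_to_ds_qos, sizeof sample_to_ds_qos, eth, sizeof eth);
    printf("ToDS QoS data -> %d-byte Ethernet frame\n", n);
    n = wlan_to_ether(sample_beacon, sizeof sample_beacon, eth, sizeof eth);
    printf("beacon -> %d (no Ethernet form, so the host never sees it)\n", n);
    return 0;
}
```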
Current Status
We currently have a patched firmware for the following chipsets:
- bcm4329 - Fully working monitor mode on our Nexus One
- bcm4330 - Fully working monitor mode on our Galaxy S II
We haven't tested it yet, but if you have a phone with one of these chipsets (and you most probably do), it should also work on your phone.
Further work
- Add packet injection support to the patched firmware
- Better implementation of the linux driver
- Create an APK bundle for "mass distribution"
Instructions
All the changes are volatile and should disappear after a device reboot. Please note, though, that this code is experimental and you use it at your own risk; we are not responsible nor liable for any damage or loss of data. Sometimes unexpected things might go wrong and you might end up with a device that is no longer functional. Be warned and take the responsibility yourself: it is your own risk and no one else can be held responsible.
Cyanogen 7 & Nexus one
- Download the zip: http://bcmon.googlecode.com/svn/trunk/bundles/nexus_bundle.zip
- Extract the zip on your device (your sdcard will do fine)
- Run 'sh setup.sh' in a terminal (adb shell, terminal emulator, ...)
- Now you have a Wi-Fi interface named eth0 in monitor mode
- Run 'iwconfig eth0' and check that you get similar output:
eth0 IEEE 802.11-DS ESSID:"" Nickname:""
Mode:Monitor Frequency:2.412 GHz Access Point: Not-Associated
Bit Rate:72 Mb/s Tx-Power:32 dBm
Retry min limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Managementmode:All packets received
Link Quality=5/5 Signal level=0 dBm Noise level=-92 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
Cyanogen 9 & GS2 (I9100)
- Download the zip: http://bcmon.googlecode.com/svn/trunk/bundles/gs2_bundle.zip
- Extract the zip on your device (your sdcard will do fine)
- Run 'sh setup.sh' in a terminal (adb shell, terminal emulator, ...)
- Now you have a Wi-Fi interface named wlan0 in monitor mode
- Run 'iwconfig wlan0' and check that you get output similar to the one above
Other phones
- Check out the source from http://code.google.com/p/bcmon/source/checkout
- Build the kernel module (.ko) for your device (the cyanogen wiki should be helpful)
- If it works, please tell us and send us the compiled version so we can list it here (if it doesn't work, contact us)
AirCrack binaries
We bundled useful binary executables for ARM:
- aircrack-ng suite
- tcpdump
- iwconfig
FAQ
- I get "Can't find wireless tools, exiting."
- Solution: Make sure you have 'iwpriv' on your system; just add a symbolic link from 'iwpriv' to 'iwconfig' (it is actually 'iwmulticall'),
available at: http://bcmon.googlecode.com/svn/trunk/bundles/utils.zip
Unzip them and run: 'chmod a+x -R aircrack misc'
Update: We added a statically linked version of the aircrack-ng suite.
Now you can have fun with commands like: 'airodump-ng -i eth0'
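An added example, not part of the bundle: a hypothetical preflight tool in C that tells apart the three insmod failures readers report in the comments below (not root, module not in the current directory, and a vermagic mismatch that insmod reports as "Exec format error" and dmesg as "version magic ... should be ...") before setup.sh is run. The module name, the tool name and the way it is invoked are assumptions.

```c
/* Added example, not part of the bcmon bundle: a hypothetical preflight tool.
 * It checks for root ('Operation not permitted'), that the module file is in
 * the current directory ("can't open"), and that the module's vermagic release
 * matches `uname -r` ('Exec format error'). Assumed usage, as root, from the
 * directory the bundle was extracted to:  ./preflight bcm4329.ko   (or dhd.ko) */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>

/* Locate the NUL-terminated "vermagic=<text>" entry the kernel build embeds in
 * every module and copy <text> to out. Returns 1 on success, 0 if absent or
 * if <text> does not fit in cap. */
int find_vermagic(const char *img, size_t len, char *out, size_t cap)
{
    static const char tag[] = "vermagic=";
    const size_t tlen = sizeof tag - 1;
    for (size_t i = 0; i + tlen <= len; i++) {
        if (memcmp(img + i, tag, tlen) != 0) continue;
        size_t start = i + tlen, end = start;
        while (end < len && img[end] != '\0') end++;
        if (end - start >= cap) return 0;
        memcpy(out, img + start, end - start);
        out[end - start] = '\0';
        return 1;
    }
    return 0;
}

/* The kernel refuses a module whose whole vermagic string differs from its own.
 * Only the first word (the kernel release) is compared here, since that is what
 * differs in the reports below; the flags after it must match as well. */
int release_matches(const char *vermagic, const char *release)
{
    size_t n = strcspn(vermagic, " ");
    return strlen(release) == n && strncmp(vermagic, release, n) == 0;
}

/* Read a whole file into a malloc'd buffer; returns NULL on failure. */
static char *slurp(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    char *buf = NULL;
    size_t cap = 0, n = 0, got;
    do {
        if (n == cap) {
            cap = cap ? cap * 2 : 65536;
            char *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
        got = fread(buf + n, 1, cap - n, f);
        n += got;
    } while (got > 0);
    fclose(f);
    *len = n;
    return buf;
}

/* Diagnose one module file. Returns 0 when insmod should succeed, 1 otherwise. */
int preflight(const char *path)
{
    if (geteuid() != 0) {
        puts("not root: insmod will fail with 'Operation not permitted'; run 'su' first");
        return 1;
    }
    size_t len;
    char *img = slurp(path, &len);
    if (!img) {
        printf("cannot open %s (%s): run from the directory you extracted the bundle to\n",
               path, strerror(errno));
        return 1;
    }
    char vm[160];
    int found = find_vermagic(img, len, vm, sizeof vm);
    free(img);
    if (!found) {
        printf("%s carries no vermagic string; is it really a kernel module?\n", path);
        return 1;
    }
    struct utsname u;
    if (uname(&u) != 0) return 1;
    if (!release_matches(vm, u.release)) {
        printf("version magic '%s' should start with '%s': insmod will fail with\n"
               "'Exec format error'; rebuild the module against this kernel\n", vm, u.release);
        return 1;
    }
    printf("vermagic '%s' matches this kernel; the module should load\n", vm);
    return 0;
}

int main(int argc, char **argv)
{
    return preflight(argc > 1 ? argv[1] : "bcm4329.ko");
}
```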
Call for help!
We have no intention of quitting this project soon, but in order to proceed we need some assistance:
- Donations
- Any amount will be appreciated...
- Another license for IDA Pro
- Cellphones with similar wifi chipset
- Experienced kernel module developer - To assist in the further development
Nice work. Can't wait to see packet injection.
Any way to use this on the 4325?
It shouldn't be too hard, but a change to the firmware is necessary and we don't have any bcm4325 device to do it with (the modification from 4329 to 4330 took only several hours).
What device are you using?
I've got an iPhone 3GS with a bcm4325, perhaps that's what he refers to?
Wow, great work here!! I had also noted they were stripping the 802.11 header. I really appreciate this work, thanks so much.
Patches from 2011, can be interesting: http://forum.xda-developers.com/showthread.php?t=1271854
As I recall 4325 is brcmsmac and supports monitor already in the wireless-testing tree. Just a matter of using the backport.
Anyway.... OMG... funny how the official kernel devs had said they were working on this for over a year and never got anywhere.
Nice work, thanks for the great effort and having monitor mode is good.
On a related topic, is it possible to get ad-hoc mode working on the bcm4330 chipset? I can do this on the bcm4329 (via CM7 on both Nexus 1 and Nexus S) with the iwconfig command, but I'd love to get this working on the Galaxy S II with CM9.
no response? i need ad-hoc mode too on my galaxy S2 :(
btw- does this break "Managed" mode? Or can you easily switch back and forth between managed and monitor? Ideally, you should be able to create a second interface like "moni0" that is in monitor mode and doesn't touch wlan0, which still runs in managed mode. Is this possible?
Currently it breaks the managed mode, so whenever the patched firmware is loaded the chip is always in monitor mode.
As for mon0 and wlan0, it is not simple at all, as Broadcom designed this chip as a full MAC, and our patch just converts it to a "stupid soft MAC" and sends the packets out of the chip without any further processing.
We can add this feature, but it will have a negative effect on performance (meaning more packet loss and a lower rate).
Great, thanks for the response! I'm not sure how it would create packet loss though. As long as the monitoring interface is still just sitting on the same channel, it just gets all of the packets. The managed interface would just get the packets that are filtered to the client's MAC.
The Managed interface expects to get Ethernet packets, and the Monitor interface expects to get wifi packets, so it's not just a matter of filtering.
If we want to deliver both of them out of the chip - we would have to duplicate some of the packets on the chip, and this would affect the performance.
another solution, when injection would work, we could implement a new soft mac driver on top of the monitor&injection firmware, and by this simulate the situation you described.
True, although it seems like another solution to this would be to modify the driver to actually expect 802.11 packets. This might be the simplest solution and would not require duplication. I don't think this would require a new soft mac in the driver, would it?
Anyway, very cool work and sincerely appreciated.
Well, you are correct, but making it work in monitor mode currently has some other effects that makes it harder, like the fact that currently we completely disable the chip's association state machine due to the fact that we "steal" every incoming packet, including the association & beacon packets, so if we still want it to work, we will have to either duplicate these packets on-chip, or deeply investigate how some of these mechanisms work.
As I said, it's completely possible, but currently we prefer to concentrate on new and cool features like injection.
Anyway, thanks for the great ideas and for the good words, we highly appreciate it.
We will keep this blog updated, so come back soon :-)
Cool, my cheap LG P350 has a BCM radio:
http://www.zoobab.com/lg-optimus-me
<3>[ 1.113441] bcm432x_sdcc_wlan_slot_status: 93 0
<6>[ 1.113478] [LGE] mmc1 - wifi is detected
<3>[ 1.113495] bcm432x_sdcc_wlan_slot_status: 93 0
There is a CM9 port for it, will try to install it.
Any success on this?
Could this work on the HTC Desire as well?
As far as I can recall these two are essentially the same hardware-wise..
Should work - Please update us when you try!
You sirs deserve my respect. ....and people claiming it's impossible :P
Please add Samsung Galaxy S 3 Broadcom chip support pls :}
Model: bcm4334
Available Androids for SGS3: Stock, AOKP, CM9, CM10
Are you sure that GS3 has bcm4334 and not bcm4330?
Could you post a link to a teardown with this information or send us your firmware?
** the firmware location is probably something like:
/system/vendor/firmware/fw_bcm4329(_apsta).bin
A quick Google search reveals that it is indeed bcm4334.
The only thing in /system/vendor/firmware is the .so file for the NFC chip. My S3 is running Paranoid Android which is a modified CM10.
https://github.com/CyanogenMod/android_device_samsung_i9300/blob/jellybean/proprietary-files.sh
The listy list of all Samsung Proprietary Drivers in an S3 device
Interesting Lines (tm)
adb pull /system/bin/bcm4334.hcd ../../../vendor/$MANUFACTURER/$DEVICE/proprietary/system/bin/bcm4334.hcd
adb pull /system/bin/bcm4334_murata.hcd ../../../vendor/$MANUFACTURER/$DEVICE/proprietary/system/bin/bcm4334_murata.hcd
adb pull /system/bin/bcm4334_semcosh.hcd ../../../vendor/$MANUFACTURER/$DEVICE/proprietary/system/bin/bcm4334_semcosh.hcd
my S3 wifi is "murata", if they wish, I will upload :)
or should just downloading the latest CM10 nightly work?
It won't work, we need a phone with this chipset to create a patched firmware version.
Would giving you those files help?
Note, I'm not that other guy, I just also happen to have an S3.
Correct me if I'm wrong, but although the i9300 apparently uses bcm4334, I believe other models of the galaxy S3 (such as the US T-Mobile variant [d2tmo]) in fact DO use the 4330... if that is the case, then in theory one would just have to compile the code? I've been working on setting up a working cm9/cm10 build environment for d2tmo, but I've a lot to learn still...perhaps someone else could compile it for us?
(or give me a hand setting up said build environment, if you're REALLY cool ;X)
hi.. where can i get Programming guide and Data sheet of BCM4330..??
Hi, Excellent... It works for me.... Could I know how to trigger monitor mode in the command line? Thanks...
che .com.ar, do you speak Spanish? Thanks and regards!
Very nice...been waiting for this to happen...got my donation
I guess it's time I downgraded to CM7 then. Tried to run the script on JellyBean, but it failed. (HTC Desire)
Pretty damn excited to try this!
Could this theoretically work on the iPhone 4? It has the BCM4329 chipset.
I don't own Apple hardware but it should be possible, we will try to team up with someone that owns one.
I got the following error when running setup on the Epic 4G Touch (Sprint's Galaxy S2). It has the bcm4330 chipset. Any ideas of what's wrong? Also, can I inject into a Wi-Fi network?
a/local/bin:$PATH <
app_35@android:/ $ su
app_35@android:/ # cd /sdcard/gs2_bundle
app_35@android:/sdcard/gs2_bundle # sh install.sh
sh: install.sh: No such file or directory
up.sh <
Original module loaded. disabling WiFi
LOADING MODULE
insmod: init_module 'dhd.ko' failed (Exec format error)
error: SIOCGIFFLAGS (No such device)
255|app_35@android:/sdcard/gs2_bundle #
Look at your dmesg log, I guess you'll see wrong kernel ver magic.
If this happens you'll have to compile the kernel module for your version or take a risk and replace the kernel ver magic.
Hi, I have the same problem. From dmesg, I got:
bcm4329: version magic '2.6.37.6-cyanogenmod-g0799e00 preempt mod_unload ARMv7' should be '2.6.35.7-ge0fb012 preempt mod_unload ARMv7'
I am not familiar with this. Could you please let me know how to compile the kernel module for my version or how to replace the kernel? Thanks a lot.
According to ifixit the last Google phone, Galaxy Nexus, uses the BCM4330 chipset too.
http://www.ifixit.com/Teardown/Samsung-Galaxy-Nexus-Teardown/7182/1
Just tried on my Galaxy Nexus... I rebuilt the kernel module and it inserts, but the interface will not come up: http://pastebin.com/KLfDWdJh
Can't insmod on my device; no issue, compiling right now and will send you a new module for the AT&T Galaxy Note once I have ensured that it works. Where should I send it?
Does it work on the Galaxy Note (N7000)?
Can you remove the client limit from the AP mode? You've reverse engineered the driver so it shouldn't be so hard to do.
I know somebody will say that nobody needs it, but believe me, some people need e.g. 20 devices connected at the same time, and a PC or USB WiFi module does NOT have such a limitation, so why do we have to have it on our Android smartphones??
Wow you guys! I've been waiting for something like this for a long time and I would like to contribute by testing it on my GNote. If you guys have made one for the GNote send me an email and I will test it for you.
Running the sh setup.sh I'm getting:
LOADING MODULE
insmod: can't open 'bcm4329.ko'
error: SIOCGFFLAGS (No such device)
This is on a Nexus One (CM9 I believe)
Any help?
sorry, CM7
You should run the script in the same directory as 'bcm4329.ko'.
Make sure that you have the latest stable version of CM 7.2.0, I had the same situation.
First of all, great work and thanks :)
Now about my problem on Nexus One. I loaded the module and confirmed that monitor mode is working, extracted aircrack-static binaries to /data/local/bin and when tried to start airodump-ng it complained about missing wireless tools. I checked even before that there is some version of iwconfig and iwpriv on the system in /system/xbin/ and that they seem to work as they should, but for some reason airodump can't find/use them. I tried all sorts of combinations to copy/link them to /data/local/bin, tried your version of iwconfig from utils.zip, changed $PATH so that it doesn't point to /system/xbin hoping that airodump will use just iwconfig that you supplied and I pointed, but it still doesn't want to start :)
Are there any other options that you could suggest?
I'll try to fix it now, I believe this is the problem:
** from osdep/linux.c
static const char * paths [] = {
"/sbin",
"/usr/sbin",
"/usr/local/sbin",
"/bin",
"/usr/bin",
"/usr/local/bin",
"/tmp"
};
fixed it, try downloading the updated version of utils.zip
Great, tried and now it purrs like a kitty :)
Thanks again, respect for your work.
If packet injection will work, support for 802.11s would be really cool. Many people work on this and if most mobiles would support mesh, there are great new use cases.
Very cool work, I'm very impressed
I was wondering how I could find out what chipset my phone has, everywhere I look there seems to be no information... I have a HTC sensation (pyramid)
Will this work on the T-Mobile GS2 T989?
(this is sort of a part 2 to a previous problem)
I flashed my Nexus One to CM7.2 and I'm not getting my old error, so that's good. But now I'm getting:
$ sh setup.sh
Original module loaded. disabling WiFi
[1] Killed svc wifi disable
LOADING MODULE
insmod: init_module 'bcm4329.ko' failed (Operation not permitted)
error: SIOCSIFFLAGS (Permission denied)
Any (more) help?
Cheers
you need to run 'su' before.
Using a Samsung Galaxy S3 here. The mantra wifi drivers are not compatible with either of these. Is there anything I can provide you with to help you reverse patch this driver?
I'm having a friend's GS3 this weekend to play with, if you want you can get us a beer :)
I will buy you 12 :)
Try reading the cyanogen wiki:
http://wiki.cyanogenmod.com/wiki/Building_Kernel_from_source
after setting the build env (downloading the sources and tools) you will need to run 'make modules SUBDIRS=drivers/net/wireless/bcm4329'
To all of you who had troubles loading the driver, try running dmesg and look for any errors that seem related...
This can help you (and us) to identify the real problem :)
Tried the CM9 GS2 bundle on my Galaxy Note and I got this error.
LOADING MODULE
insmod: init_module 'dhd.ko' failed (Exec format error)
ifconfig: SIOCGIFFLAGS: No such device
If you get "(Exec format error)" then you probably have a wrong ver magic. That means that your kernel configuration is different from the one we used to compile our version.
Look at your dmesg log to confirm.
I am using a Galaxy Note (N7000) with CM9-RC1. I used the dhd.ko from /system/lib/modules/ and replaced the dhd.ko from the CM9 GS2 Bundle, somehow I got this output when I typed in "sh setup.sh"
ifconfig: SIOCSIFFLAGS: Operation not permitted.
I think I'm getting somewhere here.
I guess the error could be solved by running 'su' but what you are trying to do will not work because of kernel version differences.
You will have to recompile the kernel module for your version...
I should be able to get this working on my nexus 7 (also bcm4330), i'll let you know what goes down. I also have an itouch 4 (bcm4329) that i think i'll mess with and see what I can do.
Let us know where you got, Nexus 7 support would be neat.
Am I missing something in your repository or does this involve only 2 line changes in the source? Trying to get it to work on the 4334 by myself.
I will try converting our solution to bcm4334 this weekend, I don't know how to answer that yet.
When I put "chmod a+x -R aircrack misc" it said Bad mode
why??????
I have galaxy s2 cm9.1.0 stable
1) Is the aircrack executable on your SD card? If the answer is yes, move it to a native Linux partition (FAT32 partitions don't have permissions)
2) If the answer to the last question is no, try chmod 777 ...
I tried compiling the source against a kernel for the AT&T Galaxy Note (SGH-I717). No dice. Getting some errors when I try to send any sort of command to the chipset (the module I have compiled loads just fine now). The errors seem mainly centered around the bus (internal to 4330?) not being ready. Double checked that the Note uses the 4330 and not the 29 or a newer chip like the 34. Unless they are misleadingly labeling the firmware, then it is truly a 4330. Any thoughts on the matter? I am compiling against a known stable kernel for CM9.
Is there another place to discuss minor dev work other than this comment section (don't want to contribute to clutter if there is)?
Thanks
You can email us at contact.bcmon at gmail dot com.
In the meantime look at your dmesg log and check if you see something like:
<4>[ 168.994262] Dongle trap type 0x3 @ epc 0x80e308, cpsr 0x20000003, spsr 0x21000210, sp 0x47920,lp 0x8117ff, rpc 0x80e308 Trap offset 0x478cc, r0 0xc701ff0f, r1 0x23d98, r2 0x1, r3 0x18000300, r4 0xc701ff0f, r5 0x23d98, r6 0x445dc, r7 0x23d98
Nope, nothing like that... sending off a log via email to you.
Can someone post if they are able to get this working with their Galaxy Nexus?
Can't get it working on HTC Nexus One CyanogenMod 7.2.0 stable with Super User permissions.
LOADING MODULE
insmod: can't open 'bcm4329.ko'
error: SIOCGFFLAGS (No such device)
Can tcpdump show the per-packet signal strength with the new driver?
Yes.
Is someone kind enough to show me a link to compile a dhd.ko? I would really like to help develop this.
Okay I think this is what I'm looking for. I'll go try this one out: http://forum.geeksphone.com/index.php?topic=2366.0
I was able to run the setup.sh script and the aircrack static binaries, but iwconfig and tcpdump keep saying "No such file or directory". Missing shared libs? I'm using an I9100 and I tried with CM 9.0, 9.1 and the 09/16 daily build. Which CM9 version should I use, or if possible kindly also include a static build of iwconfig and tcpdump. Thanks for your work!
I also have this problem. Did you manage to solve it?
I have a HTC Nexus One...How do you run the setup.sh on a terminal like terminal emulator?
sh setup.sh ??
message: Can't open setup.sh
What to do?
Have you "cd" to the correct DIR? or "su" first?
Hi, I am using a Galaxy S3 (WITH Broadcom 4330 chipset)......
I mean, do I need to do other things, such as edit the script? or just compile it from the checkout in SVN?
I cloned the source code already....
and I have an ARM Linux , I can just direct compile in ARM-eabi v7l, and also "include" kernel source(se-infra@3.0.3.1) first in Makefile..........
1.run build.sh
2.make
will these steps able to make it work on s3?
or this need a technical source code modify to make it work?
From what I learned GS3 has a broadcom 4334 chipset,
and we didn't port our firmware patches to this chipset...
I believe that in the next few weeks we will have a working firmware for this version.
hoping for it :))))
Hello! I have an HTC Sensation XL phone. I do not know what my chipset is: bcm4329 or
bcm4330! I have Root (super user). I tried 2 files at a time, bcm4329 or bm4330.
1.Download the zip:
2.Extract the zip on your device (your sdcard will do fine)
Open terminal:
$ su
# Cd sdcard (enter)
# Cd gs2_bundle (enter)
# Sh setup.sh (enter)
LOADING MODULE
insmod: init_module 'dhd.ko' failed (Exec format error)
error: SIOCGIFFLAGS (No such device)
#
What am I doing wrong?
I would be very grateful for the help me!
Software version:
Android version: 2.3.5
HTC Sense version: 3.5
Number: 1.05.401.4
Additionally (radio version, kernel, and other data):
Kernel version: 2.6.35.13-g04ab942 htc-kernel @ and18-2 # 1 Thu Oct 27 17:43:33 CST 2011
Radio version: 20.5101.30.0822U_3822.10.10.12_M
Build number: 1.05.401.4 CL185058 release-keys
Browser version: WebKit/533.1
Hi Guys, Nice Work.
Are the changes just in the firmware or do I have to compile the kernel module as well?
I'm doing this on the Nexus 7 (3.10 tegra, grouper branch) which already has a version of the dhd driver built in..... I've broken that out as its own module anyway but like I say do I have to use your dhd code?
Any update on nexus 7? would love to help get this going.
I would love to test a kernel...but I really like using Ubuntu 13.04 on my N7. I'm guessing it won't work after flashing another kernel. I'm using the modified stock 4.2 kernel on this page: http://forum.xda-developers.com/showthread.php?t=2011403 Maybe someone with more skills could make further mods to this copy?
Great work guys! I just wanted to ask a couple of small questions.
I have a HTC 4G phone. I found a bcm4329.hcd file in supersonic's firmware directory in the CM android source tree. Have you done any modifications to this file? Also, is it possible to enable promiscuous mode on the bcm4329 card in managed mode?
The driver now is not stable. If we start tcpdump, it will stop capturing traffic after a few minutes or less. Looking at dmesg, we see ioctl errors.
While using a Galaxy S2 i9100, after running 'sh setup.sh' I get "original module loaded. disabling WiFi"
"LOADING MODULE"
then it just goes right back to the
"app_127@android:" line, and iwconfig / iwconfig wlan0 return with
" Sh: can't open 'iwconfig', any ideas?
Iwconfig is a part of wireless tools! You have to cross-compile/install them
Wow! Would love to see this on my Galaxy S3:) (GT-I9300)
Using CM 9
I've just posted my thread. The easiest way of getting monitor mode using your sources. http://forum.xda-developers.com/showthread.php?p=32884345#post32884345
Very cool what you're doing here. Two questions:
1. Can you comment on what the battery life is like under typical use-cases e.g. passively collecting packets?
2. How does the phone behave with respect to sleep mode? If you leave packet collection running, will collection continue until the phone battery is depleted or does the phone enter sleep mode after some interval e.g. 10 minutes?
Bryce.
We didn't benchmark this, but it will drain your battery.
After you finish capturing packets you should unload the monitor mode firmware.
I got the Exec Format Error, but just then I saw the post asking for "Don't post any comments on this...". Will you guys ever work on the LG Optimus Black P970? I would buy you a pack of beers!
Is there any way for the Samsung Galaxy Note N7000 to make monitor mode work?
I too have been working on monitor mode for Android, though using an external USB Wi-Fi card (ALFA AWUS036H) and without root. I've just released a proof of concept on Google Play and the source on github. More details at http://bryce-thomas.blogspot.com.au/2012/10/introducing-liber80211.html.
Though your method requires root, I love that it uses the internal chipset. Any plans for putting together a basic tute on how you went about achieving what you did/something others can work off?
Yes, I just need to find some time to write one...
I tried with Nexus S 3G, it works. But I also get some trouble.
1. I can only capture the traffic from clients to access point with tcpdump in 802.11n. But 802.11g works fine.
2. If I leave the monitor mode for about twenty minutes, the phone will reboot automatically.
BTW, did you modify the firmware?
Thank you!!
Hello to all such, for samsung galaxis if 9000 has the BCM4329 chip, would also be compatible if carrying the cyanogen sigiendo galaxis steps 2, thanks for all friends.
How to use it on the LG Optimus Black? It gives an error
error: SIOCGIFFLAGS (No such device)
Do I need CyanogenMod, or is it possible to run it on lite'ning rom, too?
If it isn't possible I will try to make a dualboot with siyah-kernel ;)
It would be helpful to know exactly what kernel to flash on the Galaxy i9100. I've tried flashing two Galaxy S2 units following the cyanogen wiki, always getting the same error: SIOCGIFFLAGS (No such device)
Anyway it is a great job and we know it is a big effort. Go on developing this please!
You can use nearly any kernel, but you have to compile the dhd.ko file for your specific kernel to get it to work. And you have to cross compile wireless-tools using the NDK to get aircrack working.
Galaxy Note support?
How to build your driver for Galaxy TAB 2 (P3110)?
Hello!! I tried to run monitor mode on Xperia S LT26i bcm4330
insmod: can't insert 'dhd.ko': invalid module format
ERROR: SIOCGIFFLAGS (No such device)
I try it on cm9.1.0 and Miui same error
You have to compile the dhd.ko file for your specific kernel.
How can I make it? Do you have a guide? =)
Put the code of this project in the code of your kernel and compile it :). It's not difficult :)
Hi Developer Team,
I got the NovaThor U8500 chipset. Do you know if it supports monitor mode by any chance? If not, can I use the methods you have provided to enable it? Any help is appreciated
Done the above, but can't get airodump-ng to work, I just get airodump-ng not found
Ok managed to sort out the previous problem by copying the aircrack-ng suite into /data/local/bin/ and chmod 711, now does anyone know how
to update the airodump-ng oui file to get the latest vendor codes? as running the airodump-ng-oui-update script does not seem to work. This is all on a Nexus One by the way.
I got airodump working on a s2 with siyah-kernel!
I simply cross-compiled wireless tools with the Android NDK and it works!
Latest vendor codes can be added by manually creating or copying airodump-ng-oui.txt from an updated installation of aircrack-ng and copying into /usr/local/etc/ on the phone, which didn't exist on my Nexus One so I had to create it first. Also I had to remount as rw to do this.
Is it possible to switch back to managed mode without rebooting the phone?
Yes, of course, you just have to write a script which unloads the dhd.ko module and loads the original module (nearly the same thing that setup.sh does).
hi
I want just to ask if it works on the Xperia Arc S LT18i
It should work, if your phone has the bcm4329 or bcm4330 chipset. Just compile it for your kernel and it will work ;)
Is it possible to enable a second wlan interface with the bcm4330 chip? I tried it, but I can't load a second interface with the original driver, because both drivers have the same name.
how about helping out with the Acer A500 and LG Optimus 2X. Aircrack is installed, just need monitor mode
is it working for the SG-Gio?
Do you need cyanogen to run this?
I have a Samsung Galaxy Note 2...I know it has a 4330
My mistake, it's 4334
I have compiled your driver for Galaxy Tab 2 but it does not start with your fw. What could be the problem?
Not sure. Can you upload the ko somewhere? Or email it to me at plugsmustard@gmail.com
Hi, sorry for my English, I wanted to congratulate you for the excellent work. I wanted to know if you could release a driver compiled for the S2-SiyahKernel v5.0.1, I could not figure out how to compile it, you would be really nice. Or could you explain how to compile the driver for the S2-SiyahKernel v5.0.1.
Hi, is there already a solution for the bcm4334?
I have a Galaxy S3 and would love to try it...
Thanks in advance..
mike
same question ?
When I replace files in the kernel source with your files, I am getting this error:
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c: In function 'wl_setup_wiphy':
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c:5458: error: 'struct wiphy' has no member named 'max_remain_on_channel_duration'
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c:5459: error: 'struct wiphy' has no member named 'mgmt_stypes'
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c:5468: error: 'WIPHY_FLAG_SUPPORTS_SEPARATE_DEFAULT_KEYS' undeclared (first use in this function)
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c: In function 'wl_inform_single_bss':
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c:5597: error: too many arguments to function 'ieee80211_channel_to_frequency'
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c: In function 'wl_notify_connect_status_ap':
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c:5796: error: too many arguments to function 'ieee80211_channel_to_frequency'
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c:5806: error: implicit declaration of function 'cfg80211_rx_mgmt'
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c: In function 'wl_notify_rx_mgmt_frame':
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c:6475: error: too many arguments to function 'ieee80211_channel_to_frequency'
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c: In function 'wl_construct_reginfo':
drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.c:8104: error: too many arguments to function 'ieee80211_channel_to_frequency'
make[4]: *** [drivers/net/wireless/bcm4330/src/wl/sys/wl_cfg80211.o] Error 1
make[3]: *** [drivers/net/wireless/bcm4330] Error 2
make[2]: *** [drivers/net/wireless] Error 2
make[1]: *** [drivers/net] Error 2
make: *** [drivers] Error
Can someone help me?
What i am doing wrong?
My phone is Samsung Galaxy Beam, kernel sources i got on samsung open source.
Sorry for my English.
Hi, did you manage to solve your problems? I also have the Beam with the NovaThor chipset and I'd love to see that work on that device.
Help! I am trying to load this onto an S2 Skyrocket. I compiled the module and it appears to load, but nothing shows up in iwconfig. dmesg appears to indicate that it has something to do with p2p. Anyone know how to fix this?
<4>[ 216.918792] dhd_early_suspend: enter
<4>[ 216.918823] dhd_set_suspend: enter, value = 1 in_suspend=1
<4>[ 217.083862] dhdsdio_write_vars: Download, Upload and compare of NVRAM succeeded.
<4>[ 217.221191] dhd_wl_ioctl_cmd: WLC_GET_VAR: p2p, error = -23
<4>[ 217.222198] dhd_wl_ioctl_cmd: WLC_GET_VAR: p2p, error = -23
<4>[ 217.222229] Firmware up: op_mode=1POWER_VAL = 1
<4>[ 217.328613] Firmware version = wl0: Jan 17 2012 09:18:41 version 5.90.100.311 (CCX)
<4>[ 217.348815] Broadcom Dongle Host Driver: register interface [wlan0]dhdsdio_probe : the lock is released.
<4>[ 217.360473]
<4>[ 217.360473] Dongle Host Driver, version 1.15.11
<4>[ 217.360504] Compiled in drivers/net/wireless/bcmdhd-new/src on Dec 13 2012 at 13:01:52
<3>[ 217.363464] CFGP2P-INFO2) wl_cfgp2p_supported : wl p2p error -23
insmod: init_module 'dhd.ko' failed (Exec format error) on a Samsung Galaxy S3 i747m, BCM4330
Oh, here is the coolest stuff I am reading through this post. Seems very interesting.
Samsung Galaxy S2 team, great work. Is there an update on the S3 development?
This doesn't seem to work on the Galaxy S2 Skyrocket. I'm getting the same error about "'dhd.ko' failed". What a shame, as we would love to provide assistance in developing.
Hello sir,
I would like to port the 4330 driver to my phone (Galaxy Y GT-S5360).
For that I need to compare the original kernel source and the version modified by you.
So if you post the original kernel source from which you started this work, it will be a great help for people like us.
Big thanks for such great work.
When are you going to make it for the Galaxy Y GT-S5360?
It's a great thing because more people are using the Galaxy Y GT-S5360.
Thanks and great job!
Can you make one for the Nexus 4? It's a really popular phone, and even more people would get it with all the backorders they have.
Would it be possible for someone to make a simple installer to make the process even easier?
Or even a zip we could flash?
I am using a Galaxy Nexus with CM10. How can I use monitor mode on my device?
Currently running a GS2 rooted with Jelly Bean. Downloaded and followed your directions. Can't open monitor in terminal emulator???
Thanks for your great effort.
My phone is a Samsung Galaxy S II (GT-I9100) and I have flashed the
3.0.15-CM-g3de9504 inky-ghost@cyanogenmod #2 kernel with CyanogenMod version 10.1 NIGHTLY i9100.
Then I installed Backtrack5arm from the Google Play Store and aircrack-ng after that, and then followed your instructions above, but I couldn't get a successful airodump-ng yet.
The result was:
root@localhost:~/Desktop/sdcard/gs2_bundle# sh setup.sh
Original module loaded. disabling WiFi
setup.sh: line 14: svc: command not found
LOADING MODULE
insmod: error inserting 'dhd.ko': -1 Invalid module format
wlan0: ERROR while getting interface flags: No such device
Moreover, how should I recognize what my phone's WiFi chipset is?
I wonder if it is bcm4330 or not!
Please help me, I've been working on this case for a week!
Also, the result for airmon-ng is:
root@localhost:~# airmon-ng
Interface Chipset Driver
wlan0 Unknown bcmsdh_sdmmc - [phy0]
# as you see the chipset is unknown!
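Two questions recur in this thread: "Invalid module format" / "Exec format error" from insmod, and how to tell which Wi-Fi chip a phone actually has when airmon-ng prints "Unknown". The following is an added diagnostic written for this page; it is not part of the bcmon bundle, its setup.sh, or any commenter's code. It assumes a standard Linux sysfs layout (/sys/bus/sdio/devices/<id>/vendor and device) and the usual "vermagic=" string in the .modinfo section of a .ko; the function names and the sample .ko contents in the usage are constructed for illustration. The first failure is almost always a module built against a different kernel release than the one running, and the vermagic check below shows that mismatch before you touch insmod.

```shell
#!/bin/sh
# Added diagnostic helpers (not part of the bcmon bundle or its setup.sh).
#  1. insmod reports "Invalid module format" / "Exec format error" when the
#     module's vermagic (kernel release + config flags) does not match the
#     running kernel. Read the vermagic string out of the .ko and compare.
#  2. Identify the Wi-Fi chip from the SDIO vendor/device ids in sysfs
#     instead of trusting airmon-ng's "Unknown" chipset column. Broadcom's
#     SDIO vendor id is 0x02d0 and the device id is the chip number.

# Print the vermagic string embedded in a kernel module (.ko).
# Splits the binary into printable runs so no binutils (strings) is needed.
ko_vermagic() {
    tr -c '[:print:]' '\n' < "$1" | sed -n 's/^vermagic=//p' | head -n 1
}

# Compare the module's kernel release with the running kernel (or with the
# release given as $2). Returns 0 on match, 1 on mismatch or missing vermagic.
ko_matches_kernel() {
    _ko_release=$(ko_vermagic "$1" | cut -d' ' -f1)
    [ -n "$_ko_release" ] && [ "$_ko_release" = "${2:-$(uname -r)}" ]
}

# Map one SDIO device directory (e.g. /sys/bus/sdio/devices/mmc1:0001:1)
# to the chip name used by this project. Unknown Broadcom ids are reported
# as unsupported rather than guessed.
sdio_chip_name() {
    _vendor=$(cat "$1/vendor" 2>/dev/null)
    _device=$(cat "$1/device" 2>/dev/null)
    case "$_vendor:$_device" in
        0x02d0:0x4329) echo "bcm4329" ;;
        0x02d0:0x4330) echo "bcm4330" ;;
        0x02d0:0x4334) echo "bcm4334" ;;
        0x02d0:*)      echo "broadcom-unsupported($_device)" ;;
        *)             echo "not-broadcom($_vendor:$_device)" ;;
    esac
}

# Usage on the phone, as root:
#   for d in /sys/bus/sdio/devices/*; do echo "$d: $(sdio_chip_name "$d")"; done
#   ko_matches_kernel ./dhd.ko || echo "dhd.ko built for '$(ko_vermagic ./dhd.ko | cut -d' ' -f1)', running $(uname -r): rebuild it"
```

If ko_matches_kernel fails, no amount of reflashing firmware helps: the .ko has to be rebuilt against the exact kernel tree (and config) the phone is booting, which is why the same bundle works on one S2 ROM and fails with "no such device" on another.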
Hi,
I have a Samsung Galaxy CDMA Pop SCH-I559.
Could you please let me know whether the above process works for my mobile for WiFi cracking, and if yes, how?
swamyhrd at gmail dot com
I have a Samsung Illusion; can you email me if you get a chipset for that, at jokerthebroker@gmail.com
Hello, I have a Galaxy Nexus and its chipset is bcm4330. I compiled dhd.ko, but it doesn't work.
Here is the dmesg output:
<4>[ 9429.901885] dhdsdio_membytes: write 4 bytes at offset 0x00007ffc in window 0x00040000
<4>[ 9429.902679] CLKCTL: turned OFF
<4>[ 9429.902770] dhdsdio_clkctl: 3 -> 1
<4>[ 9431.461334] dhdsdio_htclk: HT Avail timeout (2000000): clkctl 0x50
<4>[ 9431.461517] dhdsdio_clkctl: 1 -> 1
<4>[ 9431.461700] dhd_bus_init: clock state is wrong. state = 1
<4>[ 9433.023834] dhdsdio_htclk: HT Avail timeout (2000000): clkctl 0x50
<4>[ 9433.024017] dhdsdio_clkctl: 1 -> 1
<4>[ 9433.024597] dhd_bus_start failed bus is not ready
<4>[ 9433.024810] dhdsdio_probe: dhd_bus_start failed
<4>[ 9433.035888] Broadcom Dongle Host Driver: register interface [wlan0]dhdsdio_probe : the lock is released.
<4>[ 9433.045349]
<4>[ 9433.045349] Dongle Host Driver, version 1.15.11
<4>[ 9433.045349] Compiled in /home/mrbaron/driver/bcmon-read-only/bcm4330/driver/src/bcmdhd/src on Feb 20 2013 at 13:29:23
<4>[ 9434.601959] dhdsdio_htclk: HT Avail timeout (2000000): clkctl 0x50
<4>[ 9434.602142] dhdsdio_clkctl: 1 -> 1
<4>[ 9434.602447] dhd_bus_init: clock state is wrong. state = 1
<4>[ 9436.164459] dhdsdio_htclk: HT Avail timeout (2000000): clkctl 0x50
<4>[ 9436.164764] dhdsdio_clkctl: 1 -> 1
<4>[ 9436.165069] dhd_bus_start failed bus is not ready
<4>[ 9436.165252] dhd_open: failed with code -19
Can you help me fix it?
Dear Sir,
I have a Karbonn A21, so which tool do I use?
Thanks in advance....
Umm, the source checkout link doesn't exactly show anything. I think you should fix it, because there isn't a way to get to the read-only checkout.
Can it work on my Desire HD? (using Jellytime OS) The phone is rooted.
Running Jellytime on Desire HD.
Got this after "su" and "sh setup.sh":
LOADING MODULE
insmod: init_module 'bcm4329.ko' failed (Exec Format Error)
error: SIOCGIFFLAGS (no such device)
Help please.
Wanted to ask a question, though not on topic... MTK platform MT6573, chip MT6620. I'm interested in whether capturing packets in monitor mode is possible on this chip. I'll deal with the driver myself...
Here are the chip specifications:
Low power, small size and high performance WLAN/Bluetooth/GPS/FM solution
WLAN 802.11 a/b/g/n dual band single stream (20/40MHz) with dual band LNA and 2.4GHz PA integration
Bluetooth 3.0+HS and V4.0 Low Energy support with PA integration
Support GPS/Galileo/QZSS/SBAS with -165dBm tracking sensitivity
FM Tx/Rx with RDS/RBDS support
Support WAPI hardware encryption and Wi-Fi Direct
Support FM over Bluetooth
PLC (Packet Loss Concealment) technology for superior audio quality
Advanced AlwaysLocateTM location awareness technology with ultra low power consumption
Flexible host interfaces support include single SDIO interface for all wireless functions
Thanks in advance!!!
Man! I want your help. I am running CM 9.1 build #14 stable by yash, which has a bcm4330 chipset, and I am not able to run sh setup.sh on my HTC Explorer using terminal emulator. Please help and give me simple instructions when you reply, and remember that I am a noob in these internal matters.
Any ideas on the programmable RF chipsets available at Broadcom? Thank you.
I just got hold of a spare Nexus One. Installed the bundle to get monitor mode working, and confirmed the setup.sh script runs with no errors. However, when trying to execute airodump-ng I am getting a Permission Denied error. Any suggestions?
I got this on a Galaxy S2 (Omega ROM; should I use the CyanogenMod version?)
sh setup.sh
LOADING MODULE
Assuming firmware path: /storage/sdcard1/Programi/gs2_bundle/bcm4330_sta.bcmon.bin
insmod: can't insert 'dhd.ko': invalid module format
error: SIOCGIFFLAGS (No such device)
255|root@android:/extSdCard/Programi/gs2_bundle #
Hi, I'm from Germany.
I have one Samsung Galaxy S3 GT-I9300 for free for you, but my English is not good :-(
Please send me an e-mail at Simon.Gleinert@live.de or add me on Facebook (Simon Gleinert), and I want to send the S3 to you so you can maybe enable monitor mode on it :-)
Hello, I have to write in English with Google Translate, I hope you can help. On a Samsung S2 I ran aircrack-ng -b (bssid) (filename-01.cap) and it wrote that I should specify a dictionary with the -w option. I created one on my own, but I don't know whether it was created properly; when I run aircrack-ng -b (BSSID) ahmet-01.cap I get an error. Thanks in advance, I can correct it.
Monitor mode for mt6620
Monitor mode for MediaTek (MT6620 and MT6628)
But is it possible?
Any way to get monitor mode working on CM 10.1 with the 3.0.31-CM-ga034655 kernel & BCM4330?
I get the message:
init_module 'dhd.ko' failed (Exec format error) SIOCGIFFLAGS (no such device)
Any help much appreciated.
Does it support the SE Mini Pro?
Is this working on the Verizon GS4 yet....
Does anyone have this working for the Xoom?
Thanks for your great effort. I really appreciate your job.
How about the S Duos? I'm having difficulties.
I'm trying to put it on a Galaxy Tab 2 (P3110),
but when I put the adapter into monitor mode:
insmod ./dhd.ko iface_name=wlan0 firmware_path=./bcm4330_sta.bcmon.bin nvram_path=/system/etc/wifi/nvram_net.txt
and then start airodump-ng, I receive:
Operation not permitted
Maybe I should give you the original .bin from my device?
What must I do if I want this to work on my phone? I have a GS3 and I really don't know where to start. I installed the apk and when I open it, under firmware model it says it's not detected. Must I modify the kernel or something? My phone has the original kernel. All I did to the GS3 was root it. Can someone give me some help?
I need help too.
Can't run as root, 'su' failed. HTC Desire C
Please can you make it work for the GS3?
Nice work. Could I know how to trigger "monitor mode" from the command line? Thanks.
I have a Galaxy Tab 3 SM-T211, does it work?????
Working on the Galaxy S Advance (I9070p)?
Thanks
Nice work. I can't get this thing to work on my S2. I get the "no such device" error; I am running CM 11 and maybe that is why it's not working. If someone has an idea, please tell me. Cheers
How can I make it work on a Note 3?
Hello to the whole team. Question: is there any chance you'll do this for the MediaTek mt6628 chip?