Sunday, July 14, 2013

Monitor Mode Reloaded

Since most of you experienced some trouble during the kernel compilation...
We worked hard during the last months to bring an easy-to-use solution that won’t require kernel modifications.

The new solution is a normal Android APK that you can try to install on your **ROOTED** device.
It should work on most devices with the supported chipset, but we won't know until you try it :)

Currently tested on the following devices:
  • GS 1 - Cyanogen 7
  • GS 2 - Cyanogen 9 & 10
  • Nexus One - Cyanogen 7
  • Nexus 7 - Cyanogen 9

We are currently working on GS3 & 4 support (which use a different Broadcom chipset); we will release it “when it’s done”.

As usual:
Please note that this code is experimental and you use it at your own risk; we are not responsible or liable for any damage or loss of data. Sometimes unexpected things might go wrong and you might end up with a device that is no longer functional. Be warned and please take the responsibility yourself: it is your own risk and no one else can be held responsible.

You can download the APK from our Google Code page:
https://code.google.com/p/bcmon/
(Direct link: https://bcmon.googlecode.com/files/bcmon.apk)

Our slides from RECon:
https://www.dropbox.com/sh/le8zeczpddf3nx0/fdXn4LSxGI

Video of the lecture:
<coming soon...>

455 comments:

  1. Please add support for Xperia S.. bcm4330 with b1 and b2 firmware

    1. Please try it, it might work.
      If it doesn't work, send us the logs.

    2. Here is my log from Xperia S.. bcm4330.. it has b1 b2 firmwares but it didn't detect them.. and the APK force closed sometimes.. http://www.mediafire.com/download/0wjdlct14tc1825/bcmon(2).rar

    3. I have a Galaxy Nexus with stock rooted 4.3.
      Tried running the airodump but the terminal didn't show anything running...
      But then I tried wash; it's like scanning but didn't find any router...

    4. It works very well for me with the Galaxy S2 and original ROM 4.1.2; I got the wlandecrypter, jazzteldecrypter dictionaries, etc. It's wonderful, very very very great work. Oh, and by the way, I'm Spanish and don't know English, but that's what our great friend Google is for. Thank you very much!

    5. Can you tell me if it is possible on the S7500 Samsung Ace Plus?

  2. This comment has been removed by the author.

    1. (meaning we don't have a specific date... we're working on it)

    2. This comment has been removed by the author.

    3. This comment has been removed by the author.

  3. Installed the APK, trying to install firmware and tools, but it shows "an error..." and crashes. Where can I find logs?

    1. If it crashes when you click "Run airodump" or other commands, it can be due to too old a version of Terminal Emulator. Uninstall it using Titanium Backup, and install the latest version from the Play Store.

    2. I'm sorry, could you specify which one, by link if possible? I see several terminal emulators, some free, others paid.

    3. https://play.google.com/store/apps/details?id=jackpal.androidterm
      Also, update busybox here:
      https://play.google.com/store/apps/details?id=stericson.busybox

  4. Does it work with an original Galaxy Nexus firmware? Do I need to install Cyanogen?

    1. Just in case: I tried to run the app on the latest stock Galaxy Nexus firmware but the app closed every time. Now I installed CyanogenMod 10.1 and it works like a charm! Thanks!

    2. Does it allow you to run commands?

  5. Wooow, this is brilliant. Thanks for this. Even injection mode works now :)
    My Specs:
    SG s2
    Siyah kernel 6.0b5+
    Omega v20.1 ROM

  6. I'm also facing the same issue using an Atrix 4G. After I install the APK, when trying to "install firmware and tools" the application closes. I'm using CM 7.2, kernel 2.6.32.60 (MROM), BCM4329. I could make the application work on CM 9 and 10 using a 3.1.10 kernel but it is not stable yet, so I had to go back to CM 7.2. If it is of any help to make this work on this device, I've uploaded the log from sdcard/bcmon to this site...
    http://pastebin.com/bLGqXQYp

    1. What kernel are you running? I experienced the very same issue until I reverted back to Lean Kernel 7.1

    2. I'm currently running MROM kernel 2.6.32.60. Using an alpha 3.1.10 kernel makes the application work so this must be a kernel incompatibility because I've noticed that most of the people using this on CM 7.2 are running a 2.6.35+ kernel.

    3. From your log file it looks like a busybox problem; try to reinstall busybox...

      command: 'chmod -R 755 "/data/data/com.bcmon.bcmon/files/tools"' failed with exitValue = 10
      Bad mode

    4. I also have an Atrix 4G and I tried to install this on CM7.2 with kernel 2.6.32.56. After "Enable Monitor mode" I see "Failed"
      This is my log http://pastebin.com/30GjEJsS
      Sorry for my bad English

  7. I have a Nexus 7, and installation of the Firmware goes just fine, but clicking on an icon such as "airodump", causes it to force quit immediately.

  8. Nice work! The app works fine on my SGS II with rooted stock firmware.

    How easy do you think it will be to implement new MAC layer algorithms directly in the firmware? Would it be possible to easily rewrite the MAC implementation in C and compile it for the phones? It would be nice to have some framework like https://github.com/ict-flavia/Wireless-MAC-Processor also for smartphones, which would allow building large test beds with cheap phones on a university campus.

  9. Hi, works really fine on Nexus 7 Cyanogen 10.1, kernel 3.1.10-gea48912.
    I'm in the same case as DerMathhias. I'm looking to make my own packet sniffer with radiotap or prism libs. I reversed your APK to see how you launch the binaries (LD_PRELOAD=fakedriver.so). But I don't know how to cross-compile my code to use your library, in order to load my program with your fakedriver (by opening bcmon_wrapper in a terminal).
    I've tried to open a terminal with bcmon_wrapper loaded and launch my code, but it seems not to detect my card in monitor mode; therefore, I can use radiotap libraries...

    Help will be appreciated... (it's for an internship...)

    By the way, your work is really brilliant; I compared the results given by the tablet version of airodump with those given by my computer and they're really close.

    Thanks a million
    Anthony

    1. You can take a look at our RECon presentation; the short answer is that you need to:
      1. Load our patched firmware
      2. Run enable_bcmon
      3. Run your application with the LD_PRELOAD=fakedriver.so

    2. Thanks for your reply. I just need to know where the header files you have used for radiotap and libpcap are. Because I need to use your libraries, but I need to have your header files to compile my code with your custom libs.

      Thanks a million.
      Again great job.

    3. It's working now, I just rewrote some radiotap headers. My question was a bit stupid, sorry about that.
      By the way, the radiotap header seems not to work. Have you worked on it (I know it's really hard work)? I just wonder.
      BCM might not have worked on it in the end, so my guess is that the radiotap headers I get are unusable? Am I right?

  10. Hi. I am running Kali in chroot mode using Linux Deploy. The APK works fine on my S2. But how do I install the drivers directly into the chroot? Thanks

  11. Here is my log from Xperia S.. bcm4330.. it has b1 b2 firmwares but it didn't detect them.. and the APK force closed sometimes.. http://www.mediafire.com/download/0wjdlct14tc1825/bcmon(2).rar

  12. I have discovered that the kernel can affect compatibility. Lean Kernel works just fine, but I recently updated to Fancy Kernel and the application would not load properly even after a complete reinstall. I reverted back to Lean and it works fine now.

  13. Please,
    what ROM/kernel for GT-N7000 is good for bcmon.apk to work fine?

  14. Hi, good afternoon. I have a Samsung Galaxy Advance with Android 4.1.2 and kernel 3.0.31 - coCore-E-5.6.2+. I get an error when enabling monitor mode: monitor mode enabled - failed, and it is not okay; there are times it restarts.

    A greeting

  15. Hi guys, I tried to install on my S2 and it's working, but where can I get the captured packets? I mean, when it gathers enough packets how do I need to save them, and how do I need to launch the crack afterwards? Can someone please guide me please.

    1. Hi, can someone please reply to me.. thanks.. I wish to know how we can save the captured packets and then crack them afterwards.. is there any command etc..?

    2. That is an issue of knowing how to use the aircrack suite itself, rather than their application. I would advise you to look up some tutorials on the aircrack-ng website. The short answer is that you have to start airodump-ng with the saving function enabled, using -w [filename]

  16. It can't detect the chipset or firmware of the Epic 4g (Sprint Galaxy S) on gingerbread. I'm rooted and it's a bcm4329.

    1. Just to add to what I posted above, in system/etc/wifi there is bcm4329_aps.bin, bcm4329_sta.bin, and bcm4329_mfg.bin

  17. Not working on HTC Sensation (Pyramid) with CM 10.1
    log sent...

    Working on SGS2 CM 10.1

    thx a lot

  18. All who have the app crash when launching airodump.. please install Terminal from Google Play..

    this will fix the crash issue..

  19. Please add Nexus 4 support

  20. This comment has been removed by the author.

  21. Thanks for this!
    I'm going to test it on the latest euroskank build for the N1!

    By the way did you guys ever fix the slow packet injection issue?

  22. Hi! I just tried your work on N7000 (with i9100 instructions). It works fine! But reaver doesn't save the previous session when I stop and start again on the same SSID. And airodump cannot start because it cannot make a file with the captured IVs. (airodump-ng wlan0 works.) What am I doing wrong? It seems like the software doesn't have permission to create files. THANKS!!!! Sorry for my English.

  23. Any chance you could make this work with the Galaxy Note 8? I get as far as the screen with 'send logs' at the bottom... Cheers

  24. Fantastic.
    This is an authentic revolution in wireless-level audits.
    All our support from seguridadwireless and wifislax

  25. This comment has been removed by the author.

  26. I think the APK does not install either the firmware or the tools; it's a Samsung Galaxy S Advance with 4.1.2, it carries a BCM4329. I sent the logs to see if they can patch it. I've also read that it doesn't save captures; could it be possible to save on the SD or internal memory of the phone? The phone is in root mode... let's see if anyone can give me any ideas or suggestions to make it work.

    I tried it with Terminal Emulator without the ... and nothing, it's the same mistake; another time the phone restarts... and the APK stops... I tested the second option, restore firmware, and also the original error jumps: fw restoration - monitor mode failed, and I get monitor mode enable - failed...

    1. one thing I'm writing pado mar further up with the same error

  27. tested it on nexus 7 CyanogenMod 10.1.2 AOSP
    working well

    1. I will be testing on Galaxy S2 with Cyanogenmod 10.1.2 on Tmobile this week. Will report back results.

      Anyone know what estimate of range you are getting for seeing networks?

  28. GOOOOD job comrades. I sent 7 backs for you! But I see 1 problem. I cannot capture injection packets from aireplay-ng, but when I send them from a laptop everything works. Packets start capturing from the laptop. Anyone else see this?

  29. Omg, this is COOL! http://fuckingtony.net/

  30. Working like a charm on GSII I9100P with CyanogenMod9.

    Thank you so much for this awesome work guys.
    I've just bought you a beer ;). Cheers.

  31. Well, first of all, thank you very much for this great work you are doing for all of us. Although it doesn't work on my Xperia SP (C5303), I hope it can work perfectly later on. I encourage you in your work and, even if it doesn't work for me, thank you very much for this great step for auditing on Android.

  32. Hello, I tried the APK file uploaded here, but the application says that there's no firmware detected. I'm sure my Android has a bcm4329/30 chipset. I also gave superuser access. What could be the problem?

  33. http://db.tt/ptd0h89X
    Here is the log file

    1. My guess is that your firmware location is a non-standard one...
      I guess we will publish a zip file that is a bit less idiot-proof but more configurable...

  34. This comment has been removed by the author.

  35. Hey fellas,

    thanks for your great work.

    As for now I can report the monitor mode is also working for the Samsung Galaxy R I9103 running CM 10.1 with the 4330 chipset.

    I couldn't test injection support but that will follow.

    So thanks for now

  36. Please support for Samsung Galaxy S Advance Android 4.1.2 chipset bcm4330!!!

    Please!!!

    thanks!!!!

  37. This comment has been removed by the author.

  38. This comment has been removed by the author.

  39. Need it for SGS 3
    Can you at least tell roughly when there will be a release?

  40. I had a look at your slides. The Nexus 4 works differently because it uses wlan0. That means the monitor mode can be enabled by modifying the driver. Some talented people are working on an open source project to recreate the WCN3660 driver. Their project can be found at https://github.com/KrasnikovEugene/wcn36xx . Further modifications are necessary for monitor mode and packet injection. However if you examine the code you will notice that the enum for monitor mode is already present ;).

    1. On the Nexus 7 I also use the wlan0 interface in monitor mode; I don't understand why you are saying "The Nexus 4 works differently because it uses wlan0"? The interface name changes nothing; indeed you can change its name with an ioctl syscall.

    2. The WCN3660 uses a soft MAC system, unlike the BCM4330 which uses a full MAC.

      The project John pointed out is not enough. The WCN3660 firmware has to be modified to support monitor mode. Unfortunately Qualcomm do not provide datasheets or documentation which explain how to update and modify the firmware.

  41. Here is my log for Samsung Galaxy S Advance with bcm4330, please support Samsung Galaxy S Advance.

    My log: http://pastebin.com/Bk3t8p5Q

  42. Hi, I'm unable to start monitor mode.

    My log: http://pastebin.com/802rh0GZ

    Can anyone see a problem? I have a Galaxy Ace 2 with a bcm4330 card.

    Thanks!

    1. I had the same problem. I solved it by getting cyanogenmod 10.1 installed on galaxy ace 2.

    2. Thanks for the reply. From what I know on CM for the ace 2, the camera is still not working... So I would rather use a stable rom. Are you happy with CM for ace 2? I also understand that my phone might use a different location for the firmware, and that that might be the problem...

    3. The latest release of CM fixed the camera problem. http://forum.xda-developers.com/showthread.php?t=2342997

      CM is smoother than stock ROM.
      As long as you have an official Jelly Bean ROM installed on your phone, you can install CM to your ROOTED phone.

  43. http://fr.wikipedia.org/wiki/Mode_moniteur Hi, I'm French and your application is 100/100 working on my Galaxy S2!!
    Thank you so much!
    And I've found this link; look at the end of the article, you're on Wikipedia.
    Bye.

    1. What ROM? Cyanogenmod 10.1.2? If so, what type of range are you getting to see network mac addresses?

  44. Hi, I have an LG Optimus 2X P990 with CM 10.1 (by tonyp). I think my Wi-Fi chipset is BCM4329 but if I start the APK (with root) it says firmware model: not detected.
    I publish my log https://mega.co.nz/#!PooiSLxC!RyreFm6KqEujezAqsSjMhHHs7qhRfeL_41RZqrmvsCE

    I think that in that ROM the chipset is renamed "wireless.ko" instead of bcm4329.ko.. maybe this is a problem?
    Thanks

  45. You guys should add a forum

  46. I got injection working with CM 10.1, thanks!!!

    Now, how can I run applications with injection? From what I've read here I have to set LD_PRELOAD, but I'm unable to get it working. Could I maybe get an example line to get aireplay-ng --test wlan0 working? I've tried LD_PRELOAD=fakedriver.so aireplay-ng --test wlan0, but I get an error trying that.

    1. Figured it out:

      su
      LD_LIBRARY_PATH=/data/data/com.bcmon.bcmon/files/libs
      LD_PRELOAD=/data/data/com.bcmon.bcmon/files/libs/libfake_driver.so sh
      cd /data/data/com.bcmon.bcmon/files/tools
      ./airodump-ng wlan0

      Thanks to a forum post

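The three steps given in the reply to comment 9 (patched firmware loaded, enable_bcmon run, tool started with LD_PRELOAD) and the command sequence worked out in the reply above fit into a small launcher. The following is an added example, not code from the bcmon project or from either commenter. It assumes the directory layout quoted above (/data/data/com.bcmon.bcmon/files with libs/libfake_driver.so and tools/), checks that those pieces are present and that the caller is root before exec'ing the tool, and sets LD_PRELOAD to an absolute path. That path is the difference between the failed `LD_PRELOAD=fakedriver.so` attempt and the working sequence: given a bare file name the dynamic loader searches only the library path, and the installed library is named libfake_driver.so. Loading the patched firmware and running enable_bcmon are left to the bcmon app itself.

```python
"""Launcher for bcmon's bundled tools under the fake driver.

Added example, not code from the bcmon project.  Paths and file names are the
ones quoted in the reply above; everything else here is assumed.
"""
import os
import sys

BCMON_FILES = "/data/data/com.bcmon.bcmon/files"   # layout quoted in the reply above
_DEFAULT_EUID = getattr(os, "geteuid", lambda: -1)  # os.geteuid is missing on Windows


def missing_components(base_dir=BCMON_FILES, exists=os.path.exists):
    """Return the paths the launcher needs that are not present (empty when all are there)."""
    needed = (
        os.path.join(base_dir, "libs", "libfake_driver.so"),
        os.path.join(base_dir, "tools"),
    )
    return [p for p in needed if not exists(p)]


def build_fake_driver_env(base_dir=BCMON_FILES, exists=os.path.exists, environ=None):
    """Return (env, tools_dir) for running a tool under the fake driver.

    LD_PRELOAD is set to an absolute path.  A bare name such as the failed
    `LD_PRELOAD=fakedriver.so` attempt makes the dynamic loader search only the
    library path, so it works only if LD_LIBRARY_PATH already points at libs/.
    """
    missing = missing_components(base_dir, exists)
    if missing:
        raise FileNotFoundError("bcmon components not found: " + ", ".join(missing))
    libs = os.path.join(base_dir, "libs")
    env = dict(os.environ if environ is None else environ)
    env["LD_LIBRARY_PATH"] = libs
    env["LD_PRELOAD"] = os.path.join(libs, "libfake_driver.so")
    return env, os.path.join(base_dir, "tools")


def tool_command(argv, base_dir=BCMON_FILES, exists=os.path.exists, environ=None):
    """Resolve argv[0] inside the tools directory; return (full argv, env)."""
    env, tools = build_fake_driver_env(base_dir, exists, environ)
    exe = os.path.join(tools, argv[0])
    if not exists(exe):
        raise FileNotFoundError("tool not found: " + exe)
    return [exe, *argv[1:]], env


def is_root(geteuid=_DEFAULT_EUID):
    """The manual sequence starts with `su`; the firmware interface needs root."""
    return geteuid() == 0


def run_tool(argv, geteuid=_DEFAULT_EUID, execve=os.execve, **kwargs):
    """Replace this process with the tool (never returns on success)."""
    if not is_root(geteuid):
        raise PermissionError("run this under su: the fake driver needs root")
    cmd, env = tool_command(argv, **kwargs)
    execve(cmd[0], cmd, env)


if __name__ == "__main__":
    # e.g.  python3 bcmon_run.py airodump-ng wlan0   (after enabling monitor mode in the app)
    run_tool(sys.argv[1:] or ["airodump-ng", "wlan0"])
```

The `exists`, `environ`, `geteuid` and `execve` parameters exist so the launcher can be exercised off-device; on the phone the defaults are the real ones.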
  47. Hi Guys,

    It worked fine on Sony Xperia S running CyanogenMod 10.

    First time it stopped responding, but just executing it again, everything was already working.

    1. Does it work on Xperia S with stock ROM?

    2. And where is the firmware placed... is it in vendor/firmware or etc/firmware? I want to know if the problem is in the stock ROM or the place of the firmware, which in the stock ROM is placed in etc/firmware

  48. Please support LG Optimus 4X HD (Broadcom 4330)

  49. Hello friends. My device: sam g i9082... BCM28155 SoC... rooted... I'm ready to flash with CM but will it work???? Someone please advise....

  50. Did you test it already with Android 4.3? I think my Galaxy Nexus has problems when trying to update (some error regarding fw_bcmhd.bin). Or am I wrong and the bcm firmware is something different?

    1. Something similar happens to me: I have a Samsung Galaxy S Advance I9070 and I have the Wi-Fi files bcmhd.bin, so I think the concept is there... I have Android 4.1.2 and root

    2. It doesn't work for galaxy nexus

  51. Please release SGS 3 support

    NEED IT
    Won't wait anymore

  52. https://www.dropbox.com/s/9booik861h29yel/bcmon_log.xml

    crashes on "install firmware and tools"

  53. Can I use this app with my Galaxy S2 Skyrocket? Because when I open the app, it fails :-s

  54. If you release a good version with more options, like cracking WPA or WPA-PSK, I can buy the app, but release a good complete app; remember the Galaxy S2 Skyrocket please!

    Thanks!

  55. SGS 3 monitor mode and injection please.

  56. Tried testing it on my HTC sensation and it didn't work.
    Installing the APK went fine, but when I press "Enable Monitor Mode" it just hangs. Too bad, but thanks for making an effort, you guys rock! :)

    Specs:

    Phone: HTC sensation
    ROM: CyanogenMod 9
    Chipset: BCM4329

    1. I actually dug around in my phone; it's probably because the driver is called bcmdhd.ko, located in /system/lib/modules/

      and in the vendor folder these files show up:

      bcm4329.hdc, fw_bmcdhd.bin, fw_bmcdhd_apsta.bin, fw_bmcdhd_p2p.bin

    2. Me too!!! I feel the same; I have the same file names, I have a BCM4330

  57. It looks like it is still passing -1 as the channel, preventing some aircrack tools from working, any fix for this?

  58. Can you add support for the Motorola Electrify, ONLY IF it has a Broadcom chipset? Please and thank you :)

  59. Hi all, it worked fine for me on Sony Xperia S running CyanogenMod 10 too. ROM - CyanogenMod 10 - Android 4.1 JB FXP228 (I don't remember, but I think it's NOT a stock ROM). =) But I have one question! Does reaver in this app not save progress??? Mine doesn't save =(

    1. I resolved this problem: read and write the root directory

  60. Works fine on Samsung Galaxy S2 equipped with CyanogenMod 10.1-20130813-NIGHTLY-i9100 (Android version 4.2.2). Just install the apk and the program "bcmon" will show up in your app list. It is very easy to use and everything comes back to normal after disabling monitor mode. You also get the ability to restore original firmware as well as run some preconfigured tools like airodump/wash/besside-ng. Thanks for the amazing work, guys.

    1. What type of range are you getting to see network mac addresses?

    2. How far away can you be from a client or access point and still see the device? Also, do we know what the scale of the RSSI is based on?

    3. As long as you are in the target network's Wi-Fi range, MAC addresses are displayed in airmon-ng with their respective RSSI. Max value is -100 as you would expect. Besside-ng automatically skips "crappy connections" and prefers stronger signals, so you'd better be very close when using it. I guess it all depends on the kind of hardware and interference you get. My SGS2's Broadcom Wi-Fi card certainly can't be compared to an Alfa AWUS036H card in terms of signal strength.

  61. Is it possible for Xperia Z firmware v4.2.2?

  62. I have no problem running it, but I can't get packet injection to work. And besside-ng takes a lot of time to get only 70 000 IVs. What am I missing?
    Works well otherwise
    SGS2 CM10.1

  63. Does not appear to work on Galaxy S1 CyanogenMod version 10.1.2-galaxysmtd.
    http://pastebin.com/XjA8Ube8

    First attempt with me fiddling with the buttons and several crashes can be found here: http://pastebin.com/n0QuPSij (Big ass mofo log)

  64. This comment has been removed by the author.

  65. Hi guys. Nice work.

    Please consider adding bundle for gs1 cm-7.2.
    I made a module for you https://github.com/flashvoid/bcmon_gs1_bundle

    I had to comment out some of your code because of kernel incompatibility; diffs are in the repo.

    It would be great to see this in your repo so that I can remove mine.

    1. Any chance you'd like to take a crack at getting it working on stock/mostly stock gingerbread gs1 roms? Like The People's Rom? In system/etc/wifi there is bcm4329_aps.bin, bcm4329_sta.bin, and bcm4329_mfg.bin firmware files.

  66. Reaver saves my session, but after reboot the session has disappeared; where can I find my session to copy it? Or how can I save it??? I think it's an interesting question for all :)

  67. Great job!!!... I'm waiting for it to work on CM10.2... When?? ;)

  68. Great job guys!
    Looking forward for GS3 support =)))

    Cheers!

    1. I've compiled from modified source a fully working version for the s3 and have added features that let you hack by pushing one button. I made it because of how persistent you've been; commenting 18 times, usually complaining how slow the progress has been on what you want.

      Actually, I think I speak for everyone when I say STFU. You wouldn't know what to do with it if you had it. These guys aren't working for you and all you're doing is showing everyone that you're 12 years old and your mom got you a phone. I barely resisted making something for you that would brick it. So be happy.

    2. Should have specified, but my reply was for neatertehacker, not huffao. I hope they give huffao what he wants and never let the ub3r1337 hax0r have it.

    3. Sorry for this.
      I'm not stupid and can use all exploits, pentests and, and, and...
      But you're right about the commenting and other things too, but I hack and crack things that you won't know what they are.
      Goodbye.....
      One thing at the end: I'm really not a native speaker.

    4. This comment has been removed by the author.

    5. Hi Will, will you be publishing the modified source which works for the S3 even if it's experimental? I can't find it on the repository. Sorry to bother you again on this, but I thought that since you wrote it, it would be easy to share...

  69. Hi. I tried bcmon.apk on my LG 4X HD and it works normally.

  70. I have Galaxy S1
    I need to learn how to do this all, please guide.

  71. I am glad to see that this project is still active and I look forward to the future development you are undertaking for newer hardware. Thanks again, until I got into this comment thread, I was not sure if it was still a project that was being pursued. Great job!

  72. Would this work on Xoom, and which firmware should I download and install? Please help

  73. Nice work guys.
    I have a Galaxy Note 2 GT-N7100 (bcm4334 though). If you need somebody to make some tests or try something with this model just ask; my email is on the comment (I think).
    Ah, and if you come over to Spain, take some time to come over to Toledo; you are going to enjoy a very beautiful city, and you're going to have more than a beer ;).
    Keep this good work guys!

    1. Hi guys,

      I have a Galaxy SIII (GT-I9300). If you need a device to test/get information, it's at your disposal! :-)

      Cheers!

  74. Airodump doesn't show up on the terminal; after bcmon_wrapper the terminal screen goes blank

  75. CM7 with S1
    Error when running menu items

    http://pastebin.com/N0CzfLty

  76. Hi bcmon team, bcmon.apk arpreply has some problems on the international Galaxy S2..

    First, my English is not good... sorry..

    phone model: international Galaxy S2
    testing system: cm9, cm9.1, cm10.1, cm10.2

    run bcmon terminal:
    airodump-ng and fakeauth work fine
    but after starting arpreply, when injection succeeds, the airodump-ng screen stops working (such as power stops, RXQ goes to 0, beacons stop increasing, data stops, fakeauth stops working)
    if I stop arpreply, airodump-ng and fakeauth work normally again

    my question is: does bcmon.apk fully support packet injection on the Galaxy S2?
    is this problem a bcmon.apk problem or my phone problem?
    if it is my phone problem, can you tell me where the problem is and help me solve it..

    thanks bcmon team

    1. I am experiencing the same problem.
      When I am starting airodump-ng I see all the stats updating (beacons, data packet counts, PWR, and RXQ got to 0).
      But when I actively start sending ARP packets, the stats of the AP stop updating, and I only see the number of sent packets increase on the station whose MAC I am sending the packets with.
      I also sniffed the packets on the interface to understand if this was a problem with airodump not being able to process all the packets it received, or whether there were actually no packets to receive.
      I used this command line:
      tcpdump -evvni wlan0 -XX -s 0 -f "not ether src "
      What I saw was as follows: there were a lot of packets received using this filter when airodump was working alone, but the moment I started aireplay to send the ARPs, tcpdump stopped receiving any packets using this filter. A few seconds after stopping aireplay, tcpdump started showing new packets, and airodump started updating again.
      I also tried lowering the number of packets sent per second in aireplay using the -x parameter. It didn't help much as it seems, but I did notice a change. When there was no limit and it was sending 500 PPS (packets per second) it took tcpdump a few seconds to start seeing packets again after stopping aireplay, but when I lowered it to 70 PPS tcpdump started showing packets immediately.
      Also, sometimes when I set the PPS to 60 it worked as it should for some time and I sent and received packets, and after a few seconds it stopped; and sometimes it stopped receiving packets almost immediately after starting aireplay (and started showing packets again after stopping aireplay).
      But when setting the PPS to 10 I saw something really odd: looking at the tcpdump it looked like it was stopping and starting receiving packets a few times in a second. If I compare the time it took 100 packets to be captured with aireplay sending packets at a rate of 10 PPS and without, there is an enormous difference!! 1.36 seconds without aireplay vs 18.42 seconds with aireplay working (according to top, aireplay takes only 11% and top itself takes 2%, everything else takes 0%). This is more than 13 times longer with aireplay than without.
      This is the command I used to measure the time:
      time tcpdump -i wlan0 -c 100 -f "not ether src "
      And this the output:
      Without aireplay:
      100 packets captured
      133 packets received by filter
      17 packets dropped by kernel
      0m1.25s real 0m0.00s user 0m0.11s system

      With aireplay:
      100 packets captured
      103 packets received by filter
      0 packets dropped by kernel
      0m14.86s real 0m0.04s user 0m0.07s system

      To me this seems like some kind of buffer that is being filled above its limits, and thus losing packets. I don't know if this is a kernel issue or an issue in the firmware.

      I am using a rooted Samsung Galaxy S II (I9100T) with stock kernel and ROM (4.1.2).
      If you'll need more information or help debugging please feel free to contact me.

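The two timing runs quoted in the reply above lend themselves to a small measurement helper. The following is an added example, not code from the bcmon project or from the commenter: it parses the tcpdump summary and the `time` line exactly as they appear above (embedded here as constructed sample input taken from that reply) and computes the capture rate, the share of packets dropped in the kernel and the slowdown factor between the two runs, so a regression like the one described can be checked with numbers rather than by eye. The `compare` function works unchanged on the output of any two `time tcpdump -c N ...` runs.

```python
"""Compare two tcpdump capture runs (e.g. with and without an injector active).

Added example, not code from the bcmon project or the commenter.  The two
summaries below are the figures quoted in the comment above, embedded as
constructed sample input so the script runs offline.
"""
import re
from dataclasses import dataclass

# Output of `time tcpdump -i wlan0 -c 100 ...` as quoted in the comment above.
WITHOUT_AIREPLAY = """\
100 packets captured
133 packets received by filter
17 packets dropped by kernel
0m1.25s real 0m0.00s user 0m0.11s system
"""

WITH_AIREPLAY = """\
100 packets captured
103 packets received by filter
0 packets dropped by kernel
0m14.86s real 0m0.04s user 0m0.07s system
"""


@dataclass
class CaptureStats:
    captured: int        # packets handed to tcpdump and printed
    received: int        # packets that matched the BPF filter
    dropped: int         # packets the kernel discarded before tcpdump read them
    real_seconds: float  # wall-clock time of the run

    @property
    def pps(self) -> float:
        """Captured packets per second of wall-clock time."""
        return self.captured / self.real_seconds

    @property
    def kernel_drop_ratio(self) -> float:
        """Share of filter-matched packets lost in the kernel's capture buffer."""
        return self.dropped / self.received if self.received else 0.0


_STAT_RE = re.compile(
    r"^(\d+) packets (captured|received by filter|dropped by kernel)$", re.MULTILINE)
# The shell's `time` prints e.g. "0m1.25s real"; the minutes field is optional here.
_REAL_RE = re.compile(r"(?:(\d+)m)?(\d+(?:\.\d+)?)s real")


def parse_summary(text: str) -> CaptureStats:
    """Parse a tcpdump summary followed by a `time` line into CaptureStats."""
    fields = {label: int(count) for count, label in _STAT_RE.findall(text)}
    real = _REAL_RE.search(text)
    if len(fields) != 3 or real is None:
        raise ValueError("incomplete tcpdump/time summary")
    seconds = int(real.group(1) or 0) * 60 + float(real.group(2))
    return CaptureStats(fields["captured"], fields["received by filter"],
                        fields["dropped by kernel"], seconds)


def slowdown(baseline: CaptureStats, loaded: CaptureStats) -> float:
    """How many times longer the loaded run needed to capture the same count."""
    return loaded.real_seconds / baseline.real_seconds


def compare(baseline_text: str, loaded_text: str) -> dict:
    """Summarise two runs side by side (rounded for reporting)."""
    base, load = parse_summary(baseline_text), parse_summary(loaded_text)
    return {
        "baseline_pps": round(base.pps, 2),
        "loaded_pps": round(load.pps, 2),
        "baseline_kernel_drop": round(base.kernel_drop_ratio, 3),
        "loaded_kernel_drop": round(load.kernel_drop_ratio, 3),
        "slowdown": round(slowdown(base, load), 2),
    }


if __name__ == "__main__":
    for key, value in compare(WITHOUT_AIREPLAY, WITH_AIREPLAY).items():
        print(f"{key:>21}: {value}")
```

On the two runs quoted above this reports a slowdown of about 11.9x, with zero kernel drops in the loaded run while the unloaded run dropped 17 of 133 filter-matched packets. Fast capture with kernel drops versus slow capture with none is consistent with the commenter's reading that the stall sits below the kernel's capture buffer, in the driver or firmware path, rather than with the host being unable to keep up.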
  77. It seems you are just being raped with comments so I'll make this short: does it indeed work on the Samsung Galaxy Nexus, and how would I get aircrack working after monitor mode is enabled? Thanks again for your time. I have no problem testing out software for you and sending logcats; my email is gears177@gmail.com

  78. This comment has been removed by the author.

  79. Monitor mode seems to be working just fine on HTC HD2.

    However, there are some problems :

    -cannot figure out how to save logs
    -does radiotap work yet and is reaver-wps also working OK now
    -trying to use the inbuilt airodump, wash, besside-ng, bcmon command line fails and app crashes

    Any idea how to solve these issues would be appreciated. Great work so far guys, well done!

  80. Anybody tested this on the Galaxy S4 SGH-1337? It'd be nice if I could get around needing BackTrack on my laptop

  81. Do you have any plans to release the Android source used in bcmon.apk?

    1. +1
      Would be a really nice move.

    2. Yeah, that would be cool!

      Cheers!

    3. well... source code is already there :)
      Access https://code.google.com/p/bcmon/ and change to the "source" tab.

      Cheers :)

  82. Hello.
    I tried to crack my router but cannot capture the handshake.
    At the stmac it always shows 0.
    Can you tell me the solutions?
    Thank you.

    ReplyDelete
    Replies
    1. now I got the handshake.
      sorry fot the noob question.

      Delete
  83. Not working on my rooted Galaxy Note GT-N7000. It installs well but won't start the monitor mode

    ReplyDelete
  84. I really hope I can get this working for my Motorola Xoom tablet. I don't see why it shouldn't work, same chip set, bcm4329.ko, but from my research and understanding they renamed bcm4329 to bcmdhd; I wonder if that's the main problem I'm having. I'm about to flash cm 9.1.0 and go back to ICS, then try all of this again and see if I have any luck. If anyone has gotten this to work on the Xoom, please let me know, thanks.

    ReplyDelete
  85. I tried a few things: removed team eos jb 4.2, then installed cm 10 for xoom, no luck, then went and flashed cm 9.1.0, still same error LOADING MODULE
    insmod: can't open 'bcm4329.ko'
    error: SIOCGFFLAGS (No such device), used the app and cant detect firmware or anything, please tell me what kernel and firmware should be installed, or anyone using cm 10 which kernel and firmware is it? thanks in advance

    ReplyDelete
    Replies
    1. Try to flash Siyah kernel may be it will work....

      Delete
  86. Works perfectly on my galaxy S2.
    Android version 4.1.2
    3.0.31-1211311 kernel version

    just needed to update busybox and terminal emu.
    Thank you very much!!!

    ReplyDelete
  87. First of All thanks for Bcmon team doing good job,, Its working on S2 Android 4.3 cm 10.2, but problem was when I run the airodump-ng wlan0 Terminal becomes empty and not responding any more,, There is any solution plzzzzz.

    ReplyDelete
  88. I have compiled a driver for Galaxy TAB 2 but it does not start with
    your bcm4330_sta.bcmon.bin Can I send you a driver and you see the problem?

    ReplyDelete
  89. Please solve this runtime Exception.

    E/AndroidRuntime( 1121): FATAL EXCEPTION: main
    E/AndroidRuntime( 1121): java.lang.RuntimeException: Unable to start activity ComponentInfo{com.bcmon.bcmon/com.bcmon.bcmon.MainActivity}: android.view.WindowManager$BadTokenException: Unable to add window -- token android.os.BinderProxy@4051aaa8 is not valid; is your activity running?
    E/AndroidRuntime( 1121): at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1728)
    E/AndroidRuntime( 1121): at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:1747)
    E/AndroidRuntime( 1121): at android.app.ActivityThread.access$1500(ActivityThread.java:155)
    E/AndroidRuntime( 1121): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:993)
    E/AndroidRuntime( 1121): at android.os.Handler.dispatchMessage(Handler.java:130)
    E/AndroidRuntime( 1121): at android.os.Looper.loop(SourceFile:351)
    E/AndroidRuntime( 1121): at android.app.ActivityThread.main(ActivityThread.java:3814)
    E/AndroidRuntime( 1121): at java.lang.reflect.Method.invokeNative(Native Method)
    E/AndroidRuntime( 1121): at java.lang.reflect.Method.invoke(Method.java:538)
    E/AndroidRuntime( 1121): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:901)
    E/AndroidRuntime( 1121): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:659)
    E/AndroidRuntime( 1121): at dalvik.system.NativeStart.main(Native Method)

    E/AndroidRuntime( 1121): Caused by: android.view.WindowManager$BadTokenException: Unable to add window -- token android.os.BinderProxy@4051aaa8 is not valid; is your activity running?
    E/AndroidRuntime( 1121): at android.view.ViewRoot.setView(ViewRoot.java:564)
    E/AndroidRuntime( 1121): at android.view.WindowManagerImpl.addView(WindowManagerImpl.java:209)
    E/AndroidRuntime( 1121): at android.view.WindowManagerImpl.addView(WindowManagerImpl.java:123)
    E/AndroidRuntime( 1121): at android.view.Window$LocalWindowManager.addView(Window.java:455)
    E/AndroidRuntime( 1121): at android.app.Dialog.show(Dialog.java:272)
    E/AndroidRuntime( 1121): at android.app.AlertDialog$Builder.show(AlertDialog.java:849)
    E/AndroidRuntime( 1121): at com.bcmon.bcmon.Manager.checkAndInstallBusyBox(Manager.java:470)
    E/AndroidRuntime( 1121): at com.bcmon.bcmon.MainActivity.onCreate(MainActivity.java:51)
    E/AndroidRuntime( 1121): at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1082)
    E/AndroidRuntime( 1121): at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1692)
    E/AndroidRuntime( 1121): ... 11 more
    W/ActivityManager( 169): Force finishing activity com.bcmon.bcmon/.MainActivity

    ReplyDelete
  90. Excellent work, this is working fine on a stock rooted Galaxy Nexus on 4.2.2.
    Has anyone here written or know of an android apk for parsing netxml files?

    ReplyDelete
  91. If you Guys are working on gs4 support which uses the bcm4335 then you guys should be able to use it on the HTC One which uses the same chipset. Just some food for thought

    ReplyDelete
  92. SGS3 please
    How successful was the ?

    ReplyDelete
  93. i would also like to know like many if the packet issue has been fixed on the nexus one

    ReplyDelete
  94. Can you update us on your progress with Galaxy S3 and S4?

    ReplyDelete
  95. Hello all :)

    I was playing around a little bit, and I've found out that (it seems that) GS3 is different from GS2/1... I see a wlan0 interface, not eth0... See the image:

    https://www.dropbox.com/s/xfo4ctexa6xuwxg/iwconfig.jpg

    But it's never "easy", right? iwconfig was not able to change the interface to monitor mode... :(

    Cheers!

    ReplyDelete
    Replies
    1. well... "too soon" lol
      tcpdump says wlan0 is ethernet :_(

      https://www.dropbox.com/s/id2gpe1jlw3i39i/ethernet.jpg

      so it will have to be the hard way :P
      cheers!

      Delete
    2. =/
      cannot find a firmware file anywhere on my SGS3...
      Went looking on the net... cannot see any firmware file at https://android.googlesource.com/platform/hardware/broadcom/wlan/ either :-(

      cheers...

      Delete
  96. Do you plan to work on the nexus 4 ?

    ReplyDelete
  97. What about Qualcomm MSM7225 / ARM1136EJ-S. Are they similar enough with the BCM ones to work?

    ReplyDelete
  98. Hope you guys working on Galaxy S4

    ReplyDelete
  99. I know you guys are working on the gs3 driver; can I install it on gn2 "gt-n7100", because gs3 and gn2 have the same chips..

    ReplyDelete
  100. Works on my rooted Samsung Galaxy S2, I9100.
    CyanogenMod 10.1
    Thanks! Expect more donations/beer coming your way!

    ReplyDelete
  101. Working on Galaxy Nexus with Cyanogenmod 10.2 and franco kernel 3.0.91
    wooooooooooooooowwww!

    ReplyDelete
  102. This comment has been removed by the author.

    ReplyDelete
  103. any body tested with CM 10.2 ?

    ReplyDelete
  104. I have a Galaxy Nexus with stock rooted 4.3.
    Tried running airodump-ng wlan0 but the terminal didn't show anything running...
    After I press voldown+c it shows "Caught signal 14 (SIGALRM). Pls contact author!"
    Then I tried wash, it is like scanning but didn't find any router either...

    ReplyDelete
    Replies
    1. Btw i tried fancy kernel, franco r392 n stock kernel but still having the problem...

      Delete
  105. please add samsung galaxy s3 with cm 10.2
    thanks!

    ReplyDelete
  106. if you can let go in monitor mode the gs3 mini not one but a case of beer I offer you ...

    ReplyDelete
  107. Any updates on packet injection fix for the nexus one ?

    ReplyDelete
  108. work very well in htc wilfire
    you can adds this phone on compatibility list :)

    ReplyDelete
  109. Hi, I'm a bit new to monitor mode applications and am developing a class project to find out the number of users attached to an access point. I installed the app and it looks very good. But I'm totally lost in the source code. I expected Java classes (for an Android app) but the source code is in C. My questions are

    1. Am I missing something here ? Is the source code actually in C ?
    2. If it is in C is this the only way to develop an app which works in monitor mode ? To access all packets received by the NIC or the adapter ?
    3. How do I compile this C code to create an apk or android application ?

    I would be really grateful if you could provide some insight into this.

    Thanks

    ReplyDelete
  110. Holy f*ing sh*t....LMFAO

    I don't know what I respect you guys more for, hacking broadcom's firmware, or putting up with the hungry seagulls.

    Anyways, if you really need to do some testing and don't have a device this works on, I suggest finding another way to get the info you're after, such as sitting in a car with a scope and a laptop, then you can use your phone for whatever sniffing you need when you can access the wifi network. Just my two bits.

    peace.

    ReplyDelete
    Replies
    1. BTW, CM10.1 can be built with tcpdump, and Linux in Android's / is possible with no chroot, I'm doing it, so all the other tools such as wireshark-cli, msfconsole etc are available, but I have a permission error when trying to create a db with postgresql; most services say perm denied, perms need baking into android I think. But you don't need a db with msf anyway, also there is sqlite3 but I haven't tested it, and also db_connect can use a network db such as a partner in the car while you're filling out a job app if you like fucking with your clients (if only the boss knows who you are of course)

      Delete
  111. Please support samsung galaxy s4 i9505 4.2.2 firmware...

    ReplyDelete
  112. This comment has been removed by the author.

    ReplyDelete
  113. Thanks for the work you've done, guys! Thank you for the work done by the guys!

    ReplyDelete
  114. Would you guys be able to release a source code for the android app ?? I have looked at kernel compilation, but would be very grateful if I could have the source code.

    Thanks

    ReplyDelete
  115. Maybe it is an annoying question. But when will you approximately finish it?
    And will it also work on GS4 mini?

    ReplyDelete
  116. Hello, I have a Sony Xperia ZL. I need help with the installation of Bcmon; if anyone can help me I will be grateful. Thanks for your work

    ReplyDelete
  117. Hello to everyone, I have some problems with the installation of Bcmon; if anyone can help me with this I will be thankful for the help. This is really good work

    ReplyDelete
  118. Ho is it supported for htc Explorer and of Nut can u make it

    ReplyDelete
  119. This comment has been removed by the author.

    ReplyDelete
  120. When I am starting airodump-ng I see all the stats updating (beacons, data packets count, PWR, and RQX got to 0).
    But when I actively start sending arp packets, the stats of the AP stop updating, and I only see the number of sent packets on the station that I am sending the packets with its mac increase.
    I also sniffed the packets on the interface to understand if this was a problem with airodump not being able to process all the packets that it received or that there were actually no packets to receive.
    I used this command line:
    tcpdump -evvni wlan0 -XX -s 0 -f "not ether src "
    What I saw was as follows: There were a lot of packets received using this filter when airodump was working alone, but the moment I started aireplay to send the arps, tcpdump stopped receiving any packets using this filter. A few seconds after stopping aireplay, tcpdump started showing new packets, and airodump started updating again.
    I also tried lowering the number of packets sent per second in aireplay using the -x parameter. It didn't help much as it seems, but I did notice a change. When there was no limit and it was sending 500 PPS (packets per second) it took tcpdump a few seconds to start seeing packets again after stopping aireplay, but when I lowered it to 70 PPS tcpdump started showing packets immediately.
    Also sometimes when I set the PPS to 60 it worked as it should for some time and I sent and received packets, and after a few seconds it stopped, and sometimes it stopped receiving packets almost immediately after starting aireplay (and started showing packets again after stopping aireplay).
    But when setting the PPS to 10 I saw something really odd: when looking at the tcpdump it looked like it was stopping and starting receiving packets a few times a second. If I compare the time it took 100 packets to be captured with aireplay sending packets at a rate of 10 PPS and without, there is an enormous difference!! 1.36 seconds without aireplay vs 18.42 seconds with aireplay working (according to top, aireplay takes only 11% and top itself takes 2%, everything else takes 0%). This is more than 13 times greater time with than without aireplay.
    This is the command I used to measure the time:
    time tcpdump -i wlan0 -c 100 -f "not ether src "
    And this the output:
    Without aireplay:
    100 packets captured
    133 packets received by filter
    17 packets dropped by kernel
    0m1.25s real 0m0.00s user 0m0.11s system

    With aireplay:
    100 packets captured
    103 packets received by filter
    0 packets dropped by kernel
    0m14.86s real 0m0.04s user 0m0.07s system

    To me this seems like some kind of buffer that is being filled above its limits, and thus losing packets. I don't know if this is a kernel issue or an issue in the firmware.

    I am using a rooted Samsung Galaxy S II (I9100T) with stock kernel and ROM (4.1.2).
    If you'll need more information or help debugging please feel free to contact me.

    ReplyDelete
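The comment above compares two `time tcpdump -c 100` runs by hand. As an added example (not code from the bcmon project or from the commenter), the script below parses the statistics trailer tcpdump prints on exit together with the one-line `time` summary, computes the effective capture rate of each run, and classifies where the loss sits. The sample input is the pair of runs quoted in the comment; the threshold and the verdict strings are this example's own choices.

```python
"""Compare tcpdump capture throughput between a baseline run and a loaded run.

Added example, not code from the bcmon project or from the commenter. It parses
the statistics trailer tcpdump prints on exit plus the one-line `time` summary
shown in the comment, and reports whether packets were lost in the kernel's
capture buffer or never reached the capture layer at all.
"""
import re

# Sample input: the two runs quoted in the comment above (tcpdump -c 100
# trailer followed by the `time` summary line).
SAMPLE_RUNS = {
    "without aireplay": (
        "100 packets captured\n"
        "133 packets received by filter\n"
        "17 packets dropped by kernel\n"
        "0m1.25s real 0m0.00s user 0m0.11s system\n"
    ),
    "with aireplay": (
        "100 packets captured\n"
        "103 packets received by filter\n"
        "0 packets dropped by kernel\n"
        "0m14.86s real 0m0.04s user 0m0.07s system\n"
    ),
}

_STAT_RE = re.compile(
    r"^\s*(\d+) packets (captured|received by filter|dropped by kernel)\s*$", re.M
)
# Accepts both "0m1.25s real" (the order printed on the page) and
# "real 0m1.25s" (GNU time / busybox order).
_TIME_RE = re.compile(
    r"(?:(\d+)m)?(\d+(?:\.\d+)?)s\s+real\b|\breal\s+(?:(\d+)m)?(\d+(?:\.\d+)?)s"
)


def parse_run(text):
    """Return packet counts and wall-clock seconds for one tcpdump run."""
    stats = {}
    for m in _STAT_RE.finditer(text):
        stats[m.group(2)] = int(m.group(1))
    wanted = ("captured", "received by filter", "dropped by kernel")
    missing = [k for k in wanted if k not in stats]
    if missing:
        raise ValueError("tcpdump trailer incomplete, missing: " + ", ".join(missing))
    t = _TIME_RE.search(text)
    if t is None:
        raise ValueError("no 'real' time found in run output")
    minutes = int(t.group(1) or t.group(3) or 0)
    seconds = float(t.group(2) or t.group(4))
    real = minutes * 60 + seconds
    if real <= 0:
        raise ValueError("real time must be positive")
    received = stats["received by filter"]
    dropped = stats["dropped by kernel"]
    return {
        "captured": stats["captured"],
        "received": received,
        "dropped": dropped,
        "real_seconds": real,
        "captured_pps": stats["captured"] / real,
        # Approximation: whether libpcap's received count already includes the
        # dropped packets is platform dependent, so treat this as indicative.
        "kernel_drop_ratio": dropped / (received + dropped) if received + dropped else 0.0,
    }


def compare_runs(baseline_text, loaded_text, slowdown_threshold=2.0):
    """Compare a loaded run against a baseline and say where the loss sits."""
    base = parse_run(baseline_text)
    load = parse_run(loaded_text)
    slowdown = base["captured_pps"] / load["captured_pps"]
    if slowdown < slowdown_threshold:
        verdict = "capture rate unaffected"
    elif load["dropped"] > 0:
        verdict = ("capture rate fell and the kernel reports drops: "
                   "the capture buffer overflowed (tcpdump -B raises it)")
    else:
        verdict = ("capture rate fell with zero kernel drops: packets never "
                   "reached the capture layer, so the stall is below it "
                   "(driver or firmware)")
    return {"baseline": base, "loaded": load, "slowdown": slowdown, "verdict": verdict}


if __name__ == "__main__":
    result = compare_runs(SAMPLE_RUNS["without aireplay"], SAMPLE_RUNS["with aireplay"])
    for name in ("baseline", "loaded"):
        r = result[name]
        print("%-8s %6.2f pkt/s  kernel drop ratio %.1f%%"
              % (name, r["captured_pps"], 100 * r["kernel_drop_ratio"]))
    print("slowdown x%.1f: %s" % (result["slowdown"], result["verdict"]))
```

On the two runs quoted in the comment this reports roughly 80 pkt/s against 6.7 pkt/s, a slowdown of about 11.9x, with zero kernel drops in the slow run. That last figure is the useful diagnostic: a capture buffer that overflows shows up as a non-zero "dropped by kernel" count, so a stall with no drops means the packets were not delivered to the interface in the first place, which is consistent with the commenter's suspicion that the problem sits in the driver or firmware rather than in tcpdump.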
  121. Hehe, no update for such a long time from the devs, guess this project is stuck in the year 2008, I gave up waiting for S3, such a waste of time

    ReplyDelete
  122. Hi bcmon creators. I think and hope that soon u will give everyone good news. With great pleasure i'll donate to u. Moreover i think that u should make it a paid app. I know that u can not stop sharing bcmon but more people will pay for it than take it for free. BR

    ReplyDelete
  123. Will this work on the new Nexus 7? What kernel and rom should I use?

    ReplyDelete
  124. Thanks for sharing such an informative post with us.
    It works in Galaxy S4 perfectly.

    cell phone signal amplifier home

    ReplyDelete
    Replies
    1. I installed bcmon in my Galaxy S4 which has chip bcm4335 and it is not working. Is there a new version of bcmon that works with bcm4335?

      Delete
  125. Hi everybody,

    I'm testing BCMON on my Desire (firmware AN Droid 2.2 [GB 2.3.3]), but I'm getting errors. I installed busybox; you can find the bclog at this link:

    https://drive.google.com/file/d/0B4F04QI-BZlEdm5yOWNTTkhpdlE/edit?usp=sharing

    ReplyDelete
  126. does not work on galaxy s3mini, i enter the app, but when i touch the wifi signal icon it crashes

    ReplyDelete
  127. Please upload for s3/n7100 !!!! I buy it

    ReplyDelete
  128. This comment has been removed by the author.

    ReplyDelete