I've added a new firmware version for BCM4329, this version resolves crashes on devices other than Nexus One (for example Evo 4G).
The new firmware:
https://code.google.com/p/bcmon/source/browse/trunk/bcm4329/fw/fw_bcm4329.bcmon.bin
Nexus One bundle - CM 7.2 nightly:
https://code.google.com/p/bcmon/source/browse/trunk/bundles/nexus_bundle.zip
EVO 4G bundle - CM 7.2 stable (thanks for Miguel Martinez work):
https://code.google.com/p/bcmon/source/browse/trunk/bundles/evo4g_cm7.2.zip
Desire Z - CM 7.2 stable (thanks for j.mampe)
http://code.google.com/p/bcmon/source/browse/trunk/bundles/bcm_desirez_cyanogenmod_7.2_bundle.zip
** The new firmware resolves errors like:
<4>[ 7585.014312] Dongle trap type 0x3 @ epc 0x1d7f8, cpsr 0x20000003, spsr 0x21000010, sp 0x47a9c,lp 0x2127, rpc 0x1d7f8 Trap offset 0x47a48, r0 0xc701ff0f, r1 0x3d410, r2 0x1, r3 0x1d7f1, r4 0x0, r5 0xc701ff0f, r6 0x3d410, r7 0x3d410
so if you tried to compile the driver for your device and experienced similar errors, give it another try :)
Monday, October 1, 2012
Sunday, September 30, 2012
Injection support for BCM4329
New version
I just uploaded a new patched firmware version for bcm4329, this version adds raw packet injection support.
Issues
- Low injection speed - on my nexus one the injection is working really slow. It seems that the injection speed starts fine but then slows down to as slow as ~700ms per packet.
- Radiotap - we don't handle radiotap on packet injection. 'aireplay-ng' works fine with it but tools like 'reaver' seem to require it.
A list of things I already tried
- 'aireplay-ng --test eth0' - WORKS!
- I had to increase some timeouts for the '--test' to pass
- reaver - NOT WORKING
- It seems like reaver injects packets with radiotap header.
Are you having the same chip version?
My original firmware md5 is:d5707abb0175a813274b54af613d7736 *fw_bcm4329.bin
If you have a different bcm4329 firmware, please send me a copy and I'll see what I can do :)
Saturday, September 22, 2012
Status update and plans
Packet Injection
We invest most of our time on this subject and we hope to deliver "good news" quickly.For now all we can say is that we had some progress on our packet injection research and we hope to have some useful version in the next weeks.Lots of kernel versions...
Our goal is to have our solution running on as many phones as possible, sadly each different device has many different kernel configuration options. All that kernel versions are the main reason that most of our readers can't use our patched firmware and that makes us very sad.
Please don't add any more emails or comments on the "Exec format error" if the dmesg log states a wrong ver magic.
Our Suggested Solutions
Hot Patching
The diffs between the original broadcom driver and our version are very small, they are so small that we think hot patching of the kernel/ kernel module might be an easy task.
Using Cyanogen
Cyanogen is not needed for adding monitor mode support but it's very useful. The reason for that is the their team already created a great build environment for most of the devices available on the market.
We can assume most of our users currently use a stable version of cyanogen. Under that assumption we can build the kernel modules for all the devices automatically and post the binaries online.
Help needed!
We are only three guys, one of us is actually on this way to south america for a three week vacation. So most of our time is spent on trying adding new cool functionality like packet injection.
If you managed to get our firmware up and running and you think you can help us implementing one of our solutions (or come up with a new one), please contact us!
Beer donors, we thank you!
We just wanted to say that we really appreciate your donations and hope to bring out new features soon.
Tuesday, September 18, 2012
Working monitor mode on Nexus one & Galaxy S II !!!
Our Motivation
On the first day we bought our first android-based phone, we thought to ourself, "How nice it would be if we would be able to use the common 802.11 pwnage tools?"
We quickly relized that the thing that is missing is monitor-mode support for the Wi-Fi Modules.
For a long time we've waited for someone to take initiative and add support for monitor mode
This year, in our summer Vacation, we decided that we are going to add it ourselves.
Technical details
You might ask yourself why monitor mode is so very common among Laptop's & USB Wifi modules, and why there is not even one implementation of monitor mode for android devices.
The short answer is that most of the common smartphones use the same chipset made by broadcom, named bcm4329 or bcm4330, and broadcom never added the support for monitor mode.
The reason that those chips are so common in smartphones is that they combine every short-distance communication needed for those devices, and more importantly - they offload most of the protocol overhead to a dedicated processor, and communicates with the linux device with simple ethernet packets.
Project Overview
During the last 3 weeks, we decided to take the mission of understanding how this device works.
At first, we compiled the driver in debug mode, and noticed that the module strips the 802.11 headers in hw and sends only ethernet packets to the linux device.
We concluded that in order to receive full 802.11 frames, a change to the device firmware is needed.
So we started reverse engineering the firmware and after a few weeks we had a decent understanding of the packet receiving process.
** More details on the reversing process would be released soon
Having this knowledge, it took us only a few more days to get a first working version of the monitor-mode-enabled firmware
Current Status
We currently have a patched firmware for the following chipsets:
- bcm4329 - Fully working monitor mode on our Nexus One
- bcm4330 - Fully working monitor mode on our Galaxy S II
We havent tested it yet, but if you have a phone with one of those chipsets (and you most probably have one), it should also work on your phone.
Further work
- Add packet injection support to the patched firmware
- Better implementation of the linux driver
- Create an APK bundle for "mass distribution"
Instructions
All the changes are volatile and should disappear after device reboot:Although, please note that this code is experimental and you use it at your own risk and we are not responsible nor liable for any damage or loss of data. Sometimes unexpected things might go wrong and you might end up with a device that is no longer functional. Be warned and please take the responsibility yourself--it is your own risk and no one else can be held responsible.
Cyanogen 7 & Nexus one
- Download the zip: http://bcmon.googlecode.com/svn/trunk/bundles/nexus_bundle.zip
- Extract the zip on your device (your sdcard will do fine)
- Run 'sh setup.sh' on some terminal (adb ssh, terminal emulator, ...)
- Now you have a wifi interface named eth0 in monitor mode
- Now run 'iwconfig eth0' and check that you get a similar output:
eth0 IEEE 802.11-DS ESSID:"" Nickname:""
Mode:Monitor Frequency:2.412 GHz Access Point: Not-Associated
Bit Rate:72 Mb/s Tx-Power:32 dBm
Retry min limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Managementmode:All packets received
Link Quality=5/5 Signal level=0 dBm Noise level=-92 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
Cyanogen 9 & GS2 (I9100)
- Download the zip: http://bcmon.googlecode.com/svn/trunk/bundles/gs2_bundle.zip
- Extract the zip on your device (your sdcard will do fine)
- Run 'sh setup.sh' on some terminal (adb ssh, terminal emulator, ...)
- Now you have a wifi interface named wlan0 in monitor mode
- Now run 'iwconfig wlan0' and check that you get an output similar to the one above
Other phones
- Check out the source from http://code.google.com/p/bcmon/source/checkout
- Build the KO for your device (cyanogen wiki should be helpful)
- If it works please tell us and send us the compiled version so we can list it here (if it doesn't work contact us)
AirCrack binaries
We bundled useful binary executables for arm:
- aircrack-ng suite
- tcpdump
- iwconfig
FAQ
- I get "Can't find wireless tools, exiting."
- Solution: Make sure you have 'iwpriv' on your system, just add soft link from 'iwpriv' to 'iwconfig' (actually it is 'iwmulticall')
available on: http://bcmon.googlecode.com/svn/trunk/bundles/utils.zip
Unzip them and run: 'chmod a+x -R aircrack misc'
Update: We added a statically linked version of aircrack-ng suite.
Now you can have fun with commands like: 'airodump-ng -i eth0'
Call for help!
We have no intentions of quitting this project soon but in order to proceed we need some assistance:
- Donations
- Any amount will be appreciated...
- Another licence for IDA Pro
- Cellphones with similar wifi chipset
- Experienced kernel module developer - To assist in the further development
Contact us: contact.bcmon at gmail.com
Subscribe to:
Posts (Atom)