Monday, October 1, 2012

New firmware for BCM4329

I've added a new firmware version for BCM4329, this version resolves crashes on devices other than Nexus One (for example Evo 4G).

The new firmware:
https://code.google.com/p/bcmon/source/browse/trunk/bcm4329/fw/fw_bcm4329.bcmon.bin

Nexus One bundle - CM 7.2 nightly:
https://code.google.com/p/bcmon/source/browse/trunk/bundles/nexus_bundle.zip

EVO 4G bundle - CM 7.2 stable (thanks for Miguel Martinez work):
https://code.google.com/p/bcmon/source/browse/trunk/bundles/evo4g_cm7.2.zip

Desire Z - CM 7.2 stable (thanks for j.mampe)
http://code.google.com/p/bcmon/source/browse/trunk/bundles/bcm_desirez_cyanogenmod_7.2_bundle.zip

** The new firmware resolves errors like:
<4>[ 7585.014312] Dongle trap type 0x3 @ epc 0x1d7f8, cpsr 0x20000003, spsr 0x21000010, sp 0x47a9c,lp 0x2127, rpc 0x1d7f8 Trap offset 0x47a48, r0 0xc701ff0f, r1 0x3d410, r2 0x1, r3 0x1d7f1, r4 0x0, r5 0xc701ff0f, r6 0x3d410, r7 0x3d410

so if you tried to compile the driver for your device and experienced similar errors, give it another try :)

Sunday, September 30, 2012

Injection support for BCM4329


New version

I just uploaded a new patched firmware version for bcm4329, this version adds raw packet injection support.


Issues

  • Low injection speed - on my nexus one the injection is working really slow. It seems that the injection speed starts fine but then slows down to as slow as ~700ms per packet.
  • Radiotap - we don't handle radiotap on packet injection. 'aireplay-ng' works fine with it but tools like 'reaver' seem to require it.


A list of things I already tried

  • 'aireplay-ng --test eth0' - WORKS!
    • I had to increase some timeouts for the '--test' to pass
  • reaver - NOT WORKING
    • It seems like reaver injects packets with radiotap header.

Are you having the same chip version? 

My original firmware md5 is:
d5707abb0175a813274b54af613d7736 *fw_bcm4329.bin

If you have a different bcm4329 firmware, please send me a copy and I'll see what I can do :)

Saturday, September 22, 2012

Status update and plans

Packet Injection

We invest most of our time on this subject and we hope to deliver "good news" quickly.For now all we can say is that we had some progress on our packet injection research and we hope to have some useful version in the next weeks.

Lots of kernel versions...

Our goal is to have our solution running on as many phones as possible, sadly each different device has many different kernel configuration options. All that kernel versions are the main reason that most of our readers can't use our patched firmware and that makes us very sad.
Please don't add any more emails or comments on the "Exec format error" if the dmesg log states a wrong ver magic.

Our Suggested Solutions


Hot Patching


The diffs between the original broadcom driver and our version are very small, they are so small that we think hot patching of the kernel/ kernel module might be an easy task.  

Using Cyanogen

Cyanogen is not needed for adding monitor mode support but it's very useful. The reason for that is the their team already created a great build environment for most of the devices available on the market.  
We can assume most of our users currently use a stable version of cyanogen. Under that assumption we can build the kernel modules for all the devices automatically and post the binaries online.

Help needed!

We are only three guys, one of us is actually on this way to south america for a three week vacation.  So most of our time is spent on trying  adding new cool functionality like packet injection.

If you managed to get our firmware up and running and you think you can help us implementing one of our solutions (or come up with a new one), please contact us! 


Beer donors, we thank you!

We just wanted to say that we really appreciate your donations and hope to bring out new features soon.
  

Tuesday, September 18, 2012

Working monitor mode on Nexus one & Galaxy S II !!!


Our Motivation

On the first day we bought our first android-based phone, we thought to ourself, "How nice it would be if we would be able to use the common 802.11 pwnage tools?"
We quickly relized that the thing that is missing is monitor-mode support for the Wi-Fi Modules.

For a long time we've waited for someone to take initiative and add support for monitor mode 
This year, in our summer Vacation, we decided that we are going to add it ourselves.

Technical details

You might ask yourself why monitor mode is so very common among  Laptop's & USB Wifi modules, and why there is not even one implementation of monitor mode for android devices.

The short answer is that most of the common smartphones use the same chipset made by broadcom, named bcm4329 or bcm4330, and broadcom never added the support for monitor mode.
The reason that those chips are so common in smartphones is that they combine every short-distance communication needed for those devices, and more importantly - they offload most of the protocol overhead  to a dedicated processor, and communicates with the linux device with simple ethernet packets.

Project Overview

During the last 3 weeks, we decided to take the mission of understanding how this device works.
At first, we compiled the driver in debug mode, and noticed that the module strips the 802.11 headers in hw and sends only ethernet packets to the linux device.
We concluded that in order to receive full 802.11 frames,  a change to the device firmware is needed.
So we started reverse engineering the firmware and after a few weeks we had a decent understanding of the packet receiving process.
** More details on the reversing process would be released soon

Having this knowledge, it took us only a few more days to get a first working version of  the monitor-mode-enabled firmware

Current Status

We currently have a patched firmware for the following chipsets:
  • bcm4329 - Fully working monitor mode on our Nexus One
  • bcm4330 -   Fully working monitor mode on our Galaxy S II
We havent tested it yet, but if you have a phone with one of those chipsets (and you most probably have one), it should also work on your phone.

Further work

  • Add packet injection support to the patched firmware
  • Better implementation of the linux driver
  • Create an APK bundle for "mass distribution"

Instructions

All the changes are volatile and should disappear after device reboot:
Although,  please note that this code is experimental and you use it at your own risk and we are not responsible nor liable for any damage or loss of data. Sometimes unexpected things might go wrong and you might end up with a device that is no longer functional. Be warned and please take the responsibility yourself--it is your own risk and no one else can be held responsible.

Cyanogen 7 & Nexus one

  1. Download the zip: http://bcmon.googlecode.com/svn/trunk/bundles/nexus_bundle.zip
  2. Extract the zip on your device (your sdcard will do fine)
  3. Run 'sh setup.sh' on some terminal (adb ssh, terminal emulator, ...)
  4. Now you have a wifi interface named eth0 in monitor mode
  5. Now run 'iwconfig eth0' and check that you get a similar output:
eth0      IEEE 802.11-DS  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.412 GHz  Access Point: Not-Associated
          Bit Rate:72 Mb/s   Tx-Power:32 dBm
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Managementmode:All packets received
          Link Quality=5/5  Signal level=0 dBm  Noise level=-92 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Cyanogen 9 & GS2 (I9100)

  1. Download the zip: http://bcmon.googlecode.com/svn/trunk/bundles/gs2_bundle.zip
  2. Extract the zip on your device (your sdcard will do fine)
  3. Run 'sh setup.sh' on some terminal (adb ssh, terminal emulator, ...)
  4. Now you have a wifi interface named wlan0 in monitor mode
  5. Now run 'iwconfig wlan0' and check that you get an output similar to the one above
GS2 Update:  iwconfig wlan0 will show 'Mode: Managed",  ignore it - airodump should work fine (we are working on a fix).

Other phones

  1. Check out the source from  http://code.google.com/p/bcmon/source/checkout
  2. Build the KO for your device (cyanogen wiki should be helpful)
  3. If it works please tell us and send us the compiled version so we can list it here (if it doesn't work contact us)

AirCrack binaries

We bundled useful binary executables for arm:
  • aircrack-ng suite 
  • tcpdump
  • iwconfig

FAQ

  • I get "Can't find wireless tools, exiting."
    • Solution: Make sure you have 'iwpriv' on your system, just add soft link from 'iwpriv' to 'iwconfig' (actually it is 'iwmulticall')

Unzip them and run: 'chmod a+x -R  aircrack misc'

Update: We added a statically linked version of aircrack-ng suite.

Now you can have fun with commands like: 'airodump-ng -i eth0'

Call for help!

We have no intentions of quitting this project soon but in order to proceed we need some assistance:
  • Donations
    • Any amount will be appreciated...
    • Another licence for IDA Pro
    • Cellphones with similar wifi chipset
  • Experienced kernel module developer - To assist in the further development

Contact us: contact.bcmon at gmail.com