Jump to content
co4ie

Working monitor mode on Nexus one & Galaxy S II !!!

By co4ie, in Mobile security

Recommended Posts

co4ie Newbie

co4ie

Posted
Posted

nexusone-airodump.jpg

Our Motivation

On the first day we bought our first android-based phone, we thought to ourself, "How nice it would be if we would be able to use the common 802.11 pwnage tools?"

We quickly relized that the thing that is missing is monitor-mode support for the Wi-Fi Modules.

For a long time we've waited for someone to take initiative and add support for monitor mode

This year, in our summer Vacation, we decided that we are going to add it ourselves.

Technical details

You might ask yourself why monitor mode is so very common among Laptop's & USB Wifi modules, and why there is not even one implementation of monitor mode for android devices.

The short answer is that most of the common smartphones use the same chipset made by broadcom, named bcm4329 or bcm4330, and broadcom never added the support for monitor mode.

The reason that those chips are so common in smartphones is that they combine every short-distance communication needed for those devices, and more importantly - they offload most of the protocol overhead to a dedicated processor, and communicates with the linux device with simple ethernet packets.

Project Overview

During the last 3 weeks, we decided to take the mission of understanding how this device works.

At first, we compiled the driver in debug mode, and noticed that the module strips the 802.11 headers in hw and sends only ethernet packets to the linux device.

We concluded that in order to receive full 802.11 frames, a change to the device firmware is needed.

So we started reverse engineering the firmware and after a few weeks we had a decent understanding of the packet receiving process.

** More details on the reversing process would be released soon

Having this knowledge, it took us only a few more days to get a first working version of the monitor-mode-enabled firmware

Current Status

We currently have a patched firmware for the following chipsets:

  • bcm4329 - Fully working monitor mode on our Nexus One
  • bcm4330 - Fully working monitor mode on our Galaxy S II

We havent tested it yet, but if you have a phone with one of those chipsets (and you most probably have one), it should also work on your phone.

Further work

  • Add packet injection support to the patched firmware
  • Better implementation of the linux driver
  • Create an APK bundle for "mass distribution"

Instructions

All the changes are volatile and should disappear after device reboot:

Although, please note that this code is experimental and you use it at your own risk and we are not responsible nor liable for any damage or loss of data. Sometimes unexpected things might go wrong and you might end up with a device that is no longer functional. Be warned and please take the responsibility yourself--it is your own risk and no one else can be held responsible.

Cyanogen 7 & Nexus one

Download the zip: LINK

Extract the zip on your device (your sdcard will do fine)

Run 'sh setup.sh' on some terminal (adb ssh, terminal emulator, ...)

Now you have a wifi interface named eth0 in monitor mode

Now run 'iwconfig eth0' and check that you get a similar output:

eth0      IEEE 802.11-DS  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.412 GHz  Access Point: Not-Associated
          Bit Rate:72 Mb/s   Tx-Power:32 dBm
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Managementmode:All packets received
          Link Quality=5/5  Signal level=0 dBm  Noise level=-92 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Cyanogen 9 & GS2 (I9100)

  1. Download the zip: LINK
  2. Extract the zip on your device (your sdcard will do fine)
  3. Run 'sh setup.sh' on some terminal (adb ssh, terminal emulator, ...)
  4. Now you have a wifi interface named wlan0 in monitor mode
  5. Now run 'iwconfig wlan0' and check that you get an output similar to the one above

Other phones

  1. Check out the source from LINK
  2. Build the KO for your device (cyanogen wiki should be helpful)
  3. If it works please tell us and send us the compiled version so we can list it here (if it doesn't work
    contact us)

AirCrack binaries

We bundled useful binary executables for arm:

  1. aircrack-ng suite
  2. tcpdump
  3. iwconfig

FAQ

  1. I get "Can't find wireless tools, exiting."

  • Solution: Make sure you have 'iwpriv' on your system, just add soft link from 'iwpriv' to 'iwconfig' (actually it is 'iwmulticall')

available on: http://bcmon.googlecode.com/svn/trunk/bundles/utils.zip

Unzip them and run: 'chmod a+x -R aircrack misc'

Update: We added a statically linked version of aircrack-ng suite.

Now you can have fun with commands like: 'airodump-ng -i eth0'

Sursa

Maine intru in teste pentru SGS 1 ...sa vedem ce iese:D

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...