GANESH-ICMC / esp32-deauther


error in function `ieee80211_raw_frame_sanity_check': #13

Open hawkeye1103 opened 3 years ago

hawkeye1103 commented 3 years ago

Hello,

I'm getting the error below when trying to build/flash. I am running everything on windows 10.

I saw that it's mentioned in the readme to use the make command instead of build but make is not a valid command on the latest version of esp-idf. Maybe I'm doing something wrong.

Thanks in advance

Generated C:/esp-idf/examples/deauther/build/bootloader/bootloader.bin
[894/895] Linking CXX executable deauther.elf
FAILED: deauther.elf
cmd.exe /C "cd . && C:\Users\hawke\.espressif\tools\xtensa-esp32-elf\esp-2020r3-8.4.0\xtensa-esp32-elf\bin\xtensa-esp32-elf-g++.exe -mlongcalls -Wno-frame-address @CMakeFiles\deauther.elf.rsp -o deauther.elf && cd ."
c:/users/hawke/.espressif/tools/xtensa-esp32-elf/esp-2020r3-8.4.0/xtensa-esp32-elf/bin/../lib/gcc/xtensa-esp32-elf/8.4.0/../../../../xtensa-esp32-elf/bin/ld.exe: C:/esp-idf/components/esp_wifi/lib/esp32/libnet80211.a(ieee80211_output.o): in function `ieee80211_raw_frame_sanity_check':
(.text.ieee80211_raw_frame_sanity_check+0x64): multiple definition of `ieee80211_raw_frame_sanity_check'; esp-idf/main/libmain.a(main.cpp.obj):c:\esp-idf\examples\deauther\build/../main/main.cpp:38: first defined here
collect2.exe: error: ld returned 1 exit status
ninja: build stopped: subcommand failed.
ninja failed with exit code 1

jonathanmuller commented 3 years ago

Hi,

Now "ieee80211_raw_frame_sanity_check" is a weak link that will be overridden by the function with the same name from the project

Crsarmv7l commented 2 years ago

@jonathanmuller

I assume those commands are location specific? I am looking to bypass the raw_frame_sanity_check myself for an implementation on the TTGO Twatch, ESP-IDF 3.3.0.

I found libnet80211.a in C:\Users\(user)\.platformio\packages\framework-arduinoespressif32@src-745eb9bf7c21582e61c010425ed055df\tools\sdk\lib

Or if you happen to have a weakened libnet80211.a?

Crsarmv7l commented 2 years ago

Interesting, found a Dutch security researcher page that says this:

We can make this modification very easily by opening libnet80211 in a hex editor, searching for the byte sequence 70 95 83 (in hexadecimal notation) and replacing it with 50 95 20. Now any program we compile will use the modified library, and can therefore send arbitrary 802 management frames.

jonathanmuller commented 2 years ago

Or if you happen to have a weakened libnet80211.a?

I do but it probably won't work with the version of your lib

Interesting, found a Dutch security researcher page that says this:

We can make this modification very easily by opening libnet80211 in a hex editor, searching for the byte sequence 70 95 83 (in hexadecimal notation) and replacing it with 50 95 20. Now any program we compile will use the m

So this may be definitely simpler in your case. Just make the function bypass any check and return True.

Crsarmv7l commented 2 years ago

They must have changed the byte segment.

On a whim, however, I tried some build flags: -Wl,-zmuldefs

No compile errors or failures, and a successful compile. No idea if it overwrote the libnet80211.a function, as I still need to write the actual packet sending implementation, but it is a good sign.

Posting here for posterity if someone ever goes searching like I did. Although they will probably just fork my fork of a project and use it lol. At least my other enhancements would be appreciated as well.

Edit: Raw tx is working like a charm for me (different firmware though)

Crsarmv7l commented 2 years ago

I also did not find the hex sequence.

I ended up using the compile flags -Wl,-zmuldefs to establish a weak link with multiple definitions so mine overwrites the libraries. Worked well with my setup.

I am also not using anything from this github. I wrote my own deauther. On open a scan is conducted and returned to an lvgl list -> A user lvgl selection sets the esp32 into monitor mode -> packets are filtered by AP -> if the AP packet bssid matches the bssid of the user selection, memcopy the AP MAC and BSSID into the deauth packet. Set a bool flag on the function so it only runs once. Then every packet received in monitor mode triggers a deauth send, which is at least every 100ms. It is also non-blocking which works well and can be turned off by the user at anytime.

Also wrote one to deauth every individual client sending a packet to the AP.

Crsarmv7l commented 2 years ago

@joroMaser No.... but at this point I have explained how I bypassed it twice and someone else has explained how they bypassed it as well.

Not sure why you need to know the exact location of a function you want to bypass when you can overwrite it to whatever you want... But if you need the location for something then you probably will need to break out your tools and go looking.

RapierXbox commented 9 months ago

Is there any way to bypass this on Windows? The command doesn't work and I can't seem to find the bytes specified.