Jeija / esp32-80211-tx

Send arbitrary IEEE 802.11 frames with Espressif's ESP32

Be able to send Disassociate 0xA0 frame using esp32_wifi_80211_tx ? #1

Open sst2001 opened 5 years ago

sst2001 commented 5 years ago

What can I do to send such a management frame? Currently it is limited to 0x80, etc.

Jeija commented 5 years ago

I don't think that is possible, according to the API guide it is only possible to send "beacon, probe request, probe response, action" frames with esp_wifi_80211_tx. If you want to send more frames with this, I'm afraid you'll have to do some reverse engineering yourself.
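For readers unfamiliar with why the thread keeps naming 0x80, 0xA0 and 0xC0: those are the first Frame Control byte of an 802.11 management frame, i.e. the subtype shifted left by four (beacon = 8, disassociation = 0xA, deauthentication = 0xC). The following C block is an added illustration, not code from this repository or from Espressif: it builds a raw management frame (24-byte header plus body) and classifies it against the list of subtypes the API guide quoted above allows for esp_wifi_80211_tx. The MAC addresses are constructed, locally administered values, and the check function only mirrors the documented list; it is not the library's own validation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Management-frame subtypes (IEEE 802.11 Frame Control, type 0). The first
 * byte of a management frame is subtype << 4, which is why the thread talks
 * about 0x80 (beacon), 0xA0 (disassociation) and 0xC0 (deauthentication). */
enum mgmt_subtype {
    SUBTYPE_PROBE_REQ  = 0x4,
    SUBTYPE_PROBE_RESP = 0x5,
    SUBTYPE_BEACON     = 0x8,
    SUBTYPE_DISASSOC   = 0xA,
    SUBTYPE_DEAUTH     = 0xC,
    SUBTYPE_ACTION     = 0xD
};

#define MGMT_HDR_LEN 24 /* FC(2) + Duration(2) + A1(6) + A2(6) + A3(6) + SeqCtl(2) */

/* Build a raw management frame: 24-byte header followed by the body.
 * Returns the frame length, or 0 if the buffer is too small. No FCS is
 * appended; the radio computes it on transmit. */
size_t build_mgmt_frame(uint8_t *out, size_t cap, enum mgmt_subtype subtype,
                        const uint8_t da[6], const uint8_t sa[6],
                        const uint8_t bssid[6], uint16_t seq_num,
                        const uint8_t *body, size_t body_len)
{
    if (cap < MGMT_HDR_LEN + body_len) return 0;
    memset(out, 0, MGMT_HDR_LEN);
    out[0] = (uint8_t)(subtype << 4);   /* type 0 = management, version 0 */
    out[1] = 0x00;                      /* no ToDS/FromDS/Protected flags */
    /* Duration (bytes 2-3) left at 0 */
    memcpy(out + 4,  da,    6);         /* Address 1: destination */
    memcpy(out + 10, sa,    6);         /* Address 2: source */
    memcpy(out + 16, bssid, 6);         /* Address 3: BSSID */
    /* Sequence Control: fragment 0, sequence number in bits 4-15, little-endian */
    uint16_t seqctl = (uint16_t)(seq_num << 4);
    out[22] = (uint8_t)(seqctl & 0xFF);
    out[23] = (uint8_t)(seqctl >> 8);
    if (body_len) memcpy(out + MGMT_HDR_LEN, body, body_len);
    return MGMT_HDR_LEN + body_len;
}

/* Deauthentication and disassociation bodies are a 2-byte little-endian
 * reason code (e.g. 7 = class 3 frame received from a nonassociated STA). */
size_t build_deauth_like(uint8_t *out, size_t cap, enum mgmt_subtype subtype,
                         const uint8_t da[6], const uint8_t sa[6],
                         const uint8_t bssid[6], uint16_t reason)
{
    uint8_t body[2] = { (uint8_t)(reason & 0xFF), (uint8_t)(reason >> 8) };
    return build_mgmt_frame(out, cap, subtype, da, sa, bssid, 0, body, sizeof body);
}

uint8_t frame_type(const uint8_t *f)    { return (uint8_t)((f[0] >> 2) & 0x3); }
uint8_t frame_subtype(const uint8_t *f) { return (uint8_t)(f[0] >> 4); }

/* True if the frame is one of the management subtypes the API guide quoted in
 * this thread lists for esp_wifi_80211_tx: beacon, probe request, probe
 * response, action. This mirrors the documented list only; it is an
 * assumption for illustration, not the library's actual check. */
bool esp_tx_documented_allows(const uint8_t *f, size_t len)
{
    if (len < MGMT_HDR_LEN || frame_type(f) != 0) return false;
    switch (frame_subtype(f)) {
    case SUBTYPE_BEACON:
    case SUBTYPE_PROBE_REQ:
    case SUBTYPE_PROBE_RESP:
    case SUBTYPE_ACTION:
        return true;
    default:
        return false;
    }
}

int main(void)
{
    /* Constructed addresses: broadcast DA and a locally administered BSSID. */
    const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    const uint8_t ap[6]    = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
    uint8_t buf[64];

    size_t n = build_deauth_like(buf, sizeof buf, SUBTYPE_DEAUTH, bcast, ap, ap, 7);
    printf("deauth: %zu bytes, FC byte 0x%02X, in documented list: %d\n",
           n, buf[0], esp_tx_documented_allows(buf, n));

    n = build_mgmt_frame(buf, sizeof buf, SUBTYPE_BEACON, bcast, ap, ap, 1, NULL, 0);
    printf("beacon: %zu bytes, FC byte 0x%02X, in documented list: %d\n",
           n, buf[0], esp_tx_documented_allows(buf, n));
    return 0;
}
```

The point the classifier makes is that the restriction discussed here is purely a subtype filter on the first byte: a disassociation (0xA0) or deauthentication (0xC0) frame is structurally identical to a beacon apart from that byte and the body, so nothing about the frame format itself prevents building one; whether the closed library will transmit it is a separate question, which the later comments address.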

sst2001 commented 5 years ago

You are so right. Do you have a clue why they limited it in esp_wifi_80211_tx? This doesn't really stop attackers from doing it (reverse engineering), but it makes good usage of it hard. I could see that this function is part of libnet80211.a, but they do not provide its source code. Is there a system call I can use to simply access the lowest level and send a frame I build directly to a MAC address?

Jeija commented 5 years ago

I don't know if there is some lower-level API that you could use. I think the best thing you could do is to take a look at the assembly instructions in libnet80211.a using some RE tool such as Cutter; you can also find the instruction set online. I've had some success in reverse engineering some other parts of the ESP32 firmware, but it is a very tedious and painstakingly slow process...

sst2001 commented 5 years ago

Thank you so much! Is there an email address where I can reach you?

Jeija commented 5 years ago

Yes, you can find it in my GitHub profile, on the left: https://github.com/Jeija

Hex2424 commented 3 months ago

Here I was fixing some frame sanity checks in assembly to make it able to send; you can check my repo: https://github.com/Hex2424/esp32_deauth_patch I needed to send deauth, but ESP invalidates that, so I had to dig deeper and overcome it.

Cancro29 commented 1 month ago

It is actually possible to bypass the deauth packet restriction by fiddling with the bypass function, the board definitions, and the weakened link tag. I've managed to develop my deauther project using Arduino for ESP32 without reverse engineering the library. But there is a problem: deauthentication cannot be sent if a station is connected to the SoftAP. If you want to discuss this further, contact me at nethercap.dev@gmail.com