ZerBea / hcxdumptool

Small tool to capture packets from wlan devices.
MIT License

Broadcom chipset (brcmfmac driver): failed to arm interface on Raspberry Pi Zero W #309

Closed LywLover closed 1 year ago

LywLover commented 1 year ago

I installed the latest Pi OS Lite on a Raspberry Pi Zero W and built the latest hcxdumptool 6.2.9-136-g2859dbe, but I get a "failed to arm interface" error when starting hcxdumptool.

pi@raspberrypi:~ $ sudo hcxdumptool

Requesting interface capabilities. This may take some time.
Please be patient...

failed to arm interface

1 errors during runtime

bye-bye

pi@raspberrypi:~ $ sudo hcxdumptool -m wlan0

Requesting interface capabilities. This may take some time.
Please be patient...

failed to set monitor mode

2 errors during runtime

bye-bye

pi@raspberrypi:~ $ sudo hcxdumptool -L

Requesting interface capabilities. This may take some time.
Please be patient...

available wlan devices:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0   3 b827eb550a37 a4a6a9ddc709 - wlan0            brcmfmac (NETLINK & WIRELESS EXTENSIONS)

* active monitor mode available
+ monitor mode available
- no monitor mode available

bye-bye

pi@raspberrypi:~ $ sudo hcxdumptool -I wlan0

Requesting interface capabilities. This may take some time.
Please be patient...

interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0   3 b827eb550a37 a4a6a9ddc709 - wlan0            brcmfmac (NETLINK & WIRELESS EXTENSIONS)

available frequencies: frequency [channel] tx-power of Regulatory Domain: 00

  2412 [  1] 20.0 dBm     2417 [  2] 20.0 dBm     2422 [  3] 20.0 dBm     2427 [  4] 20.0 dBm
  2432 [  5] 20.0 dBm     2437 [  6] 20.0 dBm     2442 [  7] 20.0 dBm     2447 [  8] 20.0 dBm
  2452 [  9] 20.0 dBm     2457 [ 10] 20.0 dBm     2462 [ 11] 20.0 dBm     2467 [ 12] 20.0 dBm
  2472 [ 13] 20.0 dBm     2484 [ 14] 20.0 dBm

bye-bye
ZerBea commented 1 year ago

This chipset/driver (Broadcom / brcmfmac) supports neither monitor mode nor packet injection:

0   3 b827eb550a37 a4a6a9ddc709 - wlan0            brcmfmac (NETLINK & WIRELESS EXTENSIONS)

The "-" between the MAC (a4a6a9ddc) and the interface name (wlan0) means:
- = no monitor mode available

From README.md Adapters section:

Not recommended WiFi chipsets:
* Broadcom (neither monitor mode nor frame injection by official Linux kernel)
* Qualcomm (no frame injection by official Linux kernel)

We can close this report, because the driver is not suitable.
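As an added example (not part of this issue and not hcxdumptool's own code), a small Python parser for the device table that `hcxdumptool -L` prints. It reads the one-character `m` column and separates adapters that can enter monitor mode from those that cannot, so a setup script can stop on an unsuitable driver instead of running into "failed to arm interface". The sample output is constructed: the brcmfmac row from this issue plus a made-up second row for a MediaTek mt7601u adapter.

```python
import re
from typing import List, Tuple

# Meaning of the one-character "m" column, taken from the legend that
# hcxdumptool prints below the device table.
MODE_LEGEND = {
    "*": "active monitor mode available",
    "+": "monitor mode available",
    "-": "no monitor mode available",
}

# One table row: phy idx hw-mac virtual-mac m ifname driver (protocol)
ROW_RE = re.compile(
    r"^\s*(?P<phy>\d+)\s+(?P<idx>\d+)\s+(?P<hwmac>[0-9a-f]{12})\s+"
    r"(?P<vmac>[0-9a-f]{12})\s+(?P<mode>[*+-])\s+(?P<ifname>\S+)\s+"
    r"(?P<driver>\S+)\s*(?P<proto>\(.*\))?\s*$"
)

def parse_device_table(text: str) -> List[dict]:
    """Return one dict per adapter row found in `hcxdumptool -L` output.
    Header, separator and legend lines do not match ROW_RE and are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW_RE.match(line))]

def usable_interfaces(text: str) -> Tuple[List[str], List[str]]:
    """Split adapters into (usable, unusable) by their monitor-mode flag."""
    usable, unusable = [], []
    for dev in parse_device_table(text):
        (usable if dev["mode"] in ("*", "+") else unusable).append(dev["ifname"])
    return usable, unusable

# Constructed sample: the brcmfmac row from this issue plus a hypothetical
# MediaTek adapter reporting active monitor mode.
SAMPLE = """\
available wlan devices:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0   3 b827eb550a37 a4a6a9ddc709 - wlan0            brcmfmac (NETLINK & WIRELESS EXTENSIONS)
  1   4 001122334455 0a1122334455 * wlan1            mt7601u (NETLINK)
"""

if __name__ == "__main__":
    for dev in parse_device_table(SAMPLE):
        print(f"{dev['ifname']}: {dev['driver']} -> {MODE_LEGEND[dev['mode']]}")
    usable, unusable = usable_interfaces(SAMPLE)
    print("usable:", usable, "unusable:", unusable)
```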

LywLover commented 1 year ago

Thanks for your reply. I'm new to wireless security and Raspberry Pi, so I still have some questions.

  1. Why is the Pi Zero W chip not supported but you recommend it in the README.md? Raspberry Pi A, B, A+, B+, Zero (WH). (Recommended: Zero (WH) or A+, because of a very low power consumption), but notebooks and desktops will work, too.
  2. I used the pwnagotchi image before on my Pi Zero W, and it works. So I think the chip should support monitor mode and packet injection. After searching I learned about the NEXMON patch, but I spent a whole day and still couldn't successfully install the nexmon patch on the latest Raspberry Pi OS Lite.
  3. Does hcxdumptool only support external network adapters on the Raspberry?
  4. I like to take my Pi with me when I go out. I've been using pwnagotchi, but due to its blindness bug, it often needs to be restarted. So I want to try hcxdumptool, but I don't want to carry an external USB antenna with me, that's too awkward. Do you have any recommended devices or methods to use hcxdumptool without the need for an external antenna?
ZerBea commented 1 year ago

I recommend the Raspberry Pi due to its very "low power consumption" and not because of its built-in WiFi chip. (Recommended: Zero (WH) or A+, because of a very low power consumption)

Please read the entire section Requirements:

* chipset must be able to run in monitor mode. Recommended: MediaTek chipsets (due to active monitor mode capabilities)
* driver must (mandatory) support monitor and full frame injection mode
* Raspberry Pi A, B, A+, B+, Zero (WH). (Recommended: Zero (WH) or A+, because of a very low power consumption), but notebooks and desktops will work, too.

The standard driver (brcmfmac) and an unpatched firmware do not provide these features (https://forums.raspberrypi.com/viewtopic.php?t=328970), and there is absolutely nothing I can do.

pwnagotchi runs a patched driver and a patched firmware: "Pwnagotchi's development environment is [Raspbian](https://www.raspberrypi.org/downloads/raspbian/) + [nexmon patches](https://re4son-kernel.com/re4son-pi-kernel/) for monitor mode, or any Linux with a monitor mode enabled interface" as mentioned here: https://pwnagotchi.ai/contributing/

BTW: NEXMON is a wrapper (wrapper.c: "Wrappers for functions that already exist in the firmware") https://github.com/seemoo-lab/nexmon

and hcxdumptool does not support wrappers, as mentioned in README.md: "Unsupported: Windows OS, macOS, Android, emulators or wrappers!"

The Requirements section also contains a recommendation ("Recommended: MediaTek chipsets") and the wiki an example: https://github.com/ZerBea/hcxdumptool/wiki/Penetration-testing-system-1 Please notice the comment there: (internal WiFi disabled)

ALLNET ALLWA0150 https://www.reichelt.de/de/en/allnet-wireless-nano-usb-adapter-150-mbit-s-allnet-allwa0150-p149756.html?GROUPID=5839&START=0&OFFSET=16&SID=966258d86b1870b14ffa18403dd9950736949ff7c28f7e95213f3&LANGUAGE=EN&&r=1

The driver is part of the Linux stock kernel: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/wireless/mediatek/mt7601u?h=v6.2.13

ZerBea commented 1 year ago

There are hundreds of different drivers (e.g. on GitHub) running on different chipsets. I don't want to wrestle with them and decided to support Linux stock kernel drivers only (https://www.kernel.org/), as mentioned in README.md:

* No support for a third party driver which is not part of the official Linux kernel (https://www.kernel.org/). Report related issues to the site from which you downloaded the driver.
* No support for a driver which doesn't support monitor mode and full frame injection natively. If you need these features, do a request on www.kernel.org.

LywLover commented 1 year ago

Thank you very much for your answer, you have given me a lot of useful information. I'll go buy a proper adapter to use hcxdumptool.

ZerBea commented 1 year ago

In fact, every (cheap) wireless adapter will do it, and there is absolutely no need to buy an expensive high TX power adapter. 802.11 is packet oriented. If the target receives a frame from hcxdumptool and responds to it, the attack is successful. An external antenna would be nice, because it increases TX range and RX range (while a high TX power device only increases TX range). Please also notice that hcxdumptool (in contrast to other tools) targets CLIENTs. The goal is to receive as many EAPOL M2 frames as possible from a CLIENT (for each entry of its wpa-supplicant.conf) as well as undirected PROBEREQUEST frames and EAP-IDs.

See lessons learned: https://github.com/ZerBea/hcxdumptool/blob/master/docs/lessons_learned.txt

ZerBea commented 1 year ago

Although I do not support NEXMON, it looks like it is working: https://github.com/ZerBea/hcxdumptool/issues/313#issuecomment-1532618372