offensive-security / kali-nethunter

The Kali NetHunter Project
https://github.com/offensive-security/kali-nethunter/wiki

Mobile, dongle-less injection with BCM4339 on Nexus 5 #567

Closed asjadsyed closed 7 years ago

asjadsyed commented 8 years ago

So, apparently a researcher has made a framework for the Broadcom 4339 chip which not only allows the chip to enter monitor mode, but also implements packet injection. The project is named NexMon and I first ran across it on the /r/netsec subreddit.

You can read plenty about it on all of these links, or just google the project name "NexMon"

Now I don't personally have a Nexus 5 and am not planning to get one, but I'm sure some N5 users would be happy to see this integrated into NetHunter.

Lastly, if you find any program incompatible because it doesn’t give RadioTap headers, look at libtins by Matias Fontanini. It makes adding a RadioTap header on top of any other data painless, and comes with much more functionality. I've used it and can say that it's compatible with NetHunter + OPO + TL-WN722N via USB-OTG.

binkybear commented 8 years ago

@asjadsyed,

Thanks for the well written issue.

Nexmon is a great firmware/kernel modification. I have it installed right now on my Nexus 5 as we speak. The only issue is that airodump-ng and a few other apps have to be rewritten to allow them to detect monitor mode. The biggest issue is that even though wlan0 operates in monitor mode, it reports its mode as managed (instead of monitor), so some programs have issues.

Nexmon was kind enough to patch some of the apps to work with their modified kernel and it works great outside the chroot. They included it in the ramdisk in /nexmon/bin. They also created a utility to turn on monitor mode.

I think nexmon holds a lot of promise and I do like not having to use an OTG cable. In fact, the patch they use should work on a lot of other Broadcom chips, so that expands the number of devices. Unfortunately it doesn't play well right now with the Kali chroot.

asjadsyed commented 8 years ago

Well, I just opened this issue so that the developers of this project could discover NexMon. Seeing that you already have heard about it and considered integrating it, my job in opening this issue is done. All I can wish for now is that similar projects pop up for more phones and that enabling monitor mode and packet injection was more attainable on more chips...

binkybear commented 8 years ago

@asjadsyed - Thanks for opening the issue. On a side note, which phone do you have? Does it support Broadcom?

asjadsyed commented 8 years ago

I have a OnePlus One which I don't think has a Broadcom chip for WiFi.

Edit: apparently it's a "Skyworks SKY85709 WLAN Front-End Module" which I've read uses a "Qualcomm WCN3680" inside. See:
https://forums.oneplus.net/threads/what-wifi-chipset-does-oneplus-one-have.349216/
http://forum.xda-developers.com/oneplus-one/help/bcmon-support-oneplus-one-t2827301
https://forums.oneplus.net/threads/bcmon-support-for-opo.304152/

webcoderz commented 8 years ago

Cool find! That's awesome! Thanks for sharing it with us!

asjadsyed commented 8 years ago

@akrolla - Glad to help!

@binkybear - You mentioned that

The biggest issue is that even though wlan0 operates in monitor mode, it reports its mode as managed (instead of monitor), so some programs have issue

I spent some time thinking and researching how exactly this restriction could be bypassed, and I managed to come across the environment variable LD_PRELOAD while searching. By specifying libraries using this variable, you can make sure they are dynamically loaded first and thus can prioritize code within that .so file over code in other dynamic libraries. I strace'd iwconfig to see which system calls it was making to ask for the wireless card's mode. It makes many ioctl calls, with one of them being a request for SIOCGIWMODE (see here) and having argp as a struct iwreq* (see here) for its argument.

So, I wrote some C so that I could compile it into a .so and then have it get preloaded. I've attached that source code at the bottom, and here's a demo of how to use it:

$ iwconfig
[unrelated interfaces...]
wlan0     [unrelated info...]
          Mode:Managed
          [more unrelated info...]
$ gcc -shared -fPIC -o ioctl_intercept.so ioctl_intercept.c -ldl
$ export LD_PRELOAD=./ioctl_intercept.so
$ iwconfig
[unrelated interfaces...]
wlan0     [unrelated info...]
          Mode:Monitor
          [more unrelated info...]
$ export LD_PRELOAD= # unset $LD_PRELOAD now that we're done with it
$ # here's an alternative way to run only a single command with LD_PRELOAD set
$ LD_PRELOAD=./ioctl_intercept.so iwconfig

Now again, I have no clue whether that will really help those applications run because I can't test with an N5 and the quirks of the NexMon hack. Let's just hope that those programs simply check if the chip reports itself as in monitor mode now and then attempts to continue.

HTH

ioctl_intercept.c.zip <- It doesn't accept .c files so I zipped it
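The attached ioctl_intercept.c is not reproduced on this page, so here is an added example (not the poster's file) of the interception described above: a preloadable ioctl() that passes every request to the kernel and rewrites only the answer to SIOCGIWMODE. It assumes that only one interface should be affected (FAKE_MONITOR_IFACE, defaulting to wlan0, an assumption not stated in the thread), and it forwards the real call through syscall(2) instead of dlsym(RTLD_NEXT) so no -ldl is needed; fake_iwmode and reported_mode are names chosen here.

```c
// ioctl_intercept.c: LD_PRELOAD shim that makes SIOCGIWMODE report Monitor
// for one interface. Added example, not the file attached to the thread.
// Build: gcc -shared -fPIC -o ioctl_intercept.so ioctl_intercept.c
// Use:   LD_PRELOAD=./ioctl_intercept.so iwconfig
#define _GNU_SOURCE
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/wireless.h>

// Assumption: only lie about this interface; every other one keeps its
// true mode so the shim cannot mislead tools about unrelated devices.
#ifndef FAKE_MONITOR_IFACE
#define FAKE_MONITOR_IFACE "wlan0"
#endif

// Decision logic kept apart from the variadic wrapper so it can be checked
// without a wireless interface: given the request, the caller's argp and
// the kernel's return code, rewrite the reported mode where appropriate.
int fake_iwmode(unsigned long request, void *argp, int real_rc)
{
    if (request != SIOCGIWMODE || argp == NULL)
        return real_rc;                 // not a mode query: untouched
    if (real_rc != 0)
        return real_rc;                 // driver error: do not mask it
    struct iwreq *wrq = (struct iwreq *)argp;
    if (strncmp(wrq->ifr_ifrn.ifrn_name, FAKE_MONITOR_IFACE, IFNAMSIZ) != 0)
        return real_rc;                 // other interfaces: untouched
    wrq->u.mode = IW_MODE_MONITOR;      // Managed -> Monitor, as iwconfig sees it
    return 0;
}

// Exported ioctl() that LD_PRELOAD resolves ahead of libc's. The real
// request goes to the kernel through syscall(2), so no dlsym()/libdl.
int ioctl(int fd, unsigned long request, ...)
{
    va_list ap;
    va_start(ap, request);
    void *argp = va_arg(ap, void *);    // struct iwreq* for wireless requests
    va_end(ap);
    int rc = (int)syscall(SYS_ioctl, fd, request, argp);
    return fake_iwmode(request, argp, rc);
}

// Offline check helper: build an iwreq for ifname that the "kernel" answered
// with IW_MODE_INFRA and real_rc, run it through the shim, and return the
// mode the caller would see (-1 if the shim reported an error).
int reported_mode(unsigned long request, const char *ifname, int real_rc)
{
    struct iwreq wrq;
    memset(&wrq, 0, sizeof wrq);
    strncpy(wrq.ifr_ifrn.ifrn_name, ifname, IFNAMSIZ - 1);
    wrq.u.mode = IW_MODE_INFRA;         // what the driver really reports
    if (fake_iwmode(request, &wrq, real_rc) != 0)
        return -1;
    return (int)wrq.u.mode;
}
```

Note that the shim only changes what is reported: a program that then issues SIOCSIWMODE to switch modes itself still talks to the real driver.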

binkybear commented 8 years ago

asjadsyed,

Wonderful!

I gave it a try in the Kali chroot in NetHunter and that fixed the issue. I can now use monitor mode in the chroot with wlan0 without having to modify the binaries. I gave it a test with wifite and it returned results like normal.

I think you should contact the authors of nexmon also, they would probably be interested in the work you have done. Now I will look into wrapping all this up into a nice launcher.

Thanks for your help!

asjadsyed commented 7 years ago

They now have a similar intercept within their code, see https://twitter.com/nexmon_dev/status/776681411721957376 https://dev.seemoo.tu-darmstadt.de/bcm/bcm-public/commit/91237d6685eddbfbdc5e9517cdaaa6495ea63f46#3f9848409ce30168e80b4f705a7b579078f0f45f_0_82 :grinning:

oltyx commented 7 years ago

They released an app also, so I thought to try it out. It works like a charm outside the chroot, but I didn't manage to make it work inside the chroot. @binkybear could you please tell me what the secret is, because when I type this command:

LD_PRELOAD=libfakeioctl.so airodump-ng wlan0

this is the error that I get:

ERROR: ld.so: object 'libfakeioctl.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ioctl(SIOCSIWMODE) failed: Operation not supported
ioctl(SIOCSIWMODE) failed: Operation not supported
Error setting monitor mode on wlan0

binkybear commented 7 years ago

After you have compiled it, just run an export with the path to the file:

export LD_PRELOAD=`pwd`/libfakeioctl.so

I just have it as a script and named preload and run:

source preload

All of this in chroot. I have not had a chance to try out the new app yet but I saw a release today that allows surfing the internet and frame injection at same time:

https://github.com/seemoo-lab/bcm-public/releases/tag/v1.1

webcoderz commented 7 years ago

@binkybear would it be possible for you to add the nexmon firmware upgrade within the Nexus 5 kernel in a future update? I brought it up in the bettercap issue but it was overlooked. Or provide some info on how you installed it; I have no idea how to install it properly. I have no computer at the moment.

binkybear commented 7 years ago

Yes, with the addition of working internet with monitor mode it makes sense to add it. I will look into adding it in the future.

webcoderz commented 7 years ago

You, sir, are a gentleman and a scholar. They have a boot.img on their hub; are you looking at bcmon, or nexmon?

webcoderz commented 7 years ago

Bcmon has an .apk also and I think they actively still xo.teibue, I don't know about the nexmon mod, probably not since the Nexus 5 is old now...

oltyx commented 7 years ago

@binkybear I still didn't manage. I am such a noob. I still get the same message after I use: LD_PRELOAD=libfakeioctl.so airodump-ng wlan0. After I did what you said, this is the output for export -p:

root@kali:~# export -p
declare -x HOME="/root"
declare -x HUSHLOGIN="FALSE"
declare -x LD_PRELOAD="/system/lib/libfakeioctl.so"
declare -x LOGNAME="root"

What have I done wrong?

binkybear commented 7 years ago

@oltyx - I'm not sure why, but your LD_PRELOAD is pointing at the system lib folder. Mine looks like:

declare -x HOSTNAME="hammerhead"
declare -x LD_PRELOAD="./ioctl_intercept.so"
declare -x LOGNAME="root"

oltyx commented 7 years ago

@binkybear so I did not manage to make the chroot work with libfakeioctl.so from NEXMON, so I tried with @asjadsyed's ioctl_intercept.so. I compiled the C code to an ioctl_intercept.so from the chroot and the actual file is in the /root directory (my pwd). I tried both methods: first setting LD_PRELOAD=./ioctl_intercept.so and second typing LD_PRELOAD for each particular command, but airmon-ng still doesn't work, and neither does wifite. iwconfig is the only one that reports what I need (monitor mode). This is my error output:

root@kali:~# ls
ioctl_intercept.so
root@kali:~# LD_PRELOAD=./ioctl_intercept.so airodump-ng wlan0
ioctl(SIOCSIWMODE) failed: Operation not supported
ioctl(SIOCSIWMODE) failed: Operation not supported
Error setting monitor mode on wlan0

Please consider a little help for me, but only if you have the necessary time.

binkybear commented 7 years ago

@oltyx - Are you using my kernel from repo or nexmon's kernel?

oltyx commented 7 years ago

@binkybear Yes, I am using your kernel:

root@kali:~# uname -r
3.4.0-gb7558f2

Some iwconfig output (with LD_PRELOAD=ioctl_interception.so):

wlan0     IEEE 802.11abgn  ESSID:"#####"
          Mode:Monitor  Frequency:2.437 GHz  Access Point: ##:##:##:##:##:##
          Bit Rate=58.5 Mb/s   Tx-Power=1496 dBm
          Retry long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on
          Link Quality=34/70  Signal level=-76 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:1   Missed beacon:0

And still this annoying error:

root@kali:~# LD_PRELOAD=./ioctl_intercept.so airodump-ng wlan0
ioctl(SIOCSIWMODE) failed: Operation not supported
ioctl(SIOCSIWMODE) failed: Operation not supported
Error setting monitor mode on wlan0

oltyx commented 7 years ago

So any hope to integrate Nexmon in Nethunter project?

B33tleSec commented 7 years ago

After messing around with this on CM 13, I used the app to install the firmware, which works great outside of the chroot, but I am also still getting the same error that @oltyx is getting for airodump. Using the kernel for CM, I used @asjadsyed's code and compiled it because I can't get the libfakeioctl.so to work; it keeps giving me the "cannot be preloaded" issue, however it works outside of the chroot. I can set the card to Monitor mode after exporting, then when I try wifite it starts scanning, then errors saying wifite is unable to generate airodump-ng output files. When I try airodump-ng wlan0 it says:

ioctl(SIOCSIWMODE) failed: Operation not supported
ioctl(SIOCSIWMODE) failed: Operation not supported
Error setting monitor mode on wlan0

Then I have to soft reboot my phone because the wifi doesn't work at all, even after cutting it on and off in the Android settings. Maybe I'm doing it wrong.. or not understanding something. I use export LD_PRELOAD=pwd/xxxx.so and it sends it to Monitor mode just fine.. I try wifite wlan0 right after that and the issue seems to be airodump trying to set wlan0 to monitor mode even when it's already set?? LOL please help

binkybear commented 7 years ago

I should note my own findings from playing with the recent nexmon firmware. The libfakeioctl.so that comes with the app works fine outside the chroot to set monitor mode. However, it's lost when loading the chroot. That's because 1) we unset LD_PRELOAD and 2) the system library for libfakeioctl.so does not work with the chroot. Monitor mode and libfakeioctl work fine OUTSIDE of the chroot.

Building libfakeioctl inside the chroot does not work (it builds fine but doesn't load). Loading and running it causes a reboot. Monitor mode works by setting nexutil -m true, however that doesn't fix the device still being reported as managed.

The issue as it stands right now is with tweaking/fixing the libfakeioctl to work inside chroot. I thought about a kernel module instead but that would take a bit of development/research (I assume this might work).

The other option (maybe easier) is tweaking source code for libfakeioctl and getting it to work inside chroot.

webcoderz commented 7 years ago

If dongle-less injection is added, then with a dongle we could add an open-source Pineapple-type service or improve upon FruityWifi; that would enable us to essentially have built an Android Pineapple Nano.

asjadsyed commented 7 years ago

@binkybear: You mentioned making a kernel module to implement the hack on a system-wide level, so if you do take that approach:

From what I gather, the way to do this would be to replace the function pointer to ioctl within the kernel's memory. We would have to replace it with a function pointer to a similar function with the same signature as ioctl. The pointer is in a table named sys_call_table.

Unfortunately, the symbol sys_call_table is no longer exported by the kernel. It was removed a long time ago to make making kernel module rootkits harder. The table is still there in memory, but there is no straightforward way to get to it. Someone more experienced than me with kernel development should see if finding it is feasible. Another thought: perhaps since NetHunter controls its own kernels, sys_call_table could be re-exported for the Nexus 5 kernel specifically. That would be easier and less hacky than trying to find it.

Still, I think the bug is unrelated to libfakeioctl's code, and I think the root cause of the bug is somewhere else in the firmware. This may just be masking the bug.

HTH

binkybear commented 7 years ago

@asjadsyed - You are correct about it not being related to libfakeioctl. I opened an issue here:

https://github.com/seemoo-lab/bcm-public/issues/4

The problem was I needed to apply: https://github.com/seemoo-lab/bcm-public/blob/90bed6e1c3ad70ddc23ccf44033b152e0db300b6/kernel_patches/40mhz_channels_5GHz.patch

However, while airodump-ng will start in chroot it hangs after a few seconds. I'm unsure at the moment what is causing this error....

UPDATE

Current error related to set channel (40mhz patch):

[   60.516010] CFG80211-ERROR) wl_cfg80211_set_channel : netdev_ifidx(4), chan_type(0) target channel(1) 

This function can be traced back to: https://github.com/nethunteros/android_kernel_lge_hammerhead/blob/cm-14.1-caf/drivers/net/wireless/bcmdhd/wl_cfg80211.c#L5268

Fixed by replacing our wl_cfg80211 with https://raw.githubusercontent.com/seemoo-lab/bcm-public/8d84f570ecc9208f527f6e775eabe6b5aec9b0ca/kernel/drivers/net/wireless/bcmdhd/wl_cfg80211.c.

Everything appears to be working now.

Instructions for flashing NethunterOS with current Nexmon & kernel

https://gist.github.com/binkybear/8f0f4eee292d5263372f47c3c3edd08e

binkybear commented 7 years ago

Working now: https://gist.github.com/binkybear/8f0f4eee292d5263372f47c3c3edd08e

asjadsyed commented 7 years ago

That makes this wiki page outdated:

External wireless cards are necessary because Android devices do not support monitor mode.

:grinning:

binkybear commented 7 years ago

You're right! I have updated it. =)

B33tleSec commented 7 years ago

After getting this installed I did have an issue with the terminal saying that bootkali_login wasn't found.. I removed both NetHunter and the terminal app and reinstalled with the latest and everything worked after that.

On a side note.... I've always had a bit of issues with my LTE data and GPS locking on.. Whatever ROM this was imported to is the mad note! I've never seen my 32GB Nexus 5 run so smoothly.

oltyx commented 7 years ago

@binkybear I tried to make a dual-boot with AOSP 6.0.1 and NethunterOS via MultiROM, and when I try to flash NethunterOS (nh-14.1-nethunter-hammerheadcaf-v1; I also wipe the cache and dalvik partitions) it gives me this error:

Checking MD5 file...
Skipping MD5 check: no MD5 file found
Comparing BASEBAND version M8974-2.0.50.2.30 to M8974A-2.0.50.2.29
assert failed: hammerhead.verify_baseband("M8974A-2.-.50.2.30") == "1"
Updater process ended with ERROR: 7

B33tleSec commented 7 years ago

@oltyx Grab that radio patch http://www.mediafire.com/file/ld8vvfj774sx6xy/NEXUS5_M4B30X_RADIO.zip

oltyx commented 7 years ago

@B33tleSec I flashed your patch and it almost worked... at the end of the installation, this appears:

E:unknown command [log]
E:unknown command [log]
E1001: Failed to update system image.
E:unknown command [log]
Updater process ended with ERROR: 7
Failed to install ZIP!
Erasing incomplete ROM...

jdoncouse commented 7 years ago

@oltyx did you flash the TWRP that supports hammerheadcaf? Other than that, that's all I know when it comes to this. I didn't have any issues besides the radio patch being needed, but it's all in the tutorial bro.

The only other thing I could tell ya to do is: pull off everything you want from the phone if you have anything, wipe everything and start from the beginning.

webcoderz commented 7 years ago

@binkybear good stuff appreciate it

oltyx commented 7 years ago

@jdoncouse I have MultiROM TWRP version.

jdoncouse commented 7 years ago

@oltyx then that version of TWRP doesn't support installing the hammerheadcaf version of CyanogenMod. I don't know what makes them different, sadly. I believe they probably have different checks when it comes to installing the ROMs. All I know is that with the TWRP for hammerheadcaf linked in the tutorial it installed just fine for me. I switched back, though, to CM 13 until a more updated version is out with all bugs ironed out... I've installed FruityWifi on two different Nougat-based CM 14.1 ROMs now and I'm getting weird issues where the AP activates, however the page still shows it disabled even though it's working. On CM 13 based ROMs I've never run into this.

jdoncouse commented 7 years ago

@oltyx sorry to double post, but I just googled multirom hammerheadcaf and it looks like people have requested support for it in TWRP but nothing seemed to transpire from that. Sadly I don't think you'd be able to MultiROM it until this gets a hammerhead CM version, non-caf.

oltyx commented 7 years ago

@jdoncouse That's very sad to hear, but I will continue to search for a solution.

oltyx commented 7 years ago

@jdoncouse @binkybear @akrolla @B33tleSec So after a looong search, I finally got what I want and I can confirm that everybody can make a dual-boot between Android 6.0.1 and NethunterOS (CM 14.1) on the Nexus 5 with this UNOFFICIAL MultiROM version: https://basketbuild.com/devs/Captain_Throwback/Nexus%205/MultiROM The original post, where I found this, is here: http://forum.xda-developers.com/showthread.php?p=69695982#post69695982 THE CHROOT IS FULLY FUNCTIONAL AND I CAN USE THE aircrack SUITE

EightieOG commented 7 years ago

Hi guys. I have a noob question. I am running a Nexus 6 with NetHunter; will this Nexmon firmware apply to my phone? Or does only the 6P support packet injection and monitor mode? I am very new to all this and taking courses at my local college. Building or compiling a kernel, I hear, is my only option to bring an external wifi card into monitor mode? Also what about an SMCWUSBS-N3 external wifi card? I plug it in and the power light comes on? I am going to test putting it into monitor mode, but after airmon-ng wlan1 up it says driver ???????. I feel so helpless here and I know a lot of this is beyond simple, but I am not sure where else to look. Thanks Akrolla for responding before, but I just don't know how to build one.

webcoderz commented 7 years ago

You can do it on the nexus5

Nethunterlover commented 6 years ago

Help me, my Nexus 5 can't detect the WN722N v1 in fluxion or HT-WPS-Breaker, but it works well with wifite. Please help.

Nethunterlover commented 6 years ago

@binkybear I had an issue on my Nexus 5: when I start wifite to hack a wifi network, it scans networks, then it sends some deauth packets to the target, then it says "Airodump-ng exited with status 1". Same issue in airodump-ng: when it scans some networks it also says "Network is down", "Wlan1 not found", "No such device".

sm0k3y13 commented 6 years ago

Link for the nexus 6p has error 404

tjt263 commented 5 years ago

Did anyone ever actually get this to work smoothly?

EightieOG commented 5 years ago

For my Nexus 6 the newer version of NetHunter worked. Then I couldn't get the internal wifi card to work normally. So then I downloaded a different kernel and it didn't work well with the phone.