seemoo-lab / nexmon

The C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more
GNU General Public License v3.0

Can't capture packets with bad checksum #200

Open baharxy opened 6 years ago

baharxy commented 6 years ago

Hi, I am using the nexmon firmware on a RPI 3, and looking to do some debugging on packets with bad checksums that I intentionally inject into the network.

I can capture packets with bad checksums on other wifi chipsets and linux machines by executing "iw phy $phy_name interface add mon0 type monitor flags fcsfail". However after using the same command on the RPI 3 with the nexmon patch, I don't see any packets with the bad checksums.

Could you please let me know if there is anything that I am missing? Thanks.
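Whether frames with a bad FCS actually reach userspace, and whether the driver marks them, can be checked from a monitor-mode capture instead of by eye. The script below is an added example, not code from the nexmon project or from anyone in this thread: it walks the radiotap header to the Flags byte, recomputes the 802.11 CRC-32 over each frame and compares the result with the "bad FCS" bit the stack set. The sample frames at the bottom are constructed inline; `read_pcap` assumes a classic pcap written with `tcpdump -i mon0 -w`, whose link type must be 127 (radiotap).

```python
import struct
import sys
import zlib

# Radiotap "Flags" field bits (radiotap.org); mac80211 sets BAD_FCS on frames
# that are delivered only because the monitor interface has "flags fcsfail".
RT_FLAG_FCS_PRESENT = 0x10   # frame carries its 4-byte FCS at the end
RT_FLAG_BAD_FCS = 0x40       # driver/firmware reports the FCS check failed
DLT_IEEE802_11_RADIO = 127   # pcap link type for radiotap-encapsulated 802.11


def parse_radiotap_flags(frame):
    """Return (flags, dot11): the radiotap Flags byte (None if absent) and the
    802.11 frame that follows the radiotap header."""
    if len(frame) < 8:
        raise ValueError("too short for a radiotap header")
    version, _pad, rt_len = struct.unpack_from("<BBH", frame, 0)
    if version != 0 or rt_len > len(frame):
        raise ValueError("bad radiotap header")
    # Presence bitmaps: bit 31 of each word says another word follows.
    off = 4
    first_present = None
    while True:
        (word,) = struct.unpack_from("<I", frame, off)
        if first_present is None:
            first_present = word
        off += 4
        if not word & (1 << 31):
            break
    # Only TSFT (bit 0) precedes Flags (bit 1): 8 bytes, 8-byte aligned
    # relative to the start of the radiotap header.
    if first_present & (1 << 0):
        off += (-off) % 8
        off += 8
    flags = frame[off] if first_present & (1 << 1) and off < rt_len else None
    return flags, frame[rt_len:]


def fcs_ok(dot11):
    """Recompute the 802.11 FCS: CRC-32 over the frame, transmitted LSB first."""
    if len(dot11) < 4:
        return False
    body, trailer = dot11[:-4], dot11[-4:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == trailer


def classify(frames):
    """Compare the stack's verdict (radiotap BAD_FCS) with a recomputed CRC."""
    counts = {"good": 0, "bad_flagged": 0, "bad_unflagged": 0, "no_fcs": 0}
    for frame in frames:
        flags, dot11 = parse_radiotap_flags(frame)
        if flags is None or not flags & RT_FLAG_FCS_PRESENT:
            counts["no_fcs"] += 1
        elif fcs_ok(dot11):
            counts["good"] += 1
        elif flags & RT_FLAG_BAD_FCS:
            counts["bad_flagged"] += 1
        else:
            counts["bad_unflagged"] += 1
    return counts


def read_pcap(path):
    """Minimal classic-pcap reader; yields radiotap frames from a tcpdump -w file."""
    with open(path, "rb") as fh:
        data = fh.read()
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}[magic]
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != DLT_IEEE802_11_RADIO:
        raise ValueError("capture is not radiotap (link type %d)" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


# --- constructed sample input (not a real capture) ---------------------------

def build_radiotap(flags):
    """Radiotap header with TSFT, Flags and Rate: 8 + 8 + 1 + 1 = 18 bytes."""
    present = (1 << 0) | (1 << 1) | (1 << 2)
    return struct.pack("<BBHI", 0, 0, 18, present) + struct.pack("<Q", 0x1234) + bytes([flags, 0x02])


def build_beacon(ssid, corrupt_fcs=False):
    """Minimal beacon frame with a correct (or deliberately wrong) FCS."""
    hdr = (b"\x80\x00" + b"\x00\x00" + b"\xff" * 6            # FC, duration, DA
           + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x10\x00")   # SA, BSSID, seq
    body = struct.pack("<QHH", 0, 100, 0x0401) + bytes([0, len(ssid)]) + ssid
    fcs = struct.pack("<I", zlib.crc32(hdr + body) & 0xFFFFFFFF)
    if corrupt_fcs:
        fcs = bytes(b ^ 0xFF for b in fcs)
    return hdr + body + fcs


SAMPLE_FRAMES = [
    build_radiotap(RT_FLAG_FCS_PRESENT) + build_beacon(b"good"),
    build_radiotap(RT_FLAG_FCS_PRESENT | RT_FLAG_BAD_FCS) + build_beacon(b"bad", True),
    build_radiotap(RT_FLAG_FCS_PRESENT) + build_beacon(b"silent", True),  # bad, not flagged
    build_radiotap(0) + build_beacon(b"nofcs")[:-4],                      # FCS stripped
]

if __name__ == "__main__":
    frames = read_pcap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FRAMES
    print(classify(frames))
```

On a stack that honours fcsfail, the deliberately corrupted frames land in `bad_flagged`. Zero frames in both `bad_*` buckets while you are injecting them means they are dropped before they reach the host, which is the symptom above. Frames in `bad_unflagged` mean bad-FCS frames do arrive but without the radiotap bit, so filter on the recomputed CRC rather than on the flag.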

matthiasseemoo commented 6 years ago

Passing the fcsfail option is not supported. You can, however, patch the firmware to activate the collection of frames with wrong checksum: https://github.com/seemoo-lab/nexmon/blob/master/patches/bcm4339/6_37_34_43/nexmon/src/monitormode.c#L210


-- Matthias Schulz Secure Mobile Networking Lab - SEEMOO

Email: matthias.schulz@seemoo.tu-darmstadt.de Web: http://www.seemoo.de/mschulz Phone (new): +49 6151 16-25478 Fax: +49 6151 16-25471

Department of Computer Science Center for Advanced Security Research Darmstadt Technische Universität Darmstadt Mornewegstr. 32 (Office 4.2.10, Building S4/14) D-64293 Darmstadt, Germany

baharxy commented 6 years ago

I already built the patch [that has MONITOR_ACTIVATE_BADFCS set to (1 << 5) in monitormode.h] for RPI3. I assume that should already have activated the collection of frames with wrong checksums, shouldn't it?

baharxy commented 6 years ago

Looks like wlc_mctrl_hook is missing from the monitormode.c source code for the bcm43430a1 (RPI 3) patches. Do you happen to know if there is any specific reason for this? Thanks.

p8me commented 6 years ago

The key part missing from monitormode.c in RPI-3 (BCM43430a1) [by comparing versus Nexus 5 (BCM4339)] is: __attribute__((at(?????, ...))) BLPatch(????, wlc_mctrl_hook); Is there any way to know what the address and the original function name (first argument to BLPatch) should be?

For example, when applying BLPatch on wl_monitor_hook here: https://github.com/seemoo-lab/nexmon/blob/eb8432ec15b0889e803b56a3a33760609eb016b3/patches/bcm43430a1/7_45_41_46/nexmon/src/monitormode.c#L112 . Where is flash_patch_179 coming from?

matthiasseemoo commented 6 years ago

You need to reverse engineer the firmware binary to find the correct address. flash_patch_179 is just the name for the BLPatch. The location in ROM/flash was already patched before, as you can see in the flashpatches.c file in the firmware's subdirectory.