Open DennisHerell opened 3 years ago
You do not need LD_PRELOAD=libnexmon.so
on the RPi. It is used on Android devices to fake a monitor mode interface.
Here is a code snipped for transmitting a fixed data frame using 20MHz and MCS 4 that can be triggered using an IOCTL call. The code should be placed inside ioctl.c
. This will end up in the firmware.
...
// additional includes
#include <rates.h>
#include <sendframe.h>
// a data frame, dst and src are 00:11:22:33:44:55
static char packet_bytes[] = {
0x88, 0x42, 0x2c, 0x00,
0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
0x20, 0x21, 0x00, 0x00,
0x46, 0x09, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
0x32, 0xf5, 0x22, 0xdf, 0xf1, 0xb2, 0xf5, 0x9b,
0x19, 0x20, 0x0e, 0x56, 0x9e, 0x27, 0xac, 0x7c,
0x6c, 0xb0, 0xca, 0x4b, 0x56, 0x10, 0x10, 0x51,
0x8e, 0xe2, 0x19, 0x75, 0x4f, 0x80, 0x44, 0x7d,
0x87, 0x73, 0xc1, 0x0e, 0x2f, 0xf5, 0x2e, 0x7c,
0xdc, 0x05, 0xba, 0x91, 0x3e, 0xe0, 0x94, 0xd3,
0x82, 0x2a, 0x25, 0x3c, 0xe1, 0xbb, 0xb4, 0xef,
0x83, 0x60, 0xef, 0x3e, 0xf0, 0x79
};
...
wlc_ioctl_hook(...
...
// define a new ioctl
case 599:
{
// suppress scanning
set_scansuppress(wlc, 1);
// disable minimal power consumption
set_mpc(wlc, 0);
// get length of packet
int len = sizeof(packet_bytes);
// reserve a packet buffer with header space
sk_buff *p = pkt_buf_get_skb(wlc->osh, len + 202);
// pull header space
char *packet_skb = (char *) skb_pull(p, 202);
// copy packet bytes to buffer
memcpy(packet_skb, &packet_bytes, len);
// send packet with specific rate
uint32 rate = RATES_BW_20MHZ | RATES_OVERRIDE_MODE | RATES_ENCODE_VHT | RATES_VHT_MCS(4) | RATES_VHT_NSS(1);
sendframe(wlc, p, 1, rate);
ret = IOCTL_SUCCESS;
break;
}
To trigger this code you can use an IOCTL call, e.g. using nexutil
:
nexutil -s599
It is also possible to pass data along with an IOCTL call. Inside wlc_ioctl_hook
you can access it via the arg
argument and its length via len
. This can e.g. be used to pass the packet bytes and/or rate settings dynamically to the firmware. nexutil
already provides you options to do this easily, see its help output for more.
For example code have a look at how we pass configuration parameters to the firmware via IOCTL 500 for the nexmon_csi patch.
Thank you very much for the response! The comment for each function really help, I'll try to implement it for now
May I know what is the purpose of set_scansuppress(wlc,1)
?
I tried to install nexmon with the change you've given to the ioctl.c, but it failed to compile. I found out the set_scansuppress in helper.c does not include bcm43430a1. I tried to just add bcm43430a1, but helper.c failed to compile after that change.
So I tried installing it without the set_scansuppress function, and it successfully compile. However, after calling nexutil -599 nothing seem to happen. Is bcm43430a1 not supported for frame injection?
Edit: I tried installing it in rpi 3b+ with bcm43455c0 and this time everything compiled successfully, however I found no indicator that the injection work. What I did was:
Edit the ioctl according to the snipped code, I haven't add channels to the firmware, so I'm trying to sniff in the 2.4 GHz bandwidth and change the rate from VHT --> HT. Also add a printf to show if frame injection work. After installation finished, I goes into monitor mode
iw dev wlan0 interface add mon0 type monitor
ifconfig mon0 up
and change into channel 6nexutil -k6
and to call the frame injection function, I call nexutil -s599
I tried adding interface nexutil -Imon0 -s599
but nothing different
On the receiver side, I use rpi3b with nexmon. In here, I also goes to monitor mode and change to channel 6, then:
tcpdump -imon0 - w capture.pcap
then I look at the result in capture.pcap, but nothing from the frame injection shows up
Am I using it correctly? Did I miss something? I assume calling nexutil -s599
only transmit once, so I did it many times.
Maybe it need to be done with timer? I tried incorporating the sendframe_with_timer but it didn't work. I realize the sendpacket function in [https://github.com/seemoo-lab/mobisys2018_nexmon_covert_channel/blob/de4e3823eb2262ae1391e2aa80d513e6700adeed/src/ioctl_7xx.c#L344] is very similar, but it use
rate = RATES_RATE_6M
instead of the various parameters. Are the rates I'm using correct? @jlinktu your help would be really appreciated
You do not need
LD_PRELOAD=libnexmon.so
on the RPi. It is used on Android devices to fake a monitor mode interface.Here is a code snipped for transmitting a fixed data frame using 20MHz and MCS 4 that can be triggered using an IOCTL call. The code should be placed inside
ioctl.c
. This will end up in the firmware.... // additional includes #include <rates.h> #include <sendframe.h> // a data frame, dst and src are 00:11:22:33:44:55 static char packet_bytes[] = { 0x88, 0x42, 0x2c, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x20, 0x21, 0x00, 0x00, 0x46, 0x09, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x32, 0xf5, 0x22, 0xdf, 0xf1, 0xb2, 0xf5, 0x9b, 0x19, 0x20, 0x0e, 0x56, 0x9e, 0x27, 0xac, 0x7c, 0x6c, 0xb0, 0xca, 0x4b, 0x56, 0x10, 0x10, 0x51, 0x8e, 0xe2, 0x19, 0x75, 0x4f, 0x80, 0x44, 0x7d, 0x87, 0x73, 0xc1, 0x0e, 0x2f, 0xf5, 0x2e, 0x7c, 0xdc, 0x05, 0xba, 0x91, 0x3e, 0xe0, 0x94, 0xd3, 0x82, 0x2a, 0x25, 0x3c, 0xe1, 0xbb, 0xb4, 0xef, 0x83, 0x60, 0xef, 0x3e, 0xf0, 0x79 }; ... wlc_ioctl_hook(... ... // define a new ioctl case 599: { // suppress scanning set_scansuppress(wlc, 1); // disable minimal power consumption set_mpc(wlc, 0); // get length of packet int len = sizeof(packet_bytes); // reserve a packet buffer with header space sk_buff *p = pkt_buf_get_skb(wlc->osh, len + 202); // pull header space char *packet_skb = (char *) skb_pull(p, 202); // copy packet bytes to buffer memcpy(packet_skb, &packet_bytes, len); // send packet with specific rate uint32 rate = RATES_BW_20MHZ | RATES_OVERRIDE_MODE | RATES_ENCODE_VHT | RATES_VHT_MCS(4) | RATES_VHT_NSS(1); sendframe(wlc, p, 1, rate); ret = IOCTL_SUCCESS; break; }
To trigger this code you can use an IOCTL call, e.g. using
nexutil
:nexutil -s599
It is also possible to pass data along with an IOCTL call. Inside
wlc_ioctl_hook
you can access it via thearg
argument and its length vialen
. This can e.g. be used to pass the packet bytes and/or rate settings dynamically to the firmware.nexutil
already provides you options to do this easily, see its help output for more. For example code have a look at how we pass configuration parameters to the firmware via IOCTL 500 for the nexmon_csi patch.
Hi, can you kindly tell me to pass parameters to the firmware in details? I see the struct params in the IOCTL 500, but how do I pass the params from nexutil -s500 command?
Hi, first of all I want to say thank you for the great tools provided by seemoo-lab. I have managed to extract CSI using a raspberry pi (RPi 3B+), and now I want to inject frame using another RPi (3B with bcm43430a1) from which I can collect the CSI. I am new to this field, so I have a hard time implementing the frame injection.
Firstly, I want to clarify my understanding of injecting frame. I've gone through the many discussions here, and from what I gathered, there are many way to inject frame. We can use the aireplay-ng to inject frame for example, and I've managed to inject frame using that. However, injecting frame this way is not really relevant for the purpose of extracting CSI. Nexmon has provided functions to implement frame injection that allow us to control several parameter such as:
From what I understand the function to send frame are defined in sendframe.c and injection.c, and to implement it I need to write an ioctl that call those function, am I right? An example of ioctl code that implement frame injection can be seen in https://github.com/seemoo-lab/wisec2017_nexmon_jammer_demo_firmware/blob/master/src/ioctl_5xx.c#L489
After writing the necessary ioctl code, I need to write my injection program that send the ioctl message. Finally, I run the injection by putting the bash command:
LD_PRELOAD=libnexmon.so [INJECTION_PROGRAM]
So my questions are:
I hope someone can help me clarify these issues. Thanks!