seemoo-lab / nexmon

The C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more
GNU General Public License v3.0

How can I capture frames with bad FCS? #493

Open doragasu opened 3 years ago

doragasu commented 3 years ago

I am trying to capture packets with bad FCS on a Raspberry Pi 4 and nexmon firmware 7.45.206. I have tried without success several combinations of nexutil switches -m and -p (I do not know exactly what the different values do, so I tried all). I only get data with -m2, but that data lacks packets with wrong FCS. I have also tried enabling wrong FCS data capture with iw mon0 set monitor fcsfail, without success.

How can I get packets with wrong FCS data? Is it supported?

doragasu commented 3 years ago

I have just found related Issue #200, and it seems my problem is that I need to patch the wlc_mctrl() function. I have browsed code for the bcm43455c0 in the RPi4 and the wcl_mctrl_hook() function is effectively not implemented.

So I suppose I need to copy/paste the code for the hook and find the address in the original firmware blob to place the hook. The question here is: how can I find the address? Do I have to backup the original firmware and then reverse-engineer it using e.g. Ghidra? Or is there an easier way?