seemoo-lab / nexmon

The C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more
GNU General Public License v3.0

RPI ZERO 2W: doesn't work, needs patch for firmware 7.45.96.s1 #619

Open qrp73 opened 4 months ago

qrp73 commented 4 months ago

New RPI ZERO 2W uses chip BCM43430/1 with firmware 7.45.96.s1 (gf031a129). It appears that there is no patch for this firmware... Here is the original firmware which works ok, but doesn't have monitor mode:

brcmf_fw_alloc_request: using brcm/brcmfmac43430-sdio for chip BCM43430/1
brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Jun 14 2023 07:27:45 version 7.45.96.s1 (gf031a129) FWID 01-70bd2af7 es7

With this RPI ZERO 2W, WiFi doesn't work at all on latest Kali Linux (for both OEM and nexmon firmware).

I tried to compile patches/bcm43430a1/7_45_41_46/nexmon and patches/bcm43436b0/9_88_4_65/nexmon/ but it doesn't work. And Kali Linux loads brcmfmac43436s-sdio for some unknown reason. I tried to copy brcmfmac43430-sdio and brcmfmac43436-sdio to brcmfmac43436s-sdio, but it also fails to load with error:

brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43436s-sdio.raspberrypi,model-zero-2-w.bin failed with error -2
jlinktu commented 4 months ago

We are not related to Raspberry Pi nor Kali Linux - but if you want to get this to work I suggest you first get Kali Linux to correctly load the original firmware. Once this works, you can think about adding monitor mode.

On Raspberry Pi OS they do this by creating a corresponding symlink, see: https://github.com/RPi-Distro/firmware-nonfree/tree/bookworm/debian/config/brcm80211/brcm The brcmfmac driver will try to load brcmfmac43430-sdio.raspberrypi,model-zero-2-w.bin, which links to brcmfmac43436s-sdio.bin. In your case, the driver on Kali Linux seems to try loading brcmfmac43436s-sdio.raspberrypi,model-zero-2-w.bin, which you should link to brcmfmac43436s-sdio.bin accordingly. brcmfmac43436s-sdio.bin should be this file.

qrp73 commented 4 months ago

I just want to get monitor mode working, since it doesn't work on raspi-os, this is why I installed Kali Linux.

With RPI4 it works ok (with some minor issues, but it can be ignored), but RPI4 uses different chip BCM4345/6.

With RPI Zero 2w it doesn't work at all on Kali Linux (no WiFi with OEM firmware and no WiFi with nexmon patched firmware) because RPI Zero 2w uses chip BCM43430/1. Original raspi-os uses firmware 7.45.96.s1 for this BCM43430/1 chip.

I tried to compile nexmon, but there is no patch for firmware 7.45.96.s1.

Original raspi-os-bookworm 6.6.31+rpt-rpi-v8 running on rpi2w uses this symlink /lib/firmware/brcm/brcmfmac43430-sdio.bin -> ../cypress/cyfmac43430-sdio.bin. It loads this firmware and it works ok, but doesn't support monitor mode.

Here is log file from raspi-os-bookworm with working firmware:

[   12.919275] brcmfmac: F1 signature read @0x18000000=0x1541a9a6
[   12.936804] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43430-sdio for chip BCM43430/1
[   12.937728] usbcore: registered new interface driver brcmfmac
[   13.192057] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob available (err=-2)
[   13.192698] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Jun 14 2023 07:27:45 version 7.45.96.s1 (gf031a129) FWID 01-70bd2af7 es7

Unfortunately there is no patch for firmware 7.45.96.s1.

Kali Linux for some unknown reason loads brcm/brcmfmac43436-sdio with an error and it doesn't work at all.

I'm not sure - how does the system determine which chip type is installed and which firmware needs to be loaded? It seems that there is some issue in Kali Linux determining which firmware should be loaded, because it loads brcmfmac43436-sdio instead of brcmfmac43430-sdio. I tried to replace brcmfmac43436-sdio with a copy of brcmfmac43430-sdio; it loads the brcmfmac43430-sdio firmware, but it also doesn't work.

PS: also it's not clear why original raspi-os-bookworm loads brcmfmac43430-sdio, because all symlinks with .raspberrypi,model-zero-2-w postfix are pointing to brcmfmac43436-sdio.bin:

$ ls -l /lib/firmware/brcm/*raspberrypi,model-zero-2-w*
lrwxrwxrwx 1 root root 27 Feb 26 19:44 /lib/firmware/brcm/BCM43430A1.raspberrypi,model-zero-2-w.hcd -> ../synaptics/SYN43430A1.hcd
lrwxrwxrwx 1 root root 27 Feb 26 19:44 /lib/firmware/brcm/BCM43430B0.raspberrypi,model-zero-2-w.hcd -> ../synaptics/SYN43430B0.hcd
lrwxrwxrwx 1 root root 22 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43430b0-sdio.raspberrypi,model-zero-2-w.bin -> brcmfmac43436-sdio.bin
lrwxrwxrwx 1 root root 27 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43430b0-sdio.raspberrypi,model-zero-2-w.clm_blob -> brcmfmac43436-sdio.clm_blob
lrwxrwxrwx 1 root root 22 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43430b0-sdio.raspberrypi,model-zero-2-w.txt -> brcmfmac43436-sdio.txt
lrwxrwxrwx 1 root root 23 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43430-sdio.raspberrypi,model-zero-2-w.bin -> brcmfmac43436s-sdio.bin
lrwxrwxrwx 1 root root 23 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43430-sdio.raspberrypi,model-zero-2-w.txt -> brcmfmac43436s-sdio.txt
lrwxrwxrwx 1 root root 22 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43436-sdio.raspberrypi,model-zero-2-w.bin -> brcmfmac43436-sdio.bin
lrwxrwxrwx 1 root root 27 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43436-sdio.raspberrypi,model-zero-2-w.clm_blob -> brcmfmac43436-sdio.clm_blob
lrwxrwxrwx 1 root root 22 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43436-sdio.raspberrypi,model-zero-2-w.txt -> brcmfmac43436-sdio.txt
lrwxrwxrwx 1 root root 23 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43436s-sdio.raspberrypi,model-zero-2-w.bin -> brcmfmac43436s-sdio.bin
lrwxrwxrwx 1 root root 23 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43436s-sdio.raspberrypi,model-zero-2-w.txt -> brcmfmac43436s-sdio.txt
jlinktu commented 4 months ago

Well, if it doesn't matter what OS you are using, I suggest going with Raspberry Pi OS then.

From the log output I can see that on Raspberry Pi OS, other than you suggested, brcmfmac43436s.bin is loaded.

Regarding the confusion about what file is to be loaded, there are a couple of discussions there: https://github.com/RPi-Distro/firmware-nonfree/issues TLDR: There are different versions of the Raspberry Pi Zero 2 W, with different Wi-Fi chips, which require different firmwares. Apparently you have the version that requires brcmfmac43436s.bin. Kali simply seems to load the wrong firmware, thus, again suggesting to go with Raspberry Pi OS or port the related stuff to Kali.

However, all of the above has nothing to do with nexmon itself. It is possible to patch brcmfmac43436s.bin to support monitor mode, but I currently can't do this in my free-time. If you really need this, you can contact me by mail and we can try to find a solution.

qrp73 commented 4 months ago

> Apparently you have the version that requires brcmfmac43436s.bin. Kali simply seems to load the wrong firmware, thus, again suggesting to go with Raspberry Pi OS or port the related stuff to Kali.

Why brcmfmac43436s-sdio???

When I boot into original Raspi OS with working wifi firmware it shows in the log that the chip is BCM43430/1 and loads firmware from brcmfmac43430-sdio, which is a symlink to /lib/firmware/cypress/cyfmac43430-sdio.bin, and this firmware version is 7.45.96.s1 (gf031a129) FWID 01-70bd2af7 es7

> However, all of the above has nothing to do with nexmon itself. It is possible to patch brcmfmac43436s.bin to support monitor mode, but I currently can't do this in my free-time. If you really need this, you can contact me by mail and we can try to find a solution.

Currently I'm trying to set up a clean Raspi-OS Lite and make the patch. If I understand correctly, I need to build patches/bcm43430a1/7_45_41_46/nexmon/ and then try to replace the original firmware version 7.45.96.s1 at /lib/firmware/cypress/cyfmac43430-sdio.bin. Is it correct?

jlinktu commented 4 months ago

The log says: brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Jun 14 2023 07:27:45 version 7.45.96.s1 (gf031a129) FWID 01-70bd2af7 es7, which is the versioning string of brcmfmac43436s-sdio.bin.

qrp73 commented 4 months ago

Just checked, yes - brcmfmac43436s-sdio.bin contains version string 7.45.96.s1 (gf031a129)

> It is possible to patch brcmfmac43436s.bin to support monitor mode, but I currently can't do this in my free-time. If you really need this, you can contact me by mail and we can try to find a solution.

Thanks, I wrote you a mail about it.
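The two checks the thread keeps circling back to are (1) which file the brcmfmac driver actually ends up loading once the board-specific name and the symlinks are resolved, and (2) which version string that file carries, so it can be matched against the `brcmf_c_preinit_dcmds` line in dmesg and against the nexmon patch directories. The script below is an added example written for this thread, not code from the nexmon project or from any participant. It assumes the lookup order the thread describes (board-specific `<base>.<compatible>.bin` first, then the generic `<base>.bin`) and builds a constructed firmware tree in a temp directory that mirrors the `raspberrypi,model-zero-2-w` symlink layout shown above, so it runs offline; the filler bytes and the `FWID 00-00000000` value in the second sample blob are constructed placeholders, not real firmware contents.

```shell
#!/bin/sh
# Added example (not part of nexmon or this issue thread).
# resolve_fw: given a firmware dir, the chip-specific base name the driver
# logs (e.g. brcmfmac43430-sdio) and the board compatible string, print the
# real file the driver would load after following symlinks.
# fw_version: pull the embedded "version X.Y.Z" string out of a firmware blob.
# The lookup order (board-specific name first, then generic) is an assumption
# taken from the thread's description of the driver's behaviour.
set -eu

# Usage: resolve_fw <firmware-dir> <base-name> <compatible>
resolve_fw() {
    dir=$1; base=$2; compat=$3
    for cand in "$dir/$base.$compat.bin" "$dir/$base.bin"; do
        if [ -e "$cand" ]; then
            # readlink -f follows the whole symlink chain to the real blob
            readlink -f "$cand"
            return 0
        fi
    done
    echo "no firmware found for $base ($compat) in $dir" >&2
    return 1
}

# Usage: fw_version <firmware-file>
# grep -a treats the binary as text; the pattern matches what dmesg prints
# after "version " (e.g. 7.45.96.s1 or 7.45.41.46).
fw_version() {
    grep -a -o 'version [0-9][0-9A-Za-z.]*' "$1" | head -n 1 | cut -d' ' -f2
}

# Build a constructed firmware tree that mirrors the thread's symlink layout:
# the board-specific brcmfmac43430-sdio name points at brcmfmac43436s-sdio.bin,
# while the generic brcmfmac43430-sdio.bin is a separate (older) blob.
make_sample_tree() {
    dir=$(mktemp -d)
    # constructed blobs: filler bytes plus a version string like the real ones
    printf 'BLOB...wl0: version 7.45.96.s1 (gf031a129) FWID 01-70bd2af7 es7\n' \
        > "$dir/brcmfmac43436s-sdio.bin"
    # FWID below is a constructed placeholder, not the real 7.45.41.46 FWID
    printf 'BLOB...wl0: version 7.45.41.46 (r666254 CY) FWID 00-00000000\n' \
        > "$dir/brcmfmac43430-sdio.bin"
    ln -s brcmfmac43436s-sdio.bin \
        "$dir/brcmfmac43430-sdio.raspberrypi,model-zero-2-w.bin"
    echo "$dir"
}

# Stand-alone demo: ./fwcheck.sh --demo
if [ "${1-}" = "--demo" ]; then
    d=$(make_sample_tree)
    f=$(resolve_fw "$d" brcmfmac43430-sdio raspberrypi,model-zero-2-w)
    echo "driver would load: $f"
    echo "embedded version:  $(fw_version "$f")"
    rm -rf "$d"
fi
```

On a real board you would point `resolve_fw` at `/lib/firmware/brcm` with the base name from the `brcmf_fw_alloc_request: using ...` line and the compatible string from the device tree; if the version `fw_version` reports differs from the dmesg line, the file you are looking at is not the one the driver loaded, which is exactly the confusion in this thread.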

alexzaporozhets commented 3 months ago

@qrp73, @jlinktu any updates on this issue?

qrp73 commented 3 months ago

@alexzaporozhets no, adding patch for 7.45.96.s1 is a paid service.

But I found that the old firmware BCM43430/1 version 7.45.41.46 (r666254 CY), which was supplied for RPI3, also works for RPI02W. And there is a patch in nexmon for this firmware version.

You can find the original 7.45.41.46 firmware version in this package: http://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_0.43+rpi6_all.deb

This firmware has some bug which sometimes may lead to not responding state. But this is better than nothing.

rudyrdx commented 2 months ago

> @alexzaporozhets no, adding patch for 7.45.96.s1 is a paid service.
>
> But I found that the old firmware BCM43430/1 version 7.45.41.46 (r666254 CY), which was supplied for RPI3, also works for RPI02W. And there is a patch in nexmon for this firmware version.
>
> You can find the original 7.45.41.46 firmware version in this package: http://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_0.43+rpi6_all.deb
>
> This firmware has some bug which sometimes may lead to not responding state. But this is better than nothing.

Any steps or guide on how to execute it?

Xendr1k commented 1 month ago

Any updates? I have the same problem with the same version of firmware. dmesg | grep "Firmware: BCM43430" [ 10.316434] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Feb 5 2021 12:49:07 version 7.45.96 (r745790) FWID 01-71817851 es7. I would like to be able to make it work in monitor mode

rudyrdx commented 1 month ago

> Any updates? I have the same problem with the same version of firmware. dmesg | grep "Firmware: BCM43430" [ 10.316434] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Feb 5 2021 12:49:07 version 7.45.96 (r745790) FWID 01-71817851 es7. I would like to be able to make it work in monitor mode

Like @qrp73 suggested, first download rpi os lite, downgrade the firmware, then set up nexmon. I have created a list of commands to execute to achieve this in one of my Rpi02w repos; you can look it up.