Monitor Mode on Android Phone

At first, we compiled the driver in debug mode, and noticed that the module strips the 802.11 headers in hw and sends only ethernet packets to the linux device.

We concluded that in order to receive full 802.11 frames,  a change to the device firmware is needed.

So we started reverse engineering the firmware and after a few weeks we had a decent understanding of the packet receiving process.

** More details on the reversing process would be released soon

Having this knowledge, it took us only a few more days to get a first working version of  the monitor-mode-enabled firmware

We currently have a patched firmware for the following chipsets:

• bcm4329 - Fully working monitor mode on our Nexus One
• bcm4330 -   Fully working monitor mode on our Galaxy S II

We havent tested it yet, but if you have a phone with one of those chipsets (and you most probably have one), it should also work on your phone.

Further work

• Add packet injection support to the patched firmware
• Better implementation of the linux driver
• Create an APK bundle for "mass distribution"

Instructions

All the changes are volatile and should disappear after device reboot:
Although,  please note that this code is experimental and you use it at your own risk and we are not responsible nor liable for any damage or loss of data. Sometimes unexpected things might go wrong and you might end up with a device that is no longer functional. Be warned and please take the responsibility yourself--it is your own risk and no one else can be held responsible.

Cyanogen 7 & Nexus one

1. Download the zip: http://bcmon.googlecode.com/svn/trunk/bundles/nexus_bundle.zip
2. Extract the zip on your device (your sdcard will do fine)
3. Run 'sh setup.sh' on some terminal (adb ssh, terminal emulator, ...)
4. Now you have a wifi interface named eth0 in monitor mode
5. Now run 'iwconfig eth0' and check that you get a similar output:

eth0      IEEE 802.11-DS  ESSID:""  Nickname:""

          Mode:Monitor  Frequency:2.412 GHz  Access Point: Not-Associated

          Bit Rate:72 Mb/s   Tx-Power:32 dBm

          Retry min limit:7   RTS thr:off   Fragment thr:off

          Encryption key:off

          Power Managementmode:All packets received

          Link Quality=5/5  Signal level=0 dBm  Noise level=-92 dBm

          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0

          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Cyanogen 9 & GS2 (I9100)

1. Download the zip: http://bcmon.googlecode.com/svn/trunk/bundles/gs2_bundle.zip
2. Extract the zip on your device (your sdcard will do fine)
3. Run 'sh setup.sh' on some terminal (adb ssh, terminal emulator, ...)
4. Now you have a wifi interface named wlan0 in monitor mode
5. Now run 'iwconfig wlan0' and check that you get an output similar to the one above

GS2 Update:  iwconfig wlan0 will show 'Mode: Managed",  ignore it - airodump should work fine (we are working on a fix).

Other phones

1. Check out the source from  http://code.google.com/p/bcmon/source/checkout
2. Build the KO for your device (cyanogen wiki should be helpful)
3. If it works please tell us and send us the compiled version so we can list it here (if it doesn't work contact us)

AirCrack binaries

We bundled useful binary executables for arm:

• aircrack-ng suite 
• tcpdump
• iwconfig

FAQ

• I get "Can't find wireless tools, exiting."
• Solution: Make sure you have 'iwpriv' on your system, just add soft link from 'iwpriv' to 'iwconfig' (actually it is 'iwmulticall')

available on: http://bcmon.googlecode.com/svn/trunk/bundles/utils.zip

Unzip them and run: 'chmod a+x -R  aircrack misc'

Update: We added a statically linked version of aircrack-ng suite.

Now you can have fun with commands like: 'airodump-ng -i eth0'