Tuesday, March 14, 2017

Wi-Fi Monitor Mode on Android devices.

Monitor mode, also called promiscuous mode, is a mode on some WiFi chips that allows one to intercept/sniff WiFi packets in the air regardless of whose they are: if they are out there, you can intercept them.

On most desktop machines it is trivial; on Android smartphones, not so much.
There used to be a project called bcmon that enabled monitor mode on Broadcom chipsets. It worked wonderfully on my Galaxy S2, but I've long since retired that phone, and the project has been discontinued.

The most common problems with a WiFi chip on a SoC are:

  1. A FullMAC chip: everything is implemented in hardware (or firmware).
  2. Listening only for packets addressed to your own MAC address.
  3. Stripping the WiFi headers and presenting the frames as if they were regular Ethernet packets, i.e. converting an 802.11 frame to 802.3.

Basically, the Android device doesn't even see WiFi as true WiFi; in fact, the host knows nothing about WiFi at all.
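As an added illustration of point 3 (example code, not from the post, bcmon or Nexmon), here is the 802.11-to-802.3 translation a FullMAC firmware performs before the host driver ever sees a frame, covering all four To-DS/From-DS address layouts and QoS data frames; the sample frame is constructed, and every field the translation discards is what monitor mode would have to expose.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not code from the post or from bcmon/Nexmon: the 802.11 -> 802.3
 * translation a FullMAC firmware performs before the host driver sees a frame.
 * What the host never receives (frame control, sequence control, BSSID, QoS field,
 * every management and control frame) is exactly what monitor mode exists to expose. */

struct eth_hdr { uint8_t dst[6]; uint8_t src[6]; uint16_t type; }; /* type in host order */

/* Translate one unencrypted 802.11 data frame. Returns the payload length after
 * the LLC/SNAP header, or -1 if the frame has no Ethernet representation. */
int wifi_to_eth(const uint8_t *f, size_t len, struct eth_hdr *eth, const uint8_t **payload)
{
    static const uint8_t snap[6] = { 0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00 };
    if (len < 24) return -1;
    uint8_t fc0 = f[0], fc1 = f[1];
    if (((fc0 >> 2) & 0x3) != 2) return -1;    /* type 2 = data; mgmt/control are dropped */
    if (fc1 & 0x40) return -1;                 /* Protected bit set: decrypt before this step */
    int to_ds = fc1 & 0x01, from_ds = fc1 & 0x02;
    int qos = fc0 & 0x80;                      /* subtype bit 3 = QoS data, adds 2-byte QoS ctrl */
    size_t hdr = 24 + ((to_ds && from_ds) ? 6 : 0) + (qos ? 2 : 0);
    if (len < hdr + 8) return -1;              /* need room for LLC/SNAP */
    const uint8_t *a1 = f + 4, *a2 = f + 10, *a3 = f + 16, *a4 = f + 24, *da, *sa;
    if (!to_ds && !from_ds)     { da = a1; sa = a2; }   /* IBSS / direct */
    else if (!to_ds && from_ds) { da = a1; sa = a3; }   /* AP -> station */
    else if (to_ds && !from_ds) { da = a3; sa = a2; }   /* station -> AP */
    else                        { da = a3; sa = a4; }   /* WDS, four addresses */
    const uint8_t *llc = f + hdr;
    if (memcmp(llc, snap, 6) != 0) return -1;  /* only SNAP-encapsulated payloads map cleanly */
    memcpy(eth->dst, da, 6);
    memcpy(eth->src, sa, 6);
    eth->type = (uint16_t)((llc[6] << 8) | llc[7]);
    *payload = llc + 8;
    return (int)(len - hdr - 8);
}

/* Constructed sample: an AP delivering the first 4 bytes of an IPv4 packet to a station. */
static const uint8_t sample_frame[] = {
    0x08, 0x02,                                     /* FC: data, subtype 0, FromDS=1 */
    0x00, 0x00,                                     /* duration */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,             /* addr1 = DA (station) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0xAA,             /* addr2 = BSSID, lost in translation */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,             /* addr3 = SA */
    0x10, 0x00,                                     /* sequence control, also lost */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, /* LLC/SNAP, EtherType 0x0800 */
    0x45, 0x00, 0x00, 0x14                          /* constructed IPv4 payload bytes */
};
```

Of the 36 bytes in the sample, only 14 bytes of Ethernet header plus the 4 payload bytes reach the host; the BSSID, sequence number and frame control are gone, which is why monitor mode cannot be added on the host side alone.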

Usually the FullMAC interface is implemented in firmware that is loaded onto the WiFi module. It's quite possible for a vendor to provide a chip where everything is hardwired, but that would make debugging a hell of a lot harder and a software fix impossible. I know of just two popular chipset vendors, Qualcomm and Broadcom.

In Qualcomm's case, there is one driver that handles communication between the Linux kernel and the WiFi module, and another (a Peripheral Image Loader driver) that configures the module and uploads the proprietary WCNSS firmware blob.

I used to have a Nexus 7 (2013) tablet, but it died randomly. Before it did, I had worked on monitor mode without much success: the firmware was large and incorporated subsystems for Bluetooth, FM radio and, of course, Wi-Fi, making it rather difficult to reverse engineer. I did manage to load some unsigned code on the module's CPU to execute a CPUID read, and found out they had used an ARM926 CPU, which implements the ARMv5TEJ architecture.

I currently have an LG G2; I've had it for nearly 2 years now and thought it also used a Qualcomm WiFi module, but it turns out it doesn't. It in fact uses a Broadcom chip, some BCM433X, I'm not yet sure which.

Armed with this knowledge and bcmon's work, I think it will be possible to get monitor mode working, but of course no guarantees, as I will be working on this in my spare time.

Well, at the very least I can load unsigned code on the Broadcom chip, so that's good.

I have quite accidentally discovered a project that builds upon the work of bcmon. It is called Nexmon and has much more code written and more work done. I will try to help out with it on my own.
