NexMon logo

What is nexmon?

Nexmon is our C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection.

Below, you find an overview what is possible with nexmon. This repository mainly focuses on enabling monitor mode and frame injection on many chips. If you want additional features, the following projects might be interesting for you:

http://nexmon.org/jammer: A real Wi-Fi jammer that allows to overlay ongoing frame transmissions with an arbitrary jamming signal.
- It uses the Wi-Fi chip as a Software-defined Radio to generate jamming signals
- It allows using non-standard channels such as 80 MHz bandwidth in the 2.4 GHz bands
- It allows to set arbitrary transmission powers
- It allows patching the D11 core's real-time MAC implementation
http://nexmon.org/csi: Channel State Information extractor for various Wi-Fi chips
- It allows to extract CSI of up to 4x4 MIMO transmissions at 80 MHz bandwidth
http://nexmon.org/debugger: Debugging ARM microcontrollers without JTAG access
- It allows low-level access to debugging registers to set breakpoints and watchpoints and allows single stepping
http://nexmon.org/covert_channel: Covert Channel that hides information in Wi-Fi signals
- More advanced Software-defined Radio capabilities than the jammer
- Example application for channel state information extraction
http://nexmon.org/sdr: Use your Wi-Fi chip as Software-defined Radio
- Currently only transmissions are working in both 2.4 and 5 GHz Wi-Fi bands

NexMon logo

WARNING

Our software may damage your hardware and may void your hardware’s warranty! You use our tools at your own risk and responsibility! If you don't like these terms, don't use nexmon!

Supported Devices

The following devices are currently supported by our nexmon firmware patch.

WiFi Chip	Firmware Version	Used in	Operating System	M	RT	I	FP	UC	CT
bcm4330	5_90_100_41_sta	Samsung Galaxy S2	Cyanogenmod 13.0	X	X		X	X	O
bcm4335b0	6.30.171.1_sta	Samsung Galaxy S4	LineageOS 14.1	X	X	X		X	O
bcm4339	6_37_34_43	Nexus 5	Android 6 Stock	X	X	X	X	X	O
bcm43430a1<sup>1</sup>	7_45_41_26	Raspberry Pi 3 and Zero W	Raspbian 8	X	X	X	X	X	O
bcm43430a1<sup>1</sup>	7_45_41_46	Raspberry Pi 3 and Zero W	Raspbian Stretch	X	X	X	X	X	O
bcm43439a0<sup>7</sup>	7_95_49 (2271bb6 CY)	Raspberry Pi Pico W	Pico SDK	X	X		X	X
bcm43451b1	7_63_43_0	iPhone 6	iOS 10.1.1 (14B100)				X	X
bcm43455	7_45_77_0_hw	Huawei P9	Android 7 Stock	X	X	X	X	X
bcm43455	7_120_5_1_sta_C0	Galaxy J7 2017	?				X	X
bcm43455	7_45_77_0_hw(8-2017)	Huawei P9	Android 7 Stock	X	X	X	X	X
bcm43455<sup>5</sup>	7_46_77_11_hw	Huawei P9	Android 8 China Stock	X	X	X	X	X
bcm43455	7_45_59_16	Sony Xperia Z5 Compact	LineageOS 14.1	X	X	X	X	X
bcm43455c0	7_45_154	Raspberry Pi B3+/B4	Raspbian Kernel 4.9/14/19	X	X		X	X
bcm43455c0	7_45_189	Raspberry Pi B3+/B4	Raspbian Kernel 4.14/19, 5.4	X	X		X	X
bcm43455c0	7_45_206	Raspberry Pi B3+/B4	Raspberry Pi OS Kernel 5.4	X	X	X	X	X
bcm43455c0	7_45_234 (4ca95bb CY)	Raspberry Pi B3+/B4/5	Raspberry Pi OS				X	X
bcm43436b0<sup>3</sup>	9_88_4_65	Raspberry Pi Zero 2 W	Raspberry Pi OS Kernel 5.10	X	X	X	X	X
bcm4356	7_35_101_5_sta	Nexus 6	Android 7.1.2	X	X		X	X	O
bcm4358	7_112_200_17_sta	Nexus 6P	Android 7 Stock	X	X		X	X	O
bcm4358	7_112_201_3_sta	Nexus 6P	Android 7.1.2 Stock	X	X		X	X	O
bcm4358<sup>2</sup>	7_112_300_14_sta	Nexus 6P	Android 8.0.0 Stock	X	X	X	X	X	O
bcm43596a0<sup>3</sup>	9_75_155_45_sta_c0	Samsung Galaxy S7	Android 7 Stock	X			O	X
bcm43596a0<sup>3,2</sup>	9_96_4_sta_c0	Samsung Galaxy S7	LineageOS 14.1	X	X	X	O	X
bcm4375b1<sup>3,5,6</sup>	18_38_18_sta	Samsung Galaxy S10	Rooted + disabled SELinux	X	X	X	O	X
bcm4375b1<sup>3,5,6</sup>	18_41_8_9_sta	Samsung Galaxy S20	Rooted + disabled SELinux	X	X	X	O	X
bcm4389c1<sup>5,8,9</sup>	20_82_42_sta (r994653)	Samsung Galaxy S22 Plus	Android 14, Rooted with Magisk				X	X
bcm4389c1<sup>5,8,9</sup>	20_101_36_2 (r994653)	Google Pixel 7 and 7 Pro	Rooted with Magisk				X	X
bcm4389c1<sup>5,8,9</sup>	20_101_57 (r1035009)	Google Pixel 7 and 7 Pro	Rooted with Magisk				X	X
bcm4398d0<sup>5,8,9</sup>	24_671_6_9 (r1031525)	Google Pixel 8	Rooted with Magisk				X	X
bcm6715b0<sup>5</sup>	17_10_188_6401 (r808804)	Asus RT-AX86U Pro	Stock firmware 3.0.0.4_388.23565				/	X
qca9500<sup>4</sup>	4-1-0_55	TP-Link Talon AD7200	Custom LEDE Image

1 bcm43430a1 was wrongly labeled bcm43438 in the past.

2 use LD_PRELOAD=libnexmon.so instead of LD_PRELOAD=libfakeioctl.so to inject frames through ioctls

3 flash patches need to be 8 bytes long and aligned on an 8 byte boundary

4 802.11ad Wi-Fi chip from first 60 GHz Wi-Fi router Talon AD7200. Patch your firmware using nexmon-arc and run it with our custom LEDE image lede-ad7200

5 Disabled the execution protection (called Execute Never) on region 1, because it interferes with the nexmon code (Permission fault on Section)

6 To use nexutil, you need to deactivate SELinux or set it to permissive

7 See pico-nexmon for example applications using Pico SDK with nexmon.

8 flash patches need to be 16 bytes long and aligned on a 16 byte boundary.

9 Uses Magisk module to install firmware, nexutil, and set SELinux policies.

Legend

M = Monitor Mode
RT = Monitor Mode with RadioTap headers
I = Frame Injection
FP = Flash Patching
UC = Ucode Compression
CT = c't Article Support (for consistent support, use our ct-artikel branch)

Steps to create your own firmware patches

Build patches for bcm4330, bcm4339 and bcm4358 using a x86 computer running Linux (e.g. Ubuntu 16.04)

Install some dependencies: sudo apt-get install git gawk qpdf adb flex bison

Only necessary for x86_64 systems, install i386 libs:

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386

Clone our repository: git clone https://github.com/seemoo-lab/nexmon.git
In the root directory of the repository: cd nexmon
- Setup the build environment: source setup_env.sh
- Compile some build tools and extract the ucode and flashpatches from the original firmware files: make
Go to the patches folder of your target device (e.g. bcm4339 for the Nexus 5): cd patches/bcm4339/6_37_34_43/nexmon/
- Compile a patched firmware: make
- Generate a backup of your original firmware file: make backup-firmware
- Install the patched firmware on your smartphone: make install-firmware (make sure your smartphone is connected to your machine beforehand)

Using the Monitor Mode patch

Install at least nexutil and libfakeioctl from our utilities. The easiest way to do this is by using this app: https://nexmon.org/app. But you can also build it from the source by executing make in the utilties folder (Note: you will need the Android NDK properly installed for this).
Connect to your Android phone using the ADB tools: adb shell
Make sure you are not connected to an access point
Use nexutil to enable monitor mode: nexutil -m2
At this point the monitor mode is active. There is no need to call airmon-ng.
Important: Most tools need a Radiotap interface to work properly. libfakeioctl emulates this type of interface for you, therefore, use LD_PRELOAD to load this library when you call the favourite tool (e.g. tcpdump or airodump-ng): LD_PRELOAD=libfakeioctl.so tcpdump -i wlan0
untested hint: Thanks to XDA member ruleh, there is a bcmdhd driver patch to activate native monitor mode, see: https://github.com/ruleh/misc/tree/master/monitor

Using nexutil over UDP on Nexus 5

To be able to communicate with the firmware without root priviledges, we created a UDP interface accessible through the libnexio, which is also used by nexutil. You first have to prove to the firmware that you generally have root priviledges by setting a security cookie. Then you can use it for UDP based connections. Your wlan0 interface also needs an IP address in the 192.168.222.0/24 range or you have to change the default nexutil broadcast-ip:

Set the IP address of the wlan0 interface: ifconfig wlan0 192.168.222.1 netmask 255.255.255.0
Set the security cookie as root: nexutil -x<cookie (uint)>
Start a UDP connection for example to activate monitor mode: nexutil -X<cookie> -m1

Build patches for bcm43430a1 on the RPI3/Zero W or bcm434355c0 on the RPI3+/RPI4 or bcm43436b0 on the RPI Zero 2W using Raspbian/Raspberry Pi OS (recommended)

Note: We currently support Kernel Version 4.4 (deprecated), 4.9, 4.14, 4.19, 5.4, 5.10 and 5.15. Raspbian contains firmware version 7.45.154 for the bcm43455c0. We also support the newer firmware release 7.45.189 from Cypress. Raspberry Pi OS contains firmware version 7.45.206. Please, try which works best for you.

Make sure the following commands are executed as root: sudo su
Upgrade your Raspbian installation: apt-get update && apt-get upgrade
Install the kernel headers to build the driver and some dependencies: sudo apt install raspberrypi-kernel-headers git libgmp3-dev gawk qpdf bison flex make autoconf libtool texinfo
Clone our repository: git clone https://github.com/seemoo-lab/nexmon.git
Go into the root directory of our repository: cd nexmon
On 32bit Raspbian/Raspberry Pi OS
- Check if /usr/lib/arm-linux-gnueabihf/libisl.so.10 exists, if not, compile it from source:
- cd buildtools/isl-0.10, ./configure, make, make install, ln -s /usr/local/lib/libisl.so /usr/lib/arm-linux-gnueabihf/libisl.so.10
- Check if /usr/lib/arm-linux-gnueabihf/libmpfr.so.4 exists, if not, compile it from source:
- cd buildtools/mpfr-3.1.4, autoreconf -f -i, ./configure, make, make install, ln -s /usr/local/lib/libmpfr.so /usr/lib/arm-linux-gnueabihf/libmpfr.so.4
On 64bit Raspberry Pi OS
- sudo dpkg --add-architecture armhf
- sudo apt-get update
- `sudo apt-get install libc6:armhf libisl23:armhf