What is nexmon?

Nexmon is our C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection.

Below, you find an overview what is possible with nexmon. This repository mainly focuses on enabling monitor mode and frame injection on many chips. If you want additional features, the following projects might be interesting for you:

• http://nexmon.org/jammer: A real Wi-Fi jammer that allows to overlay ongoing frame transmissions with an arbitrary jamming signal.
  • It uses the Wi-Fi chip as a Software-defined Radio to generate jamming signals
  • It allows using non-standard channels such as 80 MHz bandwidth in the 2.4 GHz bands
  • It allows to set arbitrary transmission powers
  • It allows patching the D11 core's real-time MAC implementation
• http://nexmon.org/csi: Channel State Information extractor for various Wi-Fi chips
  • It allows to extract CSI of up to 4x4 MIMO transmissions at 80 MHz bandwidth
• http://nexmon.org/debugger: Debugging ARM microcontrollers without JTAG access
  • It allows low-level access to debugging registers to set breakpoints and watchpoints and allows single stepping
• http://nexmon.org/covert_channel: Covert Channel that hides information in Wi-Fi signals
  • More advanced Software-defined Radio capabilities than the jammer
  • Example application for channel state information extraction
• http://nexmon.org/sdr: Use your Wi-Fi chip as Software-defined Radio
  • Currently only transmissions are working in both 2.4 and 5 GHz Wi-Fi bands

WARNING

Our software may damage your hardware and may void your hardware’s warranty! You use our tools at your own risk and responsibility! If you don't like these terms, don't use nexmon!

Supported Devices

The following devices are currently supported by our nexmon firmware patch.

¹ bcm43430a1 was wrongly labeled bcm43438 in the past.

² use LD_PRELOAD=libnexmon.so instead of LD_PRELOAD=libfakeioctl.so to inject frames through ioctls

³ flash patches need to be 8 bytes long and aligned on an 8 byte boundary

⁴ 802.11ad Wi-Fi chip from first 60 GHz Wi-Fi router Talon AD7200. Patch your firmware using nexmon-arc and run it with our custom LEDE image lede-ad7200

⁵ Disabled the execution protection (called Execute Never) on region 1, because it interferes with the nexmon code (Permission fault on Section)

⁶ To use nexutil, you need to deactivate SELinux or set it to permissive

⁷ See pico-nexmon for example applications using Pico SDK with nexmon.

⁸ flash patches need to be 16 bytes long and aligned on a 16 byte boundary.

⁹ Uses Magisk module to install firmware, nexutil, and set SELinux policies.

Legend

• M = Monitor Mode
• RT = Monitor Mode with RadioTap headers
• I = Frame Injection
• FP = Flash Patching
• UC = Ucode Compression
• CT = c't Article Support (for consistent support, use our ct-artikel branch)

Steps to create your own firmware patches

Build patches for bcm4330, bcm4339 and bcm4358 using a x86 computer running Linux (e.g. Ubuntu 16.04)

• Install some dependencies: sudo apt-get install git gawk qpdf adb flex bison

• Only necessary for x86_64 systems, install i386 libs:

  sudo dpkg --add-architecture i386
  sudo apt-get update
  sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386
  

• Clone our repository: git clone https://github.com/seemoo-lab/nexmon.git

• In the root directory of the repository: cd nexmon

  • Setup the build environment: source setup_env.sh
  • Compile some build tools and extract the ucode and flashpatches from the original firmware files: make

• Go to the patches folder of your target device (e.g. bcm4339 for the Nexus 5): cd patches/bcm4339/6_37_34_43/nexmon/

  • Compile a patched firmware: make
  • Generate a backup of your original firmware file: make backup-firmware
  • Install the patched firmware on your smartphone: make install-firmware (make sure your smartphone is connected to your machine beforehand)

Using the Monitor Mode patch

• Install at least nexutil and libfakeioctl from our utilities. The easiest way to do this is by using this app: https://nexmon.org/app. But you can also build it from the source by executing make in the utilties folder (Note: you will need the Android NDK properly installed for this).
• Connect to your Android phone using the ADB tools: adb shell
• Make sure you are not connected to an access point
• Use nexutil to enable monitor mode: nexutil -m2
• At this point the monitor mode is active. There is no need to call airmon-ng.
• Important: Most tools need a Radiotap interface to work properly. libfakeioctl emulates this type of interface for you, therefore, use LD_PRELOAD to load this library when you call the favourite tool (e.g. tcpdump or airodump-ng): LD_PRELOAD=libfakeioctl.so tcpdump -i wlan0
• untested hint: Thanks to XDA member ruleh, there is a bcmdhd driver patch to activate native monitor mode, see: https://github.com/ruleh/misc/tree/master/monitor

Using nexutil over UDP on Nexus 5

To be able to communicate with the firmware without root priviledges, we created a UDP interface accessible through the libnexio, which is also used by nexutil. You first have to prove to the firmware that you generally have root priviledges by setting a security cookie. Then you can use it for UDP based connections. Your wlan0 interface also needs an IP address in the 192.168.222.0/24 range or you have to change the default nexutil broadcast-ip:

• Set the IP address of the wlan0 interface: ifconfig wlan0 192.168.222.1 netmask 255.255.255.0
• Set the security cookie as root: nexutil -x<cookie (uint)>
• Start a UDP connection for example to activate monitor mode: nexutil -X<cookie> -m1

Build patches for bcm43430a1 on the RPI3/Zero W or bcm434355c0 on the RPI3+/RPI4 or bcm43436b0 on the RPI Zero 2W using Raspbian/Raspberry Pi OS (recommended)

Note: We currently support Kernel Version 4.4 (deprecated), 4.9, 4.14, 4.19, 5.4, 5.10 and 5.15. Raspbian contains firmware version 7.45.154 for the bcm43455c0. We also support the newer firmware release 7.45.189 from Cypress. Raspberry Pi OS contains firmware version 7.45.206. Please, try which works best for you.

• Make sure the following commands are executed as root: sudo su
• Upgrade your Raspbian installation: apt-get update && apt-get upgrade
• Install the kernel headers to build the driver and some dependencies: sudo apt install raspberrypi-kernel-headers git libgmp3-dev gawk qpdf bison flex make autoconf libtool texinfo
• Clone our repository: git clone https://github.com/seemoo-lab/nexmon.git
• Go into the root directory of our repository: cd nexmon

• On 32bit Raspbian/Raspberry Pi OS

  • Check if /usr/lib/arm-linux-gnueabihf/libisl.so.10 exists, if not, compile it from source:
  • cd buildtools/isl-0.10, ./configure, make, make install, ln -s /usr/local/lib/libisl.so /usr/lib/arm-linux-gnueabihf/libisl.so.10
  • Check if /usr/lib/arm-linux-gnueabihf/libmpfr.so.4 exists, if not, compile it from source:
  • cd buildtools/mpfr-3.1.4, autoreconf -f -i, ./configure, make, make install, ln -s /usr/local/lib/libmpfr.so /usr/lib/arm-linux-gnueabihf/libmpfr.so.4

• On 64bit Raspberry Pi OS

  • sudo dpkg --add-architecture armhf
  • sudo apt-get update
  • `sudo apt-get install libc6:armhf libisl23:armhf