Author | Topic: Broadcom bcm43xx Injection (Read 122114 times)
pierigno
Guest
|
Hello, first of all thanks for your great work!
I have a bcm4318 chipset based wireless card and I managed to get it working with the bcm43xx driver shipped with kernel 2.6.18 (I can use wifi at my university at 11M). Do I still need to patch the kernel and aircrack-ng to do injection? If yes, where can I find the patches for the 2.6.18 kernel version and aircrack-ng 0.6.2?
Just a note: I've tried to use the ARP request injection attack with my current configuration and (strangely) it seems to work (it gets ARPs and, apparently, sends packets). However, IVS capturing speed seems to not increase significantly (or not at all). The chopchop attack doesn't work, nor does fakeauth or deauth. So does my arp-request attack really work or not?
|
sixfour
Newbie

Posts: 19
|
Thanks for the tips. I cannot patch aireplay-ng because the memory error patch is no longer available. Can someone attach it?
It's still attached. You have to be registered to see attachments
|
Don't make me chopchop your ass!
|
necay
Newbie

Posts: 1
|
Hi everyone! I have a bcm4306-based card, a Linksys WPC54G Ver1.2. Which live Linux CD (you know, working with brcm cards and supporting injection) do you recommend? And with your experience, which patches do I gotta use? I am a new Linux user, THANKS
|
schoch
Newbie

Posts: 1
|
Hello. Does someone have a new inject patch for the Broadcom driver under kernel version 2.6.18? The Broadcom driver under 2.1.6.17 doesn't work on my system. I tried to patch the new driver, but it doesn't work. Thanks a lot.
|
Les_Sr
Guest
|
oh, newbies~!!!!
|
thefkboss
Newbie

Posts: 30
|
Could anyone tell me what driver version you are using to apply the patch, and where I can download it??? I'm using this one: bcm43xx-20060125, but it is not the good one to apply the patch. Thanks
|
JuanJo4x4
Guest
|
YES!!! It works in Kubuntu Edgy 6.10 AMD64, with my 4306 chip. I'm writing a howto.
Thank you very much guys
|
Mister_X
|
Can you post the URL, or better, you can write it in the wiki (if there are any pictures, I'll host them)
|
trubblemaker
Guest
|
OK, got it working. It seems to work (no errors) on Ubuntu Edgy, but I have yet to try to crack something. A little off-topic: to recompile the module in Ubuntu: apt-get packages linux-source and linux-headers-your_version, then copy .config from /usr/src/linux-headers-xx to the linux-source directory, make modules and copy the bcm43xx.ko module to /lib/modules/yourkernelver/kernel/drivers/net/wireless/bcm43xx. Hope this helps someone.
Thanks for the help, you rule. It really helped, as the wiki was a little vague. I did have to make some changes to bcm43xx_main.c, and the patch only did two "clumps". I used the new.patch to tell me where to change the code.
|
trubblemaker
Guest
|
OK, so I patched the driver and logged into the webpage, and I still can't get the other patches (the aircrack-ng patches). Can someone update the patch links to real files? And if there was a link to a howto, or where to go now, that would be awesome. Hey, if I find out I will post it there myself.
If anyone's up to the task, can they tell me what's the next thing to do after patching bcm43xx? Can I inject after that? Do I need to do the other mods that are listed in various places throughout this forum? Can anyone tell me one that worked, or are there 3 different ways to do it and you just got to make it work for you? If you post it here I will write it up on the Broadcom webpage, all nice and pretty. Or if you point me in the right direction I will help document it.
|
Coloradoflats
Guest
|
Ok guys...I've gotten the bcm4306 to work with the Ubuntu Edgy release. Thanks to mrbrdo and everyone else who figured this out first.
Here is a kinda howto: not for the faint of heart
download the source to your kernel
patch the bcm43xx_main.c (you have to do a couple by hand since the module versions are newer)
*** you must use mrbrdo's fix from page 5...follow to the T
compile your modules - make modules
copy the resulting bcm43xx.ko to /usr/lib/modules/your-kernel-ver/drivers/net/wireless/bcm43xx
reboot
make sure the inject_nofcs file is in the /sys/class/net/ethX/device directory...if it is, you're ready to rock.
download aircrack-ng tar and extract wherever
go to src dir and patch aireplay-ng.c with aireplay-ng.patch and the memory fix patch. (Again, just check to make sure they all go in or put them in by hand...)
compile aircrack package by: make (make install if you wish)
now you're ready to rock!
These are the successful attacks (a deauth and interactive) that I have tested and run successfully with no crashing whatsoever....
airodump:
# sudo airodump-ng --ivs --channel 6 --write out ethX
deauth:
# sudo aireplay-ng -0 1 -a APmac -c CLIENTmac ethX
interactive:
# sudo aireplay-ng -2 -b APmac -d ff:ff:ff:ff:ff:ff -m 68 -n 68 -p 0841 -x 10 -h CLIENTmac ethX
I think that interactive attack, which is very picky of packet type and sending # per second, is the key. It's slow, but better than not at all. I basically started airodump-ng, started my interactive to get a packet within my specifications, and then did my deauth on top of that to get the packet within about 2 mins. Then everything worked as it should with no crashy!
Hope this helps everyone....btw, I believe that these same steps may be taken to get injection working with the new 2.6.18 kernels, so that's cool....let me know!
-coloradoflats
|
Coloradoflats
Guest
|
Update: after playing around a little bit more, all the attacks work with no crash! Also, you can use a higher -x # if you wish or take it out totally, but I think it performs fastest/more consistent at 10-30.
cheers...
-coloradoflats
|
Coloradoflats
Guest
|
Update: after playing around a little bit more, all the attacks work with no crash! Also, you can use a higher -x # if you wish or take it out totally, but I think it performs fastest/more consistent at 10-30.
cheers...
-coloradoflats
More update: Here is how I ran the 2 other attacks I tested:
fakeauth:
# sudo aireplay-ng -1 1 -e ESSID -a APmac -h SRCmac ethX
ARP:
# sudo aireplay-ng -3 -b APmac -d ff:ff:ff:ff:ff:ff -h SRCmac ethX
Hope this helps...
-coloradoflats
|
uovobw
Newbie

Posts: 45
|
OK, working on my:
0001:10:12.0 Network controller: Broadcom Corporation BCM4306 802.11b/g Wireless LAN Controller (rev 03)
on an iBook with Debian unstable.
I downloaded a 2.6.17.14 kernel.
patched it with the new.patch (attached)
rebooted with the new kernel
patched aireplay with the memory patch (attached)
When patching with the aireplay-bcm-specific patch it gave an awful lot of errors. I then applied it by hand: the resulting file is attached.
Then I tried _all_ the attacks and they _all_ worked. I also noticed that the -y option to look for the inject_nofcs is not needed, as I could do the attacks and so on without the -y option and they worked! If anything else is needed let me know.
Anyone willing to port the actual kernel patch for bcm injection to the 2.6.19 kernels? When I find the time I'll try it, but driver programming for me is really obscure
|
Coloradoflats
Guest
|
OK, working on my:
0001:10:12.0 Network controller: Broadcom Corporation BCM4306 802.11b/g Wireless LAN Controller (rev 03)
on an iBook with Debian unstable.
I downloaded a 2.6.17.14 kernel.
patched it with the new.patch (attached)
rebooted with the new kernel
patched aireplay with the memory patch (attached)
When patching with the aireplay-bcm-specific patch it gave an awful lot of errors. I then applied it by hand: the resulting file is attached.
Then I tried _all_ the attacks and they _all_ worked. I also noticed that the -y option to look for the inject_nofcs is not needed, as I could do the attacks and so on without the -y option and they worked! If anything else is needed let me know.
Anyone willing to port the actual kernel patch for bcm injection to the 2.6.19 kernels? When I find the time I'll try it, but driver programming for me is really obscure

Hi...you don't have to use the -y option because the patch auto-detects bcm43xx cards and initializes them itself. You are lucky because the 2.6.17.14 kernel/bcm43xx module is great for applying the new.patch...goes right in, whereas my 2.6.17-10-33 bcm43xx module was a little picky. As I stated above, I think applying the module patch by hand in the next few kernel versions, i.e. 2.6.18 and 2.6.19, will work equally as well as what I had to do for the 2.6.17. I believe that 2.6.18 has already been done in fact and is working successfully. Again, it's slow with the 4306...I got 500k ivs in about 6 hours, but it keeps working and never crashes, which is all I wanted.
Thanks again to all that contributed earlier!
-coloradoflats