Topic: Broadcom bcm43xx Injection (Read 122116 times)
webgovernor, Newbie, Posts: 20
Oh hey, not a problem. I've done some research on the bcm43xx_lock_mmio call (this is my problem: the new module won't load because this is the "unknown symbol" that "modprobe bcm43xx" complains about; dmesg confirms this). After doing a little reading I understand that "bcm43xx_(un)lock_mmio" should be referenced in the bcm43xx.h file. Can anyone confirm this, preferably someone with the 2.6.17-10.33 kernel? I have the correct sources, but I can't find any reference to bcm43xx_(un)lock_mmio other than in the new.patch... Removing the call in bcm43xx_main.c and recompiling makes the module load, but causes various problems when attempting to use aireplay. Any help is appreciated. Thanks.

Edit: Using "_irqsafe" instead of "_mmio" causes the same problem, "Unknown symbol".
« Last Edit: November 23, 2006, 08:01:31 pm by webgovernor »
coloradoflats, Newbie, Posts: 5
I think it is weird that we have the same card and kernel and my module loads fine with the "warnings"... I wonder if something else is conflicting with your wireless in Linux? That is all I can think of right now... maybe try a different distro, with a different .17 kernel?
webgovernor, Newbie, Posts: 20
I think I may have kind of gotten this to work, I'm not sure. I fixed it by adding the following lines to bcm43xx.h:

#define bcm43xx_lock_mmio(bcm, flags)
#define bcm43xx_unlock_mmio(bcm, flags)

Lines 767 and 768. This wasn't mentioned in any of the documentation anywhere, so hopefully this will help some people. If you have the same source as me, then the module won't load after it's patched unless you add the two lines above to bcm43xx.h (the header). This seems to resolve the "Unknown Symbol" errors when attempting to load the module after patching.

After some testing, a fake auth attack ends with an "Authentication Successful :-)" message, but I can't see the fake client in airodump. The other attacks all claim to be working, but with ARP replay I don't notice the packets increasing on the associated client or just the AP... don't know why, maybe there's a special option available? I've patched bcm43xx_main.c, bcm43xx.h, and aireplay-ng.c, am I forgetting something?

Well, it kind of works now, which is a major first for me, and I had to use my own steps because nothing is mentioned about bcm43xx.h, but editing that file was the ONLY way I could get the module to load! If anyone has any questions about this, please let me know, I'd be more than happy to help. If and when I get this fully working, I'll be writing a tutorial in the Wiki; the tutorial will be formatted as a "last resort" sort of deal, focused towards people like me who have something completely different going on... even though I'm running the same system as most of you here... so confused.

@Mister_X, do you have a PayPal account? That would be the easiest way to donate that I can think of. If you do, you may want to consider putting it in the Wiki, as I'm sure there are people who enjoy this software enough to donate. I do, even though I can't use it "fully" as of yet.

Edit: @coloradoflats, sorry I didn't see your reply before I posted. I thought about trying a different distro, but I was only going to do that as a very last resort. I've demoed about 7 different distros before I attempted using aircrack, and of the distros I've tried, I found Ubuntu 6.10 to be the most solid, fast, and functional, by far. I love this distro too much to give up, but yes, it's very weird; do you have the above lines in your bcm43xx.h? Well, I'll continue working on this until I've reached a functional state. I've attached my patched bcm43xx.h and my patched (and modified) bcm43xx_main.c... hope this helps. Oh, happy Thanksgiving to everyone who celebrates it.
« Last Edit: November 24, 2006, 06:30:51 pm by webgovernor »
Mister_X
Yes, I have one at the address given in the AUTHORS file (I also sent it via PM).
webgovernor, Newbie, Posts: 20
Using the above module, along with the patches, gives the attack status below.

FakeAuth: Successful 25%, ends with an "Authentication Successful :-)" but doesn't make another associated client. I have no idea why, but this is supposed to mean that my card now supports injection, right?

ArpReplay: Reads, captures, and sends packets, but the airodump packets don't increase at all. I have no idea why this is either.

Deauth: Successfully kicks connected clients, forcing an ARP request; this is the only attack that works like it's supposed to.

Haven't tried ChopChop or Interactive as of yet, but I'm afraid that the results will be similar to those of ArpReplay.

Hey, coloradoflats, would you mind posting your bcm43xx.h or bcm43xx.ko? I'd really appreciate it, I'm just trying to figure out what's going on; both would be great... please? I'll post more when I get this fixed, and I'm not giving up, damn it!
uovobw, Newbie, Posts: 45
From what I have been able to understand by reading the patch, each time the interface is brought up it creates the inject_nofcs file and deletes it when the interface goes down. That's a "dirty hack" - at least that is what buesch said when he first provided that patch - so I was wondering: _what_ is needed to have injection in an easy way (like, e.g., on an Atheros) on a bcm? Is there a way to implement a stable and not file-bound injection method?
Mister_X
Yes, you can ask him for some explanation about how to do it, where to look, ..., as he said some time ago on IRC.
nOOb, Guest
Does anyone know if there is a ready-to-use LiveCD?
webgovernor, Newbie, Posts: 20
@n00b, not with these drivers, there isn't.
Anyway, I've gotten the card to work on a semi-functional level, but it appears that the injection rate has to be very, very slow, just slightly faster than simply capturing packets with one connected client.
So, I've decided to purchase a Linksys WGUSB54 card instead, and now I'm getting amazing results, works perfectly!
nOOb, Guest
Excuse me if I'm so noob, but I can't understand which of the many files posted in this thread I have to use to patch the bcm43xx driver in order to get packet injection to work. Can anyone make a little "how to", and update the broken link at www.aircrack-ng.org regarding the Broadcom packet injection driver patching? Thank you.
uovobw, Newbie, Posts: 45
Quote from webgovernor: "So, I've decided to purchase a Linksys WGUSB54 card instead, and now I'm getting amazing results, works perfectly!"

What chipset does it use? Googling the name does not work for me... is it spelled correctly? Thanks a lot.
webgovernor, Newbie, Posts: 20
Hey uovobw, the card is the USB-based Linksys one; it uses the rt2570 drivers, and there's a howto under the "installing drivers" section for this card. I accidentally put a "G" in the wrong spot; the real name is "WUSB54G", and I can inject packets at 245 pps, amazing! Here's an Amazon link, but I got it at Walmart for 48.98: http://www.amazon.com/Linksys-WUSB54G-Wireless-G-USB-Adapter/dp/B00009X6PH

Seriously, amazing performance, AND the 1.4.0 driver supports MAC changing!!! Lemme know if you need more help.
webgovernor, Newbie, Posts: 20
@n00b:
OK, in the Wiki, download new.patch, apply it to bcm43xx_main.c, then compile the module with "make modules", then copy the newly built bcm43xx.ko to "/lib/modules/kernelversion/kernel/drivers/net/wireless/bcm43xx".
Next, go back to page 6 or 7, download uovobw's aireplay-ng.c and add it to the "src" directory of the extracted aircrack-ng-0.6.2, then compile and install aircrack, and reboot.
Hopefully it will work now.
Good luck.
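A check for the "Unknown symbol" failure that webgovernor hit earlier in the thread (the bcm43xx_(un)lock_mmio calls added by new.patch) and that can bite anyone following the build steps above. This is an added example, not code from the thread or from aircrack-ng: it lists the symbols a freshly built .ko references but that the kernel build does not export, so the patched module can be checked before it is copied under /lib/modules. The Module.symvers location and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: report symbols a kernel module needs that the target kernel
# does not export. These are exactly the names modprobe reports as
# "Unknown symbol" in dmesg, so the check can run before the .ko is installed.
set -eu

# Symbols the module references but does not define itself ("U" lines of nm).
module_needs() {
    nm -u "$1" | awk '{print $NF}' | sort -u
}

# Symbols the kernel build exports. Assumes Module.symvers in the configured
# build tree (second column is the symbol name); override with an argument.
kernel_exports() {
    awk '{print $2}' "${1:-/lib/modules/$(uname -r)/build/Module.symvers}" | sort -u
}

# Pure comparison of two newline-separated lists: prints entries of the
# first (needed) that are absent from the second (available). Temp files are
# used because POSIX sh has no process substitution for comm.
missing_symbols() {
    _need=$(mktemp) && _avail=$(mktemp)
    printf '%s\n' "$1" | sort -u > "$_need"
    printf '%s\n' "$2" | sort -u > "$_avail"
    comm -23 "$_need" "$_avail"
    rm -f "$_need" "$_avail"
}

# Non-zero exit when anything is unresolved, so the check can gate a copy
# into /lib/modules. A stub such as an empty #define in bcm43xx.h makes the
# name disappear from this list, but also removes whatever the call did.
check_module() {
    _missing=$(missing_symbols "$(module_needs "$1")" "$(kernel_exports "${2:-}")")
    if [ -n "$_missing" ]; then
        printf 'unresolved symbols in %s:\n%s\n' "$1" "$_missing"
        return 1
    fi
    echo "all symbols of $1 resolve"
}

# Usage: sh check_ko.sh bcm43xx.ko [Module.symvers]
if [ "$#" -ge 1 ]; then
    check_module "$@"
fi
```

Module.symvers lists only what the kernel and its in-tree modules export; a symbol provided by another out-of-tree module already loaded will still show up as missing here even though modprobe would resolve it.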
uovobw, Newbie, Posts: 45
Quote from webgovernor: "Hey uovobw, the card is the USB-based Linksys one; it uses the rt2570 drivers, and there's a howto under the "installing drivers" section for this card. I accidentally put a "G" in the wrong spot; the real name is "WUSB54G", and I can inject packets at 245 pps, amazing! Here's an Amazon link, but I got it at Walmart for 48.98: http://www.amazon.com/Linksys-WUSB54G-Wireless-G-USB-Adapter/dp/B00009X6PH Seriously, amazing performance, AND the 1.4.0 driver supports MAC changing!!! Lemme know if you need more help."

Eh, I was afraid it used the rt2570 chipset... I am on debian-ppc and the driver - both the standard one and the plarbig-aspj one - freezes the kernel. Thanks anyway.
clearscreen, Newbie, Posts: 10
Using:

airodump-ng --ivs --channel 14 --write out eth1
aireplay-ng -1 1 -e AP_ESSID -a AP_MAC -h MY_MAC eth1
aireplay-ng -3 -b AP_MAC -d ff:ff:ff:ff:ff:ff -h MY_MAC eth1

(also tried without -d, and with -x 10)

Getting my own client popped up in airodump, so that works...
but my other aireplay window with ARP injection shows me 30.000 read packets, 0 ARP requests, 0 sent packets. It also sometimes said "got a deauth/disassoc packet. is the source mac associated?"
What gives?