How-to make b43 / b43legacy packet injection work in kernel 2.6.25 (SUSE)

[Joker]

Hi guy's here is the complete guide on how to make the b43/b43 legacy (driver for the Broadcom wireless chips) packet injection and aircracking 802.11a/b/g/n work with kernel 2.6.25 (SUSE)
Kernel 2.6.25 works well in managed and monitor modes, Fragmentation is not broken, and has good injection speed.

*This guide is openSUSE specific*

b43 is a mac80211 driver. b43 offers a newer codebase and hardware crypto support than bcm43xx. With patches the injection speed is at least 700pps. Also, all attacks work, including fragmentation.
and has now complete support for aircracking in this kernel with aircack-ng 1.0-rc1. 
For more info go here;
http://www.aircrack-ng.org/doku.php?id=b43

*Make sure the Broadcom wlan card is installed with b43 or b43legacy with correct firmware!

*Most of the work from here on will be done from the command-line, so open up a terminal by Start -> Programs -> System -> Consoles -> Konsole.

"linux-kernel-headers", "kernel-source", "libopenssl-devel", "libsqlite3-0", "sqlite3" "sqlite3-devel", "libnl-devel". In addition, "base development" pattern must be installed in YaST. It might come handy to also install the "Linux kernel development" pattern.
you can install these by:

Code:

zypper install linux-kernel-headers kernel-source libopenssl-devel libsqlite3-0 sqlite3 sqlite3-devel libnl-devel base development

now we will patch and compile new modules (the patches increase the injection speed and make fragmentation work)

Code:

cd /lib/modules/$(uname -r)/build
sudo wget http://patches.aircrack-ng.org/b43-injection-2.6.25-wl.patch
sudo wget http://www.latinsud.com/bcm/mac80211_2.6.24.4_frag.patch
sudo patch -p1 < b43-injection-2.6.25-wl.patch
sudo patch -p1 < mac80211_2.6.24.4_frag.patch
zcat /proc/config.gz > .config
sudo make net/mac80211/mac80211.ko drivers/net/wireless/b43/b43.ko drivers/net/wireless/b43legacy/b43legacy.ko
sudo cp net/mac80211/mac80211.ko ../kernel/net/mac80211
sudo cp drivers/net/wireless/b43/b43.ko ../kernel/drivers/net/b43
sudo cp drivers/net/wireless/b43legacy/b43legacy.ko ../kernel/drivers/net/b43legacy
sudo depmod -ae

The module should now be ready to use for injection.

Restart the PC.

Install Aircrack-ng 1.0-rc1    for more info go to http://www.aircrack-ng.org/doku.php?id=install_aircrack

Code:

wget http://download.aircrack-ng.org/aircrack-ng-1.0-rc1.tar.gz
tar -zxvf aircrack-ng-1.0-rc1.tar.gz
cd aircrack-ng-1.0-rc1
make
sudo make install

To use your card for aircracking we must put in these commands: (monitor mode)

Code:

sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up

run this command to test if your packet injection is working:

Code:

sudo aireplay-ng -9 wlan0

it should say Injection is working! and then a list of AP

Another way of setting the card in monitor mode: (Recommended)

This way, you can monitor on mon0 while still being associated on wlan0.
- Install iw, for info go here http://www.aircrack-ng.org/doku.php?id=mac80211#installing_iw

Code:

sudo mkdir iw
cd iw
sudo wget http://dl.aircrack-ng.org/iw.tar.bz2
sudo tar xjf iw.tar.bz2
sudo make
sudo make install

- Instead of setting monitor mode on wlan0, create mon0 using

Code:

sudo airmon-ng start wlan0

and you can go here for more information http://www.aircrack-ng.org/doku.php?id=airmon-ng
- Test

Code:

sudo aireplay-ng -9 mon0

and see if injection works.

Edit /etc/modprobe.d/options, by

Code:

sudo gedit /etc/modprobe.d/options

and add a new line containing "options b43 nohwcrypt=1" This ensures that the encryption on wlan0 doesn't interfere with monitoring. This should be only enabled when aircracking with mon0, as it increases the softmac overhead.  Remove it from your blacklist when not using aircrack for a longer time.
This is a workaround for a known bug in b43.

After that, use "mon0' for all moninjection tasks.

after that refer here on how to WEP crack
http://www.aircrack-ng.org/doku.php?id=simple_wep_crack
and here for WPA/WPA2
http://www.aircrack-ng.org/doku.php?id=cracking_wpa

you can control the injection speed with aireplay-ng -x 'number'
1024 is the max, 500 is the default pps
 
I am injecting but the IVs don't increase!
go here: http://aircrack-ng.org/doku.php?id=i_am_injecting_but_the_ivs_don_t_increase

*Comments, Sugestions or Problems make a post!

and thats it

[user888]

Hi there,

I have two problems. I have OpenSuse 11, I didn't had the /usr/bin/patch executable (what package do I have to install to get this??). I now worked around this problem by copy it from a OpenSuse 10.2 distribution.

Now when doing...

Code:

sudo patch -p1 < b43-injection-2.6.25-wl.patch

... I get the error:

Code:

can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
|index a37d7fa..5655688 100644
|--- a/drivers/net/wireless/b43/main.c
|+++ b/drivers/net/wireless/

Same kind of error I get with the second patch. I figured that I do not have the b43 sources (I do not have a 'b43' directory in  ls /usr/src/linux-2.6.25.11-0.1/net/wireless/)
How do I get the (correct) sources?

[darkAudax]

user888,

Visit the OpenSuse support forums to learn how to install packages and add kernel sources/headers in particular.

d.

[user888]

Well,

I just needed to supply the complete path and filenames to the sources. Like this:

Code:

# sudo patch -p1 < b43-injection-2.6.25-wl.patch
...
File to patch: /usr/src/linux/drivers/net/wireless/b43/main.c
...
File to patch: /usr/src/linux/drivers/net/wireless/b43/xmit.c
...
File to patch: /usr/src/linux/drivers/net/wireless/b43legacy/main.c
...
File to patch: /usr/src/linux/drivers/net/wireless/b43legacy/xmit.c
...

Code:

# sudo patch -p1 < mac80211_2.6.24.4_frag.patch
...
File to patch: /usr/src/linux/net/mac80211/tx.c             
...

Btw, I used aircrack-ng1-1.0beta2-0.1.suse110.x86_64.rpm from http://www.davjam.org/~davjam/linux/repositories/

[user888]

And also the location of the libs was different:

Code:

cp net/mac80211/mac80211.ko /lib/modules/2.6.25.11-0.1-default/kernel/net/mac80211/mac80211.ko
cp drivers/net/wireless/b43/b43.ko /lib/modules/2.6.25.11-0.1-default/kernel/drivers/net/wireless/b43/b43.ko
cp drivers/net/wireless/b43legacy/b43legacy.ko /lib/modules/2.6.25.11-0.1-default/kernel/drivers/net/wireless/b43legacy/b43legacy.ko

[user888]

I'm not using the aircrack-ng1-1.0beta2-0.1.suse110.x86_64.rpm anymore because I got a error message:

Code:

Interface Chipset Driver

wlan0 b43 - [phy0]/usr/sbin/airmon-ng: line 357: /sys/class/ieee80211/phy0/add_iface: No such file or directory
mon0: unknown interface: No such device

(monitor mode enabled on mon0)

when trying to enable monitoring:

Code:

airmon-ng start wlan0

I now use the same aircrack version as described in the top post. Works perfectly now on my OpenSuse 11 system.

[darkAudax]

user888,

The reason you needed to specify the full path is because you were not in "/usr/src/linux/".  Had you CD to it first, then the command would have worked.  Simply put, you need to be in the root path of the files specified in the patch.

What you did is a perfectly good solution.  It is just more work.  Full compliments for finding a solution on your own!

d.

[.NetRolller 3D]

user888: On opensuse, the command to install aircrack is "make prefix=/usr install", not "make install".

[VoicesX]

I have problem with opensuse 11 and kernel 2.6.25.16-0.1-pae, the patch don't work for this kernel.