Matthias Schulz
Did you check what the wifi interface is called? If it is not called wlan0, you need to define it with the -I argument when calling nexutil. Additionally, you might...
It is quite complex as you need to integrate ucode compression first before you can extend the ioctl handler with a custom ROM extraction command. On Tue., Dec 11, 2018,...
The ROM cannot be changed, as it is a read only memory. You can only apply temporary patches that we call flashpatches, which are used for patching. The driver loads...
To be exact, nexutil tunnels ioctls through the driver to the firmware, where those ioctls are answered. As long as some ioctls work, we can add custom ioctl handlers. Regarding...
I now reverse engineered the RAM firmware and created the necessary files to build a firmware patch that activates flashpatches and ucode compression. As the BCM4361b0 is a bit different...
Then, we should try and find out, where the problem comes from. 1. deactivate flash patches in Makefile: ``` @printf "\033[0;31m APPLYING FLASHPATCHES\033[0m gen/flashpatches.mk => %s (details: log/flashpatches.log)\n" $@ $(Q)make...
> UCODE compression is used when patching firmware, I can extract code used to do this, but I don't think got enough luck. > > Anyway, if you need SSH...
ROM extraction works now, simply run "make dump-rom". I made a mistake when handling flashpatches before. So far I did not find a wlc_monitor or wl_monitor function in the firmware,...
We can now capture frames using wlc_recv, however, I only observed Beacon Frames so far. There is no radiotap header so far. You have to run nexutil -m first and...
I think that there is currently no other way than to recompile the kernel with disabled selinux. At least if you want to use tools such as nexutil in its...