
BCM4375

Open savox-326 opened this issue 2 years ago • 19 comments

Could you update the patch for the new binaries on the S20 and N20 series? Since OneUI 3, even with permissive SELinux, we cannot use monitor mode. Please update.

savox-326 avatar Jan 18 '23 21:01 savox-326

@jlinktu I don't know what it should look like, but my compiled bcm4375 (S20 version) firmware (with patch) doesn't contain wlc_monitor_attach when I check with the strings command, though compilation finished successfully.

savox-326 avatar Dec 13 '23 07:12 savox-326

Not sure what I am supposed to do with this information... thank you for telling me, I guess. Or is there a hidden question in there?

jlinktu avatar Dec 13 '23 08:12 jlinktu

@jlinktu Monitor mode finds nothing, maybe because of this.

savox-326 avatar Dec 13 '23 08:12 savox-326

Some assume I'm a wizard 🧙🏻‍♂️ who magically knows what is happening on your local inner machine - surprise: I'm not.

You might help the situation by answering the following questions:

  • What do you want to achieve? / What is your goal?
  • How are you trying to get there? / What are you doing?
  • Is there something specific you want from me? (Try to formulate a question if that is the case.)

The more detailed and precise your answers are the easier it is for me to help you out.

jlinktu avatar Dec 13 '23 09:12 jlinktu

@jlinktu Sorry for that, I just thought you knew what I meant, because there are many issues with that. My device is N9860 (Snapdragon) running Android 13 (OneUI 5.1), with a custom kernel where SELinux is always permissive. The stock version of bcmdhd_sta.bin_b1 was 18.41.113 or higher. I replaced it with nexmon's unpatched 18.41.8.9 (because that version has the monitor and injection patch). It works like the stock binary. After patching it also works perfectly. But after enabling monitor mode (with nexutil, with libfakeioctl) airodump starts, sticks on channel 0 and finds nothing. Yesterday, with the strings command, I noticed that my compiled binary has no wlc_monitor_attach string, while bcm4358 etc. have it.

savox-326 avatar Dec 13 '23 09:12 savox-326

  1. strings outputs the printable characters contained in the file you are running it on. If your patched firmware file doesn't contain the character sequence "wlc_monitor_attach" in a printable form, strings can't output it. This is not equivalent to your firmware missing a function with the C name wlc_monitor_attach. Nevertheless, you are partly on the right track, as the stock firmware 18.41.8.9 (STA) probably doesn't have the wlc_monitor_attach function compiled in. Therefore, Matthias added it manually to his patch code: https://github.com/seemoo-lab/nexmon/blob/ae8addba003ceb68a4217c014242d5c747eeaf36/patches/bcm4375b1/18_41_8_9_sta/nexmon/src/monitormode.c#L97 which means that your patched firmware contains it, even if there is no string "wlc_monitor_attach" in it.
  2. You write that you are "[...] running monitor mode (with nexutil, with libfakeioctl) [...]". How exactly are you doing this? (commands) Are there any additional commands involved regarding configuration of the interface? I am not too familiar with airodump, therefore I can't really help you at this end. But you can check if monitor mode is working in general by listening on the interface with e.g. tcpdump.

jlinktu avatar Dec 13 '23 10:12 jlinktu

I run this to launch monitor mode:

ifconfig wlan0 down
ifconfig wlan0 up
nexutil -m2

nexutil -m returns "monitor -2147483646" after the -m2 parameter and "monitor -2147483647" after -m1. Tcpdump also captures nothing.

savox-326 avatar Dec 13 '23 11:12 savox-326

Try setting a channel before enabling monitor mode. Make sure that there is traffic on this channel too. E.g. for channel 6:

ifconfig wlan0 down
ifconfig wlan0 up
nexutil -k6
nexutil -m2

Does this change anything?

jlinktu avatar Dec 13 '23 11:12 jlinktu

Also no result (the channel is also stuck on 0).

savox-326 avatar Dec 13 '23 11:12 savox-326

What does reading out the channel return? nexutil -k

jlinktu avatar Dec 13 '23 11:12 jlinktu

It says "chanspec: 0x1006, 6" and nothing is captured.

savox-326 avatar Dec 13 '23 13:12 savox-326
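Added example (not from the thread or the nexmon project): a small decoder for the two nexutil values quoted above, the chanspec "0x1006" reported by nexutil -k and the signed "monitor -2147483646" reported by nexutil -m. The bit layout assumed is the 11ac-era Broadcom chanspec encoding (channel in bits 0-7, control sideband in bits 8-10, bandwidth in bits 11-13, band in bits 14-15), which is the one that yields 0x1006 for a 20 MHz 2.4 GHz channel 6; older firmware uses a different layout, so treat the constants as an assumption to check against your firmware's headers.

```python
import re

# Assumed bit layout of a 16-bit Broadcom chanspec (11ac-era encoding).
CHAN_MASK = 0x00FF
SB_MASK, SB_SHIFT = 0x0700, 8      # control sideband: 0 = lowest 20 MHz sub-channel
BW_MASK, BW_SHIFT = 0x3800, 11     # bandwidth code
BAND_MASK = 0xC000                 # band code

BW_CODES = {0: 5, 1: 10, 2: 20, 3: 40, 4: 80, 5: 160, 6: "80+80"}
BAND_CODES = {0x0000: "2G", 0x4000: "3G", 0x8000: "4G", 0xC000: "5G"}


def decode_chanspec(chanspec: int) -> dict:
    """Split a chanspec into channel number, band, bandwidth (MHz) and sideband code."""
    return {
        "channel": chanspec & CHAN_MASK,
        "band": BAND_CODES[chanspec & BAND_MASK],
        "bw_mhz": BW_CODES[(chanspec & BW_MASK) >> BW_SHIFT],
        "sideband": (chanspec & SB_MASK) >> SB_SHIFT,
    }


def encode_chanspec(channel: int, band: str = "2G", bw_mhz=20, sideband: int = 0) -> int:
    """Inverse of decode_chanspec: the chanspec a plain 20 MHz `nexutil -k<ch>` should yield."""
    band_bits = {v: k for k, v in BAND_CODES.items()}[band]
    bw_bits = {v: k for k, v in BW_CODES.items()}[bw_mhz] << BW_SHIFT
    return band_bits | bw_bits | (sideband << SB_SHIFT) | (channel & CHAN_MASK)


def parse_nexutil_k(line: str) -> dict:
    """Parse a 'chanspec: 0x1006, 6' line from nexutil -k and cross-check both fields."""
    m = re.match(r"chanspec:\s*0x([0-9a-fA-F]+),\s*(\d+)", line.strip())
    if not m:
        raise ValueError(f"not a nexutil -k line: {line!r}")
    info = decode_chanspec(int(m.group(1), 16))
    # The trailing number is the channel; it must agree with the decoded low byte.
    info["consistent"] = info["channel"] == int(m.group(2))
    return info


def monitor_value_to_u32(value: int) -> int:
    """nexutil -m prints the ioctl result as a signed 32-bit int; view it as unsigned."""
    return value & 0xFFFFFFFF


if __name__ == "__main__":
    print(parse_nexutil_k("chanspec: 0x1006, 6"))          # 2G, 20 MHz, channel 6
    print(hex(monitor_value_to_u32(-2147483646)))          # 0x80000002
    print(hex(monitor_value_to_u32(-2147483647)))          # 0x80000001
```

Viewed unsigned, the two monitor readings differ only in the low bits, which match the requested modes 2 and 1, so the ioctl did accept the setting; the chanspec confirms the radio is on 20 MHz channel 6 in the 2.4 GHz band, so the empty capture is not a channel-selection problem.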

Well, I guess Matthias has tested the patch before committing and pushing it, so I assume it will work somehow. Maybe not directly with airodump. Are you sure there is traffic on that channel? What about 5GHz channels? Does it work there? Any obvious errors in the kernel log? If none of the above helps, you could check directly on the chip if you receive frames in monitor mode by extending the patch.

jlinktu avatar Dec 13 '23 14:12 jlinktu

@jlinktu I was busy the last several days. Today I checked everything you wrote. 5 GHz is the same as 2.4 GHz. After this command: ifconfig wlan0 up, dmesg shows this spamming log (even after nexutil -m2 / -m1 / -m0):

I[0:dhd_rpm_state_t: 506] dhd_runtimepm_state: DHD Idle state!! - idletime :5, wdtick :100

It disappears only after disabling WiFi through the Android UI or ifconfig wlan down. Maybe it was working for Matthias and others because they had Samsungs with Exynos.

savox-326 avatar Dec 18 '23 11:12 savox-326

This just means that the bus is idle for a specific time duration.

But maybe you have to disable power saving. You could do this by adding the following calls

set_mpc(wlc_for_chanspec, 0);
set_mpc(wlc_other, 0);

here:

https://github.com/seemoo-lab/nexmon/blob/29d990bdaea869cb32f5eaa2dbb7efacdcd405aa/patches/bcm4375b1/18_41_8_9_sta/nexmon/src/ioctl.c#L295

I don't think that Exynos makes the difference. It's the same WiFi chip.

If the above still doesn't help, there might be a compatibility issue between the firmware and driver.

jlinktu avatar Dec 19 '23 08:12 jlinktu

I'll try to figure out how to find the target patching addresses in the new firmware. I hope I will be able to do that. So, I use the nexmon ROM extraction tool; it works but fills the binary with these errors: ioctl -95. I also tried the bcm4389 extraction tool, same result. Will I need bcm's ROM?

savox-326 avatar Dec 26 '23 06:12 savox-326

You can find a ROM dump of the bcm4375b1 here. This is a clean dump - meaning that it comes without flashpatches applied. For analyzing firmwares you want to add the flashpatches of the firmware version you are currently looking into. Fortunately, we already provide Makefile targets for this purpose. All you have to do is:

  • Dump a clean ROM; or use the already existing one
  • Place this clean rom.bin in the chip specific firmware directory nexmon/firmwares/bcm4375b1
  • Change into the firmware specific sub-directory nexmon/firmwares/bcm4375b1/18_41_113_sta
  • Create a full firmware image from the clean ROM, flashpatches, and firmware blob by running make complete.bin. The output complete.bin is what you want to analyze.

jlinktu avatar Dec 26 '23 15:12 jlinktu

Hi again. I adapted the 18.41.8.9 firmware patch to 18.41.113, just replacing addresses, so the firmware works the same as the other versions. I found one bug on every firmware (18.38.18, 18.41.8.9, 18.41.113). If I switch the mode to -m1 using nexutil and choose an open WiFi (without password), airodump and tcpdump begin showing something about the earlier connected AP (connecting fails, but after that something begins to work). But that data is incorrect. Airodump shows incorrect MACs; sometimes the first caught one ends with 45:10 (even with different devices). Tcpdump sometimes works a little correctly, recognizes reassoc but marks other packets as unknown.

[screenshots: Screenshot_20231231_194440_NetHunter Terminal, Screenshot_20231231_222454_NetHunter Terminal, Screenshot_20240101_110056_NetHunter Terminal]

nexutil -m2 is not showing anything with any setting, like I told you before. With nexutil -m2 this is happening in dmesg:

[screenshot: Screenshot_20240101_111740_NetHunter Terminal]

And after iw dev wlan0 set power_save off the output is the same.

savox-326 avatar Dec 31 '23 20:12 savox-326

@jlinktu I added printf into the firmware for some debugging, but dhdutil consoledump says "Operation not supported on transport endpoint", though DHD_DEBUG has been enabled in bcmdhd for a long time. Yeah, dmesg is also empty. I don't know what's wrong with it. Are you sure that Matthias tested the patch before the release?

savox-326 avatar Jan 08 '24 10:01 savox-326

If the firmware doesn't support the "membytes" get var, dumping the console this way won't work, even when compiling the driver with debugging enabled. But you can also read out the console by using your own IOCTL, e.g. like this.

jlinktu avatar Jan 08 '24 10:01 jlinktu