
RPI ZERO 2W: doesn't work, needs patch for firmware 7.45.96.s1

Open qrp73 opened this issue 1 year ago • 18 comments

New RPI ZERO 2W uses chip BCM43430/1 with firmware 7.45.96.s1 (gf031a129). It appears that there is no patch for this firmware... Here is the original firmware, which works ok but doesn't have monitor mode:

brcmf_fw_alloc_request: using brcm/brcmfmac43430-sdio for chip BCM43430/1
brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Jun 14 2023 07:27:45 version 7.45.96.s1 (gf031a129) FWID 01-70bd2af7 es7

With this RPI ZERO 2W, WiFi doesn't work at all on the latest Kali Linux (for both OEM and nexmon firmware).

I tried to compile patches/bcm43430a1/7_45_41_46/nexmon and patches/bcm43436b0/9_88_4_65/nexmon/ but it doesn't work. And Kali Linux loads brcmfmac43436s-sdio for some unknown reason. I tried to copy brcmfmac43430-sdio and brcmfmac43436-sdio to brcmfmac43436s-sdio, but it also fails to load with this error:

brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43436s-sdio.raspberrypi,model-zero-2-w.bin failed with error -2

qrp73 avatar Jul 25 '24 20:07 qrp73

We are not related to Raspberry Pi nor Kali Linux - but if you want to get this to work I suggest you to first get Kali Linux to correctly load the original firmware. Once this works, you can think about adding monitor mode.

On Raspberry Pi OS they do this by creating a corresponding symlink, see: https://github.com/RPi-Distro/firmware-nonfree/tree/bookworm/debian/config/brcm80211/brcm The brcmfmac driver will try to load brcmfmac43430-sdio.raspberrypi,model-zero-2-w.bin, which links to brcmfmac43436s-sdio.bin. In your case, the driver on Kali Linux seems to try loading brcmfmac43436s-sdio.raspberrypi,model-zero-2-w.bin, which you should link to brcmfmac43436s-sdio.bin accordingly. brcmfmac43436s-sdio.bin should be this file.

jlinktu avatar Jul 26 '24 09:07 jlinktu

I just want to get monitor mode working; since it doesn't work on raspi-os, this is why I installed Kali Linux.

With RPI4 it works ok (with some minor issues, but they can be ignored), but RPI4 uses a different chip, BCM4345/6.

With RPI Zero 2w it doesn't work at all on Kali Linux (no WiFi with OEM firmware and no WiFi with nexmon patched firmware) because RPI Zero 2w uses chip BCM43430/1. Original raspi-os uses firmware 7.45.96.s1 for this BCM43430/1 chip.

I tried to compile nexmon, but there is no patch for firmware 7.45.96.s1.

Original raspi-os-bookworm 6.6.31+rpt-rpi-v8 running on rpi2w uses this symlink: /lib/firmware/brcm/brcmfmac43430-sdio.bin -> ../cypress/cyfmac43430-sdio.bin. It loads this firmware and it works ok, but doesn't support monitor mode.

Here is the log file from raspi-os-bookworm with working firmware:

[   12.919275] brcmfmac: F1 signature read @0x18000000=0x1541a9a6
[   12.936804] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43430-sdio for chip BCM43430/1
[   12.937728] usbcore: registered new interface driver brcmfmac
[   13.192057] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob available (err=-2)
[   13.192698] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Jun 14 2023 07:27:45 version 7.45.96.s1 (gf031a129) FWID 01-70bd2af7 es7

Unfortunately there is no patch for firmware 7.45.96.s1.

Kali Linux for some unknown reason loads brcm/brcmfmac43436-sdio with an error and it doesn't work at all.

I'm not sure how the system determines which chip type is installed and which firmware needs to be loaded. It seems that there is some issue in Kali Linux determining which firmware should be loaded, because it loads brcmfmac43436-sdio instead of brcmfmac43430-sdio. I tried to replace brcmfmac43436-sdio with a copy of brcmfmac43430-sdio; it loads the brcmfmac43430-sdio firmware, but it also doesn't work.

PS: also it's not clear why original raspi-os-bookworm loads brcmfmac43430-sdio, because all symlinks with the .raspberrypi,model-zero-2-w postfix point to brcmfmac43436-sdio.bin:

$ ls -l /lib/firmware/brcm/*raspberrypi,model-zero-2-w*
lrwxrwxrwx 1 root root 27 Feb 26 19:44 /lib/firmware/brcm/BCM43430A1.raspberrypi,model-zero-2-w.hcd -> ../synaptics/SYN43430A1.hcd
lrwxrwxrwx 1 root root 27 Feb 26 19:44 /lib/firmware/brcm/BCM43430B0.raspberrypi,model-zero-2-w.hcd -> ../synaptics/SYN43430B0.hcd
lrwxrwxrwx 1 root root 22 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43430b0-sdio.raspberrypi,model-zero-2-w.bin -> brcmfmac43436-sdio.bin
lrwxrwxrwx 1 root root 27 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43430b0-sdio.raspberrypi,model-zero-2-w.clm_blob -> brcmfmac43436-sdio.clm_blob
lrwxrwxrwx 1 root root 22 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43430b0-sdio.raspberrypi,model-zero-2-w.txt -> brcmfmac43436-sdio.txt
lrwxrwxrwx 1 root root 23 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43430-sdio.raspberrypi,model-zero-2-w.bin -> brcmfmac43436s-sdio.bin
lrwxrwxrwx 1 root root 23 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43430-sdio.raspberrypi,model-zero-2-w.txt -> brcmfmac43436s-sdio.txt
lrwxrwxrwx 1 root root 22 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43436-sdio.raspberrypi,model-zero-2-w.bin -> brcmfmac43436-sdio.bin
lrwxrwxrwx 1 root root 27 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43436-sdio.raspberrypi,model-zero-2-w.clm_blob -> brcmfmac43436-sdio.clm_blob
lrwxrwxrwx 1 root root 22 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43436-sdio.raspberrypi,model-zero-2-w.txt -> brcmfmac43436-sdio.txt
lrwxrwxrwx 1 root root 23 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43436s-sdio.raspberrypi,model-zero-2-w.bin -> brcmfmac43436s-sdio.bin
lrwxrwxrwx 1 root root 23 Feb 26 19:06 /lib/firmware/brcm/brcmfmac43436s-sdio.raspberrypi,model-zero-2-w.txt -> brcmfmac43436s-sdio.txt

qrp73 avatar Jul 26 '24 13:07 qrp73

Well, if it doesn't matter what OS you are using, I suggest going for Raspberry Pi OS then.

From the log output I can see that on Raspberry Pi OS, contrary to what you suggested, brcmfmac43436s.bin is loaded.

Regarding the confusion about which file is to be loaded, there are a couple of discussions here: https://github.com/RPi-Distro/firmware-nonfree/issues TL;DR: There are different versions of the Raspberry Pi Zero 2 W, with different Wi-Fi chips, which require different firmwares. Apparently you have the version that requires brcmfmac43436s.bin. Kali simply seems to load the wrong firmware, thus, again, I suggest going with Raspberry Pi OS or porting the related stuff to Kali.

However, all of the above has nothing to do with nexmon itself. It is possible to patch brcmfmac43436s.bin to support monitor mode, but I currently can't do this in my free-time. If you really need this, you can contact me by mail and we can try to find a solution.

jlinktu avatar Jul 26 '24 14:07 jlinktu

> Apparently you have the version that requires brcmfmac43436s.bin. Kali simply seems to load the wrong firmware, thus, again suggesting to go with Raspberry Pi OS or port the related stuff to Kali.

Why brcmfmac43436s-sdio???

When I boot into the original Raspi OS with working wifi firmware, it shows in the log that the chip is BCM43430/1 and loads firmware from brcmfmac43430-sdio, which is a symlink to /lib/firmware/cypress/cyfmac43430-sdio.bin, and this firmware version is 7.45.96.s1 (gf031a129) FWID 01-70bd2af7 es7

> However, all of the above has nothing to do with nexmon itself. It is possible to patch brcmfmac43436s.bin to support monitor mode, but I currently can't do this in my free-time. If you really need this, you can contact me by mail and we can try to find a solution.

Currently I'm trying to set up a clean Raspi-OS Lite and make the patch. If I understand correctly, I need to build patches/bcm43430a1/7_45_41_46/nexmon/ and then try to replace the original firmware, version 7.45.96.s1, at /lib/firmware/cypress/cyfmac43430-sdio.bin. Is that correct?

qrp73 avatar Jul 26 '24 17:07 qrp73

The log says: brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Jun 14 2023 07:27:45 version 7.45.96.s1 (gf031a129) FWID 01-70bd2af7 es7, which is the versioning string of brcmfmac43436s-sdio.bin.

jlinktu avatar Jul 26 '24 18:07 jlinktu

Just checked, yes - brcmfmac43436s-sdio.bin contains the version string 7.45.96.s1 (gf031a129)

> It is possible to patch brcmfmac43436s.bin to support monitor mode, but I currently can't do this in my free-time. If you really need this, you can contact me by mail and we can try to find a solution.

Thanks, I wrote you a mail about it.

qrp73 avatar Jul 26 '24 20:07 qrp73

@qrp73, @jlinktu any updates on this issue?

alexzaporozhets avatar Aug 25 '24 14:08 alexzaporozhets

@alexzaporozhets no, adding a patch for 7.45.96.s1 is a paid service.

But I found that the old BCM43430/1 firmware, version 7.45.41.46 (r666254 CY), which was supplied for RPI3, also works for RPI02W. And there is a patch in nexmon for this firmware version.

You can find the original 7.45.41.46 firmware version in this package: http://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_0.43+rpi6_all.deb

This firmware has some bug which may sometimes lead to a non-responding state. But this is better than nothing.

qrp73 avatar Aug 30 '24 15:08 qrp73

> @alexzaporozhets no, adding a patch for 7.45.96.s1 is a paid service.
>
> But I found that the old BCM43430/1 firmware, version 7.45.41.46 (r666254 CY), which was supplied for RPI3, also works for RPI02W. And there is a patch in nexmon for this firmware version.
>
> You can find the original 7.45.41.46 firmware version in this package: http://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_0.43+rpi6_all.deb
>
> This firmware has some bug which may sometimes lead to a non-responding state. But this is better than nothing.

Any steps or guide on how to execute it?

rudyrdx avatar Sep 15 '24 21:09 rudyrdx

Any updates? I have the same problem with the same version of firmware.

dmesg | grep "Firmware: BCM43430"
[ 10.316434] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Feb 5 2021 12:49:07 version 7.45.96 (r745790) FWID 01-71817851 es7

I would like to be able to make it work in monitor mode

Xendr1k avatar Oct 12 '24 20:10 Xendr1k

> Any updates? I have the same problem with the same version of firmware.
>
> dmesg | grep "Firmware: BCM43430"
> [ 10.316434] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Feb 5 2021 12:49:07 version 7.45.96 (r745790) FWID 01-71817851 es7
>
> I would like to be able to make it work in monitor mode

Like @qrp73 suggested, first download RPi OS Lite, downgrade the firmware, then set up nexmon. I have created a list of commands to execute to achieve this in one of my Rpi02w repos; you can look it up.

rudyrdx avatar Oct 22 '24 14:10 rudyrdx

Hi, I think I found a solution for Kali Pi Zero 2W

As @qrp73 mentioned, it is necessary to change the firmware; to do that run:

wget http://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_0.43+rpi6_all.deb
sudo apt install ./firmware-brcm80211_0.43+rpi6_all.deb -y --allow-downgrades

This will give some warnings, but it is not an error.

To make Kali Pi run this firmware instead of the original one, run this:

Backup the original firmware:

sudo cp /lib/firmware/brcm/brcmfmac43436s-sdio.bin /lib/firmware/brcm/brcmfmac43436s-sdio.bin.bak
sudo cp /lib/firmware/brcm/brcmfmac43436s-sdio.txt /lib/firmware/brcm/brcmfmac43436s-sdio.txt.bak

Make a symlink to the new firmware:

sudo ln -sf /lib/firmware/brcm/brcmfmac43430-sdio.bin /lib/firmware/brcm/brcmfmac43436s-sdio.bin
sudo ln -sf /lib/firmware/brcm/brcmfmac43430-sdio.txt /lib/firmware/brcm/brcmfmac43436s-sdio.txt
reboot

And now it should allow using monitor mode; from what I see the bcm43430a1 driver is well configured, so it will not be necessary to recompile it.

To create the wlan0 interface in monitor mode I recommend this command, which will create a new interface in monitor mode:

sudo iw phy `iw dev wlan0 info | gawk '/wiphy/ {printf "phy" $2}'` interface add mon0 type monitor

Now the monitor interface is mon0.

Update: injection is not possible with the driver, so compile the driver for bcm43430a1.

SmillerMP avatar Feb 05 '25 00:02 SmillerMP
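As an added example (not code from the nexmon project or from anyone in this thread) tying together jlinktu's point that the embedded version string identifies which blob is really loaded and SmillerMP's symlink procedure above: a Python check that resolves which file brcmfmac would pick for the Zero 2 W, reads the version string out of it, and looks up whether a nexmon patch directory is known for that version. The patch map and the firmware directory layout are constructed for the demo.

```python
import os
import re
import tempfile

# Patch directories named in this thread (constructed map): nexmon has a
# patch for the 7.45.41.46 build but none for 7.45.96.s1.
NEXMON_PATCHES = {"7.45.41.46": "patches/bcm43430a1/7_45_41_46/nexmon"}
# Matches the "version 7.45.96.s1 (gf031a129)" text the firmware embeds
# and that brcmf_c_preinit_dcmds prints at boot.
VERSION_RE = re.compile(rb"version (\d+(?:\.\d+)+(?:\.s\d+)?) \(([^)]+)\)")


def firmware_version(blob):
    """Return (version, build) from a brcmfmac firmware blob, or None."""
    m = VERSION_RE.search(blob)
    return (m.group(1).decode(), m.group(2).decode()) if m else None


def requested_names(base="brcmfmac43436s-sdio", model="raspberrypi,model-zero-2-w"):
    """Lookup order brcmfmac uses: board-specific name first, then generic."""
    return [f"{base}.{model}.bin", f"{base}.bin"]


def check_firmware_dir(fwdir, **kw):
    """Resolve the blob the driver would load, read its version string and
    report whether a nexmon patch directory exists for that version."""
    for name in requested_names(**kw):
        path = os.path.join(fwdir, name)
        if os.path.exists(path):
            with open(path, "rb") as f:
                ver = firmware_version(f.read())
            version = ver[0] if ver else None
            return {"requested": name, "real": os.path.realpath(path),
                    "version": version, "patch": NEXMON_PATCHES.get(version)}
    return {"requested": requested_names(**kw)[0], "real": None,
            "version": None, "patch": None}


def build_demo_dir():
    """Constructed /lib/firmware/brcm layout after the downgrade and ln -sf
    steps from this thread; the blob is fake apart from its version string."""
    d = tempfile.mkdtemp()
    fake = b"\x00" * 16 + b"wl0: version 7.45.41.46 (r666254 CY) FWID" + b"\x00" * 8
    with open(os.path.join(d, "brcmfmac43430-sdio.bin"), "wb") as f:
        f.write(fake)
    os.symlink("brcmfmac43430-sdio.bin", os.path.join(d, "brcmfmac43436s-sdio.bin"))
    os.symlink("brcmfmac43436s-sdio.bin",
               os.path.join(d, "brcmfmac43436s-sdio.raspberrypi,model-zero-2-w.bin"))
    return d

if __name__ == "__main__":
    print(check_firmware_dir(build_demo_dir()))
```

Run it against the real /lib/firmware/brcm on the Pi to see which blob the model-specific symlink actually ends at and whether its version is one nexmon can patch.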

I have tried all the methods to get monitor mode on raspberry pi zero 2w but it's not working at all. And even if it shows monitor mode is switched on, I cannot capture any packets whereas the external adapter is working great.

utkarsharora100 avatar Feb 24 '25 18:02 utkarsharora100

hi @utkarsharora100

do what I mentioned above: install the firmware and compile the driver for bcm43430a1/7_45_41_46

with

sudo iw phy `iw dev wlan0 info | gawk '/wiphy/ {printf "phy" $2}'` interface add mon0 type monitor

you activate a new interface in monitor mode. Make sure you type the command correctly; below I leave you an image of how it should be


These captures are from a Pi Zero 2W; it works well, although the injection is quite slow in my opinion, and there are still things that I can't get to run correctly, like WPS attacks.

but packet capture and injection do work

SmillerMP avatar Feb 24 '25 23:02 SmillerMP

@SmillerMP Thanks for the reply! I followed the steps given above and still I am not able to use monitor mode. It says no clm_blob available even though I have set the country code as IN.

utkarsharora100 avatar Feb 25 '25 16:02 utkarsharora100

No problem man, as far as I can see you have another version of the firmware; you have the 7.45.96 version

you must have the 7.45.41.46 version, this is very important


@rudyrdx has working steps to put the interface in monitor mode, check this: Monitor Mode - Raspberry Pi Zero 2W

if you have the correct driver version for BCM43430, you only need to install the 7.45.41.46 firmware; the steps can be a little different on Kali, but you can tell me if you have any problems or if you need help with something.

Oh, and the clm_blob configuration file is not important for this case; it is just a limiter for the channels depending on the region

SmillerMP avatar Feb 25 '25 17:02 SmillerMP

It worked finally. Thanks a lot 🫡 Earlier I had ignored this error:

Notice: Download is performed unsandboxed as root as file '/home/utkarsh/firmware-brcm80211_0.43+rpi6_all.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

To fix this I followed these 2 steps in the terminal:

  1. Run sudo vi /etc/apt/apt.conf.d/10sandbox.
  2. Add the following line: APT::Sandbox::User "root"; then write and quit.

utkarsharora100 avatar Feb 25 '25 19:02 utkarsharora100

Perfect, you're welcome. Have a happy hacking

SmillerMP avatar Feb 25 '25 19:02 SmillerMP