Back in the day, when wardriving was still useful (read: before WPA2 was widespread), we used to wander around with a Zaurus in our pocket running Kismet. Today, every cellphone has WiFi and a significantly more powerful processor inside. But alas, the firmware is locked down.
Enter the NexMon project. If you’ve got a Nexus 5 phone with the Broadcom BCM4339 WiFi chipset, you’ve now got a monitor-mode, packet-injecting workhorse in your pocket, and it looks a lot less creepy than that old Zaurus. But more to the point, NexMon is open. If you’d like to get inside what it took to reverse-engineer a hole into the phone’s WiFi, or make your own patches, here’s a great starting place.
But wait, there’s more! The recently released Raspberry Pi 3 has a similar Broadcom WiFi chipset, and has been given the same treatment, turning your RPi 3 into a wireless-sniffing powerhouse. How many Raspberry Pi “hacks” actually hack the Raspberry Pi? Well, here’s one.
We first learned of this project from a talk given at the MetaRhein-Main Chaos Days conference which took place last weekend. The NexMon talk (in German, but with slides in English) is just one of the many talks, all of which are available online.
The NexMon project is a standout, however. Not only do they reverse the WiFi firmware in the Nexus 5, but they show you how, and then apply the same methods to the RPi3. Kudos times three to [Matthias Schulz], [Daniel Wegemer], and [Matthias Hollick]!
Do not mock my gorram Zaurus. It is TWICE the computer your Nexus is. Open by default, expandable and with a surprisingly default keyboard for a mobile device.
I feel strongly that “surprisingly default” should enter the lexicon.
“surprisingly default”?
Probably meaning a layout that’s not effed up in some way
Probably a typo for “decent.”
Nexus isn’t “Open by default”?
“Open” is such a wishy-washy word. The Nexus phones are not carrier locked (you can use them on most carriers and change networks simply by changing sims). They use stock Android and you can unlock the bootloader. But there are binaries that go into the software, and there are binaries running on the hardware inside (like the radios). In those ways, the Nexus line is not “Open”.
AH, I miss my Z, best handheld computer until I got a N900. Now I am stuck again waiting for a replacement and considering libhybris or the promised kernel mainlining.
Both the Zaurus and N900 have binary blobs though I remember someone finally hacked some FOSS drivers for the SL-5500 when they merged openZaurus into Angstrom but that was around EOL for me.
I had both and miss them. A modern smartphone is somehow not a replacement even with all the extra CPU and GPU power. I guess a Pyra will soon fix my cravings for a real handheld computer.
Does the giant orange box, of what Google is telling me is anti-itch cream, seem almost proudly displayed to anyone else?
The motto of the MRMCD conference this year was “diagnosis:critical”, see https://2016.mrmcd.net/en/mrmcd/. The organizers were dressed in hospital cloth, globules were used as coffee sweetener, there were giant boxes of pharmaceutics everywhere. It was really great :D
I really appreciate having an article about our project here on hackaday, thanks :-)
It’s a fantastic project, and I love the way you guys made it so open that it borders on tutorial. I hope it inspires a new batch of people to try similar hacks!
Would you be willing to do subtitles on YouTube or an srt file? I understand the slides are English but I feel like I’m missing out of so much of the presentation not being able to understand what is being said.
I should have held the talk in English in the first place :-/ Unfortunately I’ve never done any subtitling before and I’m not sure if I have time to make it happen, sorry.
With the Maneki-neko (had to look that up on Google) on top, too. Good luck to not itching?
Stfu
What’s the big deal, if you get itchy the Hello Kitty (I heard once that Maneki Neko can be translated as Hello Kitty) can scratch your back.
The MRMCD conference theme this year was medical infosec/hacking, so there was a lot of random doctor-y stuff around, including that big box of anti-itch cream.
Some people gave their presentations in lab coats. There was a skeleton in the background of some of the shots too. Looked like much fun.
Gotta love the intro of this article.
WiFi security may have gone up, but so has raw processing power; WPA2 isn’t that much safer than WPA/WEP AFAIK.
BCmon for the Galaxy S2 and Nexus 7 was much, much better without the need for a custom kernel.
Not anymore ;-) We now offer an app to install nexmon on an Android smartphone without flashing the boot.img or replacing the kernel. We also deliver a libfakeioctl.so library similar to the one from the bcmon project, that allows you to spoof ioctl requests to announce a monitor mode interface.
Take a look at: https://github.com/seemoo-lab/bcm-public/releases/tag/v1.0 and follow us on twitter: https://twitter.com/nexmon_dev
In case you want to learn more about Nexmon, I recently published my PhD thesis about this topic. Feel free to download and read it: http://nexmon.org/thesis