Nexmon Turns Nexus 5 (and RPi3!) Into WiFi Toolkit

Back in the day, when wardriving was still useful (read: before WPA2 was widespread), we used to wander around with a Zaurus in our pocket running Kismet. Today, every cellphone has WiFi and a significantly more powerful processor inside. But alas, the firmware is locked down.

Enter the NexMon project. If you’ve got a Nexus 5 phone with the Broadcom BCM4339 WiFi chipset, you’ve now got a monitor-mode, packet-injecting workhorse in your pocket, and it looks a lot less creepy than that old Zaurus. But more to the point, NexMon is open. If you’d like to get inside what it took to reverse-engineer a hole into the phone’s WiFi, or make your own patches, here’s a great starting place.

But wait, there’s more! The recently released Raspberry Pi 3 has a similar Broadcom WiFi chipset, and has been given the same treatment, turning your RPi 3 into a wireless-sniffing powerhouse. How many Raspberry Pi “hacks” actually hack the Raspberry Pi? Well, here’s one.

We first learned of this project from a talk given at the MetaRhein-Main Chaos Days conference which took place last weekend. The NexMon talk (in German, but with slides in English) is just one of the many talks, all of which are available online.

The NexMon project is a standout, however. Not only do they reverse the WiFi firmware in the Nexus 5, but they show you how, and then apply the same methods to the RPi3. Kudos times three to [Matthias Schulz], [Daniel Wegemer], and [Matthias Hollick]!

22 thoughts on “Nexmon Turns Nexus 5 (and RPi3!) Into WiFi Toolkit”

      1. “Open” is such a wishy-washy word. The Nexus phones are not carrier locked (you can use them on most carriers and change networks simply by changing SIMs). They use stock Android and you can unlock the bootloader. But there are binaries that go into the software, and there are binaries running on the hardware inside (like the radios). In those ways, the Nexus line is not “Open”.

    1. AH, I miss my Z, best handheld computer until I got a N900. Now I am stuck again waiting for a replacement and considering libhybris or the promised kernel mainlining.
      Both the Zaurus and N900 have binary blobs though I remember someone finally hacked some FOSS drivers for the SL-5500 when they merged openZaurus into Angstrom but that was around EOL for me.

      1. I had both and miss them. A modern smartphone is somehow not a replacement even with all the extra CPU and GPU power. I guess a Pyra will soon fix my cravings for a real handheld computer.

      1. Would you be willing to do subtitles on YouTube or an srt file? I understand the slides are English, but I feel like I’m missing out on so much of the presentation, not being able to understand what is being said.

    1. The MRMCD conference theme this year was medical infosec/hacking, so there was a lot of random doctor-y stuff around, including that big box of anti-itch creme.

      Some people gave their presentations in lab coats. There was a skeleton in the background of some of the shots too. Looked like much fun.

