Can't setup nexmon for Nexus 6P #633

amenekowo opened this issue Oct 15, 2024 · 1 comment

Summary

Hello there!
I installed nexmon firmware to my Nexus 6P. Because I use magisk to root and installed Kali Nethunter by Magisk, the /system is read only and I changed the utils installation path to /vendor and the firmware and tools installed successfully. But when I run any monitor steps in README, it doesn't work.

Use `nexutil -m2`
angler:/vendor/bin # ./nexutil -m2
angler:/vendor/bin # iw wlan0 info
Interface wlan0
        ifindex 5
        wdev 0x1
        addr 98:e7:f5:xx:xx:xx
        type managed
        wiphy 0
angler:/vendor/bin # LD_PRELOAD=/vendor/lib/libnexmon.so ./airodump-ng wlan0
CANNOT LINK EXECUTABLE "sh": "/vendor/lib/libnexmon.so" is 32-bit instead of 64-bit

and it froze. (I found that only sh binary is aarch64, both libnexmon.so and airodump-ng are arm.)

angler:/vendor/bin # file ./airodump-ng
./airodump-ng: ELF shared object, 32-bit LSB arm, dynamic (/system/bin/linker), stripped
angler:/vendor/bin # file /vendor/lib/libnexmon.so
/vendor/lib/libnexmon.so: ELF shared object, 32-bit LSB arm, dynamic (/system/bin/linker), stripped

Use iw phy `iw dev wlan0 info | gawk '/wiphy/ {printf "phy" $2}'` interface add mon0 type monitor

angler:/vendor/bin # iw phy phy0 interface add mon0 type monitor
command failed: Operation not supported on transport endpoint (-95)
angler:/vendor/bin # ifconfig
rmnet_ipa0 Link encap:UNSPEC
          UP RUNNING  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 TX bytes:0

wlan0     Link encap:Ethernet  HWaddr 98:e7:f5:xx:xx:xx
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:114153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11006437 TX bytes:0

dummy0    Link encap:Ethernet  HWaddr 7e:c5:29:xx:xx:xx
          inet6 addr: fe80::7cc5:29ff:fexx:xxxx/64 Scope: Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 TX bytes:2834

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope: Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:204 errors:0 dropped:0 overruns:0 frame:0
          TX packets:204 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:32722 TX bytes:32722
angler:/vendor/bin # iw wlan0 info
Interface wlan0
        ifindex 5
        wdev 0x1
        addr 98:e7:f5:xx:xx:xx
        type managed
        wiphy 0

And another bug (Idk if it is called a bug) is, if I don't run ifconfig wlan0 up, my WLAN chip is not useable. This is mentioned there.

dmesg output
[ 1605.705493] \x0aDongle Host Driver, version 1.201.31 (r)\x0aCompiled in drivers/net/wireless/bcmdhd on Oct 11 2018 at 19:39:21
[ 1605.705524] dhd_wlan_power Enter: power on
[ 1605.906382] dhd_bus_devreset: == Power ON ==
[ 1605.951092] dhd_bus_devreset: dhdpcie_bus_clock_start OK
[ 1605.951832] dhdpcie_dongle_attach: PCI_BAR1_WIN = 0
[ 1605.952487] dhdpcie_dongle_attach: BAR1 window val=23 mask=0
[ 1605.953211] dhdpcie_download_code_file: download firmware /vendor/firmware/fw_bcmdhd.bin
[ 1605.953253] _dhdpcie_download_firmware: dongle image file download failed
[ 1605.953263] dhd_bus_start: failed to download firmware /vendor/firmware/fw_bcmdhd.bin
[ 1605.953270] dhd_bus_devreset: dhd_bus_start: -1
[ 1605.953277] dhd_net_bus_devreset: dhd_bus_devreset: -1
[ 1605.953284] dhd_open : wl_android_wifi_on failed (-1)
[ 1605.953300] dhd_prot_ioctl : bus is down. we have nothing to do
[ 1605.953309] dhd_bus_devreset: == Power OFF ==
[ 1605.960782] dhd_bus_devreset:  WLAN OFF Done
[ 1605.960804] dhd_wlan_power Enter: power off

If I bring up wlan0 by ifconfig wlan0 up, it is working.

dmesg output
[ 2178.973355] \x0aDongle Host Driver, version 1.201.31 (r)\x0aCompiled in drivers/net/wireless/bcmdhd on Oct 11 2018 at 19:39:21
[ 2178.973427] dhd_wlan_power Enter: power on
[ 2179.176411] dhd_bus_devreset: == Power ON ==
[ 2179.221097] dhd_bus_devreset: dhdpcie_bus_clock_start OK
[ 2179.225276] dhdpcie_dongle_attach: PCI_BAR1_WIN = 0
[ 2179.228714] dhdpcie_dongle_attach: BAR1 window val=23 mask=0
[ 2179.230718] dhdpcie_download_code_file: download firmware /vendor/firmware/fw_bcmdhd.bin
[ 2179.313765] dhdpcie_bus_write_vars: Download, Upload and compare of NVRAM succeeded.
[ 2179.315465] Failed to open the file logstrs.bin in dhd_init_logstrs_array, /vendor/firmware/logstrs.bin
[ 2179.530879] dhd_bus_start: Initializing 42 flowrings
[ 2179.531391] dhd_bus_cmn_writeshared:
[ 2179.531424] dhd_bus_cmn_writeshared:
[ 2179.531456] dhd_bus_cmn_writeshared:
[ 2179.531486] dhd_bus_cmn_writeshared:
[ 2179.531516] dhd_bus_cmn_writeshared:
[ 2179.531543] dhd_bus_cmn_writeshared:
[ 2179.531616] dhd_bus_cmn_writeshared:
[ 2179.585120] dhd_prot_ioctl: status ret value is -5
[ 2179.587384] dhd_preinit_ioctls lpc fail WL_DOWN : 0, lpc = 1
[ 2179.590423] dhd_prot_ioctl: status ret value is -23
[ 2179.618453] dhd_prot_ioctl: status ret value is -26
[ 2179.654451] dhd_rtt_init : FTM is supported
[ 2179.658422] dhd_bus_devreset: WLAN Power On Done

Any ideas are welcome. Thanks!

Environment

Nexus 6P running Android Oreo (8.1) and Kali Nethunter

`nexutil -v` output
angler:/vendor/bin # nexutil -V
platform Nexus 6P
firmware 7.112.300.14 (r707445) FWID 01-3242a45b
vendorid 0x14e4
deviceid 0x43e9
radiorev 0x2e2069
chipnum 0x4358
chiprev 0x3
chippackage 0x2
corerev 0x30
boardid 0x7a1
boardvendor 0x14e4
boardrev P100
driverrev 0x77012c0
ucoderev 0x3c3013d
bus 0x0
phytype 0xb
phyrev 0x11
anarev 0x0
nvramrev 0x7a1f2

Kernel version
Linux kali 3.10.73-g309d642 #1 SMP PREEMPT Thu Oct 11 19:39:39 UTC 2018 aarch64

@jlinktu
Member

jlinktu commented Oct 17, 2024

> Summary
>
> Hello there! I installed nexmon firmware to my Nexus 6P. Because I use magisk to root and installed Kali Nethunter by Magisk, the /system is read only and I changed the utils installation path to /vendor and the firmware and tools installed successfully. But when I run any monitor steps in README, it doesn't work.
>
> Use nexutil -m2
>
> angler:/vendor/bin # ./nexutil -m2
> angler:/vendor/bin # iw wlan0 info
> Interface wlan0
>         ifindex 5
>         wdev 0x1
>         addr 98:e7:f5:xx:xx:xx
>         type managed
>         wiphy 0
> angler:/vendor/bin # LD_PRELOAD=/vendor/lib/libnexmon.so ./airodump-ng wlan0
> CANNOT LINK EXECUTABLE "sh": "/vendor/lib/libnexmon.so" is 32-bit instead of 64-bit
>
> and it froze. (I found that only sh binary is aarch64, both libnexmon.so and airodump-ng are arm.)
>
> angler:/vendor/bin # file ./airodump-ng
> ./airodump-ng: ELF shared object, 32-bit LSB arm, dynamic (/system/bin/linker), stripped
> angler:/vendor/bin # file /vendor/lib/libnexmon.so
> /vendor/lib/libnexmon.so: ELF shared object, 32-bit LSB arm, dynamic (/system/bin/linker), stripped

You answered it yourself already. Compile libnexmon.so and airodump-ng for the correct architecture.
iw will not show the device as being of type monitor. That's what you need libnexmon.so for. It lets programs see the interface as monitor interface even though the driver is not aware of it.

> Use iw phy iw dev wlan0 info | gawk '/wiphy/ {printf "phy" $2}' interface add mon0 type monitor
>
> angler:/vendor/bin # iw phy phy0 interface add mon0 type monitor
> command failed: Operation not supported on transport endpoint (-95)
> angler:/vendor/bin # ifconfig
> rmnet_ipa0 Link encap:UNSPEC
>           UP RUNNING  MTU:2000  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 TX bytes:0
>
> wlan0     Link encap:Ethernet  HWaddr 98:e7:f5:xx:xx:xx
>           UP BROADCAST RUNNING  MTU:1500  Metric:1
>           RX packets:114153 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:11006437 TX bytes:0
>
> dummy0    Link encap:Ethernet  HWaddr 7e:c5:29:xx:xx:xx
>           inet6 addr: fe80::7cc5:29ff:fexx:xxxx/64 Scope: Link
>           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:0 TX bytes:2834
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope: Host
>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>           RX packets:204 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:204 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:32722 TX bytes:32722
> angler:/vendor/bin # iw wlan0 info
> Interface wlan0
>         ifindex 5
>         wdev 0x1
>         addr 98:e7:f5:xx:xx:xx
>         type managed
>         wiphy 0

Adding a monitor interface that way won't work as the driver isn't aware that the interface can be operated as such.

> And another bug (Idk if it is called a bug) is, if I don't run ifconfig wlan0 up, my WLAN chip is not useable. This is mentioned there.

Not a bug, this is expected. You have to configure the interface after reloading the firmware.

> dmesg output
>
> [ 1605.705493] \x0aDongle Host Driver, version 1.201.31 (r)\x0aCompiled in drivers/net/wireless/bcmdhd on Oct 11 2018 at 19:39:21
> [ 1605.705524] dhd_wlan_power Enter: power on
> [ 1605.906382] dhd_bus_devreset: == Power ON ==
> [ 1605.951092] dhd_bus_devreset: dhdpcie_bus_clock_start OK
> [ 1605.951832] dhdpcie_dongle_attach: PCI_BAR1_WIN = 0
> [ 1605.952487] dhdpcie_dongle_attach: BAR1 window val=23 mask=0
> [ 1605.953211] dhdpcie_download_code_file: download firmware /vendor/firmware/fw_bcmdhd.bin
> [ 1605.953253] _dhdpcie_download_firmware: dongle image file download failed
> [ 1605.953263] dhd_bus_start: failed to download firmware /vendor/firmware/fw_bcmdhd.bin
> [ 1605.953270] dhd_bus_devreset: dhd_bus_start: -1
> [ 1605.953277] dhd_net_bus_devreset: dhd_bus_devreset: -1
> [ 1605.953284] dhd_open : wl_android_wifi_on failed (-1)
> [ 1605.953300] dhd_prot_ioctl : bus is down. we have nothing to do
> [ 1605.953309] dhd_bus_devreset: == Power OFF ==
> [ 1605.960782] dhd_bus_devreset:  WLAN OFF Done
> [ 1605.960804] dhd_wlan_power Enter: power off
>
> If I bring up wlan0 by ifconfig wlan0 up, it is working.
>
> dmesg output
>
> [ 2178.973355] \x0aDongle Host Driver, version 1.201.31 (r)\x0aCompiled in drivers/net/wireless/bcmdhd on Oct 11 2018 at 19:39:21
> [ 2178.973427] dhd_wlan_power Enter: power on
> [ 2179.176411] dhd_bus_devreset: == Power ON ==
> [ 2179.221097] dhd_bus_devreset: dhdpcie_bus_clock_start OK
> [ 2179.225276] dhdpcie_dongle_attach: PCI_BAR1_WIN = 0
> [ 2179.228714] dhdpcie_dongle_attach: BAR1 window val=23 mask=0
> [ 2179.230718] dhdpcie_download_code_file: download firmware /vendor/firmware/fw_bcmdhd.bin
> [ 2179.313765] dhdpcie_bus_write_vars: Download, Upload and compare of NVRAM succeeded.
> [ 2179.315465] Failed to open the file logstrs.bin in dhd_init_logstrs_array, /vendor/firmware/logstrs.bin
> [ 2179.530879] dhd_bus_start: Initializing 42 flowrings
> [ 2179.531391] dhd_bus_cmn_writeshared:
> [ 2179.531424] dhd_bus_cmn_writeshared:
> [ 2179.531456] dhd_bus_cmn_writeshared:
> [ 2179.531486] dhd_bus_cmn_writeshared:
> [ 2179.531516] dhd_bus_cmn_writeshared:
> [ 2179.531543] dhd_bus_cmn_writeshared:
> [ 2179.531616] dhd_bus_cmn_writeshared:
> [ 2179.585120] dhd_prot_ioctl: status ret value is -5
> [ 2179.587384] dhd_preinit_ioctls lpc fail WL_DOWN : 0, lpc = 1
> [ 2179.590423] dhd_prot_ioctl: status ret value is -23
> [ 2179.618453] dhd_prot_ioctl: status ret value is -26
> [ 2179.654451] dhd_rtt_init : FTM is supported
> [ 2179.658422] dhd_bus_devreset: WLAN Power On Done
>
> Any ideas are welcome. Thanks!
>
> Environment
>
> Nexus 6P running Android Oreo (8.1) and Kali Nethunter
>
> nexutil -v output
>
> angler:/vendor/bin # nexutil -V
> platform Nexus 6P
> firmware 7.112.300.14 (r707445) FWID 01-3242a45b
> vendorid 0x14e4
> deviceid 0x43e9
> radiorev 0x2e2069
> chipnum 0x4358
> chiprev 0x3
> chippackage 0x2
> corerev 0x30
> boardid 0x7a1
> boardvendor 0x14e4
> boardrev P100
> driverrev 0x77012c0
> ucoderev 0x3c3013d
> bus 0x0
> phytype 0xb
> phyrev 0x11
> anarev 0x0
> nvramrev 0x7a1f2
>
> Kernel version Linux kali 3.10.73-g309d642 #1 SMP PREEMPT Thu Oct 11 19:39:39 UTC 2018 aarch64

For an example on how to use Magisk to install patched firmware, have a look at https://github.com/seemoo-lab/nexmon/tree/master/patches/bcm4389c1/20_101_57_r1035009/nexmon .
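
The linker error in this thread comes down to the ELF class of libnexmon.so versus the binaries that inherit `LD_PRELOAD` (the message names `sh`). As an added example, not taken from the issue or from nexmon, this script reads the class and machine fields from each ELF header and flags binaries that cannot load a given preload library; `mk_hdr` and the files in `demo` are constructed stand-ins for the three files named above.

```shell
# Added example, not nexmon code. Reads the ELF header fields behind the
# linker's "is 32-bit instead of 64-bit" error.

# elf_arch FILE: print "<bits>-<machine>" (e.g. 32-arm); return 1 if not ELF.
elf_arch() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 1; }
    # offset 4: EI_CLASS (1=32-bit, 2=64-bit); offset 5: EI_DATA (1=LE, 2=BE)
    # offset 18: e_machine, two bytes in the file's byte order
    set -- $(od -An -tu1 -j4 -N2 "$f") $(od -An -tu1 -j18 -N2 "$f")
    [ $# -eq 4 ] || { echo "not-elf"; return 1; }   # truncated header
    case $1 in 1) bits=32 ;; 2) bits=64 ;; *) bits=unknown ;; esac
    if [ "$2" = 2 ]; then m=$(( $3 * 256 + $4 )); else m=$(( $3 + $4 * 256 )); fi
    case $m in
        3) name=x86 ;; 40) name=arm ;; 62) name=x86_64 ;; 183) name=aarch64 ;;
        *) name=em$m ;;
    esac
    echo "$bits-$name"
}

# preload_check LIB BIN...: return 0 only if every BIN matches LIB's class/machine.
preload_check() {
    lib=$1; shift
    want=$(elf_arch "$lib") || { echo "ERROR    $lib is not an ELF file"; return 2; }
    rc=0
    for bin in "$@"; do
        got=$(elf_arch "$bin") || true
        if [ "$got" = "$want" ]; then echo "OK       $bin ($got)"
        else echo "MISMATCH $bin is $got, $lib is $want"; rc=1; fi
    done
    return $rc
}

# Constructed sample data: 20-byte little-endian ELF header prefixes.
# mk_hdr PATH CLASS MACHINE, both as 3-digit octal (050 = EM_ARM, 267 = EM_AARCH64)
mk_hdr() {
    printf "\\177ELF\\$2\\001\\001\\000\\000\\000\\000\\000\\000\\000\\000\\000\\003\\000\\$3\\000" > "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    mk_hdr "$d/libnexmon.so" 001 050
    mk_hdr "$d/airodump-ng" 001 050
    mk_hdr "$d/sh" 002 267
    preload_check "$d/libnexmon.so" "$d/airodump-ng" "$d/sh" || echo "preload would fail"
    rm -rf "$d"
}
demo
```

On a device, call `preload_check` with the real library path followed by the tool and any shell or helper it starts.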
