{"id":13464792,"url":"https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio","last_synced_at":"2025-04-05T05:06:06.623Z","repository":{"id":94401165,"uuid":"122815366","full_name":"seemoo-lab/mobisys2018_nexmon_software_defined_radio","owner":"seemoo-lab","description":"Proof of concept project for operating Broadcom Wi-Fi chips as arbitrary signal transmitters similar to software-defined radios (SDRs)","archived":false,"fork":false,"pushed_at":"2018-04-17T06:21:54.000Z","size":121,"stargazers_count":774,"open_issues_count":20,"forks_count":72,"subscribers_count":56,"default_branch":"master","last_synced_at":"2025-03-29T04:07:17.999Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/seemoo-lab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-02-25T07:38:21.000Z","updated_at":"2025-03-10T01:44:37.000Z","dependencies_parsed_at":"2023-04-23T16:46:31.167Z","dependency_job_id":null,"html_url":"https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seemoo-lab%2Fmobisys2018_nexmon_software_defined_radio","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seemoo-lab%2Fmobisys2018_nexmon_software_defined_radio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seemoo-lab%2Fmobisys2018_nexmon_software_defined_radio/releases","manifests_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/seemoo-lab%2Fmobisys2018_nexmon_software_defined_radio/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/seemoo-lab","download_url":"https://codeload.github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247289426,"owners_count":20914464,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T14:00:50.408Z","updated_at":"2025-04-05T05:06:06.602Z","avatar_url":"https://github.com/seemoo-lab.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"![NexMon logo](https://github.com/seemoo-lab/nexmon/raw/master/gfx/nexmon.png)\n\n# Nexmon Software Defined Radio\n\nThis project demonstrates our discovery that turns Broadcom's 802.11ac Wi-Fi chips into\nsoftware-defined radios that transmit arbitrary signals in the Wi-Fi bands. In this example,\nwe patch the Wi-Fi firmware of BCM4339 devices installed in Nexus 5 smartphones and BCM43455c0\ndevices installed in Raspberry Pi B3+ computers. The Raspberry Pi B3 will never be supported as\nit only contains an 802.11n PHY. The firmware patch activates three ioctls:\n\n1. `NEX_WRITE_TEMPLATE_RAM` (426) writes arbitrary data into Template RAM that stores the raw\n   IQ samples that we may transmit. 
The ioctl's payload contains (1) an int32 value indicating\n   the offset where data should be written in Template RAM in bytes, (2) an int32 value \n   indicating the length of the data that should be written and (3) the IQ samples as an array of\n   IQ values, where I (inphase components) and Q (quadrature components) are stored as int16 \n   numbers.\n\n2. `NEX_SDR_START_TRANSMISSION` (427) triggers the transmission of IQ samples. The ioctl's\n    payload contains (1) an int32 value indicating the number of samples to transmit, (2) an \n    int32 value indicating the offset where the signal starts in Template RAM, (3) an int32 \n    value indicating a chanspec (channel number, bandwidth, band, ...), (4) an int32 value\n    indicating the power index (lower value means higher output power), and (5) an int32\n    value indicating whether to loop over the IQ samples or transmit them only once.\n\n3. `NEX_SDR_STOP_TRANSMISSION` (428) stops a transmission started using \n   `NEX_SDR_START_TRANSMISSION`.\n\n# Transmitting an Example Signal\n\nThe directory `payload_generation` contains the MATLAB script `generate_frame.m` that generates\na Wi-Fi beacon frame with SSID `MyCovertChannel`. The generated IQ samples are written to a bash\nscript that calls `nexutil` from the nexmon.org project to load the samples into the Wi-Fi \nchip's Template RAM by using ioctls. You can either generate your own signals or use the\nexample `myframe.sh` file for transmitting the generated Wi-Fi frame. To this end, follow the\nGetting Started instructions below to install our patched Wi-Fi firmware on a Nexus 5 smartphone.\nThen, you need to copy `myframe.sh` to a directory that allows execution (such as `/su/xbin/`).\nTo load the samples and start a single transmission, simply execute the bash script and \nobserve the results by listening with a Wi-Fi sniffer on channel 1. A suitable Wireshark filter\nis `wlan.addr == 82:7b:be:f0:96:e0`. 
Of course, you are not limited to transmitting handcrafted\nWi-Fi signals; you can transmit whatever you like in the 2.4 and 5 GHz bands. Nevertheless, you\nhave to obey your local laws on transmitting signals, which might prohibit you from transmitting any\nsignal at all.\n\n# Extract from our License\n\nAny use of the Software which results in an academic publication or\nother publication which includes a bibliography must include\ncitations to the nexmon project a) and the paper cited under b) or \nthe thesis cited under c):\n\n   a) \"Matthias Schulz, Daniel Wegemer and Matthias Hollick. Nexmon:\n       The C-based Firmware Patching Framework. https://nexmon.org\"\n\n   b) \"Matthias Schulz, Jakob Link, Francesco Gringoli, and Matthias \n       Hollick. Shadow Wi-Fi: Teaching Smartphones to Transmit Raw \n       Signals and to Extract Channel State Information to Implement \n       Practical Covert Channels over Wi-Fi. Accepted to appear in \n       Proceedings of the 16th ACM International Conference on Mobile \n       Systems, Applications, and Services (MobiSys 2018), June 2018.\"\n\n   c) \"Matthias Schulz. Teaching Your Wireless Card New Tricks: \n       Smartphone Performance and Security Enhancements through Wi-Fi\n       Firmware Modifications. Dr.-Ing. thesis, Technische Universität\n       Darmstadt, Germany, February 2018.\"\n\n# Getting Started\n\nTo compile the source code, you are required to first clone the original nexmon repository \nthat contains our C-based patching framework for Wi-Fi firmware. Then you clone this \nrepository as one of the sub-projects in the corresponding patches sub-directory. This \nallows you to build and compile all the firmware patches required to repeat our experiments.\nThe following steps will get you started on Xubuntu 16.04 LTS:\n\n1. Install some dependencies: `sudo apt-get install git gawk qpdf adb`\n2. 
**Only necessary for x86_64 systems**, install i386 libs: \n\n  ```\n  sudo dpkg --add-architecture i386\n  sudo apt-get update\n  sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386\n  ```\n3. Clone the nexmon base repository: `git clone https://github.com/seemoo-lab/nexmon.git`.\n4. Download and extract Android NDK r11c (use exactly this version!).\n5. Export the NDK_ROOT environment variable pointing to the location where you extracted the \n   ndk so that it can be found by our build environment.\n6. Navigate to the previously cloned nexmon directory and execute `source setup_env.sh` to set \n   a couple of environment variables.\n7. Run `make` to extract ucode, templateram and flashpatches from the original firmwares.\n8. Navigate to utilities and run `make` to build all utilities such as nexmon.\n9. Attach your rooted Nexus 5 smartphone running stock firmware version 6.0.1 (M4B30Z, Dec 2016).\n10. Run `make install` to install all the built utilities on your phone.\n11. Navigate to patches/bcm4339/6_37_34_43/ and clone this repository: \n    `git clone https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio.git`\n12. Enter the created subdirectory mobisys2018_nexmon_software_defined_radio and run \n    `make install-firmware` to compile our firmware patch and install it on the attached Nexus 5 \n    smartphone or run `make install-rpi3plus` to compile our firmware patch and install it on\n    a Raspberry Pi B3+.\n\n# References\n\n* Matthias Schulz, Daniel Wegemer and Matthias Hollick. **Nexmon: The C-based Firmware Patching \n  Framework**. https://nexmon.org\n* Matthias Schulz, Jakob Link, Francesco Gringoli, and Matthias Hollick. **Shadow Wi-Fi: Teaching \n  Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement \n  Practical Covert Channels over Wi-Fi**. 
Accepted to appear in *Proceedings of the 16th ACM \n  International Conference on Mobile Systems, Applications, and Services*, MobiSys 2018, June 2018.\n* Matthias Schulz. **Teaching Your Wireless Card New Tricks: Smartphone Performance and Security \n  Enhancements through Wi-Fi Firmware Modifications**. Dr.-Ing. thesis, Technische Universität\n  Darmstadt, Germany, February 2018.\n\n[Get references as bibtex file](https://nexmon.org/bib)\n\n# Contact\n\n* [Matthias Schulz](https://seemoo.tu-darmstadt.de/mschulz) \u003cmschulz@seemoo.tu-darmstadt.de\u003e\n\n# Powered By\n\n## Secure Mobile Networking Lab (SEEMOO)\n\u003ca href=\"https://www.seemoo.tu-darmstadt.de\"\u003e![SEEMOO logo](https://github.com/seemoo-lab/nexmon/raw/master/gfx/seemoo.png)\u003c/a\u003e\n## Networked Infrastructureless Cooperation for Emergency Response (NICER)\n\u003ca href=\"https://www.nicer.tu-darmstadt.de\"\u003e![NICER logo](https://github.com/seemoo-lab/nexmon/raw/master/gfx/nicer.png)\u003c/a\u003e\n## Multi-Mechanisms Adaptation for the Future Internet (MAKI)\n\u003ca href=\"http://www.maki.tu-darmstadt.de/\"\u003e![MAKI logo](https://github.com/seemoo-lab/nexmon/raw/master/gfx/maki.png)\u003c/a\u003e\n## Technische Universität Darmstadt\n\u003ca href=\"https://www.tu-darmstadt.de/index.en.jsp\"\u003e![TU Darmstadt logo](https://github.com/seemoo-lab/nexmon/raw/master/gfx/tudarmstadt.png)\u003c/a\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseemoo-lab%2Fmobisys2018_nexmon_software_defined_radio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fseemoo-lab%2Fmobisys2018_nexmon_software_defined_radio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseemoo-lab%2Fmobisys2018_nexmon_software_defined_radio/lists"}