Qualcomm QCACLD WiFi monitor mode for Android
- Host: GitHub
- URL: https://github.com/kimocoder/qualcomm_android_monitor_mode
- Owner: kimocoder
- Created: 2020-03-15T00:54:14.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2024-11-28T00:14:00.000Z (over 1 year ago)
- Last Synced: 2025-04-08T17:16:49.146Z (about 1 year ago)
- Topics: aircrack-ng, android, monitor-mode, nethunter, qualcomm, wifi
- Language: HTML
- Homepage: https://www.aircrack-ng.org
- Size: 114 KB
- Stars: 313
- Watchers: 32
- Forks: 56
- Open Issues: 43
README
# qualcomm_android_monitor_mode
Qualcomm QCACLD WiFi (Android) monitor mode
### NOTES
An update! This method now works OUT-of-the-BOX: it seems someone over at CodeAurora actually flipped the switch on monitor mode, so the kernel patch isn't really necessary, only for those on older/unmaintained kernels. Great news, less dirty tricks/patching needed.
### DEPENDENCIES
1. A rooted Android environment.
2. Either compile a kernel yourself (a NetHunter chroot works).
3. A WiFi chipset that actually uses the QCACLD driver/firmware.

Older devices/drivers need the patch from `files`; future 4.9, 4.14 and 4.19 kernels may have it WORKING from the vendor. See "LIST_OF_DEVICES.txt" for known working phones.
Use issue reports for comments and any new information that could help us get frame injection working on it.
### Howto get that MONITORING MODE working
Configure the device to deliver 802.11 packets in raw mode by writing the driver's `con_mode` parameter. Below is an example of starting and stopping monitor mode on the adapter (to be combined with channel settings and tcpdump).
Start monitor mode on adapter
```sh
ip link set wlan0 down
echo "4" > /sys/module/wlan/parameters/con_mode
ip link set wlan0 up
```
Stop monitor mode on adapter
```sh
ip link set wlan0 down
echo "0" > /sys/module/wlan/parameters/con_mode
ip link set wlan0 up
```
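One way to wrap the two toggles above so that the switch is checked rather than assumed (an added example, not code from the repository): it verifies that the `con_mode` parameter exists and is writable, reads it back after the write, and reports a switch the driver silently ignored. It assumes the module name `wlan`, the parameter path shown above and the interface `wlan0`; all of these are overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the repository): toggles QCACLD con_mode with checks.
# Assumed defaults, overridable from the environment: module "wlan", the
# parameter path shown in the README, and interface wlan0.
CON_MODE_PATH="${CON_MODE_PATH:-/sys/module/wlan/parameters/con_mode}"
IFACE="${IFACE:-wlan0}"

# Map a mode name to the con_mode value used on the page (4 = monitor,
# 0 = back to normal operation).
con_mode_value() {
    case "$1" in
        monitor) echo 4 ;;
        normal)  echo 0 ;;
        *) echo "unknown mode: $1 (use monitor or normal)" >&2; return 1 ;;
    esac
}

# Read the driver's current con_mode; fails if the parameter is absent,
# which usually means the QCACLD module is not loaded or has another name.
current_con_mode() {
    if [ ! -r "$CON_MODE_PATH" ]; then
        echo "no con_mode parameter at $CON_MODE_PATH" >&2
        return 1
    fi
    tr -d '[:space:]' < "$CON_MODE_PATH"
}

# Bring the interface down, write the mode, bring it up, then read the value
# back: a driver that does not support the mode may silently keep the old one.
set_con_mode() {
    value=$(con_mode_value "$1") || return 1
    if [ ! -w "$CON_MODE_PATH" ]; then
        echo "cannot write $CON_MODE_PATH (need root and a loaded QCACLD module)" >&2
        return 1
    fi
    ip link set "$IFACE" down || return 1
    printf '%s\n' "$value" > "$CON_MODE_PATH" || return 1
    ip link set "$IFACE" up || return 1
    actual=$(current_con_mode) || return 1
    if [ "$actual" != "$value" ]; then
        echo "driver reports con_mode=$actual, expected $value: switch rejected" >&2
        return 1
    fi
    echo "$IFACE: con_mode=$actual ($1 mode)"
}

# Usage: sh con_mode.sh monitor   |   sh con_mode.sh normal
if [ $# -eq 1 ]; then
    set_con_mode "$1"
fi
```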
### Information about frame injection
I've found phones with frame injection support present.
The phone is a OnePlus 3T with LineageOS 17.1; it has the QCACLD-2 driver, which QCACLD-3 replaced.
However, finding the solution in QCACLD-2 and porting it to QCACLD-3 seems like an OK solution instead of fiddling around half blind in QCACLD-3, where it was probably deactivated by Qualcomm.
Original commit where frame injection was added in QCACLD-2:
https://gitlab.com/Codeaurora/platform_vendor_qcom-opensource_wlan_qcacld-2.0/-/commit/3d3ad7877d1b4d097b4302a4293a1cbb2478e7bf
Got great news regarding QCACLD-3 frame/packet injection. Another device ordered for testing.
Research revealed this has been pushed to a few branches; the devices are BERYLLIUM and HELIUM for now. CAF tag: wlan-cld3.driver.lnx.2.0.r60-rel
Research links and base knowledge:
* For parsing frame injection capabilities you need the "radiotap iterator" available. If the radiotap iterator is found like below, the chance is high that frame capabilities are present.
  https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/blob/wlan-cld3.driver.lnx.2.0.r60-rel/components/pkt_capture/core/inc/wlan_pkt_capture_mon_thread.h#L124
* This string we will need to take note of, because it was added to toggle these capabilities specifically. You can see the radiotap parser defines its guarding.
  https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/blob/wlan-cld3.driver.lnx.2.0.r60-rel/components/pkt_capture/core/inc/wlan_pkt_capture_data_txrx.h#L36
* 'qcacld-3.0: Fill correct 802.11hdr in rx data pkts in pkt capture mode'
  https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/commit/60cebbb9e9884de7310623b25549c96e41f63333
* This is the struct where the packet/payload gets crafted:
  https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/blob/wlan-cld3.driver.lnx.2.0.r60-rel/components/pkt_capture/core/src/wlan_pkt_capture_main.c#L255

And we have more clues below:
* 'qcacld-3.0: Add INI parameter for packet capture mode support'
  https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/blob/wlan-cld3.driver.lnx.2.0.r60-rel/components/pkt_capture/dispatcher/inc/cfg_pkt_capture.h
* 'qcacld-3.0: vendor command changes to configure parameters for monitor mode'
  https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/-/commit/db872287ef87a6c2765a7612f1eb3246c98c48e0
* 'qcacld-3.0: Update path for monitor files'
  https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/commit/35736804a84aa4340102d2897e4bc5626761be83
* 'fw-api: Add hw headers for wkk monitor'
  https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/fw-api/-/commit/4b855f97afe633afe0addfb7f44865c88fc42c02
Thread will be updated.
### Logs / Outputs
* `iw phy0 info` output is over [here](https://github.com/kimocoder/qualcomm_android_monitor_mode/blob/master/docs/iwphy_output.txt)
### Downloads / Patches
* Android QCACLD-3.0 patch to enable monitor mode - [DOWNLOAD HERE](https://github.com/kimocoder/qualcomm_android_monitor_mode/raw/master/files/enable_monitor_mode.patch)
### Credits
* kimocoder
  * Twitter: https://twitter.com/kimocoder
* @Re4son
  * Url: https://github.com/Re4son
* @johanlike (DJY)
  * Url: https://github.com/johanlike
* Qualcomm
  * https://www.qualcomm.com
* CodeAurora
  * https://www.codeaurora.org


