https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio
# Nexmon Software Defined Radio

This project demonstrates our discovery that turns Broadcom's 802.11ac Wi-Fi chips into software-defined radios that transmit arbitrary signals in the Wi-Fi bands. In this example, we patch the Wi-Fi firmware of BCM4339 devices installed in Nexus 5 smartphones and BCM43455c0 devices installed in Raspberry Pi B3+ computers. The Raspberry Pi B3 will never be supported as it only contains an 802.11n PHY.

The firmware patch activates three ioctls:

1. NEX_WRITE_TEMPLATE_RAM (426) writes arbitrary data into Template RAM, which stores the raw IQ samples that we may transmit. The ioctl's payload contains (1) an int32 value indicating the offset in bytes at which the data should be written in Template RAM, (2) an int32 value indicating the length of the data that should be written, and (3) the IQ samples as an array of IQ values, where I (in-phase) and Q (quadrature) components are stored as int16 numbers.
2. NEX_SDR_START_TRANSMISSION (427) triggers the transmission of IQ samples. The ioctl's payload contains (1) an int32 value indicating the number of samples to transmit, (2) an int32 value indicating the offset where the signal starts in Template RAM, (3) an int32 value indicating a chanspec (channel number, bandwidth, band, ...), (4) an int32 value indicating the power index (a lower value means higher output power), and (5) an int32 value indicating whether to loop over the IQ samples or transmit them only once.
3. NEX_SDR_STOP_TRANSMISSION (428) stops a transmission started using NEX_SDR_START_TRANSMISSION.

## Transmitting an Example Signal

The directory `payload_generation` contains the MATLAB script `generate_frame.m` that generates a Wi-Fi beacon frame with SSID MyCovertChannel. The generated IQ samples are written to a bash script that calls `nexutil` from the nexmon.org project to load the samples into the Wi-Fi chip's Template RAM using the ioctls above. You can either generate your own signals or use the example `myframe.sh` file to transmit the generated Wi-Fi frame. To this end, follow the Getting Started instructions below to install our patched Wi-Fi firmware on a Nexus 5 smartphone. Then copy `myframe.sh` to a directory that allows execution (such as `/su/xbin/`). To load the samples and start a single transmission, simply execute the bash script and observe the results by listening with a Wi-Fi sniffer on channel 1. A suitable Wireshark filter is `wlan.addr == 82:7b:be:f0:96:e0`. Of course, you are not limited to transmitting handcrafted Wi-Fi signals; you can transmit whatever you like in the 2.4 and 5 GHz bands.
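As an added example (not code from this repository), the following Python module packs the 426 and 427 payloads from the field layout described above and decodes a 426 payload with the bounds checks a firmware handler needs before it copies caller-supplied bytes into Template RAM. Assumptions: little-endian 32-bit fields, a constructed test tone from `make_tone`, and the placeholder `TEMPLATE_RAM_SIZE`, since the actual RAM size is not given here.

```python
import math
import struct

# Ioctl numbers as listed in the README.
NEX_WRITE_TEMPLATE_RAM = 426
NEX_SDR_START_TRANSMISSION = 427
NEX_SDR_STOP_TRANSMISSION = 428

# Assumption: Template RAM capacity used for the bounds check below. The real
# size is chip specific and not stated in the README; treat this as a placeholder.
TEMPLATE_RAM_SIZE = 64 * 1024

def make_tone(num_samples, cycles, amplitude=2000):
    """Constructed test signal: a single complex tone as a list of (I, Q) int16 pairs."""
    return [(int(round(amplitude * math.cos(2 * math.pi * cycles * n / num_samples))),
             int(round(amplitude * math.sin(2 * math.pi * cycles * n / num_samples))))
            for n in range(num_samples)]

def pack_write_template_ram(offset, iq):
    """Ioctl 426 payload: int32 byte offset, int32 byte length, then int16 I/Q pairs.
    Assumption: little-endian fields, as on the ARM cores inside these chips."""
    data = b"".join(struct.pack("<hh", i, q) for i, q in iq)
    return struct.pack("<ii", offset, len(data)) + data

def pack_start_transmission(num_samples, offset, chanspec, power_index, loop):
    """Ioctl 427 payload: five int32 fields in the order the README lists them."""
    return struct.pack("<iiiii", num_samples, offset, chanspec, power_index, 1 if loop else 0)

def parse_write_template_ram(payload, ram_size=TEMPLATE_RAM_SIZE):
    """Decode a 426 payload with the checks a handler must make before copying
    caller-supplied bytes into Template RAM: header present, non-negative fields,
    declared length equal to the bytes actually supplied, whole I/Q pairs only,
    and offset + length inside the RAM (in C, also guard that sum against overflow)."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte header")
    offset, length = struct.unpack_from("<ii", payload, 0)
    if offset < 0 or length < 0 or length % 4 != 0:
        raise ValueError("negative field or length not a multiple of one I/Q pair")
    if len(payload) - 8 != length:
        raise ValueError("declared length does not match the supplied data")
    if offset + length > ram_size:
        raise ValueError("write would run past the end of Template RAM")
    iq = [struct.unpack_from("<hh", payload, 8 + 4 * k) for k in range(length // 4)]
    return offset, iq

if __name__ == "__main__":
    tone = make_tone(64, 4)
    payload = pack_write_template_ram(0, tone)
    print(len(payload), "bytes for ioctl 426; decoded offset", parse_write_template_ram(payload)[0])
```

Whether the project's own ioctl handler performs these checks is not stated in the README; the decoder shows what a review of that handler should look for.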
Nevertheless, you have to obey your local laws for transmitting signals, which might prohibit you from transmitting any signal at all.

## Extract from our License

Any use of the Software which results in an academic publication or other publication which includes a bibliography must include citations to the nexmon project a) and the paper cited under b) or the thesis cited under c):

a) "Matthias Schulz, Daniel Wegemer and Matthias Hollick. Nexmon: The C-based Firmware Patching Framework. https://nexmon.org"

b) "Matthias Schulz, Jakob Link, Francesco Gringoli, and Matthias Hollick. Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement Practical Covert Channels over Wi-Fi. Accepted to appear in Proceedings of the 16th ACM International Conference on Mobile Systems, Applications, and Services (MobiSys 2018), June 2018."

c) "Matthias Schulz. Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements through Wi-Fi Firmware Modifications. Dr.-Ing. thesis, Technische Universität Darmstadt, Germany, February 2018."

## Getting Started

To compile the source code, you first need to clone the original nexmon repository that contains our C-based patching framework for Wi-Fi firmwares. Then you clone this repository as one of the sub-projects in the corresponding patches sub-directory. This allows you to build and compile all the firmware patches required to repeat our experiments. The following steps will get you started on Xubuntu 16.04 LTS:

1. Install some dependencies: `sudo apt-get install git gawk qpdf adb`
2. Only necessary on x86_64 systems, install the i386 libs: `sudo dpkg --add-architecture i386`, `sudo apt-get update`, `sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386`
3. Clone the nexmon base repository: `git clone https://github.com/seemoo-lab/nexmon.git`
4. Download and extract Android NDK r11c (use exactly this version!).
5. Export the NDK_ROOT environment variable pointing to the location where you extracted the NDK so that it can be found by our build environment.
6. Navigate to the previously cloned nexmon directory and execute `source setup_env.sh` to set a couple of environment variables.
7. Run `make` to extract ucode, templateram and flashpatches from the original firmwares.
8. Navigate to `utilities` and run `make` to build all utilities such as nexmon.
9. Attach your rooted Nexus 5 smartphone running stock firmware version 6.0.1 (M4B30Z, Dec 2016).
10. Run `make install` to install all the built utilities on your phone.
11. Navigate to `patches/bcm4339/6_37_34_43/` and clone this repository: `git clone https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio.git`
12. Enter the created subdirectory `mobisys2018_nexmon_software_defined_radio` and run `make install-firmware` to compile our firmware patch and install it on the attached Nexus 5 smartphone, or run `make install-rpi3plus` to compile our firmware patch and install it on a Raspberry Pi B3+.

## References

* Matthias Schulz, Daniel Wegemer and Matthias Hollick. Nexmon: The C-based Firmware Patching Framework. https://nexmon.org
* Matthias Schulz, Jakob Link, Francesco Gringoli, and Matthias Hollick. Shadow Wi-Fi: Teaching Smartphones to Transmit Raw Signals and to Extract Channel State Information to Implement Practical Covert Channels over Wi-Fi. Accepted to appear in Proceedings of the 16th ACM International Conference on Mobile Systems, Applications, and Services (MobiSys 2018), June 2018.
* Matthias Schulz. Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements through Wi-Fi Firmware Modifications. Dr.-Ing. thesis, Technische Universität Darmstadt, Germany, February 2018.

Get references as bibtex file

## Contact

* Matthias Schulz <mschulz@seemoo.tu-darmstadt.de>

## Powered By

* Secure Mobile Networking Lab (SEEMOO)
* Networked Infrastructureless Cooperation for Emergency Response (NICER)
* Multi-Mechanisms Adaptation for the Future Internet (MAKI)
* Technische Universität Darmstadt