Full Disclosure mailing list archives
[tool] Broadcom NDIS driver monitor enabler (or simply monitor mode for your macbook)
From: "Kacper Szczesniak" <kacper () qwe pl>
Date: Sat, 22 Nov 2008 20:59:04 +0100
INTRODUCTION

If you are an unlucky BCM432x (in terms of PCI IDs) user, like all MacBook owners since Santa Rosa, your wireless card is not supported by the bcm43xx driver. There are two possible solutions to this problem:

- use ndiswrapper (but you've been told that there's no monitor mode in NDIS<6 drivers)
- use the buggy and closed Broadcom wl driver

But unfortunately wl is also not capable of enabling monitor mode. This is strange, because in wlioctl.h you can find the following defines:

    #define WLC_GET_MONITOR 107
    #define WLC_SET_MONITOR 108

and there's also a function skeleton in wl_linux.c:

    void wl_set_monitor(wl_info_t *wl, int val)
    {
    }

So, how should it work? It should be possible to pass WLC_SET_MONITOR to the wl_ioctl() function inside the closed driver. I tried that. No luck. I disassembled the provided object and there seems to be no code that can handle a monitor mode request.

If there's no monitor mode support, what are the ioctl numbers for? It's just common to all Broadcom drivers. So I disassembled the bcmwl5.sys file. Here's the finding:

    .text:00038CE7 int __stdcall sub_38CE7(int Register, int, char *, int, int)

looks just like wl_ioctl()... and what's more:

    .text:00039037 mov al, [ebp+64h+var_D] ; jumptable 00038DF4 case 108

WLC_SET_MONITOR is handled inside the Windows NDIS driver! win_wl_ioctl() is never called directly; instead a few NDIS OIDs (eg. DISASSOCIATE) make use of it. But as far as I know there's no code that calls win_wl_ioctl() to enable monitor mode in the driver itself. Why is there unused code to handle monitor requests inside an NDIS driver but not in the Linux driver?! The question remains open.

We can try to make use of the gift found inside bcmwl5.sys. All we have to do is:

1. load the NDIS driver using ndiswrapper
2. find win_wl_ioctl()'s location in memory
3. find the location of the internal structure used by bcmwl5.sys
4. call it

Since the NDIS driver asks ndiswrapper to allocate memory for it, [3] is fairly easy.
Now we have our own full-featured wl_ioctl() function that can handle most of wlioctl.h (eg. SET_PASSIVE_SCAN).

The last thing is to receive data from the card set to monitor mode. The NDIS spec states that there's no other possibility than to receive Ethernet frames from the driver. That's true. bcmwl5.sys will give us 80211_RADIO_PRISM frames encapsulated in dummy Ethernet frames. All we need to do is strip them down inside ndiswrapper. Fully functional monitor mode inside an NDIS driver.

This method should work for all Broadcom cards supported by x86 bcmwl5.sys and, since there are no hardcoded offsets, possibly for others.

INSTALLATION

1. Download the bcmmon tarball from http://qwe.pl/~kacper/bcmmon.tar.bz2
2. Download the ndiswrapper source from http://ndiswrapper.sourceforge.net/
3. Extract the tarballs
   $ tar jxf bcmmon.tar.bz2
   $ tar zxf ndiswrapper-1.53.tar.gz
4. Patch ndiswrapper using bcmmon.diff
   $ patch -p1 < ./bcmmon.diff
5. Compile
   $ make
6. If you haven't configured ndiswrapper before, you can use the bcmwl5.sys extracted from bcmmon - this is the non-modified .sys file that I use
   # ndiswrapper -i bcmwl5.inf
7. Load the new ndiswrapper module
   # insmod ./ndiswrapper.ko

Note that this module is suitable for normal use, so you can just replace your original ndiswrapper module if it's working fine for you.

USAGE

# iwconfig wlan0 mode monitor
# ifconfig wlan0 up

Now you are ready to go, just fire up kismet (set source to orinoco) and enjoy! Then you can just get back to Infrastructure mode:

# ifconfig wlan0 down
# iwconfig wlan0 mode managed

cheers,
kacper

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
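Added example (editor's code, not part of the post above and not taken from the bcmmon patch): the receive-side step the post describes, namely stripping the dummy Ethernet frame that NDIS forces the driver to hand up and then locating the raw 802.11 frame behind the Prism monitoring header. Two things are assumptions rather than facts from the post: that the dummy Ethernet header is a plain 14-byte DIX header, and that the "80211_RADIO_PRISM" header is the 144-byte wlan-ng prism2 layout (msgcode 0x44) that Kismet's prism/orinoco source consumes. The frame bytes in build_sample() are constructed for the demo, not a real capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN      14    /* assumed: plain 14-byte DIX header on the dummy frame */
#define PRISM_MSGCODE 0x44  /* wlan-ng prism2 monitor header message code */
#define PRISM_HLEN    144   /* sizeof(struct prism_hdr), checked below */

/* One p80211item_uint32_t entry of the wlan-ng Prism header. */
struct prism_item { uint32_t did; uint16_t status; uint16_t len; uint32_t data; };

/* wlan-ng Prism monitoring header (assumed layout, as read by Kismet). */
struct prism_hdr {
    uint32_t msgcode, msglen;
    char     devname[16];
    struct prism_item hosttime, mactime, channel, rssi, sq,
                      signal, noise, rate, istx, frmlen;
};
typedef char prism_hdr_size_check[sizeof(struct prism_hdr) == PRISM_HLEN ? 1 : -1];

/* What a capture tool wants out of one monitor-mode frame. */
struct mon_frame {
    uint32_t channel;
    uint32_t frame_len;   /* length of the raw 802.11 frame */
    const uint8_t *dot11; /* start of the raw 802.11 frame */
    uint8_t fc_type;      /* 0 = management, 1 = control, 2 = data */
    uint8_t fc_subtype;
};

/* Step 1: drop the dummy Ethernet header. Returns remaining length or -1. */
static int strip_eth_header(const uint8_t *buf, size_t len, const uint8_t **payload)
{
    if (len < ETH_HLEN)
        return -1;
    *payload = buf + ETH_HLEN;
    return (int)(len - ETH_HLEN);
}

/* Step 2: validate the Prism header and find the 802.11 frame behind it.
 * Returns 0 on success, -1 on a short buffer, -2 on a bad header. */
static int parse_prism(const uint8_t *p, size_t len, struct mon_frame *out)
{
    struct prism_hdr h;
    if (len < PRISM_HLEN)
        return -1;
    /* Driver and host are the same x86 machine, so a host-order copy decodes it. */
    memcpy(&h, p, PRISM_HLEN);
    if (h.msgcode != PRISM_MSGCODE || h.msglen != PRISM_HLEN)
        return -2;
    out->channel   = h.channel.data;
    out->frame_len = h.frmlen.data;
    out->dot11     = p + PRISM_HLEN;
    /* Never trust the driver's frmlen over what was actually received. */
    if (out->frame_len > len - PRISM_HLEN || out->frame_len < 2)
        return -2;
    out->fc_type    = (out->dot11[0] >> 2) & 0x03;
    out->fc_subtype = (out->dot11[0] >> 4) & 0x0f;
    return 0;
}

/* Full path: dummy Ethernet frame in, parsed 802.11 frame out. */
int process_capture(const uint8_t *buf, size_t len, struct mon_frame *out)
{
    const uint8_t *p;
    int n = strip_eth_header(buf, len, &p);
    return n < 0 ? -1 : parse_prism(p, (size_t)n, out);
}

/* Constructed sample: zeroed Ethernet header, Prism header for channel 6,
 * and a 24-byte 802.11 beacon header with a made-up BSSID. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t beacon[24] = {
        0x80, 0x00, 0x00, 0x00,             /* FC: mgmt/beacon, duration 0 */
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* addr1: broadcast */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, /* addr2 */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, /* addr3 */
        0x10, 0x00                          /* sequence control */
    };
    struct prism_hdr h;
    size_t total = ETH_HLEN + PRISM_HLEN + sizeof beacon;
    if (cap < total)
        return 0;
    memset(&h, 0, sizeof h);
    h.msgcode = PRISM_MSGCODE;
    h.msglen  = PRISM_HLEN;
    strcpy(h.devname, "wlan0");
    h.channel.did = 0x3041; h.channel.len = 4; h.channel.data = 6;
    h.frmlen.did  = 0xa041; h.frmlen.len  = 4; h.frmlen.data  = sizeof beacon;
    memset(buf, 0, ETH_HLEN);
    memcpy(buf + ETH_HLEN, &h, PRISM_HLEN);
    memcpy(buf + ETH_HLEN + PRISM_HLEN, beacon, sizeof beacon);
    return total;
}

int main(void)
{
    uint8_t buf[256];
    struct mon_frame f;
    size_t n = build_sample(buf, sizeof buf);
    if (process_capture(buf, n, &f) != 0)
        return 1;
    printf("channel %u, %u-byte 802.11 frame, type %u subtype %u\n",
           f.channel, f.frame_len, f.fc_type, f.fc_subtype);
    return 0;
}
```

In ndiswrapper the same work would be done on the received NDIS packet before it is handed to the Linux stack, with the driver's frmlen bounded by the real packet length exactly as parse_prism() does; a driver that lies about frmlen must not be able to make the stripping code read past the buffer.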