Qualcomm QCACLD WiFi (Android) monitor mode
An update!
This method will work OUT-of-the-BOX, it seems someone over at CodeAurora actually flipped the switch
on monitor mode, so the kernel patch isn't really nescessary, only for they on older/unmaintained kernels.
Great news, less dirty tricks/patching needed. 1. A rooted Android environment.
2. Either compile a kernel yourself (NetHunter chroot works)
3. WiFi chipset that actually uses the QCACLD driver/firmware.
Older devices/drivers would need the patch from 'files', future kernels of 4.9, 4.14, 4.19
may have it WORKING from vendor. See "LIST_OF_DEVICES.txt" for known working phones.
Use issue reports for comments, new information that could help us get a working frame injection to it.Configure device to deliver 802.11 packets in raw mode. Below is the example of starting monitor mode and channel settings + tcpdump
Start monitor mode on adapter
ip link set wlan0 down
echo "4" > /sys/module/wlan/parameters/con_mode
ip link set wlan0 upStop monitor mode on adapter
ip link set wlan0 down
echo "0" > /sys/module/wlan/parameters/con_mode
ip link set wlan0 upI've found phones with frame injection support present. The phone is OnePlus 3T with lineageos 17.1, it has the QCACLD-2 driver, which QCACLD-3 replaced. However, finding the solution in QCACLD-2 to port to QCACLD-3 seems like an ok solution instead of fiddling around half blind in QCACLD-3, propably deactivated by Qualcomm.
Original commit where frame injection was added in QCACLD-2 https://gitlab.com/Codeaurora/platform_vendor_qcom-opensource_wlan_qcacld-2.0/-/commit/3d3ad7877d1b4d097b4302a4293a1cbb2478e7bf
Got great news regarding QCACLD-3 frame/packet injection. Another device ordered for testing.
Research recovered this has been pushed to a few branches, devices is: BERYLLIUM and HELIUM for now. CAF tag: wlan-cld3.driver.lnx.2.0.r60-rel
Research links and base knowledge ..
'For parsing frame injection capabilities you need "radiotap iterator" available.
If the radiotap iterator is found like below, the chance is big for frame capabilities.'
https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/blob/wlan-cld3.driver.lnx.2.0.r60-rel/components/pkt_capture/core/inc/wlan_pkt_capture_mon_thread.h#L124
'This string we will need to take a note of, because this was added to turn this capabilities of specific.
You see the radiotap parser defines its guarding.'
https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/blob/wlan-cld3.driver.lnx.2.0.r60-rel/components/pkt_capture/core/inc/wlan_pkt_capture_data_txrx.h#L36
'qcacld-3.0: Fill correct 802.11hdr in rx data pkts in pkt capture mode'
https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/commit/60cebbb9e9884de7310623b25549c96e41f63333
'this is the struct where the packet/payload gets crafted'
https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/blob/wlan-cld3.driver.lnx.2.0.r60-rel/components/pkt_capture/core/src/wlan_pkt_capture_main.c#L255
And we have more clues below:
'qcacld-3.0: Add INI parameter for packet capture mode support'
https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/blob/wlan-cld3.driver.lnx.2.0.r60-rel/components/pkt_capture/dispatcher/inc/cfg_pkt_capture.h
'qcacld-3.0: vendor command changes to configure parameters for monitor mode'
https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/-/commit/db872287ef87a6c2765a7612f1eb3246c98c48e0
'qcacld-3.0: Update path for monitor files'
https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/commit/35736804a84aa4340102d2897e4bc5626761be83
'fw-api: Add hw headers for wkk monitor'
https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/fw-api/-/commit/4b855f97afe633afe0addfb7f44865c88fc42c02Thread will be updated.
- 'iw phy0 info' output is over here
- Android QCACLD-3.0 patch to enable monitor mode - DOWNLOAD HERE
-
kimocoder
- Twitter: https://twitter.com/kimocoder
-
@Re4son
-
@johanlike (DJY)
-
Qualcomm
-
CodeAurora
