Hi all,
I've been digging around to try to gain access to the WiFi stack from a rooted Android device. What I am interested in is capturing the 802.11 radio headers. I've done a bunch of searching, and it seems like getting the card into promiscuous/monitor mode is out of the question. I haven't been able to find anyone to do it. But even without being in this mode, I am wondering if it is possible to get 802.11 headers.
I've downloaded the android-wifi-tether project to get the tools it has pre-built and installed on the file system, such as iwconfig, and I've also installed tcpdump.
I cannot get the card into monitor mode, as was expected:
Code:
# ./iwconfig tiwlan0 mode monitor
Error for wireless request "Set Mode" (8B06) :
SET failed on device tiwlan0 ; Operation not supported on transport endpoint.
That's fine. But when I use tcpdump, it seems as though the lowest layer of information available is the Ethernet/IP information:
Code:
# /data/tcpdump -i tiwlan0 -L
tcpdump: WARNING: can't create rx ring on packet socket 3: 92-Protocol not available
Data link types (use option -y to set):
DOCSIS (DOCSIS) (printing not supported)
EN10MB (Ethernet)
So for example, if I tcpdump:
Code:
07:51:21.793444 IP 192.168.1.103.34528 > 64.233.169.193.443: Flags [S], seq 3412091441, win 5840, options [mss 1460,sackOK,TS[|tcp]>
07:51:22.096239 IP 64.233.169.193.443 > 192.168.1.103.34528: Flags [S.], seq 513767123, ack 3412091442, win 5672, options [mss 1430,sackOK,TS[|tcp]>
Has anyone been able to dig any lower in the networking stack?
Thanks!
George
OK, I've done a significant amount of digging, and luckily the TI wl1271 wireless driver is built as a kernel module (I'm using a Droid 1). The "dmesg" output provides some hints that the TIWLAN module is active and parsing incoming packets at the lower layer:
Code:
<6>[ 5940.231292] TIWLAN: 3835.067243: rx , ERROR: rxData_receivePacketFromWlan() : MLME returned error
The code for this function can be found here, and even better, the low-level packet information (e.g., RSSI) is available in this function:
Code:
/*
* Set rx attributes
*/
RxAttr.channel = pRxParams->channel;
RxAttr.packetInfo = pRxParams->flags;
RxAttr.ePacketType= pRxParams->packet_class_tag;
RxAttr.Rate = appRate;
RxAttr.Rssi = pRxParams->rx_level;
RxAttr.SNR = pRxParams->rx_snr;
RxAttr.status = pRxParams->status & RX_DESC_STATUS_MASK;
I'm also wondering whether or not it might be possible to drop the card into promiscuous mode with some driver hacking. It appears to be possible through the RX filter, albeit maybe not supported by the actual firmware (that would suck):
Code:
#define RX_CFG_PROMISCUOUS 0x0008 /* promiscuous - receives all valid frames */
#define RX_CFG_BSSID 0x0020 /* receives frames from any BSSID */
#define RX_CFG_MAC 0x0010 /* receives frames destined to any MAC address */
#define RX_CFG_ENABLE_ONLY_MY_DEST_MAC 0x0010
I too want to capture WiFi packet headers on Android using tcpdump. I am using an HTC dream phone (Android 1.6, Wi-Fi (802.11b/g) using a Texas Instruments WL1251B chipset). The default TI driver filters the 802.11 packet headers while doing a packet capture on the device using tcpdump. Did you figure out a way to capture the 802.11 headers using the default TI driver?
Also, I was looking at installing a mac80211 based driver on an android device. I followed the instructions to create the kernel modules and loaded them up on the phone. But, I could not activate the WiFi interface after doing so (though I saw the "wlan0" interface indicating that the mac80211 driver was loaded).
So, I am stuck at this point. Can you provide some directions from here?
Thanks
Ashish
I'm trying to get VPN Connections or vpnc working on the Thunderbolt.
I'm running BAMF 1.5 which is supposed to have tun support. I can connect to my VPN (Cisco IPsec) just fine, but I can't get any traffic to actually route over it.
Any suggestions?
I don't know enough about VPN to mess with it, but I did add it built in. If it needs it as a module instead, let me know.
Unfortunately I don't know much about it either. The only thing I do know is that tun.ko needs to be compiled for each phone/ROM individually. Beyond that, I have no idea.
Well, if I get a chance today, I'll work up a tun.ko module that matches a kernel for ya. Maybe it will work better. I had assumed, perhaps erroneously, that built in support would be fine.
Try this.
http://www.mediafire.com/file/bf30vdk4ccyyfjx/bamf_4.4.3_beta.zip
Thanks, I flashed it but still getting the same thing: VPN connects but no traffic gets routed through it.
Here's the log from VPNC (hand typed since I don't see a way to copy it):
Enter IPsec secret for [redacted]
Enter password for [redacted]
pre-init phase...
connect phase...
vpnc-script ran to completion
vpnc[5489]: select: Interrupted system call
vpnc[5489]: terminated by signal: 15
disconnect phase...
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
ip: RTNETLINK answers: No such process
vpnc version ERSION
IKE SA selected psk+xauth-aes128-sha1
NAT status: this end behind NAT? YES -- remote end got address [redacted]
IPSEC SA selected aes256-sha1
VPNC started in foreground...
Stoli/Adrynalyne,
I have the same thing, and so far, it has been the same for all kernels that support tun (I have tried 2 or 3). I think that Stoli is onto something - the ROM needs to be built to support tun.ko. That said, I haven't actually tried the 4.4.3 mentioned above yet - only the 4.4.2 kernel baked into BAMF 1.5
I'll keep an eye on this thread and maybe do some VPN debugging on my end to see what happens...
Seth
That's entirely possible. Today is the first time I've tried to setup vpnc on my Thunderbolt. Worked like a charm on my Nexus One running CM7.
The ROM isn't what supports tun, it's the kernel.
The ramdisk was supposed to load the module, but perhaps it did not.
Try this:
su
insmod /system/lib/modules/tun.ko
This goes in conjunction with the kernel I posted.
I get:
insmod: init_module '/system/lib/modules/tun.ko' failed (File exists)
Then it's already loaded.
adrynalyne said:
The ROM isn't what supports tun, it's the kernel.
That may be, you know a lot more about developing than I do. I did notice, however, that in previous ROMs with my D1 I would not only have to have a kernel that supported tun, but I would also have to have the tun.ko module loaded in system/lib/modules. Maybe you could glean a little info from this:
http://www.droidforums.net/forum/team-d1-miui/95453-anyone-using-cisco-vpn-miui-2.html
I have never had the problem that I am seeing with the Thunderbolt, however. Usually VPN connections would FC if it wasn't working properly. I've never been able to establish the VPN but been unable to pass data...
Sounds like a routing issue to me, but could be wrong.
Seth
sethschmautz said:
I have never had the problem that I am seeing with the Thunderbolt, however. Usually VPN connections would FC if it wasn't working properly. I've never been able to establish the VPN but been unable to pass data...
Sounds like a routing issue to me, but could be wrong.
That's been my past experience as well. If you had the wrong settings or your ROM/kernel didn't support tun, then you would get a FC when trying to connect. With the TBolt, the VPN connects but just won't route. I wish I knew more about how the routing tables work so I could help...
Hi, the VPNC Connection and the VPNC widget will show connected but the routing won't work on Verizon's 3g/4g. Hook up to a wifi and then try the vpnc connection again - it should work. I use both of these and am having the same issues. It was never a problem on T-Mobile's 3g network. While connected, drop to a command line (terminal or over adb) and do:
#route
and
#ip route
and
#ifconfig
this will tell the tale. I've been playing with the routes but no good so far.
The dev for vpnc connection seems to have stopped supporting his app. I downloaded his source and have been playing with it.
The dev for vpnc widget is very good and is very active right now - I'm hopeful he can find a solution soon.
Edit: AFAIK it is not rom or kernel related. This is a routing issue with Verizon. I ran all kinds of ROMs and kernels on my G1 and my N1 while with Tmobile and never had a problem as long as you had busybox installed and the tun module was configured (CONFIG_TUN=y) in the kernel during compiling.
Edit2: I put my TBolt in wifi tethering mode and connected my laptop. Then I put my laptop in vpn mode - it also connects successfully but will not route. So, that is why I figure it is a problem with Verizon and routing.
Edit3: Very interesting. The new radio/rom base yields different results in the route and ip route.
Code:
# ifconfig
eth0 Link encap:Ethernet HWaddr 7C:61:93:11:8A:0C
inet addr:10.211.94.178 Bcast:10.211.94.255 Mask:255.255.255.128
inet6 addr: fe80::7e61:93ff:fe11:8a0c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:460 errors:0 dropped:0 overruns:0 frame:0
TX packets:514 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:356464 (348.1 KiB) TX bytes:82262 (80.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:113 errors:0 dropped:0 overruns:0 frame:0
TX packets:113 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6511 (6.3 KiB) TX bytes:6511 (6.3 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.65.200.1 P-t-P:10.65.200.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
RX packets:104 errors:0 dropped:0 overruns:0 frame:0
TX packets:112 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:68893 (67.2 KiB) TX bytes:11262 (10.9 KiB)
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.211.94.128 * 255.255.255.128 U 0 0 0 eth0
default 10.211.94.129 0.0.0.0 UG 0 0 0 eth0
# ip route
10.211.94.128/25 dev eth0 proto kernel scope link src 10.211.94.178
default via 10.211.94.129 dev eth0
# ping www.google.com
PING www.l.google.com (74.125.65.103) 56(84) bytes of data.
64 bytes from gx-in-f103.1e100.net (74.125.65.103): icmp_seq=1 ttl=49 time=22.7 ms
64 bytes from gx-in-f103.1e100.net (74.125.65.103): icmp_seq=2 ttl=49 time=23.5 ms
The tun0 doesn't even show up in the route although it is working - I connect just fine to servers behind the VPN. Very interesting.
Okay, I experimented a bit more. I used the LTE OnOff app to set my TBolt into "CDMA only" mode (CDMA auto doesn't work). Waited for ping test to pass. Connected via VPNC widget and voila it works!
Code:
# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:221 errors:0 dropped:0 overruns:0 frame:0
TX packets:221 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14887 (14.5 KiB) TX bytes:14887 (14.5 KiB)
rmnet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:75.248.248.23 Mask:255.0.0.0
UP RUNNING MTU:1428 Metric:1
RX packets:100 errors:0 dropped:0 overruns:0 frame:0
TX packets:112 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:43139 (42.1 KiB) TX bytes:14202 (13.8 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.65.200.1 P-t-P:10.65.200.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Of course, the connection is pretty slow but it does point the finger at verizon's 4g being the culprit.
Edit: Remember to reboot your phone after clearing an unusable or non-working vpnc connection after disconnect. Remnants stay in that prevent it from working when it should work.
thanks for testing this. I was lost.
Does anyone know where to place *.p12 cert to create a L2TP/IPSec CRT connection? I put it in the root of the SD card but it keeps on saying "cert not found".
adrynalyne said:
thanks for testing this. I was lost.
My pleasure. I can't begin to do all the things you do for the community so am happy to help where I can.
I have been working with compiling vpnc binaries and creating custom kernels for myself with tun enabled since android 1.0. I love this stuff. It is critical for me to be able to vpn into work to do certain things at any hour of any day, so it is awesome for me to be able to do it all from my handheld and not have to lug around my laptop. lol
Ok I'm at a loss. With the wifi radio on, the VPN connects but I can't route. In fact, nothing routes...I can't ping www.google.com, let alone anything on the VPN.
I switched to CDMA only mode and the VPN won't connect at all.
I even tried wiping completely and it still doesn't work.
I don't know why or how, but my MAC address changes every time I turn on the wifi to a random MAC address from Texas Instruments instead of Motorola Mobility.
Sent from my XT720 using xda premium
take a look here:
http://forum.xda-developers.com/showthread.php?t=1244982&highlight=mac
probably the offending part is here:
Code:
service wlan_loader /system/bin/wlan_loader \
-f /system/etc/wifi/fw_wlan1271.bin -i /system/etc/wifi/tiwlan.ini \
-e /pds/wifi/nvs_map.bin
class post-zygote_services
disabled
oneshot
and more precisely in pds/wifi/nvs_map.bin
Probably the wlan_loader doesn't look there, or doesn't interpret it right ...
But without additional info it is just speculation ...
Basically, when the wireless module is unloaded, you don't have a wlan0 interface.
When you (actually the phone services) load the module, wlan0 appears, but with a 00:00:00:00:00:00 MAC address (if the module is the stock one).
After wlan_loader does its job, the MAC address is changed to the one specified in the nvs_map.bin file.
P.S. I did not check the above statement now; it is from memory, from when I had trouble with my phone's MAC ....
Hi All,
It is known that IP exclusion is almost impossible using the Android VPN Service API on a NON-ROOTED device.
But I have a rooted device, so I first connect the VPN (openvpn).
After that, from an ADB ROOT SHELL, I run the following command:
./route add -net <<DESTINATION_IP>> netmask 255.255.255.255 gw 192.168.1.1
For example if I run following command
./route add -net 141.101.120.15 netmask 255.255.255.255 gw 192.168.1.1
All traffic to whatismyip DOT com/ go directly ( Not passing through VPN )
Hence whatismyip.com reports my Local ISP IP in Its home page.
This way I could exclude IPs from the VPN path. This is working fine in ICS and Jelly Bean without any issue.
But this same procedure is not working in KitKat. I tested both 4.4.2 and 4.4.4.
If I modify the route, traffic still goes through the VPN path. Whatismyip.com displays the VPN server IP on its home page.
My KitKat routing table shows the following, the same as ICS and Jelly Bean. The command is successfully executed in the routing table, but it is just not working.
Can anybody please point out what changes I need to make for KITKAT.
Thank you
----Fresh Routing Table -----
Code:
ip route
default via 192.168.1.1 dev wlan0
default via 192.168.1.1 dev wlan0 metric 324
192.168.1.0/24 dev wlan0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.2 metric 324
192.168.1.1 dev wlan0 scope link
----- After VPN Connected------
Code:
ip route
default via 192.168.1.1 dev wlan0
default via 192.168.1.1 dev wlan0 metric 324
172.22.1.4/30 dev tun0 proto kernel scope link src 172.22.1.6
192.168.1.0/24 dev wlan0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.2 metric 324
192.168.1.1 dev wlan0 scope link
------ After whatismyip dot com [141.101.120.15] exclusion ------
Code:
ip route
default via 192.168.1.1 dev wlan0
default via 192.168.1.1 dev wlan0 metric 324
141.101.120.15 via 192.168.1.1 dev wlan0
172.22.1.4/30 dev tun1 proto kernel scope link src 172.22.1.6
192.168.1.0/24 dev wlan0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.2 metric 324
192.168.1.1 dev wlan0 scope link
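Added example (not part of the original post): a small route resolver run over the main table posted above. It shows that this table already resolves the excluded address to wlan0, so the main table alone does not account for traffic entering the tunnel; the kernel evaluates `ip rule` before any table, and a rule can hand traffic to a different table. The rule set and table 60 in the block are constructed for illustration and were not captured from a KitKat device.

```python
import ipaddress
# Main table copied from the post above (after the exclusion route was added).
MAIN = """\
default via 192.168.1.1 dev wlan0
default via 192.168.1.1 dev wlan0 metric 324
141.101.120.15 via 192.168.1.1 dev wlan0
172.22.1.4/30 dev tun1 proto kernel scope link src 172.22.1.6
192.168.1.0/24 dev wlan0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.2 metric 324
192.168.1.1 dev wlan0 scope link
"""
# Constructed for illustration (assumption): a VPN table and `ip rule` output
# that sends marked packets to it before the main table is consulted.
TABLE_60 = "default dev tun1 scope link\n"
RULES = """\
0:      from all lookup local
100:    from all fwmark 0x3c lookup 60
32766:  from all lookup main
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, device, metric) tuples."""
    routes = []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        attrs = dict(zip(tok[1:], tok[2:]))  # adjacent token pairs: "dev wlan0", "metric 324"
        routes.append((net, attrs.get("dev"), int(attrs.get("metric", 0))))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, lowest metric as tie-break; returns the device or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1] if hits else None

def parse_rules(text):
    """Turn `ip rule` lines into (priority, fwmark or None, table), lowest priority first."""
    rules = []
    for line in filter(str.strip, text.splitlines()):
        prio, rest = line.split(":", 1)
        attrs = dict(zip(rest.split(), rest.split()[1:]))
        mark = int(attrs["fwmark"].split("/")[0], 16) if "fwmark" in attrs else None
        rules.append((int(prio), mark, attrs["lookup"]))
    return sorted(rules, key=lambda r: r[0])

def egress(dst, fwmark, rules, tables):
    """First matching rule whose table holds a route for dst decides; returns (table, dev)."""
    for _prio, mark, table in rules:
        dev = lookup(tables.get(table, []), dst) if mark in (None, fwmark) else None
        if dev:
            return table, dev
    return None, None

TABLES = {"main": parse_routes(MAIN), "60": parse_routes(TABLE_60)}
```

On a device, the equivalent check is to read `ip rule` and then `ip route show table <N>` for each table the rules reference, rather than the main table alone.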
Hi All,
I have a stupid Juniper VPN device at work which does not support 64 bit linux clients using netconnect. I have found ways around this previously, but now we are setting up 2 factor auth which throws a lot of javascript into the mix, making the scripts I used pretty much obsolete. The Junos pulse client works well for android, so I am thinking I want to use an android device as a router. Connecting to the VPN and using wifi tethering does not work, same with USB tethering does not work, and those are not exactly what I want anyway.
So basically I want to be able to connect my Android device to my wifi here at home, connect to the VPN on it, run a script to do my setup on the Android device, and lastly add a route on my client PC to tunnel through the Android device. Here is what I tried so far on the device:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
ip rule add from all to 10.0.0.0/8 fwmark 0x3c lookup 60
and on the client PC:
Code:
route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.29
where 192.168.1.29 is the IP of my Android device, and 10.0.0.0/8 (I know it's lazy) is the IP range I want to go through tun0 on the device. This is however not working.
The only thing I need to do on a standard linux box to do this would be:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
And setup the same route command on the client but point it at the linux box instead. This currently works, but when we decide to flip the switch and use the 2 factor auth only I will not be able to make it work on a standard linux box, but 2 factor does work on android via the Junos app.
I fear I am missing something simple in Android land, please help...