wifiFirmwareLoader

[BooCocky]

I was playing around with aircrack today and installed the tiacx100/111 drivers firmware.  I think they are useless, but when installing them with airdriver

Code: [Select]

airdriver-ng install_firmware 0
They install to /lib/firmware/tiacx100xxx

So I was playing around with /usr/libexec/wifiFirmwareLoader and found that with the -f flag I can list the loaded firmware in /usr/share/firmware/wifi/loco.bin

And you can load other firmware with the -F flag if you specify the path to the firmware.  So for ****s and giggles I installed the tiacx firmware with airdriver and loaded it with

Code: [Select]

/usr/libexec/wifiFirmwareLoader -F /lib/firmware/tiacx111c19
and it loaded fine.  Although my wirless stopped working.   Until a reboot.  So this means that you can load other wireless drivers into the kernel.   Next step would  be to reverse engineer /usr/share/firmware/wifi/loco.bin then maybe figure somthing out lol.  Just post this because i thought ut was interesting.

[Apetrick]

So we can load our own drivers on the ipod/iphone. Boo you are a LEGEND. Do you think we could achieve monitor mode with a right driver?

[BooCocky]

Monitor mode doesnt depend on the driver really.  Its just the wireless card disabling its BSSID filter (slut mode).  Think about this for a second.... The Settings.app and many others can stumble upon nearby wireless networks.  So why not take that code and make a command line stumbler that can sniff packets from non-associated BSSIDS, AND inject packets with lorcon using a newly ported driver,  or reverse engineer the existing one? 

   I dont know any objective-C so I was hoping to use a python wrapper but pyobjc for iOS is broken.   So i may have to bite the bulet and learn a little objc just for the stumbler part and wrap the rest with Cython.

[Apetrick]

That is actually really smart boo never thought of that working that way. Maybe somebody who knows obj-c could help like c0de. But i have a question is the BSSID filter enabled/didabled in the kernel or is in the card and we cant access that because of the kernel or is it just not their.

[Trcx528]

Time to open up IDA pro and get cracking on reversing loco.  If only I knew a little more assembly. 

[A12danrulz]

Lol

[Apetrick]

Yeh i tried learning assembly about a month ago and had no chance its to confuzing with alm the r1 and r2 stuff

[StealthHacker]

Boo the legend has struck again. Nice job bro.

[C0deH4cker]

boo: on my iPad there is no /usr/stash, though i did find /usr/share/firmware/wifi/4329c0/, which contains second.txt and second.bin. Here are the contents of second.txt:



sromrev=3
vendid=0x14e4
devid=0x432e
boardtype=0x509
boardrev=0x11
boardflags=0x10003200
xtalfreq=37400
aa2g=1
aa5g=1
ag0=0x81
ag1=0x84
pa0b0=5885
pa0b1=64203
pa0b2=65262
pa0itssit=62
pa0maxpwr=70
opo=0
ofdmpo=0x00000000
mcs2gpo0=0x0000
mcs2gpo1=0x3000
cckdigfilttype=1
pa1lob0=5854
pa1lob1=64186
pa1lob2=65195
pa1b0=5554
pa1b1=64273
pa1b2=65226
pa1hib0=5348
pa1hib1=64279
pa1hib2=65203
pa1itssit=62
pa1maxpwr=66
opo=0
ofdmalpo=0x00000000
ofdmapo=0x00000000
ofdmahpo=0x00000000
mcs5gpo=0x60000000
rssismf2g=0xa
rssismc2g=0xb
rssisav2g=0x3
bxa2g=0
rssismf5g=0x8
rssismc5g=0x6
rssisav5g=0x0
bxa2g=0
ccode=XZ
regrev=6
cctl=0x0
rxpo2g=2
rxpo5g=0
5g_cga=0xff,0xff,0x0,0x1,0x1,0x0,0x0,0x0,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0
boardnum=2048
sd_gpout=1
sd_gpval=1
sd_gpdc=0x003c003c
otpimagesize=182
hwhdr=0x05ffff031030031003100000
RAW1=80 02 fe ff
nvramver=4.221.90

[Apetrick]

Yeh i think he messed up. I have basiclly the same thing in my .txt just a few things different like the nvram version.

[BooCocky]

messed up? 

[Apetrick]

Yeh in the OP you said
/usr/stash/ and its

/usr/share/firmware/wifi
Thats what i ment

[BooCocky]

Oops, i fixed it

Yea Ive been trying to write a command line stumbler using snippets from iphone-wireless on googlecode.  Its not going so good lol. 

[Apetrick]

Wwhats wrong with it when you try it?

[BooCocky]

Well there is alot of different things I am trying.  The most promising is using the stumbler version for iOS5 source code


 Here is SOLStumbler.m

Code: [Select]

//
//  SOLStumbler.m
//  StumblerIOS5
//
//  Created by Guvener Gokce on 11/5/11.
//  Copyright (c) 2011 RIA/Cocoa Developer. All rights reserved.
//


#import "SOLStumbler.h"
@implementation SOLStumbler
- (id)init
{
        self = [super init];
        
        networks = [[NSMutableDictionary alloc] init];
        libHandle = dlopen("/System/Library/SystemConfiguration/IPConfiguration.bundle/IPConfiguration", RTLD_LAZY);
        char *error;
        if (libHandle == NULL && (error = dlerror()) != NULL)  {
                NSLog(@"%c",error);
                exit(1);
        }
        apple80211Open = dlsym(libHandle, "Apple80211Open");
        apple80211Bind = dlsym(libHandle, "Apple80211BindToInterface");
        apple80211Close = dlsym(libHandle, "Apple80211Close");
        apple80211Scan = dlsym(libHandle, "Apple80211Scan");
        apple80211Open(&airportHandle);
        apple80211Bind(airportHandle, @"en0"); 
        return self;
}

- (NSDictionary *)network:(NSString *) BSSID
{
        return [networks objectForKey:@"BSSID"];
}

- (NSDictionary *)networks
{
        return networks;
}

- (void)scanNetworks
{
        NSLog(@"Scanning WiFi Channels...");
        
        NSDictionary *parameters = [[NSDictionary alloc] init];
        NSArray *scan_networks; //is a CFArrayRef of CFDictionaryRef(s) containing key/value data on each discovered network
        apple80211Scan(airportHandle, &scan_networks, parameters);
        NSLog(@"===--======\n%@",scan_networks);
        for (int i = 0; i < [scan_networks count]; i++) {
                [networks setObject:[scan_networks objectAtIndex: i] forKey:[[scan_networks objectAtIndex: i] objectForKey:@"BSSID"]];
        }
        NSLog(@"Scanning WiFi Channels Finished.");     
}

- (int)numberOfNetworks
{
        return [networks count];
}

- ( NSString * ) description {
        NSMutableString *result = [[NSMutableString alloc] initWithString:@"Networks State: \n"];
        for (id key in networks){
                [result appendString:[NSString stringWithFormat:@"%@ (MAC: %@), RSSI: %@, Channel: %@ \n", 
                                                          [[networks objectForKey: key] objectForKey:@"SSID_STR"], //Station Name
                                                          key, //Station BBSID (MAC Address)
                                                          [[networks objectForKey: key] objectForKey:@"RSSI"], //Signal Strength
                                                          [[networks objectForKey: key] objectForKey:@"CHANNEL"]  //Operating Channel
                                                          ]];
        }
        return [NSString stringWithString:result];
}

- (void) dealloc {
        apple80211Close(airportHandle);
        [super dealloc];
}
@end

and here is SOLStumbler.h

Code: [Select]

//
//  SOLStumbler.h
//  StumblerIOS5
//
//  Created by Guvener Gokce on 11/5/11.
//  Copyright (c) 2011 RIA/Cocoa Developer. All rights reserved.
//

#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>
#include <dlfcn.h>
@interface SOLStumbler : NSObject {
        NSMutableDictionary *networks; //Key: MAC Address (BSSID)
        
        void *libHandle;
        void *airportHandle;    
        int (*apple80211Open)(void *);
        int (*apple80211Bind)(void *, NSString *);
        int (*apple80211Close)(void *);
        int (*associate)(void *, NSDictionary*, NSString*);
        int (*apple80211Scan)(void *, NSArray **, void *);
}
- (NSDictionary *)networks;                                                             //returns all 802.11 scanned network(s)
- (NSDictionary *)network:(NSString *) BSSID;                   //return specific 802.11 network by BSSID (MAC Address)
- (void)scanNetworks;
- (int)numberOfNetworks;
@end


The problem is writing main.m.  Im not sure how to do that.