zd1211rw

authored by sleek

Review and injection tutorial

The ZyDAS zd1211 and zd1211b (also known as AR5007UG) chips are among the most widely distributed wireless b/g chips on the market. They are also the cheapest: on eBay you can get one for about 5-6 USD, shipping included. At the same time, these chips are very stable, with excellent range and sensitivity under both Linux and Windows, and you can buy one with or without an external antenna. The zd1211rw driver, which covers these chips under Linux, is very well built, offering reliable wireless connectivity as well as injection and monitor-mode support for aircrack-ng's utilities.

The zd1211rw driver was included in the mainline kernel from 2.6.18 as a softmac driver, a version known to be notoriously unstable and heavily crippled in terms of aircrack-ng support. Things turned for the better when zd1211rw was ported to mac80211 in kernel 2.6.25, a move that gave it excellent support for injection and monitoring.

The only unsupported function is the fragmentation (-5) attack; a bug in the firmware prevents it. The fragmentation attack is not required for the zd1211rw driver to inject or capture packets; it is only one of the many attacks designed to break WEP encryption.

Overall, it's a great all-purpose chip to have for wireless auditing and general connectivity.

Patching

To enable injection, we'll have to patch the driver first.

Modern kernels

For modern kernels, good results can be obtained even when sticking closely to stock kernels.

Kernel 2.6.39+

See ticket 894 on the bugtracker.

1. cd into your kernel sources

2. Apply the patch:

wget -O - 'http://trac.aircrack-ng.org/raw-attachment/ticket/894/zd1211rw-inject+dbi-fix-2.6.39.2.patch' | patch -p0

3. Recompile and reload the driver as usual. Refer to your distro's kernel compilation documentation if necessary.

Kernel 2.6.34 - 2.6.38

1. cd into your kernel sources

2. Apply the patch:

wget -O - 'http://patches.aircrack-ng.org/zd1211rw-inject+dbi-fix-2.6.26.patch' | patch -p1

3. Recompile and reload the driver as usual. Refer to your distro's kernel compilation documentation if necessary.

Legacy kernels

On old kernels, you need to use the compat-wireless approach. The most frequent road block you'll stumble upon is compilation errors with compat-wireless. They're not necessarily your fault: every now and then compat-wireless tarballs are released with compilation errors, which are subsequently fixed. If this happens to you, simply download and install a version from the previous day or two.

Kernel 2.6.24+

1. Go to http://wireless.kernel.org/download/compat-wireless-2.6/, download the latest version of compat-wireless and untar it: tar xfj compat-wireless-2.6.tar.bz2

2. Next, cd to your /path/to/compat-wireless directory and download the three patches: zd1211rw-inject+dbi-fix-2.6.26.patch (required for injection), channel-negative-one-maxim.patch (the fixed channel patch) and mac80211.compat08082009.wl_frag+ack_v1.patch (for higher injection speed). See the general mac80211 wiki page for details.

3. Apply the patches:

patch -Np0 -i zd1211rw-inject+dbi-fix-2.6.26.patch
patch -Np1 -i mac80211.compat08082009.wl_frag+ack_v1.patch
patch -Np1 -i channel-negative-one-maxim.patch

Note: the xxxxx-xxxx-xxxx.patch files must be in your compat-wireless-xxxx-xx-xx directory while patching; otherwise you will be asked for the full path of the file that needs to be patched, for example /home/user/compat-wireless-xxxx-xx-xx/drivers/net/wireless/zd1211rw/zd_mac.c

4. Patching is complete and we are ready to compile the driver. Type make and wait a few minutes for the build to finish.

5. Barring any errors, install it: sudo make install

6. Before using the newly compiled driver, unload the old one: sudo make wlunload

7. To load the new driver, type sudo modprobe zd1211rw, or simply unplug and replug your USB adapter. Reboot if you're unsure.

8. That's it! This concludes the zd1211 injection tutorial. You should now be able to inject. Test your USB device by putting it into monitor mode (airmon-ng) and running the injection test:

# aireplay-ng -9 mon0
14:39:59  Trying broadcast probe requests...
14:39:59  Injection is working!
14:40:01  Found 1 AP
14:40:01  Trying directed probe requests...
14:40:01  00:00:00:00:00:00 - channel: 11 - 'LINKSYS'
14:40:01  Ping (min/avg/max): 0.881ms/12.418ms/37.725ms Power: -53.83
14:40:01  30/30: 100%

Voila ;-)

Known issues at this point: Fragmentation attack is not yet supported.

Kernels 2.6.23 and lower

As mentioned above, kernels prior to 2.6.25 (or 2.6.24 without compat-wireless) ship with the softmac version of the driver, which on its best day supports only half the functions, half the time. In other words, if you're stuck on an ancient kernel, you're pretty much out of luck. Your best bet is to either install a supported kernel or use one of the many Live CDs with pre-configured settings for aircrack-ng.

And if you're absolutely bent on installing the softmac driver on an old kernel, you can try this source code. Be warned: you'll be disappointed with the outcome.
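The three patching routes above (stock kernel 2.6.39+, stock kernel 2.6.34 - 2.6.38, compat-wireless for 2.6.24+, nothing for 2.6.23 and lower) differ only in which patch file and which -p strip level to use. The script below is an added example, not code from this wiki page, aircrack-ng or compat-wireless: it picks the route from the running kernel version and applies each patch only after a dry run succeeds, so a patch that does not match your tree leaves it untouched instead of scattering .rej files. It assumes GNU patch (for --dry-run) and wget; the patch names and URLs are the ones quoted above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example; not code from the wiki page, aircrack-ng or compat-wireless.
# Picks the zd1211rw injection-patch route from the kernel version and
# applies each patch only after a clean dry run. Assumes GNU patch and wget.

# kver_num VERSION: turn "2.6.39.2-foo" into the integer 2006039
# (major*10^6 + minor*10^3 + patch); the suffix after "-" and any fourth
# component are ignored so that distro version strings compare cleanly.
kver_num() {
    printf '%s\n' "$1" | sed 's/-.*//' \
        | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# patch_route VERSION: print the route described on this page for VERSION:
# mainline-894 (2.6.39+), mainline-2.6.26 (2.6.34 - 2.6.38),
# compat-wireless (2.6.24 - 2.6.33) or unsupported (softmac era, exit 1).
patch_route() {
    v=$(kver_num "$1")
    if   [ "$v" -ge "$(kver_num 2.6.39)" ]; then echo mainline-894
    elif [ "$v" -ge "$(kver_num 2.6.34)" ]; then echo mainline-2.6.26
    elif [ "$v" -ge "$(kver_num 2.6.24)" ]; then echo compat-wireless
    else echo unsupported; return 1
    fi
}

# apply_checked PATCHFILE STRIPLEVEL SRCDIR: run patch with --dry-run first
# and apply for real only if that reports no problems. -N skips patches that
# are already applied, so the dry run also catches a second run.
apply_checked() {
    case $1 in /*) p=$1 ;; *) p=$PWD/$1 ;; esac   # patch path relative to here
    if ! (cd "$3" && patch --dry-run -N -p"$2" -i "$p" >/dev/null); then
        echo "dry run of $1 failed in $3; not applying" >&2
        return 1
    fi
    (cd "$3" && patch -N -p"$2" -i "$p")
}

# patch_tree SRCDIR: fetch and apply the patches for the running kernel.
# SRCDIR is the kernel source tree, or the unpacked compat-wireless directory.
patch_tree() {
    tree=$1
    case $(patch_route "$(uname -r)") in
    mainline-894)
        wget -q 'http://trac.aircrack-ng.org/raw-attachment/ticket/894/zd1211rw-inject+dbi-fix-2.6.39.2.patch' &&
        apply_checked zd1211rw-inject+dbi-fix-2.6.39.2.patch 0 "$tree" ;;
    mainline-2.6.26)
        wget -q 'http://patches.aircrack-ng.org/zd1211rw-inject+dbi-fix-2.6.26.patch' &&
        apply_checked zd1211rw-inject+dbi-fix-2.6.26.patch 1 "$tree" ;;
    compat-wireless)
        # The three patches from step 2 of the compat-wireless section,
        # assumed to be already downloaded into the current directory.
        apply_checked zd1211rw-inject+dbi-fix-2.6.26.patch 0 "$tree" &&
        apply_checked mac80211.compat08082009.wl_frag+ack_v1.patch 1 "$tree" &&
        apply_checked channel-negative-one-maxim.patch 1 "$tree" ;;
    *)
        echo "kernel $(uname -r) ships the softmac driver; no injection patch applies" >&2
        return 1 ;;
    esac
}

# Usage: sh zd1211rw-patch.sh run /path/to/kernel-or-compat-wireless
# (the patches land in the current directory; make/make install follow as above)
if [ "${1:-}" = run ]; then
    patch_tree "$2"
fi
```

The script only patches; compiling and installing are still the make / make install / make wlunload steps above. If the dry run fails, check that you downloaded a compat-wireless tarball from a day the patch still applied to, as the legacy section explains.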

Troubleshooting

Couldn't load firmware. Error number -2

If dmesg has an error similar to the following:

 usb 1-1: Could not load firmware file zd1211/zd1211b_ub. Error number -2
 zd1211rw 1-1:1.0: couldn't load firmware. Error number -2

This means the firmware for your device is missing or in the wrong location. The firmware is downloaded to the device each time it is initialized by the kernel module and is required for your device to operate. The typical location is /lib/firmware/zd1211; keep in mind that this may vary for your specific distribution. Try this location first; if that fails, seek help from your distribution's support channels or review the source code of the zd1211rw module on your distribution.

On some distributions, the kernel version is included in the firmware path: /lib/firmware/<kernel version from uname -r>/zd1211. If this is the case then you may have to copy the firmware to the standard driver location or add a symbolic link. One way or another, the driver needs to be able to find the firmware.

You can obtain the firmware from:

  1. The package for your distribution. For example, under Fedora the RPM is named something like “zd1211-firmware-x.x-x.fcx”; on Gentoo, you can emerge net-wireless/zd1211-firmware.
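The check described in this section can be scripted. The following is an added example, not code from this wiki page or from the zd1211rw driver: it pulls the requested firmware file out of dmesg output, looks for it first in /lib/firmware and then in the kernel-versioned /lib/firmware/<uname -r> directory, and offers the symlink fix from the paragraph above. The dmesg text embedded in it is a constructed sample built from the error quoted on this page; the function names, and the root/kernel-version parameters that let the functions run against a scratch directory, are the example's own.

```shell
#!/bin/sh
# Added example; not code from the wiki page or the zd1211rw driver.
# Diagnoses "couldn't load firmware. Error number -2" by finding which file
# the driver asked for and where (if anywhere) it is installed.

# Constructed sample dmesg output, built from the error shown on this page.
SAMPLE_DMESG='usb 1-1: new high speed USB device using ehci_hcd and address 3
usb 1-1: Could not load firmware file zd1211/zd1211b_ub. Error number -2
zd1211rw 1-1:1.0: couldnt load firmware. Error number -2'

# missing_firmware DMESG_TEXT: print the relative firmware path named in the
# first "Could not load firmware file" line (e.g. zd1211/zd1211b_ub);
# exit 1 if no such line is present.
missing_firmware() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Could not load firmware file \([^ ]*\)\. Error.*/\1/p' \
        | head -n 1 | grep .
}

# locate_firmware FW [ROOT] [KVER]: print the firmware base directory that
# holds FW, checking ROOT/lib/firmware and then ROOT/lib/firmware/KVER.
# ROOT defaults to the real filesystem and KVER to uname -r; both exist as
# parameters so the function can be exercised against a scratch tree.
locate_firmware() {
    fw=$1; root=${2:-}; kver=${3:-$(uname -r)}
    for base in "$root/lib/firmware" "$root/lib/firmware/$kver"; do
        if [ -f "$base/$fw" ]; then
            printf '%s\n' "$base"
            return 0
        fi
    done
    return 1
}

# link_versioned_firmware FW [ROOT] [KVER]: when the firmware subdirectory
# (zd1211) exists only under the kernel-versioned path, symlink it to the
# standard location so the driver finds it. Returns 1 if there is nothing
# to link; does nothing if the standard path already exists.
link_versioned_firmware() {
    sub=$(dirname "$1"); root=${2:-}; kver=${3:-$(uname -r)}
    std="$root/lib/firmware/$sub"
    ver="$root/lib/firmware/$kver/$sub"
    if [ -e "$std" ]; then return 0; fi
    if [ ! -d "$ver" ]; then return 1; fi
    ln -s "$ver" "$std"
}

# report DMESG_TEXT: one-line verdict for the real filesystem.
report() {
    fw=$(missing_firmware "$1") || { echo "no firmware load error in dmesg"; return 0; }
    if dir=$(locate_firmware "$fw"); then
        case $dir in
        */lib/firmware) echo "$fw found under $dir" ;;
        *) echo "$fw exists only under $dir; run: link_versioned_firmware $fw" ;;
        esac
    else
        echo "$fw is missing; install the zd1211-firmware package so it lands in /lib/firmware/$(dirname "$fw")"
    fi
}

report "$SAMPLE_DMESG"
```

On a real box, feed it the actual log (report "$(dmesg)") and run link_versioned_firmware as root; the symlink only helps when the versioned directory exists, otherwise the firmware package has to be installed first.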

Why do I get ioctl(SIOCGIFINDEX) failed?

If you get error messages similar to:

  • Error message: “SIOCSIFFLAGS : No such file or directory”
  • Error message: “ioctl(SIOCGIFINDEX) failed: No such device”

Then see this FAQ entry.

Feedback

  • Instructions and discussion about the zd1211rw in the forum here

zd1211rw.txt · Last modified: 2011/06/26 17:32 by wicher