authored by sleek
Review and injection tutorial
The ZyDAS zd1211 and zd1211b (also known as AR5007UG) chips are among the most widely distributed wireless b/g chips on the market. They are also the cheapest: on eBay you can get one for about 5-6 USD, shipping included. At the same time, these chips are very stable, with excellent range and sensitivity, both under Linux and Windows, and you can purchase one with or without an external antenna. The zd1211rw driver, which covers the chips under Linux, is very well built, offering reliable wireless connectivity as well as injection and monitoring support via aircrack-ng's utilities.
The zd1211rw driver was included in mainline kernel 2.6.18 as a softmac driver, which was notoriously unstable and heavily crippled in terms of aircrack-ng support. Things turned for the better when zd1211rw was ported to mac80211 in kernel 2.6.25, a move which gave the driver excellent support for injection and monitoring.
To enable injection, we'll have to patch the driver first. The easiest and most convenient way is to take the compat-wireless route.
1. Go to http://wireless.kernel.org/download/compat-wireless-2.6/, download the latest version of compat-wireless and untar the package: tar xfj compat-wireless-2.6.tar.bz2
2. Next, cd to your /path/to/compat-wireless directory and download the patch required for injection, zd1211rw-inject+dbi-fix-2.6.26.patch, the fixed channel patch, channel-negative-one-maxim.patch, and mac80211.compat08082009.wl_frag+ack_v1.patch for higher injection speed. Visit the general mac80211 wiki page for details.
3. Apply the patches:
patch -Np0 -i zd1211rw-inject+dbi-fix-2.6.26.patch
patch -Np1 -i mac80211.compat08082009.wl_frag+ack_v1.patch
patch -Np1 -i channel-negative-one-maxim.patch
Note: the xxxxx-xxxx-xxxx.patch files must be in your compat-wireless-xxxx-xx-xx directory while patching; otherwise you will be asked to provide the full path of the file which needs to be patched, for example: /home/user/compat-wireless-xxxx-xx-xx/drivers/net/wireless/zd1211rw/zd_mac.c
4. Patching is complete and we are ready to compile our driver: type make for the process to begin and wait a few minutes for it to complete.
5. Barring any errors, next up is installing: sudo make install
6. Now that the newly compiled driver is installed, we are ready to use it, but first we have to unload the old driver by typing sudo make wlunload
7. To load the new driver, just type sudo modprobe zd1211rw or simply unplug your USB adapter and plug it back in. Reboot if you're unsure.
8. That's it! This concludes the zd1211 injection tutorial. You should now be able to inject. Test your USB device by setting it to monitor mode (airmon-ng) and running the injection test:
# aireplay-ng -9 mon0
14:39:59  Trying broadcast probe requests...
14:39:59  Injection is working!
14:40:01  Found 1 AP
14:40:01  Trying directed probe requests...
14:40:01  00:00:00:00:00:00 - channel: 11 - 'LINKSYS'
14:40:01  Ping (min/avg/max): 0.881ms/12.418ms/37.725ms Power: -53.83
14:40:01  30/30: 100%
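As an added example (not part of the wiki page or the compat-wireless project), the POSIX shell helper below runs steps 3 to 7 with a dry run before each patch, so a patch that no longer matches the tree, or has already been applied, stops the process before make is reached. The script name zd_build.sh, the --run flag and the function names are assumptions; the patch names and -p levels are the ones from step 3.

```shell
#!/bin/sh
# Added example (not from the wiki): run steps 3 to 7 of the tutorial with a
# dry run before each patch, so a patch that no longer matches the tree, or
# was already applied, stops the process before make is ever reached.
# Usage: sh zd_build.sh --run /path/to/compat-wireless-xxxx-xx-xx

# $1 = source tree, $2 = -p strip level, $3 = patch file inside the tree.
# Returns 0 when applied, 1 when the file is missing or does not apply.
apply_patch_checked() {
    tree="$1"; strip="$2"; pfile="$3"
    if [ ! -f "$tree/$pfile" ]; then
        echo "missing: $pfile must sit in $tree while patching"; return 1
    fi
    # -N refuses patches that look already applied; --dry-run changes nothing.
    if ! (cd "$tree" && patch -N -p"$strip" --dry-run -i "$pfile" >/dev/null); then
        echo "fail: $pfile does not apply cleanly with -p$strip"; return 1
    fi
    (cd "$tree" && patch -N -p"$strip" -i "$pfile" >/dev/null) || return 1
    echo "applied: $pfile"
}

# The three patches and strip levels exactly as in step 3.
apply_all() {
    apply_patch_checked "$1" 0 zd1211rw-inject+dbi-fix-2.6.26.patch &&
    apply_patch_checked "$1" 1 mac80211.compat08082009.wl_frag+ack_v1.patch &&
    apply_patch_checked "$1" 1 channel-negative-one-maxim.patch
}

# Steps 4 to 7: build, install, unload the old module, load the new one.
build_and_load() {
    (cd "$1" && make && sudo make install && sudo make wlunload) &&
    sudo modprobe zd1211rw
}

if [ "${1:-}" = "--run" ]; then
    apply_all "$2" && build_and_load "$2"
fi
```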
Known issues at this point: the fragmentation attack is not yet supported.
As mentioned above, kernels prior to 2.6.25 (2.6.24 with compat-wireless) ship with the softmac version of the driver, which on its best day supports only half the functions, half the time. In other words, if you're stuck on an ancient kernel, you're pretty much out of luck. Your best bet is to either install a supported kernel, or use one of the many Live CDs with pre-configured settings for aircrack-ng.
And if you're absolutely bent on installing the softmac driver on an old kernel, you can try this source code. Be warned, you'll be disappointed with the outcome.
The most frequent roadblock you'll stumble upon is compilation errors with compat-wireless. They're not necessarily your fault. Every now and then compat-wireless tarballs are released with compilation errors which are subsequently fixed. If this happens to you, simply download and install a version from the previous day or two.
If dmesg has an error similar to the following:
usb 1-1: Could not load firmware file zd1211/zd1211b_ub. Error number -2
zd1211rw 1-1:1.0: couldn't load firmware. Error number -2
This means you are missing the firmware for your device or it is in the wrong location. The firmware is downloaded to the device each time it is initialized by the kernel module and is required for your device to operate. The typical location is /lib/firmware/zd1211, although this may vary for your specific distribution. Try this location first; if that fails, seek help from your distribution's support group or review the source code of the zd1211rw module on your distribution.
On some distributions, the kernel version is included in the firmware path: /lib/firmware/<kernel version from uname -r>/zd1211. If this is the case, you may have to copy the firmware to the standard driver location or add a symbolic link. One way or another, the driver needs to be able to find the firmware.
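The helper below is an added example (not from the wiki page or the zd1211rw project): it reads the firmware names out of dmesg errors like the one above, checks both locations the text describes, and links a copy that exists only under the kernel-versioned directory into the standard path. The script name zd_fwcheck.sh, the --run flag and the FW_ROOT and KVER overrides are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki): read the dmesg error above, check both
# firmware locations the text describes and, when the file exists only under
# the kernel-versioned directory, link it into the standard path.
# Usage: dmesg > /tmp/dmesg.txt; sh zd_fwcheck.sh --run /tmp/dmesg.txt

# Print the firmware names from lines like
#   usb 1-1: Could not load firmware file zd1211/zd1211b_ub. Error number -2
# $1 = file holding the dmesg output.
missing_fw_from_log() {
    sed -n 's/.*Could not load firmware file \([^ .]*\)\..*/\1/p' "$1" | sort -u
}

# $1 = firmware root (normally /lib/firmware), $2 = kernel version (uname -r),
# $3 = firmware path relative to the root, e.g. zd1211/zd1211b_ub.
# Prints the first location where the file exists; returns 1 if none.
find_fw() {
    for candidate in "$1/$3" "$1/$2/$3"; do
        if [ -f "$candidate" ]; then printf '%s\n' "$candidate"; return 0; fi
    done
    return 1
}

# Make the file reachable at the standard path the driver looks in: if it is
# only under $root/$kver, symlink it. Returns 1 if it exists in neither place.
ensure_standard_fw() {
    std="$1/$3"; alt="$1/$2/$3"
    [ -f "$std" ] && return 0
    if [ -f "$alt" ]; then
        mkdir -p "$(dirname "$std")" && ln -s "$alt" "$std"
        return $?
    fi
    return 1
}

# Repair or report every firmware file the log complained about.
# FW_ROOT and KVER may be overridden to check a tree other than the live one.
main() {
    root="${FW_ROOT:-/lib/firmware}"; kver="${KVER:-$(uname -r)}"; status=0
    for fw in $(missing_fw_from_log "$1"); do
        if ensure_standard_fw "$root" "$kver" "$fw"; then
            echo "ok: $fw reachable at $root/$fw"
        else
            echo "missing: $fw not under $root or $root/$kver"; status=1
        fi
    done
    return $status
}

if [ "${1:-}" = "--run" ]; then main "$2"; fi
```

Run it as root only when you want the symlink created under /lib/firmware; without --run the file just defines the functions for sourcing.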
You can obtain the firmware from:
If you get error messages similar to:
Then see this FAQ entry.
The only unsupported function is the fragmentation “-5” attack; a bug in the firmware prevents it. Despite this, we patch mac80211 with the fragmentation patch to enable higher injection speed. The frag attack is not mandatory for the zd1211rw driver to inject or capture packets; it's only one of the many attacks designed to penetrate WEP encryption.
Overall, it's a great all-purpose chip to have for wireless auditing and general connectivity.