This is an old revision of the document!
As of 2.6.17, a driver for the Broadcom bcm43xx wireless chipset has been included in the kernel. Older kernels can sometimes be made to work, check out resources available here While this driver natively supports monitor mode, it requires patching before packet injection can be done. After testing aireplay-ng with the patches, please contribute to the forum thread by reporting any successes or failures there.
Note: As of 2.6.24, this driver is considered deprecated, and you might be better off using the new b43 driver instead. (B43 supports the fragmentation attack, and it's much more stable than bcm43xx.)
There is a patch by SuD which dramatically improves the injection speed:
Also see this thread for more information.
Use this patch instead of the one below.
This patch may not apply directly and may require that you modify the bcm43xx_main.c (located in $linux/wireless/net/drivers/bcm43xx/ manually)
After building and installing the new module, it is best to test that injection is working correctly. Use the injection test to confirm your card can inject.
Forum thread: The complete how to of making bcm43xx injection work
This forum thread may also provide some useful information: Broadcom bcm43xx Injection
The bcm43xx has been verified to produce all attacks. However, there a few known problems.
There is a problem in the bcm43xx driver when injecting packets using DMA access. I'll try to compile the mod without DMA and see what happens asap. I'll also make another patch soon that waits till the send buffer is empty before resuming after an error occured. Now it just waits a second before resuming at a lower rate.
Same problem as above, there is a problem with injection and DMA access.
ASSERTION FAILED (!ring→suspended) at: drivers/net/wireless/bcm43xx/bcm43xx_dma.c:71:request_slot(). Again, a problem with DMA. Aireplay tries to write a packet, the driver wants a free DMA slot for that and can't because the DMA slots were all taken (the driver blocks all dma requests then).
All these problems should be mitigated or fixed with the new patch!
First, double check that you are in fact running the new module:
It will give you the fully qualified file name. Do “ls -l <fully qualified file name>” and confirm it has the date/time of when you compiled and installed the new module. If it does not match, then you are not running the patched module. This would, of course, need to be fixed.
This thread has a number of potential fixes to problems you may encounter: Broadcom bcm43xx Injection
If you get error messages similar to:
Then See this FAQ entry.