
This is an old revision of the document!


Broadcom bcm43xx

As of 2.6.17, a driver for the Broadcom bcm43xx wireless chipset has been included in the kernel. Older kernels can sometimes be made to work; check out the resources available here. While this driver natively supports monitor mode, it requires patching before packet injection can be done. After testing aireplay-ng with the patches, please contribute to the forum thread by reporting any successes or failures there.

Patching the kernel

  • Download the bcm43xx inject_nofcs patch for the 2.6.20 kernel from here.
  • Place the patch in your kernel sources directory.
  • Run 'patch -p1 < bcm43xx-injection-linux-2.6.20.patch'.

This patch may not apply directly and may require that you modify bcm43xx_main.c manually.

  • Recompile your modules with 'make modules' followed by 'make modules_install'.
  • The module should now be ready to use for injection.
  • Remember to reload the kernel driver or reboot your system before trying to inject packets.

Patches for aircrack-ng

Because the bcm43xx injection scheme is rather, ahem, unconventional, it is necessary to apply one of the following patches to aireplay-ng, depending on the version you are using. The patch detects a loaded bcm43xx driver, uses the “bcm43xx way” to inject packets, and automatically lowers the packets-per-second rate if needed instead of crashing aireplay-ng.

Known problems

The bcm43xx has been verified to produce all attacks except fragmentation. However, there are a few known problems.

  • aireplay exits with “out of memory error” / syslog shows “out of DMA slots”

There is a problem in the bcm43xx driver when injecting packets using DMA access. I'll try to compile the mod without DMA and see what happens asap. I'll also make another patch soon that waits till the send buffer is empty before resuming after an error occurred. Now it just waits a second before resuming at a lower rate.

  • packets per second is adjusted to around 25 pps

Same problem as above: there is a problem with injection and DMA access.

  • syslog shows a lot of failed assertions (!ring->suspended).

ASSERTION FAILED (!ring->suspended) at: drivers/net/wireless/bcm43xx/bcm43xx_dma.c:71:request_slot(). Again, a problem with DMA. Aireplay tries to write a packet, the driver wants a free DMA slot for that and can't because the DMA slots were all taken (the driver blocks all dma requests then).
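To tell whether a system is hitting the DMA problems listed above, the syslog can be scanned for the two messages quoted in this section. The script below is an added example, not part of the original page or of the driver or aircrack-ng code; the sample log lines, including their timestamp and host prefix, are constructed, and the function name triage is hypothetical.

```python
import re
from collections import Counter

# Phrases quoted in the "Known problems" list above.
DMA_SLOTS_RE = re.compile(r"out of DMA slots", re.IGNORECASE)
ASSERT_RE = re.compile(
    r"ASSERTION FAILED \((?P<expr>[^)]*)\) at: "
    r"(?P<path>\S+?):(?P<line>\d+):(?P<func>\w+)\(\)"
)

# Constructed sample input; the timestamp/host prefix is an assumption.
SAMPLE_SYSLOG = """\
May  2 21:10:01 host kernel: out of DMA slots
May  2 21:10:01 host kernel: ASSERTION FAILED (!ring->suspended) at: drivers/net/wireless/bcm43xx/bcm43xx_dma.c:71:request_slot()
May  2 21:10:02 host kernel: ASSERTION FAILED (!ring->suspended) at: drivers/net/wireless/bcm43xx/bcm43xx_dma.c:71:request_slot()
May  2 21:10:05 host dhclient: DHCPREQUEST on eth0
"""


def triage(lines):
    """Count the DMA symptoms from the list above in an iterable of log lines."""
    slot_errors = 0
    assertions = Counter()  # (expr, path, line, func) -> number of hits
    for raw in lines:
        # Wiki typography can turn "->" into an arrow; normalise pasted text.
        text = raw.replace("\u2192", "->")
        if DMA_SLOTS_RE.search(text):
            slot_errors += 1
        m = ASSERT_RE.search(text)
        if m:
            assertions[(m["expr"], m["path"], int(m["line"]), m["func"])] += 1
    # Assertions raised from the driver's DMA source file point at the same issue.
    dma_sites = sum(n for (_, path, _, _), n in assertions.items()
                    if path.endswith("bcm43xx_dma.c"))
    return {
        "slot_errors": slot_errors,
        "assertions": dict(assertions),
        "known_dma_problem": slot_errors > 0 or dma_sites > 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SYSLOG.splitlines()).items():
        print(key, value)
```
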

broadcom.1178133729.txt.gz · Last modified: 2007/05/02 21:22 by dush