├── .gitignore ├── LICENSE ├── Makefile ├── Makefile.exp10 ├── Makefile.exp11 ├── Makefile.exp12 ├── Makefile.exp4 ├── Makefile.exp9 ├── README.md ├── include ├── macros.inc ├── nex_phy_int.h ├── signalgeneration.h ├── vendor_radiotap.h └── wlc_phyreg_ac.inc ├── patch.ld └── src ├── autostart.c ├── experiment_1.c ├── experiment_2.c ├── injection.c ├── ioctl.c ├── ioctl_4xx.c ├── ioctl_5xx.c ├── ioctl_6xx.c ├── ioctl_7xx.c ├── ioctl_8xx.c ├── monitormode.c ├── patch.c ├── regulations.c ├── sendframe.c ├── signalgeneration.c ├── ucode-controlpower-3states-full-frm.patch ├── ucode-jammer-20in80mhz.patch ├── ucode-jammer-40in80mhz.patch ├── ucode-jammer-80in80mhz.patch ├── ucode-jammer-ack-full-frm.patch ├── ucode-jammer-full-frm.patch ├── ucode-jammer.patch ├── vendor_radiotap.c └── version.c /.gitignore: -------------------------------------------------------------------------------- 1 | src/templateram.c 2 | src/ucode_compressed.c 3 | src/*.asm 4 | tmp 5 | obj 6 | log 7 | gen 8 | BUILD_NUMBER 9 | fw_bcmdhd.bin 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | ########### ########### ########## ########## 3 | ############ ############ ############ ############ 4 | ## ## ## ## ## ## ## 5 | ## ## ## ## ## ## ## 6 | ########### #### ###### ## ## ## ## ###### 7 | ########### #### # ## ## ## ## # # 8 | ## ## ###### ## ## ## ## # # 9 | ## ## # ## ## ## ## # # 10 | ############ ##### ###### ## ## ## ##### ###### 11 | ########### ########### ## ## ## ########## 12 | 13 | S E C U R E M O B I L E N E T W O R K I N G 14 | 15 | License: 16 | 17 | Copyright (c) 2017 Secure Mobile Networking Lab (SEEMOO) 18 | 19 | Permission is hereby granted, free of charge, to any person obtaining a 20 | copy of this software and associated documentation files (the 21 | "Software"), to deal in the Software without restriction, including 22 | without limitation 
the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

1. The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

2. Any use of the Software which results in an academic publication or
other publication which includes a bibliography must include
citations to the nexmon project a) and the paper cited under b):

a) "Matthias Schulz, Daniel Wegemer and Matthias Hollick. Nexmon:
The C-based Firmware Patching Framework. https://nexmon.org"

b) "Matthias Schulz, Francesco Gringoli, Daniel Steinmetzer, Michael
Koch and Matthias Hollick. Massive Reactive Smartphone-Based
Jamming using Arbitrary Waveforms and Adaptive Power Control.
Proceedings of the 10th ACM Conference on Security and Privacy
in Wireless and Mobile Networks (WiSec 2017), July 2017."

3. The Software is not used by, in cooperation with, or on behalf of
any armed forces, intelligence agencies, reconnaissance agencies,
defense agencies, offense agencies or any supplier, contractor, or
research associated.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
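
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# Build of the nexmon firmware patch for the bcm4339 (fw 6.37.34.43) used in
# the WiSec 2017 jamming experiments, plus the adb helpers that flash it.
#
# Expected from the environment (set by the repository's setup_env.sh):
#   NEXMON_ROOT      root of the nexmon checkout
#   NEXMON_SETUP_ENV marker checked by check-nexmon-setup-env
# Expected from $(FW_PATH)/definitions.mk: CC (toolchain prefix), CCPLUGIN,
# NEXMON_* version/arch values, the memory layout (ROMSTART, RAMSTART, ...),
# RAM_FILE, ZLIBFLATE and presumably Q (recipe prefix, e.g. "@" for quiet).
#
# The build is serial by construction: every obj/%.o rule rewrites
# gen/nexmon.pre in place through the shared scratch file "tmp", so the
# dependency graph is not -j safe.
.NOTPARALLEL:

# A recipe that fails must not leave a half-written target behind; otherwise
# a partially patched fw_bcmdhd.bin looks up to date and install-firmware
# would flash it onto the phone.
.DELETE_ON_ERROR:

.PHONY: all init check-nexmon-setup-env install-firmware backup-firmware \
	install-backup install-original install-symlink clean-firmware clean \
	cd clr busybox devices sh pull reboot FORCE

GIT_VERSION := $(shell git describe --abbrev=4 --dirty --always --tags)
FW_PATH := $(NEXMON_ROOT)/firmwares/bcm4339/6_37_34_43
include $(FW_PATH)/definitions.mk

# Simply expanded so the globs are evaluated once, not on every reference.
# The two generated sources are listed explicitly because they may not exist
# yet when the wildcard is evaluated.
LOCAL_SRCS := $(wildcard src/*.c) src/ucode_compressed.c src/templateram.c
COMMON_SRCS := $(wildcard $(NEXMON_ROOT)/patches/common/*.c)
FW_SRCS := $(wildcard $(FW_PATH)/*.c)

# Standard node is the jammer, which is also connected to the power monitor.
# Override per invocation: make install-firmware NODE=S
NODE := J

# A UCODEFILE given on the command line (or in the environment) must exist
# either as a ready .asm or as a .patch that src/%.asm can apply.
ifdef UCODEFILE
ifeq ($(wildcard src/$(UCODEFILE)), )
ifeq ($(wildcard src/$(UCODEFILE:.asm=.patch)), )
$(error selected src/$(UCODEFILE) does not exist)
endif
endif
endif

# adb serial of each node; fill in the commented line for every phone so the
# helpers below never talk to an unintended device.
ifeq ($(NODE),S)
# receiver
ADBSERIAL :=
#ADBSERIAL := -s 0000000000000000
ifeq ($(ADBSERIAL),)
$(warning Please set the device id of the smartphone used as receiver S in the Makefile.)
endif
endif

ifeq ($(NODE),W)
# transmitter standing next to wall
ADBSERIAL :=
#ADBSERIAL := -s 0000000000000000
ifeq ($(ADBSERIAL),)
$(warning Please set the device id of the smartphone used as transmitter W in the Makefile.)
endif
endif

ifeq ($(NODE),R)
# transmitter standing away from wall
ADBSERIAL :=
#ADBSERIAL := -s 0000000000000000
ifeq ($(ADBSERIAL),)
$(warning Please set the device id of the smartphone used as transmitter R in the Makefile.)
endif
endif

ifeq ($(NODE),J)
# jammer
ADBSERIAL :=
#ADBSERIAL := -s 0000000000000000
ifeq ($(ADBSERIAL),)
$(warning Please set the device id of the smartphone used as jammer in the Makefile.)
endif
endif

RATESPEC := 0
EXPNAME := undefined
CHANSPEC := 0x1007
SRL := 7
LRL := 6
AMPDU_TX := 1

# The following is used to connect to an adb server running on another node, where the phones are connected
#ADBFLAGS := -H 192.168.2.231 $(ADBSERIAL)

# The following is used if the nodes are directly connected to this computer
ADBFLAGS := $(ADBSERIAL)

# Default ucode; "?=" so a value validated by the ifdef block above is kept
# instead of being silently replaced.
UCODEFILE ?= ucode.asm

OBJS := $(addprefix obj/,$(notdir $(LOCAL_SRCS:.c=.o)) $(notdir $(COMMON_SRCS:.c=.o)) $(notdir $(FW_SRCS:.c=.o)))
UCODEPATCHES := $(notdir $(wildcard src/ucode*.patch))
UCODEPATCHESASMS := $(UCODEPATCHES:.patch=.asm)

# Recursively expanded on purpose: $@ must resolve per object file.
CFLAGS= \
    -fplugin=$(CCPLUGIN) \
    -fplugin-arg-nexmon-objfile=$@ \
    -fplugin-arg-nexmon-prefile=gen/nexmon.pre \
    -fplugin-arg-nexmon-chipver=$(NEXMON_CHIP_NUM) \
    -fplugin-arg-nexmon-fwver=$(NEXMON_FW_VERSION_NUM) \
    -fno-strict-aliasing \
    -DNEXMON_CHIP=$(NEXMON_CHIP) \
    -DNEXMON_FW_VERSION=$(NEXMON_FW_VERSION) \
    -DPATCHSTART=$(PATCHSTART) \
    -DUCODESIZE=$(UCODESIZE) \
    -DGIT_VERSION=\"$(GIT_VERSION)\" \
    -DBUILD_NUMBER=\"$$(cat BUILD_NUMBER)\" \
    -Wall -Werror -O2 -nostdlib -nostartfiles -ffreestanding -mthumb -march=$(NEXMON_ARCH) \
    -Wno-unused-function \
    -ffunction-sections -fdata-sections \
    -I$(NEXMON_ROOT)/patches/include \
    -Iinclude \
    -I$(FW_PATH)

ifdef EXPERIMENT
CFLAGS += -DEXPERIMENT=$(EXPERIMENT)
endif

all: fw_bcmdhd.bin

# Bumps BUILD_NUMBER, forces version.c to recompile and creates the work
# directories. Runs on every build (FORCE), which is why fw_bcmdhd.bin is
# always relinked.
init: FORCE
	$(Q)if ! test -f BUILD_NUMBER; then echo 0 > BUILD_NUMBER; fi
	$(Q)echo $$(($$(cat BUILD_NUMBER) + 1)) > BUILD_NUMBER
	$(Q)touch src/version.c
	$(Q)$(MAKE) -s -f $(NEXMON_ROOT)/patches/common/header.mk
	$(Q)mkdir -p obj gen log

# The three compile rules first drop the object's previous entries from
# gen/nexmon.pre (column 3 is the object file), because the gcc plugin
# appends this object's patch locations to that file while compiling.
obj/%.o: src/%.c
	@printf "\033[0;31m COMPILING\033[0m %s => %s (details: log/compiler.log)\n" $< $@
	$(Q)cat gen/nexmon.pre 2>>log/error.log | gawk '{ if ($$3 != "$@") print; }' > tmp && mv tmp gen/nexmon.pre
	$(Q)$(CC)gcc $(CFLAGS) -c $< -o $@ >>log/compiler.log

obj/%.o: $(NEXMON_ROOT)/patches/common/%.c
	@printf "\033[0;31m COMPILING\033[0m %s => %s (details: log/compiler.log)\n" $< $@
	$(Q)cat gen/nexmon.pre 2>>log/error.log | gawk '{ if ($$3 != "$@") print; }' > tmp && mv tmp gen/nexmon.pre
	$(Q)$(CC)gcc $(CFLAGS) -c $< -o $@ >>log/compiler.log

obj/%.o: $(FW_PATH)/%.c
	@printf "\033[0;31m COMPILING\033[0m %s => %s (details: log/compiler.log)\n" $< $@
	$(Q)cat gen/nexmon.pre 2>>log/error.log | gawk '{ if ($$3 != "$@") print; }' > tmp && mv tmp gen/nexmon.pre
	$(Q)$(CC)gcc $(CFLAGS) -c $< -o $@ >>log/compiler.log

# Deduplicates patch addresses (column 1) with the entries of
# flashpatches.o/wrapper.o moved last so they only win when no other object
# patches the same address.
gen/nexmon2.pre: $(OBJS)
	@printf "\033[0;31m PREPARING\033[0m %s => %s\n" "gen/nexmon.pre" $@
	$(Q)cat gen/nexmon.pre | awk '{ if ($$3 != "obj/flashpatches.o" && $$3 != "obj/wrapper.o") { print $$0; } }' > tmp
	$(Q)cat gen/nexmon.pre | awk '{ if ($$3 == "obj/flashpatches.o" || $$3 == "obj/wrapper.o") { print $$0; } }' >> tmp
	$(Q)cat tmp | awk '{ if ($$1 ~ /^0x/) { if ($$3 != "obj/flashpatches.o" && $$3 != "obj/wrapper.o") { if (!x[$$1]++) { print $$0; } } else { if (!x[$$1]) { print $$0; } } } else { print $$0; } }' > gen/nexmon2.pre

gen/nexmon.ld: gen/nexmon2.pre $(OBJS)
	@printf "\033[0;31m GENERATING LINKER FILE\033[0m gen/nexmon.pre => %s\n" $@
	$(Q)sort gen/nexmon2.pre | gawk -f $(NEXMON_ROOT)/buildtools/scripts/nexmon.ld.awk > $@

gen/nexmon.mk: gen/nexmon2.pre $(OBJS) $(FW_PATH)/definitions.mk
	@printf "\033[0;31m GENERATING MAKE FILE\033[0m gen/nexmon.pre => %s\n" $@
	$(Q)printf "fw_bcmdhd.bin: gen/patch.elf FORCE\n" > $@
	$(Q)sort gen/nexmon2.pre | \
		gawk -v src_file=gen/patch.elf -f $(NEXMON_ROOT)/buildtools/scripts/nexmon.mk.1.awk | \
		gawk -v ramstart=$(RAMSTART) -f $(NEXMON_ROOT)/buildtools/scripts/nexmon.mk.2.awk >> $@
	$(Q)printf "\nFORCE:\n" >> $@
	$(Q)gawk '!a[$$0]++' $@ > tmp && mv tmp $@

gen/flashpatches.ld: gen/nexmon2.pre $(OBJS)
	@printf "\033[0;31m GENERATING LINKER FILE\033[0m gen/nexmon.pre => %s\n" $@
	$(Q)sort gen/nexmon2.pre | \
		gawk -f $(NEXMON_ROOT)/buildtools/scripts/flashpatches.ld.awk > $@

gen/flashpatches.mk: gen/nexmon2.pre $(OBJS) $(FW_PATH)/definitions.mk
	@printf "\033[0;31m GENERATING MAKE FILE\033[0m gen/nexmon.pre => %s\n" $@
	$(Q)cat gen/nexmon2.pre | gawk \
		-v fp_data_base=$(FP_DATA_BASE) \
		-v fp_config_base=$(FP_CONFIG_BASE) \
		-v fp_data_end_ptr=$(FP_DATA_END_PTR) \
		-v fp_config_base_ptr_1=$(FP_CONFIG_BASE_PTR_1) \
		-v fp_config_end_ptr_1=$(FP_CONFIG_END_PTR_1) \
		-v fp_config_base_ptr_2=$(FP_CONFIG_BASE_PTR_2) \
		-v fp_config_end_ptr_2=$(FP_CONFIG_END_PTR_2) \
		-v ramstart=$(RAMSTART) \
		-v out_file=fw_bcmdhd.bin \
		-v src_file=gen/patch.elf \
		-f $(NEXMON_ROOT)/buildtools/scripts/flashpatches.mk.awk > $@

# Memory regions for the linker; the ucode region ends where fpconfig starts.
gen/memory.ld: $(FW_PATH)/definitions.mk
	@printf "\033[0;31m GENERATING LINKER FILE\033[0m %s\n" $@
	$(Q)printf "rom : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(ROMSTART) $(ROMSIZE) > $@
	$(Q)printf "ram : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(RAMSTART) $(RAMSIZE) >> $@
	$(Q)printf "patch : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(PATCHSTART) $(PATCHSIZE) >> $@
	$(Q)printf "ucode : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(UCODESTART) $$(($(FP_CONFIG_BASE) - $(UCODESTART))) >> $@
	$(Q)printf "fpconfig : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(FP_CONFIG_BASE) $(FP_CONFIG_SIZE) >> $@

gen/patch.elf: patch.ld gen/nexmon.ld gen/flashpatches.ld gen/memory.ld $(OBJS)
	@printf "\033[0;31m LINKING OBJECTS\033[0m => %s (details: log/linker.log, log/linker.err)\n" $@
	$(Q)$(CC)ld -T $< -o $@ --gc-sections --print-gc-sections -M >>log/linker.log 2>>log/linker.err

# Copies the stock RAM image and applies the generated patch makefiles to it
# in place. Both sub-makes edit the same file, so they are forced serial
# (-j1) even when the outer make runs with -j.
fw_bcmdhd.bin: init gen/patch.elf $(FW_PATH)/$(RAM_FILE) gen/nexmon.mk gen/flashpatches.mk
	$(Q)cp $(FW_PATH)/$(RAM_FILE) $@
	@printf "\033[0;31m APPLYING FLASHPATCHES\033[0m gen/flashpatches.mk => %s (details: log/flashpatches.log)\n" $@
	$(Q)$(MAKE) -j1 -f gen/flashpatches.mk >>log/flashpatches.log 2>>log/flashpatches.log
	@printf "\033[0;31m APPLYING PATCHES\033[0m gen/nexmon.mk => %s (details: log/patches.log)\n" $@
	$(Q)$(MAKE) -j1 -f gen/nexmon.mk >>log/patches.log 2>>log/patches.log

###################################################################
# ucode compression related
###################################################################

# Disassembles the stock ucode, beautifies it and names the three frame
# subtypes the jammer patches refer to.
gen/ucode.asm: $(FW_PATH)/ucode.bin
	@printf "\033[0;31m DISASSEMBLING UCODE\033[0m %s => %s\n" $< $@
	$(Q)$(NEXMON_ROOT)/buildtools/b43/disassembler/b43-dasm $< $@ --arch 15 --format raw-le32
	$(Q)$(NEXMON_ROOT)/buildtools/b43/debug/b43-beautifier --asmfile $@ --defs $(NEXMON_ROOT)/buildtools/b43/debug/include > tmp && mv tmp $@
	$(Q)cat $@ | gcc -fpreprocessed -dD -E - > tmp && mv tmp $@
	$(Q)sed -i '/^$$/d' $@
	$(Q)sed -i '/""/d' $@
	$(Q)sed -i -r 's|(mov )(0x48)(, SPR_TME_VAL12)|\1MAC_SUBTYPE_DATA_NULL\3|' gen/ucode.asm
	$(Q)sed -i -r 's|(mov )(0xC4)(, SPR_TME_VAL12)|\1MAC_SUBTYPE_CONTROL_CTS\3|' gen/ucode.asm
	$(Q)sed -i -r 's|(mov )(0xD4)(, SPR_TME_VAL12)|\1MAC_SUBTYPE_CONTROL_ACK\3|' gen/ucode.asm

# NOTE: "|| true" hides a rejected hunk; check log/patch.log when an
# experiment behaves unexpectedly, the .asm may then be only partly patched.
src/%.asm: src/%.patch gen/ucode.asm
	@printf "\033[0;31m PATCHING UCODE\033[0m %s => %s\n" $< $@
	$(Q)cp gen/ucode.asm $@
	$(Q)patch -p1 $@ $< >log/patch.log || true

# Assemble the selected ucode when it (or its .patch) exists; otherwise reuse
# the stock ucode unchanged.
ifneq ($(wildcard src/$(UCODEFILE) src/$(UCODEFILE:.asm=.patch)), )
gen/ucode.bin: src/$(UCODEFILE)
	@printf "\033[0;31m ASSEMBLING UCODE\033[0m %s => %s\n" $< $@

ifneq ($(wildcard $(NEXMON_ROOT)/buildtools/b43/assembler/b43-asm.bin), )
	$(Q)PATH=$(PATH):$(NEXMON_ROOT)/buildtools/b43/assembler $(NEXMON_ROOT)/buildtools/b43/assembler/b43-asm $< $@ --format raw-le32
else
	$(error Warning: please compile b43-asm.bin first)
endif

else
gen/ucode.bin: $(FW_PATH)/ucode.bin
	@printf "\033[0;31m COPYING UCODE\033[0m %s => %s\n" $< $@
	$(Q)cp $< $@
endif

gen/ucode_compressed.bin: gen/ucode.bin
	@printf "\033[0;31m COMPRESSING UCODE\033[0m %s => %s\n" $< $@
	$(Q)cat $< | $(ZLIBFLATE) > $@

# xxd -i derives the C symbol name from its argument, hence the cd + notdir.
src/ucode_compressed.c: gen/ucode_compressed.bin
	@printf "\033[0;31m GENERATING C FILE\033[0m %s => %s\n" $< $@
	$(Q)printf "#pragma NEXMON targetregion \"ucode\"\n\n" > $@
	$(Q)cd $(dir $<) && xxd -i $(notdir $<) >> $(shell pwd)/$@

src/templateram.c: $(FW_PATH)/templateram.bin
	@printf "\033[0;31m GENERATING C FILE\033[0m %s => %s\n" $< $@
	$(Q)printf "#pragma NEXMON targetregion \"ucode\"\n\n" > $@
	$(Q)cd $(dir $<) && xxd -i $(notdir $<) >> $(shell pwd)/$@

###################################################################

check-nexmon-setup-env:
ifndef NEXMON_SETUP_ENV
	$(error run 'source setup_env.sh' first in the repository\'s root directory)
endif

# All install-* targets need a rooted phone: they remount /system writable and
# replace the vendor WiFi firmware. Run backup-firmware once before the first
# install so install-backup can restore the original image.
# The vendor file is removed before the copy because install-symlink may have
# turned it into a symlink; copying through it would write elsewhere.
install-firmware: fw_bcmdhd.bin
	@printf "\033[0;31m REMOUNTING /system\033[0m\n"
	$(Q)adb $(ADBFLAGS) shell 'su -c "mount -o rw,remount /system"'
	@printf "\033[0;31m COPYING TO PHONE\033[0m %s => /sdcard/%s\n" $< $<
	$(Q)adb $(ADBFLAGS) push $< /sdcard/ >> log/adb.log 2>> log/adb.log
	@printf "\033[0;31m COPYING\033[0m /sdcard/fw_bcmdhd.bin => /vendor/firmware/fw_bcmdhd.bin\n"
	$(Q)adb $(ADBFLAGS) shell 'su -c "rm -f /vendor/firmware/fw_bcmdhd.bin && cp /sdcard/fw_bcmdhd.bin /vendor/firmware/fw_bcmdhd.bin"'
	@printf "\033[0;31m RELOADING FIRMWARE\033[0m\n"
	$(Q)adb $(ADBFLAGS) shell 'su -c "ifconfig wlan0 down && ifconfig wlan0 up"'

backup-firmware: FORCE
	adb $(ADBFLAGS) shell 'su -c "cp /vendor/firmware/fw_bcmdhd.bin /sdcard/fw_bcmdhd.orig.bin"'
	adb $(ADBFLAGS) pull /sdcard/fw_bcmdhd.orig.bin

# Restores the image saved by backup-firmware. The file is pushed under its
# own name, so the copy must read /sdcard/$(notdir $<), not the patched
# /sdcard/fw_bcmdhd.bin left behind by install-firmware.
install-backup: fw_bcmdhd.orig.bin
	adb $(ADBFLAGS) shell 'su -c "mount -o rw,remount /system"' && \
	adb $(ADBFLAGS) push $< /sdcard/ && \
	adb $(ADBFLAGS) shell 'su -c "rm -f /vendor/firmware/fw_bcmdhd.bin && cp /sdcard/$(notdir $<) /vendor/firmware/fw_bcmdhd.bin"'
	adb $(ADBFLAGS) shell 'su -c "ifconfig wlan0 down && ifconfig wlan0 up"'

# Installs the unpatched RAM image shipped with the nexmon firmware directory.
install-original: $(FW_PATH)/$(RAM_FILE)
	adb $(ADBFLAGS) shell 'su -c "mount -o rw,remount /system"' && \
	adb $(ADBFLAGS) push $< /sdcard/ && \
	adb $(ADBFLAGS) shell 'su -c "rm -f /vendor/firmware/fw_bcmdhd.bin && cp /sdcard/$(notdir $<) /vendor/firmware/fw_bcmdhd.bin"'
	adb $(ADBFLAGS) shell 'su -c "ifconfig wlan0 down && ifconfig wlan0 up"'

install-symlink: FORCE
	@printf "\033[0;31m REMOUNTING /system\033[0m\n"
	$(Q)adb $(ADBFLAGS) shell 'su -c "mount -o rw,remount /system"'
	adb $(ADBFLAGS) shell 'su -c "rm /vendor/firmware/fw_bcmdhd.bin && ln -s /nexmon/fw_bcmdhd.bin /vendor/firmware/fw_bcmdhd.bin"'
	adb $(ADBFLAGS) shell 'su -c "ifconfig wlan0 down && ifconfig wlan0 up"'

clean-firmware: FORCE
	@printf "\033[0;31m CLEANING\033[0m\n"
	$(Q)rm -fr fw_bcmdhd.bin obj gen log src/ucode_compressed.c src/templateram.c $(addprefix src/,$(UCODEPATCHESASMS))

clean: clean-firmware
	$(Q)rm -f BUILD_NUMBER

# ADB commands

# dump console
cd: FORCE
	adb $(ADBFLAGS) shell su -c "dhdutil consoledump"

# clear console
clr: FORCE
	adb $(ADBFLAGS) shell su -c "nexutil -s417"

busybox: FORCE
	adb $(ADBFLAGS) install apk/stericson.busybox.apk

devices: FORCE
	adb $(ADBFLAGS) devices

# make sh ADBSHELLCMD='...'  runs a command on the selected node
sh: FORCE
	adb $(ADBFLAGS) shell $(ADBSHELLCMD)

# make pull ADBPULLSRC=<phone path> ADBPULLDST=<local path>
pull: FORCE
	adb $(ADBFLAGS) pull $(ADBPULLSRC) $(ADBPULLDST)

reboot: FORCE
	@printf "\033[0;31m REBOOTING\033[0m node = %s\n" $(NODE)
	$(Q)adb $(ADBFLAGS) reboot

FORCE:

--------------------------------------------------------------------------------
/Makefile.exp4:
--------------------------------------------------------------------------------
# WiSec 2017 experiment 4: one baseline run without the jammer (.000) and
# eight runs with the jammer at increasing transmit power (.001 - .008).
# Drives the main Makefile through recursive $(MAKE) calls with NODE=...
EXPDIR := experiments_wisec2017
CHANSPEC := 0xd074
# Seconds to wait between starting the transmitter and stopping the capture.
EXP_LEN := 1350

# Every run reconfigures the same four phones, so runs must never interleave.
.NOTPARALLEL:

EXPERIMENTS := $(addprefix experiment4.,000 001 002 003 004 005 006 007 008)

.PHONY: experiment4 init reboot FORCE $(EXPERIMENTS)

experiment4: init $(EXPERIMENTS)

init: FORCE
	mkdir -p $(EXPDIR)

reboot: FORCE
	$(MAKE) reboot NODE=S
	$(MAKE) reboot NODE=W
	$(MAKE) reboot NODE=R
	$(MAKE) reboot NODE=J

# Jammer power value passed to "nexutil -s641" on node J. Empty for the
# baseline run experiment4.000 (jammer not configured); every other run sets
# its own value below.
JAMMER_POWER :=
experiment4.001: JAMMER_POWER := 50
experiment4.002: JAMMER_POWER := 60
experiment4.003: JAMMER_POWER := 70
experiment4.004: JAMMER_POWER := 80
experiment4.005: JAMMER_POWER := 90
experiment4.006: JAMMER_POWER := 100
experiment4.007: JAMMER_POWER := 110
experiment4.008: JAMMER_POWER := 120

# Canned recipe shared by all experiment4.* targets. It is expanded when the
# recipe runs, so $@ is the experiment name and JAMMER_POWER the
# target-specific value. Steps: flash the stock patch on S, W and R, flash
# the jammer ucode on J, start the capture on S, start transmitter W, wait
# EXP_LEN seconds, stop the capture and pull the results to $(EXPDIR)/$@/S.
# NOTE: each "| tee" line reports tee's exit status, so a failing sub-make
# does not abort the run; inspect make.log before trusting a result.
define run_experiment
$(MAKE) clean
$(MAKE) install-firmware NODE=S
$(MAKE) install-firmware NODE=W
$(MAKE) install-firmware NODE=R
$(MAKE) clean
$(MAKE) install-firmware NODE=J UCODEFILE=ucode-jammer.asm
rm -rf $(EXPDIR)/$@
mkdir -p $(EXPDIR)/$@
mkdir -p $(EXPDIR)/$@/S
printf "\033[0;34m START OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee $(EXPDIR)/$@/make.log
sleep 10
$(if $(JAMMER_POWER),$(MAKE) sh NODE=J ADBSHELLCMD='su -c "nexutil -s640 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log)
$(if $(JAMMER_POWER),$(MAKE) sh NODE=J ADBSHELLCMD='su -c "nexutil -s641 -i -v$(JAMMER_POWER)"' | tee -a $(EXPDIR)/$@/make.log)
$(MAKE) sh NODE=S ADBSHELLCMD='su -c "nexutil -s610 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log
$(MAKE) sh NODE=S ADBSHELLCMD='su -c "export LD_PRELOAD=libfakeioctl.so && nohup tcpdump -i wlan0 -w /sdcard/capture.pcap > /sdcard/tcpdump.log 2>/sdcard/tcpdump.err &"' | tee -a $(EXPDIR)/$@/make.log
$(MAKE) sh NODE=W ADBSHELLCMD='su -c "nexutil -s621 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log
printf "\n\033[0;31m START WAITING\033[0m for %s seconds, timestamp: %s\n" $(EXP_LEN) `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log
sleep $(EXP_LEN)
printf "\n\033[0;31m END WAITING\033[0m timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log
$(MAKE) sh NODE=S ADBSHELLCMD='su -c "killall tcpdump || true"' | tee -a $(EXPDIR)/$@/make.log
$(MAKE) pull NODE=S ADBPULLSRC=/sdcard/capture.pcap ADBPULLDST=$(EXPDIR)/$@/S/capture.pcap | tee -a $(EXPDIR)/$@/make.log
$(MAKE) pull NODE=S ADBPULLSRC=/sdcard/tcpdump.log ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.log | tee -a $(EXPDIR)/$@/make.log
$(MAKE) pull NODE=S ADBPULLSRC=/sdcard/tcpdump.err ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.err | tee -a $(EXPDIR)/$@/make.log
printf "\n\033[0;34m END OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log
endef

# One rule header for all runs: each target gets the canned recipe with its
# own $@ and JAMMER_POWER.
$(EXPERIMENTS):
	$(run_experiment)

FORCE:

--------------------------------------------------------------------------------
/Makefile.exp9:
--------------------------------------------------------------------------------
EXPDIR := experiments_wisec2017
CHANSPEC := 0x2009
EXP_LEN := 75

experiment9: \
	init \
	experiment9.000 \
	experiment9.001 \
	experiment9.002 \
	experiment9.003 \
	experiment9.004 \
	experiment9.005 \
	experiment9.006 \
	experiment9.007 \
	experiment9.008

init: FORCE
	mkdir -p $(EXPDIR)

reboot: FORCE
	make reboot NODE=S
	make reboot NODE=W
	make reboot NODE=R
	make reboot NODE=J

experiment9.000:
	make clean
	make install-firmware NODE=S
	make install-firmware NODE=W
	make install-firmware NODE=R
	make clean
	make install-firmware NODE=J UCODEFILE=ucode-jammer-20in80mhz.asm
	rm -rf $(EXPDIR)/$@
	mkdir -p $(EXPDIR)/$@
	mkdir -p $(EXPDIR)/$@/S
	printf "\033[0;34m START OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n\n" $@ 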
`date +%Y-%m-%d-%H:%M:%S` | tee $(EXPDIR)/$@/make.log 37 | sleep 10 38 | make sh NODE=S ADBSHELLCMD='su -c "nexutil -s610 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 39 | make sh NODE=S ADBSHELLCMD='su -c "export LD_PRELOAD=libfakeioctl.so && nohup tcpdump -i wlan0 -w /sdcard/capture.pcap > /sdcard/tcpdump.log 2>/sdcard/tcpdump.err &"' | tee -a $(EXPDIR)/$@/make.log 40 | make sh NODE=W ADBSHELLCMD='su -c "nexutil -s621 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 41 | printf "\n\033[0;31m START WAITING\033[0m for $(EXP_LEN) seconds, timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 42 | sleep $(EXP_LEN) ##### WARNING 43 | printf "\n\033[0;31m END WAITING\033[0m timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 44 | make sh NODE=S ADBSHELLCMD='su -c "killall tcpdump | true"' | tee -a $(EXPDIR)/$@/make.log 45 | make pull NODE=S ADBPULLSRC=/sdcard/capture.pcap ADBPULLDST=$(EXPDIR)/$@/S/capture.pcap | tee -a $(EXPDIR)/$@/make.log 46 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.log ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.log | tee -a $(EXPDIR)/$@/make.log 47 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.err ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.err | tee -a $(EXPDIR)/$@/make.log 48 | printf "\n\033[0;34m END OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 49 | # git add $(EXPDIR)/$@ 50 | # git commit -m "EXPERIMENT: added results for $@." 
51 | 52 | experiment9.001: 53 | make clean 54 | make install-firmware NODE=S 55 | make install-firmware NODE=W 56 | make install-firmware NODE=R 57 | make clean 58 | make install-firmware NODE=J UCODEFILE=ucode-jammer-20in80mhz.asm 59 | rm -rf $(EXPDIR)/$@ 60 | mkdir -p $(EXPDIR)/$@ 61 | mkdir -p $(EXPDIR)/$@/S 62 | printf "\033[0;34m START OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee $(EXPDIR)/$@/make.log 63 | sleep 10 64 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s640 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 65 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s641 -i -v50"' | tee -a $(EXPDIR)/$@/make.log 66 | make sh NODE=S ADBSHELLCMD='su -c "nexutil -s610 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 67 | make sh NODE=S ADBSHELLCMD='su -c "export LD_PRELOAD=libfakeioctl.so && nohup tcpdump -i wlan0 -w /sdcard/capture.pcap > /sdcard/tcpdump.log 2>/sdcard/tcpdump.err &"' | tee -a $(EXPDIR)/$@/make.log 68 | make sh NODE=W ADBSHELLCMD='su -c "nexutil -s621 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 69 | printf "\n\033[0;31m START WAITING\033[0m for $(EXP_LEN) seconds, timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 70 | sleep $(EXP_LEN) ##### WARNING 71 | printf "\n\033[0;31m END WAITING\033[0m timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 72 | make sh NODE=S ADBSHELLCMD='su -c "killall tcpdump | true"' | tee -a $(EXPDIR)/$@/make.log 73 | make pull NODE=S ADBPULLSRC=/sdcard/capture.pcap ADBPULLDST=$(EXPDIR)/$@/S/capture.pcap | tee -a $(EXPDIR)/$@/make.log 74 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.log ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.log | tee -a $(EXPDIR)/$@/make.log 75 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.err ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.err | tee -a $(EXPDIR)/$@/make.log 76 | printf "\n\033[0;34m END OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 77 | # git add 
$(EXPDIR)/$@ 78 | # git commit -m "EXPERIMENT: added results for $@." 79 | 80 | experiment9.002: 81 | make clean 82 | make install-firmware NODE=S 83 | make install-firmware NODE=W 84 | make install-firmware NODE=R 85 | make clean 86 | make install-firmware NODE=J UCODEFILE=ucode-jammer-20in80mhz.asm 87 | rm -rf $(EXPDIR)/$@ 88 | mkdir -p $(EXPDIR)/$@ 89 | mkdir -p $(EXPDIR)/$@/S 90 | printf "\033[0;34m START OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee $(EXPDIR)/$@/make.log 91 | sleep 10 92 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s640 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 93 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s641 -i -v60"' | tee -a $(EXPDIR)/$@/make.log 94 | make sh NODE=S ADBSHELLCMD='su -c "nexutil -s610 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 95 | make sh NODE=S ADBSHELLCMD='su -c "export LD_PRELOAD=libfakeioctl.so && nohup tcpdump -i wlan0 -w /sdcard/capture.pcap > /sdcard/tcpdump.log 2>/sdcard/tcpdump.err &"' | tee -a $(EXPDIR)/$@/make.log 96 | make sh NODE=W ADBSHELLCMD='su -c "nexutil -s621 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 97 | printf "\n\033[0;31m START WAITING\033[0m for $(EXP_LEN) seconds, timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 98 | sleep $(EXP_LEN) ##### WARNING 99 | printf "\n\033[0;31m END WAITING\033[0m timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 100 | make sh NODE=S ADBSHELLCMD='su -c "killall tcpdump | true"' | tee -a $(EXPDIR)/$@/make.log 101 | make pull NODE=S ADBPULLSRC=/sdcard/capture.pcap ADBPULLDST=$(EXPDIR)/$@/S/capture.pcap | tee -a $(EXPDIR)/$@/make.log 102 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.log ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.log | tee -a $(EXPDIR)/$@/make.log 103 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.err ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.err | tee -a $(EXPDIR)/$@/make.log 104 | printf "\n\033[0;34m END OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n" $@ `date 
+%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 105 | 106 | experiment9.003: 107 | make clean 108 | make install-firmware NODE=S 109 | make install-firmware NODE=W 110 | make install-firmware NODE=R 111 | make clean 112 | make install-firmware NODE=J UCODEFILE=ucode-jammer-20in80mhz.asm 113 | rm -rf $(EXPDIR)/$@ 114 | mkdir -p $(EXPDIR)/$@ 115 | mkdir -p $(EXPDIR)/$@/S 116 | printf "\033[0;34m START OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee $(EXPDIR)/$@/make.log 117 | sleep 10 118 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s640 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 119 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s641 -i -v70"' | tee -a $(EXPDIR)/$@/make.log 120 | make sh NODE=S ADBSHELLCMD='su -c "nexutil -s610 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 121 | make sh NODE=S ADBSHELLCMD='su -c "export LD_PRELOAD=libfakeioctl.so && nohup tcpdump -i wlan0 -w /sdcard/capture.pcap > /sdcard/tcpdump.log 2>/sdcard/tcpdump.err &"' | tee -a $(EXPDIR)/$@/make.log 122 | make sh NODE=W ADBSHELLCMD='su -c "nexutil -s621 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 123 | printf "\n\033[0;31m START WAITING\033[0m for $(EXP_LEN) seconds, timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 124 | sleep $(EXP_LEN) ##### WARNING 125 | printf "\n\033[0;31m END WAITING\033[0m timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 126 | make sh NODE=S ADBSHELLCMD='su -c "killall tcpdump | true"' | tee -a $(EXPDIR)/$@/make.log 127 | make pull NODE=S ADBPULLSRC=/sdcard/capture.pcap ADBPULLDST=$(EXPDIR)/$@/S/capture.pcap | tee -a $(EXPDIR)/$@/make.log 128 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.log ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.log | tee -a $(EXPDIR)/$@/make.log 129 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.err ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.err | tee -a $(EXPDIR)/$@/make.log 130 | printf "\n\033[0;34m END OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n" $@ `date 
+%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 131 | 132 | experiment9.004: 133 | make clean 134 | make install-firmware NODE=S 135 | make install-firmware NODE=W 136 | make install-firmware NODE=R 137 | make clean 138 | make install-firmware NODE=J UCODEFILE=ucode-jammer-20in80mhz.asm 139 | rm -rf $(EXPDIR)/$@ 140 | mkdir -p $(EXPDIR)/$@ 141 | mkdir -p $(EXPDIR)/$@/S 142 | printf "\033[0;34m START OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee $(EXPDIR)/$@/make.log 143 | sleep 10 144 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s640 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 145 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s641 -i -v80"' | tee -a $(EXPDIR)/$@/make.log 146 | make sh NODE=S ADBSHELLCMD='su -c "nexutil -s610 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 147 | make sh NODE=S ADBSHELLCMD='su -c "export LD_PRELOAD=libfakeioctl.so && nohup tcpdump -i wlan0 -w /sdcard/capture.pcap > /sdcard/tcpdump.log 2>/sdcard/tcpdump.err &"' | tee -a $(EXPDIR)/$@/make.log 148 | make sh NODE=W ADBSHELLCMD='su -c "nexutil -s621 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 149 | printf "\n\033[0;31m START WAITING\033[0m for $(EXP_LEN) seconds, timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 150 | sleep $(EXP_LEN) ##### WARNING 151 | printf "\n\033[0;31m END WAITING\033[0m timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 152 | make sh NODE=S ADBSHELLCMD='su -c "killall tcpdump | true"' | tee -a $(EXPDIR)/$@/make.log 153 | make pull NODE=S ADBPULLSRC=/sdcard/capture.pcap ADBPULLDST=$(EXPDIR)/$@/S/capture.pcap | tee -a $(EXPDIR)/$@/make.log 154 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.log ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.log | tee -a $(EXPDIR)/$@/make.log 155 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.err ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.err | tee -a $(EXPDIR)/$@/make.log 156 | printf "\n\033[0;34m END OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n" $@ `date 
+%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 157 | 158 | experiment9.005: 159 | make clean 160 | make install-firmware NODE=S 161 | make install-firmware NODE=W 162 | make install-firmware NODE=R 163 | make clean 164 | make install-firmware NODE=J UCODEFILE=ucode-jammer-20in80mhz.asm 165 | rm -rf $(EXPDIR)/$@ 166 | mkdir -p $(EXPDIR)/$@ 167 | mkdir -p $(EXPDIR)/$@/S 168 | printf "\033[0;34m START OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee $(EXPDIR)/$@/make.log 169 | sleep 10 170 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s640 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 171 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s641 -i -v90"' | tee -a $(EXPDIR)/$@/make.log 172 | make sh NODE=S ADBSHELLCMD='su -c "nexutil -s610 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 173 | make sh NODE=S ADBSHELLCMD='su -c "export LD_PRELOAD=libfakeioctl.so && nohup tcpdump -i wlan0 -w /sdcard/capture.pcap > /sdcard/tcpdump.log 2>/sdcard/tcpdump.err &"' | tee -a $(EXPDIR)/$@/make.log 174 | make sh NODE=W ADBSHELLCMD='su -c "nexutil -s621 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 175 | printf "\n\033[0;31m START WAITING\033[0m for $(EXP_LEN) seconds, timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 176 | sleep $(EXP_LEN) ##### WARNING 177 | printf "\n\033[0;31m END WAITING\033[0m timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 178 | make sh NODE=S ADBSHELLCMD='su -c "killall tcpdump | true"' | tee -a $(EXPDIR)/$@/make.log 179 | make pull NODE=S ADBPULLSRC=/sdcard/capture.pcap ADBPULLDST=$(EXPDIR)/$@/S/capture.pcap | tee -a $(EXPDIR)/$@/make.log 180 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.log ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.log | tee -a $(EXPDIR)/$@/make.log 181 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.err ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.err | tee -a $(EXPDIR)/$@/make.log 182 | printf "\n\033[0;34m END OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n" $@ `date 
+%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 183 | 184 | experiment9.006: 185 | make clean 186 | make install-firmware NODE=S 187 | make install-firmware NODE=W 188 | make install-firmware NODE=R 189 | make clean 190 | make install-firmware NODE=J UCODEFILE=ucode-jammer-20in80mhz.asm 191 | rm -rf $(EXPDIR)/$@ 192 | mkdir -p $(EXPDIR)/$@ 193 | mkdir -p $(EXPDIR)/$@/S 194 | printf "\033[0;34m START OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee $(EXPDIR)/$@/make.log 195 | sleep 10 196 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s640 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 197 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s641 -i -v100"' | tee -a $(EXPDIR)/$@/make.log 198 | make sh NODE=S ADBSHELLCMD='su -c "nexutil -s610 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 199 | make sh NODE=S ADBSHELLCMD='su -c "export LD_PRELOAD=libfakeioctl.so && nohup tcpdump -i wlan0 -w /sdcard/capture.pcap > /sdcard/tcpdump.log 2>/sdcard/tcpdump.err &"' | tee -a $(EXPDIR)/$@/make.log 200 | make sh NODE=W ADBSHELLCMD='su -c "nexutil -s621 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 201 | printf "\n\033[0;31m START WAITING\033[0m for $(EXP_LEN) seconds, timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 202 | sleep $(EXP_LEN) ##### WARNING 203 | printf "\n\033[0;31m END WAITING\033[0m timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 204 | make sh NODE=S ADBSHELLCMD='su -c "killall tcpdump | true"' | tee -a $(EXPDIR)/$@/make.log 205 | make pull NODE=S ADBPULLSRC=/sdcard/capture.pcap ADBPULLDST=$(EXPDIR)/$@/S/capture.pcap | tee -a $(EXPDIR)/$@/make.log 206 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.log ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.log | tee -a $(EXPDIR)/$@/make.log 207 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.err ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.err | tee -a $(EXPDIR)/$@/make.log 208 | printf "\n\033[0;34m END OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n" $@ 
`date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 209 | 210 | experiment9.007: 211 | make clean 212 | make install-firmware NODE=S 213 | make install-firmware NODE=W 214 | make install-firmware NODE=R 215 | make clean 216 | make install-firmware NODE=J UCODEFILE=ucode-jammer-20in80mhz.asm 217 | rm -rf $(EXPDIR)/$@ 218 | mkdir -p $(EXPDIR)/$@ 219 | mkdir -p $(EXPDIR)/$@/S 220 | printf "\033[0;34m START OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee $(EXPDIR)/$@/make.log 221 | sleep 10 222 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s640 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 223 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s641 -i -v110"' | tee -a $(EXPDIR)/$@/make.log 224 | make sh NODE=S ADBSHELLCMD='su -c "nexutil -s610 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 225 | make sh NODE=S ADBSHELLCMD='su -c "export LD_PRELOAD=libfakeioctl.so && nohup tcpdump -i wlan0 -w /sdcard/capture.pcap > /sdcard/tcpdump.log 2>/sdcard/tcpdump.err &"' | tee -a $(EXPDIR)/$@/make.log 226 | make sh NODE=W ADBSHELLCMD='su -c "nexutil -s621 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 227 | printf "\n\033[0;31m START WAITING\033[0m for $(EXP_LEN) seconds, timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 228 | sleep $(EXP_LEN) ##### WARNING 229 | printf "\n\033[0;31m END WAITING\033[0m timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 230 | make sh NODE=S ADBSHELLCMD='su -c "killall tcpdump | true"' | tee -a $(EXPDIR)/$@/make.log 231 | make pull NODE=S ADBPULLSRC=/sdcard/capture.pcap ADBPULLDST=$(EXPDIR)/$@/S/capture.pcap | tee -a $(EXPDIR)/$@/make.log 232 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.log ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.log | tee -a $(EXPDIR)/$@/make.log 233 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.err ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.err | tee -a $(EXPDIR)/$@/make.log 234 | printf "\n\033[0;34m END OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n" 
$@ `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 235 | 236 | experiment9.008: 237 | make clean 238 | make install-firmware NODE=S 239 | make install-firmware NODE=W 240 | make install-firmware NODE=R 241 | make clean 242 | make install-firmware NODE=J UCODEFILE=ucode-jammer-20in80mhz.asm 243 | rm -rf $(EXPDIR)/$@ 244 | mkdir -p $(EXPDIR)/$@ 245 | mkdir -p $(EXPDIR)/$@/S 246 | printf "\033[0;34m START OF EXPERIMENT\033[0m exp: %s, timestamp: %s\n\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee $(EXPDIR)/$@/make.log 247 | sleep 10 248 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s640 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 249 | make sh NODE=J ADBSHELLCMD='su -c "nexutil -s641 -i -v120"' | tee -a $(EXPDIR)/$@/make.log 250 | make sh NODE=S ADBSHELLCMD='su -c "nexutil -s610 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 251 | make sh NODE=S ADBSHELLCMD='su -c "export LD_PRELOAD=libfakeioctl.so && nohup tcpdump -i wlan0 -w /sdcard/capture.pcap > /sdcard/tcpdump.log 2>/sdcard/tcpdump.err &"' | tee -a $(EXPDIR)/$@/make.log 252 | make sh NODE=W ADBSHELLCMD='su -c "nexutil -s621 -i -v$(CHANSPEC)"' | tee -a $(EXPDIR)/$@/make.log 253 | printf "\n\033[0;31m START WAITING\033[0m for $(EXP_LEN) seconds, timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 254 | sleep $(EXP_LEN) ##### WARNING 255 | printf "\n\033[0;31m END WAITING\033[0m timestamp: %s\n" `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 256 | make sh NODE=S ADBSHELLCMD='su -c "killall tcpdump | true"' | tee -a $(EXPDIR)/$@/make.log 257 | make pull NODE=S ADBPULLSRC=/sdcard/capture.pcap ADBPULLDST=$(EXPDIR)/$@/S/capture.pcap | tee -a $(EXPDIR)/$@/make.log 258 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.log ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.log | tee -a $(EXPDIR)/$@/make.log 259 | make pull NODE=S ADBPULLSRC=/sdcard/tcpdump.err ADBPULLDST=$(EXPDIR)/$@/S/tcpdump.err | tee -a $(EXPDIR)/$@/make.log 260 | printf "\n\033[0;34m END OF EXPERIMENT\033[0m exp: %s, timestamp: 
%s\n" $@ `date +%Y-%m-%d-%H:%M:%S` | tee -a $(EXPDIR)/$@/make.log 261 | 262 | FORCE: 263 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![NexMon logo](https://github.com/seemoo-lab/nexmon/raw/master/gfx/nexmon.png) 2 | 3 | # WiSec 2017 Nexmon Jammer 4 | 5 | At the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2017) 6 | we publish a paper on "Massive Reactive Smartphone-Based Jamming using Arbitrary Waveforms and 7 | Adaptive Power Control". This repository contains source code required to repeat the 8 | experiments we did for our paper. Additionally, it allows fellow researches to base their own 9 | research on our results. 10 | 11 | # Extract from our License 12 | 13 | Any use of the Software which results in an academic publication or 14 | other publication which includes a bibliography must include 15 | citations to the nexmon project (1) and the paper cited under (2): 16 | 17 | 1. "Matthias Schulz, Daniel Wegemer and Matthias Hollick. Nexmon: 18 | The C-based Firmware Patching Framework. https://nexmon.org" 19 | 20 | 2. "Matthias Schulz, Francesco Gringoli, Daniel Steinmetzer, Michael 21 | Koch and Matthias Hollick. Massive Reactive Smartphone-Based 22 | Jamming using Arbitrary Waveforms and Adaptive Power Control. 23 | Proceedings of the 10th ACM Conference on Security and Privacy 24 | in Wireless and Mobile Networks (WiSec 2017), July 2017." 25 | 26 | # Getting Started 27 | 28 | To compile the source code, you are required to first checkout a copy of the original nexmon 29 | repository that contains our C-based patching framework for Wi-Fi firmwares. That you checkout 30 | this repository as one of the sub-projects in the corresponding patches sub-directory. This 31 | allows you to build and compile all the firmware patches required to repeat our experiments. 
32 | The following steps will get you started on Xubuntu 16.04 LTS: 33 | 34 | 1. Install some dependencies: `sudo apt-get install git gawk qpdf adb` 35 | 2. **Only necessary for x86_64 systems**, install i386 libs: 36 | 37 | ``` 38 | sudo dpkg --add-architecture i386 39 | sudo apt-get update 40 | sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386 41 | ``` 42 | 3. Clone the nexmon base repository: `git clone https://github.com/seemoo-lab/nexmon.git`. 43 | 4. Checkout tag 2.2.1 as branch wisec2017: `git checkout tags/2.2.1 -b wisec2017`. Tag 2.2.1 ensures compatibility with this repository. 44 | 5. Download and extract Android NDK r11c (use exactly this version!). 45 | 6. Export the NDK_ROOT environment variable pointing to the location where you extracted the ndk so that it can be found by our build environment. 46 | 7. Navigate to the previously cloned nexmon directory and execute `source setup_env.sh` to set a couple of environment variables. 47 | 8. Run `make` to extract ucode, templateram and flashpatches from the original firmwares. 48 | 9. Navigate to utilities and run `make` to build all utilities such as nexmon. 49 | 10. Attach your rooted Nexus 5 smartphone running stock firmware version 6.0.1 (M4B30Z, Dec 2016). 50 | 11. Run `make install` to install all the built utilities on your phone. 51 | 12. Navigate to patches/bcm4339/6_37_34_43/ and clone this repository: `git clone https://github.com/seemoo-lab/wisec2017_nexmon_jammer.git` 52 | 13. Enter the created subdirectory wisec2017_nexmon_jammer and run `make install-firmware` to compile our firmware patch and install it on the attached Nexus 5 smartphone. 53 | 54 | # References 55 | 56 | * Matthias Schulz, Francesco Gringoli, Daniel Steinmetzer, Michael Koch and Matthias Hollick. **Massive Reactive Smartphone-Based Jamming using Arbitrary Waveforms and Adaptive Power Control**. 
Proceedings of the *10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2017)*, July 2017.
* Matthias Schulz, Daniel Wegemer and Matthias Hollick. **Nexmon: The C-based Firmware Patching Framework**. https://nexmon.org

[Get references as bibtex file](https://nexmon.org/bib)

# Contact

* [Matthias Schulz](https://seemoo.tu-darmstadt.de/mschulz)
* [Francesco Gringoli](http://netweb.ing.unibs.it/~gringoli/)

# Powered By

## Secure Mobile Networking Lab (SEEMOO)
![SEEMOO logo](https://github.com/seemoo-lab/nexmon/raw/master/gfx/seemoo.png)
## Networked Infrastructureless Cooperation for Emergency Response (NICER)
![NICER logo](https://github.com/seemoo-lab/nexmon/raw/master/gfx/nicer.png)
## Multi-Mechanisms Adaptation for the Future Internet (MAKI)
![MAKI logo](https://github.com/seemoo-lab/nexmon/raw/master/gfx/maki.png)
## Technische Universität Darmstadt
![TU Darmstadt logo](https://github.com/seemoo-lab/nexmon/raw/master/gfx/tudarmstadt.png)
## University of Brescia
![University of Brescia logo](https://github.com/seemoo-lab/nexmon/raw/master/gfx/brescia.png)
--------------------------------------------------------------------------------
/include/macros.inc:
--------------------------------------------------------------------------------
#ifndef MACROS_INC_
#define MACROS_INC_

/*
 * Preprocessor macros that expand to ucode instruction sequences for PHY
 * register access. Common convention: the register address is placed in r33
 * and the value in r34 before calling a subroutine; L52 and L54 are
 * presumably the firmware's PHY-register read and write routines (confirm
 * against the ucode disassembly), and after L52 the value read is taken from
 * SPR_Ext_IHR_Data. r33 and r34 are overwritten by every macro.
 */

/* Read PHY register `addr` into ucode register `target`
 * (`or x, 0x0, target` acts as a move). */
#define phy_reg_read(addr, target) \
	mov addr, r33 \
	calls L52 \
	or SPR_Ext_IHR_Data, 0x0, target

/* Read PHY register `addr` and store the value at memory location [target]
 * (shared memory, going by the macro name). */
#define phy_reg_read_to_shm(addr, target) \
	mov addr, r33 \
	calls L52 \
	or SPR_Ext_IHR_Data, 0x0, [target]

/* Write `value` to PHY register `addr`. */
#define phy_reg_write(addr, value) \
	mov addr, r33 \
	mov value, r34 \
	calls L54

/* Read-modify-write: reg[addr] |= value. The register is read (L52) and
 * written back (L54) in two steps, so a concurrent writer to the same
 * register in between would be overwritten. */
#define phy_reg_or(addr, value) \
	mov addr, r33 \
	calls L52 \
	mov value, r34 \
	or SPR_Ext_IHR_Data, r34, r34 \
	calls L54

/* Read-modify-write: reg[addr] &= value. Same two-step caveat as phy_reg_or. */
#define phy_reg_and(addr, value) \
	mov addr, r33 \
	calls L52 \
	mov value, r34 \
	and SPR_Ext_IHR_Data, r34, r34 \
	calls L54

/* Write one table word: select table `id` and `offset` through the ACPHY
 * TableID / TableOffset registers, then write `data` to TableDataLo.
 * `rev` is not a macro parameter and must be in scope where the macro is
 * used; the ACPHY_Table*(rev) address macros are defined elsewhere. */
#define phy_table_write_word(id, offset, data) \
	phy_reg_write(ACPHY_TableID(rev), id) \
	phy_reg_write(ACPHY_TableOffset(rev), offset) \
	phy_reg_write(ACPHY_TableDataLo(rev), data)

#endif /* MACROS_INC_ */
--------------------------------------------------------------------------------
/include/nex_phy_int.h:
--------------------------------------------------------------------------------
#ifndef NEX_PHY_INT_H_
#define NEX_PHY_INT_H_

/*
 * Convenience macros for AC-PHY register access from the firmware patch.
 * Everything they expand to is declared elsewhere: phy_reg_read,
 * phy_reg_mod and phy_reg_write (firmware functions), the
 * ACPHY_<reg>(rev) address macros, the ACPHY_<reg>_<field>_MASK/_SHIFT(rev)
 * field macros, and ACPHYREGC / ACPHYREGCE for per-core register names.
 * `pi->pubpi.phy_rev` selects the register-map revision in every lookup.
 */

/* wrapper macros to enable invalid register accesses error messages */
#define _PHY_REG_READ(pi, reg) phy_reg_read(pi, reg)
#define _PHY_REG_MOD(pi, reg, mask, val) phy_reg_mod(pi, reg, mask, val)
/* _READ_RADIO_REG / _MOD_RADIO_REG are not used by any macro in this header. */
#define _READ_RADIO_REG(pi, reg) read_radio_reg(pi, reg)
#define _MOD_RADIO_REG(pi, reg, mask, val) mod_radio_reg(pi, reg, mask, val)
#define _PHY_REG_WRITE(pi, reg, val) phy_reg_write(pi, reg, val)

/* Token-pasting helpers that build the MASK / SHIFT macro name for a field
 * of a per-core register. Three naming schemes exist, hence three variants:
 *   (none) -> ACPHY_Core0<reg>_<field>_MASK
 *   E      -> ACPHY_<reg>0_<field>_MASK
 *   EE     -> ACPHY_<reg>0_<field>0_MASK
 * Note that `core` is not used: the core-0 field definition is taken for
 * every core, which presumes the field layout is identical across cores. */
#define ACPHY_REG_FIELD_MASK(pi, reg, core, field) \
	ACPHY_Core0##reg##_##field##_MASK(pi->pubpi.phy_rev)
#define ACPHY_REG_FIELD_SHIFT(pi, reg, core, field) \
	ACPHY_Core0##reg##_##field##_SHIFT(pi->pubpi.phy_rev)
#define ACPHY_REG_FIELD_MASKE(pi, reg, core, field) \
	ACPHY_##reg##0_##field##_MASK(pi->pubpi.phy_rev)
#define ACPHY_REG_FIELD_SHIFTE(pi, reg, core, field) \
	ACPHY_##reg##0_##field##_SHIFT(pi->pubpi.phy_rev)
#define ACPHY_REG_FIELD_MASKEE(pi, reg, core, field) \
	ACPHY_##reg##0_##field##0_MASK(pi->pubpi.phy_rev)
#define ACPHY_REG_FIELD_SHIFTEE(pi, reg, core, field) \
	ACPHY_##reg##0_##field##0_SHIFT(pi->pubpi.phy_rev)

/* Whole-register writes: plain register, per-core (C) and per-core with the
 * alternative naming scheme (CE). */
#define WRITE_PHYREG(pi, reg, value) \
	_PHY_REG_WRITE(pi, ACPHY_##reg(pi->pubpi.phy_rev), (value))

#define WRITE_PHYREGC(pi, reg, core, value) \
	_PHY_REG_WRITE(pi, ACPHYREGC(pi, reg, core), (value))

#define WRITE_PHYREGCE(pi, reg, core, value) \
	_PHY_REG_WRITE(pi, ACPHYREGCE(pi, reg, core), (value))

/* Field writes: `value` is shifted into place and masked by phy_reg_mod;
 * `value` is not range-checked against the field width here. */
#define MOD_PHYREG(pi, reg, field, value) \
	_PHY_REG_MOD(pi, ACPHY_##reg(pi->pubpi.phy_rev), \
		ACPHY_##reg##_##field##_MASK(pi->pubpi.phy_rev), \
		((value) << ACPHY_##reg##_##field##_##SHIFT(pi->pubpi.phy_rev)))

#define MOD_PHYREGC(pi, reg, core, field, value) \
	_PHY_REG_MOD(pi, \
		ACPHYREGC(pi, reg, core), \
		ACPHY_REG_FIELD_MASK(pi, reg, core, field), \
		((value) << ACPHY_REG_FIELD_SHIFT(pi, reg, core, field)))

#define MOD_PHYREGCE(pi, reg, core, field, value) \
	_PHY_REG_MOD(pi, \
		ACPHYREGCE(pi, reg, core), \
		ACPHY_REG_FIELD_MASKE(pi, reg, core, field), \
		((value) << ACPHY_REG_FIELD_SHIFTE(pi, reg, core, field)))

#define MOD_PHYREGCEE(pi, reg, core, field, value) \
	_PHY_REG_MOD(pi, \
		ACPHYREGCE(pi, reg, core), \
		ACPHY_REG_FIELD_MASKEE(pi, reg, core, field), \
		((value) << ACPHY_REG_FIELD_SHIFTEE(pi, reg, core, field)))

/* Whole-register reads, same three addressing variants as the writes. */
#define READ_PHYREG(pi, reg) \
	_PHY_REG_READ(pi, ACPHY_##reg(pi->pubpi.phy_rev))

#define READ_PHYREGC(pi, reg, core) \
	_PHY_REG_READ(pi, ACPHYREGC(pi, reg, core))

#define READ_PHYREGCE(pi, reg, core) \
	_PHY_REG_READ(pi, ACPHYREGCE(pi, reg, core))

/* Field reads: read the register, mask the field and shift it down to bit 0. */
#define READ_PHYREGFLD(pi, reg, field) \
	((READ_PHYREG(pi, reg) \
		& ACPHY_##reg##_##field##_##MASK(pi->pubpi.phy_rev)) >> \
		ACPHY_##reg##_##field##_##SHIFT(pi->pubpi.phy_rev))

#define READ_PHYREGFLDC(pi, reg, core, field) \
	((READ_PHYREGC(pi, reg, core) \
		& ACPHY_REG_FIELD_MASK(pi, reg, core, field)) \
		>> ACPHY_REG_FIELD_SHIFT(pi, reg, core, field))

#define READ_PHYREGFLDCE(pi, reg, core, field) \
	((READ_PHYREGCE(pi, reg, core) \
		& ACPHY_REG_FIELD_MASKE(pi, reg, core, field)) \
		>> ACPHY_REG_FIELD_SHIFTE(pi, reg, core, field))

#endif /* NEX_PHY_INT_H_ */
--------------------------------------------------------------------------------
/include/signalgeneration.h:
--------------------------------------------------------------------------------
/***************************************************************************
 * *
 * ########### ########### ########## ########## *
 * ############ ############ ############ ############ *
 * ## ## ## ## ## ## ## *
 * ## ## ## ## ## ## ## *
 * ########### #### ###### ## ## ## ## ###### *
 * ########### #### # ## ## ## ## # # *
 * ## ## ###### ## ## ## ## # # *
 * ## ## # ## ## ## ## # # *
 * ############ ##### ###### ## ## ## ##### ###### *
 * ########### ########### ## ## ## ########## *
 * *
 * S E C U R E M O B I L E N E T W O R K I N G *
 * *
 * This file is part of NexMon. *
 * *
 * Copyright (c) 2016 NexMon Team *
 * *
 * NexMon is free software: you can redistribute it and/or modify *
 * it under the terms of the GNU General Public License as published by *
 * the Free Software Foundation, either version 3 of the License, or *
 * (at your option) any later version. *
 * *
 * NexMon is distributed in the hope that it will be useful, *
 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
 * GNU General Public License for more details. *
 * *
 * You should have received a copy of the GNU General Public License *
 * along with NexMon. If not, see . *
 * *
 **************************************************************************/

#ifndef SIGNALGENERATION_H
#define SIGNALGENERATION_H

/*
 * Fixed-point helpers in Q16.16: FIXED() converts an integer to 16.16 by
 * shifting left 16 (no overflow check; X must fit in 16 signed bits).
 * FLOAT() converts 16.16 back to an integer rounded to nearest, ties away
 * from zero: (X >> 15) + 1) >> 1 equals X / 65536 rounded half up, and the
 * negative branch mirrors it on -X.
 */
#define FIXED(X) ((int32)((X) << 16))
#define FLOAT(X) (((X) >= 0) ? ((((X) >> 15) + 1) >> 1) : -((((-(X)) >> 15) + 1) >> 1))
/* Plain 0, no pointer cast; will clash with a NULL defined by a header
 * included before this one. */
#define NULL 0
/* Evaluates x twice; do not pass expressions with side effects. */
#define ABS(x) ((x)<0 ? -(x) : (x))

/* Map a signed subcarrier index c to an IDFT bin: negative indices wrap to
 * the top of the num_samps-point transform. The 20/40/80 variants scale the
 * index by 4/2/1, presumably so that the subcarrier spacing of a 20, 40 or
 * 80 MHz signal lands in the same 80 MHz-wide transform — confirm against
 * the callers. c is evaluated twice. */
#define IDFTCARRIER(c,num_samps) (((c) < 0) ? ((num_samps) + (c)) : (c) )
#define IDFTCARRIER20(c,num_samps) IDFTCARRIER(4*(c),num_samps)
#define IDFTCARRIER40(c,num_samps) IDFTCARRIER(2*(c),num_samps)
#define IDFTCARRIER80(c,num_samps) IDFTCARRIER(c,num_samps)

/* Complex sample, quadrature first then in-phase, 32-bit components. */
typedef struct _cint32 {
	int q;
	int i;
} cint32;

/* Complex sample in polar form: unsigned 16-bit amplitude, signed 16-bit
 * phase (units of the phase are not fixed by this header). */
typedef struct _cint16ap {
	uint16 amplitude;
	int16 phase;
} cint16ap;

/* Complex sample, quadrature then in-phase, 16-bit components. */
typedef struct _cint16 {
	short q;
	short i;
} cint16;

/* Fill tone_buf with num_samps samples of a tone at f_kHz, amplitude
 * max_val, starting phase theta (16.16 presumed, see FIXED/FLOAT). */
extern void my_gen_samples(struct phy_info *pi, int f_kHz, unsigned short max_val, unsigned short num_samps, cint32* tone_buf, int32 theta);
/* Inverse FFT of num_samps polar frequency-domain samples into tone_buf. */
extern void ifft(struct phy_info *pi, cint16ap *freq_dom_samps, uint16 num_samps, cint32 *tone_buf);
/* Power of the num_samps samples in tone_buf (scale defined by the
 * implementation). */
extern uint32 pwr(cint32 *tone_buf, uint16 num_samps);
/* Generate and play a tone / an IFFT-shaped waveform through the PHY sample
 * play buffer; iqmode, mac_based, modify_bbmult, runsamples and loops are
 * handed to the PHY sample-play path (semantics defined in the .c file).
 * The *_ext variants take the sample count; the plain variant does not. */
extern void my_phy_tx_tone_acphy_ext(struct phy_info *pi, int32 f_kHz, uint16 max_val, uint8 iqmode, uint8 mac_based, uint8 modify_bbmult, uint8 runsamples, uint16 loops, unsigned int num_samps);
extern int my_phy_tx_ifft_acphy_ext(struct phy_info *pi, cint16ap *freq_dom_samps, uint8 iqmode, uint8 mac_based, uint8 modify_bbmult, uint8 runsamples, uint16 loops, unsigned int num_samps);
extern int my_phy_tx_tone_acphy(struct phy_info *pi, int32 f_kHz, uint16 max_val, uint8 iqmode, uint8 mac_based, uint8 modify_bbmult);
/* Clear the PHY sample play buffer. */
extern void clear_sample_play_buffer(struct phy_info *pi);

#endif /* SIGNALGENERATION_H */
--------------------------------------------------------------------------------
/include/vendor_radiotap.h:
--------------------------------------------------------------------------------
/***************************************************************************
 * *
 * ########### ########### ########## ########## *
 * ############ ############ ############ ############ *
 * ## ## ## ## ## ## ## *
 * ## ## ## ## ## ## ## *
 * ########### #### ###### ## ## ## ## ###### *
 * ########### #### # ## ## ## ## # # *
 * ##
## ###### ## ## ## ## # # * 10 | * ## ## # ## ## ## ## # # * 11 | * ############ ##### ###### ## ## ## ##### ###### * 12 | * ########### ########### ## ## ## ########## * 13 | * * 14 | * S E C U R E M O B I L E N E T W O R K I N G * 15 | * * 16 | * This file is part of NexMon. * 17 | * * 18 | * Copyright (c) 2016 NexMon Team * 19 | * * 20 | * NexMon is free software: you can redistribute it and/or modify * 21 | * it under the terms of the GNU General Public License as published by * 22 | * the Free Software Foundation, either version 3 of the License, or * 23 | * (at your option) any later version. * 24 | * * 25 | * NexMon is distributed in the hope that it will be useful, * 26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * 27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * 28 | * GNU General Public License for more details. * 29 | * * 30 | * You should have received a copy of the GNU General Public License * 31 | * along with NexMon. If not, see . * 32 | * * 33 | **************************************************************************/ 34 | 35 | #ifndef VENDOR_RADIOTAP_H 36 | #define VENDOR_RADIOTAP_H 37 | 38 | extern const struct ieee80211_radiotap_vendor_namespaces rtap_vendor_namespaces; 39 | 40 | /* Name Data type Units 41 | * ---- --------- ----- 42 | * 43 | * RADIOTAP_NEX_TXDELAY s32 milliseconds 44 | * 45 | * Value in milliseconds to wait before transmitting this frame 46 | * for the first time 47 | * 48 | * RADIOTAP_NEX_TXREPETITIONS 2 x s32 unitless, milliseconds 49 | * 50 | * Amount of how often this frame should be transmitted and the 51 | * periodicity in milliseconds of the retransmissions. 
Setting 52 | * the number of retransmissions to -1 leads to infinite 53 | * retransmissions 54 | * 55 | * RADIOTAP_NEX_RATESPEC u32 unitless 56 | * 57 | * Define the ratespec according to the definitions in rates.h 58 | * This value overrides the rate settings in the regular 59 | * radiotap header 60 | */ 61 | enum radiotap_nex_vendor_subns_0_type { 62 | RADIOTAP_NEX_TXDELAY = 0, 63 | RADIOTAP_NEX_TXREPETITIONS = 1, 64 | RADIOTAP_NEX_RATESPEC = 2 65 | }; 66 | 67 | #endif /* VENDOR_RADIOTAP_H */ 68 | -------------------------------------------------------------------------------- /include/wlc_phyreg_ac.inc: -------------------------------------------------------------------------------- 1 | #define ACPHY_TableID(rev) (0x00d) 2 | #define ACPHY_TableOffset(rev) (0x00e) 3 | #define ACPHY_TableDataLo(rev) (0x00f) 4 | #define ACPHY_TableDataHi(rev) (0x010) 5 | #define ACPHY_TableDataWide(rev) (0x011) 6 | #define ACPHY_iqloCalCmdGctl(rev) (0x382) 7 | #define ACPHY_RfseqMode(rev) (0x400) 8 | #define ACPHY_sampleCmd(rev) (0x460) 9 | #define ACPHY_sampleLoopCount(rev) (0x461) 10 | #define ACPHY_sampleInitWaitCount(rev) (0x462) 11 | #define ACPHY_sampleDepthCount(rev) (0x463) 12 | #define ACPHY_macbasedDACPlay(rev) (0x471) 13 | 14 | #define ACPHY_RfseqMode_CoreActv_override_SHIFT(rev) (0) 15 | #define ACPHY_RfseqMode_CoreActv_override_MASK(rev) ((0x1 << ACPHY_RfseqMode_CoreActv_override_SHIFT(rev))) -------------------------------------------------------------------------------- /patch.ld: -------------------------------------------------------------------------------- 1 | MEMORY 2 | { 3 | INCLUDE gen/memory.ld 4 | } 5 | 6 | SECTIONS 7 | { 8 | INCLUDE gen/flashpatches.ld 9 | INCLUDE gen/nexmon.ld 10 | } 11 | -------------------------------------------------------------------------------- /src/autostart.c: -------------------------------------------------------------------------------- 1 | /*************************************************************************** 2 | * * 3 | 
* ########### ########### ########## ########## * 4 | * ############ ############ ############ ############ * 5 | * ## ## ## ## ## ## ## * 6 | * ## ## ## ## ## ## ## * 7 | * ########### #### ###### ## ## ## ## ###### * 8 | * ########### #### # ## ## ## ## # # * 9 | * ## ## ###### ## ## ## ## # # * 10 | * ## ## # ## ## ## ## # # * 11 | * ############ ##### ###### ## ## ## ##### ###### * 12 | * ########### ########### ## ## ## ########## * 13 | * * 14 | * S E C U R E M O B I L E N E T W O R K I N G * 15 | * * 16 | * This file is part of NexMon. * 17 | * * 18 | * Copyright (c) 2016 NexMon Team * 19 | * * 20 | * NexMon is free software: you can redistribute it and/or modify * 21 | * it under the terms of the GNU General Public License as published by * 22 | * the Free Software Foundation, either version 3 of the License, or * 23 | * (at your option) any later version. * 24 | * * 25 | * NexMon is distributed in the hope that it will be useful, * 26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * 27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * 28 | * GNU General Public License for more details. * 29 | * * 30 | * You should have received a copy of the GNU General Public License * 31 | * along with NexMon. If not, see . * 32 | * * 33 | **************************************************************************/ 34 | 35 | #pragma NEXMON targetregion "patch" 36 | 37 | #include // definition of firmware version macros 38 | #include // wrapper definitions for functions that already exist in the firmware 39 | #include // structures that are used by the code in the firmware 40 | #include // useful helper functions 41 | #include // macros used to craete patches such as BLPatch, BPatch, ... 
42 | #include // rates used to build the ratespec for frame injection 43 | #include 44 | #include 45 | #include 46 | 47 | #ifdef EXPERIMENT 48 | #define _EXPERIMENT(exp) experiment_ ## exp 49 | #define _experiment_fn(exp) _EXPERIMENT(exp) 50 | #define experiment_fn _experiment_fn(EXPERIMENT) 51 | extern void experiment_fn(struct hndrte_timer *t); 52 | #endif 53 | 54 | //struct wlc_info *wlc = (struct wlc_info *) 0x1e8d8c; // for patch size 0x2000 55 | struct wlc_info *wlc = (struct wlc_info *) 0x204838; // for patch size 0x4000 56 | 57 | void 58 | autostart(int a1) 59 | { 60 | #ifdef EXPERIMENT 61 | schedule_work(autostart, wlc, experiment_fn, 20000 /* ms */, 0 /* not periodic */); 62 | #endif 63 | enable_interrupts_and_wait(a1); 64 | } 65 | 66 | __attribute__((at(0x1838AC, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704))) 67 | BPatch(autostart, autostart); 68 | -------------------------------------------------------------------------------- /src/experiment_1.c: -------------------------------------------------------------------------------- 1 | /*************************************************************************** 2 | * * 3 | * ########### ########### ########## ########## * 4 | * ############ ############ ############ ############ * 5 | * ## ## ## ## ## ## ## * 6 | * ## ## ## ## ## ## ## * 7 | * ########### #### ###### ## ## ## ## ###### * 8 | * ########### #### # ## ## ## ## # # * 9 | * ## ## ###### ## ## ## ## # # * 10 | * ## ## # ## ## ## ## # # * 11 | * ############ ##### ###### ## ## ## ##### ###### * 12 | * ########### ########### ## ## ## ########## * 13 | * * 14 | * S E C U R E M O B I L E N E T W O R K I N G * 15 | * * 16 | * This file is part of NexMon. 
 *                                                                         *
 *                                                                         *
 *  Copyright (c) 2016 NexMon Team                                         *
 *                                                                         *
 *  NexMon is free software: you can redistribute it and/or modify         *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation, either version 3 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  NexMon is distributed in the hope that it will be useful,              *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the           *
 *  GNU General Public License for more details.                           *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with NexMon. If not, see .                                       *
 *                                                                         *
 ***************************************************************************/

#pragma NEXMON targetregion "patch"

#include // definition of firmware version macros
#include // wrapper definitions for functions that already exist in the firmware
#include // structures that are used by the code in the firmware
#include // useful helper functions
#include // macros used to create patches such as BLPatch, BPatch, ...
#include // rates used to build the ratespec for frame injection
#include
#include
#include

/*
 * experiment_1: TX gain-index sweep.
 *
 * experiment_1() sets the channel, loads a 4000 kHz tone into the PHY sample
 * buffer and schedules experiment_worker every 1000 ms (periodic). Each
 * worker tick advances `counter`; for every gain index the sample buffer is
 * played for TRANSMISSION_LEN ticks and stopped for BREAK_LEN ticks, starting
 * at index START_INDEX and ending with index 127.
 */

#define TRANSMISSION_LEN 60   // ticks of playback per gain index
#define BREAK_LEN 10          // ticks of silence after each playback
#define EXPERIMENT_LEN (TRANSMISSION_LEN + BREAK_LEN)
#define START_INDEX 25        // first gain index of the sweep

// Disables TX power control and applies an explicit gain setting.
// Not called in this file; kept as an alternative to the index variant below.
static void
exp_set_gains(struct phy_info *pi, uint8 ipa, uint8 txlpf, uint8 pga, uint8 pad, uint8 txgm, uint8 bbmult)
{
    wlc_phy_txpwrctrl_enable_acphy(pi, 0);
    ac_txgain_setting_t gains = { 0 };
    gains.ipa = ipa; // default: 255 (650 mW)
    gains.txlpf = txlpf; // default: 0
    gains.pga = pga;
    gains.pad = pad; // default: 255 (100 mW)
    gains.txgm = txgm; // default: 255
    gains.bbmult = bbmult; // maximum value: 255, for iq transmissions set to 64, normally below
    wlc_phy_txcal_txgain_cleanup_acphy(pi, &gains);
}

// Disables TX power control and applies the firmware's gain table entry
// `index` (the sweep uses indices START_INDEX..127).
static void
exp_set_gains_by_index(struct phy_info *pi, int8 index)
{
    ac_txgain_setting_t gains = { 0 };
    wlc_phy_txpwrctrl_enable_acphy(pi, 0);
    wlc_phy_get_txgain_settings_by_index_acphy(pi, &gains, index);
    wlc_phy_txcal_txgain_cleanup_acphy(pi, &gains);
}

// Tick counter, incremented on every worker invocation; reset when the sweep ends.
static int counter = 0;

// Periodic timer callback driving the sweep (t->data carries the wlc_info).
static void
experiment_worker(struct hndrte_timer *t)
{
    struct wlc_info *wlc = (struct wlc_info *) t->data;
    struct phy_info *pi = wlc->hw->band->pi;

    // we only have 128 possible indices: stop once the next index would be 128
    if ((counter / EXPERIMENT_LEN + START_INDEX) == 128) {
        hndrte_del_timer(t);
        hndrte_free_timer(t);
        counter = 0;
        printf("experiments are finished");
    } else if (counter % EXPERIMENT_LEN == 0) {
        // start of a period: select the next gain index and replay the
        // 512-sample buffer loaded by experiment_1() (0xffff loops)
        //printf("starting at %d with index %d\n", counter, counter/EXPERIMENT_LEN + START_INDEX);
        exp_set_gains_by_index(pi, (counter/EXPERIMENT_LEN) + START_INDEX);
        wlc_phy_runsamples_acphy(pi, 512 /* num_samps */, 0xffff /* loops */, 0 /* wait */, 0 /* iqmode */, 0 /* mac_based */);
    } else if ((counter + BREAK_LEN) % EXPERIMENT_LEN == 0) {
        // BREAK_LEN ticks before the next period: stop playback
        //printf("stopping at %d\n", counter);
        wlc_phy_stopplayback_acphy(pi);
    }

    counter++;
}

// Entry point scheduled from autostart.c; prepares the PHY and starts the worker.
void
experiment_1(struct hndrte_timer *t)
{
    printf("%s: enter\n", __FUNCTION__);

    struct wlc_info *wlc = (struct wlc_info *) t->data;

    set_scansuppress(wlc, 1);
    set_mpc(wlc, 0);

    struct phy_info *pi = wlc->hw->band->pi;

    // alternative channel settings used in other runs of this experiment
    //set_chanspec(wlc, CH20MHZ_CHSPEC(7));
    //set_chanspec(wlc, CH40MHZ_CHSPEC(7, WL_CHANSPEC_CTL_SB_L));
    //set_chanspec(wlc, CH80MHZ_CHSPEC(7, WL_CHANSPEC_CTL_SB_L));
    //set_chanspec(wlc, CH20MHZ_CHSPEC(106));
    //set_chanspec(wlc, CH40MHZ_CHSPEC(106, WL_CHANSPEC_CTL_SB_L));
    set_chanspec(wlc, CH80MHZ_CHSPEC(106, WL_CHANSPEC_CTL_SB_L));

    wlc_phy_stay_in_carriersearch_acphy(pi, 1);

    uint32 num_samps = 512;

    // firmware malloc takes a second argument (0 here); the result is not
    // checked for NULL before use
    cint16ap *freq_dom_samps = (cint16ap *) malloc(sizeof(cint16ap) * num_samps, 0);
    memset(freq_dom_samps, 0, sizeof(cint16ap) * num_samps);

    // Fill every 8th carrier from -128 to 128. c is int and num_samps is
    // uint32, so `c % num_samps` converts c to unsigned first; for negative
    // c this still lands on the wrapped bin num_samps + c because 2^32 is a
    // multiple of 512 - the expression relies on that, IDFTCARRIER() from
    // signalgeneration.h states the intent explicitly.
    int c;
    //for (c = -128; c <= 128; c+=4){
    for (c = -128; c <= 128; c+=8) {
    //for (c = -128; c <= 128; c+=1){
        freq_dom_samps[c % num_samps].amplitude = 20;
        //amplitudes[c % num_samps] = 3;
        freq_dom_samps[c % num_samps].phase = (c > 0) ? 0 : 90;
        //phases[c % num_samps] = (c > 0) ? 0 : 90;
    }
    // no DC component
    freq_dom_samps[0].amplitude = 0;
    freq_dom_samps[0].phase = 0;

    // freq_dom_samps is only consumed by the (commented-out) ifft variant;
    // the active call loads a single 4000 kHz tone with max_val 181 and does
    // not start playback (runsamples = 0) - the worker starts it per index.
    //my_phy_tx_ifft_acphy_ext(pi, freq_dom_samps, 0 /* iqmode */, 0 /* mac_based */, 0 /* modify_bbmult */, 0 /* runsamples */, 0xffff /* loops */, num_samps);
    my_phy_tx_tone_acphy_ext(pi, 4000, 181, 0 /* iqmode */, 0 /* mac_based */, 0 /* modify_bbmult */, 0 /* runsamples */, 0xffff /* loops */, num_samps);

    free(freq_dom_samps);

    // run experiment_worker every 1000 ms, periodic (argument order as in autostart.c)
    schedule_work(0, wlc, experiment_worker, 1000, 1);
}
-------------------------------------------------------------------------------- /src/experiment_2.c: --------------------------------------------------------------------------------
/***************************************************************************
 *                                                                         *
 *  ########### ########### ########## ##########                          *
 *  ############ ############ ############ ############                    *
 *  ##          ##       ##  ##       ##  ##                               *
 *  ##          ##       ##  ##       ##  ##                               *
 *  ########### ####  ######  ##       ##  ##  ######                      *
 *  ########### ####  #       ##       ##  ##  #   #                       *
 *  ##          ##    ######  ##       ##  ##  #   #                       *
 *  ##          ##    #       ##       ##  ##  #   #                       *
 *  ############ ##### ###### ##       ##  ##### ######                    *
 *  ########### ########### ##       ##  ##########                        *
 *                                                                         *
 *  S E C U R E   M O B I L E   N E T W O R K I N G                        *
 *                                                                         *
 *  This file is part of NexMon.                                           *
 *                                                                         *
 *  Copyright (c) 2016 NexMon Team                                         *
 *                                                                         *
 *  NexMon is free software: you can redistribute it and/or modify         *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation, either version 3 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  NexMon is distributed in the hope that it will be useful,              *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the           *
 *  GNU General Public License for more details.
 *                                                                         *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with NexMon. If not, see .                                       *
 *                                                                         *
 ***************************************************************************/

#pragma NEXMON targetregion "patch"

#include // definition of firmware version macros
#include // wrapper definitions for functions that already exist in the firmware
#include // structures that are used by the code in the firmware
#include // useful helper functions
#include // macros used to create patches such as BLPatch, BPatch, ...
#include // rates used to build the ratespec for frame injection
#include
#include
#include

/*
 * experiment_2: channel sweep.
 *
 * experiment_2() schedules experiment_worker every 1000 ms (periodic). Each
 * worker tick advances `counter`; at the start of every EXPERIMENT_LEN-tick
 * period one of six channel settings is selected (periods 10-15 only, see
 * the switch below), and BREAK_LEN ticks before the next period set_mpc is
 * switched back to 1. The run ends after 20 periods.
 */

#define TRANSMISSION_LEN 60   // ticks per period with set_mpc(wlc, 0)
#define BREAK_LEN 10          // ticks per period with set_mpc(wlc, 1)
#define EXPERIMENT_LEN (TRANSMISSION_LEN + BREAK_LEN)

// Tick counter, incremented on every worker invocation; reset when the run ends.
static int counter = 0;

// Periodic timer callback driving the sweep (t->data carries the wlc_info).
static void
experiment_worker(struct hndrte_timer *t)
{
    struct wlc_info *wlc = (struct wlc_info *) t->data;
    //struct phy_info *pi = wlc->hw->band->pi;

    // The run ends after 20 periods. (The "128 possible indices" remark this
    // was derived from in experiment_1 does not apply here: no gain index is
    // used in this experiment.)
    if ((counter / EXPERIMENT_LEN) == 20) {
        hndrte_del_timer(t);
        hndrte_free_timer(t);
        counter = 0;
        printf("experiments are finished");
    } else if (counter % EXPERIMENT_LEN == 0) {
        // Start of a period: pick this period's channel. Periods 0-9 and
        // 16-19 have no case label and change nothing; because the run stops
        // at period 20 (checked above), the labels 20 and above can never be
        // reached.
        switch (counter / EXPERIMENT_LEN) {
            case 10:
            case 20:
            case 30:
                set_chanspec(wlc, CH20MHZ_CHSPEC(7));
                printf("chanspec: %04x\n", get_chanspec(wlc));
                set_mpc(wlc, 0);
                break;
            case 11:
            case 21:
            case 31:
                set_chanspec(wlc, CH40MHZ_CHSPEC(7, WL_CHANSPEC_CTL_SB_L));
                printf("chanspec: %04x\n", get_chanspec(wlc));
                set_mpc(wlc, 0);
                break;
            case 12:
            case 22:
            case 32:
                set_chanspec(wlc, CH80MHZ_CHSPEC(7, WL_CHANSPEC_CTL_SB_L));
                printf("chanspec: %04x\n", get_chanspec(wlc));
                set_mpc(wlc, 0);
                break;
            case 13:
            case 23:
            case 33:
                set_chanspec(wlc, CH20MHZ_CHSPEC(106));
                printf("chanspec: %04x\n", get_chanspec(wlc));
                set_mpc(wlc, 0);
                break;
            case 14:
            case 24:
            case 34:
                set_chanspec(wlc, CH40MHZ_CHSPEC(106, WL_CHANSPEC_CTL_SB_L));
                printf("chanspec: %04x\n", get_chanspec(wlc));
                set_mpc(wlc, 0);
                break;
            case 15:
            case 25:
            case 35:
                set_chanspec(wlc, CH80MHZ_CHSPEC(106, WL_CHANSPEC_CTL_SB_L));
                printf("chanspec: %04x\n", get_chanspec(wlc));
                set_mpc(wlc, 0);
                break;
        }
    } else if ((counter + BREAK_LEN) % EXPERIMENT_LEN == 0) {
        // BREAK_LEN ticks before the next period
        set_mpc(wlc, 1);
    }

    counter++;
}

// Entry point scheduled from autostart.c; starts the worker.
void
experiment_2(struct hndrte_timer *t)
{
    printf("%s: enter\n", __FUNCTION__);

    struct wlc_info *wlc = (struct wlc_info *) t->data;

    set_scansuppress(wlc, 1);
    set_mpc(wlc, 1);

    // run experiment_worker every 1000 ms, periodic (argument order as in autostart.c)
    schedule_work(0, wlc, experiment_worker, 1000, 1);
}
-------------------------------------------------------------------------------- /src/injection.c: --------------------------------------------------------------------------------
/***************************************************************************
 *                                                                         *
 *  ########### ########### ########## ##########                          *
 *  ############ ############ ############ ############                    *
 *  ##          ##       ##  ##       ##  ##                               *
 *  ##          ##       ##  ##       ##  ##                               *
 *  ########### ####  ######  ##       ##  ##  ######                      *
 *  ########### ####  #       ##       ##  ##  #   #                       *
 *  ##          ##    ######  ##       ##  ##  #   #                       *
 *  ##          ##    #       ##       ##  ##  #   #                       *
 *  ############ ##### ###### ##       ##  ##### ######                    *
 *  ########### ########### ##       ##  ##########                        *
 *                                                                         *
 *  S E C U R E   M O B I L E   N E T W O R K I N G                        *
 *                                                                         *
 *  This file is part of NexMon.
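 *                                                                         *
 *                                                                         *
 *  Copyright (c) 2016 NexMon Team                                         *
 *                                                                         *
 *  NexMon is free software: you can redistribute it and/or modify         *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation, either version 3 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  NexMon is distributed in the hope that it will be useful,              *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the           *
 *  GNU General Public License for more details.                           *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with NexMon. If not, see .                                       *
 *                                                                         *
 ***************************************************************************/

#pragma NEXMON targetregion "patch"

#include // definition of firmware version macros
#include // contains macros to access the debug hardware
#include // wrapper definitions for functions that already exist in the firmware
#include // structures that are used by the code in the firmware
#include // useful helper functions
#include // macros used to create patches such as BLPatch, BPatch, ...
#include // rates used to build the ratespec for frame injection
#include
#include // radiotap header related
#include // vendor specific radiotap extensions
#include // sendframe functionality
#include // related to security cookie

/*
 * injection.c - intercepts frames the host hands to the firmware for
 * transmission and diverts two kinds of them:
 *
 *  - NEXUDP packets (broadcast UDP to NEXUDP_PORT whose payload starts with
 *    "NEX"): either an ioctl tunneled over UDP (the answer is sent back the
 *    same way) or a radiotap-encapsulated frame to inject. Both require a
 *    valid security cookie.
 *  - In monitor mode, any frame that starts with a radiotap header is
 *    injected as-is.
 *
 * Everything else is passed on to the original handler. All header fields
 * are read only after checking that the buffer is long enough to hold them.
 */

#define NEXUDP_IOCTL 0
#define NEXUDP_INJECT_RADIOTAP 1

/* UDP destination port on which NEXUDP packets are recognised. */
#define NEXUDP_PORT 5500

/* Length of the BDC header in front of the ethernet frame in p->data. The
 * complete bdc+ethernet+ip+udp length is sizeof(struct bdc_ethernet_ip_udp_header). */
#define BDC_HEADER_LEN 4

extern int wlc_ioctl_hook(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if);
extern void prepend_ethernet_ipv4_udp_header(struct sk_buff *p);

/* Header following the UDP header in every NEXUDP packet. */
struct nexudp_header {
    char nex[3];          // magic "NEX"
    char type;            // NEXUDP_IOCTL or NEXUDP_INJECT_RADIOTAP
    int securitycookie;   // verified by check_securitycookie() before anything is acted on
} __attribute__((packed));

/* Layout of a NEXUDP_IOCTL packet: nexudp header, ioctl command, set flag,
 * then the argument buffer (payload[1] is a flexible-array placeholder). */
struct nexudp_ioctl_header {
    struct nexudp_header nexudphdr;
    unsigned int cmd;
    unsigned int set;
    char payload[1];
} __attribute__((packed));

/* Reads a little-endian 32-bit value byte by byte, so p need not be aligned. */
inline uint32_t
get_unaligned_le32(void *p) {
    return ((uint8 *) p)[0] | ((uint8 *) p)[1] << 8 | ((uint8 *) p)[2] << 16 | ((uint8 *) p)[3] << 24;
}

/* Logs `reason`, frees p and returns 0 so callers can `return drop_frame(...)`. */
static void *
drop_frame(struct wlc_info *wlc, struct sk_buff *p, const char *reason)
{
    printf("%s", reason);
    pkt_buf_free_skb(wlc->osh, p, 0);
    return 0;
}

/*
 * Injects the radiotap-encapsulated 802.11 frame in p.
 *
 * The radiotap header is parsed for the rate (regular namespace) and for the
 * nexmon vendor fields (tx delay, repetitions/periodicity, ratespec - the
 * latter overrides the regular rate). The header is then stripped, d11
 * headers are prepended and the frame is handed to sendframe_with_timer.
 *
 * Takes ownership of p: the buffer is freed when the radiotap header is
 * shorter than the buffer can hold or does not fit in it. Always returns 0.
 */
void *
inject_frame(struct wlc_info *wlc, struct sk_buff *p)
{
    int rtap_len = 0;
    int data_rate = 0;
    unsigned char use_ratespec = 0;
    int txdelay = 0;
    int txrepetitions = 0;
    int txperiodicity = 0;
    int ret;

    struct ieee80211_radiotap_iterator iterator;
    struct ieee80211_radiotap_header *rtap_header;

    // it_len lives at bytes 2..3 of the header; make sure they exist.
    if (p->len < sizeof(struct ieee80211_radiotap_header))
        return drop_frame(wlc, p, "rtap_init error\n");

    // it_len is a little-endian u16: read both bytes (a single signed-char
    // read would truncate lengths >= 128 and turn them negative).
    rtap_len = ((uint8 *) p->data)[2] | (((uint8 *) p->data)[3] << 8);
    rtap_header = (struct ieee80211_radiotap_header *) p->data;

    // The header must fit in the buffer and must leave bytes to send.
    if (rtap_len < (int) sizeof(struct ieee80211_radiotap_header) || rtap_len >= p->len)
        return drop_frame(wlc, p, "rtap_init error\n");

    // Pass the real buffer size as the limit so the iterator can reject a
    // header that claims more than is present.
    ret = ieee80211_radiotap_iterator_init(&iterator, rtap_header, p->len, &rtap_vendor_namespaces);
    if (ret)
        return drop_frame(wlc, p, "rtap_init error\n");

    while (!ret) {
        ret = ieee80211_radiotap_iterator_next(&iterator);
        if (ret) {
            // NOTE(review): a non-zero return means both "end of header" and
            // "malformed header" here; whether the iterator port in use
            // distinguishes the two is not visible from this file, so the
            // frame is still sent in either case.
            break;
        }

        if (iterator.current_namespace == &rtap_vendor_namespaces.ns[0]) {
            switch (iterator.this_arg_index) {
                case RADIOTAP_NEX_TXDELAY:
                    txdelay = get_unaligned_le32(iterator.this_arg);
                    break;

                case RADIOTAP_NEX_TXREPETITIONS:
                    // two s32: repetition count (-1 = infinite), then period in ms
                    txrepetitions = get_unaligned_le32(iterator.this_arg);
                    txperiodicity = get_unaligned_le32(iterator.this_arg + 4);
                    break;

                case RADIOTAP_NEX_RATESPEC:
                    data_rate = get_unaligned_le32(iterator.this_arg);
                    use_ratespec = 1; // overrides the rate of the regular radiotap header
                    break;

                default:
                    printf("unknown vendor field %d\n", iterator.this_arg_index);
            }
        } else if (iterator.current_namespace == &radiotap_ns) {
            switch (iterator.this_arg_index) {
                case IEEE80211_RADIOTAP_RATE:
                    if (!use_ratespec) {
                        data_rate = (*iterator.this_arg);
                    }
                    break;

                case IEEE80211_RADIOTAP_CHANNEL:
                    // the channel field is currently ignored
                    //printf("Channel (freq): %d\n", iterator.this_arg[0] | (iterator.this_arg[1] << 8) );
                    break;

                default:
                    //printf("default: %d\n", iterator.this_arg_index);
                    break;
            }
        }
    }

    // remove radiotap header (checked above to be shorter than p->len)
    skb_pull(p, rtap_len);

    // NOTE(review): the remaining bytes are assumed to form a complete 802.11
    // frame; no minimum-length check for the 802.11 header is done here.
    wlc_d11hdrs_ext(wlc, p, wlc->band->hwrs_scb, 0, 0, 1, 1, 0, 0, data_rate, 0);
    p->scb = wlc->band->hwrs_scb;

    // 124 bytes is d11txh length, 4 bytes are added in wlc_d11hdrs_ext,
    // 16 bytes just for fun - uncomment to dump the prepared frame
    //hexdump("d11txh", p->data, 124 + 4 + 16);

    sendframe_with_timer(wlc, p, 1, data_rate, txdelay, txrepetitions, txperiodicity);

    return 0;
}

/*
 * Hooked in place of the firmware's SDIO xmit handler: every frame the host
 * sends for transmission passes through here (p may be 0).
 *
 * NEXUDP packets (see file header) are consumed here; radiotap frames in
 * monitor mode are injected; everything else goes to the original handler
 * handle_sdio_xmit_request_ram. Returns the chosen path's result (0 for the
 * paths handled in this file).
 */
void *
handle_sdio_xmit_request_hook(void *sdio_hw, struct sk_buff *p)
{
    struct wl_info *wl = *(*((struct wl_info ***) sdio_hw + 15) + 6);
    struct wlc_info *wlc = wl->wlc;
    // Fixed-offset view of the ethernet/ip/udp headers behind the BDC header
    // (the cast applies to the address, not to the comparison).
    struct ethernet_ip_udp_header *ethfrm = (p != 0) ? (struct ethernet_ip_udp_header *) (p->data + BDC_HEADER_LEN) : 0;
    struct nexudp_ioctl_header *nexioctlhdr = (struct nexudp_ioctl_header *) (((void *) ethfrm) + sizeof(struct ethernet_ip_udp_header));
    struct nexudp_header *nexudphdr = &nexioctlhdr->nexudphdr;
    // Bytes that must be present before ethfrm / nexudphdr may be dereferenced.
    unsigned int nexudp_min_len = sizeof(struct bdc_ethernet_ip_udp_header) + sizeof(struct nexudp_header);

    // A NEXUDP packet: destination MAC ff:ff:ff:ff:ff:ff, UDP port NEXUDP_PORT,
    // payload starting with "NEX". The length test comes first so the header
    // fields are only read when the buffer actually contains them.
    if (p != 0 && p->data != 0 && p->len >= nexudp_min_len
            && !memcmp(&ethfrm->ethernet.dst, "\xff\xff\xff\xff\xff\xff", 6)
            && ethfrm->udp.dst_port == htons(NEXUDP_PORT)
            && !memcmp(&nexudphdr->nex, "NEX", 3)) {

        if (!check_securitycookie(nexudphdr->securitycookie))
            return drop_frame(wlc, p, "ERR: incorrect or unset security cookie.\n");

        // remove bdc, ethernet, ip, udp and nexudp headers; nexioctlhdr still
        // points at the unchanged buffer memory, only p->data / p->len move
        skb_pull(p, sizeof(struct bdc_ethernet_ip_udp_header) + sizeof(struct nexudp_header));

        switch (nexudphdr->type) {
            case NEXUDP_IOCTL:
                // cmd and set must be present, otherwise the payload length
                // passed below underflows
                if (p->len < sizeof(nexioctlhdr->cmd) + sizeof(nexioctlhdr->set))
                    return drop_frame(wlc, p, "ERR: truncated NEXUDP ioctl.\n");

                wlc_ioctl_hook(wlc, nexioctlhdr->cmd, nexioctlhdr->payload, p->len - sizeof(nexioctlhdr->cmd) - sizeof(nexioctlhdr->set), 0);

                // prepare to send back an answer tunneled over udp
                prepend_ethernet_ipv4_udp_header(p);

                // send back the answer
                wl->dev->chained->funcs->xmit(wl->dev, wl->dev->chained, p);
                return 0;

            case NEXUDP_INJECT_RADIOTAP:
                return inject_frame(wlc, p);

            default:
                hexdump("test", p->data, p->len);
                pkt_buf_free_skb(wlc->osh, p, 0);
                return 0;
        }
    } else if (wlc->monitor && p != 0 && p->data != 0
            && p->len >= BDC_HEADER_LEN + sizeof(struct ieee80211_radiotap_header)
            && ((short *) p->data)[2] == 0) {
        // In monitor mode a frame whose first two bytes after the BDC header
        // are zero (radiotap it_version / it_pad) is treated as a radiotap
        // frame and injected; frames too short for a radiotap header are
        // handled normally instead.
        skb_pull(p, BDC_HEADER_LEN);
        return inject_frame(wlc, p);
    } else {
        // otherwise, handle frame normally
        return handle_sdio_xmit_request_ram(sdio_hw, p);
    }
}

// Hook the call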
// to handle_sdio_xmit_request_hook in sdio_header_parsing_from_sk_buff
__attribute__((at(0x182AAA, "", CHIP_VER_BCM4339, FW_VER_ALL)))
BPatch(handle_sdio_xmit_request_hook, handle_sdio_xmit_request_hook);

// Replace the entry in the function pointer table by handle_sdio_xmit_request_hook
__attribute__((at(0x180BCC, "", CHIP_VER_BCM4339, FW_VER_ALL)))
GenericPatch4(handle_sdio_xmit_request_hook, handle_sdio_xmit_request_hook + 1);
-------------------------------------------------------------------------------- /src/ioctl.c: --------------------------------------------------------------------------------
/***************************************************************************
 *                                                                         *
 *  ########### ########### ########## ##########                          *
 *  ############ ############ ############ ############                    *
 *  ##          ##       ##  ##       ##  ##                               *
 *  ##          ##       ##  ##       ##  ##                               *
 *  ########### ####  ######  ##       ##  ##  ######                      *
 *  ########### ####  #       ##       ##  ##  #   #                       *
 *  ##          ##    ######  ##       ##  ##  #   #                       *
 *  ##          ##    #       ##       ##  ##  #   #                       *
 *  ############ ##### ###### ##       ##  ##### ######                    *
 *  ########### ########### ##       ##  ##########                        *
 *                                                                         *
 *  S E C U R E   M O B I L E   N E T W O R K I N G                        *
 *                                                                         *
 *  This file is part of NexMon.                                           *
 *                                                                         *
 *  Copyright (c) 2016 NexMon Team                                         *
 *                                                                         *
 *  NexMon is free software: you can redistribute it and/or modify         *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation, either version 3 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  NexMon is distributed in the hope that it will be useful,              *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the           *
 *  GNU General Public License for more details.                           *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with NexMon. If not, see .                                       *
 *                                                                         *
 ***************************************************************************/

#pragma NEXMON targetregion "patch"

#include // definition of firmware version macros
#include // contains macros to access the debug hardware
#include // wrapper definitions for functions that already exist in the firmware
#include // structures that are used by the code in the firmware
#include // useful helper functions
#include // macros used to create patches such as BLPatch, BPatch, ...
#include // rates used to build the ratespec for frame injection
#include // ioctls added in the nexmon patch
#include // version information
#include // allows to execute argprintf to print into the arg buffer

// Per-range handlers for the nexmon ioctls (commands 400-899), one file each.
extern int wlc_ioctl_4xx(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if);
extern int wlc_ioctl_5xx(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if);
extern int wlc_ioctl_6xx(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if);
extern int wlc_ioctl_7xx(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if);
extern int wlc_ioctl_8xx(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if);

/*
 * Entry point for every ioctl reaching the firmware (installed over the
 * firmware's wlc_ioctl pointer by the GenericPatch4 below). Nexmon's own
 * ioctls occupy the ranges 400-899 and are dispatched by hundreds to
 * wlc_ioctl_4xx .. wlc_ioctl_8xx; every other command, including negative
 * ones, goes to the original wlc_ioctl.
 *
 * argprintf_init() is called first so any handler may use argprintf() to
 * write its answer into arg (len bytes). Returns the selected handler's
 * result.
 */
int
wlc_ioctl_hook(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if)
{
    int ret = IOCTL_ERROR;
    argprintf_init(arg, len);

    // cmd / 100 is 4..8 exactly for cmd in 400..899; anything else
    // (negative, < 400, >= 900) lands in the default branch.
    switch (cmd / 100) {
        case 4:
            ret = wlc_ioctl_4xx(wlc, cmd, arg, len, wlc_if);
            break;
        case 5:
            ret = wlc_ioctl_5xx(wlc, cmd, arg, len, wlc_if);
            break;
        case 6:
            ret = wlc_ioctl_6xx(wlc, cmd, arg, len, wlc_if);
            break;
        case 7:
            ret = wlc_ioctl_7xx(wlc, cmd, arg, len, wlc_if);
            break;
        case 8:
            ret = wlc_ioctl_8xx(wlc, cmd, arg, len, wlc_if);
            break;
        default:
            ret = wlc_ioctl(wlc, cmd, arg, len, wlc_if);
            break;
    }

    return ret;
}

// Install the hook in place of the firmware's wlc_ioctl function pointer.
__attribute__((at(0x1F3488, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704)))
GenericPatch4(wlc_ioctl_hook, wlc_ioctl_hook + 1);
-------------------------------------------------------------------------------- /src/ioctl_4xx.c: --------------------------------------------------------------------------------
/***************************************************************************
 *                                                                         *
 *  ########### ########### ########## ##########                          *
 *  ############ ############ ############ ############                    *
 *  ##          ##       ##  ##       ##  ##                               *
 *  ##          ##       ##  ##       ##  ##                               *
 *  ########### ####  ######  ##       ##  ##  ######                      *
 *  ########### ####  #       ##       ##  ##  #   #                       *
 *  ##          ##    ######  ##       ##  ##  #   #                       *
 *  ##          ##    #       ##       ##  ##  #   #                       *
 *  ############ ##### ###### ##       ##  ##### ######                    *
 *  ########### ########### ##       ##  ##########                        *
 *                                                                         *
 *  S E C U R E   M O B I L E   N E T W O R K I N G                        *
 *                                                                         *
 *  This file is part of NexMon.                                           *
 *                                                                         *
 *  Copyright (c) 2016 NexMon Team                                         *
 *                                                                         *
 *  NexMon is free software: you can redistribute it and/or modify         *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation, either version 3 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  NexMon is distributed in the hope that it will be useful,              *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the           *
 *  GNU General Public License for more details.                           *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with NexMon. If not, see .
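 *                                                                         *
 ***************************************************************************/

#pragma NEXMON targetregion "patch"

#include // definition of firmware version macros
#include // wrapper definitions for functions that already exist in the firmware
#include // structures that are used by the code in the firmware
#include // useful helper functions
#include // macros used to create patches such as BLPatch, BPatch, ...
#include // ioctls added in the nexmon patch
#include // capabilities included in a nexmon patch
#include // sendframe functionality
#include // Functions to access object memory
#include // Radiotap header related
#include // Security cookie related
#include // version information
#include // allows to execute argprintf to print into the arg buffer

extern void *inject_frame(struct wlc_info *wlc, struct sk_buff *p);

/* One record of the NEX_INJECT_FRAME argument buffer. Records are packed
 * back to back; len counts the whole record including this 4-byte header. */
struct inject_frame {
    unsigned short len;   /* record length in bytes, header included */
    unsigned char pad;
    unsigned char type;   /* 0: no radiotap header present, a dummy one is prepended */
    char data[1];         /* frame bytes, len - 4 of them */
};

/* Size of the inject_frame header that precedes the frame bytes. */
#define INJECT_FRAME_HDR_LEN 4

/* Room that has to remain in arg before another timer line is printed
 * (sprintf is unbounded; this is the original per-line estimate). */
#define TIMER_LINE_MAX 64

/*
 * nex_write_objmem - NEX_WRITE_OBJMEM: arg holds a 32-bit object memory word
 * address followed by the data words to store there. Pairs of words are
 * written with the 64-bit accessor, a trailing single word with the 32-bit
 * one. Requires the hardware to be up and at least one complete data word.
 *
 * Returns IOCTL_SUCCESS, or IOCTL_ERROR when nothing was written.
 */
static int
nex_write_objmem(struct wlc_info *wlc, char *arg, int len)
{
    int addr = ((int *) arg)[0];
    unsigned int *words = (unsigned int *) arg;   /* words[0] is the address */
    int nwords = (len - 4) / 4;                   /* complete data words present */
    int i;

    if (!wlc->hw->up || nwords < 1)
        return IOCTL_ERROR;

    /* the previous loop bound counted 64-bit pairs while i advanced in
     * 32-bit words, so payloads of four or more words were only partly
     * written; bound on the word index instead */
    for (i = 0; i + 1 < nwords; i += 2)
        wlc_bmac_write_objmem64_objaddr(wlc->hw, addr + i, words[i + 1], words[i + 2]);

    /* odd trailing word */
    if (i < nwords)
        wlc_bmac_write_objmem32_objaddr(wlc->hw, addr + i, words[i + 1]);

    return IOCTL_SUCCESS;
}

/*
 * nex_inject_frames - NEX_INJECT_FRAME: arg holds back-to-back inject_frame
 * records. Each frame is copied into a newly allocated sk_buff (with a
 * zeroed 8-byte radiotap header prepended when type == 0) and handed to
 * inject_frame(). Processing stops at the first record that does not fit
 * into len or whose len is smaller than its own header; a record length of
 * 0 therefore ends the list.
 *
 * Returns IOCTL_SUCCESS, or IOCTL_ERROR when no sk_buff could be allocated
 * (remaining records are then not injected).
 */
static int
nex_inject_frames(struct wlc_info *wlc, char *arg, int len)
{
    int bytes_used = 0;

    /* the record header has to fit before its len field is read */
    while (bytes_used + INJECT_FRAME_HDR_LEN <= len) {
        struct inject_frame *frm = (struct inject_frame *) (arg + bytes_used);
        struct sk_buff *p;
        int data_len;

        /* len below the header size would make data_len negative and turn
         * the memcpy length into a huge unsigned value */
        if (frm->len < INJECT_FRAME_HDR_LEN || bytes_used + frm->len > len)
            break;
        data_len = frm->len - INJECT_FRAME_HDR_LEN;

        if (frm->type == 0) {
            /* no radiotap header in the record: keep 202 bytes of headroom
             * (pulled before the payload is placed) plus 8 bytes for the
             * dummy header */
            p = pkt_buf_get_skb(wlc->osh, data_len + 202 + 8);
            if (!p)
                return IOCTL_ERROR;
            skb_pull(p, 202);

            struct ieee80211_radiotap_header *radiotap =
                (struct ieee80211_radiotap_header *) p->data;
            memset(radiotap, 0, sizeof(struct ieee80211_radiotap_header));
            radiotap->it_len = 8;

            /* payload follows the 8-byte header */
            skb_pull(p, 8);
            memcpy(p->data, frm->data, data_len);
            skb_push(p, 8);
        } else {
            /* record already carries a radiotap header */
            p = pkt_buf_get_skb(wlc->osh, data_len + 202);
            if (!p)
                return IOCTL_ERROR;
            skb_pull(p, 202);
            memcpy(p->data, frm->data, data_len);
        }

        inject_frame(wlc, p);

        bytes_used += frm->len;
    }

    return IOCTL_SUCCESS;
}

/*
 * nex_print_timers - NEX_PRINT_TIMERS: walks the firmware's timer list and
 * prints one line per timer into arg. 0x180E6C is the list head address,
 * presumably specific to the firmware build this patch set targets.
 *
 * Returns IOCTL_ERROR when the list is empty, IOCTL_SUCCESS otherwise.
 */
static int
nex_print_timers(char *arg, int len)
{
    struct _ctimeout *timers = (struct _ctimeout *) 0x180E6C;
    struct _ctimeout *cur = timers->next;
    int bytes_written = 0;

    if (cur == 0) {
        printf("No timers\n");
        return IOCTL_ERROR;
    }

    /* sprintf has no bound, so stop while a full line still fits */
    while (cur != 0 && len >= bytes_written + TIMER_LINE_MAX) {
        bytes_written += sprintf(arg + bytes_written,
                "timer %p, fun %p, arg %p, %d ms\n",
                cur, cur->fun, cur->arg, cur->ms);
        cur = cur->next;
    }

    return IOCTL_SUCCESS;
}

/*
 * wlc_ioctl_4xx - nexmon ioctls 400..499, reached from wlc_ioctl_hook().
 *
 * arg/len describe the buffer supplied by the host driver: both input
 * parameters and results live in it, so every command checks len before
 * reading or writing. Hardware-touching commands additionally require
 * wlc->hw->up. argprintf() has already been pointed at arg by the caller.
 *
 * Returns IOCTL_SUCCESS when the command was handled, IOCTL_ERROR otherwise
 * (unknown cmd, buffer too small, hardware down, negative len).
 */
int
wlc_ioctl_4xx(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if)
{
    int ret = IOCTL_ERROR;

    /* a negative len would pass the unsigned comparisons against sizeof()
     * and strlen() below and let memcpy run past the buffer */
    if (len < 0)
        return ret;

    switch (cmd) {
    case NEX_GET_CAPABILITIES:
        // sends back the chips capabilities
        if (len == 4) {
            memcpy(arg, &capabilities, 4);
            ret = IOCTL_SUCCESS;
        }
        break;

    case NEX_WRITE_TO_CONSOLE:
        // writes the string from arg to the console; the last byte is
        // forced to NUL so printf cannot run past the buffer
        if (len > 0) {
            arg[len-1] = 0;
            printf("ioctl: %s\n", arg);
            ret = IOCTL_SUCCESS;
        }
        break;

    case NEX_GET_PHYREG:
        // reads the PHY register numbered arg[0] and returns its value in arg[0]
        if (wlc->hw->up && len >= 4) {
            wlc_phyreg_enter(wlc->band->pi);
            *(int *) arg = phy_reg_read(wlc->band->pi, ((int *) arg)[0]);
            wlc_phyreg_exit(wlc->band->pi);
            ret = IOCTL_SUCCESS;
        }
        break;

    case NEX_SET_PHYREG:
        // writes the value arg[1] to physical layer register arg[0]
        if (wlc->hw->up && len >= 8) {
            wlc_phyreg_enter(wlc->band->pi);
            phy_reg_write(wlc->band->pi, ((int *) arg)[1], ((int *) arg)[0]);
            wlc_phyreg_exit(wlc->band->pi);
            ret = IOCTL_SUCCESS;
        }
        break;

    case NEX_READ_OBJMEM:
        // reads len/4 object memory words starting at word address arg[0]
        // back into arg (the address word is overwritten by the first result)
        if (wlc->hw->up && len >= 4) {
            int addr = ((int *) arg)[0];
            int i;

            for (i = 0; i < len/4; i++)
                wlc_bmac_read_objmem32_objaddr(wlc->hw, addr + i, &((unsigned int *) arg)[i]);

            ret = IOCTL_SUCCESS;
        }
        break;

    case NEX_WRITE_OBJMEM:
        ret = nex_write_objmem(wlc, arg, len);
        break;

    case NEX_INJECT_FRAME:
        ret = nex_inject_frames(wlc, arg, len);
        break;

    case NEX_PRINT_TIMERS:
        ret = nex_print_timers(arg, len);
        break;

    case NEX_GET_SECURITYCOOKIE:
        // returns the current security cookie in arg[0]
        if (len == 4) {
            *(int *) arg = get_securitycookie();
            ret = IOCTL_SUCCESS;
        }
        break;

    case NEX_SET_SECURITYCOOKIE:
        // replaces the security cookie with arg[0]
        if (len == 4) {
            set_securitycookie(*(int *) arg);
            ret = IOCTL_SUCCESS;
        }
        break;

    case NEX_GET_WL_CNT:
        // refreshes the firmware counters and copies the whole wl_cnt_t
        if (len >= sizeof(wl_cnt_t)) {
            wlc_statsupd(wlc);
            memcpy(arg, wlc->pub->_cnt, sizeof(wl_cnt_t));
            ret = IOCTL_SUCCESS;
        }
        break;

    case NEX_GET_VERSION_STRING:
        // copies the version string; it is NUL-terminated only when the
        // buffer has room for the terminator (callers that pass exactly
        // strlen(version) bytes must not expect one)
        {
            int n = strlen(version);

            if (len >= n) {
                memcpy(arg, version, n);
                if (len > n)
                    arg[n] = 0;
                ret = IOCTL_SUCCESS;
            }
        }
        break;
    }

    return ret;
}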
## ## ## ## # # * 10 | * ## ## # ## ## ## ## # # * 11 | * ############ ##### ###### ## ## ## ##### ###### * 12 | * ########### ########### ## ## ## ########## * 13 | * * 14 | * S E C U R E M O B I L E N E T W O R K I N G * 15 | * * 16 | * This file is part of NexMon. * 17 | * * 18 | * Copyright (c) 2016 NexMon Team * 19 | * * 20 | * NexMon is free software: you can redistribute it and/or modify * 21 | * it under the terms of the GNU General Public License as published by * 22 | * the Free Software Foundation, either version 3 of the License, or * 23 | * (at your option) any later version. * 24 | * * 25 | * NexMon is distributed in the hope that it will be useful, * 26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * 27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * 28 | * GNU General Public License for more details. * 29 | * * 30 | * You should have received a copy of the GNU General Public License * 31 | * along with NexMon. If not, see . * 32 | * * 33 | **************************************************************************/ 34 | 35 | #pragma NEXMON targetregion "patch" 36 | 37 | #include // definition of firmware version macros 38 | #include // wrapper definitions for functions that already exist in the firmware 39 | #include // structures that are used by the code in the firmware 40 | #include // useful helper functions 41 | #include // macros used to craete patches such as BLPatch, BPatch, ... 
#include // ioctls added in the nexmon patch
#include // allows to execute argprintf to print into the arg buffer

/*
 * wlc_ioctl_5xx - handler for nexmon ioctl numbers 500..599.
 *
 * Reached from wlc_ioctl_hook(); arg/len describe the caller's buffer and
 * argprintf() has already been set up on it. No command in this range is
 * implemented, so every request is answered with IOCTL_ERROR.
 */
int
wlc_ioctl_5xx(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if)
{
    /* parameters are kept for the common handler signature */
    (void) wlc;
    (void) arg;
    (void) len;
    (void) wlc_if;

    switch (cmd) {
    default:
        /* no 5xx command defined yet */
        return IOCTL_ERROR;
    }
}
 *                                                                         *
 ***************************************************************************/

#pragma NEXMON targetregion "patch"

#include // definition of firmware version macros
#include // wrapper definitions for functions that already exist in the firmware
#include // structures that are used by the code in the firmware
#include // useful helper functions
#include // macros used to create patches such as BLPatch, BPatch, ...
#include // ioctls added in the nexmon patch
#include // allows to execute argprintf to print into the arg buffer

/*
 * wlc_ioctl_6xx - handler for nexmon ioctl numbers 600..699.
 *
 * Reached from wlc_ioctl_hook(); arg/len describe the caller's buffer and
 * argprintf() has already been set up on it. No command in this range is
 * implemented, so every request is answered with IOCTL_ERROR.
 */
int
wlc_ioctl_6xx(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if)
{
    /* parameters are kept for the common handler signature */
    (void) wlc;
    (void) arg;
    (void) len;
    (void) wlc_if;

    switch (cmd) {
    default:
        /* no 6xx command defined yet */
        return IOCTL_ERROR;
    }
}
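 *                                                                         *
 ***************************************************************************/

#pragma NEXMON targetregion "patch"

#include // definition of firmware version macros
#include // wrapper definitions for functions that already exist in the firmware
#include // structures that are used by the code in the firmware
#include // useful helper functions
#include // macros used to create patches such as BLPatch, BPatch, ...
#include // ioctls added in the nexmon patch
#include // allows to execute argprintf to print into the arg buffer
#include
#include

/* Layout of the RfseqCoreActv2059 PHY register as used by the READ/MOD/
 * WRITE_PHYREG macros below: EnTx occupies bits 0..2, DisRx bits 12..14
 * (one bit per core, masked with hw_phyrxchain). */
#define ACPHY_RfseqCoreActv2059(rev) (0x401)
#define ACPHY_RfseqCoreActv2059_EnTx_SHIFT(rev) (0)
#define ACPHY_RfseqCoreActv2059_EnTx_MASK(rev) ((0x7 << ACPHY_RfseqCoreActv2059_EnTx_SHIFT(rev)))
#define ACPHY_RfseqCoreActv2059_DisRx_SHIFT(rev) (12)
#define ACPHY_RfseqCoreActv2059_DisRx_MASK(rev) ((0x7 << ACPHY_RfseqCoreActv2059_DisRx_SHIFT(rev)))

/*
 * wlc_ioctl_7xx - experiment ioctls 700..705: TSSI sweep over tx gain indices.
 *
 * Each command tunes to a fixed chanspec (channel 7 or 106 at 20/40/80 MHz),
 * sets mpc to 0 and scansuppress to 1, forces the TX cores on and then
 * prints into arg, in MATLAB-style matrix syntax via argprintf(), the idle
 * TSSI followed by tssi - idle_tssi and the gain settings for each of the
 * 128 tx gain indices. The RfseqCoreActv2059 register and the carrier-search
 * state are restored before returning.
 *
 * wlc/cmd/arg/len/wlc_if as for wlc_ioctl_hook(); argprintf() has already
 * been pointed at arg by the caller.
 *
 * Returns IOCTL_SUCCESS for 700..705, IOCTL_ERROR for any other cmd.
 *
 * NOTE(review): set_mpc(wlc, 0) and set_scansuppress(wlc, 1) are not undone
 * after the sweep — confirm whether leaving them changed is intended.
 */
int
wlc_ioctl_7xx(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if)
{
    int ret = IOCTL_ERROR;

    switch (cmd) {
    case 700: // TSSI Measurements for different power indices
    case 701:
    case 702:
    case 703:
    case 704:
    case 705:
    {
        int i;
        struct phy_info *pi = wlc->hw->band->pi;
        ac_txgain_setting_t gains = { 0 };
        int16 idle_tssi[1] = {0};
        int16 tssi[1] = {0};
        uint16 orig_RfseqCoreActv2059;

        /* select the chanspec to measure on and echo it as a MATLAB comment */
        switch (cmd) {
        case 700:
            set_chanspec(wlc, CH20MHZ_CHSPEC(7));
            argprintf("%% 7/20\n");
            break;

        case 701:
            set_chanspec(wlc, CH40MHZ_CHSPEC(7, WL_CHANSPEC_CTL_SB_L));
            argprintf("%% 7/40L\n");
            break;

        case 702:
            set_chanspec(wlc, CH80MHZ_CHSPEC(7, WL_CHANSPEC_CTL_SB_L));
            argprintf("%% 7/80L\n");
            break;

        case 703:
            set_chanspec(wlc, CH20MHZ_CHSPEC(106));
            argprintf("%% 106/20\n");
            break;

        case 704:
            set_chanspec(wlc, CH40MHZ_CHSPEC(106, WL_CHANSPEC_CTL_SB_L));
            argprintf("%% 106/40L\n");
            break;

        case 705:
            set_chanspec(wlc, CH80MHZ_CHSPEC(106, WL_CHANSPEC_CTL_SB_L));
            argprintf("%% 106/80L\n");
            break;
        }
        argprintf("%% chanspec: 0x%04x\n", get_chanspec(wlc));
        argprintf("%% tssi-idle_tssi ipa txlpf pga pad txgm bbmult \n");

        set_mpc(wlc, 0);
        /* the original ended this line with a comma (comma operator) instead
         * of a semicolon; same effect, but clearly a typo */
        set_scansuppress(wlc, 1);

        wlc_phy_stay_in_carriersearch_acphy(pi, 1);

        wlc_phy_tssi_phy_setup_acphy(pi, 0);
        wlc_phy_tssi_radio_setup_acphy(pi, pi->sh->hw_phyrxchain, 0);

        /* force all TX cores on; the register is restored after the sweep */
        orig_RfseqCoreActv2059 = READ_PHYREG(pi, RfseqCoreActv2059);
        MOD_PHYREG(pi, RfseqCoreActv2059, EnTx, pi->sh->hw_phyrxchain);
        MOD_PHYREG(pi, RfseqCoreActv2059, DisRx, pi->sh->hw_phyrxchain);

        /* open the MATLAB matrix named after the measured chanspec */
        switch (cmd) {
        case 700:
            argprintf("tssi_7_20 = [ ...\n");
            break;
        case 701:
            argprintf("tssi_7_40L = [ ...\n");
            break;
        case 702:
            argprintf("tssi_7_80L = [ ...\n");
            break;
        case 703:
            argprintf("tssi_106_20 = [ ...\n");
            break;
        case 704:
            argprintf("tssi_106_40L = [ ...\n");
            break;
        case 705:
            argprintf("tssi_106_80L = [ ...\n");
            break;
        }

        /* first row: idle TSSI with all gain columns zero */
        wlc_phy_poll_samps_WAR_acphy(pi, idle_tssi, 1 /* is_tssi */, 1 /* for_idle */, &gains /* gains */, 0 /* for_iqcal */, 1 /* init_adc_inside */, 0 /* core */);
        argprintf(" %d %d %d %d %d %d %d; ... %% idle_tssi\n", idle_tssi[0], 0, 0, 0, 0, 0, 0);

        /* one row per tx gain index: tssi relative to idle plus the gain settings */
        for (i = 0; i < 128; i++) {
            wlc_phy_get_txgain_settings_by_index_acphy(pi, &gains, i);
            wlc_phy_poll_samps_WAR_acphy(pi, tssi, 1 /* is_tssi */, 0 /* for_idle */, &gains /* gains */, 0 /* for_iqcal */, 1 /* init_adc_inside */, 0 /* core */);
            argprintf(" %d %d %d %d %d %d %d; ... %% tssi[%d]\n", tssi[0] - idle_tssi[0], gains.ipa, gains.txlpf, gains.pga, gains.pad, gains.txgm, gains.bbmult, i);
        }

        argprintf("];\n");

        WRITE_PHYREG(pi, RfseqCoreActv2059, orig_RfseqCoreActv2059);

        wlc_phy_stay_in_carriersearch_acphy(pi, 0);

        ret = IOCTL_SUCCESS;
    }
    break;
    }

    return ret;
}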
 *                                                                         *
 ***************************************************************************/

#pragma NEXMON targetregion "patch"

#include // definition of firmware version macros
#include // wrapper definitions for functions that already exist in the firmware
#include // structures that are used by the code in the firmware
#include // useful helper functions
#include // macros used to create patches such as BLPatch, BPatch, ...
#include // ioctls added in the nexmon patch
#include // allows to execute argprintf to print into the arg buffer

/*
 * wlc_ioctl_8xx - handler for nexmon ioctl numbers 800..899.
 *
 * Reached from wlc_ioctl_hook(); arg/len describe the caller's buffer and
 * argprintf() has already been set up on it. No command in this range is
 * implemented, so every request is answered with IOCTL_ERROR.
 */
int
wlc_ioctl_8xx(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if)
{
    /* parameters are kept for the common handler signature */
    (void) wlc;
    (void) arg;
    (void) len;
    (void) wlc_if;

    switch (cmd) {
    default:
        /* no 8xx command defined yet */
        return IOCTL_ERROR;
    }
}
part of NexMon. * 17 | * * 18 | * Copyright (c) 2016 NexMon Team * 19 | * * 20 | * NexMon is free software: you can redistribute it and/or modify * 21 | * it under the terms of the GNU General Public License as published by * 22 | * the Free Software Foundation, either version 3 of the License, or * 23 | * (at your option) any later version. * 24 | * * 25 | * NexMon is distributed in the hope that it will be useful, * 26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * 27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * 28 | * GNU General Public License for more details. * 29 | * * 30 | * You should have received a copy of the GNU General Public License * 31 | * along with NexMon. If not, see . * 32 | * * 33 | **************************************************************************/ 34 | 35 | #pragma NEXMON targetregion "patch" 36 | 37 | #include // definition of firmware version macros 38 | #include // contains macros to access the debug hardware 39 | #include // wrapper definitions for functions that already exist in the firmware 40 | #include // structures that are used by the code in the firmware 41 | #include // useful helper functions 42 | #include // macros used to craete patches such as BLPatch, BPatch, ... 
#include // rates used to build the ratespec for frame injection
#include

#define RADIOTAP_MCS
#define RADIOTAP_VENDOR
#include

// plcp length in bytes
#define PLCP_LEN 6

// values of the low byte of wlc->monitor; wl_monitor_hook() selects what
// happens to a received frame based on them
#define MONITOR_DISABLED 0
#define MONITOR_IEEE80211 1   // hand the frame to the stock wl_monitor()
#define MONITOR_RADIOTAP 2    // prepend a nexmon radiotap header and send it up
#define MONITOR_LOG_ONLY 3    // only print a line to the console
#define MONITOR_DROP_FRM 4    // discard the frame
#define MONITOR_IPV4_UDP 5    // radiotap header plus Ethernet/IPv4/UDP encapsulation

extern void prepend_ethernet_ipv4_udp_header(struct sk_buff *p);

/* Converts a channel number to its center frequency for the PHY of the
 * current band (in MHz, as the "> 3000 means 5 GHz" test in
 * wl_monitor_radiotap() assumes). Returns 0 when the PHY call does not
 * fill in a frequency. */
static int
channel2freq(struct wl_info *wl, unsigned int channel)
{
    int freq = 0;
    void *ci = 0;

    wlc_phy_chan2freq_acphy(wl->wlc->band->pi, channel, &freq, &ci);

    return freq;
}

/* Builds a radiotap-encapsulated copy of the received frame p from the
 * receive status sts and hands it to the chained device's xmit. With
 * tunnel_over_udp set, room is reserved for and then filled with an
 * Ethernet/IPv4/UDP header. Frames whose encapsulated size would exceed
 * 2032 bytes are dropped with a console message. p itself is neither
 * modified nor freed here (the caller presumably keeps ownership — confirm). */
static void
wl_monitor_radiotap(struct wl_info *wl, struct wl_rxsts *sts, struct sk_buff *p, unsigned char tunnel_over_udp)
{
    struct osl_info *osh = wl->wlc->osh;
    unsigned int p_len_new;
    struct sk_buff *p_new;

    if (tunnel_over_udp) {
        p_len_new = p->len + sizeof(struct ethernet_ip_udp_header) +
            sizeof(struct nexmon_radiotap_header);
    } else {
        p_len_new = p->len + sizeof(struct nexmon_radiotap_header);
    }

    // We figured out that frames larger than 2032 will not arrive in user space
    if (p_len_new > 2032) {
        printf("ERR: frame too large\n");
        return;
    } else {
        p_new = pkt_buf_get_skb(osh, p_len_new);
    }

    if (!p_new) {
        printf("ERR: no free sk_buff\n");
        return;
    }

    // leave the tunnel header space in front; it is filled in at the end
    if (tunnel_over_udp)
        skb_pull(p_new, sizeof(struct ethernet_ip_udp_header));

    struct nexmon_radiotap_header *frame = (struct nexmon_radiotap_header *) p_new->data;

    memset(p_new->data, 0, sizeof(struct nexmon_radiotap_header));

    frame->header.it_version = 0;
    frame->header.it_pad = 0;
    // it_len also covers the PLCP bytes that follow the header in the frame
    // data; vendor_skip_length below tells radiotap parsers to skip them
    frame->header.it_len = sizeof(struct nexmon_radiotap_header) + PLCP_LEN;
    frame->header.it_present =
    (1<tsf.tsf_l = sts->mactime; // NOTE(review): the it_present bit terms are missing in this rendering (text between "1<" and "tsf.tsf_l" was lost); compare with the original source
    frame->tsf.tsf_h = 0;
    frame->flags = IEEE80211_RADIOTAP_F_FCS;
    frame->chan_freq = channel2freq(wl, CHSPEC_CHANNEL(sts->chanspec));

    if (frame->chan_freq > 3000)
        frame->chan_flags |= IEEE80211_CHAN_5GHZ;
    else
        frame->chan_flags |= IEEE80211_CHAN_2GHZ;

    if (sts->encoding == WL_RXS_ENCODING_OFDM)
        frame->chan_flags |= IEEE80211_CHAN_OFDM;
    if (sts->encoding == WL_RXS_ENCODING_DSSS_CCK)
        frame->chan_flags |= IEEE80211_CHAN_CCK;

    frame->data_rate = sts->datarate;

    frame->dbm_antsignal = sts->signal;
    frame->dbm_antnoise = sts->noise;

    if (sts->encoding == WL_RXS_ENCODING_HT) {
        frame->mcs[0] =
            IEEE80211_RADIOTAP_MCS_HAVE_BW
            | IEEE80211_RADIOTAP_MCS_HAVE_MCS
            | IEEE80211_RADIOTAP_MCS_HAVE_GI
            | IEEE80211_RADIOTAP_MCS_HAVE_FMT
            | IEEE80211_RADIOTAP_MCS_HAVE_FEC
            | IEEE80211_RADIOTAP_MCS_HAVE_STBC;
        // NOTE(review): htflags looks like a bit field (the STBC case masks
        // it), but a switch matches only one exact value, so combinations
        // such as 40 MHz together with SGI set just one flag — confirm intent
        switch(sts->htflags) {
        case WL_RXS_HTF_40:
            frame->mcs[1] |= IEEE80211_RADIOTAP_MCS_BW_40;
            break;
        case WL_RXS_HTF_20L:
            frame->mcs[1] |= IEEE80211_RADIOTAP_MCS_BW_20L;
            break;
        case WL_RXS_HTF_20U:
            frame->mcs[1] |= IEEE80211_RADIOTAP_MCS_BW_20U;
            break;
        case WL_RXS_HTF_SGI:
            frame->mcs[1] |= IEEE80211_RADIOTAP_MCS_SGI;
            break;
        case WL_RXS_HTF_STBC_MASK:
            frame->mcs[1] |= ((sts->htflags & WL_RXS_HTF_STBC_MASK) >> WL_RXS_HTF_STBC_SHIFT) << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
            break;
        case WL_RXS_HTF_LDPC:
            frame->mcs[1] |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
            break;
        }
        frame->mcs[2] = sts->mcs;
    }

    // vendor namespace "NEX" carrying the PLCP bytes copied in with the frame
    frame->vendor_oui[0] = 'N';
    frame->vendor_oui[1] = 'E';
    frame->vendor_oui[2] = 'X';
    frame->vendor_sub_namespace = 0;
    frame->vendor_skip_length = PLCP_LEN;

    memcpy(p_new->data + sizeof(struct nexmon_radiotap_header), p->data, p->len);

    if (tunnel_over_udp) {
        prepend_ethernet_ipv4_udp_header(p_new);
    }

    //wl_sendup(wl, 0, p_new);
    wl->dev->chained->funcs->xmit(wl->dev, wl->dev->chained, p_new);
}

/* Replacement for the wl_monitor call in wlc_monitor: dispatches a received
 * frame according to the low byte of wlc->monitor (MONITOR_* above). Values
 * without a case — including MONITOR_DISABLED — leave the frame unhandled. */
void
wl_monitor_hook(struct wl_info *wl, struct wl_rxsts *sts, struct sk_buff *p) {
    switch(wl->wlc->monitor & 0xFF) {
    case MONITOR_RADIOTAP:
        wl_monitor_radiotap(wl, sts, p, 0);
        break;

    case MONITOR_IEEE80211:
        wl_monitor(wl, sts, p);
        break;

    case MONITOR_LOG_ONLY:
        printf("frame received\n");
        break;

    case MONITOR_DROP_FRM:
        break;

    case MONITOR_IPV4_UDP:
        wl_monitor_radiotap(wl, sts, p, 1);
        break;
    }
}

// Hook the call to wl_monitor in wlc_monitor (one address per supported firmware build)
__attribute__((at(0x18DA30, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_40_r581243)))
__attribute__((at(0x18DB20, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704)))
BLPatch(wl_monitor_hook, wl_monitor_hook);
* 17 | * * 18 | * Copyright (c) 2016 NexMon Team * 19 | * * 20 | * NexMon is free software: you can redistribute it and/or modify * 21 | * it under the terms of the GNU General Public License as published by * 22 | * the Free Software Foundation, either version 3 of the License, or * 23 | * (at your option) any later version. * 24 | * * 25 | * NexMon is distributed in the hope that it will be useful, * 26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * 27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * 28 | * GNU General Public License for more details. * 29 | * * 30 | * You should have received a copy of the GNU General Public License * 31 | * along with NexMon. If not, see . * 32 | * * 33 | **************************************************************************/ 34 | 35 | #pragma NEXMON targetregion "patch" 36 | 37 | #include // definition of firmware version macros 38 | #include // contains macros to access the debug hardware 39 | #include // wrapper definitions for functions that already exist in the firmware 40 | #include // structures that are used by the code in the firmware 41 | #include // useful helper functions 42 | #include // macros used to craete patches such as BLPatch, BPatch, ... 
#include // rates used to build the ratespec for frame injection
#include // capabilities included in a nexmon patch

// Capability bitmask handed out by the NEX_GET_CAPABILITIES ioctl: this patch
// advertises monitor mode (plain and radiotap) and frame injection
int capabilities = NEX_CAP_MONITOR_MODE | NEX_CAP_MONITOR_MODE_RADIOTAP | NEX_CAP_FRAME_INJECTION;

// Hook the call to wlc_ucode_write in wlc_ucode_download
// (presumably so the patch's compressed ucode is written instead of the
// stock one — confirm against wlc_ucode_write_compressed)
__attribute__((at(0x1F4F08, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_40_r581243)))
__attribute__((at(0x1F4F14, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704)))
BLPatch(wlc_ucode_write_compressed, wlc_ucode_write_compressed);

// reduce the amount of ucode memory freed to become part of the heap
// (the reclaim end is moved to PATCHSTART, presumably so the heap does not
// grow into the region holding this patch — confirm against the linker script)
__attribute__((at(0x1816E0, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704)))
GenericPatch4(hndrte_reclaim_0_end, PATCHSTART);

// template ram image linked into the patch
extern unsigned char templateram_bin[];

// Moving template ram to another place in the ucode region
__attribute__((at(0x185544, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704)))
GenericPatch4(templateram_bin, templateram_bin);
You use our tools at your own risk and responsibility! * 20 | * * 21 | * License: * 22 | * Copyright (c) 2015 NexMon Team * 23 | * * 24 | * Permission is hereby granted, free of charge, to any person obtaining * 25 | * a copy of this software and associated documentation files (the * 26 | * "Software"), to deal in the Software without restriction, including * 27 | * without limitation the rights to use, copy, modify, merge, publish, * 28 | * distribute copies of the Software, and to permit persons to whom the * 29 | * Software is furnished to do so, subject to the following conditions: * 30 | * * 31 | * The above copyright notice and this permission notice shall be included * 32 | * in all copies or substantial portions of the Software. * 33 | * * 34 | * Any use of the Software which results in an academic publication or * 35 | * other publication which includes a bibliography must include a citation * 36 | * to the author's publication "M. Schulz, D. Wegemer and M. Hollick. * 37 | * NexMon: A Cookbook for Firmware Modifications on Smartphones to Enable * 38 | * Monitor Mode.". * 39 | * * 40 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * 41 | * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * 42 | * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * 43 | * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * 44 | * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * 45 | * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * 46 | * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
 *                                                                         *
 ***************************************************************************/

#pragma NEXMON targetregion "patch"

#include
#include
#include
#include
#include

// Nop the following call to keep user tx power targets
// Choose least of user and now combined regulatory/hw targets
// ppr_compare_min(tx_pwr_target, srom_max_txpwr);
// With the call removed, the regulatory/SROM maximum no longer bounds the
// user target; callers now have to keep their targets within the limits this
// check used to enforce
__attribute__((at(0x1C50B8, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704)))
GenericPatch4(nop_ppr_compare_min, 0);

// This allows 80 MHz channels in the 2 GHz band
/*
 * wf_chspec_malformed_hook - replaces the firmware's chanspec sanity check.
 * Reports every chanspec as well-formed (0), so values the stock check would
 * reject are accepted and downstream code no longer gets malformed chanspecs
 * filtered out at this point.
 */
int
wf_chspec_malformed_hook(unsigned short chanspec)
{
    return 0;
}

__attribute__((at(0x13778, "flashpatch", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704)))
BPatch(wf_chspec_malformed_hook, wf_chspec_malformed_hook);

// Replacement locale channel table, placed at a build-specific address.
// Each row is a count byte followed by that many 0xFF bytes — presumably
// "all channels allowed" masks; confirm against the firmware's locale structures.
__attribute__((at(0x1fa034, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_40_r581243)))
__attribute__((at(0x1fa040, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704)))
__attribute__((aligned(1)))
unsigned char _locale_channels[] = {
    0x00,
    0x01, 0xFF,
    0x01, 0xFF,
    0x02, 0xFF, 0xFF,
    0x04, 0xFF, 0xFF, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x01, 0xFF,
    0x04, 0xFF, 0xFF, 0xFF, 0xFF,
    0x03, 0xFF, 0xFF, 0xFF,
    0x04, 0xFF, 0xFF, 0xFF, 0xFF,
    0x04, 0xFF, 0xFF, 0xFF, 0xFF,
    0x03, 0xFF, 0xFF, 0xFF,
    0x03, 0xFF, 0xFF, 0xFF,
    0x03, 0xFF, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x01, 0xFF,
    0x02, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x01, 0xFF,
    0x02, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x01, 0xFF,
    0x01, 0xFF,
    0x02, 0xFF, 0xFF,
    0x02, 0xFF, 0xFF,
    0x01, 0xFF,
    0x01, 0xFF,
    0x01, 0xFF
};

// The two tables below overwrite firmware data in place (one address per firmware
// build). Their byte format is not visible here; from the values they look like
// (first, last) channel ranges -- 2 GHz: 1..15 plus a terminator, 5 GHz: 34..46 and
// 4..36 -- NOTE(review): confirm against the firmware's channel-range definition
// before editing, and keep each array exactly 4 bytes so the surrounding data is
// not clobbered.
__attribute__((at(0x1fa480, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_40_r581243)))
__attribute__((at(0x1fa48c, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704)))
__attribute__((aligned(1)))
unsigned char _valid_channel_2g_20m[] = { 0x01, 0x0f, 0x01, 0x00 };

__attribute__((at(0x1fb082, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_40_r581243)))
__attribute__((at(0x1fb08e, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704)))
__attribute__((aligned(1)))
unsigned char _valid_channel_5g_20m[] = { 0x22, 0x2e, 0x04, 0x24 };

// Chanspecs accepted on top of the firmware's own validity check (see the hook
// below): 40/80 MHz bonding around 2.4 GHz channels 6/7/9/13 and 20/40/80 MHz
// around 5 GHz channels 106..122. CH20MHZ_CHSPEC(7) is listed twice; harmless.
//
// REGULATORY NOTE: this list bypasses the firmware's regulatory channel
// validation, it does not make the resulting transmissions legal. Several of
// these channel/bandwidth combinations are not permitted in any regulatory
// domain; the operator is responsible for compliance.
unsigned short additional_valid_chanspecs[] = {
    CH80MHZ_CHSPEC(6, WL_CHANSPEC_CTL_SB_L),
    CH20MHZ_CHSPEC(7),
    CH40MHZ_CHSPEC(7, WL_CHANSPEC_CTL_SB_L),
    CH80MHZ_CHSPEC(7, WL_CHANSPEC_CTL_SB_L),
    CH20MHZ_CHSPEC(7),
    CH40MHZ_CHSPEC(7, WL_CHANSPEC_CTL_SB_U),
    CH80MHZ_CHSPEC(7, WL_CHANSPEC_CTL_SB_U),
    CH20MHZ_CHSPEC(9),
    CH40MHZ_CHSPEC(9, WL_CHANSPEC_CTL_SB_L),
    CH80MHZ_CHSPEC(9, WL_CHANSPEC_CTL_SB_L),
    CH20MHZ_CHSPEC(13),
    CH40MHZ_CHSPEC(13, WL_CHANSPEC_CTL_SB_L),
    CH80MHZ_CHSPEC(13, WL_CHANSPEC_CTL_SB_L),
    CH20MHZ_CHSPEC(106),
    CH40MHZ_CHSPEC(106, WL_CHANSPEC_CTL_SB_L),
    CH80MHZ_CHSPEC(106, WL_CHANSPEC_CTL_SB_L),
    CH20MHZ_CHSPEC(116),
    CH40MHZ_CHSPEC(118, WL_CHANSPEC_CTL_SB_L),
    CH80MHZ_CHSPEC(122, WL_CHANSPEC_CTL_SB_L),
};

// Hook for the firmware's wlc_valid_chanspec_ext(): first asks the original
// function, and only when it says "invalid" AND dualband == 1 additionally
// accepts any chanspec listed in additional_valid_chanspecs. Returns non-zero
// for valid, 0 otherwise (same contract as the original).
int
wlc_valid_chanspec_ext_hook(void *wlc_cm, unsigned short chanspec, int dualband)
{
    int valid = wlc_valid_chanspec_ext(wlc_cm, chanspec, dualband);
    int i;

    if (!valid && dualband == 1)
        for (i = 0; i < sizeof(additional_valid_chanspecs)/sizeof(additional_valid_chanspecs[0]); i++)
            valid |= additional_valid_chanspecs[i] == chanspec;

    return valid;
}

__attribute__((at(0x5BA28, "flashpatch", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704)))
BPatch(wlc_valid_chanspec_ext, wlc_valid_chanspec_ext_hook) 163 | -------------------------------------------------------------------------------- /src/sendframe.c: -------------------------------------------------------------------------------- 1 | /*************************************************************************** 2 | * * 3 | * ########### ########### ########## ########## * 4 | * ############ ############ ############ ############ * 5 | * ## ## ## ## ## ## ## * 6 | * ## ## ## ## ## ## ## * 7 | * ########### #### ###### ## ## ## ## ###### * 8 | * ########### #### # ## ## ## ## # # * 9 | * ## ## ###### ## ## ## ## # # * 10 | * ## ## # ## ## ## ## # # * 11 | * ############ ##### ###### ## ## ## ##### ###### * 12 | * ########### ########### ## ## ## ########## * 13 | * * 14 | * S E C U R E M O B I L E N E T W O R K I N G * 15 | * * 16 | * This file is part of NexMon. * 17 | * * 18 | * Copyright (c) 2016 NexMon Team * 19 | * * 20 | * NexMon is free software: you can redistribute it and/or modify * 21 | * it under the terms of the GNU General Public License as published by * 22 | * the Free Software Foundation, either version 3 of the License, or * 23 | * (at your option) any later version. * 24 | * * 25 | * NexMon is distributed in the hope that it will be useful, * 26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * 27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * 28 | * GNU General Public License for more details. * 29 | * * 30 | * You should have received a copy of the GNU General Public License * 31 | * along with NexMon. If not, see . 
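 *                                                                         *
 **************************************************************************/

#pragma NEXMON targetregion "patch"

// NOTE(review): the header names are missing from this listing (the <...> part
// of every #include was stripped); restore them from the repository before building.
#include // definition of firmware version macros
#include // contains macros to access the debug hardware
#include // wrapper definitions for functions that already exist in the firmware
#include // structures that are used by the code in the firmware
#include // useful helper functions
#include // macros used to create patches such as BLPatch, BPatch, ...
#include // rates used to build the ratespec for frame injection
#include // ioctls added in the nexmon patch
#include // capabilities included in a nexmon patch

/**
 * One delayed and/or repeated transmission.
 *
 * Allocated by sendframe_with_timer() and freed by whichever handler finishes the
 * job. The task owns p until the frame is either handed to the TX path (last
 * repetition) or dropped; all earlier repetitions send copies of p.
 */
struct tx_task {
    struct wlc_info *wlc;
    struct sk_buff *p;      // frame to send; copies go out for all but the last repetition
    unsigned int fifo;      // TX FIFO used for the control-frame path
    unsigned int rate;      // ratespec; sendframe() raises it to 6 Mbps on 5 GHz
    int txrepetitions;      // sends still owed; 0 = done, negative = repeat forever
    int txperiodicity;      // interval between repetitions, in hndrte_add_timer() units (presumably ms)
};

/**
 * Hand a frame to the firmware TX path right away.
 *
 * Frames that already carry a TX header (flags & 0x80, i.e. WLF_TXHDR) are queued on
 * the active queue with precedence 5 and the queue is kicked; anything else is sent
 * as a control frame on the given fifo at the given rate. The frame is consumed in
 * every case: queued, passed on, or freed when the queue rejects it or the hardware
 * is down (the latter is logged).
 *
 * @param wlc   firmware wlc context
 * @param p     frame to send; ownership passes to this function
 * @param fifo  TX FIFO for the control-frame path
 * @param rate  ratespec; on 5 GHz anything below 6 Mbps is raised to 6 Mbps, the
 *              lowest rate that exists on that band
 */
void
sendframe(struct wlc_info *wlc, struct sk_buff *p, unsigned int fifo, unsigned int rate)
{
    const int has_txhdr = (p->flags & 0x80) != 0; // WLF_TXHDR = 0x80

    if (wlc->band->bandtype == WLC_BAND_5G && rate < RATES_RATE_6M)
        rate = RATES_RATE_6M;

    if (!wlc->hw->up) {
        pkt_buf_free_skb(wlc->osh, p, 0);
        printf("ERR: wlc down\n");
        return;
    }

    if (!has_txhdr) {
        wlc_sendctl(wlc, p, wlc->active_queue, wlc->band->hwrs_scb, fifo, rate, 0);
        return;
    }

    // "active_queue + 4" and precedence 5 are taken over from the original code;
    // presumably the queue's precedence-queue member and the chosen prec -- TODO confirm.
    if (wlc_prec_enq(wlc, wlc->active_queue + 4, p, 5))
        wlc_send_q(wlc, wlc->active_queue);
    else
        pkt_buf_free_skb(wlc->osh, p, 0);
}

/**
 * Send one copy of task->p and account for the repetition.
 *
 * The copy is allocated with 202 bytes of headroom which are immediately pulled off
 * again, so the payload starts where the firmware's TX path expects it (presumably
 * the space for the TX header it prepends -- TODO confirm). Flags and scb are
 * carried over so the copy takes the same path in sendframe() as the original.
 *
 * If no packet buffer is available the repetition is skipped -- the count is not
 * consumed, so it is retried on the next period -- instead of dereferencing NULL
 * as the original did.
 */
static void
sendframe_copy(struct tx_task *task)
{
    struct sk_buff *p_copy = pkt_buf_get_skb(task->wlc->osh, task->p->len + 202);

    if (p_copy == NULL) {
        printf("ERR: no skb for frame copy\n");
        return;
    }

    skb_pull(p_copy, 202);
    memcpy(p_copy->data, task->p->data, task->p->len);
    p_copy->flags = task->p->flags;
    p_copy->scb = task->p->scb;

    sendframe(task->wlc, p_copy, task->fifo, task->rate);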
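
    if (task->txrepetitions > 0) {
        // A negative count means "repeat forever" and is never decremented.
        task->txrepetitions--;
    }
}

/**
 * Periodic timer callback driving a repeated transmission.
 *
 *  - txrepetitions > 1 or negative: send a copy, keep the timer running.
 *  - txrepetitions == 1: send the original frame itself (the TX path consumes it)
 *    and tear timer and task down.
 *  - txrepetitions == 0: cannot normally happen (sendframe_repeatedly() never arms
 *    a timer for it); the frame is dropped and everything is freed.
 */
static void
sendframe_timer_handler(struct hndrte_timer *t)
{
    struct tx_task *task = (struct tx_task *) t->data;

    switch (task->txrepetitions) {
    case 0:
        pkt_buf_free_skb(task->wlc->osh, task->p, 0);
        break;
    case 1:
        sendframe(task->wlc, task->p, task->fifo, task->rate);
        break;
    default:
        sendframe_copy(task);
        return;
    }

    hndrte_del_timer(t);
    hndrte_free_timer(t);
    free(task);
}

/**
 * Start a repeated transmission: send the first copy now, then arm a periodic
 * timer for the remaining ones. Takes ownership of task (and of task->p).
 *
 * Every exit path now releases both the task and the frame it owns. The original
 * returned after the first copy when exactly one repetition was requested
 * (txrepetitions == 1), leaking task and task->p, and on timer failure freed the
 * task but not the frame.
 */
static void
sendframe_repeatedly(struct tx_task *task)
{
    struct hndrte_timer *t;

    sendframe_copy(task);

    if (task->txrepetitions == 0) {
        // That was the only repetition requested; nothing left to schedule.
        pkt_buf_free_skb(task->wlc->osh, task->p, 0);
        free(task);
        return;
    }

    t = hndrte_init_timer(sendframe_repeatedly, task, sendframe_timer_handler, 0);
    if (t == NULL) {
        pkt_buf_free_skb(task->wlc->osh, task->p, 0);
        free(task);
        printf("ERR: could not init timer\n");
        return;
    }

    // last argument 1 = periodic timer (as in the original)
    if (!hndrte_add_timer(t, task->txperiodicity, 1)) {
        hndrte_free_timer(t);
        pkt_buf_free_skb(task->wlc->osh, task->p, 0);
        free(task);
        printf("ERR: could not add timer");
    }
}

/**
 * Deferred-work callback: runs once txdelay has elapsed and either starts the
 * repetition timer or sends the frame a single time. The work item t itself is
 * not freed here (the original did not either; presumably hndrte owns it).
 */
static void
sendframe_task_handler(struct hndrte_timer *t)
{
    struct tx_task *task = (struct tx_task *) t->data;

    if (task->txrepetitions != 0 && task->txperiodicity > 0) {
        sendframe_repeatedly(task);   // takes ownership of task
        return;
    }

    sendframe(task->wlc, task->p, task->fifo, task->rate);
    free(task);
}

/**
 * Send p now, after a delay, and/or repeatedly.
 *
 * @param wlc            firmware wlc context
 * @param p              frame to send; ownership passes to this function
 * @param fifo           TX FIFO for the control-frame path (see sendframe())
 * @param rate           ratespec (see sendframe())
 * @param txdelay        delay before the first transmission; <= 0 sends immediately
 * @param txrepetitions  number of transmissions; 0 = once without a timer,
 *                       negative = repeat forever
 * @param txperiodicity  interval between repetitions; repetition only happens if > 0
 *
 * A task is only allocated when a delay or a repetition is requested. If that
 * allocation fails the frame is dropped and an error is logged, instead of the
 * original's unconditional memset() of a NULL pointer.
 */
void
sendframe_with_timer(struct wlc_info *wlc, struct sk_buff *p, unsigned int fifo, unsigned int rate, int txdelay, int txrepetitions, int txperiodicity)
{
    struct tx_task *task = 0;
    const int repeated = (txrepetitions != 0 && txperiodicity > 0);

    if (txdelay > 0 || repeated) {
        task = (struct tx_task *) malloc(sizeof(struct tx_task), 0);
        if (task == NULL) {
            pkt_buf_free_skb(wlc->osh, p, 0);
            printf("ERR: no memory for tx task\n");
            return;
        }
        memset(task, 0, sizeof(struct tx_task)); // freed by whichever handler finishes
        task->wlc = wlc;
        task->p = p;
        task->fifo = fifo;
        task->rate = rate;
        task->txrepetitions = txrepetitions;
        task->txperiodicity = txperiodicity;
    }

    if (txdelay > 0) {
        hndrte_schedule_work(sendframe_with_timer, task, sendframe_task_handler, txdelay);
    } else if (repeated) {
        sendframe_repeatedly(task);
    } else {
        sendframe(wlc, p, fifo, rate);
    }
}

--------------------------------------------------------------------------------
/src/signalgeneration.c:
--------------------------------------------------------------------------------
/***************************************************************************
 *                                                                         *
 *          ###########   ###########   ##########    ##########           *
 *         ############  ############   ############  ############         *
 *         ##            ##            ##   ##   ##  ##        ##          *
 *         ##            ##            ##   ##   ##  ##        ##          *
 *         ###########   ####  ######  ##   ##   ##  ##    ######          *
 *          ###########  ####  #       ##   ##   ##  ##    #    #          *
 *                   ##  ##            ##   ##   ##  ##    #    #          *
 *                   ##  ##            ##   ##   ##  ##    #    #          *
 *         ############  #####  ######  ##   ##   ##  ##### ######         *
 *         ###########    ###########   ##   ##   ##   ##########          *
 *                                                                         *
 *            S E C U R E   M O B I L E   N E T W O R K I N G              *
 *                                                                         *
 * This file is part of NexMon.                                            *
 *                                                                         *
 * Copyright (c) 2016 NexMon Team                                          *
 *                                                                         *
 * NexMon is free software: you can redistribute it and/or modify          *
 * it under the terms of the GNU General Public License as published by    *
 * the Free Software Foundation, either version 3 of the License, or       *
 * (at your option) any later version.                                     *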
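 *                                                                         *
 * NexMon is distributed in the hope that it will be useful,               *
 * but WITHOUT ANY WARRANTY; without even the implied warranty of          *
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the            *
 * GNU General Public License for more details.                            *
 *                                                                         *
 * You should have received a copy of the GNU General Public License       *
 * along with NexMon. If not, see <http://www.gnu.org/licenses/>.          *
 *                                                                         *
 **************************************************************************/

#pragma NEXMON targetregion "patch"

// NOTE(review): the header names are missing from this listing (the <...> part
// of every #include was stripped); restore them from the repository before building.
#include // definition of firmware version macros
#include // wrapper definitions for functions that already exist in the firmware
#include // structures that are used by the code in the firmware
#include // useful helper functions
#include // macros used to create patches such as BLPatch, BPatch, ...
#include
#include

/**
 * Sample rate in MS/s for the current channel: 160 for 80 MHz, 80 for 40 MHz,
 * 40 otherwise -- twice the channel bandwidth, i.e. phy_bw samples per microsecond
 * (that is how the original comments describe it).
 */
static uint8
sample_rate_msps(struct phy_info *pi)
{
    if (CHSPEC_IS80(pi->radio_chanspec))
        return 160;
    if (CHSPEC_IS40(pi->radio_chanspec))
        return 80;
    return 40;
}

/**
 * Fill tone_buf with num_samps complex samples of a single tone.
 *
 * @param pi        PHY state; only radio_chanspec is read, to pick the sample rate
 * @param f_kHz     tone frequency in kHz relative to the channel centre (may be negative)
 * @param max_val   amplitude the unit phasor from wlc_phy_cordic() is scaled to
 * @param num_samps number of samples to write; tone_buf must hold at least that many
 * @param tone_buf  output, entries 0 .. num_samps-1 are overwritten
 * @param theta     start phase, in the units FIXED() takes (0 = real axis)
 *
 * The per-sample rotation is kept as the original integer expression
 * FIXED(f*36/fs)/100 = FIXED(360*f/(fs*1000)), i.e. the phase advance per sample
 * (presumably in degrees, given the 360; the original comment calls it 2*pi*f/bw/1000).
 * Do not reorder the divisions -- the rounding is part of the existing behaviour.
 */
void
my_gen_samples(struct phy_info *pi, int f_kHz, unsigned short max_val, unsigned short num_samps, cint32* tone_buf, int32 theta)
{
    uint8 phy_bw = sample_rate_msps(pi);
    uint16 t;
    int32 rot = FIXED((f_kHz * 36)/phy_bw) / 100;

    theta = FIXED(theta);

    for (t = 0; t < num_samps; t++) {
        wlc_phy_cordic(theta, &tone_buf[t]);     /* unit phasor at angle theta */
        theta += rot;
        tone_buf[t].q = (int32)FLOAT(tone_buf[t].q * max_val);
        tone_buf[t].i = (int32)FLOAT(tone_buf[t].i * max_val);
    }
}

/* Square of a sample component in unsigned 32-bit arithmetic: equal to the true
 * square modulo 2^32, so it matches the original for in-range values but cannot
 * trigger signed-overflow UB for large ones (the sum still wraps, as before). */
static uint32
sq_u32(int32 v)
{
    uint32 u = (uint32)v;
    return u * u;
}

/** Mean of i^2 + q^2 over num_samps samples; 0 for num_samps == 0 (no divide by zero). */
uint32
pwr(cint32 *tone_buf, uint16 num_samps)
{
    uint16 t;
    uint32 acc = 0;

    if (num_samps == 0)
        return 0;
    for (t = 0; t < num_samps; t++)
        acc += sq_u32(tone_buf[t].i) + sq_u32(tone_buf[t].q);
    return acc / num_samps;
}

/** Mean of i^2 over num_samps samples; 0 for num_samps == 0. */
uint32
ipwr(cint32 *tone_buf, uint16 num_samps)
{
    uint16 t;
    uint32 acc = 0;

    if (num_samps == 0)
        return 0;
    for (t = 0; t < num_samps; t++)
        acc += sq_u32(tone_buf[t].i);
    return acc / num_samps;
}

/** Mean of q^2 over num_samps samples; 0 for num_samps == 0. */
uint32
qpwr(cint32 *tone_buf, uint16 num_samps)
{
    uint16 t;
    uint32 acc = 0;

    if (num_samps == 0)
        return 0;
    for (t = 0; t < num_samps; t++)
        acc += sq_u32(tone_buf[t].q);
    return acc / num_samps;
}

/*
 * Frequency of FFT bin `bin` (may be negative) in kHz: fs_kHz * bin / num_samps,
 * truncated toward zero exactly like the single C division would be, but without
 * the 32-bit overflow that fs_kHz * bin can reach for large num_samps. The split
 * fs = q*N + r keeps |r * bin| < N * N/2, which fits in 32 bits for any uint16 N.
 */
static int
bin_freq_kHz(int fs_kHz, int bin, uint16 num_samps)
{
    int q = fs_kHz / num_samps;
    int r = fs_kHz % num_samps;
    return q * bin + (r * bin) / num_samps;
}

/**
 * Build a time-domain buffer from a sparse frequency-domain description.
 *
 * For every bin c with amplitude > 0 a tone at bin frequency c*fs/num_samps (bins
 * >= num_samps/2 count as negative frequencies) with the bin's phase is generated
 * and summed into tone_buf; bins with amplitude 0 cost nothing. tone_buf is zeroed
 * first and must hold num_samps entries. Peak |i|/|q| and the mean powers are
 * logged afterwards.
 *
 * Changes vs. the original: the bin frequency is computed as (fs*bin)/num_samps
 * instead of (fs/num_samps)*bin, so the truncation of fs/num_samps (e.g. 40000/512 =
 * 78.125 kHz -> 78) is no longer multiplied by the bin index -- high bins used to
 * land several kHz off and no longer completed whole cycles in the looped buffer;
 * the scratch buffer is freed (it leaked 8*num_samps bytes per call); a failed
 * allocation and num_samps == 0 are handled instead of crashing.
 */
void
ifft(struct phy_info *pi, cint16ap *freq_dom_samps, uint16 num_samps, cint32 *tone_buf)
{
    uint16 t, c;
    int fs_kHz;
    int32 maxi = 0, maxq = 0;
    cint32 *scratch;

    memset(tone_buf, 0, sizeof(cint32) * num_samps);
    if (num_samps == 0)
        return;

    scratch = (cint32 *) malloc(sizeof(cint32) * num_samps, 0);
    if (scratch == NULL) {
        printf("ERR: ifft out of memory\n");
        return;
    }

    fs_kHz = sample_rate_msps(pi) * 1000;

    for (c = 0; c < num_samps; c++) {
        int bin;

        if (!(freq_dom_samps[c].amplitude > 0))
            continue;

        bin = (c >= num_samps / 2) ? (int)c - (int)num_samps : (int)c;
        my_gen_samples(pi, bin_freq_kHz(fs_kHz, bin, num_samps), freq_dom_samps[c].amplitude,
                       num_samps, scratch, freq_dom_samps[c].phase);
        for (t = 0; t < num_samps; t++) {
            tone_buf[t].q += scratch[t].q;
            tone_buf[t].i += scratch[t].i;
        }
    }

    free(scratch);

    for (t = 0; t < num_samps; t++) {
        if (ABS(tone_buf[t].q) > maxq) maxq = ABS(tone_buf[t].q);
        if (ABS(tone_buf[t].i) > maxi) maxi = ABS(tone_buf[t].i);
    }
    // the original printed the loop variable here, which equals num_samps at this point
    printf("c %d maxi %d maxq %d\n", num_samps, maxi, maxq);
    printf("pwr: %d ipwr: %d qpwr: %d\n", pwr(tone_buf, num_samps), ipwr(tone_buf, num_samps), qpwr(tone_buf, num_samps));
}

/**
 * Load a single tone into the PHY sample table and optionally start playing it.
 *
 * @param f_kHz          tone offset from the channel centre, kHz
 * @param max_val        sample amplitude
 * @param iqmode, mac_based  passed straight to wlc_phy_runsamples_acphy()
 * @param modify_bbmult  accepted for interface compatibility; not used here
 * @param runsamples     non-zero: start playback after loading
 * @param loops          repetition count for playback
 * @param num_samps      samples to generate; passed to my_gen_samples() as a 16-bit
 *                       value, so values above 65535 are truncated
 *
 * A failed allocation is logged and the table is left untouched, rather than
 * generating into a NULL buffer as the original did.
 */
void
my_phy_tx_tone_acphy_ext(struct phy_info *pi, int32 f_kHz, uint16 max_val, uint8 iqmode, uint8 mac_based, uint8 modify_bbmult, uint8 runsamples, uint16 loops, unsigned int num_samps)
{
    uint16 wait = 0;
    cint32 *tone_buf = (cint32 *) malloc(sizeof(cint32) * num_samps, 0);

    if (tone_buf == NULL) {
        printf("ERR: tone buffer alloc failed\n");
        return;
    }

    my_gen_samples(pi, f_kHz, max_val, num_samps, tone_buf, 0);
    wlc_phy_loadsampletable_acphy(pi, tone_buf, num_samps);

    if (runsamples)
        wlc_phy_runsamples_acphy(pi, num_samps, loops, wait, iqmode, mac_based);

    // freed after playback is started, as in the original (the sample table has its
    // own copy by then -- presumably, since the ifft variant below frees earlier)
    free(tone_buf);
}

/**
 * Load the time-domain signal described by freq_dom_samps (see ifft()) into the
 * PHY sample table and optionally start playing it. Parameters as for
 * my_phy_tx_tone_acphy_ext(); modify_bbmult is unused.
 *
 * @return 0 on success, -1 if the sample buffer could not be allocated (the
 *         original always returned 0 and would have generated into NULL)
 */
int
my_phy_tx_ifft_acphy_ext(struct phy_info *pi, cint16ap *freq_dom_samps, uint8 iqmode, uint8 mac_based, uint8 modify_bbmult, uint8 runsamples, uint16 loops, unsigned int num_samps)
{
    uint16 wait = 0;
    cint32 *tone_buf = (cint32 *) malloc(sizeof(cint32) * num_samps, 0);

    if (tone_buf == NULL) {
        printf("ERR: ifft buffer alloc failed\n");
        return -1;
    }

    ifft(pi, freq_dom_samps, num_samps, tone_buf);
    wlc_phy_loadsampletable_acphy(pi, tone_buf, num_samps);
    free(tone_buf);   // before playback, as in the original

    if (runsamples)
        wlc_phy_runsamples_acphy(pi, num_samps, loops, wait, iqmode, mac_based);

    return 0;
}

/**
 * Convenience wrapper around my_phy_tx_tone_acphy_ext(): 512 samples, started
 * immediately, looped 0xffff times.
 */
int
my_phy_tx_tone_acphy(struct phy_info *pi, int32 f_kHz, uint16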
max_val, uint8 iqmode, uint8 mac_based, uint8 modify_bbmult) 189 | { 190 | uint8 runsamples = 1; 191 | uint16 loops = 0xffff; 192 | unsigned int num_samps = 512; 193 | 194 | my_phy_tx_tone_acphy_ext(pi, f_kHz, max_val, iqmode, mac_based, modify_bbmult, runsamples, loops, num_samps); 195 | 196 | return 0; 197 | } 198 | 199 | void 200 | clear_sample_play_buffer(struct phy_info *pi) 201 | { 202 | unsigned int num_samps = 512; 203 | 204 | cint32* tone_buf = (cint32 *) malloc(sizeof(cint32) * num_samps, 0); 205 | 206 | if (tone_buf == NULL) return; 207 | 208 | memset(tone_buf, 0, sizeof(cint32) * num_samps); 209 | 210 | wlc_phy_loadsampletable_acphy(pi, tone_buf, num_samps); 211 | 212 | free(tone_buf); 213 | } -------------------------------------------------------------------------------- /src/ucode-controlpower-3states-full-frm.patch: -------------------------------------------------------------------------------- 1 | --- ../gen/ucode.asm 2017-05-30 00:12:22.184098274 +0200 2 | +++ ucode-controlpower-3states-full-frm.asm 2017-05-30 00:15:58.728196342 +0200 3 | 
@@ -3,0 +4,38 @@ 4 | +#include "../include/macros.inc" 5 | +#include "../include/wlc_phyreg_ac.inc" 6 | +#define SPARE1 r54 7 | +#define SPARE2 r55 8 | +#define SPARE3 r56 9 | +#define PHY400 r57 10 | +#define SPARE4 r58 11 | +#define SPINNING r60 12 | +#define TONE_REPETITION 36 13 | +#define QOSDATA [SHM(0x1340)] 14 | +#define BEACON [SHM(0x1342)] 15 | +#define OTHER [SHM(0x1344)] 16 | +#define PACK3838 [SHM(0x1346)] 17 | +#define PACK3939 [SHM(0x1348)] 18 | +#define PACKLATE [SHM(0x134A)] 19 | +#define SENDACK3838 [SHM(0x134C)] 20 | +#define SENDACK3939 [SHM(0x134E)] 21 | +#define DELTACLOCK1 [SHM(0x1350)] 22 | +#define DELTACLOCK2 [SHM(0x1352)] 23 | +#define DELTACLOCK3 [SHM(0x1354)] 24 | +#define CLOCKREAD [SHM(0x1356)] 25 | +#define PGA_NEXT [SHM(0x1358)] 26 | +#define IPA_NEXT [SHM(0x135A)] 27 | +#define TXGM_NEXT [SHM(0x135C)] 28 | +#define BBMULT_NEXT [SHM(0x135E)] 29 | +#define TARGETTOTAL [SHM(0x1360)] 30 | +#define ACKTRANSMITTED [SHM(0x1362)] 31 | +#define TARGETRECEIVED [SHM(0x1364)] 32 | +#define TARGETNAV [SHM(0x1366)] 33 | +#define STATE_JAMMER [SHM(0x1370)] 34 | +#define STATE_LEARNING 0 35 | +#define STATE_JAMACK 1 36 | +#define STATE_CHECK 2 37 | +#define ACKMAC1 [SHM(0x1380)] 38 | +#define ACKMAC2 [SHM(0x1382)] 39 | +#define ACKMAC3 [SHM(0x1384)] 40 | +#define WAITACK [SHM(0x1386)] 41 | +#define CLOCKACKTO [SHM(0x1388)] 42 | @@ -31,0 +70,10 @@ 43 | + je SPINNING, 0, keep_spinning 44 | + mov 0x403, r33 45 | + calls L52 46 | + jnzxh SPR_Ext_IHR_Data & 0x1, keep_spinning 47 | + mov 0x400, r33 48 | + mov PHY400, r34 49 | + calls L54 50 | + mov 0, SPINNING 51 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK2 52 | +keep_spinning: 53 | @@ -2589,0 +2638 @@ 54 | + jne STATE_JAMMER, STATE_JAMACK, never_tx_ack 55 | @@ -2590,0 +2640 @@ 56 | +never_tx_ack: 57 | @@ -2591,0 +2642,5 @@ 58 | + je SENDACK3838, 0, skipacktrace+ 59 | +skipacktrace: 60 | + je SENDACK3939, 0, skipacktrace+ 61 | + calls prepare_hell 62 | +skipacktrace: 63 | 
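Review bot: The scratch registers `r54`–`r60` and the shared-memory window 0x1340–0x1388 are claimed by bare `#define`s with nothing stating that the stock microcode and the host driver leave them untouched; a clash would silently corrupt the jammer state, so a comment above `#define SPARE1 r54` should say how that was verified, e.g. `; r54-r60 and SHM 0x1340-0x1388: unused by the base ucode, read by the host tooling`. The SHM layout also differs from the other jammer patches (PACK3838 is at 0x1346 here, 0x1350 in the 20in80/40in80/80in80 variants), so the host-side reader needs per-patch offsets and the comment should name which layout it expects. `TONE_REPETITION 36` versus 40/20/10 in the bandwidth-specific patches is written to sampleLoopCount in prepare_hell and deserves a one-line note on how the value was chosen.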
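Review bot: `je SENDACK3838, 0, skipacktrace+` jumps to the `skipacktrace:` label on the very next line, so it is a no-op and `calls prepare_hell` is gated by SENDACK3939 alone; the `-3382` hunk repeats the pattern with `skip_sched_ack`. If disabling the 3838 trigger is intended, say so where the test is made, `; 3838 trigger disabled: only port 3939 starts the jammer`; otherwise drop the first `skipacktrace:` line so the first `je` skips the call too. The code around these five lines is outside the hunk, so whether prepare_hell is safe to call at this point of the receive path cannot be judged here.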
@@ -2708,0 +2764,5 @@ 64 | + mov SPR_TSF_WORD0, CLOCKREAD 65 | + mov 0, SPINNING 66 | + mov 0, SENDACK3838 67 | + mov 0, SENDACK3939 68 | + mov 0, TARGETRECEIVED 69 | 
@@ -2853,0 +2914,150 @@ 70 | +#define SPIN_LENGTH (6 + 26 + 8 + 20 + 8) 71 | +#define MIN_LENGTH 10 72 | +spin_rx_header: 73 | + jext COND_RX_COMPLETE, spin_rx_end 74 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, spin_rx_header 75 | +spin_rx_end: 76 | + jl SPR_RXE_FRAMELEN, MIN_LENGTH, skip+ 77 | + mov 0x454e, SPARE1 78 | + jne [5,off1], SPARE1, L652 79 | + mov 0x4d58, SPARE1 80 | + jne [6,off1], SPARE1, L652 81 | + mov 0x4e4f, SPARE1 82 | + jne [7,off1], SPARE1, L652 83 | + mov 0x414a, SPARE1 84 | + jne [8,off1], SPARE1, L652 85 | + mov 0x4d4d, SPARE1 86 | + jne [9,off1], SPARE1, L652 87 | + mov 0x5245, SPARE1 88 | + jne [10,off1], SPARE1, L652 89 | +#define TYPE_QOS_DATA 0x88 90 | +#define TYPE_BEACON 0x80 91 | +#define TYPE_ACK 0xd4 92 | + and [3,off1], 0xff, SPARE1 93 | + jne SPARE1, TYPE_ACK, not_ack 94 | +#define MIN_ACK_LENGTH (6 + 14) 95 | + jl SPR_RXE_FRAMELEN, MIN_ACK_LENGTH, skip+ 96 | + je WAITACK, 0, skip+ 97 | + mov ACKMAC1, SPARE1 98 | + jne [5,off1], SPARE1, skip+ 99 | + mov ACKMAC2, SPARE1 100 | + jne [6,off1], SPARE1, skip+ 101 | + mov ACKMAC3, SPARE1 102 | + jne [7,off1], SPARE1, skip+ 103 | + add CLOCKACKTO, 40, CLOCKACKTO 104 | + jg SPR_TSF_WORD0, CLOCKACKTO, skip+ 105 | + je STATE_JAMMER, STATE_JAMACK, skip_count+ 106 | + add ACKTRANSMITTED, 1, ACKTRANSMITTED 107 | +skip_count: 108 | + jmp skip+ 109 | +not_ack: 110 | + jne SPARE1, TYPE_QOS_DATA, not_qos_data 111 | + add QOSDATA, 1, QOSDATA 112 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, skip+ 113 | + and [20,off1], 0xff, SPARE1 114 | + jne SPARE1, 0x45, skip+ 115 | + sr [24,off1], 8, SPARE1 116 | + je SPARE1, 0x11, protocol_found+ 117 | + je SPARE1, 0x06, protocol_found+ 118 | + jmp skip+ 119 | +protocol_found: 120 | + mov 0xFE0E, SPARE1 121 | + je [30,off1], SPARE1, port_found+ 122 | + je [31,off1], SPARE1, port_found+ 123 | + jmp nextport+ 124 | +port_found: 125 | + add PACK3838, 1, PACK3838 126 | + jext COND_RX_COMPLETE, too_late 127 | + mov 1, SENDACK3838 128 | + jmp skip+ 129 | +nextport: 130 | + mov 
0x630F, SPARE1 131 | + je [30,off1], SPARE1, port_found+ 132 | + je [31,off1], SPARE1, port_found+ 133 | + jmp skip+ 134 | +port_found: 135 | + add PACK3939, 1, PACK3939 136 | + jext COND_RX_COMPLETE, too_late 137 | + mov 1, SENDACK3939 138 | + mov 1, TARGETRECEIVED 139 | + jne STATE_JAMMER, STATE_LEARNING, next_state+ 140 | +#define WINDOW_LEARN 16 141 | + jl TARGETTOTAL, WINDOW_LEARN, window_not_reached+ 142 | +#define THRESH_LEARN_SWITCHTOJAMACK 0 143 | + jg ACKTRANSMITTED, THRESH_LEARN_SWITCHTOJAMACK, keep_state+ 144 | + mov STATE_JAMACK, STATE_JAMMER 145 | + mov 0, TARGETTOTAL 146 | + mov 0, ACKTRANSMITTED 147 | + jmp state_end 148 | +keep_state: 149 | +#define THRESHOLD_LEARN_CHANGEPOWER 3 150 | + jl ACKTRANSMITTED, THRESHOLD_LEARN_CHANGEPOWER, dont_increase_power 151 | +#define POWER_ADD_INCREASE 10 152 | + add PGA_NEXT, POWER_ADD_INCREASE, PGA_NEXT 153 | +dont_increase_power: 154 | + mov 0, TARGETTOTAL 155 | + mov 0, ACKTRANSMITTED 156 | +window_not_reached: 157 | + mov [4,off1], TARGETNAV 158 | + mov [8,off1], ACKMAC1 159 | + mov [9,off1], ACKMAC2 160 | + mov [10,off1], ACKMAC3 161 | + jmp state_end 162 | +next_state: 163 | + jne STATE_JAMMER, STATE_JAMACK, next_state+ 164 | +#define WINDOW_JAMACK 128 165 | + jl TARGETTOTAL, WINDOW_JAMACK, window_not_reached+ 166 | + mov STATE_CHECK, STATE_JAMMER 167 | + mov 0, TARGETTOTAL 168 | + mov 0, ACKTRANSMITTED 169 | +window_not_reached: 170 | + jmp state_end 171 | +next_state: 172 | + jne STATE_JAMMER, STATE_CHECK, next_state+ 173 | +#define WINDOW_CHECK 4 174 | + jl TARGETTOTAL, WINDOW_CHECK, window_not_reached+ 175 | + jg ACKTRANSMITTED, 1, go_back_learning 176 | + je ACKTRANSMITTED, 1, increase_power 177 | +#define POWER_SMALL 1 178 | + sub PGA_NEXT, POWER_SMALL, PGA_NEXT 179 | + jmp finalise 180 | +increase_power: 181 | + add PGA_NEXT, POWER_SMALL, PGA_NEXT 182 | +finalise: 183 | + mov STATE_JAMACK, STATE_JAMMER 184 | + mov 0, TARGETTOTAL 185 | + mov 0, ACKTRANSMITTED 186 | + jmp state_end 187 | 
+go_back_learning: 188 | + mov STATE_LEARNING, STATE_JAMMER 189 | + mov 0, TARGETTOTAL 190 | + mov 0, ACKTRANSMITTED 191 | +window_not_reached: 192 | + mov [4,off1], TARGETNAV 193 | + mov [8,off1], ACKMAC1 194 | + mov [9,off1], ACKMAC2 195 | + mov [10,off1], ACKMAC3 196 | +next_state: 197 | +state_end: 198 | + add TARGETTOTAL, 1, TARGETTOTAL 199 | +#define PGA_MAXIMUM 255 200 | + jles PGA_NEXT, PGA_MAXIMUM, check_lower 201 | + mov PGA_MAXIMUM, PGA_NEXT 202 | +check_lower: 203 | +#define PGA_MINIMUM 5 204 | + jgs PGA_NEXT, PGA_MINIMUM, power_done 205 | + mov PGA_MINIMUM, PGA_NEXT 206 | +power_done: 207 | + jmp skip+ 208 | +too_late: 209 | + add PACKLATE, 1, PACKLATE 210 | + jmp skip+ 211 | +not_qos_data: 212 | + jne SPARE1, TYPE_BEACON, not_beacon 213 | + add BEACON, 1, BEACON 214 | + jmp found+ 215 | +not_beacon: 216 | + add OTHER, 1, OTHER 217 | +found: 218 | +skip: 219 | + mov 0, WAITACK 220 | @@ -3239,0 +3450,3 @@ 221 | + je SENDACK3939, 0, skipclock+ 222 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK3 223 | +skipclock: 224 | @@ -3291,0 +3505,6 @@ 225 | + je STATE_JAMMER, STATE_JAMACK, skip_ackto 226 | + je TARGETRECEIVED, 0, skip_ackto 227 | + add SPR_TSF_WORD0, TARGETNAV, CLOCKACKTO 228 | + mov 1, WAITACK 229 | +skip_ackto: 230 | + jne SENDACK3939, 0, L588 231 | @@ -3382,0 +3602,5 @@ 232 | + je SENDACK3838, 0, skip_sched_ack+ 233 | +skip_sched_ack: 234 | + je SENDACK3939, 0, skip_sched_ack+ 235 | + mov 0x4001, r17 236 | +skip_sched_ack: 237 | @@ -3758,0 +3983,6 @@ 238 | + je SENDACK3838, 0, skipack+ 239 | + jmp L442 240 | +skipack: 241 | + je SENDACK3939, 0, skipack+ 242 | + jmp L442 243 | +skipack: 244 | 
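Review bot: `add CLOCKACKTO, 40, CLOCKACKTO` rewrites the deadline on every matching ACK, so each ACK from the learned MAC pushes the window 40 further out (40 µs if SPR_TSF_WORD0 counts microseconds) instead of applying a fixed grace to the deadline set in the `-3291` hunk; compute the slack into a scratch register instead: `add CLOCKACKTO, 40, SPARE2` / `jg SPR_TSF_WORD0, SPARE2, skip+`. The parsing offsets (`[20,off1]` = IP version/IHL, high byte of `[24,off1]` = protocol, `[30,off1]`/`[31,off1]` = source/destination port) only hold for a 6-byte receive header, a 26-byte QoS header and LLC/SNAP directly after it, i.e. an unencrypted frame without HT-control or A-MSDU; the `0x45` check pins IHL to 5 so the port offsets are fixed, but protected frames (8-byte CCMP header) silently never match. Record that next to `SPIN_LENGTH`: `; 6 rx-hdr + 26 QoS hdr + 8 LLC/SNAP + 20 IPv4 + 8 UDP -- unencrypted frames only`, and name the byte-swapped constants (`0xFE0E` = port 3838, `0x630F` = port 3939) rather than leaving them as magic numbers.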
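Review bot: `add SPR_TSF_WORD0, TARGETNAV, CLOCKACKTO` together with the later `jg SPR_TSF_WORD0, CLOCKACKTO` compares raw 16-bit timestamps; if SPR_TSF_WORD0 is the low word of the TSF, as the name suggests, it wraps every 65.536 ms and a deadline that crosses the wrap reads as already expired. Compare the difference instead, `sub SPR_TSF_WORD0, CLOCKACKTO, SPARE2` followed by a signed test such as `jgs SPARE2, 0, skip+`, which the file already uses elsewhere (`jles`/`jgs` in the power clamp). TARGETNAV is the raw Duration/ID field of the target's frame, so a frame with a bogus duration sets an arbitrary ACK window; that limitation should be noted where TARGETNAV is stored.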
@@ -6933,0 +7164,16 @@ 245 | + rets 246 | +prepare_hell: 247 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK1 248 | + sl PGA_NEXT, 8, SPARE1 249 | + or SPARE1, 0xff, SPARE1 250 | + phy_table_write_word(7, 0x103, SPARE1) 251 | + phy_reg_and(ACPHY_macbasedDACPlay(rev), 0xFFFE) 252 | + phy_reg_write(ACPHY_sampleDepthCount(rev), 511) 253 | + phy_reg_write(ACPHY_sampleLoopCount(rev), TONE_REPETITION) 254 | + phy_reg_write(ACPHY_sampleInitWaitCount(rev), 0) 255 | + phy_reg_read(ACPHY_RfseqMode(rev), PHY400) 256 | + phy_reg_or(ACPHY_RfseqMode(rev), ACPHY_RfseqMode_CoreActv_override_MASK(rev)) 257 | + phy_reg_and(ACPHY_sampleCmd(rev), 0xfffa) 258 | + phy_reg_and(ACPHY_iqloCalCmdGctl(0), 0x3fff) 259 | + phy_reg_or(ACPHY_sampleCmd(rev), 1) 260 | + mov 1, SPINNING 261 | -------------------------------------------------------------------------------- /src/ucode-jammer-20in80mhz.patch: -------------------------------------------------------------------------------- 1 | --- ../gen/ucode.asm 2017-05-30 00:12:22.184098274 +0200 2 | +++ ucode-jammer-20in80mhz.asm 2017-05-30 00:15:58.932204111 +0200 3 | @@ -3,0 +4,16 @@ 4 | +#include "../include/macros.inc" 5 | +#define SPARE1 r54 6 | +#define SPARE2 r55 7 | +#define SPARE3 r56 8 | +#define SPINNING r60 9 | +#define TONE_REPETITION 40 10 | +#define QOSDATA [SHM(0x1340)] 11 | +#define BEACON [SHM(0x1342)] 12 | +#define OTHER [SHM(0x1344)] 13 | +#define PACK3838 [SHM(0x1350)] 14 | +#define PACK3939 [SHM(0x1352)] 15 | +#define PACKLATE [SHM(0x1354)] 16 | +#define DELTACLOCK1 [SHM(0x1360)] 17 | +#define DELTACLOCK2 [SHM(0x1362)] 18 | +#define DELTACLOCK3 [SHM(0x1364)] 19 | +#define CLOCKREAD [SHM(0x1380)] 20 | @@ -31,0 +48,10 @@ 21 | + je SPINNING, 0, keep_spinning 22 | + mov 0x403, r33 23 | + calls L52 24 | + jnzxh SPR_Ext_IHR_Data & 0x1, keep_spinning 25 | + mov 0x400, r33 26 | + mov SPARE3, r34 27 | + calls L54 28 | + mov 0, SPINNING 29 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK2 30 | +keep_spinning: 31 | 
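Review bot: `prepare_hell` has no `rets` of its own: the added `rets` precedes the label and terminates whatever routine ends at original line 6933, so after `mov 1, SPINNING` execution runs into whatever follows this hunk — the original file's remaining lines, or padding if this is its end. If the text that follows already begins with a `rets`, say so in a comment; otherwise add `rets` after `mov 1, SPINNING`. `phy_reg_write(ACPHY_sampleDepthCount(rev), 511)` hard-codes the 512-sample table the host side loads (num_samps = 512 in signalgeneration.c); a host call with a different length leaves the player replaying stale entries, so note the coupling: `; must match the 512-sample table loaded by signalgeneration.c`. Saving RfseqMode into `PHY400` (r57) here and restoring it from the main-loop spin is only correct while nothing else writes r57 in between, which is worth a comment on the register's lifetime.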
@@ -2708,0 +2735 @@ 32 | + mov SPR_TSF_WORD0, CLOCKREAD 33 | @@ -2853,0 +2881,52 @@ 34 | +#define SPIN_LENGTH (6 + 26 + 8 + 20 + 8) 35 | +#define MIN_LENGTH 10 36 | +spin_rx_header: 37 | + jext COND_RX_COMPLETE, spin_rx_end 38 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, spin_rx_header 39 | +spin_rx_end: 40 | + jl SPR_RXE_FRAMELEN, MIN_LENGTH, skip+ 41 | + mov 0x454e, SPARE1 42 | + jne [5,off1], SPARE1, L652 43 | + mov 0x4d58, SPARE1 44 | + jne [6,off1], SPARE1, L652 45 | + mov 0x4e4f, SPARE1 46 | + jne [7,off1], SPARE1, L652 47 | + mov 0x414a, SPARE1 48 | + jne [8,off1], SPARE1, L652 49 | + mov 0x4d4d, SPARE1 50 | + jne [9,off1], SPARE1, L652 51 | + mov 0x5245, SPARE1 52 | + jne [10,off1], SPARE1, L652 53 | +#define TYPE_QOS_DATA 0x88 54 | +#define TYPE_BEACON 0x80 55 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, skip+ 56 | + and [3,off1], 0xff, SPARE1 57 | + jne SPARE1, TYPE_QOS_DATA, not_qos_data 58 | + add QOSDATA, 1, QOSDATA 59 | + and [20,off1], 0xff, SPARE1 60 | + jne SPARE1, 0x45, skip+ 61 | + sr [24,off1], 8, SPARE1 62 | + jne SPARE1, 0x11, skip+ 63 | + mov 0xFE0E, SPARE1 64 | + jne [31,off1], SPARE1, nextport+ 65 | + add PACK3838, 1, PACK3838 66 | + jext COND_RX_COMPLETE, too_late 67 | + jmp skip+ 68 | +nextport: 69 | + mov 0x630F, SPARE1 70 | + jne [31,off1], SPARE1, skip+ 71 | + add PACK3939, 1, PACK3939 72 | + jext COND_RX_COMPLETE, too_late 73 | + calls prepare_hell 74 | + jmp skip+ 75 | +too_late: 76 | + add PACKLATE, 1, PACKLATE 77 | + jmp skip+ 78 | +not_qos_data: 79 | + jne SPARE1, TYPE_BEACON, not_beacon 80 | + add BEACON, 1, BEACON 81 | + jmp found+ 82 | +not_beacon: 83 | + add OTHER, 1, OTHER 84 | +found: 85 | +skip: 86 | 
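Review bot: `jl SPR_RXE_FRAMELEN, SPIN_LENGTH, skip+` sits before the type dispatch on `[3,off1]`, so every frame shorter than 68 bytes (ACK, CTS, short management and data frames) is dropped before BEACON and OTHER are counted, and those counters undercount; the 3states patch places the same check inside the QoS-data branch, which is what the counters need. Move the check below `jne SPARE1, TYPE_QOS_DATA, not_qos_data`, keeping `MIN_LENGTH` in front of the `[3,off1]` read. Unlike the 3states variant only the destination port `[31,off1]` is examined here, so only traffic sent to port 3838/3939 triggers; if that is intended, a comment at `nextport:` should say so.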
@@ -6933,0 +7013,38 @@ 87 | + rets 88 | +prepare_hell: 89 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK1 90 | + mov 0x471, r33 91 | + calls L52 92 | + mov 0xFFFE, SPARE1 93 | + and SPR_Ext_IHR_Data, SPARE1, r34 94 | + calls L54 95 | + mov 0x463, r33 96 | + mov 511, r34 97 | + calls L54 98 | + mov 0x461, r33 99 | + mov TONE_REPETITION, r34 100 | + calls L54 101 | + mov 0x462, r33 102 | + mov 0x3c, r34 103 | + calls L54 104 | + mov 0x400, r33 105 | + calls L52 106 | + mov SPR_Ext_IHR_Data, SPARE3 107 | + or SPARE3, 1, r34 108 | + calls L54 109 | + mov 0x460, r33 110 | + calls L52 111 | + mov 0xfffa, SPARE1 112 | + and SPR_Ext_IHR_Data, SPARE1, r34 113 | + calls L54 114 | + mov 0x3fff, SPARE1 115 | + mov 0x382, r33 116 | + calls L52 117 | + and SPR_Ext_IHR_Data, SPARE1, r34 118 | + calls L54 119 | + mov 0x460, r33 120 | + calls L52 121 | + or SPR_Ext_IHR_Data, 1, r34 122 | + calls L54 123 | + mov 1, SPINNING 124 | +exit_hell: 125 | -------------------------------------------------------------------------------- /src/ucode-jammer-40in80mhz.patch: -------------------------------------------------------------------------------- 1 | --- ../gen/ucode.asm 2017-05-30 00:12:22.184098274 +0200 2 | +++ ucode-jammer-40in80mhz.asm 2017-05-30 00:15:59.112210967 +0200 3 | @@ -3,0 +4,16 @@ 4 | +#include "../include/macros.inc" 5 | +#define SPARE1 r54 6 | +#define SPARE2 r55 7 | +#define SPARE3 r56 8 | +#define SPINNING r60 9 | +#define TONE_REPETITION 20 10 | +#define QOSDATA [SHM(0x1340)] 11 | +#define BEACON [SHM(0x1342)] 12 | +#define OTHER [SHM(0x1344)] 13 | +#define PACK3838 [SHM(0x1350)] 14 | +#define PACK3939 [SHM(0x1352)] 15 | +#define PACKLATE [SHM(0x1354)] 16 | +#define DELTACLOCK1 [SHM(0x1360)] 17 | +#define DELTACLOCK2 [SHM(0x1362)] 18 | +#define DELTACLOCK3 [SHM(0x1364)] 19 | +#define CLOCKREAD [SHM(0x1380)] 20 | 
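Review bot: The PHY register accesses here are raw numbers (`0x471`, `0x463`, `0x461`, `0x462`, `0x400`, `0x460`, `0x382`) driven through `calls L52`/`calls L54`, whereas the 3states patch writes the same sequence with the `phy_reg_*` macros and `ACPHY_*` names from wlc_phyreg_ac.inc; the symbolic form documents what is written and would have made the divergence visible (judging by the values written, `0x462` is sampleInitWaitCount, which gets 0x3c here and 0 in the 3states patch). Rewrite with the macros, or at least annotate each address, e.g. `mov 0x463, r33 ; sampleDepthCount`. As in the 3states patch, the routine ends at `mov 1, SPINNING` / `exit_hell:` without a `rets`, and the `exit_hell` label is never referenced.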
@@ -31,0 +48,10 @@ 21 | + je SPINNING, 0, keep_spinning 22 | + mov 0x403, r33 23 | + calls L52 24 | + jnzxh SPR_Ext_IHR_Data & 0x1, keep_spinning 25 | + mov 0x400, r33 26 | + mov SPARE3, r34 27 | + calls L54 28 | + mov 0, SPINNING 29 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK2 30 | +keep_spinning: 31 | @@ -2708,0 +2735 @@ 32 | + mov SPR_TSF_WORD0, CLOCKREAD 33 | @@ -2853,0 +2881,52 @@ 34 | +#define SPIN_LENGTH (6 + 26 + 8 + 20 + 8) 35 | +#define MIN_LENGTH 10 36 | +spin_rx_header: 37 | + jext COND_RX_COMPLETE, spin_rx_end 38 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, spin_rx_header 39 | +spin_rx_end: 40 | + jl SPR_RXE_FRAMELEN, MIN_LENGTH, skip+ 41 | + mov 0x454e, SPARE1 42 | + jne [5,off1], SPARE1, L652 43 | + mov 0x4d58, SPARE1 44 | + jne [6,off1], SPARE1, L652 45 | + mov 0x4e4f, SPARE1 46 | + jne [7,off1], SPARE1, L652 47 | + mov 0x414a, SPARE1 48 | + jne [8,off1], SPARE1, L652 49 | + mov 0x4d4d, SPARE1 50 | + jne [9,off1], SPARE1, L652 51 | + mov 0x5245, SPARE1 52 | + jne [10,off1], SPARE1, L652 53 | +#define TYPE_QOS_DATA 0x88 54 | +#define TYPE_BEACON 0x80 55 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, skip+ 56 | + and [3,off1], 0xff, SPARE1 57 | + jne SPARE1, TYPE_QOS_DATA, not_qos_data 58 | + add QOSDATA, 1, QOSDATA 59 | + and [20,off1], 0xff, SPARE1 60 | + jne SPARE1, 0x45, skip+ 61 | + sr [24,off1], 8, SPARE1 62 | + jne SPARE1, 0x11, skip+ 63 | + mov 0xFE0E, SPARE1 64 | + jne [31,off1], SPARE1, nextport+ 65 | + add PACK3838, 1, PACK3838 66 | + jext COND_RX_COMPLETE, too_late 67 | + jmp skip+ 68 | +nextport: 69 | + mov 0x630F, SPARE1 70 | + jne [31,off1], SPARE1, skip+ 71 | + add PACK3939, 1, PACK3939 72 | + jext COND_RX_COMPLETE, too_late 73 | + calls prepare_hell 74 | + jmp skip+ 75 | +too_late: 76 | + add PACKLATE, 1, PACKLATE 77 | + jmp skip+ 78 | +not_qos_data: 79 | + jne SPARE1, TYPE_BEACON, not_beacon 80 | + add BEACON, 1, BEACON 81 | + jmp found+ 82 | +not_beacon: 83 | + add OTHER, 1, OTHER 84 | +found: 85 | +skip: 86 | 
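Review bot: This hunk, like the rest of ucode-jammer-40in80mhz.patch, is byte-identical to the 20in80 and 80in80 variants apart from `TONE_REPETITION` (40/20/10), and the three copies have already drifted from the 3states patch (placement of the length check, single-port match), so a fix has to be applied three times. Keep one patch and pass the repetition count in from the experiment Makefiles (a `-DTONE_REPETITION=20` at the ucode preprocessing step, which already handles `#include "../include/macros.inc"`, if that step takes preprocessor flags), so all bandwidths change together. If the files must stay separate, a header comment such as `; identical to ucode-jammer-20in80mhz.patch except TONE_REPETITION` would at least flag the duplication.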
@@ -6933,0 +7013,38 @@ 87 | + rets 88 | +prepare_hell: 89 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK1 90 | + mov 0x471, r33 91 | + calls L52 92 | + mov 0xFFFE, SPARE1 93 | + and SPR_Ext_IHR_Data, SPARE1, r34 94 | + calls L54 95 | + mov 0x463, r33 96 | + mov 511, r34 97 | + calls L54 98 | + mov 0x461, r33 99 | + mov TONE_REPETITION, r34 100 | + calls L54 101 | + mov 0x462, r33 102 | + mov 0x3c, r34 103 | + calls L54 104 | + mov 0x400, r33 105 | + calls L52 106 | + mov SPR_Ext_IHR_Data, SPARE3 107 | + or SPARE3, 1, r34 108 | + calls L54 109 | + mov 0x460, r33 110 | + calls L52 111 | + mov 0xfffa, SPARE1 112 | + and SPR_Ext_IHR_Data, SPARE1, r34 113 | + calls L54 114 | + mov 0x3fff, SPARE1 115 | + mov 0x382, r33 116 | + calls L52 117 | + and SPR_Ext_IHR_Data, SPARE1, r34 118 | + calls L54 119 | + mov 0x460, r33 120 | + calls L52 121 | + or SPR_Ext_IHR_Data, 1, r34 122 | + calls L54 123 | + mov 1, SPINNING 124 | +exit_hell: 125 | -------------------------------------------------------------------------------- /src/ucode-jammer-80in80mhz.patch: -------------------------------------------------------------------------------- 1 | --- ../gen/ucode.asm 2017-05-30 00:12:22.184098274 +0200 2 | +++ ucode-jammer-80in80mhz.asm 2017-05-30 00:15:59.268216908 +0200 3 | @@ -3,0 +4,16 @@ 4 | +#include "../include/macros.inc" 5 | +#define SPARE1 r54 6 | +#define SPARE2 r55 7 | +#define SPARE3 r56 8 | +#define SPINNING r60 9 | +#define TONE_REPETITION 10 10 | +#define QOSDATA [SHM(0x1340)] 11 | +#define BEACON [SHM(0x1342)] 12 | +#define OTHER [SHM(0x1344)] 13 | +#define PACK3838 [SHM(0x1350)] 14 | +#define PACK3939 [SHM(0x1352)] 15 | +#define PACKLATE [SHM(0x1354)] 16 | +#define DELTACLOCK1 [SHM(0x1360)] 17 | +#define DELTACLOCK2 [SHM(0x1362)] 18 | +#define DELTACLOCK3 [SHM(0x1364)] 19 | +#define CLOCKREAD [SHM(0x1380)] 20 | 
@@ -31,0 +48,10 @@ 21 | + je SPINNING, 0, keep_spinning 22 | + mov 0x403, r33 23 | + calls L52 24 | + jnzxh SPR_Ext_IHR_Data & 0x1, keep_spinning 25 | + mov 0x400, r33 26 | + mov SPARE3, r34 27 | + calls L54 28 | + mov 0, SPINNING 29 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK2 30 | +keep_spinning: 31 | @@ -2708,0 +2735 @@ 32 | + mov SPR_TSF_WORD0, CLOCKREAD 33 | @@ -2853,0 +2881,52 @@ 34 | +#define SPIN_LENGTH (6 + 26 + 8 + 20 + 8) 35 | +#define MIN_LENGTH 10 36 | +spin_rx_header: 37 | + jext COND_RX_COMPLETE, spin_rx_end 38 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, spin_rx_header 39 | +spin_rx_end: 40 | + jl SPR_RXE_FRAMELEN, MIN_LENGTH, skip+ 41 | + mov 0x454e, SPARE1 42 | + jne [5,off1], SPARE1, L652 43 | + mov 0x4d58, SPARE1 44 | + jne [6,off1], SPARE1, L652 45 | + mov 0x4e4f, SPARE1 46 | + jne [7,off1], SPARE1, L652 47 | + mov 0x414a, SPARE1 48 | + jne [8,off1], SPARE1, L652 49 | + mov 0x4d4d, SPARE1 50 | + jne [9,off1], SPARE1, L652 51 | + mov 0x5245, SPARE1 52 | + jne [10,off1], SPARE1, L652 53 | +#define TYPE_QOS_DATA 0x88 54 | +#define TYPE_BEACON 0x80 55 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, skip+ 56 | + and [3,off1], 0xff, SPARE1 57 | + jne SPARE1, TYPE_QOS_DATA, not_qos_data 58 | + add QOSDATA, 1, QOSDATA 59 | + and [20,off1], 0xff, SPARE1 60 | + jne SPARE1, 0x45, skip+ 61 | + sr [24,off1], 8, SPARE1 62 | + jne SPARE1, 0x11, skip+ 63 | + mov 0xFE0E, SPARE1 64 | + jne [31,off1], SPARE1, nextport+ 65 | + add PACK3838, 1, PACK3838 66 | + jext COND_RX_COMPLETE, too_late 67 | + jmp skip+ 68 | +nextport: 69 | + mov 0x630F, SPARE1 70 | + jne [31,off1], SPARE1, skip+ 71 | + add PACK3939, 1, PACK3939 72 | + jext COND_RX_COMPLETE, too_late 73 | + calls prepare_hell 74 | + jmp skip+ 75 | +too_late: 76 | + add PACKLATE, 1, PACKLATE 77 | + jmp skip+ 78 | +not_qos_data: 79 | + jne SPARE1, TYPE_BEACON, not_beacon 80 | + add BEACON, 1, BEACON 81 | + jmp found+ 82 | +not_beacon: 83 | + add OTHER, 1, OTHER 84 | +found: 85 | +skip: 86 | 
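Review bot: The offset arithmetic in the `@@ -2853,0 +2881,52 @@` hunk silently assumes a three-address, unprotected QoS data frame, but only the low byte of the frame-control word is checked (`and [3,off1], 0xff` against `0x88`). The high byte carries the To-DS/From-DS and Protected bits: a four-address frame moves the IP header by 6 bytes and an encrypted frame puts ciphertext at `[20,off1]`/`[24,off1]`/`[31,off1]`, so the `0x45`/`0x11`/port compares would run on the wrong bytes — at worst a missed or spurious trigger, but the assumption should be explicit. A single test of the high byte of `[3,off1]` (Protected bit 0x40, DS bits 0x03) before the IP compares, or at least `; assumes open network, 3-address QoS data (26-byte MAC header) — IP/UDP offsets below are fixed` above `#define SPIN_LENGTH`, would document it. This hunk is byte-identical to the one in the patch listed just before this one, so a shared include would avoid fixing it in several places.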
@@ -6933,0 +7013,38 @@ 87 | + rets 88 | +prepare_hell: 89 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK1 90 | + mov 0x471, r33 91 | + calls L52 92 | + mov 0xFFFE, SPARE1 93 | + and SPR_Ext_IHR_Data, SPARE1, r34 94 | + calls L54 95 | + mov 0x463, r33 96 | + mov 511, r34 97 | + calls L54 98 | + mov 0x461, r33 99 | + mov TONE_REPETITION, r34 100 | + calls L54 101 | + mov 0x462, r33 102 | + mov 0x3c, r34 103 | + calls L54 104 | + mov 0x400, r33 105 | + calls L52 106 | + mov SPR_Ext_IHR_Data, SPARE3 107 | + or SPARE3, 1, r34 108 | + calls L54 109 | + mov 0x460, r33 110 | + calls L52 111 | + mov 0xfffa, SPARE1 112 | + and SPR_Ext_IHR_Data, SPARE1, r34 113 | + calls L54 114 | + mov 0x3fff, SPARE1 115 | + mov 0x382, r33 116 | + calls L52 117 | + and SPR_Ext_IHR_Data, SPARE1, r34 118 | + calls L54 119 | + mov 0x460, r33 120 | + calls L52 121 | + or SPR_Ext_IHR_Data, 1, r34 122 | + calls L54 123 | + mov 1, SPINNING 124 | +exit_hell: 125 | -------------------------------------------------------------------------------- /src/ucode-jammer-ack-full-frm.patch: -------------------------------------------------------------------------------- 1 | --- ../gen/ucode.asm 2017-05-30 00:12:22.184098274 +0200 2 | +++ ucode-jammer-ack-full-frm.asm 2017-05-30 00:15:59.424222848 +0200 3 | 
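Review bot: The `@@ -6933,0 +7013,38 @@` hunk programs seven PHY registers by bare number (0x471, 0x463, 0x461, 0x462, 0x400, 0x460, 0x382) with no comment on what they are, while the full-frm patches in this listing perform what looks like the same sequence, in the same order, through named `ACPHY_*` macros from `wlc_phyreg_ac.inc` (`macbasedDACPlay`, `sampleDepthCount`, `sampleLoopCount`, `sampleInitWaitCount`, `RfseqMode`, `sampleCmd`, `iqloCalCmdGctl`). Two values also differ between the variants without explanation: this one writes `0x3c` to 0x462 where the macro version writes 0 to `ACPHY_sampleInitWaitCount`, and repeats the tone 10 rather than 36 times. A per-write comment naming the register as inferred from the macro variant, e.g. `mov 0x462, r33 ; ACPHY_sampleInitWaitCount (0 in the full-frm variant)`, or switching to the macros outright, would make the sequence reviewable.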
@@ -3,0 +4,38 @@ 4 | +#include "../include/macros.inc" 5 | +#include "../include/wlc_phyreg_ac.inc" 6 | +#define SPARE1 r54 7 | +#define SPARE2 r55 8 | +#define SPARE3 r56 9 | +#define PHY400 r57 10 | +#define SPARE4 r58 11 | +#define SPINNING r60 12 | +#define TONE_REPETITION 36 13 | +#define QOSDATA [SHM(0x1340)] 14 | +#define BEACON [SHM(0x1342)] 15 | +#define OTHER [SHM(0x1344)] 16 | +#define PACK3838 [SHM(0x1346)] 17 | +#define PACK3939 [SHM(0x1348)] 18 | +#define PACKLATE [SHM(0x134A)] 19 | +#define SENDACK3838 [SHM(0x134C)] 20 | +#define SENDACK3939 [SHM(0x134E)] 21 | +#define DELTACLOCK1 [SHM(0x1350)] 22 | +#define DELTACLOCK2 [SHM(0x1352)] 23 | +#define DELTACLOCK3 [SHM(0x1354)] 24 | +#define CLOCKREAD [SHM(0x1356)] 25 | +#define PGA_NEXT [SHM(0x1358)] 26 | +#define IPA_NEXT [SHM(0x135A)] 27 | +#define TXGM_NEXT [SHM(0x135C)] 28 | +#define BBMULT_NEXT [SHM(0x135E)] 29 | +#define TARGETTOTAL [SHM(0x1360)] 30 | +#define ACKTRANSMITTED [SHM(0x1362)] 31 | +#define TARGETRECEIVED [SHM(0x1364)] 32 | +#define TARGETNAV [SHM(0x1366)] 33 | +#define STATE_JAMMER [SHM(0x1370)] 34 | +#define STATE_LEARNING 0 35 | +#define STATE_JAMACK 1 36 | +#define STATE_CHECK 2 37 | +#define ACKMAC1 [SHM(0x1380)] 38 | +#define ACKMAC2 [SHM(0x1382)] 39 | +#define ACKMAC3 [SHM(0x1384)] 40 | +#define WAITACK [SHM(0x1386)] 41 | +#define CLOCKACKTO [SHM(0x1388)] 42 | @@ -31,0 +70,10 @@ 43 | + je SPINNING, 0, keep_spinning 44 | + mov 0x403, r33 45 | + calls L52 46 | + jnzxh SPR_Ext_IHR_Data & 0x1, keep_spinning 47 | + mov 0x400, r33 48 | + mov PHY400, r34 49 | + calls L54 50 | + mov 0, SPINNING 51 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK2 52 | +keep_spinning: 53 | @@ -2589,0 +2638 @@ 54 | + jne STATE_JAMMER, STATE_JAMACK, never_tx_ack 55 | @@ -2590,0 +2640 @@ 56 | +never_tx_ack: 57 | @@ -2591,0 +2642,5 @@ 58 | + je SENDACK3838, 0, skipacktrace+ 59 | +skipacktrace: 60 | + je SENDACK3939, 0, skipacktrace+ 61 | + calls prepare_hell 62 | +skipacktrace: 63 | 
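Review bot: In the `@@ -2591,0 +2642,5 @@` hunk the first instruction, `je SENDACK3838, 0, skipacktrace+`, jumps to the label on the very next line, so it has no effect and only `SENDACK3939` gates `calls prepare_hell`. If port-3838 traffic is meant to be jammed as well, the first `skipacktrace:` label should go so the jump skips the call; if 3838 is deliberately count-only, the two dead lines should go instead, leaving `je SENDACK3939, 0, skipacktrace+` / `calls prepare_hell` / `skipacktrace:`. The same jump-over-jump shape recurs in the `skip_sched_ack` and `skipack` hunks later in this patch; where both flags really do lead to the same target (`skipack`), a pair of `jne …, 0, L442` lines says it directly.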
@@ -2708,0 +2764,5 @@
64 | + mov SPR_TSF_WORD0, CLOCKREAD
65 | + mov 0, SPINNING
66 | + mov 0, SENDACK3838
67 | + mov 0, SENDACK3939
68 | + mov 0, TARGETRECEIVED
69 | 
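Review bot: `mov 0, SPINNING` in the `@@ -2708,0 +2764,5 @@` hunk abandons an in-flight restore if this insertion point is the per-frame RX-start path, which the surrounding use suggests (`CLOCKREAD` stored here is the reference for `DELTACLOCK1/2/3`, and `SENDACK3838/3939`/`TARGETRECEIVED` are consumed per frame). When a new frame starts while sample playback from an earlier trigger is still running, the main-loop hunk never sees `SPINNING == 1` again, so `PHY400` is never written back and the `RfseqMode` override bit set in `prepare_hell` stays latched — and the next `prepare_hell` snapshots the already-overridden value into `PHY400`, making it permanent. Dropping the `mov 0, SPINNING` here (the main-loop hunk clears it itself once register 0x403 bit 0 drops), or restoring `PHY400` before clearing, avoids that. The enclosing routine starts and ends outside the hunk.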
@@ -2853,0 +2914,152 @@ 70 | +#define SPIN_LENGTH (6 + 26 + 8 + 20 + 8) 71 | +#define MIN_LENGTH 10 72 | +spin_rx_header: 73 | + jext COND_RX_COMPLETE, spin_rx_end 74 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, spin_rx_header 75 | +spin_rx_end: 76 | + jl SPR_RXE_FRAMELEN, MIN_LENGTH, skip+ 77 | + mov 0x454e, SPARE1 78 | + jne [5,off1], SPARE1, L652 79 | + mov 0x4d58, SPARE1 80 | + jne [6,off1], SPARE1, L652 81 | + mov 0x4e4f, SPARE1 82 | + jne [7,off1], SPARE1, L652 83 | + mov 0x414a, SPARE1 84 | + jne [8,off1], SPARE1, L652 85 | + mov 0x4d4d, SPARE1 86 | + jne [9,off1], SPARE1, L652 87 | + mov 0x5245, SPARE1 88 | + jne [10,off1], SPARE1, L652 89 | +#define TYPE_QOS_DATA 0x88 90 | +#define TYPE_BEACON 0x80 91 | +#define TYPE_ACK 0xd4 92 | + and [3,off1], 0xff, SPARE1 93 | + jne SPARE1, TYPE_ACK, not_ack 94 | +#define MIN_ACK_LENGTH (6 + 14) 95 | + jl SPR_RXE_FRAMELEN, MIN_ACK_LENGTH, skip+ 96 | + je WAITACK, 0, skip+ 97 | + mov ACKMAC1, SPARE1 98 | + jne [5,off1], SPARE1, skip+ 99 | + mov ACKMAC2, SPARE1 100 | + jne [6,off1], SPARE1, skip+ 101 | + mov ACKMAC3, SPARE1 102 | + jne [7,off1], SPARE1, skip+ 103 | + add CLOCKACKTO, 40, CLOCKACKTO 104 | + jg SPR_TSF_WORD0, CLOCKACKTO, skip+ 105 | + je STATE_JAMMER, STATE_JAMACK, skip_count+ 106 | + add ACKTRANSMITTED, 1, ACKTRANSMITTED 107 | +skip_count: 108 | + jmp skip+ 109 | +not_ack: 110 | + jne SPARE1, TYPE_QOS_DATA, not_qos_data 111 | + add QOSDATA, 1, QOSDATA 112 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, skip+ 113 | + and [20,off1], 0xff, SPARE1 114 | + jne SPARE1, 0x45, skip+ 115 | + sr [24,off1], 8, SPARE1 116 | + je SPARE1, 0x11, protocol_found+ 117 | + je SPARE1, 0x06, protocol_found+ 118 | + jmp skip+ 119 | +protocol_found: 120 | + mov 0xFE0E, SPARE1 121 | + je [30,off1], SPARE1, port_found+ 122 | + je [31,off1], SPARE1, port_found+ 123 | + jmp nextport+ 124 | +port_found: 125 | + add PACK3838, 1, PACK3838 126 | + jext COND_RX_COMPLETE, too_late 127 | + mov 1, SENDACK3838 128 | + jmp skip+ 129 | +nextport: 130 | + mov 
0x630F, SPARE1 131 | + je [30,off1], SPARE1, port_found+ 132 | + je [31,off1], SPARE1, port_found+ 133 | + jmp skip+ 134 | +port_found: 135 | + add PACK3939, 1, PACK3939 136 | + jext COND_RX_COMPLETE, too_late 137 | + mov 1, SENDACK3939 138 | + mov 1, TARGETRECEIVED 139 | + mov STATE_JAMACK, STATE_JAMMER 140 | + mov 0, TARGETTOTAL 141 | + jne STATE_JAMMER, STATE_LEARNING, next_state+ 142 | +#define WINDOW_LEARN 16 143 | + jl TARGETTOTAL, WINDOW_LEARN, window_not_reached+ 144 | +#define THRESH_LEARN_SWITCHTOJAMACK 0 145 | + jg ACKTRANSMITTED, THRESH_LEARN_SWITCHTOJAMACK, keep_state+ 146 | + mov STATE_JAMACK, STATE_JAMMER 147 | + mov 0, TARGETTOTAL 148 | + mov 0, ACKTRANSMITTED 149 | + jmp state_end 150 | +keep_state: 151 | +#define THRESHOLD_LEARN_CHANGEPOWER 3 152 | + jl ACKTRANSMITTED, THRESHOLD_LEARN_CHANGEPOWER, dont_increase_power 153 | +#define POWER_ADD_INCREASE 10 154 | + add PGA_NEXT, POWER_ADD_INCREASE, PGA_NEXT 155 | +dont_increase_power: 156 | + mov 0, TARGETTOTAL 157 | + mov 0, ACKTRANSMITTED 158 | +window_not_reached: 159 | + mov [4,off1], TARGETNAV 160 | + mov [8,off1], ACKMAC1 161 | + mov [9,off1], ACKMAC2 162 | + mov [10,off1], ACKMAC3 163 | + jmp state_end 164 | +next_state: 165 | + jne STATE_JAMMER, STATE_JAMACK, next_state+ 166 | +#define WINDOW_JAMACK 128 167 | + jl TARGETTOTAL, WINDOW_JAMACK, window_not_reached+ 168 | + mov STATE_CHECK, STATE_JAMMER 169 | + mov 0, TARGETTOTAL 170 | + mov 0, ACKTRANSMITTED 171 | +window_not_reached: 172 | + jmp state_end 173 | +next_state: 174 | + jne STATE_JAMMER, STATE_CHECK, next_state+ 175 | +#define WINDOW_CHECK 4 176 | + jl TARGETTOTAL, WINDOW_CHECK, window_not_reached+ 177 | + jg ACKTRANSMITTED, 1, go_back_learning 178 | + je ACKTRANSMITTED, 1, increase_power 179 | +#define POWER_SMALL 1 180 | + sub PGA_NEXT, POWER_SMALL, PGA_NEXT 181 | + jmp finalise 182 | +increase_power: 183 | + add PGA_NEXT, POWER_SMALL, PGA_NEXT 184 | +finalise: 185 | + mov STATE_JAMACK, STATE_JAMMER 186 | + mov 0, TARGETTOTAL 187 | 
+ mov 0, ACKTRANSMITTED 188 | + jmp state_end 189 | +go_back_learning: 190 | + mov STATE_LEARNING, STATE_JAMMER 191 | + mov 0, TARGETTOTAL 192 | + mov 0, ACKTRANSMITTED 193 | +window_not_reached: 194 | + mov [4,off1], TARGETNAV 195 | + mov [8,off1], ACKMAC1 196 | + mov [9,off1], ACKMAC2 197 | + mov [10,off1], ACKMAC3 198 | +next_state: 199 | +state_end: 200 | + add TARGETTOTAL, 1, TARGETTOTAL 201 | +#define PGA_MAXIMUM 255 202 | + jles PGA_NEXT, PGA_MAXIMUM, check_lower 203 | + mov PGA_MAXIMUM, PGA_NEXT 204 | +check_lower: 205 | +#define PGA_MINIMUM 5 206 | + jgs PGA_NEXT, PGA_MINIMUM, power_done 207 | + mov PGA_MINIMUM, PGA_NEXT 208 | +power_done: 209 | + jmp skip+ 210 | +too_late: 211 | + add PACKLATE, 1, PACKLATE 212 | + jmp skip+ 213 | +not_qos_data: 214 | + jne SPARE1, TYPE_BEACON, not_beacon 215 | + add BEACON, 1, BEACON 216 | + jmp found+ 217 | +not_beacon: 218 | + add OTHER, 1, OTHER 219 | +found: 220 | +skip: 221 | + mov 0, WAITACK 222 | @@ -3239,0 +3452,3 @@ 223 | + je SENDACK3939, 0, skipclock+ 224 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK3 225 | +skipclock: 226 | @@ -3291,0 +3507,6 @@ 227 | + je STATE_JAMMER, STATE_JAMACK, skip_ackto 228 | + je TARGETRECEIVED, 0, skip_ackto 229 | + add SPR_TSF_WORD0, TARGETNAV, CLOCKACKTO 230 | + mov 1, WAITACK 231 | +skip_ackto: 232 | + jne SENDACK3939, 0, L588 233 | @@ -3382,0 +3604,5 @@ 234 | + je SENDACK3838, 0, skip_sched_ack+ 235 | +skip_sched_ack: 236 | + je SENDACK3939, 0, skip_sched_ack+ 237 | + mov 0x4001, r17 238 | +skip_sched_ack: 239 | @@ -3758,0 +3985,6 @@ 240 | + je SENDACK3838, 0, skipack+ 241 | + jmp L442 242 | +skipack: 243 | + je SENDACK3939, 0, skipack+ 244 | + jmp L442 245 | +skipack: 246 | 
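Review bot: The adaptive state machine in the `@@ -2853,0 +2914,152 @@` hunk is unreachable as committed: in the second `port_found:` block, `mov STATE_JAMACK, STATE_JAMMER` and `mov 0, TARGETTOTAL` run unconditionally right before `jne STATE_JAMMER, STATE_LEARNING, next_state+`, so the dispatch always lands in the `STATE_JAMACK` branch, `jl TARGETTOTAL, WINDOW_JAMACK, window_not_reached+` is always taken (`TARGETTOTAL` was just zeroed), and `STATE_LEARNING`/`STATE_CHECK`, the `PGA_NEXT` adjustments and the `ACKMAC1..3`/`TARGETNAV` capture never execute — `PGA_NEXT` only ever passes through the min/max clamp, and with the state pinned to `STATE_JAMACK` the `WAITACK`/`ACKTRANSMITTED` accounting is skipped too. If this is a deliberate "always jam ACKs" override it should be marked as such with a comment; otherwise the two lines should be removed so the LEARNING→JAMACK→CHECK cycle below them can run. Note also that the `STATE_JAMACK` `window_not_reached:` path (`jmp state_end`) does not refresh `ACKMAC1..3`/`TARGETNAV`, so the ACK matcher keeps whatever the last LEARNING window captured; if intended, say so there.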
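Review bot: `mov 0x4001, r17` in the `@@ -3382,0 +3604,5 @@` hunk is an undocumented magic value written to a bare register — nothing in the patch says what r17 selects for the scheduled ACK or which bits 0x4001 sets, so the line cannot be reviewed without the original ucode around line 3382. A comment on the line naming the register's role and the two bits, taken from that context, would fix it. As in the earlier `skipacktrace` hunk, `je SENDACK3838, 0, skip_sched_ack+` immediately followed by `skip_sched_ack:` is a jump to the next instruction, so only `SENDACK3939` actually reaches the `mov`; either drop the dead pair or remove the first label if 3838 was meant to be included.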
@@ -6933,0 +7166,15 @@ 247 | + rets 248 | +prepare_hell: 249 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK1 250 | + sl PGA_NEXT, 8, SPARE1 251 | + or SPARE1, 0xff, SPARE1 252 | + phy_reg_and(ACPHY_macbasedDACPlay(rev), 0xFFFE) 253 | + phy_reg_write(ACPHY_sampleDepthCount(rev), 511) 254 | + phy_reg_write(ACPHY_sampleLoopCount(rev), TONE_REPETITION) 255 | + phy_reg_write(ACPHY_sampleInitWaitCount(rev), 0) 256 | + phy_reg_read(ACPHY_RfseqMode(rev), PHY400) 257 | + phy_reg_or(ACPHY_RfseqMode(rev), ACPHY_RfseqMode_CoreActv_override_MASK(rev)) 258 | + phy_reg_and(ACPHY_sampleCmd(rev), 0xfffa) 259 | + phy_reg_and(ACPHY_iqloCalCmdGctl(0), 0x3fff) 260 | + phy_reg_or(ACPHY_sampleCmd(rev), 1) 261 | + mov 1, SPINNING 262 | -------------------------------------------------------------------------------- /src/ucode-jammer-full-frm.patch: -------------------------------------------------------------------------------- 1 | --- ../gen/ucode.asm 2017-05-30 00:12:22.184098274 +0200 2 | +++ ucode-jammer-full-frm.asm 2017-05-30 00:15:59.812237623 +0200 3 | 
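Review bot: The gain word built at the top of `prepare_hell` in the `@@ -6933,0 +7166,15 @@` hunk is never used: `sl PGA_NEXT, 8, SPARE1` / `or SPARE1, 0xff, SPARE1` leaves `PGA_NEXT << 8 | 0xff` in `SPARE1`, and no later line writes `SPARE1` anywhere, so the power adaptation the RX hunk performs on `PGA_NEXT` never reaches the hardware — unless the `phy_reg_*` macros from `macros.inc` (not in view) consume `SPARE1` implicitly, which would rather mean they clobber it. Either the intended `phy_reg_write(<gain register>, SPARE1)` is missing or the two lines are leftovers to be removed; a comment stating which would settle it. `IPA_NEXT`, `TXGM_NEXT` and `BBMULT_NEXT` from the prelude are likewise declared but never referenced in this patch.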
@@ -3,0 +4,38 @@ 4 | +#include "../include/macros.inc" 5 | +#include "../include/wlc_phyreg_ac.inc" 6 | +#define SPARE1 r54 7 | +#define SPARE2 r55 8 | +#define SPARE3 r56 9 | +#define PHY400 r57 10 | +#define SPARE4 r58 11 | +#define SPINNING r60 12 | +#define TONE_REPETITION 36 13 | +#define QOSDATA [SHM(0x1340)] 14 | +#define BEACON [SHM(0x1342)] 15 | +#define OTHER [SHM(0x1344)] 16 | +#define PACK3838 [SHM(0x1346)] 17 | +#define PACK3939 [SHM(0x1348)] 18 | +#define PACKLATE [SHM(0x134A)] 19 | +#define SENDACK3838 [SHM(0x134C)] 20 | +#define SENDACK3939 [SHM(0x134E)] 21 | +#define DELTACLOCK1 [SHM(0x1350)] 22 | +#define DELTACLOCK2 [SHM(0x1352)] 23 | +#define DELTACLOCK3 [SHM(0x1354)] 24 | +#define CLOCKREAD [SHM(0x1356)] 25 | +#define PGA_NEXT [SHM(0x1358)] 26 | +#define IPA_NEXT [SHM(0x135A)] 27 | +#define TXGM_NEXT [SHM(0x135C)] 28 | +#define BBMULT_NEXT [SHM(0x135E)] 29 | +#define TARGETTOTAL [SHM(0x1360)] 30 | +#define ACKTRANSMITTED [SHM(0x1362)] 31 | +#define TARGETRECEIVED [SHM(0x1364)] 32 | +#define TARGETNAV [SHM(0x1366)] 33 | +#define STATE_JAMMER [SHM(0x1370)] 34 | +#define STATE_LEARNING 0 35 | +#define STATE_JAMACK 1 36 | +#define STATE_CHECK 2 37 | +#define ACKMAC1 [SHM(0x1380)] 38 | +#define ACKMAC2 [SHM(0x1382)] 39 | +#define ACKMAC3 [SHM(0x1384)] 40 | +#define WAITACK [SHM(0x1386)] 41 | +#define CLOCKACKTO [SHM(0x1388)] 42 | @@ -31,0 +70,10 @@ 43 | + je SPINNING, 0, keep_spinning 44 | + mov 0x403, r33 45 | + calls L52 46 | + jnzxh SPR_Ext_IHR_Data & 0x1, keep_spinning 47 | + mov 0x400, r33 48 | + mov PHY400, r34 49 | + calls L54 50 | + mov 0, SPINNING 51 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK2 52 | +keep_spinning: 53 | @@ -2590 +2638,2 @@ 54 | - orx 2, 0, 0x2, SPR_BRC, SPR_BRC 55 | + jne STATE_JAMMER, STATE_JAMACK, never_tx_ack 56 | +never_tx_ack: 57 | @@ -2591,0 +2641,5 @@ 58 | + je SENDACK3838, 0, skipacktrace+ 59 | +skipacktrace: 60 | + je SENDACK3939, 0, skipacktrace+ 61 | + calls prepare_hell 62 | +skipacktrace: 63 | 
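Review bot: The 38-line prelude in the `@@ -3,0 +4,38 @@` hunk is identical to the ack-full-frm patch's, and the RX and `prepare_hell` hunks below repeat that pattern — the patch files in this tree carry near-verbatim copies of the same ucode. Moving the register aliases, SHM map and helper routines into one file under `include/` that each patch pulls in with `#include` (this hunk already does so for `macros.inc` and `wlc_phyreg_ac.inc`) would mean a fix lands once instead of per file. At minimum a header comment naming which variant this is and how it differs from the ack variant (only the `orx`/`never_tx_ack` handling, as far as this listing shows) would help reviewers.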
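Review bot: The `@@ -2590 +2638,2 @@` hunk removes `orx 2, 0, 0x2, SPR_BRC, SPR_BRC` and replaces it with `jne STATE_JAMMER, STATE_JAMACK, never_tx_ack` immediately followed by `never_tx_ack:`, so the conditional jump guards an empty span and is a no-op: the `orx` (which the ack-full-frm variant keeps between the same two lines, apparently to request the normal hardware ACK) is now skipped in every state. If suppressing the ACK unconditionally is the intent of this variant, drop the `jne`/label pair and leave only the deletion; if not, the `orx` line belongs between them as in the ack variant. The routine this sits in starts and ends outside the hunk.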
@@ -2708,0 +2763,5 @@
64 | + mov SPR_TSF_WORD0, CLOCKREAD
65 | + mov 0, SPINNING
66 | + mov 0, SENDACK3838
67 | + mov 0, SENDACK3939
68 | + mov 0, TARGETRECEIVED
69 | 
@@ -2853,0 +2913,152 @@ 70 | +#define SPIN_LENGTH (6 + 26 + 8 + 20 + 8) 71 | +#define MIN_LENGTH 10 72 | +spin_rx_header: 73 | + jext COND_RX_COMPLETE, spin_rx_end 74 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, spin_rx_header 75 | +spin_rx_end: 76 | + jl SPR_RXE_FRAMELEN, MIN_LENGTH, skip+ 77 | + mov 0x454e, SPARE1 78 | + jne [5,off1], SPARE1, L652 79 | + mov 0x4d58, SPARE1 80 | + jne [6,off1], SPARE1, L652 81 | + mov 0x4e4f, SPARE1 82 | + jne [7,off1], SPARE1, L652 83 | + mov 0x414a, SPARE1 84 | + jne [8,off1], SPARE1, L652 85 | + mov 0x4d4d, SPARE1 86 | + jne [9,off1], SPARE1, L652 87 | + mov 0x5245, SPARE1 88 | + jne [10,off1], SPARE1, L652 89 | +#define TYPE_QOS_DATA 0x88 90 | +#define TYPE_BEACON 0x80 91 | +#define TYPE_ACK 0xd4 92 | + and [3,off1], 0xff, SPARE1 93 | + jne SPARE1, TYPE_ACK, not_ack 94 | +#define MIN_ACK_LENGTH (6 + 14) 95 | + jl SPR_RXE_FRAMELEN, MIN_ACK_LENGTH, skip+ 96 | + je WAITACK, 0, skip+ 97 | + mov ACKMAC1, SPARE1 98 | + jne [5,off1], SPARE1, skip+ 99 | + mov ACKMAC2, SPARE1 100 | + jne [6,off1], SPARE1, skip+ 101 | + mov ACKMAC3, SPARE1 102 | + jne [7,off1], SPARE1, skip+ 103 | + add CLOCKACKTO, 40, CLOCKACKTO 104 | + jg SPR_TSF_WORD0, CLOCKACKTO, skip+ 105 | + je STATE_JAMMER, STATE_JAMACK, skip_count+ 106 | + add ACKTRANSMITTED, 1, ACKTRANSMITTED 107 | +skip_count: 108 | + jmp skip+ 109 | +not_ack: 110 | + jne SPARE1, TYPE_QOS_DATA, not_qos_data 111 | + add QOSDATA, 1, QOSDATA 112 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, skip+ 113 | + and [20,off1], 0xff, SPARE1 114 | + jne SPARE1, 0x45, skip+ 115 | + sr [24,off1], 8, SPARE1 116 | + je SPARE1, 0x11, protocol_found+ 117 | + je SPARE1, 0x06, protocol_found+ 118 | + jmp skip+ 119 | +protocol_found: 120 | + mov 0xFE0E, SPARE1 121 | + je [30,off1], SPARE1, port_found+ 122 | + je [31,off1], SPARE1, port_found+ 123 | + jmp nextport+ 124 | +port_found: 125 | + add PACK3838, 1, PACK3838 126 | + jext COND_RX_COMPLETE, too_late 127 | + mov 1, SENDACK3838 128 | + jmp skip+ 129 | +nextport: 130 | + mov 
0x630F, SPARE1 131 | + je [30,off1], SPARE1, port_found+ 132 | + je [31,off1], SPARE1, port_found+ 133 | + jmp skip+ 134 | +port_found: 135 | + add PACK3939, 1, PACK3939 136 | + jext COND_RX_COMPLETE, too_late 137 | + mov 1, SENDACK3939 138 | + mov 1, TARGETRECEIVED 139 | + mov STATE_JAMACK, STATE_JAMMER 140 | + mov 0, TARGETTOTAL 141 | + jne STATE_JAMMER, STATE_LEARNING, next_state+ 142 | +#define WINDOW_LEARN 16 143 | + jl TARGETTOTAL, WINDOW_LEARN, window_not_reached+ 144 | +#define THRESH_LEARN_SWITCHTOJAMACK 0 145 | + jg ACKTRANSMITTED, THRESH_LEARN_SWITCHTOJAMACK, keep_state+ 146 | + mov STATE_JAMACK, STATE_JAMMER 147 | + mov 0, TARGETTOTAL 148 | + mov 0, ACKTRANSMITTED 149 | + jmp state_end 150 | +keep_state: 151 | +#define THRESHOLD_LEARN_CHANGEPOWER 3 152 | + jl ACKTRANSMITTED, THRESHOLD_LEARN_CHANGEPOWER, dont_increase_power 153 | +#define POWER_ADD_INCREASE 10 154 | + add PGA_NEXT, POWER_ADD_INCREASE, PGA_NEXT 155 | +dont_increase_power: 156 | + mov 0, TARGETTOTAL 157 | + mov 0, ACKTRANSMITTED 158 | +window_not_reached: 159 | + mov [4,off1], TARGETNAV 160 | + mov [8,off1], ACKMAC1 161 | + mov [9,off1], ACKMAC2 162 | + mov [10,off1], ACKMAC3 163 | + jmp state_end 164 | +next_state: 165 | + jne STATE_JAMMER, STATE_JAMACK, next_state+ 166 | +#define WINDOW_JAMACK 128 167 | + jl TARGETTOTAL, WINDOW_JAMACK, window_not_reached+ 168 | + mov STATE_CHECK, STATE_JAMMER 169 | + mov 0, TARGETTOTAL 170 | + mov 0, ACKTRANSMITTED 171 | +window_not_reached: 172 | + jmp state_end 173 | +next_state: 174 | + jne STATE_JAMMER, STATE_CHECK, next_state+ 175 | +#define WINDOW_CHECK 4 176 | + jl TARGETTOTAL, WINDOW_CHECK, window_not_reached+ 177 | + jg ACKTRANSMITTED, 1, go_back_learning 178 | + je ACKTRANSMITTED, 1, increase_power 179 | +#define POWER_SMALL 1 180 | + sub PGA_NEXT, POWER_SMALL, PGA_NEXT 181 | + jmp finalise 182 | +increase_power: 183 | + add PGA_NEXT, POWER_SMALL, PGA_NEXT 184 | +finalise: 185 | + mov STATE_JAMACK, STATE_JAMMER 186 | + mov 0, TARGETTOTAL 187 | 
+ mov 0, ACKTRANSMITTED 188 | + jmp state_end 189 | +go_back_learning: 190 | + mov STATE_LEARNING, STATE_JAMMER 191 | + mov 0, TARGETTOTAL 192 | + mov 0, ACKTRANSMITTED 193 | +window_not_reached: 194 | + mov [4,off1], TARGETNAV 195 | + mov [8,off1], ACKMAC1 196 | + mov [9,off1], ACKMAC2 197 | + mov [10,off1], ACKMAC3 198 | +next_state: 199 | +state_end: 200 | + add TARGETTOTAL, 1, TARGETTOTAL 201 | +#define PGA_MAXIMUM 255 202 | + jles PGA_NEXT, PGA_MAXIMUM, check_lower 203 | + mov PGA_MAXIMUM, PGA_NEXT 204 | +check_lower: 205 | +#define PGA_MINIMUM 5 206 | + jgs PGA_NEXT, PGA_MINIMUM, power_done 207 | + mov PGA_MINIMUM, PGA_NEXT 208 | +power_done: 209 | + jmp skip+ 210 | +too_late: 211 | + add PACKLATE, 1, PACKLATE 212 | + jmp skip+ 213 | +not_qos_data: 214 | + jne SPARE1, TYPE_BEACON, not_beacon 215 | + add BEACON, 1, BEACON 216 | + jmp found+ 217 | +not_beacon: 218 | + add OTHER, 1, OTHER 219 | +found: 220 | +skip: 221 | + mov 0, WAITACK 222 | @@ -3239,0 +3451,3 @@ 223 | + je SENDACK3939, 0, skipclock+ 224 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK3 225 | +skipclock: 226 | @@ -3291,0 +3506,6 @@ 227 | + je STATE_JAMMER, STATE_JAMACK, skip_ackto 228 | + je TARGETRECEIVED, 0, skip_ackto 229 | + add SPR_TSF_WORD0, TARGETNAV, CLOCKACKTO 230 | + mov 1, WAITACK 231 | +skip_ackto: 232 | + jne SENDACK3939, 0, L588 233 | @@ -3382,0 +3603,5 @@ 234 | + je SENDACK3838, 0, skip_sched_ack+ 235 | +skip_sched_ack: 236 | + je SENDACK3939, 0, skip_sched_ack+ 237 | + mov 0x4001, r17 238 | +skip_sched_ack: 239 | @@ -3758,0 +3984,6 @@ 240 | + je SENDACK3838, 0, skipack+ 241 | + jmp L442 242 | +skipack: 243 | + je SENDACK3939, 0, skipack+ 244 | + jmp L442 245 | +skipack: 246 | 
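Review bot: The ACK deadline test in the `@@ -2853,0 +2913,152 @@` hunk does not survive counter wrap-around: `add CLOCKACKTO, 40, CLOCKACKTO` followed by `jg SPR_TSF_WORD0, CLOCKACKTO, skip+` compares two 16-bit values as plain magnitudes, and if `SPR_TSF_WORD0` is the low word of the TSF (its name and its use as the `DELTACLOCK*` timing reference suggest so) it wraps every 65 ms, so around a wrap an ACK that arrived in time is counted as late or vice versa. Comparing the modular difference instead — `sub SPR_TSF_WORD0, CLOCKACKTO, SPARE1` / `jgs SPARE1, 40, skip+` — uses the signed jump the hunk already relies on for the `PGA_NEXT` clamp and also stops mutating `CLOCKACKTO` on every matching ACK. Worth a comment as well: `[4,off1]` captured as `TARGETNAV` is the raw Duration/ID field, which is only a duration when its top bit is clear.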
@@ -6933,0 +7165,15 @@ 247 | + rets 248 | +prepare_hell: 249 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK1 250 | + sl PGA_NEXT, 8, SPARE1 251 | + or SPARE1, 0xff, SPARE1 252 | + phy_reg_and(ACPHY_macbasedDACPlay(rev), 0xFFFE) 253 | + phy_reg_write(ACPHY_sampleDepthCount(rev), 511) 254 | + phy_reg_write(ACPHY_sampleLoopCount(rev), TONE_REPETITION) 255 | + phy_reg_write(ACPHY_sampleInitWaitCount(rev), 0) 256 | + phy_reg_read(ACPHY_RfseqMode(rev), PHY400) 257 | + phy_reg_or(ACPHY_RfseqMode(rev), ACPHY_RfseqMode_CoreActv_override_MASK(rev)) 258 | + phy_reg_and(ACPHY_sampleCmd(rev), 0xfffa) 259 | + phy_reg_and(ACPHY_iqloCalCmdGctl(0), 0x3fff) 260 | + phy_reg_or(ACPHY_sampleCmd(rev), 1) 261 | + mov 1, SPINNING 262 | -------------------------------------------------------------------------------- /src/ucode-jammer.patch: -------------------------------------------------------------------------------- 1 | --- ../gen/ucode.asm 2017-05-30 00:12:22.184098274 +0200 2 | +++ ucode-jammer.asm 2017-05-30 00:15:59.628230617 +0200 3 | @@ -3,0 +4,15 @@ 4 | +#define SPARE1 r54 5 | +#define SPARE2 r55 6 | +#define SPARE3 r56 7 | +#define SPINNING r60 8 | +#define TONE_REPETITION 10 9 | +#define QOSDATA [SHM(0x1340)] 10 | +#define BEACON [SHM(0x1342)] 11 | +#define OTHER [SHM(0x1344)] 12 | +#define PACK3838 [SHM(0x1350)] 13 | +#define PACK3939 [SHM(0x1352)] 14 | +#define PACKLATE [SHM(0x1354)] 15 | +#define DELTACLOCK1 [SHM(0x1360)] 16 | +#define DELTACLOCK2 [SHM(0x1362)] 17 | +#define DELTACLOCK3 [SHM(0x1364)] 18 | +#define CLOCKREAD [SHM(0x1380)] 19 | @@ -31,0 +47,10 @@ 20 | + je SPINNING, 0, keep_spinning 21 | + mov 0x403, r33 22 | + calls L52 23 | + jnzxh SPR_Ext_IHR_Data & 0x1, keep_spinning 24 | + mov 0x400, r33 25 | + mov SPARE3, r34 26 | + calls L54 27 | + mov 0, SPINNING 28 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK2 29 | +keep_spinning: 30 | @@ -2708,0 +2734 @@ 31 | + mov SPR_TSF_WORD0, CLOCKREAD 32 | 
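Review bot: `prepare_hell` in the `@@ -6933,0 +7165,15 @@` hunk ends at `mov 1, SPINNING` without a `rets`, yet it is entered with `calls prepare_hell` from the RX-path hunk; returning relies on whatever the generated ucode.asm has right after the insertion point (the leading `+ rets` hints that original line 6933 fell through into one). An explicit `rets` after `mov 1, SPINNING` costs nothing and survives the .asm being regenerated with shifted offsets. The routine also re-snapshots `ACPHY_RfseqMode` into `PHY400` on every call, so a guard at the top that returns when `SPINNING` is already 1 would keep a second trigger during playback from saving the already-overridden value, which the main-loop restore would then write back.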
@@ -2853,0 +2880,52 @@ 33 | +#define SPIN_LENGTH (6 + 26 + 8 + 20 + 8) 34 | +#define MIN_LENGTH 10 35 | +spin_rx_header: 36 | + jext COND_RX_COMPLETE, spin_rx_end 37 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, spin_rx_header 38 | +spin_rx_end: 39 | + jl SPR_RXE_FRAMELEN, MIN_LENGTH, skip+ 40 | + mov 0x454e, SPARE1 41 | + jne [5,off1], SPARE1, L652 42 | + mov 0x4d58, SPARE1 43 | + jne [6,off1], SPARE1, L652 44 | + mov 0x4e4f, SPARE1 45 | + jne [7,off1], SPARE1, L652 46 | + mov 0x414a, SPARE1 47 | + jne [8,off1], SPARE1, L652 48 | + mov 0x4d4d, SPARE1 49 | + jne [9,off1], SPARE1, L652 50 | + mov 0x5245, SPARE1 51 | + jne [10,off1], SPARE1, L652 52 | +#define TYPE_QOS_DATA 0x88 53 | +#define TYPE_BEACON 0x80 54 | + jl SPR_RXE_FRAMELEN, SPIN_LENGTH, skip+ 55 | + and [3,off1], 0xff, SPARE1 56 | + jne SPARE1, TYPE_QOS_DATA, not_qos_data 57 | + add QOSDATA, 1, QOSDATA 58 | + and [20,off1], 0xff, SPARE1 59 | + jne SPARE1, 0x45, skip+ 60 | + sr [24,off1], 8, SPARE1 61 | + jne SPARE1, 0x11, skip+ 62 | + mov 0xFE0E, SPARE1 63 | + jne [31,off1], SPARE1, nextport+ 64 | + add PACK3838, 1, PACK3838 65 | + jext COND_RX_COMPLETE, too_late 66 | + jmp skip+ 67 | +nextport: 68 | + mov 0x630F, SPARE1 69 | + jne [31,off1], SPARE1, skip+ 70 | + add PACK3939, 1, PACK3939 71 | + jext COND_RX_COMPLETE, too_late 72 | + calls prepare_hell 73 | + jmp skip+ 74 | +too_late: 75 | + add PACKLATE, 1, PACKLATE 76 | + jmp skip+ 77 | +not_qos_data: 78 | + jne SPARE1, TYPE_BEACON, not_beacon 79 | + add BEACON, 1, BEACON 80 | + jmp found+ 81 | +not_beacon: 82 | + add OTHER, 1, OTHER 83 | +found: 84 | +skip: 85 | 
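Review bot: `found:` and `skip:` at the end of the `@@ -2853,0 +2880,52 @@` hunk label the same address, so `jmp found+` after the beacon counter is just `jmp skip+` under another name; dropping `found:` removes one label a reader has to chase. In the same hunk the `#define`s for `SPIN_LENGTH`, `MIN_LENGTH`, `TYPE_QOS_DATA` and `TYPE_BEACON` sit in the middle of executable code; hoisting them to the prelude with the other constants keeps the hot path readable. This variant, unlike the full-frm ones in this listing, only matches the destination port `[31,off1]` and only UDP (`0x11`); a comment such as `; UDP dst-port match only — by design for this variant` would stop someone "fixing" it to match the others.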
@@ -6933,0 +7012,38 @@ 86 | + rets 87 | +prepare_hell: 88 | + sub SPR_TSF_WORD0, CLOCKREAD, DELTACLOCK1 89 | + mov 0x471, r33 90 | + calls L52 91 | + mov 0xFFFE, SPARE1 92 | + and SPR_Ext_IHR_Data, SPARE1, r34 93 | + calls L54 94 | + mov 0x463, r33 95 | + mov 511, r34 96 | + calls L54 97 | + mov 0x461, r33 98 | + mov TONE_REPETITION, r34 99 | + calls L54 100 | + mov 0x462, r33 101 | + mov 0x3c, r34 102 | + calls L54 103 | + mov 0x400, r33 104 | + calls L52 105 | + mov SPR_Ext_IHR_Data, SPARE3 106 | + or SPARE3, 1, r34 107 | + calls L54 108 | + mov 0x460, r33 109 | + calls L52 110 | + mov 0xfffa, SPARE1 111 | + and SPR_Ext_IHR_Data, SPARE1, r34 112 | + calls L54 113 | + mov 0x3fff, SPARE1 114 | + mov 0x382, r33 115 | + calls L52 116 | + and SPR_Ext_IHR_Data, SPARE1, r34 117 | + calls L54 118 | + mov 0x460, r33 119 | + calls L52 120 | + or SPR_Ext_IHR_Data, 1, r34 121 | + calls L54 122 | + mov 1, SPINNING 123 | +exit_hell: 124 | -------------------------------------------------------------------------------- /src/vendor_radiotap.c: -------------------------------------------------------------------------------- 1 | /*************************************************************************** 2 | * * 3 | * ########### ########### ########## ########## * 4 | * ############ ############ ############ ############ * 5 | * ## ## ## ## ## ## ## * 6 | * ## ## ## ## ## ## ## * 7 | * ########### #### ###### ## ## ## ## ###### * 8 | * ########### #### # ## ## ## ## # # * 9 | * ## ## ###### ## ## ## ## # # * 10 | * ## ## # ## ## ## ## # # * 11 | * ############ ##### ###### ## ## ## ##### ###### * 12 | * ########### ########### ## ## ## ########## * 13 | * * 14 | * S E C U R E M O B I L E N E T W O R K I N G * 15 | * * 16 | * This file is part of NexMon. 
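Review bot: The `@@ -6933,0 +7012,38 @@` hunk depends on the original helpers `L52`/`L54` taking the PHY register number in `r33` and the value in `r34`, with the read result appearing in `SPR_Ext_IHR_Data`, but that convention is stated nowhere and the labels are generated names that move when ucode.asm is regenerated. A comment at `prepare_hell:` such as `; L52 = PHY reg read (r33 -> SPR_Ext_IHR_Data), L54 = PHY reg write (r33 = reg, r34 = value) — regenerate if ucode.asm changes` — or better, the `phy_reg_read`/`phy_reg_write` macros the full-frm patches use — would make the sequence maintainable. `exit_hell:` is defined but never jumped to; either use it as the early-out for the `SPINNING` case or remove it.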
* 17 | * * 18 | * Copyright (c) 2016 NexMon Team * 19 | * * 20 | * NexMon is free software: you can redistribute it and/or modify * 21 | * it under the terms of the GNU General Public License as published by * 22 | * the Free Software Foundation, either version 3 of the License, or * 23 | * (at your option) any later version. * 24 | * * 25 | * NexMon is distributed in the hope that it will be useful, * 26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * 27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * 28 | * GNU General Public License for more details. * 29 | * * 30 | * You should have received a copy of the GNU General Public License * 31 | * along with NexMon. If not, see . * 32 | * * 33 | **************************************************************************/ 34 | 35 | #pragma NEXMON targetregion "patch" 36 | 37 | #include 38 | #include 39 | 40 | static const struct radiotap_align_size radiotap_nex_vendor_subns_0_sizes[] = { 41 | [RADIOTAP_NEX_TXDELAY] = { .align = 4, .size = 4, }, 42 | [RADIOTAP_NEX_TXREPETITIONS] = { .align = 8, .size = 8, }, 43 | [RADIOTAP_NEX_RATESPEC] = { .align = 4, .size = 4, }, 44 | }; 45 | 46 | static const struct ieee80211_radiotap_namespace radiotap_nex_vendor_ns[] = { 47 | [0] = { 48 | .n_bits = ARRAY_SIZE(radiotap_nex_vendor_subns_0_sizes), 49 | .align_size = radiotap_nex_vendor_subns_0_sizes, 50 | .oui = 0x004e4558, // NEX 51 | .subns = 0 52 | } 53 | }; 54 | 55 | const struct ieee80211_radiotap_vendor_namespaces rtap_vendor_namespaces = { 56 | .ns = radiotap_nex_vendor_ns, 57 | .n_ns = ARRAY_SIZE(radiotap_nex_vendor_ns), 58 | }; 59 | -------------------------------------------------------------------------------- /src/version.c: -------------------------------------------------------------------------------- 1 | /*************************************************************************** 2 | * * 3 | * ########### ########### ########## ########## * 4 | * ############ ############ 
############ ############ * 5 | * ## ## ## ## ## ## ## * 6 | * ## ## ## ## ## ## ## * 7 | * ########### #### ###### ## ## ## ## ###### * 8 | * ########### #### # ## ## ## ## # # * 9 | * ## ## ###### ## ## ## ## # # * 10 | * ## ## # ## ## ## ## # # * 11 | * ############ ##### ###### ## ## ## ##### ###### * 12 | * ########### ########### ## ## ## ########## * 13 | * * 14 | * S E C U R E M O B I L E N E T W O R K I N G * 15 | * * 16 | * This file is part of NexMon. * 17 | * * 18 | * Copyright (c) 2016 NexMon Team * 19 | * * 20 | * NexMon is free software: you can redistribute it and/or modify * 21 | * it under the terms of the GNU General Public License as published by * 22 | * the Free Software Foundation, either version 3 of the License, or * 23 | * (at your option) any later version. * 24 | * * 25 | * NexMon is distributed in the hope that it will be useful, * 26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * 27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * 28 | * GNU General Public License for more details. * 29 | * * 30 | * You should have received a copy of the GNU General Public License * 31 | * along with NexMon. If not, see . * 32 | * * 33 | **************************************************************************/ 34 | 35 | #pragma NEXMON targetregion "patch" 36 | 37 | #include // definition of firmware version macros 38 | #include // macros used to craete patches such as BLPatch, BPatch, ... 39 | 40 | char version[] = "nexmon_ver: " GIT_VERSION "-" BUILD_NUMBER "\n"; 41 | 42 | __attribute__((at(0x1F2470, "", CHIP_VER_BCM4339, FW_VER_6_37_32_RC23_34_43_r639704))) 43 | GenericPatch4(version_patch, version); 44 | --------------------------------------------------------------------------------