Hijacker on the Samsung Galaxy S10 with wireless injection #1097
Merged
1 change: 1 addition & 0 deletions src/SUMMARY.md
@@ -25,6 +25,7 @@
- [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
- [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)
- [Pentesting Wifi](generic-methodologies-and-resources/pentesting-wifi/README.md)
- [Enable Nexmon Monitor And Injection On Android](generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md)
- [Evil Twin EAP-TLS](generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md)
- [Phishing Methodology](generic-methodologies-and-resources/phishing-methodology/README.md)
- [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md)
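Review bot: the new sidebar entry spells the project "Nexmon" while the H1 of the page it links to and the new README subsection both write "NexMon"; pick one spelling for the SUMMARY title so the navigation text matches the page heading. The nesting under "Pentesting Wifi" and the file path look consistent with the sibling "Evil Twin EAP-TLS" entry.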
@@ -21,6 +21,12 @@ iwlist wlan0 scan #Scan available wifis

## Tools

### Hijacker & NexMon (Android internal Wi-Fi)

{{#ref}}
enable-nexmon-monitor-and-injection-on-android.md
{{#endref}}

### EAPHammer

```
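Review bot: the new "### Hijacker & NexMon (Android internal Wi-Fi)" subsection carries only a `{{#ref}}` block, whereas the neighbouring `### EAPHammer` section opens straight into usage; a single sentence before the ref saying what the linked page covers (monitor mode and frame injection on the phone's built-in Broadcom chip via a Magisk module, so no USB adapter is needed) would let readers scanning the Tools list decide whether the link applies to them. Also worth confirming the rendered README still shows the EAPHammer code fence correctly, since the hunk ends on its opening fence line.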
@@ -0,0 +1,133 @@
# Enable NexMon Monitor Mode & Packet Injection on Android (Broadcom chips)

{{#include ../../banners/hacktricks-training.md}}

## Overview
Most modern Android phones embed a Broadcom/Cypress Wi-Fi chipset that ships without 802.11 monitor mode or frame-injection capabilities. The open-source NexMon framework patches the proprietary firmware to add those features and exposes them through a shared library (`libnexmon.so`) and a CLI helper (`nexutil`). By pre-loading that library into the stock Wi-Fi driver, a rooted device can capture raw 802.11 traffic and inject arbitrary frames – eliminating the need for an external USB adapter.

This page documents a fast workflow that takes a fully-patched Samsung Galaxy S10 (BCM4375B1) as an example, using:

* NexMon Magisk module containing the patched firmware + `libnexmon.so`
* Hijacker Android application to automate monitor-mode toggling
* Optional Kali NetHunter chroot to run classic wireless tools (aircrack-ng, wifite, mdk4 …) directly against the internal interface

The same technique applies to any handset that has a publicly available NexMon patch (Pixel 1, Nexus 6P, Galaxy S7/S8, etc.).

---

## Prerequisites
* Android handset with a supported Broadcom/Cypress chipset (e.g. BCM4358/59/43596/4375B1)
* Root with Magisk ≥ 24
* BusyBox (most ROMs/NetHunter already include it)
* NexMon Magisk ZIP or self-compiled patch providing:
* `/system/lib*/libnexmon.so`
* `/system/xbin/nexutil`
* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker
* (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools

---

## Flashing the NexMon patch (Magisk)
1. Download the ZIP for your exact device/firmware (example: `nexmon-s10.zip`).
2. Open Magisk -> Modules -> Install from storage -> select the ZIP and reboot.
The module copies `libnexmon.so` into `/data/adb/modules/<module>/lib*/` and ensures SELinux labels are correct.
3. Verify installation:
```bash
ls -lZ $(find / -name libnexmon.so 2>/dev/null)
sha1sum $(which nexutil)
```

---

## Configuring Hijacker
Hijacker can toggle monitor mode automatically before running `airodump`, `wifite`, etc. In **Settings -> Advanced** add the following entries (edit the library path if your module differs):

```
Prefix:
LD_PRELOAD=/data/user/0/com.hijacker/files/lib/libnexmon.so

Enable monitor mode:
svc wifi disable; ifconfig wlan0 up; nexutil -s0x613 -i -v2

Disable monitor mode:
nexutil -m0; svc wifi enable
```

Enable “Start monitor mode on airodump start” so every Hijacker scan happens in native monitor mode (`wlan0` instead of `wlan0mon`).

If Hijacker shows errors at launch, create the required directory on shared storage and reopen the app:
```bash
mkdir -p /storage/emulated/0/Hijacker
```

### What do those `nexutil` flags mean?
* **`-s0x613`** Write firmware variable 0x613 (FCAP_FRAME_INJECTION) → `1` (enable TX of arbitrary frames).
* **`-i`** Put interface in monitor mode (radiotap header will be prepended).
* **`-v2`** Set verbose level; `2` prints confirmation and firmware version.
* **`-m0`** Restore managed mode (used in the *disable* command).

After running *Enable monitor mode* you should see the interface in monitor state and be able to capture raw frames with:
```bash
airodump-ng --band abg wlan0
```

---

## Manual one-liner (without Hijacker)
```bash
# Enable monitor + injection
svc wifi disable && ifconfig wlan0 up && nexutil -s0x613 -i -v2

# Disable and return to normal Wi-Fi
nexutil -m0 && svc wifi enable
```

If you only need passive sniffing, omit the `-s0x613` flag.

---

## Using `libnexmon` inside Kali NetHunter / chroot
Stock user-space tools in Kali do not know about NexMon, but you can force them to use it via `LD_PRELOAD`:

1. Copy the pre-built shared object into the chroot:
```bash
cp /sdcard/Download/kalilibnexmon.so <chroot>/lib/
```
2. Enable monitor mode from the **Android host** (command above or through Hijacker).
3. Launch any wireless tool inside Kali with the preload:
```bash
sudo su
export LD_PRELOAD=/lib/kalilibnexmon.so
wifite -i wlan0 # or aircrack-ng, mdk4 …
```
4. When finished, disable monitor mode as usual on Android.

Because the firmware already handles radiotap injection, user-space tools behave just like on an external Atheros adapter.

---

## Typical Attacks Possible
Once monitor + TX is active you can:
* Capture WPA(2/3-SAE) handshakes or PMKID with `wifite`, `hcxdumptool`, `airodump-ng`.
* Inject deauthentication / disassociation frames to force clients to reconnect.
* Craft arbitrary management/data frames with `mdk4`, `aireplay-ng`, Scapy, etc.
* Build rogue APs or perform KARMA/MANA attacks directly from the phone.

Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-3 M pps RX).

---

## Troubleshooting
* `Device or resource busy` – make sure **Android Wi-Fi service is disabled** (`svc wifi disable`) before enabling monitor mode.
* `nexutil: ioctl(PRIV_MAGIC) failed` – the library is not pre-loaded; double-check `LD_PRELOAD` path.
* Frame injection works but no packets captured – some ROMs hard-block channels; try `nexutil -c <channel>` or `iwconfig wlan0 channel <n>`.
* SELinux blocking library – set device to *Permissive* or fix module context: `chcon u:object_r:system_lib_file:s0 libnexmon.so`.

---

## References
* [Hijacker on the Samsung Galaxy S10 with wireless injection](https://forums.kali.org/t/hijacker-on-the-samsung-galaxy-s10-with-wireless-injection/10305)
* [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon)
* [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker)

{{#include ../../banners/hacktricks-training.md}}
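Review bot: the "What do those `nexutil` flags mean?" list does not describe how the "Enable monitor mode" command is actually composed, and the "omit the `-s0x613` flag" tip under the manual one-liner relies on that reading. In nexutil's own usage text, `-s<int>` selects the ioctl to set, `-i` marks the value as an integer and `-v<value>` supplies it, so `nexutil -s0x613 -i -v2` is one set operation (ioctl 0x613 := 2) rather than three independent switches; `-v2` is not a verbosity level, and dropping `-s0x613` leaves `-i -v2` with nothing to set. Suggest rewriting the four bullets to explain the command as a single ioctl write (and checking the `-m0` bullet against the same usage text), and replacing the passive-sniffing tip with the value that gives monitor mode without injection or, failing that, pointing readers at `nexutil --help` and the nexmon README for current flag semantics. Separately, the page names three different locations for `libnexmon.so` (`/system/lib*/` under Prerequisites, `/data/adb/modules/<module>/lib*/` after flashing, `/data/user/0/com.hijacker/files/lib/` in the Hijacker prefix) without saying which is canonical or how the library ends up in Hijacker's data directory; one sentence tying them together would save readers a failed preload, which is exactly the `ioctl(PRIV_MAGIC) failed` case listed under Troubleshooting.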