
Wi-Fi chip with SPI/SDIO interface that supports monitoring and packet injection

Looking for Modern Wi-Fi chipset for hacking

Since we decided to drop the Raspberry Pi board and make a new system board from scratch, we need a suitable WiFi chipset that supports all kinds of attacks.

WiFi chip requirements:

  • Low price $3-5

  • SDIO 2.0/3.0 interface — We want to keep the USB lines accessible for the user, so a USB chipset is not recommended. But we can change our mind if it is 100% suitable out of the box.

  • 2.4 GHz and 5GHz in single antenna port

  • System in Package (SiP) module — These modules already have all RF components like LNA, filters, etc. packaged on one tiny PCB covered with a metal shield. Usually these modules have Bluetooth too.

  • Monitor mode — passively listen to wireless traffic with RadioTap headers.

  • Packet injection

  • Supported by: aircrack-ng/airodump/aireplay, reaver, wash, wifite, pixie WPS, PMKID capture.

Broadcom/Cypress chipsets

Currently we are looking at Cypress/Broadcom chipsets + nexmon patches because of a complete lack of alternatives. There are many SiP (System in Package) modules based on Cypress/Broadcom chipsets on the market: Murata, Ampak, Alinket, Laird, Inventek and many others.

Possibly suitable chipsets:

  • CYW4334WKUBGT
  • CYW43340HKUBGT
  • CYW43340XKUBGT
  • CYCHPSET-P62S143438-1

Less suitable chipsets:

  • BCM4339XKUBGT
  • CYW4343WKUBGT
  • CYW4343W1KUBGT
  • CYW4343WKWBGT
  • CYW43455XKUBGT
  • CYW4339XKUBGT
  • BCM88335L2CUBGT

Ampak modules

Currently our best candidate is the Chinese Ampak APxxxx module based on Cypress/Broadcom chipsets. These modules have no clear datasheet because they hide the real version of the WiFi chipset inside. So we need to test all modules and create our own datasheets for these devices.

How can I help?

Ampak modules are used in some Chinese Raspberry Pi clones like Banana Pi, Orange Pi, Nano Pi and so on.
If you have a board with one of the Ampak modules, you can test it against all types of attacks and for stability.

How to test my WiFi chipset

  1. Check the exact version of your chipset by looking at it, checking dmesg and the firmware version.
  2. Install nexmon patches.
  3. Test airodump with channel hopping, deauthentication attack, WPS attack, PMKID capturing and so on. Keep the device in monitor mode for a long time to check stability.
  4. Post your results here.

The Turris MOX router comes with an SDIO Wi-Fi card on a Marvell chipset, which uses the mwifiex driver. It’s not clear whether it supports injection. Check their forum for useful information.
https://forum.turris.cz/c/mox-hw

https://www.lesswire.com/en/products/wireless-modules/wlan-bluetooth/wibear-11n/overview/

http://www.wi2wi.com/wireless-connectivity/maximum-performance-series

I’m not familiar with WiFi attacks, but there are several WiFi SoCs used in IoT, namely ESP8266, ESP32 and RTL8710/8711/8195. All of these have an integrated MCU (which could possibly also be used for low-power mode instead of the one in C1111) and a somewhat flexible SDK.

I’m no expert regarding these chips, but I believe it could be possible to write firmware for one of them that communicates with the Raspberry over SPI and enables it to perform the attacks you mentioned.

Would it be possible to somehow switch the master-slave mode of USB at runtime? Because that would allow an optional external second adapter, along with a keyboard connection, USB file transfer and other useful things. That’s not really on the topic of this thread, but it was somewhat mentioned here.

We should test them all

  • AMPAK AP6181 - SDIO (02d0:a962) BCM43362 (WiFi) (1T1R 802.11bgn)
  • AMPAK AP6210 - SDIO (02d0:a962) BCM43362 (WiFi)/BCM20710 (BT 4.0)
  • AMPAK AP6212 - SDIO (02d0:a9a6) BCM43430 (WiFi/BT 4.0) (1T1R 802.11bgn)
  • AMPAK AP6212A - SDIO (02d0:a9a6) BCM43438 (WiFi/BT 4.0) • ZQ6-AP6212A
  • AMPAK AP6234A - SDIO (02d0:a94c) BCM43340 (WiFi/BT 4.0) (1T1R 802.11abgn)
  • AMPAK AP6255 - SDIO (02d0:a9bf) BCM43455C0 (802.11abgn/ac) (BT 4.2)
  • AMPAK AP6256 - SDIO (02d0:a9bf, same IDs as AP6255) BCM43456 (802.11ac) (BT 5.0)
  • AMPAK AP6330 - SDIO (02d0:4330) BCM4330 (WiFi)/BCM40183 (BT 4.0 + HS)

I see the easiest way to test all potentially suitable modules is to grab all Chinese RPi clones (Banana/Orange/ODROID and so on). So please add suitable boards with WiFi module names.

AMPAK AP6212

  • Banana Pi M2 Zero
  • Banana Pi M3

AMPAK AP6212A

  • Orange Pi Zero Plus2 H3
  • Red Bear IoT pHAT for Raspberry Pi

AMPAK AP6181

  • Banana Pi M2

AP6255

  • Orange Pi Lite 2

AP6256 802.11ac (bcm43455)

  • Orange Pi 3

Hidden list of Ampak wireless modules: http://www.plyworks.co.kr/pw_assets/down/WIFI_Module_LIST_2018.pdf

The Raspberry Pi Zero/3 has a tiny Broadcom chipset BCM43438KUBG that is WiFi SDIO 802.11n (bcm43430a1) + UART Bluetooth.
It has an issue with the nexmon patch which causes a crash under load: the nexmon blindness bug (brcmf_cfg80211_nexmon_set_channel).

So we should test all Ampak modules against this problem.
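As an added example (not code from this thread or from the nexmon project), a small Python helper for step 1 of the test procedure above: it maps the SDIO vendor:device IDs from the Ampak list in this thread to candidate modules and parses brcmfmac dmesg lines for the chip revision and firmware version, using the firmware blob the driver picked to tell AP6255 and AP6256 apart since they share 02d0:a9bf. The regexes follow the brcmfmac driver’s "using <blob> for chip <name>" and "Firmware: <chip> wl0: ... version ..." messages; the sample lines and the assumption that a nexmon build mentions "nexmon" in its version tag are constructed here.

```python
import re

# Constructed from the SDIO IDs listed in this thread (vendor 02d0 = Broadcom/Cypress).
# Several modules share one ID, so the SDIO ID alone cannot name the module.
SDIO_ID_TO_MODULES = {
    "02d0:a962": ["AP6181 (BCM43362)", "AP6210 (BCM43362)"],
    "02d0:a9a6": ["AP6212 (BCM43430)", "AP6212A (BCM43438)"],
    "02d0:a94c": ["AP6234A (BCM43340)"],
    "02d0:a9bf": ["AP6255 (BCM43455C0)", "AP6256 (BCM43456)"],
    "02d0:4330": ["AP6330 (BCM4330)"],
}

# brcmfmac log lines: the firmware request names the blob and chip revision,
# the preinit line carries the running firmware's version string.
FW_REQ_RE = re.compile(r"using \S*?brcmfmac(\d+)\S* for chip (\S+)")
FW_VER_RE = re.compile(r"wl0: .*?\bversion (\S+) \(([^)]*)\)")

def parse_dmesg(lines):
    """Extract firmware blob number, chip/rev and firmware version from dmesg lines."""
    info = {}
    for line in lines:
        m = FW_REQ_RE.search(line)
        if m:
            info["fw_blob"], info["chip"] = m.group(1), m.group(2)
        m = FW_VER_RE.search(line)
        if m:
            info["fw_version"], info["fw_tag"] = m.group(1), m.group(2)
            # Assumption: a nexmon-built firmware mentions "nexmon" in its version tag.
            info["nexmon"] = "nexmon" in m.group(2).lower()
    return info

def identify(sdio_id, dmesg_lines):
    """Return candidate modules for an SDIO ID, narrowed by the firmware blob the driver chose."""
    candidates = SDIO_ID_TO_MODULES.get(sdio_id.lower(), [])
    info = parse_dmesg(dmesg_lines)
    blob = info.get("fw_blob")
    # AP6255 and AP6256 share 02d0:a9bf; the blob number (43455 vs 43456) tells them apart.
    narrowed = [c for c in candidates if blob and blob in c] or candidates
    return {"sdio_id": sdio_id, "candidates": narrowed, **info}

# Constructed sample lines in brcmfmac's message format (not captured from a real board).
SAMPLE_DMESG = [
    "brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43456-sdio for chip BCM4345/9",
    "brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/9 wl0: Jan 01 2020 00:00:00 "
    "version 7.45.96 (nexmon.org: 2.2.2-0-gabcdef0) FWID 01-00000000",
]

if __name__ == "__main__":
    print(identify("02d0:a9bf", SAMPLE_DMESG))
```

On a real board, feed it the lines from `dmesg | grep brcmfmac` and the ID assembled from the `vendor` and `device` attributes under `/sys/bus/sdio/devices/`.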

I think that a better choice is to switch from SDIO to USB and choose a Realtek 88(12/14)au module.

IMHO it’s better to use community supported (Kali, OpenWrt, etc) hardware and drivers.

  • These chipsets are USB 3.0 and we have only USB 2.0. It seems they have backward compatibility with USB 2.0.
  • I can’t find any offers to buy them.

Or another approach is to try the rtl8812au driver and an RTL8821AS module.
Like this one.

But it’s a completely untested approach.

I have three modules in my lab and I can confirm that they have backward compatibility.
Also these modules can work through a USB hub.

Maybe you know some Atheros WiFi modules in a SiP form factor?

Like this one?

https://www.8devices.com/products/blue-bean

https://www.8devices.com/products/red-bean

These are fine also.

It looks interesting, but when I googled “QCA9377 monitor mode” there are only issues with monitor mode and packet injection.

We should look closer at the Qualcomm QCA9377 chip family. According to this datasheet there are three versions of this chip with different connection interfaces:

  • QCA9377-3
    supports a low-power SDIO 3.0 interface for WLAN and a UART/PCM interface for Bluetooth

  • QCA9377-5
    supports a low-power PCIe 2.1 (with L1 sub-state) interface for WLAN and a USB 1.1 interface for Bluetooth

  • QCA9377-7
    supports a low-power USB 2.0 interface for WLAN and a USB 1.1 interface for Bluetooth

Here is the discussion about monitor mode on the official forum https://developer.qualcomm.com/forum/qdn-forums/hardware/qca9377/34827 with controversial information about the topic. The vendor suggests using the proprietary QDN driver and says that it supports monitor mode and packet injection, but nobody can prove this.

Here is the announcement of a patch for QCA9377-3 (SDIO version) support in the ath10k driver https://www.silextechnology.com/unwired/ath10k-sdio-wi-fi-patch-for-qca9377-3-available

But it is still not clear whether QCA9377-3 really supports monitor/injection or not.
@klukonin, can you please help figure this out?
We will buy dev kits of the 8devices boards and test them, but maybe you have more information.

Other SDIO modules based on QCA9377-3:
https://www.silextechnology.com/connectivity-solutions/embedded-wireless/sx-sdmac-plus

A strange Chinese module https://www.alibaba.com/product-detail/Low-Cost-5GHz-WiFi-Module-With_60833937153.html
On the official website it is marked as a QCA1023-based module http://www.fn-link.com/product/25.html Fn-link says:

QCA9377 is the same as QCA1023, but Qualcomm names it differently for the China market only.

No-name Chinese module WCT8830 https://www.alibaba.com/product-detail/dual-band-iot-5g-combo-wifi_60708398983.html

LTM8830 https://www.arrow.com/en/products/ltm8830/shenzhen-longsys-electronics-co-ltd