Hi friends.
There is very little information on commissioning native debugging in several different threads. I met with a variety of problems, I would like to summarize them and some followed up.
What can we do now (a huge thanks to Ultrashot):
- Debug managed application in VS2010.
- See trace output of unmanaged code in VS2008.
- See trace output of unmanaged dll in managed Output window VS2010, tutorial added here.
What I would like as soon as possible:
- Debug unmanaged code with full tracing, breakpoints, etc. working in VS2008.
As for the future:
- Debug combined code, ideally in one IDE (Can be VS2012 adapted?).
- Debug 3rd attached Processes.
Please write your experience with debugging, solving even the smallest problems, to many people it can help.
Sorry for my English!
First issue
I have 2 identical devices HTC7Pro. One of them had DFT ROM, Second Dynamics (Nr. 1 Ultrashot version).
First one works well with VS2008 native debugger. Debugger runs fast. Extracts from AtlTrace appear in the output. Only when the application is finished, debugger must be closed manually.
Second device worked well too, but two weeks ago stopped it. Native VS2008 debugger hangs totally, managed VS2010 debugger says "could not debug, screenlock occured". All remote tools stay worked.
Solution:
It is unbelievable, but this device probably lost two important registry sz values (empty string needed):
[HKEY_LOCAL_MACHINE\System\OOM\DoNotKillApps]
"\Application Data\Phone Tools\10.0\CoreCon\bin\ConmanClient3.exe"
"\Application Data\Phone Tools\10.0\CoreCon\bin\edm3.exe"
See http://forum.xda-developers.com/showthread.php?t=1336137#5, Ultrashot summarized all necessary unlock and debugging registry changes here.
May be this values was not present full time, but two weeks ago managed debugging worked well. Now this values adding soluted managed debugging problem.
Unmanaged problem was bigger. When PC debugger hanged and VS2008 killed by TaskManager, edm2.exe still runned on device. I tried many things with no succes. I flashed five other ROMS - no success! I used three PCs - no success (I installed totally new Windows 7, VS and SDK to one)! Then I was convinced it must be hardware dependent, first device works well on all PCs debuggers.
But yesterday I tried 1. to flash Dynamics2 ROM to problematic device, 2. to delete all edm*.exe files on one from PCs and replace by Ultrashot edm2p.exe only. Now I have next unbelievable behaviour of this device:
... Native debugger, which is quick on first device, there wait about 30s to start debugging (deploying is also slow) on second one.
... After pause debugger seems to work normally.
... Output (dlls loading) is showed, but AtlTrace output is not present! (from first device is showed).
... When I stop application on device, debugger correctly ends too. On first (better) device I must stop it manually.
Dynamics 2 ROM is almost pure on device.
Some words of caution: If you enable WiFi tethering, debugger (even WMDC) are brought together. If tethering is switched off, then WMDC connects fine, but debugger sometimes does not connect well (on both my devices). After WiFi tethering I have to restart device to have the debugger always well connected.
Small notes:
- It is pleasant to use WPConnect instead Zune, above mentioned registry control is needed.
- WMDC Launcher http://forum.xda-developers.com/showthread.php?t=1521763 adds more functionality than older native debugger http://forum.xda-developers.com/showthread.php?t=1429383 .
- Ultrashot told me native breakpoits worked in past, but he has no time to search, why they stopped working. Can you confirm somebody native breakpoints worked for you? We can compare our device and PC states, I never seen worked it on any my PCs-ROMs-Devices combination.
Update 1st issue:
On Second PC:
1st (better) device - debugger works (shows trace output) and sometimes stops automatically after application finishing too:
... There is 20s delay here
Load module: Pok4.exe
Load module: coredll.dll.0405.MUI
Load module: LPCRT.dll
Load module: RPCRT4LEGACY.dll
Load module: OLEAUT32.dll
Load module: ole32.dll
Load module: FPCRT.dll
Load module: coredll.dll
Toto je zacatek ... message from AtlTrace
Load module: AYGSHELL.dll
Load module: eventsnd.dll
Load module: waveapic.dll
Load module: ossvcs.dll
Load module: shlwapi.dll
Load module: phone.dll
Load module: shcore.dll
Load module: PACMANCLIENT.dll
Load module: EMCLIENT.dll
Load module: ZTrace.dll
Load module: ril.dll
The thread 0x1923000e has exited with code 16 (0x10).
... There I must stop PC debugger manually sometimes, or kill edm2p.exe on device, Pok4.xe is unkillable sometime. But sometimes debugger stops itself.
The program '[0x18DA000E] Pok4.exe' has exited with code 1067 (0x42b).
2nd (worse) device - debugger works, but does not show trace output and does not stop automatically after application finishing:
... There is 30s delay here (only first time, may be it is devivice debugger starting pause, debugger is not killed automatically)
Load module: Pok4.exe
Load module: coredll.dll.0405.MUI
Load module: RPCRT4LEGACY.dll
Load module: OLEAUT32.dll
Load module: ole32.dll
Load module: FPCRT.dll
Load module: coredll.dll
Load module: AYGSHELL.dll
Load module: ossvcs.dll
Load module: waveapic.dll
Load module: shlwapi.dll
Load module: shcore.dll
... There I must stop PC debugger manually everytime here
Do you somebody understand output difference? Application project, PC and VS is the same, device is changed (and WPConnect called) only.
LPCRT.dll miss in second output. This seems second device has no registered ATL COM proxy dll (I found something here http://cboard.cprogramming.com/cplu...-proxy-dll-difficulties-windows-ce-5-0-a.html). Do you understand COM somebody better then me?
Edit: After any minutes, WITHOUT any changing, second (worst) device begin better behaviour - debugger is closed corretly and immediatelly:
Load module: Pok4.exe
Load module: coredll.dll.0405.MUI
Load module: RPCRT4LEGACY.dll
Load module: OLEAUT32.dll
Load module: ole32.dll
Load module: FPCRT.dll
Load module: coredll.dll
Load module: AYGSHELL.dll
Load module: ossvcs.dll
Load module: waveapic.dll
Load module: shlwapi.dll
Load module: shcore.dll
The thread 0x1ae4034e has exited with code 0 (0x0).
The program '[0x1B1D036A] Pok4.exe' has exited with code 0 (0x0).
Now this behaviour is similar to my first PC yasterday. I do not understand it totally. On first device still AtlTrace works and thread has exited with code 16. There is debugger problem probably to handle application exception.
Application Pok4 contains this code only:
extern "C" int WINAPI _tWinMain(HINSTANCE /*hInstance*/, HINSTANCE /*hPrevInstance*/,
LPTSTR /*lpCmdLine*/, int nShowCmd)
{
ATLTRACE2(L"Toto je zacatek\n");
MessageBox(NULL, L"Po začátku", L"_tWinMain", MB_OK);
int i = 0;
return 0;
}
It looks like ATL COM proxy generates Trace output on first device, but it generates also undebuggable exception on it (EDIT: Probably not true, see next post!). But this behaviour is sometimes very random.
When I change ATLTRACE2 to OutputDebugString, behaviour of both devices is exactly the same as with ATLTRACE2..
I made the simpliest console application:
// Simple.cpp : Defines the entry point for the console application.
#include <windows.h>
int _tmain(int argc, _TCHAR* argv[])
{
OutputDebugString(L"OutputDebugString\n");
::MessageBox(NULL, L"MessageBox", L"_tmain", MB_OK);
return 0;
}
First device debug output:
Load module: Simple.exe
Load module: coredll.dll.0405.MUI
Load module: coredll.dll
OutputDebugString
Load module: AYGSHELL.dll
Load module: ole32.dll
Load module: RPCRT4LEGACY.dll
Load module: LPCRT.dll
Load module: eventsnd.dll
Load module: waveapic.dll
Load module: OLEAUT32.dll
Load module: FPCRT.dll
Load module: ossvcs.dll
Load module: shlwapi.dll
Load module: phone.dll
Load module: shcore.dll
Load module: PACMANCLIENT.dll
Load module: EMCLIENT.dll
Load module: ZTrace.dll
Load module: ril.dll
The thread 0x1d4500be has exited with code 0 (0x0).
... I must close debugger manually here, no exception here (after debug manual stopping only - see next line). Visual Studio crashed here, when connection is manually killed (cable unplug etc.)!
The program '[0x1DE300B6] Simple.exe' has exited with code 1067 (0x42b).
Second device debug output:
... longer waiting here, if it is first debugger attempt
Load module: Simple.exe
Load module: coredll.dll.0405.MUI
Load module: coredll.dll
Load module: AYGSHELL.dll
Load module: ole32.dll
Load module: RPCRT4LEGACY.dll
Load module: ossvcs.dll
Load module: waveapic.dll
Load module: shlwapi.dll
Load module: OLEAUT32.dll
Load module: FPCRT.dll
Load module: shcore.dll
The thread 0x1e030036 has exited with code 0 (0x0).
The program '[0x1E730036] Pok5.exe' has exited with code 0 (0x0).
... Debugger stops immediatelly and succesfully here.
All above behaviour is stable, but everytime any (3-10) minutes after plugged device changing. This seems WMDC green state is not finish of reconnection, debugger issues need much more time to make stable connection.
VSDTeam: ""If desktop component finds that conmanclient.exe is not of the same version it tries to shut it down, bootstrap the device (copy the device side binaries to device and start them)." I mean similar behaviour is to debugger components. Can not be debugger starting delay dependent of killing, deploying (or timeout) of different debugging components version?
By web search there exists also other debugging delay causes:
... .Net PC-Application-Device difference.
... Definitions updating from web on every debug time.
... Any policy issues.
Delay occures mostly, when:
- change connection or device
- rebuild applicatin.
http://blogs.msdn.com/b/vsdteam/archive/2007/01/18/connectivity-issues-after-installing-sp1.aspx
I will try prepare debugging files from unupdated VS2008 and from SP1 and compare its behaviour. Also all pre- and post- steps from http://support.microsoft.com/kb/957912 may be usable. Even SP1 and updates I found also CE Compact 7 update, do you know anybody, if it is related and backward compatible? http://support.microsoft.com/kb/2483802
I mean breakpoints disfunction must be edm2 dependent, but any other issues (missing core features, policy) can have influence to problem.
I gradually installed Visual Studio 2008 Service Pack 1, VS2008-PatchRemovalTool, Remote debugger installation for Visual Studio 2008 Service Pack 1, KB957912, KB2483802.
Ultrashot distributed edm2p.exe seems equal to armv4i\edm2.exe installed as part of KB2483802 update, but breakpoints problem is not fixed still. I tried all another (unpatched) edm2.exe arm4vi versions, but this one is able to communicate with destkop debugger only, still with mistakes.
Notes:
- IsDebuggerPresent() returns true.
- The same programm without MessageBox ends succesfully, debugger stops immediately itself on both devices.
TRACE from Native Dll to VS 2010 managed Output window
Hi guys. So it is done ... TRACE, which writes from native dll to the Output window in Visual Studio 2010. It's a dreadful job, maybe it is unnecessarily synchronized. I guess it could be done somehow and standard way, bat I solved it enough on their own, when Microsoft does it right. It's dirty, but it works. The picture follow the red text. The principle will be published cleaned up a little.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Martin7Pro said:
Hi guys. So it is done ... TRACE, which writes from native dll to the Output window in Visual Studio 2010. It's a dreadful job, maybe it is unnecessarily synchronized. I guess it could be done somehow and standard way, bat I solved it enough on their own, when Microsoft does it right. It's dirty, but it works. The picture follow the red text. The principle will be published cleaned up a little.
Click to expand...
Click to collapse
EDIT:
It is finished now. See tutorial here.
Interesting issue, urgent question (for ultrashot probably)
Hi friends. I have got partial solution of my mysterious issue:
My DFT ROM HTC7PPro device works with native VS2008 debugger on all computers. TRACE output is shown, breakpoints do not works, debugger must be stopped manually.
My second, Dynamics ROM HTC7Pro device did not work with native VS2008 debugger on one computer. On second computer application was launched under debugger, but TRACE output was not showen. Debugger stops automatically, when application is exited.
I found next:
On first device edm2p.exe is launched, then debugger works on all machines (without breakpoints only).
On second device edm2.exe is deployed every time from computer and launched to make debugging. When is installed VS2010 together with VS2008, edm2.exe is deployed from VS2010 debugger subdirectory! Difference between computers was in edm2.exe missing in VS2010 subdirectory. I soluted issue by next way: I renamed ultrashot's patched debugger edm2p.exe to edm2.exe and copied to VS2010 debugger Armv4i subdirectory. Now debugging is working (without breakpoints).
Questions:
1. Why two ConManClient2.exe instances run on my Dynamics device everytime after debugger connecting?
2. Why edm2.exe is deployed instead using patched edm2p.exe one from device, when WMDC.xap is installed the same on both devices?
3. Why is patching needed (called CMCCDLL.dll implements any missed COREDLL.dll API) to be TRACE output working?
4. Can not be patched also another API part to be breakpoints working?
5. Why debugger connected to Dynamics stops automatically after debugged appplication is closed, but debugger connected to DFT one not?
Martin7Pro said:
Hi friends. I have got partial solution of my mysterious issue:
My DFT ROM HTC7PPro device works with native VS2008 debugger on all computers. TRACE output is shown, breakpoints do not works, debugger must be stopped manually.
My second, Dynamics ROM HTC7Pro device did not work with native VS2008 debugger on one computer. On second computer application was launched under debugger, but TRACE output was not showen. Debugger stops automatically, when application is exited.
I found next:
On first device edm2p.exe is launched, then debugger works on all machines (without breakpoints only).
On second device edm2.exe is deployed every time from computer and launched to make debugging. When is installed VS2010 together with VS2008, edm2.exe is deployed from VS2010 debugger subdirectory! Difference between computers was in edm2.exe missing in VS2010 subdirectory. I soluted issue by next way: I renamed ultrashot's patched debugger edm2p.exe to edm2.exe and copied to VS2010 debugger Armv4i subdirectory. Now debugging is working (without breakpoints).
Questions:
1. Why two ConManClient2.exe instances run on my Dynamics device everytime after debugger connecting?
2. Why edm2.exe is deployed instead using patched edm2p.exe one from device, when WMDC.xap is installed the same on both devices?
3. Why is patching needed (called CMCCDLL.dll implements any missed COREDLL.dll API) to be TRACE output working?
4. Can not be patched also another API part to be breakpoints working?
5. Why debugger connected to Dynamics stops automatically after debugged appplication is closed, but debugger connected to DFT one not?
Click to expand...
Click to collapse
I don't like your question-based post style.
Also, DFT and Dynamics comparison isn't really valid considering first rom's build date, i.e. newest binaries don't even work on older ROMs.
ultrashot said:
I don't like your question-based post style.
Also, DFT and Dynamics comparison isn't really valid considering first rom's build date, i.e. newest binaries don't even work on older ROMs.
Click to expand...
Click to collapse
I understand. But, debugging on very old DFT V3 (with your WMDC installed) works better then on much newer Dynamics V2.
Martin7Pro said:
I understand. But, debugging on very old DFT V3 (with your WMDC installed) works better then on much newer Dynamics V2.
Click to expand...
Click to collapse
My answer is still valid
ultrashot said:
My answer is still valid
Click to expand...
Click to collapse
I do not want to disturb you by PM, then I write questions here. May be somebody will able to answer them. Native development without working debugging is very slow and much projects stay due it now. Especially HaRET is very wanted now by community, but probably unfinishable in usable time without online heap tracing etc. For now it is total blackbox, every added low-level functionality increases more and more strange behaviour, danger for devices. Tracelogging not helps me much.
There is log from EDM2:
...
Config key HKLM\SOFTWARE\Microsoft\VSD\Debugger not present
INFO10: DeviceDebugProcess::LoadConfiguration: Config values: CopyWriteOn:00, CopyWriteROM:00, CopyWriteEXE:00, CopyWriteDLL:00
...
This may be cause of disfunctioned breakpoints. Full log is attached. Can you anybody corecon/debugging experienced explain it and help to make debugging working. All projects participated by me (HaRET WP7, Console WP7, MortScript WP7, FTP Client, WMWCEWECLauncherWP7 etc.) are dependent of good debugging possibility.
Martin7Pro said:
There is log from EDM2:
...
Config key HKLM\SOFTWARE\Microsoft\VSD\Debugger not present
INFO10: DeviceDebugProcess::LoadConfiguration: Config values: CopyWriteOn:00, CopyWriteROM:00, CopyWriteEXE:00, CopyWriteDLL:00
...
This may be cause of disfunctioned breakpoints. Full log is attached. Can you anybody corecon/debugging experienced explain it and help to make debugging working. All projects participated by me (HaRET WP7, Console WP7, MortScript WP7, FTP Client, WMWCEWECLauncherWP7 etc.) are dependent of good debugging possibility.
Click to expand...
Click to collapse
I tried to create CopyWriteOn etc. values in registry key above and fill to 1, but I am not sure of result.
When breakpoint setting debugger edm2 crashed in function CE_CopyWrite.
Attached log is after returning to 0. Sometimes occured EXCEPTION:80000003 (HW breakpoint), but not accepted by debugger.
PwnAir
WiFi monitor mode & AirCrack
ONLY for Galaxy S1 with any compatible ROM
"STABLE" RELEASE /* YOUR WARRANTY IS NOW VOID */
05/2014 [NEW] 1.03 TARGET-SCAN (airodump-ng) is now part of PwnAir Lite!
06/2014 [NEW] 1.05/1.06 Signal strength indication is now reported in TARGET-SCAN
07/2014 [NEW] 1.07 The app will try again if you fail to give superuser rights at first launch. Tested with several ROMs.
11/2014 [NEW] PwnAir Pro is now free! No ads. No trackers added.
PwnAir is a package (kernel + app) that will turn your Galaxy S1 phone into a WiFi cracking device.
* Enable WiFi monitor mode, like bcmon did
* Recover WEP and WPA-PSK keys, through AirCrack
* Capture WiFi traffic, through AirCrack too
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I couldn't resist to put this reference to the Watch Dogs game.
What a better timing to launch PwnAir than Watch Dogs game release ? (PwnAir is not sponsored by Ubisoft, btw!)
What's new is that PwnAir intends to:
* port bcmon to recent ROMs/kernels. As you may have noticed, bcmon won't run on recent ROMs, except if you've built it yourself. That's normal.
* bring a new graphical user interface to bcmon app (LOAD)
* bring a new graphical user interface to airodump-ng (TARGET-SCAN)
* [Pro only] bring a new graphical user interface for the main AirCrack-ng command-line tools (TARGET-LOG, ATTACK, CRACK) with terminal scrolling optimizations
[more screenshots]
PRE-REQUISITES
* Your phone is a Galaxy S1 (galaxysmtd, GT-I9000). It is NOT going to work on S2/S3/S4, or any other phones that are using anything else than the Aries kernel, and especially anything else than a Broadcom 4329 WiFi chipset.
* You are using a KitKat ROM* (or you swear to do a kernel/NANDROID backup in case you're unsure). PwnAir Kernel has been tested on CyanogenMod v11 (best supported snapshot: cm-11-20140504-SNAPSHOT-M6-galaxysmtd.zip), CyanFox 2.0.2 (dead download link) and C-RoM v7.1.
* You have a custom recovery installed, like CWM or TWRP. I recommend CWM Philz Touch (philz_touch_6.19.3-galaxysmtd.img).
* You are not afraid of loosing your phone warranty and/or data, making your phone bootloop until you get to reflash it, and all those funny stuff that kernel/ROM flashers surprisingly enjoy.
*About KitKat ROM compatibility: To be more exact, you need a ROM compatible with CyanogenMod 11 kernel (a.k.a. Aries stable/cm11.0, this version is the KitKat release), which is generally the case of KitKat ROMs. It is possible that older non-KitKat ROM work also. There should be no reason your ROM is not compatible with PwnAir kernel, if you use a fairly recent ROM (ie. KitKat, i.e. 4.4) without strong kernel customizations. The risk as for any kernel is that some peripherals may not work or that the phone may bootloop until reflashed. On Linux/Android, the approach of flashing a full kernel is safer than forcing a Wi-Fi driver to load into an unknown kernel. For the compatibility paranoïds, you can use the indicated CyanogenMod ROM snapshot.
INSTALL INSTRUCTIONS
Download PwnAir Kernel zip file
Open PwnAir kernel zip archive with 7zip or similar zip tool
Download the monitor mode firmware: fw_bcm4329.bcmon.bin
Copy fw_bcm4329.bcmon.bin into the system/vendor/firmware folder of the PwnAir kernel zip file
Save the zip file
Transfer the zip file to your sdcard
Reboot your phone in Recovery Mode (from the menu, or power off and power on with Volume Up + Home + Power)
Do a NANDROID backup or at least a quicker kernel backup
Flash the zip file from recovery mode
Reboot your phone
MONITOR MODE ACTIVATION & WHAT'S NEXT
The PwnAir Lite app has been installed during the process. Open it and "Load Monitor Mode".
First option, "Mode monitor" appears. -- You're happy.
So then, go to the target tab and launch a scan to see access points and clients ("stations") traffic.
Additional functions are part of the (free) Pro App or can be used with free Command Line Interface tools : Wireless Tools (mandatory) + Aircrack (see "sources" section, check "bin" folders).
Second option, an error message appears or you're stuck into a bootloop.
If an error message appears...
1. Post the error message here.
2. Connect your phone in USB debugging mode
3. Post the output of
Code:
adb shell su -c dmesg
4. Don't pay me a beer, I don't deserve it
If the error message when trying to flash is "This package is for "galaxys,galaxysmtd,GT-I9000,GT-I9000M,GT-I9000T" devices; this is a "". Status 7.", then you need to install CWM Philz Touch (philz_touch_6.19.3-galaxysmtd.img), which is a CWM Advanced Recovery, and try again to install PwnAir from Recovery Mode.
To install Philz Touch, go to Download Mode (not Recovery Mode) and run from your computer:
Code:
heimdall flash --KERNEL philz_touch_6.19.3-galaxysmtd.img
If you're stuck into a bootloop or frozen boot -- Don't cry, you're not alone, that happens.
First of all, remove the battery and reboot. Still in trouble?
Sometimes Often, CWM isn't working properly so re-flash the PwnAir kernel with Heimdall.
Connect your phone USB cable to your PC, put your phone in Download Mode (long press Volume Down + Home + Power), extract boot.img from the zip file and run from your PC command prompt:
Code:
heimdall flash --KERNEL boot.img
You can do this with ODIN if you prefer.
Still in trouble, again?
From Download Mode, flash your working ROM/Kernel boot.img the same way as described just before.
Or from Recovery Mode, restore your NANDROID backup or flash another working kernel or ROM.
DOWNLOADS :laugh: DOWNLOADS!
pwnair-no-firmware.zip: PwnAir Kernel+App flashable zip - Mirror: XDA Download - FIRMWARE NOT INCLUDED, GET FIRMWARE FROM THE LINK BELOW AND CHECK INSTALL INSTRUCTIONS!
fw_bcm4329.bcmon.bin: Bcmon monitor mode firmware for Broadcom 4329 WiFi chipset
[OPTIONAL] PwnAir Pro App For FREE, an easy-to-use graphical interface that implements Aircrack automated scan/attack/cracking tools on WEP and WPA networks (WPA: includes the 10k most commonly used password dictionnary). You can also download it from this thread Download section but in this case you need to install it manually (adb install or whatever).
KNOWN ISSUES
Unload was supposed to bring my normal WiFi back, not "kill" all the WiFi drivers! dmesg log will show some info about memory usage. From what I understand, the WiFi driver, especially the "normal" one (Mode: managed), is asking the kernel to reserve too much memory aligned space to store the wifi interface class. And the kernel, as a result of time and driver load/unload, is too much fragmented to satisfy this request. That's the strange way the Linux kernel works. So you just need to realign your kernel memory. So just "Reboot".
EDIT: NIK510 reported that clicking the Unload button and then running iwconfig eth0 power off and iwconfig eth0 power on in a terminal can bring your normal WiFi back without rebooting. Try your luck!
Having airodump-ng (SCAN) launched for a long time may cause the phone to freeze or reboot Well, for this, I've no idea. You know my answer: "Reboot". The hard way if necessary.
LIMITATIONS
PwnAir Lite App is limited to loading the monitor mode and scanning for networks. Get the (free) Pro version for attacks and cracking. Otherwise, if you like typing command-lines with MAC addresses on your touch phone, here's the deal: AirCrack is open source GNU GPL. That means you can get the CLI sources of the Android port directly on my repo and compile it or get the CLI binaries.
PwnAir is not compatible with Aircrack-ng-GUI, Reaver-WPS-GUI apps or any "normal" WiFi app. Either use the PwnAir Pro app or the free Wireless Tools binaries + Aircrack CLI binaries (see "sources" section). Try your luck with "Unload" but the only clean way to get your normal WiFi back is just to reboot your phone.
Not all possible WiFi attacks are implemented. Attack of hidden SSID, client attack (Caffe Latte) and client MAC spoofing need to be manually (CLI) performed. Get the aircrack-ng CLI tools from my repo if you want to perform such attacks. Like other client attacks, Hirte Attack is not implemented and it's possible that the driver doesn't support it anyway: Get a Caffe Latte instead, it's quite the same.
Q&A
Q: Can I use a custom dictionnary for WPA-PSK cracking?
A: Yes. See Tips about WPA dictionnary attacks
Q: Can I use Reaver command line or Reaver for Android (RfA) with this app?
A: Yes and no. There is no evidence that bcmon bcm4329 firmware (the one on Google Code or the one bundled with the bcmon app) can actually perform reaver-based attacks. If you managed to do it, contact me and I'll update the app with a RfA launch script.[/post]
SOURCES, CREDITS, BUILD INSTRUCTIONS, PRIVACY POLICY, SUPPORT...
[PWNED SOURCES]
I have ported all the CLI tools to Android/Aries/CM11:
AirCrack-ng suite for Android
Wireless Tools for Android
GNU Macchanger for Android
Airpcap Android static library for Aries (this recent version is needed for reaver-wps to work)
Reaver-WPS for Android (UNTESTED)
PwnAir Kernel (CM11 stable Aries with dual standard/bcmon WiFi drivers)
[UNPWNED SOURCES / CREDITS]
Adapted from Bcmon work
Android Terminal Emulator
Android Bootstrap
Java Installer's execpty
[BUILD INSTRUCTIONS FOR ADVENTUROUS USERS]
CLI executables: Use Cyanogenmod build system, check instructions in Android.mk and Aircrack for Android README file.
Detailed kernel build instructions/porting to other devices with broadcom 4329 chipset: check this post. In addition, to have the CLI executables bundled during the build: Use Cyanogenmod build system, copy manifest from build dir of PwnAir Kernel (bcmon_aries) repo to cyanogenmod .repo/local_manifests/, copy config file in kernel/samsung/aries/arch/arm/configs, init the repo, breakfast galaxysmtd and build (check my wiki section "How to (edit and) build an officially supported kernel?" on CM integrated kernel building wiki page for kernel building).
[PRIVACY POLICY]
This app doesn't leak your private information. The code doesn't use any ads or tracker libraries. Root permissions are only used to provide the described functionalities.
Note that if you are downloading through the Google Play Store, general statistics are collected by Google (number of installs, user country, crash log, etc.): refer to Play Store privacy policy. As seens from the Android Developer Console and not from Google eyes, there's nothing like private data, even the crash logs look like this: java.lang.NullPointerException at a.a.a.r.run(Unknown Source). (nothing more and in this case it needs to be un-ProGuard-ed).
On you side, by using this app, you agree not to use it to leak private information without consent.
[SUPPORT]
Support is done in this thread preferably. If you don't have posting rights, send me a PM.
Bug reports and feature requests are also managed in this thread: see the tabs in the XDA DevDB dark bar above this post.
If you like the Pro app, please leave a comment on the Play Store page.
It's not a good idea to use Play Store contact link, I don't check it often.
Issues clearly specific to CLI tools source code (except Reaver) can be raised as GitHub issues.
XDA:DevDB Information
[GALAXYSMTD][KERNEL]+[APP] [PRO FREE] PwnAir WiFi monitor mode, Kernel for the Samsung GT-I9000 Galaxy S
Contributors
n01ce
Source Code: https://github.com/kriswebdev/bcmon_aries
Kernel Special Features: wifi monitor mode, cm11
Version Information
Status: Stable
Current Stable Version: 1.07
Stable Release Date: 2014-06-22
Beta Release Date: 2014-05-30
Created 2014-05-22
Last Updated 2016-01-23
Anyone tried this?
Hello!
After installing normal mode is ok, but after enabling monitor mode Wi-Fi doesn't work (nothing). Normal is identified as wlan0, and monitor is eth0. Modules loads, but sometimes we must enable/disable again, because dhd isn't loaded.
Best regards.
devloz said:
Hello!
After installing normal mode is ok, but after enabling monitor mode Wi-Fi doesn't work (nothing). Normal is identified as wlan0, and monitor is eth0. Modules loads, but sometimes we must enable/disable again, because dhd isn't loaded.
Best regards.
Click to expand...
Click to collapse
Hello devloz,
Do you see "Mode: Monitor" in eth0 when enabling monitor mode ?
If not, please run "adb shell su -c dmesg" from your PC or "su -c dmesg" from your phone and paste the output here for debug purposes.
If yes, it works. It is normal that standard Wi-Fi apps don't work in monitor mode. Monitor mode is a special Wi-Fi mode made to run CLI tools such as aircrack or airodump (you'll also need iwpriv and iwconfig installed in /system/bin or in the same directory). Apps such as the browser app and general apps won't work (i.e. have network/Internet connectivity) in monitor mode. Also, apps such as Aircrack-ng-GUI, reaver-GUI are not supported and won't work also because they are too closely related to bcmon app, and PwnAir is not bcmon, it's more bare-metal. Please use the CLI Tools (or the Pro App).
It is a known issue that you can't return to normal mode without rebooting the phone (see "Known issues" section in first post).
Hope it helps. Keep me informed.
Thank you for sharing your work!
Unfortunately I run into this stack overflow exception when trying to "Load monitor mode":
E/AndroidRuntime( 1061): FATAL EXCEPTION: AsyncTask #1
E/AndroidRuntime( 1061): Process: com.air.pwnair, PID: 1061
E/AndroidRuntime( 1061): java.lang.RuntimeException: An error occured while exec
uting doInBackground()
E/AndroidRuntime( 1061): at android.os.AsyncTask$3.done(AsyncTask.java:30
0)
E/AndroidRuntime( 1061): at java.util.concurrent.FutureTask.finishComplet
ion(FutureTask.java:355)
E/AndroidRuntime( 1061): at java.util.concurrent.FutureTask.setException(
FutureTask.java:222)
E/AndroidRuntime( 1061): at java.util.concurrent.FutureTask.run(FutureTas
k.java:242)
E/AndroidRuntime( 1061): at android.os.AsyncTask$SerialExecutor$1.run(Asy
ncTask.java:231)
E/AndroidRuntime( 1061): at java.util.concurrent.ThreadPoolExecutor.runWo
rker(ThreadPoolExecutor.java:1112)
E/AndroidRuntime( 1061): at java.util.concurrent.ThreadPoolExecutor$Worke
r.run(ThreadPoolExecutor.java:587)
E/AndroidRuntime( 1061): at java.lang.Thread.run(Thread.java:841)
E/AndroidRuntime( 1061): Caused by: java.lang.StackOverflowError
E/AndroidRuntime( 1061): at java.lang.AbstractStringBuilder.<init>(Abstra
ctStringBuilder.java:89)
E/AndroidRuntime( 1061): at java.lang.StringBuilder.<init>(StringBuilder.
java:95)
E/AndroidRuntime( 1061): at com.air.airpwner.AirCrack$AsyncAssets.copyAss
etsRecursive(AirCrack.java:285)
E/AndroidRuntime( 1061): at com.air.airpwner.AirCrack$AsyncAssets.copyAss
etsRecursive(AirCrack.java:305)
.......hundred lines later.....
E/AndroidRuntime( 1061): at com.air.airpwner.AirCrack$AsyncAssets.copyAss
etsRecursive(AirCrack.java:305)
E/AndroidRuntime( 1061): at com.air.airpwner.AirCrack$AsyncAssets.copyAss
ets
W/ActivityManager( 482): Force finishing activity com.air.pwnair/com.air.airp
wner.AirCrack
Click to expand...
Click to collapse
thmy said:
Thank you for sharing your work!
Unfortunately I run into this stack overflow exception when trying to "Load monitor mode":
Click to expand...
Click to collapse
Hello thmy,
Thanks for the logcat, I'm going to investigate. By the time, to skip this error, you can extract the "assets" folder from the PwnAir Lite apk file and copy its content (especially the "xbin" folder) to your device /data/data/com.air.pwnrlite/ folder.
Regards,
n01ce
n01ce said:
Hello thmy,
Thanks for the logcat, I'm going to investigate. By the time, to skip this error, you can extract the "assets" folder from the PwnAir Lite apk file and copy its content (especially the "xbin" folder) to your device /data/data/com.air.aircrack/ folder.
Regards,
n01ce
Click to expand...
Click to collapse
Not sure what exactly is causing this error but I've reworked the copyAssetsRecursive function.
Please try with the new Lite or Pro version (same links as before). For Lite version: Reflash the kernel or get the apk from the zip file and install it.
By the way, SCAN (airodump-ng GUI) is now included in the Lite version, except for logging.
Hi n01ce,
I already tried to copy the binaries by myself and I was successfully able to activate the promiscuous mode and to capture wifi traffic (without the graphical interface though).
I havent tested a lot, but it seemed to work properly - I am really impressed!
I'll retry your new GUI next time.
Cheers,
thmy
Bump
Sent from my GT-I9000 using Tapatalk
Hello n01ce i want to thank you for this great app of pwnair already that I will buy the vercion pro and it works well in my galaxy s jejej i9000 can i ask you one question you will be able to make an app for the galaxy s2 i9100 since i also have this s2 galaxy you will be able to do this app for that galaxy ?? The driver is not working and not communicating with my insurance i can donate to you thanks again
legionpr said:
Hello n01ce i want to thank you for this great app of pwnair already that I will buy the vercion pro and it works well in my galaxy s jejej i9000 can i ask you one question you will be able to make an app for the galaxy s2 i9100 since i also have this s2 galaxy you will be able to do this app for that galaxy ?? The driver is not working and not communicating with my insurance i can donate to you thanks again
Click to expand...
Click to collapse
Hi legionpr,
Thanks for your feedback.
Regarding Galaxy S2, the bcmon app should work, along with AircrackGUI app.
If it fails, try this.
The graphical interface of AircrackGUI is not as intuitive as PwnAir but it should do the job, and kernel flashing is not needed (that's because the S2 uses a broadcom 4330 chipset, and the phone official driver can be tricked easily).
I don't own a Galaxy S2 so I can't port PwnAir to this device without remote help (some files to put on the device and some commands to launch. If someone is interrested, PM me).
Regards,
n01ce
n01ce said:
Hi legionpr,
Thanks for your feedback.
Regarding Galaxy S2, the bcmon app should work, along with AircrackGUI app.
If it fails, try this.
The graphical interface of AircrackGUI is not as intuitive as PwnAir but it should do the job, and kernel flashing is not needed (that's because the S2 uses a broadcom 4330 chipset, and the phone official driver can be tricked easily).
I don't own a Galaxy S2 so I can't port PwnAir to this device without remote help (some files to put on the device and some commands to launch. If someone is interrested, PM me).
Regards,
n01ce
Click to expand...
Click to collapse
Hello friend n01ce thank you for answering my question hehe and if your app is large and successful as it can remove a passward of wep with the hidden SSID and i worked at 100 thanks i try with the galaxy s2 with the files that you said but cannot take the pass but with your app pwnairpro i function but if you want to you can testiar my galaxy s2 since I have several devices here I look forward to your reply thanks
Hi all,
is there any chance at all that there will be a adaption of the great:
[APP][ROOT][WiFi] Reaver-GUI for Android
I think when bcmon works with Aircrack on a galaxysmtd it should work with reaver as well?
handyflo said:
Hi all,
is there any chance at all that there will be a adaption of the great:
[APP][ROOT][WiFi] Reaver-GUI for Android
I think when bcmon works with Aircrack on a galaxysmtd it should work with reaver as well?
Click to expand...
Click to collapse
Hello handyflo,
PwnAir is currently not compatible with RfA but we're working on it.
You can still use the command line tool Reaver-WPS for Android (UNTESTED). reaver-wash is working properly to find WPS-enabled networks, but I've not managed to successfully hack a network with reaver. Someone also tested it previously without success. I still don't know if I met all the pre-requisites (PIN-code based WPS router with good signal strength) or if there's a firmware issue preventing reaver attacks. But it would be interessting to have more people testing reaver command line tool due to these pre-requisites.
Potential causes for incompatibility between PwnAir and Reaver-GUI are:
RfA needs a special bcmon activation => this will change (see below)
bcmon bcm4329 firmware may not support reaver => I still don't have sufficient proofs that Reaver ever worked on galaxysmtd with bcmon firmware
The Airpcap library bundled with PwnAir may not be compatible with reaver => we can still use bcmon LD_LIBRARY_PATH to get one that is supposed to work
First potential issue (RfA monitor mode activation)
I've talked with RfA app developer, SOEDI, two weeks ago about our app compatibility and here's his answer:
SOEDI said:
(...) RfA scans active in managed-mode.
When you start the attack, then RfA starts to load the bcmon stuff and activates monitor mode.
The commands are:
Code:
su
LD_LIBRARY_PATH=/data/data/com.bcmon.bcmon/files/libs
LD_PRELOAD=/data/data/com.bcmon.bcmon/files/libs/libfake_driver.so sh
cd /data/data/com.bcmon.bcmon/files/tools
[I]ReaverCommands[/I]
RfA tries to identify the interface. It searches for "wlan0" and "eth0".
However, the next update of RfA will support custom startup commands and custom interfaces.
This will make RfA independent from bcmon and compatible to your app
Click to expand...
Click to collapse
Still, I don't see why it would not work, eventually because of libfake_driver preloading but that's strange.
I think I've already tried using reaver command line tools bundled with bcmon but without better success too.
Second potential issue (bcmon bcm4329 firmware compatibility):
I've only seen one report of reaver-GUI that seemed to work on galaxy S Advance:
nitinknsl said:
guys successfully installed both apk's but having hard time finding wps enabeled networks
i found wps enabeled network but then rfa shows monitor mode activision failed , but when i run monitor mode from bcmon it's running fine !
using galaxy s advance
Click to expand...
Click to collapse
Still it's not clear if he actually manged to hack a network.
I really start to doubt that reaver ever worked on Galaxy S1 due to bcmon bcm4329 firmware potential incompatibility with this tool. From a post named "Injection support for BCM4329" on Bcmon blog:
Ruby Feinstein said:
Radiotap - we don't handle radiotap on packet injection. 'aireplay-ng' works fine with it but tools like 'reaver' seem to require it.
(...) reaver - NOT WORKING
It seems like reaver injects packets with radiotap header.
Click to expand...
Click to collapse
There's no evidence in the following posts with newer firmware updates that this issue was solved. Maybe it was, maybe not.
One point to notice: PwnAir is not using the firmware from the bcmmon apk package, but the firmware from the bcmon source dir, due to driver issues. Maybe it has evolved in the apk and not the source. That's somethign to investigate.
Last potential issue (Airpcap library compatibility):
I don't get different results on reaver and wash comand line tools by using PwnAir or bcmon Airpcap library. So there's limited probability that's really an issue.
Hi n01ce,
thanks for your detailed response.
Good to see that you are making progress to investigate the use of reaver on a galaxysmtd.
Very interesting was this ansfer from SOEDI:
This will make RfA independent from bcmon and compatible to your app
Click to expand...
Click to collapse
Is there anything we (this community) can support you on something? I think a lot of guys using a galaxysmtd with CM11 ROM and may provide you with some testing results or similar?
handyflo said:
Is there anything we (this community) can support you on something? I think a lot of guys using a galaxysmtd with CM11 ROM and may provide you with some testing results or similar?
Click to expand...
Click to collapse
What I need is an actual proof that reaver (either command-line or GUI) works on bcm4329 phones (Galaxy S1, Nexus One, Evo 4G...).
The next question will be how it works (bcmon app, self-compiled kernel, CLI or GUI reaver, wifi access point model...).
To do proper testing and to ensure bcmon support, this would mean for the testers to go back to CyanogenMod 7 and install bcmon apk + Reaver for Android.
Testing is done the following way with bcmon on CyanogenMod 7:
Code:
su
LD_LIBRARY_PATH=/data/data/com.bcmon.bcmon/files/libs
LD_PRELOAD=/data/data/com.bcmon.bcmon/files/libs/libfake_driver.so sh
cd /data/data/com.bcmon.bcmon/files/tools
wash -i eth0
reaver -i eth0 -b ENTER_BSSID_HERE
I also don't exclude that I've just not been able to test it successfully due to the networks I've tested. So some tests even with PwnAir might be interresting.
Testing is done the following way with PwnAir after enabling monitor mode in PwnAir:
Code:
su
cd /data/data/com.air.pwnrlite/xbin
reaver-wash -i eth0
reaver -i eth0 -b ENTER_BSSID_HERE
During my tests, reaver was always stuck at:
Code:
[+] Waiting for beacon from <BSSID>
DEBUG external/reaver-wps/80211.c (229): Red AP beacon
DEBUG external/reaver-wps/80211.c (235): deauthenticate() done
DEBUG external/reaver-wps/80211.c (241): authenticate() done
DEBUG external/reaver-wps/80211.c (241): authenticate() done
DEBUG external/reaver-wps/80211.c (241): authenticate() done
DEBUG external/reaver-wps/80211.c (241): authenticate() done
DEBUG external/reaver-wps/80211.c (241): authenticate() done
DEBUG external/reaver-wps/80211.c (245): end while associate_recv_loop()
(...)
[!] WARNING: Failed to associate with <BSSID> (ESSID: <ESSID>)
Tips about WPA dictionnary attacks
Since I have received several quesitons about WPA dictionnaries, I post a few general tips here:
There is about 5% chance to crack a WPA key since WPA keys are minimum 8 charaters long and there are no known statistical attacks for WPA. If the key is not in the dicitonnary, it will fail.
It would take a year to brute force a WPA key with 8 lowercase alphabetic characters (check this brute-force calculator and pyrit performance chart), using GPU cracking with a good video card. So a dictionnary is needed.
PwnAir Pro supports custom dictionnaries. This will be used instead of the app default 10k dictionnary.
Name your custom dictionnary "/sdcard/aircrack/dict.lst" (this is indeed internal storage, not the external SD card). When you are over with the custom dictionnary, remove it to return to the 10k dictionnary.
But for better cracking performances, it's better to use a computer video card to do GPU cracking (instead of the limited phone CPU), with software like pyrit or oclHashCat. Aircack on galaxy S1 can crack about 120 keys/seconds, whereas pyrit can crack 20 000 k/s with a good standard video card.
There are some sites specialized in WPA cracking where you upload the handshake and they provide the computing resources; but generally you'll have to pay and you have no guarantee of success.
Regarding the dictionnaries, it's generally better to use dictionnaries in local language, especially people and place names. There are some links to dictionnaries here. Don't trust the wordlists with sevral GB of data: that's generally purely randomly generated sequences of less than 8 characters, it's useless. It's good to generate your own dictionnaries with wordlist generators like John The Ripper, Crunch, CUPP, RSMangler, AWLG... There are some good articles on the net on the science of password selection. You'll learn that the best wordlist are specific to each attackee and based on words very specific to the attackee (names, places, SSID, activity, passions...) eventually mixed with eg. the current year, some numbers and basic special characters.
Otherwise, there are also some others ways to get a WPA key with social engineering, like creating a fake Wi-Fi hotspot and ask for the user credentials; but this is not the purpose of PwnAir.
Where is airmon-ng ? Cause i can't find this one on your github.
devloz said:
Where is airmon-ng ? Cause i can't find this one on your github.
Click to expand...
Click to collapse
Airmon-ng is a tool, or to be more specific a Linux shell script, that enables and disables WiFi monitor mode.
It contains a set of tests to determine the chipset type and then, if it knows about this chipset, it will run the command that will activate monitor mode for this particular chipset.
But airmon-ng is not needed as the PwnAir app already does that ("Load" tab).
Moreover, airmon-ng is not compatible with Android for two reasons:
- It's a shell script, built for Linux. To be able to run it on Android, it needs busybox tricks. And it is highly possible that much of the code will throw errors when run on Android.
- It's not made to activate PwnAir monitor mode.
It's located in Aicrack-ng source scripts folder but for the above reasons, it has not been ported to Android.
If you absolutely want to activate PwnAir kernel monitor mode through CLI instead of the App, there's a PwnAir tool called "bcm" in /data/data/com.air.pwnrlite/xbin ==> "./bcm load".
I installed riru core from magisk manager and reboot. then i installed riru apk to verify riru installed then reboot x4. installed edxposed manager and rebooted twice. everytime i try to install edxposed framework from magisk i get redirected to github riru release page. what am i doing wrong?
Use LSposed. EdXposed hasn't been updated in ages.
Do not try to install the latest riru version.
It doesn't play nice with magisk.
Install version v25.4.4 for example.
Have that running without any problems here.
Had same issue and solved it by installing version v25.4.4 by following the video below. You can mute it and follow instructions,works beautifully.
Magisk service.d not working is that due EdXposed riru messed up something? I can see it in Magisk log but it's lying
Code:
02-10 16:22:43.785 618 1321 I : * Running service.d scripts
02-10 16:22:43.786 618 1321 I : service.d: exec [40_sdext]
dmesg
Code:
[ 38.647857] type=1400 audit(1644782200.992:1609): avc: denied { ioctl } for comm="busybox" path="/mnt/media_rw/4D47-9860/.data.sdext2.img" dev="mmcblk0p1" ino=1850 ioctlcmd=0x1272 scontext=u:r:magisk:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
edit: moved mount script into /data/local/tmp and created helper script in service.d which calls mount script. I don't know why but it "works" (at least the mount itself, still avc: denied)
@mlgmxyysd maybe you have any idea why this is permissive=1 and do you think it's normal that we get several avc denied in dmesg on android 10? kindly refer to Magisk github issue #5476
so this seems unrelated to EdXposed as it is same problem without any modules at all. Tried also Zygisk no success. I want to inject supolicy --live how do I do that?
It worked!! Riru 25.4.4 is the way to go, but now my edxposed manager freezes... Which version do you use? @Bunecarera @RAMBO29
Thanks
tommydotwav said:
It worked!! Riru 25.4.4 is the way to go, but now my edxposed manager freezes... Which version do you use? @Bunecarera @RAMBO29
Thanks
Click to expand...
Click to collapse
4.6.2
@Bunecarera ultimately I have it working with latest riru + lsposed