Hacking Pocket PC WLAN drivers

PostPosted: Thu Mar 24, 2005 12:21 am
by 17hz
Are there currently any tools or hacked drivers for the Pocket PC that allow a WLAN card to be put into Monitor mode? I'm not asking about any specific chipset - but any chipsets. I have been developing for Pocket PC for almost 3 years now using the .NET Compact Framework since it was pre-release. I haven't taken the time to learn how to develop unmanaged code that may be able to do more powerful things than what I've done, yet - but I'm looking into this now.

Is there anybody out there who has experience developing applications for the Pocket PC with Microsoft's embedded Visual C++ who would be interested in working with me to develop a packet capture application for the Pocket PC? I believe this would be useful for a number of reasons:

- It would allow technicians who carry a laptop and a pocket PC device to use the device as a third party packet sniffer, without needing to get another machine involved.

- It would open the door for other WAN analysis applications to be developed for the pocket PC, such as packet injectors and wep cracking applications.

- It would be a fun and challenging project for me that I'd be willing to put some time into.

I'm looking for people who have experience hacking drivers (not necessarily on the pocket PC) as well as people who have experience with the strange world of 'device' operating systems to offer some advice.

Another reason why I'd like to see this is that they finally have dual pocket PC devices that have both 802.11b/g cards, but also Cellular interfaces. This would allow for some pretty nice 3rd party proactive monitoring for attacks; with alerts sent out on a completely different network (Cellular provider) notifying administrators of potential intruders.

-17hz

PostPosted: Thu Mar 24, 2005 12:27 am
by Dutch
17hz wrote:Are there currently any tools or hacked drivers for the Pocket PC that allow a WLAN card to be put into Monitor mode? I'm not asking about any specific chipset - but any chipsets. I have been developing for Pocket PC for almost 3 years now using the .NET Compact Framework since it was pre-release. I haven't taken the time to learn how to develop unmanaged code that may be able to do more powerful things than what I've done, yet - but I'm looking into this now.

Is there anybody out there who has experience developing applications for the Pocket PC with Microsoft's embedded Visual C++ who would be interested in working with me to develop a packet capture application for the Pocket PC? I believe this would be useful for a number of reasons:

- It would allow technicians who carry a laptop and a pocket PC device to use the device as a third party packet sniffer, without needing to get another machine involved.

- It would open the door for other WAN analysis applications to be developed for the pocket PC, such as packet injectors and wep cracking applications.

- It would be a fun and challenging project for me that I'd be willing to put some time into.

I'm looking for people who have experience hacking drivers (not necessarily on the pocket PC) as well as people who have experience with the strange world of 'device' operating systems to offer some advice.

Another reason why I'd like to see this is that they finally have dual pocket PC devices that have both 802.11b/g cards, but also Cellular interfaces. This would allow for some pretty nice 3rd party proactive monitoring for attacks...


No, and I don't think there will be. Try to think it through...

One thing is that the pocket pc side has a standardized api, but the driver also needs to speak to specialized hardware in the form of the WLAN card. Different chipsets, different registers, different ways of doing the same stuff.
It would be the same as asking for a single videocard driver that supports all videocards whether it's from Nvidia, ATI, S3, including all their high resolutions, and turbo this and that.

Dutch

PostPosted: Thu Mar 24, 2005 1:33 am
by 17hz
I don't think that you understood my question; perhaps I worded it incorrectly. I was asking about ANY chipset - not ALL chipsets; if Monitor mode has been enabled for a specific chipset type (but I don't care what that type is). Due to its popularity, if I cannot find work that's already been done on a different chipset that would change my mind, I'll be focusing strictly on the prism2 chipset. Right now I haven't been able to find any PocketPC device (regardless of chipset) that can be put into Monitor mode.

17Hz

PostPosted: Thu Mar 24, 2005 2:43 am
by G8tK33per
17hz wrote:I don't think that you understood my question...


Have you checked Airscanner? They discontinued their project but it does work.

http://airscanner.com/downloads/sniffer/sniffer.html

PostPosted: Thu Mar 24, 2005 3:37 pm
by tekn0
G8tK33per wrote:Have you checked Airscanner? They discontinued their project but it does work.

http://airscanner.com/downloads/sniffer/sniffer.html


I'm getting a 404 not found on that link G8tK33per and I can not seem to find a reference to any sort of sniffer on their main site. Any suggestions?

PostPosted: Thu Mar 24, 2005 4:11 pm
by wrzwaldo
tekn0 wrote:I'm getting a 404 not found on that link G8tK33per and I can not seem to find a reference to any sort of sniffer on their main site. Any suggestions?



30 seconds with GOOGLE!

http://www.pdagold.com/software/detail.asp?s=223


And FYI...

In the other news, AirScanner announced the discontinuation of Airscanner Mobile Sniffer. This extremely useful tool, capable of detecting and sniffing wireless networks, was supposed to be updated for the Microsoft Mobile 2003 platform until the end of this year. The official reason for the closure was a lack of user demand. Partially good ending to this story is that another company licenced the code, so I presume that soon we will see "the son of the Sniffer".

PostPosted: Fri Mar 25, 2005 4:10 am
by G8tK33per
tekn0 wrote:I'm getting a 404 not found on that link G8tK33per and I can not seem to find a reference to any sort of sniffer on their main site. Any suggestions?

Looks like they have yanked it from their site. Oh well.

PostPosted: Fri Mar 25, 2005 11:57 am
by 17hz
They did yank it from their site; but not before I had a brief communication with one of the company representatives, as follows (slightly edited from its original version).

Response from inquiry:

"Subject: Re: Discontinued Airscanner Mobile Sniffer

Thanks, we still get companies that want to license it, so we're not planning to open source it.

------------------------

Response to my response:

thanks, i think the problem lies in the card itself; most won't support promiscuous. and the new devices have really crappy built in cards (worse than winmodems to develop for, according to the ministumbler forum i think).

------------------------
17Hz originally wrote:

"I was wondering if you've put any thought into releasing the source code for your discontinued Mobile Wireless Sniffer into the public domain so that it might be continued by others in the pocket PC community. I am very interested in a scanner capable of running on 2003, I understand that the networking services and objects were completely redone; and that custom driver modifications may need to be made. I have been developing for the pocket pc for over 3 years now and would enjoy a good new challenge."

------------------------

I did get a chance to download their latest version before they pulled it; it does however only work for Pocket PC 2002. I will have further information on this in the next week or so when I summarize all of my research.
-17hz

PostPosted: Mon Mar 28, 2005 5:53 pm
by tbronez
17hz wrote:I did get a chance to download their latest version before they pulled it; it does however only work for Pocket PC 2002. I will have further information on this in the next week or so when I summarize all of my research.
-17hz

17Hz-

I, too, have been working primarily with the .NET Compact Framework on the Pocket PC, but I've also done some reasonably difficult EVC++ programming, primarily to supplement the Compact Framework. I've looked at the source code for some simple drivers and am taking an intermediate Windows CE programming class next week that includes an introduction to driver development.

I'd like to help you take a shot at developing a packet capture application for the Pocket PC. Like you, I'd be happy to get such an application running with ANY chip set. I've got a couple of different WiFi-enabled Windows CE devices. If you've got working code for Pocket PC 2002 (Windows CE 3.0), I don't expect it will be difficult to upgrade it to Windows Mobile 2003 (Windows CE 4.2). Assuming we can legally examine the source, of course. Contact me!

PostPosted: Tue Mar 29, 2005 12:56 pm
by 17hz
tbronez wrote:I'd like to help you take a shot at developing a packet capture application for the Pocket PC. Like you, I'd be happy to get such an application running with ANY chip set. I've got a couple of different WiFi-enabled Windows CE devices. If you've got working code for Pocket PC 2002 (Windows CE 3.0), I don't expect it will be difficult to upgrade it to Windows Mobile 2003 (Windows CE 4.2). Assuming we can legally examine the source, of course. Contact me!


Tbronez,

I am very excited to hear that there is somebody else that would like to work on this with me. I will be privately communicating my email address with you.

I am very interested in obtaining any course material that you might be able to share. [...] www.ipaqdevelopers.com, an HP organized site dedicated to helping developers develop applications for iPAQs. To gain developer access you either need to pay a $200 yearly subscription, or work very closely with HP and product development. The forums are not as useful as I had hoped for, but I did get some information that might help.

Before CE4.0, it seems most manufacturers needed to produce a .dll that applications could communicate with to find out certain properties of a network device, as well as set them; with CE4.0, Pocket PC now supports NDIS5 interfaces. I know that NDIS5 doesn't directly support monitor or promiscuous mode for wireless connections. I've read many reports in the forums of people who used to get values (such as signal level) from the provided manufacturer object; and as of CE4 that object no longer retrieves a value - although no errors are thrown. Many people have changed their code to look at the .NET Compact Framework's NDIS5 objects.

I personally have an iPAQ PocketPC h4100 series; this device uses Pocket PC 2003. The network card is provided by Texas Instruments, although they won't support it, and directed me to HP. I have not been able to get an answer from anyone about whether or not the network card even supports monitor mode at the hardware level, let alone driver capabilities.

I have access to an iPAQ H3800 that runs Pocket PC 2002; that device also has a PCMCIA sleeve that I could get for testing, if we wanted to study how software runs in 2002. However I have no intentions of trying to write software that is backwards compatible with 2002. 2003 is my goal platform.

I have access to a Dell TrueMobile 1150 Wireless PCMCIA card, an 802.11B card that supports 40 and 128 bit WEP and uses the Prism2 chipset.

I have access to an Orinoco GOLD 802.11b wireless PCMCIA card.

-------------------------------------------
I have done very very little work with Microsoft embedded C++, and even that work was done years ago. I know C/C++ from the conceptual level very well; however I've never actually used it over a long period of time so my syntax is VERY rusty and I am not very familiar with most class libraries or includes. I use VB.NET for most of my .NET programming, however I can READ C# code just as fast as I can read VB because I know the syntax and am familiar with the libraries.
--------------------------------------------
I do have access to a copy of embedded C++ but do not have it installed at this time. I don't have any good books or reading sources outside of the MSDN library at this time, so any reading recommendations would be appreciated.
--------------------------------------------
I would like to do most of my work with the equipment I have now, but come next month, I will have a small amount of financial resources I can allocate to this project.
--------------------------------------------
I would appreciate it if anybody who has had experience cracking drivers for ANY platform could contact me and provide for me the written resources they used to accomplish this task.
--------------------------------------------

The current step i'm on is this:

Determine which hardware is physically capable of what I want to do, and what is not. Out of these possibilities, determine, based on the resources available, which equipment should be chosen as a test platform for an alpha product.

After I've determined this I'll go to work attempting to force the device into monitor mode and view packets at a very very low level.

Next I'll develop a class library with tools used to grab this information and organize it into objects that will be consumed more easily by my User Interface level code.

I'm not planning further ahead than this, as I don't want to widen my scope too far beyond where I am.

--------------------------------------

What prompted you to take a course on Driver Development? What types of projects have you completed? You can respond either publicly or privately, depending on whether you wish to share with the entire group.

-17hz

Current project status:

PostPosted: Wed Mar 30, 2005 11:57 pm
by 17hz
We’re attempting to write a packet capture application for the Pocket PC, which is not as straightforward as we would like. Specifically I’m talking of Pocket PC 2003 running on Windows CE4.0; Pocket PC 2002 ran on top of Windows CE 3.0, which had a very different network layer.

Pocket PC 2003 supports NDIS5 miniport drivers for networking devices. NDIS5 specifications do not support setting the NDIS packet filter to “NDIS_PACKET_TYPE_PROMISCUOUS”. As a result, you can’t develop (or hack) drivers into supporting rf-monitor or promiscuous modes by using standard NDIS5 miniport drivers.

All of the networking services of the Pocket PC expect an NDIS5 interface. If we’re going to develop a RAW 802.11 wireless packet capture application, we’re going to need to develop or hack existing drivers into exposing an interface other than NDIS5, and then consume that interface with our custom application.

The only developers reference manual that I’ve seen for developing WLAN drivers has been RM0251.pdf (google it), PRISM Driver Programmers Manual; for the Prism2.0 chipset. I would like to get my hands on more of these programming manuals, perhaps one newer than this June 2002 one, or one for another chipset. (comments anyone?)

Very soon I need to decide which chipset I’m going to attempt to produce drivers for. Based on the information I have now it will be for the PRISM2.x cards because I’ve found the most information about them. In the meantime I’m still researching more information. It would be nice to be able to hack one of the embedded devices; although at this point I do not know if there is a Pocket PC device that has an embedded 802.11 device that uses the Prism2 chipset. (comments anyone?)

I am also going to compile a database of all of the known Pocket PC devices that use Pocket PC 2003, and the manufacturer / chipset of the integrated 802.11b device, as well as which type of external cards can be used with the device, with or without a ‘sleeve’. Also in this database will be all WLAN cards that have drivers available for the Pocket PC 2003 OS, and which chipset they use. I will be publishing this as soon as it’s complete and I find web space to host it.

-17hz

PostPosted: Thu Mar 31, 2005 12:12 am
by Dutch
17hz wrote:We’re attempting to write a packet capture application for the Pocket PC, which is not as straightforward as we would like. Specifically I’m talking of Pocket PC 2003 running on Windows CE4.0...

Albeit the project sounds interesting, it is actually outside the scope of netstumbler.org.
My suggestion is that you start it up as a project on sourceforge or freshmeat. They have the tools to support a community based opensource project.
Feel free to post progress reports in the news section, when you have more "meat" and betas to present.

Dutch

PostPosted: Fri Apr 01, 2005 11:06 am
by 17hz
Dutch wrote:Albeit the project sounds interesting, it is actually outside the scope of netstumbler.org.
My suggestion is that you start it up as a project on sourceforge or freshmeat. They have the tools to support a community based opensource project.
Feel free to post progress reports in the news section, when you have more "meat" and betas to present.

Dutch


I don't want to step out of line here, but what's the difference between this project and others posted about this forum, such as those on kismet, aireplay, chopchop attacks, and various wepcracking applications? I've had a lot of questions answered in those forums by people taking the time to post what they've learned. I thought that having a niche in Pocket PC Development myself I could provide knowledge to others as well as bring other people into the pocket pc conversations, which seemed to be lagging behind many of the other forums as far as possible applications to work with.

Willing to help

PostPosted: Mon Apr 04, 2005 4:16 am
by blad3
It's a shame that we only have active scanning on Windows (and/or Pocket PC).
It would be very cool to support RFMON on Pocket PC.
Unfortunately, I don't have much experience with device driver development but I'm pretty good at Windows programming.
17hz, if I can help your project in some way please let me know.

p.s.
I have an iPaq rx3715, ministumbler is not working on it.
The application that I'm currently using is WiFiFoFum.
The chipset on rx3715 is tnetw1100b and there is some linux driver available for this chipset : http://acx100.sourceforge.net/
Familiar (linux for iPaq) is not yet supported on this iPaq model.