zd1211rw

Differences

This shows you the differences between two versions of the page.

zd1211rw [2007/08/24 18:39] – updated to reflect new patch. darkaudax
zd1211rw [2011/06/26 15:45] – firmware note for gentoo wicher
Line 1: Line 1:
 +
 ====== zd1211rw ====== ====== zd1211rw ======
 +authored by sleek
  
-This driver supports the zd1211 and the newer zd1211b chipsets by Zydas. +**Review and injection tutorial**
- +
-The older zd1211 chipset only partially supports injection.  Any injection which requires the device to receive a packet does not work correctly.  So the fake authentication, chopchop, and fragmentation attacks plus injection testing do not work.  Other basic functions such as monitor mode and the remaining attacks work. +
- +
-The new zd1211b chipset fully supports all functions. +
- +
-The zd1211rw driver has been incorporated into the latest kernels.  So you will have to patch the kernel source to obtain injection support.  This is described below in detail. +
- +
-The following links may be helpful to you to learn more about the driver and which devices are supported by it: +
- +
-  [[http://sourceforge.net/projects/zd1211/|Sourceforge zd1211 project]] +
-  [[http://zd1211.wiki.sourceforge.net/|ZyDAS ZD1211 802.11b/g USB WLAN chipset Linux drivers Wiki]] +
-  * [[http://www.linuxwireless.org/en/users/Drivers/zd1211rw/devices|Supported Zydas ZD1211 devices]] +
- +
- +
- +
-===== Patching zd1211rw ===== +
- +
-This section will describe how to patch your driver for injection.  There is quite a bit of variation between distributions so this describe the general steps you must take.  You will have to tweak the instructions for your specific distribution and kernel version.  It assumes a reasonable level of unix knowledge and experience.  If you don't have this, ask a friend to help you out.   If you can't follow these instructions then you should not be messing with your kernel.  Don't post to the [[http://forum.tinyshell.be/|Forum]] asking for detailed instructions. +
- +
-You will need to have your kernel headers and full source already installed on your system. See [[zd1211rw#installing_fedora_kernel_headers_and_source|Installing Fedora kernel headers and sources]] below for how to do this on Fedora. +
- +
-Copy contents of **/usr/src/linux/net/ieee80211** to a safe place. This is so you can recover if things go bad or if you want to apply a new version of the patch. +
- +
-Copy contents of **/usr/src/linux/drivers/net/wireless/zd1211rw** to a safe place. This is so you can recover if things go bad or if you want to apply a new version of the patch. +
- +
-Download and expand the latest version of the aircrack-ng suite to obtain the patches or download the from [[http://patches.aircrack-ng.org/|here]]. Typically, you will need the svn version to have best patches. Please note that the patch names might change so you may have to adjust the version numbers in the next few steps. +
- +
-Copy zd1211rw_inject_2.6.20.patch to **/usr/src/linux/** +
- +
-  cd /usr/src/linux/ +
- +
-NOTE: In the following lines, verbose and dry-run have a double dash in front of them. +
-  patch -Np1  --verbose --dry-run -i zd1211rw_inject_2.6.22.patch  +
- +
-If it was OK: +
-  patch -Np1  --verbose  -i zd1211rw_inject_2.6.22.patch +
  
-Copy ieee80211_inject.patch to /usr/scr/linux +The ZyDAS zd1211 and zd1211b (//also known as AR5007UG//) chips are one of the most distributed wireless b/g chips in the market. They are also the cheapest, on eBay, you can get one for about 5-6USD shipping included. In the same time, these chips are very stable, with excellent range and sensitivity, both under Linux and Windows and you can purchase one with or without an external antennaThe [[http://linuxwireless.org/en/users/Drivers/zd1211rw|zd1211rw]] driver, which covers the chips under linux is very well built, offering reliable wireless connectivity as well as injection and monitoring support via aircrack-ng's utilities.
-  patch -Np1  --verbose --dry-run -i ieee80211_inject.patch+
  
-If it was OK: +The zd1211rw was included in mainline kernel 2.6.18 as a softmac driver, known to be notoriously unstable and heavily crippled in terms aircrack-ng support. Things turned for the better when the zd1211rw was ported as mac80211 driver since kernel 2.6.25, a move which led the zd1211rw to gain excellent support for injection and monitoring
-  patch -Np1  --verbose  -i ieee80211_inject.patch+
  
-**NOTE**In the following lines, change "2.6.20-1.2944.fc6" to match your particular system.+===== PatchingKernel 2.26.24+ =====
  
-  cd /usr/src/linux/drivers/net/wireless/zd1211rw +To enable injection, we'll have to patch the driver firstThe easiest and most convenient way is to take the [[compat-wireless|compat-wireless]] route
-  make -C /lib/modules/2.6.20-1.2944.fc6/build/ M=`pwd` modules +
-  cd /usr/src/linux/net/ieee80211 +
-  make -C /lib/modules/2.6.20-1.2944.fc6/build/ M=`pwd` modules+
  
-Now copy the new modules to the /lib/modules tree to be used.+**1.** Go to http://wireless.kernel.org/download/compat-wireless-2.6/, download the latest version of compat-wireless and untar the package: **tar xfj compat-wireless-2.6.tar.bz2**
  
-  cp /usr/src/linux/drivers/net/wireless/zd1211rw/zd1211rw.ko /lib/modules/2.6.20-1.2944.fc6/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko +**2.** Next up, **cd to your /path/to/compat-wireless** directory and download the patch, required for injection: [[http://www.zlaten.biz/tmp/zd1211rw-inject+dbi-fix-2.6.26.patch|zd1211rw-inject+dbi-fix-2.6.26.patch]], the fixed channel patch, [[http://patches.aircrack-ng.org/channel-negative-one-maxim.patch|channel-negative-one-maxim.patch]] and the [[http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch|mac80211.compat08082009.wl_frag+ack_v1.patch]] for higher injection speedVisit the general [[mac80211|mac80211]] wiki page for details.
-  cp /usr/src/linux/net/ieee80211/*.ko /lib/modules/2.6.20-1.2944.fc6/kernel/net/ieee80211/ +
-  cp /usr/src/linux/net/ieee80211/softmac/*.ko /lib/modules/2.6.20-1.2944.fc6/kernel/net/ieee80211/softmac/+
  
-And finally, rebuild the module dependencies.+**3.** Apply the patches:
  
-   depmod -ae+  patch -Np0 -i zd1211rw-inject+dbi-fix-2.6.26.patch. 
 +  patch -Np1 -i mac80211.compat08082009.wl_frag+ack_v1.patch. 
 +  patch -Np1 -i channel-negative-one-maxim.patch. 
 +__Note:__ //the **xxxxx-xxxx-xxxx.patch** files must be in your compat-wireles-xxxx-xx-xx directory while patching, otherwise you will be asked to provide full path of the file which needs to be patched, example: /home/user/compat-wireless-xxxx-xx-xx/drivers/net/wireless/zd1211rw/zd_mac.c//
  
-At this point, the simplest method to bring up the new modules live is to reboot your system.+**4.** Patching is complete and we are ready to compile our drivertype **make** for the process to begin and wait for few minutes to complete.
  
-If you have problems compiling zd1211rwyou can try:+**5.** Barring any errorsnext up is installing, **sudo make install**
  
-   CONFIG_ZD1211RW=m make -C /lib/modules/`uname -r`/build M=`pwd` clean +**6.** Now that the newly compiled driver is installed, we are ready to use it, but before that we have to unload the old driver by typing **sudo make wlunload**
-   CONFIG_ZD1211RW=m make -C /lib/modules/`uname -r`/build M=`pwd` modules+
  
-===== Installing Fedora kernel headers and source =====+**7.** To load the new driver, just type **sudo modprobe zd1211rw** or simply unplug and plug again your USB adapter. Reboot if you're unsure
  
-These instructions are specific to Fedora. Change **2.6.20-1.2944.fc6** to the particular kernel version you have installed**uname -r** can help you   determine what is currently installed.+**8.** That's it! This concludes the zd1211 injection tutorialYou should now be able to inject. [[injection_test|Test]] your USB device, by setting it to monitor mode (airmon-ng)
  
-You need these packages already installed: 
-  kernel-headers-2.6.20-1.2944.fc6 
-  kernel-devel-2.6.20-1.2944.fc6 
  
-Running the command **rpm -qa | grep kernel** will show which kernel packages are installed.  +  # aireplay-ng -9 mon0 
 +  14:39:59  Trying broadcast probe requests... 
 +  14:39:59  Injection is working! 
 +  14:40:01  Found 1 AP 
 +  14:40:01  Trying directed probe requests... 
 +  14:40:01  00:00:00:00:00:00 - channel: 11 - 'LINKSYS' 
 +  14:40:01  Ping (min/avg/max): 0.881ms/12.418ms/37.725ms Power: -53.83 
 +  14:40:01  30/30: 100% 
 +Voila ;-)
  
-If the headers and development packages are not already installed then obtain them from your favourite repository then:+Known issues at this point: 
 +Fragmentation attack is not yet supported.
  
-  rpm -ivh kernel-headers-2.6.20-1.2944.fc6.i386.rpm 
-  rpm -ivh kernel-devel-2.6.20-1.2944.fc6.i686.rpm (obtain i586 or i686 depending on your architecture) 
  
-Alternatively, use **yum -y install kernel-headers"** and **yum -y install kernel-devel**.+===== Kernels 2.6.23 and lower =====
  
-Now download and install the full kernel sources if they are not already on your system (This assumes you have downloaded this RPM from your favourite repository).+As mentioned above, kernels prior to 2.6.25 (2.6.2**4** with compat-wireless) are shipped with the softmac version of the driver which in its best day supports only half the functions, half the time. In other words, if you're stuck on an ancient kernel, you're pretty much out of luck. Your best bet is to either install a supported kernel, or utilize one of the many Live CDs with pre-configured settings for aircrack-ng.
  
-  rpm -ivh kernel-2.6.20-1.2944.fc6.src.rpm +And if you're absolutely bent on installing the softmac driver on an old kernel, you can try [[http://www.zlaten.biz/tmp/zd1211rw-compat.tar.gz|this]] source codeBe warned, you'll be disappointed with the outcome.
  
-Change to the following directory:+===== Troubleshooting =====
  
-  cd /usr/src/redhat/SPECS+The most frequent road block you'll stumble upon is compilation errors with compat-wireless. They're not necessarily **//your//** fault. Every now and then compat-wireless tar balls are released with compilation errors which are subsequently fixed. If this happens to you, simply download and install a version from the previous day or two.
  
-Change "--target=i586" to the architecture of your system in the next line. 
-  rpmbuild -bp --target=i586 kernel-2.6.spec 
  
-**NOTE**: Change references to versions to your specific version in the next few lines.+===== Couldn't load firmwareError number -2 =====
  
-  /bin/cp -a /usr/src/redhat/BUILD/kernel-2.6.20/linux-2.6.20.i586/ /usr/src/kernels/2.6.20-1.2944.fc6-i586/ +If dmesg has an error similar to the following:
-  ln -s /usr/src/kernels/2.6.20-1.2944.fc6-i586 /usr/src/linux+
  
 +   usb 1-1: Could not load firmware file zd1211/zd1211b_ub. Error number -2
 +   zd1211rw 1-1:1.0: couldn't load firmware. Error number -2
  
-===== Recompiling Kernel with Loadable Modules =====+This means you are missing the firmware for your device or it is located in the wrong location.  The firmware is downloaded to the device each time it is initialized by the kernel module and is required for your device to operate.  The typical location is /lib/firmware/zd1211.  Please keep in mind that this may vary for your specific distribution.  Try this location first, if that fails then seek out help from your distribution support group or review the source code of the zd1211rw module on your distribution.
  
-Some kernels incorporate the functionality built into the kernel.  If you want to change the zd1211rw and ieee802.11 to loadable modules, the following describes how to do this.  The source of this note is this [[http://tinyshell.be/aircrackng/forum/index.php?topic=1658.msg8736#msg8736|thread]] in the forum.+On some distributions, the kernel version is included in the firmware path: /lib/firmware/<kernel version from uname -r>/zd1211.  If this is the case then you may have to copy the firmware to the standard driver location or add a symbolic link One way or another, the driver needs to be able to find the firmware.
  
-These are the settings for menuconfig using 2.6.20-gentoo-r7, changing from kernel built-in to loadable modules for the purposes of these patches.  This will likely work as well on other distributions.+You can obtain the firmware from:
  
-First, change the appropriate items in menuconfig:+   - http://sourceforge.net/project/showfiles.php?group_id=129083 
 +   - RPM for you distribution.  For example under fedora it is similar to  "zd1211-firmware-x.x-x.fcx". On Gentoo, you can emerge net-wireless/zd1211-firmware .
  
-   cd /usr/src/linux +===== Why do I get ioctl(SIOCGIFINDEXfailed ? =====
-    +
-   make menuconfig +
-    +
-   Networking ----> +
-   then set +
-   <M> Generic IEEE802.11 Networking Stack +
-   <M> Software MAC add-on to the IEEE 802.11 netowrking stack +
-   all other module capable IEEE 80211 items will have automatically set themselves to <M> +
-    +
-   Also check that: +
-   Device Drivers ----> Network device support ----> Wireless LAN (non-hamradio----> +
-   <M> ZyDAS ZD1211/ZD1211B USB-wireless support is also set to <M> +
-    +
-   Exit out and save the config+
  
-Now apply the zd1211 and ieee80211 inject patches and recompile/install the kernel and modules.+If you get error messages similar to:
  
-   Apply the zd1211 inject and ieee80211 inject patches as per patch instructions but only do the 4 patch -Np1  commands, in gentoo doing the make commands and copying all the files is unnecessary!!+  * Error message: "SIOCSIFFLAGS : No such file or directory" 
 +  * Error message: "ioctl(SIOCGIFINDEX) failed: No such device"
  
-After the patches are applied, you can now recompile the kernel and modules with the following commands:+Then [[faq#why_do_i_get_ioctl_siocgifindex_failedno_such_device|See this FAQ entry]].
  
-   cd /usr/src +===== Fragmentation attack =====
-   make && make modules modules_install install+
  
-Wait for it to finish and then reboot your system.+The only unsupported function is the fragmentation "-5" attack. A bug in the firmware prevents that. Despite of this fact, we patch the mac80211 with the fragmentation patch to enable higher injection speed. The frag attack is not mandatory for the zd1211rw driver to inject or capture packets, its only one of the many attacks designed to penetrate WEP encryption.
  
 +Overall, its a great all-purpose chip to have for wireless auditing and general connectivity.
  
-Lastly, test your drivers and the injection patch.+===== Feedback =====
  
 +  * Instructions and discussion about the zd1211rw in the forum [[http://forum.aircrack-ng.org/index.php?topic=5334.0|here]]
 + 
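Review bot: the three `patch` commands in step 3 of the new text each end with a trailing period after the file name (`patch -Np0 -i zd1211rw-inject+dbi-fix-2.6.26.patch.`), and `patch -i` will take that period as part of the name, so the commands fail with "no such file" when copied as written; drop the trailing periods, and fix the "compat-wireles-xxxx-xx-xx" spelling in the note beneath them. The new section heading reads "PatchingKernel 2.26.24+" while the "Kernels 2.6.23 and lower" section says "2.6.2**4** with compat-wireless", so the heading should be "Patching: Kernel 2.6.24+". Step 2 points readers to the injection patch on a personal host (www.zlaten.biz/tmp/...) whereas the other two patches come from patches.aircrack-ng.org; since that patch is applied to kernel driver source and then installed with `sudo make install`, either mirror it on patches.aircrack-ng.org or publish its checksum so readers can verify the download before applying it. Smaller points: the headings "Couldn't load firmwareError number -2" and "Why do I get ioctl(SIOCGIFINDEXfailed ?" have lost their punctuation, "RPM for you distribution" should read "your", and "its only one of the many attacks" should read "it's". Finally, this revision drops the whole set of 2.6.20-era patching, Fedora kernel-source and Gentoo menuconfig instructions from the left side; if they are considered obsolete, a one-line pointer to the older revision under "Kernels 2.6.23 and lower" would keep them reachable for readers still on those kernels.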
zd1211rw.txt · Last modified: 2018/03/11 19:04 by mister_x