This is an old revision of the document!
NOTE: Unless you have an old kernel, consider using the mac80211 version of the driver and follow these instructions. It is a much simpler way to obtain injection capability.
This driver supports the zd1211 and the newer zd1211b chipsets by Zydas. Atheros has acquired Zydas and renamed this chipset to AR5007UG.
In pre-2.6.25 kernels, the older zd1211 chipset only partially supports injection. Any injection which requires the device to receive a packet does not work correctly. So the fake authentication, chopchop, and fragmentation attacks plus injection testing do not work. Other basic functions such as monitor mode and the remaining attacks work.
The new zd1211b chipset only partially supports injection. Monitor mode and injection testing works. Assuming you use a MAC address already associated with an AP, normal injection and chopchop attack works. Fake authentication and the fragmentation attacks do not work although some people have reported limited success. Perhaps this depends on the revision level of the chipset.
Starting with kernels 2.6.25 and up, both chipsets support injection completely, except for the fragmentation attack, which is still being worked on. This page only deals with pre-2.6.25 kernels, for newer ones, see zd1211rw-mac80211.
Bottom line, the Zydas chipset is only recommended for use with the aircrack-ng suite if you have a fairly-recent kernel (2.6.25 or newer), due to the large number of problems with it. There are simply too many problems associated with the driver and the specific wireless devices. (Most of these problems are fixed by the mac80211-based driver in kernels 2.6.25 and up.)
The zd1211rw driver has been incorporated into the latest kernels. So you will have to patch the kernel source to obtain injection support. This is described below in detail.
The following links may be helpful to you to learn more about the driver and which devices are supported by it:
Some material to help with patching:
There are some new patches developed by SuD. They are especially designed for 2.6.24 kernels but the also work on previous versions. The patches are still being tested. So any feedback would be especially valued.
Obtain SuD's softMAC and zd1211rw patches from here:
For zd1211rw, either use aircrack's 2.6.23 zydas patch, or SuD's zd1211rw 126.96.36.199 or 2.6.25 patch.
This section will describe how to patch your driver for injection. There is quite a bit of variation between distributions so this describe the general steps you must take. You will have to tweak the instructions for your specific distribution and kernel version. It assumes a reasonable level of unix knowledge and experience. If you don't have this, ask a friend to help you out. If you can't follow these instructions then you should not be messing with your kernel. Don't post to the Forum asking for detailed instructions.
You will need to have your kernel headers and full source already installed on your system. See Installing Fedora kernel headers and sources below for how to do this on Fedora.
Copy contents of /usr/src/linux/net/ieee80211 to a safe place. This is so you can recover if things go bad or if you want to apply a new version of the patch.
Copy contents of /usr/src/linux/drivers/net/wireless/zd1211rw to a safe place. This is so you can recover if things go bad or if you want to apply a new version of the patch.
Download and expand the latest version of the aircrack-ng suite to obtain the patches or download the from here. Typically, you will need the svn version to have best patches. Please note that the patch names might change so you may have to adjust the version numbers in the next few steps.
Copy zd1211rw_inject_2.6.23.patch to /usr/src/linux/
NOTE: In the following lines, verbose and dry-run have a double dash in front of them.
patch -Np1 --verbose --dry-run -i zd1211rw_inject_2.6.23.patch
If it was OK:
patch -Np1 --verbose -i zd1211rw_inject_2.6.23.patch
Copy ieee80211_inject.patch to /usr/src/linux
patch -Np1 --verbose --dry-run -i ieee80211_inject.patch
If it was OK:
patch -Np1 --verbose -i ieee80211_inject.patch
Recompile the modules:
cd /usr/src/linux/drivers/net/wireless/zd1211rw make -C /lib/modules/`uname -r`/build/ M=`pwd` modules cd /usr/src/linux/net/ieee80211 make -C /lib/modules/`uname -r`/build/ M=`pwd` modules
Now copy the new modules to the /lib/modules tree to be used.
cp /usr/src/linux/drivers/net/wireless/zd1211rw/zd1211rw.ko /lib/modules/`uname -r`/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko cp /usr/src/linux/net/ieee80211/*.ko /lib/modules/`uname -r`/kernel/net/ieee80211/ cp /usr/src/linux/net/ieee80211/softmac/*.ko /lib/modules/`uname -r`/kernel/net/ieee80211/softmac/
And finally, rebuild the module dependencies.
At this point, the simplest method to bring up the new modules live is to reboot your system.
If you have problems compiling zd1211rw, you can try:
CONFIG_ZD1211RW=m make -C /lib/modules/`uname -r`/build M=`pwd` clean CONFIG_ZD1211RW=m make -C /lib/modules/`uname -r`/build M=`pwd` modules
These instructions are specific to Fedora. Change 2.6.20-1.2944.fc6 to the particular kernel version you have installed. uname -r can help you determine what is currently installed.
You need these packages already installed:
Running the command rpm -qa | grep kernel will show which kernel packages are installed.
If the headers and development packages are not already installed then obtain them from your favourite repository then:
rpm -ivh kernel-headers-2.6.20-1.2944.fc6.i386.rpm rpm -ivh kernel-devel-2.6.20-1.2944.fc6.i686.rpm (obtain i586 or i686 depending on your architecture)
Alternatively, use yum -y install kernel-headers“ and yum -y install kernel-devel.
Now download and install the full kernel sources if they are not already on your system (This assumes you have downloaded this RPM from your favourite repository).
rpm -ivh kernel-2.6.20-1.2944.fc6.src.rpm
Change to the following directory:
Change ”–target=i586“ to the architecture of your system in the next line.
rpmbuild -bp --target=i586 kernel-2.6.spec
NOTE: Change references to versions to your specific version in the next few lines.
/bin/cp -a /usr/src/redhat/BUILD/kernel-2.6.20/linux-2.6.20.i586/* /usr/src/kernels/2.6.20-1.2944.fc6-i586/ ln -s /usr/src/kernels/2.6.20-1.2944.fc6-i586 /usr/src/linux
Some kernels incorporate the functionality built into the kernel. If you want to change the zd1211rw and ieee802.11 to loadable modules, the following describes how to do this. The source of this note is this thread in the forum.
These are the settings for menuconfig using 2.6.20-gentoo-r7, changing from kernel built-in to loadable modules for the purposes of these patches. This will likely work as well on other distributions.
First, change the appropriate items in menuconfig:
cd /usr/src/linux make menuconfig Networking ----> then set <M> Generic IEEE802.11 Networking Stack <M> Software MAC add-on to the IEEE 802.11 netowrking stack all other module capable IEEE 80211 items will have automatically set themselves to <M> Also check that: Device Drivers ----> Network device support ----> Wireless LAN (non-hamradio) ----> <M> ZyDAS ZD1211/ZD1211B USB-wireless support is also set to <M> Exit out and save the config
Now apply the zd1211 and ieee80211 inject patches and recompile/install the kernel and modules.
Apply the zd1211 inject and ieee80211 inject patches as per patch instructions but only do the 4 patch -Np1 commands, in gentoo doing the make commands and copying all the files is unnecessary!!
After the patches are applied, you can now recompile the kernel and modules with the following commands:
cd /usr/src make all modules modules_install install
Wait for it to finish and then reboot your system.
Lastly, test your drivers and the injection patch.
Use “lsusb” to ensure your device is recognized. For example, “ID 157e:300d” below is a Trendnet TEW-429UB zd1211b unit. Sample lsusb output:
Bus 003 Device 003: ID 157e:300d Bus 003 Device 001: ID 0000:0000 Bus 001 Device 001: ID 0000:0000 Bus 002 Device 001: ID 0000:0000
If your device is not listed then you first need to determine why and correct it.
Use “dmesg” to ensure your device was properly loaded. You may have do “modprobe zd1211rw” to cause the kernel module to be loaded. Below is an example of the zd1211rw module being successfully loaded. Sample dmesg output:
ieee80211_crypt: registered algorithm 'NULL' ieee80211: 802.11 data/management/control stack, git-1.1.13 ieee80211: Copyright (C) 2004-2005 Intel Corporation <firstname.lastname@example.org> usb 3-1: reset high speed USB device using ehci_hcd and address 3 usb 3-1: firmware version 0x4810 and device bootcode version 0x4802 differ zd1211rw 3-1:1.0: firmware version 4725 zd1211rw 3-1:1.0: zd1211b chip 157e:300d v4802 high 00-14-d1 AL2230_RF pa0 ----- zd1211rw 3-1:1.0: eth1 usbcore: registered new interface driver zd1211rw
Depending on the error messages in dmesg, take the appropriate action.
Use “lsmod” and ensure the zd1211rw module is loaded. Below is a subset of the output from lsmod showing the zd1211rw in memory. Notice there are other dependencies. Sample lsmod output:
Module Size Used by zd1211rw 52740 0 ieee80211softmac 35265 1 zd1211rw ieee80211 35784 2 zd1211rw,ieee80211softmac ieee80211_crypt 10112 1 ieee80211
A common problem on new kernels is that the new mac80211 version of the driver gets loaded instead of the older legacy driver covered on this page. The newer driver doesn't need any patches and has better injection support, but it requires aircrack-ng 1.0 beta, and doesn't work with 0.9 or earlier. The new driver can be identified by an lsmod output that looks like this:
Module Size Used by zd1211rw 67204 0 mac80211 229108 1 zd1211rw cfg80211 27528 1 mac80211
If that is the case, and you are having problems with the new driver, then you need to blacklist the modules by editing /etc/modprobe.d/blacklist and add the following, and reboot:
#zd1211rw wireless drivers blacklist zd1211rw blacklist zd1211rw_mac80211
Also ensure that the time stamp on zd1211rw.ko module matches the date and time you compiled it. Otherwise this may mean you are running the wrong version of the module. (Of course, you might also just update aircrack-ng to 1.0-rc1 or 1.0-svn, and use the unpatched mac80211 driver with it.)
Note however, that starting with kernel v2.6.25, zd1211rw is only available in the new mac80211 flavor, so you need to use an updated aircrack-ng for it.
If dmesg has an error similar to the following:
usb 1-1: Could not load firmware file zd1211/zd1211b_ub. Error number -2 zd1211rw 1-1:1.0: couldn't load firmware. Error number -2
This means you are missing the firmware for your device or it is located in the wrong location. The firmware is downloaded to the device each time it is initialized by the kernel module and is required for your device to operate. The typical location is /lib/firmware/zd1211. Please keep in mind that this may vary for your specific distribution. Try this location first, if that fails then seek out help from your distribution support group or review the source code of the zd1211rw module on your distribution.
On some distributions, the kernel version is included in the firmware path: /lib/firmware/<kernel version from uname -r>/zd1211. If this is the case then you may have to copy the firmware to the standard driver location or add a symbolic link. One way or another, the driver needs to be able to find the firmware.
You can obtain the firmware from:
If you get error messages similar to:
Then See this FAQ entry.