NexMon: A Cookbook for Firmware Modifications on Smartphones to Enable Monitor Mode

24 Dec 2015  ·  Matthias Schulz, Daniel Wegemer, Matthias Hollick

Full control over a Wi-Fi chip for research purposes is often limited by its firmware, which makes it hard to evolve communication protocols and test schemes in practical environments. Monitor mode, which allows eavesdropping on all frames on a wireless communication channel, is a first step to lower this barrier. Use cases include, but are not limited to, network packet analyses, security research and testing of new medium access control layer protocols. Monitor mode is generally offered by SoftMAC drivers that implement the media access control sublayer management entity (MLME) in the driver rather than in the Wi-Fi chip. On smartphones, however, mostly FullMAC chips are used to reduce power consumption, as MLME tasks do not need to wake up the main processor. Even though monitor mode is also possible in FullMAC scenarios, it is generally not implemented in today's Wi-Fi firmwares used in smartphones. This work focuses on bringing monitor mode to Nexus 5 smartphones to enhance the interoperability between applications that require monitor mode and BCM4339 Wi-Fi chips. The implementation is based on our new C-based programming framework to extend existing Wi-Fi firmwares.
