Back in the day, when wardriving was still useful (read: before WPA2 was widespread), we used to wander around with a Zaurus in our pocket running Kismet. Today, every cellphone has WiFi and a significantly more powerful processor inside. But alas, the firmware is locked down.

mrmcd16-7748-deu-nexmon_-_make_wi-fi_hacking_on_smartphones_great_again_sdmp4-shot0005_thumbnailEnter the NexMon project. If you’ve got a Nexus 5 phone with the Broadcom BCM4339 WiFi chipset, you’ve now got a monitor-mode, packet-injecting workhorse in your pocket, and it looks a lot less creepy than that old Zaurus. But more to the point, NexMon is open. If you’d like to get inside what it took to reverse-engineer a hole into the phone’s WiFi, or make your own patches, here’s a great starting place.

But wait, there’s more! The recently released Raspberry Pi 3 has a similar Broadcom WiFi chipset, and has been given the same treatment, turning your RPi 3 into a wireless-sniffing powerhouse. How many Raspberry Pi “hacks” actually hack the Raspberry Pi? Well, here’s one.

We first learned of this project from a talk given at the MetaRhein-Main Chaos Days conference which took place last weekend. The NexMon talk (in German, but with slides in English) is just one of the many talks, all of which are available online.

The NexMon project is a standout, however. Not only do they reverse the WiFi firmware in the Nexus 5, but they show you how, and then apply the same methods to the RPi3. Kudos times three to [Matthias Schulz], [Daniel Wegemer], and [Matthias Hollick]!


  1. Do not mock my gorram Zaurus. It is TWICE the computer your Nexus is. Open by default, expandable and with a surprisingly default keyboard for a mobile device.

  2. I feel strongly that “surprisingly default” should enter the lexicon.

  3. “surprisingly default”?

  4. Probably meaning a layout that’s not effed up in some way

  5. Probably a typo for “decent.”

  6. Nexus isn’t “Open by default”?

  7. “Open” is such a wishy-washy word. The Nexus phones are not carrier locked (you can use them on most carriers and change networks simply by changing sims). They use stock Android and you can unlock the bootloader. But there are binaries that go into the software, and there are binaries running on the hardware inside (like the radios). In those ways, the Nexus line is not “Open”.

  8. AH, I miss my Z, best handheld computer until I got a N900. Now I am stuck again waiting for a replacement and considering libhybris or the promised kernel mainlining.
    Both the Zaurus and N900 have binary blobs though I remember someone finally hacked some FOSS drivers for the SL-5500 when they merged openZaurus into Angstrom but that was around EOL for me.

  9. I had both and miss them. A modern smartphone is somehow not a replacement even with all the extra CPU and GPU power. I guess a Pyra will soon fix my cravings for a real handheld computer.

  10. Echo_Hotel (@Echo_Hotel)

    Does the giant orange box, of what google is telling me is anti-itch cream, seem almost proudly displayed to anyone else?

  11. The motto of the MRMCD conference this year was “diagnosis:critical”, see The organizers were dressed in hospital cloth, globules were used as coffee sweetener, there were giant boxes of pharmaceutics everywhere. It was really great 😀
    I really appreciate having an article about our project here on hackaday, thanks 🙂

  12. Elliot Williams

    It’s a fantastic project, and I love the way you guys made it so open that it borders on tutorial. I hope it inspires a new batch of people to try similar hacks!

  13. Would you be willing to do subtitles on YouTube or an srt file? I understand the slides are English but I feel like I’m missing out of so much of the presentation not being able to understand what is being said.

  14. I should have held the talk in english in the first place :-/ Unfortunately I’ve never done any subtitleing before and I’m not sure if I got time to make it happen, sorry.

  15. dustin evans (@dl_evans)

    With the Maneki-neko (had to look that up on Google) on top, too. Good luck to not itching?

  16. What’s the big deal, if you get itchy the Hello Kitty (I heard once that Maneki Neko can be translated as Hello Kitty) can scratch your back.

  17. Elliot Williams

    The MRMCD conference theme this year was medical infosec/hacking, so there were a lot of random doctor-y stuff around, including that big box of anti-itch creme.
    Some people gave their presentations in lab coats. There was a skeleton in the background of some of the shots too. Looked like much fun.

  18. Gotta love the intro of this article.
    Wifi security may have gone up, but so has raw processing power, WPA2 isnt that much safer then WPA/WEP afaik.

  19. BCmon for the galaxy s2 and Nexus 7 was much much better without the need for a custom kernel

Leave a Comment

Your email address will not be published. Required fields are marked *