# Enable NexMon Monitor Mode & Packet Injection on Android (Broadcom chips) {{#include ../../banners/hacktricks-training.md}} ## Overview Most modern Android phones embed a Broadcom/Cypress Wi-Fi chipset that ships without 802.11 monitor mode or frame-injection capabilities. The open-source NexMon framework patches the proprietary firmware to add those features and exposes them through a shared library (`libnexmon.so`) and a CLI helper (`nexutil`). By pre-loading that library into the stock Wi-Fi driver, a rooted device can capture raw 802.11 traffic and inject arbitrary frames – eliminating the need for an external USB adapter. This page documents a fast workflow that takes a fully-patched Samsung Galaxy S10 (BCM4375B1) as an example, using: * NexMon Magisk module containing the patched firmware + `libnexmon.so` * Hijacker Android application to automate monitor-mode toggling * Optional Kali NetHunter chroot to run classic wireless tools (aircrack-ng, wifite, mdk4 …) directly against the internal interface The same technique applies to any handset that has a publicly available NexMon patch (Pixel 1, Nexus 6P, Galaxy S7/S8, etc.). --- ## Prerequisites * Android handset with a supported Broadcom/Cypress chipset (e.g. BCM4358/59/43596/4375B1) * Root with Magisk ≥ 24 * BusyBox (most ROMs/NetHunter already include it) * NexMon Magisk ZIP or self-compiled patch providing: * `/system/lib*/libnexmon.so` * `/system/xbin/nexutil` * Hijacker ≥ 1.7 (arm/arm64) – [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker) * (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools --- ## Flashing the NexMon patch (Magisk) 1. Download the ZIP for your exact device/firmware (example: `nexmon-s10.zip`). 2. Open Magisk -> Modules -> Install from storage -> select the ZIP and reboot. The module copies `libnexmon.so` into `/data/adb/modules//lib*/` and ensures SELinux labels are correct. 3. Verify installation: ```bash ls -lZ $(find / -name libnexmon.so 2>/dev/null) sha1sum $(which nexutil) ``` --- ## Configuring Hijacker Hijacker can toggle monitor mode automatically before running `airodump`, `wifite`, etc. In **Settings -> Advanced** add the following entries (edit the library path if your module differs): ``` Prefix: LD_PRELOAD=/data/user/0/com.hijacker/files/lib/libnexmon.so Enable monitor mode: svc wifi disable; ifconfig wlan0 up; nexutil -s0x613 -i -v2 Disable monitor mode: nexutil -m0; svc wifi enable ``` Enable “Start monitor mode on airodump start” so every Hijacker scan happens in native monitor mode (`wlan0` instead of `wlan0mon`). If Hijacker shows errors at launch, create the required directory on shared storage and reopen the app: ```bash mkdir -p /storage/emulated/0/Hijacker ``` ### What do those `nexutil` flags mean? * **`-s0x613`** Write firmware variable 0x613 (FCAP_FRAME_INJECTION) → `1` (enable TX of arbitrary frames). * **`-i`** Put interface in monitor mode (radiotap header will be prepended). * **`-v2`** Set verbose level; `2` prints confirmation and firmware version. * **`-m0`** Restore managed mode (used in the *disable* command). After running *Enable monitor mode* you should see the interface in monitor state and be able to capture raw frames with: ```bash airodump-ng --band abg wlan0 ``` --- ## Manual one-liner (without Hijacker) ```bash # Enable monitor + injection svc wifi disable && ifconfig wlan0 up && nexutil -s0x613 -i -v2 # Disable and return to normal Wi-Fi nexutil -m0 && svc wifi enable ``` If you only need passive sniffing, omit the `-s0x613` flag. --- ## Using `libnexmon` inside Kali NetHunter / chroot Stock user-space tools in Kali do not know about NexMon, but you can force them to use it via `LD_PRELOAD`: 1. Copy the pre-built shared object into the chroot: ```bash cp /sdcard/Download/kalilibnexmon.so /lib/ ``` 2. Enable monitor mode from the **Android host** (command above or through Hijacker). 3. Launch any wireless tool inside Kali with the preload: ```bash sudo su export LD_PRELOAD=/lib/kalilibnexmon.so wifite -i wlan0 # or aircrack-ng, mdk4 … ``` 4. When finished, disable monitor mode as usual on Android. Because the firmware already handles radiotap injection, user-space tools behave just like on an external Atheros adapter. --- ## Typical Attacks Possible Once monitor + TX is active you can: * Capture WPA(2/3-SAE) handshakes or PMKID with `wifite`, `hcxdumptool`, `airodump-ng`. * Inject deauthentication / disassociation frames to force clients to reconnect. * Craft arbitrary management/data frames with `mdk4`, `aireplay-ng`, Scapy, etc. * Build rogue APs or perform KARMA/MANA attacks directly from the phone. Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-3 M pps RX). --- ## Troubleshooting * `Device or resource busy` – make sure **Android Wi-Fi service is disabled** (`svc wifi disable`) before enabling monitor mode. * `nexutil: ioctl(PRIV_MAGIC) failed` – the library is not pre-loaded; double-check `LD_PRELOAD` path. * Frame injection works but no packets captured – some ROMs hard-block channels; try `nexutil -c ` or `iwconfig wlan0 channel `. * SELinux blocking library – set device to *Permissive* or fix module context: `chcon u:object_r:system_lib_file:s0 libnexmon.so`. --- ## References * [Hijacker on the Samsung Galaxy S10 with wireless injection](https://forums.kali.org/t/hijacker-on-the-samsung-galaxy-s10-with-wireless-injection/10305) * [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon) * [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker) {{#include ../../banners/hacktricks-training.md}}