wifi_send_pkt_freedom returning -1 about esp8266-injection-example HOT 20 CLOSED

Hi,

Actually I did not check the return value of the function. The chinese SDK is quite buggy anyway, especially these new functions, so I was just concerned about the practical aspect: if it sends the packet or not.

I suggest you to use wireless sniffer with a supported wifi card (I used wireshark) to check how it works. For me it worked, I could see 10 similar packets sent per wifi_send_pkt_freedom() invocation.

Unfortunately this is the only reliable way to debug ESP8266.

from esp8266-injection-example.

I'm having this issue as well. I've mechanically isolated the esp8266 and a usb wifi card in monitor mode and the card never picks anything up from the 8266. I also added a callback with wifi_register_send_pkt_freedom_cb, it's not getting called either.

Regarding debugging, Espressif recently released https://github.com/espressif/esp-gdbstub. I've only gotten it to work inside of visualgdb which I've not gotten to work with calls to wifi_send_pkt_freedom, but I think it's possible.

from esp8266-injection-example.

Can it be that your channel is too busy for ESP to both capture and send? Try sending some constant packet without capturing anything. Please report here in case of success/failure.

from esp8266-injection-example.

External wifi traffic has been minimal. my home router is the only device on channel 1, with 2-3 clients. I've removed the capturing portion but still haven't seen any traffic. I've put my changes and results into a gist: https://gist.github.com/stickytruth/91590343c9fce594479f

from esp8266-injection-example.

I'm experiencing the same issue as @stickytruth and @dnc40085. I get -1 as a result on the function call and can't pick anything up on wireshark. Promiscuous mode is disabled to make sure there's enough time for the packets to be sent. The freedom callback never gets called.

from esp8266-injection-example.

As an aside, I'm also getting failure when I try to register a freedom callback:

    os_printf("\t registering send_pkt_freedom_cb\n");
    result = wifi_register_send_pkt_freedom_cb(packet_freedom_cb);
    os_printf("\t wifi_register_send_pkt_freedom_cb=%s\n", result ? "true" : "false");

outputs wifi_register_send_pkt_freedom_cb=false

from esp8266-injection-example.

Ah, strike that last bit. result was set as 0 which printed false ... so actually it appears to be registering successfully.

from esp8266-injection-example.

I posted a question here:

http://bbs.espressif.com/viewtopic.php?f=7&t=1357

We'll see if there is an answer.

from esp8266-injection-example.

So I will quote the reply from Espressif:

1. wifi_send_pkt_freedom can not send management packets and encrypted packets, beacon is one kind of the management packets. We add this limitation because it may effect other devices.
2. If you really want to send beacon, please start from "0x80, 0x00 ... " which means that the first 26 bytes need to be deleted. If you start from "0x00,0x00", wifi_send_pkt_freedom will detect the 80211 header and find out that it's a management packet, and send fail.
3. wifi_send_pkt_freedom data format : start from 802.11 header, no more extra data in the front.

It can be that I have an older 1.4.0 SDK where this code actually works. I currently have some problems with my programmer; once I fix them I will definitely try to figure this out. Probably they indeed filter out management packets. Thank @bakercp for raising this issue on the forum.

from esp8266-injection-example.

Sending data frames works for me. I've put my changes in a fork, https://github.com/stickytruth/esp8266-injection-example . I can send a PR if you'd like.

from esp8266-injection-example.

So it looks like first few bytes (packet type) make the difference. Well, it's pretty much what they claim on the forum. Yet, it is an open question why it works for me (and some other users). My plan here is to update a toolchain and try once more.

from esp8266-injection-example.

FWIW, I'm using esp_iot_sdk_v1.4.0_15_09_18.zip - Do you have an earlier one?

from esp8266-injection-example.

Yes, I've also got data frames working now. Thanks for your help all. Now to figure out how to sniff some of that data ... right now I've got almost whole management frames and some control frames, but not much in the way of data frame data in "promiscuous" (isn't it actually more like monitor mode?) mode.

from esp8266-injection-example.

Hello, pulkin. Congratulations for the great work!
Can you share with us your SDK v1.4? I have the same problem related with management messages blocked. I'm also using esp_iot_sdk_v1.4.0_15_09_18.
Thanks.

from esp8266-injection-example.

Anyone found the old sdk needed?

from esp8266-injection-example.

So I finally managed to build up the circuit and test everything again. Initially I was using the following one:

esp_iot_sdk_v1.3.0_15_08_08.zip

And it worked. With more recent

esp_iot_sdk_v1.4.0_15_09_18.zip

it does not. When it works you can also see in the terminal:

Sending deauth seq_n = 0 ...
seq: 80

The second line is printed by SDK itself. By 'it works' or 'it does not work' I mean whether wireshark can see the packet. My SDK is here:

https://www.dropbox.com/s/lkjwiyk81ky7wfu/esp_iot_sdk_v1.3.0_15_08_08.zip?dl=0

I will look for the ways to do the same thing with th newest SDK.

from esp8266-injection-example.

I can confirm that. With the esp_iot_sdk_v1.3.0 SDK, I can compile and use the attack successfully, however, with 1.4.0, it does not work. Thanks already for sharing the old SDK with us 👍 :)

from esp8266-injection-example.

how to manually install this esp8266-2.1.0-rc2? please let us know its not in the list but I got it from github how to install it now is the question? I tried pasting in Arduino15/ folder but no luck

from esp8266-injection-example.

Why do you need it for Arduino?

from esp8266-injection-example.

No i'm using arduino ide 1.6.7 to upload the program on esp8266

from esp8266-injection-example.