
Re: Arbitrary probe request packets injection, this is how.

PostPosted: Wed Jul 08, 2015 6:33 pm
by ernacktob
Also, I have reverse-engineered most of the wdev.c functions, which include the wdev_go_sniffer and wDev_Process_Fiq interrupt handler. From what I see, I still am not sure whether full promiscuous mode is achievable, because it may be that the hardware itself gets incomplete frames when entering promiscuous mode (this is just a hypothesis for now). One might be able to play with some of these register flags to find more info on what's going on here.

Re: Arbitrary probe request packets injection, this is how.

PostPosted: Thu Jul 09, 2015 2:36 pm
by ernacktob
Oddly enough, my previous post did not go through, but I was mentioning that I successfully managed to send arbitrary wifi frames (with some caveats, as mentioned in my repo) with the ESP, and also receive complete wifi frames without necessarily being associated to a router.
I can receive broadcast frames and frames directed to the device's own MAC address, and don't have the 128-byte limitation of the sniffer API. I have a public GitHub repository, ernacktob/esp8266_wifi_raw, that demonstrates a proof-of-concept.
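For readers following the thread title, here is what the "arbitrary frame" in question actually looks like on the wire: an added, stand-alone example (not code from ernacktob's or cnlohr's repositories) that builds a wildcard or directed 802.11 probe request and parses the SSID back out of a received one. It assumes a raw-send primitive that takes the frame starting at the 24-byte MAC header and that the hardware appends the FCS; the `raw_send` name in the comment is hypothetical. The parser bounds-checks every information element, which matters on the receive side when frames can arrive truncated (for example by the 128-byte sniffer limit mentioned above).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Build an 802.11 probe request (management frame, subtype 4) into buf.
 * Layout: 24-byte MAC header, then tagged parameters: SSID (tag 0) and
 * Supported Rates (tag 1). The FCS is not appended; the radio is assumed to
 * add it. Returns the frame length, or 0 if buf is too small or ssid > 32 bytes.
 * A NULL or empty ssid yields a wildcard probe (zero-length SSID element).
 */
size_t build_probe_request(uint8_t *buf, size_t buflen,
                           const uint8_t src_mac[6], uint16_t seq,
                           const char *ssid)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    /* 1/2/5.5/11 Mbit/s flagged as basic (0x80), plus 6/9/12/18 Mbit/s. */
    static const uint8_t rates[] = {0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24};
    size_t ssid_len = ssid ? strlen(ssid) : 0;
    size_t need = 24 + 2 + ssid_len + 2 + sizeof rates;
    uint8_t *p = buf;

    if (ssid_len > 32 || buflen < need)
        return 0;

    *p++ = 0x40; *p++ = 0x00;                 /* frame control: mgmt, probe req */
    *p++ = 0x00; *p++ = 0x00;                 /* duration */
    memcpy(p, bcast, 6);   p += 6;            /* addr1: destination (broadcast) */
    memcpy(p, src_mac, 6); p += 6;            /* addr2: source */
    memcpy(p, bcast, 6);   p += 6;            /* addr3: BSSID (wildcard) */
    *p++ = (uint8_t)((seq << 4) & 0xff);      /* seq ctrl, LE: frag=0, seq<<4 */
    *p++ = (uint8_t)((seq >> 4) & 0xff);

    *p++ = 0; *p++ = (uint8_t)ssid_len;       /* SSID element */
    memcpy(p, ssid, ssid_len); p += ssid_len;
    *p++ = 1; *p++ = sizeof rates;            /* Supported Rates element */
    memcpy(p, rates, sizeof rates); p += sizeof rates;

    return (size_t)(p - buf);
}

/*
 * Extract the SSID from a received probe request. Returns the SSID length
 * (0 for a wildcard probe), or -1 if the frame is not a probe request, an
 * element runs past the end of the frame, or the SSID does not fit in out.
 */
int probe_request_ssid(const uint8_t *frame, size_t len, char *out, size_t outlen)
{
    size_t i = 24;

    if (len < 24 || frame[0] != 0x40)
        return -1;
    while (i + 2 <= len) {
        uint8_t tag = frame[i], tlen = frame[i + 1];
        if (i + 2 + tlen > len)
            return -1;                        /* truncated element: reject */
        if (tag == 0) {
            if (tlen > 32 || (size_t)tlen + 1 > outlen)
                return -1;
            memcpy(out, frame + i + 2, tlen);
            out[tlen] = '\0';
            return tlen;
        }
        i += 2 + tlen;
    }
    return -1;                                /* no SSID element present */
}

int main(void)
{
    /* Constructed sample MAC; on the ESP this would be the device's own. */
    const uint8_t mac[6] = {0x18, 0xfe, 0x34, 0x00, 0x11, 0x22};
    uint8_t frame[128];
    char ssid[33];
    size_t n = build_probe_request(frame, sizeof frame, mac, 1, "example");
    size_t i;

    for (i = 0; i < n; i++)
        printf("%02x%s", frame[i], (i % 16 == 15 || i + 1 == n) ? "\n" : " ");
    /* raw_send(frame, n);  hypothetical platform send call */
    if (probe_request_ssid(frame, n, ssid, sizeof ssid) >= 0)
        printf("ssid: \"%s\"\n", ssid);
    return 0;
}
```

Frames the device is not associated for are still parsed by anything in range, so the receive-side check is the part to keep honest: a length byte in an element is attacker-controlled and must never be trusted past the end of the buffer you actually received.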

Re: Arbitrary probe request packets injection, this is how.

PostPosted: Mon Jul 13, 2015 1:00 pm
by cnlohr
I don't need full promiscuous. I'm just trying to send/receive out-of-band data, so I can communicate from ESP to ESP while they maintain their roles as APs.

Re: Arbitrary probe request packets injection, this is how.

PostPosted: Mon Jul 13, 2015 1:07 pm
by cnlohr
I was able to send raw packets that do not appear to have any sort of 802.11 header associated with them at all, so they are MACless.

https://github.com/cnlohr/esp8266rawpackets/

It actually looks almost the same as what you are doing :-p

Looks like I only beat you by ~5 days.