## Chumby Wifi Sniffer

For ETech08, I built the “Chumby Tower” and one of the hacks featured in the tower is a version of the chumby that sniffs wifi and renders captured packets onto the display. The chumby is a great device for passively monitoring wifi signals, because it has a screen for rendering the data real-time, sufficient CPU power to do the data processing, and it’s cheap enough that you don’t mind dedicating it to that application. It’s handy, for example, to see if your neighbors are stealing your wifi link to surf the web; at a glance you can see what URLs are going by over the air.

The sniffer application sets the wifi radio in the chumby to monitor mode, so it picks up any and all packets on the selected channel. The application then relies on a cross-compiled version of tshark and dumpcap to capture 802.11 packets in raw form. The dumps are processed with a perl script that identifies certain headers and keywords that delimit strings of interest. These strings are then output in an XML container, which is then read by a Flash movie and rendered to the screen. You can adjust what interesting strings are selected by modifying the perl script. Currently, the script just extracts http link strings, To/From/Subject of unencrypted POP mail, and HTML page titles and headers. However, it’s fairly easy to extend the script to do things like capture plaintext username/password pairs that are transmitted over wifi, which happens surprisingly often.
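The extraction stage described above, as an added Python sketch; it is not the perl script from the zipfile. It shows which strings are readable in cleartext payloads and that an encrypted record yields nothing. The sample payloads are constructed, and the function names and the XML element names (`sniffed`, `item`, `kind`) are assumptions, since the post does not give the container format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample payloads (not real captures): application data as it
# would look once the 802.11/IP/TCP headers have been stripped.
SAMPLE_PAYLOADS = [
    "GET /news/index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><TITLE>Example News</TITLE></head><body><h1>Top  story</h1>",
    "+OK message follows\r\nFrom: alice@example.org\r\nTo: bob@example.org\r\n"
    "Subject: lunch on friday\r\n\r\nhi",
    "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",  # TLS record: nothing readable
]

REQUEST = re.compile(r"^(?:GET|POST) (\S+) HTTP/1\.[01]\r?$", re.M)
HOST = re.compile(r"^Host: (\S+)\r?$", re.M | re.I)
MAIL = re.compile(r"^(From|To|Subject): ([^\r\n]+)", re.M)
MARKUP = re.compile(r"<(title|h[1-6])\b[^>]*>(.*?)</\1>", re.I | re.S)

def extract_strings(payload):
    """Return (kind, text) pairs for the readable strings in one payload."""
    found = []
    req, host = REQUEST.search(payload), HOST.search(payload)
    if req and host:
        # Rebuild the link from the request line and the Host header.
        found.append(("url", "http://" + host.group(1) + req.group(1)))
    if not req and not payload.startswith("HTTP/"):
        # Treat From/To/Subject as mail headers only outside HTTP messages.
        found += [(m.group(1).lower(), m.group(2).strip())
                  for m in MAIL.finditer(payload)]
    for m in MARKUP.finditer(payload):
        # Drop nested tags and collapse whitespace inside titles and headers.
        text = " ".join(re.sub(r"<[^>]+>", "", m.group(2)).split())
        if text:
            found.append((m.group(1).lower(), text))
    return found

def to_xml(payloads):
    """Wrap every extracted string in an XML container (hypothetical schema)."""
    root = ET.Element("sniffed")
    for payload in payloads:
        for kind, text in extract_strings(payload):
            ET.SubElement(root, "item", kind=kind).text = text
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(to_xml(SAMPLE_PAYLOADS))
```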

For those who just want to use the sniffer, you can download this zipfile and extract it to a blank USB drive, plug it into a chumby, reboot, and when the chumby comes back it should be running the application. At the point where the screen goes dark, it will take up to a minute for data to start appearing, as it takes about 20-30 seconds for the huge tshark executable to load (depending upon the performance of your USB drive), and then the script pools data over a few sampling periods before reporting summary information. For those who wish to hack the program a bit, here is a link to the Flash movie—it’s the only piece of code in the zipfile that isn’t available in source form some other way.

The default frequency of the radio will be the last frequency used, but you can add a line to the “userhook2” perl script right after monitor mode is set to configure the channel explicitly:

```
iwconfig rausb0 channel 3   # set channel number to desired number
```


The script is a little bit fragile, in that every time the firmware is updated something seems to break. I just repaired the script to work with firmware version 1.5, but let me know if you use the script and it doesn’t seem to work. Unfortunately, the only way to debug the script is via the serial port, because setting the wifi card in monitor mode makes it unable to transmit packets — although if you’re really clever you can hack the script to load drivers for a wired ethernet USB dongle and connect to the chumby via that interface.

For what it’s worth, cross-compiling tshark is a total pain in the butt. The make scripts really weren’t very friendly to the task; I had to do a lot of manual operations to facilitate the build. For example, it doesn’t differentiate between binaries that run on the host versus binaries that run on the target, so some helper programs meant to run on the x86 host would get compiled to ARM (doh!); those cases had to be tweaked manually to get the whole thing to build right.

### 22 Responses to “Chumby Wifi Sniffer”

1. Beastlykings says:

This is great! I could have a lot of fun with it, I just wish the text didn’t dance around so much. Does it have to do this? Can it be stopped or substituted with some sort of scroll?

2. bunnie says:

Sure thing! I included the .fla file so you can modify how the text is rendered. If you don’t have the Adobe Flash suite, you can also use FlashDevelop (which is a free tool) to write the back-end rendering script. I made the text dance around a bit because I was just learning how to use the Flash suite and decided to do some gratuitous animation. :-P

If you don’t feel comfortable with Flash coding I can see if I can jimmy something up inside FlashDevelop that you can use a template to get a soft-start at things. The ActionScript stuff (which is all I use in Flash anyways) is kind of C-like so I didn’t have too bad a time using it, and the nice thing about FlashDevelop is that it’s a tiny application, so you don’t feel like you’ve installed yet another useless hulking IDE on your computer.

3. Beastlykings says:

Well I’m “Purchasing” Adobe Flash CS3 Professional right now, so that should do the job, no?
I’ve never done any kind of programming before, so yeah anything you would do would be great, maybe you could point me towards some good resources?
I think flash would be a good place to start, really useful.

4. bunnie says:

Cool :-)

There’s actually a little getting started guide for FlashDevelop on the chumby wiki:

http://wiki.chumby.com/mediawiki/index.php/FlashDevelop

It’s quite helpful, but of course if you have access to Flash CS3 Professional right now, you’ll be able to open my .fla file and see the script code–you should be able to see pretty easily the lines where I assign random numbers to the X,Y locations of the text and replace that with a loop that just does an incrementing value on the Y axis…

Let me know if you have any more specific questions or run into any trouble getting the .fla to open!

5. Ryan says:

Have you considered adding image sniffing to it? I remember a linux program once called Driftnet that did similar things, but with images. I think the project has been abandoned though unfortunately.

6. Beastlykings says:

So.. this bit here

```
redArray[redIndex]._x = randRange(-50,319);
redArray[redIndex]._y = randRange(-5,239);
```

And this bit here

Should be changed to what? I mean, I can imagine, but I’m not sure. I assume I’d have to remove the randRange part, but replace it with what?

Would it be something like:

Either way, when I access the .fla with Adobe Flash using F9, change those parameters, republish the file to an .swf, and load it onto the chumby, it is like there is no change. So I’m not sure how to save changes…

7. bunnie says:

Let’s see…

Sad to say, the code is a bit ugly and I apologize for the lack of comments. I should have done a clean-up pass before I published it.

There are three places where the indices are set:

* once at the top, to initially seed
* once in the onEnterFrame() method, which makes it shift every frame
* once in the onLoad() method, which makes sure that when text is loaded for the first time it has a random position.

You can probably take the onLoad function and just set it to something constant–onLoad is a callback that happens whenever a new XML file is loaded in successfully. It’s the onEnterFrame() method that you need to change–this is a callback that happens every time the frame counter advances for the animation of the movie.

You’d probably want to do something like this:

```
for( var i:Number = 0; i < numRender; i++ ) {
    idx = (i + renderIndex + redIndex) % numRedText;
    // this makes old entries fade out with time, comment out if you want them eternally persistent
    redArray[idx].textColor = 0xFF0000 - (i * 0x220000);
    redArray[idx]._x = 10; // fix the x-location
    // 15 is the height, in pixels, between lines. 10 keeps you from having your text render off the top of the screen
    redArray[idx]._y = 10 + i * 15;
}
```

I think that should be a good start. Remember, you have to change the code in a couple of places--if you just changed the top loop, then you won't see a difference because it only changes the initial values of the text. Hope that helps!

8. bunnie says:

Ryan–btw, I did implement a demo of GIF decoding at one point in time, where I had the parser discover things that looked like GIF headers and then decode as much of the data as it could out of the single packet. I had some success with it, but my skill in Flash coding wasn’t good enough to figure out how to pass a GIF object into Flash via XML…it would probably involve base64-ing it and then undoing that on the Flash side, but that’s a lot of work. So I settled for text-only :-)

9. Beastlykings says:

Well it seems to work now, except all the text shows up in the lower left corner. Idk, I’m gonna tinker with it, thanks for the help bunnie! I really appreciate it!

10. bunnie says:

Doh! There might be some trick to get the text’s position to update. I don’t profess to be a crack Flash coder–this is one of the first scripts I’ve written in this language myself. I did it partially as a learning exercise for myself, so it’s a bit of the blind leading the blind :-)

but good luck!

11. […] Chumby Wifi Sniffer […]

12. Mark says:

Can something like this be made for Pocket PC?

13. […] [bunnie] is one of the main people behind the Chumby, and even he can’t resist modding the things. He decided to outfit one with a larger LCD – using a stereo microscope to do the really fine pitch work – and a laser cutter to create a custom bezel for the finished piece. The new LCD is still a touchscreen and allows the Chumby to display 640×480 resolution over the stock 320×240. The mod requires a few parts, but the ultimate difficulty is caused by the surface mount connectors. If you’d rather have some software fun, you might want to check out [bunnie]’s Chumby wifi sniffer. […]

15. […] Picked this up off of hackaday but found the blog post pretty cool. Imagine, as one commenter pointed out, running this puppy in a hotel with Driftnet working? Could be fun! […]

16. Jay Marm says:

I think the new firmware 1.6 has messed it up. :-(

All I get now is an IP address displayed (eg: 192.168.0.1:5678), no text.

I love the notion of going to a friend’s house and plugging in Chumby to show them their unprotected wireless AP ain’t so private!

18. Maj says:

appreciate the info guys, thanks

19. jitender says:

I want a wifi software to break a wifi password immediately

20. […] panda enclosure on the Chumby (Shamu the whale, too!). And, of course, there’s the Chumby WiFi Sniffer–perfect for seeing what your wireless-leeching neighbors are up to on your connection. True […]

22. […] procyonid enclosure on the Chumby (Shamu the whale, too!). And, of course, there’s the Chumby WiFi Sniffer–perfect for sight what your wireless-leeching neighbors are up to on your connection. True […]