Skip to content

For all BananapiM4Zero - Both versions!

Latest
Latest
Compare
Choose a tag to compare
@Sniffleupagus Sniffleupagus released this 20 Nov 23:16
ForAllM4Zero
adc72d9
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

Massive updates

Now supporting both versions (lol) of the Banana Pi M4 Zero: original with Realtek 8821CU, and the new ones with the Broadcom 43455 wifi. RNDIS is working, tested against latest MacOS and Windows 10. The image is based on Armbian 24.11.0, Debian bookworm "current" branch, Linux Kernel 6.6.54

Original M4zero

The original m4zero is "fully" supported, with reliable wifi, working bluetooth, Pisugar I2C (mostly) and GPIO support for some/most screens in pwnagotchi (tested with displayhatmini. waveshare_2/3/4 should work, too. Others may work, or may need edits to pick a different SPI device). Displayhatmini required an edit to the main DTB to change one of the SPI pins that the DHM uses differently.

I2C on pins 3 & 5 has been tested with a Pisugar 3. Pisugar 2 probably works, since it uses the same pins (edit the plugin file to change from i2c bus 1 to bus 4). This required a custom DTB overlay "i2c4-pg", which is a modified copy of the stock i2c4-ph. There are transient errors on that i2c bus, so reads sometimes fail. I have modified the pisugar3 plugin to try a few times until it gets a value, and it seems pretty decent. Turn off "shutdown on low battery", because the transient fails end up returning "0%" and will trigger shut down randomly. The plugin also tries to track how long since you plugged in or unplugged, but that timer gets reset sometimes due to bad reads. The BAT display rotates between voltage, capacity%, battery temperature, and battery timer.

M4zero V2

The V2 boards are new, and not fully supported. Headless pwning works. The first boot for the new board includes a reboot to enable the dtb overlay that activates the "new" wifi chip. After it reboots, it should come up pwning in a minute or so.

The V2 has the same Wifi chip as a Raspberry Pi 4, and uses the nexmon driver to get monitor mode. This has the same drawbacks as nexmon on the pi 4. It might not really send deaths. It does eventually go "blind" due to a driver crash, especially if it is deauthing. Deauths are DISABLED by default. It dumps kernel errors in the console. Reloading the driver fixes it sometimes. The fix_brcmf_plugin.py is an old version of the fix_services.py plugin in Jayofelony pwnagotchi. It is disabled by default, because I have not done a lot of testing with it. It might work, but it may be overaggressive and reset when it isn't needed. In config.toml, you can change personality.throttle_an and throttle_d to adjust the delay after the attacks to slow it down and maybe crash less.

New in agent.py: You can also set personality.assoc_prob and personality.deauth_prob (in config.toml) to a value between 0.0 and 1.0, as a probability of performing the attack at the time of each attack. So if there are 10 clients on an AP, and you set deauth_prob to 0.1, it will probably only deauth one of them each epoch, instead of all 10 every time, and might not go as blind. This has not been fully tested, but doesn't break anything.

V2 boards do not have working bluetooth. "No default controller".

GPIO/displays are not yet supported on V2, due to changes in the GPIO pin mapping. On the plus side, someone has made lgpio, RPi:GPIO and WiringPi packages that support the new layout, so it shouldn't be too hard (famous last words) to get it working for the next image.

Pisugar should work to power the V2 boards, but the programmable button will not work and plugins will not be able to get battery info, due to the changed pins. Internally the "PG" pins that were connected to physical pins 3 and 5 now seem to be connected to the Broadcom bluetooth chip. GPIO 3 and 5 are now "PI" pins. The stock DTB file has definitions for i2c4-ph and i2c4-pg, but not one for i2c4-pi. The custom dtb overlay that enables i2c on the v1 boards enables the already defined i2c5-pg interface. Fixing this is another goal for the next image.

("PG" and "PI" refer to different sets of pins on the H618 processor chip itself. Bananapi changed a few of the connections between the processor and the GPIO header, so a few things need to be updated to deal with both layouts. next image.)

Both boards

RNDIS

RNDIS should work on either board. It is configured with NetworkManager during the first boot in /etc/rc.local. /etc/rc.local gets moved to /etc/rc.local.FIRSTBOOT and the "original" is put in place at the end, so you can see what it did.

USB Ethernet

If you have a usb ethernet dongle attached on the first boot, it should enable it for DHCP. If you attach one later, and it does not automatically connect, you can run "sudo /usr/bin/fix_pwny_ethernet.sh" and it will create a /etc/network/interfaces.d file for the interface and set it up. This probably should be done in NetworkManager instead next time.

Networking is managed by NetworkManager/nmcli

The wifi interface used by pwnagotchi is added to /etc/NetworkManager/NetworkManager.conf as unmanaged. You can use nmcli to configure USB wifi dongles to connect to your home network. How to is beyond the scope of this README ;)

pwnlib modifications

pwnlib has been changed to set variables for the WIFI interface and MONitor interface. PWNY_WIFI_IFACE is the name of the device in "managed" mode (wlan0 on m4zerov2). PWNY_MON_IFACE is the name of the device in monitor mode (wlan0mon on m4zerov2). start_monitor_interface and stop_monitor_interface have two different methods of enabling monitor mode. airmon-ng is used on the old m4zeros (using iw hangs the system). iw is used for the v2 boards, because airmon-ng does not do it. The device name on old m4zero is "wlxLONGHEXVALUE", and is unique per device.

On first boot, /usr/bin/fix_pwny_iface.sh runs and figures out what the correct interface is, and edits /usr/bin/pwnlib and /etc/pwnagotchi/config.toml to set them up. Bettercap and pwngrid launchers use the pwnlib variables to pass the interface names to bettercap and pwngrid, so changing pwny to use an external device requires fewer edits.

If you want to use an external for pwning, it is easier to do now. Here's some hints.

  • First figure out how to get the device into monitor mode. Try "sudo airmon-ng start ifacename". If that fails, try the "iw dev" lines in start_monitor_interface in pwnlib. Use the interface name instead of ${PWNY_WIFI_IFACE} and "wlan0mon" (or similar) instead of ${PWNY_MON_IFACE}. Run "iwconfig" to verify that the device has "Mode:Monitor".
  • Note the monitor interface name, if it changed (airmon-ng may change it, or if you use iw and set it to "wlan0mon").
  • Edit /usr/bin/pwnlib and fix start/stop_monitor_iface to uses the correct method for your interface (probably by adjusting the 'if' conditions)
  • Edit /usr/bin/pwnlib and put the name of the wifi interface before monitor mode into PWNY_EXT_WLAN at the top.
  • Edit /etc/pwnagotchi/config.toml and put the monitor mode iface name in as main.iface, like main.iface = "wlan0mon"
  • Edit /etc/NetworkManager/NetworkManager.conf and add a line in the [keyfile] section to make it ignore the device, like (or add to the bottom if there is no [keyfile] section):

[keyfile]
unmanaged-devices=interface-name:wlx8675309

  • Bonus: if you want to use the internal interface for joining networks, remove the "unmanaged-devices" line for it, then configure with nmcli.

  • SUPER CRAZY BONUS: if you have a USB dongle that you know works with airmon-ng, it MIGHT JUST WORK on a V2 m4zero if you have it plugged in during the first boot. I have not tested this because I do not have a good dongle, but I think it will work. The V2 boots up as a "V1", and if it does not find a wifi device, it enables the "V2" overlay and reboots. But if it DOES find your usb dongle in /sys/class/net, it will run fix_pwny_iface.sh, which will use airmon-ng to put it into monitor mode, then configure pwnlib and config.toml, then restart bettercap, pwngrid and pwnagotchi. Please let me know if you try this, especially if it works.

  • if it does work, and you want to enable the internal wifi (for not pwning), run sudo sed -i.ORIG 's/overlays=\ *i2c4-pg/overlays=bananapi-m4-sdio-wifi-bt/' /boot/armbianEnv.txt

/boot partition is VFAT

This image has a separate /boot partition, like the raspberry pi images. Unlike raspberry pi images, my Mac does not mount the boot partition when I plug the card in. Disk Utility can see the two partitions, but it does not recognize it as mountable. I don't know what the deal is with that. Eventually I want to set it up with /boot/handshakes on the FAT partition, so you could go pwning, then come home pop the card out of the pwny and have easy access to the handshakes on any system. For now it is a waste of 1G of the SD card. ;)

Default logins

For ssh, the username is pwnagotchi and the password is pwny1234

For pwnagotchi webUI, username is pwny and the password is pwny1234. pwnagotchi has sudo privileges.

Quirks

  • root password is "1234" the first time you log in as root. Just found this now. It will take you through the "choose a shell, add pi user, etc". After that, the root password is "pwny1234". I set that up with /root/.not.logged.in.yet as described here, https://docs.armbian.com/User-Guide_Autoconfig/ but I must have left too many things blank.
  • I2C has transient errors. Disable pisugar automatic shutdown (in the plugin and in the pisugar interface), because it will automatically shutdown randomly. Also it gets phantom presses on the pisugar button. I would not assign a command to single click, because it will randomly trigger. Long press and Double press are probably a lot less likely to false trigger.
  • pwnagotchi version number hasn't changed. It is still using this fork for the pwnagotchi code. It does not have the "-wizard" and some other features from jayofelony version, but the pwning is the same.

Files are timestamped. Get the highest number if there are multiple. Still buggy on V2. I will upload another one tomorrow.

  • 202411202155 - first one. probably ok on V1, but does not initialize correctly on V2.
    - 202411210148 - Better, but V2 will still probably not pwn after its first/re-boot, because it gets created as "mon0" for.... reasons... probably. Reboot it after it is all "done" and it seems to come up correctly. If you can't ssh into it over RNDIS or ethernet, 5 minutes is much longer than should take, so power cycle it after 5 minutes and it should come up correctly from then on.

    • V1 should be fine still.

  • 202411212313 - works, but reloads brcmfmac too aggressively.

  • 202411220135 - This one booted, then rebooted into pwning with RNDIS up on my V2 bananapi. This one fixes the "needs to be rebooted" problem from the previous image. RNDIS is on the OUTER usb-c port, not the normal "data" port.

Assets 5
Loading