HackTricksEnable NexMon Monitor Mode & Packet Injection on Android (Broadcom chips)
Reading time: 6 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the π¬ Discord group or the telegram group or follow us on Twitter π¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Overview
Most modern Android phones embed a Broadcom/Cypress Wi-Fi chipset that ships without 802.11 monitor mode or frame-injection capabilities. The open-source NexMon framework patches the proprietary firmware to add those features and exposes them through a shared library (libnexmon.so) and a CLI helper (nexutil). By pre-loading that library into the stock Wi-Fi driver, a rooted device can capture raw 802.11 traffic and inject arbitrary frames β eliminating the need for an external USB adapter.
This page documents a fast workflow that takes a fully-patched Samsung Galaxy S10 (BCM4375B1) as an example, using:
- NexMon Magisk module containing the patched firmware +
libnexmon.so - Hijacker Android application to automate monitor-mode toggling
- Optional Kali NetHunter chroot to run classic wireless tools (aircrack-ng, wifite, mdk4 β¦) directly against the internal interface
The same technique applies to any handset that has a publicly available NexMon patch (Pixel 1, Nexus 6P, Galaxy S7/S8, etc.).
Prerequisites
- Android handset with a supported Broadcom/Cypress chipset (e.g. BCM4358/59/43596/4375B1)
- Root with Magisk β₯ 24
- BusyBox (most ROMs/NetHunter already include it)
- NexMon Magisk ZIP or self-compiled patch providing:
/system/lib*/libnexmon.so/system/xbin/nexutil
- Hijacker β₯ 1.7 (arm/arm64) β https://github.com/chrisk44/Hijacker
- (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools
Flashing the NexMon patch (Magisk)
- Download the ZIP for your exact device/firmware (example:
nexmon-s10.zip). - Open Magisk -> Modules -> Install from storage -> select the ZIP and reboot.
The module copies
libnexmon.sointo/data/adb/modules/<module>/lib*/and ensures SELinux labels are correct. - Verify installation:
ls -lZ $(find / -name libnexmon.so 2>/dev/null) sha1sum $(which nexutil)
Configuring Hijacker
Hijacker can toggle monitor mode automatically before running airodump, wifite, etc. In Settings -> Advanced add the following entries (edit the library path if your module differs):
Prefix:
LD_PRELOAD=/data/user/0/com.hijacker/files/lib/libnexmon.so
Enable monitor mode:
svc wifi disable; ifconfig wlan0 up; nexutil -s0x613 -i -v2
Disable monitor mode:
nexutil -m0; svc wifi enable
Enable βStart monitor mode on airodump startβ so every Hijacker scan happens in native monitor mode (wlan0 instead of wlan0mon).
If Hijacker shows errors at launch, create the required directory on shared storage and reopen the app:
mkdir -p /storage/emulated/0/Hijacker
What do those nexutil flags mean?
-s0x613Write firmware variable 0x613 (FCAP_FRAME_INJECTION) β1(enable TX of arbitrary frames).-iPut interface in monitor mode (radiotap header will be prepended).-v2Set verbose level;2prints confirmation and firmware version.-m0Restore managed mode (used in the disable command).
After running Enable monitor mode you should see the interface in monitor state and be able to capture raw frames with:
airodump-ng --band abg wlan0
Manual one-liner (without Hijacker)
# Enable monitor + injection
svc wifi disable && ifconfig wlan0 up && nexutil -s0x613 -i -v2
# Disable and return to normal Wi-Fi
nexutil -m0 && svc wifi enable
If you only need passive sniffing, omit the -s0x613 flag.
Using libnexmon inside Kali NetHunter / chroot
Stock user-space tools in Kali do not know about NexMon, but you can force them to use it via LD_PRELOAD:
- Copy the pre-built shared object into the chroot:
cp /sdcard/Download/kalilibnexmon.so <chroot>/lib/ - Enable monitor mode from the Android host (command above or through Hijacker).
- Launch any wireless tool inside Kali with the preload:
sudo su export LD_PRELOAD=/lib/kalilibnexmon.so wifite -i wlan0 # or aircrack-ng, mdk4 β¦ - When finished, disable monitor mode as usual on Android.
Because the firmware already handles radiotap injection, user-space tools behave just like on an external Atheros adapter.
Typical Attacks Possible
Once monitor + TX is active you can:
- Capture WPA(2/3-SAE) handshakes or PMKID with
wifite,hcxdumptool,airodump-ng. - Inject deauthentication / disassociation frames to force clients to reconnect.
- Craft arbitrary management/data frames with
mdk4,aireplay-ng, Scapy, etc. - Build rogue APs or perform KARMA/MANA attacks directly from the phone.
Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-3 M pps RX).
Troubleshooting
Device or resource busyβ make sure Android Wi-Fi service is disabled (svc wifi disable) before enabling monitor mode.nexutil: ioctl(PRIV_MAGIC) failedβ the library is not pre-loaded; double-checkLD_PRELOADpath.- Frame injection works but no packets captured β some ROMs hard-block channels; try
nexutil -c <channel>oriwconfig wlan0 channel <n>. - SELinux blocking library β set device to Permissive or fix module context:
chcon u:object_r:system_lib_file:s0 libnexmon.so.
References
- Hijacker on the Samsung Galaxy S10 with wireless injection
- NexMon β firmware patching framework
- Hijacker (aircrack-ng GUI for Android)
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the π¬ Discord group or the telegram group or follow us on Twitter π¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.