A high-performance, universal Nexmon userspace library for Broadcom Wi-Fi chips — supporting both AArch64 (Samsung S10/S21+, modern phones) and ARMHF (TicWatch Pro/Pro3, Raspberry Pi).
This library intercepts system calls via LD_PRELOAD to enable monitor mode, frame injection, and channel switching on Nexmon-patched Broadcom chips. It works with both bcmdhd (Samsung) and brcmfmac (TicWatch/RPi) kernel drivers, automatically detecting the correct injection method at runtime.
| Device | Chip | Driver | Arch | Injection Method |
|---|---|---|---|---|
| Samsung S10/S21+ | BCM4375b1 | bcmdhd | aarch64 | NEX_INJECT_FRAME IOCTL |
| TicWatch Pro/Pro3 | BCM43436b0 | brcmfmac | armhf | Raw socket → wl_send_hook |
| Raspberry Pi (64-bit) | Various | brcmfmac | aarch64 | Raw socket → wl_send_hook |
| Raspberry Pi (32-bit) | Various | brcmfmac | armhf | Raw socket → wl_send_hook |
| Tool | Use Case | Auto-Delay |
|---|---|---|
| Reaver / Bully | WPS attacks | 5ms |
| hcxdumptool | PMKID/Handshake capture | 10ms |
| aireplay-ng | Deauth / Injection | 15ms |
| Kismet | Scanning / Monitoring | 20ms |
| airodump-ng | Channel hopping / Scanning | 40ms |
| All others | General use | 70ms (safe) |
Hooks all major packet transmission syscalls: write(), sendto(), sendmsg(), send(), sendmmsg(). On bcmdhd devices, frames are routed through NEX_INJECT_FRAME IOCTL. On brcmfmac devices (TicWatch/RPi), frames pass through to the kernel where the firmware's wl_send_hook handles injection.
On init, the library probes /sys/module/brcmfmac/ and /sys/module/bcmdhd/ to determine which driver is loaded and selects the correct injection method. Falls back to architecture-based defaults (armhf → raw socket, aarch64 → IOCTL).
Forces WLC_SET_PM=0 (Constantly Awake Mode) to prevent the chip from sleeping during EAPOL handshakes. Promiscuous mode (WLC_SET_PROMISC=1) is enforced after every channel change.
Inspects /proc/self/comm to detect the running tool and automatically sets the optimal injection delay. Can be overridden with the NEXMON_DELAY environment variable.
Re-enforces wake and promiscuous state after every channel change. For Kismet and hcxdumptool, periodic stability enforcement runs every 50 injected frames.
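The driver probing, tool detection and delay selection described above, as an added example written for this page (it is not libnexmonkali's own code). Assumptions not taken from the README: the function names, the `sysroot` parameter (present only so the probe can be pointed at a fake tree offline instead of `/sys`), and the conversion of the per-tool millisecond table into the nanosecond unit the `NEXMON_DELAY` variable documents. Actual frame injection is left out because its ioctl layout is not on this page.

```c
/* Added example: runtime decisions of an LD_PRELOAD Nexmon shim, as plain
 * functions. Not taken from libnexmonkali; names and the sysroot parameter
 * are assumptions made for this example. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>

enum inject_method { INJECT_IOCTL = 1, INJECT_RAW_SOCKET = 2 };

/* Pure decision: bcmdhd -> NEX_INJECT_FRAME ioctl, brcmfmac -> raw socket,
 * neither -> architecture default (aarch64 -> ioctl, otherwise raw socket). */
enum inject_method choose_inject_method(int have_bcmdhd, int have_brcmfmac)
{
    if (have_bcmdhd)
        return INJECT_IOCTL;
    if (have_brcmfmac)
        return INJECT_RAW_SOCKET;
#if defined(__aarch64__)
    return INJECT_IOCTL;
#else
    return INJECT_RAW_SOCKET;
#endif
}

static int dir_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Probe <sysroot>/module/<driver>; with sysroot "/sys" this is the
 * /sys/module/bcmdhd and /sys/module/brcmfmac check the README describes. */
enum inject_method detect_inject_method(const char *sysroot)
{
    char path[512];
    snprintf(path, sizeof path, "%s/module/bcmdhd", sysroot);
    int have_bcmdhd = dir_exists(path);
    snprintf(path, sizeof path, "%s/module/brcmfmac", sysroot);
    int have_brcmfmac = dir_exists(path);
    return choose_inject_method(have_bcmdhd, have_brcmfmac);
}

/* Auto-delay table from the README, in milliseconds, keyed on the process
 * name as it appears in /proc/self/comm. Unknown tools get the safe 70 ms. */
long delay_ms_for_comm(const char *comm)
{
    static const struct { const char *name; long ms; } table[] = {
        { "reaver", 5 }, { "bully", 5 }, { "hcxdumptool", 10 },
        { "aireplay-ng", 15 }, { "kismet", 20 }, { "airodump-ng", 40 },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(comm, table[i].name) == 0)
            return table[i].ms;
    return 70;
}

/* /proc/self/comm holds at most 15 characters plus a newline (TASK_COMM_LEN 16),
 * so tools with long binary names arrive truncated; the names above all fit. */
int read_self_comm(char *buf, size_t n)
{
    FILE *f = fopen("/proc/self/comm", "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)n, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* NEXMON_DELAY, when set to a non-negative integer, wins over auto-detection.
 * Assumption: the variable is in nanoseconds (as the README's table states),
 * so the millisecond table is scaled to match. */
long resolve_delay_ns(const char *env_value, const char *comm)
{
    if (env_value && *env_value) {
        char *end;
        long v = strtol(env_value, &end, 10);
        if (*end == '\0' && v >= 0)
            return v;
    }
    return delay_ms_for_comm(comm) * 1000000L;
}

/* Sleep after each injected frame; 0 means no delay. */
void inject_delay(long ns)
{
    if (ns <= 0)
        return;
    struct timespec ts = { ns / 1000000000L, ns % 1000000000L };
    nanosleep(&ts, NULL);
}

/* Periodic stability enforcement: for Kismet and hcxdumptool, PM=0 and
 * promiscuous mode are re-applied every 50 injected frames. */
int needs_periodic_enforce(const char *comm, unsigned long frames_sent)
{
    if (strcmp(comm, "kismet") != 0 && strcmp(comm, "hcxdumptool") != 0)
        return 0;
    return frames_sent > 0 && frames_sent % 50 == 0;
}

int main(void)
{
    char comm[32] = "unknown";
    read_self_comm(comm, sizeof comm);
    enum inject_method m = detect_inject_method("/sys");
    long ns = resolve_delay_ns(getenv("NEXMON_DELAY"), comm);
    printf("comm=%s method=%s delay=%ld ns\n", comm,
           m == INJECT_IOCTL ? "NEX_INJECT_FRAME ioctl" : "raw socket", ns);
    return 0;
}
```

Run it as a normal binary to see what a shim loaded into the current process would decide; in a real LD_PRELOAD library the same calls would sit in a constructor and the delay would be applied after each hooked send.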
- Fakes NL80211_CMD_SET_INTERFACE success (prevents "can't set monitor mode" errors)
- Suppresses EOPNOTSUPP/EINVAL netlink errors on read (prevents tool abort)
- Forces SIOCSIWMODE success for Kismet's legacy monitor mode path
Set NEXMON_IFACE environment variable to override the default wlan0 interface name.
- Cross-compiler: aarch64-linux-gnu-gcc and/or arm-linux-gnueabihf-gcc
- libnl3 development headers: apt install libnl-3-dev libnl-genl-3-dev
```bash
# For Samsung S10/S21+ and modern 64-bit devices
make aarch64
# For TicWatch Pro/Pro3 and 32-bit ARM devices
make armhf
# Install globally (copies to /usr/lib/ and /usr/bin/)
sudo make install
```
Enable monitor mode on the interface first:
```bash
nexutil -m2   # or: nexutil -s0x613 -i -v2
```
Option A: Single Command (Recommended)
```bash
# Auto-detect speed (let library choose optimal delay per tool)
nxsp 0 reaver -i wlan0 -b <BSSID> -c <CH>
# Manual delay override (e.g., 15ms)
nxsp 15 mdk4 wlan0 d
```
Option B: Shell Mode
```bash
# Enter Nexmon shell (smart auto-detect per tool)
nxsp load
# Run tools — each tool gets its own optimal delay automatically
reaver -i wlan0 ...
airodump-ng wlan0
# Exit
exit
```
Option C: Direct LD_PRELOAD
```bash
NEXMON_DELAY=0 LD_PRELOAD=/usr/lib/libnexmonkali.so reaver -i wlan0 ...
```
| Variable | Default | Description |
|---|---|---|
| NEXMON_DELAY | Auto-detect | Injection delay in nanoseconds (0 = no delay) |
| NEXMON_IFACE | wlan0 | Override interface name |
This software is for educational purposes and authorized security auditing only. The authors are not responsible for any misuse or damage caused by this software. Ensure you comply with all local laws and regulations regarding radio transmission and network security.
- Original Work: Nexmon Team
- Inspiration & Motivation: yesimxev
- Original Library: RoninNada
- S10 Optimization & Fork: qazianwar222