For all BananapiM4Zero - Both versions!

Massive updates

Now supporting both versions (lol) of the Banana Pi M4 Zero: original with Realtek 8821CU, and the new ones with the Broadcom 43455 wifi. RNDIS is working, tested against latest MacOS and Windows 10. The image is based on Armbian 24.11.0, Debian bookworm "current" branch, Linux Kernel 6.6.54

Original M4zero

The original m4zero is "fully" supported, with reliable wifi, working bluetooth, Pisugar I2C (mostly) and GPIO support for some/most screens in pwnagotchi (tested with displayhatmini. waveshare_2/3/4 should work, too. Others may work, or may need edits to pick a different SPI device). Displayhatmini required an edit to the main DTB to change one of the SPI pins that the DHM uses differently.

I2C on pins 3 & 5 has been tested with a Pisugar 3. Pisugar 2 probably works, since it uses the same pins (edit the plugin file to change from i2c bus 1 to bus 4). This required a custom DTB overlay "i2c4-pg", which is a modified copy of the stock i2c4-ph. There are transient errors on that i2c bus, so reads sometimes fail. I have modified the pisugar3 plugin to try a few times until it gets a value, and it seems pretty decent. Turn off "shutdown on low battery", because the transient fails end up returning "0%" and will trigger shut down randomly. The plugin also tries to track how long since you plugged in or unplugged, but that timer gets reset sometimes due to bad reads. The BAT display rotates between voltage, capacity%, battery temperature, and battery timer.

M4zero V2

The V2 boards are new, and not fully supported. Headless pwning works. The first boot for the new board includes a reboot to enable the dtb overlay that activates the "new" wifi chip. After it reboots, it should come up pwning in a minute or so.

The V2 has the same Wifi chip as a Raspberry Pi 4, and uses the nexmon driver to get monitor mode. This has the same drawbacks as nexmon on the pi 4. It might not really send deaths. It does eventually go "blind" due to a driver crash, especially if it is deauthing. Deauths are DISABLED by default. It dumps kernel errors in the console. Reloading the driver fixes it sometimes. The fix_brcmf_plugin.py is an old version of the fix_services.py plugin in Jayofelony pwnagotchi. It is disabled by default, because I have not done a lot of testing with it. It might work, but it may be overaggressive and reset when it isn't needed. In config.toml, you can change personality.throttle_an and throttle_d to adjust the delay after the attacks to slow it down and maybe crash less.

New in agent.py: You can also set personality.assoc_prob and personality.deauth_prob (in config.toml) to a value between 0.0 and 1.0, as a probability of performing the attack at the time of each attack. So if there are 10 clients on an AP, and you set deauth_prob to 0.1, it will probably only deauth one of them each epoch, instead of all 10 every time, and might not go as blind. This has not been fully tested, but doesn't break anything.

V2 boards do not have working bluetooth. "No default controller".

GPIO/displays are not yet supported on V2, due to changes in the GPIO pin mapping. On the plus side, someone has made lgpio, RPi:GPIO and WiringPi packages that support the new layout, so it shouldn't be too hard (famous last words) to get it working for the next image.

Pisugar should work to power the V2 boards, but the programmable button will not work and plugins will not be able to get battery info, due to the changed pins. Internally the "PG" pins that were connected to physical pins 3 and 5 now seem to be connected to the Broadcom bluetooth chip. GPIO 3 and 5 are now "PI" pins. The stock DTB file has definitions for i2c4-ph and i2c4-pg, but not one for i2c4-pi. The custom dtb overlay that enables i2c on the v1 boards enables the already defined i2c5-pg interface. Fixing this is another goal for the next image.

("PG" and "PI" refer to different sets of pins on the H618 processor chip itself. Bananapi changed a few of the connections between the processor and the GPIO header, so a few things need to be updated to deal with both layouts. next image.)

Both boards

RNDIS

RNDIS should work on either board. It is configured with NetworkManager during the first boot in /etc/rc.local. /etc/rc.local gets moved to /etc/rc.local.FIRSTBOOT and the "original" is put in place at the end, so you can see what it did.

USB Ethernet

If you have a usb ethernet dongle attached on the first boot, it should enable it for DHCP. If you attach one later, and it does not automatically connect, you can run "sudo /usr/bin/fix_pwny_ethernet.sh" and it will create a /etc/network/interfaces.d file for the interface and set it up. This probably should be done in NetworkManager instead next time.

Networking is managed by NetworkManager/nmcli

The wifi interface used by pwnagotchi is added to /etc/NetworkManager/NetworkManager.conf as unmanaged. You can use nmcli to configure USB wifi dongles to connect to your home network. How to is beyond the scope of this README ;)

pwnlib modifications

pwnlib has been changed to set variables for the WIFI interface and MONitor interface. PWNY_WIFI_IFACE is the name of the device in "managed" mode (wlan0 on m4zerov2). PWNY_MON_IFACE is the name of the device in monitor mode (wlan0mon on m4zerov2). start_monitor_interface and stop_monitor_interface have two different methods of enabling monitor mode. airmon-ng is used on the old m4zeros (using iw hangs the system). iw is used for the v2 boards, because airmon-ng does not do it. The device name on old m4zero is "wlxLONGHEXVALUE", and is unique per device.

On first boot, /usr/bin/fix_pwny_iface.sh runs and figures out what the correct interface is, and edits /usr/bin/pwnlib and /etc/pwnagotchi/config.toml to set them up. Bettercap and pwngrid launchers use the pwnlib variables to pass the interface names to bettercap and pwngrid, so changing pwny to use an external device requires fewer edits.

If you want to use an external for pwning, it is easier to do now. Here's some hints.

• First figure out how to get the device into monitor mode. Try "sudo airmon-ng start ifacename". If that fails, try the "iw dev" lines in start_monitor_interface in pwnlib. Use the interface name instead of ${PWNY_WIFI_IFACE} and "wlan0mon" (or similar) instead of ${PWNY_MON_IFACE}. Run "iwconfig" to verify that the device has "Mode:Monitor".
• Note the monitor interface name, if it changed (airmon-ng may change it, or if you use iw and set it to "wlan0mon").
• Edit /usr/bin/pwnlib and fix start/stop_monitor_iface to uses the correct method for your interface (probably by adjusting the 'if' conditions)
• Edit /usr/bin/pwnlib and put the name of the wifi interface before monitor mode into PWNY_EXT_WLAN at the top.
• Edit /etc/pwnagotchi/config.toml and put the monitor mode iface name in as main.iface, like main.iface = "wlan0mon"
• Edit /etc/NetworkManager/NetworkManager.conf and add a line in the [keyfile] section to make it ignore the device, like (or add to the bottom if there is no [keyfile] section):

[keyfile]
unmanaged-devices=interface-name:wlx8675309

• Bonus: if you want to use the internal interface for joining networks, remove the "unmanaged-devices" line for it, then configure with nmcli.

• SUPER CRAZY BONUS: if you have a USB dongle that you know works with airmon-ng, it MIGHT JUST WORK on a V2 m4zero if you have it plugged in during the first boot. I have not tested this because I do not have a good dongle, but I think it will work. The V2 boots up as a "V1", and if it does not find a wifi device, it enables the "V2" overlay and reboots. But if it DOES find your usb dongle in /sys/class/net, it will run fix_pwny_iface.sh, which will use airmon-ng to put it into monitor mode, then configure pwnlib and config.toml, then restart bettercap, pwngrid and pwnagotchi. Please let me know if you try this, especially if it works.

• if it does work, and you want to enable the internal wifi (for not pwning), run sudo sed -i.ORIG 's/overlays=\ *i2c4-pg/overlays=bananapi-m4-sdio-wifi-bt/' /boot/armbianEnv.txt

/boot partition is VFAT

This image has a separate /boot partition, like the raspberry pi images. Unlike raspberry pi images, my Mac does not mount the boot partition when I plug the card in. Disk Utility can see the two partitions, but it does not recognize it as mountable. I don't know what the deal is with that. Eventually I want to set it up with /boot/handshakes on the FAT partition, so you could go pwning, then come home pop the card out of the pwny and have easy access to the handshakes on any system. For now it is a waste of 1G of the SD card. ;)

Default logins

For ssh, the username is pwnagotchi and the password is pwny1234

For pwnagotchi webUI, username is pwny and the password is pwny1234. pwnagotchi has sudo privileges.

Quirks

• root password is "1234" the first time you log in as root. Just found this now. It will take you through the "choose a shell, add pi user, etc". After that, the root password is "pwny1234". I set that up with /root/.not.logged.in.yet as described here, https://docs.armbian.com/User-Guide_Autoconfig/ but I must have left too many things blank.
• I2C has transient errors. Disable pisugar automatic shutdown (in the plugin and in the pisugar interface), because it will automatically shutdown randomly. Also it gets phantom presses on the pisugar button. I would not assign a command to single click, because it will randomly trigger. Long press and Double press are probably a lot less likely to false trigger.
• pwnagotchi version number hasn't changed. It is still using this fork for the pwnagotchi code. It does not have the "-wizard" and some other features from jayofelony version, but the pwning is the same.

Files are timestamped. Get the highest number if there are mul...

One Banana Two Banana Three Banana M4Zero!

Another pwnagotchi build for bananapim4zero. This one is based on Armbian-build, and is Armbian 24.11.0 with linux kernel 6.6.44.

Still based on my repo, so none of the new jayofelony stuff (wizard, lots of new screens, etc). I have not figured out GPIO/screens yet on Armbian, so this one is headless.

Stable_baselines3 has been reverted to version 1.8.0, so the AI works. The 2.0.0 and higher version have some dependencies that break the backwards compatibility that pwnagotchi was depending on with the port to torch/sb3.

But the build process seems to be working on Armbian, so future builds should be easier (at least for a while)

**** Fixed a bug where it was using the wrong wifi driver.
Bananagotchi-Armbian_24.11.0-trunk_Bananapim4zero_bookworm_current_6.6.44.img.xz is the new image file. If you have the other image, and it is not getting handshakes, edit /etc/modprobe/blacklist-bananapim4zero.conf, uncomment the first two lines (remove the #) and comment out the 3rd line (put a # in the front). The file should look like:

blacklist rtw88_8821c
blacklist rtw88_8821cu
#blacklist 8821cu

Another try, basically the same as last time. But it should boot this time.

I fixed the missing "\" in pwnlib, so the startup configures things properly. I tested this one, until it worked. then flashed this image to an SD and booted it up and didn't do anything but watch and it worked. Well, the first boot (after the disk-expansion, then reboot) didn't. I had to power cycle it once because it came up blind. But it has worked every time since then.

This is pretty much the same as last time. Most of the changes were in the build, and not in the repo. I'm not sure how to do it. A fork of Debian-image-build? Do I make d-i-b a sub-repo, or whatever? I don't know these things. This one has all the "hand fixes" incorporated into the build. Except for editing the /etc/modprobe.d/blacklist-bananapim4zero.conf. It was booting up using the wrong wifi driver, and pwngrid wasn't pwngridding. Unblocking the rtw88_8821cu driver fixed it. I think I fixed it in the build, too, but it's late and I don't want to wait for another build (<15 minutes, then another 5 for pishrink).

• config.toml is not in /boot this time. It is in /etc/pwnagotchi so fix_pwny_iface.sh can modify it on first boot, which happens before pwnagotchi moves it from /boot. I suppose I could do that in the script. Maybe next time. If you replace config.toml, be sure to copy the "main.iface" setting from the one it generates, or run "fix_pwny_iface.sh" again

• built on the latest debian-image-build, "git pull"ed just a few hours ago. I think they must have fixed the usb issues. 99% of the time this works every time [sample size of about 10 boots, margin of error 9%]. It "might" be blind on first boot, but subsequent boots seem to work. Reboots maybe not. Ugh.

So slightly better than last time.

There was a bad upload. The "-SDCARD" version is bad. "-NEW" is the right one.

bananapwnm4zero-2.1.1b1 pwn in venv

Another banana for the bunch. This one runs pwnagotchi in a venv. To activate it in your shell, run source ~pwnagotchi/.venv/bin/activate. DTC changes are being applied as part of the build. One to disable UART5, which conflicts with some display hat mini pins, and the main one which remaps one of the SPI pins to not conflict with OPi.GPIO.

Login as user pwnagotchi password pwny1234

venv moves all of the pwnagotchi python dependencies into ~pwnagotchi/.venv/lib/python... instead of /usr/lib and /usr/local/lib. This should make pwnagotchi safe from "apt update/upgrade". it will always uses its own version of numpy, etc, no matter what its in the apt repositories. This should make it easier to integrate other things, like Wall of Flippers, or Angry Oxide, that may need other versions.

Known issues:

• pwnkill does not work. I don't know what changed, but "killall" does not recognize the python process as "pwnagotchi" anymore.
• user pwnagotchi has wrong shell (/bin/sh). Run "chsh", enter the password, and change the shell to "/usr/bin/bash"
• ifconfig not in pwnagotchi PATH. edit .bashrc and add PATH=$PATH:/sbin:/usr/sbin
• wifi did not come up properly on one of my bananapis. Not sure if it's a hardware thing or usb thing. Kinda seeming like its that one board.
• wlan0 is missing sometimes when it boots. Super annoying. (I'll check debian-image-build differences. bananapwny-hydra uses an earlier debian-image-build, and I did not notice this issue on it.)
• no EMMC version in this build yet

Future Ideas:

• instead of modifying the main dtb, create a .dtbo that just changes the spi pins. Anyone know how to do that? :)
• make SPI device configurable, probably with environment variable, or maybe pass through display initializer.
• pwny-hydra

bpwn-m4zero

First version of a bananapim4zero pwnagotchi image. Based off the BPI Debian bullseye image. Added libpcap1.9, bettercap, pwngrid, and pwnagotchi.

DTB change

The image has a modified /boot/dtb/allwinner/sun50i-h618-bananapi-m4zero.dtb to support the Pimoroni display hat mini. The MOSI (or MISO?) data pin from the display back to the bpi was remapped, since displays don't really send data back. The pimoroni uses that pin for a different function and was conflicting. "PH8" is the original pin. "PC4" is used for the same purpose on another SPI interface that pwnagotchi doesn't use, so I chose to remap it to that pin, leaving PH8 as an "unused" GPIO pin. The original DTB is backed up in the same directory, if you want to compare, you can do something like:

$ dtc -I dtb -O dts -o ~/original.dts /boot/dtb/allwinner/sun50i-h618-bananapi-m4zero.dtb.ORIG
...[lots of warnings]...
$ dtc -I dtb -O dts -o ~/modified.dts /boot/dtb/allwinner/sun50i-h618-bananapi-m4zero.dtb
...[lots more warnings]...
$ diff original.dts modified.dts 
527c527
< 				pins = "PH6\0PH7\0PH8";
---
> 				pins = "PH6\0PH7\0PC4";

GPIO

Also running a modified version of OPi.GPIO (https://github.com/Sniffleupagus/OPi.GPIO/tree/BPIm4zero) to support banana pi m4zero pin mappings. Tested with waveshare v2 and v3, and Pimoroni display hat mini. Other displays may work. The files in pwnagotchi/ui/hw associated with the display will need to be edited and changed to SPIDev(1,1,...). If they do not work with that change, there may be other changes needed in the dtb file. Let me know by raising an Issue.

I'm making progress on BPI's version of the compiled RPi.GPIO, which should bring PWM modulation for the display hat mini backlight, and maybe better gpio performance. OPi.GPIO only supports hardware PWM channels, and the bananapi PWM pins do not coincide with the display hat mini backlight.

RNDIS

RNDIS works. It’s on the outermost usbc port, not the inner one.

.You will probably need an HDMI monitor and USBC-A adapter to connect a keyboard (or an usb-c keyboard, I suppose) to do initial set up. If you know how to get RNDIS working, please let me know in an Iss

I used a usb hub+ethernet to connect my keyboard. The usb ethernet did not get DHCP. I had to copy /etc/network/interfaces.d/eth0-cfg to /etc/network/interfaces.d/MYETHERNETDEVICE-cfg (substitute the actual device name), and edit the file to replace eth0 with my device name. Next time I plugged in the dongle it got an IP from my router and I could ssh to it.

SSH is enabled. Default hostname is bpwn-m4zero, user pi, password pwny1234
Also user pwnagotchi, password pwny1234

pwngrid log is in ~pwnagotchi/log/
pnwagotchi log will probably move there in the future, but for now it is still in /var/log/pwnagotchi.log

pwngrid does not do advertising/peers/mesh. It will connect with opwngrid and do pwnmail, but it does not do the hacked-beacon mesh peering thing. The driver for the built-in wifi does not support the IOCTL needed for it. Maybe another driver. Maybe USB dongle. Or maybe it's not that critical of a feature.

webUI is http://bpwn-m4zero:8080 changeme/changeme

Default config is for Pimoroni display hat mini. If you have one, try it out (it's in color) If you do not have a display hat mini connected, pwnaogtchi will fail to start. In that case, you will need to edit /etc/pwnagotchi/config.toml to either change the type or disable the display.

Touch_UI is broken since there is no touchscreen (yet). Delete /usr/local/share/pwnagotchi/custom_plugins/Touch_UI.py if it becomes problematic. For example, Enable_assoc and enable_deauth will create useless buttons instead of toggling associations and deauths.

First boot takes 10 minutes

Oh yeah. The first boot takes a LONG TIME. It boots and expands the filesystem, but then it seems stuck for a while. Sometimes it doesn't actually boot. Check for the red blinking light. if it isn't on, power cycle.

I watched the fresh image boot up with HDMI plugged into my TV. The expansion goes ok, then it hangs on seemingly random services shutting down. It took a little over 10 minutes, but it did eventually reboot and start up pwnagotchi.

On the second boot a "one time" /etc/rc.local runs /usr/bin/fix_pwny_iface.sh. Then rc.local moves itself out of the way, and puts back the original one that "does nothing"

Easy Wifi Device setup

The fix_pwny_iface.sh script stops the pwnagotchi services, figures out what the built in wifi and monitor devices are named (I'll give you a hint. it isn't "wlan0" and "mon0"), and edits default.toml, config.toml, and pwnlib to set them up for the device. Then it restarts the services. Pwnagotchi should go right into "Generating keys", which goes pretty quickly on the bpi-m4zero. After that it should start pwning.

The fix_pwny_iface.sh script can also be used to change pwnagotchi to use a USB wifi dongle, if you so desire. Instructions are in the script. It will not work on other pwnagotchi distributions yet. It needs modifications to /usr/bin/pwnlib, bettercap-launcher, and pwngrid-launcher to lookup devices and use variables instead of hard coded device names.

I used my test bpi-m4zero for the last two weeks with a display hat mini, pisugar3 and gpio-uart GPS. It seems pretty stable. Wifi and bluetooth have pretty good range with a small external antenna attached. The banana m4zero runs hotter than my other pwny's. I underclocked mine by editing /etc/default/cpufrequtils, but it still gets hot (>70C) when enclosed. I have aluminum heatsinks on all 3 chips. Mine overheated (>80C) in my pocket and devices stopped working. It worked again the next day.

The pwnagotchi code running on this image is actually the master branch with some hand edits. I made the edits on my test device to get it working. After building the image with packer/ansible using the build files in this (not master) branch, I copied the edited files from the test device into the mounted image before shrinking and uploading. Edited files include (but not necessarily limited to): /usr/bin/{pwnlib, bettercap-launcher, pwngrid-launcher}, ...pwnagotchi/ui/hw/displayhatmini.py, ui/hw/libs/pimoroni/displayhatmini/ST7789.py, ui/hw/libs/waveshare/v2/waveshare.py, waveshare/v3/epdconfig.py. That's most of them, anyway.

Plugin Event Queues

This version has a new version of pwnagotchi/plugins/__init__.py that uses an event queue to handle plugin events in a single thread per plugin instead of spawning new threads for every new event. It logs more plugin errors than the previous version. If you find some plugins are incompatible or don't work quite right, please let me know in an issue. Possibly solves the "unable to spawn new thread" that eventually happens with gps_more and other plugins with lots of events.

UI uses all default settings. I highly recommend the tweak_view plugin to move, resize and colorize everything.

Bug fixes in this image

• ST7789.py does not depend on rpi_hardware_pwm
• displayhatmini and waveshare v2, v3 use SPIDev(1,1)
• gym and shimmy python packages required
• python3-prctl apt package installed for thread naming
• plugins/init.py event queue updated to handle old plugins better
• fix_pwny_ethernet.sh runs on first boot to set up /network/interfaces.d/*-cfg files for any ethernet it finds
• fix_pwny_iface.sh runs on first boot to pick "correct" internal wifi device name for monitor mode, puts in default.toml and pwnlib
• disable-uart0 overlay added, but ttyS0 getty still seems to start somehow
• bluetooth.service does not have extra "ExecStart"

bananapwnm4zero-2.0.1b0-EMMC.img.xz is suitable for writing to the EMMC on the bananapi. It does not expand the filesystem to fill the card, and should boot into pwnagotchi face "Generating keys" in about a minute.

For SD card, use bananapwnm4zero-2.0.1b0-SDCARD.img.xz (uploading now, if not yet visible) and it will expand to fill the card on first boot, then reboot into pwnagotchi. First boot could take 10 minutes, then it should take about a minute to get to a face after the reboot.

Second image

Big upgrade. This image has been test on Raspberry Pi Zero w, Zero 2W, and a 4B. It should work on a 3B, too. Tested with Pimoroni Display Hat Mini and Waveshare 2.13 e-paper.

The default configuration expects a display hat mini, but will probably still work without a display.

If you are using a backup of an existing pwnagotchi, you will probably have to delete the /root/brain.nn file, because the neural network will be different. This one uses a different neural network backend.

If you use this with an existing pwnagotchi config.toml, it should work, but there are some differences. If it does not get into AI mode, please look for "ai.params.alpha", "ai.params.epsilon" and "ai.params.lr_schedule" from your config.toml and see if that fixes it.

There was a bug where rc.local would go into an infinite loop and use up 100% of cpu. It should be gone on this one.

Known bugs:

• some plugins are "invisible" because their foreground color did not get set correctly. This version adds some changes to try to support color screens. It does it by changing "view.BLACK" and "view.WHITE", which are used for foreground and background colors in the plugins. It seems like the plugins only check the colors on initialization, and when they are changed it does not propagate. WORKAROUND is to use tweak_view plugin to assign a visible color to those items. There's got to be a way.
• pwnagotchi may try to change to "disabled" channels (like 12,13,14 in the US), generating error messages in /var/log/syslog. It also might cause false positives with the fix_brcmfmac plugin, leading to lots of driver reloads and blindness. Disable that plugin for now. Next version will probably get jayofelony's updated version.

First public test

The build built and worked on a pwnagotchi. Putting it up for others to try.

This image is for Raspberry Pi Zero W only. It does not have nexmon installed properly for the other boards (yet). Pwnagotchi is branched from original evil-socket version. This build uses torch and stable-baselines-3 AI backend instead of Tensor-flow and stable-baselines. Tested on waveshare 2.13 e-paper, waveshare 1.3" LCD, and Pimoroni display hat mini (with PWM backlight!).

It has the built-in plugins and a few that I made in the custom-plugins directory.

The main improvement over the original is in the AI startup speed, getting into AI mode in about 5 minutes instead of 20-30.

Please let me know about any problems by reporting an issue. Thanks!