Tutorial Time!

I see a lot of people looking for help in the announcement thread.
I think that thread should be left for ideas, testing and development. Not help.
I am going to list up all required help here.
Post required help here..

BUT! Only if you have read and do everything written here!

Don't skip a single step and you won't need help! I SWEAR!

Pre Stage:
xTerm and Type:

sudo apt-get moo

Without this: You can not gain Super Cow Powers!

First thing is first!
Open Package Manager and install "rootsh".
Install: Power kernel


sudo apt-get install python
sudo apt-get install aircrack-ng
sudo apt-get install nano
sudo apt-get install sudser
sudo apt-get install John (John the Ripper)

Main Parts!

Step 1:
Donate lxp for the wifi drivers to get the files.
You will receive the drivers. Or find these elsewhere.
or form here

Step 2:
When you received these (140MB'ish) drivers and downloaded them to (or copy) your MyDocs [N900], File = wl1251-maemo-0.1.tar.gz.

Step 3:
This is also in the Readme file

Open X Terminal

type the following commands to untar the file:

cd MyDocs
/MyDocs$ tar -xzvf wl1251-maemo-0.1.tar.gz

Step 4:
Driver Time:

cd /MyDocs
sudo gainroot
cd /home/user/MyDocs/
cd wl1251-maemo/binary/kernel-power

Time to install!


/home/user/MyDocs/wl1251-maemo/binary/kernel-power: dpkg -i kernel-power_2.6.28-maemo46-wl1_armel.deb


/home/user/MyDocs/wl1251-maemo/binary/kernel-power: dpkg -i kernel-power-modules_2.6.28-maemo46-wl1_armel.deb


/home/user/MyDocs/wl1251-maemo/binary/kernel-power: dpkg -i kernel-power-flasher_2.6.28-maemo46-wl1_armel.deb


/home/user/MyDocs/wl1251-maemo/binary/kernel-power: dpkg -i kernel-power-bootimg_2.6.28-maemo46-wl1_armel.deb

Step 5:
This step is only needed if you have multiboot on your N900


cd /home/user/MyDocs/wl1251-maemo/binary/kernel-power: cd /boot
/boot: mv zImage-2.6.28-maemo46-wl1 multiboot/vmlinuz-


Next, create the file
cd /etc/multiboot.d/
nano 01-Maemo- (or using leafpad)

Write this:


Ctrl (on touch screen) + W to exit and save

Select the kernel from the boot list:

Now time for fAIRCRACK!

download the fircrack form attach below and extract the file on ur pc and u will find two file faircrack.tar.gz and hildon.tar.gz and now copy faircrack.tar.gz AND hildon.tar.gz to MyDocs on your N900.

Part 2:

cd /home/user/MyDocs/

Part 3:

mkdir FAS

Part 4:

cd FAS

Part 5:

tar -xzvf /home/user/MyDocs/faircrack.tar.gz

Part 6:
Make sure all the files have been extracted to the MyDocs/FAS/ directory and that the following folders exist:
By Typing


and look for these folders


Part 7: (icon!)

cd .. (which brings you back to MyDocs/Or just goto MyDocs in xTerm!)

Part 8:

tar -xzvf /home/user/MyDocs/hildon.tar.gz

part 9:

sudo gainroot

Part 10:

mv faircrack.desktop /usr/share/applications/hildon/

Part 11:

mv faircrack.png /usr/share/icons/hicolor/48x48/hildon/

Usage (Direct Copy from Announcement thread):

---------------------- Usage ----------------------------------------

To run fAircrack, you can use the shortcut (recommended), or issue the following command:

sh /home/user/MyDocs/FAS/launch.sh

Bear in mind that if you are running it from xterm you will probably see a few warning messages like "*.cap does not exist" and "basename usage". This is a result of my messy coding and does not cause any problems. This will be fixed in v0.2.


Firstly a little background information from the aircrack wiki

"A little theory first. WEP is a really crappy and old encryption techinque to secure a wireless connection. A 3-byte vector, called an Initalization Vector or IV, is prepended onto packets and its based on a pre-shared key that all the authenticated clients know... think of it as the network key you need to authenticate.

Well if its on (almost) every packet generated by the client or AP, then if we collect enough of them, like a few hundred thousand, we should be able to dramatically reduce the keyspace to check and brute force becomes a realistic proposition.

First things first, from the 'Monitor' tab enable the packet injection drivers and then monitor mode. At the moment there is no way to check if the drivers are enabled or not so if you aren't sure then just click the enable button anyway.

Next, you will need to click on the 'Access Point' tab. From here select how many seconds to run a scan for (default is 5) and click the scan button. Make sure the WEP button is highlighted to show only WEP networks. Select your desired target and click the "Start Packet Capture" button. This will load airodump in an xterm. Be sure to leave this window open until you are ready to crack.

Now you must click the "Authenticate" button to attempt to authenticate with the network, which will allow you to perform packet injection. This will launch a new xterm which will display information about your authentication request. If you see a line similar to "AID 1 :-)" then all is good. If not, try changing your mac address to the same as an already authenticated client (you can see them at the bottom of the airodump xterm). Bear in mind that changing your mac requires the stopping and starting of your interface and it WILL close your airodump window

Once authenticated, click the "Injection" button, this will launch a new xterm and start listening for ARP and ACK packets. As soon as a ARP packet is captured it SHOULD start re-injecting it at about 500pps (packets per second). At this point the number of ARP requests should start to skyrocket! If injection starts but the ARP number remains static, it means you need to authenticate with the router. Leave the authentication and injection windows open.

To check how many IVs you have successfully captured, click on the "Decryption" tab, and select your current CAP file from the list. This will be the name of the network and a number. Now click the "Decrypt" button. It will load aircrack in a new xterm and after reading the packets it will display how many IVs have been captured and attempt to crack the key. You will normally need at least 50,000 IVs in order to perform a successful decryption, so if it is much less than this then you may as well close this window.

Once you are ready to crack, press the decrypt button and if you have enough IVs, the password should be broken in seconds. At this point the aircrack xterm will close and you can view the key by selecting it from the list and clicking the "Show Key" button. If it doesn't show up, just press the "Refresh" button. (Keys are also stored in your MyDocs/FAS/keys/ directory).

If all went well then the whole process should take around 8-15 minutes.


WPA is different. Read the FAQs for more information.

First scan for networks as before and select WPA to display the WPA access points. Now click on which one you want to crack and press the "Start Packet Capture" button.

Now you will have to wait for a client to connect to the access point, at which point you will see a message in the top right of your airodump window saying "WPA Handshake" followed by the mac address of the router.

Now click on the "Decryption" tab. From here select the current cap from the list (being sure to select WPA and not WEP), now select either a dictionary or specify an attack method for John. When you are ready, highlight either "wordlist" or "john" and press decrypt.

------------------------------ FAQs -----------------------------------

Q. It keeps asking me for a password. Wtf?
A. Install Sudser

Q. What's an access point?
A. Wireless router.

Q. What will I use this for?
A. If you don't know the answer to that then you don't need it.

Q. Why do I keep receiving deauth packets when authenticating?
A. I assume this is due to router security. Try changing your mac (from the main menu) to match a client that is already connected. You can find this from the already opened airodump window.

Q. Why am I not receiving any ARP packets when trying to perform injection?
A. Depending on the access point, it may be very difficult to capture/relay ARP requests, particularly if:
> You are not close enough to the access point.
> There is no traffic on the access point.
I find the number starts rising rapidly as soon as a client connects.

Q. I have tried everything, but just cannot inject/authenticate/anything. What gives?
A. Unfortunately, each make/model of router is different and no matter how hard you try you may not be able to get into it. fAircrack includes the settings that in my experience have been the most successful, but you may have better luck using aircrack directly and experimenting. (in future releases there will be far more options)

Q. Why is WPA so much harder to crack?
A. WEP encryption is weak. Each IV (initialization vector) contains a small portion of the key, so when enough of these are captured the key can be deciphered. WPA however is far more secure and cannot be "cracked". However, when an authenticated client connects to a WPA access point a "handshake" is generated. This handshake can be captured by airodump and aircrack can subsequently run a bruteforce dictionary attack against it, possibly finding the key (however if the exact key is not in the dictionary, it will obviously not work). To capture the handshake you can either wait for a client to connect, or you can launch a deauthentication attack (using my script) to force a client to disconnect and reconnect to the AP, allowing you to capture the handshake.

However, a word list big enough to 100% GUARANTEE to crack an 8-digit alphanumeric case-sensitive wpa key would have up to 62771017353866807638357894232076664161023554444640 34512896 different combinations. And this is WITHOUT symbols.

On the same basis, a 64-digit wpa key would have up to 39402006196394479212279040100143613805079739270465 44666794829340424572177149721061141426625488491564 0806627990306816 different combinations.

These wordlists would be thousands of terabytes in their totality.

In short, it's possible but not feasible. Bearing in mind that a device like the N900 could probably only check around 20-30 keys per second. The best you could do is capture the handshake with the N900 then use a desktop to attempt to crack the password.

Realistically, the only way you are going to bruteforce a wpa key is if the person who the network belongs to (obviously you ) has set something really mundane or stupid as their key. Any default key containing letters and numbers would be near enough impossible and take possibly years to break.

Enjoy. Press Thanks!

Credit goes to:FRuMMaGe for GUI