Hijacker on TicWatch Pro 3 with wireless injection

It is finally here! Hijacker v1.7 is now available for the TicWatch Pro 3 (all variants that use the bcm43436b0 firmware).

Absolutely huge, huge thanks to Jakob Link from the Secure Mobile Networking Lab for the help with porting Nexmon. 3 years, hundreds of emails. Amazing collaboration :folded_hands::trophy:

Also big thanks to Chris Kyriakopoulos for creating Hijacker. It was possible for me to port thanks to his coding style.

And thank YOU for being patient waiting for this day!

Downloads
Hijacker app
Nexmon files

Instructions
Confirm your watch uses the supported chip and firmware in adb shell:

dmesg | grep fw_bcm43436b0

If there are no results, your chip is bcm43438a1. You have to be patient again until I patch that firmware too.

If you see results of bcm43436b0, continue.

Unzip to a local nexmon dir and copy the files to the watch with adb:

mkdir nexmon
unzip nexmon-twp3.zip -d nexmon
adb push nexmon /sdcard
adb shell
su

Copy and paste from here:

mount -o rw,remount /vendor
mount -o rw,remount /
cp /sdcard/nexmon/nexutil /system/bin/nexutil
cp /sdcard/nexmon/iw* /system/bin/
cp /sdcard/nexmon/air* /system/bin/
cp /sdcard/nexmon/libfakeioctl.so /system/lib/
chmod a+x /system/bin/iw*
chmod a+x /system/bin/air*
chmod a+x /system/bin/nexutil
cp /sdcard/nexmon/fw_bcm43436b0.bin /vendor/firmware/
ifconfig wlan0 down
ifconfig wlan0 up

Install Hijacker through adb:

adb install Hijacker-release-v1.7.apk

I disabled a few items to fit the watch screen. Running injection and airodump-ng simultaneously is still experimental. You may need to press Capture a few times to catch a handshake. Probably the best would be to compile the latest aircrack binaries for Android, which I couldn’t figure out yet.

2 Likes
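Added example, not part of the original post or of the Nexmon or Hijacker projects: the copy step above overwrites /vendor/firmware/fw_bcm43436b0.bin in place, so this sketch checks the dmesg text first and keeps the stock file before replacing it. The function names, the `.stock` suffix and the sample dmesg line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check and backup-before-replace for firmware files.
# Function names and the ".stock" suffix are assumptions, not from the post.

# Constructed sample line; real dmesg output on the watch will look different.
SAMPLE_DMESG='[    7.100000] wlan: firmware /vendor/firmware/fw_bcm43436b0.bin (constructed)'

# Succeed and print the chip name only if the log text mentions fw_bcm43436b0.
detect_fw() {
    case "$1" in
        *fw_bcm43436b0*) echo "bcm43436b0" ;;
        *) return 1 ;;
    esac
}

# Copy $1 over $2, saving the original as $2.stock the first time only.
safe_replace() {
    src=$1; dst=$2; bak=$2.stock
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    if [ -f "$dst" ] && [ ! -e "$bak" ]; then
        cp -p "$dst" "$bak" || return 1
        cmp -s "$dst" "$bak" || { echo "backup mismatch" >&2; return 1; }
    fi
    cp "$src" "$dst" || return 1
    if ! cmp -s "$src" "$dst"; then
        echo "copy mismatch, restoring stock file" >&2
        [ -f "$bak" ] && cp -p "$bak" "$dst"
        return 1
    fi
}

# Put the saved stock file back in place.
restore_stock() {
    [ -f "$1.stock" ] || { echo "no backup for $1" >&2; return 1; }
    cp -p "$1.stock" "$1" && cmp -s "$1.stock" "$1"
}

# On the watch (as root, after the remount step) this would be used as:
#   detect_fw "$(dmesg)" && safe_replace /sdcard/nexmon/fw_bcm43436b0.bin \
#       /vendor/firmware/fw_bcm43436b0.bin
```

Running `restore_stock /vendor/firmware/fw_bcm43436b0.bin` followed by the `ifconfig wlan0 down` / `ifconfig wlan0 up` cycle from the post puts the original firmware back.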

Great work to all involved!

I’ll have to add a TicWatch to my letter to Santa Claus.

1 Like

Amazing work, brotha! The whole community is indebted to you for your hard work and kindness.

1 Like

I have two TicWatches and still haven’t gotten around to building a working adapter.. the one available from the vendor does not have data lanes -.-

1 Like

Well to be fair, being a category moderator is pretty much a full time job. Presumably you have a full time job as well, so you can be forgiven for not getting around to building an adapter.

2 Likes

Here’s one if you don’t have time to build. Although the seller is away at the moment :smiling_face_with_sunglasses: TicWatch Pro 3 GPS LTE Ultra Smartwatch USB Data Dock 4 Pin For Kali NetHunter | eBay

I actually printed that already, and got a lot of adapters with matching pogo pin distances from Alibaba.. just didn’t have the time to get it working

1 Like

Especially getting the magnets in the right place without making the filament warp too far away so that the pins don’t connect has been a nightmare :wink:

1 Like

Hi everybody, I was trying to set up my TicWatch Pro 2020 with the normal NetHunter image, and then I saw this forum. After some research I found out that the bcm43436b0 firmware is compatible with my watch’s chip. The folder with the current firmware is /system/etc/firmware/brcm/ with these files:
bcm43xx_hdr-o.fw
bcm43xx-0.fw
brcmfmac4335-sdio.bin
brcmfmac4339-sdio.bin
brcmfmac4354-sdio.bin
And I downloaded the fw_bcm43436b0.bin firmware from git.

What files should I change or replace?
Thanks

1 Like

Heya, TicWatch Pro is not supported yet because it reboots when injection happens. But not always. You can simply rename the fw I provided and copy it to /vendor/firmware/fw_bcmdhd.bin. I’m not sure when I can look into what causes the reboot

1 Like