iPhone Wireless Scanner iOS5


As followers know, last year Apple has blocked wifi scanners from App Store, however till iOS5 it was still available for private usage via WiFiManager bundle:

Old Path: /System/Library/SystemConfiguration/WiFiManager.bundle/WiFiManager

in iOS5, WifiManager bundle no more exists however 80211 functions are still available via IPConfiguration bundle

New Path: /System/Library/SystemConfiguration/IPConfiguration.bundle/IPConfiguration

The scanning functions are the same as previous version
(For detailed information: http://code.google.com/p/iphone-wireless/ )
but there is one thing you need to pay attention while developing

Your application requires super user privileges in order to perform network scan.
That’s why, you need to put your application in Root’s Applications folder

Correct Path in IOS: /Applications (in this path, app runs with root user permissions)
Wrong Path in IOS: /private/var/mobile/Applications (in this path, app runs with mobile user permissions)

I have prepared a sample project for using Stumbler class on iOS5,
you can download it via

Stumbler Class on iOS5 Usage Sample Download Link.

Also I would like to share couple of screens that may be interesting for some developers.

1) Disassembled screen of iPConfiguration (Processed with IDA Evaluation by HEx Rays )

2) Screenshots of sample project on iPod Touch 4G running iOS 5


WifiFofum, They are the first developers who realized IPConfiguration.bundle.
Stumbler “iphone-wireless”, they have provided a lot to community. many thanks.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Post Metadata

November 5th, 2011

Guvener Gokce




  1. Purnima

    We noticed a strange phenomenon. When running the app on a non-jailbroken device via the debugger the Wi-Fi scans would not work. However as soon as we hit the stop button on Xcode for debugger the scan results came through. Is there a way around it by programatically issuing a stop that mimics the stop issued from debugger.
    with best regards

  2. Hi Jagan,

    That’s very interesting phenomenon. Although I haven’t tried (yet) hitting a break point programmatically, I will check and let you know if I can succeed.

    Many thanks for letting me know, really interesting notice.

  3. Dwarf


    How can I put my application in Root’s Applications folder instead of /private/var/mobile/Applications?

    I can´t get the sample working…


  4. Hi Dwarf,

    I’m assuming that your device is already jailbroken (otherwise not possible)
    You shall create release build of sample app and upload release build in to /Applications folder.
    (you can use open ssh for that )


  5. Dwarf


    I want to distribute my app in the App Store…

    This may work for Cydia apps, but Stumbler class will never work in “official” apps, am I right?


  6. Hi Dwarf,

    You’re right, it’s not allowed to publish an app that uses private frameworks,
    and just to be clear, Apple has never published an iOS API for wifi scanning.


  7. Dwarf

    My app is in the Store, using this framework and working in iOS4, but it crashes in iOS5.

  8. that’s lucky, good for u.

  9. Purnima

    Any progress on doing Wi-Fi scans for non-jailbroken devices with the workaround I mentioned.

  10. nimesh

    i have tried wifi neworks scanning using stumbler class but when i tried


    It gives “file not find”

    Please help me out in this.

  11. kimtaeil


    I tried to build in Xcode 4.2 but it does’t work.

    Is it only work on Device???

    please tell me how to test T.T

  12. tpnolan

    I’m curious, has anyone tested the monitor mode support ?
    Can captured packets be successfully parsed into aircrack-ng ?

  13. Dan O

    I am trying to get this to work in an private app that needs to know what WiFi Connection the Ipad is on. Any way when I put the SOStumber.h/m in my code I get an error with the following
    apple80211Scan(airportHandle, &scan_networks, parameters);

    It gives me an “implicit conversion of Objectiv-C pointer type ‘NSDictionary *’ to C pointer type ‘void *’ requires a bridged cast

    I have looked at all the settings from your test app and they all look the same. I know I am missing something but can’t figure it out.

    I just need to see what WiFi I am currently attached to.

    Any help would be great.

  14. pengpeng

    I test the sample on my jailbroken iPod 4G running IOS5.0.1. I copy StumblerIOS5.app to /Applications, but it will terminate immediately so I can’t see the scan results. I try using Xcode4.2 to build and run on my iPod, this time it will not exit, but the results is nil, I am sure there is a Wi-Fi network nearby.
    Any help would be great. Sorry for my poor English.

  15. henry

    I test the sample on my ipod without jb and IOS 5.0.1

    but when I scan Networks, I never find wifi server.

    it’s always null….

    can you help me ? thanks~

  16. Jeff

    Everyone only finds the dlsym for Apple80211Open, Apple80211Close, Apple80211BindToInterface, and Apple80211Scan. But what about WirelessGetAssociationInfo and alike? Are there other parts of Apple80211 available in the IPConfiguration bundle according to your library dumps?

  17. Horst Kopper

    The Apple80211Scan only provides empty results on iOS-5.1.1 (iPhone4S). Furthermore, the WiFiFoFum app seems not to link against the Apple80211* methods, but to use a DLWiFiManager class.

  18. theman

    @ Horst

    im getting the same results on 5.1.1. Are you running as root and
    is your /Applications ’stashed’ - which still point to a private folder on the iPad1.
    Also, what DLWiFiManager class are you referring to?

  19. Hello everyone,

    I should update my post sometime, since it’s a bit old right now.

    however till then if you would like to try some code,
    please check stumbler code via:

    one of my follower got successful result with this.

    Actually i haven’t noticed the difference between their code:

    void *handle = dlopen(”/System/Library/SystemConfiguration/IPConfiguration.bundle/IPConfiguration”, RTLD_LAZY);
    int (*open)(void *) = dlsym(handle, “Apple80211Open”);
    int (*bind)(void *, CFStringRef) = dlsym(handle, “Apple80211BindToInterface”);
    int (*close)(void *) = dlsym(handle, “Apple80211Close”);
    int (*scan)(void *, CFArrayRef *, void *) = dlsym(handle, “Apple80211Scan”);
    bind(handle, CFSTR(”en0″));

    and mine:

    libHandle = dlopen(”/System/Library/SystemConfiguration/IPConfiguration.bundle/IPConfiguration”, RTLD_LAZY);

    apple80211Open = dlsym(libHandle, “Apple80211Open”);
    apple80211Bind = dlsym(libHandle, “Apple80211BindToInterface”);
    apple80211Close = dlsym(libHandle, “Apple80211Close”);
    apple80211Scan = dlsym(libHandle, “Apple80211Scan”);
    apple80211Bind(airportHandle, @”en0″);

    however something genius might be in there,
    please feel free to comment if you’re successful on your experiments, we’ll all be celebrating with you :)
    I’ll keep the post updated as soon,


  20. Naren

    How can I put my application in Root’s Applications folder instead of /private/var/mobile/Applications How toi Change to root applications i am New to this plz give me some guide about how to change root application folder in device….


  21. Clay

    if you are now wanting to jail break your phone but still get signal strength on the current connection you can use this…


  22. Vielen Dank für den Artikel, ich habe ihn auf meinen Blog erwähnt.

  23. Nam Nguyen

    Dear Guvener Gokce, I have successfully tested the “Apple80211GetPower” and “Apple80211Scan” methods, however when it comes to “Apple80211SetPower” to turn on/off the wifi interface, I could not make it worked on my Iphone(IOS 5.1.1).
    wificontroller[774] : Wifi Power=1
    kernel[0] : AppleBCMWLANCore::setPOWER(): state(1) stateFlags(34a23)
    the Log said that my phone executed the same command as when I manually set Wi-Fi on/off via Settings. Still, it still did not turn on/off as I expected.
    Have anyone succeeded with “Apple80211SetPower”?

  24. Blair

    Hi Guvener Gokce. I ‘m still confused about how to put my application into root folder. could you explain it more clearly.
    Or could you give me a website to solve this problem?
    best regards

  25. moses

    i want to turn on/off wifi

    is any succeeded with Apple80211SetPower?

  26. Patrick

    hey,ive got a working implementation of this as part of a package but I was wondering if you know how come noise always is measured as 0? can it not measure it properly?? other desktop tools measure the noise so I have a benchmark to compare with..

  27. Steve

    I was wondering if it is possible to programatically access a list of nearby WIFI AP MAC addresses from a webapp using iPhone/Safari?

  28. Mark.elliot@bt.com

    Hi there - does anybody know if the wifi Apis are made public again with ios 7 -!guess probably not but worth an ask :)

  29. anand

    But i can find an application called Wififofum in appstore for wifi scanning….

  30. Austin

    I find a free one: Fing

  31. outeran

    how is it that Fing is doing this (IN the app store), and EVERYONE else on the internet says its not possible : /

  32. outeran

    nvm, fing is only scanning the network that you have already connected to.
    and Wififofum is using location based services and just data mining

  33. Serj

  34. Great post. I was checking continuously this blog and I’m impressed!

    Extremely useful information particularly the last part :
    ) I care for such info much. I was seeking this particular information for a very
    long time. Thank you and good luck.

    Check out my homepage; battlefront heroes hack tool

  35. Hey i am wondering if there is a working solution for iOS 7? if so, could you contact me?

  36. March 2015.

    I built and ran it on Xcode 6.1.1 on iPhone6+ with iOS 8.1.3
    and it crashed at apple80211Open() on line 27 of SOLStumbler.m

  37. Naveen Goyal


    I am not get the list of scan wifi network with the use of private library. Please help to get the list of wifi network SSID in ios.

  38. guvenergokce.com has potential, you can make your
    blog go viral easily using one tricky method. Just type in google:
    Isud’s Method To Go Viral

  39. Highly descriptive post, I enjoyed that a lot. Will there be
    a part 2?

    Feel free to visit my homepage :: Boom Beach
    Hack (https://Pinterest.com/pin/380202393520783462/)

Leave a Reply