1) Root a compatible device. Not every Android phone or tablet will be able to crack a WPS PIN. The device must have a Broadcom bcm4329 or bcm4330 wireless chipset, and must be rooted. The Cyanogen ROM will provide the best chance of success. Some of the known supported devices include:
2) Download and install bcmon. This tool enables Monitor Mode on your Broadcom chipset, which is essential for being able to crack the PIN. The bcmon APK file is available for free from the bcmon page on the Google Code website.
To install an APK file, you will need to allow installation from unknown sources in your Security menu. Step 2 of this article goes into more detail.
3) Run bcmon. After installing the APK file, run the app. If prompted, install the firmware and tools. Tap the "Enable Monitor Mode" option. If the app crashes, open it and try again. If it fails for a third time, your device is most likely not supported.
Your device must be rooted in order to run bcmon.
4) Download and install Reaver. Reaver is a program developed to crack the WPS PIN in order to retrieve the WPA2 passphrase. The Reaver APK can be downloaded from the developers' thread on the XDA-developers forums.
5) Launch Reaver. Tap the Reaver for Android icon in your App drawer. After confirming that you are not using it for illegal purposes, Reaver will scan for available access points. Tap the access point you want to crack to continue.
You may need to verify Monitor Mode before proceeding. If this is the case, bcmon will open again.
6) Verify your settings. In most cases you can leave the settings that appear at their defaults. Make sure that the "Automatic advanced settings" box is checked.
7) Start the cracking process. Tap the "Start attack" button at the bottom of the Reaver Settings menu. The monitor will open and you will see the results of the ongoing crack displayed.
Cracking WPS can take anywhere from 2-10+ hours to complete, and it is not always successful.