Closed neilalexander closed 5 years ago
I believe frame injection is supported and working as it was reported that the driver works with hcxdumptool. However there where some problems with radiotap frame format. Hcxdumptool format worked on older kernels, but stopped working more recent kernels . See those hcxdumptool commits and https://www.kernel.org/doc/Documentation/networking/mac80211-injection.txt
commit 4b58011ad4dc337273ff6a79a1d2436f50ff4c3a Author: ZeroBeat ZeroBeat@gmx.de Date: Tue Apr 2 10:39:52 2019 +0200
another radiotap change
commit c38cba1dbb22180767f0e24ff29e70a94bf6b9a5 Author: ZeroBeat ZeroBeat@gmx.de Date: Tue Apr 2 10:33:21 2019 +0200
changed radiotap header, again - see changelog
commit c34058b21e9c075c8ab55e71c1700c823f78ffe8 Author: ZeroBeat ZeroBeat@gmx.de Date: Mon Apr 1 17:15:18 2019 +0200
modified tx radiotap header
I believe frame injection is supported and working as it was reported that the driver works with hcxdumptool. However there where some problems with radiotap frame format. Hcxdumptool format worked on older kernels, but stopped working more recent kernels . See those hcxdumptool commits and https://www.kernel.org/doc/Documentation/networking/mac80211-injection.txt
commit 4b58011ad4dc337273ff6a79a1d2436f50ff4c3a Author: ZeroBeat ZeroBeat@gmx.de Date: Tue Apr 2 10:39:52 2019 +0200
another radiotap change
commit c38cba1dbb22180767f0e24ff29e70a94bf6b9a5 Author: ZeroBeat ZeroBeat@gmx.de Date: Tue Apr 2 10:33:21 2019 +0200
changed radiotap header, again - see changelog
commit c34058b21e9c075c8ab55e71c1700c823f78ffe8 Author: ZeroBeat ZeroBeat@gmx.de Date: Mon Apr 1 17:15:18 2019 +0200
modified tx radiotap header
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/openwrt/mt76/issues/310?email_source=notifications&email_token=AAOA2CITGIMQRI5APDOQUHLQHEEKFA5CNFSM4ISLNEN2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5ROTXI#issuecomment-526576093, or mute the thread https://github.com/notifications/unsubscribe-auth/AAOA2CPHE7KLTZTGD7LADBDQHEEKFANCNFSM4ISLNENQ .
I tested mt76x0u with aircrack-ng and it was working fine
Lorenzo
-- UNIX is Sexy: who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; gasp; mount; fsck; more; yes; gasp; umount; make clean; sleep
I believe frame injection is supported and working as it was reported that the driver works with hcxdumptool. However there where some problems with radiotap frame format. Hcxdumptool format worked on older kernels, but stopped working more recent kernels
I am using a 5.2 kernel if that is useful to know?
Linux wireless 5.2.10-arch1-1-ARCH #1 SMP PREEMPT Sun Aug 25 18:01:31 UTC 2019 x86_64 GNU/Linux
I would check it things work on some older kernel i.e. 4.20 . Also if changing the band from 5GHz to 2.4GHz make difference.
Downgraded to kernel 4.20.1 and the situation is the same. No difference between 2.4GHz and 5GHz bands.
Some other details from dmesg
when connecting the adapter:
[ 3218.726692] usb 1-1: new high-speed USB device number 4 using ehci-pci
[ 3219.296100] usb 1-1: New USB device found, idVendor=2357, idProduct=0105, bcdDevice= 1.00
[ 3219.296119] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 3219.296131] usb 1-1: Product: WiFi
[ 3219.296141] usb 1-1: Manufacturer: MediaTek
[ 3219.296150] usb 1-1: SerialNumber: 1.0
[ 3219.843368] usb 1-1: reset high-speed USB device number 4 using ehci-pci
[ 3220.442629] mt76x0u 1-1:1.0: ASIC revision: 76100002 MAC revision: 76502000
[ 3221.842912] mt76x0u 1-1:1.0: EEPROM ver:02 fae:01
[ 3221.967528] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht'
... which led me to wonder whether the firmware has something to do with this? Is there a specific firmware .bin
that I should be using?
The md5sum
s for the firmware that I have are below:
b9539ae93957792fb98c62cb96e6f4a8 /lib/firmware/mediatek/mt7610e.bin
9a047587617c9c8732b9c546fb4a0152 /lib/firmware/mediatek/mt7610u.bin
... and they came from Arch somewhere I think. The mt7610e.bin
is the same md5sum
as the one in the mt76
repository, but there is no mt7610u.bin
in the repository to compare against.
Is there anything else I can try?
@LorenzoBianconi Is this the same mt7610u.bin
that you had locally when you tested with aircrack-ng
?
Are there some easy steps to reproduce on two linux hosts (one running owl and second wireshark for example )?
Firmware should make no difference, but you can try to use mt7610u.bin , just by removing mt7610e.bin from /lib/firmware/mediatek/ and re-plug the device.
Firmware should make no difference, but you can try to use mt7610u.bin , just by removing mt7610e.bin from /lib/firmware/mediatek/ and re-plug the device.
Gave this a go and sadly no difference.
Are there some easy steps to reproduce on two linux hosts (one running owl and second wireshark for example )?
Yes - that is pretty much exactly what I did to test.
To build Owl on a Linux machine I followed the instructions at https://github.com/seemoo-lab/owl - in my case I was using the Arch package. The code has relatively few dependencies though to build from scratch.
I then started Owl on one machine:
owl -i wlan0 -c 44 -v
... which creates an awdl0
virtual adapter and puts wlan0
into monitor mode.
Although having Owl running should ordinarily should be enough to see some AWDL election/synchronisation traffic on channel 44, you can also push some extra traffic over the new AWDL interface for good measure:
ping6 ff02::1%awdl0
I then watched channel 44 from a nearby Mac using Wireshark in monitor mode.
Although Owl on the first device reports being able to "hear" other nearby AWDL hosts (suggesting monitor mode at least works), and I could see traffic on the channel from other hosts in Wireshark on the second device, there was absolutely no traffic originating from the address of the TP-LINK card attached to the Linux host on the air.
Running 'owl -i wlan0 -c 44 -v' seems to work for me . I can see lot's of ACTION frames in monitor mode on second system.
I tested on kernel 5.3-rc7 using driver shipped with that kernel and owl updated to
commit d16adeca558eb6decaeb2ca8208910aaa8a99020 (HEAD -> master, origin/master, origin/HEAD) Author: Milan Stute mstute@seemoo.tu-darmstadt.de Date: Fri Aug 30 15:17:52 2019 +0200
Remove unused flag in TX radiotap header and use lower rate
Thanks for taking the time to test, I'll try using kernel 5.3rc7 as well and see if I can recreate your conditions. I'm really not sure where else to look or what else to try apart from that.
This issue could be also device specific, I tested on: Bus 001 Device 002: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter
I tested on this one. But I have also a T1U device and will retest on it, but currently I have no access to it.
I finally get this tested on T1U. It works for me (mean I can receive owl frames in monitor mode on remote system, not checked if owl link works).
Device is nano adapter showed in lsusb as: Bus 001 Device 007: ID 2357:0105 TP-Link Archer T1U 802.11a/n/ac Wireless Adapter [MediaTek MT7610U]
@neilalexander I'm not sure why it does not work for you. I would check for some obvious mistakes, i.e. owl compilation with wrong kernel headers, or wireshark/interface misconfiguration on remote system, etc.
So it turns out that this was a regulatory domain problem. I hadn't configured one so it had defaulted to DFS-UNSET
.
The hint was actually in the iw list
output above all along—active frame injection will not work when there are no IR
entries next to the channels, which is actually correct behaviour for the driver.
Setting the regulatory domain correctly removed the no IR
restrictions on the channels and resolved the issue.
Really appreciate your help in investigating this with me!
I know this is an older thread and it is closed, so this is for your information, only.
Active monitor mode is working like a charm (on all mt76 devices). Recently I added this feature to hcxlabtool: https://github.com/ZerBea/wifi_laboratory/commit/bacb796b7997b5a40d74aff3cce8e38132d4be13
Now hcxlabtool use a minimal radiotap header (only 8 bytes long). Everything else is done via NL80211 and RTNETLINK.
mt76
driver was built from commit 2a0edbb .Card is a TP-LINK ARCHER T1U connected via USB, which is a MT7610U:
The
mt76
driver reports active frame injection (asDevice supports active monitor (which will ACK incoming frames)
is available.Attempts to use active frame injection in monitor mode using Owl seem to fail (as per issue seemoo-lab/owl#10).
Using monitor mode on another host confirms that no TX frames are transmitted whatsoever from the host trying to use active frame injection, even though monitor mode to RX frames from other devices seems to be working normally.
Card reports the following capabilities:
Following drivers are loaded: