qca / open-ath9k-htc-firmware

The firmware for QCA AR7010/AR9271 802.11n USB NICs

Seq num and frag num overwritten in injection mode. #16

Open mothran opened 11 years ago

mothran commented 11 years ago

Device: TP-WN722N with AR9271

I have noticed that the sequence number and fragment number are overwritten by A) the firmware or B) the ath9k_htc driver. I believe it is being overwritten in the firmware because I have gutted all sequence number logic and DMA out of the most modern version of compat-wireless and still had the issue using both the older closed source firmware and this open 1.4 firmware.

This is the only reference to this issue I could find: http://forum.aircrack-ng.org/index.php?topic=8775.0

I know injection mode is not a priority but these chipsets have a wonderful RX sensitivity for the price and it would be massively helpful to have full control over the outbound packets.

Thanks.

erikarn commented 11 years ago

So I believe ath9k does overwrite the frame sequence number, at least when doing aggregation.

However, yes, you're right. A quick look at ath9k_htc source shows that the driver is overriding the sequence number:

target_firmware/wlan/if_owl.c:ath_tgt_tx_seqno_normal(), called by ath_tgt_txbuf_setup().

Now, you could likely disable this - but then you risk having to disable aggregation in its entirety.

erikarn commented 11 years ago

Well, I should be clear - you have to disable aggregation and software retransmission in their entirety, as self-generated sequence numbers will definitely screw up aggregation.

mothran commented 11 years ago

Hmmm well thanks for pointing me in the right direction. I am going to play with disabling this and see how it handles in both injection and regular operations. Also thanks for the speedy response!

Ced2142 commented 4 years ago

I ran into this just now and I was wondering if a patch is possible for this, since the mac80211 module avoids writing over the sequence number and doesn't signal the driver to. https://elixir.bootlin.com/linux/v5.8/source/net/mac80211/tx.c#L811 From what I recall, the driver doesn't assign a sequence number (since it's assigned in the fw). Maybe there's a way to check if IEEE80211_TX_CTL_ASSIGN_SEQ is set and only overwrite the sequence number then?
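As an added illustration of the check proposed in the last comment (not code from this repository or from the ath9k_htc firmware), the function below only stamps a fresh sequence number when the caller set the assign-sequence flag and otherwise leaves the injected seq/frag intact; the header struct, the flag bit value (named after mac80211's IEEE80211_TX_CTL_ASSIGN_SEQ but chosen here, not taken from kernel headers) and tx_seqno_assign() are all constructed for the demo.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Stand-in for mac80211's IEEE80211_TX_CTL_ASSIGN_SEQ; the bit position is
 * an assumption for this demo, not the kernel's definition. */
#define TX_CTL_ASSIGN_SEQ (1u << 1)

/* Simplified 802.11 MAC header (constructed, host byte order for the demo).
 * Sequence control packs a 4-bit fragment number in the low bits and a
 * 12-bit sequence number in the high bits. */
struct ieee80211_hdr {
    uint16_t frame_control;
    uint16_t duration_id;
    uint8_t  addr1[6], addr2[6], addr3[6];
    uint16_t seq_ctrl;
};

static uint16_t seq_ctrl_pack(uint16_t seq, uint8_t frag)
{
    return (uint16_t)(((seq & 0x0fff) << 4) | (frag & 0x0f));
}

static uint16_t seq_ctrl_seqno(uint16_t sc) { return (uint16_t)(sc >> 4); }
static uint8_t  seq_ctrl_frag(uint16_t sc)  { return (uint8_t)(sc & 0x0f); }

/* Hypothetical conditional version of the unconditional overwrite the
 * thread attributes to ath_tgt_tx_seqno_normal(): assign a new sequence
 * number only when tx_flags asks for one; an injected frame that carries
 * its own seq/frag passes through untouched. Returns true if changed. */
static bool tx_seqno_assign(struct ieee80211_hdr *hdr, uint32_t tx_flags,
                            uint16_t *next_seq)
{
    if (!(tx_flags & TX_CTL_ASSIGN_SEQ))
        return false;                       /* keep caller's seq/frag */
    uint8_t frag = seq_ctrl_frag(hdr->seq_ctrl);  /* fragment is kept */
    hdr->seq_ctrl = seq_ctrl_pack(*next_seq, frag);
    *next_seq = (uint16_t)((*next_seq + 1) & 0x0fff); /* 12-bit wrap */
    return true;
}
```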