seemoo-lab / mobisys2018_nexmon_channel_state_information_extractor

Example project for extracting channel state information of up to 80 MHz wide 802.11ac Wi-Fi transmissions using the BCM4339 Wi-Fi chip of Nexus 5 smartphones.

AP configuration #19

Closed NovaNekmit closed 5 years ago

NovaNekmit commented 5 years ago

Hi, we are currently trying to reproduce the CSI extraction with the Nexus 5 (Android version 6.0.1, M4B30Z).

We followed the Getting Started guide but are unable to receive CSI from or connect to the access point if it is running in HT80 mode. (We do get data for HT40 channels, although it looks weird, see below.) The chanspec has been adjusted (24e3/0xe324 for HT80 on channel 36 with upper sidebands).

Which wifi chip/router (and settings) did you use? We are currently starting the AP using hostapd and an ath10k chip on channel 36.


In HT40 mode we are getting weird random spikes in the data: plot example (Gathered with chanspec 2cd9/0xd92c from channel 44 and HT40 with upper sideband)


Do you have an idea what we are doing wrong here? We would greatly appreciate any advice.

matthiasseemoo commented 5 years ago

We used the example with the access point to have a simple example setup that everyone can easily reproduce, as you only need an access point that operates in the 5 GHz range. If you want to reproduce our experiments from the paper, you should use another Nexus 5 to inject frames with chosen modulation rates, without retransmissions and without AMPDUs.

Here is some code that can be used as an ioctl. If you need 80 MHz bandwidth you need to transmit VHT frames instead of HT frames:

    case 504:
    {
        // deactivate scanning
        set_scansuppress(wlc, 1);

        // deactivate minimum power consumption
        set_mpc(wlc, 0);

        // set the channel
        set_chanspec(wlc, 0x1006);

        // deactivate the transmission of ampdus
        wlc_ampdu_tx_set(wlc->ampdu_tx, 0);

        // set the retransmission settings
        set_intioctl(wlc, WLC_SET_LRL, 1);
        set_intioctl(wlc, WLC_SET_SRL, 1);

        unsigned int fifo = 0;
        unsigned int rate = RATES_OVERRIDE_MODE | RATES_ENCODE_HT | RATES_BW_20MHZ | RATES_HT_MCS(0);
        int txdelay = 0;
        int txrepetitions = -1;
        int txperiodicity = 50;

        uint16 payload_length = 1000;

        struct sk_buff *p = pkt_buf_get_skb(osh, sizeof(wlandata_ipv4_udp_header) + payload_length + 202);

        // pull to have space for d11txhdrs
        skb_pull(p, 202);

        // pull as prepend_wlandata_ipv4_udp_header pushes
        skb_pull(p, sizeof(wlandata_ipv4_udp_header));

        memset(p->data, 0x23, payload_length);

        prepend_wlandata_ipv4_udp_header(p);

        wlc_d11hdrs_ext(wlc, p, wlc->band->hwrs_scb, 0, 0, 1, 1, 0, 0, rate /* data_rate */, 0);
        p->scb = wlc->band->hwrs_scb;

        sendframe_with_timer(wlc, p, fifo, 0, txdelay, txrepetitions, txperiodicity);
        ret = IOCTL_SUCCESS;
    }
    break;
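
Added example, not code from the nexmon project or from anyone in this thread: a small Python encoder/decoder for the D11AC chanspec format used by `set_chanspec()` and by the values quoted in this issue (0xe324, 0xd92c, 0x1006). The field layout is assumed to follow Broadcom's bcmwifi_channels.h; for 40/80 MHz blocks the channel field holds the block's centre channel and the sideband field selects the primary 20 MHz slot, and `decode_chanspec` reports whether the two fields agree.

```python
# Added example (not nexmon project code): encode/decode Broadcom D11AC
# chanspecs, the 16-bit values passed to set_chanspec() and quoted in this
# issue. Field layout assumed from Broadcom's bcmwifi_channels.h.
CHAN_MASK = 0x00FF
SB_MASK, SB_SHIFT = 0x0700, 8        # control sideband (which 20 MHz slot)
BW_MASK, BW_SHIFT = 0x3800, 11       # bandwidth code
BAND_MASK = 0xC000

BW_CODES = {0: 5, 1: 10, 2: 20, 3: 40, 4: 80, 5: 160}
BW_TO_CODE = {v: k for k, v in BW_CODES.items()}
BAND_CODES = {0x0000: "2G", 0x4000: "3G", 0x8000: "4G", 0xC000: "5G"}
BAND_TO_CODE = {v: k for k, v in BAND_CODES.items()}


def encode_chanspec(primary, bw=20, band="5G"):
    """Chanspec for a primary 20 MHz channel inside a 20/40/80 MHz block.

    For 40/80 MHz the channel field holds the block's centre channel and the
    sideband field the slot of the primary (0 = lowest, n-1 = highest).
    Wide blocks are only derived for the 5 GHz band in this example."""
    if bw < 20 or bw not in BW_TO_CODE:
        raise ValueError("unsupported bandwidth")
    if bw != 20 and band != "5G":
        raise ValueError("40/80 MHz block layout only implemented for 5 GHz")
    n = bw // 20                            # 20 MHz slots in the block
    base = 149 if primary >= 149 else 36    # UNII-3 blocks start at 149
    slot = ((primary - base) // 4) % n
    center = primary - 4 * slot + 2 * (n - 1)
    return (BAND_TO_CODE[band] | (BW_TO_CODE[bw] << BW_SHIFT)
            | (slot << SB_SHIFT) | center)


def decode_chanspec(cs):
    """Split a chanspec into its fields and check they describe one block."""
    band = BAND_CODES[cs & BAND_MASK]
    bw = BW_CODES[(cs & BW_MASK) >> BW_SHIFT]
    center = cs & CHAN_MASK
    slot = (cs & SB_MASK) >> SB_SHIFT
    n = bw // 20
    primary = center - 2 * (n - 1) + 4 * slot   # slot 0 sits 2*(n-1) below centre
    try:
        consistent = encode_chanspec(primary, bw, band) == cs
    except ValueError:
        consistent = False
    return {"band": band, "bw": bw, "center": center, "slot": slot,
            "primary": primary, "consistent": consistent}


if __name__ == "__main__":
    for cs in (0x1006, 0xE324, 0xD92C, encode_chanspec(36, 80)):
        print(f"0x{cs:04x}: {decode_chanspec(cs)}")
```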

intarian commented 5 years ago

@matthiasseemoo can you suggest in which file we should place the above piece of code? I am running into the same issue as @NovaNekmit.

gkpln3 commented 5 years ago

Add these lines to the ioctl.c file.