seemoo-lab / nexmon

The C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more
GNU General Public License v3.0

bcm43436b0 crashes when injecting frames #564

Closed aluminum-ice closed 1 year ago

aluminum-ice commented 1 year ago

Similar to issue #335, bcm43436b0 on the Pi Zero 2 W dies immediately after doing a few successful injections. Here is my process and forensic data:

  1. Fresh install of old stable buster lite (5.10.103-v7+)
  2. Clone nexmon and run through the compile process
  3. Copy nexmon’s brcmfmac43436-sdio.bin into /lib/firmware/lib/firmware/brcm/ (replacing the original file)
  4. Copy nexmon’s brcmfmac.ko (from patches/driver/brcmfmac_5.10.y-nexmon/) into /lib/modules/5.10.103-v7+/kernel/drivers/net/wireless/broadcom/brcm80211/brcmfmac/ (replacing the original file)
  5. rmmod brcmfmac
  6. modprobe brcmfmac
  7. ifconfig wlan0 up && iw phy "$(iw phy | head -1 | cut -d" " -f2)" interface add mon0 type monitor && ifconfig mon0 up
  8. dmesg shows:

[ 39.886635] brcmfmac: brcmf_cfg80211_set_power_mgmt: Forcing power management
[ 39.886651] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save disabled
[ 62.172612] brcmfmac: brcmf_vif_add_validate: Attempt to add a MONITOR interface...
[ 62.172647] brcmfmac: brcmf_mon_add_vif: brcmf_mon_add_vif called
[ 62.172661] brcmfmac: brcmf_mon_add_vif: Adding vif "mon0"
[ 249.031857] ieee80211 phy0: brcmf_psm_watchdog_notify: PSM's watchdog has fired!

  9. aireplay-ng --test mon0

00:10:05 Trying broadcast probe requests...
00:10:06 Injection is working!
00:10:07 Found 6 APs

00:10:07 Trying directed probe requests...
00:10:07 XXXXXXXXXXXXXX - channel: 3 - ''
00:10:12 Ping (min/avg/max): 8.145ms/80.416ms/160.601ms Power: -53.00
00:10:12 3/30: 10%

00:10:17 XXXXXXXXXXXXXX - channel: 3 - 'TheMatrix'
00:10:23 0/30: 0%

00:10:28 XXXXXXXXXXXXXX - channel: 3 - 'TheMatrix'
00:10:35 0/30: 0%

00:10:40 XXXXXXXXXXXXXX - channel: 3 - ''
00:10:47 0/30: 0%

00:10:52 XXXXXXXXXXXXXX - channel: 3 - 'TheMatrix'
00:11:00 0/30: 0%

00:11:05 XXXXXXXXXXXXXX - channel: 3 - ''
00:11:12 0/30: 0%

  10. dmesg shows the firmware crashes:

[ 446.671066] device mon0 entered promiscuous mode
[ 516.769922] ieee80211 phy0: brcmf_fw_crashed: Firmware has halted or crashed
[ 523.996562] ieee80211 phy0: brcmf_proto_bcdc_query_dcmd: brcmf_proto_bcdc_msg failed w/status -110
[ 523.996587] ieee80211 phy0: brcmf_cfg80211_get_channel: chanspec failed (-110)

  11. cat /sys/kernel/debug/ieee80211/$(iw wlan0 info | gawk '/wiphy/ {printf "phy" $2}')/forensics

dongle trap info: type 0xc @ epc 0x000204ca
cpsr 0x6000000c spsr 0x61000000 sp 0x0003f260
lr 0x008777a9 pc 0x000204ca offset 0x6ff7c
r0 0x00000000 r1 0x00002011 r2 0x00000000 r3 0x00000000
r4 0x0007b4ea r5 0x00065574 r6 0x00000000 r7 0x0003f268
address ff:ff:8a:d8:1b:af
wl0: wlc_recv: dropping a frame with invalid src mac address ff:ff:56:c7:bf:a6
wl0: wlc_recv: dropping a frame with invalid src mac address ff:ff:8a:d8:1b:af
wl0: wlc_iovar_op: BCME -23 :ndoe
wl0: wlc_iovar_op: BCME -23 :ndoe
wl0: wlc_iovar_op: BCME -23 :ndoe
wl0: wlc_iovar_op: BCME -23 :ndoe
wl0: wlc_recv: dropping a frame with invalid src mac address ff:ff:50:c7:bf:a6
wl0: wlc_iovar_op: BCME -23 :ndoe

FWID 01-f40f3270 flags 1

TRAP c(6ff7c): pc 204ca, lr 8777a9, sp 3f260, cpsr 6000000c, spsr 61000000
  r0 0, r1 2011, r2 0, r3 0, r4 7b4ea, r5 65574, r6 0
  r7 3f268, r8 7b510, r9 1a3c, r10 14, r11 18, r12 3f18c

sp+0 0003f268 00000000 00000000 00000000
sp+10 0000d8ff 00000000 00000000 00000000

sp+10 0000d8ff
sp+5c 00875a5f
sp+9c 0001b3a1
sp+dc 0001dd6d
sp+104 0082eed3
sp+12c 0082f215
sp+13c 0081f351
sp+14c 00004dc7
sp+154 00004bc1
sp+16c 008251a5
sp+32c 0080919d
sp+37c 00001101
sp+480 00000829
sp+764 00000f0f
sp+768 00000fff

aluminum-ice commented 1 year ago

If you bring down wlan0 before doing any injections, the firmware appears to not crash:

ifconfig wlan0 down && iw phy "$(iw phy | head -1 | cut -d" " -f2)" interface add mon0 type monitor && ifconfig mon0 up && ifconfig wlan0 down

I will test it further

sfjuocekr commented 1 year ago

I have yet to get injection working at all!

What firmware is actually loaded for you after make install-firmware?

Do:

dmesg | grep brcm
brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43436s-sdio for chip BCM43430/1
***
brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Jun 14 2023 07:27:45 version 7.45.96.s1 (gf031a129) FWID 01-70bd2af7 es7

As you can see, for me it tries to load the brcmfmac43436s-sdio.bin instead of the brcmfmac43436-sdio.bin that was put into place by make install-firmware.

I assume it would report back with version "9.88.4.65" if the correct firmware was loaded?

I tried replacing the firmware, but it won't work at all.
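An added diagnostic helper that automates the check described above. It is not code from this thread or from the nexmon project: it parses brcmfmac kernel-log lines to report which firmware file the driver requested, the firmware version banner, and whether a firmware crash or PSM watchdog message was logged, so a wrong firmware file (the `43436s` variant instead of `brcmfmac43436-sdio`) is spotted before any injection test. The sample log lines are constructed from messages quoted in this thread, the expected nexmon file name is taken from the thread, and the function names (`fw_requested`, `fw_version`, `fw_crashed`, `fw_is_nexmon_file`, `report`) are the example's own.

```shell
#!/bin/sh
# Added diagnostic helper: not part of nexmon or of this issue thread.
# Parses brcmfmac kernel-log lines and reports which firmware file the driver
# requested, the firmware version banner, and whether a firmware crash or PSM
# watchdog event was logged, so a mismatch like the one in this thread
# (brcmfmac43436s-sdio loaded instead of brcmfmac43436-sdio) is caught early.

# Constructed sample, assembled from messages quoted in the thread.
SAMPLE_DMESG=$(cat <<'EOF'
brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43436s-sdio for chip BCM43430/1
brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Jun 14 2023 07:27:45 version 7.45.96.s1 (gf031a129) FWID 01-70bd2af7 es7
ieee80211 phy0: brcmf_psm_watchdog_notify: PSM's watchdog has fired!
ieee80211 phy0: brcmf_fw_crashed: Firmware has halted or crashed
EOF
)

# Firmware file the driver requested in brcmf_fw_alloc_request (first hit), or "none".
fw_requested() {
    path=$(printf '%s\n' "$1" \
        | sed -n 's/.*brcmf_fw_alloc_request: using \([^ ]*\) for chip.*/\1/p' \
        | head -n 1)
    if [ -n "$path" ]; then printf '%s\n' "$path"; else printf 'none\n'; fi
}

# Version string from the brcmf_c_preinit_dcmds banner, or "none".
fw_version() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/.*brcmf_c_preinit_dcmds:.* version \([^ ]*\) .*/\1/p' \
        | head -n 1)
    if [ -n "$ver" ]; then printf '%s\n' "$ver"; else printf 'none\n'; fi
}

# Exit status 0 if the log contains a firmware crash or PSM watchdog message.
fw_crashed() {
    printf '%s\n' "$1" \
        | grep -Eq 'brcmf_fw_crashed: Firmware has halted or crashed|PSM.s watchdog has fired'
}

# Exit status 0 if the requested file is the one make install-firmware puts in
# place for this chip (brcmfmac43436-sdio, no trailing "s" in the name).
fw_is_nexmon_file() {
    case "$(fw_requested "$1")" in
        brcm/brcmfmac43436-sdio|brcm/brcmfmac43436-sdio.bin) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable summary of one log excerpt.
report() {
    log=$1
    printf 'firmware requested:   %s\n' "$(fw_requested "$log")"
    printf 'firmware version:     %s\n' "$(fw_version "$log")"
    if fw_is_nexmon_file "$log"; then
        printf 'nexmon firmware file: yes\n'
    else
        printf 'nexmon firmware file: no (driver requested a different file)\n'
    fi
    if fw_crashed "$log"; then
        printf 'crash/watchdog seen:  yes\n'
    else
        printf 'crash/watchdog seen:  no\n'
    fi
}

# Default: analyse the embedded sample. Pass "live" to read the running kernel log.
if [ "${1:-sample}" = live ]; then
    report "$(dmesg | grep brcm)"
else
    report "$SAMPLE_DMESG"
fi
```

Run it with no arguments to see the sample evaluated (it reports the `43436s` file, version 7.45.96.s1, and a crash); run it with `live` on the Pi after `modprobe brcmfmac` to check the real log. The file-name check is deliberately strict because, as the thread shows, the driver silently falls back to whichever matching file it finds under /lib/firmware/brcm/.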

aluminum-ice commented 1 year ago

Resolved by rebuilding nexmon from source