Injection in monitor mode (airjack)

KoreK · 09-11-2004

I adapted wlan-ng to work like airjack, but I am kind of stuck with a nasty problem. Injection works, but whenever the packet gets ack'ed, the transmission rate drops to less than a packet per second. I tried different firmwares, I also tried airjack and got the same problem. Has anybody got good results with airjack, or injection in monitor mode against an AP?

Hardware: MA401, component ID 800c, sec firmware 1.0.3/1.3.6/1.4.9/1.7.4/1.8.3

KoreK · 09-12-2004

Got a solution. Use "transmit exception suppression" mode (0x0a) instead of "monitor" mode (0x0b). You lose the ack frames, but transmission works fine. Now chopchop takes 1m40s to crack a 62 byte ARP packet (and the associated 58-byte PRGA).

If you encounter the same problem with airjack, just replace 0x0b by 0x0a in the following line in airjack.h:
#define HFA384X_MONITOR_ENABLE ((__u16)(0x0b))
Note that with wlan-ng, I need to set up monitor,do a dot11req_reset, then set up monitor once more. After that everything is a peach.

Even though days seem to take weeks, chopchop should be out very soon. I'll also check airjack.

Notice: Some testmodes can damage your card, so beware.

devine · 09-13-2004

Quote:

Originally Posted by KoreK

Got a solution. Use "transmit exception suppression" mode (0x0a) instead of "monitor" mode (0x0b). You lose the ack frames, but transmission works fine. Now chopchop takes 1m40s to crack a 62 byte ARP packet (and the associated 58-byte PRGA).

If you encounter the same problem with airjack, just replace 0x0b by 0x0a in the following line in airjack.h:
#define HFA384X_MONITOR_ENABLE ((__u16)(0x0b))
Note that with wlan-ng, I need to set up monitor,do a dot11req_reset, then set up monitor once more. After that everything is a peach.

Even though days seem to take weeks, chopchop should be out very soon. I'll also check airjack.

Notice: Some testmodes can damage your card, so beware.

Great job, well done

Can your modifications be applied to hostap as well ?

sylvain · 09-13-2004

great job Korek, I really have to buy a prism2 card !!

Tubez · 09-21-2004

Devine is raising an interesting point. Are your changes are wlan-ng specific or can any driver be patched in a similar manner? I took a look at the patches and, while more complex than the hostap one that is bundled with aireplay, it looks rather (deceptively?) simple. Are you relying on wlan-ng specific functionality in the chopchop app as well?
Because if you tell us it's not too hard and reusable, well, there might be some interest from some parties (like, I dunno, devine and I) to give patching other systems a shot (hostap and madwifi?).

On the other hand, if the specifics of the card/driver permeate all through the application code, then it's not as advantageous and I might just as well run out and get myself a prism2 on the side

KoreK · 09-21-2004

Quote:

Originally Posted by Tubez

Devine is raising an interesting point. Are your changes are wlan-ng specific or can any driver be patched in a similar manner? I took a look at the patches and, while more complex than the hostap one that is bundled with aireplay, it looks rather (deceptively?) simple. Are you relying on wlan-ng specific functionality in the chopchop app as well?
Because if you tell us it's not too hard and reusable, well, there might be some interest from some parties (like, I dunno, devine and I) to give patching other systems a shot (hostap and madwifi?).

On the other hand, if the specifics of the card/driver permeate all through the application code, then it's not as advantageous and I might just as well run out and get myself a prism2 on the side

It's prism2 specific. It relies on a testmode specific to the firmware. I don't know anything about other chipsets (madwifi = atheros, does it have a firmware?). It should work with hostap, but hostap is fucked up. Injection works, but monitor is half broken, unicast packets are dropped (I worked on it, and giving it another 24 hours - if anybody wants the incomplete patch, send me a message).
Nice thing about wlan-ng is that the module is just an interface to the firmware. What you type on the command line (wlanctl-ng, wlancfg) are the firmware commands. Hostap does a whole lot of initialization by default, and breaks the testmode. It's not like those were designed to be reliable anyway...
BTW, stay away from 0.2.1-pre20 (it's an half-finished dev module), as it tends to kernel-panic when you remove an active card... Though I did not test 0.2.0 that much, it should be more stable.

KoreK · 09-21-2004

Ok, cleared things up, and hostap still screws things up. Monitoring is now OK, but injection fails after a few packets (that does not happen with wlan-ng). I might have missed something obvious (it's my second kernel patch), but I think that hostap is too broken to use in monitor/injection mode. Fine tool to drive an AP, maybe, lousy to modify, probably. Has anybody counted the number of element in the local struct? Over 140 elements. KISS, anybody? For the moment, I am going to stick to wlan, see what the firmware can do... If anybody wants to give it a try, and needs my (broken) patch, send me a message.

Tubez · 09-22-2004

I'm not sure what the anatomy of the atheros card is exactly, but the driver has no explicit firmware files. I'm guessing it uploads code that is compiled in the drivers, either in the open part or in the closed source "HAL". Firmwareless operation for such a complex device would be at least a bit silly from an engineering standpoint. You can't talk to it without goign through the HAL though.

At any rate it is capable to emitting arbitrary frames with the wilpackets drivers, but at least with airopeek it cannot capture at the same time. Whether that's a failure of the card or of the program, i can't tell without additional work. For the moment I fear the worst

Anyway, thanks for the off-topic aside

rips123 · 10-11-2004

Quote:

It should work with hostap, but hostap is fucked up. Injection works, but monitor is half broken, unicast packets are dropped (I worked on it, and giving it another 24 hours - if anybody wants the incomplete patch, send me a message).

If this hasn't been looked at yet, I wouldn't mind having a go. Could you send me your half-finished patch? I'll try and compare it to what goes on in wlan-ng.

09-11-2004	#1 (permalink)
KoreK Banned in DC Join Date: Jul 2004 Posts: 102	Injection in monitor mode (airjack) I adapted wlan-ng to work like airjack, but I am kind of stuck with a nasty problem. Injection works, but whenever the packet gets ack'ed, the transmission rate drops to less than a packet per second. I tried different firmwares, I also tried airjack and got the same problem. Has anybody got good results with airjack, or injection in monitor mode against an AP? Hardware: MA401, component ID 800c, sec firmware 1.0.3/1.3.6/1.4.9/1.7.4/1.8.3

09-12-2004	#2 (permalink)
KoreK Banned in DC Join Date: Jul 2004 Posts: 102	Got a solution. Use "transmit exception suppression" mode (0x0a) instead of "monitor" mode (0x0b). You lose the ack frames, but transmission works fine. Now chopchop takes 1m40s to crack a 62 byte ARP packet (and the associated 58-byte PRGA). If you encounter the same problem with airjack, just replace 0x0b by 0x0a in the following line in airjack.h: #define HFA384X_MONITOR_ENABLE ((__u16)(0x0b)) Note that with wlan-ng, I need to set up monitor,do a dot11req_reset, then set up monitor once more. After that everything is a peach. Even though days seem to take weeks, chopchop should be out very soon. I'll also check airjack. Notice: Some testmodes can damage your card, so beware. Last edited by KoreK : 09-12-2004 at 05:42 PM.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

09-13-2004	#4 (permalink)
sylvain Wireless Auditor Join Date: Jun 2004 Location: Paris, France Posts: 175	great job Korek, I really have to buy a prism2 card !!

09-21-2004	#5 (permalink)
Tubez Registered Member Join Date: Sep 2004 Posts: 8	Devine is raising an interesting point. Are your changes are wlan-ng specific or can any driver be patched in a similar manner? I took a look at the patches and, while more complex than the hostap one that is bundled with aireplay, it looks rather (deceptively?) simple. Are you relying on wlan-ng specific functionality in the chopchop app as well? Because if you tell us it's not too hard and reusable, well, there might be some interest from some parties (like, I dunno, devine and I) to give patching other systems a shot (hostap and madwifi?). On the other hand, if the specifics of the card/driver permeate all through the application code, then it's not as advantageous and I might just as well run out and get myself a prism2 on the side

09-21-2004	#7 (permalink)
KoreK Banned in DC Join Date: Jul 2004 Posts: 102	Ok, cleared things up, and hostap still screws things up. Monitoring is now OK, but injection fails after a few packets (that does not happen with wlan-ng). I might have missed something obvious (it's my second kernel patch), but I think that hostap is too broken to use in monitor/injection mode. Fine tool to drive an AP, maybe, lousy to modify, probably. Has anybody counted the number of element in the local struct? Over 140 elements. KISS, anybody? For the moment, I am going to stick to wlan, see what the firmware can do... If anybody wants to give it a try, and needs my (broken) patch, send me a message.

09-22-2004	#8 (permalink)
Tubez Registered Member Join Date: Sep 2004 Posts: 8	I'm not sure what the anatomy of the atheros card is exactly, but the driver has no explicit firmware files. I'm guessing it uploads code that is compiled in the drivers, either in the open part or in the closed source "HAL". Firmwareless operation for such a complex device would be at least a bit silly from an engineering standpoint. You can't talk to it without goign through the HAL though. At any rate it is capable to emitting arbitrary frames with the wilpackets drivers, but at least with airopeek it cannot capture at the same time. Whether that's a failure of the card or of the program, i can't tell without additional work. For the moment I fear the worst Anyway, thanks for the off-topic aside