Bug 208483

Summary: mt76x0u packet injection not working on 5GHz channels
Product: Drivers
Reporter: Michael (ZeroBeat)
Component: network-wireless
Assignee: drivers_network-wireless (drivers_network-wireless)
Status: RESOLVED OBSOLETE
Severity: normal
CC: lorenzo.bianconi83
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.7.7
Subsystem:
Regression: No
Bisected commit-id:

Description Michael 2020-07-07 08:05:22 UTC
Packet injection on 5GHz is probably not working on mt76x0u devices, while 2.4GHz injection is working fine.

kernel:
5.7.7-arch1-1

tested devices:
Bus 005 Device 006: ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U]

Bus 005 Device 007: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter

2.4GHz injection test:
channels: 1,2,3,4,5,6,7,8,9,10,11,12,13
$ sudo hcxdumptool -i wlp39s0f3u1u1u2 -s 1 --check_injection
initialization...
starting packet injection test (that can take up to two minutes)...
packet injection is working!
ratio: 38 to 18 

terminating...


5GHz injection test:
channels: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
$ sudo hcxdumptool -i wlp39s0f3u1u1u2 -s 2 --check_injection
initialization...
starting packet injection test (that can take up to two minutes)...
warning: no PROBERESPONSE received - packet injection is probably not working!

terminating...

dmesg doesn't show an error:
[ 7778.671642] usb 5-1.1.2: USB disconnect, device number 8
[ 7782.506462] usb 5-1.1.2: new high-speed USB device number 9 using xhci_hcd
[ 7782.711427] usb 5-1.1.2: New USB device found, idVendor=0b05, idProduct=17d1, bcdDevice= 1.00
[ 7782.711429] usb 5-1.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 7782.711430] usb 5-1.1.2: Product: WiFi
[ 7782.711431] usb 5-1.1.2: Manufacturer: MediaTek
[ 7782.711432] usb 5-1.1.2: SerialNumber: 1.0
[ 7782.899864] usb 5-1.1.2: reset high-speed USB device number 9 using xhci_hcd
[ 7783.094384] mt76x0u 5-1.1.2:1.0: ASIC revision: 76100002 MAC revision: 76502000
[ 7783.803449] audit: type=1131 audit(1594108631.465:369): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-rfkill comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 7784.121190] mt76x0u 5-1.1.2:1.0: EEPROM ver:02 fae:01
[ 7784.152801] ieee80211 phy11: Selected rate control algorithm 'minstrel_ht'
[ 7784.172411] mt76x0u 5-1.1.2:1.0 wlp39s0f3u1u1u2: renamed from wlan0
...
hcxdumptool start:
[ 7791.943188] device wlp39s0f3u1u1u2 entered promiscuous mode
...
hcxdumptool stop:
[ 7797.627678] device wlp39s0f3u1u1u2 left promiscuous mode
...

Wireshark shows outgoing 5GHz packets, but they are not transmitted over the air by the interface.

Devices are connected to a USB2 hub, due to an xhci issue on USB3 as reported here:
https://bugzilla.kernel.org/show_bug.cgi?id=202541

hcxdumptool is available here (latest version):
https://github.com/ZerBea/hcxdumptool
or via the distribution's package manager.
Comment 1 Michael 2020-07-07 10:02:49 UTC
This is the standard Radiotap Header used by hcxdumptool:

static const uint8_t hdradiotap[] =
{
0x00, 0x00, /* radiotap version and padding */
0x0e, 0x00, /* radiotap header length */
0x06, 0x8c, 0x00, 0x00, /* bitmap */
0x02, /* flags */
0x02, /* rate */
0x14, /* tx power */
0x01, /* antenna */
0x08, 0x00 /* tx flags */
};
#define HDRRT_SIZE sizeof(hdradiotap)

All ioctl() system calls (SIOCGIFFLAGS, SIOCSIFFLAGS, SIOCGIWMODE, SIOCSIWMODE, SIOCGIWFREQ, SIOCSIWFREQ) are working as expected. hcxdumptool is running a PF_PACKET - SOCK_RAW socket.
Comment 2 Lorenzo Bianconi 2020-07-09 20:35:58 UTC
(In reply to Michael from comment #0)

Hi Michael,

Can you please double check you have configured a regdomain that allows active scanning @ 5GHz?

[~/workspace/hcxdumptool]$ sudo iw reg set US
[~/workspace/hcxdumptool]$ sudo iw reg get
global
country US: DFS-FCC
        (2402 - 2472 @ 40), (N/A, 30), (N/A)
        (5170 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW
        (5250 - 5330 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW
        (5490 - 5730 @ 160), (N/A, 23), (0 ms), DFS
        (5735 - 5835 @ 80), (N/A, 30), (N/A)
        (57240 - 71000 @ 2160), (N/A, 40), (N/A)

[~/workspace/hcxdumptool]$ sudo ./hcxdumptool -i wlp0s4u1 -s 2 --check_injection
initialization...
[  851.926217] IPv6: ADDRCONF(NETDEV_CHANGE): wlp0s4u1: link becomes ready
[  851.961037] device wlp0s4u1 entered promiscuous mode
starting packet injection test (that can take up to two minutes)...
packet injection is working!
ratio: 24 to 13 

terminating...
[  858.457865] device wlp0s4u1 left promiscuous mode

[~/workspace/hcxdumptool]$ sudo iw reg set 00
[~/workspace/hcxdumptool]$ sudo iw reg get
global
country 00: DFS-UNSET
        (2402 - 2472 @ 40), (N/A, 20), (N/A)
        (2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
        (2474 - 2494 @ 20), (N/A, 20), (N/A), NO-OFDM, PASSIVE-SCAN
        (5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
        (5250 - 5330 @ 80), (N/A, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
        (5490 - 5730 @ 160), (N/A, 20), (0 ms), DFS, PASSIVE-SCAN
        (5735 - 5835 @ 80), (N/A, 20), (N/A), PASSIVE-SCAN
        (57240 - 63720 @ 2160), (N/A, 0), (N/A)

[~/workspace/hcxdumptool]$ sudo ./hcxdumptool -i wlp0s4u1 -s 2 --check_injection
initialization...
[  908.610232] IPv6: ADDRCONF(NETDEV_CHANGE): wlp0s4u1: link becomes ready
[  908.650314] device wlp0s4u1 entered promiscuous mode
starting packet injection test (that can take up to two minutes)...
warning: no PROBERESPONSE received - packet injection is probably not working!

terminating...
[  915.588560] device wlp0s4u1 left promiscuous mode
[~/workspace/hcxdumptool]$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U]
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub


Regards,
Lorenzo
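
The regdomain check requested in comment 2, as an added example that is not part of the bug report or of hcxdumptool: it parses `iw reg get` output and lists the 5GHz channels that fall under a PASSIVE-SCAN rule or under no rule at all. The function names are hypothetical, and accepting NO-IR as an equivalent flag is an assumption about other iw versions.

```python
import re

# 5 GHz rules copied from the two `iw reg get` outputs in comment 2.
REG_US = """country US: DFS-FCC
        (5170 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW
        (5250 - 5330 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW
        (5490 - 5730 @ 160), (N/A, 23), (0 ms), DFS
        (5735 - 5835 @ 80), (N/A, 30), (N/A)
"""
REG_00 = """country 00: DFS-UNSET
        (5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
        (5250 - 5330 @ 80), (N/A, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
        (5490 - 5730 @ 160), (N/A, 20), (0 ms), DFS, PASSIVE-SCAN
        (5735 - 5835 @ 80), (N/A, 20), (N/A), PASSIVE-SCAN
"""
# 5 GHz channel list from the bug description (hcxdumptool -s 2).
CHANNELS_5GHZ = [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120,
                 124, 128, 132, 136, 140, 149, 153, 157, 161, 165]

# "(start - end @ bw), (gain, eirp), (cac)" followed by optional ", FLAG" items.
RULE = re.compile(r"\((\d+) - (\d+) @ \d+\), \([^)]*\), \([^)]*\)(.*)")
# PASSIVE-SCAN is what the outputs above print; NO-IR is an assumed alternative.
NO_TX_FLAGS = {"PASSIVE-SCAN", "NO-IR"}

def parse_rules(reg_text):
    """Return [(start_mhz, end_mhz, {flags})] for every rule line."""
    rules = []
    for m in RULE.finditer(reg_text):
        flags = {f.strip() for f in m.group(3).split(",") if f.strip()}
        rules.append((int(m.group(1)), int(m.group(2)), flags))
    return rules

def channel_flags(reg_text, channel, width=20):
    """Flags of the rule that contains the whole 20 MHz channel, else None."""
    centre = 5000 + 5 * channel          # 5 GHz band: ch 36 -> 5180 MHz
    lo, hi = centre - width // 2, centre + width // 2
    for start, end, flags in parse_rules(reg_text):
        if start <= lo and hi <= end:
            return flags
    return None

def passive_only(reg_text, channels):
    """Channels with no covering rule or with a no-transmit flag on their rule."""
    flags = {ch: channel_flags(reg_text, ch) for ch in channels}
    return [ch for ch in channels if flags[ch] is None or flags[ch] & NO_TX_FLAGS]

if __name__ == "__main__":
    for name, text in (("US", REG_US), ("00", REG_00)):
        print(name, "passive-only 5GHz channels:", passive_only(text, CHANNELS_5GHZ))
```

On a live system the same functions can be fed the captured text of `iw reg get` instead of the embedded samples.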
Comment 3 Michael 2020-07-09 21:14:50 UTC
Hi Lorenzo.
Thanks for your reply and test. 


$ iw reg get
global
country US: DFS-FCC
	(2400 - 2483 @ 40), (N/A, 30), (N/A)
	(5150 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW
	(5250 - 5350 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW
	(5470 - 5730 @ 160), (N/A, 23), (0 ms), DFS
	(5730 - 5850 @ 80), (N/A, 30), (N/A)
	(57240 - 71000 @ 2160), (N/A, 40), (N/A)

$ sudo hcxdumptool -i wlp3s0f0u2 --check_injection -s 2
initialization...
starting packet injection test (that can take up to two minutes)...
warning: no PROBERESPONSE received - packet injection is probably not working!

terminating...

Now it looks more like a CRDA issue than a driver issue:
$ cat /sys/module/cfg80211/parameters/ieee80211_regdom
00

Please close this issue report, I'll do some more investigation.

Thanks.
Regards
Mike
Comment 4 Michael 2020-07-10 09:47:48 UTC
@lorenzo
At least you pointed me in the right direction. The regulatory domain is no longer ignored and everything is working as expected.
Now I am thinking about setting the regulatory domain from hcxdumptool (not by iw and without using NETLINK messages).

BTW:
The mt76 driver code is amazing and impressive. Everything is working like a charm. You're doing a great job, maintaining this driver.

Regards
Mike