cnss_pci: Unexpected behavior of the tool

[BobNich]

Hello, @ZerBea !

I encountered an incomprehensible behavior of the tool.

• Version: hcxdumptool-6.2.9

• Driver: cnss_pci

• Protocol: netlink

• Some Wireless Extensions are unavailable

The interface is in managed mode:

# iw dev
phy#0
        Interface wifi-aware0
                ifindex 23
                wdev 0x3
                addr d2:49:7c:25:bf:b8
                type NAN
        Interface p2p0
                ifindex 22
                wdev 0x2
                addr d2:49:7c:24:bf:b8
                type managed
        Interface wlan0
                ifindex 21
                wdev 0x1
                addr 5e:ef:f7:78:88:88
                type managed

Switching to monitor mode via:

# ip link set wlan0 down
# echo 4 > /sys/module/wlan/parameters/con_mode
# ip link set wlan0 up

# iw dev
phy#0
        Interface wlan0
                ifindex 36
                wdev 0x10
                addr d0:49:7c:a2:bf:b8
                type monitor
                txpower 0.00 dBm

After switching to monitor mode:

# hcxdumptool -I
wlan interfaces:

As I see in src, wlan0 is not visible because this system call fails:

if(ioctl(fd_info, SIOCGIWNAME, &iwr) < 0)
	{
#ifdef DEBUG
	fprintf(stdout, "testing %s %s\n", ifname, drivername);
	perror("not a wireless interface");
#endif
	close(fd_info);
	return false;
	}

And after this run f.e.:

# hcxdumptool -i wlan0 --check_driver

This is a penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
Don't report bugs if this tool does exactly what it was coded to do!

initialization of hcxdumptool 6.2.9 (depending on the capabilities of the device, this may take some time)...
starting driver test...
failed to detect wlan interface: Operation not supported
warning: failed to init socket

terminating...
1 driver error encountered
usually this error is related to pselect() after SIGTERM has been received
ERRORs < 10 are related to a slow initialization and can be ignored
failed to restore old SIOCSIWMODE: No such device
failed to restore old SIOCSIFFLAGS and to bring interface up: No such device

The behavior is logical.

BUT!

After this run:

# hcxdumptool -I
wlan interfaces:
phy0    d0497ca2bfb8    wlan0   (driver:cnss_pci)

Why wlan0 is visible now?

After reviewing the src, it became clear that if a socket is created in opensocket()
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)
then later wlan0 becomes visible to the tool.

[ZerBea]

hcxdumptool <= 6.2.9 depend on WIRELESS EXTENSIONS. They are called via ioctl() system calls. If this calls are not available, hcxdumptool will not work as expected.
The RAW socket is only created if the system call is successful.
By using a third party tool to set monitor mode (like iw) you skip this check. As a result hcxdumptool will show the interface, now.
But be sure hcxdumptool will not work as expected.

This is not an unexpected behavior (because all tests are skipped) and it is mentioned in help first section (usage):

        do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
        do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) 

I started to remove WIRELESS EXTENSIONS from hcxdumptool and move to NL80211.
The old WIRELESS EXTENSION version and the new NL80211 version set monitor mode by internal functions.
The old version by WIRELESS EXTENSIONS
The new version by RTNETLINK and NL80211
If that failed both version will not start.
As mentioned above, running a third party tool (which is not recommended) this check is skipped and you run into "an unexpected behavior" as you mentioned above.

You can try latest git head, but I guess it will not work, too, if the driver does not support an AF_PACKET SOCK_RAW and an AF_NETLINK SOCK_RAW, e.g. as commented here:
#251

[ZerBea]

Please compile latest git head and comment output if
$ hcxdumptool -L
and
$ hcxdumptool -I interfacename
where interfacename is the name of the interface on which you will run hcxdumptool.

Do not use a third party tool to bring interface up/down or to set monitor mode, because that skip the internal tests.

[BobNich]

# hcxdumptool -L

Requesting interface capabilities. This may take some time.
Please be patient...


available wlan devices:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0  21 000000000000 02eb96779b31 + wlan0            cnss_pci (NETLINK & WIRELESS EXTENSIONS)

* active monitor mode available
+ monitor mode available
- no monitor mode available

# hcxdumptool -I wlan0             

Requesting interface capabilities. This may take some time.
Please be patient...


interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0  21 000000000000 02eb96779b31 + wlan0            cnss_pci (NETLINK & WIRELESS EXTENSIONS)


available frequencies: frequency [channel] tx-power of Regulatory Domain: 00

  2412 [  1] 30.0 dBm     2417 [  2] 30.0 dBm     2422 [  3] 30.0 dBm     2427 [  4] 30.0 dBm
  2432 [  5] 30.0 dBm     2437 [  6] 30.0 dBm     2442 [  7] 30.0 dBm     2447 [  8] 30.0 dBm
  2452 [  9] 30.0 dBm     2457 [ 10] 30.0 dBm     2462 [ 11] 30.0 dBm     2467 [ 12] 30.0 dBm
  2472 [ 13] 30.0 dBm     2484 [ 14] disabled     5180 [ 36] 30.0 dBm     5200 [ 40] 30.0 dBm
  5220 [ 44] 30.0 dBm     5240 [ 48] 30.0 dBm     5260 [ 52] 30.0 dBm     5280 [ 56] 30.0 dBm
  5300 [ 60] 30.0 dBm     5320 [ 64] 30.0 dBm     5500 [100] 30.0 dBm     5520 [104] 30.0 dBm
  5540 [108] 30.0 dBm     5560 [112] 30.0 dBm     5580 [116] 30.0 dBm     5600 [120] 30.0 dBm
  5620 [124] 30.0 dBm     5640 [128] 30.0 dBm     5660 [132] 30.0 dBm     5680 [136] 30.0 dBm
  5700 [140] 30.0 dBm     5720 [144] 30.0 dBm     5745 [149] 30.0 dBm     5765 [153] 30.0 dBm
  5785 [157] 30.0 dBm     5805 [161] 30.0 dBm     5825 [165] 30.0 dBm     5845 [169] disabled
  5865 [173] disabled

bye-bye

[ZerBea]

This is the (old) way like deprecated hcxdumptool (WIRELESS EXTENSION version )handling monitor mode:

1. check presence of WIRELESS EXTENSIONS via ioctl(WIRELESS EXTENSIONS) system call
2. get hardware MAC via ioctl(ETHTOOL) system call
3. set interface down via ioctl() system call
4. set monitor mode via ioctl(WIRELESS EXTENSIONS) system call
5. check supported frequencies via ioctl(WIRELESS EXTENSIONS) system call
6. set interface up via ioctl() system call
7. use ioctl(WIRELESS EXTENSIONS) system calls to control interface / use PF_PACKET raw socket to send frames to the interface and to receive frames from the interface

This ioctl(WIRELESS EXTENSIONS) are deprecated and they will not receive new features.
That is the major reason to drop WIRELESS EXTENSIONS and to move to NL80211.

This is the way like latest hcxdumtool (NL80211 version )handling monitor mode:

1. check presence of NL80211
2. get hardware MAC via RTNETLINK
3. get interface capabilities via NL80211
4. set interface down via RTNETLINK
5. set monitor mode via NL80211 and activate active monitor mode if supported by the interface/driver
6. set interface up via RTNETLINK
7. use NL80211 to control interface / use PF_PACKET raw socket to send frames to the interface and to receive frames from the interface

It is mandatory that the driver support all steps (1..6).

[BobNich]

Thank you. I understand the reason for switching to nl80211.
Unfortunately, the current netlink based version of hcxdumptool does not work on my device either.

If the interface is in managed mode an error occurs in nl_set_monitormode() function:

# hcxdumptool -i wlan0

Requesting interface capabilities. This may take some time.
Please be patient...

failed to arm interface

2 errors during runtime

bye-bye

If in monitor via

# ip link set wlan0 down
# echo 4 > /sys/module/wlan/parameters/con_mode
# ip link set wlan0 up

then

# hcxdumptool -i wlan0

Requesting interface capabilities. This may take some time.
Please be patient...

failed to arm interface

2 errors during runtime

bye-bye

in rt_set_interfacemac(void) function or more precisely in

if((write(fd_socket_rt, nltxbuffer, i)) != i) {
	return false;
}

[ZerBea]

Thanks for the comments.

If you take a look at this line:
0 21 000000000000 02eb96779b31 + wlan0 cnss_pci (NETLINK & WIRELESS EXTENSIONS)
You'll notice that the RTNETLINK call to get the hardware MAC failed.
That is step 2 (get hardware MAC via RTNETLINK) of the list.
I'm sure, that steps 3 to 6 will fail, too.

As I mentioned here:
#251
Neither the old version nor the new version of hcxdumptool will work on this driver.
Looks like the NETLINK features are very limited on this driver.

[ZerBea]

Most of the functions of hcxdumptool require an up-to-date kernel.
E.g. the function to get the hardware MAC address (IFLA_PERM_ADDRESS) is present since kernel 5.5
The same applies to other features, too.

What is the version of your installed kernel.

My recommendation (from README.md Requirements section) is at least kernel 5.15:
operating system: Linux distribution, Kernel >= 5.15

[ZerBea]

Maybe this will work:
git clone leatest version
starting with this line hcxdumptool set some init values
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L3647

f(ifaktfrequencylist == NULL) return false;
if(rt_set_interface(0) == false) return false;
if(rt_set_interfacemac() == false) return false;
if(nl_set_monitormode() == false) return false;
if(rt_set_interface(IFF_UP) == false) return false;
nl_set_powersave_off();
if(nl_get_interfacestatus() == false) return false;
if(rt_get_interfacestatus() == false) return false;

Now comment this lines:

//if(rt_set_interface(0) == false) return false;
//if(rt_set_interfacemac() == false) return false;
//if(nl_set_monitormode() == false) return false;
//if(rt_set_interface(IFF_UP) == false) return false;

set monitor mode

ip link set wlan0 down
echo 4 > /sys/module/wlan/parameters/con_mode
ip link set wlan0 up

Steps 2 -> 6 are now disabled and hcxdumptool accept that third party tool has set monitor mode.
Unfortunately we can't disable step 7 because it is mandatory to control the interface and to send/receive packets.

Run hcxdumptool on wlan0 and let's see what happens.

[BobNich]

You were right about the raw packet socket.

# hcxdumptool -i wlan0 

Requesting interface capabilities. This may take some time.
Please be patient...


interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0  24 000000000000 d0497ca2bfb8 + wlan0            cnss_pci (NETLINK)


available frequencies: frequency [channel] tx-power of Regulatory Domain: 00

  2412 [  1] 30.0 dBm     2417 [  2] 30.0 dBm     2422 [  3] 30.0 dBm     2427 [  4] 30.0 dBm
  2432 [  5] 30.0 dBm     2437 [  6] 30.0 dBm     2442 [  7] 30.0 dBm     2447 [  8] 30.0 dBm
  2452 [  9] 30.0 dBm     2457 [ 10] 30.0 dBm     2462 [ 11] 30.0 dBm     2467 [ 12] 30.0 dBm
  2472 [ 13] 30.0 dBm     2484 [ 14] disabled     5180 [ 36] 30.0 dBm     5200 [ 40] 30.0 dBm
  5220 [ 44] 30.0 dBm     5240 [ 48] 30.0 dBm     5260 [ 52] 30.0 dBm     5280 [ 56] 30.0 dBm
  5300 [ 60] 30.0 dBm     5320 [ 64] 30.0 dBm     5500 [100] 30.0 dBm     5520 [104] 30.0 dBm
  5540 [108] 30.0 dBm     5560 [112] 30.0 dBm     5580 [116] 30.0 dBm     5600 [120] 30.0 dBm
  5620 [124] 30.0 dBm     5640 [128] 30.0 dBm     5660 [132] 30.0 dBm     5680 [136] 30.0 dBm
  5700 [140] 30.0 dBm     5720 [144] 30.0 dBm     5745 [149] 30.0 dBm     5765 [153] 30.0 dBm
  5785 [157] 30.0 dBm     5805 [161] 30.0 dBm     5825 [165] 30.0 dBm     5845 [169] disabled
  5865 [173] disabled


scan frequencies: frequency [channel] of Regulatory Domain: 00

  2412 [  1]      2437 [  6]      2462 [ 11]
failed to open raw packet socket

1 errors during runtime

bye-bye

[BobNich]

I tried the same command again immediately after the first attempt:

# hcxdumptool -i wlan0

Requesting interface capabilities. This may take some time.
Please be patient...

failed to arm interface

2 errors during runtime

bye-bye

[ZerBea]

Ok, thanks for testing that.

Unfortunately this "failed to open raw packet socket" is definitely the end of the tests.
The raw packet socket (step 7) is mandatory. It looks like this driver is not suitable for hcxdumptool.

[BobNich]

This may not be relevant to the current discussion, but I'll tell you what I'm trying to accomplish.

I was trying to rewrite the function that works through ioctl() to a function that works with the netlink protocol to set the channel/frequency interface, because that was what was preventing the program from working properly.

This was also said here: #192 (comment)

However, after rewriting it turned out that in the process_packet() function, when trying to get a message from a socket

packetlen = recvfrom(fd_socket, epb +EPB_SIZE, PCAPNG_MAXSNAPLEN, 0, NULL, NULL);

The length of the message turns out to be < 0.

This seemed strange to me, since the fd_socket assignment check succeeds. What could prevent the socket from processing the packets?

if((fd_socket = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) < 0)
    {
    perror("socket failed");
    return false;
    }

As I understand it, in the case of my driver this will not work. And because of the setting the monitor mode through third-party utilities, the behavior of the program and socket operation becomes unpredictable. Am I right?

[ZerBea]

It looks like creating raw sockets running Android is not possible.
I found several comments like this one:
https://www.quora.com/How-do-I-create-a-raw-socket-in-Android?share=1

How do I create a raw socket in Android?
You can't.

or this one:
https://android-developers.narkive.com/BK5uGK4f/android-ndk-raw-socket-creation-problem

or this one:
https://programmersought.com/article/75771904462/

or this one:
https://stackoverflow.com/questions/44974357/access-to-raw-sockets-in-android-instrumented-tests

or this one:
https://stackoverflow.com/questions/12162069/sending-a-raw-packet-to-a-networkinterface-in-android-doesnt-work

[BobNich]

It looks strange.
My device is obviously rooted.

And it also works fine with airodump-ng, which, if I understand correctly, also uses raw socket:

https://github.com/aircrack-ng/aircrack-ng/blob/2c8ff3f517a4e5692536d08b9b99360c86e49a52/lib/osdep/linux.c#L1812

[ZerBea]

"As I understand it, in the case of my driver this will not work. And because of the setting the monitor mode through third-party utilities, the behavior of the program and socket operation becomes unpredictable. Am I right?"

Looks like it is a combination of Android behavior and the driver (monitor mode by con_mode=4 and not by NL80211).
Even if you set monitor mode by con_mode=4 (successfully) it is not possible to create a raw socket to control the interface and to receive / send packets.

[BobNich]

"Even if you set monitor mode by con_mode=4 (successfully) it is not possible to create a raw socket to control the interface and to receive / send packets"

That seems to be the answer to all the questions that have arisen.

It might be worth doing more tests. After testing, I will post the results here.

[ZerBea]

Please use latest git head of hcxdumptool of hcxdumptool, because socket handling is completely different to the WIRELESS EXTENSION version.
We now have 5 different sockets:
PF_PACKET SOCK_RAW -> TX
PF_PACKET SOCK_RAW -> RX
AF_NETLINK SOCK_RAW -> NETLINK_ROUTE
AF_NETLINK SOCK_RAW -> GENERIC_NETLINK
AF_UNIX SOCK_DGRAM -> check presence of WIRELESS EXTENSIONS

BTW:
you mentioned airodump-ng = passive tool that receive only
is aireplay-ng (= active tool sending packets) working, too

[BobNich]

Is that what you're asking?

With monitor mode enabled:

# aireplay-ng --test wlan0
13:40:49  Trying broadcast probe requests...
13:40:50  No Answer...
13:40:50  Found 0 APs

Without:

# aireplay-ng --test wlan0
ioctl(SIOCSIWMODE) failed: Operation not supported
ioctl(SIOCSIWMODE) failed: Operation not supported
Error setting monitor mode on wlan0

[ZerBea]

Thanks.
As you can see, aireplay-ng is not able to transmit. Either no packet is transmitted
13:40:49 Trying broadcast probe requests...
13:40:50 No Answer...
13:40:50 Found 0 APs

or you get an ERROR similar to hcxdumptool (WIRELESS EXTENSION version):
ioctl(SIOCSIWMODE) failed: Operation not supported

Android doesn't alow you to send raw packets.

While the aircrack-ng suite is divided into several tools (e.g. airodump-ng = receive, aireplay-ng = transmit), transmit and receive functions are part of hcxdumptool. If this functions (control, receive and transmit) are not working, hcxdumptool will terminated.

[BobNich]

Thank you for your help and for supporting the community so well. Again ;)

[ZerBea]

No problem, you're welcome.

BTW:
Unfortunately, you can't compare aircrack-ng to hcxdumptool.
The passive dumper (airodump-ng) will work, the active tool (aireplay-ng) doesn't.

Some options may look similar, but they are not. The engine is completely different.
hcxdumptool is interactive. It combine a passive part (reception) and an active part (transmission). You can't have one without the other. As a result, if one init failed, hcxdumptool will not start.

[ZerBea]

By latest commit, I added Qualcomm chipsets to the list of not recommended interfaces, because they don't support frame injection:

Known bugs/limitations
* packet injection isn't supported yet

https://wireless.wiki.kernel.org/en/users/Drivers/ath10k

The same applies to Android (cnss).