[PATCH] Working packet injection patch for ipw2200 - enables aireplay-ng and others to work

[PATCH] Working packet injection patch for ipw2200 - enables aireplay-ng and others to work

[Paul]

[-- Attachment #1: Type: text/plain, Size: 904 bytes --]

I made this patch using bits and pieces from various other "ipw2200
injection patches".  I can not take credit for the content, as I
basically just changed the line numbers in the .diff files.  However I
applied this patch to the version of ipw2200 included in kernel
2.6.27-rc6  (i believe it's ipw2200-1.2.2) and it worked like a charm.

Previously I was unable to inject wifi packets using aireplay-ng due
to this error:

"ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211 or
ARPHRD_IEEE80211_PRISM instead.  Make sure RFMON is enabled: run
'ifconfig wifi0 up; iwconfig wifi0 mode Monitor channel <#>' Sysfs
injection support was not found either."

However, after switching to Monitor mode, even though aireplay would
ACT AS IF it was working, it wasn't.

After applying this patch, everything worked great.

I don't see why this patch isnt already included in ipw2200.

Thanks,
- Paul

[-- Attachment #2: ipw2200-1.2.2-inject-patch.patch --]
[-- Type: application/octet-stream, Size: 3769 bytes --]

--- drivers/net/wireless/ipw2200.c	2008-09-09 19:27:49.000000000 -0400
+++ drivers/net/wireless/ipw2200-new.c	2008-09-27 15:48:03.000000000 -0400
@@ -179,7 +179,7 @@ static int ipw_queue_reset(struct ipw_pr
 
 static int ipw_queue_tx_hcmd(struct ipw_priv *priv, int hcmd, void *buf,
 			     int len, int sync);
-
+static int ipw_tx_skb(struct ipw_priv *priv, struct ieee80211_txb *txb, int pri);
 static void ipw_tx_queue_free(struct ipw_priv *);
 
 static struct ipw_rx_queue *ipw_rx_queue_alloc(struct ipw_priv *);
@@ -1862,6 +1862,62 @@ static ssize_t store_net_stats(struct de
 static DEVICE_ATTR(net_stats, S_IWUSR | S_IRUGO,
 		   show_net_stats, store_net_stats);
 
+/* SYSFS INJECT */
+static ssize_t store_inject(struct device *d,
+        struct device_attribute *attr,
+        const char *buf, size_t count)
+{
+        struct ipw_priv *priv = (struct ipw_priv *)d->driver_data;
+        struct ieee80211_device *ieee = priv->ieee;
+        struct ieee80211_txb * txb;
+        struct sk_buff *skb_frag;
+        unsigned char * newbuf;
+        unsigned long flags;
+
+        // should test (ieee->is_queue_full)
+
+        // Fw only accepts data, so avoid accidental fw errors.
+        if ( (buf[0]&0x0c) != '\x08') {
+              //printk("ipw2200: inject: discarding non-data frame (type=%02X)\n",(int)(unsigned char)buf[0]);
+              return count;
+        }
+
+        if (count>1500) {
+              count=1500;
+              printk("ipw2200: inject: cutting down frame to 1500 bytes\n");
+        }
+
+        spin_lock_irqsave(&priv->lock, flags);
+
+        // Create a txb with one skb
+        txb = kmalloc(sizeof(struct ieee80211_txb) + sizeof(u8 *), GFP_ATOMIC);
+        if (!txb)
+              goto nosepuede;
+        txb->nr_frags=1;
+        txb->frag_size = ieee->tx_headroom;
+        txb->fragments[0]=__dev_alloc_skb(count + ieee->tx_headroom, GFP_ATOMIC);
+        if (!txb->fragments[0]) {
+              kfree(txb);
+              goto nosepuede;
+        }
+        skb_reserve(txb->fragments[0], ieee->tx_headroom);
+        txb->encrypted=0;
+        txb->payload_size=count;
+        skb_frag = txb->fragments[0];
+        newbuf=skb_put(skb_frag, count);
+
+        // copy data into txb->skb and send it
+        memcpy(newbuf, buf, count);
+
+        ipw_tx_skb(priv, txb, 0);
+
+nosepuede:
+        spin_unlock_irqrestore(&priv->lock, flags);
+        return count;
+}
+
+static DEVICE_ATTR(inject, S_IWUSR, NULL, store_inject);
+
 static ssize_t show_channels(struct device *d,
 			     struct device_attribute *attr,
 			     char *buf)
@@ -10512,6 +10568,10 @@ static int ipw_net_set_mac_address(struc
 	mutex_lock(&priv->mutex);
 	priv->config |= CFG_CUSTOM_MAC;
 	memcpy(priv->mac_addr, addr->sa_data, ETH_ALEN);
+
+        if (rtap_iface)
+               memcpy(priv->prom_net_dev->dev_addr, addr->sa_data, ETH_ALEN);
+
 	printk(KERN_INFO "%s: Setting MAC to %s\n",
 	       priv->net_dev->name, print_mac(mac, priv->mac_addr));
 	queue_work(priv->workqueue, &priv->adapter_restart);
@@ -11478,6 +11538,7 @@ static struct attribute *ipw_sysfs_entri
 #ifdef CONFIG_IPW2200_PROMISCUOUS
 	&dev_attr_rtap_iface.attr,
 	&dev_attr_rtap_filter.attr,
+	&dev_attr_inject.attr,
 #endif
 	NULL
 };
--- drivers/net/wireless/ipw2200.h	2008-09-09 19:27:49.000000000 -0400
+++ drivers/net/wireless/ipw2200-new.h	2008-09-27 15:32:23.000000000 -0400
@@ -2007,4 +2007,13 @@ struct ipw_cmd_log {
 
 #define IPW_MAX_CONFIG_RETRIES 10
 
+/*
+ * Hhack to get code compiling on new kernels, the define below
+ * seem to be removed from the linux headers.
+ */
+#ifndef MAC_ARG
+#define MAC_ARG(x) ((u8*)(x))[0],((u8*)(x))[1],((u8*)(x))[2],((u8*)(x))[3],((u8*)(x))[4],((u8*)(x))[5]
+#endif
+
+
 #endif				/* __ipw2200_h__ */

Re: [PATCH] Working packet injection patch for ipw2200 - enables aireplay-ng and others to work

[Paul]

Here is the patch, in text form:

--- drivers/net/wireless/ipw2200.c      2008-09-09 19:27:49.000000000
-0400
+++ drivers/net/wireless/ipw2200-new.c  2008-09-27 15:48:03.000000000
-0400
@@ -179,7 +179,7 @@ static int ipw_queue_reset(struct ipw_pr

 static int ipw_queue_tx_hcmd(struct ipw_priv *priv, int hcmd, void
*buf,
                             int len, int sync);
-
+static int ipw_tx_skb(struct ipw_priv *priv, struct ieee80211_txb
*txb, int pri);
 static void ipw_tx_queue_free(struct ipw_priv *);

 static struct ipw_rx_queue *ipw_rx_queue_alloc(struct ipw_priv *);
@@ -1862,6 +1862,62 @@ static ssize_t store_net_stats(struct de
 static DEVICE_ATTR(net_stats, S_IWUSR | S_IRUGO,
                   show_net_stats, store_net_stats);

+/* SYSFS INJECT */
+static ssize_t store_inject(struct device *d,
+        struct device_attribute *attr,
+        const char *buf, size_t count)
+{
+        struct ipw_priv *priv = (struct ipw_priv *)d->driver_data;
+        struct ieee80211_device *ieee = priv->ieee;
+        struct ieee80211_txb * txb;
+        struct sk_buff *skb_frag;
+        unsigned char * newbuf;
+        unsigned long flags;
+
+        // should test (ieee->is_queue_full)
+
+        // Fw only accepts data, so avoid accidental fw errors.
+        if ( (buf[0]&0x0c) != '\x08') {
+              //printk("ipw2200: inject: discarding non-data frame
(type=%02X)\n",(int)(unsigned char)buf[0]);
+              return count;
+        }
+
+        if (count>1500) {
+              count=1500;
+              printk("ipw2200: inject: cutting down frame to 1500
bytes\n");
+        }
+
+        spin_lock_irqsave(&priv->lock, flags);
+
+        // Create a txb with one skb
+        txb = kmalloc(sizeof(struct ieee80211_txb) + sizeof(u8 *),
GFP_ATOMIC);
+        if (!txb)
+              goto nosepuede;
+        txb->nr_frags=1;
+        txb->frag_size = ieee->tx_headroom;
+        txb->fragments[0]=__dev_alloc_skb(count + ieee->tx_headroom,
GFP_ATOMIC);
+        if (!txb->fragments[0]) {
+              kfree(txb);
+              goto nosepuede;
+        }
+        skb_reserve(txb->fragments[0], ieee->tx_headroom);
+        txb->encrypted=0;
+        txb->payload_size=count;
+        skb_frag = txb->fragments[0];
+        newbuf=skb_put(skb_frag, count);
+
+        // copy data into txb->skb and send it
+        memcpy(newbuf, buf, count);
+
+        ipw_tx_skb(priv, txb, 0);
+
+nosepuede:
+        spin_unlock_irqrestore(&priv->lock, flags);
+        return count;
+}
+
+static DEVICE_ATTR(inject, S_IWUSR, NULL, store_inject);
+
 static ssize_t show_channels(struct device *d,
                             struct device_attribute *attr,
                             char *buf)
@@ -10512,6 +10568,10 @@ static int ipw_net_set_mac_address(struc
        mutex_lock(&priv->mutex);
        priv->config |= CFG_CUSTOM_MAC;
        memcpy(priv->mac_addr, addr->sa_data, ETH_ALEN);
+
+        if (rtap_iface)
+               memcpy(priv->prom_net_dev->dev_addr, addr->sa_data,
ETH_ALEN);
+
        printk(KERN_INFO "%s: Setting MAC to %s\n",
               priv->net_dev->name, print_mac(mac, priv->mac_addr));
        queue_work(priv->workqueue, &priv->adapter_restart);
@@ -11478,6 +11538,7 @@ static struct attribute *ipw_sysfs_entri
 #ifdef CONFIG_IPW2200_PROMISCUOUS
        &dev_attr_rtap_iface.attr,
        &dev_attr_rtap_filter.attr,
+       &dev_attr_inject.attr,
 #endif
        NULL
 };
--- drivers/net/wireless/ipw2200.h      2008-09-09 19:27:49.000000000 -0400
+++ drivers/net/wireless/ipw2200-new.h  2008-09-27 15:32:23.000000000 -0400
@@ -2007,4 +2007,13 @@ struct ipw_cmd_log {

 #define IPW_MAX_CONFIG_RETRIES 10

+/*
+ * Hhack to get code compiling on new kernels, the define below
+ * seem to be removed from the linux headers.
+ */
+#ifndef MAC_ARG
+#define MAC_ARG(x)
((u8*)(x))[0],((u8*)(x))[1],((u8*)(x))[2],((u8*)(x))[3],((u8*)(x))[4],((u8*)(x))[5]
+#endif
+
+
 #endif                         /* __ipw2200_h__ */


On Sat, Sep 27, 2008 at 4:43 PM, Paul <paul14075@gmail.com> wrote:
> I made this patch using bits and pieces from various other "ipw2200
> injection patches".  I can not take credit for the content, as I
> basically just changed the line numbers in the .diff files.  However I
> applied this patch to the version of ipw2200 included in kernel
> 2.6.27-rc6  (i believe it's ipw2200-1.2.2) and it worked like a charm.
>
> Previously I was unable to inject wifi packets using aireplay-ng due
> to this error:
>
> "ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211 or
> ARPHRD_IEEE80211_PRISM instead.  Make sure RFMON is enabled: run
> 'ifconfig wifi0 up; iwconfig wifi0 mode Monitor channel <#>' Sysfs
> injection support was not found either."
>
> However, after switching to Monitor mode, even though aireplay would
> ACT AS IF it was working, it wasn't.
>
> After applying this patch, everything worked great.
>
> I don't see why this patch isnt already included in ipw2200.
>
> Thanks,
> - Paul
>

Re: [PATCH] Working packet injection patch for ipw2200 - enables aireplay-ng and others to work

[Stefanik Gábor]

On Sat, Sep 27, 2008 at 10:45 PM, Paul <paul14075@gmail.com> wrote:
> I made this patch using bits and pieces from various other "ipw2200
> injection patches".  I can not take credit for the content, as I
> basically just changed the line numbers in the .diff files.  However =
I
> applied this patch to the version of ipw2200 included in kernel
> 2.6.27-rc6  (i believe it's ipw2200-1.2.2) and it worked like a charm=
=2E
>
> Previously I was unable to inject wifi packets using aireplay-ng due
> to this error:
>
> "ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211 or
> ARPHRD_IEEE80211_PRISM instead.  Make sure RFMON is enabled: run
> 'ifconfig wifi0 up; iwconfig wifi0 mode Monitor channel <#>' Sysfs
> injection support was not found either."
>
> However, after switching to Monitor mode, even though aireplay would
> ACT AS IF it was working, it wasn't.
>
> After applying this patch, everything worked great.
>
> I don't see why this patch isnt already included in ipw2200.
>
> Thanks,
> - Paul
>

This is not a proper packet injection support patch - it is a rather
dirty hack. Please don't submit such patches to linux-wireless.
Also, when submitting patches, avoid whitespace-damage (the best way
to do this in Gmail is to attach the patch as a file *and* add it
inline, with a warning that the attached version should be applied,
not the inline one) and always include a Signed-off-by: line.

--G=E1bor

--=20
Vista: [V]iruses, [I]ntruders, [S]pyware, [T]rojans and [A]dware. :-)
--
To unsubscribe from this list: send the line "unsubscribe linux-wireles=
s" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Working packet injection patch for ipw2200 - enables aireplay-ng and others to work

[Zhu Yi]

On Sat, 2008-09-27 at 14:45 -0600, Paul wrote:
> I made this patch using bits and pieces from various other "ipw2200
> injection patches".  I can not take credit for the content, as I
> basically just changed the line numbers in the .diff files.  However I
> applied this patch to the version of ipw2200 included in kernel
> 2.6.27-rc6  (i believe it's ipw2200-1.2.2) and it worked like a charm.
> 
> Previously I was unable to inject wifi packets using aireplay-ng due
> to this error:
> 
> "ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211 or
> ARPHRD_IEEE80211_PRISM instead.  Make sure RFMON is enabled: run
> 'ifconfig wifi0 up; iwconfig wifi0 mode Monitor channel <#>' Sysfs
> injection support was not found either."
> 
> However, after switching to Monitor mode, even though aireplay would
> ACT AS IF it was working, it wasn't.

Isn't the rtap_iface does the same thing? Did you try it?

Thanks,
-yi

Re: [PATCH] Working packet injection patch for ipw2200 - enables aireplay-ng and others to work

[Stefanik Gábor]

On Sun, Sep 28, 2008 at 5:15 AM, Zhu Yi <yi.zhu@intel.com> wrote:
> Isn't the rtap_iface does the same thing? Did you try it?
>
> Thanks,
> -yi

AFAIK rtap_iface only gives a receive-only Radiotap monitor interface
- it doesn't support injection.

-- 
Vista: [V]iruses, [I]ntruders, [S]pyware, [T]rojans and [A]dware. :-)

Re: [PATCH] Working packet injection patch for ipw2200 - enables aireplay-ng and others to work

[Paul]

The rtap interface works exactly as it should (allows me to capture
packets whether in managed or monitor mode), but it is still
insufficient for the packet injection feature of aireplay-ng (and >
others) to work.

As I understand it, the ipw2200 will not allow for sending of the
injection packets unless it is in Managed mode.  For whats it worth
the injection packets are typically *raw* [replayed] 802.11 encrypted
data frames containing ARP request packets.  aireplay-ng will listen
on the rtap interface for what it believes to be an encrypted ARP
packet (which it surmises from the length of the frame payload, and
the broadcast wlan address), and then it 'replays" this packet
repeatedly on the eth1 (or wifi) interface.

But in Managed mode, aireplay-ng still does not work, saying:

> "ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211 or
> ARPHRD_IEEE80211_PRISM instead.  Make sure RFMON is enabled: run
> 'ifconfig wifi0 up; iwconfig wifi0 mode Monitor channel <#>' Sysfs
> injection support was not found either."

The error sugegsts going to Monitor mode, but in monitor mode the
injection packets cannot be sent at all, which I understand is a quirk
specific to this particular Intel wifi chipset.  After applying this
patch, the injection packets *can* successfully be sent while in
*managed* mode.

Basically, if I was going to audit my own wifi access point, by trying
to obtain the WEP key without knowing it, I'd do this:

iwconfig eth1 channel <CHANNEL#>
iwconfig eth1 ap <BSSID>
iwconfig eth1 key s:fakekey
iwconfig eth1 mode Managed

This essentially tricks it into going into managed mode, even though I
don't know the WEP key.  At this point, iwconfig reports that I am
associated with the AP.  Next step is to use aireplay-ng to listen on
the rtap interface for an ARP packet, which it then "replays" on the
wifi interface about 300 times a second (in order to generate a lot of
encrypted traffic on the network, which allows one to record many WEP
initialization vectors (IV's) which are then used in heuristic crypto
attacks to obtain the key).

Before applying the patch, the injection would not work, displaying
the above error.  After the patch, it works great.

Thanks,
Paul



> On Sat, Sep 27, 2008 at 11:15 PM, Zhu Yi <yi.zhu@intel.com> wrote:
>> On Sat, 2008-09-27 at 14:45 -0600, Paul wrote:
>>> I made this patch using bits and pieces from various other "ipw2200
>>> injection patches".  I can not take credit for the content, as I
>>> basically just changed the line numbers in the .diff files.  However I
>>> applied this patch to the version of ipw2200 included in kernel
>>> 2.6.27-rc6  (i believe it's ipw2200-1.2.2) and it worked like a charm.
>>>
>>> Previously I was unable to inject wifi packets using aireplay-ng due
>>> to this error:
>>>
>>> "ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211 or
>>> ARPHRD_IEEE80211_PRISM instead.  Make sure RFMON is enabled: run
>>> 'ifconfig wifi0 up; iwconfig wifi0 mode Monitor channel <#>' Sysfs
>>> injection support was not found either."
>>>
>>> However, after switching to Monitor mode, even though aireplay would
>>> ACT AS IF it was working, it wasn't.
>>
>> Isn't the rtap_iface does the same thing? Did you try it?
>>
>> Thanks,
>> -yi
>>
>>
>

Re: [PATCH] Working packet injection patch for ipw2200 - enables aireplay-ng and others to work

[Zhu Yi]

On Sun, 2008-09-28 at 13:28 -0600, Paul wrote:
> The rtap interface works exactly as it should (allows me to capture
> packets whether in managed or monitor mode), but it is still
> insufficient for the packet injection feature of aireplay-ng (and >
> others) to work.
> 
> As I understand it, the ipw2200 will not allow for sending of the
> injection packets unless it is in Managed mode.  For whats it worth
> the injection packets are typically *raw* [replayed] 802.11 encrypted
> data frames containing ARP request packets.  aireplay-ng will listen
> on the rtap interface for what it believes to be an encrypted ARP
> packet (which it surmises from the length of the frame payload, and
> the broadcast wlan address), and then it 'replays" this packet
> repeatedly on the eth1 (or wifi) interface.

The rtap interface does use the managed mode firmware. This is what we
call the promiscuous mode. It allows the STA to receive data frames not
direct to the STA and management frames in this BSS network. So nothing
prevents you to Tx in the rtap interface. But the current driver
implementation makes the Tx handler Rx all the frames (apply filter
also) the stack provides. My suggestion is if you can add an option so
that the prom_net->hard_start_xmit handler could call ipw_tx_skb() to
inject frames.

> But in Managed mode, aireplay-ng still does not work, saying:
> 
> > "ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211 or
> > ARPHRD_IEEE80211_PRISM instead.  Make sure RFMON is enabled: run
> > 'ifconfig wifi0 up; iwconfig wifi0 mode Monitor channel <#>' Sysfs
> > injection support was not found either."
> 
> The error sugegsts going to Monitor mode, but in monitor mode the
> injection packets cannot be sent at all, which I understand is a quirk
> specific to this particular Intel wifi chipset.  After applying this
> patch, the injection packets *can* successfully be sent while in
> *managed* mode.
> 
> Basically, if I was going to audit my own wifi access point, by trying
> to obtain the WEP key without knowing it, I'd do this:
> 
> iwconfig eth1 channel <CHANNEL#>
> iwconfig eth1 ap <BSSID>
> iwconfig eth1 key s:fakekey
> iwconfig eth1 mode Managed
> 
> This essentially tricks it into going into managed mode, even though I
> don't know the WEP key.  At this point, iwconfig reports that I am
> associated with the AP.  Next step is to use aireplay-ng to listen on
> the rtap interface for an ARP packet, which it then "replays" on the
> wifi interface about 300 times a second (in order to generate a lot of
> encrypted traffic on the network, which allows one to record many WEP
> initialization vectors (IV's) which are then used in heuristic crypto
> attacks to obtain the key).
> 
> Before applying the patch, the injection would not work, displaying
> the above error.  After the patch, it works great.

I understand the current ipw2200 driver doesn't support packet
injection. But the sysfs entry in your patch doesn't seem clean to me.
If you can put together a patch to make the rtap interface be able to
inject packets, I'd like to accept it.

Thanks,
-yi

Re: [PATCH] Working packet injection patch for ipw2200 - enables aireplay-ng and others to work

[Johannes Berg]

[-- Attachment #1: Type: text/plain, Size: 403 bytes --]

On Mon, 2008-10-06 at 17:11 +0800, Zhu Yi wrote:

> I understand the current ipw2200 driver doesn't support packet
> injection. But the sysfs entry in your patch doesn't seem clean to me.
> If you can put together a patch to make the rtap interface be able to
> inject packets, I'd like to accept it.

how about making use of cfg80211 to create the monitor interface to
start with?

johannes

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [PATCH] Working packet injection patch for ipw2200 - enables aireplay-ng and others to work

[Zhu Yi]

On Mon, 2008-10-06 at 03:17 -0600, Johannes Berg wrote:
> 
> how about making use of cfg80211 to create the monitor interface to
> start with?

Nice try. It is not a mac80211 based driver. I don't know how much
effort it takes. But it will be great if it works. Maybe we can also
replace ieee80211 with cfg80211 or lib80211 in the future? ;-)

Thanks,
-yi

Re: [PATCH] Working packet injection patch for ipw2200 - enables aireplay-ng and others to work

[Johannes Berg]

[-- Attachment #1: Type: text/plain, Size: 667 bytes --]

On Mon, 2008-10-06 at 17:31 +0800, Zhu Yi wrote:
> On Mon, 2008-10-06 at 03:17 -0600, Johannes Berg wrote:
> > 
> > how about making use of cfg80211 to create the monitor interface to
> > start with?
> 
> Nice try. It is not a mac80211 based driver. 

I know.

> I don't know how much
> effort it takes. But it will be great if it works. 

Well it's surely possible, just register a wiphy and implement the
callbacks you want like mac80211 does in net/mac80211/cfg.c.

> Maybe we can also
> replace ieee80211 with cfg80211 or lib80211 in the future? ;-)

Not really, though internalising ieee80211 into the ipw drivers would be
good.

johannes

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 836 bytes --]