From: Lars Engels
To: Bernhard Schmidt
Cc: freebsd-wireless@freebsd.org
Date: Tue, 7 Feb 2012 09:17:08 +0100
Subject: Re: FreeBSD 9.0 ath driver injection with aireplay_ng returns input/output error in AHDemo and Monitor mode
Message-ID: <20120207081707.GK4776@e-new.0x20.net>
In-Reply-To: <201202062105.33007.bschmidt@freebsd.org>
References: <201202061835.43116.bschmidt@freebsd.org> <201202062105.33007.bschmidt@freebsd.org>

On Mon, Feb 06, 2012 at 09:05:32PM +0100, Bernhard Schmidt wrote:
> On Monday 06 February 2012 20:57:35 Merlin Corey wrote:
> > Hello,
> >
> > On Mon, Feb 6, 2012 at 5:35 PM, Bernhard Schmidt wrote:
> > > On Monday 06 February 2012 15:32:42 Merlin Corey wrote:
> > >> Hello,
> > >>
> > >> Like some a year before me, from a thread two years before me (
> > >> http://forums.freebsd.org/showthread.php?t=10042 ), I am interested in
> > >> making my (pun intended) penultimate pen-testing netbook on my
> > >> favorite operating system, FreeBSD; alas, I am not able to make use of
> > >> the atheros card in said netbook for the purposes of injection.
> > >>
> > >> It is perhaps worth noting that I started this project on FreeBSD
> > >> 8.x, but my card (AR9285 card=0x10891a3b chip=0x002b168c rev=0x01 hdr=0x00)
> > >> was only working at what seemed half power and would constantly
> > >> take itself up/down. I have since updated the system to 9.0-RELEASE
> > >> and experienced what appeared to be fully functioning wireless until
> > >> now.
> > >>
> > >> In the thread linked above, there is a mention of a kernel patch which
> > >> allows writing in monitor mode - I desperately applied this patch
> > >> after finding that the instructions to patch aircrack itself seem to
> > >> have already been applied either in ports or upstream.
> > >>
> > >> Now, I can run airodump just fine, but when I try to do an injection test
> > >> with aireplay in either ahdemo or monitor mode, I simply end up with a
> > >> bunch of "wi_write(): Input/output error" messages.
> > >>
> > >> I am not really sure how to proceed in further debugging this issue;
> > >> should I turn wlandebug on, and if so, which bit is best, or should I
> > >> just throw them all? Perhaps something else entirely?
> > >>
> > >> Is this maybe a problem with my card itself?
> > >>
> > >> Any push in the right direction would be greatly appreciated.
> > >
> > > Can you set a channel and ssid before starting any kind of injection? Something like
> > > ifconfig wlan0 create wlandev ath0 wlanmode ahdemo
> > > ifconfig wlan0 channel 1 ssid foobar up
> > >
> > > If I remember correctly, the interface will otherwise scan
> > > indefinitely trying to find an open network to connect to. Setting
> > > a channel/ssid will ensure that the interface moves into RUN state
> > > (you can verify that with wlandebug +state) which should allow
> > > injection. Trying to do so while in eg. SCAN state is really too
> > > racy due to all the channel changes going on.
> > >
> > > Basically, injection is a real mess currently and neither monitor
> > > nor ahdemo mode are really that well suited for that purpose.
> > > Monitor mode is designed to be totally mute while ahdemo is adhoc
> > > mode without mgmt frames but a lot of unnecessary logic behind it.
> > > Guess we should really think about a new mode specially designed
> > > to handle those needs, or re-enable injection in monitor mode
> > > which would break its initial purpose.. thoughts?
> > >
> > > --
> > > Bernhard
> >
> > As per the directions given to me by Bernhard, I have tested ahdemo
> > and monitor mode injection with wlandebug +states. In short, it seems
> > that indeed ahdemo mode complains about moving from INIT to RUN state
> > unexpectedly, and monitor mode goes back to SCAN state making it not
> > very useful for this purpose given the stated issues with SCAN state.
> >
> > First, the general output of aireplay-ng -9:
> > wi_write(): Input/output error
> > ... repeat last message 28 times ...
> > wi_write(): Input/output error
> > wi_write(): Input/output error
> > 19:34:43 0/30: 0%
> >
> > Finally, below my signature, I have included the /var/log/messages
> > output annotated with comments indicating which shell commands were
> > being run before the messages were output in the form of comments with
> > three hashmarks.
>
> Yeah.. air* does a lot of stuff, not all of it being that useful. It
> might simply be that it resets the device and therefore the
> configuration. I'll have a look tomorrow.

Yup, maybe we can improve aircrack-ng and get some patches upstream?

>
> In the meantime, can you give /usr/src/tools/tools/net80211/wlaninject
> a shot?
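The procedure Bernhard describes in the quoted text (create the vap in ahdemo mode, pin channel and ssid so net80211 moves it to RUN, confirm with wlandebug +state, and only then run the aireplay-ng -9 injection test) scripted as an added example; this is not code from the thread, from aircrack-ng or from FreeBSD. It assumes ath0 as the parent device and wlan0 as the vap (the names Bernhard used), that FreeBSD's ifconfig prints "status: running" once the vap is up and in RUN, and that wlandebug takes "-i <vap>" to select the interface. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. Scripts the vap
# setup Bernhard suggests and refuses to inject until the vap has left SCAN.
# Assumptions (not stated on the page): parent device ath0, vap name wlan0,
# ifconfig printing "status: running" once the vap is in RUN, and wlandebug
# accepting "-i <vap>" to pick the interface.
# Usage: sh inject-setup.sh run        (DRY_RUN=1 only prints the commands)

PARENT=${PARENT:-ath0}
VAP=${VAP:-wlan0}
CHANNEL=${CHANNEL:-1}
SSID=${SSID:-foobar}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Create the vap in ahdemo mode, enable state-transition logging, then set
# channel and ssid in the same step as bringing it up so net80211 goes to
# RUN instead of scanning indefinitely for a network to join.
setup_ahdemo_vap() {
    run ifconfig "$VAP" destroy 2>/dev/null || true
    run ifconfig "$VAP" create wlandev "$PARENT" wlanmode ahdemo
    run wlandebug -i "$VAP" +state     # INIT/SCAN/RUN transitions go to syslog
    run ifconfig "$VAP" channel "$CHANNEL" ssid "$SSID" up
}

# Read ifconfig output on stdin; succeed only if the vap reports running.
vap_is_running() {
    grep -q '^[[:space:]]*status: running'
}

# Poll until the vap reports running or $1 seconds pass (default 10).
# Injecting while the vap is still in SCAN is exactly what the thread says
# is too racy, so nothing is sent before this returns 0.
wait_for_run() {
    secs=${1:-10}
    while [ "$secs" -gt 0 ]; do
        if ifconfig "$VAP" 2>/dev/null | vap_is_running; then
            return 0
        fi
        sleep 1
        secs=$((secs - 1))
    done
    echo "$VAP never reported running; check the wlandebug +state lines in /var/log/messages" >&2
    return 1
}

main() {
    setup_ahdemo_vap
    wait_for_run 10 || exit 1
    run aireplay-ng -9 "$VAP"          # the injection test Merlin ran
}

if [ "${1-}" = run ]; then
    main
fi
```

Run it as `sh inject-setup.sh run`; with DRY_RUN=1 it prints the exact ifconfig/wlandebug/aireplay-ng sequence so it can be compared against what aircrack-ng itself does to the interface, which is the reset Bernhard suspects.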