RTL8814AU: align TX descriptor with aircrack-ng monitor-injection format#54
Merged
Conversation
josephnef
force-pushed
the
8814-tx-descriptor-align
branch
from
8959073 to
9c63d8a
Compare
In RtlJaguarDevice::send_packet the SET_TX_DESC_*_8812 macros are
bit-identical to the SET_TX_DESC_*_8814A macros (verified against
hal/rtl8814a_xmit.h), so devourer can keep using the 8812 macro set
on 8814A. But a usbmon byte-diff against a working VM-passthrough
88XXau monitor-injection session (qemu USB-host-passthrough → VM
kernel 88XXau → bulk-OUT URBs back through host xhci) shows three
field-value mismatches on 8814A:
Dword 0 bit 31 — 8812 calls it OWN, 8814A calls it DISQSELSEQ.
88XXau leaves bit 31 = 0 for monitor-injected frames; devourer's
SET_TX_DESC_OWN_8812(..., 1) sets it to 1, which on 8814A means
DISQSELSEQ=1 (disable queue-select-based sequence numbering).
Dword 2 bits 24-29 (GID) — 88XXau leaves at 0 for injection;
devourer writes 0x3F.
Dword 4 bits 18-23 (DATA_RETRY_LIMIT) — 88XXau leaves at 0 for
injection; devourer writes 12 (RETRY_LIMIT_ENABLE stays 1 in both).
Skip those writes on 8814A so the emitted descriptor byte-matches
aircrack-ng's reference monitor-injection format. Add a
DEVOURER_TX_LEGACY_8812_DESC=1 env-gate to restore the old behaviour
without rebuilding, in case anything downstream depends on it.
This does NOT resolve #50 (8814AU on-air silence has a separate root
cause that vendor-control-write replay cannot reach — both sessions on
2026-05-26 ruled out 9 distinct hypotheses including a binary
URB-flag diff, see comment-4546974748). The change is purely about
descriptor correctness — aligning devourer's TX descriptor format
with the byte-level reference that the working kernel driver produces.
8812AU and 8821AU paths are bit-for-bit identical to current master
(is_8814a is false there and all writes fire as before). Smoke-tested
on the live bench:
8812AU: 760 submits / 760 complete / 0 fail
8814AU (new): 3572 submits / 3572 complete / 0 fail (vs current
master's behaviour, which is identical at libusb level
because devourer's descriptor differences from 88XXau
are no-ops at the bulk-OUT path post-PR-#49)
8814AU (DEVOURER_TX_LEGACY_8812_DESC=1): same as without env
Refs #50 (partial — descriptor alignment only, not the on-air gate).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
josephnef
force-pushed
the
8814-tx-descriptor-align
branch
from
9c63d8a to
83ca75b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SET_TX_DESC_*_8812macros are bit-identical toSET_TX_DESC_*_8814A(verified againsthal/rtl8814a_xmit.h), so devourer can keep using the 8812 macro set on 8814A. But a usbmon byte-diff against a working VM-passthrough 88XXau monitor-injection session surfaced three field-value mismatches on the 8814A path. Each represents devourer writing a value that 88XXau leaves at zero for monitor-injected frames:OWN, 8814A calls itDISQSELSEQ. 88XXau leaves it 0 for monitor injection; devourer'sSET_TX_DESC_OWN_8812(..., 1)sets it to 1, which on 8814A means disable queue-select-based sequence numbering.GID) — 88XXau leaves at 0 for injection; devourer writes0x3F.DATA_RETRY_LIMIT) — 88XXau leaves at 0 for injection; devourer writes 12. (RETRY_LIMIT_ENABLEstays 1 in both.)ICType == CHIP_8814A. New env gateDEVOURER_TX_LEGACY_8812_DESC=1restores the old descriptor for emergency rollback without rebuilding.Scope
is_8814ais false there and all writes fire as before).Test plan
WiFiDriverTxDemo: 760 submits / 760 complete / 0 fail (no regression — different code path).WiFiDriverTxDemo(new descriptor): 3572 submits / 3572 complete / 0 fail.DEVOURER_TX_LEGACY_8812_DESC=1: matches current master's behaviour.<cstdlib>is portable, no platform-specific guards changed.Refs #50 (partial — descriptor alignment only).
🤖 Generated with Claude Code