RX working but TX not working (regulatory domain unset)

[neilalexander]

So I've tried to set up Owl today on a Linux box and haven't been able to get it to communicate with Macs over AWDL (note that the Macs are not running Owl but are instead using the built-in AWDL driver).

Owl starts normally, reports that it is discovering nearby peers and the awdl0 interface gets created.

If I tcpdump on the awdl0 interface then I can hear packets coming from other nodes, but if I ping to ff02::1%awdl0 (which works between the Macs), the packets are never received by the Macs.

The wireless adapter is a TP-Link Archer T1U using the mt76 DKMS driver.

Arch Linux:

Linux wireless 5.2.10-arch1-1-ARCH #1 SMP PREEMPT Sun Aug 25 18:01:31 UTC 2019 x86_64 GNU/Linux

Device capabilities:

Wiphy phy0
	max # scan SSIDs: 4
	max scan IEs length: 2247 bytes
	max # sched scan SSIDs: 0
	max # match sets: 0
	max # scan plans: 1
	max scan plan interval: -1
	max scan plan iterations: 0
	Retry short limit: 7
	Retry long limit: 4
	Coverage class: 0 (up to 0m)
	Device supports RSN-IBSS.
	Supported Ciphers:
		* WEP40 (00-0f-ac:1)
		* WEP104 (00-0f-ac:5)
		* TKIP (00-0f-ac:2)
		* CCMP-128 (00-0f-ac:4)
		* CCMP-256 (00-0f-ac:10)
		* GCMP-128 (00-0f-ac:8)
		* GCMP-256 (00-0f-ac:9)
		* CMAC (00-0f-ac:6)
		* CMAC-256 (00-0f-ac:13)
		* GMAC-128 (00-0f-ac:11)
		* GMAC-256 (00-0f-ac:12)
	Available Antennas: TX 0x1 RX 0x1
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
		 * mesh point
	Band 2:
		Capabilities: 0x17e
			HT20/HT40
			SM Power Save disabled
			RX Greenfield
			RX HT20 SGI
			RX HT40 SGI
			RX STBC 1-stream
				Max AMSDU length: 3839 bytes
			No DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: 4 usec (0x05)
		HT TX/RX MCS rate indexes supported: 0-7
		VHT Capabilities (0x31800120):
			Max MPDU length: 3895
			Supported Channel Width: neither 160 nor 80+80
			short GI (80 MHz)
			RX antenna pattern consistency
			TX antenna pattern consistency
		VHT RX MCS set:
			1 streams: MCS 0-7
			2 streams: not supported
			3 streams: not supported
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT RX highest supported: 0 Mbps
		VHT TX MCS set:
			1 streams: MCS 0-7
			2 streams: not supported
			3 streams: not supported
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT TX highest supported: 0 Mbps
		Bitrates (non-HT):
			* 6.0 Mbps
			* 9.0 Mbps
			* 12.0 Mbps
			* 18.0 Mbps
			* 24.0 Mbps
			* 36.0 Mbps
			* 48.0 Mbps
			* 54.0 Mbps
		Frequencies:
			* 5180 MHz [36] (16.0 dBm) (no IR)
			* 5200 MHz [40] (16.0 dBm) (no IR)
			* 5220 MHz [44] (16.0 dBm) (no IR)
			* 5240 MHz [48] (16.0 dBm) (no IR)
			* 5260 MHz [52] (16.0 dBm) (no IR, radar detection)
			* 5280 MHz [56] (16.0 dBm) (no IR, radar detection)
			* 5300 MHz [60] (16.0 dBm) (no IR, radar detection)
			* 5320 MHz [64] (16.0 dBm) (no IR, radar detection)
			* 5500 MHz [100] (16.0 dBm) (no IR, radar detection)
			* 5520 MHz [104] (16.0 dBm) (no IR, radar detection)
			* 5540 MHz [108] (16.0 dBm) (no IR, radar detection)
			* 5560 MHz [112] (16.0 dBm) (no IR, radar detection)
			* 5580 MHz [116] (16.0 dBm) (no IR, radar detection)
			* 5600 MHz [120] (16.0 dBm) (no IR, radar detection)
			* 5620 MHz [124] (16.0 dBm) (no IR, radar detection)
			* 5640 MHz [128] (16.0 dBm) (no IR, radar detection)
			* 5660 MHz [132] (16.0 dBm) (no IR, radar detection)
			* 5680 MHz [136] (16.0 dBm) (no IR, radar detection)
			* 5700 MHz [140] (16.0 dBm) (no IR, radar detection)
			* 5745 MHz [149] (16.0 dBm) (no IR)
			* 5765 MHz [153] (16.0 dBm) (no IR)
			* 5785 MHz [157] (16.0 dBm) (no IR)
			* 5805 MHz [161] (16.0 dBm) (no IR)
			* 5825 MHz [165] (16.0 dBm) (no IR)
	Supported commands:
		 * new_interface
		 * set_interface
		 * new_key
		 * start_ap
		 * new_station
		 * new_mpath
		 * set_mesh_config
		 * set_bss
		 * authenticate
		 * associate
		 * deauthenticate
		 * disassociate
		 * join_ibss
		 * join_mesh
		 * set_tx_bitrate_mask
		 * frame
		 * frame_wait_cancel
		 * set_wiphy_netns
		 * set_channel
		 * set_wds_peer
		 * probe_client
		 * set_noack_map
		 * register_beacons
		 * start_p2p_device
		 * set_mcast_rate
		 * connect
		 * disconnect
		 * set_qos_map
		 * set_multicast_to_unicast
	Supported TX frame types:
		 * IBSS: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * mesh point: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * P2P-client: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * P2P-GO: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * P2P-device: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
	Supported RX frame types:
		 * IBSS: 0x40 0xb0 0xc0 0xd0
		 * managed: 0x40 0xd0
		 * AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
		 * AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
		 * mesh point: 0xb0 0xc0 0xd0
		 * P2P-client: 0x40 0xd0
		 * P2P-GO: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
		 * P2P-device: 0x40 0xd0
	software interface modes (can always be added):
		 * AP/VLAN
		 * monitor
	valid interface combinations:
		 * #{ IBSS } <= 1, #{ managed, AP, mesh point } <= 2,
		   total <= 2, #channels <= 1, STA/AP BI must match
	HT Capability overrides:
		 * MCS: ff ff ff ff ff ff ff ff ff ff
		 * maximum A-MSDU length
		 * supported channel width
		 * short GI for 40 MHz
		 * max A-MPDU length exponent
		 * min MPDU start spacing
	Device supports TX status socket option.
	Device supports HT-IBSS.
	Device supports SAE with AUTHENTICATE command
	Device supports low priority scan.
	Device supports scan flush.
	Device supports AP scan.
	Device supports per-vif TX power setting
	Driver supports full state transitions for AP/GO clients
	Driver supports a userspace MPM
	Device supports active monitor (which will ACK incoming frames)
	Device supports configuring vdev MAC-addr on create.
	Supported extended features:
		* [ VHT_IBSS ]: VHT-IBSS
		* [ RRM ]: RRM
		* [ FILS_STA ]: STA FILS (Fast Initial Link Setup)
		* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
		* [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
		* [ TXQS ]: FQ-CoDel-enabled intermediate TXQs

The device does get put into monitor mode:

wlan0     IEEE 802.11  Mode:Monitor  Frequency:5.22 GHz  Tx-Power=16 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

With debugging enabled, I see entries like this:

17:05:31 INFO : WLAN device: wlan0 (addr aa:aa:aa:aa:aa:aa)
17:05:31 INFO : Host device: awdl0
17:05:31 DEBUG: switch channel to 6 (slot 0)
17:05:31 DEBUG: peer bb:bb:bb:bb:bb:bb () changed channel sequence to 44,44,44,0,0,0,0,0,6,44,44,0,0,0,0,0
17:05:31 INFO : add peer bb:bb:bb:bb:bb:bb (Neils-iMac)
17:05:32 DEBUG: new election tree: aa:aa:aa:aa:aa:aa -> bb:bb:bb:bb:bb:bb -> cc:cc:cc:cc:cc:cc (met 521, ctr 249895)
17:05:34 DEBUG: peer bb:bb:bb:bb:bb:bb (Neils-iMac) changed channel sequence to 44,44,44,44,44,44,0,0,6,44,44,44,44,44,0,0
17:05:36 DEBUG: peer bb:bb:bb:bb:bb:bb (Neils-iMac) changed channel sequence to 44,44,44,0,0,0,0,0,6,44,44,0,0,0,0,0
17:05:43 DEBUG: peer bb:bb:bb:bb:bb:bb (Neils-iMac) changed channel sequence to 44,44,44,44,44,44,0,0,6,44,44,44,44,44,0,0

The behaviour is much the same if I supply -c 6 or -c 44 and supplying -N seems to make no difference either.

I'm not sure if this is a driver issue or if there is something I can do to debug this further?

[schmittner]

I suspect that there might be a problem in the handling of multicast frames. I've just pushed a fix that should prevent frames from getting stuck in the TX queue. Let me know if that helped.

[neilalexander]

Sadly this doesn't appear to have helped. The behaviour looks to be the same regardless of whether it's a multicast ping or a link-local unicast ping.

[schmittner]

Then let's first check if frame injection works at all: run ndp -an on the iMac and see if wlan0's MAC address appears there. Best use -c 44.

[neilalexander]

It looks like not, since the Mac is never learning about Owl looking at ndp -an. Same with -c 6 and -c 44.

Similarly, doing something like sudo tcpdump -ni awdl0 ip6 host fe80::aaaa:aaaa:aaaa:aaaa or ether host aa:aa:aa:aa:aa:aa on the Mac with the MAC address and link-local IPv6 of the Owl host isn't showing any traffic either.

[schmittner]

Can you also run wireshark on the Wi-Fi interface in monitor mode? Make sure to set the correct channel.

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -z
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -c 44

[neilalexander]

Not seeing anything either - I used Wireless Diagnostics on the Mac to sniff on channel 4 in both 20MHz and 40MHz mode for a bit, while restarting Owl and running ping6 on the Linux side.

When opening both captures in Wireshark, I see lots of wireless traffic from nearby but absolutely nothing originating from the Owl MAC when filtering, e.g. using eth.addr == aa:aa:aa:aa:aa:aa.

Looks decidedly like the frame injection isn't actually happening at all.

[schmittner]

Might just not be supported, probably should ask the mt76 folks.

[neilalexander]

I've opened an issue with the mt76 guys, they seem to think that active frame injection is indeed supported so not really sure what is going on. They suggested downgrading to an older kernel before some radiotap header changes were made but that doesn't seem to have made any difference.

In the meantime, I ran a tcpdump on the wireless interface while Owl was running and captured the radio packets and then opened the capture in Wireshark 3.0.3. It does look like packets that are sent into awdl0 are being sent from Owl to the wlan0 wireless interface correctly and I see master indication/periodic sync and even my ICMPv6 pings originating from the Linux host (in addition to various other nearby Apple devices chattering away).

So this would firmly imply that the problem lies within the wireless driver if these packets never make it onto the air?

[schmittner]

Yes, that would imply that the wireless driver/card does not send out the frames. Might also be that the driver does not like the radiotap headers created by owl (openwrt/mt76#310). I just updated the code according to https://www.kernel.org/doc/Documentation/networking/mac80211-injection.txt and reduced the injection rate (even though they should have been fine before).

owl/src/tx.c

Lines 297 to 319 in d16adec

	int ieee80211_init_radiotap_header(uint8_t *buf) {
	/*
	* TX radiotap headers and mac80211
	* https://www.kernel.org/doc/Documentation/networking/mac80211-injection.txt
	*/
	struct ieee80211_radiotap_header *hdr = (struct ieee80211_radiotap_header *) buf;
	uint8_t *ptr = buf + sizeof(struct ieee80211_radiotap_header);
	uint32_t present = 0;
	hdr->it_version = 0;
	hdr->it_pad = 0;
	/* TODO Adjust PHY parameters based on receiver capabilities */
	present |= ieee80211_radiotap_type_to_mask(IEEE80211_RADIOTAP_RATE);
	*ptr = htole16(ieee80211_radiotap_rate_to_val(12));
	ptr += sizeof(uint8_t);
	hdr->it_len = htole16((uint16_t) (ptr - buf));
	hdr->it_present = htole32(present);
	return ptr - buf;
	}

[neilalexander]

Just tried d16adec, which does look like it makes sense as I am seeing AWDL frames from real Macs being received at 12Mb/s, but that doesn't seem to have resolved the problem either.

I'll keep on with the driver guys and see if they can provide some insight. It might be a simple fix in mt76 with any luck.

[magicxyyz]

Hi,
Isn't it an issue with (no IR) near the channel 44 in iw list?
When I was trying owl, any time I had regulatory domain unset (global regulatory domain), I had no IR on some channels and the packet injection did not work.

According to commit message from linux-wireless:

NO-IR means you can't initiate radiation, it doesn't mean they are disabled. The NO-IR flag then means you cannot use modes of operation that require you to initiate radiation first...

You can try iw reg get to see the reg domain set, than iw reg set <two letter iso country code> to set it.
Look here for more on similar issue with no IR

Hope it helps

[schmittner]

I don‘t think that this is the problem here as it persists with channel 6 which does not have any restrictions in any reg dom as far as I know.

[neilalexander]

It hadn't even occurred to me to check the regulatory domain — it was indeed unset. I did try setting the regulatory domain and that seems to have removed the No IR next to the 5GHz channels, but I haven't been able to put another machine into monitor mode yet to test if the frames are actually transmitted now. I'll do that later today.

I am also wondering whether the 2.4GHz bands not being listed under iw list is also not helping matters?

[neilalexander]

OK, so setting the regulatory domain does indeed fix the TX problem for channels 44 and 149. I can run Wireshark on another machine and see those frames hitting the air.

Nothing on channel 6, however. Since iw list doesn't report 2.4GHz band availability on the card, I am guessing this is to be expected.

However, I can at least exchange pings between a Mac and a Linux OWL host over the awdl0 interface now when running with -c 44.

[neilalexander]

Additionally, it seems nl80211 has the following nl80211_frequency_attr properties: NL80211_FREQUENCY_ATTR_DISABLED and NL80211_FREQUENCY_ATTR_NO_IR.

It would perhaps be a good idea for OWL to check the usability of configured frequencies at startup and print some kind of warning if they are not available due to regulatory restrictions. 😄