rt61pci, oops, mac change, dead card

Live forum: http://rt2x00.serialmonkey.com/viewtopic.php?t=4894

Mike123

17-07-2008 02:31:20

My card

Network controller [0280]: RaLink RT2561/RT61 802.11g PCI [1814:0301]

My system

Fedora8, kernel-2.6.25.10-47.fc8

According to the changelog these patches should be in place:
- Upstream wireless fixes from 2008-07-02 (http://marc.info/?l=linux-netdev&m=121503163124089&w=2)
- Upstream wireless updates from 2008-06-30 (http://marc.info/?l=linux-wireless&m=12 ... 315033&w=2)
- Upstream wireless fixes from 2008-06-30 (http://marc.info/?l=linux-wireless&m=12 ... 702728&w=2)
- Upstream wireless updates from 2008-06-27 (http://marc.info/?l=linux-wireless&m=12 ... 930953&w=2)
- Upstream wireless fixes from 2008-06-27 (http://marc.info/?l=linux-wireless&m=12 ... 021061&w=2)
- Upstream wireless fixes from 2008-06-25 (http://marc.info/?l=linux-wireless&m=12 ... 502527&w=2)
- Upstream wireless updates from 2008-06-14 (http://marc.info/?l=linux-netdev&m=121346686508160&w=2)

Problem: Cannot change MAC address in monitor mode

ifconfig wlan0 down
iwconfig wlan0 mode managed
ifconfig wlan0 hw ether 00:11:11:11:11:11
iwconfig wlan0 mode ad-hoc
ifconfig wlan0 hw ether 00:11:11:11:11:11
iwconfig wlan0 mode monitor
ifconfig wlan0 hw ether 00:11:11:11:11:11
SIOCSIFHWADDR: Invalid argument
iwconfig wlan0 mode managed
ifconfig wlan0 hw ether 00:22:22:22:22:22

Problem: 'ifconfig wlan0 down' kills card

After boot, rt61pci is in the down state.
I can change mode to monitor/managed, bring the card up and operate in that mode.
Works fine until I issue 'ifconfig wlan0 down'.
After that the card is dead and needs a reboot.

Problem: oops

Sometimes, when wlan0 is up and I issue 'rmmod rt61pci crc_itu_t rt2x00pci rt2x00lib rfkill input_polldev mac80211 cfg80211 eeprom_93cx6', I get:

phy0 -> rt2x00queue_write_tx_frame: Error - Arrived at non-free entry in the non-full queue 0.
Please file bug report to http://rt2x00.serialmonkey.com.
phy0 -> rt2x00queue_write_tx_frame: Error - Arrived at non-free entry in the non-full queue 0.
Please file bug report to http://rt2x00.serialmonkey.com.
phy0 -> rt2x00queue_write_tx_frame: Error - Arrived at non-free entry in the non-full queue 0.
Please file bug report to http://rt2x00.serialmonkey.com.
phy0 -> rt2x00queue_write_tx_frame: Error - Arrived at non-free entry in the non-full queue 0.
Please file bug report to http://rt2x00.serialmonkey.com.
phy0 -> rt2x00queue_write_tx_frame: Error - Arrived at non-free entry in the non-full queue 0.
Please file bug report to http://rt2x00.serialmonkey.com.
phy0 -> rt2x00queue_write_tx_frame: Error - Arrived at non-free entry in the non-full queue 0.
Please file bug report to http://rt2x00.serialmonkey.com.
------------[ cut here ]------------
WARNING: at net/mac80211/tx.c:1214 ieee80211_master_start_xmit+0x1b6/0x203 [mac80211]() (Tainted: P )
Modules linked in: rt61pci crc_itu_t rt2x00pci rt2x00lib rfkill input_polldev mac80211 cfg80211 eeprom_93cx6 hfsplus sha256_generic aes_i586 aes_generic cbc dm_crypt ipv6 loop dm_multipath snd_emu10k1_synth snd_emux_synth snd_seq_virmidi snd_seq_midi_emul snd_emu10k1 arc4 ecb snd_rawmidi crypto_blkcipher snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_device snd_timer snd_page_alloc snd_util_mem nvidia(P)(U) 8139cp pcspkr snd_hwdep 8139too snd soundcore mii i2c_nforce2 i2c_core button sr_mod cdrom sg joydev dm_snapshot dm_zero dm_mirror dm_mod pata_acpi ata_generic pata_amd libata sd_mod
scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd [last unloaded: eeprom_93cx6]
Pid: 3908, comm: rt61pci Tainted: P 2.6.25.10-47.fc8 #1
[<c0426697>] warn_on_slowpath+0x47/0x57
[<c04271a6>] ? printk+0x15/0x17
[<f8baf386>] ? rt2x00queue_write_tx_frame+0x64/0xeb [rt2x00lib]
[<c05b573c>] ? skb_release_data+0x82/0x87
[<f8bae153>] ? rt2x00mac_tx+0x1f7/0x245 [rt2x00lib]
[<f89bcc6f>] ? __ieee80211_tx+0x16/0xe9 [mac80211]
[<f89bd087>] ieee80211_master_start_xmit+0x1b6/0x203 [mac80211]
[<c05ba5d1>] dev_hard_start_xmit+0x20b/0x268
[<c05c925e>] __qdisc_run+0xa0/0x17a
[<c043965d>] ? enqueue_hrtimer+0xcb/0xd7
[<c05bc89a>] dev_queue_xmit+0x17f/0x281
[<f89b221d>] ieee80211_sta_tx+0x64/0x6c [mac80211]
[<f89b3650>] ieee80211_send_probe_req+0x2e7/0x2ef [mac80211]
[<f89b612b>] ? ieee80211_sta_scan_work+0x0/0x17c [mac80211]
[<f89b627e>] ieee80211_sta_scan_work+0x153/0x17c [mac80211]
[<f89b612b>] ? ieee80211_sta_scan_work+0x0/0x17c [mac80211]
[<c04345e8>] run_workqueue+0x77/0xf9
[<c0434d4e>] ? worker_thread+0x0/0xbf
[<c0434e02>] worker_thread+0xb4/0xbf
[<c0437115>] ? autoremove_wake_function+0x0/0x33
[<c0437041>] kthread+0x3b/0x62
[<c0437006>] ? kthread+0x0/0x62
[<c04067af>] kernel_thread_helper+0x7/0x10
=======================
---[ end trace 15a6ff9a02d5112b ]---

IvD

18-07-2008 16:21:40


> Problem: Cannot change MAC address in monitor mode

And why do you _want_ to change the MAC address in monitor mode?
In monitor mode the MAC address is quite useless...

> Problem: 'ifconfig wlan0 down' kills card

Please be more specific, what behavior falls under 'kills card'?

> Problem: oops
>
> Sometimes, when wlan0 is up and I issue 'rmmod rt61pci crc_itu_t rt2x00pci rt2x00lib rfkill input_polldev mac80211 cfg80211 eeprom_93cx6', I get:
>
> phy0 -> rt2x00queue_write_tx_frame: Error - Arrived at non-free entry in the non-full queue 0.
> Please file bug report to http://rt2x00.serialmonkey.com.

Thanks, I'll look into this.

Mike123

18-07-2008 16:58:52


> > Problem: Cannot change MAC address in monitor mode
>
> And why do you _want_ to change the MAC address in monitor mode?
> In monitor mode the MAC address is quite useless...

Because aireplay-ng is yelling at me that the wlan0 MAC is different from the injected one.
I understand that in monitor mode the user can push any frame to the air,
but I feel that something important might leak.

> > Problem: 'ifconfig wlan0 down' kills card
>
> Please be more specific, what behavior falls under 'kills card'?

Everything :)

I cannot see any packets (no RX):
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
airodump-ng wlan0

or get a list of APs (empty list):
ifconfig wlan0 down
iwconfig wlan0 mode managed
ifconfig wlan0 up
iwlist wlan0 scan

or connect to any network by specifying it via iwconfig.

Issuing rmmod rt61pci; modprobe rt61pci does not solve the above problem.

IvD

18-07-2008 18:07:06

Please enable debugfs, and use the following script:
http://kernel.org/pub/linux/kernel/peop ... regdump.sh

Run this script (and output the contents to a file) when:
* the interface is working
* the interface is back up (but broken)
* the interface is up after rmmod/insmod

Mike123

18-07-2008 19:05:40

> Please enable debugfs, and use the following script:
> http://kernel.org/pub/linux/kernel/peop ... regdump.sh
>
> Run this script (and output the contents to a file) when:
> * the interface is working
> * the interface is back up (but broken)
> * the interface is up after rmmod/insmod

boot
iwconfig wlan0 mode monitor
airodump-ng wlan0 (this brings wlan0 up)

card is working - up_working_monitor_mode.txt

ifconfig wlan0 down
ifconfig wlan0 up
airodump-ng wlan0

no RX - down_up_not_working_monitor_mode.txt

ifconfig wlan0 down
rmmod rt61pci
modprobe rt61pci (this brings the card up in managed mode)
iwlist wlan0 scan

no APs - rmmmod_modprobe_up_not_working_managed_mode.txt

IvD

20-07-2008 18:36:56


> Problem: 'ifconfig wlan0 down' kills card
>
> After boot, rt61pci is in the down state.
> I can change mode to monitor/managed, bring the card up and operate in that mode.
> Works fine until I issue 'ifconfig wlan0 down'.
> After that the card is dead and needs a reboot.

This particular issue should have been fixed in the latest rt2x00.git,
could you please test this?

Mike123

20-07-2008 21:59:07


> This particular issue should have been fixed in the latest rt2x00.git,

commit (link)

> could you please test this?

Yes, sure.
Where can I get a snapshot to build against the Fedora kernel?

IvD

21-07-2008 08:17:57

You can't, you should download/compile/install the rt2x00.git kernel.

Mike123

22-07-2008 13:11:36

> You can't, you should download/compile/install the rt2x00.git kernel.

Sorry, I'm not skilled enough to do this.

> phy0 -> rt2x00queue_write_tx_frame: Error - Arrived at non-free entry in the non-full queue 0.
> Please file bug report to http://rt2x00.serialmonkey.com.

Is it related (link)? Ivo, you are my hero. :)

> > And why do you _want_ to change the MAC address in monitor mode?
> > In monitor mode the MAC address is quite useless...
>
> Because aireplay-ng is yelling at me that the wlan0 MAC is different from the injected one.
> I understand that in monitor mode the user can push any frame to the air,
> but I feel that something important might leak.

From the aircrack-ng page (http://www.aircrack-ng.org/doku.php?id=fake_authentication#setting_mac_address):

> It is good practice to set your card's MAC address to the one you specify via the -h parameter if they are different.
> Having them the same, ensures that wireless ACKs are sent by your card. This means subsequent attacks work smoothly.

Is the above issue related to particular wi-fi drivers?

Zi7

22-07-2008 15:26:54

> > You can't, you should download/compile/install the rt2x00.git kernel.
>
> Sorry, I'm not skilled enough to do this.

It isn't _that_ difficult.
And there are a lot of good tutorials about it on the net (choose one that fits your distro, if available).

> > phy0 -> rt2x00queue_write_tx_frame: Error - Arrived at non-free entry in the non-full queue 0.
> > Please file bug report to http://rt2x00.serialmonkey.com.
>
> Is it related (link)? Ivo, you are my hero. :)

It is indeed addressing this issue. :)
However, it is only available on rt2x00.git so far...

> > > And why do you _want_ to change the MAC address in monitor mode?
> > > In monitor mode the MAC address is quite useless...
> >
> > Because aireplay-ng is yelling at me that the wlan0 MAC is different from the injected one.
> > I understand that in monitor mode the user can push any frame to the air,
> > but I feel that something important might leak.
>
> From the aircrack-ng page (http://www.aircrack-ng.org/doku.php?id=fake_authentication#setting_mac_address):
>
> > It is good practice to set your card's MAC address to the one you specify via the -h parameter if they are different.
> > Having them the same, ensures that wireless ACKs are sent by your card. This means subsequent attacks work smoothly.
>
> Is the above issue related to particular wi-fi drivers?

It probably is; I've never needed it to achieve a successful fake auth with Ralink hardware (admittedly, I was running legacy drivers, but IIRC you can't set the MAC address on legacy either).

IvD

22-07-2008 16:44:36

> > > You can't, you should download/compile/install the rt2x00.git kernel.
> >
> > Sorry, I'm not skilled enough to do this.
>
> It isn't _that_ difficult.
> And there are a lot of good tutorials about it on the net (choose one that fits your distro, if available).
>
> > > phy0 -> rt2x00queue_write_tx_frame: Error - Arrived at non-free entry in the non-full queue 0.
> > > Please file bug report to http://rt2x00.serialmonkey.com.
> >
> > Is it related (link)? Ivo, you are my hero. :)
>
> It is indeed addressing this issue. :)
> However, it is only available on rt2x00.git so far...

Fortunately this means that Fedora will soon have an updated kernel with the patch. That is one of the benefits of having the linux-wireless maintainer also be the Fedora kernel maintainer. ;)

Mike123

14-08-2008 21:13:24

Bump.

My system

Fedora8, kernel-2.6.25.14-69.fc8

Patches up to:
- Upstream wireless updates from 2008-07-14 (http://marc.info/?l=linux-wireless&m=12 ... 000705&w=2)
- Upstream wireless fixes from 2008-07-29 (http://marc.info/?l=linux-wireless&m=12 ... 023195&w=2)

Problem: 'ifconfig wlan0 down' kills card

Rmmod/modprobe resurrects the card, although modprobe brings wlan0 up. How to avoid that?

boot
iwconfig wlan0 mode monitor
airodump-ng wlan0 (this brings wlan0 up)
card is working - take2-up_working_monitor_mode.txt
ifconfig wlan0 down
ifconfig wlan0 up
airodump-ng wlan0
no RX - take2-down_up_not_working_monitor_mode.txt

Is the above issue related to http://git.kernel.org/?p=linux/kernel/g ... d64f85ef3d ?

IvD

14-08-2008 21:25:30

This should be fixed in rt2x00.git.

Mike123

14-08-2008 21:30:30

> This should be fixed in rt2x00.git.

Fixed by this (link) or that (http://git.kernel.org/?p=linux/kernel/git/ivd/rt2x00.git;a=commit;h=2d71dfc9a3e8eddf636d38c6ac6c540d555a4461)?

IvD

14-08-2008 21:39:42

both (one depends on the other)