Symbol Spectrum24 CF works with Ethereal, AirSnort

Ian Goldberg ian at cypherpunks.ca
Sat Jun 29 09:16:41 EST 2002


On Fri, 2002-06-28 at 17:46, Ian Goldberg wrote:
> On Fri, 2002-06-28 at 12:07, Ian Goldberg wrote:
> > I had done the equivalent thing with the 0.3.3 version of your driver
> > and the orinoco 0.11 patch, and found that it did work, but only for
> > about a minute.  Then it would stop receiving packets for some reason.
> 
> OK, I've started tracking down this problem.
> 
> The packet flow stoppage (hereinafter, "badness") happens more often if
> orinoco_hopper's interval setting is lower.  [orinoco_hopper basically
> does:
> 
> while(1) {
>   iwpriv eth0 monitor 2 $chan
>   usleep(interval)
>   chan = (chan % numchans) + 1
> }
> ]
> 
> My guess is that the badness happens if the iwpriv monitor ioctl happens
> at just the wrong time.  Maybe a locking issue?  I notice that the
> monitor call does orinoco_lock_user() while the interrupt handler for
> packet reception does orinoco_lock().  [This makes sense, of course.]
> These two routines do the right thing if invoked concurrently?
> 
> I also note that the iwpriv monitor ioctl does quite a bit of work,
> including turning on RFMonitor mode, *even* if it was on before, and
> we're just changing the channel.
> 
> I think if I get a bit of time this weekend, I'll do something like make
> "iwpriv eth0 monitor 3 x" set the monitor channel to x by calling
> 
>   hermes_write_wordrec(hw, USER_BAP, HERMES_RID_CNF_CHANNEL, channel);
> 
> and not doing a whole lot of the other work.  [I guess I'll make sure
> that monitor mode is in fact on in the first place.]  Then
> orinoco_hopper could do "iwpriv eth0 monitor 2 1" to begin with, and
> then a bunch of "iwpriv eth0 monitor 3 x"'s.
> 
> If the problem is that the *firmware/chipset* has sensitive timing
> issues involving enabling RFMonitor mode (which I could believe), then
> perhaps just setting the channel and not continually calling
> 
>   hermes_docmd_wait(hw,
>     HERMES_CMD_MONITOR | (HERMES_MONITOR_ENABLE << 8), 0, &resp);
> 
> may prevent the badness from happening.  But this is at this point just
> a guess.  If anyone has any other ideas about this, please let me know.

So it's amazing how much kernel hacking you can get done while
procrastinating.  :-)

The "monitor 3 x" trick worked.  I'm now able to wander around my
neighbourhood with my Zaurus and kismet!  Yay!

Here are some patches.  Start with the version of orinoco.c 0.12 that's
in the spectrum24-0.3.4.  Apply the airsnort orinoco patch at
http://airsnort.shmoo.com/orinoco-0.12-patch.diff.  Apply the attached
patch.

Also apply the attached patch to orinoco_hopper.c [which you can find at
http://airsnort.shmoo.com/orinoco_hopper.c ].

Then in one window run "orinoco_hopper eth0", and in another run
"kismet", and away you go!

   - Ian

-------------- next part --------------
--- spectrum24-0.3.4/orinoco.c	Fri Jun 28 19:08:25 2002
+++ spectrum24-0.3.4-arm/orinoco.c	Fri Jun 28 19:09:12 2002
@@ -3362,9 +3362,9 @@
 	if (err)
 		return err;
 
-	switch (enable)
+	switch (parms[0])
 	{
-	case P80211ENUM_truth_false:
+	case 0:
 		/* Confirm that we're in monitor mode */
 		if ( dev->type == ARPHRD_ETHER ) {
 			result = -EFAULT;
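Review bot: the symbolic values `P80211ENUM_truth_false` / `P80211ENUM_truth_true` that `switch (enable)` dispatched on are replaced by bare `0`, `1`, `2` and `3` on the user-supplied `parms[0]`; give the four sub-commands named constants (for example an enum such as `MONITOR_OFF`, `MONITOR_RAW`, `MONITOR_PRISM`, `MONITOR_SET_CHANNEL`) and a comment above the switch documenting the iwpriv calling convention, since the mode numbers are now part of the interface that orinoco_hopper depends on.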
@@ -3404,7 +3404,8 @@
 		}
 
 		break;
-	case P80211ENUM_truth_true:
+	case 1:
+	case 2:
 		/* Disable the port (if enabled), only check Port 0 */
 		if ( hw->port_enabled[0] ) {
 			/* Save macport 0 state */
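Review bot: `case 1:` and `case 2:` fall into the same tear-down path and nothing in this hunk says how they differ; a one-line comment stating that the two modes differ only in the `dev->type` chosen afterwards (`ARPHRD_IEEE80211_PRISM` versus `ARPHRD_IEEE80211`, per the context in the following hunk) would save the next reader a trip through the whole function.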
@@ -3470,6 +3471,24 @@
 		  dev->type = ARPHRD_IEEE80211_PRISM;
 		else 
 		  dev->type = ARPHRD_IEEE80211;
+		break;
+	case 3:
+		if (dev->type != ARPHRD_IEEE80211_PRISM &&
+			dev->type != ARPHRD_IEEE80211) {
+		    /* We're not in monitor mode right now */
+		    result = -EFAULT;
+		    break;
+		}
+
+		/* Set the channel we want to sniff */
+		if (parms[1] > 0 && parms[1] < 15) {
+ 		  word = parms[1];
+		  result = hermes_write_wordrec(hw, USER_BAP, 
+				  HERMES_RID_CNF_CHANNEL, word);
+		} else {
+ 		  result = -EFAULT;
+		}
+
 		break;
 	default:
 		result = -EFAULT;
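Review bot: `-EFAULT` is the wrong error for both failure branches of the new `case 3:`: EFAULT means a bad user-space pointer, whereas an out-of-range channel is `-EINVAL` and "not in monitor mode" is a state error (`-ENOTCONN` or `-EBUSY` would fit); a caller that prints the errno, as orinoco_hopper's `perror` does, would otherwise report "Bad address" for a mistyped channel number. The range check `parms[1] > 0 && parms[1] < 15` is the right idea, but 15 is a magic number: name the limit (channels 1..14) and consider sharing it with the existing monitor-enable path. Also, the lines `word = parms[1];` and `result = -EFAULT;` carry a stray leading space before the tabs; match the surrounding tab indentation.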
-------------- next part --------------
--- orinoco_hopper.c.orig	Fri Jun  7 20:10:29 2002
+++ orinoco_hopper.c	Fri Jun 28 19:13:03 2002
@@ -41,8 +41,14 @@
 
 void changeChannel(int x) {
    static int chan = 0;
+   int result;
    chan = (chan % max) + 1;
-   setChannel(chan);
+   result = setChannel(chan);
+   if (!result) {
+      fprintf(stderr, "%2d\r", chan);
+   } else {
+      perror("iwpriv");
+   }
 }
 
 int setChannel( unsigned char channel )
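Review bot: `changeChannel()` is installed as the SIGALRM handler (`signal(SIGALRM, changeChannel)` further down), so the added `fprintf(stderr, ...)` and `perror()` run in signal context; neither is async-signal-safe, and if the alarm fires while the main program is inside stdio the handler can deadlock or corrupt the stream. Prefer having the handler only set a `volatile sig_atomic_t` flag and doing the ioctl and the printing from the main loop, or at minimum report with `write(2)` on a preformatted buffer. Separately, `result = setChannel(chan)` now relies on the return value of a function defined below this one; make sure a prototype `int setChannel(unsigned char)` precedes this definition so the compiler does not fall back to an implicit declaration.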
@@ -104,6 +110,11 @@
          usage(argv[0]);
       }
    } 
+
+  //Go to channel 1 in the mode the user selected, then go into
+  //just-change-channel mode.
+  setChannel(1);
+  mode = 3;
 
   //this sets up the kchannel scanning stuff
   signal(SIGALRM, changeChannel);
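Review bot: the return value of `setChannel(1)` is discarded, yet this is the call that actually puts the card into monitor mode; if it fails (an unpatched driver, an interface that is not up) the program still switches `mode = 3`, and every subsequent hop will be refused by the driver's "not in monitor mode" check with nothing but one `perror` line per alarm tick. Check the result here and exit with a clear message. A comment noting that the user-selected `mode` is consumed only by this first call (everything after it is mode 3) would also help, since the global is silently overwritten.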


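The four-way "iwpriv ethX monitor <mode> <chan>" dispatch that the quoted plan describes and the orinoco.c patch above implements, as an added user-space model that is not the list post's code and not the spectrum24/orinoco driver's: it shows the expensive enter-monitor path being taken once and the cheap set-channel path on every hop, with the two checks the patch relies on (monitor mode already on, channel bounded to 1..14). The names struct mon_dev, monitor_ioctl, next_channel and hop_once are hypothetical, chosen for this example; it goes slightly beyond the patch by covering all four modes with an enum and returning conventional errno values instead of bare numbers and -EFAULT.

```c
/* Added example: a user-space model of the monitor ioctl's mode dispatch.
 * Not from the list post or the orinoco driver; all names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum monitor_mode {
    MON_OFF      = 0,   /* leave monitor mode, restore the data port   */
    MON_RAW      = 1,   /* monitor mode, plain 802.11 headers          */
    MON_PRISM    = 2,   /* monitor mode, Prism-style capture header    */
    MON_SET_CHAN = 3,   /* only retune; requires monitor mode already  */
};

#define FIRST_CHANNEL 1
#define LAST_CHANNEL  14   /* 2.4 GHz channels 1..14, the range the patch allows */

/* Hypothetical stand-in for the driver's per-device state. */
struct mon_dev {
    int monitor_on;     /* stands for dev->type being an IEEE80211 type     */
    int prism_header;   /* ARPHRD_IEEE80211_PRISM vs ARPHRD_IEEE80211       */
    int port_enabled;   /* stands for hw->port_enabled[0] in the driver     */
    int channel;        /* value last written to HERMES_RID_CNF_CHANNEL     */
};

/* Model of the ioctl handler: parms[0] is the mode, parms[1] the channel.
 * Returns 0 or a negative errno, as a Linux ioctl handler would. */
int monitor_ioctl(struct mon_dev *d, const int parms[2])
{
    switch (parms[0]) {
    case MON_OFF:
        if (!d->monitor_on)
            return -EINVAL;        /* not in monitor mode: nothing to leave */
        d->monitor_on = 0;
        d->port_enabled = 1;       /* restore the saved data-port state */
        return 0;
    case MON_RAW:
    case MON_PRISM:
        /* The expensive path: tear down the data port, enable RFMonitor
         * in the firmware and tune to the requested channel. */
        if (parms[1] < FIRST_CHANNEL || parms[1] > LAST_CHANNEL)
            return -EINVAL;
        d->port_enabled = 0;
        d->monitor_on = 1;
        d->prism_header = (parms[0] == MON_PRISM);
        d->channel = parms[1];
        return 0;
    case MON_SET_CHAN:
        /* The cheap path the hopper uses: refuse unless monitor mode is
         * already on, bounds-check the user-supplied channel, then write
         * only the channel record. */
        if (!d->monitor_on)
            return -ENOTCONN;
        if (parms[1] < FIRST_CHANNEL || parms[1] > LAST_CHANNEL)
            return -EINVAL;
        d->channel = parms[1];
        return 0;
    default:
        return -EINVAL;            /* unknown sub-command */
    }
}

/* Next channel in the hopper's wrap-around sequence 1..numchans. */
int next_channel(int chan, int numchans)
{
    return (chan % numchans) + 1;
}

/* One hop: advance *chan and issue a MON_SET_CHAN request. This runs in
 * the main loop, not in a signal handler, so it may do I/O freely. */
int hop_once(struct mon_dev *d, int *chan, int numchans)
{
    int parms[2] = { MON_SET_CHAN, next_channel(*chan, numchans) };
    int rc = monitor_ioctl(d, parms);
    if (rc == 0)
        *chan = parms[1];
    return rc;
}

int main(void)
{
    struct mon_dev dev = { 0, 0, 1, 0 };          /* constructed initial state */
    int enter[2] = { MON_PRISM, FIRST_CHANNEL };
    int chan = FIRST_CHANNEL, i, rc;

    /* Enter monitor mode once (the "monitor 2 1" step), then hop cheaply. */
    rc = monitor_ioctl(&dev, enter);
    if (rc) { fprintf(stderr, "monitor: %s\n", strerror(-rc)); return 1; }
    for (i = 0; i < 2 * LAST_CHANNEL; i++) {
        rc = hop_once(&dev, &chan, LAST_CHANNEL);
        printf("%2d%c", dev.channel, rc ? '!' : ' ');
    }
    putchar('\n');
    return 0;
}
```

The split between the two paths is the whole point of the "monitor 3 x" trick: the state change that the firmware is sensitive to happens once, and the per-hop request is reduced to a state check, a bounds check and a single register write.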