[FS#723] ath10k fails station mode for QCA986x/988x

LEDE Bugs lede-bugs at lists.infradead.org
Wed Apr 19 09:12:22 PDT 2017 

A new Flyspray task has been opened.  Details are below. 

User who did this - Andrey (Stern) 

Attached to Project - LEDE Project
Summary - ath10k fails station mode for QCA986x/988x
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Medium
Priority - Very Low
Reported Version - lede-17.01
Due in Version - Undecided
Due Date - Undecided
Details - Set-Up:
  * Board: NXP/Freescale Layerscape TWR-LS1021A Router/AP
  * Wireless Network Adapter: Qualcomm Atheros PCI QCA986x/988x 802.11ac
  * OS: LEDE (derivative from OpenWrt) Reboot/SNAPSHOT/r3044-21356a6

----
On host: menuconfig:
  * Kernel modules > Wireless Drivers: kmod-ath10k, kmod-ath, kmod-cfg80211, kmod-mac80211
  * Firmware: ath10k-firmware-qca988x
  * Network: wpad, wpa-cli
  * netifd + ubus + uci

----
On TWR-LS1021A:
Just in order to test if WiFi card is really QCA986x/988x 802.11ac:
root at lede:/# **cat /sys/bus/pci/devices/0000\:01\:00.0/vendor**

0x168c

root at lede:/# **cat /sys/bus/pci/devices/0000\:01\:00.0/device**

0x003c

Google: **PCI 168c 0x003c**
gives QCA986x/988x

----
During the first boot, boot scripts create: /etc/config/wireless with the following contents:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/3400000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'LEDE'
        option encryption 'none'


We remove: option disabled '1' (WiFi is disabled by default → enable it) and reboot.

Boot with USB-serial output:

…
[    6.270954] ath10k_pci 0000:01:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0
[    6.450972] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:01:00.0.bin failed with error -2
[    6.461643] ath10k_pci 0000:01:00.0: Falling back to user helper
[    6.474916] firmware ath10k!pre-cal-pci-0000:01:00.0.bin: firmware_loading_store: map pages failed
[    6.484102] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/cal-pci-0000:01:00.0.bin failed with error -2
[    6.494431] ath10k_pci 0000:01:00.0: Falling back to user helper
[    6.507497] firmware ath10k!cal-pci-0000:01:00.0.bin: firmware_loading_store: map pages failed
[    6.528736] ath10k_pci 0000:01:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043202ff sub 0000:0000
[    6.537986] ath10k_pci 0000:01:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 1
[    6.548737] ath10k_pci 0000:01:00.0: firmware ver 10.2.4-1.0-00016 api 5 features no-p2p,raw-mode,mfp crc32 0c5668f8
[    6.599443] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/board-2.bin failed with error -2
[    6.609853] ath10k_pci 0000:01:00.0: Falling back to user helper
[    6.623269] firmware ath10k!QCA988X!hw2.0!board-2.bin: firmware_loading_store: map pages failed
[    6.632927] ath10k_pci 0000:01:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08
[    7.775018] ath10k_pci 0000:01:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal otp max-sta 128 raw 0 hwcrypto 1
…
[   11.014199] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   11.022336] device wlan0 entered promiscuous mode
[   11.336732] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
…


Remarks:
  * pre-cal/cal-pci error messages are connected to pre-calibration issues, so ignore them
  * board-2.bin error: indeed /lib/firmware/ath10k/QCA988X/hw2.0/ contains only board.bin and firmware-5.bin. we have tried to copy hw2.0/board-2.bin from QCA proprietary driver but then: [    6.590282] ath10k_pci 0000:01:00.0: failed to fetch board data for bus=pci,vendor=168c,device=003c,subsystem-vendor=0000,subsystem-device=0000 from ath10k/QCA988X/hw2.0/board-2.bin

Nevertheless, the driver is correctly started in AP mode:
root at lede:/# **iwconfig**

wlan0     IEEE 802.11  Mode:Master  Tx-Power=20 dBm   
          RTS thr:off   Fragment thr:off
          Power Management:off


root at lede:/# **ifconfig**

wlan0     Link encap:Ethernet  HWaddr 00:0E:8E:59:7D:8F  
          inet6 addr: fe80::20e:8eff:fe59:7d8f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:128 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:15588 (15.2 KiB)


----
Now try to switch to station mode with WPA:
AP: 802.11a, channel 36: 5.18 GHz, SSID: iwl3xxx, Security mode: WPA/PSK, CCMP/AES (WPA/RSN), Password: password

TWR-LS1021A: /etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/3400000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'wlan'
        option mode 'sta'
        option ssid 'iwl3xxx'
        option encryption 'psk'
        option key 'password'

config interface 'wlan'
        option ifname 'default_radio0'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'


root at lede:/# **iwconfig**

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=0 dBm   
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off


It correctly switches to managed mode but no ESSID and no AP are assigned. Direct WPA supplicant employment also fails:

We create WPA config file /a:

country=00
network={
  ssid="iwl3xxx"
  psk="password"
  scan_ssid=1
  key_mgmt=WPA-PSK
  pairwise=CCMP TKIP
  group=CCMP TKIP
}


Start WPA supplicant:
root at lede:/# **wpa_supplicant -c /a -i wlan0 -D nl80211**

Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[ 2736.691425] wlan0: authenticate with 00:18:92:05:b6:ec
[ 2736.702348] wlan0: send auth to 00:18:92:05:b6:ec (try 1/3)
[ 2736.709540] wlan0: authenticated
wlan0: Trying to associate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[ 2736.717183] wlan0: associate with 00:18:92:05:b6:ec (try 1/3)
[ 2736.725522] wlan0: RX AssocResp from 00:18:92:05:b6:ec (capab=0x411 status=0 aid=1)
[ 2736.734827] wlan0: associated
[ 2736.738114] wlan0: deauthenticating from 00:18:92:05:b6:ec by local choice (Reason: 3=DEAUTH_LEAVING)
wlan0: Associated with 00:18:92:05:b6:ec
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:18:92:05:b6:ec reason=3 locally_generated=1
wlan0: WPA: 4-Way Handshake failed - pre-shared key may be incorrect
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="iwl3xxx" auth_failures=1 duration=10 reason=WRONG_KEY


Though the key is correct, the driver delivers WRONG_KEY message. In order to eliminate any security issues, we switch to insecure communication:
AP: 802.11a, channel 36: 5.18 GHz, SSID: iwl3xxx, Security mode: NONE

TWR-LS1021A: WPA config file /a:

country=00
network={
  ssid="iwl3xxx"
  scan_ssid=1
  key_mgmt=NONE
}


Start WPA supplicant:
root at lede:/# **wpa_supplicant -c /a -i wlan0 -D nl80211**

Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[   26.011997] wlan0: authenticate with 00:18:92:05:b6:ec
[   26.069291] wlan0: send auth to 00:18:92:05:b6:ec (try 1/3)
[   26.075992] wlan0: authenticated
wlan0: Trying to associate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[   26.087236] wlan0: associate with 00:18:92:05:b6:ec (try 1/3)
[   26.094140] wlan0: RX AssocResp from 00:18:92:05:b6:ec (capab=0x401 status=0 aid=1)
[   26.103088] wlan0: associated
[   26.106163] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
wlan0: Associated with 00:18:92:05:b6:ec
wlan0: CTRL-EVENT-CONNECTED - Connection to 00:18:92:05:b6:ec completed [id=0 id_str=]
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
[   36.117315] wlan0: deauthenticating from 00:18:92:05:b6:ec by local choice (Reason: 3=DEAUTH_LEAVING)
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:18:92:05:b6:ec reason=3 locally_generated=1


So, WPA supplicant reports: we were authenticated and associated, connection completed. And then we leave WiFi by local choice. WireShark shows that deauthenticate-request comes from from us to access point.

Result: ath10k fails station mode for QCA986x/988x

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=723

More information about the lede-bugs mailing list