[FS#723] ath10k fails station mode for QCA986x/988x
LEDE Bugs
lede-bugs at lists.infradead.org
Wed Apr 19 09:12:22 PDT 2017
A new Flyspray task has been opened. Details are below.
User who did this - Andrey (Stern)
Attached to Project - LEDE Project
Summary - ath10k fails station mode for QCA986x/988x
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To -
Operating System - All
Severity - Medium
Priority - Very Low
Reported Version - lede-17.01
Due in Version - Undecided
Due Date - Undecided
Details - Set-Up:
* Board: NXP/Freescale Layerscape TWR-LS1021A Router/AP
* Wireless Network Adapter: Qualcomm Atheros PCI QCA986x/988x 802.11ac
* OS: LEDE (derivative from OpenWrt) Reboot/SNAPSHOT/r3044-21356a6
----
On host: menuconfig:
* Kernel modules > Wireless Drivers: kmod-ath10k, kmod-ath, kmod-cfg80211, kmod-mac80211
* Firmware: ath10k-firmware-qca988x
* Network: wpad, wpa-cli
* netifd + ubus + uci
----
On TWR-LS1021A:
Just in order to test if WiFi card is really QCA986x/988x 802.11ac:
root at lede:/# **cat /sys/bus/pci/devices/0000\:01\:00.0/vendor**
0x168c
root at lede:/# **cat /sys/bus/pci/devices/0000\:01\:00.0/device**
0x003c
Google: **PCI 168c 0x003c**
gives QCA986x/988x
----
During the first boot, boot scripts create: /etc/config/wireless with the following contents:
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'soc/3400000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'VHT80'
option disabled '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'LEDE'
option encryption 'none'
We remove: option disabled '1' (WiFi is disabled by default → enable it) and reboot.
Boot with USB-serial output:
…
[ 6.270954] ath10k_pci 0000:01:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0
[ 6.450972] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:01:00.0.bin failed with error -2
[ 6.461643] ath10k_pci 0000:01:00.0: Falling back to user helper
[ 6.474916] firmware ath10k!pre-cal-pci-0000:01:00.0.bin: firmware_loading_store: map pages failed
[ 6.484102] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/cal-pci-0000:01:00.0.bin failed with error -2
[ 6.494431] ath10k_pci 0000:01:00.0: Falling back to user helper
[ 6.507497] firmware ath10k!cal-pci-0000:01:00.0.bin: firmware_loading_store: map pages failed
[ 6.528736] ath10k_pci 0000:01:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043202ff sub 0000:0000
[ 6.537986] ath10k_pci 0000:01:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 1
[ 6.548737] ath10k_pci 0000:01:00.0: firmware ver 10.2.4-1.0-00016 api 5 features no-p2p,raw-mode,mfp crc32 0c5668f8
[ 6.599443] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/board-2.bin failed with error -2
[ 6.609853] ath10k_pci 0000:01:00.0: Falling back to user helper
[ 6.623269] firmware ath10k!QCA988X!hw2.0!board-2.bin: firmware_loading_store: map pages failed
[ 6.632927] ath10k_pci 0000:01:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08
[ 7.775018] ath10k_pci 0000:01:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal otp max-sta 128 raw 0 hwcrypto 1
…
[ 11.014199] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 11.022336] device wlan0 entered promiscuous mode
[ 11.336732] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
…
Remarks:
* pre-cal/cal-pci error messages are connected to pre-calibration issues, so ignore them
* board-2.bin error: indeed /lib/firmware/ath10k/QCA988X/hw2.0/ contains only board.bin and firmware-5.bin. we have tried to copy hw2.0/board-2.bin from QCA proprietary driver but then: [ 6.590282] ath10k_pci 0000:01:00.0: failed to fetch board data for bus=pci,vendor=168c,device=003c,subsystem-vendor=0000,subsystem-device=0000 from ath10k/QCA988X/hw2.0/board-2.bin
Nevertheless, the driver is correctly started in AP mode:
root at lede:/# **iwconfig**
wlan0 IEEE 802.11 Mode:Master Tx-Power=20 dBm
RTS thr:off Fragment thr:off
Power Management:off
root at lede:/# **ifconfig**
wlan0 Link encap:Ethernet HWaddr 00:0E:8E:59:7D:8F
inet6 addr: fe80::20e:8eff:fe59:7d8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:128 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:15588 (15.2 KiB)
----
Now try to switch to station mode with WPA:
AP: 802.11a, channel 36: 5.18 GHz, SSID: iwl3xxx, Security mode: WPA/PSK, CCMP/AES (WPA/RSN), Password: password
TWR-LS1021A: /etc/config/wireless:
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'soc/3400000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'wlan'
option mode 'sta'
option ssid 'iwl3xxx'
option encryption 'psk'
option key 'password'
config interface 'wlan'
option ifname 'default_radio0'
option proto 'static'
option ipaddr '192.168.0.2'
option netmask '255.255.255.0'
root at lede:/# **iwconfig**
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=0 dBm
RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
It correctly switches to managed mode but no ESSID and no AP are assigned. Direct WPA supplicant employment also fails:
We create WPA config file /a:
country=00
network={
ssid="iwl3xxx"
psk="password"
scan_ssid=1
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP
}
Start WPA supplicant:
root at lede:/# **wpa_supplicant -c /a -i wlan0 -D nl80211**
Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[ 2736.691425] wlan0: authenticate with 00:18:92:05:b6:ec
[ 2736.702348] wlan0: send auth to 00:18:92:05:b6:ec (try 1/3)
[ 2736.709540] wlan0: authenticated
wlan0: Trying to associate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[ 2736.717183] wlan0: associate with 00:18:92:05:b6:ec (try 1/3)
[ 2736.725522] wlan0: RX AssocResp from 00:18:92:05:b6:ec (capab=0x411 status=0 aid=1)
[ 2736.734827] wlan0: associated
[ 2736.738114] wlan0: deauthenticating from 00:18:92:05:b6:ec by local choice (Reason: 3=DEAUTH_LEAVING)
wlan0: Associated with 00:18:92:05:b6:ec
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:18:92:05:b6:ec reason=3 locally_generated=1
wlan0: WPA: 4-Way Handshake failed - pre-shared key may be incorrect
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="iwl3xxx" auth_failures=1 duration=10 reason=WRONG_KEY
Though the key is correct, the driver delivers WRONG_KEY message. In order to eliminate any security issues, we switch to insecure communication:
AP: 802.11a, channel 36: 5.18 GHz, SSID: iwl3xxx, Security mode: NONE
TWR-LS1021A: WPA config file /a:
country=00
network={
ssid="iwl3xxx"
scan_ssid=1
key_mgmt=NONE
}
Start WPA supplicant:
root at lede:/# **wpa_supplicant -c /a -i wlan0 -D nl80211**
Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[ 26.011997] wlan0: authenticate with 00:18:92:05:b6:ec
[ 26.069291] wlan0: send auth to 00:18:92:05:b6:ec (try 1/3)
[ 26.075992] wlan0: authenticated
wlan0: Trying to associate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[ 26.087236] wlan0: associate with 00:18:92:05:b6:ec (try 1/3)
[ 26.094140] wlan0: RX AssocResp from 00:18:92:05:b6:ec (capab=0x401 status=0 aid=1)
[ 26.103088] wlan0: associated
[ 26.106163] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
wlan0: Associated with 00:18:92:05:b6:ec
wlan0: CTRL-EVENT-CONNECTED - Connection to 00:18:92:05:b6:ec completed [id=0 id_str=]
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
[ 36.117315] wlan0: deauthenticating from 00:18:92:05:b6:ec by local choice (Reason: 3=DEAUTH_LEAVING)
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:18:92:05:b6:ec reason=3 locally_generated=1
So, WPA supplicant reports: we were authenticated and associated, connection completed. And then we leave WiFi by local choice. WireShark shows that deauthenticate-request comes from from us to access point.
Result: ath10k fails station mode for QCA986x/988x
More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=723
More information about the lede-bugs
mailing list