Scanning problem for hidden SSIDs

Holger Schurig hs4233 at mail.mn-solutions.de
Thu Jun 21 11:14:26 EDT 2007


> Please note that in the 0x0006 command above there was just an
> SSID TLV and a CHANLIST TLV, but no OPRATES TLV. On page 139
> of the v5.1 firmware spec, they wrote that the manual for
> v5.1 made the OPRATES TLV optional. So I guess for an older
> firmware it was mandatory.
>
> So I guess I have an angle of attack :-)

This turned out to be true. I hand-crafted a SCAN_CMD and sent it
down; the CF card did an active probe and got a result:

libertas enter: DownloadcommandToStation():944
libertas cmd: DNLD_CMD: before download, size 54
libertas cmd: DNLD_CMD: sent command 0x0006, jiffies 4294909826
libertas CMD: 06 00 36 00 0d 00 00 00 03 00 00 00 00 00 00 00
libertas CMD: 00 06 00 4d 4e 54 45 53 54 01 01 07 00 00 01 00
libertas CMD: 00 00 64 00 01 00 0e 00 82 84 8b 96 0c 12 18 24
libertas CMD: 30 48 60 6c 00 00

This is just scanning on channel 1 (where the AP is).

libertas leave: DownloadcommandToStation():1009, ret 0
libertas leave: libertas_execute_next_command():1764
libertas enter: libertas_process_rx_command():743
libertas cmd: CMD_RESP: 0x8006 result: 0 length: 116, jiffies 4294909855
libertas CMD_RESP: 06 80 6c 00 0d 00 00 00 61 00 01 5f 00 00 1b 53
libertas CMD_RESP: 11 e2 b0 1c ed ba fb 0a 00 00 00 00 64 00 11 00
libertas CMD_RESP: 00 06 4d 4e 54 45 53 54 01 04 82 84 8b 96 03 01
libertas CMD_RESP: 01 2a 01 00 96 06 00 40 96 00 0a 00 dd 06 00 40
libertas CMD_RESP: 96 01 01 00 dd 05 00 40 96 03 04 dd 05 00 40 96
libertas CMD_RESP: 0b 01 dd 18 00 50 f2 02 01 01 81 00 03 a5 00 00
libertas CMD_RESP: 27 a5 00 00 42 54 5e 00 62 43 2f 00 00 00 00 00
libertas CMD_RESP: 00 00 00 00

So I got something back.

libertas enter: libertas_ret_80211_scan():1949
libertas scan: SCAN_RESP: bssdescriptsize 97
libertas scan: SCAN_RESP: returned 1 AP before parsing
libertas enter: wlan_ret_802_11_scan_get_tlv_ptrs():1071
libertas scan: SCAN_RESP: tlvbufsize = 0
libertas leave: wlan_ret_802_11_scan_get_tlv_ptrs():1101
libertas enter: libertas_process_bss():1128
libertas scan: process_bss: AP BSSID 00:1b:53:11:e2:b0
libertas scan: process_bss: RSSI=1C
libertas scan: process_bss: capabilities = 0x  11
libertas scan: process_bss: AP WEP enabled
libertas scan: process_bss: IE length for this AP = 76
libertas scan: ssid 'MNTEST', ssid length 6

and this actually makes sense :-)
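The two dumps in the message decoded, as an added example (Python, not code from the post or from the libertas driver). The bytes are transcribed from the "libertas CMD:" and "libertas CMD_RESP:" lines; the Marvell TLV numbers (0x0000 SSID, 0x0101 CHANLIST, 0x0001 RATES), the 7-byte channel-list entry, and the BSS-descriptor layout (u16 beacon length, BSSID, RSSI, timestamp, beacon interval, capability, then 802.11 IEs) are assumed from the driver's naming and from the offsets the dump shows, and the decoder checks its results against the values the "process_bss" log lines report. It also flags an empty or all-NUL SSID IE as hidden, which is what a beacon of a hidden network carries and a probe response does not.

```python
import struct

# Byte dumps transcribed from the 'libertas CMD:' / 'libertas CMD_RESP:' lines above.
CMD_HEX = """
06 00 36 00 0d 00 00 00 03 00 00 00 00 00 00 00
00 06 00 4d 4e 54 45 53 54 01 01 07 00 00 01 00
00 00 64 00 01 00 0e 00 82 84 8b 96 0c 12 18 24
30 48 60 6c 00 00
"""
RESP_HEX = """
06 80 6c 00 0d 00 00 00 61 00 01 5f 00 00 1b 53
11 e2 b0 1c ed ba fb 0a 00 00 00 00 64 00 11 00
00 06 4d 4e 54 45 53 54 01 04 82 84 8b 96 03 01
01 2a 01 00 96 06 00 40 96 00 0a 00 dd 06 00 40
96 01 01 00 dd 05 00 40 96 03 04 dd 05 00 40 96
0b 01 dd 18 00 50 f2 02 01 01 81 00 03 a5 00 00
27 a5 00 00 42 54 5e 00 62 43 2f 00 00 00 00 00
00 00 00 00
"""

# Assumed Marvell TLV numbering (driver naming: SSID, RATES, CHANLIST).
TLV_NAMES = {0x0000: "SSID", 0x0001: "RATES", 0x0101: "CHANLIST"}
CAP_PRIVACY = 0x0010  # 802.11 capability bit the driver reports as "WEP enabled"


def unhex(dump):
    return bytes.fromhex("".join(dump.split()))


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_tlvs(buf):
    """Marvell TLV: u16 LE type, u16 LE length, value. Rejects TLVs that overrun the buffer."""
    out, off = [], 0
    while off + 4 <= len(buf):
        t, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("TLV 0x%04x overruns buffer" % t)
        out.append((t, buf[off:off + length]))
        off += length
    return out


def parse_ies(buf):
    """802.11 information elements: u8 id, u8 length, value."""
    ies, off = [], 0
    while off + 2 <= len(buf):
        eid, length = buf[off], buf[off + 1]
        off += 2
        if off + length > len(buf):
            raise ValueError("IE 0x%02x overruns buffer" % eid)
        ies.append((eid, buf[off:off + length]))
        off += length
    return ies


def parse_scan_cmd(buf):
    """Host-to-card SCAN command: 8-byte header, bsstype, bssid, then TLVs."""
    cmd, size, seq, result = struct.unpack_from("<HHHH", buf, 0)
    if size != len(buf):
        raise ValueError("size field %d != buffer length %d" % (size, len(buf)))
    info = {"cmd": cmd, "seq": seq, "result": result,
            "bsstype": buf[8], "bssid": mac(buf[9:15]), "tlvs": {}}
    for t, val in parse_tlvs(buf[15:size]):
        name = TLV_NAMES.get(t, "0x%04x" % t)
        if name == "SSID":
            info["tlvs"][name] = val.decode("ascii", "replace")
        elif name == "CHANLIST":  # assumed 7-byte entries: radio, chan, mode, min, max
            chans = []
            for i in range(0, len(val), 7):
                _radio, chan, mode, tmin, tmax = struct.unpack_from("<BBBHH", val, i)
                chans.append({"channel": chan, "scan_mode": mode, "min_ms": tmin, "max_ms": tmax})
            info["tlvs"][name] = chans
        else:
            info["tlvs"][name] = val.hex()
    return info


def parse_scan_resp(buf):
    """Card-to-host SCAN response: header, u16 bssdescriptsize, u8 nsets, BSS descriptors."""
    cmd, size, seq, result = struct.unpack_from("<HHHH", buf, 0)
    if size > len(buf):
        raise ValueError("size field %d exceeds buffer length %d" % (size, len(buf)))
    bssdescriptsize, nsets = struct.unpack_from("<HB", buf, 8)
    resp = {"cmd": cmd, "seq": seq, "result": result,
            "bssdescriptsize": bssdescriptsize, "aps": []}
    off = 11
    for _ in range(nsets):
        (beacon_len,) = struct.unpack_from("<H", buf, off)
        beacon = buf[off + 2:off + 2 + beacon_len]
        if len(beacon) != beacon_len or beacon_len < 19:
            raise ValueError("truncated BSS descriptor")
        bint, cap = struct.unpack_from("<HH", beacon, 15)
        ies = parse_ies(beacon[19:])
        ssid = next((v.decode("ascii", "replace") for e, v in ies if e == 0), "")
        chan = next((v[0] for e, v in ies if e == 3 and len(v) == 1), None)
        resp["aps"].append({
            "bssid": mac(beacon[0:6]), "rssi": beacon[6],
            "timestamp": struct.unpack_from("<Q", beacon, 7)[0],
            "beacon_int": bint, "capability": cap, "privacy": bool(cap & CAP_PRIVACY),
            "ssid": ssid, "hidden": ssid.strip("\x00") == "",
            "channel": chan, "ies": ies, "ie_len": beacon_len - 19,
        })
        off += 2 + beacon_len
    resp["padding"] = len(buf) - off  # trailing bytes beyond the declared descriptors
    return resp


if __name__ == "__main__":
    print(parse_scan_cmd(unhex(CMD_HEX)))
    for ap in parse_scan_resp(unhex(RESP_HEX))["aps"]:
        print({k: v for k, v in ap.items() if k != "ies"})
```

Run as a script it prints the decoded command (SSID "MNTEST", one channel-list entry for channel 1 with a 100 ms maximum dwell, and a 14-byte rates TLV) and the single AP from the response, matching the BSSID, RSSI 0x1c, capability 0x0011 and IE length 76 that the driver logged.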

More information about the libertas-dev mailing list