Knowledgebase/Digging Into AirOS8: Difference between revisions
Revision as of 6 October 2021, 11:30
As AirOS AC devices don't have a setting to disable AirMAX, I started to dig into the default firmware in the hope of finding a way to disable it. The device examined is an IsoStation AC, so all findings are specific to this device, although it is probably very similar for all AirMAX AC devices.
As of now I have not found a way to disable it, but some of the things I found are interesting nonetheless, so let's get started.
Linux System
After logging in via SSH, the first thing I noticed is the ancient Linux kernel and GCC version of the firmware (the 2.6.32 longterm branch stopped receiving upstream updates in 2016, so any later fixes have to come from the vendor's own backports):

    Linux version 2.6.32.68 (jenkins@1a1f8fa80aab) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.01 unknown) ) #1 Tue Jun 23 16:48:07 EEST 2020
While the firmware seems to be based on OpenWrt, it doesn't really share anything in userspace with OpenWrt (no overlayfs, no UCI, ...). The init system is also very different from OpenWrt's: /etc/init.d is completely empty, all init scripts reside in /etc/sysinit, and they are called by a single entry in /etc/rc.d.
Main Radio
The main radio is a U-AME-G1-BR4A, which according to UBNT is a customized version of the QCA988X v2 with added support for AirMAX hardware acceleration.
When running normal OpenWrt on the device, the radio accepts a normal, unmodified firmware for the QCA988X v2 and just works with the ath10k driver, but without support for AirMAX (sadly).
The driver used by UBNT seems to be a driver built by Atheros that is not the normal ath9k/ath10k driver, as lsmod reports the following (note the "Tainted: P" flag: the whole wireless stack consists of proprietary modules):
    Module                  Size  Used by    Tainted: P
    ebt_redirect             880  0
    ebt_mark                 704  0
    ebt_vlan                1552  0
    ebt_stp                 1840  0
    ebt_pkttype              544  0
    ebt_mark_m               624  0
    ebt_limit               1200  0
    ebt_among               2144  0
    ebt_802_3                704  0
    ebtable_nat              880  0
    ebtable_filter           896  0
    ebtable_broute           720  1
    ebtables               15173  3 ebtable_nat,ebtable_filter,ebtable_broute
    ebt_ip6                 1376  0
    ebt_snat                 864  0
    ebt_dnat                 800  0
    ebt_arpreply            1040  0
    ebt_ip                  1248  0
    ebt_arp                 1552  0
    ubnt_poll_host        150776  2
    ath_dfs              1188829  1
    em_text                 1280  0
    act_ipt                 2400  0
    sch_teql                3696  0
    em_nbyte                 688  0
    sch_red                 3472  0
    cls_basic               3392  0
    sch_gred                6288  0
    em_meta                 4608  0
    em_cmp                   720  0
    sch_dsmark              3584  0
    act_mirred              2176  0
    em_u32                   544  0
    cls_tcindex             4160  0
    cls_flow                5840  0
    cls_route               5072  0
    cls_fw                  3264  0
    sch_hfsc               14160  0
    rssi_leds               2064  0
    umac                 2005522  2 ubnt_poll_host,rssi_leds
    ath_dfs_prescan        22736  0
    ath_dev               221833  3 ath_dfs,umac,ath_dfs_prescan
    ath_spectral           24777  3 umac,ath_dev
    ath_rate_atheros       31174  1 ath_dev
    ath_hal               328906  3 umac,ath_dev,ath_rate_atheros
    asf                     7121  7 ubnt_poll_host,ath_dfs,umac,ath_dfs_prescan,ath_dev,ath_spectral,ath_hal
    adf                    10072  3 umac,ath_dev,ath_hal
    urd                    54448  2 umac,ath_hal
    ip_gre                 11952  0
    pppoe                   8160  0
    pppox                   1370  1 pppoe
    ppp_mppe                5168  0
    ppp_async               6544  0
    ppp_generic            20373  4 pppoe,pppox,ppp_mppe,ppp_async
    slhc                    4971  1 ppp_generic
    nls_base                5102  0
    ar724x_eth             54446  0
    sha1_generic            1392  0
    michael_mic             1552  0
    md5                     1440  0
    hmac                    2272  0
    ecb                     1296  0
    des_generic            18377  0
    arc4                     832  0
    aes_generic            30153  0
    ts_fsm                  2640  0
    ts_bm                   1440  0
    ts_kmp                  1296  0
    crc_ccitt               1003  1 ppp_async
    ubnthal               303371  9 ubnt_poll_host,ath_dfs,rssi_leds,umac,ath_dev,ath_hal,ar724x_eth
While iwconfig seems to sort-of work (wifi0 is the same radio as ath0, and wifi1 is the same radio as airview1, which is replaced by ath1 if the management radio is enabled), the iw tool does not work even though it is installed: the Atheros driver registers no nl80211 interface, only the legacy wireless-extensions ioctls that iwconfig and iwpriv use.

    WA# iwconfig
    lo        no wireless extensions.
    eth0      no wireless extensions.
    gre0      no wireless extensions.
    wifi1     no wireless extensions.
    teql0     no wireless extensions.
    br0       no wireless extensions.
    wifi0     no wireless extensions.
    ath0      IEEE 802.11ac  ESSID:""
              Mode:Managed  Frequency:5.57 GHz  Access Point: Not-Associated
              Bit Rate:0 kb/s   Tx-Power=16 dBm
              RTS thr:off   Fragment thr:off
              Center1-Freq: 5.57 GHz
              Encryption key:off
              Power Management:off
              Link Quality=0/94  Signal level=-96 dBm  Noise level=-96 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0
    airview1  IEEE 802.11na  ESSID:"spectral"
              Mode:Monitor  Frequency:4.92 GHz  Access Point: Not-Associated
              Bit Rate:130 Mb/s   Tx-Power=13 dBm
              RTS thr:off   Fragment thr:off
              Center1-Freq: 4.92 GHz
              Encryption key:off
              Power Management:off
              Link Quality=0/94  Signal level=-96 dBm  Noise level=-105 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0

    WA# iw list
    nl80211 not found.
The main radio is initialized using the following script in /etc/sysinit:

    WA# cat radio.conf
    plugin_start() {
        insmod ath_dfs 1>/dev/null 2>&1 || true
        rmmod ubnt_poll_host 1>/dev/null 2>&1 || true
        echo 0 > /sys/module/umac/parameters/is_ubnt_ptp
        echo 0 > /sys/module/umac/parameters/tgdeb
        echo 1 > /sys/module/umac/parameters/is_ubnt_ff
        echo 0 > /sys/module/umac/parameters/ubnt_op_mode
        iwpriv "wifi0" SetTargetReset 0
        i=0; while [ $i -lt 3 ]; do [ ! -d /sys/class/net/wifi0 ] && break; i=$(($i+1)); sleep 1; done
        i=0; while [ $i -lt 3 ]; do sleep 1; [ -d /sys/class/net/wifi0 ] && break; i=$(($i+1)); done
        insmod ubnt_poll_host 1>/dev/null 2>&1 || true
        iwpriv "wifi0" setCountryID 40
        echo wifi0 0 1 1 > /proc/sys/dev/uph/addradio
        echo 1 > /proc/sys/dev/uph_wifi0/enable
        echo 0 > /proc/sys/dev/uph_wifi0/noack_mode
        echo 0 > /proc/sys/dev/uph_wifi0/daprot
        echo 2 0 > /proc/sys/dev/uph_wifi0/sta_priority
        echo 0 > /proc/sys/dev/uph_wifi0/ff_cap_rep
        echo 0 > /proc/sys/dev/uph_wifi0/cms_bias
        echo 10 > /proc/sys/dev/uph_wifi0/ff_mcast_airtime_limit
        echo 0 50 3 12 12 10 10 0 0 1 > /proc/sys/dev/uph_wifi0/fixed_frame
        echo 12 > /proc/sys/dev/uph_wifi0/sta_rx_rssi_th
        iwpriv "wifi0" band 2
        /sbin/wlanconfig "ath0" create wlandev wifi0 wlanmode ap > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            echo wifi0 > /tmp/.wifi_ath0
        else
            echo "WLANCONFIG: ath0 could not created, waiting for 5 secs" > /dev/kmsg
            sleep 5;
            /sbin/wlanconfig "ath0" create wlandev wifi0 wlanmode ap > /dev/null 2>&1
            if [ $? -eq 0 ]; then
                echo wifi00 > /tmp/.wifi_ath00
            fi
        fi
        radartool -i "wifi0" dfsdebug 0x00000003 >/dev/null 2>&1
        iwpriv "ath0" mode 11ACVHT40
        iwpriv "wifi0" chanbw 40
        iwpriv "wifi0" RegObey 1
        iwpriv "wifi0" ant_gain 14
        iwpriv "wifi0" cable_loss 0
        iwpriv "wifi0" txchainmask 3
        iwpriv "wifi0" rxchainmask 3
        athchans -i ath0 0
        iwconfig "ath0" center1 5190M
        iwconfig "ath0" freq 5180M
        iwconfig "ath0" rate auto
        if [ -e /proc/sys/dev/ubnt_poll/no_ack_rate ]; then
            echo 1 -1 > /proc/sys/dev/ubnt_poll/no_ack_rate
        fi
        iwconfig "ath0" rts off
        iwconfig "ath0" txpower auto
        echo 0 0 0 0 -128 > /proc/sys/dev/uph_wifi0/atpc
        iwpriv "wifi0" ani_enable 0
        iwpriv "wifi0" sens_level -96
        iwpriv "ath0" shortgi 1
        iwpriv "ath0" cwmenable 0
        iwpriv "ath0" cwmmode 1
        iwpriv "wifi0" distance 600
        iwpriv "wifi0" damode 0
        iwpriv "wifi0" dacount 25
        iwpriv "ath0" puren 0
        iwpriv "wifi0" enable_ol_stats 1
        iwconfig "ath0" commit
        iwpriv "ath0" rc_mode 0
        true
    }

    plugin_stop() {
        killall scand
        pkill -9 radarmon
        ifconfig "wifi0" down
        /sbin/wlanconfig "ath0" destroy
        rm -f /tmp/.wifi_ath0
        rmmod ath_dfs 1>/dev/null 2>&1 || true
        true
    }
While I don't know yet how to disable AirMAX, the entries in /proc/sys/dev/uph_wifi0 and /sys/module/umac look very promising to poke around with.
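Before writing anything into those directories it is worth recording what the firmware set at boot, so that a bad experiment can be undone without rebooting the device. The shell script below is an added example written for this page; it is not AirOS code and not one of UBNT's scripts. It snapshots every readable knob below a list of directories into a file and writes the saved values back on request, using the same "echo value > knob" mechanism radio.conf uses. To make it runnable off the device, make_fake_tree builds a constructed stand-in for /proc/sys/dev/uph_wifi0 and /sys/module/umac/parameters, seeded with the values radio.conf writes above; on the real device you would pass those two real paths instead.

```shell
#!/bin/sh
# Added example for this page, not AirOS code: snapshot the AirMAX (uph)
# and umac tunables before experimenting, and restore them afterwards.
# On the device the directories would be /proc/sys/dev/uph_wifi0 and
# /sys/module/umac/parameters; the tree built by make_fake_tree is a
# constructed stand-in seeded with the values radio.conf writes at boot.

# list_knobs DIR : print the readable regular files directly below DIR,
# one path per line. Unreadable (write-only) knobs are reported on stderr.
list_knobs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
        else
            printf '# unreadable, skipped: %s\n' "$f" >&2
        fi
    done
}

# snapshot_knobs OUT DIR... : write "path<TAB>value" for every knob below
# each DIR into OUT. Multi-valued knobs such as fixed_frame
# ("0 50 3 12 12 10 10 0 0 1") are kept verbatim on one line.
snapshot_knobs() {
    out="$1"; shift
    : > "$out"
    for dir in "$@"; do
        list_knobs "$dir" | while IFS= read -r f; do
            val=$(head -n 1 "$f" 2>/dev/null)
            printf '%s\t%s\n' "$f" "$val" >> "$out"
        done
    done
}

# restore_knobs SNAP : write every saved value back. Read-only knobs are
# reported and counted instead of aborting, so one failure does not leave
# the radio half-restored. Returns the number of knobs not restored.
restore_knobs() {
    failed=0
    tab=$(printf '\t')
    while IFS="$tab" read -r f val; do
        if [ -w "$f" ]; then
            printf '%s\n' "$val" > "$f" || failed=$((failed + 1))
        else
            printf '# read-only, skipped: %s\n' "$f" >&2
            failed=$((failed + 1))
        fi
    done < "$1"
    return "$failed"
}

# make_fake_tree ROOT : constructed copy of the two tunable directories,
# with the boot-time values from radio.conf (an assumption for the demo).
make_fake_tree() {
    root="$1"
    mkdir -p "$root/proc/sys/dev/uph_wifi0" "$root/sys/module/umac/parameters"
    echo 1 > "$root/proc/sys/dev/uph_wifi0/enable"
    echo 0 > "$root/proc/sys/dev/uph_wifi0/noack_mode"
    echo "0 50 3 12 12 10 10 0 0 1" > "$root/proc/sys/dev/uph_wifi0/fixed_frame"
    echo 1 > "$root/sys/module/umac/parameters/is_ubnt_ff"
    echo 0 > "$root/sys/module/umac/parameters/ubnt_op_mode"
}

# demo_roundtrip : snapshot the fake tree, flip the AirMAX "enable" knob as
# the experiment, restore, and print the value of "enable" afterwards.
demo_roundtrip() {
    root=$(mktemp -d)
    make_fake_tree "$root"
    uph="$root/proc/sys/dev/uph_wifi0"
    umac="$root/sys/module/umac/parameters"
    snapshot_knobs "$root/knobs.snap" "$uph" "$umac"
    echo 0 > "$uph/enable"          # the experiment
    restore_knobs "$root/knobs.snap"
    head -n 1 "$uph/enable"         # back to the boot-time value
    rm -rf "$root"
}

demo_roundtrip
```

On the device itself the snapshot would be taken once, right after boot, with `snapshot_knobs /tmp/knobs.snap /proc/sys/dev/uph_wifi0 /sys/module/umac/parameters`; the write-only entries (addradio under /proc/sys/dev/uph, for example) show up as "unreadable, skipped" and are deliberately not replayed, since replaying them would re-register the radio rather than restore a setting.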
Management/Spectral-View Radio
Besides the main radio, the device has a dual-band 802.11abgn AR9340 radio. It is used either for the 2.4 GHz management radio or for the spectral view, which is why the spectral view is disabled while the management radio is enabled. When started in spectral view mode it is set to the 5 GHz band and monitor mode (the airview1 interface in the iwconfig output above), while it is set to 2.4 GHz in normal hostapd-driven AP mode.