Knowledgebase/Digging Into AirOS8

From the FunkFeuer Wiki
Revision as of 6 October 2021, 11:26 by XDjackieXD (talk | contribs) (Document findings in AirOS so far)

As AirOS AC devices don't have a setting to disable AirMAX, I started to dig into the default firmware in the hope of finding a way to disable it. The device examined is an IsoStation AC, so all findings are specific to this device, although they are probably very similar for all AirMAX AC devices.

As of now I have not found a way to disable it, but some of the things I found are interesting nonetheless, so let's get started.

Linux System

After logging in via SSH, the first thing I noticed is the ancient Linux kernel and GCC versions of the firmware:

Linux version 2.6.32.68 (jenkins@1a1f8fa80aab) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.01 unknown) ) #1 Tue Jun 23 16:48:07 EEST 2020

While the firmware seems to be based on OpenWrt, it doesn't really share anything in userspace with OpenWrt (no overlayfs, no UCI, ...).

The init system is also very different from OpenWrt's: /etc/init.d is completely empty, and all init scripts reside in /etc/sysinit and are called by a single entry in /etc/rc.d.

Main Radio

The main radio is a U-AME-G1-BR4A, which according to UBNT seems to be a customized version of the QCA988X v2 with added support for AirMAX hardware acceleration. When running normal OpenWrt on the device, the radio accepts a normal, unmodified firmware for the QCA988X v2 and just works with the ath10k driver, but without support for AirMAX (sadly).

The driver used by UBNT seems to be a driver built by Atheros rather than the normal ath9k/ath10k driver, as lsmod reports the following:

Module                  Size  Used by    Tainted: P  
ebt_redirect             880  0 
ebt_mark                 704  0 
ebt_vlan                1552  0 
ebt_stp                 1840  0 
ebt_pkttype              544  0 
ebt_mark_m               624  0 
ebt_limit               1200  0 
ebt_among               2144  0 
ebt_802_3                704  0 
ebtable_nat              880  0 
ebtable_filter           896  0 
ebtable_broute           720  1 
ebtables               15173  3 ebtable_nat,ebtable_filter,ebtable_broute
ebt_ip6                 1376  0 
ebt_snat                 864  0 
ebt_dnat                 800  0 
ebt_arpreply            1040  0 
ebt_ip                  1248  0 
ebt_arp                 1552  0 
ubnt_poll_host        150776  2 
ath_dfs              1188829  1 
em_text                 1280  0 
act_ipt                 2400  0 
sch_teql                3696  0 
em_nbyte                 688  0 
sch_red                 3472  0 
cls_basic               3392  0 
sch_gred                6288  0 
em_meta                 4608  0 
em_cmp                   720  0 
sch_dsmark              3584  0 
act_mirred              2176  0 
em_u32                   544  0 
cls_tcindex             4160  0 
cls_flow                5840  0 
cls_route               5072  0 
cls_fw                  3264  0 
sch_hfsc               14160  0 
rssi_leds               2064  0 
umac                 2005522  2 ubnt_poll_host,rssi_leds
ath_dfs_prescan        22736  0 
ath_dev               221833  3 ath_dfs,umac,ath_dfs_prescan
ath_spectral           24777  3 umac,ath_dev
ath_rate_atheros       31174  1 ath_dev
ath_hal               328906  3 umac,ath_dev,ath_rate_atheros
asf                     7121  7 ubnt_poll_host,ath_dfs,umac,ath_dfs_prescan,ath_dev,ath_spectral,ath_hal
adf                    10072  3 umac,ath_dev,ath_hal
urd                    54448  2 umac,ath_hal
ip_gre                 11952  0 
pppoe                   8160  0 
pppox                   1370  1 pppoe
ppp_mppe                5168  0 
ppp_async               6544  0 
ppp_generic            20373  4 pppoe,pppox,ppp_mppe,ppp_async
slhc                    4971  1 ppp_generic
nls_base                5102  0 
ar724x_eth             54446  0 
sha1_generic            1392  0 
michael_mic             1552  0 
md5                     1440  0 
hmac                    2272  0 
ecb                     1296  0 
des_generic            18377  0 
arc4                     832  0 
aes_generic            30153  0 
ts_fsm                  2640  0 
ts_bm                   1440  0 
ts_kmp                  1296  0 
crc_ccitt               1003  1 ppp_async
ubnthal               303371  9 ubnt_poll_host,ath_dfs,rssi_leds,umac,ath_dev,ath_hal,ar724x_eth
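To make sense of a listing like this on an unfamiliar firmware, it helps to turn the "Used by" column into a dependency tree, so that the vendor driver stack (the P in "Tainted: P" means a proprietary module is loaded) can be told apart from the generic netfilter, traffic-shaping and crypto modules. A "Used by" count with no module names after it (ubnt_poll_host 2, ath_dfs 1) means the references are held by something other than a listed module, typically a network interface. The following POSIX shell script is an added example written for this page, not code from AirOS or from the wiki; LSMOD_SAMPLE is a constructed excerpt of the listing above and the helper names are my own.

```shell
#!/bin/sh
# Added example: derive module dependencies from lsmod output.
# LSMOD_SAMPLE is a constructed excerpt of the IsoStation AC listing.
LSMOD_SAMPLE='Module                  Size  Used by    Tainted: P
ebtables               15173  3 ebtable_nat,ebtable_filter,ebtable_broute
ebtable_nat              880  0
ubnt_poll_host        150776  2
ath_dfs              1188829  1
rssi_leds               2064  0
umac                 2005522  2 ubnt_poll_host,rssi_leds
ath_dev               221833  3 ath_dfs,umac,ath_dfs_prescan
ath_hal               328906  3 umac,ath_dev,ath_rate_atheros
ubnthal               303371  9 ubnt_poll_host,ath_dfs,rssi_leds,umac,ath_dev,ath_hal,ar724x_eth'

# mod_users MOD DATA
#   Modules that depend on MOD: the names in MOD's own "Used by" column.
mod_users() {
  printf '%s\n' "$2" | awk -v m="$1" '
    NR > 1 && $1 == m && NF >= 4 {
      n = split($4, u, ","); for (i = 1; i <= n; i++) print u[i]
    }'
}

# mod_requires MOD DATA
#   Modules that MOD depends on: every module whose "Used by" column names MOD.
mod_requires() {
  printf '%s\n' "$2" | awk -v m="$1" '
    NR > 1 && NF >= 4 {
      n = split($4, u, ",")
      for (i = 1; i <= n; i++) if (u[i] == m) print $1
    }'
}

# mod_roots DATA
#   Modules no other module depends on (no names in "Used by"); these are the
#   tops of each stack, e.g. ubnt_poll_host for the vendor wireless stack.
mod_roots() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF < 4 { print $1 }'
}

# mod_tree MOD DATA [DEPTH]
#   Print MOD and, indented below it, everything it transitively depends on.
#   Only positional parameters are used so the recursion is safe in plain sh.
mod_tree() {
  _pad=''; _i=0
  while [ "$_i" -lt "${3:-0}" ]; do _pad="$_pad  "; _i=$((_i + 1)); done
  printf '%s%s\n' "$_pad" "$1"
  for dep in $(mod_requires "$1" "$2"); do
    mod_tree "$dep" "$2" $((${3:-0} + 1))
  done
}

# Demo: the 802.11 MAC module umac and the layers it sits on.
# On the device itself, use: mod_tree umac "$(lsmod)"
mod_tree umac "$LSMOD_SAMPLE"
```

Run on the device with the live listing (`mod_roots "$(lsmod)"`) to get the entry points of each stack, then `mod_tree` on one of them to see which modules it pulls in; the output for umac shows it resting on ath_dev, ath_hal and ubnthal.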

While iwconfig seems to sort of work (wlan0 is the same radio as ath0, and wlan1 is the same radio as airview1, which is replaced by ath1 if the management radio is enabled)

WA# iwconfig 
lo        no wireless extensions.

eth0      no wireless extensions.

gre0      no wireless extensions.

wifi1     no wireless extensions.

teql0     no wireless extensions.

br0       no wireless extensions.

wifi0     no wireless extensions.

ath0      IEEE 802.11ac  ESSID:""  
          Mode:Managed  Frequency:5.57 GHz  Access Point: Not-Associated   
          Bit Rate:0 kb/s   Tx-Power=16 dBm   
          RTS thr:off   Fragment thr:off
          Center1-Freq: 5.57 GHz
          Encryption key:off
          Power Management:off
          Link Quality=0/94  Signal level=-96 dBm  Noise level=-96 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

airview1  IEEE 802.11na  ESSID:"spectral"  
          Mode:Monitor  Frequency:4.92 GHz  Access Point: Not-Associated   
          Bit Rate:130 Mb/s   Tx-Power=13 dBm   
          RTS thr:off   Fragment thr:off
          Center1-Freq: 4.92 GHz
          Encryption key:off
          Power Management:off
          Link Quality=0/94  Signal level=-96 dBm  Noise level=-105 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

the iw tool does not work, even though it is installed:

WA# iw list
nl80211 not found.

The main radio is initialized using the following script in /etc/sysinit:

WA# cat radio.conf 
plugin_start() {
  insmod ath_dfs 1>/dev/null 2>&1 || true
  rmmod ubnt_poll_host 1>/dev/null 2>&1 || true
  echo 0 > /sys/module/umac/parameters/is_ubnt_ptp
  echo 0 > /sys/module/umac/parameters/tgdeb
  echo 1 > /sys/module/umac/parameters/is_ubnt_ff
  echo 0 > /sys/module/umac/parameters/ubnt_op_mode
  iwpriv "wifi0" SetTargetReset 0
  i=0; while [ $i -lt 3 ]; do [ ! -d /sys/class/net/wifi0 ] && break; i=$(($i+1)); sleep 1; done
  i=0; while [ $i -lt 3 ]; do sleep 1; [ -d /sys/class/net/wifi0 ] && break; i=$(($i+1)); done
  insmod ubnt_poll_host 1>/dev/null 2>&1 || true
  iwpriv "wifi0" setCountryID 40
  echo wifi0 0 1 1 > /proc/sys/dev/uph/addradio
  echo 1 > /proc/sys/dev/uph_wifi0/enable
  echo 0 > /proc/sys/dev/uph_wifi0/noack_mode
  echo 0 > /proc/sys/dev/uph_wifi0/daprot
  echo 2 0 > /proc/sys/dev/uph_wifi0/sta_priority
  echo 0 > /proc/sys/dev/uph_wifi0/ff_cap_rep
  echo 0 > /proc/sys/dev/uph_wifi0/cms_bias
  echo 10 > /proc/sys/dev/uph_wifi0/ff_mcast_airtime_limit
  echo 0 50 3 12 12 10 10 0 0 1 > /proc/sys/dev/uph_wifi0/fixed_frame
  echo 12 > /proc/sys/dev/uph_wifi0/sta_rx_rssi_th
  iwpriv "wifi0" band 2
  /sbin/wlanconfig "ath0" create wlandev wifi0 wlanmode ap  > /dev/null 2>&1
  if [ $? -eq 0 ]; then
    echo wifi0 > /tmp/.wifi_ath0
  else
    echo "WLANCONFIG: ath0 could not created, waiting for 5 secs" > /dev/kmsg
    sleep 5;
    /sbin/wlanconfig "ath0" create wlandev wifi0 wlanmode ap  > /dev/null 2>&1
    if [ $? -eq 0 ]; then
      echo wifi00 > /tmp/.wifi_ath00
    fi
  fi
  radartool -i "wifi0" dfsdebug 0x00000003 >/dev/null 2>&1
  iwpriv "ath0" mode 11ACVHT40
  iwpriv "wifi0" chanbw 40
  iwpriv "wifi0" RegObey 1
  iwpriv "wifi0" ant_gain 14
  iwpriv "wifi0" cable_loss 0
  iwpriv "wifi0" txchainmask 3
  iwpriv "wifi0" rxchainmask 3
  athchans -i ath0 0
  iwconfig "ath0" center1 5190M
  iwconfig "ath0" freq 5180M
  iwconfig "ath0" rate auto
  if [ -e /proc/sys/dev/ubnt_poll/no_ack_rate ]; then
    echo 1 -1 > /proc/sys/dev/ubnt_poll/no_ack_rate
  fi
  iwconfig "ath0" rts off
  iwconfig "ath0" txpower auto

  echo 0 0 0 0 -128 > /proc/sys/dev/uph_wifi0/atpc
  iwpriv "wifi0" ani_enable 0
  iwpriv "wifi0" sens_level -96
  iwpriv "ath0" shortgi 1
  iwpriv "ath0" cwmenable 0
  iwpriv "ath0" cwmmode 1
  iwpriv "wifi0" distance 600
  iwpriv "wifi0" damode 0
  iwpriv "wifi0" dacount 25
  iwpriv "ath0" puren 0
  iwpriv "wifi0" enable_ol_stats 1
  iwconfig "ath0"  commit
  iwpriv "ath0" rc_mode 0
  true
}
plugin_stop() {
  killall scand
  pkill -9 radarmon
  ifconfig "wifi0" down
  /sbin/wlanconfig "ath0" destroy
  rm -f /tmp/.wifi_ath0
  rmmod ath_dfs 1>/dev/null 2>&1 || true
  true
}

While I don't yet know how to disable AirMAX, the entries in /proc/sys/dev/uph_wifi0 and /sys/module/umac look very promising to poke around with.
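Before poking at those entries it pays to record what the init script leaves behind, so every experiment can be compared against a known state and reverted. The following POSIX shell functions are an added example for this page, not code from AirOS or from the wiki; they cover both the radio.conf writes above and the experiments proposed here. snapshot_params records every readable tunable in a directory such as /proc/sys/dev/uph_wifi0 or /sys/module/umac/parameters, diff_params reports what changed since that baseline, and script_writes lists the "echo VALUE > PATH" writes an init script performs so intended and live values can be compared. Function names are my own.

```shell
#!/bin/sh
# Added example: baseline and drift check for driver tunables exposed in
# procfs/sysfs, plus extraction of the writes an init script performs.

# snapshot_params DIR
#   Print "name=value" for every readable regular file directly in DIR, sorted
#   by name. Multi-value entries such as fixed_frame ("0 50 3 12 ...") stay on
#   one line; write-only nodes are skipped and nodes that fail to read are
#   recorded as <unreadable>.
snapshot_params() {
  for f in "$1"/*; do
    [ -f "$f" ] && [ -r "$f" ] || continue
    if val=$(cat "$f" 2>/dev/null); then
      val=$(printf '%s' "$val" | tr '\n' ' ')
    else
      val='<unreadable>'
    fi
    printf '%s=%s\n' "${f##*/}" "$val"
  done | sort
}

# diff_params BASELINE DIR
#   Compare a snapshot file written by snapshot_params with the live values in
#   DIR and print one line per new, changed or removed entry.
diff_params() {
  snapshot_params "$2" | awk -v base="$1" '
    BEGIN {
      while ((getline line < base) > 0) {
        i = index(line, "="); old[substr(line, 1, i - 1)] = substr(line, i + 1)
      }
      close(base)
    }
    {
      i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
      seen[k] = 1
      if (!(k in old))      print "new " k "=" v
      else if (old[k] != v) print "changed " k ": " old[k] " -> " v
    }
    END { for (k in old) if (!(k in seen)) print "removed " k }'
}

# script_writes SCRIPT
#   List the "echo VALUE > /PATH" lines of an init script (such as radio.conf)
#   as "PATH=VALUE", i.e. the values the script intends each tunable to hold.
script_writes() {
  sed -n 's/^[[:space:]]*echo \(.*\) > \(\/[^ ]*\)$/\2=\1/p' "$1"
}

# Usage on the device (read-only; the baseline file lives in /tmp):
#   snapshot_params /proc/sys/dev/uph_wifi0 > /tmp/uph_wifi0.base
#   ... change a tunable ...
#   diff_params /tmp/uph_wifi0.base /proc/sys/dev/uph_wifi0
#   script_writes /etc/sysinit/radio.conf
if [ -d /sys/module/umac/parameters ]; then
  snapshot_params /sys/module/umac/parameters
fi
```

Keeping the baseline in /tmp matches the firmware's own habit (see /tmp/.wifi_ath0 in radio.conf) and means a reboot, which re-runs plugin_start, also discards stale baselines.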

Management/Spectral-View Radio

Next to the main radio, the device has a dual-band 802.11abgn AR9340 radio. It is used either for the 2.4 GHz management radio or for the spectral view, which is why the spectral view is disabled while the management radio is enabled. When started in spectral-view mode it is set to the 5 GHz band and monitor mode, while in normal hostapd-driven AP mode it is set to 2.4 GHz.