Results 1 to 10 of 26

Thread: Aircrack-ng/aireplay-ng 3945ABG compat channel -1

  1. #1
    Join Date
    Jan 2007
    Beans
    57

    Aircrack-ng/aireplay-ng 3945ABG compat fixed channel -1

    All of this is done to my own wireless network, before anyone starts whining.

    After a fair bit of work finding the correct wireless drivers for 10.04 to let me use packet injection with an Intel 3945ABG chip, I've encountered another problem. When trying to use aireplay-ng for anything other than the test (-9), it complains about the AP being on a different channel to my wireless interface (mon0, created from wlan0). It says my interface is on channel -1, which I presume is a hypothetical channel (I've only heard of wireless channels above 0!), and that the AP is on channel 1 (or any conventional channel). I've checked, and there isn't an option for setting a channel in aireplay, so this has me stumped.

    Code:
    sudo aireplay-ng -1 0 -a 00:18:4D:B8:31:24  mon0
    No source MAC (-h) specified. Using the device MAC (00:13:02:99:9F:1B)
    18:06:25  Waiting for beacon frame (BSSID: 00:18:4D:B8:31:24) on channel -1
    18:06:26  mon0 is on channel -1, but the AP uses channel 11
    Airodump-ng has no problem: when a channel isn't specified it hops between channels without a problem, and it can be forced onto only one without a hitch. However, when I do force it onto only one channel, it tells me it's on channel -1 as well as my desired channel, although this does not appear to affect performance.

    Code:
    CH 11 ][ BAT: 1 hour 30 mins ][ Elapsed: 16 s ][ 2010-05-25 18:08 ][ fixed channel mon0: -1                
                                                                                                                
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                         
                                                                                                                
     00:18:4D:B8:31:24  -78 100      184        0    0  11  54e. WEP  WEP         MyNetwork
    So I'm asking, what is this strange, presumably hypothetical channel -1, what channel is my card actually in, and can I get aireplay-ng to work?
    Last edited by benthegreat; May 26th, 2010 at 09:26 AM.
    Linux registered user #451339.
    Linux registered machine #359285.

    "Failure is not an option — it comes bundled with Windows"

  2. #2
    Join Date
    May 2010
    Beans
    2

    Re: Aircrack-ng/aireplay-ng 3945ABG compat fixed channel -1

    I'm also only doing this on my own router.
    Before anyone says "fix the channel with airodump-ng," please listen to what I have to say.

    I've been working on this for quite some time. I too run the intel iwl3945 driver and have been having this same problem. I've found a way to fix the channel:

    Code:
    airodump-ng -c X,X
    where X is the channel number. A comma and a repetition fixes it, so instead of getting something like this:

    Quote Originally Posted by benthegreat
    Code:
    CH 11 ][ BAT: 1 hour 30 mins ][ Elapsed: 16 s ][ 2010-05-25 18:08 ][ fixed channel mon0: -1

    You get something like this:
    Code:
    CH  6 ][ Elapsed: 2 mins ][ 2010-05-26 20:01                                         
                                                                                                                                                                
     BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    I have tried killing all processes that show up with airmon-ng check, and still get the error:
    Code:
    mon0 is on channel -1, but the AP uses channel 6
    About a year ago I was able to use the iwl3945 driver just fine for packet injection. Between then and now I hopped OS's a few times, thus losing whatever magic configuration I once had. Anyone know what the deal is?

  3. #3
    Join Date
    Jan 2007
    Beans
    57

    Re: Aircrack-ng/aireplay-ng 3945ABG compat channel -1

    Thanks for the reply, it's nice to know someone else is in the same boat.

    I have realised that the channel number is simply calculated from the frequency, so the -1 is either a low frequency, or a mistake somewhere. Not the hypothetical setting I was hoping for.

    I'm in Windows at the moment, but I'll try that airodump-ng syntax later, thank you.

    I'm still confused as to how a card can be supposedly locked to a channel, yet connect fine, and channel hop in airodump-ng without a problem. Interesting...
    Linux registered user #451339.
    Linux registered machine #359285.

    "Failure is not an option — it comes bundled with Windows"

  4. #4
    Join Date
    May 2010
    Beans
    2

    Re: Aircrack-ng/aireplay-ng 3945ABG compat channel -1

    Dug up my old configuration. I had compat-wireless from 2009-06-20 and aircrack-ng 1.0 rc3. See what that does for you.

    Now that I'm posting a configuration that I know works, I would like to reiterate that the software should be used for your own legal SECURITY and EDUCATION purposes ONLY. This software is NOT distributed for illegal purposes and should NOT be used for illegal purposes.

  5. #5
    Join Date
    Jun 2010
    Location
    Australia
    Beans
    10

    Re: Aircrack-ng/aireplay-ng 3945ABG compat fixed channel -1

    Same problem here, only I'm using an Atheros AR9285 (Rev:2) chip. It's not supported in the current kernel (even though it was said to be supported in >= 2.6.29, it's not, but it is in the development kernel; I can't remember which one) and I didn't want to upgrade to a development kernel for the ath9k drivers, so I used bleeding-edge compat-wireless. All works well, only I suffer from the exact same problem. Mine gets stuck on either -1 (which isn't possible??) or very rarely channel 6. I have gone ahead and killed everything. Stopped NetworkManager and wpa_supplicant and still I run into the same problem.

    Quote Originally Posted by jenovanomusuko
    Code:
    airodump-ng -c X,X
    where X is the channel number. A comma and a repetition fixes it
    I tried this. Airodump no longer tells me I am fixed to a channel which is good but then I tried to test:
    airodump-ng -c 8,8 mon0
    It still picked up a network broadcasting on channel 6. Airodump doesn't show that it's scanning other channels though. It shows as if it were fixed and all were well. I then tried:

    airodump-ng -c 10,10 mon0
    This didn't pick it up. The X,X thing might lack accuracy when choosing a band of frequencies. I haven't tried to specify a BSSID and channel yet though. I'll do that tonight and see if I can catch a handshake.

    Thanks
    Last edited by DomInat3; July 5th, 2010 at 07:10 AM.

  6. #6
    Join Date
    Nov 2009
    Location
    Brighton, United Kingdom
    Beans
    75
    Distro
    Ubuntu

    Re: Aircrack-ng/aireplay-ng 3945ABG compat channel -1

    I'm getting the same problem here too. Using a Zydas 1211 chipset with patched compat drivers. Using the comma trick as posted above simply changes the output to not display -1, but aireplay still gives the error.

    I found this patch which is supposedly a fix for the problem (temporarily) but I can't seem to get it working.

    https://patchwork.kernel.org/patch/103589/

    It patches the chan.c file. I found this in my compat directory and placed the patch there (and in all possible subdirectories) but it fails every time. I'd be very grateful if someone can explain exactly how to use this, as it seems like just what I/we need.
    LAPTOP: Acer Travelmate 4070 - Linux Mint
    DESKTOP1: 2.8ghz athlon x2, 2gb kingston hyperx ram, 9800GT - Ubuntu 9.10
    DESKTOP2: P4 3.0 Ghz (HT) 2GB corsair ram, 8600GT - Ubuntu 9.10

  7. #7
    Join Date
    Jun 2010
    Location
    Australia
    Beans
    10

    Re: Aircrack-ng/aireplay-ng 3945ABG compat channel -1

    Quote Originally Posted by sensay
    Using the comma trick as posted above simply changes the output to not display -1, but aireplay still gives the error.
    Same

    Quote Originally Posted by sensay
    I found this patch which is supposedly a fix for the problem (temporarily) but I can't seem to get it working.

    https://patchwork.kernel.org/patch/103589/

    It patches the chan.c file. I found this in my compat directory and placed the patch there (and in all possible subdirectories) but it fails every time. I'd be very grateful if someone can explain exactly how to use this, as it seems like just what I/we need.
    I'll give it a go sometime today when I'm on my netbook. Did you save the code on the page you linked above as something like chan.patch in your home directory and then run something like
    sudo patch -p0 < chan.patch
    That should do the trick?

  8. #8
    Join Date
    Jun 2010
    Location
    Australia
    Beans
    10

    Re: Aircrack-ng/aireplay-ng 3945ABG compat channel -1

    Ok.... so far it seems as if I have it working. It functions better than before anyway. It does a couple of weird things every now and then, but it is locking into a channel and I no longer receive the error. Here's what I did:

    I had to edit a few lines of the patch that sensay linked to. I attached the new version below, but here's the new contents anyway:

    Code:
    --- chan.c.orig
    +++ chan.c
    @@ -49,9 +49,12 @@ int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
     {
     	struct ieee80211_channel *chan;
     	int result;
    +	struct wireless_dev *mon_dev = NULL;
     
    -	if (wdev && wdev->iftype == NL80211_IFTYPE_MONITOR)
    +	if (wdev && wdev->iftype == NL80211_IFTYPE_MONITOR) {
    +		mon_dev = wdev;
     		wdev = NULL;
    +	}
     
     	if (wdev) {
     		ASSERT_WDEV_LOCK(wdev);
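    Review bot: mon_dev is introduced with no comment explaining why the monitor wdev is remembered while wdev itself is still cleared to NULL; a short comment at the `mon_dev = wdev;` assignment should say that the pointer is kept only so the channel can be recorded on the monitor interface afterwards. Note also that, because wdev is NULL for monitor interfaces, the `ASSERT_WDEV_LOCK(wdev)` branch below is skipped for them, so nothing in this hunk checks locking for the pointer being saved.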
    @@ -76,5 +79,8 @@ int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
     	if (wdev)
     		wdev->channel = chan;
     
    +	if (mon_dev)
    +		mon_dev->channel = chan;
    +
     	return 0;
     }
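    Review bot: the new `mon_dev->channel = chan;` write is not covered by any lock assertion in the lines shown, whereas the `wdev` path is guarded by `ASSERT_WDEV_LOCK(wdev)` earlier in the function; either assert the monitor wdev's lock before this write or add a comment stating why it is safe without one. Since wdev and mon_dev are never both non-NULL, the two `if` blocks could also be merged so the channel is assigned in one place.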
    Save it and copy it into the same directory as the chan.c file. Mine was in ~/compat*/net/wireless, but you can do a search with something like the below to find it.
    Code:
    sudo find / -name chan.c -print
    Now open a terminal and navigate to the directory where chan.c and the patch are located. Run (I had to use sudo because the owner was root, as I had already edited the file as root, but don't if you haven't already been screwing around):
    Code:
    sudo patch -p0 -i < watevaucalledthepatch.patch
    Now if you had to run the above command with root privileges (like me) then run the below to restore the file permissions. Replace userhere in the first line below with your user name:
    Code:
    sudo chown userhere:userhere chan.c
    sudo chmod 777 chan.c
    It should now be patched successfully with the right permissions. All you need to do now is recompile and unload the old drivers. Navigate into the base directory of compat wireless (mine was ~/compat*). I ran the below to select the ath9k drivers but you may have to do different depending on your chipset:
    Code:
    ./scripts/driver-select ath9k
    Now run the below to build:
    Code:
    make
    sudo make install
    And unload the old drivers:
    Code:
    sudo make unload
    sudo make wlunload
    You may or may not have to run the below, it won't hurt if you do
    Code:
    sudo make btunload
    Now reboot or alternatively run:
    Code:
    sudo modprobe <drivergoeshere>
    Everything should be in working order and the problem semi-fixed

    Hope this helps.
    Last edited by DomInat3; August 19th, 2010 at 06:21 AM. Reason: Update
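
A user-space C model of the behaviour discussed in posts #3 and #8, added here as an illustration; it is not code from the kernel, from aircrack-ng, or from any poster. It shows how a monitor interface with no recorded channel can be reported as channel -1 and how the two assignments added by the patch change that. The struct layouts, function names, and the assumption that a missing channel is reported as frequency 0 are simplifications made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel types named in the patch (assumed layout). */
enum iftype { IFTYPE_STATION, IFTYPE_MONITOR };
struct channel { int center_freq; };               /* MHz */
struct wdev { enum iftype iftype; struct channel *channel; };

/* Frequency (MHz) to channel number; -1 means "no valid channel". */
int freq_to_channel(int mhz)
{
    if (mhz >= 2412 && mhz <= 2472) return (mhz - 2407) / 5;
    if (mhz == 2484) return 14;
    if (mhz >= 4920 && mhz <= 6100) return (mhz - 5000) / 5;
    return -1;
}

/* Model of the set-frequency path; `patched` selects the behaviour after the diff. */
void set_freq(struct wdev *wdev, struct channel *chan, int patched)
{
    struct wdev *mon_dev = NULL;
    if (wdev && wdev->iftype == IFTYPE_MONITOR) {
        if (patched)
            mon_dev = wdev;      /* remember the monitor interface */
        wdev = NULL;             /* monitor handled as "no specific wdev" */
    }
    /* channel lookup and hardware tuning are left out of this model */
    if (wdev)
        wdev->channel = chan;
    if (mon_dev)
        mon_dev->channel = chan; /* the assignment the patch adds */
}

/* Assumption: an interface with no recorded channel reports frequency 0. */
int reported_channel(const struct wdev *wdev)
{
    int mhz = wdev->channel ? wdev->channel->center_freq : 0;
    return freq_to_channel(mhz);
}

int main(void)
{
    struct channel ch11 = { 2462 };  /* constructed sample: channel 11 */
    struct wdev before = { IFTYPE_MONITOR, NULL }, after = { IFTYPE_MONITOR, NULL };
    set_freq(&before, &ch11, 0);
    set_freq(&after, &ch11, 1);
    printf("unpatched: %d, patched: %d\n", reported_channel(&before), reported_channel(&after));
    return 0;
}
```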

  9. #9
    Join Date
    Nov 2009
    Location
    Brighton, United Kingdom
    Beans
    75
    Distro
    Ubuntu

    Re: Aircrack-ng/aireplay-ng 3945ABG compat channel -1

    Hi. Tried your new version of the patch; unfortunately, when I now run it I simply get a hang in the terminal... I've left it for half an hour and nothing happens..

    This is frustrating, I'm glad it's working for you though..

    I thought perhaps my compat may be borked (I've messed around with it a bit) so I'm gonna download a new version and try patching and compiling with that... Any tips though would be appreciated.

    EDIT: sudo patch -p0 < watevaucalledthepatch.patch is incorrect. sudo patch -p0 -i < watevaucalledthepatch.patch is the correct string. I am patched now, just about to recompile and test..

    EDIT2: Working! Thanks a lot mate. Little FYI, you can skip rebooting by using sudo modprobe <drivergoeshere> after you have unloaded the wireless and bluetooth. For me it was sudo modprobe zd1211rw, but it will be dependent on your driver name, obviously.
    Last edited by sensay; July 8th, 2010 at 10:50 AM.
    LAPTOP: Acer Travelmate 4070 - Linux Mint
    DESKTOP1: 2.8ghz athlon x2, 2gb kingston hyperx ram, 9800GT - Ubuntu 9.10
    DESKTOP2: P4 3.0 Ghz (HT) 2GB corsair ram, 8600GT - Ubuntu 9.10

  10. #10
    Join Date
    Jun 2010
    Location
    Australia
    Beans
    10

    Re: Aircrack-ng/aireplay-ng 3945ABG compat channel -1

    Quote Originally Posted by sensay
    EDIT: sudo patch -p0 < watevaucalledthepatch.patch is incorrect. sudo patch -p0 -i < watevaucalledthepatch.patch is the correct string. I am patched now, just about to recompile and test..

    EDIT2: Working! Thanks a lot mate. Little FYI, you can skip rebooting by using sudo modprobe <drivergoeshere> after you have unloaded the wireless and bluetooth. For me it was sudo modprobe zd1211rw, but it will be dependent on your driver name, obviously.
    Fixed no worries buddy. Glad to help.
