Android IBSS RSN

Jeffrey Robble fejjro at
Thu Sep 26 20:01:20 EDT 2013

Hi All,

I manage an open source project called Smart Phone Ad-hoc Networking (SPAN):

The idea is to enable ad-hoc networking on Android phones and tablets so
that people can form a MANET during a natural disaster, terrorist incident,
or other times when traditional infrastructure (i.e. cell towers) is not
available, goes down, is overloaded, or is simply not trusted.

We're able to get several kinds of Android devices in ad-hoc mode using
wext + iwconfig, but that approach is outdated, so we're now focusing on
nl80211 + iw. I'm able to get a Galaxy S III GT-I9300 in ad-hoc mode using
iw. The next step is to secure the network with IBSS RSN using the
wpa_supplicant. I get to the point where I can use the wpa_cli to run
"ibss_rsn <mac addr>" to start the 4-way handshake between two devices in
the same IBSS. Here's a condensed version of the wpa_supplicant output in
logcat from the initiator's side:

D/wpa_supplicant(16465): RX ctrl_iface - hexdump(len=26): 49 42 53 53 5f 52 53 4e 20 39 30 3a 31 38 3a 37 63 3a 63 38 3a 30 36 3a 37 39
D/wpa_supplicant(16465): wlan0: Control interface command 'IBSS_RSN
D/wpa_supplicant(16465): RSN: Starting IBSS Authenticator and Supplicant for peer 90:18:7c:c8:06:79

D/wpa_supplicant(16465): wlan0: WPA: RX message 1 of 4-Way Handshake from 90:18:7c:c8:06:79 (ver=2)

D/wpa_supplicant(16465): WPA: WPA IE for msg 2/4 - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 00 00

D/wpa_supplicant(16465): wlan0: WPA: RX message 3 of 4-Way Handshake from 90:18:7c:c8:06:79 (ver=2)

D/wpa_supplicant(16465): wlan0: WPA: Sending EAPOL-Key 4/4

D/wpa_supplicant(16465): RSN: received GTK in pairwise handshake - hexdump(len=18): [REMOVED]
D/wpa_supplicant(16465): WPA: Group Key - hexdump(len=16): [REMOVED]
D/wpa_supplicant(16465): wlan0: WPA: Installing GTK to the driver (keyidx=1 tx=0 len=16)

D/wpa_supplicant(16465):    RSN IBSS RX GTK
D/wpa_supplicant(16465): nl80211: set_key failed; err=-22 Invalid argument)

W/wpa_supplicant(16465): wlan0: WPA: Failed to set GTK to the driver (alg=3 keylen=16 keyidx=1)
D/wpa_supplicant(16465): wlan0: RSN: Failed to install GTK
I/wpa_supplicant(16465): wlan0: RSN: Failed to configure GTK

D/wpa_supplicant(16465): RSN: IBSS RX EAPOL for Authenticator
D/wpa_supplicant(16465): WPA: Received EAPOL-Key from 90:18:7c:c8:06:79 key_info=0x30a type=2 key_data_length=0

D/wpa_supplicant(16465): AUTH: 90:18:7c:c8:06:79 - received EAPOL-Key frame (4/4 Pairwise)
D/wpa_supplicant(16465): WPA: 90:18:7c:c8:06:79 WPA_PTK entering state
D/wpa_supplicant(16465): AUTH: auth_set_key(alg=3 addr=90:18:7c:c8:06:79
D/wpa_supplicant(16465): AUTH: set_key - key - hexdump(len=16): [REMOVED]
D/wpa_supplicant(16465): AUTH: Do not use this PTK
D/wpa_supplicant(16465): AUTH: 90:18:7c:c8:06:79 authorizing port
D/wpa_supplicant(16465): Could not set station 90:18:7c:c8:06:79 flags for kernel driver (errno=22)
D/wpa_supplicant(16465): AUTH: eapol event not handled 1
D/wpa_supplicant(16465): AUTH: eapol event not handled 5
D/wpa_supplicant(16465): AUTH: eapol event not handled 6
D/wpa_supplicant(16465): AUTH: 90:18:7c:c8:06:79 - pairwise key handshake completed (RSN)

Basically, what's happening is that the 4-way handshake completes but the
devices aren't able to install the group key to the driver (which I don't
care so much about right now, but I will in the future). More importantly,
the devices aren't able to set station flags using the kernel driver.

The GT-I9300 uses the bcmdhd driver. Taking a look at ibss_rsn.c I see that
ibss_set_sta_authorized() calls wpa_drv_sta_set_flags(), which calls
wpa_driver_nl80211_sta_set_flags() in driver_nl80211.c. In turn that issues
the NL80211_CMD_SET_STATION command, which eventually attempts to invoke
cfg80211_ops.change_station(). Sadly, bcmdhd's implementation of
cfg80211_ops, wl_cfg80211_ops, does not define change_station(), which
causes wpa_drv_sta_set_flags() to fail.

Thus, I'm led to believe that bcmdhd does not support IBSS RSN. In
future versions of Android, Broadcom is looking to drop bcmdhd in favor of
brcmfmac. I took a look at the AOSP kernel and Linux kernel upstream and
cfg80211_ops.change_station() is not defined for brcmfmac. The only AOSP
driver I noticed that defines cfg80211_ops.change_station() is ath6kl. I
then started looking into devices with Atheros chips, specifically the new
WCN3680, such as the Moto X phone. Motorola open sourced the Wi-Fi driver
code for the Moto X and it's called vendor-qcom-opensource-wlan-prima. That
driver defines cfg80211_ops.change_station(), so I am hopeful that it
supports IBSS RSN.

I'm relatively new to this area, so I feel like I'm jumping down a rabbit
hole. Please let me know if I'm way off here.

Is there an easy way to modify bcmdhd to support
cfg80211_ops.change_station() or are we limited by the firmware (it seems
that ath6kl does DMA with the firmware to set flags)? What's the best
driver to focus on? What drivers is IBSS RSN known to work with?

Thanks for your help everyone,

- Jeff Robble

More information about the HostAP mailing list