<div dir="ltr"><div>Hi All,</div><div><br></div><div>I manage an open source project called Smart Phone Ad-hoc Networking (SPAN):</div><div><a href="https://github.com/ProjectSPAN">https://github.com/ProjectSPAN</a></div><div>
<br></div><div>The idea is to enable ad-hoc networking on Android phones and tablets so that people can form a MANET during a natural disaster, terrorist incident, or other times when traditional infrastructure (i.e. cell towers) is not available, goes down, is overloaded, or is simply not trusted.</div>
<div><br></div><div>We're able to get several kinds of Android devices in ad-hoc mode using wext + iwconfig, but that approach is outdated, so we're now focusing on nl80211 + iw. I'm able to get a Galaxy S III GT-I9300 in ad-hoc mode using iw. The next step is to secure the network with IBSS RSN using the wpa_supplicant. I get to the point where I can use the wpa_cli to run "ibss_rsn <mac addr>" to start the 4-way handshake between two devices in the same IBSS. Here's a condensed version of the wpa_supplicant output in logcat from the initiator's side:</div>
<div><br></div><div><br></div><div>D/wpa_supplicant(16465): RX ctrl_iface - hexdump(len=26): 49 42 53 53 5f 52 53 4e 20 39 30 3a 31 38 3a 37 63 3a 63 38 3a 30 36 3a 37 39</div><div>D/wpa_supplicant(16465): wlan0: Control interface command 'IBSS_RSN 90:18:7c:c8:06:79'</div>
<div>D/wpa_supplicant(16465): RSN: Starting IBSS Authenticator and Supplicant for peer 90:18:7c:c8:06:79</div><div><br></div><div>D/wpa_supplicant(16465): wlan0: WPA: RX message 1 of 4-Way Handshake from 90:18:7c:c8:06:79 (ver=2)</div>
<div><br></div><div>D/wpa_supplicant(16465): WPA: WPA IE for msg 2/4 - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 00 00</div><div><br></div><div>D/wpa_supplicant(16465): wlan0: WPA: RX message 3 of 4-Way Handshake from 90:18:7c:c8:06:79 (ver=2)</div>
<div><br></div><div>D/wpa_supplicant(16465): wlan0: WPA: Sending EAPOL-Key 4/4</div><div><br></div><div>D/wpa_supplicant(16465): RSN: received GTK in pairwise handshake - hexdump(len=18): [REMOVED]</div><div>D/wpa_supplicant(16465): WPA: Group Key - hexdump(len=16): [REMOVED]</div>
<div>D/wpa_supplicant(16465): wlan0: WPA: Installing GTK to the driver (keyidx=1 tx=0 len=16)</div><div><br></div><div>D/wpa_supplicant(16465): RSN IBSS RX GTK</div><div>D/wpa_supplicant(16465): nl80211: set_key failed; err=-22 Invalid argument)</div>
<div><br></div><div>W/wpa_supplicant(16465): wlan0: WPA: Failed to set GTK to the driver (alg=3 keylen=16 keyidx=1)</div><div>D/wpa_supplicant(16465): wlan0: RSN: Failed to install GTK</div><div>I/wpa_supplicant(16465): wlan0: RSN: Failed to configure GTK</div>
<div><br></div><div>D/wpa_supplicant(16465): RSN: IBSS RX EAPOL for Authenticator</div><div>D/wpa_supplicant(16465): WPA: Received EAPOL-Key from 90:18:7c:c8:06:79 key_info=0x30a type=2 key_data_length=0</div><div><br></div>
<div>D/wpa_supplicant(16465): AUTH: 90:18:7c:c8:06:79 - received EAPOL-Key frame (4/4 Pairwise)</div><div>D/wpa_supplicant(16465): WPA: 90:18:7c:c8:06:79 WPA_PTK entering state PTKINITDONE</div><div>D/wpa_supplicant(16465): AUTH: auth_set_key(alg=3 addr=90:18:7c:c8:06:79 key_idx=0)</div>
<div>D/wpa_supplicant(16465): AUTH: set_key - key - hexdump(len=16): [REMOVED]</div><div>D/wpa_supplicant(16465): AUTH: Do not use this PTK</div><div>D/wpa_supplicant(16465): AUTH: 90:18:7c:c8:06:79 authorizing port</div>
<div>D/wpa_supplicant(16465): Could not set station 90:18:7c:c8:06:79 flags for kernel driver (errno=22)</div><div>D/wpa_supplicant(16465): AUTH: eapol event not handled 1</div><div>D/wpa_supplicant(16465): AUTH: eapol event not handled 5</div>
<div>D/wpa_supplicant(16465): AUTH: eapol event not handled 6</div><div>D/wpa_supplicant(16465): AUTH: 90:18:7c:c8:06:79 - pairwise key handshake completed (RSN)</div><div><br></div><div><br></div><div>Basically, what's happening is that the 4-way handshake completes but the devices aren't able to install the group key to the driver (which I don't care so much about right now, but I will in the future). More importantly, the devices aren't able to set station flags using the kernel driver.</div>
<div><br></div><div>The GT-I9300 uses the bcmdhd driver. Taking a look at ibss_rsn.c I see that ibss_set_sta_authorized() calls wpa_drv_sta_set_flags(), which calls wpa_driver_nl80211_sta_set_flags() in driver_nl80211.c. In turn that issues the NL80211_CMD_SET_STATION command, which eventually attempts to invoke cfg80211_ops.change_station(). Sadly, bcmdhd's implementation of cfg80211_ops, wl_cfg80211_ops, does not define change_station(), which causes wpa_drv_sta_set_flags() to fail.</div>
<div><br></div><div>Thus, I'm led to believe that bcmdhd does not support IBSS RSN. In future versions of Android, Broadcom is looking to drop bcmdhd in favor of brcmfmac. I took a look at the AOSP kernel and the upstream Linux kernel, and cfg80211_ops.change_station() is not defined for brcmfmac. The only AOSP driver I noticed that defines cfg80211_ops.change_station() is ath6kl. I then started looking into devices with Atheros chips, specifically the new WCN3680, such as the Moto X phone. Motorola open sourced the Wi-Fi driver code for the Moto X and it's called vendor-qcom-opensource-wlan-prima. That driver defines cfg80211_ops.change_station(), so I am hopeful that it supports IBSS RSN.</div>
<div><br></div><div>I'm relatively new to this area, so I feel like I'm jumping down a rabbit hole. Please let me know if I'm way off here.</div><div><br></div><div>Is there an easy way to modify bcmdhd to support cfg80211_ops.change_station(), or are we limited by the firmware (it seems that ath6kl does DMA with the firmware to set flags)? What's the best driver to focus on? Which drivers has IBSS RSN been known to work with?</div>
<div><br></div><div>Thanks for your help everyone,</div><div><br></div><div>- Jeff Robble</div></div>
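As an added diagnostic example (not part of Jeff's message or of the SPAN project), the script below reads wpa_supplicant logcat lines of the shape shown above and reports, per IBSS peer, whether the 4-way handshake completed and whether the GTK install and the station-flags call failed. The sample lines are constructed from the excerpt; the assumption that lines carrying no peer MAC (the "Sending EAPOL-Key 4/4" and "set_key failed" lines) belong to the peer named in the most recent IBSS_RSN command is mine, not something wpa_supplicant guarantees.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the logcat excerpt (initiator side).
SAMPLE_LOG = """\
D/wpa_supplicant(16465): wlan0: Control interface command 'IBSS_RSN 90:18:7c:c8:06:79'
D/wpa_supplicant(16465): RSN: Starting IBSS Authenticator and Supplicant for peer 90:18:7c:c8:06:79
D/wpa_supplicant(16465): wlan0: WPA: RX message 1 of 4-Way Handshake from 90:18:7c:c8:06:79 (ver=2)
D/wpa_supplicant(16465): wlan0: WPA: RX message 3 of 4-Way Handshake from 90:18:7c:c8:06:79 (ver=2)
D/wpa_supplicant(16465): wlan0: WPA: Sending EAPOL-Key 4/4
D/wpa_supplicant(16465): wlan0: WPA: Installing GTK to the driver (keyidx=1 tx=0 len=16)
D/wpa_supplicant(16465): nl80211: set_key failed; err=-22 Invalid argument)
W/wpa_supplicant(16465): wlan0: WPA: Failed to set GTK to the driver (alg=3 keylen=16 keyidx=1)
D/wpa_supplicant(16465): AUTH: 90:18:7c:c8:06:79 authorizing port
D/wpa_supplicant(16465): Could not set station 90:18:7c:c8:06:79 flags for kernel driver (errno=22)
D/wpa_supplicant(16465): AUTH: 90:18:7c:c8:06:79 - pairwise key handshake completed (RSN)
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
PREFIX = re.compile(r"^[VDIWEF]/wpa_supplicant\(\d+\):\s*")
RE_START = re.compile(r"Control interface command 'IBSS_RSN " + MAC + "'", re.I)
RE_RX_MSG = re.compile(r"RX message (?P<n>[1-4]) of 4-Way Handshake from " + MAC, re.I)
RE_STA_FLAGS = re.compile(
    r"Could not set station " + MAC + r" flags for kernel driver \(errno=(?P<errno>\d+)\)", re.I)
RE_DONE = re.compile(r"AUTH: " + MAC + r" - pairwise key handshake completed \(RSN\)", re.I)
RE_TX_4 = re.compile(r"Sending EAPOL-Key 4/4")
RE_SET_KEY_ERR = re.compile(r"nl80211: set_key failed; err=(?P<err>-?\d+)")
RE_GTK_FAIL = re.compile(r"Failed to set GTK to the driver")


@dataclass
class PeerState:
    mac: str
    rx_msgs: set[int] = field(default_factory=set)  # handshake messages received from the peer
    sent_msg4: bool = False                         # we answered with EAPOL-Key 4/4
    gtk_failed: bool = False                        # driver refused the group key
    gtk_errno: int | None = None                    # nl80211 set_key error preceding that refusal
    sta_flags_errno: int | None = None              # NL80211_CMD_SET_STATION (authorize) error
    ptk_completed: bool = False                     # authenticator reports the pairwise handshake done


def analyze(log_text: str) -> dict[str, PeerState]:
    """Walk logcat lines and collect the IBSS RSN outcome per peer MAC."""
    peers: dict[str, PeerState] = {}
    current: PeerState | None = None   # peer of the latest IBSS_RSN command (assumption, see lead-in)
    last_set_key_err: int | None = None

    def peer(mac: str) -> PeerState:
        return peers.setdefault(mac.lower(), PeerState(mac.lower()))

    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw.strip())
        # Lines that name a peer are attributed directly.
        if m := RE_START.search(line):
            current = peer(m["mac"])
        elif m := RE_RX_MSG.search(line):
            peer(m["mac"]).rx_msgs.add(int(m["n"]))
        elif m := RE_STA_FLAGS.search(line):
            peer(m["mac"]).sta_flags_errno = int(m["errno"])
        elif m := RE_DONE.search(line):
            peer(m["mac"]).ptk_completed = True
        # Lines without a MAC go to the peer most recently started.
        elif current is None:
            continue
        elif RE_TX_4.search(line):
            current.sent_msg4 = True
        elif m := RE_SET_KEY_ERR.search(line):
            last_set_key_err = int(m["err"])
        elif RE_GTK_FAIL.search(line):
            current.gtk_failed = True
            current.gtk_errno = last_set_key_err
    return peers


def verdict(st: PeerState) -> str:
    """One-line summary of what the driver accepted for this peer."""
    parts = ["pairwise handshake completed" if st.ptk_completed else "pairwise handshake incomplete"]
    if st.gtk_failed:
        parts.append(f"GTK install failed (nl80211 err={st.gtk_errno})")
    if st.sta_flags_errno is not None:
        parts.append(f"station flags not set (errno={st.sta_flags_errno})")
    return "; ".join(parts)


if __name__ == "__main__":
    for mac, st in analyze(SAMPLE_LOG).items():
        print(f"{mac}: rx msgs {sorted(st.rx_msgs)}, sent 4/4={st.sent_msg4}: {verdict(st)}")
```

Run against a full logcat capture, the verdict separates the three conditions the message describes: the PTK handshake itself finishing, the GTK install being refused by the driver, and the station-authorize call failing, so the two driver problems can be tracked independently of the key exchange.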