ath10k fails station mode for QCA986x/988x
Username: Andrey
Origin: https://bugs.openwrt.org/index.php?do=details&task_id=723
Set-Up:
Board: NXP/Freescale Layerscape TWR-LS1021A Router/AP
Wireless Network Adapter: Qualcomm Atheros PCI QCA986x/988x 802.11ac
OS: LEDE (derivative from OpenWrt) Reboot/SNAPSHOT/r3044-21356a6
On host: menuconfig:
Kernel modules > Wireless Drivers: kmod-ath10k, kmod-ath, kmod-cfg80211, kmod-mac80211
Firmware: ath10k-firmware-qca988x
Network: wpad, wpa-cli
netifd + ubus + uci
On TWR-LS1021A:
Just in order to test if WiFi card is really QCA986x/988x 802.11ac:
root@lede:/# cat /sys/bus/pci/devices/0000:01:00.0/vendor
0x168c
root@lede:/# cat /sys/bus/pci/devices/0000:01:00.0/device
0x003c
Google: "PCI 168c 0x003c" gives QCA986x/988x
During the first boot, boot scripts create: /etc/config/wireless with the following contents:
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '36'
    option hwmode '11a'
    option path 'soc/3400000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
    option htmode 'VHT80'
    option disabled '1'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'LEDE'
    option encryption 'none'

We remove: option disabled '1' (WiFi is disabled by default → enable it) and reboot.
Boot with USB-serial output:
…
[ 6.270954] ath10k_pci 0000:01:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0
[ 6.450972] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:01:00.0.bin failed with error -2
[ 6.461643] ath10k_pci 0000:01:00.0: Falling back to user helper
[ 6.474916] firmware ath10k!pre-cal-pci-0000:01:00.0.bin: firmware_loading_store: map pages failed
[ 6.484102] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/cal-pci-0000:01:00.0.bin failed with error -2
[ 6.494431] ath10k_pci 0000:01:00.0: Falling back to user helper
[ 6.507497] firmware ath10k!cal-pci-0000:01:00.0.bin: firmware_loading_store: map pages failed
[ 6.528736] ath10k_pci 0000:01:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043202ff sub 0000:0000
[ 6.537986] ath10k_pci 0000:01:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 1
[ 6.548737] ath10k_pci 0000:01:00.0: firmware ver 10.2.4-1.0-00016 api 5 features no-p2p,raw-mode,mfp crc32 0c5668f8
[ 6.599443] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/board-2.bin failed with error -2
[ 6.609853] ath10k_pci 0000:01:00.0: Falling back to user helper
[ 6.623269] firmware ath10k!QCA988X!hw2.0!board-2.bin: firmware_loading_store: map pages failed
[ 6.632927] ath10k_pci 0000:01:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08
[ 7.775018] ath10k_pci 0000:01:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal otp max-sta 128 raw 0 hwcrypto 1
…
[ 11.014199] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 11.022336] device wlan0 entered promiscuous mode
[ 11.336732] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
…
Remarks:
pre-cal/cal-pci error messages are connected to pre-calibration issues, so ignore them
board-2.bin error: indeed /lib/firmware/ath10k/QCA988X/hw2.0/ contains only board.bin and firmware-5.bin. We have tried to copy hw2.0/board-2.bin from the QCA proprietary driver but then:
[ 6.590282] ath10k_pci 0000:01:00.0: failed to fetch board data for bus=pci,vendor=168c,device=003c,subsystem-vendor=0000,subsystem-device=0000 from ath10k/QCA988X/hw2.0/board-2.bin
Nevertheless, the driver is correctly started in AP mode:
root@lede:/# iwconfig
wlan0 IEEE 802.11 Mode:Master Tx-Power=20 dBm
RTS thr:off Fragment thr:off
Power Management:off
root@lede:/# ifconfig
wlan0 Link encap:Ethernet HWaddr 00:0E:8E:59:7D:8F
inet6 addr: fe80::20e:8eff:fe59:7d8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:128 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:15588 (15.2 KiB)
Now try to switch to station mode with WPA:
AP: 802.11a, channel 36: 5.18 GHz, SSID: iwl3xxx, Security mode: WPA/PSK, CCMP/AES (WPA/RSN), Password: password
TWR-LS1021A: /etc/config/wireless:
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '36'
    option hwmode '11a'
    option path 'soc/3400000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'wlan'
    option mode 'sta'
    option ssid 'iwl3xxx'
    option encryption 'psk'
    option key 'password'

config interface 'wlan'
    option ifname 'default_radio0'
    option proto 'static'
    option ipaddr '192.168.0.2'
    option netmask '255.255.255.0'

root@lede:/# iwconfig
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=0 dBm
RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
It correctly switches to managed mode but no ESSID and no AP are assigned. Direct WPA supplicant employment also fails:
We create WPA config file /a:
country=00
network={
    ssid="iwl3xxx"
    psk="password"
    scan_ssid=1
    key_mgmt=WPA-PSK
    pairwise=CCMP TKIP
    group=CCMP TKIP
}
Start WPA supplicant:
root@lede:/# wpa_supplicant -c /a -i wlan0 -D nl80211
Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[ 2736.691425] wlan0: authenticate with 00:18:92:05:b6:ec
[ 2736.702348] wlan0: send auth to 00:18:92:05:b6:ec (try 1/3)
[ 2736.709540] wlan0: authenticated
wlan0: Trying to associate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[ 2736.717183] wlan0: associate with 00:18:92:05:b6:ec (try 1/3)
[ 2736.725522] wlan0: RX AssocResp from 00:18:92:05:b6:ec (capab=0x411 status=0 aid=1)
[ 2736.734827] wlan0: associated
[ 2736.738114] wlan0: deauthenticating from 00:18:92:05:b6:ec by local choice (Reason: 3=DEAUTH_LEAVING)
wlan0: Associated with 00:18:92:05:b6:ec
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:18:92:05:b6:ec reason=3 locally_generated=1
wlan0: WPA: 4-Way Handshake failed - pre-shared key may be incorrect
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="iwl3xxx" auth_failures=1 duration=10 reason=WRONG_KEY
Though the key is correct, the driver delivers a WRONG_KEY message. In order to eliminate any security issues, we switch to insecure communication:
AP: 802.11a, channel 36: 5.18 GHz, SSID: iwl3xxx, Security mode: NONE
TWR-LS1021A: WPA config file /a:
country=00
network={
    ssid="iwl3xxx"
    scan_ssid=1
    key_mgmt=NONE
}
Start WPA supplicant:
root@lede:/# wpa_supplicant -c /a -i wlan0 -D nl80211
Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[ 26.011997] wlan0: authenticate with 00:18:92:05:b6:ec
[ 26.069291] wlan0: send auth to 00:18:92:05:b6:ec (try 1/3)
[ 26.075992] wlan0: authenticated
wlan0: Trying to associate with 00:18:92:05:b6:ec (SSID='iwl3xxx' freq=5180 MHz)
[ 26.087236] wlan0: associate with 00:18:92:05:b6:ec (try 1/3)
[ 26.094140] wlan0: RX AssocResp from 00:18:92:05:b6:ec (capab=0x401 status=0 aid=1)
[ 26.103088] wlan0: associated
[ 26.106163] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
wlan0: Associated with 00:18:92:05:b6:ec
wlan0: CTRL-EVENT-CONNECTED - Connection to 00:18:92:05:b6:ec completed [id=0 id_str=]
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
[ 36.117315] wlan0: deauthenticating from 00:18:92:05:b6:ec by local choice (Reason: 3=DEAUTH_LEAVING)
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:18:92:05:b6:ec reason=3 locally_generated=1
So, WPA supplicant reports: we were authenticated and associated, connection completed. And then we leave WiFi by local choice. Wireshark shows that the deauthenticate request comes from us to the access point.
Result: ath10k fails station mode for QCA986x/988x
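The following log triage is an added example, not part of the original report: it separates a locally generated deauthentication from a genuine key failure by reading the `locally_generated` flag and the kernel timestamps around association. The function names `triage` and `classify` are hypothetical; the sample lines are copied from the two wpa_supplicant runs above.

```python
import re

# Sample lines copied from the two wpa_supplicant runs in this report.
WPA_PSK_RUN = """\
[ 2736.734827] wlan0: associated
[ 2736.738114] wlan0: deauthenticating from 00:18:92:05:b6:ec by local choice (Reason: 3=DEAUTH_LEAVING)
wlan0: Associated with 00:18:92:05:b6:ec
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:18:92:05:b6:ec reason=3 locally_generated=1
wlan0: WPA: 4-Way Handshake failed - pre-shared key may be incorrect
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="iwl3xxx" auth_failures=1 duration=10 reason=WRONG_KEY
"""
OPEN_RUN = """\
[ 26.103088] wlan0: associated
wlan0: CTRL-EVENT-CONNECTED - Connection to 00:18:92:05:b6:ec completed [id=0 id_str=]
[ 36.117315] wlan0: deauthenticating from 00:18:92:05:b6:ec by local choice (Reason: 3=DEAUTH_LEAVING)
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:18:92:05:b6:ec reason=3 locally_generated=1
"""

KERNEL = re.compile(r"^\[\s*(\d+\.\d+)\]\s+\S+: (.*)$")  # "[ ts] iface: message"
DISC = re.compile(r"CTRL-EVENT-DISCONNECTED bssid=\S+ reason=(\d+)(?: locally_generated=(\d))?")

def triage(log):
    """Summarise one connection attempt from mixed kernel/wpa_supplicant output."""
    t_assoc = t_deauth = None
    r = {"associated": False, "connected": False, "local_deauth": False,
         "reason": None, "wrong_key_reported": False, "seconds_up": None}
    for line in log.splitlines():
        k = KERNEL.match(line)
        if k:  # kernel (mac80211) line: only used for state and timing
            ts, msg = float(k.group(1)), k.group(2)
            if msg == "associated":
                r["associated"], t_assoc = True, ts
            elif "by local choice" in msg:
                t_deauth = ts
            continue
        d = DISC.search(line)
        if d:
            r["reason"] = int(d.group(1))
            r["local_deauth"] = d.group(2) == "1"
        r["connected"] |= "CTRL-EVENT-CONNECTED" in line
        r["wrong_key_reported"] |= "reason=WRONG_KEY" in line
    if t_assoc is not None and t_deauth is not None:
        r["seconds_up"] = round(t_deauth - t_assoc, 3)
    return r

def classify(r):
    # A disconnect with locally_generated=1 was sent by this station, not the AP.
    if not (r["associated"] and r["local_deauth"]):
        return "not-this-pattern"
    return "local-deauth-after-connect" if r["connected"] else "local-deauth-right-after-assoc"
```

On the WPA run the station deauthenticates itself about 3 ms after association, so the WRONG_KEY report there is best read together with the `locally_generated=1` flag rather than as proof of a bad passphrase.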