Monitor Mode Feature on CYW43455

Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob
maku_2263101
Level 3
Level 3
First like received First like given

Hi,

We would like to bring-up monitor mode on CYW43455 (Murata 1MW) module.

We tried using wl command to enable monitor mode as below but not successful

wl monitor 1

Also tried using iw commands to create Monitor mode interface but it returns below error

#ip link set IFACE down

#iw IFACE set monitor control

#command failed: Operation not supported (-95)

When we checked the discussion on below link it says "There is no limitation on the firmware side as such for entering monitor mode."

https://community.cypress.com/message/177118#177118

Let us know do we need to use specific Drivers/Firmware to enable this feature.

Please share us necessary steps to bring-up monitor mode

Let us know if any more details are required.

Below are the S/W version details:

Drivers Loading log:
Loading modules backported from Linux version v4.14.52-manda-RTM-0-g897c6ce
Backport generated by backports.git v4.14-rc2-1-70-g694b78f
brcmfmac: brcmf_fw_map_chip_to_name: using brcm/brcmfmac43455-sdio.bin for chip 0x004345(17221) rev 0x000006
usbcore: registered new interface driver brcmfmac
brcmfmac: brcmf_c_preinit_dcmds: Murata Customized Version: imx-rocko-manda_r1.0;
brcmfmac: brcmf_c_preinit_dcmds: Firmware version = wl0: Sep 21 2018 04:08:34 version 7.45.173 (r707987 CY) FWID 01-d2799ea2
wl ver:
1.21 RC0.0
wl0: Sep 21 2018 04:08:34 version 7.45.173 (r707987 CY) FWID 01-d2799ea2
wl revinfo:
vendorid 0x14e4
deviceid 0x43ab
radiorev 0x58030b
chipnum 0x4345
chiprev 0x6
chippackage 0x2
corerev 54.0
boardid 0x6e4
boardvendor 0x14e4
boardrev P201
driverrev 7.45.173.0
ucoderev 0x0
bus 0x0
phytype 0xb
phyrev 20.0
anarev 0x0
nvramrev 498373

Below is the output of iw phy phy0 info

Wiphy phy0

        max # scan SSIDs: 10

        max scan IEs length: 2048 bytes

        max # sched scan SSIDs: 16

        max # match sets: 16

        max # scan plans: 1

        max scan plan interval: 508

        max scan plan iterations: 0

        Retry short limit: 7

        Retry long limit: 4

        Coverage class: 0 (up to 0m)

        Device supports roaming.

        Supported Ciphers:

                * WEP40 (00-0f-ac:1)

                * WEP104 (00-0f-ac:5)

                * TKIP (00-0f-ac:2)

                * CCMP-128 (00-0f-ac:4)

                * CMAC (00-0f-ac:6)

        Available Antennas: TX 0 RX 0

        Supported interface modes:

                 * IBSS

                 * managed

                 * AP

                 * P2P-client

                 * P2P-GO

                 * P2P-device

        Band 1:

                Capabilities: 0x1022

                        HT20/HT40

                        Static SM Power Save

                        RX HT20 SGI

                        No RX STBC

                        Max AMSDU length: 3839 bytes

                        DSSS/CCK HT40

                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)

                Minimum RX AMPDU time spacing: 16 usec (0x07)

                HT TX/RX MCS rate indexes supported: 0-7

                Bitrates (non-HT):

                        * 1.0 Mbps

                        * 2.0 Mbps (short preamble supported)

                        * 5.5 Mbps (short preamble supported)

                        * 11.0 Mbps (short preamble supported)

                        * 6.0 Mbps

                        * 9.0 Mbps

                        * 12.0 Mbps

                        * 18.0 Mbps

                        * 24.0 Mbps

                        * 36.0 Mbps

                        * 48.0 Mbps

                        * 54.0 Mbps

                Frequencies:

                        * 2412 MHz [1] (20.0 dBm)

                        * 2417 MHz [2] (20.0 dBm)

                        * 2422 MHz [3] (20.0 dBm)

                        * 2427 MHz [4] (20.0 dBm)

                        * 2432 MHz [5] (20.0 dBm)

                        * 2437 MHz [6] (20.0 dBm)

                        * 2442 MHz [7] (20.0 dBm)

                        * 2447 MHz [8] (20.0 dBm)

                        * 2452 MHz [9] (20.0 dBm)

                        * 2457 MHz [10] (20.0 dBm)

                        * 2462 MHz [11] (20.0 dBm)

                        * 2467 MHz [12] (20.0 dBm)

                        * 2472 MHz [13] (20.0 dBm)

                        * 2484 MHz [14] (20.0 dBm)

        Band 2:

                Capabilities: 0x1062

                        HT20/HT40

                        Static SM Power Save

                        RX HT20 SGI

                        RX HT40 SGI

                        No RX STBC

                        Max AMSDU length: 3839 bytes

                        DSSS/CCK HT40

                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)

                Minimum RX AMPDU time spacing: 16 usec (0x07)

                HT TX/RX MCS rate indexes supported: 0-7

                VHT Capabilities (0x00001020):

                        Max MPDU length: 3895

                        Supported Channel Width: neither 160 nor 80+80

                        short GI (80 MHz)

                        SU Beamformee

                VHT RX MCS set:

                        1 streams: MCS 0-9

                        2 streams: not supported

                        3 streams: not supported

                        4 streams: not supported

                        5 streams: not supported

                        6 streams: not supported

                        7 streams: not supported

                        8 streams: not supported

                VHT RX highest supported: 0 Mbps

                VHT TX MCS set:

                        1 streams: MCS 0-9

                        2 streams: not supported

                        3 streams: not supported

                        4 streams: not supported

                        5 streams: not supported

                        6 streams: not supported

                        7 streams: not supported

                        8 streams: not supported

                VHT TX highest supported: 0 Mbps

                Bitrates (non-HT):

                        * 6.0 Mbps

                        * 9.0 Mbps

                        * 12.0 Mbps

                        * 18.0 Mbps

                        * 24.0 Mbps

                        * 36.0 Mbps

                        * 48.0 Mbps

                        * 54.0 Mbps

                Frequencies:

                        * 5170 MHz [34] (20.0 dBm)

                        * 5180 MHz [36] (20.0 dBm)

                        * 5190 MHz [38] (20.0 dBm)

                        * 5200 MHz [40] (20.0 dBm)

                        * 5210 MHz [42] (20.0 dBm)

                        * 5220 MHz [44] (20.0 dBm)

                        * 5230 MHz [46] (20.0 dBm)

                        * 5240 MHz [48] (20.0 dBm)

                        * 5260 MHz [52] (20.0 dBm)

                        * 5280 MHz [56] (20.0 dBm)

                        * 5300 MHz [60] (20.0 dBm)

                        * 5320 MHz [64] (20.0 dBm)

                        * 5500 MHz [100] (20.0 dBm)

                        * 5520 MHz [104] (20.0 dBm)

                        * 5540 MHz [108] (20.0 dBm)

                        * 5560 MHz [112] (20.0 dBm)

                        * 5580 MHz [116] (20.0 dBm)

                        * 5600 MHz [120] (20.0 dBm)

                        * 5620 MHz [124] (20.0 dBm)

                        * 5640 MHz [128] (20.0 dBm)

                        * 5660 MHz [132] (20.0 dBm)

                        * 5680 MHz [136] (20.0 dBm)

                        * 5700 MHz [140] (20.0 dBm)

                        * 5720 MHz [144] (20.0 dBm)

                        * 5745 MHz [149] (20.0 dBm)

                        * 5765 MHz [153] (20.0 dBm)

                        * 5785 MHz [157] (20.0 dBm)

                        * 5805 MHz [161] (20.0 dBm)

                        * 5825 MHz [165] (20.0 dBm)

        Supported commands:

                 * new_interface

                 * set_interface

                 * new_key

                 * start_ap

                 * set_bss

                 * join_ibss

                 * set_pmksa

                 * del_pmksa

                 * flush_pmksa

                 * remain_on_channel

                 * frame

                 * set_wiphy_netns

                 * set_channel

                 * start_sched_scan

                 * start_p2p_device

                 * connect

                 * disconnect

                 * crit_protocol_start

                 * crit_protocol_stop

                 * update_connect_params

        Supported TX frame types:

                 * managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0

                 * P2P-client: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0

                 * P2P-GO: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0

                 * P2P-device: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0

        Supported RX frame types:

                 * managed: 0x40 0xd0

                 * P2P-client: 0x40 0xd0

                 * P2P-GO: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0

                 * P2P-device: 0x40 0xd0

        WoWLAN support:

                 * wake up on disconnect

                 * wake up on magic packet

                 * wake up on pattern match, up to 8 patterns of 1-128 bytes,

                   maximum packet offset 1500 bytes

        software interface modes (can always be added):

        valid interface combinations:

                 * #{ managed } <= 1, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,

                   total <= 3, #channels <= 2

                 * #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,

                   total <= 4, #channels <= 1

        Device supports scan flush.

ip link set wlan0 down

0 Likes
1 Solution

Do confirm that you are following the sequence below:

wl mpc 0

wl up

wl monitor 1

ifconfig <monitor_mode_interface> up

Use the monitor_mode_interface in  wireshark.

Regards,

Vinayak

View solution in original post

8 Replies
maku_2263101
Level 3
Level 3
First like received First like given

Hi All,

Are there any patches available to support Monitor Mode on CYW43455 module ?

0 Likes

Adding vnak

0 Likes
mame_1363116
Level 2
Level 2
Welcome!

I don't know if there's support for monitor mode on fw side, but the supplied brcmfmac driver doesn't handle it.

vnak  could you tell us something about it?

Thank you

0 Likes

Do confirm that you are following the sequence below:

wl mpc 0

wl up

wl monitor 1

ifconfig <monitor_mode_interface> up

Use the monitor_mode_interface in  wireshark.

Regards,

Vinayak

Hi, thank you or your reply.

Unfortunately I'm using this chipset on a different platform (RPi 3B+), and I don't have wl (I'm using fw+driver from your latest release).

As far as I can understand it'is just a matter of handling ioctl cmds 107/108, rigth?

Is there a simple way to do it on my platform or I have to implement it by myself in brcmfmac?

Thank you

Regards

0 Likes

Hi

Yes, the implementation of monitor mode in brcmfmac for the ioctls isi currently not present. You could try moving ahead to implement this in the driver, but that would be a hassle. Better way would be to use the compiled wl utility for you platform(arm64 compiled wl utility). Please contact our local  FAE/sales for more details on getting compiled wl utility

Regards,

Vinayak

lock attach
Attachments are accessible only for community members.

Thank You Vinayak for your response.

We have tried the steps shared by you and we are able to capture the packets using tcpdump on linux. but not able to parse the radio header.

We would like to fetch channel,data rate and signal level information from the radio header.

Looks like first 25bytes of the packet is related to broadcom specific radio header and from 26th octet 802.11 MAC Header is started.

Needed help in parsing this broadcom specific radio header.

Sample header:

11:24:06.929119 00:00:24:d0:0c:00 (oui Unknown) > 00:00:00:00:04:00 (oui Ethernet) Null Information, send seq 0, rcv seq 0, Flags [Command], length 257

        0x0000:  0100 0000 d100 0000 f3e7 7e65 0000 0000  ..........~e....

        0x0010:  bdff ffff 0000 0000 0100 0000 0200 0000  ................

        0x0020:  0000 0000 0000 0000 0000 0000 1400 0000  ................

        0x0030:  0000

Below are the steps followed.

Monitor Mode Bring-up:

    wl mpc 0

    wl up

    wl monitor 1

    ifconfig wlan0 up

Setting Channel:

    wl channel 36

Capturing packets:  

    tcpdump -iwlan0

Attached tcpdump output for Channel36 and Channel44

0 Likes

Hi mmotamarri_2263101

Sorry for the late reply.

Frame received in monitor mode contains 802.11 header and starts with d11 header(internal headers recieved from the firmware).

The driver handles the conversion of d11rxhdr to radiotap header conversion.

We will have to look into the driver to see where that parsing is happening.

Regards