Wrongly reacting to and sending 802.11 beacons with Channel Switch Announcement

[st0ff3r]

Still the same with wifi_station_set_reconnect_policy(0):

-> wifi_start_scan(WIFI_SCAN_INTERVAL)
@@ set csa state to CSA done
-> wifi_scan_timer_func()
RSSI: -65
@@ set csa state to CSA start 2
@@ add csa 1
@@ add csa 1
@@ add csa 3
@@ add csa 1
@@ add csa 1
@@ add csa 3
@@ add csa 1
@@ add csa 1
@@ add csa 3
@@ add csa 1
@@ add csa 1
@@ add csa 3
@@ add csa 1
@@ add csa 1
switch to channel 2
scandone
-> wifi_scan_done_cb(3fff37b8, 1)
-> wifi_start_scan(WIFI_SCAN_INTERVAL)
@@ set csa state to CSA done

[ESP_Faye]

Could you test with this libnet80211.a?

libnet80211.a.zip

(112.81 KiB) Downloaded 6746 times

And provide the entire logs for debugging?

[st0ff3r]

Same result, but no debugging message besides "switch to channel 2" after calling wifi_station_scan(). Should I try to change wifi_station_set_reconnect_policy(1) to wifi_station_set_reconnect_policy(0) as well?

[ESP_Faye]

Hi st0ff3r,

Could you have a try with the new test lib?

libnet80211-test2.a.zip

(113.11 KiB) Downloaded 6570 times

If possible, could you provide captured Wi-Fi packets for analyzing?

Thanks.

[st0ff3r]

Sure, I'll do that

[st0ff3r]

Hereby attached tcpdump wifi capture file and serial debugging output of the following scenario:
1. esp 8266 connected to ssid "Loppen Public" on channel 1
2. "beacon_spammer" sending out CSA's on channel 2
3. tcpdump running on same host as "beacon_spammer" on channel 2

Thanx a lot for your help to debug

[Her Mary]

May I ask if the SSID & BSSID of beacon sent from beacon_spammer be the same as the SSID & BSSID of the router which ESP8266 connected to？

[st0ff3r]

its not the same ssid/bssi thats what is strange - totally unrelated ssid

[st0ff3r]

Hi, sorry i havent have time to write back, but sadly the csa attack bug still there, even in the latest git master. Could I do anything to help debugging it?

Here is a simple program:

Code: Select all

static os_timer_t wifi_scan_timer;
static void wifi_scan_timer_func(void *arg);

ICACHE_FLASH_ATTR
void wifi_scan_done_cb(void *arg, STATUS status) {
   struct bss_info *info;
   
   if ((arg != NULL) && (status == OK)) {
      info = (struct bss_info *)arg;
      
      while (info != NULL) {
         os_printf("channel: %d, ssid: %s, bssid %02x:%02x:%02x:%02x:%02x:%02x, rssi: %d, freq_offset: %d, freqcal_val: %d\n\r", info->channel,
            info->ssid,
            info->bssid[0],
            info->bssid[1],
            info->bssid[2],
            info->bssid[3],
            info->bssid[4],
            info->bssid[5],
            info->rssi,
            info->freq_offset,
            info->freqcal_val
         );
         info = info->next.stqe_next;
      }
   }
}

static void ICACHE_FLASH_ATTR wifi_scan_timer_func(void *arg) {
   wifi_station_scan(NULL, wifi_scan_done_cb);
}

ICACHE_FLASH_ATTR void system_init_done(void) {
   struct station_config stationConf;

   wifi_set_opmode_current(STATIONAP_MODE);
   memset(&stationConf, 0, sizeof(struct station_config));
   wifi_station_get_config(&stationConf);
   
   os_memcpy(&stationConf.ssid, "Loppen Public", 32);
   os_memcpy(&stationConf.password, "", 64);
   
   wifi_station_set_config_current(&stationConf);
   wifi_station_connect();

   os_timer_disarm(&wifi_scan_timer);
   os_timer_setfn(&wifi_scan_timer, (os_timer_func_t *)wifi_scan_timer_func, NULL);
   os_timer_arm(&wifi_scan_timer, 5000, 1);
}

ICACHE_FLASH_ATTR void user_init(void) {
   system_update_cpu_freq(160);
   uart_init(BIT_RATE_115200, BIT_RATE_115200);

   wifi_set_opmode_current(NULL_MODE);
   wifi_station_disconnect();

   system_init_done_cb(&system_init_done);
}



and this is the output, while it runs simultaniously with another one also scanning. So as my earlier debugging shows (https://github.com/espressif/ESP8266_NONOS_SDK/issues/312) the code honour 802.11 beacons containing CSA when scanning, even if its sent from another ap than its connected to:

mode : sta(ec:fa:bc:21:27:94) + softAP(ee:fa:bc:21:27:94)
add if0
add if1
dhcp server start:(ip:192.168.4.1,mask:255.255.255.0,gw:192.168.4.1)
bcn 100
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1

connected with Loppen Public, channel 1
dhcp client start...
cnt
ip:10.0.1.177,mask:255.255.255.0,gw:10.0.1.1
switch to channel 6
scandone
switch to channel 6
scandone
switch to channel 6
scandone
switch to channel 6
scandone
scandone
switch to channel 6
scandone
switch to channel 6
scandone
[...]

[st0ff3r]

Looking closer to libnet80211.a it looks like its based on FreeBSD net80211 https://github.com/freebsd/freebsd-src/ ... s/net80211

So in a desparate try to force the esp to _not_ sending out CSA while scanning, I patched the function ieee80211_add_csa() in ieee80211_output.o like this:

40214748 <ieee80211_add_csa>:
40214748: f00d ret.n

so it completely skips the adding of CSA.

It worked!
I am not seeing "switch to channel X" anymore if there are no ESP's with unpatched ieee80211_add_csa close.

But a better solution would be if it would not _react_ to CSA's sent from other ESP's acting as an access points, when the client is not connected to that specific access point.

Any chances you could look into it? As it is now, the ESP's connection to an access point can be disconnected by anybody sending "evil" beacon packages.