Android Operation not supported on transport endpoint #192

Closed
ghost opened this issue Oct 24, 2021 · 35 comments
Comments

ghost commented Oct 24, 2021

I have an ath9k USB interface already in monitor mode, created as a virtual interface:
iw phy phy1 interface add mon0 type monitor
I tested airodump-ng 1.6.0 and it works without issue, but when I run hcxdumptool -i mon0 on Android 11 LOS 18.1 I get this error

# ./hcxdumptool -i mon0
initialization of hcxdumptool 6.2.4-21-g0fe3b96...
warning possible interfere: wpa_supplicant is running with pid 5043

failed to detect wlan interface: Operation not supported on transport endpoint
warning: failed to init socket

terminating...
1 driver error encountered
failed to restore old SIOCSIWMODE: No such device
failed to restore old SIOCSIFFLAGS and to bring interface up: No such device
# iw dev
phy#9
	Interface mon0
		ifindex 57
		wdev 0x900000002
		addr c4:e9:XX:XX:XX:XX
		type monitor

I also tried setting SELinux to permissive mode, but no change.

ZerBea (Owner) commented Oct 24, 2021

From --help:

         do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
         do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon) created by airmon-ng and iw

From README.md Adapters section:

hcxdumptool need full (monitor mode and full packet injection running all packet types) and exclusive access to the adapter! Otherwise it will not start!
The driver must support monitor mode and full packet injection, as well as ioctl() system calls!
Virtual Netlink (libnl) interfaces are not supported!

Please comment the output of:
$ hcxdumptool -i your_interface_which_is_not_in_monitor_mode --check_driver
to figure out if the driver supports all ioctl() system calls and to make sure that no emulator or wrapper is in use.
From README.md Brief description:
Unsupported: Windows OS, macOS, Android, emulators or wrappers and NETLINK!

If all mandatory ioctl() system calls are supported by the driver(!), output should look like this:

$ sudo hcxdumptool -i wlp5s0f3u3 --check_driver
initialization of hcxdumptool 6.2.4-14-g69872e0...
starting driver test...

driver tests passed...
all required ioctl() system calls are supported by driver

terminating...

If the driver doesn't support these ioctl() system calls, there is nothing we can do.

ghost (Author) commented Oct 24, 2021

There is only one error

./hcxdumptool -i mon0 --check_driver
initialization of hcxdumptool 6.2.4-21-g0fe3b96...
starting driver test...
warning possible interfere: wpa_supplicant is running with pid 5043

interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls
several driver errors encountered during the test - monitor mode and ioctl() system calls failed

terminating...
1 driver error encountered

I solved it with this patch


diff --git a/hcxdumptool.c b/hcxdumptool.c
index eb20ef8..5779b58 100644
--- a/hcxdumptool.c
+++ b/hcxdumptool.c
@@ -504,7 +504,7 @@ if(fd_socket > 0)
        if(ioctl(fd_socket, SIOCGIFFLAGS, &ifr) < 0) perror("failed to get interface information");
        ifr.ifr_flags = 0;
        if(ioctl(fd_socket, SIOCSIFFLAGS, &ifr) < 0) perror("failed to set interface down");
-       if(ioctl(fd_socket, SIOCSIWMODE, &iwr_old) < 0) perror("failed to restore old SIOCSIWMODE");
+       //if(ioctl(fd_socket, SIOCSIWMODE, &iwr_old) < 0) perror("failed to restore old SIOCSIWMODE");
        if(ioctl(fd_socket, SIOCSIFFLAGS, &ifr_old) < 0) perror("failed to restore old SIOCSIFFLAGS and to bring interface up");
        if(close(fd_socket) != 0) perror("failed to close raw socket");
        }
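Review bot: commenting out the SIOCSIWMODE restore unconditionally makes the exit cleanup asymmetric: the flags are still put back via ioctl(fd_socket, SIOCSIFFLAGS, &ifr_old), but on a kernel where WEXT does work the interface is now left in monitor mode after hcxdumptool exits. Keep the line and skip it only when the earlier SIOCGIWMODE backup failed or the interface was already in monitor mode at init, and delete the dead line instead of leaving it commented out.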
@@ -6985,7 +6985,7 @@ if((fd_socket = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0)
 memset(interfaceprotocol, 0, IFNAMSIZ);
 memset(&iwr, 0, sizeof(iwr));
 strncpy(iwr.ifr_name, interfacename, IFNAMSIZ -1);
-if(ioctl(fd_socket, SIOCGIWNAME, &iwr) < 0)
+if(ioctl(fd_socket, SIOCGIFINDEX, &iwr) < 0)
        {
        perror("failed to detect wlan interface");
        return false;
@@ -7002,6 +7002,7 @@ if(ioctl(fd_socket, SIOCGIFFLAGS, &ifr_old) < 0)
        perror("failed to backup current interface flags, ioctl(SIOCGIFFLAGS) not supported by driver");
        return false;
        }
+/*
 memset(&iwr_old, 0, sizeof(iwr));
 strncpy(iwr_old.ifr_name, interfacename, IFNAMSIZ -1);
 if(ioctl(fd_socket, SIOCGIWMODE, &iwr_old) < 0)
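Review bot: the /* opened here runs across the whole iwr_old backup and monitor-mode setup until the */ in the next hunk, which makes the change hard to review and leaves iwr_old unused while the ifr_old flags backup just above it is kept. If this block is meant to go, delete it or wrap it in #if 0 ... #endif so the compiler still parses it; a 60-line block comment is easy to close in the wrong place.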
@@ -7068,6 +7069,7 @@ if((iwr_old.u.mode & IW_MODE_MONITOR) != IW_MODE_MONITOR)
                return false;
                }
        }
+*/
 else
        {
        fprintf(stderr, "interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls\n");
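Review bot: closing the comment immediately before else makes that else bind to the nearest surviving if, which is the if(ioctl(fd_socket, SIOCGIFFLAGS, &ifr_old) < 0) { ... } block from the earlier hunk, because the if((iwr_old.u.mode & IW_MODE_MONITOR) != IW_MODE_MONITOR) it belonged to is now inside the comment. The result compiles, but "interface is already in monitor mode, skipping ..." is printed whenever SIOCGIFFLAGS succeeds, regardless of the real mode, so that line in the --check_driver output is not evidence of mode detection. Remove the else branch together with the block it belonged to.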

I removed the setting of monitor mode.

ZerBea (Owner) commented Oct 24, 2021

I tested airodump-ng 1.6.0 and works without issue but when I run hcxdumptool -i mon0 on android 11 LOS 18.1 I have this error
For sure: airodump-ng is a passive dumper that doesn't transmit. In addition to that, it will use NETLINK!
hcxdumptool is an active dumper that doesn't use NETLINK.

Please read more here:
https://www.quora.com/What-are-the-differences-between-netlink-sockets-and-ioctl-calls?share=1
and you'll understand why we don't use NETLINK stuff to perform fast attacks.

ZerBea (Owner) commented Oct 24, 2021

If you run iw to set monitor mode, NETLINK will be in use. You can verify this by running iw in debug mode:

$ sudo iw --debug phy phy0 interface add mon0 type monitor
-- Debug: Sent Message:
--------------------------   BEGIN NETLINK MESSAGE ---------------------------
  [NETLINK HEADER] 16 octets
    .nlmsg_len = 48
    .type = 33 <0x21>
    .flags = 5 <REQUEST,ACK>
    .seq = 1635076500
    .port = -1820302216
  [GENERIC NETLINK HEADER] 4 octets
    .cmd = 7
    .version = 0
    .unused = 0
  [PAYLOAD] 28 octets
    08 00 01 00 00 00 00 00 09 00 04 00 6d 6f 6e 30 ............mon0
    00 00 00 00 08 00 05 00 06 00 00 00             ............
---------------------------  END NETLINK MESSAGE   ---------------------------
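To make the NETLINK side of that debug dump concrete, here is an added example (not code from iw, libnl or hcxdumptool) that decodes the 28 payload octets shown above as the flat nl80211 attribute list they are: NL80211_ATTR_WIPHY = 0, NL80211_ATTR_IFNAME = "mon0" and NL80211_ATTR_IFTYPE = 6 (NL80211_IFTYPE_MONITOR), carried under NL80211_CMD_NEW_INTERFACE (the .cmd = 7 in the generic netlink header). The constants are restated from linux/nl80211.h so it builds with libc only; the dump is assumed to come from a little-endian host, so fields are decoded little-endian; the genl family id 33 is dynamic and not needed for the decode.

```c
/* nl80211_attrs.c: decodes the 28-byte [PAYLOAD] of the iw --debug message
 * shown above. Added example, not code from iw or hcxdumptool. Constants are
 * the nl80211 values from <linux/nl80211.h>, restated so this builds with libc
 * only. The dump came from a little-endian host and netlink uses host byte
 * order, so fields are decoded little-endian here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NL80211_CMD_NEW_INTERFACE 7   /* the ".cmd = 7" in the generic netlink header */
#define NL80211_ATTR_WIPHY        1
#define NL80211_ATTR_IFNAME       4
#define NL80211_ATTR_IFTYPE       5
#define NL80211_IFTYPE_MONITOR    6
#define NLA_HDRLEN                4
#define NLA_ALIGN(n)              (((n) + 3u) & ~3u)
#define NLA_TYPE_MASK             0x3fff /* strips NLA_F_NESTED / NLA_F_NET_BYTEORDER */

/* Payload octets exactly as iw printed them on the page (after the 16-byte
 * netlink and 4-byte generic netlink headers). */
static const uint8_t IW_ADD_MON0_PAYLOAD[28] = {
    0x08,0x00,0x01,0x00, 0x00,0x00,0x00,0x00,                  /* ATTR_WIPHY  = 0           */
    0x09,0x00,0x04,0x00, 'm','o','n','0', 0x00,0x00,0x00,0x00, /* ATTR_IFNAME = "mon0" + pad */
    0x08,0x00,0x05,0x00, 0x06,0x00,0x00,0x00                   /* ATTR_IFTYPE = 6 (monitor) */
};

struct new_iface_req {
    int      has_wiphy, has_ifname, has_iftype;
    uint32_t wiphy, iftype;
    char     ifname[16];
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk a flat nlattr list. Returns the number of attributes consumed, or -1 if
 * an attribute header or value overruns the buffer (the kernel rejects such a
 * message instead of creating the interface). */
int parse_new_interface(const uint8_t *p, size_t len, struct new_iface_req *out)
{
    size_t off = 0;
    int count = 0;
    memset(out, 0, sizeof *out);
    while (off + NLA_HDRLEN <= len) {
        uint16_t nla_len  = le16(p + off);
        uint16_t nla_type = le16(p + off + 2) & NLA_TYPE_MASK;
        const uint8_t *val = p + off + NLA_HDRLEN;
        size_t vlen;
        if (nla_len < NLA_HDRLEN || off + nla_len > len) return -1;
        vlen = nla_len - NLA_HDRLEN;
        switch (nla_type) {
        case NL80211_ATTR_WIPHY:
            if (vlen != 4) return -1;
            out->wiphy = le32(val); out->has_wiphy = 1; break;
        case NL80211_ATTR_IFTYPE:
            if (vlen != 4) return -1;
            out->iftype = le32(val); out->has_iftype = 1; break;
        case NL80211_ATTR_IFNAME:
            if (vlen == 0 || vlen > sizeof out->ifname) return -1;
            memcpy(out->ifname, val, vlen);
            out->ifname[sizeof out->ifname - 1] = '\0'; /* force termination */
            out->has_ifname = 1; break;
        default: break;  /* unknown attribute: skipped, as the kernel does */
        }
        off += NLA_ALIGN(nla_len);
        count++;
    }
    return count;
}

/* Helpers over the embedded dump: parse only the first `len` octets (to show how
 * a truncated message is rejected) and check the decoded request. */
int page_payload_parse_count(size_t len)
{
    struct new_iface_req r;
    if (len > sizeof IW_ADD_MON0_PAYLOAD) len = sizeof IW_ADD_MON0_PAYLOAD;
    return parse_new_interface(IW_ADD_MON0_PAYLOAD, len, &r);
}

int page_payload_is_monitor_mon0(void)
{
    struct new_iface_req r;
    if (parse_new_interface(IW_ADD_MON0_PAYLOAD, sizeof IW_ADD_MON0_PAYLOAD, &r) != 3) return 0;
    return r.has_wiphy && r.wiphy == 0 && r.has_ifname && strcmp(r.ifname, "mon0") == 0
        && r.has_iftype && r.iftype == NL80211_IFTYPE_MONITOR;
}

int main(void)
{
    struct new_iface_req r;
    int n = parse_new_interface(IW_ADD_MON0_PAYLOAD, sizeof IW_ADD_MON0_PAYLOAD, &r);
    printf("cmd %d (NEW_INTERFACE), %d attributes: wiphy=%u ifname=%s iftype=%u%s\n",
           NL80211_CMD_NEW_INTERFACE, n, r.wiphy, r.ifname, r.iftype,
           r.iftype == NL80211_IFTYPE_MONITOR ? " (monitor)" : "");
    return n == 3 ? 0 : 1;
}
```

Every attribute is a 4-byte header plus a padded value that the kernel has to walk and validate before anything reaches the driver, on top of the netlink and generic netlink headers and the queue/ack round trip; that is the overhead the thread contrasts with a single ioctl() on the interface. The bounds checks also show why a short or malformed message is refused rather than acted on: the walker returns -1 instead of reading past the buffer.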

ghost (Author) commented Oct 24, 2021

Ok thank you

ZerBea (Owner) commented Oct 24, 2021

Also, you received a warning that hcxdumptool does not have full access to the adapter to control it:
warning possible interfere: wpa_supplicant is running with pid 5043
That is mandatory to set the channel!

ghost (Author) commented Oct 24, 2021

Also you received a warning that hcxdumptool has no full access to the adapter to control it: warning possible interfere: wpa_supplicant is running with pid 5043 That is mandatory to set the channel!

This appeared because the first time I ran the tool it was from an adb shell; now the WiFi is off and wpa_supplicant is off.

ZerBea (Owner) commented Oct 24, 2021

Please comment the output of --check_driver.

ghost (Author) commented Oct 24, 2021

This is the output of --check_driver and there is only one error; I think it is acceptable because the interface is already in monitor mode.

./hcxdumptool -i mon0 --check_driver
initialization of hcxdumptool 6.2.4-21-g0fe3b96...
starting driver test...
warning possible interfere: wpa_supplicant is running with pid 5043

interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls
several driver errors encountered during the test - monitor mode and ioctl() system calls failed

terminating...
1 driver error encountered

ZerBea (Owner) commented Oct 24, 2021

No, please do not run hcxdumptool on the monitor interface.
Remove mon0 and make sure the interface is managed.
Then run --check_driver!

ZerBea (Owner) commented Oct 24, 2021

Running hcxdumptool on the hardware interface will show exactly which ioctl() system calls are not supported by the driver.
This test is skipped when the interface is already in monitor mode.

ZerBea (Owner) commented Oct 24, 2021

If monitor mode was set before running hcxdumptool, all these tests are skipped:
interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls

ghost (Author) commented Oct 24, 2021

No, please do not run hcxdumptool on the monitor interface. Remove mon0 and make sure, interface is managed. Than run --check_driver!

Without the patch I got

# ./hcxdumptool -i wlan1 --check_driver
initialization of hcxdumptool 6.2.4-21-g0fe3b96...
starting driver test...
warning possible interfere: wpa_supplicant is running with pid 6798

failed to detect wlan interface: Operation not supported on transport endpoint
warning: failed to init socket

terminating...
1 driver error encountered
failed to restore old SIOCSIWMODE: No such device
failed to restore old SIOCSIFFLAGS and to bring interface up: No such device

With the patch (SIOCGIFNAME replaced with SIOCGIFINDEX) I got

# ./hcxdumptool -i wlan1 --check_driver
initialization of hcxdumptool 6.2.4-21-g0fe3b96...
starting driver test...
warning possible interfere: wpa_supplicant is running with pid 6798

failed to backup  current interface mode, ioctl(SIOCGIWMODE) not supported by driver: Operation not supported on transport endpoint
warning: failed to init socket

terminating...
1 driver error encountered
failed to restore old SIOCSIWMODE: Operation not supported on transport endpoint

No commands were executed on wlan1; it's the default interface created when I attach the USB adapter.

# iw dev
phy#13
	Interface wlan1
		ifindex 64
		wdev 0xd00000001
		addr c4:e9:XX:XX:XX:XX
		type managed

ghost (Author) commented Oct 24, 2021

After I removed all the code which sets monitor mode, it works when the interface is already in monitor mode; it's not perfect, but it is good for me.
It doesn't change the channel; I need to set it with iw dev mon0 set channel X. wpa_supplicant is down while testing.

ZerBea (Owner) commented Oct 24, 2021

Ok, thanks for the tests. Now we know that not all ioctl() system calls are supported.
It looks like the driver can be controlled by NETLINK only.
Unfortunately, there is nothing I can do, because using NETLINK is a "no go" for hcxdumptool.
Is the packet injection (-i mon0 --check_injection) working under NETLINK?

ghost (Author) commented Oct 24, 2021

Yes, injection works; I have always used it with aireplay-ng.

./hcxdumptool -i mon0 --check_injection
initialization of hcxdumptool 6.2.4-21-g0fe3b96...
warning possible interfere: wpa_supplicant is running with pid 6798

interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls
starting antenna test and packet injection test (that can take up to two minutes)...
available channels: packet injection is working on 2.4GHz!
injection ratio: 100% (BEACON: 12 PROBERESPONSE: 14)
your injection ratio is huge - say kids what time is it?
antenna ratio: 100% (NETWORK: 1 PROBERESPONSE: 1)
your antenna ratio is huge - say kids what time is it?
1 driver error encountered during the test

terminating...
1 driver error encountered

ZerBea (Owner) commented Oct 24, 2021

Looking good.
Let me think about how we can handle mon0 in a better way....

ghost (Author) commented Oct 24, 2021

Sure, my patch is temporary, just to understand if it works on Android and on a virtual interface.
I'd like to implement an improvement.
I don't understand why the channel switch doesn't work, but I think there will be a solution for this too.

ZerBea (Owner) commented Oct 24, 2021

Please try latest commit:
9babddc

Now we don't try to restore the settings on exit if the interface is already in monitor mode during init.

ZerBea (Owner) commented Oct 24, 2021

Removing the NETLINK detection is dangerous and will lead to many issue reports that some attacks are not working as expected or that channels couldn't be changed.

ghost (Author) commented Oct 24, 2021

Please try latest commit:

With the latest commit the errors on exit disappear, but I also have an issue on

if(ioctl(fd_socket, SIOCGIWNAME, &iwr) < 0)

which I replaced with

if(ioctl(fd_socket, SIOCGIFINDEX, &iwr) < 0)

I also have an issue with reading the monitor mode status

if(ioctl(fd_socket, SIOCGIWMODE, &iwr_old) < 0)

ZerBea (Owner) commented Oct 24, 2021

By this commit
ce29b49
I added a new option:

--force_interface                  : ignore all ioctl() warnings
                                     do not report issues, if attacks or channel switch is not working as expected

ghost (Author) commented Oct 24, 2021

Good, it works without the patch; I still have the issue with channel switching

./hcxdumptool --force_interface -i mon0 --enable_status=1
initialization of hcxdumptool 6.2.4-24-g5d12ed0...
warning possible interfere: wpa_supplicant is running with pid 8537

failed to detect wlan interface: Operation not supported on transport endpoint
failed to backup  current interface mode, ioctl(SIOCGIWMODE) not supported by driver: Operation not supported on transport endpoint
failed to get interface information, ioctl(SIOCGIWMODE) not supported by driver: Operation not supported on transport endpoint
failed to set monitor mode, ioctl(SIOCSIWMODE) not supported by driver: Operation not supported on transport endpoint
failed to get interface information, ioctl(SIOCGIWMODE) not supported by driver: Operation not supported on transport endpoint
warning: interface is not in monitor mode

start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
INTERFACE NAME............: mon0
INTERFACE PROTOCOL........: 
INTERFACE TX POWER........: 0 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: c4e9XXXXXXXX (not used for the attack)
INTERFACE VIRTUAL MAC.....: c4e9XXXXXXXX (not used for the attack)
DRIVER....................: ath9k_htc
DRIVER VERSION............: 3.18.113-perf-gc0cf2a6e
DRIVER FIRMWARE VERSION...: 1.3
openSSL version...........: 1.1
ERRORMAX..................: 100 errors
BPF code blocks...........: 0
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: 000c533734e2 (BROADCAST HIDDEN used for the attack)
ACCESS POINT (ROGUE)......: 000c533734e3 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 000c533734e4 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: b4e1eb81f0b8
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 62211
ANONCE....................: dff8054a7c59d773fd6d6784f6ae7bf667876dd1XXXXXXXXXXXXXXXXXXXX
SNONCE....................: aeacfde469b05a9807475b803e51b85befecdXXXXXXXXXXXXXXXXXXXX

15:33:03   5 7028XXXXXXXX b04eXXXXXXXX TESTNET [EAPOL:M1M2ROGUE EAPOLTIME:2523 RC:62211 KDV:2]

^C
terminating...
26 driver errors encountered
15 radiotap errors encountered
failed to restore old SIOCSIWMODE: Operation not supported on transport endpoint

ZerBea (Owner) commented Oct 24, 2021

I can't fix that issue, because these ioctl() calls aren't supported by the driver:
if(ioctl(fd_socket, SIOCSIWFREQ, &pwrq) < 0) return false;
if(ioctl(fd_socket, SIOCGIWFREQ, &pwrq) == 0) aktchannel = pwrq.u.freq.m;

I think we can close this issue, because doing channel switch by NETLINK is no option.
If you find an Android replacement for ioctl() SIOCSIWFREQ, please let me know.

@ZerBea ZerBea closed this as completed Oct 24, 2021
ghost (Author) commented Oct 24, 2021

The ath9k driver is the same one used on normal Linux.
The original hcxdumptool works on kernel 5.10 with the same USB WiFi interface.

ZerBea (Owner) commented Oct 24, 2021

Looks like the Android driver is compiled with a NETLINK dependency. I've seen something similar on the rt2800 driver, too:
#60

ZerBea (Owner) commented Oct 24, 2021

BTW:
The aircrack-ng suite has an option to compile without the NETLINK dependency. It can be disabled by passing --disable-libnl to configure. Then you can find out if airodump-ng is still able to switch channel.

ZerBea (Owner) commented Oct 24, 2021

Here is a nice example.
Set channel via NETLINK:
https://stackoverflow.com/questions/21846965/set-wireless-channel-using-netlink-api
(much overhead due to the additional NETLINK header; the message is enqueued)

vs. set channel via ioctl():

memset(&pwrq, 0, sizeof(pwrq));
strncpy(pwrq.ifr_name, interfacename, IFNAMSIZ -1);
pwrq.u.freq.flags = IW_FREQ_FIXED;
pwrq.u.freq.m = channelscanlist[cpa];
pwrq.u.freq.e = 0;
if(ioctl(fd_socket, SIOCSIWFREQ, &pwrq) < 0) return false;

(no overhead, immediate channel change)

BTW:
Doing the channel change via iw is not a solution, because hcxdumptool expects that the target will respond (on the same channel) after a request. That is not the case if an external tool changes the channel. Using --force_interface, this check is disabled, too:

here we set the channel:
if(ioctl(fd_socket, SIOCSIWFREQ, &pwrq) < 0) return false;

here we check that the interface is really on the channel we have set:

if(ioctl(fd_socket, SIOCGIWFREQ, &pwrq) == 0) aktchannel = pwrq.u.freq.m;
return true;

If this is not the case, we increase errorcount:
if(set_channel() == false) errorcount++;

By force_interface, we ignore this count:

	if(errorcount >= maxerrorcount)
		{
		fprintf(stderr, "\nmaximum number of errors is reached\n");
		if(forceinterfaceflag == false) globalclose();

That is dangerous and can cause hcxdumptool to jam a complete WiFi channel (transmitting requests as long as no response is received).
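Both the --check_driver probe discussed earlier in the thread (SIOCGIWNAME and SIOCGIWMODE failing with "Operation not supported on transport endpoint", i.e. EOPNOTSUPP) and the verified channel hop just described can be exercised with the following added example. It is not hcxdumptool's code. It assumes a Linux build with the kernel UAPI headers, an interface name passed on the command line, the usual 2.4/5 GHz channel-to-frequency mapping, and that cfg80211 answers SIOCGIWFREQ with the centre frequency in MHz and e == 6 (the function also accepts a plain channel number with e == 0, which is what hcxdumptool sends); setting the channel needs root (CAP_NET_ADMIN).

```c
/* wext_probe.c: added example, not hcxdumptool code. (1) issues the first WEXT
 * ioctls hcxdumptool's init uses (SIOCGIWNAME, SIOCGIWMODE), so that EOPNOTSUPP,
 * "Operation not supported on transport endpoint", reads as "no WEXT on this
 * netdev"; (2) hops channel via SIOCSIWFREQ and verifies it with SIOCGIWFREQ,
 * the check --force_interface disables. Linux only; the hop needs CAP_NET_ADMIN.
 * Build: cc -o wext_probe wext_probe.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <linux/if.h>
#include <linux/wireless.h>

/* IEEE 802.11 channel <-> centre frequency (MHz); -1 for anything else.
 * 2.4 GHz: 1..13 at 2407 + 5*ch, 14 at 2484; 5 GHz: 36..177 at 5000 + 5*ch. */
int channel_to_mhz(int ch)
{
    if (ch >= 1 && ch <= 13) return 2407 + 5 * ch;
    if (ch == 14) return 2484;
    if (ch >= 36 && ch <= 177) return 5000 + 5 * ch;
    return -1;
}
int mhz_to_channel(int mhz)
{
    if (mhz == 2484) return 14;
    if (mhz >= 2412 && mhz <= 2472 && (mhz - 2407) % 5 == 0) return (mhz - 2407) / 5;
    if (mhz >= 5180 && mhz <= 5885 && (mhz - 5000) % 5 == 0) return (mhz - 5000) / 5;
    return -1;
}

/* Normalise a WEXT iw_freq (value = m * 10^e Hz) to a channel number. e == 0
 * means m is already a channel number (what hcxdumptool sends); cfg80211 answers
 * SIOCGIWFREQ with m in MHz and e == 6 (assumed here, from wext-compat.c). */
int wext_freq_to_channel(int m, int e)
{
    long long mhz = m;
    int i;
    if (m <= 0 || e < 0) return -1;
    if (e == 0) return channel_to_mhz(m) > 0 ? m : -1;
    for (i = e; i < 6; i++) mhz /= 10;  /* e < 6: scale down to MHz */
    for (i = 6; i < e; i++) mhz *= 10;  /* e > 6: scale up to MHz */
    return mhz > 0x7fffffff ? -1 : mhz_to_channel((int)mhz);
}

struct wext_probe {
    int has_wext, in_monitor, err;  /* SIOCGIWNAME ok; mode == monitor; first errno */
    char proto[IFNAMSIZ];           /* e.g. "IEEE 802.11" */
};

/* EOPNOTSUPP from SIOCGIWNAME means the kernel has no wext handlers for this
 * netdev; on a mac80211 driver such as ath9k that points at CONFIG_CFG80211_WEXT unset. */
int wext_probe_iface(int fd, const char *ifname, struct wext_probe *out)
{
    struct iwreq iwr;
    memset(out, 0, sizeof *out);
    memset(&iwr, 0, sizeof iwr);
    strncpy(iwr.ifr_name, ifname, IFNAMSIZ - 1);
    if (ioctl(fd, SIOCGIWNAME, &iwr) < 0) { out->err = errno; return -1; }
    out->has_wext = 1;
    memcpy(out->proto, iwr.u.name, IFNAMSIZ);
    out->proto[IFNAMSIZ - 1] = '\0';
    if (ioctl(fd, SIOCGIWMODE, &iwr) < 0) { out->err = errno; return -1; }
    out->in_monitor = (iwr.u.mode == IW_MODE_MONITOR);
    return 0;
}

/* Hop to `channel` and confirm the driver really moved. 0 on verified success,
 * -1 with errno set otherwise; *actual gets the channel the driver reports. */
int wext_set_channel_verified(int fd, const char *ifname, int channel, int *actual)
{
    struct iwreq pwrq;
    *actual = -1;
    if (channel_to_mhz(channel) < 0) { errno = EINVAL; return -1; }
    memset(&pwrq, 0, sizeof pwrq);
    strncpy(pwrq.ifr_name, ifname, IFNAMSIZ - 1);
    pwrq.u.freq.flags = IW_FREQ_FIXED;
    pwrq.u.freq.m = channel;  /* e == 0: plain channel number */
    pwrq.u.freq.e = 0;
    if (ioctl(fd, SIOCSIWFREQ, &pwrq) < 0) return -1;
    if (ioctl(fd, SIOCGIWFREQ, &pwrq) < 0) return -1;
    *actual = wext_freq_to_channel(pwrq.u.freq.m, pwrq.u.freq.e);
    if (*actual != channel) { errno = EIO; return -1; }  /* driver did not follow: count it, never transmit */
    return 0;
}

int main(int argc, char **argv)
{
    struct wext_probe p;
    int fd, i, actual, errors = 0;
    if (argc < 2) { fprintf(stderr, "usage: %s <iface> [channel ...]\n", argv[0]); return 2; }
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("socket"); return 1; } /* any socket carries WEXT ioctls */
    if (wext_probe_iface(fd, argv[1], &p) < 0) {
        fprintf(stderr, "%s: %s%s\n", argv[1], strerror(p.err),
                p.err == EOPNOTSUPP ? " (no WEXT: check CONFIG_CFG80211_WEXT)" : "");
        close(fd);
        return 1;
    }
    printf("%s: %s, %s\n", argv[1], p.proto, p.in_monitor ? "monitor mode" : "not in monitor mode");
    for (i = 2; i < argc; i++) {
        int ch = atoi(argv[i]);
        if (wext_set_channel_verified(fd, argv[1], ch, &actual) == 0) printf("channel %d: ok\n", ch);
        else { printf("channel %d: failed, %s (driver reports %d)\n", ch, strerror(errno), actual); errors++; }
    }
    close(fd);
    return errors ? 1 : 0;
}
```

Run it as root against the hardware interface while it is still managed, e.g. ./wext_probe wlan1 1 6 11. On a kernel without CONFIG_CFG80211_WEXT the very first ioctl fails with EOPNOTSUPP, the same errno behind hcxdumptool's "failed to detect wlan interface" line, before any channel is touched; on a kernel with WEXT the program reports, per channel, whether the driver actually landed where it was told, which is exactly the mismatch hcxdumptool counts toward ERRORMAX and --force_interface ignores.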

ZerBea (Owner) commented Oct 25, 2021

Is CONFIG_CFG80211_WEXT=y present in your kernel defconfig file?
If you don't know where the defconfig file is located or how the kernel was compiled, just run iwlist or iwconfig.
If you get
wlan0 no wireless extensions.
then ioctl() calls are disabled by default.
This message is similar to hcxdumptool error message:
failed to detect wlan interface: Operation not supported on transport endpoint

ghost (Author) commented Oct 25, 2021

Is CONFIG_CFG80211_WEXT=y present in your kernel defconfig file?

Sorry for the long delay, and a big thank you for your work and your support. CONFIG_CFG80211_WEXT is not present in my kernel on Android.
I'm testing the latest commits and I will give you feedback asap.

My environment is:

  • TP-Link WN722N (Qualcomm driver ath9k), never an issue with aircrack-ng
  • Debian 11, kernel 5.10 => with this your tool works well; I need to create a virtual device in monitor mode and I only receive a warning that it is already in monitor mode, but after that everything works. I recovered many PMKIDs and many handshakes, so I decided to bring it to Android
  • LG G5 with Android 11, LineageOS 18.1, kernel 3.18.113 (maybe it's too old)

I have 2 Raspberry Pi Zeros (W and non-W); I'm evaluating using the W with the current USB adapter, or buying a device with a MediaTek MT601.

I will also try to enable CONFIG_CFG80211_WEXT

ghost (Author) commented Oct 25, 2021

I tested the latest commit and it works very well; with a virtual device created in monitor mode I got many PMKIDROGUE

ghost (Author) commented Oct 25, 2021

Channel switching apparently doesn't work (iw dev always shows 1), but when the tool shows information, the second column (now I understand it is the channel) has different numbers.

ZerBea (Owner) commented Oct 26, 2021

Part of my kernel default config:

$ zcat /proc/config.gz | grep 80211
CONFIG_CFG80211=m
# CONFIG_NL80211_TESTMODE is not set
# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=y
CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y
CONFIG_CFG80211_DEFAULT_PS=y
CONFIG_CFG80211_DEBUGFS=y
CONFIG_CFG80211_CRDA_SUPPORT=y
CONFIG_CFG80211_WEXT=y
CONFIG_CFG80211_WEXT_EXPORT=y
CONFIG_LIB80211=m
CONFIG_LIB80211_CRYPT_WEP=m
CONFIG_LIB80211_CRYPT_CCMP=m
CONFIG_LIB80211_CRYPT_TKIP=m
# CONFIG_LIB80211_DEBUG is not set
CONFIG_MAC80211=m
CONFIG_MAC80211_HAS_RC=y
CONFIG_MAC80211_RC_MINSTREL=y
CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
CONFIG_MAC80211_MESH=y
CONFIG_MAC80211_LEDS=y
CONFIG_MAC80211_DEBUGFS=y
# CONFIG_MAC80211_MESSAGE_TRACING is not set
# CONFIG_MAC80211_DEBUG_MENU is not set
CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
CONFIG_MAC80211_HWSIM=m

As you can see, WEXT is enabled:

CONFIG_CFG80211_WEXT=y
CONFIG_CFG80211_WEXT_EXPORT=y

CRDA is enabled, too:

CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y
CONFIG_CFG80211_CRDA_SUPPORT=y

It is mandatory to set the wireless regulatory domain. If the domain is unset (kernel default settings), hcxdumptool will not transmit on several channels (e.g. 12, 13, (14) and nearly all upper 5GHz channels).

ghost (Author) commented Oct 30, 2021

Today I compiled the kernel for Android and I added

CONFIG_CFG80211_WEXT=y

All errors on ioctls disappear; --check_driver works and gives me only a warning about "interface already in monitor mode".
Get channel works better: before it started from 0, now the first channel is 1.
CONFIG_CFG80211_WEXT_EXPORT exists only from kernel 4.xx and I have 3.18; my device is old.
I removed the --force_interface parameter from my run and it works. Sorry for my stupid issue, and thank you for all your help and suggestions.

ZerBea (Owner) commented Oct 30, 2021

No, it isn't a stupid issue. The problem is related to the maintainer of the kernel. If he decides to disable some values, some features will not work (as expected).
BTW:
With CONFIG_CFG80211_WEXT, hcxdumptool is able to set monitor mode itself and you don't need a third-party tool to do this.
In that case, the remaining warning "interface already in monitor mode" will disappear.
