T1: port StopTxBeacon — clears MAC 0x420[22] in monitor mode init#68
Merged
Conversation
T1 canary residual at MAC 0x420 byte 2: kernel `0x31` vs devourer
`0x71`. Bit 22 of REG_FWHW_TXQ_CTRL (= BIT6 of byte 2 = "HW treats
packet as real beacon" enable) was at the chip's reset-state 1 on
devourer, while kernel ran a setup that cleared it.
Root cause: upstream's `rtw_hal_set_hwreg(HW_VAR_NET_TYPE, ...)`
path (`hal_com.c:14283`) calls `StopTxBeacon(Adapter)` whenever the
MSR transitions to `_HW_STATE_NOLINK_` or `_HW_STATE_STATION_` and
no AP/mesh port is up. The body of `StopTxBeacon` (hal_com.c:14158):
rtw_write8(REG_FWHW_TXQ_CTRL + 2,
rtw_read8(REG_FWHW_TXQ_CTRL + 2) & ~BIT6);
rtw_write8(REG_TBTT_PROHIBIT + 1, TBTT_HOLD_STOP_BCN & 0xff);
rtw_write8(REG_TBTT_PROHIBIT + 2,
(rtw_read8(REG_TBTT_PROHIBIT + 2) & 0xf0) |
(TBTT_HOLD_STOP_BCN >> 8));
devourer's `_InitNetworkType_8812A` set MSR to NT_NO_LINK (PR #64)
but didn't call StopTxBeacon afterwards. Port the body inline so
monitor-mode init matches the kernel's MSR-transition handler.
`TBTT_PROHIBIT_HOLD_TIME_STOP_BCN = 0x64` (3.2 ms, 32 µs units) is
the canonical hold-time-when-stopping-beacon value from
`include/hal_com.h:341`.
Functional effect: monitor mode wasn't going to use HW beacon TX
either way, so the bit-state was cosmetic to live operation. The
fix is canary-parity only — closes another line of the T1 init-drift
diff against `aircrack-ng/88XXau`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
josephnef
force-pushed
the
t1-mac-420-stop-tx-beacon
branch
from
b6be1af to
de16c55
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes one more T1 canary-diff line. Pre-fix at any channel:
MAC 0x420 byte 2: kernel = 0x31, devourer = 0x71
Bit 22 (= BIT6 of byte 2 = "HW treats packet as real beacon" enable) was at the chip's reset-state 1 on devourer; kernel had it cleared by
StopTxBeacon.Root cause
Upstream's
rtw_hal_set_hwreg(HW_VAR_NET_TYPE, ...)path (hal_com.c:14283) callsStopTxBeacon(Adapter)whenever the MSR transitions to_HW_STATE_NOLINK_or_HW_STATE_STATION_and no AP/mesh port is up.StopTxBeaconbody (hal_com.c:14158):devourer's
_InitNetworkType_8812Aset MSR to NT_NO_LINK (PR #64) but didn't call StopTxBeacon afterwards. Port the body inline so monitor-mode init matches the kernel's MSR-transition handler.Test plan
DEVOURER_DUMP_CANARY=1at ch6 confirmsMAC 0x420now matches kernel0xFF311F00(was0xFF711F00). Verification pending: 8812 dongle dropped off USB during this PR's prep — re-plug + re-capture once the rig stabilises.🤖 Generated with Claude Code