From de16c557853c9ed5f94a8e695658ab169620c9ee Mon Sep 17 00:00:00 2001
From: Joseph <162703152+josephnef@users.noreply.github.com>
Date: Tue, 2 Jun 2026 17:29:53 +0300
Subject: [PATCH] HalModule: port StopTxBeacon — clears REG_FWHW_TXQ_CTRL[22] in monitor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

T1 canary residual at MAC 0x420 byte 2: kernel `0x31` vs devourer `0x71`.
Bit 22 of REG_FWHW_TXQ_CTRL (= BIT6 of byte 2 = "HW treats packet as real
beacon" enable) was at the chip's reset-state 1 on devourer, while kernel
ran a setup that cleared it.

Root cause: upstream's `rtw_hal_set_hwreg(HW_VAR_NET_TYPE, ...)` path
(`hal_com.c:14283`) calls `StopTxBeacon(Adapter)` whenever the MSR
transitions to `_HW_STATE_NOLINK_` or `_HW_STATE_STATION_` and no AP/mesh
port is up. The body of `StopTxBeacon` (hal_com.c:14158):

    rtw_write8(REG_FWHW_TXQ_CTRL + 2, rtw_read8(REG_FWHW_TXQ_CTRL + 2) & ~BIT6);
    rtw_write8(REG_TBTT_PROHIBIT + 1, TBTT_HOLD_STOP_BCN & 0xff);
    rtw_write8(REG_TBTT_PROHIBIT + 2, (rtw_read8(REG_TBTT_PROHIBIT + 2) & 0xf0) | (TBTT_HOLD_STOP_BCN >> 8));

devourer's `_InitNetworkType_8812A` set MSR to NT_NO_LINK (PR #64) but
didn't call StopTxBeacon afterwards. Port the body inline so monitor-mode
init matches the kernel's MSR-transition handler.
`TBTT_PROHIBIT_HOLD_TIME_STOP_BCN = 0x64` (3.2 ms, 32 µs units) is the
canonical hold-time-when-stopping-beacon value from `include/hal_com.h:341`.

Functional effect: monitor mode wasn't going to use HW beacon TX either way,
so the bit-state was cosmetic to live operation. The fix is canary-parity
only — closes another line of the T1 init-drift diff against
`aircrack-ng/88XXau`.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 src/HalModule.cpp | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/HalModule.cpp b/src/HalModule.cpp
index a9428d4..4c88780 100644
--- a/src/HalModule.cpp
+++ b/src/HalModule.cpp
@@ -1597,6 +1597,25 @@ void HalModule::_InitNetworkType_8812A() { auto value32 = _device.rtw_read32(REG_CR); value32 = (value32 & ~MASK_NETTYPE) | _NETTYPE(NT_NO_LINK); _device.rtw_write32(REG_CR, value32); + + /* Port of upstream `StopTxBeacon(Adapter)` (hal_com.c:14158). The + * kernel's `rtw_hal_set_hwreg(HW_VAR_NET_TYPE, ...)` path calls + * StopTxBeacon when MSR transitions to NO_LINK or STATION mode and + * no AP/mesh port is up. devourer skips this, which leaves + * `0x420[22]` (BIT6 of byte 2 = "HW treats packet as real beacon" + * enable) at the chip's reset-state 1. The T1 canary diff caught + * this as MAC 0x420 byte 2 = `0x71` (devourer) vs `0x31` (kernel). + * Also program TBTT hold-time-when-stopping-beacon to match. */ + uint8_t txqctl_b2 = _device.rtw_read8(REG_FWHW_TXQ_CTRL + 2); + _device.rtw_write8(REG_FWHW_TXQ_CTRL + 2, + static_cast(txqctl_b2 & ~BIT6)); + constexpr uint16_t TBTT_HOLD_STOP_BCN = 0x64; /* 3.2ms, unit 32us */ + _device.rtw_write8(REG_TBTT_PROHIBIT + 1, + static_cast(TBTT_HOLD_STOP_BCN & 0xFF)); + uint8_t tbtt_b2 = _device.rtw_read8(REG_TBTT_PROHIBIT + 2); + _device.rtw_write8(REG_TBTT_PROHIBIT + 2, + static_cast((tbtt_b2 & 0xF0) | + (TBTT_HOLD_STOP_BCN >> 8))); } void HalModule::_InitWMACSetting_8812A() {
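Review bot: the three `static_cast(...)` calls in this hunk appear without a template argument (`static_cast(txqctl_b2 & ~BIT6)`), which does not compile as written; if the `<uint8_t>` was lost in rendering that is fine, otherwise each needs `static_cast<uint8_t>(...)`. The hold-time constant is also declared as a function-local `constexpr uint16_t TBTT_HOLD_STOP_BCN = 0x64;` while the commit message cites the upstream name `TBTT_PROHIBIT_HOLD_TIME_STOP_BCN` from `include/hal_com.h:341`; defining it once in a shared header under the upstream name would keep the two from drifting and make the `0x64` traceable. Finally, upstream only runs this when no AP/mesh port is up, whereas the inline port is unconditional inside `_InitNetworkType_8812A`; the comment should say explicitly that this function is only reached on the monitor-mode init path, so a future caller does not silently stop beacon TX on an active AP port.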