diff --git a/README.md b/README.md index 6ea134c..a23f42e 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ zcu102_9371|[Xilinx ZCU102 board](https://www.xilinx.com/products/boards-and-kit [[Application notes](doc/app_notes/README.md)] ## Quick start -- Burn openwifi board specific img file (from the table) into a SD card ("Open With Disk Image Writer". Or "dd" command after unzip). The SD card has two partitions: BOOT and rootfs. You need to config the **correct files in the BOOT partition** according to the **board you have** by operation on your computer: +- Restore openwifi board specific img file (from the table) into a SD card. To do this, program "Disks" in Ubuntu can be used (Install: "sudo apt install gnome-disk-utility"). After restoring, the SD card should have two partitions: BOOT and rootfs. You need to config the **correct files in the BOOT partition** according to the **board you have** by operation on your computer: - Copy files in **openwifi/board_name** to the base directory of BOOT partition. - Copy **openwifi/zynqmp-common/Image** (zcu102 board) or **openwifi/zynq-common/uImage** (other boards) to the base directory of BOOT partition - Connect two antennas to RXA/TXA ports. Config the board to SD card boot mode (check the board manual). Insert the SD card to the board. Power on. 
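Review bot: the rewritten "Burn/Restore openwifi board specific img file" bullet drops the `dd` alternative, which was the only documented path for headless or non-Ubuntu hosts; suggest keeping it alongside the "Disks" instructions, e.g. "or write it with dd after unzipping". Minor wording in the same line: "You need to config the **correct files in the BOOT partition**" should read "configure", and "by operation on your computer" reads better as "from your computer".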
@@ -122,11 +122,13 @@ The board actually is an Linux/Ubuntu computer which is running **hostapd** to o Since the pre-built SD card image might not have the latest bug-fixes/updates, it is recommended to update the fpga bitstream on board. -- Install Vivado/SDK 2018.3 (If you don't need to generate new FPGA bitstream, WebPack version without license is enough) +- Install Vivado/SDK 2018.3 (Vivado Design Suite - HLx Editions - 2018.3 Full Product Installation. If you don't need to generate new FPGA bitstream, WebPack version without license is enough) - Setup environment variables (use absolute path): ``` - export XILINX_DIR=your_Xilinx_directory + export XILINX_DIR=your_Xilinx_install_directory + (Example: export XILINX_DIR=/opt/Xilinx. The Xilinx directory should include sth like: Downloads, SDK, Vivado, xic) export OPENWIFI_HW_DIR=your_openwifi-hw_directory + (The directory where you store the open-sdr/openwifi-hw repo via git clone) export BOARD_NAME=your_board_name ``` - Pick the FPGA bitstream from openwifi-hw, and generate BOOT.BIN and transfer it on board via ssh channel: @@ -181,7 +183,7 @@ Since the pre-built SD card image might not have the latest bug-fixes/updates, i ## Easy Access and etc - FPGA and driver on board update scripts - - Setup [ftp server](https://help.ubuntu.com/lts/serverguide/ftp-server.html) on PC, allow anonymous and change ftp root directory to the openwifi directory. + - Setup [ftp server](https://ubuntu.com/server/docs/service-ftp) on PC, allow anonymous and change ftp root directory to the openwifi directory. - On board: ``` ./sdcard_boot_update.sh $BOARD_NAME 
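Review bot: the two explanatory lines added inside the fenced command block, "(Example: export XILINX_DIR=/opt/Xilinx. The Xilinx directory should include sth like: Downloads, SDK, Vivado, xic)" and "(The directory where you store the open-sdr/openwifi-hw repo via git clone)", will be executed as commands if a reader pastes the block into a shell; prefix them with `#` so they are shell comments, or move them below the block as prose. Also spell out "sth" as "something".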
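Review bot: the ftp bullet in the "Easy Access and etc" hunk still tells readers to "allow anonymous and change ftp root directory to the openwifi directory" without any scoping; an anonymous FTP server rooted at that directory is readable by every host that can reach the PC, so the doc should say to bind it to the interface facing the board (the 192.168.10.x link used elsewhere in the README) or to stop it once the on-board update is done. The link update itself is fine.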
@@ -198,7 +200,7 @@ Since the pre-built SD card image might not have the latest bug-fixes/updates, i - Insert the SD card to your Linux PC. Find out the mount point (that has two sub directories BOOT and rootfs), and setup environment variables (use absolute path): ``` export SDCARD_DIR=sdcard_mount_point - export XILINX_DIR=your_Xilinx_directory + export XILINX_DIR=your_Xilinx_install_directory export OPENWIFI_HW_DIR=your_openwifi-hw_directory export BOARD_NAME=your_board_name ``` diff --git a/doc/app_notes/README.md b/doc/app_notes/README.md index 8f6882f..2b14486 100644 --- a/doc/app_notes/README.md +++ b/doc/app_notes/README.md @@ -10,8 +10,10 @@ Application notes collect many small topics about using openwifi in different sc - [Communication between two SDR boards under AP and client mode](ap-client-two-sdr.md) - [Communication between two SDR boards under ad-hoc mode](ad-hoc-two-sdr.md) - [From CSI (Channel State Information) to CSI (Chip State Information)](csi.md) +- [WiFi CSI radar via self CSI capturing](radar-self-csi.md) - [Capture IQ sample, AGC gain, RSSI with many types of trigger condition](iq.md) - [Capture dual antenna TX/RX IQ for multi-purpose (capture collision)](iq_2ant.md) +- [WiFi packet and IQ sample self loopback test (over-the-air and FPGA internal)](packet-iq-self-loopback-test.md) - [IEEE 802.11n (Wi-Fi 4)](ieee80211n.md) - [802.11 packet injection and fuzzing](inject_80211.md) - [CSI fuzzer](csi_fuzzer.md) diff --git a/doc/app_notes/csi-screen-shot-radar-matlab.jpg b/doc/app_notes/csi-screen-shot-radar-matlab.jpg new file mode 100644 index 0000000..b3b7efd Binary files /dev/null and b/doc/app_notes/csi-screen-shot-radar-matlab.jpg differ diff --git a/doc/app_notes/csi-screen-shot-radar.jpg b/doc/app_notes/csi-screen-shot-radar.jpg new file mode 100644 index 0000000..47a6b0e Binary files /dev/null and b/doc/app_notes/csi-screen-shot-radar.jpg differ diff --git a/doc/app_notes/iq.md b/doc/app_notes/iq.md index bd11a4e..585194b 100644 
--- a/doc/app_notes/iq.md +++ b/doc/app_notes/iq.md @@ -7,6 +7,8 @@ SPDX-License-Identifier: AGPL-3.0-or-later We implement the **IQ sample capture** with interesting extensions: many **trigger conditions**; **RSSI**, RF chip **AGC** **status (lock/unlock)** and **gain**. +(By default, openwifi Rx baseband is muted during self Tx, to unmute Rx baseband and capture self Tx signal you need to run "./sdrctl dev sdr0 set reg xpu 1 1" after the test running) + ## Quick start - Power on the SDR board. - Connect a computer to the SDR board via Ethernet cable. The computer should have static IP 192.168.10.1. Open a terminal on the computer, and then in the terminal: diff --git a/doc/app_notes/iq_2ant.md b/doc/app_notes/iq_2ant.md index a99a9d9..6799098 100644 --- a/doc/app_notes/iq_2ant.md +++ b/doc/app_notes/iq_2ant.md @@ -7,6 +7,8 @@ SPDX-License-Identifier: AGPL-3.0-or-later Instead of [**normal IQ sample capture**](iq.md), this app note introduces how to enable the I/Q capture for dual antennas. Besides the I/Q from the main antenna (that is selected by baseband), the I/Q samples from the other antenna (monitoring antenna) is captured as well (coherently synchronized) in this dual antenna mode. You are suggested to read the [**normal IQ sample capture**](iq.md) to understand how we use the side channel to capture I/Q samples by different trigger conditions. +(By default, openwifi Rx baseband is muted during self Tx, to unmute Rx baseband and capture self Tx signal you need to run "./sdrctl dev sdr0 set reg xpu 1 1" after the test running) + This feature also support capturing TX I/Q (loopback) to test the baseband transmitter. - [[Quick start for collision capture](#Quick-start-for-collision-capture)] diff --git a/doc/app_notes/openwifi-iq-loopback.jpg b/doc/app_notes/openwifi-iq-loopback.jpg new file mode 100644 index 0000000..365910a Binary files /dev/null and b/doc/app_notes/openwifi-iq-loopback.jpg differ 
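Review bot: the added note in iq.md is a comma splice with a grammar slip ("...muted during self Tx, to unmute Rx baseband and capture self Tx signal you need to run ... after the test running"); suggest "By default the openwifi Rx baseband is muted during self Tx. To unmute it and capture the self Tx signal, run `./sdrctl dev sdr0 set reg xpu 1 1` after the test is running." It would also help to state how to return to the default muted behaviour afterwards, since an unmuted baseband left in place will keep the self Tx signal in later captures.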
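Review bot: the note added to iq_2ant.md is the same comma-spliced sentence as the one added to iq.md ("...muted during self Tx, to unmute Rx baseband ... after the test running"); fix the grammar here as well ("To unmute it and capture the self Tx signal, run ... after the test is running") and keep the two copies identical, or link to one of them, so they do not drift apart in later edits.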
diff --git a/doc/app_notes/openwifi-loopback-principle.jpg b/doc/app_notes/openwifi-loopback-principle.jpg new file mode 100644 index 0000000..6388963 Binary files /dev/null and b/doc/app_notes/openwifi-loopback-principle.jpg differ diff --git a/doc/app_notes/openwifi-radar.jpg b/doc/app_notes/openwifi-radar.jpg new file mode 100644 index 0000000..43e2692 Binary files /dev/null and b/doc/app_notes/openwifi-radar.jpg differ diff --git a/doc/app_notes/packet-iq-self-loopback-test.md b/doc/app_notes/packet-iq-self-loopback-test.md new file mode 100644 index 0000000..0cace46 --- /dev/null +++ b/doc/app_notes/packet-iq-self-loopback-test.md 
@@ -0,0 +1,115 @@ + + +One super power of the openwifi platform is "**Full Duplex**" which means that openwifi baseband can receive its own TX signal. +This makes the IQ sample and WiFi packet self loopback test possible. Reading the normal IQ sample capture [app note](iq.md) will help if you have issue or +want to understand openwifi side channel (for IQ and CSI) deeper. +![](./openwifi-loopback-principle.jpg) + +[[IQ self loopback quick start](#IQ-self-loopback-quick-start)] +[[Check the packet loopback on board](#Check-the-packet-loopback-on-board)] +[[Self loopback config](#Self-loopback-config)] + +## IQ self loopback quick start +(Please replace the IQ length **8187** by **4095** if you use low end FPGA board: zedboard/adrv9464z7020/antsdr/zc702) +- Power on the SDR board. +- Put the Tx and Rx antenna as close as possible. +- Connect a computer to the SDR board via Ethernet cable. The computer should have static IP 192.168.10.1. Open a terminal on the computer, and then in the terminal: + ``` + ssh root@192.168.10.122 + (password: openwifi) + cd openwifi + ./wgd.sh + (Bring up the openwifi NIC sdr0) + ./monitor_ch.sh sdr0 44 + (Setup monitor mode in WiFi channel 44. You should find a channel as clean as possible in your location) + insmod side_ch.ko iq_len_init=8187 + ./side_ch_ctl wh11d0 + (Set 0 to register 11. It means the pre trigger length is 0, so we only capture IQ after trigger condition is met) + ./side_ch_ctl wh8d16 + (Set 16 to register 8 -- set trigger condition to phy_tx_started signal from openofdm tx core) + ./sdrctl dev sdr0 set reg xpu 1 1 + (Unmute the baseband self-receiving to receive openwifi own TX signal/packet -- important for self loopback!) + ./side_ch_ctl wh5h0 + (Set the loopback mode to over-the-air) + ./side_ch_ctl g0 + (Relay the FPGA IQ capture to the host computer that will show the captured IQ later on) + ``` + You should see on outputs like: + ``` + loop 22848 side info count 0 + loop 22912 side info count 0 + ... 
+ ``` + Now the count is always 0, because we haven't instructed openwifi to send packet for loopback test. + +- Leave above ssh session untouched. Open a new ssh session to the board from your computer. Then run on board: + ``` + cd openwifi/inject_80211/ + make + (Build our example packet injection program) + ./inject_80211 -m n -r 5 -n 1 sdr0 + (Inject one packet to openwifi sdr0 NIC) + ``` + Normally in the previous ssh session, the count becomes 1. It means one packet (of IQ sample) is sent and captured via loopback over the air. + +- On your computer (NOT ssh onboard!), run: + ``` + cd openwifi/user_space/side_ch_ctl_src + python3 iq_capture.py 8187 + ``` + You might need to install beforehand: "sudo apt install python3-numpy", and "sudo apt install python3-matplotlib". + +- Leave the above host session untouched. Let's go to the second ssh session (packet injection), and do single packet Tx again: + ``` + ./inject_80211 -m n -r 5 -n 1 sdr0 + ``` + Normally in the 1st ssh session, the count becomes 2. You should also see IQ sample capture figures like this: + ![](./openwifi-iq-loopback.jpg) + +- Stop the python3 script, which plots above, in the host session. A file **iq.txt** is generated. You can use the Matlab script test_iq_file_display.m +to do further offline analysis, or feed the IQ sample to the openwifi receiver simulation, etc. + +## Check the packet loopback on board + +- While signal/packet is looped back, you can capture it on board via normal sniffer program for further check/analysis on the packet (bit/byte level instead of IQ level), such as tcpdump or tshark. + A new ssh session to the board should be opened to do this before running the packet injection: + ``` + tcpdump -i sdr0 + ``` + Run the packet injection "./inject_80211 -m n -r 5 -n 1 sdr0" in another session, you should see the packet information printed by tcpdump from self over-the-air loopback. 
+ +- You can also see the openwifi printk message of Rx packet (self Tx looped back) while the packet comes to the openwifi Rx interrupt. + A new ssh session to the board should be opened to do this before running the packet injection: + ``` + cd openwifi + ./sdrctl dev sdr0 set reg drv_rx 7 7 + ./sdrctl dev sdr0 set reg drv_tx 7 7 + (Turn on the openwifi Tx/Rx printk logging) + ``` + Stop the "./side_ch_ctl g0" in the very first ssh session. Run the packet injection, then check the printk message: + ``` + ./inject_80211/inject_80211 -m n -r 5 -n 1 sdr0 + dmesg + ``` + You should see the printk message of packet Tx and Rx from the openwifi driver (sdr.c). + +## Self loopback config + +- By default, the loopback is via the air (from Tx antenna to Rx antenna). FPGA inernal loopback option is offered to have IQ sample and packet without + any interference. To have FPGA internal loopback, replace the "./side_ch_ctl wh5h0" during setup (the very 1st ssh session) by: + ``` + ./side_ch_ctl wh5h4 + ``` +- Lots of packet injection parameters can be set: number of packet, type (data/control/management), MCS/rate, size, interval, etc. Please run the packet injection + program without any arguments to see the help. + +- Besides the packet Tx via injection over monitor mode for loopback test, normal WiFi mode (AP/Client/ad-hoc) can also run together with self loopback. + For instance, run **fosdem.sh** instead of **wgd.sh** to setup an openwifi AP that will transmit beacons. The wgd.sh can also be replaced with other scenario + setup scripts. Please check [Application notes](README.md) + +- To understand deeper of all above commands/settings, please refer to [Capture IQ sample, AGC gain, RSSI with many types of trigger condition](iq.md) and + [Capture dual antenna TX/RX IQ for multi-purpose (capture collision)](iq_2ant.md) diff --git a/doc/app_notes/radar-self-csi.md b/doc/app_notes/radar-self-csi.md new file mode 100644 index 0000000..d8c940d --- /dev/null 
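Review bot: several typos and one copy-paste hazard in the new packet-iq-self-loopback-test.md: "FPGA inernal loopback" should be "internal", "if you have issue" should be "issues", "You should see on outputs like" should be "You should see output like", "To understand deeper of all above commands/settings" should be "To understand all of the above commands/settings in more depth", and the last bullet's "Please check [Application notes](README.md)" is missing its full stop. The hazard: the parenthesised explanations inside the fenced command blocks, such as "(Bring up the openwifi NIC sdr0)" and "(Set 0 to register 11. ...)", are executed as commands if the block is pasted into the ssh session; prefix them with `#` so the blocks remain safe to paste.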
+++ b/doc/app_notes/radar-self-csi.md 
@@ -0,0 +1,51 @@ + + +One super power of the openwifi platform is "**Full Duplex**" which means that openwifi baseband can receive its own TX signal. Just like a radar! This brings a unique capability of "**joint radar and communication**" to openwifi. For instance, put two directional antennas to openwifi TX and RX, and the **CSI** (Channel State Information) of the self-TX signal will refect the change of the target object. + ![](./openwifi-radar.jpg) + +## Quick start +- Power on the SDR board. +- Connect a computer to the SDR board via Ethernet cable. The computer should have static IP 192.168.10.1. Open a terminal on the computer, and then in the terminal: + ``` + ssh root@192.168.10.122 + (password: openwifi) + cd openwifi + ./fosdem.sh + (After the AP started by above command, you can connect a WiFi client to this openwifi AP) + (Or setup other scenario according to your requirement) + ./ifconfig + (Write down the openwifi AP MAC address. For example 66:55:44:33:22:5a) + insmod side_ch.ko num_eq_init=0 + ./side_ch_ctl wh1h4001 + ./side_ch_ctl wh7h4433225a + (Above two commands ensure receiving CSI only from XX:XX:44:33:22:5a. In this case, it is the openwifi self-TX) + ./sdrctl dev sdr0 set reg xpu 1 1 + (Above unmute the baseband self-receiving to receive openwifi own TX signal/packet) + ./side_ch_ctl g0 + ``` + You should see on board outputs like: + ``` + loop 64 side info count 4 + loop 128 side info count 5 + ... + ``` + If the second number (4, 5, ...) keeps increasing, that means the CSI is going to the computer smoothly. + +- On your computer (NOT ssh onboard!), run: + ``` + cd openwifi/user_space/side_ch_ctl_src + python3 side_info_display.py 0 + ``` + The python script needs "matplotlib.pyplot" and "numpy" packages installed. Now you should see figures showing run-time **CSI** and **frequency offset**. Meanwhile the python script prints the **timestamp**. 
+ ![](./csi-screen-shot-radar.jpg) + + While running, all CSI data is also stored into a file **side_info.txt**. A matlab script **test_side_info_file_display.m** is offered to help you do CSI analysis offline. In this case, run **test_side_info_file_display(0)** in Matlab. + ![](./csi-screen-shot-radar-matlab.jpg) + +Please learn the python and Matlab script for CSI data structure per packet according to your requirement. + +Do read the [normal CSI app note](csi.md) to understand the basic implementation architecture. diff --git a/doc/publications.md b/doc/publications.md index 26fe574..fb89456 100644 --- a/doc/publications.md +++ b/doc/publications.md 
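Review bot: in the new radar-self-csi.md, "will refect the change of the target object" should be "reflect", and "./ifconfig" in the command block looks like a typo for the system `ifconfig` (every other `./` command there is a script shipped in the openwifi directory); if an ifconfig wrapper really lives there, say so, otherwise drop the "./". Since the block publishes the default credential "(password: openwifi)", add a sentence advising readers to change the root password on first login, as the board is reachable by any host on that Ethernet segment.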
@@ -9,21 +9,22 @@ If your work uses openwifi, please cite the first VTC2020 openwifi paper: [LaTex You can also cite openwifi github code: [LaTex example](cite-openwifi-github-code.md). Other openwifi related publications: -- [VTC2020 spring Antwerp. openwifi: a free and open-source IEEE802.11 SDR implementation on SoC](https://www.orca-project.eu/wp-content/uploads/sites/4/2020/03/openwifi-vtc-antwerp-PID1249076.pdf) -- [ORCA project opencall: CSI MURDER](https://ans.unibs.it/projects/csi-murder/) -- [ELSEVIER Computer Networks, 2021. IEEE 802.11 CSI randomization to preserve location privacy: An empirical evaluation in different scenarios](https://www.sciencedirect.com/science/article/abs/pii/S138912862100102X) -- [ICIT2021. Enabling TSN over IEEE 802.11: Low-overhead Time Synchronization for Wi-Fi Clients](https://biblio.ugent.be/publication/8700714/file/8700715.pdf) -- [ACM WiSec 2021. Openwifi CSI fuzzer for authorized sensing and covert channels](https://dl.acm.org/doi/pdf/10.1145/3448300.3468255) -- [Microwaves&RF, 2021. Wireless Time-Sensitive Networks: When Every Microsecond Counts](https://www.mwrf.com/technologies/systems/article/21164984/wireless-timesensitive-networks-when-every-microsecond-counts) -- [CNERT2021. High precision time synchronization on Wi-Fi based multi-hop network](https://biblio.ugent.be/publication/8709058/file/8709060.pdf) -- [Blackhat asia 2021, OWFuzz: WiFi Protocol Fuzzing Tool Based on OpenWiFi](https://www.blackhat.com/asia-21/arsenal/schedule/#owfuzz-wifi-protocol-fuzzing-tool-based-on-openwifi-22569), [[**code**]](https://github.com/alipay/Owfuzz) -- [UGent master thesis 2021. The initial 802.11n 2*2 MIMO and diversity (CSD/Combining) work by Cedric Den Haese](https://users.ugent.be/~xjiao/Cedric_Den_Haese_masterproef.pdf) -- [UGent master thesis 2021. 
IEEE 802.11 Physical Layer Fuzzing Using OpenWifi by Steven Heijse](https://users.ugent.be/~xjiao/Steven_Heijse_masterproef.pdf) -- [Interoperable Time-Sensitive Networking Towards 6G (invited presentation)](https://biblio.ugent.be/publication/8719532/file/8719533.pdf) -- [Arxiv. A Just-In-Time Networking Framework for Minimizing Request-Response Latency of Wireless Time-Sensitive Applications](https://arxiv.org/abs/2109.03032) -- [Wireless Personal Communications (2021). Bringing Time-Sensitive Networking to Wireless Professional Private Networks](https://link.springer.com/article/10.1007/s11277-021-09056-0) -- [MethodsX. A novel method for utilizing RF information from IEEE 802.11 frames in Software Defined Networks](https://www.sciencedirect.com/science/article/pii/S2215016121003368) -- [IEEE Transactions on Industrial Informatics. Hardware Efficient Clock Synchronization across Wi-Fi and Ethernet Based Network Using PTP](https://ieeexplore.ieee.org/document/9573364) -- [INFOCOM 2022. ChARM: NextG Spectrum Sharing Through Data-Driven Real-Time O-RAN Dynamic Control](https://ece.northeastern.edu/wineslab/papers/BaldesiInfocom22.pdf) +- [Xianjun Jiao, et al. openwifi: a free and open-source IEEE802.11 SDR implementation on SoC. VTC2020 spring Antwerp](https://www.orca-project.eu/wp-content/uploads/sites/4/2020/03/openwifi-vtc-antwerp-PID1249076.pdf) +- [Marco Cominelli, et al. CSI MURDER. ORCA project opencall 2019](https://ans.unibs.it/projects/csi-murder/) +- [Marco Cominelli, et al. IEEE 802.11 CSI randomization to preserve location privacy: An empirical evaluation in different scenarios. ELSEVIER Computer Networks, 2021](https://www.sciencedirect.com/science/article/abs/pii/S138912862100102X) +- [Jetmir Haxhibeqiri, et al. Enabling TSN over IEEE 802.11: Low-overhead Time Synchronization for Wi-Fi Clients. ICIT2021](https://biblio.ugent.be/publication/8700714/file/8700715.pdf) +- [Xianjun Jiao, et al. 
Openwifi CSI fuzzer for authorized sensing and covert channels. ACM WiSec 2021](https://dl.acm.org/doi/pdf/10.1145/3448300.3468255) +- [Ingrid Moerman, et al. Wireless Time-Sensitive Networks: When Every Microsecond Counts. Microwaves&RF, 2021](https://www.mwrf.com/technologies/systems/article/21164984/wireless-timesensitive-networks-when-every-microsecond-counts) +- [Muhammad Aslam, et al. High precision time synchronization on Wi-Fi based multi-hop network. CNERT2021](https://biblio.ugent.be/publication/8709058/file/8709060.pdf) +- [Hongjian Cao, et al. OWFuzz: WiFi Protocol Fuzzing Tool Based on OpenWiFi. Blackhat asia 2021](https://www.blackhat.com/asia-21/arsenal/schedule/#owfuzz-wifi-protocol-fuzzing-tool-based-on-openwifi-22569), [[**code**]](https://github.com/alipay/Owfuzz) +- [Cedric Den Haese, The initial 802.11n 2*2 MIMO and diversity (CSD/Combining) work. UGent master thesis 2021](https://users.ugent.be/~xjiao/Cedric_Den_Haese_masterproef.pdf) +- [Steven Heijse, IEEE 802.11 Physical Layer Fuzzing Using OpenWifi. UGent master thesis 2021](https://users.ugent.be/~xjiao/Steven_Heijse_masterproef.pdf) +- [Ingrid Moerman, et al. Interoperable Time-Sensitive Networking Towards 6G (invited presentation)](https://biblio.ugent.be/publication/8719532/file/8719533.pdf) +- [Lihao Zhang, et al. A Just-In-Time Networking Framework for Minimizing Request-Response Latency of Wireless Time-Sensitive Applications. Arxiv 2021](https://arxiv.org/abs/2109.03032) +- [Jetmir Haxhibeqiri, et al. Bringing Time-Sensitive Networking to Wireless Professional Private Networks. Wireless Personal Communications 2021](https://link.springer.com/article/10.1007/s11277-021-09056-0) +- [Paul Zanna, et al. A novel method for utilizing RF information from IEEE 802.11 frames in Software Defined Networks. MethodsX 2021](https://www.sciencedirect.com/science/article/pii/S2215016121003368) +- [Muhammad Aslam, et al. 
Hardware Efficient Clock Synchronization across Wi-Fi and Ethernet Based Network Using PTP. IEEE Transactions on Industrial Informatics 2021](https://ieeexplore.ieee.org/document/9573364) +- [Luca Baldesi, et al. ChARM: NextG Spectrum Sharing Through Data-Driven Real-Time O-RAN Dynamic Control. INFOCOM 2022](https://ece.northeastern.edu/wineslab/papers/BaldesiInfocom22.pdf) +- [Zelin Yun, et al. RT-WiFi on Software-Defined Radio: Design and Implementation. accepted RTAS2022 paper and demo](https://arxiv.org/abs/2203.10390) **Openwifi was born in ORCA project (EU's Horizon2020 programme under agreement number 732174).** diff --git a/doc/videos.md b/doc/videos.md index ce46139..2c0677e 100644 --- a/doc/videos.md +++ b/doc/videos.md 
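Review bot: the rewritten publication list mixes two entry shapes, "Author, et al. Title. Venue Year" for most items but "Cedric Den Haese, The initial ... UGent master thesis 2021" with a comma for the two theses, and the last entry's "accepted RTAS2022 paper and demo" does not follow the "Venue Year" form used everywhere else; pick one shape. Also normalise capitalisation: "ELSEVIER Computer Networks" to "Elsevier Computer Networks" and "Blackhat asia 2021" to "Black Hat Asia 2021".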
@@ -2,9 +2,10 @@ - FOSDEM2020 presentation [[Youtube](https://youtu.be/Mq48cGthk7M)], [[link for CHN user](https://www.zhihu.com/zvideo/1280673506397425664)] - Low latency for gaming and general introduction [[Youtube](https://youtu.be/Notn9X482LI)], [[link for CHN user](https://www.zhihu.com/zvideo/1273823153371385856)] - CSI (Channel State Information) [[Youtube](https://youtu.be/DanB1ClVamU)], [[link for CHN user](https://www.zhihu.com/zvideo/1297662571618148352)] -- FOSDEM2021 presentation [[Flash back](https://twitter.com/jxjputaoshu/status/1358462741703491584?s=20)], [[link for CHN user](https://www.zhihu.com/zvideo/1340748826311974912)]; [[Presentation](https://mirror.as35701.net/video.fosdem.org/2021/D.radio/fsr_openwifi_opensource_wifi_chip.webm)], [[link for CHN user](https://www.zhihu.com/zvideo/1345036055104360448)] +- FOSDEM2021 presentation [[Flash back](https://twitter.com/jxjputaoshu/status/1358462741703491584?s=20)], [[link for CHN user](https://www.zhihu.com/zvideo/1340748826311974912)]; [[Presentation](https://video.fosdem.org/2021/D.radio/fsr_openwifi_opensource_wifi_chip.webm)], [[link for CHN user](https://www.zhihu.com/zvideo/1345036055104360448)] - FSF Libreplanet 2021 presentation [[Official](https://media.libreplanet.org/u/libreplanet/m/openwifi-project-the-dawn-of-the-free-libre-wifi-chip/)], [[LinuxReviews](https://linuxreviews.org/Openwifi_project:_The_dawn_of_the_free/libre_WiFi_chip)], [[link for CHN user](https://www.zhihu.com/zvideo/1373649688906883072)] - Openwifi industrial real-time high reliable low latency applications (EU Horizon 2020 SHOP4CF project) [[Youtube](https://youtu.be/p7zkkdMvPNc)], [[link for CHN user](https://www.zhihu.com/zvideo/1378413483944538113)] - CSI fuzzer [[Youtube](https://youtu.be/aOPYwT77Qdw)], [[link for CHN user](https://www.zhihu.com/zvideo/1378409348163506177)] - NGI zero, nlnet online session on future of European open hardware 
[[Session](https://nlnet.nl/news/2021/20210507-NGI-Zero-workshop-open-hardware.html)], [[Original record](https://archive.org/details/ngiforum-open-hardware-workshop-ngizero)], [[Youtube](https://youtu.be/m9Tw5VuHAfk)], [[link for CHN user](https://www.zhihu.com/zvideo/1379302398096285696)] - High Precision Time Synchronization on Wi-Fi based Multi-Hop Network [[Youtube](https://youtu.be/m5ryRArbdC8)], [[link for CHN user](https://www.zhihu.com/zvideo/1418222775224492032)] +- FOSDEM2022 presentation [[Presentation](https://video.fosdem.org/2022/D.radio/radio_openwifi.webm)], [[link for CHN user](https://www.bilibili.com/video/BV12b4y1j7YK?share_source=copy_web)] diff --git a/user_space/inject_80211/inject_80211.c b/user_space/inject_80211/inject_80211.c index 7609e36..cc189bc 100644 --- a/user_space/inject_80211/inject_80211.c +++ b/user_space/inject_80211/inject_80211.c @@ -24,6 +24,9 @@ #include "inject_80211.h" #include "radiotap.h" +#define BUF_SIZE_MAX (1536) +#define BUF_SIZE_TOTAL (BUF_SIZE_MAX+1) // +1 in case the sprintf insert the last 0 + /* wifi bitrate to use in 500kHz units */ static const u8 u8aRatesToUse[] = { 6*2, 
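Review bot: the comment on `BUF_SIZE_TOTAL (BUF_SIZE_MAX+1) // +1 in case the sprintf insert the last 0` describes a certainty as a possibility: sprintf always writes the terminating NUL, so the extra byte is required, not a precaution; reword to "+1 for the NUL that sprintf appends after the payload". Consider also deriving the size of `rand_char` (declared as 1484 in main) from these constants, since the two limits are related only by hand-counting at the moment.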
@@ -58,15 +61,37 @@ static const u8 u8aRadiotapHeader[] = #define MCS_RATE_OFFSET 0x1b /* IEEE80211 header */ -static const u8 ieee_hdr[] = +static u8 ieee_hdr_data[] = { - 0x08, 0x01, 0x00, 0x00, // FC 0x0801. 0--subtype; 8--type&version; 01--toDS1 fromDS0 (data packet to DS) + 0x08, 0x02, 0x00, 0x00, // FC 0x0801. 0--subtype; 8--type&version; 02--toDS0 fromDS1 (data packet from DS to STA) 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, // BSSID/MAC of AP 0x66, 0x55, 0x44, 0x33, 0x22, 0x22, // Source address (STA) 0x66, 0x55, 0x44, 0x33, 0x22, 0x33, // Destination address (another STA under the same AP) 0x10, 0x86, // 0--fragment number; 0x861=2145--sequence number }; +static u8 ieee_hdr_mgmt[] = +{ + 0x00, 0x00, 0x00, 0x00, // FC 0x0000. 0--subtype; 0--type&version; + 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, // BSSID/MAC of AP + 0x66, 0x55, 0x44, 0x33, 0x22, 0x22, // Source address (STA) + 0x66, 0x55, 0x44, 0x33, 0x22, 0x33, // Destination address (another STA under the same AP) + 0x10, 0x86, // 0--fragment number; 0x861=2145--sequence number +}; + +static u8 ieee_hdr_ack_cts[] = +{ + 0xd4, 0x00, 0x00, 0x00, // FC 0xd400. d--subtype; 4--type&version; + 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, // mac addr of the peer +}; + +static u8 ieee_hdr_rts[] = +{ + 0xb4, 0x00, 0x00, 0x00, // FC 0xb400. b--subtype; 4--type&version; + 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, // mac addr of the peer + 0x66, 0x55, 0x44, 0x33, 0x22, 0x22, // mac addr of the peer +}; + // Generate random string void gen_rand_str(int size, char *rand_char) { 
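Review bot: the comment on `ieee_hdr_data` is now stale: the bytes changed to `0x08, 0x02` but the comment still says "FC 0x0801"; update it to "FC 0x0802". In `ieee_hdr_rts` both address lines are commented "mac addr of the peer", yet an RTS carries RA followed by TA, so the second should say it is the transmitter (self) address; likewise `ieee_hdr_ack_cts` serves both CTS and ACK, whose single address is RA, and the comment could say so. Note too that the usage text offers sub_type 8 (QoS-Data), but `ieee_hdr_data` has no 2-byte QoS Control field after the addresses, so for that subtype the first two payload bytes would be parsed as QoS Control by any receiver.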
@@ -97,11 +122,19 @@ void usage(void) { printf( "(c)2006-2007 Andy Green Licensed under GPL2\n" - "(r)2020 Michael Tetemke Mehari " + "(r)2020 Michael Tetemke Mehari \n" + "(r)2022 Xianjun Jiao " "\n" "Usage: inject_80211 [options] \n\nOptions\n" "-m/--hw_mode (a,g,n)\n" "-r/--rate_index (0,1,2,3,4,5,6,7)\n" + "-t/--packet_type (m/c/d/r for management/control/data/reserved)\n" + "-e/--sub_type (hex value. example:\n" + " 8/A/B/C for Beacon/Disassociation/Authentication/Deauth, when packet_type m\n" + " A/B/C/D for PS-Poll/RTS/CTS/ACK, when packet_type c\n" + " 0/1/2/8 for Data/Data+CF-Ack/Data+CF-Poll/QoS-Data, when packet_type d)\n" + "-a/--addr1 \n" + "-b/--addr2 \n" "-i/--sgi_flag (0,1)\n" "-n/--num_packets \n" "-s/--payload_size \n" @@ -118,9 +151,10 @@ void usage(void) int main(int argc, char *argv[]) { - u8 buffer[1536]; - char szErrbuf[PCAP_ERRBUF_SIZE], rand_char[1484], hw_mode = 'n'; + u8 buffer[BUF_SIZE_TOTAL], addr1=1, addr2=2, sub_type=1, *ieee_hdr; + char szErrbuf[PCAP_ERRBUF_SIZE], rand_char[1484], hw_mode = 'n', packet_type = 'd'; int i, nLinkEncap = 0, r, rate_index = 0, sgi_flag = 0, num_packets = 10, payload_size = 64, packet_size, nDelay = 100000; + int ieee_hdr_len, payload_len; pcap_t *ppcap = NULL; while (1) @@ -130,6 +164,10 @@ int main(int argc, char *argv[]) { { "hw_mode", required_argument, NULL, 'm' }, { "rate_index", required_argument, NULL, 'r' }, + { "packet_type", required_argument, NULL, 't' }, + { "sub_type", required_argument, NULL, 'e' }, + { "addr1", required_argument, NULL, 'a' }, + { "addr2", required_argument, NULL, 'b' }, { "sgi_flag", no_argument, NULL, 'i' }, { "num_packets", required_argument, NULL, 'n' }, { "payload_size", required_argument, NULL, 's' }, 
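Review bot: the new usage lines for `-a/--addr1` and `-b/--addr2` do not say what the value means; since the code later writes a single byte at offsets 9 and 15, document that the argument is a hex value replacing only the last octet of the address, and state the defaults. The `-e/--sub_type` line should likewise mention the default, because a reader of the app notes never passes it.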
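Review bot: the default `sub_type=1` in the new declaration `u8 buffer[BUF_SIZE_TOTAL], addr1=1, addr2=2, sub_type=1, *ieee_hdr;` silently changes the tool's default frame: `ieee_hdr_data[0]` starts as `0x08` (Data, subtype 0) and is later OR'd with `sub_type<<4`, so subtype 1 (Data+CF-Ack, per the usage text) is injected unless `-e 0` is given; the app notes' `./inject_80211 -m n -r 5 -n 1 sdr0` invocations therefore no longer send a plain data frame. Default to 0 unless the change is intended. Also, `addr1`/`addr2` are `u8` while they are filled from `strtol`, so any value above 0xff is truncated without notice.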
@@ -137,7 +175,7 @@ int main(int argc, char *argv[]) { "help", no_argument, &flagHelp, 1 }, { 0, 0, 0, 0 } }; - int c = getopt_long(argc, argv, "m:r:i:n:s:d:h", optiona, &nOptionIndex); + int c = getopt_long(argc, argv, "m:r:t:e:a:b:i:n:s:d:h", optiona, &nOptionIndex); if (c == -1) break; @@ -157,6 +195,22 @@ int main(int argc, char *argv[]) rate_index = atoi(optarg); break; + case 't': + packet_type = optarg[0]; + break; + + case 'e': + sub_type = strtol(optarg, NULL, 16); + break; + + case 'a': + addr1 = strtol(optarg, NULL, 16); + break; + + case 'b': + addr2 = strtol(optarg, NULL, 16); + break; + case 'i': sgi_flag = atoi(optarg); break; 
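Review bot: while the optstring is being edited to `"m:r:t:e:a:b:i:n:s:d:h"`, note that `i:` declares `-i` as taking an argument, whereas the long-option table in the preceding hunk declares `{ "sgi_flag", no_argument, NULL, 'i' }`, so `-i 1` and `--sgi_flag` behave differently; make the two agree.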
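Review bot: the new `case 'e'`, `case 'a'` and `case 'b'` store `strtol(optarg, NULL, 16)` without range checks: a `sub_type` above 0xF, once shifted by 4 and OR'd into the frame control byte, spills into the type/version bits, and non-hex input is silently turned into 0. Reject values outside 0..15 for `sub_type` and outside 0..0xff for the address bytes here, before the header arrays are patched.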
@@ -210,10 +264,65 @@ int main(int argc, char *argv[]) pcap_setnonblock(ppcap, 1, szErrbuf); + // Fill the IEEE hdr + if (packet_type == 'd') // data packet + { + ieee_hdr_data[0] = ( ieee_hdr_data[0]|(sub_type<<4) ); + ieee_hdr_data[9] = addr1; + ieee_hdr_data[15] = addr2; + ieee_hdr_len = sizeof(ieee_hdr_data); + ieee_hdr = ieee_hdr_data; + } + else if (packet_type == 'm') // managment packet + { + ieee_hdr_mgmt[0] = ( ieee_hdr_mgmt[0]|(sub_type<<4) ); + ieee_hdr_mgmt[9] = addr1; + ieee_hdr_mgmt[15] = addr2; + ieee_hdr_len = sizeof(ieee_hdr_mgmt); + ieee_hdr = ieee_hdr_mgmt; + } + else if (packet_type == 'c') + { + payload_size = 0; + if (sub_type == 0xC || sub_type == 0xD) + { + ieee_hdr_ack_cts[0] = ( ieee_hdr_ack_cts[0]|(sub_type<<4) ); + ieee_hdr_ack_cts[9] = addr1; + ieee_hdr_len = sizeof(ieee_hdr_ack_cts); + ieee_hdr = ieee_hdr_ack_cts; + } + else if (sub_type == 0xA || sub_type == 0xB) + { + ieee_hdr_rts[0] = ( ieee_hdr_rts[0]|(sub_type<<4) ); + ieee_hdr_rts[9] = addr1; + ieee_hdr_rts[15] = addr2; + ieee_hdr_len = sizeof(ieee_hdr_rts); + ieee_hdr = ieee_hdr_rts; + } + else + { + printf("!!! sub_type %x is not supported yet!\n", sub_type); + return (1); + } + } + else + { + printf("!!! 
packet_type %c is not supported yet!\n", packet_type); + return (1); + } + // Generate random string - gen_rand_str(payload_size, rand_char); - packet_size = sizeof(u8aRadiotapHeader) + sizeof(ieee_hdr) + strlen(rand_char); + gen_rand_str(payload_size+4, rand_char); //4 for space reserved for crc + payload_len = strlen(rand_char); + + packet_size = sizeof(u8aRadiotapHeader) + ieee_hdr_len + payload_len; printf("mode = 802.11%c, rate index = %d, SHORT GI = %d, number of packets = %d and packet size = %d bytes, delay = %d usec\n", hw_mode, rate_index, sgi_flag, num_packets, packet_size, nDelay); + printf("packet_type %c sub_type %x payload_len %d ieee_hdr_len %d addr1 %02x addr2 %02x\n", packet_type, sub_type, payload_len, ieee_hdr_len, addr1, addr2); + + if (packet_size > BUF_SIZE_MAX) { + printf("packet_size %d > %d! Quite\n", packet_size, BUF_SIZE_MAX); + return(1); + } // Clear storage buffer memset(buffer, 0, sizeof (buffer)); @@ -234,9 +343,9 @@ int main(int argc, char *argv[]) buffer[MCS_RATE_OFFSET] = rate_index; } // Insert IEEE DATA header - memcpy(buffer + sizeof(u8aRadiotapHeader), ieee_hdr, sizeof (ieee_hdr)); + memcpy(buffer + sizeof(u8aRadiotapHeader), ieee_hdr, ieee_hdr_len); // Insert IEEE DATA payload - sprintf((char *)(buffer + sizeof(u8aRadiotapHeader) + sizeof(ieee_hdr)), "%s", rand_char); + sprintf((char *)(buffer + sizeof(u8aRadiotapHeader) + ieee_hdr_len), "%s", rand_char); // Inject packets for(i = 1; i <= num_packets; i++) diff --git a/user_space/side_ch_ctl_src/iq_capture.py b/user_space/side_ch_ctl_src/iq_capture.py index 1a0e046..54156a7 100755 --- a/user_space/side_ch_ctl_src/iq_capture.py +++ b/user_space/side_ch_ctl_src/iq_capture.py 
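Review bot: the bound check `if (packet_size > BUF_SIZE_MAX)` runs after `gen_rand_str(payload_size+4, rand_char)` has already filled the 1484-byte `rand_char` with as many characters as requested (plus terminator); unless `payload_size` is validated earlier (not visible in this hunk), a large `-s` overruns the stack buffer before the check fires. Move the check before the call and bound it against the size of `rand_char` as well. Typos in the same hunk: "managment" and "Quite" (should be "Quit"); and the four near-identical `xxx[0] = ( xxx[0]|(sub_type<<4) )` lines could be collapsed into one assignment after `ieee_hdr` is selected.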
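Review bot: the `sprintf((char *)(buffer + sizeof(u8aRadiotapHeader) + ieee_hdr_len), "%s", rand_char);` line still relies on the earlier `BUF_SIZE_MAX` check for its bound; `snprintf` with the remaining length (`BUF_SIZE_TOTAL` minus the offset) would make the limit local to the write. The comments "Insert IEEE DATA header" and "Insert IEEE DATA payload" are now stale, since `ieee_hdr` may be a management or control header.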
@@ -74,6 +74,7 @@ UDP_PORT = 4000 #Local port to listen sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP sock.bind((UDP_IP, UDP_PORT)) +sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 464) # for low latency. 464 is the minimum udp length in our case (CSI only) # align with side_ch_control.v and all related user space, remote files MAX_NUM_DMA_SYMBOL = 8192 diff --git a/user_space/side_ch_ctl_src/iq_capture_2ant.py b/user_space/side_ch_ctl_src/iq_capture_2ant.py index 20e9361..f42f295 100755 --- a/user_space/side_ch_ctl_src/iq_capture_2ant.py +++ b/user_space/side_ch_ctl_src/iq_capture_2ant.py @@ -53,6 +53,7 @@ UDP_PORT = 4000 #Local port to listen sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP sock.bind((UDP_IP, UDP_PORT)) +sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 464) # for low latency. 464 is the minimum udp length in our case (CSI only) # align with side_ch_control.v and all related user space, remote files MAX_NUM_DMA_SYMBOL = 8192 diff --git a/user_space/side_ch_ctl_src/side_info_display.py b/user_space/side_ch_ctl_src/side_info_display.py index 0e3560f..67aad6e 100755 --- a/user_space/side_ch_ctl_src/side_info_display.py +++ b/user_space/side_ch_ctl_src/side_info_display.py @@ -112,6 +112,7 @@ UDP_PORT = 4000 #Local port to listen sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP sock.bind((UDP_IP, UDP_PORT)) +sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 464) # for low latency. 464 is the minimum udp length in our case (CSI only) # align with side_ch_control.v and all related user space, remote files MAX_NUM_DMA_SYMBOL = 8192 diff --git a/user_space/side_ch_ctl_src/test_side_info_file_display.m b/user_space/side_ch_ctl_src/test_side_info_file_display.m index 471a28f..a4dcbbb 100644 --- a/user_space/side_ch_ctl_src/test_side_info_file_display.m +++ b/user_space/side_ch_ctl_src/test_side_info_file_display.m 
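Review bot: `sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 464)` in iq_capture.py does not do what the comment says: Linux doubles the requested value and clamps it to a kernel minimum well above 464 bytes, so the effective buffer is larger than written, and a receive buffer smaller than incoming datagrams causes drops rather than lower latency. The comment "464 is the minimum udp length in our case (CSI only)" also does not match this script, which receives IQ captures, not CSI. Read the value back with `getsockopt` and adjust the comment to the size actually in effect.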
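Review bot: the `SO_RCVBUF, 464` line copied into iq_capture_2ant.py carries the same mismatch as its comment: Linux doubles and clamps the value to a kernel minimum, so 464 is not the buffer size in effect, and "(CSI only)" does not describe a dual-antenna IQ capture script. Verify the real value with `getsockopt` before keeping the comment.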
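Review bot: the `SO_RCVBUF, 464` line in side_info_display.py is the one place where the "CSI only" comment is accurate, but the kernel still doubles and clamps the value, so the comment should state the size actually applied; since the same line now appears in three scripts, a small shared helper (or a single constant) would keep the three in step.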
@@ -1,11 +1,17 @@ % Xianjun Jiao. xianjun.jiao@imec.be; putaoshu@msn.com -clear all; +function test_side_info_file_display(num_eq, side_info_filename) close all; -num_eq = 8; +if exist('num_eq', 'var')==0 || isempty(num_eq) + num_eq = 8; +end -a = load('side_info.txt'); +if exist('side_info_filename', 'var')==0 || isempty(side_info_filename) + side_info_filename = 'side_info.txt'; +end + +a = load(side_info_filename); len_a = floor(length(a)/4)*4; a = a(1:len_a);
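Review bot: the new signature `function test_side_info_file_display(num_eq, side_info_filename)` with `exist('num_eq', 'var')==0 || isempty(num_eq)` works, but `nargin < 1 || isempty(num_eq)` (and `nargin < 2` for the filename) is the idiomatic MATLAB form for optional arguments and avoids the string lookup. Dropping `clear all` is correct inside a function; `close all` remains and will close any figures the caller had open, which is worth a comment in the header.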