CSI fuzzer feature -- document to be finished

README.md

@@ -28,8 +28,9 @@ Openwifi code has dual licenses. AGPLv3 is the opensource license. For non-opens
 - Mode tested: Ad-hoc; Station; AP, Monitor
 - DCF (CSMA/CA) low MAC layer in FPGA (10us SIFS is achieved)
 - [802.11 packet injection and fuzzing](doc/app_notes/inject_80211.md)
-- CSI (Channel State Information, freq offset, equalizer to computer) [[CSI notes](doc/app_notes/csi.md)]
-- IQ capture (real-time AGC, RSSI, IQ sample to computer) [[IQ notes](doc/app_notes/iq.md)][[IQ notes for dual antenna](doc/app_notes/iq_2ant.md)]
+- [CSI](doc/app_notes/csi.md): Channel State Information, freq offset, equalizer to computer
+- [CSI fuzzer](doc/app_notes/csi_fuzzer.md): Create fake CSI in WiFi transmitter
+- [[IQ capture](doc/app_notes/iq.md)]: real-time AGC, RSSI, IQ sample to computer. [[Dual antenna version](doc/app_notes/iq_2ant.md)]
 - Configurable channel access priority parameters:
   - duration of RTS/CTS, CTS-to-self
   - SIFS/DIFS/xIFS/slot-time/CW/etc

doc/app_notes/README.md

@@ -14,3 +14,4 @@ Application notes collect many small topics about using openwifi in different sc
 - [Capture dual antenna TX/RX IQ for multi-purpose (capture collision)](iq_2ant.md)
 - [IEEE 802.11n (Wi-Fi 4)](ieee80211n.md)
 - [802.11 packet injection and fuzzing](inject_80211.md)
+- [CSI fuzzer](csi_fuzzer.md)

doc/app_notes/csi_fuzzer.md

@@ -0,0 +1,15 @@
+<!--
+Author: Xianjun jiao
+SPDX-FileCopyrightText: 2021 UGent
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+Coming soon for details.
+
+CSI over the air loopback before fuzzing.
+
+![](./csi-fuzzer-beacon-ant-back-0.jpg)
+
+CSI over the air loopback after  fuzzing command: csi_fuzzer.sh 1 45 0 13
+
+![](./csi-fuzzer-beacon-ant-back-1-45-0-13.jpg)

driver/hw_def.h

@@ -27,7 +27,7 @@ const char *tx_intf_compatible_str = "sdr,tx_intf";
 #define TX_INTF_REG_WIFI_TX_MODE_ADDR              (2*4)
 #define TX_INTF_REG_IQ_SRC_SEL_ADDR                (3*4)
 #define TX_INTF_REG_CTS_TOSELF_CONFIG_ADDR         (4*4)
-#define TX_INTF_REG_START_TRANS_TO_PS_MODE_ADDR    (5*4)
+#define TX_INTF_REG_CSI_FUZZER_ADDR                (5*4)
 #define TX_INTF_REG_CTS_TOSELF_WAIT_SIFS_TOP_ADDR  (6*4)
 #define TX_INTF_REG_MISC_SEL_ADDR                  (7*4)
 #define TX_INTF_REG_NUM_DMA_SYMBOL_TO_PL_ADDR      (8*4)
@@ -71,7 +71,7 @@ struct tx_intf_driver_api {
 	u32 (*TX_INTF_REG_WIFI_TX_MODE_read)(void);
 	u32 (*TX_INTF_REG_IQ_SRC_SEL_read)(void);
 	u32 (*TX_INTF_REG_CTS_TOSELF_CONFIG_read)(void);
-	u32 (*TX_INTF_REG_START_TRANS_TO_PS_MODE_read)(void);
+	u32 (*TX_INTF_REG_CSI_FUZZER_read)(void);
 	u32 (*TX_INTF_REG_CTS_TOSELF_WAIT_SIFS_TOP_read)(void);
 	u32 (*TX_INTF_REG_MISC_SEL_read)(void);
 	u32 (*TX_INTF_REG_NUM_DMA_SYMBOL_TO_PL_read)(void);
@@ -91,7 +91,7 @@ struct tx_intf_driver_api {
 	void (*TX_INTF_REG_WIFI_TX_MODE_write)(u32 value);
 	void (*TX_INTF_REG_IQ_SRC_SEL_write)(u32 value);
 	void (*TX_INTF_REG_CTS_TOSELF_CONFIG_write)(u32 value);
-	void (*TX_INTF_REG_START_TRANS_TO_PS_MODE_write)(u32 value);
+	void (*TX_INTF_REG_CSI_FUZZER_write)(u32 value);
 	void (*TX_INTF_REG_CTS_TOSELF_WAIT_SIFS_TOP_write)(u32 value);
 	void (*TX_INTF_REG_MISC_SEL_write)(u32 value);
 	void (*TX_INTF_REG_NUM_DMA_SYMBOL_TO_PL_write)(u32 value);

driver/tx_intf/tx_intf.c

@@ -56,8 +56,8 @@ static inline u32 TX_INTF_REG_CTS_TOSELF_CONFIG_read(void){
 	return reg_read(TX_INTF_REG_CTS_TOSELF_CONFIG_ADDR);
 }
 
-static inline u32 TX_INTF_REG_START_TRANS_TO_PS_MODE_read(void){
-	return reg_read(TX_INTF_REG_START_TRANS_TO_PS_MODE_ADDR);
+static inline u32 TX_INTF_REG_CSI_FUZZER_read(void){
+	return reg_read(TX_INTF_REG_CSI_FUZZER_ADDR);
 }
 
 static inline u32 TX_INTF_REG_CTS_TOSELF_WAIT_SIFS_TOP_read(void){
@@ -134,8 +134,8 @@ static inline void TX_INTF_REG_CTS_TOSELF_CONFIG_write(u32 value){
 	reg_write(TX_INTF_REG_CTS_TOSELF_CONFIG_ADDR, value);
 }
 
-static inline void TX_INTF_REG_START_TRANS_TO_PS_MODE_write(u32 value){
-	reg_write(TX_INTF_REG_START_TRANS_TO_PS_MODE_ADDR, value);
+static inline void TX_INTF_REG_CSI_FUZZER_write(u32 value){
+	reg_write(TX_INTF_REG_CSI_FUZZER_ADDR, value);
 }
 
 static inline void TX_INTF_REG_CTS_TOSELF_WAIT_SIFS_TOP_write(u32 value){
@@ -283,7 +283,7 @@ static inline u32 hw_init(enum tx_intf_mode mode, u32 num_dma_symbol_to_pl, u32
 		tx_intf_api->TX_INTF_REG_MIXER_CFG_write(mixer_cfg);
 		tx_intf_api->TX_INTF_REG_MULTI_RST_write(0);
 		tx_intf_api->TX_INTF_REG_IQ_SRC_SEL_write(duc_input_ch_sel);
-		tx_intf_api->TX_INTF_REG_START_TRANS_TO_PS_MODE_write(2);
+		tx_intf_api->TX_INTF_REG_CSI_FUZZER_write(0);
 		tx_intf_api->TX_INTF_REG_CTS_TOSELF_WAIT_SIFS_TOP_write( ((16*10)<<16)|(10*10) );//high 16bit 5GHz; low 16 bit 2.4GHz. counter speed 10MHz is assumed
 
 		tx_intf_api->TX_INTF_REG_NUM_DMA_SYMBOL_TO_PL_write(num_dma_symbol_to_pl);
@@ -338,7 +338,7 @@ static int dev_probe(struct platform_device *pdev)
 	tx_intf_api->TX_INTF_REG_WIFI_TX_MODE_read=TX_INTF_REG_WIFI_TX_MODE_read;
 	tx_intf_api->TX_INTF_REG_IQ_SRC_SEL_read=TX_INTF_REG_IQ_SRC_SEL_read;
 	tx_intf_api->TX_INTF_REG_CTS_TOSELF_CONFIG_read=TX_INTF_REG_CTS_TOSELF_CONFIG_read;
-	tx_intf_api->TX_INTF_REG_START_TRANS_TO_PS_MODE_read=TX_INTF_REG_START_TRANS_TO_PS_MODE_read;
+	tx_intf_api->TX_INTF_REG_CSI_FUZZER_read=TX_INTF_REG_CSI_FUZZER_read;
 	tx_intf_api->TX_INTF_REG_CTS_TOSELF_WAIT_SIFS_TOP_read=TX_INTF_REG_CTS_TOSELF_WAIT_SIFS_TOP_read;
 	tx_intf_api->TX_INTF_REG_MISC_SEL_read=TX_INTF_REG_MISC_SEL_read;
 	tx_intf_api->TX_INTF_REG_NUM_DMA_SYMBOL_TO_PL_read=TX_INTF_REG_NUM_DMA_SYMBOL_TO_PL_read;
@@ -358,7 +358,7 @@ static int dev_probe(struct platform_device *pdev)
 	tx_intf_api->TX_INTF_REG_WIFI_TX_MODE_write=TX_INTF_REG_WIFI_TX_MODE_write;
 	tx_intf_api->TX_INTF_REG_IQ_SRC_SEL_write=TX_INTF_REG_IQ_SRC_SEL_write;
 	tx_intf_api->TX_INTF_REG_CTS_TOSELF_CONFIG_write=TX_INTF_REG_CTS_TOSELF_CONFIG_write;
-	tx_intf_api->TX_INTF_REG_START_TRANS_TO_PS_MODE_write=TX_INTF_REG_START_TRANS_TO_PS_MODE_write;
+	tx_intf_api->TX_INTF_REG_CSI_FUZZER_write=TX_INTF_REG_CSI_FUZZER_write;
 	tx_intf_api->TX_INTF_REG_CTS_TOSELF_WAIT_SIFS_TOP_write=TX_INTF_REG_CTS_TOSELF_WAIT_SIFS_TOP_write;
 	tx_intf_api->TX_INTF_REG_MISC_SEL_write=TX_INTF_REG_MISC_SEL_write;
 	tx_intf_api->TX_INTF_REG_NUM_DMA_SYMBOL_TO_PL_write=TX_INTF_REG_NUM_DMA_SYMBOL_TO_PL_write;

user_space/csi_fuzzer.sh

@@ -0,0 +1,61 @@
+  
+#!/bin/bash
+
+# Author: Xianjun Jiao
+# SPDX-FileCopyrightText: 2021 UGent
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+if [ "$#" -lt 4 ]; then
+    echo "You must enter 4 arguments: c1_rot90_en c1_raw(-64 to 63) c2_rot90_en c2_raw(-64 to 63)"
+    exit 1
+fi
+
+c1_rot90_en=$1
+c1_raw=$2
+c2_rot90_en=$3
+c2_raw=$4
+
+if (($c1_rot90_en != 0)) && (($c1_rot90_en != 1)); then
+    echo "c1_rot90_en must be 0 or 1!"
+    exit 1
+fi
+
+if (($c1_raw < -64)) || (($c1_raw > 63)); then
+    echo "c1_raw must be -64 to 63!"
+    exit 1
+fi
+
+if (($c2_rot90_en != 0)) && (($c2_rot90_en != 1)); then
+    echo "c2_rot90_en must be 0 or 1!"
+    exit 1
+fi
+
+if (($c2_raw < -64)) || (($c2_raw > 63)); then
+    echo "c2_raw must be -64 to 63!"
+    exit 1
+fi
+
+if (($c1_raw < 0)); then
+    unsigned_c1=$(expr 128 + $c1_raw)
+#    echo $unsigned_c1
+else
+    unsigned_c1=$c1_raw
+fi
+
+if (($c2_raw < 0)); then
+    unsigned_c2=$(expr 128 + $c2_raw)
+#    echo $unsigned_c2
+else
+    unsigned_c2=$c2_raw
+fi
+
+# echo $c1_rot90_en
+# echo $unsigned_c1
+# echo $c2_rot90_en
+# echo $unsigned_c2
+
+unsigned_dec_combined=$(($unsigned_c1 + 512 * $c1_rot90_en + 1024 * $unsigned_c2 + 524288 * $c2_rot90_en))
+# echo $unsigned_dec_combined
+
+echo "./sdrctl dev sdr0 set reg tx_intf 5 $unsigned_dec_combined"
+./sdrctl dev sdr0 set reg tx_intf 5 $unsigned_dec_combined

user_space/csi_fuzzer_scan.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# Author: Xianjun Jiao
+# SPDX-FileCopyrightText: 2021 UGent
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+if [ "$#" -lt 1 ]; then
+    echo "You must enter 1 arguments: 1, 2, 3 or 4. For scan c1, c2, c2&c1 or c1&c2,"
+    exit 1
+fi
+
+SCAN_OPTION=$1
+
+if (($SCAN_OPTION == 1)); then
+    echo "Scan tap1:"
+    for j in {-64..63};
+    do
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 0 $i 0 0
+            sleep 0.01
+        done
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 1 $i 0 0
+            sleep 0.01
+        done
+    done
+    exit 1
+fi
+
+if (($SCAN_OPTION == 2)); then
+    echo "Scan tap2:"
+    for j in {-64..63};
+    do
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 0 0 0 $i
+            sleep 0.01
+        done
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 0 0 1 $i
+            sleep 0.01
+        done
+    done
+    exit 1
+fi
+
+if (($SCAN_OPTION == 3)); then
+    echo "Scan tap1 after tap2:"
+    for j in {-64..63};
+    do
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 0 $j 0 $i
+            # sleep 0.1
+        done
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 0 $j 1 $i
+            # sleep 0.1
+        done
+    done
+    for j in {-64..63};
+    do
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 1 $j 0 $i
+            # sleep 0.1
+        done
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 1 $j 1 $i
+            # sleep 0.1
+        done
+    done
+    exit 1
+fi
+
+if (($SCAN_OPTION == 4)); then
+    echo "Scan tap2 after tap1:"
+    for j in {-64..63};
+    do
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 0 $i 0 $j
+            # sleep 0.1
+        done
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 1 $i 0 $j
+            # sleep 0.1
+        done
+    done
+    for j in {-64..63};
+    do
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 0 $i 1 $j
+            # sleep 0.1
+        done
+        for i in {-64..63};
+        do
+            ./csi_fuzzer.sh 1 $i 1 $j
+            # sleep 0.1
+        done
+    done
+    exit 1
+fi