Crashing after a few idle seconds on TP-Link WN722N-V2 (8188eu custom driver)

[Sparkpy]

Describe the bug
AngryOxide does not run on TP-Link WN722N-V2 (8188eu chipset), it starts for about 3-4 seconds and then closes with the error messages shown below

To Reproduce
Steps to reproduce the behavior:

1. Kill NetworkManager and WpaSupplicant
2. Run the command "sudo angryoxide -i wlan1 -b 2"

Expected behavior
AngryOxide should find networks and attack them

Screenshots
If applicable, add screenshots to help explain your problem.

** Hardware (please complete the following information):**

• Device: Baremetal Lenovo Thinkpad with
• OS: Kali Linux (6.8.11-amd64)
• Interface: TP_Link WN722N-V2 (8188eu driver)

Additional context

Add any other context about the problem here.
─$ sudo RUST_BACKTRACE=full angryoxide -i wlan1                                                     
Starting AngryOxide... 😈
💲 Interface Summary:
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Interface: wlan1                                                       ┃
┃ Index: 4 | Driver: 8188eu                                              ┃
┃ Mode: IftypeMonitor | Active Monitor: false                            ┃
┃ Modes: Adhoc, Station, Ap, Monitor, P2P Client, P2P Go                 ┃
┃ State: Dormant                                                         ┃
┃ Current Frequency: None                                                ┃
┃ Enabled Bands/Channels:                                                ┃
┃                                                                        ┃
┃ Band2GHz:                                                              ┃
┃   [2412 (1)]       [2417 (2)]       [2422 (3)]       [2427 (4)]        ┃
┃   [2432 (5)]       [2437 (6)]       [2442 (7)]       [2447 (8)]        ┃
┃   [2452 (9)]       [2457 (10)]      [2462 (11)]      [2467 (12)]       ┃
┃   [2472 (13)]                                                          ┃
┃                                                                        ┃
┃                                                                        ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
💲 No target list provided... everything is a target 😏
💲 No whitelist list provided.

======== Hop Channels ========
 └ Band 2 Channels:
   ├ 1
   ├ 6
   └ 11
==============================

💲 Dwell Time: 2
💲 Attack Rate: Normal (2)
💲 Mouse Capture: true
💲 Setting wlan1 down.
💲 Randomizing wlan1 mac to e222476b0f14
💲 Setting wlan1 to Monitor mode. ("active" flag: false)
💲 Setting wlan1 up.
💲 OUI Records Imported: 50153
💲 Sockets Opened [Rx: 5 | Tx: 6]

🎩 KICKING UP THE 4D3D3D3 🎩

======================================================================

thread 'main' panicked at src/main.rs:1221:9:
Channel is None. Current Frequency: Frequency { frequency: None, width: Some(ChanWidth20Noht), channel: None, pwr: Some(1300) }
stack backtrace:
   0:     0x5580b926b415 - <unknown>
   1:     0x5580b929680b - <unknown>
   2:     0x5580b9267b9f - <unknown>
   3:     0x5580b926b1ee - <unknown>
   4:     0x5580b926c909 - <unknown>
   5:     0x5580b926c6aa - <unknown>
   6:     0x5580b926cf0b - <unknown>
   7:     0x5580b926cc84 - <unknown>
   8:     0x5580b926b8d9 - <unknown>
   9:     0x5580b926c9b7 - <unknown>
  10:     0x5580b8dfcbe3 - <unknown>
  11:     0x5580b8e1de01 - <unknown>
  12:     0x5580b8e2523f - <unknown>
  13:     0x5580b8ea7b43 - <unknown>
  14:     0x5580b8e919b9 - <unknown>
  15:     0x5580b926157d - <unknown>
  16:     0x5580b8e3c125 - <unknown>
  17:     0x7f0dfa641c8a - __libc_start_call_main
                               at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
  18:     0x7f0dfa641d45 - __libc_start_main_impl
                               at ./csu/../csu/libc-start.c:360:3
  19:     0x5580b8dfd3fe - <unknown>
  20:                0x0 - <unknown>

[PhialsBasement]

I get a similiar issue when running it on my computer using the same one

[Ragnt]

I know you say you shut down network manager and wpa_supplicant, but the only case I have seen this error is when the device is set down or another station mode VIF is brought up for the same device.

Can you run a watch on iwconfig/ipconfig and dmesg and see what my may be happening in the background when this occurs?

I worked really hard to try and find the source of this previously but couldn’t.

[Sparkpy]

iwconfig's output (nothing changes while starting angryoxide):

lo        no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          
docker0   no wireless extensions.

wlan1     unassociated  Nickname:"<WIFI@REALTEK>"
          Mode:Monitor  Frequency=2.412 GHz  Access Point: Not-Associated   
          Sensitivity:0/0  
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

dmesg's output while running angryoxide is as follows:

[ 2474.316722] ------------[ cut here ]------------
[ 2474.316733] WARNING: CPU: 3 PID: 12922 at /var/lib/dkms/realtek-rtl8188eus/5.3.9~git20230921.3fae723/build/core/rtw_mlme_ext.c:12567 rtw_mlmeext_disconnect+0x115/0x170 [8188eu]
[ 2474.316996] Modules linked in: mptcp_diag xsk_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag 8188eu(OE) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat nf_tables libcrc32c br_netfilter bridge stp llc ctr ccm overlay qrtr sunrpc binfmt_misc nls_ascii nls_cp437 vfat fat snd_sof_pci_intel_cnl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation uvcvideo snd_sof_intel_hda_mlink soundwire_cadence snd_sof_intel_hda videobuf2_vmalloc snd_sof_pci uvc videobuf2_memops videobuf2_v4l2 snd_sof_xtensa_dsp snd_sof snd_sof_utils videodev soundwire_bus videobuf2_common mc intel_rapl_msr intel_rapl_common intel_uncore_frequency snd_soc_skl intel_uncore_frequency_common snd_soc_hdac_hda intel_pmc_core_pltdrv snd_hda_ext_core intel_pmc_core snd_soc_sst_ipc snd_soc_sst_dsp intel_vsec snd_soc_acpi_intel_match pmt_telemetry snd_soc_acpi
[ 2474.317139]  pmt_class ath10k_pci ath10k_core x86_pkg_temp_thermal snd_soc_core ath snd_compress snd_pcm_dmaengine intel_powerclamp coretemp mac80211 kvm_intel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic btusb mei_hdcp mei_pxp snd_hda_intel btrtl btintel libarc4 mei_me btbcm snd_intel_dspcfg btmtk snd_intel_sdw_acpi snd_hda_codec kvm snd_hda_core bluetooth cfg80211 snd_hwdep mei snd_pcm iTCO_wdt intel_pmc_bxt sha3_generic jitterentropy_rng iTCO_vendor_support watchdog drbg ansi_cprng ecdh_generic ecc snd_timer snd soundcore ideapad_laptop irqbypass rapl intel_cstate evdev joydev sparse_keymap intel_uncore platform_profile rfkill sg pcspkr intel_pch_thermal intel_wmi_thunderbolt wmi_bmof serio_raw acpi_pad ac acpi_tad efi_pstore configfs nfnetlink efivarfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic i915 sd_mod t10_pi crc64_rocksoft_generic crc64_rocksoft crc_t10dif crct10dif_generic drm_buddy crc64 i2c_algo_bit drm_display_helper ahci libahci hid_rmi cec libata rmi_core rc_core
[ 2474.317311]  hid_generic crct10dif_pclmul crct10dif_common ttm crc32_pclmul xhci_pci crc32c_intel xhci_hcd i2c_hid_acpi scsi_mod i2c_hid drm_kms_helper ghash_clmulni_intel sha512_ssse3 usbcore intel_lpss_pci hid video intel_lpss i2c_i801 sha512_generic drm sha256_ssse3 sha1_ssse3 i2c_smbus idma64 usb_common scsi_common battery wmi button aesni_intel crypto_simd cryptd
[ 2474.317375] CPU: 3 PID: 12922 Comm: RTW_CMD_THREAD Tainted: G        W  OE      6.8.11-amd64 #1  Kali 6.8.11-1kali2
[ 2474.317385] Hardware name: LENOVO 81MV/LNVNB161216, BIOS ASCN19WW 01/25/2019
[ 2474.317389] RIP: 0010:rtw_mlmeext_disconnect+0x115/0x170 [8188eu]
[ 2474.317562] Code: 83 6a 06 00 00 00 c7 83 6c 06 00 00 00 00 00 00 48 8b 44 24 08 65 48 2b 04 25 28 00 00 00 75 60 48 83 c4 10 5b c3 cc cc cc cc <0f> 0b e9 1f ff ff ff c6 44 24 04 00 48 8d 54 24 04 be 59 00 00 00
[ 2474.317568] RSP: 0018:ffffb30449b9fe58 EFLAGS: 00010286
[ 2474.317575] RAX: 0000000080000000 RBX: ffffb30449b19000 RCX: 00000000000001f4
[ 2474.317580] RDX: 0000000000000004 RSI: ffff9f53db34b200 RDI: ffffb30449b19000
[ 2474.317584] RBP: ffff9f53db34b200 R08: 00000000000001f4 R09: 0000000000000000
[ 2474.317589] R10: 0000000000000001 R11: 0000000000000000 R12: ffffb30449b1a128
[ 2474.317593] R13: ffffb30449b1a118 R14: ffffb30449b1a0e8 R15: ffff9f54d0658000
[ 2474.317597] FS:  0000000000000000(0000) GS:ffff9f552a580000(0000) knlGS:0000000000000000
[ 2474.317603] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2474.317608] CR2: 00005623fb0c47e8 CR3: 000000003f020001 CR4: 00000000003706f0
[ 2474.317613] Call Trace:
[ 2474.317619]  <TASK>
[ 2474.317623]  ? rtw_mlmeext_disconnect+0x115/0x170 [8188eu]
[ 2474.317785]  ? __warn+0x81/0x130
[ 2474.317799]  ? rtw_mlmeext_disconnect+0x115/0x170 [8188eu]
[ 2474.317962]  ? report_bug+0x171/0x1a0
[ 2474.317973]  ? handle_bug+0x3c/0x80
[ 2474.317982]  ? exc_invalid_op+0x17/0x70
[ 2474.317992]  ? asm_exc_invalid_op+0x1a/0x20
[ 2474.318006]  ? rtw_mlmeext_disconnect+0x115/0x170 [8188eu]
[ 2474.318167]  disconnect_hdl+0x44/0xc0 [8188eu]
[ 2474.318343]  rtw_cmd_thread+0x27d/0x3a0 [8188eu]
[ 2474.318460]  ? __pfx_disconnect_hdl+0x10/0x10 [8188eu]
[ 2474.318669]  ? __pfx_rtw_cmd_thread+0x10/0x10 [8188eu]
[ 2474.318863]  kthread+0xe5/0x120
[ 2474.318875]  ? __pfx_kthread+0x10/0x10
[ 2474.318885]  ret_from_fork+0x31/0x50
[ 2474.318898]  ? __pfx_kthread+0x10/0x10
[ 2474.318907]  ret_from_fork_asm+0x1b/0x30
[ 2474.318923]  </TASK>
[ 2474.318927] ---[ end trace 0000000000000000 ]---
[ 2475.878977] 8188eu 1-4:1.0 wlan1: entered promiscuous mode
[ 2493.611521] 8188eu 1-4:1.0 wlan1: left promiscuous mode

[Ragnt]

Which driver is this? It looks like it may be crashing. This was previously unexplained with the open-source drivers for Realtek, and I’m not sure what I am asking of the card that would cause a crash.

…

On Sat, Sep 7, 2024 at 12:50 PM, Daniel Bashukoski ***@***.***(mailto:On Sat, Sep 7, 2024 at 12:50 PM, Daniel Bashukoski <<a href=)> wrote: iwconfig's output (nothing changes while starting angryoxide): lo no wireless extensions. wlan0 IEEE 802.11 ESSID:off/any Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm Retry short limit:7 RTS thr:off Fragment thr:off Power Management:on docker0 no wireless extensions. wlan1 unassociated ***@***.***>" Mode:Monitor Frequency=2.412 GHz Access Point: Not-Associated Sensitivity:0/0 Retry:off RTS thr:off Fragment thr:off Power Management:off Link Quality:0 Signal level:0 Noise level:0 Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0 dmesg's output while running angryoxide is as follows: [ 2474.316722] ------------[ cut here ]------------ [ 2474.316733] WARNING: CPU: 3 PID: 12922 at /var/lib/dkms/realtek-rtl8188eus/5.3.9~git20230921.3fae723/build/core/rtw_mlme_ext.c:12567 rtw_mlmeext_disconnect+0x115/0x170 [8188eu] [ 2474.316996] Modules linked in: mptcp_diag xsk_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag 8188eu(OE) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat nf_tables libcrc32c br_netfilter bridge stp llc ctr ccm overlay qrtr sunrpc binfmt_misc nls_ascii nls_cp437 vfat fat snd_sof_pci_intel_cnl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation uvcvideo snd_sof_intel_hda_mlink soundwire_cadence snd_sof_intel_hda videobuf2_vmalloc snd_sof_pci uvc videobuf2_memops videobuf2_v4l2 snd_sof_xtensa_dsp snd_sof snd_sof_utils videodev soundwire_bus videobuf2_common mc intel_rapl_msr intel_rapl_common intel_uncore_frequency snd_soc_skl intel_uncore_frequency_common snd_soc_hdac_hda intel_pmc_core_pltdrv snd_hda_ext_core intel_pmc_core snd_soc_sst_ipc snd_soc_sst_dsp intel_vsec snd_soc_acpi_intel_match pmt_telemetry snd_soc_acpi [ 2474.317139] pmt_class ath10k_pci ath10k_core x86_pkg_temp_thermal snd_soc_core ath snd_compress snd_pcm_dmaengine intel_powerclamp coretemp mac80211 kvm_intel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic btusb mei_hdcp mei_pxp snd_hda_intel btrtl btintel libarc4 mei_me btbcm snd_intel_dspcfg btmtk snd_intel_sdw_acpi snd_hda_codec kvm snd_hda_core bluetooth cfg80211 snd_hwdep mei snd_pcm iTCO_wdt intel_pmc_bxt sha3_generic jitterentropy_rng iTCO_vendor_support watchdog drbg ansi_cprng ecdh_generic ecc snd_timer snd soundcore ideapad_laptop irqbypass rapl intel_cstate evdev joydev sparse_keymap intel_uncore platform_profile rfkill sg pcspkr intel_pch_thermal intel_wmi_thunderbolt wmi_bmof serio_raw acpi_pad ac acpi_tad efi_pstore configfs nfnetlink efivarfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic i915 sd_mod t10_pi crc64_rocksoft_generic crc64_rocksoft crc_t10dif crct10dif_generic drm_buddy crc64 i2c_algo_bit drm_display_helper ahci libahci hid_rmi cec libata rmi_core rc_core [ 2474.317311] hid_generic crct10dif_pclmul crct10dif_common ttm crc32_pclmul xhci_pci crc32c_intel xhci_hcd i2c_hid_acpi scsi_mod i2c_hid drm_kms_helper ghash_clmulni_intel sha512_ssse3 usbcore intel_lpss_pci hid video intel_lpss i2c_i801 sha512_generic drm sha256_ssse3 sha1_ssse3 i2c_smbus idma64 usb_common scsi_common battery wmi button aesni_intel crypto_simd cryptd [ 2474.317375] CPU: 3 PID: 12922 Comm: RTW_CMD_THREAD Tainted: G W OE 6.8.11-amd64 #1 Kali 6.8.11-1kali2 [ 2474.317385] Hardware name: LENOVO 81MV/LNVNB161216, BIOS ASCN19WW 01/25/2019 [ 2474.317389] RIP: 0010:rtw_mlmeext_disconnect+0x115/0x170 [8188eu] [ 2474.317562] Code: 83 6a 06 00 00 00 c7 83 6c 06 00 00 00 00 00 00 48 8b 44 24 08 65 48 2b 04 25 28 00 00 00 75 60 48 83 c4 10 5b c3 cc cc cc cc <0f> 0b e9 1f ff ff ff c6 44 24 04 00 48 8d 54 24 04 be 59 00 00 00 [ 2474.317568] RSP: 0018:ffffb30449b9fe58 EFLAGS: 00010286 [ 2474.317575] RAX: 0000000080000000 RBX: ffffb30449b19000 RCX: 00000000000001f4 [ 2474.317580] RDX: 0000000000000004 RSI: ffff9f53db34b200 RDI: ffffb30449b19000 [ 2474.317584] RBP: ffff9f53db34b200 R08: 00000000000001f4 R09: 0000000000000000 [ 2474.317589] R10: 0000000000000001 R11: 0000000000000000 R12: ffffb30449b1a128 [ 2474.317593] R13: ffffb30449b1a118 R14: ffffb30449b1a0e8 R15: ffff9f54d0658000 [ 2474.317597] FS: 0000000000000000(0000) GS:ffff9f552a580000(0000) knlGS:0000000000000000 [ 2474.317603] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2474.317608] CR2: 00005623fb0c47e8 CR3: 000000003f020001 CR4: 00000000003706f0 [ 2474.317613] Call Trace: [ 2474.317619] <TASK> [ 2474.317623] ? rtw_mlmeext_disconnect+0x115/0x170 [8188eu] [ 2474.317785] ? __warn+0x81/0x130 [ 2474.317799] ? rtw_mlmeext_disconnect+0x115/0x170 [8188eu] [ 2474.317962] ? report_bug+0x171/0x1a0 [ 2474.317973] ? handle_bug+0x3c/0x80 [ 2474.317982] ? exc_invalid_op+0x17/0x70 [ 2474.317992] ? asm_exc_invalid_op+0x1a/0x20 [ 2474.318006] ? rtw_mlmeext_disconnect+0x115/0x170 [8188eu] [ 2474.318167] disconnect_hdl+0x44/0xc0 [8188eu] [ 2474.318343] rtw_cmd_thread+0x27d/0x3a0 [8188eu] [ 2474.318460] ? __pfx_disconnect_hdl+0x10/0x10 [8188eu] [ 2474.318669] ? __pfx_rtw_cmd_thread+0x10/0x10 [8188eu] [ 2474.318863] kthread+0xe5/0x120 [ 2474.318875] ? __pfx_kthread+0x10/0x10 [ 2474.318885] ret_from_fork+0x31/0x50 [ 2474.318898] ? __pfx_kthread+0x10/0x10 [ 2474.318907] ret_from_fork_asm+0x1b/0x30 [ 2474.318923] </TASK> [ 2474.318927] ---[ end trace 0000000000000000 ]--- [ 2475.878977] 8188eu 1-4:1.0 wlan1: entered promiscuous mode [ 2493.611521] 8188eu 1-4:1.0 wlan1: left promiscuous mode — Reply to this email directly, [view it on GitHub](#45 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AF4YMEXH3SVGX4PT3FR7S63ZVJEWBAVCNFSM6AAAAABNZP4UAGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMZUHE3TKNBTGA). You are receiving this because you commented.Message ID: ***@***.***>

[Sparkpy]

It's saying the crash is occuring at src/main.rs:1221:9, I've recently reinstalled these drivers, and they work flawlessly with hcxdumptool, wifite and the aircrack-ng suite of tools, it could be a very niche issue, or potentially just genuine incompatibility, either way thank you for taking the time to look over this

[Sparkpy]

Sorry for forgetting, I used these drivers made by aircrack-ng:
https://github.com/aircrack-ng/rtl8188eus

[Ragnt]

Realtek isn’t officially supported because the custom drivers aren’t stable. The driver crashing from normal NL80211 commands isn’t something I can likely fix, if anything I would have to research and implement a custom workaround and I just don’t have time when there are plenty of good chipsets out there.

…

On Sat, Sep 7, 2024 at 1:05 PM, Daniel Bashukoski ***@***.***(mailto:On Sat, Sep 7, 2024 at 1:05 PM, Daniel Bashukoski <<a href=)> wrote: Sorry for forgetting, I used these drivers made by aircrack-ng: https://github.com/aircrack-ng/rtl8188eus — Reply to this email directly, [view it on GitHub](#45 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AF4YMEUQZJJHT2FDNCIWO5TZVJGNJAVCNFSM6AAAAABNZP4UAGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMZUHE4DAMZVGQ). You are receiving this because you commented.Message ID: ***@***.***>

[Ragnt]

The issue is very specifically that the driver isn’t sending a channel as part of a Nl80211 New Interface message, and without knowing the channel the AO attack engine can’t continue to run. Other tools generally just ignore it because they aren’t using it directly. (Or they just trust it’s on the right channel) I have tried to dig into it before and always come up empty handed.

…

On Sat, Sep 7, 2024 at 12:59 PM, Daniel Bashukoski ***@***.***(mailto:On Sat, Sep 7, 2024 at 12:59 PM, Daniel Bashukoski <<a href=)> wrote: It's saying the crash is occuring at src/main.rs:1221:9, I've recently reinstalled these drivers, and they work flawlessly with hcxdumptool, wifite and the aircrack-ng suite of tools, it could be a very niche issue, or potentially just genuine incompatibility, either way thank you for taking the time to look over this — Reply to this email directly, [view it on GitHub](#45 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AF4YMETB4QD4UKJHNBLTKDTZVJFV7AVCNFSM6AAAAABNZP4UAGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMZUHE3TQMRTGU). You are receiving this because you commented.Message ID: ***@***.***>

[Sparkpy]

Thank you for the help, eventually I'll find the time and try to fork your repo and make a workaround myself

[Ragnt]

I’m going to keep this open for now as a reference. I have rewrote a bunch of my underlying library that handles netlink for the 2.0 release of AO, and I noticed the same issues, so no promises on a fix anytime soon. But if anyone wants to research and identify the root of this issue (whether it’s AO or the driver) that would be cool.