Fixing EAP auth in wpa_supplicant (or how I spent my Monday evening)

[lnbot]

I got my touchpad just last week, and noticed that it had the same wifi issues at work as my pre+. The device connects once to the wifi network at work then fails to associate every single time after that. Using a copy of wpa_cli, I managed to get an error message: "WPA: Failed to get master session key from EAPOL state machines".

Searching for the wpa_supplicant version (0.6.10) and the error message led me to this bug fix: h__ps://github.com/CyanogenMod/android_external_wpa_supplicant_6/commit/d5d738f45b0b8de2d459d44877c74b01eb45a874.

Long story short, wpa_supplicant on webOS seems to be modified from the original source, and the patch isn't on HP's open source site. Applying the patch and recompiling is out of the question. Out comes objdump.

After over an hour of tracing through spaghetti code, we reach the site of the Cyanogen fix (annotations are mine)

Quote:

32a84: e2505000 subs r5, r0, #0
wpa.c:284 if (!buf) ... return -1 ... goto failed
32a88: 0affffba beq 32978 <wpa_supplicant_process_1_of_4+0x22c>
32a8c: e59a4128 ldr r4, [sl, #296] ; 0x128
32a90: e28a1f61 add r1, sl, #388 ; 0x184
32a94: e59de04c ldr lr, [sp, #76] ; 0x4c
32a98: e308288e movw r2, #34958 ; 0x888e
32a9c: e1a03005 mov r3, r5
32aa0: e5940000 ldr r0, [r4]
32aa4: e58de000 str lr, [sp]
32aa8: e1a0e00f mov lr, pc
32aac: e594f020 ldr pc, [r4, #32]
32ab0: e1a00005 mov r0, r5
(free)
32ab4: ebff6789 bl c8e0 <_init+0x44c>
if (buf) { ... } return -1 ... goto failed
(change to eaffffb3 - jump to return instead of "failed:" label)
32ab8: eaffffae b 32978 <wpa_supplicant_process_1_of_4+0x22c>

Anyway, what this means is if you find these bytes in wpa_supplicant (touchpad, 3.0.2 only):

89 67 ff eb ae ff ff ea

and change them to:

89 67 ff eb b3 ff ff ea

You'll fix an EAP authentication bug that may be affecting your ability to connect to a WPA Enterprise network. It's been working for me, at least... I've had no problems connecting to the wifi network at work since I patched.

Hope this helps someone else.

[gtkansan]

Anyway to have you give us some specific instructions? Id love to fix this issue in both my pre2 and my touchpad.

[lnbot]

Oh, and if you're not handy with a hex editor, get to a command prompt and run these two commands:

cp /usr/sbin/wpa_supplicant /usr/sbin/wpa_supplicant.old
sed -i 's/\x89\x67\xff\xeb\xae\xff\xff\xea/\x89\x67\xff\xeb\xb3\xff\xff\xea/' /usr/sbin/wpa_supplicant

Then at the very least restart luna. And of course, do this at your own risk. This is only for touchpad (3.0.2).

[gtkansan]

Is this the same command needed for the pre2?

[lnbot]

Quote:

Originally Posted by gtkansan

Is this the same command needed for the pre2?

Doubt it. A patch for my 2.1.0 pre+ would almost certainly be different. Don't really have the time to try to patch it at the moment.

[lnbot]

On my pre+ (2.1.0), I edited the byte at offset 0x26c74. The change is the same: ae -> b3. The assembly code is the same except for branch targets, so I won't repost. Surrounding bytes are:

24 76 ff eb ae ff ff ea

It might possibly be the same file on your 2.1.0 pre2, but you should check before editing.

Filesize: 367540
md5sum of the original: 19f90e2d1c9b3a31a06541d4c2ef2d64
md5sum of the fixed file: ada4f2d1ebab280406a1a7d01984641f

As with the touchpad patch, this adds the CyanogenMod fix except for the wpa_printf() call.

One more thing. I found that the sed command I gave before doesn't actually work with the busybox sed that comes with webos. If you have a real linux install somewhere (even the ubuntu chroot one), that command should work... that's actually what I tested it with.

[professordes]

If anyone knows the hex to edit on the pre3, I'm interested

[professordes]

Still no joy on a PEAP-MSCHAPv2 eduroam network with the edit in place on a TouchPad

As far as I know all the relevant certificates are in place too....

[gl2011]

Thanks very much for this, it worked for me. Was a little tough not having used linux commands or a hex editor for 20 years.

Probably not the best or easiest way but I used something call Hexexplorer (first one I found, there are probably better but it worked) in Win7 and the terminal in Webos Quick Install.(was easier than Xterm for me )

Using the terminal I backed up the wpa_supplicant then copied to downloads folder in TP then connected with usb and edited wpa_supplicant with Hexexplorer. I had to do a find for HEX 8967ffebaeffffea and changed as OP said. Then I replaced the original wpa_supplicant and restarted TP and connected to my home wireless with no problem.

Took it to work and tried wireless again, it took a long time then failed where it used to fail quick. Second try it connected quick and stayed connected all day.

P.S. I had already installed our cert and I had to use a proxy app by Rob to be able to browse Internet (forums.precentral.net/hp-touchpad/296589-touchpad-proxy-server-support.html[/url]). My Exchange email works but I don't think my hotmail account did. I got messages to check my account settings and Skype would not sign on.

[wcdolphin]

Great post, does not work for me currently, however.

Stock md5sum
9b4d3b71a1417bbccdf697e749b8f7c9 wpa_supplicant.old

After modding as you said:
1d567cce0292ef799f1a2795a38e4335 wpa_supplicant

Rebooted and I am still receiving a "security certificate required" message-- I am not sure if this is the error you were intending to fix, but it is an issue that is plaguing me!

[professordes]

The webOS 3.04 update fixes PEAP-MSCHAPv2 for me (on eduroam) - a tick box has been added to make it possible to ignore certificate verification.

[lnbot]

Quote:

Originally Posted by professordes

If anyone knows the hex to edit on the pre3, I'm interested

On the Pre3 (2.2.3), the wpa_supplicant is nearly byte for byte identical (except for a handful of bytes) to the touchpad 3.0.2 one. The bytes to edit are the same as in the first post.

md5sums:
1bc9ff9e0af5482b59017b036544063b original
eb3f8b0f66ca13e762f34706c36d41d3 fixed

[professordes]

Quote:

Originally Posted by lnbot

On the Pre3 (2.2.3), the wpa_supplicant is nearly byte for byte identical (except for a handful of bytes) to the touchpad 3.0.2 one. The bytes to edit are the same as in the first post.

md5sums:
1bc9ff9e0af5482b59017b036544063b original
eb3f8b0f66ca13e762f34706c36d41d3 fixed

Thanks,
I'll try that - my pre3 is an international one on 2.2.0, with a bit of luck that may be close enough.

Do you know if this actually works? The edit didn't sort things out for me on the TouchPad, though the 3.04 update did.

[professordes]

Quote:

Originally Posted by professordes

Thanks,
I'll try that - my pre3 is an international one on 2.2.0, with a bit of luck that may be close enough.

Do you know if this actually works? The edit didn't sort things out for me on the TouchPad, though the 3.04 update did.

No joy after making the edit, unfortunately. The md5sums are different on the international 2.2.0 pre3, but the edited byte string looks similar.

As with the touchpad I guess I'll just have to wait/hope for an update....

[lnbot]

Quote:

Originally Posted by professordes

Thanks,
I'll try that - my pre3 is an international one on 2.2.0, with a bit of luck that may be close enough.

Do you know if this actually works? The edit didn't sort things out for me on the TouchPad, though the 3.04 update did.

Yes, I test all of these before I send out the new info. I think the underlying cause of your wifi association problem isn't the same for my problem even though the symptoms are the same.

[gizmo21]

hhm on Pre2 2.2.4 the byte-line is the same as in the first posting but the sed command on wterm did not change the file so i changed it manually on windows using tiny hexer.

b96cbd7dcf5f1b1461877f585951d179 original 2.2.4
937d935f42c580a8f820aadd4716b667 (fixed)

But sadly did not help with my eduroam problem.

I even just copied over the binary wpa_supplicant from 3.0.5 but that did fix it either with eduroam (but works on other working wifi accesspoints)

Will have to look at this: Advanced Wifi - WebOS Internals