
Configuration protocol of the VAP 11G wireless bridge

This device, manufactured by vonets.com, is a simple Ethernet-to-WLAN bridge. It allows any device with a wired (Cat5) network connection to connect to a WLAN network, i.e. it is a small device that establishes a WLAN connection and forwards everything received on its WLAN interface to the wired interface (and vice versa). The computer behind the bridge does not have to support WLAN at all; all WLAN settings are made on the device itself!

  • The configuration is done via a custom ethernet II protocol (ethertype 0x8888), so the device itself does NOT get an IP address.
  • There are two types of (binary) commands:
    • control commands (device detection, status request) and
    • configuration submission/retrieval commands. Their payload is a pure-text configuration format and is used by other devices, too (e.g. the HP2101nw wireless G USB print server and some other print servers and network USB server devices). Those other devices do use other configuration transports, though (the hp2101nw uses a USB connection, some print servers use ftp to transfer those configuration files).

The Ethernet II packet format (ethertype 0x8888)

A sample packet:

  0000  00 17 13 11 fc d0 08 00 27 51 a4 a2 88 88 01 01   ........'Q......
  0010  01 00 00 00 00 00 07 00 39 31 30 37 3a 0d 0a 00   ........9107:...
  0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
  0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

The first 14 bytes are the Ethernet II header (destination MAC, source MAC, Ethernet II proto), the rest is the actual 0x8888 packet, which will be described below. Both outgoing and incoming packets use the same format.

General structure of the 0x8888 packet (hex)

 cc cc uu 00 00 00 rr rr ll ll [dd dd dd dd dd ...]
| byte | description |
|---|---|
| 0-1 | command |
| 2 | FIXME: UNKNOWN |
| 3-5 | Always 0x00 |
| 6-7 | # of remaining packets |
| 8-9 | Length of the data (bytes 10-…), in little endian |
| 10-length | Data contents (in configuration file format). The first two bytes of a return packet are STATUS. |
| length+1 - 63 | Padding with 0x00 to have at least 64 bytes |
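A decoder and encoder for this layout, as an added example that is not part of the original page. The names `parse_frame`, `build_frame` and `HDR` are made up for the example; reading bytes 6-7 as little endian and padding the whole frame to 64 bytes are assumptions taken from the captures on this page.

```python
import struct

ETHERTYPE = 0x8888
# command (2) | byte 2, unknown (1) | zero (3) | remaining packets (2) | data length (2)
# "<" = little endian; the page states this for the length, for bytes 6-7 it is assumed.
HDR = struct.Struct("<2sB3sHH")

def parse_frame(frame: bytes) -> dict:
    """Decode one raw Ethernet II frame carrying the 0x8888 protocol."""
    if len(frame) < 14 + HDR.size:
        raise ValueError("too short for Ethernet II + 0x8888 header")
    dst, src, etype = struct.unpack_from("!6s6sH", frame)
    if etype != ETHERTYPE:
        raise ValueError("ethertype is not 0x8888")
    cmd, byte2, _zero, remaining, length = HDR.unpack_from(frame, 14)
    data = frame[14 + HDR.size:14 + HDR.size + length]
    if len(data) != length:
        # Never trust the length field beyond the bytes actually received.
        raise ValueError("length field exceeds frame size")
    # Anything after `length` bytes is padding or stray data and is ignored.
    return {"dst": dst.hex(), "src": src.hex(), "command": tuple(cmd),
            "byte2": byte2, "remaining": remaining, "data": data}

def build_frame(dst: bytes, src: bytes, command: tuple, byte2: int,
                data: bytes = b"") -> bytes:
    """Encode a request, zero-padded to 64 bytes like the sample capture."""
    frame = struct.pack("!6s6sH", dst, src, ETHERTYPE)
    frame += HDR.pack(bytes(command), byte2, b"\0\0\0", 0, len(data)) + data
    return frame.ljust(64, b"\0")

# The sample packet shown above, re-typed from its hex dump.
SAMPLE_REQUEST = bytes.fromhex(
    "00171311fcd0" "08002751a4a2" "8888" "0101" "01" "000000" "0000" "0700"
    "393130373a0d0a") + bytes(33)
# A 0x02 0x01 response from the capture on this page, with its trailing bytes.
SAMPLE_RESPONSE = bytes.fromhex(
    "08002751a4a2" "00171311fcd0" "8888" "0201" "01" "000000" "0000" "0200"
    "0000" "00008c610ed0")

if __name__ == "__main__":
    print(parse_frame(SAMPLE_REQUEST))
    print(parse_frame(SAMPLE_RESPONSE))
```

Because the decoder slices by the declared length, the bytes that follow the two status bytes in the response never reach the caller, and a frame whose length field points past its end is rejected instead of being read short.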

Known Commands

| Command | Description | Data content | Return value | Comment |
|---|---|---|---|---|
| 0x00 0x00 | Device information | NONE | 0x38 bytes | also sent as broadcast |
| 0x00 0x01 | Get device status | NONE | 2 bytes (0=OK) | |
| 0x01 0x01 | Send config data | cfg data | 2 bytes (status, 0=OK) | |
| 0x02 0x01 | Request return config data | NONE | config data (variable length) | |

Order of commands to configure the device

  1. Broadcast of 0x00 0x00 (detect available devices, request device info), 5 seconds timeout
    1. device info response (0x00 0x00 command, 0x38 bytes return data)
  2. 0x00 0x00 to each detected MAC address, device info response
  3. Let the user select one of the detected devices to be configured
  4. 0x00 0x01 request status to selected device, status response
  5. 0x01 0x01 send config (command 9107: start WLAN scan), status response
    1. 0x02 0x01 request device response, 0x02 0x01 response with 2 bytes (0x00)
  6. Wait 10 seconds for the WLAN scan to complete
  7. 0x01 0x01 send config (command 9100: get config), status response
    1. 0x02 0x01 request device response, 0x02 0x01 response with full configuration (2 packets)
    2. 0x02 0x01 0x03 request for further packet, no response at all
  8. Ask the user for the wireless network, security settings and passphrase
  9. 0x00 0x01 request status, status response
  10. 0x01 0x01 send config (config format with all changed settings), status response
    1. 0x02 0x01 request device response, 0x02 0x01 response with 2 bytes (0x00)
  11. 0x00 0x01 request status, status response
  12. 0x01 0x01 send config (command 9002: reset device), status response
    1. 0x02 0x01 request device response, 0x02 0x01 response with 2 bytes (0x00)

Full packet sniff obtained with Wireshark: vap11g_config.txt

Communication structure of configuration data exchange

Sending a command to the device

  1. 0x01 0x01 send config (command 9107: start WLAN scan), status response
    1. 0x02 0x01 request device response, 0x02 0x01 response with 2 bytes (0x00), some (random?) data after the end
0000  00 17 13 11 fc d0 08 00 27 51 a4 a2 88 88 01 01   ........'Q......
0010  01 00 00 00 00 00 07 00 39 31 30 37 3a 0d 0a      ........9107:..
    0000  08 00 27 51 a4 a2 00 17 13 11 fc d0 88 88 01 01   ..'Q............
    0010  00 00 00 00 00 00 02 00 00                        .........
0000  00 17 13 11 fc d0 08 00 27 51 a4 a2 88 88 02 01   ........'Q......
0010  02 00 00 00 00 00 00 00                           ........
    0000  08 00 27 51 a4 a2 00 17 13 11 fc d0 88 88 02 01   ..'Q............
    0010  01 00 00 00 00 00 02 00 00 00 00 00 8c 61 0e d0   .............a..

Requesting data from the device

  1. 0x01 0x01 send config (command 9100: get config), status response
    1. 0x02 0x01 request device response, 0x02 0x01 response with full configuration (2 packets)
    2. 0x02 0x01 0x03 request for further packet, no response at all
0000  00 17 13 11 fc d0 08 00 27 51 a4 a2 88 88 01 01   ........'Q......
0010  01 00 00 00 00 00 07 00 39 31 30 30 3a 0d 0a      ........9100:..
    0000  08 00 27 51 a4 a2 00 17 13 11 fc d0 88 88 01 01   ..'Q............
    0010  00 00 00 00 00 00 02 00 00                        .........
0000  00 17 13 11 fc d0 08 00 27 51 a4 a2 88 88 02 01   ........'Q......
0010  02 00 00 00 00 00 00 00                           ........
    0000  08 00 27 51 a4 a2 00 17 13 11 fc d0 88 88 02 01   ..'Q............
    0010  01 00 00 00 01 00 32 00 00 00 30 30 30 31 20 42   ......2...0001 B
    0020  4f 58 5f 4e 41 4d 45 3a 56 41 50 31 31 47 0a 30   OX_NAME:VAP11G.0
    0030  30 30 32 20 4d 41 43 5f 41 44 44 52 3a 30 30 31   002 MAC_ADDR:001
    0040  37 31 33 31 31 46 43 44 30 0a                     71311FCD0.
[2nd response packet directly afterward:]
    0000  08 00 27 51 a4 a2 00 17 13 11 fc d0 88 88 02 01   ..'Q............
    0010  02 00 00 00 00 00 85 03 00 00 37 30 30 30 20 53   ..........7000 S
    0020  53 49 44 3a 54 72 61 66 6f 73 74 61 74 69 6f 6e   SID:Trafostation
    [... Rest of packet]
    0380  35 37 62 38 65 35 2c 32 2c 47 2c 31 2c 31 30 0b   57b8e5,2,G,1,10.
    0390  0a 37 30 32 32 20 42 41 4e 44 3a 30 0a            .7022 BAND:0.
0000  00 17 13 11 fc d0 08 00 27 51 a4 a2 88 88 02 01   ........'Q......
0010  03 00 00 00 00 00 00 00                           ........

Configuration data format

Configuration data consists of \n-separated lines (i.e. 0x0a linefeed). Each entry has the form

OPTIONID [OPTIONNAME]:VALUE

The OPTIONID is followed by an ordinary space (0x20). The OPTIONNAME is typically empty when sending data from the USB host to the device. VALUE can be empty or any other string describing the option value.

Device option ranges

| Range | Command types |
|---|---|
| 0xxx | General system settings (hostname, L1/L2/L3) |
| 4xxx | IP address, DHCP, router, etc. settings |
| 5xxx | Unknown (only set, but not returned with configuration) |
| 70xx | Infrastructure wireless settings |
| 71xx | Ad-hoc wireless settings |
| 9xxx | Device commands (sent to the device) |

Device commands

To send a command (e.g. reset, retrieve config data, etc.) to the device, the same format is used as described above. All commands start with 9xxx and typically don't have any value.

| Command | Description | Return value |
|---|---|---|
| 9002 | Reset device | Empty responses (only header) until device is shut down and does not return anything |
| 9100 | Request configuration from the device | full device config |
| 9107 | Start WLAN scan | empty (only header) |

Sample configuration returned by the 9100 command:

0001 BOX_NAME:VAP11G
0002 MAC_ADDR:00171311FCD0
7000 SSID:Trafostation
7001 DOMAIN:16
7002 CHANNEL:
7003 SECMODE:3
7004 KEY_LEN:32
7005 DEFAULTKEY:0
7006 KEY0:0000000000000000000000000000000000000000000000000000000000000000
7007 KEY1:0000000000000000000000000000000000000000000000000000000000000000
7008 KEY2:0000000000000000000000000000000000000000000000000000000000036400
7009 KEY3:0000000000000000000000000000000364002B092A0900000000000000000000
7012 AUTHEN:3
7013 MODE:0
7014 LINKINFO:SSID:Trafostation\x0bSTATE:Scanning\x0bCHANNEL:\x0bSECURITY:3\x0bTX:0\x0bRX:0\x0bQUALITY:Poor(0%)\x0bSTRENGTH:Poor(0%)\x0b
7017 WPA:WPA2
7018 PSKALSET:1
7019 PSKKEY:12345678
7020 PSKAL:TKIP;
7021 SURVEY:[see below]
7022 BAND:0

Format of the 7021 SURVEY variable:

SSID[formfeed 0x0c]MAC-address,channel,A/B/G,encryption,signal,AP/Adhoc[linetab 0x0b]

where

| variable | description |
|---|---|
| SSID | String containing the SSID of the access point or ad-hoc network |
| MAC-address | Hex string of the AP MAC address (lower-case) without : delimiters |
| channel | WiFi channel (0-11) |
| A/B/G | WiFi version (A, B, G) |
| encryption | 0=None, 1=WEP, 4=WPA2-PSK, 6=WPA2-PSK, 7=WPA-PSK, 8=WPA2 |
| signal | 0/10/20/30/40/50 (max. 50) |
| AP/Adhoc | 0=AP, 1=Ad-hoc network |

Above example in human-readable format:

eduroam[formfeed]b4a4e3b4f720,5,G,8,10,0[linetab]
wlanipsec[formfeed]b4a4e3b4f721,5,G,0,20,0[linetab]
amaci.at[formfeed]001d7e30d80b,6,G,4,10,0[linetab]
UPC011025[formfeed]001e6962d1fa,1,G,1,10,0[linetab]
tunet[formfeed]b4a4e3b4f723,5,G,0,10,0[linetab]
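A parser for the configuration format and the 7021 SURVEY value described above, as an added example that is not part of the original page. The function names are made up for the example, and the sample text is constructed by abridging the listings above and substituting the real control bytes (0x0c, 0x0b) for the placeholders.

```python
ENCRYPTION = {0: "None", 1: "WEP", 4: "WPA2-PSK", 6: "WPA2-PSK",
              7: "WPA-PSK", 8: "WPA2"}

def parse_config(text: str) -> dict:
    """Map OPTIONID -> (OPTIONNAME, VALUE) for 0x0a-separated config data."""
    options = {}
    # split("\n"), not splitlines(): splitlines() would also break on the
    # 0x0b/0x0c bytes used inside the LINKINFO and SURVEY values.
    for line in text.split("\n"):
        if not line.strip():
            continue
        head, sep, value = line.partition(":")   # values may contain ':' themselves
        optid, _, name = head.partition(" ")
        if not sep or len(optid) != 4 or not optid.isdigit():
            raise ValueError(f"malformed config line: {line!r}")
        options[optid] = (name, value.rstrip("\r"))
    return options

def parse_survey(value: str) -> list:
    """Split a 7021 SURVEY value into one dict per detected network."""
    networks = []
    for entry in value.split("\x0b"):
        if not entry:
            continue
        # The SSID is chosen by whoever runs the nearby network, so split on
        # the last form feed and check the field count before converting.
        ssid, sep, rest = entry.rpartition("\x0c")
        fields = rest.split(",")
        if not sep or len(fields) != 6:
            raise ValueError(f"malformed survey entry: {entry!r}")
        mac, channel, standard, enc, signal, adhoc = fields
        networks.append({
            "ssid": ssid, "mac": mac, "channel": int(channel),
            "standard": standard, "signal": int(signal), "adhoc": adhoc == "1",
            "encryption": ENCRYPTION.get(int(enc), f"unknown({enc})")})
    return networks

# Constructed sample: abridged from the 9100 response and survey listing above.
SAMPLE = (
    "0001 BOX_NAME:VAP11G\n"
    "7000 SSID:Trafostation\n"
    "7014 LINKINFO:SSID:Trafostation\x0bSTATE:Scanning\x0b\n"
    "7021 SURVEY:eduroam\x0cb4a4e3b4f720,5,G,8,10,0\x0b"
    "wlanipsec\x0cb4a4e3b4f721,5,G,0,20,0\x0b"
    "UPC011025\x0c001e6962d1fa,1,G,1,10,0\x0b\n"
    "7022 BAND:0\n")
```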

Setting the wlan access point

Changing settings on the device works by simply sending a new configuration file containing only those options that should be changed. Example: WLAN settings: ESSID "kainhofer", passphrase "reinhold", addresses via DHCP

0000  00 17 13 11 fc d0 08 00 27 51 a4 a2 88 88 01 01   ........'Q......
0010  01 00 00 00 00 00 85 00 37 30 30 30 20 3a 6b 61   ........7000 :ka
0020  69 6e 68 6f 66 65 72 0a 37 30 30 31 20 3a 31 36   inhofer.7001 :16
0030  0a 37 30 30 32 20 3a 30 0a 37 30 30 33 20 3a 32   .7002 :0.7003 :2
0040  0a 37 30 30 34 20 3a 33 32 0a 37 30 30 35 20 3a   .7004 :32.7005 :
0050  30 0a 37 30 30 36 20 3a 0a 37 30 30 37 20 3a 0a   0.7006 :.7007 :.
0060  37 30 30 38 20 3a 0a 37 30 30 39 20 3a 0a 37 30   7008 :.7009 :.70
0070  31 32 20 3a 33 0a 37 30 31 33 20 3a 30 0a 37 30   12 :3.7013 :0.70
0080  31 38 20 3a 30 0a 37 30 31 39 20 3a 72 65 69 6e   18 :0.7019 :rein
0090  68 6f 6c 64 0a 37 30 32 32 20 3a 30 0a            hold.7022 :0.

Human-readable form of the config data sent to the device:

All configuration variables

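| Var. ID | Var. name | Value | Comments |
|---|---|---|---|
| 0001 | "BOX_NAME" | VAP11G | |
| 0002 | "MAC_ADDR" | 00171311FCD0 | |
| 7000 | "SSID" | kainhofer | |
| 7001 | "DOMAIN" | 10 | |
| 7002 | "CHANNEL" | 5 | |
| 7003 | "SECMODE" | 0 | |
| 7004 | "KEY_LEN" | 0 | |
| 7005 | "DEFAULTKEY" | 0 | |
| 7006 | "KEY0" | | |
| 7007 | "KEY1" | | |
| 7008 | "KEY2" | | |
| 7009 | "KEY3" | | |
| 7012 | "AUTHEN" | 1 | |
| 7013 | "MODE" | 0 | |
| 7014 | "LINKINFO" | Trafostation\x0bSTATE:Scanning\x0bCHANNEL:\x0bSECURITY:3\x0bTX:0\x0bRX:0\x0bQUALITY:Poor(0%)\x0bSTRENGTH:Poor(0%)\x0b | |
| 7017 | "WPA" | WPA2 | |
| 7018 | "PSKALSET" | 0 | |
| 7019 | "PSKKEY" | | |
| 7020 | "PSKAL" | TKIP;AES; | |
| 7021 | "SURVEY" | | |
| 7022 | "BAND" | 0 | |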
hardware/vap11g_wlan_bridge.txt · Last modified: 2013/03/13 10:42 by 127.0.0.1
