Android: qcacld-3.0 driver (not part of the Linux kernel)

[brokestar233]

When using hcxdumptool and airodump-ng on the qcacld3 driver, I encountered a freeze for a period of time whenever the second capture opened on the same channel as the first. Airodump-ng even stuttered during each refresh. After reviewing the logs, I discovered that the freeze occurs when switching to the same channel, specifically at

status = qdf_wait_for_event_completion(
				       &adapter->qdf_monitor_mode_vdev_up_event,
                    WLAN_MONITOR_MODE_VDEV_UP_EVT);

This operation would hang indefinitely until a timeout occurred.

I tried modifying the code, and after the changes, airodump-ng worked fine. However, after launching hcdumptool once, it became impossible to start it again—it even prevented airodump-ng from launching. What should I do?

Below are the changes I made for testing and the video after modification:

static int __wlan_hdd_cfg80211_set_mon_ch(struct wiphy *wiphy,
				       struct cfg80211_chan_def *chandef)
{
	struct hdd_context *hdd_ctx = wiphy_priv(wiphy);
	struct hdd_adapter *adapter;
	struct hdd_monitor_ctx *mon_ctx;
	QDF_STATUS status;
	mac_handle_t mac_handle;
	struct qdf_mac_addr bssid;
	struct channel_change_req *req;
	struct ch_params ch_params = {0};
	int ret;
	enum channel_state chan_freq_state;
	uint8_t max_fw_bw;
	enum phy_ch_width ch_width;
	qdf_freq_t sec_ch_2g_freq = 0;

	hdd_enter();

	ret = wlan_hdd_validate_context(hdd_ctx);
	if (ret)
		return ret;

	mac_handle = hdd_ctx->mac_handle;

	adapter = hdd_get_adapter(hdd_ctx, QDF_MONITOR_MODE);
	if (!adapter)
		return -EIO;

	hdd_debug("%s: set monitor mode freq %d",
		  adapter->dev->name, chandef->chan->center_freq);

	/* Verify channel state before accepting this request */
	chan_freq_state =
		wlan_reg_get_channel_state_for_pwrmode(
						hdd_ctx->pdev,
						chandef->chan->center_freq,
						REG_CURRENT_PWR_MODE);
	if (chan_freq_state == CHANNEL_STATE_DISABLE ||
	    chan_freq_state == CHANNEL_STATE_INVALID) {
		hdd_err("Invalid chan freq received for monitor mode aborting");
		return -EINVAL;
	}

	/* Verify the BW before accepting this request */
	ch_width = hdd_map_nl_chan_width(chandef->width);

	if (ch_width > CH_WIDTH_10MHZ ||
	   (!cds_is_sub_20_mhz_enabled() && ch_width > CH_WIDTH_160MHZ)) {
		hdd_err("invalid BW received %d", ch_width);
		return -EINVAL;
	}

+	mon_ctx = WLAN_HDD_GET_MONITOR_CTX_PTR(adapter->deflink);
+	/* Check if target channel is same as current channel */
+	if (mon_ctx->freq == chandef->chan->center_freq &&
+	    mon_ctx->bandwidth == ch_width) {
+		hdd_info("Target channel and mode is same as current channel and mode channel freq %d and mode %d",
+			  mon_ctx->freq, mon_ctx->bandwidth);
+		return 0;
+	}

	max_fw_bw = sme_get_vht_ch_width();

	if ((ch_width == CH_WIDTH_160MHZ &&
	    max_fw_bw <= WNI_CFG_VHT_CHANNEL_WIDTH_80MHZ) ||
	    (ch_width == CH_WIDTH_80P80MHZ &&
	    max_fw_bw <= WNI_CFG_VHT_CHANNEL_WIDTH_160MHZ)) {
		hdd_err("FW does not support this BW %d max BW supported %d",
			ch_width, max_fw_bw);
		return -EINVAL;
	}

-   mon_ctx = WLAN_HDD_GET_MONITOR_CTX_PTR(adapter->deflink);
	if (WLAN_REG_IS_24GHZ_CH_FREQ(chandef->chan->center_freq) &&
	    chandef->width == NL80211_CHAN_WIDTH_40 &&
	    chandef->center_freq1) {
		if (chandef->center_freq1 > chandef->chan->center_freq)
			sec_ch_2g_freq = chandef->chan->center_freq + 20;
		else if (chandef->center_freq1 < chandef->chan->center_freq)
			sec_ch_2g_freq = chandef->chan->center_freq - 20;
	}
	hdd_debug("set mon ch:width=%d, freq %d sec_ch_2g_freq=%d",
		  chandef->width, chandef->chan->center_freq, sec_ch_2g_freq);
	qdf_mem_copy(bssid.bytes, adapter->mac_addr.bytes,
		     QDF_MAC_ADDR_SIZE);

	ch_params.ch_width = ch_width;
	wlan_reg_set_channel_params_for_pwrmode(hdd_ctx->pdev,
						chandef->chan->center_freq,
						sec_ch_2g_freq, &ch_params,
						REG_CURRENT_PWR_MODE);
	if (wlan_hdd_change_hw_mode_for_given_chnl(adapter,
						   chandef->chan->center_freq,
						   POLICY_MGR_UPDATE_REASON_SET_OPER_CHAN)) {
		hdd_err("Failed to change hw mode");
		return -EINVAL;
	}

	if (adapter->monitor_mode_vdev_up_in_progress) {
		hdd_err_rl("monitor mode vdev up in progress");
		return -EBUSY;
	}

	status = qdf_event_reset(&adapter->qdf_monitor_mode_vdev_up_event);
	if (QDF_IS_STATUS_ERROR(status)) {
		hdd_err_rl("failed to reinit monitor mode vdev up event");
		return qdf_status_to_os_return(status);
	}
	adapter->monitor_mode_vdev_up_in_progress = true;

	qdf_mem_zero(&ch_params, sizeof(struct ch_params));

	req = qdf_mem_malloc(sizeof(struct channel_change_req));
	if (!req)
		return -ENOMEM;

	req->vdev_id = adapter->deflink->vdev_id;
	req->target_chan_freq = chandef->chan->center_freq;
	req->ch_width = ch_width;

	ch_params.ch_width = ch_width;
	hdd_select_cbmode(adapter, chandef->chan->center_freq, sec_ch_2g_freq,
			  &ch_params);

	req->sec_ch_offset = ch_params.sec_ch_offset;
	req->center_freq_seg0 = ch_params.center_freq_seg0;
	req->center_freq_seg1 = ch_params.center_freq_seg1;

	sme_fill_channel_change_request(mac_handle, req, mon_ctx->phy_mode);
	status = sme_send_channel_change_req(mac_handle, req);
	qdf_mem_free(req);

	if (status) {
		hdd_err_rl("Failed to set sme_RoamChannel for monitor mode status: %d",
			   status);
		adapter->monitor_mode_vdev_up_in_progress = false;
		ret = qdf_status_to_os_return(status);
		return ret;
	}

	/* block on a completion variable until vdev up success*/
	status = qdf_wait_for_event_completion(
				       &adapter->qdf_monitor_mode_vdev_up_event,
					WLAN_MONITOR_MODE_VDEV_UP_EVT);
	if (QDF_IS_STATUS_ERROR(status)) {
		hdd_err_rl("monitor vdev up event time out vdev id: %d",
			  adapter->deflink->vdev_id);
		if (adapter->qdf_monitor_mode_vdev_up_event.force_set)
			/*
			 * SSR/PDR has caused shutdown, which has
			 * forcefully set the event.
			 */
			hdd_err_rl("monitor mode vdev up event forcefully set");
		else if (status == QDF_STATUS_E_TIMEOUT)
			hdd_err_rl("monitor mode vdev up timed out");
		else
			hdd_err_rl("Failed monitor mode vdev up(status-%d)",
				  status);

		adapter->monitor_mode_vdev_up_in_progress = false;
		return qdf_status_to_os_return(status);
	}

	hdd_exit();
 
 	return 0;
 }

8aa04b10b76be3945cf3745081eec0f4.2.mp4

[ZerBea]

You can't compare airodump-ng and and hcxdumptool.
The difference between this tools:

• airodump-ng is a passive tool that reads packets from an interface which is running in monitor mode (monitor mode must be supported)
• hcxdumptool is an interactive tool that reads packets from an interface and transmits packets via this interface.(full monitor mode and full packet injection must be supported)

Neither Linux drivers >= ath10k nor the qcacld-3.0 driver support full packet injection:
From Linux Wireless documentation:
Known bugs/limitations:

• packet injection isn’t supported yet

From hcxdumptool's README.md Requirements section:

• WLAN device driver must support monitor and full frame injection mode.

hcxdumptool does not work because the qcacld3 driver does not support full packet injection.

And there are much more limitations on this driver:
Known issues:

• Assoc Request frames not captured (Assoc Response shows up fine)
• cannot see Add BA action frames
• frames do not come up with FCS value in them
• the management frames do not contain mac timestamp as data/control frames

More information about this driver issue is here and here.

[brokestar233]

My native language is not English, so my description may not be clear enough. My main problem is that before this change, although hcxdumptool couldn't send deauth packets, it could capture packets normally. However, after the change, if I start hcxdumptool on the same channel as the current channel of the network card, it can't capture any packets, and it will also prevent airodump-ng from starting after being closed. I want to know how I should modify the source code of qcacld3 to fix this problem.

[ZerBea]

Your code set monitor mode, but packet injection is still not possible.
Without your modification, the driver reports that it can't do full monitor mode and full packet injection and hcxdumptool respects this.
After your modification the driver reports that it can do full monitor mode and full packet injection - but that is not the case. As a result, the driver crashes straight after hcxdumptool transmit a packet.
As long as you don't add full packet injection mode to the driver, hcxdumptool will not work and the driver crashes.

[brokestar233]

Because the driver crashed straight after hcxdumptool tries to AUTHENTICATE with a target. Your code set monitor mode, but packet injection is still not possible. As a result, the driver crashes straight after hcxdumptool transmit a packet. As long as you don't add full packet injection mode to the driver, hcxdumptool will not work and the driver crashes.

Okay, I'll try to add frame injection.

[ZerBea]

Important notice:
It's not enough to patch the driver. The firmware must support full monitor mode and full frame injection, too!
Not every firmware support this!

[brokestar233]

Important notice: It's not enough to patch the driver. The firmware must support full monitor mode and full frame injection, too! Not every firmware support this!

The worst-case scenario may have occurred. I've tried to add frame injection support at the driver layer, and according to the logs, the transmission was indeed successful. However, in reality, no frames were sent. I'm not sure if there's a problem with my handling. Here are my changes.

Terminal output:

~/wifi $ sudo ifconfig wlan0                                                                       
wlan0: flags=867<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI>  mtu 1500
        unspec A8-C5-6F-0C-BD-B1-94-32-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 1110  bytes 347718 (339.5 KiB)
        RX errors 0  dropped 927  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

~/wifi $ sudo aireplay-ng -9 wlan0                                                                 
01:08:24  Trying broadcast probe requests...
01:08:26  No Answer...
01:08:26  Found 13 APs

01:08:26  Trying directed probe requests...
01:08:26  20:6B:E7:DA:89:EB - channel: 6 - 'TP-LINK_89EB'
^C/21:   0%
~/wifi $ sudo ifconfig wlan0
wlan0: flags=867<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI>  mtu 1500
        unspec A8-C5-6F-0C-BD-B1-94-32-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 3113  bytes 943041 (920.9 KiB)
        RX errors 0  dropped 2290  overruns 0  frame 0
        TX packets 87  bytes 2730 (2.6 KiB)
        TX errors 0  dropped 21 overruns 0  carrier 0  collisions 0

dmesg:

[   76.806429] dp_start_xmit: Starting packet transmission
[   76.806430] dp_start_xmit: Updated tx statistics
[   76.806430] dp_start_xmit: Setting notify completion flag
[   76.806431] dp_start_xmit: Getting packet type
[   76.806431] dp_start_xmit: Processing packet type 0
[   76.806432] dp_start_xmit: Adding timestamp to packet
[   76.806432] dp_start_xmit: Getting transmit MAC address
[   76.806433] dp_start_xmit: Getting TX resources
[   76.806433] dp_start_xmit: Checking IPA ownership
[   76.806434] dp_start_xmit: Orphaning nbuf
[   76.806434] dp_start_xmit: Acquiring skb for tracking
[   76.806435] dp_start_xmit: Updating network statistics
[   76.806435] dp_start_xmit: Regular packet, incrementing packet count
[   76.806436] dp_start_xmit: Logging EAPOL packet
[   76.806436] dp_start_xmit: Setting DP trace tracking
[   76.806437] dp_start_xmit: Recording DP trace
[   76.806437] dp_start_xmit: Checking packet type for ICMP processing
[   76.806437] dp_start_xmit: Linearizing nbuf if needed
[   76.806438] dp_start_xmit: Checking if TX function is registered
[   76.806438] dp_start_xmit: Fixing broadcast EAPOL if needed
[   76.806439] dp_start_xmit: Calling TX function
[   76.806440] dp_start_xmit: Packet transmitted successfully
[   76.806447] [soft_i][0x5d4aa8a9][16:52:01.062548] peach_v2: [0:I:HDD] __hdd_hard_start_xmit: Monitor mode: sending raw pack SUCCESS

[ZerBea]

It's inot a good dea to use ifconfig on modern drivers. This tool (and some other ones depend on Wireless Extensions (WEXT). This extensions are deprecated and replaced by modern tools.
Also you should know that aireplay-ng does not transmit all kinds of frame types. For you test, it only transmit PROBEREQUEST frames and count incoming ACK frames.

Your changes looking good. Unfortunately we don't know whether the firmware accepts them or not.
I love your expanded packet stats. It provide much more information than stupid counting ACK frames. Maybe @kimocoder has an idea. He did some great research about devices that support frame injection, so we should invite him here.

[kimocoder]

I have some info here. This fixed the monitor mode switching

kimocoder/android_kernel_oneplus_avicii@a8ac9d8

[kimocoder]

This fixed the "Monitor Mode not supported" issue, because Qcom removed it, and switching mode with iw will work again.

[ZerBea]

@kimocoder , great, thanks for this information. Unfortunately frame injection is still unsupported by the driver. On the bright side, this is not an issue of hcxdumptool.

[brokestar233]

This method doesn't seem to work. I tried to add it, but during today's test, I encountered a kernel panic.

logs:

[ 1625.255943][T18955] [kworke][0x74ddcf830][07:32:02.052894] peach_v2: [18955:E:WMA] wma_get_dp_peer_stats: Unable to find peer [00:00:00:**:**:00]
[ 1625.255948][T18955] [kworke][0x74ddcf88d][07:32:02.052899] peach_v2: [18955:E:HDD] wlan_hdd_cfg80211_link_layer_stats_callback: Obsolete request
[ 1625.255956][T18955] [kworke][0x74ddcf929][07:32:02.052907] peach_v2: [18955:E:WMA] wma_get_dp_peer_stats: Unable to find peer [00:00:00:**:**:00]
[ 1625.255961][T18955] [kworke][0x74ddcf983][07:32:02.052912] peach_v2: [18955:E:HDD] wlan_hdd_cfg80211_link_layer_stats_callback: Obsolete request
[ 1625.256003][T18955] [kworke][0x74ddcfcaf][07:32:02.052954] peach_v2: [18955:E:WMA] wma_get_dp_peer_stats: Unable to find peer [00:00:00:**:**:00]
[ 1625.256008][T18955] [kworke][0x74ddcfd18][07:32:02.052960] peach_v2: [18955:E:HDD] wlan_hdd_cfg80211_link_layer_stats_callback: Obsolete request
[ 1625.256017][T18955] [kworke][0x74ddcfdb5][07:32:02.052968] peach_v2: [18955:E:WMA] wma_get_dp_peer_stats: Unable to find peer [00:00:00:**:**:00]
[ 1625.256043][T18955] [kworke][0x74ddcffa4][07:32:02.052994] peach_v2: [18955:E:HDD] wlan_hdd_cfg80211_link_layer_stats_callback: Obsolete request
[ 1625.256051][T18955] [kworke][0x74ddd0046][07:32:02.053002] peach_v2: [18955:E:WMA] wma_get_dp_peer_stats: Unable to find peer [00:00:00:**:**:00]
[ 1625.256055][T18955] [kworke][0x74ddd009f][07:32:02.053007] peach_v2: [18955:E:HDD] wlan_hdd_cfg80211_link_layer_stats_callback: Obsolete request
[ 1625.561585][T14953] gsi soc:qcom,msm_gsi: gsi_stop_channel:3679 chan=1 busy try again
[ 1625.563646][T14953] gsi soc:qcom,msm_gsi: gsi_stop_channel:3679 chan=14 busy try again
[ 1625.593780][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] host pm_state:SYS ERROR Detect dev_state:SYS ERROR ee:RAMDUMP DOWNLOAD MODE
[ 1625.593800][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] device ee: RAMDUMP DOWNLOAD MODE dev_state: SYS ERROR
[ 1625.593807][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: BHI_ERRDBG2 val: 0x1325d2f, ret: 0
[ 1625.593820][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: BHI_ERRDBG3 val: 0x25c, ret: 0
[ 1625.593826][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: BHI_ERRDBG1 val: 0x0, ret: 0
[ 1625.593832][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: BHI_ERRCODE val: 0x0, ret: 0
[ 1625.593839][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: BHI_EXECENV val: 0x3, ret: 0
[ 1625.593845][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: BHI_STATUS val: 0x923db60c, ret: 0
[ 1625.593851][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: MHI_CNTRL val: 0x400, ret: 0
[ 1625.593857][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: MHI_STATUS val: 0xff05, ret: 0
[ 1625.593864][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: MHI_WAKE_DB val: 0x0, ret: 0
[ 1625.593870][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: BHIE_TXVEC_DB val: 0x0, ret: 0
[ 1625.593876][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: BHIE_TXVEC_STATUS val: 0x0, ret: 0
[ 1625.593883][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: BHIE_RXVEC_DB val: 0x11dbce37, ret: 0
[ 1625.593889][T24106] mhi mhi_110e_00.01.00: [E][mhi_debug_reg_dump] reg: BHIE_RXVEC_STATUS val: 0x0, ret: 0
[ 1625.898361][T24106] mhi mhi_110e_00.01.00: [E][mhi_process_sfr] cmnos_assert_patched.c:604:0x8Asserted in:0x18675f8:0x1814ea8, line#290
[ 1625.898558][T24106] Kernel panic - not syncing: subsys-restart: Resetting the SoC wlan crashed
[ 1625.898563][T24106] CPU: 3 PID: 24106 Comm: kworker/u16:4 Tainted: G        W  O       6.6.112-android15-8-gf4dc45704e54-abogki446052083-4k #1 6865eff5eee0593154ebabe2353bda2950f7be18
[ 1625.898570][T24106] Hardware name: Qualcomm Technologies, Inc. Sun MTP,dodge (DT)
[ 1625.898573][T24106] Workqueue: cnss_driver_event cnss_driver_event_work [cnss2]
[ 1625.898645][T24106] Call trace:
[ 1625.898647][T24106]  dump_backtrace+0xe8/0x120
[ 1625.898655][T24106]  show_stack+0x18/0x24
[ 1625.898658][T24106]  __dump_stack+0x28/0x34
[ 1625.898663][T24106]  dump_stack_lvl+0x2c/0x58
[ 1625.898668][T24106]  panic+0x2a4/0x394
[ 1625.898671][T24106]  cnss_recovery_handler+0x170/0x1d8 [cnss2 99e946836aa8a73f706b013eaff8e7ddb754a767]
[ 1625.898720][T24106]  cnss_pci_device_crashed+0x30/0xfc [cnss2 99e946836aa8a73f706b013eaff8e7ddb754a767]
[ 1625.898766][T24106]  cnss_bus_device_crashed+0x4c/0xa8 [cnss2 99e946836aa8a73f706b013eaff8e7ddb754a767]
[ 1625.898812][T24106]  cnss_driver_event_work+0x18d4/0x1d98 [cnss2 99e946836aa8a73f706b013eaff8e7ddb754a767]
[ 1625.898859][T24106]  process_scheduled_works+0x230/0x768
[ 1625.898866][T24106]  worker_thread+0x19c/0x3b0
[ 1625.898870][T24106]  kthread+0x100/0x154
[ 1625.898877][T24106]  ret_from_fork+0x10/0x20
[ 1625.898885][T24106] SMP: stopping secondary CPUs

[dart8888]

приветствую у меня похожая проблема?

режим монитора и Injection начинает полноценно работать только после применения связки команд:

rmmod rtw88_8821ce
modprobe rtw88_8821ce
rmmod rt2800usb
modprobe rt2800usb
airmon-ng check kill

как будто бы привязываются к домашнему каналу и не видит других точек доступа
Это можно исправить?

[dart8888]

Вот как выглядит ДО:

[dart8888]

опытном путём заметил, что команда:
systemctl disable NetworkManager.service
экспериментальным путём после перезагрузки оживляет режим монитора и инъекций пакетов, то есть всё начинает работать как и надо.
единственный минус этого опыта - это то что интернет не работает, но это решается командой:
systemctl restart NetworkManager. появляется интернет, но USB адаптер может "упасть" и "залипнуть" опять на "домашнем" канале.

[ZerBea]

@brokestar233 , the Qualcomm driver need a complete refresh. Otherwise, packet injection will never work.

@dart8888 it doesn't make sense to compare airodump-ng with hcxdumptool.
airodump -ng is passive (need monitor mode only)) while hcxdumptool is active (need monitor mode and packet injection support)

Never ever use commands designed for the aircrack-ng suite in combination with hcxdumptool!
This is mentioned in --help:

Important recommendation:
-------------------------
Do not run hcxdumptool on a shared interface, because this leads to an unexpected behavior!
Do not set monitor mode by third party tools (e.g. iwconfig)!
Do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)!
Do not use virtual machines or emulators!
Do not use tools to change the virtual MAC (like macchanger)!
Do not merge (pcapng) dump files, because this destroys assigned hash values!

Some additional information:

rtw88_8821ce is working:

$ uname -r
6.19.6-arch1-1

$ lspci
04:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network Adapter

$ hcxdumptool -l
  0	  3	f03f03b5bbc9	f03f03b5bbc9	+	wlp4s0          	rtw88_8821ce	NETLINK

$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service
$ sudo hcxdumptool --rcascan=active
^C
143 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
exit on sigterm

rt2800usb is working:

$ uname -r
6.19.6-arch1-1
$ lsusb
Bus 005 Device 005: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter

$ hcxdumptool -l
  2	  5	c83a35cc88c9	c83a35cc88c9	+	wlp48s0f4u2u4   	rt2800usb	NETLINK

$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service
$ sudo hcxdumptool --rcascan=active
^C
196 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
73 BEACON(s) received
4 PROBEREQUEST(s) transmitted
14 PROBERESPONSE(s) received
6 undirected PROBEREQUEST(s) received
10 ACCESS POINT(s) discovered
5 ACCESS POINT(s) responded
exit on sigterm

Please note:
Running an external usb adapter with an external antenna is a hundred times more effective than running an internal PCIe card!
From hcxdumptool's README.md:

Absolutely not recommended:
All kinds of WiFi PCIe cards, due to massive [interference](https://duckduckgo.com/?t=ffab&q=Static+Interference+from+PCIe+wifi&ia=web)

[brokestar233]

Got it. I'm going to refer to @dr1408's changes and add frame injection.

[dr1408]

I guess working fine first time for me to use this tool

[ZerBea]

That's exactly what it should look like. It's nice that it works now for you.

[dr1408]

Yes the tool is cool it captured 6 handshakes the issue is that hashcat 22000 mode doesnt work on nethunter but it cool you can crack on another setup

[ZerBea]

Same situation. Just as hcxdumptool needs a "working" WiFi driver, hashcat/john needs a working GPU driver. Usually, this is not the case on common smart phones.