Rpi 3A+/3B+/4B wifi - BCM4345 and CTRL-EVENT-ASSOC-REJECT when using handshake offloading

I encountered an issue with the wifi on my 3A+/4B not willing to connect to my AP, while my 3B was perfectly happy with it. Turns out it's a driver issue with 'brcmfmac' and the BCM4345 chipset that's in newer RPI models.
I'm using raspios bullseye (2022-09-22-raspios-bullseye-arm64-lite.img.xz).

wpa_supplicant kept insisting that CTRL-EVENT-ASSOC-REJECT, i.e: 

sudo wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0
Successfully initialized wpa_supplicant
wlan0: Trying to associate with **:**:**:**:**:** (SSID='foo' freq=2417 MHz)
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=**:**:**:**:**:** status_code=16
wlan0: Trying to associate with **:**:**:**:**:** (SSID='foo' freq=2417 MHz)
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=**:**:**:**:**:** status_code=16
wlan0: Trying to associate with **:**:**:**:**:** (SSID='foo' freq=2417 MHz)
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=**:**:**:**:**:** status_code=16
[etc]

Why is this happening ?

After a LOT of troubleshooting and tests, and web searching, I stumbled upon several interesting pages and bug reports :

From the wiki linked above :

Certain drivers support offloading the 4-way handshake as well as SAE/WPA3 into the firmware. For drivers which do not support user space driven Authenticate/Associate frames this is the only way to enable features such as SAE/WPA3 or Fast Transition roaming. Handshake offloading (both WPA2 and WPA3) is enabled in IWD by default for drivers which advertise support. The driver support, however, can be disabled on brcmfmac which will be discussed further. Handshake offloading has only been tested on the brcmfmac driver, and this wiki page assumes this driver is being used.

If you are using brcmfmac and are experiencing problems such as not being able to connect to a network which you previously could, you may want to disable handshake offloading.

The brcmfmac driver has a module parameter called 'feature_disable'. It expects a hex value (bitmask) where each bit corresponds to a feature [...]. The features we care about here are 'SAE' and 'FWSUP'. These features (when enabled) are listed in /sys/kernel/debug/ieee80211//features so you can first see if your card even supports these before trying to debug further.

On the rpi 3A+ and 4B, here'is what /sys/kernel/debug/ieee80211/<phy>/features gives us : 

# cat /sys/kernel/debug/ieee80211/phy0/features
Features: 001428d6
    MCHAN
    PNO
    P2P
    TDLS
    SCAN_RANDOM_MAC
    MFP
    FWSUP
    DOT11H
    FWAUTH

Quirks:   00000000

To turn off offloading you need to remove the brcmfmac module, then reinsert it with the feature_disable option:

sudo rmmod brcmfmac
sudo modprobe brcmfmac feature_disable=0x82000

This will disable both SAE (0x80000) and FWSUP (0x02000). You could disable just one, but this is not suggested due to a bug which prevents EAPoL frames from being forwarded after offloading is used for the first time.

The workaround

You can resolve the issue by using only feature_disable=0x02000 if you're sure you won't ever have a WPA3/SAE AP around, but due to the bug mentionned above, you might want to be on the safe side and disable SAE as well while this bug exists.

sudo rmmod brcmfmac  
sudo modprobe brcmfmac roamoff=1 feature_disable=0x82000

Driver options on boot

If that fixes things for you and you want to make this setting persistent, you can create a file with these options in '/etc/modprobe.d', e.g ; 

echo 'options brcmfmac roamoff=1 feature_disable=0x82000' | sudo tee /etc/modprobe.d/brcmfmac.conf

This will make sure the settings are applied when the driver loads.

The 3A+/3B+/4B are equipped with a BCM4345 chipset so this should solve wifi issues with those models.

0 comments

Write a comment