
Comfast CF-953AX (MT7921u): Problems with pentesting / wardriving (wifite2, aircrack-ng, etc.)

Open baltic-tea opened this issue 1 year ago • 18 comments

Subject links:


OS: Kali Linux 2023.3 [Kernel 6.3.0, Xfce 4.18.4]

Downloaded and installed these MediaTek drivers as advised here by @morrownr:

Problems

  1. The device sometimes stops working (detecting APs); I need to re-plug it into the USB port.

  2. CF-953AX in monitor control mode works correctly, but any attempt to capture handshakes with wifite2 on any WiFi point (with WPS or not) is very slow and always ends with a Failed status. When cracking WPS I only get failures and a large number of timeouts (sometimes over 1500). This is true when wardriving any AP with any wifite call options. Often wifite gets stuck at some stage, for example when sending PIN codes; all kinds of attacks are ineffective.

[!NOTE] When powered by USB 2.0, the adapter (in about 15-20 seconds) finds more than 140 APs. When powered by USB 3.0, it finds ~20-30 APs 🤔

INFO

USB information

lsusb

Output:

Bus 004 Device 002: ID 3574:6211 MediaTek Inc. Wireless_Device

Kernel message buffer on device re-plug.

dmesg --decode --time-format iso | grep -e 'usb' -e 'mt7921u'

Output ("-" is errors, "+" is drivers):

kern :info : 2023-11-03T03:18:38 usb 3-12: USB disconnect, device number 4
- kern :err  : 2023-11-03T03:18:40 mt7921u 3-12:1.0: timed out waiting for pending tx
kern :info : 2023-11-03T03:18:43 usb 3-12: new high-speed USB device number 5 using xhci_hcd
kern :info : 2023-11-03T03:18:43 usb 3-12: New USB device found, idVendor=3574, idProduct=6211, bcdDevice=1.00
kern :info : 2023-11-03T03:18:43 usb 3-12: New USB device strings: Mfr=2, Product=3, SerialNumber=4
kern :info : 2023-11-03T03:18:43 usb 3-12: Product: Wireless_Device
kern :info : 2023-11-03T03:18:43 usb 3-12: Manufacturer: MediaTek Inc.
kern :info : 2023-11-03T03:18:43 usb 3-12: SerialNumber: 000000000
+ kern :info : 2023-11-03T03:18:43 mt7921u 3-12:1.0: firmware: direct-loading firmware mediatek/WIFI_RAM_CODE_MT7961_1.bin
kern :info : 2023-11-03T03:18:43 usb 3-12: reset high-speed USB device number 5 using xhci_hcd
+ kern :info : 2023-11-03T03:18:43 mt7921u 3-12:1.0: firmware: direct-loading firmware mediatek/WIFI_MT7961_patch_mcu_1_2_hdr.bin
kern :info : 2023-11-03T03:18:43 3-12:1.0: HW/SW Version: 0x8a108a10, Build Time: 20230526130917a
+ kern :info : 2023-11-03T03:18:44 mt7921u 3-12:1.0: firmware: direct-loading firmware mediatek/WIFI_RAM_CODE_MT7961_1.bin
kern :info : 2023-11-03T03:18:44 mt7921u 3-12:1.0: WM Firmware Version: ____010000, Build Time: 20230526130958

Network information

iwconfig

Output:

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=3 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

Statistics in managed mode (wavemon)

Connected to your own WiFi router in the same room.

Screenshot of wavemon output (image CF-953AX_wavemon, not reproduced here)


Kill the conflicting processes (NetworkManager.service)

sudo airmon-ng check kill

Output:

Killing these processes:

    PID Name
   1231 wpa_supplicant

Switch to monitor control mode

sudo airmon-ng start wlan0

Output:

PHY	Interface	Driver		Chipset

phy0	wlan0		mt7921u		MediaTek Inc. Wireless_Device
		(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
		(mac80211 station mode vif disabled for [phy0]wlan0)

Check monitor control mode

First step.

iwconfig

Output:

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=3 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

Second step.

iw dev

Output:

phy#0
	Interface wlan0mon
		ifindex 4
		wdev 0x2
		addr e0:e1:a9:38:96:1b
		type monitor
		channel 10 (2457 MHz), width: 20 MHz (no HT), center1: 2457 MHz
		txpower 3.00 dBm

Region and power configuration

[!NOTE] These actions probably do not affect the real power of WiFi-adapters.

sudo iw reg get

Output:

global
country 00: DFS-UNSET
        (2402 - 2472 @ 40), (6, 20), (N/A)
        (2457 - 2482 @ 20), (6, 20), (N/A), AUTO-BW, PASSIVE-SCAN
        (2474 - 2494 @ 20), (6, 20), (N/A), NO-OFDM, PASSIVE-SCAN
        (5170 - 5250 @ 80), (6, 20), (N/A), AUTO-BW, PASSIVE-SCAN
        (5250 - 5330 @ 80), (6, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
        (5490 - 5730 @ 160), (6, 20), (0 ms), DFS, PASSIVE-SCAN
        (5735 - 5835 @ 80), (6, 20), (N/A), PASSIVE-SCAN
        (57240 - 63720 @ 2160), (N/A, 0), (N/A)

Changing region to BZ (Belize) works correctly.

sudo iw reg set BZ
sudo iw reg get

Output:

global
country BZ: DFS-UNSET
        (2400 - 2494 @ 40), (N/A, 36), (N/A)
        (5735 - 5835 @ 80), (N/A, 30), (N/A)

[!WARNING] I couldn't change the txpower value of Comfast CF-953AX. It is always 3.00 dBm. Tried it:

iw [options] dev <devname> set txpower <auto|fixed|limit> [<tx power in mBm>]

I think the visible power value is not the true one.


Check hcxdumptool

Tool version: hcxdumptool 6.3.1 (C) 2023 ZeroBeat

hcxdumptool -i wlan0

Output:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0   3 e0e1a938961b e0e1a938961b * wlan0            mt7921u (NETLINK)


available frequencies: frequency [channel] tx-power of Regulatory Domain: 00

  2412 [  1] 20.0 dBm     2417 [  2] 20.0 dBm     2422 [  3] 20.0 dBm     2427 [  4] 20.0 dBm
  2432 [  5] 20.0 dBm     2437 [  6] 20.0 dBm     2442 [  7] 20.0 dBm     2447 [  8] 20.0 dBm
  2452 [  9] 20.0 dBm     2457 [ 10] 20.0 dBm     2462 [ 11] 20.0 dBm     2467 [ 12] 20.0 dBm
  2472 [ 13] 20.0 dBm     2484 [ 14] 20.0 dBm     5180 [ 36] 20.0 dBm     5200 [ 40] 20.0 dBm
  5220 [ 44] 20.0 dBm     5240 [ 48] 20.0 dBm     5260 [ 52] 20.0 dBm     5280 [ 56] 20.0 dBm
  5300 [ 60] 20.0 dBm     5320 [ 64] 20.0 dBm     5500 [100] 20.0 dBm     5520 [104] 20.0 dBm
  5540 [108] 20.0 dBm     5560 [112] 20.0 dBm     5580 [116] 20.0 dBm     5600 [120] 20.0 dBm
  5620 [124] 20.0 dBm     5640 [128] 20.0 dBm     5660 [132] 20.0 dBm     5680 [136] 20.0 dBm
  5700 [140] 20.0 dBm     5720 [144] 20.0 dBm     5745 [149] 20.0 dBm     5765 [153] 20.0 dBm
  5785 [157] 20.0 dBm     5805 [161] 20.0 dBm     5825 [165] 20.0 dBm     5845 [169] disabled
  5865 [173] disabled     5955 [  1] disabled     5975 [  5] disabled     5995 [  9] disabled
  6015 [ 13] disabled     6035 [ 17] disabled     6055 [ 21] disabled     6075 [ 25] disabled
  6095 [ 29] disabled     6115 [ 33] disabled     6135 [ 37] disabled     6155 [ 41] disabled
  6175 [ 45] disabled     6195 [ 49] disabled     6215 [ 53] disabled     6235 [ 57] disabled
  6255 [ 61] disabled     6275 [ 65] disabled     6295 [ 69] disabled     6315 [ 73] disabled
  6335 [ 77] disabled     6355 [ 81] disabled     6375 [ 85] disabled     6395 [ 89] disabled
  6415 [ 93] disabled     6435 [ 97] disabled     6455 [101] disabled     6475 [105] disabled
  6495 [109] disabled     6515 [113] disabled     6535 [117] disabled     6555 [121] disabled
  6575 [125] disabled     6595 [129] disabled     6615 [133] disabled     6635 [137] disabled
  6655 [141] disabled     6675 [145] disabled     6695 [149] disabled     6715 [153] disabled
  6735 [157] disabled     6755 [161] disabled     6775 [165] disabled     6795 [169] disabled
  6815 [173] disabled     6835 [177] disabled     6855 [181] disabled     6875 [185] disabled
  6895 [189] disabled     6915 [193] disabled     6935 [197] disabled     6955 [201] disabled
  6975 [205] disabled     6995 [209] disabled     7015 [213] disabled     7035 [217] disabled
  7055 [221] disabled     7075 [225] disabled     7095 [229] disabled     7115 [233] disabled


scan frequencies: frequency [channel] of Regulatory Domain: 00

  2412 [  1]      2437 [  6]      2462 [ 11]
Screenshot of hcxdumptool scan loop (empty) (image of the `hcxdumptool -i` result, not reproduced here)

baltic-tea, Nov 02 '23 19:11
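Two things in the report above are worth checking mechanically before touching any tool: the kernel error that precedes every re-plug (`timed out waiting for pending tx`) and the USB link speed the adapter actually enumerated at, since the author sees very different AP counts on USB 2.0 and USB 3.0 ports. In the kernel's own vocabulary, `new high-speed USB device` means the device came up as USB 2.0 (480 Mbit/s); a USB 3.x enumeration prints `SuperSpeed`. The script below is an added example, not code from the issue or from the USB-WiFi project: it re-derives the author's hand-written `-`/`+` markers from `dmesg` levels and message text, reports the enumerated bus generation, and parses `iw reg get` so the regulatory EIRP ceiling for the monitor channel can be compared with the `txpower` the driver reports (the regdom is a ceiling the driver may stay well under, which is consistent with the 3 dBm reading never changing). Function names are mine; the sample text is copied from the issue's output and embedded so it runs offline.

```python
"""Diagnose a re-plug cycle of a USB WiFi adapter from dmesg and iw reg get.

Added example for the issue above; not part of the issue or the USB-WiFi
project. Sample inputs are the issue's own output, embedded here so the
script runs offline.
"""
import re

# dmesg lines from the issue, without the author's hand-written -/+ markers
# so the script can derive them itself.
DMESG_SAMPLE = """\
kern :info : 2023-11-03T03:18:38 usb 3-12: USB disconnect, device number 4
kern :err  : 2023-11-03T03:18:40 mt7921u 3-12:1.0: timed out waiting for pending tx
kern :info : 2023-11-03T03:18:43 usb 3-12: new high-speed USB device number 5 using xhci_hcd
kern :info : 2023-11-03T03:18:43 usb 3-12: New USB device found, idVendor=3574, idProduct=6211, bcdDevice=1.00
kern :info : 2023-11-03T03:18:43 mt7921u 3-12:1.0: firmware: direct-loading firmware mediatek/WIFI_RAM_CODE_MT7961_1.bin
kern :info : 2023-11-03T03:18:43 usb 3-12: reset high-speed USB device number 5 using xhci_hcd
kern :info : 2023-11-03T03:18:43 mt7921u 3-12:1.0: firmware: direct-loading firmware mediatek/WIFI_MT7961_patch_mcu_1_2_hdr.bin
kern :info : 2023-11-03T03:18:44 mt7921u 3-12:1.0: WM Firmware Version: ____010000, Build Time: 20230526130958
"""

# `iw reg get` output from the issue after `iw reg set BZ`.
REG_SAMPLE = """\
global
country BZ: DFS-UNSET
        (2400 - 2494 @ 40), (N/A, 36), (N/A)
        (5735 - 5835 @ 80), (N/A, 30), (N/A)
"""

# Speed names as the kernel prints them in "new <speed> USB device number N".
USB_SPEED = {
    "full-speed": "USB 1.1 (12 Mbit/s)",
    "high-speed": "USB 2.0 (480 Mbit/s)",
    "SuperSpeed": "USB 3.x (5 Gbit/s)",
    "SuperSpeed Plus": "USB 3.x (10 Gbit/s)",
}

# `dmesg --decode --time-format iso` line: "<facility> :<level> : <iso-ts> <message>"
LINE_RE = re.compile(r"^(?P<facility>\w+)\s*:(?P<level>\w+)\s*:\s*(?P<ts>\S+)\s+(?P<msg>.*)$")
NEW_DEV_RE = re.compile(r"new (?P<speed>.+?) USB device number (?P<num>\d+)")
# One regdom rule: "(lo - hi @ bw), (max-antenna-gain, max-eirp), (dfs-cac)"
RULE_RE = re.compile(
    r"\((?P<lo>\d+) - (?P<hi>\d+) @ (?P<bw>\d+)\), \((?P<gain>N/A|\d+), (?P<eirp>N/A|\d+)\)"
)


def annotate_dmesg(text):
    """Tag each dmesg line like the issue author did: '-' for kernel error
    levels, '+' for a firmware load, ' ' otherwise. Returns (tag, message)."""
    tagged = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a decoded dmesg line; skip rather than guess
        level, msg = m.group("level"), m.group("msg")
        if level in ("err", "crit", "alert", "emerg"):
            tag = "-"
        elif "firmware: direct-loading" in msg:
            tag = "+"
        else:
            tag = " "
        tagged.append((tag, msg))
    return tagged


def usb_link_speed(text):
    """Bus generation of the most recent enumeration, from the kernel's
    'new <speed> USB device' line; None if no such line is present."""
    speed = None
    for raw in text.splitlines():
        m = NEW_DEV_RE.search(raw)
        if m:
            speed = USB_SPEED.get(m.group("speed"), m.group("speed"))
    return speed


def parse_reg(text):
    """Parse `iw reg get` into (country, [(lo_mhz, hi_mhz, max_bw_mhz, max_eirp_dbm)]).
    max_eirp is the regulatory ceiling, not what the card actually transmits."""
    country, rules = None, []
    for line in text.splitlines():
        cm = re.match(r"country (\w+):", line.strip())
        if cm:
            country = cm.group(1)
            continue
        rm = RULE_RE.search(line)
        if rm:
            eirp = None if rm.group("eirp") == "N/A" else int(rm.group("eirp"))
            rules.append((int(rm.group("lo")), int(rm.group("hi")), int(rm.group("bw")), eirp))
    return country, rules


def reg_limit_for(rules, freq_mhz):
    """Max EIRP (dBm) the regdom allows at freq_mhz; None if no rule covers it."""
    for lo, hi, _bw, eirp in rules:
        if lo <= freq_mhz <= hi:
            return eirp
    return None


if __name__ == "__main__":
    for tag, msg in annotate_dmesg(DMESG_SAMPLE):
        print(tag, msg)
    print("enumerated as:", usb_link_speed(DMESG_SAMPLE))
    country, rules = parse_reg(REG_SAMPLE)
    # 2457 MHz is the monitor channel shown by `iw dev` in the issue;
    # the driver there reports txpower 3.00 dBm regardless of this ceiling.
    print(f"regdom {country}: ceiling at 2457 MHz = {reg_limit_for(rules, 2457)} dBm")
```

Run it against a live box with `dmesg --decode --time-format iso | grep -e usb -e mt7921u` piped into `annotate_dmesg` and `iw reg get` into `parse_reg`; an adapter plugged into a USB 3.x port that still reports `high-speed` has fallen back to USB 2.0 on that port, which is the first thing to rule out when the AP counts differ between ports.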