One question: using your patched driver, can tcpdump or wireshark output the signal strength of received wireless frames?
Would you agree it's a tertiary firmware issue that's stopping live packet injection without being associated to an AP?