[kismac] Re: Some interesting tidbits

  • From: Wouter Minderhoud <wouter@xxxxxxxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Wed, 12 Sep 2007 21:09:39 +0200

Hi Michael,

Any progress on the HAL???

I am very anxious and curious about the progress...

cheers!



On 3 Sep 2007, at 21:46, Michael Miller wrote:

For those of you who don't know, Apple started including Atheros
802.11n chipsets in new Macs (not iMacs, but Macbook Pros, and (I
think) Mac Pros). These are based around the same HAL (hardware
abstraction layer) as the Linux (partially open source) Atheros
driver. Thus, since we know how the HAL works (it is closed source, but
the interfaces are documented), we can possibly gain
injection/sniffing on any Atheros chipset. This is a possibility, but
if it can be done, it will be great.

Now for the good stuff ;). I looked through
/System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AirPortAtheros.kext/Contents/MacOS/AirPortAtheros.
The main problem is that the startraw function is missing (I know very
little about how the HAL works, so please, if you know anything about
this, let me know). However, I did manage to get some interesting
symbols showing that the Mac OS driver is based around the HAL.
Because the madwifi project is based around it, perhaps we can create
a wrapper driver with raw capabilities. Now for the interesting
symbols:

Atheros-related functions (grep _ath):
__Z21ath_copy_scan_resultsPvPK20ieee80211_scan_entry
__ZN15IORegistryEntry13childFromPathEPKcPK15IORegistryPlanePcPi
__ZN15IORegistryEntry17matchPathLocationEPKcPK15IORegistryPlane
__ZN18AirPort_Athr5424ab19getPktlogClientAddrEP15ath_pktlog_info
__ZNK15IORegistryEntry16getPathComponentEPcPiPK15IORegistryPlane
__ZNK15IORegistryEntry7getPathEPcPiPK15IORegistryPlane
__ZZN18AirPort_Athr5424ab19getPktlogClientAddrEP15ath_pktlog_infoE8__func__
_ath_CCAThreshold
_ath_add_regclassid
_ath_addba_ignore
_ath_aggr_addba_requestprocess
_ath_aggr_addba_requestsetup
_ath_aggr_addba_responseprocess
_ath_aggr_addba_responsesetup
_ath_aggr_addba_timertimeout
_ath_aggr_ba_requestsetup
_ath_aggr_delba_process
_ath_aggrackMPDU
_ath_aggraddMPDU
_ath_aggrcreateMPDU
_ath_aggrfmax
_ath_aggrmovebaw
_ath_aggrqmin
_ath_aggrresetMPDU
_ath_ampdu_rxq_postprocess
_ath_ampdu_rxq_preprocess
_ath_ampdu_tx_release
_ath_attach
_ath_bad_rxbuf
_ath_bad_rxdesc
_ath_bar_tx
_ath_beacon_config
_ath_beacon_free
_ath_beacon_proc
_ath_beaconq_config
_ath_bgscan
_ath_calcrxfilter
_ath_calibrate
_ath_calinterval
_ath_chan2flags
_ath_chan_change
_ath_countrycode
_ath_debug
_ath_desc_free
_ath_descdma_cleanup
_ath_descdma_setup
_ath_detach
_ath_draintxq
_ath_dupie
_ath_ff_always
_ath_forcebad_rx
_ath_getchannels
_ath_hal_6mb_ack
_ath_hal_additional_swba_backoff
_ath_hal_attach
_ath_hal_buildopts
_ath_hal_chan2wmode
_ath_hal_checkchannel
_ath_hal_clksel
_ath_hal_computetxtime
_ath_hal_delay
_ath_hal_dma_beacon_response_time
_ath_hal_eepromDetach
_ath_hal_enableTPC
_ath_hal_ether_sprintf
_ath_hal_forceBias
_ath_hal_free
_ath_hal_getChanNoise
_ath_hal_getTxQProps
_ath_hal_get_regdmn
_ath_hal_getantennareduction
_ath_hal_getcapability
_ath_hal_getcc
_ath_hal_getccstr
_ath_hal_getdiagstate
_ath_hal_getnfcheckrequired
_ath_hal_getuptime
_ath_hal_getwirelessmodes
_ath_hal_init_channels
_ath_hal_is_valid_country_code
_ath_hal_ispublicsafetysku
_ath_hal_japan_checkeeprom
_ath_hal_mac_clks
_ath_hal_mac_usec
_ath_hal_malloc
_ath_hal_maxTPC
_ath_hal_memcmp
_ath_hal_memcpy
_ath_hal_memzero
_ath_hal_mhz2ieee
_ath_hal_ppmupdate
_ath_hal_printf
_ath_hal_probe
_ath_hal_process_noisefloor
_ath_hal_readEepromIntoDataset
_ath_hal_reg_read
_ath_hal_reg_write
_ath_hal_reverseBits
_ath_hal_setTxQProps
_ath_hal_setcapability
_ath_hal_setupratetable
_ath_hal_setvendor
_ath_hal_soft_eeprom
_ath_hal_sort
_ath_hal_sw_beacon_response_time
_ath_hal_update_regdomain
_ath_hal_version
_ath_hal_vprintf
_ath_hal_wait
_ath_init
_ath_intr
_ath_ioctl
_ath_ioctl_pktlog
_ath_key_alloc
_ath_key_delete
_ath_key_set
_ath_key_update_begin
_ath_key_update_end
_ath_keyprint
_ath_keyset
_ath_led_blink
_ath_led_done
_ath_led_event
_ath_led_off
_ath_media_change
_ath_newassoc
_ath_newstate
_ath_node_alloc
_ath_node_cleanup
_ath_node_free
_ath_node_getrssi
_ath_outdoor
_ath_pktlog_attach
_ath_pktlog_detach
_ath_pktlog_getbuf
_ath_pktlog_rcfindfunc
_ath_pktlog_rcupdate
_ath_pktlog_rx
_ath_pktlog_text
_ath_pktlog_text
_ath_pktlog_txctl
_ath_pktlog_txstatus
_ath_postprocess_bf
_ath_ppmupdate
_ath_rate_attach
_ath_rate_detach
_ath_rate_findrate
_ath_rate_maprix
_ath_rate_newassoc
_ath_rate_newstate
_ath_rate_node_cleanup
_ath_rate_node_init
_ath_rate_setup
_ath_rate_setupxtxdesc
_ath_rate_tx_complete
_ath_recv_mgmt
_ath_regdomain
_ath_reset
_ath_resume
_ath_rx_proc
_ath_rxbuf_init
_ath_rxbuf_shift
_ath_rxbuftimeout
_ath_rxnodeq_timeout
_ath_scan_end
_ath_scan_start
_ath_set11dcountry
_ath_set_channel
_ath_set_mac_address
_ath_setcurmode
_ath_setdefantenna
_ath_setdefaultcc
_ath_setpwrsave_state
_ath_setslottime
_ath_setup_stationkey
_ath_shutdown
_ath_start
_ath_startrecv
_ath_stop
_ath_stop_locked
_ath_stoprecv
_ath_suspend
_ath_sysctl_aggrfmax
_ath_sysctl_aggrqmin
_ath_sysctl_ath_CCAThreshold
_ath_sysctl_athaddbaignore
_ath_sysctl_athbadrxbuf
_ath_sysctl_athbadrxdesc
_ath_sysctl_athbgscan
_ath_sysctl_athdupie
_ath_sysctl_athforceBias
_ath_sysctl_athforcebadrx
_ath_sysctl_athpowermode
_ath_sysctl_athppmupdate
_ath_sysctl_athvendorie
_ath_sysctl_debug
_ath_tx_cleanup
_ath_tx_cleanupq
_ath_tx_cryptosetup
_ath_tx_descsetup
_ath_tx_draintxq
_ath_tx_proc
_ath_tx_start
_ath_tx_stopdma
_ath_txq_getprops
_ath_txq_setup
_ath_txq_update
_ath_update_ppm
_ath_update_ps_mode
_ath_update_txpow
_ath_updateslot
_ath_vendorie
_ath_wme_update
_ath_xchanmode
_atheros_setuptable
_athpowermode
_ieee80211_add_ath
_ieee80211_parse_athparams
_ieee80211_saveath
_sysctl__debug_athdriver
_sysctl__net_athCCAThreshold
_sysctl__net_athaddbaignore
_sysctl__net_athaggrfmax
_sysctl__net_athaggrqmin
_sysctl__net_athbadrxbuf
_sysctl__net_athbadrxdesc
_sysctl__net_athbgscan
_sysctl__net_athdupie
_sysctl__net_athforceBias
_sysctl__net_athforcebadrx
_sysctl__net_athpowermode
_sysctl__net_athppmupdate

Things possibly relating to monitor mode (grep monitor):
__ZN16IO80211Interface22monitorModeInputPacketEP6__mbuf
__ZN18AirPort_Athr5424ab10monitorDLTEP16IO80211Interface
__ZN18AirPort_Athr5424ab21monitorModeSetEnabledEP16IO80211Interfaceb
__ZN18AirPort_Athr5424ab25monitorPacketHeaderLengthEP16IO80211Interface

Things having to do with start (grep start):
_AirPort_Athr5424ab__serviceRestart
__ZN18AirPort_Athr5424ab5startEP9IOService
__ZN9IOService13startMatchingEm
__ZN9IOService14startCandidateEPS_
__ZN9IOService19start_PM_idle_timerEv
__ZN9IOService5startEPS_
__ZZN18AirPort_Athr5424ab5startEP9IOServiceE12__FUNCTION__
__start
_adhoc_start
_ap_restart
_ap_start
_ar5212AniRestart
_ath_scan_start
_ath_start
_ath_startrecv
_ath_tx_start
_ieee80211_start_scan
_p_rx_buf_pool_phys_start
_scan_restart
_sta_restart
_sta_start
_tx99_start
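The `__ZN...` entries in the lists above are Itanium C++ ABI mangled names (with the extra Mach-O underscore), which is why the AirPort_Athr5424ab class methods are hard to read as listed. The following is an added example, not code from the post, KisMAC or Apple: a minimal demangler for exactly the subset those symbols use (nested names, const methods, pointer/const types, a few builtins and the `S_` substitution), so the monitor-mode and start entries can be read as signatures; local names like the `__func__` entry, templates and other constructs are outside the subset and raise ValueError.

```python
# Minimal Itanium C++ ABI demangler for the symbols quoted above (added example, not KisMAC
# or Apple code). Mach-O prepends an extra underscore, so "__ZN..." is the ABI's "_ZN...".
import re

BUILTIN = {"v": "void", "b": "bool", "c": "char", "i": "int", "m": "unsigned long", "l": "long"}

class Demangler:
    def __init__(self, text):
        self.s, self.i, self.subs = text, 0, []  # subs: substitution table for S_, S0_, ...
    def source_name(self):  # <decimal length><identifier>, e.g. 9IOService
        m = re.match(r"\d+", self.s[self.i:])
        if not m: raise ValueError("expected <length><identifier> at offset %d" % self.i)
        self.i += len(m.group()) + int(m.group())
        return self.s[self.i - int(m.group()):self.i]
    def name(self):  # -> (qualified name, is_const_method)
        if self.s[self.i] != "N": return self.source_name(), False  # plain function name
        const = self.s[self.i + 1] == "K"  # NK...E marks a const member function
        self.i += 2 if const else 1
        parts = [self.source_name()]
        while self.s[self.i] != "E":  # each prefix (e.g. the class) is substitutable
            self.subs.append("::".join(parts))
            parts.append(self.source_name())
        self.i += 1
        return "::".join(parts), const
    def type_(self):
        c = self.s[self.i]
        if c in BUILTIN:
            self.i += 1
            return BUILTIN[c]
        m = re.match(r"S(\d?)_", self.s[self.i:])
        if m:  # substitution: S_ -> subs[0], S0_ -> subs[1], ... (single digit only)
            self.i += len(m.group())
            return self.subs[int(m.group(1)) + 1 if m.group(1) else 0]
        if c in "PK":  # pointer / const wrap the type that follows
            self.i += 1
            t = self.type_() + ("*" if c == "P" else " const")
        else:  # class/struct name; source_name() raises on unsupported codes (templates, Z..E)
            t = self.source_name()
        self.subs.append(t)  # class and compound types become substitution candidates
        return t

def demangle(sym):  # mangled C++ symbol -> readable signature; C symbols lose the Mach-O underscore
    if not sym.startswith("__Z"): return re.sub(r"^_", "", sym)
    d = Demangler(sym[3:])  # skip the Mach-O underscore and "_Z"
    name, const = d.name()
    params = []
    while d.i < len(d.s):
        params.append(d.type_())
    return "%s(%s)%s" % (name, ", ".join(params), " const" if const else "")
```

Run over the monitor list this yields, for instance, `AirPort_Athr5424ab::monitorModeSetEnabled(IO80211Interface*, bool)` and `IO80211Interface::monitorModeInputPacket(__mbuf*)`; `c++filt` on a Mac gives the same output for the full symbol set.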