[kismac] Re: Some interesting tidbits

  • From: "Matthew Watson" <matt.watsonm@xxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Wed, 12 Sep 2007 22:56:29 -0700

Thanks nonetheless for your efforts in exploring this.
Being a MacBook Pro user, I am eager to hear of any news. Who knows, I am
entering first year of comp sci, so I might be able to bring some expertise in
the near future.

Thanks again

On 9/12/07, Michael Miller <1337mail@xxxxxxxxx> wrote:
>
> Unfortunately no. First off, I don't have a ton of time on my hands (I
> really have nearly no free time, not exaggerating). Second of all, I
> lack driver programming experience (specifically IOKit).
>
> I did have a conversation with someone who stated that it would be
> possible to inject packets by simply opening a socket with the driver
> and writing the binary data for packets to the socket interface.
> Perhaps someone wants to investigate this further?
>
> Also, note that Kismet (not KisMAC) supports passive sniffing on all
> AirPort cards under Darwin (Mac OS X).
>
> I'd be happy to help out anyone by explaining what I already know, but
> don't expect anything usable for a while.
>
> Sorry,
> Mike
>
> On 9/12/07, Wouter Minderhoud <wouter@xxxxxxxxxxxxxx> wrote:
> > Hi Michael,
> >
> > Any progress on the HAL?
> >
> > I am very anxious and curious about the progress...
> >
> > cheers!
> >
> >
> >
> > On 3 Sep 2007, at 21:46, Michael Miller wrote:
> >
> > For those of you who don't know, Apple started including Atheros
> > 802.11n chipsets in new Macs (not iMacs, but MacBook Pros and (I
> > think) Mac Pros). These are based around the same HAL (hardware
> > abstraction layer) as the Linux (partially open source) Atheros
> > driver. Thus, since we know how the HAL works (it is closed source, but
> > the interfaces are documented), we can possibly gain
> > injection/sniffing on any Atheros chipset. This is a possibility, but
> > if it can be done, it will be great.
> >
> > Now for the good stuff ;). I looked through
> > /System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AirPortAtheros.kext/Contents/MacOS/AirPortAtheros.
> > The main problem is that the startraw function is missing (I know very
> > little about how the HAL works, so please, if you know anything about
> > this, let me know). However, I did manage to get some interesting
> > symbols showing that the Mac OS driver is based around the HAL.
> > Because the madwifi project is based around it, perhaps we can create
> > a wrapper driver with raw capabilities. Now for the interesting
> > symbols:
> >
> > Atheros-related functions (grep _ath):
> > __Z21ath_copy_scan_resultsPvPK20ieee80211_scan_entry
> > __ZN15IORegistryEntry13childFromPathEPKcPK15IORegistryPlanePcPi
> > __ZN15IORegistryEntry17matchPathLocationEPKcPK15IORegistryPlane
> > __ZN18AirPort_Athr5424ab19getPktlogClientAddrEP15ath_pktlog_info
> > __ZNK15IORegistryEntry16getPathComponentEPcPiPK15IORegistryPlane
> > __ZNK15IORegistryEntry7getPathEPcPiPK15IORegistryPlane
> > __ZZN18AirPort_Athr5424ab19getPktlogClientAddrEP15ath_pktlog_infoE8__func__
> > _ath_CCAThreshold
> > _ath_add_regclassid
> > _ath_addba_ignore
> > _ath_aggr_addba_requestprocess
> > _ath_aggr_addba_requestsetup
> > _ath_aggr_addba_responseprocess
> > _ath_aggr_addba_responsesetup
> > _ath_aggr_addba_timertimeout
> > _ath_aggr_ba_requestsetup
> > _ath_aggr_delba_process
> > _ath_aggrackMPDU
> > _ath_aggraddMPDU
> > _ath_aggrcreateMPDU
> > _ath_aggrfmax
> > _ath_aggrmovebaw
> > _ath_aggrqmin
> > _ath_aggrresetMPDU
> > _ath_ampdu_rxq_postprocess
> > _ath_ampdu_rxq_preprocess
> > _ath_ampdu_tx_release
> > _ath_attach
> > _ath_bad_rxbuf
> > _ath_bad_rxdesc
> > _ath_bar_tx
> > _ath_beacon_config
> > _ath_beacon_free
> > _ath_beacon_proc
> > _ath_beaconq_config
> > _ath_bgscan
> > _ath_calcrxfilter
> > _ath_calibrate
> > _ath_calinterval
> > _ath_chan2flags
> > _ath_chan_change
> > _ath_countrycode
> > _ath_debug
> > _ath_desc_free
> > _ath_descdma_cleanup
> > _ath_descdma_setup
> > _ath_detach
> > _ath_draintxq
> > _ath_dupie
> > _ath_ff_always
> > _ath_forcebad_rx
> > _ath_getchannels
> > _ath_hal_6mb_ack
> > _ath_hal_additional_swba_backoff
> > _ath_hal_attach
> > _ath_hal_buildopts
> > _ath_hal_chan2wmode
> > _ath_hal_checkchannel
> > _ath_hal_clksel
> > _ath_hal_computetxtime
> > _ath_hal_delay
> > _ath_hal_dma_beacon_response_time
> > _ath_hal_eepromDetach
> > _ath_hal_enableTPC
> > _ath_hal_ether_sprintf
> > _ath_hal_forceBias
> > _ath_hal_free
> > _ath_hal_getChanNoise
> > _ath_hal_getTxQProps
> > _ath_hal_get_regdmn
> > _ath_hal_getantennareduction
> > _ath_hal_getcapability
> > _ath_hal_getcc
> > _ath_hal_getccstr
> > _ath_hal_getdiagstate
> > _ath_hal_getnfcheckrequired
> > _ath_hal_getuptime
> > _ath_hal_getwirelessmodes
> > _ath_hal_init_channels
> > _ath_hal_is_valid_country_code
> > _ath_hal_ispublicsafetysku
> > _ath_hal_japan_checkeeprom
> > _ath_hal_mac_clks
> > _ath_hal_mac_usec
> > _ath_hal_malloc
> > _ath_hal_maxTPC
> > _ath_hal_memcmp
> > _ath_hal_memcpy
> > _ath_hal_memzero
> > _ath_hal_mhz2ieee
> > _ath_hal_ppmupdate
> > _ath_hal_printf
> > _ath_hal_probe
> > _ath_hal_process_noisefloor
> > _ath_hal_readEepromIntoDataset
> > _ath_hal_reg_read
> > _ath_hal_reg_write
> > _ath_hal_reverseBits
> > _ath_hal_setTxQProps
> > _ath_hal_setcapability
> > _ath_hal_setupratetable
> > _ath_hal_setvendor
> > _ath_hal_soft_eeprom
> > _ath_hal_sort
> > _ath_hal_sw_beacon_response_time
> > _ath_hal_update_regdomain
> > _ath_hal_version
> > _ath_hal_vprintf
> > _ath_hal_wait
> > _ath_init
> > _ath_intr
> > _ath_ioctl
> > _ath_ioctl_pktlog
> > _ath_key_alloc
> > _ath_key_delete
> > _ath_key_set
> > _ath_key_update_begin
> > _ath_key_update_end
> > _ath_keyprint
> > _ath_keyset
> > _ath_led_blink
> > _ath_led_done
> > _ath_led_event
> > _ath_led_off
> > _ath_media_change
> > _ath_newassoc
> > _ath_newstate
> > _ath_node_alloc
> > _ath_node_cleanup
> > _ath_node_free
> > _ath_node_getrssi
> > _ath_outdoor
> > _ath_pktlog_attach
> > _ath_pktlog_detach
> > _ath_pktlog_getbuf
> > _ath_pktlog_rcfindfunc
> > _ath_pktlog_rcupdate
> > _ath_pktlog_rx
> > _ath_pktlog_text
> > _ath_pktlog_text
> > _ath_pktlog_txctl
> > _ath_pktlog_txstatus
> > _ath_postprocess_bf
> > _ath_ppmupdate
> > _ath_rate_attach
> > _ath_rate_detach
> > _ath_rate_findrate
> > _ath_rate_maprix
> > _ath_rate_newassoc
> > _ath_rate_newstate
> > _ath_rate_node_cleanup
> > _ath_rate_node_init
> > _ath_rate_setup
> > _ath_rate_setupxtxdesc
> > _ath_rate_tx_complete
> > _ath_recv_mgmt
> > _ath_regdomain
> > _ath_reset
> > _ath_resume
> > _ath_rx_proc
> > _ath_rxbuf_init
> > _ath_rxbuf_shift
> > _ath_rxbuftimeout
> > _ath_rxnodeq_timeout
> > _ath_scan_end
> > _ath_scan_start
> > _ath_set11dcountry
> > _ath_set_channel
> > _ath_set_mac_address
> > _ath_setcurmode
> > _ath_setdefantenna
> > _ath_setdefaultcc
> > _ath_setpwrsave_state
> > _ath_setslottime
> > _ath_setup_stationkey
> > _ath_shutdown
> > _ath_start
> > _ath_startrecv
> > _ath_stop
> > _ath_stop_locked
> > _ath_stoprecv
> > _ath_suspend
> > _ath_sysctl_aggrfmax
> > _ath_sysctl_aggrqmin
> > _ath_sysctl_ath_CCAThreshold
> > _ath_sysctl_athaddbaignore
> > _ath_sysctl_athbadrxbuf
> > _ath_sysctl_athbadrxdesc
> > _ath_sysctl_athbgscan
> > _ath_sysctl_athdupie
> > _ath_sysctl_athforceBias
> > _ath_sysctl_athforcebadrx
> > _ath_sysctl_athpowermode
> > _ath_sysctl_athppmupdate
> > _ath_sysctl_athvendorie
> > _ath_sysctl_debug
> > _ath_tx_cleanup
> > _ath_tx_cleanupq
> > _ath_tx_cryptosetup
> > _ath_tx_descsetup
> > _ath_tx_draintxq
> > _ath_tx_proc
> > _ath_tx_start
> > _ath_tx_stopdma
> > _ath_txq_getprops
> > _ath_txq_setup
> > _ath_txq_update
> > _ath_update_ppm
> > _ath_update_ps_mode
> > _ath_update_txpow
> > _ath_updateslot
> > _ath_vendorie
> > _ath_wme_update
> > _ath_xchanmode
> > _atheros_setuptable
> > _athpowermode
> > _ieee80211_add_ath
> > _ieee80211_parse_athparams
> > _ieee80211_saveath
> > _sysctl__debug_athdriver
> > _sysctl__net_athCCAThreshold
> > _sysctl__net_athaddbaignore
> > _sysctl__net_athaggrfmax
> > _sysctl__net_athaggrqmin
> > _sysctl__net_athbadrxbuf
> > _sysctl__net_athbadrxdesc
> > _sysctl__net_athbgscan
> > _sysctl__net_athdupie
> > _sysctl__net_athforceBias
> > _sysctl__net_athforcebadrx
> > _sysctl__net_athpowermode
> > _sysctl__net_athppmupdate
> >
> > Things possibly relating to monitor mode (grep monitor):
> > __ZN16IO80211Interface22monitorModeInputPacketEP6__mbuf
> > __ZN18AirPort_Athr5424ab10monitorDLTEP16IO80211Interface
> > __ZN18AirPort_Athr5424ab21monitorModeSetEnabledEP16IO80211Interfaceb
> > __ZN18AirPort_Athr5424ab25monitorPacketHeaderLengthEP16IO80211Interface
> >
> > Things having to do with start (grep start):
> > _AirPort_Athr5424ab__serviceRestart
> > __ZN18AirPort_Athr5424ab5startEP9IOService
> > __ZN9IOService13startMatchingEm
> > __ZN9IOService14startCandidateEPS_
> > __ZN9IOService19start_PM_idle_timerEv
> > __ZN9IOService5startEPS_
> > __ZZN18AirPort_Athr5424ab5startEP9IOServiceE12__FUNCTION__
> > __start
> > _adhoc_start
> > _ap_restart
> > _ap_start
> > _ar5212AniRestart
> > _ath_scan_start
> > _ath_start
> > _ath_startrecv
> > _ath_tx_start
> > _ieee80211_start_scan
> > _p_rx_buf_pool_phys_start
> > _scan_restart
> > _sta_restart
> > _sta_start
> > _tx99_start
> >

-- 
Matt Watson | (250) 686-5457
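The symbol lists quoted above are raw nm(1) output: the C++ entries are Itanium-ABI mangled names, and reading the parameter types out of them (for instance what monitorModeSetEnabled takes, or that monitorModeInputPacket is handed an mbuf) is the first thing you need before you can think about the wrapper driver Michael describes. The script below is an added example, not code from KisMAC, madwifi or anyone in this thread. It demangles exactly the subset of the ABI that appears in the listing (nested names, const methods, builtin types, pointers, const qualifiers and the S_ substitution) and then buckets each symbol by layer (the vendor driver's IOKit subclass, IOKit/IO80211 C++ plumbing, HAL glue, the ath layer, net80211), which is the split the grep commands above do by hand. The SAMPLE list is constructed from the post's own listing, the layer labels are assumptions based on naming conventions alone, and the script has not been run against the real AirPortAtheros binary.

```python
"""Demangle the C++ symbols nm(1) prints for a Mach-O kext and sort them by layer.
Added example for this thread, not code from KisMAC, madwifi or the posters.  Handles only the
slice of the Itanium C++ ABI the posted names use (nested names N..E, const methods NK, builtin
types, P pointer, K const, the S_ substitution); anything else raises ValueError."""
import re

BUILTIN = {"v": "void", "b": "bool", "c": "char", "i": "int", "j": "unsigned int",
           "l": "long", "m": "unsigned long", "s": "short", "t": "unsigned short"}
SAMPLE = [  # constructed sample input: symbols copied from the listing in the post above
    "__Z21ath_copy_scan_resultsPvPK20ieee80211_scan_entry", "_ath_hal_attach", "_ath_startrecv",
    "__ZN15IORegistryEntry13childFromPathEPKcPK15IORegistryPlanePcPi", "_ar5212AniRestart",
    "__ZNK15IORegistryEntry7getPathEPcPiPK15IORegistryPlane", "_ieee80211_start_scan",
    "__ZN16IO80211Interface22monitorModeInputPacketEP6__mbuf", "_tx99_start",
    "__ZN18AirPort_Athr5424ab21monitorModeSetEnabledEP16IO80211Interfaceb",
    "__ZN9IOService14startCandidateEPS_", "__ZN9IOService19start_PM_idle_timerEv"]

class Demangler:
    def __init__(self, mangled):
        self.s, self.i, self.subs = mangled, 0, []        # subs: S_ candidates, in order seen

    def peek(self):
        return self.s[self.i:self.i + 1]

    def take(self, n=1):
        self.i += n
        return self.s[self.i - n:self.i]

    def source_name(self):                                 # <length><identifier>
        m = re.match(r"\d+", self.s[self.i:])
        if not m:
            raise ValueError("expected <length> at %d in %s" % (self.i, self.s))
        self.i += m.end()
        return self.take(int(m.group()))

    def name(self):                                        # -> (qualified name, const method?)
        if self.peek() != "N":
            return self.source_name(), False               # unscoped C++ function
        self.take()                                        # N [K] <component>+ E
        const = self.peek() == "K" and self.take() == "K"  # NK marks a const member function
        parts = []
        while self.peek() != "E":
            if parts:                                      # every proper prefix is an S_ candidate
                self.subs.append("::".join(parts))
            parts.append(self.source_name())
        self.take()
        return "::".join(parts), const

    def type_(self):
        c = self.peek()
        if c in BUILTIN:
            return BUILTIN[self.take()]
        if c == "S" and self.take(2) == "S_":              # S_ = the first substitution candidate
            return self.subs[0]
        if c in ("P", "K"):                                # pointer to / const of an inner type
            self.take()
            inner = self.type_()
            t = inner + "*" if c == "P" else "const " + inner
        elif c.isdigit():
            t = self.source_name()                         # class or struct name
        else:
            raise ValueError("unsupported type code %r in %s" % (c, self.s))
        self.subs.append(t)                                # compound and class types are candidates
        return t

    def encoding(self):                                    # <name> [<parameter types>]
        qual, const = self.name()
        params = []
        while self.peek():
            params.append(self.type_())
        if not params:
            return qual                                    # no function type: a data object
        args = "" if params == ["void"] else ", ".join(params)
        return "%s(%s)%s" % (qual, args, " const" if const else "")

def demangle(sym):                                         # Mach-O adds '_'; C++ names then start '_Z'
    if not sym.startswith("__Z"):
        return sym[1:] if sym.startswith("_") else sym     # plain C symbol: just drop the '_'
    return Demangler(sym[3:]).encoding()                   # parse what follows '_Z'

def classify(sym):
    """(layer label, readable name); the label is a guess from naming conventions alone."""
    try:
        text = demangle(sym)
    except ValueError:
        return "undemangled", sym
    if "::" in text:
        return ("driver class" if text.startswith("AirPort_Athr5424ab::") else "IOKit/IO80211 C++"), text
    for prefix, label in (("ath_hal_", "HAL glue"), ("ar5212", "HAL chip code"),
                          ("ath_", "ath layer"), ("ieee80211_", "net80211")):
        if text.startswith(prefix):
            return label, text
    return "other C", text

def monitor_hooks(symbols):
    """Readable names mentioning monitor mode: the hooks a raw-capture shim would have to wrap."""
    return [text for _, text in map(classify, symbols) if "monitor" in text.lower()]

if __name__ == "__main__":
    print("\n".join("%-18s %s" % pair for pair in sorted(map(classify, SAMPLE))))
```

To run it against the kext named in the post, take the last column of nm output (nm <path>/AirPortAtheros | awk '{print $NF}') and pass those lines to classify() in place of SAMPLE; names the mini-parser does not understand (vtables, constructors, templates) come back labelled "undemangled" rather than crashing the run, and c++filt will handle those if you need them. The point of writing the parser out is to see the grammar: P16IO80211Interface is a pointer to a 16-character class name, the trailing b is bool, and PS_ refers back to the first class mentioned, which is why IOService::startCandidate takes an IOService*. Pointer-to-const is printed as `const T*` rather than c++filt's `T const*`.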
