[kismac] Re: Some interesting tidbits

  • From: Wouter Minderhoud <wouter@xxxxxxxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Thu, 13 Sep 2007 08:05:44 +0200

1st year?

Ouch... I think this little thingie will come along in the curriculum of the 5th year! ;-)




On 13 Sep 2007, at 7:56, Matthew Watson wrote:

Thanks nonetheless for your efforts in exploring this.

Being a MacBook Pro user, I am eager to hear of any news. Who knows, I am entering 1st year of comp sci so I might be able to bring some expertise in the near future.

Thanks again

On 9/12/07, Michael Miller <1337mail@xxxxxxxxx> wrote:
Unfortunately no. First off, I don't have a ton of time on my hands (I
really have near no free time, not exaggerating). Second of all, I
lack driver programming experience (specifically IOKit).

I did have a conversation with someone who stated that it would be
possible to inject packets by simply opening a socket with the driver
and writing the binary data for packets to the socket interface.
Perhaps someone wants to investigate this further?

Also, note that kismet (not kismac) supports passive sniffing on all
AirPort cards under Darwin (Mac OS X).

I'd be happy to help out anyone by explaining what I already know, but
don't expect anything usable for a while.

Sorry,
Mike

On 9/12/07, Wouter Minderhoud <wouter@xxxxxxxxxxxxxx> wrote:
> Hi Michael,
>
> any progress on the HAL ???
>
> i am very anxious and curious about the progress......
>
> cheers!
>
>
>
> On 3 Sep 2007, at 21:46, Michael Miller wrote:
>
> For those of you who don't know, Apple started including Atheros
> 802.11n chipsets in new Macs (not iMacs, but MacBook Pros, and (I
> think) Mac Pros). These are based around the same HAL (hardware
> abstraction layer) as the Linux (partially open source) Atheros
> driver. Thus, since we know how the HAL works (it is closed source, but
> the interfaces are documented), we can possibly gain
> injection/sniffing on any Atheros chipset. This is a possibility, but
> if it can be done, it will be great.
>
> Now for the good stuff ;). I looked through
> /System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AirPortAtheros.kext/Contents/MacOS/AirPortAtheros.
> The main problem is that the startraw function is missing (I know very
> little about how the HAL works, so please, if you know anything about
> this, let me know). However, I did manage to get some interesting
> symbols showing that the Mac OS driver is based around the HAL.
> Because the madwifi project is based around it, perhaps we can create
> a wrapper driver with raw capabilities. Now for the interesting
> symbols:
>
> Atheros-related functions (grep _ath):
> __Z21ath_copy_scan_resultsPvPK20ieee80211_scan_entry
> __ZN15IORegistryEntry13childFromPathEPKcPK15IORegistryPlanePcPi
> __ZN15IORegistryEntry17matchPathLocationEPKcPK15IORegistryPlane
> __ZN18AirPort_Athr5424ab19getPktlogClientAddrEP15ath_pktlog_info
> __ZNK15IORegistryEntry16getPathComponentEPcPiPK15IORegistryPlane
> __ZNK15IORegistryEntry7getPathEPcPiPK15IORegistryPlane
> __ZZN18AirPort_Athr5424ab19getPktlogClientAddrEP15ath_pktlog_infoE8__func__
> _ath_CCAThreshold
> _ath_add_regclassid
> _ath_addba_ignore
> _ath_aggr_addba_requestprocess
> _ath_aggr_addba_requestsetup
> _ath_aggr_addba_responseprocess
> _ath_aggr_addba_responsesetup
> _ath_aggr_addba_timertimeout
> _ath_aggr_ba_requestsetup
> _ath_aggr_delba_process
> _ath_aggrackMPDU
> _ath_aggraddMPDU
> _ath_aggrcreateMPDU
> _ath_aggrfmax
> _ath_aggrmovebaw
> _ath_aggrqmin
> _ath_aggrresetMPDU
> _ath_ampdu_rxq_postprocess
> _ath_ampdu_rxq_preprocess
> _ath_ampdu_tx_release
> _ath_attach
> _ath_bad_rxbuf
> _ath_bad_rxdesc
> _ath_bar_tx
> _ath_beacon_config
> _ath_beacon_free
> _ath_beacon_proc
> _ath_beaconq_config
> _ath_bgscan
> _ath_calcrxfilter
> _ath_calibrate
> _ath_calinterval
> _ath_chan2flags
> _ath_chan_change
> _ath_countrycode
> _ath_debug
> _ath_desc_free
> _ath_descdma_cleanup
> _ath_descdma_setup
> _ath_detach
> _ath_draintxq
> _ath_dupie
> _ath_ff_always
> _ath_forcebad_rx
> _ath_getchannels
> _ath_hal_6mb_ack
> _ath_hal_additional_swba_backoff
> _ath_hal_attach
> _ath_hal_buildopts
> _ath_hal_chan2wmode
> _ath_hal_checkchannel
> _ath_hal_clksel
> _ath_hal_computetxtime
> _ath_hal_delay
> _ath_hal_dma_beacon_response_time
> _ath_hal_eepromDetach
> _ath_hal_enableTPC
> _ath_hal_ether_sprintf
> _ath_hal_forceBias
> _ath_hal_free
> _ath_hal_getChanNoise
> _ath_hal_getTxQProps
> _ath_hal_get_regdmn
> _ath_hal_getantennareduction
> _ath_hal_getcapability
> _ath_hal_getcc
> _ath_hal_getccstr
> _ath_hal_getdiagstate
> _ath_hal_getnfcheckrequired
> _ath_hal_getuptime
> _ath_hal_getwirelessmodes
> _ath_hal_init_channels
> _ath_hal_is_valid_country_code
> _ath_hal_ispublicsafetysku
> _ath_hal_japan_checkeeprom
> _ath_hal_mac_clks
> _ath_hal_mac_usec
> _ath_hal_malloc
> _ath_hal_maxTPC
> _ath_hal_memcmp
> _ath_hal_memcpy
> _ath_hal_memzero
> _ath_hal_mhz2ieee
> _ath_hal_ppmupdate
> _ath_hal_printf
> _ath_hal_probe
> _ath_hal_process_noisefloor
> _ath_hal_readEepromIntoDataset
> _ath_hal_reg_read
> _ath_hal_reg_write
> _ath_hal_reverseBits
> _ath_hal_setTxQProps
> _ath_hal_setcapability
> _ath_hal_setupratetable
> _ath_hal_setvendor
> _ath_hal_soft_eeprom
> _ath_hal_sort
> _ath_hal_sw_beacon_response_time
> _ath_hal_update_regdomain
> _ath_hal_version
> _ath_hal_vprintf
> _ath_hal_wait
> _ath_init
> _ath_intr
> _ath_ioctl
> _ath_ioctl_pktlog
> _ath_key_alloc
> _ath_key_delete
> _ath_key_set
> _ath_key_update_begin
> _ath_key_update_end
> _ath_keyprint
> _ath_keyset
> _ath_led_blink
> _ath_led_done
> _ath_led_event
> _ath_led_off
> _ath_media_change
> _ath_newassoc
> _ath_newstate
> _ath_node_alloc
> _ath_node_cleanup
> _ath_node_free
> _ath_node_getrssi
> _ath_outdoor
> _ath_pktlog_attach
> _ath_pktlog_detach
> _ath_pktlog_getbuf
> _ath_pktlog_rcfindfunc
> _ath_pktlog_rcupdate
> _ath_pktlog_rx
> _ath_pktlog_text
> _ath_pktlog_text
> _ath_pktlog_txctl
> _ath_pktlog_txstatus
> _ath_postprocess_bf
> _ath_ppmupdate
> _ath_rate_attach
> _ath_rate_detach
> _ath_rate_findrate
> _ath_rate_maprix
> _ath_rate_newassoc
> _ath_rate_newstate
> _ath_rate_node_cleanup
> _ath_rate_node_init
> _ath_rate_setup
> _ath_rate_setupxtxdesc
> _ath_rate_tx_complete
> _ath_recv_mgmt
> _ath_regdomain
> _ath_reset
> _ath_resume
> _ath_rx_proc
> _ath_rxbuf_init
> _ath_rxbuf_shift
> _ath_rxbuftimeout
> _ath_rxnodeq_timeout
> _ath_scan_end
> _ath_scan_start
> _ath_set11dcountry
> _ath_set_channel
> _ath_set_mac_address
> _ath_setcurmode
> _ath_setdefantenna
> _ath_setdefaultcc
> _ath_setpwrsave_state
> _ath_setslottime
> _ath_setup_stationkey
> _ath_shutdown
> _ath_start
> _ath_startrecv
> _ath_stop
> _ath_stop_locked
> _ath_stoprecv
> _ath_suspend
> _ath_sysctl_aggrfmax
> _ath_sysctl_aggrqmin
> _ath_sysctl_ath_CCAThreshold
> _ath_sysctl_athaddbaignore
> _ath_sysctl_athbadrxbuf
> _ath_sysctl_athbadrxdesc
> _ath_sysctl_athbgscan
> _ath_sysctl_athdupie
> _ath_sysctl_athforceBias
> _ath_sysctl_athforcebadrx
> _ath_sysctl_athpowermode
> _ath_sysctl_athppmupdate
> _ath_sysctl_athvendorie
> _ath_sysctl_debug
> _ath_tx_cleanup
> _ath_tx_cleanupq
> _ath_tx_cryptosetup
> _ath_tx_descsetup
> _ath_tx_draintxq
> _ath_tx_proc
> _ath_tx_start
> _ath_tx_stopdma
> _ath_txq_getprops
> _ath_txq_setup
> _ath_txq_update
> _ath_update_ppm
> _ath_update_ps_mode
> _ath_update_txpow
> _ath_updateslot
> _ath_vendorie
> _ath_wme_update
> _ath_xchanmode
> _atheros_setuptable
> _athpowermode
> _ieee80211_add_ath
> _ieee80211_parse_athparams
> _ieee80211_saveath
> _sysctl__debug_athdriver
> _sysctl__net_athCCAThreshold
> _sysctl__net_athaddbaignore
> _sysctl__net_athaggrfmax
> _sysctl__net_athaggrqmin
> _sysctl__net_athbadrxbuf
> _sysctl__net_athbadrxdesc
> _sysctl__net_athbgscan
> _sysctl__net_athdupie
> _sysctl__net_athforceBias
> _sysctl__net_athforcebadrx
> _sysctl__net_athpowermode
> _sysctl__net_athppmupdate
>
> Things possibly relating to monitor mode (grep monitor):
> __ZN16IO80211Interface22monitorModeInputPacketEP6__mbuf
> __ZN18AirPort_Athr5424ab10monitorDLTEP16IO80211Interface
> __ZN18AirPort_Athr5424ab21monitorModeSetEnabledEP16IO80211Interfaceb
> __ZN18AirPort_Athr5424ab25monitorPacketHeaderLengthEP16IO80211Interface
>
> Things having to do with start (grep start):
> _AirPort_Athr5424ab__serviceRestart
> __ZN18AirPort_Athr5424ab5startEP9IOService
> __ZN9IOService13startMatchingEm
> __ZN9IOService14startCandidateEPS_
> __ZN9IOService19start_PM_idle_timerEv
> __ZN9IOService5startEPS_
> __ZZN18AirPort_Athr5424ab5startEP9IOServiceE12__FUNCTION__
> __start
> _adhoc_start
> _ap_restart
> _ap_start
> _ar5212AniRestart
> _ath_scan_start
> _ath_start
> _ath_startrecv
> _ath_tx_start
> _ieee80211_start_scan
> _p_rx_buf_pool_phys_start
> _scan_restart
> _sta_restart
> _sta_start
> _tx99_start
>
>
>
>
>




--
Matt Watson | (250) 686-5457
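Editor's note on the symbol dump quoted above. The `__Z...` names are Itanium C++ ABI mangled names (Mach-O adds one extra leading underscore), so the argument types of the interesting entry points are already in the listing: for example `__ZN18AirPort_Athr5424ab21monitorModeSetEnabledEP16IO80211Interfaceb` is `AirPort_Athr5424ab::monitorModeSetEnabled(IO80211Interface*, bool)`. The script below is an added example, not code from this thread or from the KisMAC project: a small demangler for just the subset of the mangling grammar these symbols use (nested names, `NK` const member functions, `Z...E` local names, `P`/`K` pointer and const qualifiers, a few builtin type codes, and `S_`/`S<n>_` substitutions), plus a helper that accepts the listing as it appears in the mail, `>`-quoted and with whitespace inserted by line wrapping. The sample input is constructed from names quoted in the thread. Anything outside that subset raises rather than guessing.

```python
import re   # added example: a subset Itanium C++ ABI demangler for the kext symbol names quoted above

BUILTINS = {"v": "void", "b": "bool", "c": "char", "i": "int", "l": "long", "m": "unsigned long"}


class Demangler:
    def __init__(self, mangled):
        self.s, self.pos, self.subs = mangled, 0, []   # subs: substitution candidates, in order

    def peek(self):
        return self.s[self.pos:self.pos + 1]

    def take(self, n=1):
        self.pos += n
        return self.s[self.pos - n:self.pos]

    def match(self, pattern):              # advance over a regex match or fail loudly
        m = re.match(pattern, self.s[self.pos:])
        if not m:
            raise ValueError(f"expected {pattern!r} at {self.pos} in {self.s!r}")
        self.pos += m.end()
        return m

    def source_name(self):                 # <length><identifier>, e.g. 9IOService
        return self.take(int(self.match(r"\d+").group()))

    def substitution(self):                # S_ -> candidate 0, S0_ -> 1, S1_ -> 2, ... (base 36)
        seq = self.match(r"S([0-9A-Z]*)_").group(1)
        return self.subs[0 if seq == "" else int(seq, 36) + 1]

    def type_(self):
        c = self.peek()
        if c in BUILTINS:                  # builtin types are never substitution candidates
            return BUILTINS[self.take()]
        if c == "S":
            return self.substitution()
        if c in ("P", "K"):                # pointer to / const-qualified <type>
            self.take()
            t = self.type_() + ("*" if c == "P" else " const")
        elif c.isdigit():
            t = self.source_name()         # class or struct name
        else:
            raise ValueError(f"unsupported type code {c!r} at {self.pos} in {self.s!r}")
        self.subs.append(t)                # class, pointer and const types are candidates
        return t

    def name(self):                        # -> (qualified name, is const member function)
        c = self.peek()
        if c == "N":                       # nested name: N [K] <prefix>... <unqualified> E
            self.take()
            const = self.peek() == "K" and self.take() == "K"   # NK... = const member function
            parts = []
            while self.peek() != "E":
                parts.append(self.substitution() if self.peek() == "S" else self.source_name())
                if self.peek() != "E":     # each prefix (not the final component) is a candidate
                    self.subs.append("::".join(parts))
            self.take()
            return "::".join(parts), const
        if c == "Z":                       # local name: Z <function encoding> E <entity name>
            self.take()
            outer = self.encoding()
            if self.take() != "E":
                raise ValueError(f"expected E after local-name encoding in {self.s!r}")
            return f"{outer}::{self.name()[0]}", False
        return self.source_name(), False   # unscoped name, e.g. a free function

    def encoding(self):
        qual, const = self.name()
        if self.pos >= len(self.s) or self.peek() == "E":
            return qual                    # data symbol: no parameter list is encoded
        params = []
        while self.pos < len(self.s) and self.peek() != "E":
            params.append(self.type_())
        if params == ["void"]:             # f(void) is encoded as 'v' and means "no parameters"
            params = []
        return f"{qual}({', '.join(params)})" + (" const" if const else "")


def demangle(symbol):
    """Demangle one Mach-O symbol; plain C names only lose the Mach-O leading underscore."""
    if not symbol.startswith("__Z"):
        return symbol[1:] if symbol.startswith("_") else symbol
    d = Demangler(symbol[1:])              # drop the Mach-O '_', keep the '_Z' prefix
    d.take(2)
    out = d.encoding()
    if d.pos != len(d.s):
        raise ValueError(f"trailing characters in {symbol!r}")
    return out


def demangle_listing(text):
    """Demangle a '>'-quoted, mail-wrapped listing (whitespace inserted by wrapping is dropped)."""
    syms = [re.sub(r"\s+", "", line.lstrip("> ")) for line in text.splitlines()]
    return {s: demangle(s) for s in syms if s}


# Constructed sample: names copied from the listing in the thread, quoted and wrapped as in the mail.
SAMPLE = """\
> __ZN18AirPort_Athr5424ab21monitorModeSetEnabledEP16IO80211Interfaceb
> __ZN15IORegistryEntry13childFr omPathEPKcPK15IORegistryPlanePcPi
> __ZZN18AirPort_Athr5424ab5startEP9IOServiceE12__FUNCTION__
> _ath_startrecv
"""
```

On a Mac the same result comes from piping `nm` output through `c++filt`; the point of the script is to show what the names encode, and it makes the monitor-mode entry points readable: `AirPort_Athr5424ab::monitorModeSetEnabled(IO80211Interface*, bool)`, `monitorDLT(IO80211Interface*)` and `monitorPacketHeaderLength(IO80211Interface*)`, all taking the interface object as their first argument.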
