[kismac] Howto spoof your MAC address on airport extreme cards [repost-nr.2]

  • From: Stefan Esser <stefan@xxxxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Fri, 22 Apr 2005 21:40:40 +0200

Sorry if this mail ends up several times in your mailbox, but it seems to me
now that the strange freelists.org host refuses emails from several of my domains
for whatever reason...

like I had to subscribe with 3 different email addresses until subscription worked...


We all know the Broadcom dilemma. Because of no documentation I started
a new approach and learned the structure of the binary driver.

Right now I am able to present you two methods for spoofing your MAC
address on Airport Extreme cards by binary patching of the original driver.

See methods at http://www.suspekt.org/

Method 1 - Dynamic
This method links a small PPC assembly snippet to the original driver
and so adds an AirportPCI::setHardwareAddress function. This allows
MAC address changing with simple ifconfig en1 lladdr calls. The downside
is that there are some problems with some systems. (Could be a problem
in the assembly snippet)

Method 2 - Static
This method patches the startup of the driver, where the device is
queried for its MAC address. At this point a hardcoded value is returned
instead. This kills all known problems with the dynamic method, but has
the downside that you have to patch a new MAC into the driver and reload
it every time you want to change your MAC.

Long Term Goal
Make use of passive RFMON mode by patching the binary driver. Idea for
this already exists and now must be tested for feasibility.

Stefan Esser

Stefan Esser                                               sesser@xxxxxxx
Hardened-PHP Project                         http://www.hardened-php.net/

GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
Key fingerprint       7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78
