OS X’s Atheros Driver: Bad Apple?

This was written on August 06, 2007. Please note that these are necessarily my current views on the subjects discussed. I will post a follow-up in the near future.

Following up on my MAC address patcher for PowerPC-based Macs with AirPort cards, I set out to answer the dozens of requests I had received for an Atheros patch. I am working on a new MacBook Pro with an AirPort Extreme (168C,87) using firmware 1.1.9.3.

Rather than perform the same routine of binary surgery on a copy of the driver, I thought I’d try attacking a moving target this time by performing the patch in kernel space, while the AirPort card is on and running. This is widely accepted as a Bad Idea™, but people who are swapping their MAC address don’t tend to be the kind who fret about the stability of their kernels.

Thanks to a helpful reply to my question on Apple’s kernel mailing list, it didn’t take much work to craft a kernel extension that could look up the address of any global symbol in Apple’s Atheros driver. This leaves me with the task of locating a symbol to victimize, and I’ve talentlessly chosen ath_set_mac_address.

Vestigial Traces

This is as far as I made it last night, when a Google search led me to a MadWifi repository check-in, which piqued my interest: it uses the exact same symbol name as Apple’s driver. Moreover, both strings that appear in the MadWifi function also appear in the AirPort binary file.

I believe the point at which the Atheros chipset made an appearance in Macs was with the debut of the first Intel iMac in 2006. The datestamp on the MadWifi check-in predates this by two years. If it turns out that Apple has lifted code from the MadWifi project, Apple may be forced to publicize the source code to their driver, as MadWifi’s code is released under the GPL.

I hate to send bad publicity Apple’s way, but it’s disappointing when people disregard the wishes of an author who has made his work freely available to the public. I just hope that Apple handles this better than Maui X-Stream.

Onward

According to the MadWifi code, I need to have a reference to the device whose MAC address I want to change. This is problematic, because I have to find another function I can patch into and grab the reference (sort of a man-in-the-middle). Unfortunately, this isn’t so easy on x86, and I can’t use APETools because they can’t run in the kernel.

On a Tangent

In Talk:AirPort at Wikipedia, an anonymous author writes that “AirPort Extreme Cards can also be made to operate at a restricted military frequency, which is why the drivers are not made open source.” The author did not provide any sources for his or her information, so I’m highly skeptical, though it would be kickass.