Using Aux ports to send Control frames...

Joshua Wright jwright
Wed Sep 29 08:26:59 PDT 2004

> Can anyone help me understand this method? can u plz send a code or 
> indicate how to disable AUX ports in hostap and how to read or write 
> from it...
> Documents that describe the functionalities of AUX ports or the method 
> referred to would help me in my research...

The premise is that you have to stop the transmit queue after writing 
the packet to the device, searching through the AUX device for a magic 
value that indicates the start of the packet, and modifying the memory 
offset with your custom frame.

In practice, it's quite difficult since you are competing with a race 
condition to get the card into the right state for you to be able to 
mess with it in a way that it was never intended to do.  In my tests, 
I'm only able to get a few frames (like 1 or 2) transmitted before my 
card ceases to respond altogether, forcing a manual reset.

As I understand it, Cisco and Atheros cards do not have the same 
firmware restrictions as the Prism2 series cards, and can inject 
arbitrary frames of any type or content without being mangled.  This 
could allow an attacker to send spoofed frames with in-order sequence 
numbers to avoid being detected by WLAN IDS systems, and a slew of other 
devious tactics.

Did anyone make it to Toorcon this year?  There was a presentation 
titled "Advanced Packet Injection in 802.11a/b/g Networks" that may shed 
some more light on other packet injection opportunities that are 
otherwise firmware unencumbered.


-Joshua Wright
jwright at

fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

Today I stumbled across the world's largest hotspot.  The SSID is "linksys".
