How to force packets with bad MIC?
Lohmann, Peter
plohmann
Fri May 25 17:39:16 PDT 2007
For the very same reasons that you mention, I forced MIC errors at the driver level (agere.720) by modifying:
void calc_mic_rx_frag( IFBP ifbp, wci_bufp p, int len )
{
:
// After n counter ticks, XOR the MIC with some random value. Force 2 errors.
//
if( ( ( g_nCntr % 300 ) == 299 ) || ( ( g_nCntr % 300 ) == 296 ) )
{
printk("************** %s:%s: corrupting rx MIC\n",__DATE__,__TIME__);
x.x32 ^= 0x1F234509;
}
:
}
The AP reports the MIC errors and goes into countermeasures for 60 seconds.
You would, or course, need to modify the code for your station driver chipset.
I needed this for MIC recovery debugging, and wish there were a better way -- perhaps what Jouni mentioned.
HIH,
-- Peter
On Fri, May 25, 2007 at 11:17:43PM -0000, Queisser, Andrew (Idol pick: Blake) wrote:
> I built wpa_supplicant with the goal to create packets to force MIC
> failures on an AP we're having trouble with. My goal was to first verify
> that the AP does indeed go into TKIP countermeasure mode correctly and
> then checking whether sending junk in the TSC, ICV and and so on does
> not trigger the countermeasure.
>
> I thought I could inject some debug code into wpa_supplicant but after
> digging through the code a bit it seems like this kind of modification
> has to be done at the card driver level.
More information about the Hostap
mailing list