Spoofing the MAC address on Airport Extreme cards (static method)

Updated by Stefan on Mon 1 Aug 2005 at 13:00

Because of the few problems with the dynamic method of MAC address spoofing I "invented" a static method. It makes changing the MAC more complicated, because you have to hardcode the MAC you want into the driver and then reload it every time you want to change your MAC. But at least no other real problems were discovered with this method.

Setting up...

I strongly suggest not experimenting with the original driver in /System/Library/Extensions/AppleAirPort2.kext, at least until you have made sure that everything works as you want. Therefore you should first copy the driver into a test environment, and don't forget to make an additional backup.

base:/Users/spoofer root# cp -pR /System/Library/Extensions/AppleAirPort2.kext .
base:/Users/spoofer root# cp -pR /System/Library/Extensions/AppleAirPort2.kext AppleAirPort2.kext.backup

Patching the binary driver

For now there is no automatic installation tool, so you have to patch the driver binary in AppleAirPort2.kext/Contents/MacOS/AppleAirPort2 with a hex editor of your choice. The following values may be different in your driver, but at least 3 driver versions have the same bytes.

For pre-Tiger driver versions search for:

88 FF 15 30 | 89 5F 15 31 | 89 1F 15 32 | 7C E0 50 38
89 7F 15 33 | 7D 00 00 38 | 89 3F 15 34 | 7D 60 00 38
88 5F 15 35 | 7D 20 00 38 | 7C 40 00 38 | 2F 80 00 FF
41 9E 01 98

and change into

3C E0 Xx XX | 90 FF 15 30 | 3C E0 Yy YY | 60 E7 Zz ZZ
90 FF 15 32 | 60 00 00 00 | 60 00 00 00 | 60 00 00 00
60 00 00 00 | 60 00 00 00 | 60 00 00 00 | 60 00 00 00
60 00 00 00


For post-Tiger driver versions search for:

88 FF 19 90 | 89 7F 19 91 | 89 5F 19 92 | 89 1F 19 93 
7C E0 58 38 | 89 3F 19 94 | 7D 40 00 38 | 88 5F 19 95
7D 00 00 38 | 7D 20 00 38 | 7C 40 00 38 | 2F 80 00 FF 
41 9E 01 CC

and change into

3C E0 Xx XX | 90 FF 19 90 | 3C E0 Yy YY | 60 E7 Zz ZZ
90 FF 19 92 | 60 00 00 00 | 60 00 00 00 | 60 00 00 00
60 00 00 00 | 60 00 00 00 | 60 00 00 00 | 60 00 00 00
60 00 00 00

Of course you have to replace Xx:XX:Yy:YY:Zz:ZZ with the MAC you want. It should be mentioned that putting any value other than 0x00 into Xx resulted in connections that did not work. I don't know whether it is my access point or the Apple kernel that refuses such MACs.
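The following is an added example, not part of the original article or Apple's driver: a small Python check that scans a driver binary for the byte sequences listed above and reports whether the MAC-loading code is original or patched, recovering the hardcoded MAC in the patched case. The names ORIGINAL, PATCHED, patched_re and scan are assumptions made for this example; the byte patterns are the ones from the article, and the sample input is constructed.

```python
import re

# Unpatched instruction sequences, copied from the article's "search for" blocks.
ORIGINAL = {
    "pre-Tiger": bytes.fromhex(
        "88FF1530 895F1531 891F1532 7CE05038 897F1533 7D000038 893F1534"
        " 7D600038 885F1535 7D200038 7C400038 2F8000FF 419E0198"),
    "post-Tiger": bytes.fromhex(
        "88FF1990 897F1991 895F1992 891F1993 7CE05838 893F1994 7D400038"
        " 885F1995 7D000038 7D200038 7C400038 2F8000FF 419E01CC"),
}

def patched_re(off, off2):
    # lis r7,XXXX ; stw r7,off(r31) ; lis r7,YYYY ; ori r7,r7,ZZZZ ;
    # stw r7,off2(r31) ; followed by eight nops (60 00 00 00).
    return re.compile(
        rb"\x3c\xe0(..)\x90\xff" + re.escape(off)
        + rb"\x3c\xe0(..)\x60\xe7(..)\x90\xff" + re.escape(off2)
        + rb"(?:\x60\x00\x00\x00){8}", re.DOTALL)

PATCHED = {
    "pre-Tiger": patched_re(b"\x15\x30", b"\x15\x32"),
    "post-Tiger": patched_re(b"\x19\x90", b"\x19\x92"),
}

def scan(blob):
    """Return [(offset, variant, state, mac_or_None)] sorted by offset."""
    found = []
    for variant, seq in ORIGINAL.items():
        for m in re.finditer(re.escape(seq), blob):
            found.append((m.start(), variant, "original", None))
        for m in PATCHED[variant].finditer(blob):
            # The three captured halfwords are the six MAC bytes in order.
            mac = ":".join(f"{b:02x}" for b in b"".join(m.groups()))
            found.append((m.start(), variant, "patched", mac))
    return sorted(found, key=lambda f: f[0])

if __name__ == "__main__":
    # Constructed sample, not a real driver: padding followed by a patched
    # post-Tiger sequence carrying the MAC from the article's ifconfig output.
    sample = b"\x00" * 4 + bytes.fromhex(
        "3CE00011 90FF1990 3CE02233 60E74455 90FF1992" + " 60000000" * 8)
    for offset, variant, state, mac in scan(sample):
        print(f"0x{offset:x}: {variant} sequence is {state}", mac or "")
```

An empty result means neither sequence was found, which is the "values may be different in your driver" case the article mentions.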

Testing

After patching the binary you can test whether everything works by unloading and reloading the driver and then checking the interface:

base:/Users/spoofer root# kextunload AppleAirPort2.kext
kextunload: unload kext AppleAirPort2.kext succeeded
...
base:/Users/spoofer root# kextload AppleAirPort2.kext
kextload: AppleAirPort2.kext loaded successfully
...
...
base:/Users/spoofer root# ifconfig en1
en1: flags=8863 mtu 1500
        inet6 fe80::211:22ff:fe33:4455 prefixlen 64 scopeid 0x5
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
        ether: 00:11:22:33:44:55
        media: autoselect status: active
        supported media: autoselect

Known Problems/Limitations

Permanent install

I suggest that you perform this step only if you are sure that everything is okay, because otherwise your kernel may crash during startup. Copy your modified AppleAirPort2 file to /System/Library/Extensions/AppleAirPort2.kext/Contents/MacOS/AppleAirPort2 and clear the kext caches.

base:/Users/spoofer root# cp AppleAirPort2.kext/Contents/MacOS/AppleAirPort2 /System/Library/Extensions/AppleAirPort2.kext/Contents/MacOS/AppleAirPort2
base:/Users/spoofer root# rm -r /System/Library/Caches/com.apple.kernelcaches/
base:/Users/spoofer root# rm /System/Library/Extensions.kextcache
base:/Users/spoofer root# rm /System/Library/Extensions.mkext
