Is it possible to easily broadcast fake Wi-Fi beacon frames?

gronak · January 1, 2025, 12:01pm

Hello!

Long story short, I want to duplicate what these guys did to enable hearing aid feature for Apple AirPods Pro 2: https://lagrangepoint.substack.com/p/airpods-hearing-aid-hacking

I'm using an iPad with no GPS or cellular capabilities, OpenWRT router is running a VPN client and I get needed response from https://gspe1-ssl.ls.apple.com/pep/gcc (I get "US" which is where my VPN server is), but the feature doesn't work and in Maps I see my true location.

To spoof location they used SkyLift: https://github.com/adamhrv/skylift

It runs on ESP32 which I don't have, so I wanted to ask you guys first, is it possible to do something similar using OpenWRT?
Ideally I'd get data from wigle.net from the same location where my VPN server is and send fake/spoofed beacons in a loop (10 times a second as I understand it).

I don't have skills needed to change OpenWRT code and compile it, but if there is a ready to use tool that can send such beacons so I could use it in a simple bash script - that would be perfect.

Thanks.

brada4 · January 1, 2025, 1:32pm

Does random mac luci/nwtwork/wireless/edit an ap/lower advanced tab/ mac address -> set random fill the gap?

mk24 · January 1, 2025, 1:40pm

The aircrack-ng suite is available in OpenWrt. I think one of its programs will replay a file of arbitrary packets.

gronak · January 1, 2025, 1:47pm

I'm pretty sure it uses all APs it can detect and use this information to get location data, that's why in the article they say "We also bumped the number of SSIDs to cycle up through to 100 from 10."

But I'll give it a shot, just need to somehow block WiFi signal of my neighbors first. Thanks!

porshuram · January 1, 2025, 3:37pm

populate the /etc/config/wireless file for each ssid and mac with

config wifi-iface 'wifinet<number>'                                  
                  option device '<radio_name/wifi_device_name>'                
                  option mode 'ap'                                                       
                  option ssid '<ssid>'                                       
                  option encryption 'sae-mixed'                                                                
                  option macaddr '<mac>'                                                              
                  option key '<any_valid_password>'                                
                  option network 'lan'

replace the text in <>
save and restart

gronak · January 2, 2025, 7:21am

Thanks! I started learning how to forge and play packets with aircrack-ng that @mk24 suggested, but this is a much simpler solution for my problem. Created 15 APs as a test and they are visible when searching for WiFi on my devices

I actually did try to just create multiple APs (in LuCI), but it failed on Xiaomi Mi WiFi Mini after just a couple additional APs, they weren't starting. This time I'm using ASUS RT-AX53U and it has no issues it seems.

system · January 12, 2025, 7:21am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.