I wrote the attached DOS program to dump all the tags in the EEPROM of
Aironet/Cisco radio cards. It understands the format of a number of the
tags, including the WEP keys, and works with (at least) the original 4500
through the 350 series. Note that the card stores the WEP keys only
XOR-obfuscated (0x55/0xAA on alternate bytes), not encrypted, so the program
prints them in the clear: anyone who can run it against the card recovers the
keys. It does not do PCMCIA setup and such; you must first enable the slot with
"pcmcia on -boot" or by running some other DOS utility (e.g., wepdos) that
leaves the card running. Use the "-p" option to point my program at the I/O
base address of whatever you used to enable the slot (the default is 0x180).
Dan Lanciani
[EMAIL PROTECTED]
------
#include <stdio.h>
#include <stdlib.h>

#include <conio.h>
unsigned base = 0x180;	/* I/O base of the card's register window; every "-p<hex>" option overwrites it */
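/* Helpers defined later in this file; declared here so calls are type-checked. */
int waitcmd(void);
int ackcmd(void);
int dumpbap(int seg, int off, unsigned cnt);
int dumpwep(int tag, int seg, int len);

/*
 * Print the decoded view of a tag this program knows about; silent for any
 * other tag.  `body` is the number of record bytes after the header and
 * `dat` the first data word of the record (already read by the caller).
 */
static void print_known_tag(unsigned tag, unsigned seg, unsigned body, unsigned dat)
{
	switch (tag) {
	case 0x1000:
		printf(" CALLID\n");
		break;
	case 0x1001:
		printf(" COUNTRY %u\n", dat);
		break;
	case 0x1002:
		printf(" POWER %umW\n", dat);
		break;
	case 0x1003:
		printf(" MODULATION ");
		if (dat == 1)
			printf("CCK\n");
		else if (dat == 2)
			printf("MBOK\n");
		else
			printf("unknown %u\n", dat);
		break;
	case 0x3000:
	case 0x3001:
	case 0x3002:
	case 0x3003:
	case 0x3004:
		/* WEP key records; dumpwep prints the de-obfuscated key bytes. */
		dumpwep(tag, seg, body);
		break;
	case 0xf000:
		printf(" WEP flags ");
		if (dat & 1)
			printf("WEP40 ");
		if (dat & 2)
			printf("WEP128");
		printf("\n");
		break;
	default:
		break;
	}
}

/*
 * Entry point.  Consumes any leading "-p<hex>" arguments (each one resets
 * `base`; the last wins), checks that the card is idle, issues the 0x0010
 * command (reported as "NOP" on failure) to prove the card completes commands,
 * then asks the card for every tag id from 0x0000 to 0xfffe.  For each id the
 * card answers with response 0x0029, it prints the tag id, the record length
 * and a hex dump of the record body, plus a decoded view for known tags.
 *
 * Exit status: 1 if the busy bit (0x8000 at +0x00) is set before or after the
 * initial command, 2 on a malformed "-p" argument, 0 otherwise.
 *
 * Register offsets as used here (names inferred from usage -- verify against
 * the card documentation): +0x00 command, +0x02 parameter, +0x08 response,
 * +0x0a response parameter, +0x3a/+0x3c BAP segment/offset, +0x3e BAP data
 * (successive reads return successive words).
 */
int main(int argc, char **argv)
{
	unsigned tag, seg, len, body, dat;

	while (argc > 1 && argv[1][0] == '-' && argv[1][1] == 'p') {
		/* Reject an unparsable base instead of silently keeping the old one. */
		if (sscanf(&argv[1][2], "%x", &base) != 1) {
			fprintf(stderr, "Bad base address in \"%s\"; expected -p<hex>\n", argv[1]);
			exit(2);
		}
		argv++;
		argc--;
	}

	if (inpw(base) & 0x8000) {
		fprintf(stderr, "Busy bit set on startup\n");
		exit(1);
	}
	outpw(base, 0x0010);
	waitcmd();
	ackcmd();
	if (inpw(base) & 0x8000) {
		fprintf(stderr, "Busy bit set after NOP\n");
		exit(1);
	}

	/* Tag 0xffff is never probed; the original loop bound is kept as-is. */
	for (tag = 0; tag < 0xffff; tag++) {
		outpw(base + 0x02, tag);
		outpw(base, 0x0029);
		waitcmd();
		if (inpw(base + 0x08) == 0x0029) {
			printf("TAG %04x ", tag);
			seg = inpw(base + 0x0a);
			ackcmd();
			/* Point the BAP at the record: the length word sits at offset 6,
			 * record data starts at offset 8. */
			outpw(base + 0x3a, seg);
			outpw(base + 0x3c, 6);
			len = inpw(base + 0x3e);
			dat = inpw(base + 0x3e);
			if (len < 4) {
				/* The program treats the length word as covering 4 header bytes;
				 * a smaller value would wrap `body` to ~64K and dump garbage. */
				printf("LEN %04x (invalid, body skipped)\n", len);
			} else {
				body = len - 4;
				printf("LEN %02x DATA ", body);
				dumpbap(seg, 8, (body + 1) / 2);
				print_known_tag(tag, seg, body, dat);
			}
			/* Command 0x000c with the same handle, presumably releasing the
			 * record -- issued for every matched tag as in the original. */
			outpw(base + 0x02, seg);
			outpw(base, 0x000c);
			waitcmd();
		}
		ackcmd();
	}
	return 0;
}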
/*
 * Acknowledge a completed command by writing 0x0010 to the register at
 * +0x34.  Callers ignore the return value; it is always 0.
 */
int ackcmd(void)
{
	unsigned ack_reg = base + 0x34;

	outpw(ack_reg, 0x0010);
	return 0;
}
/*
 * Spin until bit 0x0010 is set in the status register at +0x30 (the bit
 * this program treats as "command complete").  kbhit() is called on every
 * iteration and its result discarded -- presumably so DOS gets a chance to
 * notice Ctrl-C while spinning (verify) -- so a keypress does not break the
 * loop.  There is no timeout: if the card never sets the bit, this never
 * returns.  Callers ignore the return value; it is always 0.
 */
int waitcmd(void)
{
	for (;;) {
		if (inpw(base + 0x30) & 0x0010)
			return 0;
		kbhit();
	}
}
/*
 * Hex-dump `cnt` 16-bit words of the record in BAP segment `seg`, starting
 * at byte offset `off`, printed as "lo hi " byte pairs and ended with a
 * newline.  Successive reads of +0x3e are expected to return successive
 * words of the record.  Callers ignore the return value; it is always 0.
 */
int dumpbap(int seg, int off, unsigned cnt)
{
	unsigned word, n;

	outpw(base + 0x3a, seg);
	outpw(base + 0x3c, off);
	for (n = 0; n < cnt; n++) {
		word = inpw(base + 0x3e);
		printf("%02x %02x ", word & 0xff, word >> 8);
	}
	printf("\n");
	return 0;
}
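/*
 * Print one WEP key record.  `tag` selects the label (0x3004 is the "home"
 * key, 0x3000..0x3003 are keys #0..#3), `seg` is the record's BAP segment
 * and `len` the number of record bytes after the header (data starts at BAP
 * offset 8).  Only the two record sizes this program recognises, 14 and 22,
 * are decoded; anything else is reported and skipped.
 *
 * Layout as used here: the first 6 data bytes are skipped, the word at data
 * offset 6 (BAP offset 8 + 6) is taken as the key length in bytes, and the
 * key bytes follow.  The key is stored obfuscated, not encrypted: even bytes
 * are XORed with 0x55 and odd bytes with 0xaa, so anyone able to read the
 * card's EEPROM (this program, or any DOS session with the slot enabled)
 * obtains the plaintext key.  Treat the output as secret material.
 *
 * Callers ignore the return value; it is always 0.
 */
int dumpwep(int tag, int seg, int len)
{
	unsigned keylen, words, w;

	printf(" WEP key ");
	if (tag == 0x3004)
		printf("home ");
	else
		printf("#%d ", tag - 0x3000);

	if (len != 14 && len != 22) {
		printf("unknown record length %d\n", len);
		return 0;
	}

	outpw(base + 0x3a, seg);
	outpw(base + 0x3c, 8 + 6);
	keylen = inpw(base + 0x3e);
	printf("LEN %02u ", keylen);

	/* The key length also comes from the EEPROM.  It cannot exceed the bytes
	 * left in the record after the 6 skipped bytes and the 2-byte length
	 * word; without this bound a corrupt field (e.g. 0xffff) would stream
	 * tens of kilobytes of reads off the card. */
	if (keylen > (unsigned)(len - 8)) {
		printf("(bad key length for a %d byte record)\n", len);
		return 0;
	}

	words = (keylen + 1) / 2;
	while (words-- > 0) {
		w = inpw(base + 0x3e);
		printf("%02x %02x ", (w & 0xff) ^ 0x55, (w >> 8) ^ 0xaa);
	}
	printf("\n");
	return 0;
}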