[p2p-hackers] Penumbra Wifi Network

Andy Green andy at warmcat.com
Tue Jan 16 16:34:01 EST 2007

Vikram Dham wrote:

Hi Vikram -

> Doesn't the potential & practicability of this idea depend on the 
> capability of wireless cards and drivers supporting them? Do we know if 
> wireless network card would allow node to be part of Infrastructure 
> network and also transmit broadcast packets on another channel / 
> network? How much can a device driver control the wireless network card? 
> Can it control transmissions per packet basis?

That's right, everything depends first on getting the wlan card to do 
what the protocol needs.

It's definitely not going to be possible to get normal operation from a 
wireless card that is associated on a network if you keep changing the 
channel.  So if you share your network card with your private network 
and Penumbra, you can only listen and send Penumbra packets on the same 
wireless channel you are associated on.  (If you alternatively, or in 
addition, use a second wireless USB stick on its own channel, then you 
can bridge Penumbra traffic between channels and listen on both for 
Penumbra traffic.)

Every transmission from the wireless card is in fact a "broadcast", and 
some parts of it are always unencrypted, including some MAC addresses at 
the beginning.  One of these MAC addresses is set to 11:22:33:44:55:66 
to mark the packet as being a Penumbra packet.

The different cards have different levels of control over the packets, 
some of them expect the 80211 stack to have done the crypto already and 
some of them do hardware crypto after the packet leaves the CPU.  The 
three plans I have for dealing with the different situations are:

  - Try to ship the packet out unencrypted and marked as unencrypted

  - If the wireless card is going to insist on doing hardware encryption 
after I give it the packet, then try to specify the IV (Initialization 
Vector) for the packet, and pre-encrypt the payload with that IV and the 
  current local network key.  Because RC4 is symmetrical, encrypting it 
twice (once in the driver and again in the hardware) will AIUI have the 
end result of getting it out unencrypted

  - If neither of these will fly on particular hardware, then try to 
specify Penumbra packets (only) be encrypted by WEP key 4, and specify 
that WEP key 4 must be set to 0x0000...00 on systems participating in 
Penumbra.  The packets are marked with which of the 4 possible WEP keys 
were used on them when they go out, so this can be decrypted 
transparently by the receiving driver

For receiving, it seems the cards can operate in a promiscuous mode or 
to filter by their MAC address only.  In this case we have to switch the 
card to promiscuous and filter in software for packets with the local 
MAC address or the 11:22:33:44:55:66 one.

The current status is that I can send and receive unencrypted packets on 
an unassociated zd1211 and send and receive encrypted packets on an 
associated zd1211 and ipw3945 wlan with very light modifications to the 


More information about the p2p-hackers mailing list