ViRb3 / nMAC

📱 An Android device MAC changer

Qualcomm devices #12

Closed JonnyTech closed 4 years ago

JonnyTech commented 5 years ago

I have used nMac on a multitude of rooted devices running various versions of Android without problem. All of these devices had a Mediatek chipset. Now I own a phone with a Qualcomm chipset. But I have been unable to locate a file containing the MAC address, except for one in /sys, which I know from previous discussions is unusable. Is this a known issue or can you suggest any way to locate the file?

ViRb3 commented 5 years ago

Try this: https://github.com/ViRb3/overseer

I have big plans to improve it, I'll hopefully find the time soon

JonnyTech commented 5 years ago

Thanks @ViRb3 but it does not run.

# ./overseer
sh: ./overseer: can't execute: Permission denied

Have tried chmod 777 and running from both adb shell and an installed root terminal. Copied file to /system/ and /data/ too. Does it produce logs anywhere?

cat /proc/cpuinfo states processor is ARMv7 Processor rev 4 (v7l). getprop ro.product.cpu.abi returns armeabi-v7a. OS is AOSP 9.

ViRb3 commented 5 years ago

Executables are only valid under the temp directory, so: /data/local/tmp

JonnyTech commented 5 years ago

Ah, good tip!

JonnyTech commented 5 years ago

OK, so it runs now but then reboots my phone after about a minute..

JonnyTech commented 5 years ago

Same with verbose mode, output piped to log file: lolog.txt

ViRb3 commented 5 years ago

The program is probably reading a file that serves as a trigger and shuts down/does some other weird behavior to your device. Try excluding the /dev and /sys directories. The file you're looking for is probably under /persist. I will try to rewrite this program but it won't be soon.

ViRb3 commented 5 years ago

Also try /data/vendor/oemvitems

JonnyTech commented 5 years ago

Still reboots: ./overseer xxxxxxxxxxxx -v -b /dev /sys /data/vendor/oemvitems > log.txt log.txt

ViRb3 commented 5 years ago

Seems like both cases crash at /system/lib/vnd, try blacklisting /system/lib

ViRb3 commented 5 years ago

And I meant try searching in data/vendor/oemvitems, that's where the MAC is on a OnePlus 5T.

JonnyTech commented 5 years ago

How does it scan a specific folder? It only displays a blacklist parameter in help.

ViRb3 commented 5 years ago

Ah, I'm afraid I haven't implemented specific searches then. Try going through the files manually I guess.

ViRb3 commented 5 years ago

Could also help if you look at the wifi code in your device's kernel source code.

JonnyTech commented 5 years ago

There is no oemvitems in data/vendor/. Shall continue tomorrow, need sleep now. Thanks for your help so far.

ViRb3 commented 5 years ago

Good luck, and no problems!

JonnyTech commented 5 years ago

BTW even with ./overseer XXXXXXCXXXCC -v -b /sys/ /dev/ /system/ > /storage/0101-0101/xfer/log.txt it still scans /system and crashes in the same place.

PS in case you have more time and knowledge than I do, kernel sources are here: https://github.com/MiCode/Xiaomi_Kernel_OpenSource/tree/tiare-o-oss

JonnyTech commented 5 years ago

I pulled all files from the phone using root adb then scoured them looking for the MAC in text or binary format without success. Is it possible that the MAC is read from hardware and stored in /sys without being copied elsewhere?
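
Added example, not part of the thread and not code from nMAC or overseer: the offline search described in the comment above, run on a computer against a directory of files pulled from the phone. It looks for the MAC as raw bytes and as hex text, and opens only regular files, so device nodes or symlinks in the copied tree are never read; the `skip` names, the `max_size` limit and the sample files are assumptions constructed for the illustration.

```python
import os
import stat
import tempfile

def mac_patterns(mac):
    """Return {label: bytes} for the encodings a MAC may take on disk."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))  # ValueError if not hex
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    octets = [f"{b:02x}" for b in raw]
    pats = {"raw": raw, "raw-reversed": raw[::-1]}
    for sep, name in (("", "hex"), (":", "colon"), ("-", "dash")):
        text = sep.join(octets)
        pats[name + "-lower"] = text.encode()
        pats[name + "-upper"] = text.upper().encode()
    return pats

def scan_tree(root, mac, skip=("sys", "dev", "proc"), max_size=64 << 20):
    """Search regular files under root; return sorted (relpath, label, offset)."""
    pats, hits = mac_patterns(mac), []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:  # prune pseudo-filesystems at the top level only
            dirnames[:] = [d for d in dirnames if d not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
                continue  # never open device nodes, FIFOs, symlinks or huge files
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            for label, pat in pats.items():
                if (off := data.find(pat)) != -1:
                    hits.append((os.path.relpath(path, root), label, off))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree for a constructed MAC address."""
    with tempfile.TemporaryDirectory() as root:
        files = {"persist/wlan_nv.bin": b"\x00" * 10 + bytes.fromhex("8899deadbeef"),
                 "wifi.ini": b"ExampleMac=8899DEADBEEF\n",   # constructed key name
                 "sys/mac": b"88:99:de:ad:be:ef\n"}          # pruned by skip
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return scan_tree(root, "88:99:de:ad:be:ef")
```

A hit labelled `raw` or `raw-reversed` points at a binary blob, while the `hex`, `colon` and `dash` labels point at text configuration files.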

ViRb3 commented 5 years ago

I do not know. What phone model do you have exactly? Here's the device tree for Xiaomi Redmi Note 4 & 4x (Mido): https://github.com/zeelog/android_device_xiaomi_mido

And here's the MAC file for that: https://github.com/zeelog/android_device_xiaomi_mido/blob/lineage-16.0/wifi/WCNSS_qcom_cfg.ini#L44

ViRb3 commented 5 years ago

After some research, it looks like the original MAC of every Qualcomm device is stored in its NV (non-volatile) memory. It seems like you can change it using the Qualcomm Product Support Tools, but that looks overkill and potentially dangerous to me.

Now, there seem to be a lot of abstraction layers on top of that NV data. Sadly, it varies widely from phone to phone and kernel implementations. Try to search in your device's trees and kernels, every phone I've seen so far stores that data in an easily writable file somewhere. On the other hand, Android Q will provide a different MAC for each WiFi network, so the struggle will end soon. Maybe an XPosed/Riru module could be created to do this on older versions.

Good luck!

JonnyTech commented 5 years ago

The device tree for my device (link above) also has a WCNSS_qcom_cfg.ini file but the addresses there do not correspond to the actual MAC of the adaptor.

The NV memory seems inaccessible - I have root and TWRP but neither can see a nvram partition like mediatek devices can.

The randomised MAC address will only be used when scanning networks (http://www.network-usa.com/2019/04/android-q-your-mac-address-on-wifi-networks-will-be-random.html)

The false MAC address is generated only once per network. In other words, when you connect twice on a WiFi network at different times, the same address is used. It remains however associated only with this network.

Also, not all devices support it - I have the current AOSP Q beta and the option is not available, neither in wifi settings, privacy or developer options.

JonnyTech commented 5 years ago

I have found an app that successfully changes the MAC:

"Change my MAC" https://play.google.com/store/apps/details?id=net.xnano.android.changemymac https://forum.xda-developers.com/android/apps-games/app-root-change-mac-spoof-wifi-mac-t3394540

Now I just have to figure out what it does...

JonnyTech commented 5 years ago

Hmm, it seems to edit text file /sys/devices/soc/a000000.qcom,wcnss-wlan/wcnss_mac_addr - thought that was not possible..

ViRb3 commented 5 years ago

Well, I guess it could be write-mapped. Have you tried changing that file?

su
cat /sys/devices/soc/a000000.qcom,wcnss-wlan/wcnss_mac_addr
# assume format is 112233445566
echo 112233445566 > /sys/devices/soc/a000000.qcom,wcnss-wlan/wcnss_mac_addr

JonnyTech commented 5 years ago

It also changes another file: /persist/WCNSS_qcom_wlan_nv.bin but it is not obvious what is done. I shall be at a computer in a day or two and shall analyse then report back.

JonnyTech commented 5 years ago

The solution really is as simple as:

echo 88:99:de:ad:be:ef > /sys/devices/soc/a000000.qcom,wcnss-wlan/wcnss_mac_addr

No other files are touched. Do you think that you could add to nMac? This would probably open it up to a whole load of qualcomm devices as well as all the mediatek ones it already supports :)

ViRb3 commented 5 years ago

For the sake of completeness, can you please share the result of: stat /sys/devices/soc/a000000.qcom,wcnss-wlan/wcnss_mac_addr?

I can add it, but I have no environment set up to build a new release.

JonnyTech commented 5 years ago

Here you go:

  File: `/sys/devices/soc/a000000.qcom,wcnss-wlan/wcnss_mac_addr'
  Size: 4096     Blocks: 0   IO Blocks: 512 regular file
Device: 10h/16d  Inode: 23489    Links: 1
Access: (600/-rw-------)    Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-05-16 08:45:25.207383859
Modify: 2019-05-16 13:24:51.091904315
Change: 2019-05-16 13:24:51.091904315

I shall set up a build environment and test next week. Thanks!

JonnyTech commented 5 years ago

Have not forgotten about this, but been busy lately. Found Xamarin for Linux: https://github.com/0xFireball/xamarin-android-linux

Then shall follow guide in wiki: https://github.com/ViRb3/nMAC/wiki/Creating-a-new-device-layout

For my reference:

JonnyTech commented 4 years ago

I have been unable to get Xamarin to work with Linux and have no access to a Windows device. @ViRb3 are you able to implement my findings?

ViRb3 commented 4 years ago

Hi there! I'm afraid that I haven't used or worked on this app for over a year and I don't have any of the tooling necessary to implement your findings. New devices have a dynamic MAC so I haven't had to change it. Sorry, I hope you understand.

JonnyTech commented 4 years ago

That's cool, thanks for replying.