[GUIDE] Changing your Bluetooth/Wi-Fi MAC Address


Da_G

Inactive Senior RD / Moderator Emeritus
Aug 20, 2007
3,332
1,563
Riverside, CA
Samsung Galaxy S22 Ultra
Hi guys :)

Well, I had an Atrix for a few days, but had some issues with AT&T and had to return it and deal with some customer service issues before I can re-purchase the device. I didn't let that slow me down though :)

While I had it, I made a few dumps of the NAND, and have been working on disassembling things. Thanks to the help from a number of great people on IRC (#xda-devs irc.freenode.net) I have been able to successfully change the Bluetooth and Wi-Fi MAC addresses, and discovered a way to write to the flash, bypassing the bootloader security.

The full writeup can be found at pocketnow.com

I will be posting more info about the bootloader bypass as soon as I get it 100% working. Right now we are able to write data directly to the NAND, bypassing bootloader security, and also provide a false signature, allowing the device to boot. However, there are some remaining issues (a custom kernel that was flashed to the device failed to boot properly) - stay tuned :)
 

lpsi2000

Senior Member
Jan 16, 2004
2,479
156
TriState
Excellent, can't wait to see the end result. Hopefully custom kernels and ROMs will be coming soon.
 

joeycass

Member
Mar 2, 2011
27
2
Devs, you guys are amazing! Thank you for the hard work that is put into all this! I know the challenge is fun for you all, but it really helps us non-dev people out a lot!

Sent from my MB860 using XDA App
 

ahmarchi

Senior Member
Aug 20, 2008
1,065
180
Greensboro
Nicely done Da_G.... great work as always, glad to see you again, and I hope to continue using your work as I did back in the old WinMo cooking :)!!!

Quick question: is there really a reason to change the Bluetooth/Wi-Fi MAC drivers??? Are there any benefits, or is it basically just the same exact reasons as when you do it on PCs?
 

Da_G

Inactive Senior RD / Moderator Emeritus
Aug 20, 2007
3,332
1,563
Riverside, CA
Samsung Galaxy S22 Ultra
The main reason to change the MAC address is to be able to join Wi-Fi networks that use whitelisting.

You could also use it to simplify device administration on your network.

Beyond that I can also imagine a few black-hat reasons to do it :)

The Atrix is one of the few smartphones that can pull it off easily though; others I am aware of are the LG Optimus One and the SGS series (although it's not so easy on the SGS).

There is plenty of other interesting data in /pds; it is the device provisioning partition (NVRAM) and is equivalent to /efs on the i9000/Captivate (which is the last device I used, so it's easy for me to compare with).

Careful messing with it though: on the Captivate, changing the wrong bit would kill your cellular radio until you restored an EFS backup, and I suspect the same danger is here with the Atrix too! And we don't have a quick way to restore a PDS backup yet like with Odin on the SGS (although I am hot on the heels of a method to do so).
 

oFUNGUSo

Senior Member
Feb 16, 2011
524
18
round rock TX
Omfg I'm excited! If this device gets real ROMs and even custom kernels, it's going to be an even more amazing device.

Sent from my MB860 using XDA Premium App
 

franciscojavierleon

Senior Member
Jul 16, 2010
441
39
Maracaibo
I'm excited about the bootloader bypass; I thought the firmware would do a complete checksum of it, so if it's partial then we should be able to find out exactly what gets checked.

I'm curious to see if you have been able to find something regarding SIM unlock, just like the SGS was holding the lock, very easily changeable with a simple hex editor. I bought the code already, but maybe other people will get lucky :)
 

Da_G

Inactive Senior RD / Moderator Emeritus
Aug 20, 2007
3,332
1,563
Riverside, CA
Samsung Galaxy S22 Ultra
I've asked for a backup of /pds prior to and after locking over in the general forum; hopefully a few people can send those my way. I suspect a good hard look at that will reveal the location and provide an easy unlock method (I think I located it already, but as /pds is not restored by flashing the leaked SBF, I'm loath to have someone else try it for fear of brickage).

I'll hammer it out once I get my device back in hand, whenever AT&T decides to allow me to purchase :)
 

franciscojavierleon

Senior Member
Jul 16, 2010
441
39
Maracaibo
I've asked for a backup of /pds prior to and after locking over in the general forum; hopefully a few people can send those my way. I suspect a good hard look at that will reveal the location and provide an easy unlock method (I think I located it already, but as /pds is not restored by flashing the leaked SBF, I'm loath to have someone else try it for fear of brickage).

I'll hammer it out once I get my device back in hand, whenever AT&T decides to allow me to purchase :)

I will do it, but I am getting a permission denied.

Code:
C:\Users\fjleon\Desktop\android-sdk-windows\platform-tools>adb shell tar zcvpf /sdcard-ext/pds-backup.tar.gz /pds/
tar: can't open '/sdcard-ext/pds-backup.tar.gz': Permission denied
I tried adb shell su and accepted superuser on the phone, but I still cannot do it.
 

ahmarchi

Senior Member
Aug 20, 2008
1,065
180
Greensboro
Wow, bypass = custom ROMs...... this would be ingenious, hope u get it working....

How does RSD Lite 5 flashing work??? It seems to create an image and then re-sign it.... would backtracking and trying to use the same method work?
 

Da_G

Inactive Senior RD / Moderator Emeritus
Aug 20, 2007
3,332
1,563
Riverside, CA
Samsung Galaxy S22 Ultra
@franciscojavierleon:

Make sure you don't have USB internal/SD storage mounted when you issue the command, or the SD card will be inaccessible from the device.

@ahjdmarchi:

I didn't study the program too much yet. I'll look into that if the current method I'm working on proves to be a failure :)
 

ahmarchi

Senior Member
Aug 20, 2008
1,065
180
Greensboro
@franciscojavierleon:

Make sure you don't have USB internal/SD storage mounted when you issue the command, or the SD card will be inaccessible from the device.

@ahjdmarchi:

I didn't study the program too much yet. I'll look into that if the current method I'm working on proves to be a failure :)

Here's a tattoo that I have on my chest:

"failure is not an option" - good luck brudda, hope all turns out well
 

Da_G

Inactive Senior RD / Moderator Emeritus
Aug 20, 2007
3,332
1,563
Riverside, CA
Samsung Galaxy S22 Ultra
@franciscojavierleon:

Try this instead.

Code:
adb shell tar zcvpf /data/local/tmp/pds-backup.tar.gz /pds/
adb pull /data/local/tmp/pds-backup.tar.gz
adb shell rm /data/local/tmp/pds-backup.tar.gz
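A verified form of the backup above, added here as an example and not code from the thread: it stages the archive in /data/local/tmp as Da_G suggests, compares the md5sum reported by the device with the pulled copy, and checks that the archive really holds pds/ entries before the staged file is deleted. It assumes adb in PATH, a root shell on the device (adb root or su), busybox tar and md5sum on the device, and USB storage not mounted on the host.

```shell
#!/bin/sh
# Added example, not from the thread: back up the Atrix /pds provisioning
# partition through the /data/local/tmp staging path, then verify the pulled
# copy before anything in /pds is edited. Assumes adb in PATH, a root shell on
# the device, busybox tar/md5sum on the device, and USB storage not mounted on
# the host (the thread's two causes of "Permission denied" on /sdcard-ext).
set -eu

REMOTE=/data/local/tmp/pds-backup.tar.gz   # staging file on the device

# Run a command on the device and strip the CR old adb builds append. adb shell
# on Android 2.x does not return the remote exit status; the digest check does.
dev() { adb shell "$@" | tr -d '\r'; }

# Create the archive on the device. tar drops the leading /, so the entries
# inside the archive read pds/...
stage_backup() { dev tar zcpf "$REMOTE" /pds/ >/dev/null; }

# md5 of the staged archive as reported by the device (first field only).
remote_md5() { dev md5sum "$REMOTE" | awk '{print $1}'; }

# md5 of the pulled copy on the host.
local_md5() { md5sum "$1" | awk '{print $1}'; }

# 0 if the archive is readable and holds at least one entry under pds/.
archive_has_pds() { tar tzf "$1" | grep -q '^pds/'; }

# Stage, pull to $1, compare digests, sanity-check the contents, and only then
# delete the staged copy. Returns 0 for a verified backup, 1 otherwise (the
# staged copy is left on the device for a retry).
pds_backup() {
    local_file=$1
    stage_backup
    want=$(remote_md5)
    adb pull "$REMOTE" "$local_file" >/dev/null
    got=$(local_md5 "$local_file")
    if [ -z "$want" ] || [ "$want" != "$got" ]; then
        echo "digest mismatch: device '$want' host '$got'" >&2
        return 1
    fi
    if ! archive_has_pds "$local_file"; then
        echo "$local_file has no pds/ entries; not a usable backup" >&2
        return 1
    fi
    dev rm "$REMOTE"
    echo "verified $local_file ($got)"
}
# Usage: sh pds-backup.sh run  (behind an argument so the file can be sourced)
case "${1:-}" in run) pds_backup "pds-backup-$(date +%Y%m%d).tar.gz" ;; esac
```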
 

cellzealot

Senior Member
Jan 4, 2008
1,314
815
Philadelphia, PA
RadioComm

You really need to take a look at RadioComm if you haven't yet.

The BT MAC address can be edited directly in the NVM on all Motorola devices.

On CDMA chipset devices it is located in seem 01bf, record 0001, bytes 0006, and there is also a module and a special set of TCI commands for managing this, called HOB restore.
There are also flags set in the firmware for whether the HOB is verified during the flash cycle or not.

Just an FYI! :cool:
 

Fausty

Member
Aug 31, 2009
43
1
Sydney, AUS
Edited. Never mind, just saw you needed it before unlock as well. I've got my PDS folder from my unlocked phone if you need it (not sure).

Top Liked Posts

@cellzealot:

Checked out RadioComm already, but none of the commands work for Atrix. Have you tried it? Perhaps you have a more updated version?
Yeah, I've noticed that too. The lock is probably stuffed away in NVRAM somewhere. I'll look into dumping that and seeing what I can see.

@zen kun:
Well, since /pds doesn't change with the unlock, no :( Have to look elsewhere!