router wifi MAC randomization

DD-WRT Forum Index -> Advanced Networking
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1472
Location: Appalachian mountains, USA

PostPosted: Tue May 28, 2024 18:27    Post subject: router wifi MAC randomization
Last week a couple of articles

https://www.theregister.com/2024/05/23/apple_wifi_positioning_system/
https://krebsonsecurity.com/2024/05/why-your-wi-fi-router-doubles-as-an-apple-airtag/

caught my eye on the gathering of MAC addresses of wifi access points by phones to create wifi-based location systems and the sale and privacy abuse of that MAC data to benefit the advertising industry. Re what companies now hold how much of that data, scroll down to "Public Wi-Fi location databases" in this Wikipedia page:

https://en.m.wikipedia.org/wiki/Wi-Fi_positioning_system

The articles mention that standards bodies are considering MAC randomization in wifi access points to combat this abuse and that some industry players, in particular Elon Musk's Starlink, are going ahead with MAC randomization in their routers.

It occurred to me that it might not be too hard to randomize at reboot the MACs associated with dd-wrt's various wifi networks, including VAPs, by setting appropriate nvram variables in Shutdown code. I reboot daily, so it looked like a win to me.

Assuming you use ssh to access the dd-wrt CLI, you can see all your SSIDs in one place with the first line here and all the corresponding MACs in the second line:
Code:
nvram show 2>/dev/null | grep -E '^wlan[.0-9]+_ssid'
nvram show 2>/dev/null | grep -E '^wlan[.0-9]+_hwaddr'

(My routers all broadcast multiple SSIDs, as many as six.) And here next is what I now include in Shutdown code to randomize my MACs daily. You can create/edit that code in GUI>Administration>Commands by mouse copying into the Commands window to edit and then saving with the Save Shutdown button. You can also see the shutdown code (or even replace it if you are on top of your dd-wrt game) in nvram variable rc_shutdown. (But see a small tweak to the code a few messages down from here that will be important if you are configured to use station/client mode to provide WAN from one of your wifi interfaces.)
Code:
#give wifi interfaces random unique MACs at the next reboot
  #random "locally administered" unicast MAC: the 2nd hex digit is one of 2,6,A,E
  randMAC(){ {
    tr -dc '0-9A-F' | head -c1
    tr -dc '26AE' | head -c1
    hexdump -n5 -e '5/1 ":%02X"'
  } </dev/urandom; }
  #loop over every wifi interface, VAPs included
  for IF in $(iplink -o show | awk -F: '$2 ~ / wlan[.0-9]+/ {print $2}'); do
    #draw MACs until one is not already used by any *_hwaddr nvram variable
    #(-i so a lowercase entry in nvram still counts as a collision)
    while newMAC=$(randMAC)
     nvram show 2>/dev/null | sed -nE 's/^[^ =]+_hwaddr=(.*)/\1/p' \
     | grep -qi "^$newMAC"; do
      continue   #the condition above does all the work
    done
    nvram set "${IF}_hwaddr=$newMAC"
  done
  nvram commit
(The BBCode display seems to mangle indenting, but it should copy/paste correctly.)

The randMAC function produces a random "locally administered" unicast MAC, with those two properties coming from the restricted 2nd hex digit. (And thank you @MLandi for the hexdump idea in an old post!) The "for" loops over all the wifi interfaces, including VAPs. The while loop repeatedly uses randMAC to create a MAC and check it (a bit inefficiently, but who cares at shutdown?) against all the MACs already in dd-wrt to make sure we are not accidentally reusing one. This while loop will likely go through its code just once, as the likelihood of accidental MAC reuse is vanishingly small. If you prefer to scoff at tiny probabilities, replace the whole while... done loop with just newMAC=$(randMAC) in the interests of simple code.

THIS MAY NOT WORK ON ALL ROUTERS OR BUILDS!!! It seems to work fine on my Netgear XR500 running build 55630 (k6.1). I won't be trying it on any k4.9 builds, but I do expect to try it on a couple of Linksys/Marvell routers soon. In any case, test carefully yourself.

Before messing with this, make sure you have a record of the original MACs. Then try this code initially in the CLI, without installing it as Shutdown code and without the nvram commit at the end. (I believe the system will do its own commit when you reboot anyway.) Check and see whether the MACs got changed appropriately. If they did, do the nvram commit, reboot to get changes to happen to what's actually broadcast, then use some utility in a computer or phone to see whether the new MACs are being broadcast. I use the WiFi Scan function in the AirPort Utility app on an iPhone.

Ideally only readers comfortable with shell scripting and CLI use will have a go at this. I do NOT recommend approaching this as a plug-n-play exercise! If you are asking "What's a CLI?" or are confused about where spaces go or what nvram is, etc, best to stay away for now. Treat this as one more bit of motivation for the grand learning-curve climb.

_________________
Dynalink DL-WRX36 on 57200, 2x Netgear XR500 and 4x Linksys WRT1900ACSv2 on 55630: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.


Last edited by SurprisedItWorks on Wed May 29, 2024 21:02; edited 2 times in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6526
Location: UK, London, just across the river..

PostPosted: Wed May 29, 2024 11:39    Post subject:
Excellent read and effort, SurprisedItWorks..
Just to presume, this scenario is when you use your router to
connect to a Wi-Fi spot in client mode...kind of...


Back in the day I used to randomise my WAN MAC, for a reason...I didn't want my ISP to know my WAN MAC...

Save to startup:
echo $(tr -dc A-F0-9 < /dev/urandom | head -c 10 | sed -r 's/(..)/\1:/g;s/:$//;s/^/02:/')

Not sure if it is working and I cannot check it as I'm away for 2 weeks.

Also I wonder, as MACs are hardcoded into a different partition, then passed to the nvram, this change shouldn't pose any danger anyway...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 56941 WAP
TP-Link WR1043NDv2 -DD-WRT 56941 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 57515 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 57525 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 57515 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1472
Location: Appalachian mountains, USA

PostPosted: Wed May 29, 2024 18:54    Post subject:
Alozaros wrote:
Excellent read and effort, SurprisedItWorks..

Hi Alozaros, and thanks for the good vibes.
Quote:

Just to presume, this scenario is when you use your router to
connect to a Wi-Fi spot in client mode...kind of...

Actually no, though that's a good idea also. I'll have to experiment on my travel router! My little exercise above is just about keeping my wifi SSID/MAC combinations from being used to build up a precise location for my router in a database that will be sold.
Quote:
Back in the day I used to randomise my WAN MAC, for a reason...I didn't want my ISP to know my WAN MAC...

Save to startup:
echo $(tr -dc A-F0-9 < /dev/urandom | head -c 10 | sed -r 's/(..)/\1:/g;s/:$//;s/^/02:/')

Not sure if it is working and I cannot check it as I'm away for 2 weeks.

Your tr.. | head.. | sed.. command looks good and tests fine here. But re using it to do something like
Code:

nvram set foobar_hwaddr=$(tr -dc A-F0-9 < /dev/urandom | head -c 10 | sed -r 's/(..)/\1:/g;s/:$//;s/^/02:/')

to set some nvram variable to a random MAC, I wonder whether Startup code runs soon enough to do the job. Just try it I guess. You might have to move it to Shutdown, where the new MAC will be available in even the first stages of the subsequent boot.
Quote:

Also I wonder, as MACs are hardcoded into a different partition, then passed to the nvram, this change shouldn't pose any danger anyway...

I wondered about something like that. But on my XR500, my code did change the transmitted MACs, so perhaps the hardcoded MACs are defaults if you never explicitly set the nvram vars? Guessing here. In any case, this is why I caution readers to test carefully on their own routers. The many router types may not all do it the same way.

I'm waiting for my CS-educated daughter to try it on her Linksys WRT1900ACSv2 and get back to me. That will probably be this weekend, as she's busy during the week teaching algebra to high-school kids.

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1472
Location: Appalachian mountains, USA

PostPosted: Wed May 29, 2024 21:26    Post subject:
Update re experiments on the Linksys WRT1900ACSv2: worked fine as long as I avoided the station-mode issue (next).

Update using station (client) mode to provide WAN over wifi through another router: If your router is configured for this (if command get_wanface in the CLI returns the name of a wifi interface, you are using station mode, which used to be called client mode), you'll need to replace the
Code:
for IF in $(iplink -o show | awk -F: '$2 ~ / wlan[.0-9]+/ {print $2}'); do

line in the script with this modified version:
Code:
for IF in $(iplink -o show | awk -F: '$2 ~ / wlan[.0-9]+/ {print $2}' \
            | sed "s/^ //;/^$(get_wanface)\$/d"); do

Piping the interface list through the little sed script deletes the WAN interface if it's in the list, thus preventing the code from messing with the MAC for whatever wifi interface is used in station mode for the WAN. Of course I experimented with changing the WAN wifi's MAC also. Did not end well. I discovered along the way that a restore to a saved backup does NOT (at least on the WRT1900ACSv2) restore all the MACs to their old values. It seemed to restore those of wlan0 and wlan1 but not those of the VAPs. This is why we saved the old MACs, and why you want to know your way around manipulating nvram variables to fix things that need fixing!

For thoroughness then, the whole code now looks like
Code:
#give wifi interfaces random unique MACs at the next reboot
  #random "locally administered" unicast MAC: the 2nd hex digit is one of 2,6,A,E
  randMAC(){ {
    tr -dc '0-9A-F' | head -c1
    tr -dc '26AE' | head -c1
    hexdump -n5 -e '5/1 ":%02X"'
  } </dev/urandom; }
  #loop over every wifi interface, VAPs included, minus the station-mode WAN face
  for IF in $(iplink -o show | awk -F: '$2 ~ / wlan[.0-9]+/ {print $2}' \
              | sed "s/^ //;/^$(get_wanface)\$/d"); do
    #draw MACs until one is not already used by any *_hwaddr nvram variable
    #(-i so a lowercase entry in nvram still counts as a collision)
    while newMAC=$(randMAC)
     nvram show 2>/dev/null | sed -nE 's/^[^ =]+_hwaddr=(.*)/\1/p' \
     | grep -qi "^$newMAC"; do
      continue   #the condition above does all the work
    done
    nvram set "${IF}_hwaddr=$newMAC"
  done
  nvram commit

and this code can be used whenever your wifi interfaces are all in either AP mode or station mode. If you have all your wifi interfaces in the usual AP mode, the sed script will have no effect. I have no idea what happens if you are going beyond AP and station modes and getting all creative with your config. I do not encourage experimenting with that, however. We do not want to create bricks!

saphirely
DD-WRT User


Joined: 13 Dec 2020
Posts: 287

PostPosted: Fri May 31, 2024 20:23    Post subject:
Linksys WRT1900ACS v1
DD-WRT v3.0-r56490 std (05/24/24)
Linux 6.1.91-rt28 #469 SMP Fri May 24 06:00:09 +07 2024 armv7l

Verified the SSID with the new MAC address, and it works stably after rebooting.
I also think it is better to change the SSID too, and always with "newSSID_nomap".
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1472
Location: Appalachian mountains, USA

PostPosted: Sat Jun 01, 2024 17:26    Post subject:
saphirely wrote:
Linksys WRT1900ACS v1
DD-WRT v3.0-r56490 std (05/24/24)
Linux 6.1.91-rt28 #469 SMP Fri May 24 06:00:09 +07 2024 armv7l

Verified the SSID with the new MAC address, and it works stably after rebooting.
I also think it is better to change the SSID too, and always with "newSSID_nomap".

Totally agree. I installed _nomap alternatives for all my SSIDs yesterday!

Working the phrase "no map" in naturally is nice if you can pull it off: "visit_London with_nomap" for example. Better to just seem eccentric than to send observers straight to google!

saphirely
DD-WRT User


Joined: 13 Dec 2020
Posts: 287

PostPosted: Sun Jun 02, 2024 2:28    Post subject:
How about letting the shell change the SSID daily, weekly or monthly?

Code:

myVar=$(date -R)
# SSID built from the 3rd character of the date string, upper-cased, plus _nomap
myVar_24="O0hlala"$(echo "$myVar" | cut -c3 | tr 'a-z' 'A-Z')"_nomap"
# IF is the interface name from the for loop in the Shutdown script above
nvram set "${IF}_ssid=$myVar_24"


I have verified.
Also the passcode can be redefined as different characters.

Perhaps on the front line in Ukraine... That will be a little safer.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1472
Location: Appalachian mountains, USA

PostPosted: Sun Jun 02, 2024 19:52    Post subject:
saphirely wrote:
How about letting the shell change the SSID daily, weekly or monthly?
.
.
.
I have verified.
Also the passcode can be redefined as different characters.

Perhaps on the front line in Ukraine... That will be a little safer.

It won't take effect and get broadcast until the wifi system is restarted. Worse: all your client devices would require your attention to select the new wifi and re-enter the password, even if that password is unchanged!
