I’ve been hard at work on the Atrix 4G the last few days, and the first round of hacks is ready to be published. These two hacks allow you to permanently change the Wi-Fi and Bluetooth MAC (Media Access Control) addresses. There has also been some progress in flashing the device, bypassing the locked bootloader.
The MAC address is the hardware identifier of a network interface (your phone has one for Wi-Fi and a separate one for Bluetooth). When your device joins a Wi-Fi network or pairs over Bluetooth, the MAC address is what the access point or the remote device uses to recognise it; networks that filter on it are, in effect, treating it as a credential. The factory address is burned into the device and is designed to be unique to each interface on earth (unlike the device's Bluetooth name or IP address, which can be changed), but it is sent in the clear on every frame and, as these hacks show, it is only a pair of files that a rooted phone can rewrite.
Why would you want to change your MAC address? Some Wi-Fi networks (particularly corporate or academic networks) are set up with MAC filtering. This means there is a whitelist of allowed MAC addresses, and the network will not allow access to any device not on the whitelist. These same networks also tend to have strict restrictions on what types of devices are allowed access, so you may not be able to get the network administrator to allow your smartphone on the network.
Following the steps below will allow you to permanently change your MAC (permanently meaning it will stick through a reboot/power off, but can be changed back at any time using the same method). Required programs are adb (or Root Explorer), a text editor (I used Notepad++) and a hex editor (I used Hex Workshop).
1.) Root your Atrix 4G (using aRoot or manually; SuperOneClick is not recommended at this time because it installs busybox, which the Atrix already includes in its stock ROM, and this has the potential to cause conflicts).
2.) Make sure your SD card USB storage is not currently mounted on the PC (so that the device can see the files inside its /sdcard-ext folder), and make a backup of all files in the /pds folder. You can accomplish this through adb shell with the following command: “tar zcvpf /sdcard-ext/pds-backup.tar.gz /pds/” – this will create a new file named “pds-backup.tar.gz” on your SD card. You can also use Root Explorer or a similar app to make the backup. Keep this archive somewhere safe: if anything goes wrong, “tar zxvpf /sdcard-ext/pds-backup.tar.gz -C /” (as root) puts the original files back.
3.) Copy the following files to your PC using adb or Root Explorer: /pds/bt/bt_bdaddr and /pds/wifi/wlan_mac.bin – using adb the commands would be “adb pull /pds/bt/bt_bdaddr C:\bt_bdaddr” and “adb pull /pds/wifi/wlan_mac.bin C:\wlan_mac.bin”
4.) Open bt_bdaddr in the text editor. You will see something similar to the following: “40:FC:89:DD:EE:FF” – this is your Bluetooth MAC address. Simply change it in the text editor and save. (There must be exactly 6 pairs of hex values, separated by colons; each pair can be anything from 00 to FF. Two caveats on the first pair: its lowest bit must be 0, i.e. the first pair must be even, otherwise the address is a multicast address and not a valid station address; and addresses with the 0x02 bit set in that pair, e.g. 02:xx:xx:xx:xx:xx, are marked as “locally administered”, which is the conventional way to signal that an address is not the factory-assigned one.)
5.) Open wlan_mac.bin in the hex editor. Rather than being stored in plain text like the Bluetooth MAC, this MAC is stored as raw bytes, with no separators. You should see something like “40 FC 89 FF DD EE” – once again simply change these values to your desired MAC address and save. Make sure the hex editor is in overwrite mode, not insert mode: the file must stay exactly the same length, and typing new values must replace the existing six bytes rather than shift them.
6.) Now push the modified files to your SD card. In adb the commands would be “adb push C:\bt_bdaddr /sdcard-ext/bt_bdaddr” and “adb push C:\wlan_mac.bin /sdcard-ext/wlan_mac.bin” – again, make sure your SD card is unmounted in Windows or the files will not push properly over adb.
7.) Using adb shell or Root Explorer, copy the files back into their original spot in /pds, overwriting the existing versions: “adb shell”, “su” (accept the Superuser prompt on the device), “cp /sdcard-ext/bt_bdaddr /pds/bt/bt_bdaddr”, “cp /sdcard-ext/wlan_mac.bin /pds/wifi/wlan_mac.bin”. Note that the destination must be the same file name you pulled in step 3 (/pds/bt/bt_bdaddr, not a new file), or the Bluetooth stack will keep reading the old one. Before rebooting, “cat /pds/bt/bt_bdaddr” should print your new address.
8.) Reboot the device, enjoy your new MAC addresses.
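Steps 4 and 5 are the part people get wrong (a missing pair, an odd first octet, a hex editor left in insert mode). The following script, an added example and not part of the original post, does the two edits on files already pulled with adb in step 3 and refuses inputs that would produce a broken address. It assumes the layouts shown above: bt_bdaddr is ASCII text in colon form (an optional trailing newline is preserved), and wlan_mac.bin holds the address as its first six raw bytes, so only those six bytes are overwritten and the file length never changes. The locally-administered bit is set by default; pass force_local=False to rewrite_both to keep the address exactly as typed.

```python
"""Rewrite the Atrix 4G MAC files from steps 4 and 5 offline on a PC.

bt_bdaddr    : ASCII text, "40:FC:89:DD:EE:FF" (six colon-separated hex pairs)
wlan_mac.bin : raw bytes, address in the first six bytes (assumption, see above)
"""
import re
import sys

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_mac(text):
    """Parse 'AA:BB:CC:DD:EE:FF' into 6 bytes; reject anything else."""
    parts = text.strip().split(":")
    if len(parts) != 6 or not all(HEX_PAIR.fullmatch(p) for p in parts):
        raise ValueError("MAC must be six colon-separated hex pairs, got %r" % text)
    return bytes(int(p, 16) for p in parts)


def format_mac(mac):
    """Render 6 bytes in the uppercase colon form the stock bt_bdaddr uses."""
    return ":".join("%02X" % b for b in mac)


def check_unicast(mac):
    """Bit 0 of the first octet is the multicast (I/G) bit. A station address
    must have it clear, so the first pair must be even."""
    if mac[0] & 0x01:
        raise ValueError("first octet %02X has the multicast bit set" % mac[0])


def make_locally_administered(mac):
    """Set bit 1 of the first octet (U/L bit): marks the address as locally
    administered instead of claiming a vendor-assigned OUI."""
    return bytes([mac[0] | 0x02]) + mac[1:]


def rewrite_bt_bdaddr(old_contents, new_mac):
    """New bt_bdaddr contents: same layout as the old file (including any
    trailing newline), only the address swapped."""
    text = old_contents.decode("ascii")
    parse_mac(text)  # confirm the file really holds a colon-form address
    trailer = text[len(text.rstrip()):]
    return (format_mac(new_mac) + trailer).encode("ascii")


def rewrite_wlan_mac_bin(old_contents, new_mac):
    """New wlan_mac.bin contents: overwrite the first six bytes in place.
    The length must not change, which is exactly what an insert-mode hex
    editor gets wrong."""
    if len(old_contents) < 6:
        raise ValueError("wlan_mac.bin is only %d bytes" % len(old_contents))
    return new_mac + old_contents[6:]


def rewrite_both(bt_old, wlan_old, new_mac_text, force_local=True):
    """Apply one new address to both files, validated once."""
    mac = parse_mac(new_mac_text)
    if force_local:
        mac = make_locally_administered(mac)
    check_unicast(mac)
    return rewrite_bt_bdaddr(bt_old, mac), rewrite_wlan_mac_bin(wlan_old, mac)


# Constructed sample inputs, shaped like the files shown in steps 4 and 5.
SAMPLE_BT = b"40:FC:89:DD:EE:FF\n"
SAMPLE_WLAN = bytes.fromhex("40FC89FFDDEE")


def demo():
    """Run the rewrite on the constructed samples; returns (bt, wlan) bytes."""
    return rewrite_both(SAMPLE_BT, SAMPLE_WLAN, "00:11:22:33:44:55")


if __name__ == "__main__":
    # usage: mac_rewrite.py C:\bt_bdaddr C:\wlan_mac.bin AA:BB:CC:DD:EE:FF
    # Writes <file>.new next to each input; push those in step 6.
    if len(sys.argv) != 4:
        sys.exit("usage: %s bt_bdaddr wlan_mac.bin NEW:MAC:AD:DR:ES:S0" % sys.argv[0])
    bt_path, wlan_path, new_text = sys.argv[1:]
    with open(bt_path, "rb") as f:
        bt_old = f.read()
    with open(wlan_path, "rb") as f:
        wlan_old = f.read()
    bt_new, wlan_new = rewrite_both(bt_old, wlan_old, new_text)
    with open(bt_path + ".new", "wb") as f:
        f.write(bt_new)
    with open(wlan_path + ".new", "wb") as f:
        f.write(wlan_new)
    print("wrote", bt_path + ".new", "and", wlan_path + ".new", "with", format_mac(parse_mac(bt_new.decode())))
```

With the samples above, demo() turns 00:11:22:33:44:55 into 02:11:22:33:44:55 (locally-administered bit set) in both files; asking for an address such as 01:11:22:33:44:55 is refused because the first pair is odd.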
I am also working on a hack to bypass the bootloader security. So far we have successfully managed to flash new data to the device and bypass the signature checks. However, the device has not yet successfully booted from the new, modified kernel I designed, so it is still a work in progress. Keep your eyes open for more hacks to come soon.
Thanks: Everyone on #xda-devs on irc.freenode.net for testing; since I don’t yet have a device, everything was done remotely.