As always, you, and solely you, are responsible for what you do to your hardware, and how you use your hardware. The information provided on this page is strictly for educational purposes. Some things described here may be illegal in certain regions. You may damage your hardware if you don't follow the instructions exactly. Use at your own risk.
This will be described here later; until then, go to Lincomatic's site and download Alchemy. With your card in the computer and Windows running, run Alchemy, select the card from the list, and follow the instructions it gives you. After it has finished, you still need to flash the firmware so that the new PDA values are plugged back into the firmware, just as with the manual DOS hack.
This is the OLD Manual Method - Do NOT use this method. For information only
ORiNOCO cards at first do not seem very similar to PRISM-based cards, but at the firmware-structure level they are quite alike. Both have an area in NVRAM called the PDA, or Production Data Area, which holds PDRs, or Production Data Records. PDRs hold key information about each wireless card, such as the MAC address, serial number, available channels, manufacturer ID and so on. By changing the values of the right PDRs, one can change the MAC address, serial number, available channels, or encryption settings. The changed PDRs do not take effect immediately, though: the PDR values are plugged into the firmware as it is being written to the card's flash memory, so nothing changes until you reflash. The same hacks can be applied by editing the firmware image directly and then flashing it, but then every new firmware release would have to be edited again. Changing the PDRs permanently changes the card's attributes, because the PDR values are plugged into any firmware flashed onto the card afterwards, so the card only needs to be 'hacked' once. Now, on to the fun stuff...
There are a few things you should have handy before you begin:
*If you have trouble reading or writing back the PDA, try a different PC with a different PCMCIA controller in it.
That's it, your card should be upgraded with higher encryption, extra channels, or both depending on which PDR(s) you changed.
This procedure also applies to PRISM-based cards to get the extended channels; just don't change the "6 109" line.
It may also be possible to increase the TX power with a PDR. I'm currently looking into this and will update this page when I know more.
Thank you to "steve!" on the seattle wireless development mailing list who inspired me to look into this more.
This is directly based on this Avaya hack by Rusty Chiles. The main difference between his instructions and these is the use of two different versions of flash.exe to extract and write back the firmware. It is also based on this e-mail by Wilfried Klaebe to the hostap mailing list describing changing the firmware directly (rather than the PDA) to get all the channels. I don't get where F3FF comes from (as opposed to 3FFF) - must be a big/little endian thing. I never did try F3FF - it might work as well.
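As an added illustration of the PDA/PDR structure described above and of the 3FFF channel mask (this is not code from this page, from Alchemy, or from the flash.exe procedure), here is a small C program that walks a binary PDA image, finds the allowed-channel PDR, decodes its bitmask into a channel list, and rewrites the mask to 3FFF so all 14 channels are allowed. The record layout it assumes (a 16-bit little-endian length counted in words and including the code word, then a 16-bit code, then the data; a code of 0 ends the PDA) is the way the hostap prism2_srec tool reads a PDA; the PDR codes 0x0101 (MAC address) and 0x0104 (allowed channels) and the one-bit-per-channel reading of the mask are assumptions for illustration. The text dump that flash.exe produces (the "6 109" lines) is a different representation that is not shown on this page, and the sample PDA bytes here are constructed.

```c
/* Added example: walk a Prism/ORiNOCO-style PDA image and patch the
 * allowed-channel PDR. Not code from the original page.
 * Assumed record layout (hostap prism2_srec reading of the PDA):
 *   <len: u16 LE, words incl. the code word> <code: u16 LE> <(len-1)*2 data bytes>
 *   a code of 0x0000 terminates the PDA.
 * PDR codes and the bit-per-channel mask layout are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define PDR_END_OF_PDA      0x0000
#define PDR_MAC_ADDRESS     0x0101  /* assumed code */
#define PDR_ALLOWED_CHANNEL 0x0104  /* assumed code */
#define ALL_14_CHANNELS     0x3fff  /* the mask the page's hack writes */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* Locate a PDR by code. Returns the offset of its data bytes and sets
 * *datalen, or -1 if it is absent, the PDA is truncated, or a zero-length
 * record would make the walk loop forever. */
static long find_pdr(const uint8_t *pda, size_t size, uint16_t code, size_t *datalen)
{
    size_t pos = 0;
    while (pos + 4 <= size) {
        uint16_t len = rd16(pda + pos);
        uint16_t c = rd16(pda + pos + 2);
        if (len == 0)
            return -1;                       /* malformed record */
        size_t dlen = (size_t)(len - 1) * 2;
        if (pos + 4 + dlen > size)
            return -1;                       /* record runs past the image */
        if (c == code) {
            *datalen = dlen;
            return (long)(pos + 4);
        }
        if (c == PDR_END_OF_PDA)
            return -1;                       /* reached the terminator */
        pos += 2 + (size_t)len * 2;
    }
    return -1;
}

/* Decode a channel mask (assumed: bit n-1 set means channel n is allowed).
 * Returns the number of channels written to out[]. */
static int mask_to_channels(uint16_t mask, int *out, int max)
{
    int n = 0;
    for (int ch = 1; ch <= 14 && n < max; ch++)
        if (mask & (1u << (ch - 1)))
            out[n++] = ch;
    return n;
}

/* Current allowed-channel mask, or 0 if the PDR is missing or too short. */
uint16_t pda_get_channel_mask(const uint8_t *pda, size_t size)
{
    size_t dlen;
    long off = find_pdr(pda, size, PDR_ALLOWED_CHANNEL, &dlen);
    if (off < 0 || dlen < 2)
        return 0;
    return rd16(pda + off);
}

/* Overwrite the allowed-channel mask in place. Returns 0 on success. */
int pda_set_channel_mask(uint8_t *pda, size_t size, uint16_t mask)
{
    size_t dlen;
    long off = find_pdr(pda, size, PDR_ALLOWED_CHANNEL, &dlen);
    if (off < 0 || dlen < 2)
        return -1;
    wr16(pda + off, mask);
    return 0;
}

/* Constructed sample PDA: a MAC-address record, an allowed-channel record
 * limited to channels 1-11 (mask 0x07ff), and the end-of-PDA record. */
uint8_t sample_pda[] = {
    0x04, 0x00, 0x01, 0x01, 0x00, 0x02, 0x2d, 0xaa, 0xbb, 0xcc, /* len 4, MAC */
    0x02, 0x00, 0x04, 0x01, 0xff, 0x07,                         /* len 2, mask 0x07ff */
    0x02, 0x00, 0x00, 0x00, 0xff, 0xff,                         /* len 2, end of PDA */
};

static void print_channels(const char *label, uint16_t mask)
{
    int ch[14];
    int n = mask_to_channels(mask, ch, 14);
    printf("%s mask 0x%04x:", label, mask);
    for (int i = 0; i < n; i++)
        printf(" %d", ch[i]);
    printf("\n");
}

int main(void)
{
    print_channels("before", pda_get_channel_mask(sample_pda, sizeof sample_pda));
    if (pda_set_channel_mask(sample_pda, sizeof sample_pda, ALL_14_CHANNELS) != 0)
        return 1;
    print_channels("after ", pda_get_channel_mask(sample_pda, sizeof sample_pda));
    return 0;
}
```

The walker refuses zero-length and truncated records rather than trusting the length field, which matters when the PDA was read back through a flaky PCMCIA controller. Note that a 16-bit word such as 3FFF is stored little-endian as the byte pair FF 3F, so a byte-oriented hex dump of the firmware or PDA shows the digits in a different order than the word value; as on the page, the patched PDA only changes the card once the firmware is flashed again.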
As always, if you have questions or problems, feel free to contact me at andrew_dot_hakman_at_gmail_dot_com