Ah interesting. Well theres really 3 things on my mind right now.
1: Have t6_x's Reaver print PKE, PKR all that **** with -vvv (as well as sending M1, M2, etc). I've already contacted him about that, hopefully we will see it soon
2: Get someone who knows C (or who can modify MDK3) and try to probe an AP with invalid SSID characters to try to reset/reboot the AP.
3: Figure out how to forge a packet that could possibly open up an opportunity for one (or more) of the 3 things I listed earlier on APs configured with WPA+TKIP or WPA+WPA2 TKIP+CCMP
Thats basically my agenda... if anyone wants to assist me that would be great