Korek might work assuming it is not an AP defense mechanism that replies with packets that fudge statistical analysis. Also speeds with 500k ivs get too low (memory is a limiting factor, maybe .ivs instead of .cap would help, not sure if cap isn't required for korek though) limiting real-world scenarios. Try my approach (50k in few tries) with 68 or 86 byte length of packets, I had few WEP resistant routers so far vs 50+ that fell eventually (also one that was very weird had MAC on WEP and MAC+1 described previously on WPA, I really think this is some kind of firmware defense making injection harder)