Unpublished WPA key algorithms

gpuhash_me

Active member
Trusted
Contributor
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
4,555
Reaction score
275
Credits
635
We starting this thread to bring to public domain some exclusive unpublished default WPA key algorithms that we use in our every day work.
Unpublished means you can't find it anywhere on the Web so (we hope) Hashkiller forum now will be its origin.

Lets start with TTNET_ZyXEL_XXXX default WPA key algorithm.
These Turkish ZyXEL routers have very strong default WPA key of 13 mixedcase hex digits uncrackable with ordinary bruteforcing.
Knowing the algo becomes possible to calculate default password from the router serial number.
Unfortunately router S/N not always known but search keyspace could be dramatically reduced to ~10^9 and even smaller size.

PoC with some test vectors attached below. The code is not optimal in any way and sometimes can contain (surprise!) MIPS disassembly written in python.
 

cryptonite

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
90
Reaction score
7
Credits
0
First, thank you for publishing this algorithm :)

Not sure I am ever likely to encounter a router like this, but still very interesting
cryptographically to see some example of convoluted code used to generate passphrases

But I am initially puzzled by the junk array

The perl seems to use it three characters at a time using an index from the emulated
MIPS assembler part

The junk array is 795 characters long, but arranged in lines of 61 for some reason?
Seems like a line length a multiple of 3 would make more sense?

I see i0 is effectively var_1a4 multiplied by 3 with line:
i0 = (var_1a4 << 1) + var_1a4

Anyway, the var_1a4 effectively has a range of 795/3 = 265 (0-264)
I would maybe have expected something more a power of 2 here?

Is there some reason why that MIPS bit is constrained to generate var_1a4 of only 0-264?
I have not unpicked it enough yet to see why this could be.
 

gpuhash_me

Active member
Trusted
Contributor
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
4,555
Reaction score
275
Credits
635
cryptonite said:
The junk array is 795 characters long, but arranged in lines of 61 for some reason?
Seems like a line length a multiple of 3 would make more sense?

I see i0 is effectively var_1a4 multiplied by 3 with line:
i0 = (var_1a4 << 1) + var_1a4

Anyway, the var_1a4 effectively has a range of 795/3 = 265 (0-264)
I would maybe have expected something more a power of 2 here?

Is there some reason why that MIPS bit is constrained to generate var_1a4 of only 0-264?
I have not unpicked it enough yet to see why this could be.

Stage 2 is tricky part (probably some floating point math) so we just emulated MIPS asm here and it works. The junk array was simple copied from firmware dump.
Its arranging means nothing it is 1-dimensional array so it arranged in lines just to better fit screen.

We warned the code is not optimal in any way (but it works) and we leave its optimization as exercise for the reader :)
 

cryptonite

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
90
Reaction score
7
Credits
0
gpuhash_me said:
Stage 2 is tricky part (probably some floating point math) so we just emulated MIPS asm here and it works. The junk array was simple copied from firmware dump.
Its arranging means nothing it is 1-dimensional array so it arranged in lines just to better fit screen.

We warned the code is not optimal in any way (but it works) and we leave its optimization as exercise for the reader :)

OK, so there is more reverse engineering to be done here to understand better
the original design intent

The junk length of 265 * 3 instead of something like 256 * 3 is very curious, but those
extra 27 characters do not seem spurious and look to fit into the tri-graph pattern
as 9 additional three character groups?

I like a good puzzle :)
 

cryptonite

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
90
Reaction score
7
Credits
0
I started off thinking I would unpick the stage 2 MIPS part, but then got
sidetracked trying to figure out how they set up the input of var_1a0 to stage 2.

Whoever designed this algorithm deserves some kind of award for the most
obfuscated approach imaginable :\:

It starts of pretty easy by taking the md5 of the serial number

md5("S150Y13068675") = f49ab8d6ce27819152c99e926d1f1372

But then there is a twist where every character at an even offset in the md5
hash is made uppercase (does not affect digits in those positions, obviously)

So the hash ends up looking like this
F49aB8D6Ce27819152C99e926d1f1372

Note the f at offset 0 is now F, but the a at offset 3 is unchanged and so on.
Only even offsets are made uppercase. Odd offsets are left alone.

Finally, the numerical ascii values for all those characters in the modified
hash are summed together to get 0x7d6 or 2006 in decimal

This is the value that ends up in var_1a0 at the input of stage 2 for this
particular serial number :)
 

cryptonite

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
90
Reaction score
7
Credits
0
What is also interesting is that they do the same case shifting trick right at
the end of the algorithm

The final md5 hash for the algorithm is 52aec8568b91e1dcbca5142e95fd31f5
This becomes 52AeC8568b91E1DcBcA5142e95Fd31F5, following the case shifting
rule described earlier

Then the actual PSK is taken out at offset 13 with length 13 to give 1DcBcA5142e95

Because of that odd offset of 13 the case shifting moves so that now even offsets
in the PSK are made uppercase and odd offsets are left alone.

However, this completely negates the upper/lower hex case aspect, because it
is entirely predictable.

For a brute force search, you would be looking for [0-9a-f] at even offsets in the PSK
and [0-9A-F] at odd offsets in the PSK.

Still a 16^13 as a brute force search, which means you still need to know the algorithm
to crack it, but the fact that there are upper and lower case hex characters in the PSK
adds nothing to the complexity.
 

cryptonite

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
90
Reaction score
7
Credits
0
Sorry for highjacking this thread with my thoughts on this algorithm

Got some bad news through another board that purelogic has left here now
So I must leave also
 

mackinson

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
652
Reaction score
2
Credits
0
Sad to hear both purelogic and cryptonite are now gone from the board.

Both were the most interesting posters on here for me, so I think I am done here as well

I was going to leave them both some final farewell rep, but even the rep comments
have been disabled now :(
 

mackinson

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
652
Reaction score
2
Credits
0
Shit! I thought if I threatened to flounce off like user, something
would get changed for the better :)

I see now that strategy only works for the chosen few
Just being silently ignored is the best I can manage :D

Still not happy about the reputation comment change
How the hell are we going to do sneaky PMs on here any more? ;)
 

Felis-Sapiens

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
757
Reaction score
3
Credits
5
gpuhash_me said:
Stage 2 is tricky part (probably some floating point math) so we just emulated MIPS asm here and it works.
It's just a division (integer).

I also found this algorithm some time ago.
 

soxrok2212

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
2,632
Reaction score
71
Credits
454
Release that and perhaps I would share my HOME-XXXX + HOME-XXXX-2.4/5 + XFSETUP-XXXX dictionary :)
 

dark0

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
310
Reaction score
8
Credits
264
soxrok2212 said:
Hey gpuhash, what about your Videotron algorithm? :D

Find me 2 Videtron-XXXX with keys and the first digits of their mac need to be the same XX:XX:XX:XX:XX:XX
And if is posible the S/N
and i will publish the algorithm
 

soxrok2212

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
2,632
Reaction score
71
Credits
454
SSID: VIDEOTRON9364
WAN MAC: 04:BF:6D:5A:2D:CB
Serial: S160A13009364
Password: 4AXCF9CAT7XV3

SSID: VIDEOTRON3104
WAN MAC: 04:BF:6D:5D:2D:3B
Serial: S160A24003104
Password: UNXPKKXRA7HTU

SSID: VIDEOTRON8694
WAN MAC: 04:BF:6D:5D:84:93
Serial: S160A24008694
Password: K3TMPK7943UWY

SSID: VIDEOTRON1586
WAN MAC: 04:BF:6D:5C:77:DB
Serial: S160A22001586
Password: UUTUV43THA943
 

JJ78

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
32
Reaction score
1
Credits
0
SSID: AT-68C5
MAC: 30:74:96:DC:68:C5
Serial: J3N8W17327003052
Password: 5C5FWAEU29


SSID: AT-364F
MAC: 54:25:EA:FD:36:4F
Serial: J3N8W17502003495
Password: YP3ETF2EVS


MODEL: HUAWEI HG659
 
Top