Unpublished WPA key algorithms

[JustGuardian]

You probably need to link into the serial / UART port inside.

I saw someone in another forum saying that the UART displays only the output but does not accept any input. (Maybe because they tought it was more secure?)
Anyways, right now I am reading that there is an exploit named tch-exploit that enables the shell giving root access. I am confused because it requires to flash a "vulnerable" firmware... I'll inform you when I discover something new.

 

[JustGuardian]

UPDATE
I have possibly found the .rbi of the TIM version of this modem, the problem is that they are encrypted .rbi files, so the unpacking problem persists.

https://repository.ilpuntotecnico.com/files/NiCo/TG789vac.V2/TIM/

 

[derigor1992]

Hey, I tried to reconstruct the zcfgBeWlanGenDefaultKey() algorithm of the Zyxel NR7302. Unfortunately I have not been able to do it so far, maybe someone can help me.

Example:

S240Z18002943 -> ea4+CMJX?A

 

[derigor1992]

Hey, I tried to reconstruct the zcfgBeWlanGenDefaultKey() algorithm of the Zyxel NR7302. Unfortunately I have not been able to do it so far, maybe someone can help me.

Example:

S240Z18002943 -> ea4+CMJX?A

 

[JustGuardian]

A silly question. Where did you find this file that is not stripped and includes debug infos?

 

[JustGuardian]

A silly question. Where did you find this file that is not stripped and includes debug infos?

Also, can you link the whole firmware so we can view other files that could be needed for the decompilation?

 

[derigor1992]

A silly question. Where did you find this file that is not stripped and includes debug infos?

Sorry I forgot the link.... But that's exactly my point. I only have this firmware here:

http://fw-acs.telekom.de/tftpboot/BDTX5GNR7302WZ/100ACHA4b5_F0.bin

I unpacked it and tried to analyze it with ghidra.

 

[JustGuardian]

I was able to extract the firmware, but I was not able to find that file libzcfg_be.so, very strange. I tried decompiling with ghidra as well, but I get this strange functions:

 

[drsnooker]

Yeah this is a job for IDA, Ghidra seems to not like this particular code.
Google (or torrent search) IDA 7.6.210427 and you'll be able to find a working copy including all the add ons to download from the high-seas.

As I've look at over a 1000 of these, Zyxel includes in about 10% the debug info (non-stripped) so it's not that rare.
All that said it looks to me like this is just the generic place holder algorithm included in all the latest Zyxel firmware.
The main algorithm is the SBG3500 with an exception for case 2, which uses zykgen.
However, I'd love to be proven wrong, if somebody (@selenium)??? could bake this into an emulator and show it somehow spits out the correct password, it would greatly serve this community. And would give me something to do while I'm snowed in!

 

[JustGuardian]

Yeah this is a job for IDA, Ghidra seems to not like this particular code.
Google (or torrent search) IDA 7.6.210427 and you'll be able to find a working copy including all the add ons to download from the high-seas.

As I've look at over a 1000 of these, Zyxel includes in about 10% the debug info (non-stripped) so it's not that rare.
All that said it looks to me like this is just the generic place holder algorithm included in all the latest Zyxel firmware.
The main algorithm is the SBG3500 with an exception for case 2, which uses zykgen.
However, I'd love to be proven wrong, if somebody (@selenium)??? could bake this into an emulator and show it somehow spits out the correct password, it would greatly serve this community. And would give me something to do while I'm snowed in!

Oh ok thanks for this information, as I said before, i'm kinda new to the reverse engineering. Now I try messing around with ida.

 

[JustGuardian]

I got root access to my VMG8825-B50B WIND branded, could a full backup be useful? I discovered 2 partitions image and image_update, those are the same as rootfs and rootfs_update. If they can be usefull i can upload the files

 

[JustGuardian]

Here are the files, both are different from the libzcfg_be from the emulator...

 

[drsnooker]

Thanks for those. I swear I've seen these before! It looks the be an earlier implementation of the WINDtre algo. Before WIND3 started making the first char a number.
Have a look at mode 1 posted earlier to see how they work

Unpublished WPA key algorithms

Looks like param3 is length 16, so perhaps it's another MD5 hash for the first round. However, it is used iteratively. It's the password for the previous WIFI channel: 2nd channel uses param3=password_WIFI1. Not sure if we will determine the wind3 algo. The algo in the firmware is not the algo...

forum.hashkiller.io

 

[JustGuardian]

Thanks for those. I swear I've seen these before! It looks the be an earlier implementation of the WINDtre algo. Before WIND3 started making the first char a number.
Have a look at mode 1 posted earlier to see how they work

Unpublished WPA key algorithms

Looks like param3 is length 16, so perhaps it's another MD5 hash for the first round. However, it is used iteratively. It's the password for the previous WIFI channel: 2nd channel uses param3=password_WIFI1. Not sure if we will determine the wind3 algo. The algo in the firmware is not the algo...

forum.hashkiller.io

Okay, so this discovery turned out to be a dead end, but at least I learned a lot about the Zyxel modem. I will continue to look for something interesting. Thanks for the help, drsnooker!

 

[JustGuardian]

Btw I noticed that in your message you specify the VMG8828 but I have a VMG8825, so I assume they reused the same libraries?

 

[drsnooker]

The latest models all have the same libzcfg_be.so with the wrong algos in it. It's not surprising WIND3 models have the same overlap.
Yeah Zyxel shares a lot of libraries between models:

Default WPA Keyspace - Work in Progress -

This thread will remain locked while I add everything I can remember. I will update this as much as I can before opening it up for user contributions / modifications Archived discussion can be found here...

forum.hashkiller.io

 

[drsnooker]

Something completely different. Went back to my original white whale and looked again at the key=multiplier* integer, where the key encodes the password. So I thought why couldn't the key be the password, like in Zyxel speedlink 5501 and Fritz!boxes. So I just grabbed a couple keys from ebay and ran it through the scanner.

found keys : 4
looking for multiplier that matches : 3
with an integer precision of : 0.0005
key step size : 1
6370189823275381
8141780422681928
9941119651006220
8918716115520155
663878202 -  3 -  1 - 9595419.4671320
929476418 -  3 -  4 - 9595419.4671350
931804637 -  3 -  1 - 6836400.6470118
1036027626 -  3 -  3 - 9595419.4671313
1190945476 -  3 -  2 - 6836400.6470116
1304592369 -  3 -  4 - 6836400.6470133
1454145268 -  3 -  3 - 6836400.6470131
1711498250 -  3 -  2 - 4757107.0684308
1803222088 -  3 -  4 - 4945988.7247788
1874819294 -  3 -  4 - 4757107.0684320
2009935769 -  3 -  3 - 4945988.7247801
2089740573 -  3 -  3 - 4757107.0684314

Do you guys see that 6836400.647013 ? Looks pretty good right? Nails all four given passwords to an integer. But *sad trombone* doesn't work if I try it for a 5th key. Again a case of too many monkeys. Really need at least 8 matching decimal places for it to work properly. Fritz! does even worse.
Oh well, worth a shot. Now playing with some linear congruential RNGs as that found in the Zyxel PK5000Z, and a different one in TP-link

WPA2 Key Generation Vulnerability: TP-Link

Not really convinced it's not just doing a hash-digest % 10 for Fritz and speedlink, but worth a try. Might try some brute force encoding of the mac and see if that goes anywhere. Pretty much shooting in the dark though.

 

[drsnooker]

I decided to pull all the firmware from http://ftp.ufanet.ru/pub/firmware/ and binwalk it. Nothing interesting in zyxel, d-link, TP-link or anywhere else really. However, the Rotek RX-22101 V1.22 has an interesting file in /bin/flash, it contains what looks like the keygen of actually multiple Rotek routers. A quick look at WPA-sec database shows quite a few uncracked ESSIDs that start with RT-WIFI and WIFI-Dom.ru
The algorithm looks to be super easy, barely an inconvenience, if only you know the inputs. Hopefully, it's just the mac, or we're looking at another rather large rainbow table....

 

[drsnooker]

After digging a little deeper into the Rotek keygen, it uses a 6 byte input, that comes from the HW_System_num, rather than the serial number. Although they could be the same, they probably are not.
If somebody can get their hands on /dev/mtdblock0 from a physical router, we might be able to figure out if the system number and the serial number+mac are related. Until then, I think it could reduce the parameter space a little, but it'll still take over a week to run a rainbow table against a single hash.

 

[drsnooker]

Found another keygen for C-data FD704GW-DAX in /bin/startup

It takes the MD5 of something in nvram (not the MAC, perhaps the serial number??) and does a modified base64 with chars "abcdefghijkmmnppqrstuvwxyzACCDEFGHJJKLMNPPQRSTUVWXYZZ223456799ab" of the MD5 digest resulting in a 20char password. But I cannot seem to find any pictures of it. It's all Russian sites, so I'm using google translate, but this looks to be a pretty rare router. But let me know if you find a C-Data/GPON router that looks to have a wifi password that matches this charset!