Unpublished WPA key algorithms

JustGuardian (Active member, joined Feb 2, 2022)
Found another keygen for C-data FD704GW-DAX in /bin/startup

It takes the MD5 of something in nvram (not the MAC, perhaps the serial number??) and does a modified base64 with chars "abcdefghijkmmnppqrstuvwxyzACCDEFGHJJKLMNPPQRSTUVWXYZZ223456799ab" of the MD5 digest, resulting in a 20-char password. But I cannot seem to find any pictures of it. It's all Russian sites, so I'm using Google Translate, but this looks to be a pretty rare router. But let me know if you find a C-Data/GPON router that looks to have a wifi password that matches this charset!

I wonder how you will extract that "thing" from the nvram. I'm really curious because I've seen other routers getting something from the nvram and then using it to generate the key.
 

drsnooker (Active member, Contributor, joined Aug 1, 2020)
Well, if I can find a picture, I'd just try some things and see if the correct password pops out.
If not, I have to physically get my hands on a router (or have a local do it for me):
1) try telnet to get a shell and pull the NVRAM data
2) no telnet, then UART
3) no UART, then use an eprom programmer and a clip to extract the data
4) if the clip doesn't work, then desolder the NVRAM and dump with the programmer.
 

JustGuardian (Active member, joined Feb 2, 2022)
Well, if I can find a picture, I'd just try some things and see if the correct password pops out.
If not, I have to physically get my hands on a router (or have a local do it for me):
1) try telnet to get a shell and pull the NVRAM data
2) no telnet, then UART
3) no UART, then use an eprom programmer and a clip to extract the data
4) if the clip doesn't work, then desolder the NVRAM and dump with the programmer.
Wow (especially the last two points), that seems very expensive in terms of money and time. What if the "seed" is in the nvram and it is different for every router, can this be considered secure?
I am talking about the TIM modem that I was inspecting: I found out that the seed for the password is in an EEPROM partition and it differs for every device. But what I am thinking is: how can this seed generate the same password at every "reconfiguration", and how can I extract it? Also, what if I find a pattern in the seed, could this lead to a wordlist generation?
 

drsnooker (Active member, Contributor, joined Aug 1, 2020)
Expensive is relative. I've got a flashcat XPort ($45) and a variety of clips and adapters. Usually you don't know what you need until you take the unit apart, although most units I've cracked open had a TSOP48 NAND chip.
The seed will be different for each router (that's how they get different passwords), but sometimes the seeds are easy to guess, like here where the seed is just the number of milliseconds since Jan 1, 1970. Then you can just brute force the seed. Other times the seed is just the MD5 hash of the serial number or the MAC. You just don't know until you see what the seed is.
But yes, if you know the pattern of the seed you can generate a wordlist.
Hashcat can run through a word list that is INT_MAX (2.1 billion entries) long in about 10 minutes. So if the seed is an integer, then that's not a problem at all.
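An added analysis helper, written for this thread and not taken from the post or from the router's firmware: it measures how much entropy the alphabet quoted in the first post actually carries per character (several slots repeat a character, so it is less than 6 bits), bounds the derived key's entropy by the seed size drsnooker describes, and checks whether a key's length and charset are even consistent with the scheme. The alphabet and the 20-character length come from the post; the seed sizes passed in are assumptions for illustration.

```python
import math

# Alphabet quoted in the first post: 64 slots, but several characters repeat.
ALPHABET = "abcdefghijkmmnppqrstuvwxyzACCDEFGHJJKLMNPPQRSTUVWXYZZ223456799ab"
KEY_LENGTH = 20  # the post reports a 20-character password


def alphabet_stats(alphabet=ALPHABET):
    """Return (distinct_symbols, bits_per_char) for a base64-style mapping.

    Each 6-bit group selects one of the 64 slots uniformly, so a character
    occupying two slots is twice as likely as a single-slot one. The Shannon
    entropy of the resulting character distribution is the real number of
    bits carried per output character; it drops below 6 once slots collide.
    """
    counts = {}
    for ch in alphabet:
        counts[ch] = counts.get(ch, 0) + 1
    total = len(alphabet)
    entropy = -sum((n / total) * math.log2(n / total) for n in counts.values())
    return len(counts), entropy


def effective_key_bits(seed_bits, alphabet=ALPHABET, length=KEY_LENGTH):
    """Upper bound on the entropy of a key derived by hash-then-encode.

    The MD5 and encoding steps cannot add entropy, so the key is capped by
    both the alphabet's capacity over `length` characters and the entropy of
    the seed (e.g. about 31 bits for a millisecond timestamp, as discussed).
    """
    _, bits_per_char = alphabet_stats(alphabet)
    return min(length * bits_per_char, seed_bits)


def matches_scheme(candidate, alphabet=ALPHABET, length=KEY_LENGTH):
    """True if a WPA key has the length and charset this keygen would emit.

    A match is only a hint to check the device further. The characters the
    alphabet lacks ('l', 'o', 'B', 'I', 'O', '0', '1', '8') are the stronger
    tell: a key containing any of them cannot come from this mapping.
    """
    return len(candidate) == length and set(candidate) <= set(alphabet)


if __name__ == "__main__":
    distinct, bits = alphabet_stats()
    print(f"{distinct} distinct symbols, {bits:.4f} bits per character")
    print("key bits with a 31-bit timestamp seed:", effective_key_bits(31))
    # Constructed sample key, not taken from any real device.
    print("pattern match:", matches_scheme("abcdefghijkmnpqrstuv"))
```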
 

JustGuardian (Active member, joined Feb 2, 2022)
Expensive is relative. I've got a flashcat XPort ($45) and a variety of clips and adapters. Usually you don't know what you need until you take the unit apart, although most units I've cracked open had a TSOP48 NAND chip.
The seed will be different for each router (that's how they get different passwords), but sometimes the seeds are easy to guess, like here where the seed is just the number of milliseconds since Jan 1, 1970. Then you can just brute force the seed. Other times the seed is just the MD5 hash of the serial number or the MAC. You just don't know until you see what the seed is.
But yes, if you know the pattern of the seed you can generate a wordlist.
Hashcat can run through a word list that is INT_MAX (2.1 billion entries) long in about 10 minutes. So if the seed is an integer, then that's not a problem at all.
Thanks for that info, this is really interesting. Those are like reading the bible of the routers lmao, in this field experience is everything... Thanks
 