Unpublished WPA key algorithms

JustGuardian

Active member
Feedback: 0 / 0 / 0
Joined
Feb 2, 2022
Messages
79
Reaction score
48
Credits
535
Found another keygen for C-data FD704GW-DAX in /bin/startup

It takes the MD5 of something in nvram (not the MAC, perhaps the serial number??) and does a modified base64 with chars "abcdefghijkmmnppqrstuvwxyzACCDEFGHJJKLMNPPQRSTUVWXYZZ223456799ab" of the MD5 digest, resulting in a 20-char password. But I cannot seem to find any pictures of it. It's all Russian sites, so I'm using Google Translate, but this looks to be a pretty rare router. But let me know if you find a C-Data/GPON router that looks to have a wifi password that matches this charset!

I wonder how you will extract that "thing" from the nvram. I'm really curious because I've seen other routers getting something from the nvram and then using it to generate the key.
 

drsnooker

Active member
Contributor
VIP Member
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
448
Reaction score
727
Credits
4,064
Well if I can find a picture, I'd just try some things and see if the correct password pops out.
If not, I have to physically get my hands on a router (or have a local do it for me)
1) try telnet to get shell and pull the NVRAM data
2) no telnet, then UART
3) no UART then use an eprom programmer and a clip to extract the data
4) if the clip doesn't work, then desolder the NVRAM and dump with the programmer.
 

JustGuardian

Well if I can find a picture, I'd just try some things and see if the correct password pops out.
If not, I have to physically get my hands on a router (or have a local do it for me)
1) try telnet to get shell and pull the NVRAM data
2) no telnet, then UART
3) no UART then use an eprom programmer and a clip to extract the data
4) if the clip doesn't work, then desolder the NVRAM and dump with the programmer.
wow (especially the last 2 points) seems very expensive in terms of money and time. What if the "seed" is in the nvram and it is different for every router, can this be considered secure?
I am talking about the TIM modem that I was inspecting: I found out that the seed for the password is in an eeprom partition and it differs for every device. But what I am thinking is: how can this seed generate the same password at every "reconfiguration" and how can I extract it? Also, what if I find a pattern in the seed, could this lead to a wordlist generation?
 

drsnooker

Expensive is relative. I've got a flashcat XPort ($45) and a variety of clips and adapters. Usually you don't know what you need until you take the unit apart, although most units I've cracked open had a TSOP48 NAND chip.
The seed will be different for each router (that's how they get different passwords) but sometimes the seeds are easy to guess, like here where the seed is just the number of milliseconds since Jan 1, 1970. Then you can just brute force the seed. Other times the seed is just the MD5 hash of the serial number or the mac. You just don't know until you see what the seed is.
But yes, if you know the pattern of the seed you can generate a wordlist.
Hashcat can run through a word list that is INT_MAX (2.1 billion entries) long in about 10 minutes. So if the seed is an integer, then that's not a problem at all.
 

JustGuardian

Expensive is relative. I've got a flashcat XPort ($45) and a variety of clips and adapters. Usually you don't know what you need until you take the unit apart, although most units I've cracked open had a TSOP48 NAND chip.
The seed will be different for each router (that's how they get different passwords) but sometimes the seeds are easy to guess, like here where the seed is just the number of milliseconds since Jan 1, 1970. Then you can just brute force the seed. Other times the seed is just the MD5 hash of the serial number or the mac. You just don't know until you see what the seed is.
But yes, if you know the pattern of the seed you can generate a wordlist.
Hashcat can run through a word list that is INT_MAX (2.1 billion entries) long in about 10 minutes. So if the seed is an integer, then that's not a problem at all.
Thanks for that info, this is really interesting. Those are like reading the bible of the routers lmao, in this field the experience is everything... Thanks
 

drsnooker

I did finally manage to find a picture of one of those Rotek modems:
If there are any Russian readers and 1100R isn't like a months salary, it'd be cool to pick it up.

The way the algo works, it takes a long decimal string that looks like the serial number "3203500002713", which is hex 0x2e9df7acd99, and breaks it into three 16-bit words, '0x2e9', '0xdf7a' and '0xcd99', and does some math on those as shown in /bin/flash. But it's the machine ID number, not the serial (or the mac); I played around with those as well. If we can get the machine ID, and perhaps see how that relates to either the serial, mac or just how many zeros are in the middle, it would reduce the parameter space a lot!
 

drsnooker

Buying stuff from Russia turns out to be a lot trickier than I thought.... So let me just call out a few members to see if they are still around and willing to help acquire one of those Rotek modems.
@Zakros, @Nikolia, @wkIzalwikOzEqpJcByMa, @mhmdtimings, @Leoff
Ideally I'd love for them to get their hands dirty and crack the modem open themselves to extract the Machine ID, but drop shipping it to me would work as well.
 

drsnooker


Attachments

  • rotek_rx22101.zip
    766 bytes · Views: 14

drsnooker

I had a thought that I could just try all three 16-bit words as the input to the rotek keygen, and see which combination of inputs would match the password as shown in the picture of the Rotek rx22101.
Then with those three inputs, I could calculate what the machine ID needed to be. First needed to dust off my C++ skills, wrote up the code and did a little benchmark; turns out it'll still take weeks to go through all 2^48 combinations. So I played around some more, finally figured out how to implement OpenMP, ran it on 7 cores and still 10 days. I started it running, but then had a power blip and it would have to start over. So this was my excuse to try to play with OpenCL. Spent hours trying to get it to install to no avail. Then came across this wrapper:


And bam, openCL for everybody, without the install nightmares! I'll attach my modifications to the main.cpp and kernel.cpp so you can run this as well. Only takes an hour to go through all 2^48 possible inputs. If you try this code, be warned, it'll completely lock up your computer until it is done!
So now you think, well what is that machine ID then? It didn't find it! So there's more to this algorithm than I thought.

@selenium are you still around? I could really use your help, as I forgot everything I learned about qiling.... I've attached the /bin/flash binary.
The keygen gets called at 0x40fc44

Full firmware http://ftp.ufanet.ru/pub/firmware/Rotek/ROTEK-RX22101-V1.22.62-UFN.bin
 

Attachments

  • flash.zip
    46.5 KB · Views: 3
  • main_opencl.zip
    1.5 KB · Views: 3

drsnooker

Got the qiling scripts figured out! And fixed the matlab code to match the output from the emulator. Now gotta figure out how to fix the openCL code to match that as well.
 

Attachments

  • rotek.zip
    1.1 KB · Views: 9

drsnooker

Turns out I included the incorrect qiling script. Here's the correct one.
Now for the ironic bit. This algo was included in an older version of the firmware for the RX-22101 but not the latest firmware. No combination of seeds is able to generate the password.
However, it works fine for the RX-22311! It's also not random luck with too many monkeys typing as it generates the admin password as well. So it's confirmed to be the correct algorithm!

For the attached pic, the seeds are 16861, 22903 and 133. Because it uses different modular math for each seed, there are second-order possibilities: 47130 (16861+30269), 53210 (22903+30307) and 30456 (133+30323). The third seed even has a third possibility of 133+2*30323=60779.

rjmqv7v.jpeg
As a step prior to this algo, the firmware XORs these seeds with 43981, 22842 and 60779 respectively, which made me think it's really trying to hide the source, so it might be easy from here. *disappointed*
The words (from the machine ID) are 59920 (0xea10) or 5079 (0x13d7) for word1.
0x4d or 0x96e0 for word2
0xedee, 0x9b93 or 0x00 for word3

Reconstructing the possible machine ID string from those 16bit words gives 12 values:
334639459822
334639438739
334639398912
165892743818734
165892743797651
165892743757824
331045400046
331045378963
331045339136
165889149758958
165889149737875
165889149698048

but each can be added to n*281474976710656 where n=0..3552713678
for n=1
281809616170478
281809616149395
281809616109568
447367720529390
447367720508307
447367720468480
281806022110702
281806022089619
281806022049792
447364126469614
447364126448531
447364126408704

No similarities to the mac or the serial number so far.
Really want to have a look at /dev/mtdblock0 on one of these units to find the true machine ID.

In the meantime, I'll try some other Rotek RX-22xxx models to see what sticks and maybe find a pattern that way.
 

Attachments

  • rotek_keygen2.zip
    642 bytes · Views: 20
  • qiling.zip
    48.2 KB · Views: 18

drsnooker

Don't know what this means but you can take the third possible machine ID (334639398912)
and add 7525 * 281474976710656 which is 2118099534387085312
That for some reason is exactly the last part of the serial number (12403) multiplied by 0x9b5139b00000

The folks over at the 4pda forum might be able to extract a /dev/mtdblock0 from one of these units, but I guess it considers me a robot as I cannot solve the captcha.
@Nikolia @Leoff Any chance you can cross post this thread to the 4pda forum?

I found this identical algorithm now as well in the beeline Rx-22200 firmware in /lib/libapmib.so (function apmib_default) so it's more widespread and might be of value to a larger community.
 

drsnooker

model     WIFI pwd     SSID           seed1  seed2  seed3
rx-23311  Hdp6FCuP4M   RT-WIFI-5B91   16861  22903  133
rx-22311  cbiy8agBRE   LRT-WIFI-350D  13975  22859  133
rx-22300  BHuYaEkyuK   RT-WIFI-A3AA   18928  26665  133
rx-33412  uisZbUaiuy   RT-GPON-B3D1   19773  22879  133
rx-22300  uBZ4qvaWUE   RT-WIFI-BF22   16381  18433  133
rx-22311  4ipueyVXau   RT-WIFI-5B91   5140   22970  133
rx-22311  UKqz62KyaA   RT-WIFI-B971   29263  22885  133

Anybody notice a pattern? Yeah, seed3 is always 133! (With twice the modulo and the XOR, that actually turns the last 16-bit word of the hexadecimal representation of the hardware ID into "0000".)

@Plum if you have the time, it might now be worth converting the matlab code to python. @RealEnder this finding has reduced the parameter space so much you might be able to cook up a rainbow table, especially as seed2 seems to be mostly around 22900 as a first pass. But the range for seed1 is up to 0x763d, and seed2 up to 0x7663, so not even the full INT_MAX range.

So far it seems that the older models RX22101 and RX22200 use a different variant that so far hasn't shown up in any of the firmwares I found. Those also have a different ESSID (like Ufanet_2G_HHHH, WIFI-DOM.ru-DDDD, and Tattelecom_HHHH) So far this is good for RT-WIFI-HHHH.
 

Attachments

  • rotek_keygen2.zip
    1.1 KB · Views: 21
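The word-to-seed relation spelled out across the posts above (XOR each 16-bit word of the machine ID with 43981, 22842 or 60779, then reduce modulo 30269, 30307 or 30323; the "second order" seed possibilities; the twelve reconstructed machine IDs; the n*2^48 family; the observation that 133 after twice the modulo and the XOR is word "0000"; and the 7525*2^48 serial-number coincidence) can be checked with a short script. This is an added example written for this page, not the MATLAB, C++ or qiling code in the thread's attachments. It assumes the word order I read off the author's candidate list (word2 occupies the top 16 bits, word1 the middle, word3 the bottom), and it deliberately stops at the seeds: the seed-to-password step is only in the attachments and is not reproduced here.

```python
from itertools import product

# Constants quoted in the thread (reverse engineered from /bin/flash): each 16-bit
# word of the machine ID is XORed with one key, then reduced modulo one modulus.
XOR_KEYS = (43981, 22842, 60779)      # 0xABCD, 0x593A, 0xED6B
MODULI = (30269, 30307, 30323)
WORD_BITS = 16
ID_BITS = 48                          # three words; bits above 47 are invisible to the seeds


def id_to_words(machine_id):
    """Thread convention (assumption, read off the author's candidate list):
    word1 = bits 31..16, word2 = bits 47..32, word3 = bits 15..0."""
    return ((machine_id >> 16) & 0xFFFF, (machine_id >> 32) & 0xFFFF, machine_id & 0xFFFF)


def words_to_id(word1, word2, word3, n=0):
    """Inverse of id_to_words; n supplies the bits above the 48 the words cover (n * 2**48)."""
    return (n << ID_BITS) | (word2 << 32) | (word1 << 16) | word3


def seeds_from_id(machine_id):
    """Forward direction: the seed triple the firmware derives from a machine ID."""
    return tuple((w ^ k) % m for w, k, m in zip(id_to_words(machine_id), XOR_KEYS, MODULI))


def words_for_seed(seed, key, modulus):
    """All 16-bit words that reduce to `seed`: (seed + j*modulus) ^ key for every j
    that keeps the value below 2**16. These are the 'second order' possibilities."""
    words, value = [], seed
    while value < (1 << WORD_BITS):
        words.append(value ^ key)
        value += modulus
    return words


def machine_id_candidates(seeds, n=0):
    """Every 48-bit machine ID consistent with a seed triple, plus n * 2**48.
    Loop order (word1 outermost, word3 innermost) matches the list in the post."""
    per_word = [words_for_seed(s, k, m) for s, k, m in zip(seeds, XOR_KEYS, MODULI)]
    return [words_to_id(w1, w2, w3, n) for w1, w2, w3 in product(*per_word)]


if __name__ == "__main__":
    seeds = (16861, 22903, 133)        # the triple quoted for the RX-22311 picture
    for cand in machine_id_candidates(seeds):
        assert seeds_from_id(cand) == seeds          # every candidate round-trips
        print(cand, hex(cand), seeds_from_id(cand))
    # seed3 = 133 corresponds to word3 = 0x0000 via the 133 + 2*30323 = 60779 branch
    print("word3 candidates for seed 133:", [hex(w) for w in words_for_seed(133, 60779, 30323)])
```

Running it reproduces the twelve values and the n=1 block from the post; the round-trip assertion is the useful part, since any candidate that does not map back to the observed seeds would mean the XOR key, modulus or word order was transcribed wrongly.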

Plum

Moderator
Staff member
Moderator
Trusted
Contributor
Feedback: 11 / 0 / 0
Joined
Dec 30, 2019
Messages
4,345
Reaction score
5,162
Credits
12,634
model     WIFI pwd     SSID           seed1  seed2  seed3
rx-23311  Hdp6FCuP4M   RT-WIFI-5B91   16861  22903  133
rx-22311  cbiy8agBRE   LRT-WIFI-350D  13975  22859  133
rx-22300  BHuYaEkyuK   RT-WIFI-A3AA   18928  26665  133
rx-33412  uisZbUaiuy   RT-GPON-B3D1   19773  22879  133
rx-22300  uBZ4qvaWUE   RT-WIFI-BF22   16381  18433  133
rx-22311  4ipueyVXau   RT-WIFI-5B91   5140   22970  133
rx-22311  UKqz62KyaA   RT-WIFI-B971   29263  22885  133

Anybody notice a pattern? Yeah, seed3 is always 133! (With twice the modulo and the XOR, that actually turns the last 16-bit word of the hexadecimal representation of the hardware ID into "0000".)

@Plum if you have the time, it might now be worth converting the matlab code to python. @RealEnder this finding has reduced the parameter space so much you might be able to cook up a rainbow table, especially as seed2 seems to be mostly around 22900 as a first pass. But the range for seed1 is up to 0x763d, and seed2 up to 0x7663, so not even the full INT_MAX range.

So far it seems that the older models RX22101 and RX22200 use a different variant that so far hasn't shown up in any of the firmwares I found. Those also have a different ESSID (like Ufanet_2G_HHHH, WIFI-DOM.ru-DDDD, and Tattelecom_HHHH) So far this is good for RT-WIFI-HHHH.
 

drsnooker

My attempt at writing some C++ code to generate the rainbow table for those rotek modems. You could dial in the seed2 for loop around 22900 instead of the full range.
As is, it generates the 10GB rainbow table in a few minutes.
 

Attachments

  • rotek_dict.zip
    586 bytes · Views: 55

drsnooker

I was just looking at pics of the ROTEK RX-22200

UkKo9ON.jpeg
Yeah that clearly is a '1' no wonder no combination of seeds was giving me the correct password.
Current charset is given by: 'aaaaabcdeeeeefghiiiijkmnpqrstuuuuuvwxyyyyzAAAABCDEEEEFGHJKLMNPQRSTUUUUVWXYYYYZ233445677889'

The occurrence of characters is about the same, with a large increase for the vowels. Also a capital "I" and no capital "J".

NOAEC62.jpeg
Maybe I'll play around with some different charsets keeping the rest of the algorithm the same. I could really use some help from the other side of the iron firewall, digging up firmwares for these routers.... Specifically looking for DOM.ru firmwares of really any ROTEK router. Of course, I would also still love to get my hands on a /dev/mtdblock0 to understand this customer_HW_system_NUM and how it relates to the MAC and SN.
 

drsnooker

Oh @Plum?!?!? All it needed was the correct charset and the password spits right out for the picture above!
Still has seed3 as 133 and seed2 in the high 228xx range. I'm sure that's not a coincidence!
I think I would have gotten there eventually with a new mathematical approach I was working on. But came across a youtube clip (
) that has a link to a firmware that extracts to give a different /bin/flash that I've been reversing so far.
 

Attachments

  • rotek_keygen3.zip
    1.2 KB · Views: 22

Plum

Oh @Plum?!?!? All it needed was the correct charset and the password spits right out for the picture above!
Still has seed3 as 133 and seed2 in the high 228xx range. I'm sure that's not a coincidence!
I think I would have gotten there eventually with a new mathematical approach I was working on. But came across a youtube clip (
) that has a link to a firmware that extracts to give a different /bin/flash that I've been reversing so far.
 

drsnooker

Great work @Plum.
For clarity, rotek_keygen2 is at least for models RX-22300, RX-22311, RX-23311, and RX-33412 with an ESSID of RT-WIFI-HHHH and RT-GPON-HHHH
rotek_keygen3 is at least for models RX-22200 and RX-22301 with ESSID WIFI-DOM.ru-DDDD

Pictures found on Avito.ru and yandex.ru for the latter algo were solved.
model     mac           sn             WIFI pwd    SSID              seed1  seed2  seed3
rx-22200  dce3052cf8df  318A110010923  9KeyhiduAx  WIFI-DOM.ru-0923  19733  22883  133
rx-22200  dc03052fe666  318A127006050  493rUFEALc  WIFI-DOM.ru-6050  14719  22805  133
rx-22200  dce3052a6de4  318A110001120  t49CuYE6Fa  WIFI-DOM.ru-1120  16163  22887  133
rx-22200  dce30531e796  318A127013778  rABtySZmUF  WIFI-DOM.ru-3778  88     22958  133
rx-22200  dce3052426BA  3189126009238  PnupmaAymt  WIFI-DOM.ru-9238  29493  22829  133
rx-22200  dce30512c461  3188060007181  RxXtuYAhSM  WIFI-DOM.ru-7181  8687   22788  133
rx-22200  dce30523c808  3189126007812  xLj8aF3uMt  WIFI-DOM.ru-7812  16341  22958  133
rx-22200  dce30517d6bf  3188074010283  jx2HbyuiU3  WIFI-DOM.ru-0283  9616   22785  133
rx-22200  dce3052675ad  3189128001977  Mi9f1Bi7Ey  WIFI-DOM.ru-1977  15809  22845  133
rx-22200  dce3050df931  3188055004701  7vCKeYUA2p  WIFI-DOM.ru-4701  1826   22844  133
rx-22200  dce305142bd6  3188060012594  Aa7er6YetZ  WIFI-DOM.ru-2594  14412  22970  133
rx-22200  dce3050d97c8  3188055003716  j3aKiDeUih  WIFI-DOM.ru-3715  8195   22856  133
rx-22200  dce305284322  3189128006925  j8xEwNKXa8  WIFI-DOM.ru-8925  7304   22798  133
rx-22301  dce305086589  3188146007133  TiUde7u4Ej  WIFI-DOM.ru-7133  22118  22852  133
rx-22200  dce305042ff1  3186129006213  uayE952YM9  WIFI-DOM.ru-6213  817    22970  133
rx-22200  dce30501391e  3186128002186  6F5CGeAkns  WIFI-DOM.ru-2186  25928  22872  133
rx-22200  dce30502cb79  3186129000645  P5ieZc3aF8  WIFI-DOM.ru-0645  9694   22900  133
rx-22200  dce30504f5a2  3186146001590  Uay5Eip5X3  WIFI-DOM.ru-1590  16714  22873  133
rx-22200  dce30502b34d  3186129000481  RF3y9HU8Lu  WIFI-DOM.ru-0481  27484  22890  133
rx-22200  dce305024434  3186128006206  VEipeUGsea  WIFI-DOM.ru-6206  29423  22973  133


There still remain the RX-22101 with ESSID Ufanet_2G_HHHH and RX-22200 with either RT-WIFI-HHHH or Tattelecom_HHHH
I will try some more charsets to see if anything sticks.
 

drsnooker

Much thanks to @RealEnder who managed to collate tens of thousands (I'm not kidding) of the WIFI-DOM.ru-DDDD passwords. If I down select to the passwords that have seed3=133, I'm left with 21509 passwords that will be generated by rotek_keygen3. So I figured I'd plot seeds1 vs seed2, turns out seed2 has an incredibly limited range from 22784 to 22975 with even a gap in the middle, so you can really shrink the rainbow table and still catch most of the passwords!
stanev_found.jpg

If I then look at the seed3 != 133 cases, there's also a bit of a pattern there, with seed3 = 22610, 23002, 24058 and 26578 also giving a larger contribution.
Not sure if that's random luck, or a meaningful result, but if you struck out with seed3=133, perhaps give those 4 a try.

stanev_found_not133.jpg
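To put the numbers scattered through the later posts side by side (the transcribed charsets, the seed1/seed2 ranges, seed3 fixed at 133, the 10 GB table, and the 22784..22975 band for seed2 found in the collated DOM.ru passwords), here is an added example, not code from the thread or its attachments. It contrasts what the password looks like from the outside (a 10-character string from a mixed charset) with the effective size of the seed space, which is what actually bounds how hard such a default key is to guess; the charset strings, seed ranges and 10-character length are taken from the posts, the "password plus newline" wordlist sizing is my assumption.

```python
import math
import string
from collections import Counter

# Charsets as transcribed in this thread: the C-Data /bin/startup keygen (64 entries)
# and the Rotek keygen3 charset (90 entries). Repeated entries bias the output.
CHARSET_CDATA = "abcdefghijkmmnppqrstuvwxyzACCDEFGHJJKLMNPPQRSTUVWXYZZ223456799ab"
CHARSET_ROTEK3 = ("aaaaabcdeeeeefghiiiijkmnpqrstuuuuuvwxyyyyz"
                  "AAAABCDEEEEFGHJKLMNPQRSTUUUUVWXYYYYZ233445677889")
PASSWORD_LEN = 10                      # length of the Rotek passwords in the tables above

# Seed ranges quoted in the thread: seed1 up to 0x763d, seed2 up to 0x7663, seed3 = 133,
# and the narrow seed2 band seen in the collated WIFI-DOM.ru passwords.
FULL_RANGES = [(0, 0x763d), (0, 0x7663), (133, 133)]
DOMRU_RANGES = [(0, 0x763d), (22784, 22975), (133, 133)]


def charset_profile(charset):
    """Entries, distinct symbols, Shannon bits per output character when the keygen
    indexes the charset uniformly, and which alphanumerics can never appear."""
    counts = Counter(charset)
    n = len(charset)
    bits = -sum(c / n * math.log2(c / n) for c in counts.values())
    absent = "".join(sorted(set(string.ascii_letters + string.digits) - set(counts)))
    return {"entries": n, "distinct": len(counts), "bits_per_char": bits, "absent": absent}


def password_fits(password, charset):
    """True if every character of `password` can be produced from `charset`
    (the fingerprint check the first post asks readers to do)."""
    return all(ch in charset for ch in password)


def nominal_bits(charset, length=PASSWORD_LEN):
    """Apparent strength of a password of this length drawn from this charset."""
    return length * charset_profile(charset)["bits_per_char"]


def seed_space(ranges):
    """ranges: (low, high) inclusive per seed. Returns (entries, bits)."""
    entries = 1
    for lo, hi in ranges:
        entries *= hi - lo + 1
    return entries, math.log2(entries)


def wordlist_size_bytes(entries, length=PASSWORD_LEN):
    """Assumed layout: one password plus a newline per line."""
    return entries * (length + 1)


if __name__ == "__main__":
    for name, cs in (("C-Data", CHARSET_CDATA), ("Rotek keygen3", CHARSET_ROTEK3)):
        p = charset_profile(cs)
        print(f"{name}: {p['entries']} entries, {p['distinct']} distinct, "
              f"{p['bits_per_char']:.2f} bits/char, never appears: {p['absent']}")
    print(f"nominal 10-char strength: {nominal_bits(CHARSET_ROTEK3):.1f} bits")
    for name, r in (("full seed ranges", FULL_RANGES), ("DOM.ru seed2 band", DOMRU_RANGES)):
        n, bits = seed_space(r)
        print(f"{name}: {n} seeds = {bits:.1f} bits, "
              f"wordlist ~{wordlist_size_bytes(n) / 1e9:.2f} GB")
    print(password_fits("9KeyhiduAx", CHARSET_ROTEK3))   # a password from the table above
```

The full-range figure lands on the 10 GB table the C++ post mentions; the seed2 band shrinks it to a few million entries, about 22 bits, against a nominal 55 or so bits for the string itself. The gap between those two numbers is the whole story of a default key derived from a small seed, and the reason to replace such a key rather than trust its apparent length.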
 