Unpublished WPA key algorithms

drsnooker · May 5, 2025

I also share my matlab version of the QEMU keygen of the VMG8825 (without actually giving the algos for the admin and supervisor passwords.) I know there are a few people that are attempting to reverse all those different algorithms and I'll be happy to provide hints of any of the functions they don't have working correctly.

Code:

function qemu(sn);

if nargin<1
    sn='S123Y12341234';
end

serial_value=str2num(sn(2:3)); % perhaps year code of the SN?

disp(['Old algo super ............ ' old_algo_super(sn)]);
disp(' ');
disp(['New algo super ............ ' new_algo_super(sn)]);
disp(' ');
disp(['Old algo admin zyxel 1 .... ' old_admin_zyxel_password(sn,1)]);
disp(['Old algo admin zyxel 2 .... ' old_admin_zyxel_password(sn,2)]);
disp(['Old algo admin zyxel 3 .... ' old_admin_zyxel_password(sn,3)]);
disp(' ');

if serial_value>=19
    disp(['New algo admin zyxel 1 .... ' new_algo_admin(sn)]);
    disp(['New algo admin zyxel 2 .... ' new_algo_admin_2(sn,8)]);
else
    disp(['New algo admin zyxel 1 .... ' old_admin_zyxel_password(sn,1,8)]);
    disp(['New algo admin zyxel 2 .... ' old_admin_zyxel_password(sn,2,8)]);
end

disp(' ');
disp(['Old algo admin wind 2 ..... ' old_admin_zyxel_password(sn,2,10)]);
disp(['Old algo admin wind 1 ..... ' old_admin_zyxel_password(sn,1,10)]);
disp(' ');


if serial_value>=19
    disp(['New algo admin zyxel 2 .... ' new_algo_admin_2(sn,10)]);
    disp(['New algo admin zyxel 1 .... ' new_algo_admin(sn,10)]);
else
    disp(['New algo admin zyxel 2 .... ' old_admin_zyxel_password(sn,2,10)]);
    disp(['New algo admin zyxel 1 .... ' old_admin_zyxel_password(sn,1,10)]);
end
%disp(['New algo admin zyxel 1 ' new_algo_admin(sn)]);

Ananim353 · May 6, 2025

Ananim353 said:
A minute of useless information.
The algorithm for RT-GM-5 is also most likely used for RT-GM-4 late revisions and 1 or 2 more ZTE routers for Rostelecom.
Possibly also for RT-GM-4 early revisions, but it seems to me that the algorithm is slightly different there.
The passwords must necessarily contain at least 1 digit, 1 uppercase letter and 1 lowercase letter.
Also, the passwords that I have encountered (28 routers) use only 36 characters out of 62 possible (the list may reach 40).
Their list is below
Numbers: 234567
Uppercase: ABDEFGHKMPQRTUXY
Lowercase: abdefhkmpqtuxy

One small addition.
Symbols in a password cannot appear more than twice.
That is, there are no passwords like QpGQ6dQr
Since Q appears more than 2 times

wizardhat · May 24, 2025

drsnooker said:
Still busy but thought I drop in a table of zyxel models for which there are pictures, but no algo *yet* I did run them through the algo scanner and struck out, so no known variant of the established algos work.

zyxel model SN MAC PWD Mask
P-660HN-T1A S121K01027829 cc5d4e8872f8 5f6a10c6e795 ?h?h?h?h?h?h?h?h?h?h?h?h
P-660HW-T1 S100Y43033927 5067f088a139 91b62affe9db

Hi @drsnooker did you ever figure out the algos for these P660 models? They were manufactured circa the 2006 - 2012 era so I find it hard to believe that the algo would be very complex or factory burned directly into the nvram. 12 lowercase hex seems like the first 12 digits of a SHA1 or MD5 digest of something.

I own a very old one of these models but I have no idea how to dump the firmware because it seems to be running zyxel's proprietary OS, so no option to use normal linux commands, even over UART.

robinex · May 25, 2025

from Turkey
ZTE

https://imvm.letgo.com/v1/files/8w0khc03ub1v-OLXAUTOTR

https://imvm.letgo.com/v1/files/2zi4cug125712-OLXAUTOTR

https://imvm.letgo.com/v1/files/dd1da2a8eafa4-OLXAUTOTR

https://imvm.letgo.com/v1/files/upc1n34s97v42-LETTR

https://imvm.letgo.com/v1/files/f63e201a78034-OLXAUTOTR

https://imvm.letgo.com/v1/files/00c3257133434-OLXAUTOTR

https://imvm.letgo.com/v1/files/f88f3a5fe7f94-OLXAUTOTR

https://imvm.letgo.com/v1/files/ae2ei29t8m4o2-LETTR

https://imvm.letgo.com/v1/files/7226d63e36d64-OLXAUTOTR

TP-link

https://imvm.letgo.com/v1/files/4416e2edab174-OLXAUTOTR

ZYXEL

https://imvm.letgo.com/v1/files/bd21a38c52b24-OLXAUTOTR

https://imvm.letgo.com/v1/files/690959dbe05a4-OLXAUTOTR

https://imvm.letgo.com/v1/files/1957738748b74-OLXAUTOTR

https://imvm.letgo.com/v1/files/a313d59c9e724-OLXAUTOTR

https://imvm.letgo.com/v1/files/3f1ac0fdf8754-OLXAUTOTR

Huawei

https://imvm.letgo.com/v1/files/0f8a1d37698c4-OLXAUTOTR

https://imvm.letgo.com/v1/files/c052d5bce2904-OLXAUTOTR

one more huawei in attachment

I am looking these FiberHGW password algorithm. These in Turkey. TurkTelekom ISP. I try find firmware but not published ISP firmware. any ideas for these?

drsnooker · May 28, 2025

@wizardhat Not sure if I looked at those particular models. If I had firmware for them and I managed to find a picture of the sticker somewhere on the internet, then I would have published the keygen. I'll see if any of the old algos fit, or if I can find the firmware for those particular models.

@robinex The hints we got from the ZTE admin algo has yet to result in a WIFI keygen. For the Zyxels, those are likely the latest iteration of the algo for which only one person online so far has the answer and they ain't talking....
There are some algos for different tp-link models, but nothing as far as I'm aware for these. Same with Hauwei.

Alright, need to unpack, I'll go look for some RasCode for those P660's tomorrow.

FiosFiend · May 28, 2025

I apparently have a thing for QR codes now because I got excited when I saw those crisp images. Unfortunately the info is pretty basic :(

Code:

('WIFI:S:FiberHGW_HUYV8V;T:WPA;P:YhWKdD4NELFR;;',)

drsnooker · May 28, 2025

@wizardhat turns out those two p660 with hex passwords are from Eircom. The firmware from ftp.zyxel.com.tr or ftp.zyxel.lv don't apply.
You could try to get in using the bootbase commands ATSE, ATEN and ATGU in order to get to the RasCode.

OpenWrt Forum Archive

My google-fu is letting me down so I haven't been able to find the correct firmware for Eircom modems.

@hydddra the authors from unblob have not had a chance to look at the sercomm firmwares so I still cannot extract them to the filesystem.

wizardhat · May 29, 2025

drsnooker said:
@wizardhat turns out those two p660 with hex passwords are from Eircom. The firmware from ftp.zyxel.com.tr or ftp.zyxel.lv don't apply.
You could try to get in using the bootbase commands ATSE, ATEN and ATGU in order to get to the RasCode.

OpenWrt Forum Archive

My google-fu is letting me down so I haven't been able to find the correct firmware for Eircom modems.

@hydddra the authors from unblob have not had a chance to look at the sercomm firmwares so I still cannot extract them to the filesystem.

@drsnooker There was no atgu command but I was able to dump the Rascode with the atdu command, thanks. I'm not very good at reversing but I've attached it below. The modem I have is branded Perlico with PerlicoWifi-XXXX essid, but after searching online it seems the eircom P660s also use the hex passwords, so possibly others too. Also this website seems to have a few ancient zyxel firmwares https://ftp.gwdg.de/pub/misc/zyxel-euro/

drsnooker · May 30, 2025

wizardhat said:
@drsnooker There was no atgu command but I was able to dump the Rascode with the atdu command, thanks. I'm not very good at reversing but I've attached it below. The modem I have is branded Perlico with PerlicoWifi-XXXX essid, but after searching online it seems the eircom P660s also use the hex passwords, so possibly others too. Also this website seems to have a few ancient zyxel firmwares https://ftp.gwdg.de/pub/misc/zyxel-euro/

Cool. I tracked down the original location of the Eircom firmware on the web archive

eircom net Technical Support

web.archive.org

But the archive doesn't store the actual files. Then thought may be I can find the firmware for the D1000 or F1000 and perhaps they use the same algorithm. Couldn't find those firmwares either.
Let me have a look at the German ones. No guarantee they are the same as the Irish ones, but at least it gives me something to reverse. Haven't had anything else to look at....

drsnooker · May 30, 2025

wizardhat said:
@drsnooker There was no atgu command but I was able to dump the Rascode with the atdu command, thanks. I'm not very good at reversing but I've attached it below. The modem I have is branded Perlico with PerlicoWifi-XXXX essid, but after searching online it seems the eircom P660s also use the hex passwords, so possibly others too. Also this website seems to have a few ancient zyxel firmwares https://ftp.gwdg.de/pub/misc/zyxel-euro/

@wizardhat If you load your attached RasCode.bin into Ghidra as 32bit MIPS Big endian (default other options) at base address 0x80020000
You can do a text search for "produce wireless Key fail" which then leads to a function at 8015233c and a function at 801b4218 that look very similar and uses a double MD5 hashing method. Those functions also seem to generate the default SSID with the PerlicoWIFI- prefix.
Now to figure out what they are actually doing....

drsnooker · May 30, 2025

@wizardhat solved this particular mystery for your PerlicoWIFI password. Sadly does not work for the Eircom ones I found earlier.

@Plum it uses a new twist of the agnahaak algo, using bytes of the digest instead ascii values from the hex_hash.
It's a twist I had not seen before, so now I need to update my zyxel search scanner to include this modification and run through all the unexplained passwords again...

wizardhat · May 31, 2025

@drsnooker Impressive work! Shame it doesn't work on the other ones but maybe your scanner will turn something up. At least I was able to contribute to your collection

drsnooker · May 31, 2025

wizardhat said:
@drsnooker Impressive work! Shame it doesn't work on the other ones but maybe your scanner will turn something up. At least I was able to contribute to your collection

You seem pretty adept at extracting RasCodes from actual hardware! Much thanks for that. The firmwares from the ftp site you discovered, have no mention of Eircom.
If you feel like adding more to the collection and willing to spend a few quid, some of these units go for less than $10 on ebay. Perhaps a local thrift store has them for even less!
So if you do come across one and are able to extract the RasCode, of course, I'll reverse its algorithm as well!

Plum · Jun 1, 2025

drsnooker said:
@wizardhat solved this particular mystery for your PerlicoWIFI password. Sadly does not work for the Eircom ones I found earlier.

@Plum it uses a new twist of the agnahaak algo, using bytes of the digest instead ascii values from the hex_hash.
It's a twist I had not seen before, so now I need to update my zyxel search scanner to include this modification and run through all the unexplained passwords again...
View attachment 38959

GitHub - PlumLulz/p660hw_t1_v2py: Keygen for Zyxel P-660HW-T1-v2 using lower case mac

Keygen for Zyxel P-660HW-T1-v2 using lower case mac - PlumLulz/p660hw_t1_v2py

github.com

drsnooker · Jun 1, 2025

@RealEnder The WPA-sec database seem to only contain 1 PerlicoWIFI ESSID (PerlicoWiFi-8b2b) but at least it is cracked with this algo.

drsnooker · Jun 3, 2025

I think I finally squished all the bugs in my openCL ZTE salt scanner. Right now (attached) it runs 10 chars after "ZT" with the admin passwords to find the correct salt "ZTE's future"
in about 22 hours. It also does not completely lock up your screen, so you can watch some youtube while it runs.
The code is not that complicated (other than the local MD5 implementation) so if you want to experiment with finding the WIFI salt, you'd only have to comment out the admin passwords and replace them with the WIFI passwords. Pick your favorite salt-start like "ZTE will" and away you go.

Felix57 · Jun 4, 2025

Hello, drsnooker!
Allow me to return to the "our rams", or rather to the password generator rotek_dict.cpp for RX -22300 models.
The passwords generated by it are not suitable for many models!
I have collected some information available to the Internet for these RX-22300 models - it is in the attached txt-File,
if possible, look at it and can correct the code in C++ so that it generates the passwords in which there will be passwords in the attached file.
Sincerely, Felix
PS: When I looked at the information in WifiInfoView - I found that the MAC-address that the router gives on the air - is more than in BSSID at 1!
SSID MAC-адрес
RT-WiFi_F5A3 08C6B3D9F5A4
RT-WiFi-35E9 B4E54C5835EA
RT-WiFi-6FE4 DCE3058E6FE5

drsnooker · Jun 4, 2025

Felix57 said:
Hello, drsnooker!
Allow me to return to the "our rams", or rather to the password generator rotek_dict.cpp for RX -22300 models.
The passwords generated by it are not suitable for many models!
I have collected some information available to the Internet for these RX-22300 models - it is in the attached txt-File,
if possible, look at it and can correct the code in C++ so that it generates the passwords in which there will be passwords in the attached file.
Sincerely, Felix
PS: When I looked at the information in WifiInfoView - I found that the MAC-address that the router gives on the air - is more than in BSSID at 1!
SSID MAC-адрес
RT-WiFi_F5A3 08C6B3D9F5A4
RT-WiFi-35E9 B4E54C5835EA
RT-WiFi-6FE4 DCE3058E6FE5

Hey @Felix57 Yeah I'm not surprised it doesn't work for a lot of models. As far as I can tell at least the models with a OUI of DC:E3:05 will work.
The list you found have mostly D8:AF:81 OUI (vendor AO) It's likely each manufacturer has their own keygen. The firmware inside the Rotek models can only generate a password with the first char is a capital letter. So based on your findings there must be different algorithm out there, but I have not found that in any of the firmware on 4PDA.
Many vendor do not include the algorithm inside the firmware, and just store default passwords in NVRAM.
Without firmware that include the algorithm, not much I can do. Guessing has almost zero success....

Yeah, it is known that the MAC on the sticker can be +/- 4 from the BSSID. I always check a range of MAC values!

drsnooker · Jun 4, 2025

@Felix57 did a little more digging. I was confused with the RT-GM3 keygen and the rotek keygen :(
Rotek uses two different charsets:
char CHARSET[] = "aaaaabcdeeeeefhiiiijkmnprstuuuuuvwxyyyyzAAAABCDEEEEFGHJKLMNPQRSTUUUUVWXYYYYZ12233445566778899";
char CHARSET[] = "aaaaabcdeeeeefghiiiijkmnpqrstuuuuuvwxyyyyzAAAABCDEEEEFGHJKLMNPQRSTUUUUVWXYYYYZ233445677889";

pwd= BHuYaEkyuK
works with seeds 18928,26665,133 and charset2 So the seed2 value is larger than the normal range.

Doesn't seem to work for the other passwords though. Need to think about what else it could be. A third charset perhaps? Again not seen in any of the firmware from 4pda.

Felix57 · Jun 5, 2025

Here is the last Off. Firmware RX-22300

zyxel model	SN	MAC	PWD	Mask
P-660HN-T1A	S121K01027829	cc5d4e8872f8	5f6a10c6e795	?h?h?h?h?h?h?h?h?h?h?h?h
P-660HW-T1	S100Y43033927	5067f088a139	91b62affe9db

Unpublished WPA key algorithms

Active member

Member

New member

Active member

Attachments

Active member

Active member

Active member

New member

Attachments

Active member

Active member

Active member

Attachments

New member

Active member

Moderator

Active member

Active member

Attachments

Member

Attachments

Active member

Active member

Member