@drsnooker Admire the dedication, but at the end of the day if you have tried those macs (with +2 and -2 offset) with every possible known zyxel keygen (hex variant like the Perlico one), then it is most probable that they have their own proprietary algo unfortunately.
Unpublished WPA key algorithms
- Thread starter gpuhash_me
- Start date
@wizardhat yeah ran it against mac +/- 4 so no luck.
While I was travelling also finished up the ZTE salt search with no success.
with custom charset=abcdefghijklmnopqrstuvwxyz 'P
Unless we find this somewhere in a random firmware, I'll never know how close I was... It's possible I was a single letter off. Dang hash algorithms...
With no more ideas for the ZTE and Eircom and nothing to reverse in any firmware, all is left is the play with the Rotek algo. @PROger4everPublic already did a lot of work. I want to try to keep the two known charsets and switch the XOR masks and those multipliers (170,171,172) around to see if that gets any hits against the password that are not explained. But first I need to refamiliarize myself with all the work @FiosFiend did in the last couple of pages in this thread and catalogue the missfit passwords.
While I was travelling also finished up the ZTE salt search with no success.
| start | lead in | mask | padding |
| MAC/IMEI | "ZTE " | upto 10 chars from custom charset | 0's fill to 128 len/ No pad |
| MAC/IMEI | "ZTE's " | upto 10 chars from custom charset | 0's fill to 128 len/ No pad |
| MAC/IMEI | "ZTE is " | upto 10 chars from custom charset | 0's fill to 128 len/ No pad |
| MAC/IMEI | "ZTE will " | upto 10 chars from custom charset | 0's fill to 128 len/ No pad |
| MAC/IMEI | "WIFI " | upto 10 chars from custom charset | 0's fill to 128 len/ No pad |
| MAC/IMEI | Wifi " | upto 10 chars from custom charset | 0's fill to 128 len/ No pad |
Unless we find this somewhere in a random firmware, I'll never know how close I was... It's possible I was a single letter off. Dang hash algorithms...
With no more ideas for the ZTE and Eircom and nothing to reverse in any firmware, all is left is the play with the Rotek algo. @PROger4everPublic already did a lot of work. I want to try to keep the two known charsets and switch the XOR masks and those multipliers (170,171,172) around to see if that gets any hits against the password that are not explained. But first I need to refamiliarize myself with all the work @FiosFiend did in the last couple of pages in this thread and catalogue the missfit passwords.
FiosFiend
Active member
@drsnooker attached is the currently updated list, though I don’t think anything has changed since I last posted this. There are very few not found/unknown/impossible passwords left in the list, most of the issues were from me fat fingering the entries, or trying to read blurry images.
Here are the Rotek missfit passwords. There's another one from @Nikolia that might be a double typo or something.
Note that the admin password also contain the same char within 3 spots. So there must really be another algorithm out there.
Not sure why the ESSID hex does not match the MAC. But I found the pics on page 41 by @FiosFiend so all these entries look correct.
Note that the admin password also contain the same char within 3 spots. So there must really be another algorithm out there.
Not sure why the ESSID hex does not match the MAC. But I found the pics on page 41 by @FiosFiend so all these entries look correct.
| Model- | SSID- | WiFi_pw- | Admin_pw- | Hardware- | Firmware- | Serial- | MAC- |
| RX-22200 | RT-WiFi-A020 | kj3el9tC88 | eEbEcuaz | Rev1.0sp1 | 3188887000817 | EC-4C-4D-A0-A0-00 | |
| RX-22312 | RT-WiFi-F2E9 | 4DDWUeB885 | Rev1.0sp1 | 3195148010115 | DC-E3-05-7D-F2-EF | ||
| RX-23302 | RT-WiFi-49BB | eYEceY5y33 | 9UYbp66 | Rev1.0sp2 | V1.24.15 | 42231CMN00016889 | 48-29-E4-35-49-BB |
| RX-33412 | RT-GPON-0350 | VuCGwUE8S8 | UTVuHDhF | 52544B4721110222 |
The 7 char admin password for the RX-23302 missfit seemed odd to me. All the other 23302 use the Rotek2 algo so I decided to lower the accuracy of the fit to find seeds 3459,22897,133
Those seeds give me eYEceY5ye3 and the admin password 9UYbp4i6. It really looked like somebody on NASTROISAM.re edited this picture to give a fake WIFI and admin password.
Now I'll need to check the other three as they could all be fake. Thankfully the admin passwords will actually confirm if the seeds are correct.
Those seeds give me eYEceY5ye3 and the admin password 9UYbp4i6. It really looked like somebody on NASTROISAM.re edited this picture to give a fake WIFI and admin password.
Now I'll need to check the other three as they could all be fake. Thankfully the admin passwords will actually confirm if the seeds are correct.
VuCGwUE8S8 ==> VuCGwUE8S7 (with seeds 13150,22842,133) gives the correct admin password (rotek2). Looks like another case of photoshop, or an unlikely factory miss-print.
kj3el9tC88 ==> kj3ei9tCa8 (with seeds 14293,22884,133) gives admin password eHbEcuaz (so with H replaced with E)
4DDWUeB885 ==> 4eDWUeB8n5 (with seeds 8823,7389,132) gives admin password gCYpUniE (with the first char replaced with the last one)
At this point I think we must conclude that nastroisam just modifies their images for privacy reasons (rather than just putting a solid block over passwords) and no image from that site should be trusted.
And I think there are no more algorithms to be solved here.
kj3el9tC88 ==> kj3ei9tCa8 (with seeds 14293,22884,133) gives admin password eHbEcuaz (so with H replaced with E)
4DDWUeB885 ==> 4eDWUeB8n5 (with seeds 8823,7389,132) gives admin password gCYpUniE (with the first char replaced with the last one)
At this point I think we must conclude that nastroisam just modifies their images for privacy reasons (rather than just putting a solid block over passwords) and no image from that site should be trusted.
And I think there are no more algorithms to be solved here.
I'll put one more nail in this coffin as the RX-22200 has a bar code under the password.
Using an online bar code reader (https://online-barcode-reader.inliteresearch.com/) with the image from page 41 shows the actual password as "kj3ei9tCa8" as predicted by @PROger4everPublic and confirmed by the seeds giving a matching admin password. I guess we shouldn't believe everything we see in the internet.....
Using an online bar code reader (https://online-barcode-reader.inliteresearch.com/) with the image from page 41 shows the actual password as "kj3ei9tCa8" as predicted by @PROger4everPublic and confirmed by the seeds giving a matching admin password. I guess we shouldn't believe everything we see in the internet.....
FiosFiend
Active member
@drsnooker I recently found a bunch of firmware on Archive.org. It doesn’t look too well known based on the number of views. Maybe there is something in there that catches your attention?
@FiosFiend You just hit the motherlode! Over 9000 firmwares! This will require some scripting to compare it all the thousands of firmwares I've already looked at.
FiosFiend
Active member
You’ve probably noticed by now that sadly not 9,000 router firmware. However, the selectors on the side have "Embedded Firmware Collection (Heuwie) 5,042” that seems to be all router firmware. The nice thing about Archive.org is that they have an API. Here is a list of title and link to hopefully make things a bit easier. Please let me know any other ways I can help!
It'll actually be a couple more weeks before I can take a look.... Although it sounds like an AI might be able to help. "Which of the following firmware is from a modem that has a picture on ebay which shows the WIFI password?"
A lot of these old firmwares are from modems before WPA. May be they show a pin, or the password is just 'admin'
A lot of these old firmwares are from modems before WPA. May be they show a pin, or the password is just 'admin'
FiosFiend
Active member
NetComm devices recently caught my attention, and of our course @drsnooker has already located an algorithm for these devices. Unfortunately at the time you weren’t sure it was valid. I have collected data on some of these devices (attached) and with the help of AI I’ve confirmed your algorithm works for the OUI 00:60:64. Like you I tested the generated passwords against the WPA-SEC hashes for this OUI and struck out. Looking at the founds for the NetComm SSIDs, it doesn’t show too many passwords matching this pattern. So maybe the “memorable word” isn’t that memorable and people often change it?
ACCURATE MODEL VERIFICATION
==========================================================================================
Model MAC OUI Expected Generated Match SSID
------------------------------------------------------------------------------------------
3GM2WN 006064 Kawurivode kawurivode ✓ NetComm Wireless 3263
3GM2WN 006064 Medicutala medicutala ✓ NetComm 4574
NB16WV 006064 Tekimugahe tekimugahe ✓ NetComm Wireless 5792
NB16WV 006064 Yalorupite yalorupite ✓ NetComm Wireless 1074
NB16WV-02 006064 Hamirugevu hamirugevu ✓ NetComm 0148
NB16WV-02 006064 ronepisipo ronepisipo ✓ NetComm 4810
NF18AVC 18F145 poduroziza xxxxxxxxxx ✗ NetComm 3895
NF18AVC 18F145 boroqupeve xxxxxxxxxx ✗ NetComm 1062
... [all other models will show ✗] ...
MODEL SUMMARY:
==================================================
3GM2WN : 2/2 (100.0%)
NB16WV : 2/2 (100.0%)
NB16WV-02 : 2/2 (100.0%)
NF18AVC : 0/10 (0.0%)
NF18MESH : 0/1 (0.0%)
NF7 : 0/1 (0.0%)
NLT901AVC : 0/1 (0.0%)
OUI (Manufacturer) ANALYSIS:
==================================================
OUI 006064: 6/6 (100.0%) - Models: 3GM2WN, NB16WV, NB16WV-02
OUI 18F145: 0/8 (0.0%) - Models: NF18AVC, NF7
OUI F8CA59: 0/5 (0.0%) - Models: NF18AVC, NF18MESH, NLT901AVC
As you may have noticed, it doesn’t work for other models with other OUI. However these passwords follow the same format, so I suspect it’s a VERY similar algorithm. One thing about these other devices is that they can have 2 different SSID with 2 different passwords for the 2/5G band. So again with the help of AI I tried to find what the right input is. Unfortunately, I was unsuccessful.
================================================================================
SUMMARY OF TESTED PATTERNS
================================================================================
MAC Formats:
- XX-XX-XX-XX-XX-XX_WPA
- XXXXXXXXXXXX_WPA
- WPA_XXXXXXXXXXXX
- lowercase versions
Separators:
- -
- :
- .
- no separators
Suffixes:
- _WPA
- _WPA2
- _WPS
- _PSK
- _KEY
- _PASS
- _PASSWORD
- _NETCOMM
Band Specific:
- _2G
- _5G
- _2.4G
- _2GHZ
- _5GHZ
- _1
- _2
SSID Based:
- SSIDNUM
- SSIDNUM_WPA
- WPA_SSIDNUM
- NETCOMM_SSIDNUM
Serial Based:
- FULLSERIAL
- LAST4
- LAST6
- FIRST6
- FIRST8
Combinations:
- MAC_SSID
- SSID_MAC
- MAC_LAST4SERIAL
- LAST4SERIAL_MAC
Manufacturer:
- ZyXEL_MAC
- ZYXEL_MAC
- SAGEM_MAC
- BROADCOM_MAC
MAC Manipulations:
- OUI only
- device part only
- reversed
- without first/last chars
After some pretty exhaustive back and forth, I was not able to determine the new algorithm
Not different hash functions (MD5, SHA1, SHA256 all fail)
Not double-hashing (MD5 of MD5 fails)
Not different algorithm structures
Not different input formats (150+ variations tested)
Not different character sets or modes
Not SSID-based
Not serial number based
ACCURATE MODEL VERIFICATION
==========================================================================================
Model MAC OUI Expected Generated Match SSID
------------------------------------------------------------------------------------------
3GM2WN 006064 Kawurivode kawurivode ✓ NetComm Wireless 3263
3GM2WN 006064 Medicutala medicutala ✓ NetComm 4574
NB16WV 006064 Tekimugahe tekimugahe ✓ NetComm Wireless 5792
NB16WV 006064 Yalorupite yalorupite ✓ NetComm Wireless 1074
NB16WV-02 006064 Hamirugevu hamirugevu ✓ NetComm 0148
NB16WV-02 006064 ronepisipo ronepisipo ✓ NetComm 4810
NF18AVC 18F145 poduroziza xxxxxxxxxx ✗ NetComm 3895
NF18AVC 18F145 boroqupeve xxxxxxxxxx ✗ NetComm 1062
... [all other models will show ✗] ...
MODEL SUMMARY:
==================================================
3GM2WN : 2/2 (100.0%)
NB16WV : 2/2 (100.0%)
NB16WV-02 : 2/2 (100.0%)
NF18AVC : 0/10 (0.0%)
NF18MESH : 0/1 (0.0%)
NF7 : 0/1 (0.0%)
NLT901AVC : 0/1 (0.0%)
OUI (Manufacturer) ANALYSIS:
==================================================
OUI 006064: 6/6 (100.0%) - Models: 3GM2WN, NB16WV, NB16WV-02
OUI 18F145: 0/8 (0.0%) - Models: NF18AVC, NF7
OUI F8CA59: 0/5 (0.0%) - Models: NF18AVC, NF18MESH, NLT901AVC
As you may have noticed, it doesn’t work for other models with other OUI. However these passwords follow the same format, so I suspect it’s a VERY similar algorithm. One thing about these other devices is that they can have 2 different SSID with 2 different passwords for the 2/5G band. So again with the help of AI I tried to find what the right input is. Unfortunately, I was unsuccessful.
================================================================================
SUMMARY OF TESTED PATTERNS
================================================================================
MAC Formats:
- XX-XX-XX-XX-XX-XX_WPA
- XXXXXXXXXXXX_WPA
- WPA_XXXXXXXXXXXX
- lowercase versions
Separators:
- -
- :
- .
- no separators
Suffixes:
- _WPA
- _WPA2
- _WPS
- _PSK
- _KEY
- _PASS
- _PASSWORD
- _NETCOMM
Band Specific:
- _2G
- _5G
- _2.4G
- _2GHZ
- _5GHZ
- _1
- _2
SSID Based:
- SSIDNUM
- SSIDNUM_WPA
- WPA_SSIDNUM
- NETCOMM_SSIDNUM
Serial Based:
- FULLSERIAL
- LAST4
- LAST6
- FIRST6
- FIRST8
Combinations:
- MAC_SSID
- SSID_MAC
- MAC_LAST4SERIAL
- LAST4SERIAL_MAC
Manufacturer:
- ZyXEL_MAC
- ZYXEL_MAC
- SAGEM_MAC
- BROADCOM_MAC
MAC Manipulations:
- OUI only
- device part only
- reversed
- without first/last chars
After some pretty exhaustive back and forth, I was not able to determine the new algorithm
Not different hash functions (MD5, SHA1, SHA256 all fail) Not double-hashing (MD5 of MD5 fails) Not different algorithm structures Not different input formats (150+ variations tested) Not different character sets or modes Not SSID-based Not serial number based
FiosFiend
Active member
A bit more NetComm data. @drsnooker can any of your Zyxel algorithms generate these passwords?
NetComm 3569 2zc5xZWU2ztnVX7S D0DBB7E17CDC 214025242905538 356277821762501 NL20
NetComm 3789 MdkYN75JHx8TTg4c D0DBB7915D04 214025224205533 356277820376766 NL20
NetComm 9222 rAfzFav8sNDdCNFC D0DBB7626569 214025223106752 356277820191512 NL20
NetComm 7359 cUcES76pV6vv7vG3 D0DBB7A991F7 214025224907832 356277820666588 NL20-01-01
NetComm 2299 scxp4CxfWhf697bb
NetComm 3569 2zc5xZWU2ztnVX7S D0DBB7E17CDC 214025242905538 356277821762501 NL20
NetComm 3789 MdkYN75JHx8TTg4c D0DBB7915D04 214025224205533 356277820376766 NL20
NetComm 9222 rAfzFav8sNDdCNFC D0DBB7626569 214025223106752 356277820191512 NL20
NetComm 7359 cUcES76pV6vv7vG3 D0DBB7A991F7 214025224907832 356277820666588 NL20-01-01
NetComm 2299 scxp4CxfWhf697bb
It's alphanumeric (non-hex) which means it would be a zykgen cocktail variant. None of the current variants work, given a mac +/- 8 or the serial +/- 10.
It's not forbidden and could potentially be generated using zykgen given the correct seed, but it would be very unlikely.
It's not forbidden and could potentially be generated using zykgen given the correct seed, but it would be very unlikely.
They could also be passgen mode 4 (but with a different seed or suffix) More data to see if letters are left out like (0,1,i, l, o etc)
Perhaps a dedicated passgen module for hashcat, or may be I'll modify my OpenCL MD5 to try to search for a passgen mode 3 MAC+suffic to see if I can make it work.
Perhaps a dedicated passgen module for hashcat, or may be I'll modify my OpenCL MD5 to try to search for a passgen mode 3 MAC+suffic to see if I can make it work.
FiosFiend
Active member
Finally got one! I recently read this paper (attached, remove .txt from pdf to open) where the author discuss finding a few algorithms. Sadly they don’t disclose the actual algorithms, which means that we have an egg hunt on our hands!
I found 2 files in the firmware for elecom's WRH-583WH2 named wpakey2.4g and wpakey5g. Loading them into Ghidra was easy and the decompiled pseudo code was simple to grab. Working with AI a bit, I was able to get a working python script of the wpakey5g algorithm (attached, remove .txt). Testing it in my environment, I am able to confirm that it correctly generates the key shown on the device. There are only a few entries for these SSID on WPA-SEC. Unfortunately the keygen doesn’t crack any of them. I tried using the MAC address +/- 6 as input but still didn’t have any luck. Elecom makes other models with the same SSID and different password format.
Known <MAC:Pass> from images:
bc5c4c2ced61:4772699470186
bc5c4c2d0085:4766205670098
bc5c4c2d016b:5367495178935
The wpakey2.4g is actually a different algorithm that uses “HW_WLAN1_WLAN_ADD” as input, but wpakey5g uses “HW_NIC1_ADDR”. I have been able to emulate wpakey2.4g with QEMU and it spits out "5108498128774”. A bin named “flash" is where the MAC address is pulled from NVRAM that’s used as input, but I haven’t quite worked out feeding it a known MAC to see what it puts out or what the default MAC that it’s generating that key for.
I found 2 files in the firmware for elecom's WRH-583WH2 named wpakey2.4g and wpakey5g. Loading them into Ghidra was easy and the decompiled pseudo code was simple to grab. Working with AI a bit, I was able to get a working python script of the wpakey5g algorithm (attached, remove .txt). Testing it in my environment, I am able to confirm that it correctly generates the key shown on the device. There are only a few entries for these SSID on WPA-SEC. Unfortunately the keygen doesn’t crack any of them. I tried using the MAC address +/- 6 as input but still didn’t have any luck. Elecom makes other models with the same SSID and different password format.
Known <MAC:Pass> from images:
bc5c4c2ced61:4772699470186
bc5c4c2d0085:4766205670098
bc5c4c2d016b:5367495178935
The wpakey2.4g is actually a different algorithm that uses “HW_WLAN1_WLAN_ADD” as input, but wpakey5g uses “HW_NIC1_ADDR”. I have been able to emulate wpakey2.4g with QEMU and it spits out "5108498128774”. A bin named “flash" is where the MAC address is pulled from NVRAM that’s used as input, but I haven’t quite worked out feeding it a known MAC to see what it puts out or what the default MAC that it’s generating that key for.
The attached article shows some more interesting titbits! I wonder who vendor_A is.... (ASUS???) Some clues about algorithms are present too. MD5 hash (with or without salt etc)
Either way, looks like there's more firmware that has keygens as the authors have found them.
And since Elecom likes to include the keygen in the firmware, it might be worth it to track down other models from them. A quick scan of yahoo.jp auctions shows a wrh-300 and wrh-733 as prime targets.
Either way, looks like there's more firmware that has keygens as the authors have found them.
And since Elecom likes to include the keygen in the firmware, it might be worth it to track down other models from them. A quick scan of yahoo.jp auctions shows a wrh-300 and wrh-733 as prime targets.
FiosFiend
Active member
@drsnooker The firmware that I found is a fantastic example for anyone trying to learn this stuff. It basically went how online tutorials show, find the firmware from the vendor site, unpack with binwalk, find binary and reverse with Ghidra. I have looked through a few more models, they all seem to be available online. I haven’t found anything else exciting other reference to gen-pin function that resides in the binary “flash” and is used for generating the WPS pin. I haven’t bothered to reverse that yet.
Elecom aren’t that interested though because they don’t seem widely used. However, the NTT has a lot of uncracked hashes on WPA-SEC. I found a few firmware, they seem readily available from the vendor but maybe they are encrypted now… or I haven’t found the right one yet.
Elecom aren’t that interested though because they don’t seem widely used. However, the NTT has a lot of uncracked hashes on WPA-SEC. I found a few firmware, they seem readily available from the vendor but maybe they are encrypted now… or I haven’t found the right one yet.
FiosFiend
Active member
If anyone wants to join in on the fun here is some more info...
According to the research paper, I am pretty sure Algorithm-4 is wpakey5g
"A value generated by a specific calculation from the AP’s MAC address is used as the default Wi-Fi password.”
Unfortunately the wpakey5g algorithm doesn’t seem to generate the proper password for these other devices, which likely explains why I wasn’t able to crack any of the WPA-SEC hashes. I need to finish reversing the wpakey2.4g, but that one calls srand() and rand(); I think that means I need to emulate it to retrieve the proper key. I just need to figure out how to feed it a new MAC and it will be finished. Algorithm-2 is going to be the one that produces the alpha-numeric passwords.
"The MD5 hash value of the AP’s MAC address is calculated. After converting the hash value to a character string, certain characters are deleted, and a certain length of characters from the beginning of the character string is used as the default Wi-Fi password."
Elecom
WRH-150 (Firmware) - reference to function gen-pin in /bin/flash
WRH-300 (Firmware)
WRH-583WHS (Firmware) - This is where I found wpakey2.4g and wpakey5g in /bin/
WRH-733 (Firmware)
WRC-1167 (Firmware)
WRC-X1800 (Firmware)
WRC-2533 (Firmware)
NTT (Firmware download page)
HR01
PR-400NE
PR-500MI
According to the research paper, I am pretty sure Algorithm-4 is wpakey5g
"A value generated by a specific calculation from the AP’s MAC address is used as the default Wi-Fi password.”
Unfortunately the wpakey5g algorithm doesn’t seem to generate the proper password for these other devices, which likely explains why I wasn’t able to crack any of the WPA-SEC hashes. I need to finish reversing the wpakey2.4g, but that one calls srand() and rand(); I think that means I need to emulate it to retrieve the proper key. I just need to figure out how to feed it a new MAC and it will be finished. Algorithm-2 is going to be the one that produces the alpha-numeric passwords.
"The MD5 hash value of the AP’s MAC address is calculated. After converting the hash value to a character string, certain characters are deleted, and a certain length of characters from the beginning of the character string is used as the default Wi-Fi password."
Elecom
WRH-150 (Firmware) - reference to function gen-pin in /bin/flash
WRH-300 (Firmware)
WRH-583WHS (Firmware) - This is where I found wpakey2.4g and wpakey5g in /bin/
WRH-733 (Firmware)
WRC-1167 (Firmware)
WRC-X1800 (Firmware)
WRC-2533 (Firmware)
NTT (Firmware download page)
HR01
PR-400NE
PR-500MI