Unpublished WPA key algorithms

drsnooker

Found some firmware download locations for Chinese routers.
 

FiosFiend

@PROger4everPublic your hits on VOO- led me to look for more of their firmware. Unfortunately I didn’t find any, however I did uncover an older keygen disclosure.

https://github.com/QKaiser/voodoo

Like we’ve seen in many other instances, the “solution” for the ISP is just to change the broadcast MAC. So I modified his brutepsk.py to build an SSID:Key lookup table. With this, about 100 or so keys are generated for each SSID, allowing us to quickly crack it with the command below (replace SSID.here with your SSID):

grep SSID.here voo_keys.txt | cut -d: -f2- | hashcat -m 22000 --stdin-timeout-abort=600

https://limewire.com/d/43zDe#YwEvj9Haxc

The device in question is a NETGEAR CG3100 which is ALWAYS rebranded by ISPs. If we could find the firmware, I’m sure we would find other keygens...

Numericable - 10 digits

BigPond - 10 digits

ConHem - 8 hex

Telstra - 10 digits (model C6300)
 

drsnooker

Finally managed to get into the Eircom P-660HN-T1A; the admin password was "broadband1", not 1234, admin or the wifi password.
Again /userfs/bin/md5 performed the factory reset, but how to get that file off? No USB port, no xxd, no hexdump, not even printf. No netscan or busybox nc;
ftpput was using a hard-coded IP. Really bare OS!
Eventually managed to get tftp to work. After all that work, like the D1000 before, it just pulls the WPA password from NVRAM.
Only the Eircom F1000 left, but hope is dwindling fast.
 

Attachment: md5_p660hn_t1a.zip

FiosFiend

@Dawbs let me know that the download link in my last post wasn’t working so I reuploaded it.

https://limewire.com/d/43zDe#YwEvj9Haxc

And the confirmation photo that goes with it.

Here’s another ISP that uses the Netgear CG3100:

ONO - 10 digits (note the similarity between the security pin and WiFi key)
 

drsnooker

AI (after a lot of follow-up questions) finally came up with a TP-link router that has a non-numerical password printed on the label and has a lot of entries on eBay: the OnHub TGR1900.
The firmware wasn't that hard to find and easily extracted. A quick grep shows the actual charset of those passwords, "bcdfghjkmnpqrstvwxyz", used in a function starting at 0x7fb4, which is called from within function 0x5578.
IDA, Cutter and Ghidra all struggle with the decompilation, so it's a bit of a guessing game. If you look at the IF statements around the 0x7fb4 function call, it all speaks of TPM endorsement, not wifi passwords. *sad trombone* It's possible that the PSK is generated in a similar manner (SHA256 of something) projected onto the charset. I tried the obvious things but no luck.

Another one for the close-but-no-cigar list.
 

Attachment: ap-get-setup-setting.zip

drsnooker

Another one for the close-but-no-cigar list.
Not so fast!
I think it's using the TPM as the RNG resulting in an int32. Then the SHA256 is taken of this int32 (just 4 bytes so possible to generate a dictionary)
So the function at 0x7fb4 does make the PSK (it has the correct fixed length of 9), but there is some weird math going on, so I think it'll require emulation to get it right.
 

drsnooker

Well, I'm stumped.
You can get the TP-link onhub firmware from https://openwrt.org/toh/hwdata/tp-link/tp-link_onhub_tgr1900 (Look for Firmware OEM Stock)
The SHA256 doesn't matter either. It just uses the first 4 bytes of the digest as the seed. Below is the code so far. But I'm struggling to figure out the shuffling. I'm sure the letters are correct, but the algorithm places them in a special order.
I'll add that the 9th letter is in the correct place (it cannot go above 'p' due to the maths: (2*INT_MAX << 6) / 20**9). So if you look for pictures online you'll notice the last char is never 'q' or higher.
I've been staring at this mesh of self referring pointers doing the shuffle, and I just don't get it. It also seems different in Ghidra from IDA. My attempts at emulation have also failed.
If I assume the shuffle is independent of the letters, I might be able to brute force the order in which the letters get put into the password. It's only 40000 possible permutations as I know the last letter goes in the 9th spot.
I'd greatly appreciate anybody willing to assist!


C++:
#include <iostream>
#include <string>
#include <cstdio>

using namespace std;
#pragma warning(disable : 4996)

// Letters used by the PSK function at 0x7fb4 in the firmware (20 consonants)
const string charset = "bcdfghjkmnpqrstvwxyz";

int main() {
    unsigned long long int i, residue, shifted, seed, checksum;
    int pos, n;
    char letter;
    string pwd = "012345678";   // 9-character PSK, overwritten below

    for (i = 1ull; i < 4294967295ull; i++) {  // loop 2 * INT_MAX to cover the unsigned int32 input
        shifted = i << 6;
        checksum = 0;
        residue = i;
        while (residue > 0) {                 // leaves the top 6-bit group of i in checksum
            checksum = residue & 63ull;
            residue = residue >> 6;
        }
        checksum = checksum & 63ull;
        seed = shifted + checksum;            // 38-bit seed: i shifted left by 6, plus its top 6 bits
        for (n = 0; n < 9; n++) {             // successive base-20 digits of the seed pick the letters
            letter = charset[seed % 20ull];
            pos = n;   // substitution order still unknown; plain order (no substitution) matches the label passwords found so far. 9th position is correct
            pwd[pos] = letter;
            seed = seed / 20ull;
        }
        printf("%s\n", pwd.c_str());
    }
    return 0;
}
 

Str0nger

Hello. Sorry for bringing up an old thread, but I noticed while looking at stickers on avito.ru that the passwords for some Rotek routers (models RX-33412 and RT-GE-5, v2i) don't match the rotek2 algorithm with seed3 values in the 131-133 range. Unfortunately, I can't check the entire seed3 range, as it would take a couple of months on my rather old computer. Could someone please explain the seed ranges for the passwords listed in the table?

Model | ESSID_2,4 | S/N | BSSID | admin | WPA_key | seed1 | seed2 | seed3
RT-GE-5, v2i | RT-GPON-981A | 52544B4722507424 | 48:29:E4:AD:98:24 | Hu3YAaU6 | QAmutA9R6C | | |
RX-33412 | RT-GPON-B3D1 | 52544B4722371588 | 48:29:E4:2C:B3:D8 | ZSuiYEqe | uisZbUaiuy | 19773 | 22879 | 133
RX-33412 | RT-GPON-2D10 | 52544B4722436787 | 48:29:E4:51:2D:1A | uYE5Uce5 | mva6Ydc8Eu | 11818 | 25249 | 133
RT-GE-5, v2i | RT-GPON-CDD6 | 52544B47224706282 | 48:29:E4:FC:CD:E0 | | BikAc7E3Ma | | |
RX-33412 | RT-GPON-5376 | 52544B4722553062 | 48:29:E4:C2:53:80 | UezY9bUC | XxYU3AYUQ3 | | |
RT-GE-5, v2i | RT-GPON-FF7B | 52544B4723002670 | 1C:CA:41:0F:FF:85 | i8tYKztE | K9jybYiDtE | | |
RT-GE-5, v2i | RT-GPON-B04C | 52544B4722462721 | 48:29:E4:7D:B0:56 | kFYUaEi4 | 8qQAf4iFaC | | |
RT-GE-5, v2i | RT-GPON-0F1F | 52544B4700017456 | 1C:CA:41:14:0F:29 | aXUvEsAn | jY7fECYL7U | | |
RT-GE-5, v2i | RT-GPON-D7B9 | 52544B4722301792 | 48:29:E4:18:D7:C3 | khAi9d7e | MU7iAtGxue | 29630 | 22852 | 133
RX-33412 | RT-GPON-175A | 52544B4722410992 | 48:29:E4:4A:17:64 | EYUKh4Be | 3vhnyEV7y2 | 5292 | 25249 | 133
RX-33412 | RT-GPON-B42E | 52544B4722638178 | 48:29:E4:D9:B4:38 | 9w6ujUef | JjNUiPQXuf | | |
RX-33412 | RT-GPON-16BF | 52544B4722372995 | 48:29:E4:2D:16:C9 | MyE8waZT | mqvuQ2U7yB | 18338 | 22879 | 133
RX-33412 | RT-GPON-F87A | 52544B4722519000 | 48:29:E4:B8:F8:84 | Y6cBCuea | R7Y4uTE6Le | | |
RX-33412 | RT-GPON-897C | 52544B4722663057 | 48:29:E4:E0:89:86 | xMyuAtDd | riuMBQ5EU6 | | |
RT-GE-5, v2i | RT-GPON-CA78 | | | BiEbvhut | gXdAyL63AH | | |
RT-GE-5, v2i | RT-GPON-A47C | 52544B4722511241 | 48:29:E4:AE:A4:86 | MhTL4Q7e | YiRK4LSatU | | |
RT-GE-5, v2i | RT-GPON-567F | 52544B4722303595 | 48:29:E4:19:56:89 | 73HWDK47 | cYZG4yEuUa | 19497 | 22908 | 133
 

drsnooker

@Str0nger fascinating finds and a very important addition to the Rotek2 algorithm!!!!

3471,26086,21995,8qQAf4iFaC
1840,26086,21995,QAmutA9R6C
2162,26092,21995,JjNUiPQXuf
253,26307,21995,jY7fECYL7U
9003,26091,21995,XxYU3AYUQ3
10015,26089,21995,riuMBQ5EU6
12760,26091,21995,R7Y4uTE6Le
18110,26089,21995,gXdAyL63AH
20036,26086,21995,YiRK4LSatU
22694,26078,21995,K9jybYiDtE
29863,26089,21995,BikAc7E3Ma

As you can see there is a new seed3 at 21995!
So I'm sorry to say your dictionaries just got 25% bigger with the 131,132,133 and now 21995 as a possible seed3
 

drsnooker

Well I cannot figure out how this substitution pattern works on the TP-link OnHub TGR1900. But I don't feel like staring at it anymore. Besides @FiosFiend discovered that the attached C++ code does indeed generate all ebay found passwords without the substitution. So unless there's a real interest in drilling this down to the TPM output that feeds into the SHA256, this 46GB dictionary should work to crack one or two caps for ESSIDs that start with setup?H?H?H?H and have a TP-link OUI.
 

Attachment: tgr1900.zip

drsnooker

I would say - by 30%...
Well, the seed2 range seems really limited, so perhaps a separate dictionary for seed3=21995 and seed2=26078-26307.
If @Str0nger could find a lot more passwords that fit this new seed3, you might be able to get the exact range for seed2.
 

dr3v3r

there is nothing much new one can find in avito.ru
RX-33412
RT-GPON-D71A
vxUezsf4
ecYuXEgYaQ
1893,26092,21995,ecYuXEgYaQ

RT-GPON-A52A
rexnRUet
aXAsY6ayeu
12416,26089,21995,aXAsY6ayeu

RT-GPON-B8C6
897Sye8P
KpEnMZ4xaZ
19998,26086,21995,KpEnMZ4xaZ

RT-GPON-1FD8
sua3DWyi
uYeUTA4dyY
26053,26089,21995,uYeUTA4dyY
 

FiosFiend

Here’s a funny one for you. Zyxel VMG3625-T50B-EG01V1F

Password is the last 8 digits of the serial. We know enough about Zyxel serials to know that the first 2 digits are the production week (01-52), the 3rd digit is almost always 0 (very rarely 1), and the last 5 digits are the incremental serial. It varies a bit by OUI, but since the SSID is from the MAC and the Key is from the serial, we can see linearity in the found data.

WE_031FA0:13027307
WE_03A050:13029366
WE_27FF20:18064769
WE_2870E0:18066589
WE_4AA4F0:19075882
WE_652AB0:27029156
WE_6717A0:27037043
WE_6757A0:27038067
WE_676360:27038255
WE_67CA20:27039899
WE_9C7820:29011890
WE_B8B3B0:30025969
 

Dawbs

Here’s a funny one for you. Zyxel VMG3625-T50B-EG01V1F

Password is the last 8 digits of the serial. We know enough about Zyxel serials to know that the first 2 digits are the production week (01-52), the 3rd digit is almost always 0 (very rarely 1), and the last 5 digits are the incremental serial. It varies a bit by OUI, but since the SSID is from the MAC and the Key is from the serial, we can see linearity in the found data.

WE_031FA0:13027307
WE_03A050:13029366
WE_27FF20:18064769
WE_2870E0:18066589
WE_4AA4F0:19075882
WE_652AB0:27029156
WE_6717A0:27037043
WE_6757A0:27038067
WE_676360:27038255
WE_67CA20:27039899
WE_9C7820:29011890
WE_B8B3B0:30025969
It actually makes sense. Many of us here can crack 8 digits in under 30 seconds, so if you are going to use 8 digits as default, why bother writing an algorithm to generate it? Just use the serial number. :ROFLMAO::ROFLMAO::ROFLMAO:

What's worse is that they use the same password for the admin login. :mad:
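Pulling the thread's observations together, here is an added auditing example (not code from any post above) that labels a default PSK by the weak-default family it resembles and returns the effective keyspace a defender should budget for: the CG3100 10-digit and 8-hex labels, the OnHub TGR1900 9-letter keys (nominally 20^9 strings but seeded from 4 bytes, so the last letter never passes 'p'), and the Zyxel VMG3625 key that is the last 8 digits of the serial (week 01-52, third digit 0 or 1, 5-digit counter). The sample PSKs, the serial and the 4M guesses/s rate in the demo are constructed assumptions, not label data.

```python
import math
import re
from typing import Optional, Tuple

# Letters the TGR1900 firmware draws its 9-letter PSK from (20 consonants).
ONHUB_CHARSET = "bcdfghjkmnpqrstvwxyz"

# Effective keyspace (bits) per default-key family seen in the thread: what a
# defender should budget for, not the nominal size suggested by key length.
FAMILY_BITS = {
    "cg3100-10-digit": math.log2(10 ** 10),        # Numericable / BigPond / Telstra
    "cg3100-8-hex": math.log2(16 ** 8),            # ConHem
    "onhub-tgr1900": 32.0,                         # 20**9 strings, but seeded by 4 bytes
    "zyxel-serial": math.log2(52 * 2 * 10 ** 5),   # week 01-52, 3rd digit 0/1, 5-digit counter
}

def classify_psk(psk: str, serial: Optional[str] = None) -> Tuple[str, float]:
    """Return (family, effective_bits) for a PSK; serial is the label serial if known."""
    if serial is not None and psk == serial[-8:]:      # Zyxel rule: key = serial tail
        return "zyxel-serial", FAMILY_BITS["zyxel-serial"]
    if re.fullmatch(r"\d{10}", psk):
        return "cg3100-10-digit", FAMILY_BITS["cg3100-10-digit"]
    if re.fullmatch(r"\d{8}", psk):
        if 1 <= int(psk[:2]) <= 52 and psk[2] in "01":  # shaped like a Zyxel serial tail
            return "zyxel-serial", FAMILY_BITS["zyxel-serial"]
        return "8-digit", math.log2(10 ** 8)
    if re.fullmatch(r"[0-9a-fA-F]{8}", psk):
        return "cg3100-8-hex", FAMILY_BITS["cg3100-8-hex"]
    # OnHub keys: 9 letters from the consonant set. The seed is below 2**38, so
    # seed // 20**8 <= 10 and the 9th letter is at most charset[10] == 'p'.
    if len(psk) == 9 and set(psk) <= set(ONHUB_CHARSET) and psk[-1] <= "p":
        return "onhub-tgr1900", FAMILY_BITS["onhub-tgr1900"]
    # Anything else: nominal strength from the character classes actually used.
    classes = [(str.isdigit, 10), (str.islower, 26), (str.isupper, 26)]
    alphabet = sum(size for test, size in classes if any(test(c) for c in psk))
    alphabet += sum(1 for c in set(psk) if not c.isalnum())
    return "no-known-weak-family", len(psk) * math.log2(max(alphabet, 1))

def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every key of a family at an assumed PMK-calculation rate."""
    return 2 ** bits / guesses_per_second

if __name__ == "__main__":
    # Constructed sample inputs, not label data from the thread.
    for psk, serial in [("8423956071", None), ("3f9a02bc", None), ("13027307", "S2013027307"),
                        ("bdfhkmnpb", None), ("bdfhkmnpz", None)]:
        fam, bits = classify_psk(psk, serial)
        print(f"{psk:12s} {fam:22s} {bits:5.1f} bits  ~{seconds_to_exhaust(bits, 4e6):.0f}s at 4M/s")
```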
 

glennh

Sercomm WD300 (WindTre Home&Life) – Default WPA Algorithm Project

Hi @drsnooker and hi all,

I’ve been a "silent reader" of your work for quite a while now, and I really appreciate the incredible contributions you’ve made to the community over the years.

I’m reaching out because I’ve decided to take a closer look at the Sercomm WD300 (the WindTre Home&Life SuperWiFi model with the 6-digit SSID ending in -xxxxxx). While we already have a full reversal for its Zyxel VMG8825 "twin," it seems nothing has been publicly released for this Sercomm version yet, even though the serial format and derivation logic are likely very similar.

I recall seeing somewhere that you started looking into this project some time ago, but I’m not sure if you ever moved forward with it or if it was put on the back burner.

I’ve already purchased the router and have it here with me to start working on it. Since the firmware is distributed only via OTA and is pretty much impossible to find online, I’m taking steps to analyze it directly from the device.
I wanted to ask you:
  1. Do you know if this specific model has already been successfully reversed by you or someone else?
  2. Do you happen to have a firmware dump of the WD300, or know where I might find one to start the binary analysis right away?
  3. If I manage to get the firmware but hit a wall with the reversal, would you be interested in collaborating, or do you know anyone else who might be?
Of course, if I’m successful, I’ll share the results and the keygen with the entire community.

Thanks a lot for your time and for everything you do for the scene!
 

Attachment: wd300.jpg