Unpublished WPA key algorithms

FiosFiend

Active member
Feedback: 0 / 0 / 0
Joined
Apr 6, 2025
Messages
188
Reaction score
225
Credits
2,932
Welcome @glennh glad to have another person on the hunt!

I would first search for threads on OpenWRT forums for this device. It’s not that useful for WPA algorithms, but those guys are great at getting into devices.

If you’re able to trigger the firmware update, it might be possible to use something like Wireshark to see if you can catch the URL that the update is pulled from.

Do you have a USB to serial adapter? They are fairly cheap online. You would need to open up the device and connect to any UART pins you find. The goal is to get to root / console in order to pull the firmware from the device.

I am not sure what your current skill level is, but there are a lot of tutorials online that will help you a good bit initially. As you make progress or get stuck let us know and we’ll help where we can 👍
 

drsnooker

Indeed @glennh. I'd love to have a go if you get stuck. I only briefly looked at Sercomm (Russian models) and quickly discovered the firmware is encrypted, so I did not get anywhere.
The 4pda forum has some Sercomm firmware that you can download, but without the decryption algorithm you cannot extract it.

As @FiosFiend said, physical access to your modem might at least get you the firmware decryption algorithm, which then allows firmware extraction. After that perhaps we get lucky and the software engineers left the keygen (or at least a hint of it) on the device.
 

drsnooker

Well, I cannot figure out how this substitution pattern works on the TP-Link OnHub TGR1900. But I don't feel like staring at it anymore. Besides, @FiosFiend discovered that the attached C++ code does indeed generate all eBay-found passwords without the substitution. So unless there's a real interest in drilling this down to the TPM output that feeds into the SHA256, this 46GB dictionary should work to crack one or two caps for ESSIDs that start with setup?H?H?H?H and have a TP-Link OUI.
@RealEnder There's only 1 entry for the TP-LINK OnHub TGR1900 with ESSID setupHHHH in the uncracked wpa-sec database. It's setup7A11 with 4 different hashes. I figured I'd give the dictionary a go and, wouldn't you know it, password rryrkzcpp cracks all 4 entries. So the algo works in real life.

Attached is the C++ code to generate the dictionary if anybody ever comes across another one!
 

Attachments

  • onhub_dict.zip
    565 bytes · Views: 17

glennh

Thanks for the warm welcome @FiosFiend and for the heads-up @drsnooker

@FiosFiend: I’ll definitely check the OpenWRT forums to see if there's any existing groundwork. I do have a USB-to-TTL adapter ready, so my next step will be opening the case and hunting for those UART pins. I'll also try to sniff the OTA traffic, though I suspect it might be HTTPS.

@drsnooker: That’s a very important point about the encryption. If I can get console access, I’ll prioritize looking for the decryption routines or trying to dump the filesystem directly from memory while it's uncompressed.

I will post some high-res photos of the PCB as soon as I have the device open. If I find a serial console, I’ll share the boot logs here.

Glad to have you guys on board!
 

RealEnder

drsnooker said:
@RealEnder There's only 1 entry for the TP-LINK onhub TGR1900 with ESSID setupHHHH in the uncracked wpa-sec database. It's setup7A11 with 4 different hashes.
Nice find! Haven't looked at these devices, but maybe this setupHHHH AP is just temporary, which is removed after the initial config. The seed for setup7A11, which has BSSID a42bb0e87a11, is 4201969116. Can't see a correlation, and with just one sample it's a no-go, as the resulting list is too big (40 GB). Also don't see similar cracked keys for SSIDs worth trying.
 

drsnooker

ROTEK2 SEED3 30189 MAC 58F85C, F4E578
@kasper9776 Do you have a picture of the router?
@PROger4everPublic did some research and said there are some collisions (the algorithm does not always generate a unique password for given seeds)
 

kasper9776

drsnooker said:
@kasper9776 Do you have a picture of the router?
@PROger4everPublic did some research and said there are some collisions (the algorithm does not always generate a unique password for given seeds)
54525352241618E8:TS-4022:RT-GPON-E260:58F85C82E26A:7EUWYivAeL:Rotek2-133
5452535222314639:TS-4022:RT-GPON-3186:F4E578833190:K3F84afj7U:Rotek2-133
5452535223261580:TS-4022:RT-GPON-D00D:58F85C67D017:EYB97ajYua:Rotek2-30189
5452535222566907:TS-4022:RT-GPON-9AC5:F4E578F09ACF:gTUyi3AuYU:Rotek2-30189
5452535222498257:TS-4022:RT-GPON-CAF5:F4E578C2CAFF:9bSXE4YkCc:Rotek2-30189
5452535222660769:TS-4022:RT-GPON-4BB1:58F85C0D4BBB:gSyeAYTeyU:Rotek2-30189
5452535222609284:TS-4022:RT-GPON-3E67:F4E578FC3E71:EXs63EiYV8:Rotek2-30189
 

Attachments

  • Снимок экрана_2026-01-24_06-27-05.png (230.4 KB)
  • Снимок экрана_2026-01-24_06-28-39.png (128.2 KB)
  • Снимок экрана_2026-01-24_06-29-36.png (231.3 KB)
  • Снимок экрана_2026-01-24_06-30-13.png (121.5 KB)
  • Снимок экрана_2026-01-24_06-31-08.png (101.7 KB)
  • Снимок экрана_2026-01-24_06-33-04.png (88.8 KB)
  • Снимок экрана_2026-01-24_06-31-51.png (289.4 KB)

drsnooker

A while ago @Sparton noticed that some Mitrastar routers had passwords that could be generated by the Zyxel SBG3500. Then more recently @FiosFiend found the firmware for Mitrastar routers for the VIVO (Brazil) ISP. Those indeed contained the SBG3500 core algorithm, but took a different slice from the second hex digest. Instead of the normal start at 7 with password length 20, these started at 17 with length 10.
So I decided to try to run all possible cuts from the second hex digests (forwards and backwards) against the wpa-sec uncracked database, and found more than 5000 passwords. These had starting points at 7, 15 and 17 and lengths of 10, 12, 18, and 20.
The other thing I will note here is that the MAC used to generate the password differed from the BSSID by -7, -2, -1, and 0. You can usually look at the ESSID to determine the delta between the BSSID and the value of the MAC offset to run the algo.

I'll give an example for VIVOFIBRA-1AA8-5G with MAC=d8c678861aaf
The mac offset is -7 (0x1aa8 - 0x1aaf) so the input for the algorithm is d8c678861aa8
If you want to use the python version posted by @Plum you'd have to change line 58 to "key = hex_digest[16:16+length]" to change the starting point to the 17th character of the 2nd hex digest to get the correct password of '23F999636F'

The majority (98%) of the ESSIDs are MOVISTAR_HHHH (Where HHHH are usually the last two bytes of the mac used to run the keygen)
Second is VIVOFIBRA-HHHH
A few VIVOFIBRA-HHHH-5G
Then lots of odds and ends of people that changed the ESSID but not the default password.

The three most common OUIs are 8aaa9c,9897d1, and 345760 (31%,27%, and 17%)
Some other OUIs stand out as they are not listed as Mitrastar (found via the ESSID, rather than BSSID) 'c6c678' is listed as unknown
while 0025df is listed but not Mitrastar. It's possible these are repeaters or the user configured them to match a true Mitrastar router.

I've attached a comma separated spreadsheet of all the info if you want to have a closer look at these new found passwords.
 

Attachments

  • founds.zip
    346.5 KB · Views: 22

drsnooker

@Plum Any chance you can add another command line parameter to the SBG3500 algorithm to allow for users to change the start of the crop from hex_digest2?
I don't know how to do a pull request and I barely know python basics, but I think these are the modifications needed:

line 9
def SBG3500(serial, length,start):

line 58
key = hex_digest[start:start+length]

line 64.5 (insert new line)
parser.add_argument('-start', help='Password start', default=6, type=int)

line 67
SBG3500(args.serial, args.length,args.start)

So a function call for SBG3500('d8c678861aa8',10,16)
Would give: 23F999636F

Matlab has index 1, so the password start indices in Python would be 6, 14 and 16 (instead of 7, 15 and 17).
 

Plum

drsnooker said:
@Plum Any chance you can add another command line parameter to the SBG3500 algorithm to allow for users to change the start of the crop from hex_digest2?
Yup I will work on this when I have some time. A bit busy lately so might be a bit.
 

Plum

drsnooker said:
@Plum Any chance you can add another command line parameter to the SBG3500 algorithm to allow for users to change the start of the crop from hex_digest2?
Done.

Screenshot 2026-01-25 at 22.33.14.png
 

drsnooker

Another batch of founds for the Mitrastar OUI, this time using the zykgen algorithm, mostly of Gin and Juice.
With an ESSID of WLAN_HHHH the BSSID offset is two. All the others have no offset.
Most ESSIDs are Speedy-HHHHHH, some movistar_HHHHHH, and of course a few that changed the ESSID but not the default password.
 

Attachments

  • vivo_founds.zip
    72.9 KB · Views: 8

drsnooker

For the keen observers in the above table, there's a few dozen cocktail 14 passwords. It's a new one! @FiosFiend deserves the credit for the discovery of the firmware and decided to name it Quentão after a Brazilian drink. Here's a picture of an example. So far they have ESSID VIVO-HHHH

@Plum: I've updated the worked-out example data in the zykgen file to help you out. It begins with a new charset (ambiguous and non-ambiguous) as usual. But at the end it does a post modification to make sure there is at least one upper case, one lower case and a number in the password. (The positions depend on the length of the password.)
Mode 13 is the WIND3 mode2 that you have already implemented as a stand-alone so you can just ignore it if you want.
 

Attachments

  • zykgen_wpa.zip
    2.3 KB · Views: 16

FiosFiend

Awesome work @drsnooker!

I just wanted to follow up with a bit more info. I found the VIVO- firmware pack here: https://archive.org/download/firmwares-vivo

As you can see from the list, there are a lot of different models; let's take a closer look.

Askey RTF3505VW-N2
SSID: VIVOFIBRA-
RTF3505VW-N2.jpg
Key: Last 10 characters of MAC

Arcadyan VRX220 and ARV752DPW
SSID: VIVO-, GVT-
Arcadyan Vrv7006aw22.jpg
Key: The device uses the Serial as the password. The SN are broadcast in the packet, so I was able to use the WPA-SEC data to narrow the range to this mask: -1 456 -2 234 -3 012 "J?1?2?d?3?d?d?d?d?d"

dlink dsl-2740e
SSID: GVT-
dlink dsl-2740e.jpg
Key: Last 10 characters of serial, which starts with S1E, S1F, 41F, 13C

MitraStar DSL-100HN-T1
SSID: VIVO-
DSL-100HN-T1.jpeg
Gin and juice algorithm with Serial as input

DSL-100NH-T1-NV
SSID: VIVO-
DSL-100HN-T1_ref1.jpeg


DSL-100HN-T1_ref2.jpeg
Key: Algorithm currently unknown

Mitrastar Gpt2741gnac-n1
SSID: VIVOFIBRA-, MOVISTAR-
Gpt2741gnac-n1.jpg
Key: This is the one that uses the newly modified SBG3500 algorithm

Mitrastar DSL-2401HN-T1C-NV
SSID: VIVO-

Mitrastar DSL-2401HN-T1C-NV.jpg
Key: Last 10 characters of MAC

Mitrastar DSL-2401HNA-T1CC
SSID: WLAN_, SPEEDY-
Mitrastar DSL-2401HNA-T1CC.jpg
Key: Gin and juice algorithm with MAC as input

MitraStar DSL-2401HN2-E1C
SSID: VIVO-
MitraStar DSL-2401HN2-E1C.jpg
Key: This is the new Quentão cocktail!
 

drsnooker

@FiosFiend Great summary. Those DSL-100NH-T1-NV are bothering me. They smell like Gin and Juice. Perhaps just an unknown seed, like a hidden serial number, or something else. Let me have another look at the firmware, perhaps there's a hint in it.
 

wpa2wpa2

Movistar (Telefonica) Spain does not release firmware files publicly. They only update their routers remotely. Could Wireshark get it?

These are the current lists of Mitrastar and Askey router and repeater models used by MOVISTAR_XXXX and MOVISTAR-WIFI6-XXX:
 

FiosFiend

Unfortunately, I don’t know if we have the DSL-100NH-T1-NV firmware

DSL-100HN-T1-NV is a very closely named, but different device that uses the last 10 characters of the MAC as the key.
DSL-100HN-T1-NV_2.jpeg
DSL-100HN-T1-NV.jpeg
 

drsnooker

@FiosFiend found this algo in an Askey firmware. /sbin/askit_pwd_generator.
The password alternates (in default) between upper, lower and numbers so for a 20 char password there will be 7 upper case, 7 lower case and 6 digits. Sadly that doesn't match the WIFI passwords printed on the label. It shuffles the position after the original generation, so you can only tell in the intermediate password that it's just going in order.
Looking at some of the scripts, this might be the seed for askit_aes_crypt. But the only copy I have found so far is identified as running on "Argonaut Risc Core ARCompact" But I'll give it a go without emulation anyway....
@Plum ignore for now until we understand how this fits into the WIFI keygen.
 

Attachments

  • askey_gen.zip
    1.2 KB · Views: 9