10-11-2020, 12:00 AM

I've been working on the 5268's, not gonna clog up this thread with what I've found but if anyone's interested in collaborating please send me a PM.

10-16-2020, 09:45 AM

Been comparing 5268AC-FXN credentials.

There is a clear correlation between the first six digits of the MAC, and the first five digits of the S/N.

I'll list the pictures I used to deduce this.

MAC F8:18:97:1ED:1C , S/N 18151N018859

https://picclick.com/Pace-ATT-Model-5268...id=1&pid=4

MAC F8:18:97:08:A8:64 , S/N 19151N004762

https://picclick.com/Pace-ATT-Model-5268...id=1&pid=4

Same thing with these two

https://picclick.com/ATT-U-VERSE-WI-FI-H...id=1&pid=4

https://picclick.com/ATT-U-Verse-Megabit...id=1&pid=5

And these three

https://picclick.com/ATT-U-VERSE-5268AC-...id=1&pid=1

https://picclick.com/ATT-U-verse-Pace-52...id=1&pid=3

https://picclick.com/ATT-UVerse-5268ACFX...id=1&pid=2

You can definitely see a pattern in the S/Ns.

The last six digits of the S/N are probably a unique ID. Not sure if any of this will yield anything, but it is interesting so I thought I'd share.

11-03-2020, 10:46 AM

(10-16-2020, 09:45 AM) Red1337 Wrote: Been comparing 5268AC-FXN credentials.

There is a clear correlation between the first six digits of the MAC, and the first five digits of the S/N.

Code:

`The 2Wire/Pace serial number has the form 'aabbcdeeeeee'.`

Here 'aa' is 2 digits possibly encoding the manufacture date (observed possible first digits include 1,2,3,4, and 9.)

'bb' is the year ('12' for 2012, etc.), 'c' is almost always 1. 'd' varies; its exact meaning is unclear, but all observed 3801's have a '9' here, all observed 5268AC's have an 'N', and other devices vary.

Source: http://en.techinfodepot.shoutwiki.com/wi...26T_Uverse

For the 589 and 599 (and probably the bgw210s?), the serial is just the mac-1 converted to decimal.
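
A small decoder for the 'aabbcdeeeeee' serial layout described in this post, written here as an added example (it is not code from the thread or from the techinfodepot wiki). It assumes 'bb' maps to the year 2000 + bb and that the only known 'd' markers are 'N' (5268AC) and '9' (3801); a defender can use it to tag gateway models and manufacture years in an asset inventory from serials alone.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout quoted in the post: 'aabbcdeeeeee' (12 characters). 'c' and 'd' are
# one character each; 'd' may be a digit or a letter ('N' on 5268AC units).
SERIAL_RE = re.compile(
    r"^(?P<aa>\d{2})(?P<bb>\d{2})(?P<c>\d)(?P<d>[0-9A-Z])(?P<unit>\d{6})$"
)

# Values of 'd' the post reports as consistent per model. Assumption: the
# table is incomplete, so an unknown code is reported as None, not an error.
DEVICE_HINTS = {"N": "5268AC", "9": "3801"}


@dataclass(frozen=True)
class PaceSerial:
    prefix: str        # 'aa': possibly encodes the manufacture date
    year: int          # 'bb' as a four-digit year (assumption: 2000 + bb)
    c: int             # 'c': almost always 1
    device_code: str   # 'd': model-dependent marker
    unit_id: str       # 'eeeeee': last six digits, likely a per-unit number

    @property
    def device_hint(self) -> Optional[str]:
        return DEVICE_HINTS.get(self.device_code)

def parse_pace_serial(serial: str) -> PaceSerial:
    """Split a 2Wire/Pace serial into its fields; raise on malformed input."""
    m = SERIAL_RE.match(serial.strip().upper())
    if m is None:
        raise ValueError(f"not a 12-character 2Wire/Pace serial: {serial!r}")
    return PaceSerial(
        prefix=m["aa"],
        year=2000 + int(m["bb"]),
        c=int(m["c"]),
        device_code=m["d"],
        unit_id=m["unit"],
    )

def summarize(serial: str) -> str:
    """One-line inventory summary, e.g. for flagging old units in an asset list."""
    s = parse_pace_serial(serial)
    model = s.device_hint or "unknown model"
    return f"{serial}: {model}, year {s.year}, unit {s.unit_id}"

if __name__ == "__main__":
    # Sample input: the two serials quoted in Red1337's post above.
    for sn in ("18151N018859", "19151N004762"):
        print(summarize(sn))
```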

11-12-2020, 03:15 AM

Thanks Fart-box. PM-ed our list!

I built a different version of genpass5268... I'm getting the echoes but much more consistent, hence I get keys that are a few points off from yours, but they ALL result in the correct answer, for example pwd=2aek7%tyw+nt

All these keys give the correct password (it doesn't skip like yours)

557810668266750

1423898784903950054

2847239759139633358

4270580733375316662

5693921707610999966

7117262681846683270

8540603656082366574

9963944630318049878

11387285604553733182

12810626578789416486

Which brings me to the multiplier/divisor/seed. I think I can brute force it, but it'll take years to get to 5 decimal places. With the 589 we can spot the minimum at a 0.1 resolution and can refine it after that to get more decimal places. What is the clever way to do it?

11-27-2020, 01:51 PM

(11-13-2020, 12:15 AM) drsnooker Wrote: No offence taken! We actually have a google sheet that we use to keep track of stuff, we all have access to it. I'll add all your keys to it, although I might skip the keys that don't work!

Hi,

Would you mind sharing the Google Sheet? I searched this post but couldn't find the link.

Thanks!

11-28-2020, 02:18 PM

I am trying to identify Huawei and Arris default key spaces. Does anyone have that info?

12-07-2020, 05:00 PM

No one has the info?

I was asking for the shared GDrive sheet with keyspaces... Thanks

12-15-2020, 09:27 AM

or simply take a look at hcxpsktool:

https://github.com/ZerBea/hcxtools/blob/...ol.c#L1282

It covers several algos (based on analysis of wpa-sec submissions).

Most of them are not covered by RouterKeyGen, because hcxpsktool calculates the entire key space instead of a single hit.

This behavior is wanted for analysis purposes, especially in combination with hcxdumptool attacks on CLIENTs (we don't have the origin AP MAC on this attack vector).

06-09-2021, 04:14 AM

Alrighty.... Let's get back to this 5268ac thingy. I've been collecting more passwords and some interesting statistics show up (see pictures)

After one letter (going right to left) the odds of getting another letter are about half of getting a number or symbol.

After 2 letters, the odds of getting another letter are about a third of getting a number or symbol.

After three letters you'll definitely get a number or a symbol (unless the sequence starts with the very last letter, then you can have 4 letters in a row)

After a symbol it is also forbidden to get another symbol (letter or number only). So a lot of weird statistics going on!

Most of this has been described up thread, so nothing really new, but I'm practically starting over with the analysis.

Based on Fart's comments, I'm probably chasing my tail (red herring) and all this falls out automatically when I finally get the correct multiplier. But I haven't had any luck with that yet. But I finally have more time, so maybe I can get it this summer.

06-09-2021, 05:08 PM

This kinda belongs in this thread...

CGM4140COM routers have a default password that doesn't quite fit in the hybrid mode or the combinator mode

wordlist ?d?d?d?d wordlist

Any suggestions how to tackle this one? Do we need an -a 8?