+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: Verizon Fios G3100 and E3200 Research (/thread-12540.html)
RE: Verizon Fios G3100 and E3200 Research - FiosFiend - 06-14-2025
Hey everyone, it’s time again for another update. I was able to manually process most of the images from last week's large scrape. I added some more of the G1100 MAC addresses. Unfortunately, we didn’t add to many entries to the database this week.
Updated Data Set:
router_data_FULL_061425.xlsx (Size: 823.16 KB / Downloads: 0)
The Dataset now contains:
G3100/E3200 - 613 entries
CR1000 A/B - 138 entries
ARC-XCI55AX - 122 entries
ASK-NCQ1338 - 142 entries
WNC-CR200A - 46 entries
G1100 - 322 entries
NVG558HX - 58 entries
Other - 118 entries
Total - 1559 entries
This week’s scrape did match 2 VERY similar passwords however. Certainly this can’t be a coincidence?
We caught a WNC-CR200A with the WiFi password grille9-yea-ode
We also have a CR1000A with the WiFi password yea-grille9-ork
I also figured out that the script to decrypt the CR1000A config file also works for the G3100! Modifying the config file was has been used to enable SSH on G1100 and CR1000. Unfortunately, on the latest firmware the G3100 doesn’t give us much to work with, just a bunch of files with the normal configuration parameters.
My device is currently on the latest firmware 3.4.0.10, so I tried to rollback my firmware using https://192.168.1.1/#/firmware_upgrade. I was able to roll back to 3.4.0.4, but anything before that was unsuccessful.
During this, I realized that the firmware was one version newer than my OP, so here are the links to the newest Firmware for G3100 and E3200
Code:
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.4.0.10_loader.bin
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.4.0.9_loader.binAlso I’m excited to share that with a bit of help from @soxrok2212 I was able to find some more previously unknown firmware links!
Here are the links for the G1100
Code:
http://cpe-ems0001.verizon.com/firmware/frontier4_vz_stepstone_release_01.03.01.02_firmwareupgrade.bin.signed
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.03.00.13_firmwareupgrade.bin.signed
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.03.00.14_firmwareupgrade.bin.signedThe first and last link I found in the firmware. Kind of strange, I expected to find more firmware versions, but I fuzzed the links using the file prefixs: bhr4, bhr4_release, and bhr4_stepstone_release, for firmware versions 01.00.00.00 to 03.05.06.30 followed by _firmwareupgrade or -FTR_firmwareupgrade ending with both .bin or .bin.signed on the base URLs https://cpe-ems33.verizon.com/firmware/, https://cpe-ems34.verizon.com/firmware/, and https://cpe-ems34.verizon.com/firmware/BHR4/. I also checked for frontier4_vz_stepstone_release, bhr4_stepstone_release, and bhr4_release on https://cpe-ems0001.verizon.com/firmware/.
The firmware contained these 2 links, but nothing is available there anymore.
Code:
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.02.00.16_firmwareupgrade.bin.signed
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.03.00.04_firmwareupgrade.bin.signedWe also found firmware links for the ASK-NCQ1338, I was able to figure out that the firmware naming is in the format ASK-NCQ1338_<current version>_<new version>.bin. Since I already collected the firmware version in the database, It was easy to enumerate other links! There were a few links missing files, I’m guessing that there is probably another firmware version in between. I could try fuzzing to find them, but I don’t think it’s entirely necessary at the moment. These links are accessible even if you’re not on the Fios network.
Code:
https://cdn2.vzwdm.com/ASK-NCQ1338_212331_212431.bin
https://cdn2.vzwdm.com/ASK-NCQ1338_212431_213231.bin
https://cdn2.vzwdm.com/ASK-NCQ1338_213231_214322.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_214322_214727.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_214727_220745.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_220745_220847.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_220847_222146.bin
https://cdn2.vzwdm.com/ASK-NCQ1338_220847_222146.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_222656_222746.binRunning binwalk on the firmware, it pops right open! I haven’t found anything too exciting, but I still need to poke around more.