Verizon Fios G3100 and E3200 Research
#21
Hey everyone, it’s time again for another update.  I was able to manually process most of the images from last week's large scrape.  I added some more of the G1100 MAC addresses.  Unfortunately, we didn’t add too many entries to the database this week.

Updated Data Set: 
.xlsx   router_data_FULL_061425.xlsx (Size: 823.16 KB / Downloads: 1)


The Dataset now contains:
G3100/E3200 - 613 entries
CR1000 A/B - 138 entries
ARC-XCI55AX - 122 entries
ASK-NCQ1338 - 142 entries
WNC-CR200A - 46 entries
G1100 - 322 entries
NVG558HX - 58 entries
Other - 118 entries
Total - 1559 entries

This week’s scrape did match 2 VERY similar passwords however. Certainly this can’t be a coincidence?

We caught a WNC-CR200A with the WiFi password grille9-yea-ode
We also have a CR1000A with the WiFi password yea-grille9-ork

[Image: attachment.php?aid=1311]
[Image: attachment.php?aid=1310]

I also figured out that the script to decrypt the CR1000A config file also works for the G3100!  Modifying the config file has been used to enable SSH on G1100 and CR1000.  Unfortunately, on the latest firmware the G3100 doesn’t give us much to work with, just a bunch of files with the normal configuration parameters.

[Image: attachment.php?aid=1312] [Image: attachment.php?aid=1313]

My device is currently on the latest firmware 3.4.0.10, so I tried to roll back my firmware using https://192.168.1.1/#/firmware_upgrade. I was able to roll back to 3.4.0.4, but anything before that was unsuccessful.

During this, I realized that the firmware was one version newer than my OP, so here are the links to the newest Firmware for G3100 and E3200
Code:
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.4.0.10_loader.bin
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.4.0.9_loader.bin

Also I’m excited to share that with a bit of help from @soxrok2212 I was able to find some more previously unknown firmware links!

Here are the links for the G1100
Code:
http://cpe-ems0001.verizon.com/firmware/frontier4_vz_stepstone_release_01.03.01.02_firmwareupgrade.bin.signed
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.03.00.13_firmwareupgrade.bin.signed
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.03.00.14_firmwareupgrade.bin.signed

The first and last links I found in the firmware. Kind of strange, I expected to find more firmware versions, but I fuzzed the links using the file prefixes bhr4, bhr4_release, and bhr4_stepstone_release, for firmware versions 01.00.00.00 to 03.05.06.30, followed by _firmwareupgrade or -FTR_firmwareupgrade, ending with both .bin and .bin.signed, on the base URLs https://cpe-ems33.verizon.com/firmware/, https://cpe-ems34.verizon.com/firmware/, and https://cpe-ems34.verizon.com/firmware/BHR4/. I also checked for frontier4_vz_stepstone_release, bhr4_stepstone_release, and bhr4_release on https://cpe-ems0001.verizon.com/firmware/.

The firmware contained these 2 links, but nothing is available there anymore.
Code:
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.02.00.16_firmwareupgrade.bin.signed
https://cpe-ems34.verizon.com/firmware/bhr4_release_02.03.00.04_firmwareupgrade.bin.signed

We also found firmware links for the ASK-NCQ1338. I was able to figure out that the firmware naming is in the format ASK-NCQ1338_<current version>_<new version>.bin.  Since I already collected the firmware version in the database, it was easy to enumerate other links! There were a few links missing files; I’m guessing that there is probably another firmware version in between. I could try fuzzing to find them, but I don’t think it’s entirely necessary at the moment.  These links are accessible even if you’re not on the Fios network.

Code:
https://cdn2.vzwdm.com/ASK-NCQ1338_212331_212431.bin
https://cdn2.vzwdm.com/ASK-NCQ1338_212431_213231.bin
https://cdn2.vzwdm.com/ASK-NCQ1338_213231_214322.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_214322_214727.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_214727_220745.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_220745_220847.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_220847_222146.bin
https://cdn2.vzwdm.com/ASK-NCQ1338_220847_222146.bin
<missing>https://cdn2.vzwdm.com/ASK-NCQ1338_222656_222746.bin

Running binwalk on the firmware, it pops right open! I haven’t found anything too exciting, but I still need to poke around more.

[Image: ncq1338-png.39122]


Attached Files
.jpeg   image_CR100545.jpeg (Size: 9.13 KB / Downloads: 88)
.jpeg   image_4192504518 copy.jpeg (Size: 129.8 KB / Downloads: 87)
.png   decrypted_config.png (Size: 71.3 KB / Downloads: 87)
.png   system.png (Size: 143.96 KB / Downloads: 87)
Reply
#22
This week was just a typical scrape, but we managed to add over 100 new entries!  I also got the MAC addresses entered for the NVG558HX entries.  We have added model CE1000A to the scrape; these get added under CR1000A/B.

Updated Data Set:  
.xlsx   router_data_FULL_062425.xlsx (Size: 872.74 KB / Downloads: 3)


The Dataset now contains:
G3100/E3200 - 646 entries
CR1000 A/B - 158 entries
ARC-XCI55AX - 130 entries
ASK-NCQ1338 - 151 entries
WNC-CR200A - 49 entries
G1100 - 352 entries
NVG558HX - 60 entries
Other - 130 entries
Total - 1676 entries


I wanted to highlight some of the devices that get caught in the QR scrape but are out of scope for this thread. Maybe sometime I will have some time to check them out further.  I have seen a dozen or so devices, but most of the time the QR only contains the SSID / Password.  Here are a few that are a bit more interesting.

[Image: s-l1600.jpg]

The QR code has the SSID, WiFi Password, Model, Serial, and Admin password.
Code:
('WIFI:T:WPA;S:CenturyLink0320;P:g3i2n6a7f8w5c4;http://www.centurylink.com/home/account/installmyapp.html;C4000BG;C4000BG2145000320;192.168.0.1;admin;W3h7v4m6',)

[Image: attachment.php?aid=1318]

The QR code is structured a bit differently, but contains all of the info that’s on the sticker.
Code:
('S/N:50D10M2BD07603\rMAC:80691A6ECE42\rName:_VelopSetupE42\rPassword:ktxt0dhzrj\rRecovery Key:67502',)

[Image: attachment.php?aid=1319]

The QR code has the SSID, WiFi password, MAC, Serial, Model
Code:
('WIFI:T:WPA2;S:MOTOB34E;P:glassfly525;;DEVICE:M:00403696B34E;S:1163-MG8702-30-1189;T:MG8702;;',)

[Image: attachment.php?aid=1320]

The QR code is missing the Serial and IMEI
Code:
('{"ID":"TMOBILE-7DF4",\n"KY":"award.wackiness.scabbed.jam",\n"U":"admin",\n"P":"wasp.raking.renewal.unleaded",\n"BT":"TMOBILE-7D-F4",\n"PN":"FMNT055AX000J",\n"23S":"ACDF9F1B7DF8"}',)

[Image: attachment.php?aid=1321]

Not much info in the QR code, but the sticker contains everything we would expect.  These passwords are 8 characters all digits and very easy to crack as seen here and on WPA-SEC.
Code:
('WIFI:T:WPA;S:TP-Link_BB4E;P:43582969;;',)


Attached Files
.jpeg   Linksys_MX20WH.jpeg (Size: 141.51 KB / Downloads: 72)
.jpg   Motorola_.MG8702jpg.jpg (Size: 125.27 KB / Downloads: 81)
.jpeg   TMobile_KVD21.jpeg (Size: 127.99 KB / Downloads: 89)
.jpg   TPlink_AX11000.jpg (Size: 123.95 KB / Downloads: 85)
Reply
#23
In case anybody wants them: wordlists (including Admin password lists 8 letter and 9 letter in the next post) for TMobile KVD21. I've been collecting them for a while. The words were compiled strictly from the KVD21.


Attached Files
.txt   3lista.txt (Size: 6.9 KB / Downloads: 7)
.txt   4lista.txt (Size: 3.41 KB / Downloads: 4)
.txt   5lista.txt (Size: 4.62 KB / Downloads: 3)
.txt   6lista.txt (Size: 5.16 KB / Downloads: 3)
.txt   7lista.txt (Size: 5.95 KB / Downloads: 4)
Reply
#24
Here are the wordlists for 8-letter and 9-letter.


Attached Files
.txt   8lista.txt (Size: 5.46 KB / Downloads: 3)
.txt   9lista.txt (Size: 5.94 KB / Downloads: 3)
Reply
#25
The weeks go by quick and it’s time for another update already! This week I didn’t run any scrapes or process any images for passwords, which means we don’t have a database update.

@samer59 shared his wordlists collected from the TMobile KVD21, so I thought I should extract all of the words in my database to their appropriate lists again. I have also included these Fios words in my lists.  These lists are attached below.

Saved 454 unique words to 3_letter_words.txt
Saved 888 unique words to 4_letter_words.txt
Saved 611 unique words to 5_letter_words.txt
Saved 379 unique words to 6_letter_words.txt
Saved 564 unique words to 7_letter_words.txt
Saved 7 unique words to 8_letter_words.txt

Without including samer59’s contribution, using the dictionary generator I previously posted would create a dictionary of 14,779,552,320 possible combinations for the strict 15-char <word><word><word> SSID passwords. Unfortunately I still haven’t found a way to reduce this list further.

It’s not all bad news this week though, I’ve made a bit of progress with the firmware! I shared the list of firmware links that I've found, and a GitHub user is hosting them for people that can’t download directly from Verizon ;) (https://3to.moe/verizon_fw/). My G3100 device is currently on version 3.4.0.10, which I thought was the latest version. However, I had noticed version 3.6.0.6 was listed on the Verizon firmware page. We already know the URL to find this firmware, so it was easy to find the link. Other devices had newer firmware listed too, so we grabbed those. I updated the fuzzing script with the new info and here’s what we found.

Code:
G3100:
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.6.0.5_loader.bin
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.6.0.6_loader.bin

E3200:
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.6.0.3_loader.bin

CR1000A:
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.6.0.2_BD_loader.bin

CR1000B:
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.6.0.2_BD_loader.bin

I was also rereading the huge OpenWRT thread on unlocking the CR1000A again, and this post had a link to firmware that I previously overlooked. These file names would be much harder for me to fuzz since they include a timestamp. However, searching for "cdn3.vzwdm" I came across these links. These files are also able to be directly downloaded by anyone!

Code:
https://cdn3.vzwdm.com/hdm/chr2fa_fw_3.2.0.11_oldsig_1685136655890.bin
https://cdn3.vzwdm.com/hdm/chr2fa_fw_3.3.0.11_loader_1715281399811.bin
https://cdn3.vzwdm.com/hdm/chr2fa_fw_3.3.1.2_1735849764361.bin

The firmware with the oldsig caught my attention. That is the first time we’ve seen this in the file name, and version 3.2.0.11 is actually one that we didn’t previously have. Unfortunately we don’t get any different outcomes using binwalk on these newly found firmware. However, the G3100/E3200 are Broadcom devices, and I found this script (BRCM-Unpack) that is supposed to unpack their firmware. Sadly it doesn’t correctly extract any of the G1100/G3100/E3200 firmware, but we get the following output for ALL of the CR1000A/B.

Code:
Image Processing Started on Thu 26 Jun 08:04:50 EDT 2025

Log: output.log
Source: chr2fa_fw_3.2.0.11_oldsig.bin
Size: 61219600

Checking Package Version

SQFS Offset: 55468552
Saved: root_fs.sqfs

Checking for FDT Pattern

FDT Offset: 256
Saved: chr2fa_fw_3.2.0.11_oldsig.dtb
chr2fa_fw_3.2.0.11_oldsig.dts: Warning (unit_address_vs_reg): /images/script/hash@1: node has a unit name, but no reg property
chr2fa_fw_3.2.0.11_oldsig.dts: Warning (unit_address_vs_reg): /images/hlos-199b4e2d5c82b8034f572c5225279453506f03d4/hash@1: node has a unit name, but no reg property
chr2fa_fw_3.2.0.11_oldsig.dts: Warning (unit_address_vs_reg): /images/rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450/hash@1: node has a unit name, but no reg property
chr2fa_fw_3.2.0.11_oldsig.dts: Warning (unit_address_vs_reg): /images/wififw_v1-45b62ade000c18bfeeb23ae30e5a6811eac05e2f/hash@1: node has a unit name, but no reg property
chr2fa_fw_3.2.0.11_oldsig.dts: Warning (unit_address_vs_reg): /images/wififw_v2-d1ec7b26faa44d75a2a40afa9a11c844f2b6ead3/hash@1: node has a unit name, but no reg property
Saved: chr2fa_fw_3.2.0.11_oldsig.dts

Description: Flashing emmc 200 200
Nodes: images
Images: script hlos-199b4e2d5c82b8034f572c5225279453506f03d4 rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450 wififw_v1-45b62ade000c18bfeeb23ae30e5a6811eac05e2f wififw_v2-d1ec7b26faa44d75a2a40afa9a11c844f2b6ead3

Extracting: script
  Description:  flash.scr
  Created:      Wed May 24 13:38:48 2023
  Type:        Script
  Compression:  uncompressed
Saved: script

Extracting: hlos-199b4e2d5c82b8034f572c5225279453506f03d4
  Description:  openwrt-ipq-ipq807x_64-qcom-ipq807x-hkxx-fit-uImage.itb.padded
  Created:      Wed May 24 13:38:48 2023
  Type:        Firmware
  Compression:  uncompressed
Saved: hlos-199b4e2d5c82b8034f572c5225279453506f03d4

Extracting: rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450
  Description:  openwrt-ipq-ipq807x_64-squashfs-root.img
  Created:      Wed May 24 13:38:48 2023
  Type:        Firmware
  Compression:  uncompressed
Saved: rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450

Extracting: wififw_v1-45b62ade000c18bfeeb23ae30e5a6811eac05e2f
  Description:  wifi_fw_squashfs.img
  Created:      Wed May 24 13:38:48 2023
  Type:        Firmware
  Compression:  uncompressed
Saved: wififw_v1-45b62ade000c18bfeeb23ae30e5a6811eac05e2f

Extracting: wififw_v2-d1ec7b26faa44d75a2a40afa9a11c844f2b6ead3
  Description:  wifi_fw_ipq8074_qcn9000_squashfs_v2.img
  Created:      Wed May 24 13:38:48 2023
  Type:        Firmware
  Compression:  uncompressed
Saved: wififw_v2-d1ec7b26faa44d75a2a40afa9a11c844f2b6ead3

Finished Image Processing: Thu 26 Jun 08:05:15 EDT 2025

Started Kernel Processing: Thu 26 Jun 08:05:15 EDT 2025
All Processing Completed on Thu 26 Jun 08:05:15 EDT 2025

The script extracted several images for us! That rootfs looks nice, but it's LUKS encrypted.
Code:
rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450: LUKS encrypted file, ver 1 [aes, xts-plain64, sha1] UUID: 4d12098e-44d5-46f4-8dd4-2622485ae277

The file that starts with “hlos-” is actually the U-Boot image (fit-uImage.itb.padded), and is also encrypted. Fortunately the user spol-eff posted a script to decrypt this image. The original script was in Swift code, but I ported it to Python.

Code:
import hashlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
import os
import struct

def decrypt_hlos(input_filepath, output_filepath):
    """
    Decrypts the HLOS image using SHA384 for key derivation and AES-256 CBC.

    Args:
        input_filepath (str): Path to the input encrypted HLOS file.
        output_filepath (str): Path for the decrypted output file.
    """
    # 1. Key Derivation (SHA384)
    # The Swift code uses SHA2(variant: .sha384).calculate(for: ...)
    # The input bytes are [0x26, 0x46, 0x35, 0x75, 0x61, 0x23, 0x4f, 0x72, 0x36, 0x56]
    key_material = bytes([0x26, 0x46, 0x35, 0x75, 0x61, 0x23, 0x4f, 0x72, 0x36, 0x56])
    sha384_hash = hashlib.sha384(key_material).digest()

    # The AES key is the first 0x20 (32) bytes of the SHA384 hash.
    # SHA384 produces a 48-byte hash, so we take the prefix.
    aes_key = sha384_hash[:0x20] # 32 bytes for AES-256

    # 2. AES Setup (CBC Mode, No Padding)
    # IV is Array(repeating: 0x0, count: 0x10) -> 16 null bytes
    aes_iv = bytes([0x0] * 0x10) # 16 bytes for AES block size

    # Initialize AES cipher
    cipher = Cipher(algorithms.AES(aes_key), modes.CBC(aes_iv), backend=default_backend())
    decryptor = cipher.decryptor()

    # 3. File Handling and Decryption
    try:
        # Ensure output directory exists if output_filepath includes one
        # (os.makedirs("") raises, so skip it for a bare filename)
        out_dir = os.path.dirname(output_filepath)
        if out_dir:
            os.makedirs(out_dir, exist_ok=True)

        with open(input_filepath, 'rb') as input_file:
            # Read the first 4 bytes (UInt32) for image size (little-endian)
            # and then seek back and past the 0x200 offset.
            # Swift code reads 4 bytes, then seeks to 0, then seeks to 0x200.
            # We can directly seek to 0x200 and read the rest.
           
            # First, read the full content after the header to calculate size if needed
            # For this script, we'll mimic the Swift behavior for imageSize display
           
            input_file.seek(0)
            size_bytes = input_file.read(4)
            if len(size_bytes) < 4:
                raise ValueError("Input file too small to read image size header.")
           
            # The Swift code loads as UInt32 littleEndian.
            # struct.unpack('<I', ...) parses 4 bytes as unsigned int, little-endian.
            image_size = struct.unpack('<I', size_bytes)[0]
            print(f"Image size (from header): {image_size} bytes")

            # Seek to the actual start of the encrypted data
            input_file.seek(0x200)
            image_bytes = input_file.read() # Read the rest of the file

            # Decrypt the image bytes
            decrypted_bytes = decryptor.update(image_bytes) + decryptor.finalize()

        # Write decrypted data to output file
        with open(output_filepath, 'wb') as output_file:
            output_file.write(decrypted_bytes)

        print(f"Done: written {len(decrypted_bytes)} bytes to {output_filepath}")

    except FileNotFoundError:
        print(f"Error: One of the files was not found.")
        print(f"Input: {input_filepath}")
        print(f"Output: {output_filepath}")
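    except Exception as e:
        print(f"An error occurred: {e}")


if __name__ == "__main__":
    import sys
    # Usage: python decrypt_hlos.py <encrypted_hlos> <decrypted_output>
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <encrypted_hlos> <decrypted_output>")
    decrypt_hlos(sys.argv[1], sys.argv[2])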

Once the hlos- file is decrypted, the image unpacks cleanly with unblob! The U-Boot image contains /etc/keyfile

[Image: attachment.php?aid=1331]

On a Linux system with cryptsetup installed, we can use this keyfile to decrypt and open the LUKS encrypted rootfs.

Code:
#sudo cryptsetup --key-file=keyfile luksOpen <file_path> <mapping_name> -v
sudo cryptsetup --key-file=keyfile luksOpen rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450 CR1000A_rootfs -v

This command has -v for verbose output, and should display:
Key slot 0 unlocked.
Command successful.

The decrypted SquashFS image will be located at /dev/mapper/<mapping_name>, so we can extract the image with

Code:
#sudo unsquashfs /dev/mapper/<mapping_name>
sudo unsquashfs /dev/mapper/CR1000A_rootfs

Which gives us the full, decrypted rootfs :)

[Image: attachment.php?aid=1332]

The keyfiles themselves aren’t in plain text, but we can view/share them using the command

Code:
cryptsetup luksDump --dump-master-key --key-file <keyfile path> <rootfs path>

WARNING!
========
The header dump with volume key is sensitive information
that allows access to encrypted partition without a passphrase.
This dump should be stored encrypted in a safe place.

Are you sure? (Type 'yes' in capital letters): YES
LUKS header information for rootfs-38f7ad8fe7922c1367cfac77ce43c6ee879dc450
Cipher name:      aes
Cipher mode:      xts-plain64
Payload offset:    4096
UUID:              4d12098e-44d5-46f4-8dd4-2622485ae277
MK bits:          256
MK dump:    30 c8 8e 47 a9 a0 d2 90 bb 3c 22 27 3f c7 53 a6
        71 e7 29 80 53 1f 43 67 e1 dd ca d4 5c c9 3a f4

I tried all of the above steps on the latest CR1000A firmware (chr2fa_fw_3.6.0.2_BD_loader.bin), and everything works as expected!

Code:
LUKS header information for rootfs-d616347925ecd1d9eb4366fd0013d30798e505f5
Cipher name:      aes
Cipher mode:      xts-plain64
Payload offset:    4096
UUID:              36281f72-7198-49fb-aa70-70b1557b8b1b
MK bits:          256
MK dump:    82 29 97 83 3e 52 25 92 6b c5 c8 10 4c 32 a8 ea
        be 99 f1 68 ae 08 6a c8 c7 86 fe 3d 31 aa 27 39


I haven’t had much of a chance to poke around, but please let me know if anything catches your eye.


Attached Files
.png   hlos_image.png (Size: 142.24 KB / Downloads: 38)
.png   SquasFS_root.png (Size: 366.02 KB / Downloads: 42)
.txt   3_letter_words.txt (Size: 1.77 KB / Downloads: 0)
.txt   4_letter_words.txt (Size: 4.33 KB / Downloads: 0)
.txt   5_letter_words.txt (Size: 3.58 KB / Downloads: 0)
Reply
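As an added example (not code from this thread or from cryptsetup), the Python below reads the LUKS1 header fields that `file` and `luksDump` report in post #25 straight from the image bytes, which is useful for triaging extracted firmware blobs on a machine without cryptsetup. The function names are assumptions, and the sample header is constructed from the values shown in the post with zeroed key material.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 on-disk header (big-endian): magic, version, cipher name, cipher mode,
# hash spec, payload offset (sectors), key bytes, MK digest, MK salt,
# MK digest iterations, UUID. Eight 48-byte key slots follow.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
SECTOR_SIZE = 512


def cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Return the header fields luksDump prints, without any key material."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("too short to hold a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_sectors, key_bytes,
     _digest, _salt, _iters, uuid) = PHDR.unpack_from(blob, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0")
    if version != 1:
        raise ValueError(f"LUKS version {version} has a different layout")
    active = []
    for n in range(8):
        state = SLOT.unpack_from(blob, PHDR.size + n * SLOT.size)[0]
        if state == SLOT_ENABLED:
            active.append(n)
    return {
        "cipher": cstr(cipher),
        "mode": cstr(mode),
        "hash": cstr(hash_spec),
        "payload_offset_sectors": payload_sectors,
        "payload_offset_bytes": payload_sectors * SECTOR_SIZE,
        "mk_bits": key_bytes * 8,
        "uuid": cstr(uuid),
        "active_slots": active,
    }


def build_sample_header():
    """Constructed header carrying the values shown in the post (no real key data)."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 32,
                    bytes(20), bytes(32), 1000,
                    b"4d12098e-44d5-46f4-8dd4-2622485ae277")
    slots = SLOT.pack(SLOT_ENABLED, 1000, bytes(32), 8, 4000)
    slots += SLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000) * 7
    return hdr + slots


if __name__ == "__main__":
    for key, value in parse_luks1_header(build_sample_header()).items():
        print(f"{key}: {value}")
```

The payload offset is stored in 512-byte sectors, so the 4096 shown by luksDump places the encrypted SquashFS 2 MiB into the file.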
#26
The rest of the wordlists from the previous post.


Attached Files
.txt   6_letter_words.txt (Size: 2.59 KB / Downloads: 0)
.txt   7_letter_words.txt (Size: 4.41 KB / Downloads: 0)
.txt   8_letter_words.txt (Size: 62 bytes / Downloads: 0)
Reply
#27
This week we’ve returned to our regularly scheduled scrapes, but only managed to snag 89 new entries.

Updated Data Set:  
.xlsx   router_data_FULL_070525.xlsx (Size: 911.88 KB / Downloads: 3)


The Dataset now contains:
G3100/E3200 - 680 entries
CR1000 A/B - 166 entries
ARC-XCI55AX - 137 entries
ASK-NCQ1338 - 158 entries
WNC-CR200A - 58 entries
G1100 - 364 entries
NVG558HX - 65 entries
Other - 137 entries
Total -  1765 entries

[Image: attachment.php?aid=1344]

We have a new device this week, the CME1000. I had been aware of this device for a while, but the sticker doesn’t have much information and I hadn’t found an image with a readable QR code yet. However, when we can read the QR code it has all of the relevant information. There is no device tear down, though I would like to see inside just for fun.
Code:
('WIFI:S:Verizon_MP6P3L;T:WPA;P:oak3-spigot-pay;;EXTENDER:M:CME1000;S:AAB21103062;B:08B05532DB18;P:NKFYQD94G;;2',)


I am a bit embarrassed to admit it, but I also realized this week we could have extracted the G1100 firmware since my original post. This GitHub page was part of my initial research, and until recently it contained the only known G1100 firmware (bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed and bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed). Both of these firmware are encrypted with a PGP key, but fortunately jameshilliard has already extracted the Private Keys for us!  Here are the keys, I have also attached them below.


We can add these to our keyring using the commands
Code:
gpg --import G1100_key1.txt
gpg: key 945FDCF4BDDB877F: "Verizon BHR4 <eu@greenwavesystems.com>" not changed
gpg: key 945FDCF4BDDB877F: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:      secret keys read: 1
gpg:  secret keys imported: 1

Code:
gpg --import G1100_key2.txt
gpg: key ABC74851666276E5: "Verizon BHR4 <eu@greenwavereality.com>" not changed
gpg: key ABC74851666276E5: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:      secret keys read: 1
gpg:  secret keys imported: 1

Then we can decrypt the firmware with the keys using this command
Code:
gpg --output <decrypted_output_file> --decrypt <encrypted_input_file>
gpg --output decrypted_bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed --decrypt bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed

Finally we extract the decrypted firmware with 
Code:
binwalk -Me decrypted_bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed

[Image: attachment.php?aid=1339]

And this is where I have been stuck... binwalk only extracts a system.dtb and I am not really sure what to do from there. It took me way too long to realize that the decrypted firmware extracts cleanly with unblob!

Code:
unblob decrypted_bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed

[Image: attachment.php?aid=1341]

The PGP Keys also work to decrypt the firmware that I found (bhr4_release_02.03.00.13_firmwareupgrade.bin.signed and bhr4_release_02.03.00.14_firmwareupgrade.bin.signed), but frontier4_vz_stepstone_release_01.03.01.02_firmwareupgrade.bin.signed is still missing the key.

Poking around the firmware just a bit, every version has this in /etc/shadow
root:$6$rFBGnLMRIiVVPTZ8$1J3zPn31Wfrht0oOCKZW52YhbA.lmNieZ6C7zaJ3sANjVYYk28E3FAA1xEMN4ezAu1IAQBRShs4vRl/atc5tF0:15861:0:99999:7:::


Attached Files
.png   Binwalk_firmware.png (Size: 68.52 KB / Downloads: 22)
.jpeg   EB07_1858.jpeg (Size: 118.68 KB / Downloads: 34)
.png   Unblob_G1100.png (Size: 354.29 KB / Downloads: 22)
.txt   G1100_keys.txt (Size: 6.75 KB / Downloads: 0)
Reply
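The label QR payloads quoted in posts #22 and #27 share one shape: `;`-separated fields, `;;` closing a section, single-letter keys, and sometimes unkeyed positional fields. As an added example (not code from the thread; the function names are assumptions and both sample payloads are constructed), this Python parser splits such a payload into sections and lists which credential fields a label's QR code exposes.

```python
import re

SECTION_RE = re.compile(r"^([A-Z]{2,}):(.*)$", re.S)  # WIFI:, EXTENDER:, DEVICE:
KEYED_RE = re.compile(r"^([A-Z]):(.*)$", re.S)        # S:ssid, P:password, ...

# Constructed samples modelled on the payload shapes quoted in the thread.
SAMPLE_EXTENDER = (r"WIFI:S:Example_AB12CD;T:WPA;P:oak1-pa\;ss-word;;"
                   r"EXTENDER:M:MODELX;S:SN0001;B:001122334455;P:ADMINPW01;;2")
SAMPLE_POSITIONAL = ("WIFI:T:WPA;S:ExampleNet0001;P:constructedpass;"
                     "http://isp.example/app.html;MODEL1;MODEL1SERIAL0001;"
                     "192.168.0.1;admin;constructedadmin")


def split_fields(payload):
    """Split on ';' while honouring backslash escapes in values."""
    fields, cur, i = [], [], 0
    while i < len(payload):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            cur.append(payload[i + 1])  # keep the escaped character literally
            i += 2
        elif ch == ";":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields


def parse_label_qr(payload):
    """Return ({section: {key: value, '_positional': [...]}}, trailing_extras)."""
    sections, extras, current = {}, [], None
    for field in split_fields(payload):
        if field == "":
            current = None              # ';;' closes the open section
            continue
        if current is None:
            m = SECTION_RE.match(field)
            if not m:
                extras.append(field)    # data outside any section
                continue
            current = sections.setdefault(m.group(1), {"_positional": []})
            field = m.group(2)
        m = KEYED_RE.match(field)
        if m:
            current[m.group(1)] = m.group(2)
        else:
            current["_positional"].append(field)  # e.g. URL, model, admin login
    return sections, extras


def exposed_secrets(payload):
    """List what a reader of the QR code learns beyond the sticker's SSID."""
    sections, _ = parse_label_qr(payload)
    findings = []
    for name, fields in sections.items():
        if "P" in fields:
            findings.append("wifi_password" if name == "WIFI"
                            else f"{name.lower()}_P_field")
        if fields["_positional"]:
            findings.append(f"{name.lower()}_unkeyed:{len(fields['_positional'])}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_EXTENDER, SAMPLE_POSITIONAL):
        print(exposed_secrets(sample))
```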