06-21-2017, 08:32 AM
(This post was last modified: 06-22-2017, 08:38 PM by mrfancypants.)
(06-20-2017, 10:12 PM)fart-box Wrote: I'm afraid I have to agree with Mrfancypants when he said "it looks like these routers come with the 10-char SSID and the non-alphanumeric password burned directly into EEPROM at the factory", if for no other reason than that the WPA pass phrase is already printed right on the label when the router leaves the factory. It doesn't make sense that the router would need to "rebuild" the WPA pass phrase every time it does a hard re-boot.
That's not a bulletproof conclusion. Consider that the SSID is normally printed on the label too, but most firmwares I've seen so far also have code that generates the SSID inside firmware.
Your typical router has a tiny amount (kilobytes worth) of storage for things like the password and the wi-fi config. It's "natural" for it to have fields for:
* Serial number
* (Optionally) MAC address (sometimes serial and MAC are related)
* Model identifier
* Access code
* WPA passkey
...
If you try to do a full factory reset, it can do one of three things. It can either wipe the access code and the WPA passkey (leaving the device unsecured), or reset them to fixed values, or it can compute default values from the serial and/or MAC.
AT&T routers are a bit different, in that they *also* have, right in the platform chunk with the serial number:
* Default access code
* Default wireless key
* Default SSID
If you do a factory reset or use the box without changing defaults, they simply pull the values from the platform chunk and use them until you put in custom values.
Per the open-source headers, that may be the case for all firmware versions 9.x and 10.x (which is pretty much all firmwares we have):
/* Here begins the new fields introduced by 9x */
char serNumStr[MAX_SERNUM_STRLEN + 1];
/* Default "Wireless Network Key" (for AT&T, similar to access code) */
char wirelessKey[MAX_WIRELESS_KEY_STRLEN + 1];
/* Default "Wireless SSID" (for AT&T) */
char wirelessSSID[MAX_WIRELESS_SSID_STRLEN + 1];
ubyte allowFWUpdate;
Quote: "The Wi-Fi Network Name consists of “ATT” plus the last seven characters of the Wi-Fi Gateway’s serial number."
I'm pretty sure that's not true for most newer models, unless the gateway has a "secret" serial number in addition to the one printed on the label. Your typical 589 has a serial number that looks like "163150389796448" and is equal to its MAC address converted to decimal. Its SSID is mixed letters and digits.
Still, there may be something here.
Quote:I'm not sure why you guys are looking through older firmware for a solution, when clearly the NVG589 and NVG599 are the products we're interested in, but I'm sure you know what you're doing, and you're much better at this than I am.
I would expect the algorithm to be basically similar between 589s and older models, just with more obfuscation. If we could figure out how the WPA key was generated before firmware 9.x, that would be a big step forward.
Unfortunately, the only devices for which pre-9.x AT&T firmwares exist are apparently Motorola 2247-N8 and 2Wire 2701/3801. Motorola 2247-N8 uses a 20-hex WPA key that is generated from its access key using SHA1. I'm not sure yet if it generalizes to later versions. Motorola went 9.x with NVG510, I have firmware dated September 2011 (9.0.6h0d48) which looks very similar to their current offerings.
2701/3801s have been shipping with 10-digit keys for ages (since 2005 if not longer). Both are well hardened against reverse engineering. I had no luck reversing 2701s for multiple reasons, and I couldn't even find any 3801 firmwares to download. There has been least one successful attempt to dump flash images from either, but it's been so long that even the files are no longer available.