08-24-2018, 07:39 PM
(This post was last modified: 08-24-2018, 08:00 PM by soxrok2212.)
(06-28-2017, 03:19 AM)mrfancypants Wrote: I've finally worked out part of the algorithm for 589/599. Not enough to crack it (in fact, with what I worked out, it's totally possible that it's [effectively] uncrackable because they feed it from a RNG), but enough to understand how passwords are being constructed.
Consider the following. Actual parameters of a NVG599 off eBay:
SSID: ATTn3f64I2
Wireless key: nyrip9=c5bgv
Access key: 18?/72@@<3
Second SSID: vATTvb%g?<&c
Second wireless key: #h,t)0(ZUwI0
Looks random, right? Now watch:
Code:
ssid_charset='23456789ABCDEFGHIJKMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz'   # 56 symbols (no 0, 1, L, O, l, o)
pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'   # 37 symbols
ext_charset='!"#$%&\'()*+,-./:;<=?@[]_`{|}0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'   # 90 symbols

def intpw(x):
    # read the 12-char wireless key as a big-endian base-37 integer
    val=0
    for n in range(0,12):
        val+=pw_charset.find(x[n])*(37**(11-n))
    if (val%8)==7:
        val+=37**12
    return val

def intssid(x):
    # skip the 'ATT' prefix, read the remaining 7 chars as base-56
    val=0
    for n in range(0,7):
        val+=ssid_charset.find(x[n+3])*(56**(6-n))
    return val

def int_ext(x):
    # any-length string over the 90-symbol charset, read as base-90
    val=0
    for n in range(0,len(x)):
        val+=ext_charset.find(x[n])*(90**(len(x)-1-n))
    return val

>>> '%x' % intssid('ATTn3f64I2')
'13c2a3ea400'
>>> '%x' % intpw('nyrip9=c5bgv')
'7a7b4bbbf4f69800'
>>> '%x' % int_ext("b%g?<&c")
'1f71654cac80'
>>> '%x' % int_ext("#h,t)0")
'3d6180c00'
>>> '%x' % int_ext("(ZUwI0")
'a98a65dc0'
I'll let you meditate on this for now and I'll explain later (hint: consider positions of top and bottom set bits in '7a7b...')
Given that the sha1 of the serial number is used to generate the vATT SSID, there has to be a correlation if mrfancypants was able to recover everything here. The script I found is useful somehow, and sha1 with the serial HAS to be used to generate the keys.
If only we had the serial number from that eBay sticker... I *might* have a way to recover it.
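The quoted post treats each key as a big-endian number over its charset and hints at looking at the top and bottom set bits of the result. The block below is an added example, my own code rather than anything from mrfancypants' or soxrok2212's posts; it generalises the three encoding loops into one encode/decode pair (the charsets are copied from the post, the function names are mine) and adds the check a device owner or auditor would want: for a key that is supposed to be uniformly random over 12 characters of a 37-symbol alphabet, the encoded integer should almost never have a long run of trailing zero bits, so a large lowest-set-bit position is a sign that the generator is not using the full key space. The hex value 0x7a7b4bbbf4f69800 in the usage section is the one printed in the post.

```python
"""Added example: generic base-N string encoding plus a bit-span sanity check.

Not code from the original posts. Charsets are taken from the post; the
function names below are my own.
"""

# Charsets as given in the post (37 and 56 symbols respectively).
PW_CHARSET = 'abcdefghijkmnpqrstuvwxyz23456789#%+=?'
SSID_CHARSET = '23456789ABCDEFGHIJKMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz'


def encode_base(s, charset):
    """Interpret s as a big-endian number in base len(charset).

    Same arithmetic as the post's intpw/intssid/int_ext loops, without
    the val%8==7 adjustment that intpw applies on top (see encode_pw).
    """
    base = len(charset)
    val = 0
    for ch in s:
        idx = charset.find(ch)
        if idx < 0:
            raise ValueError('character %r not in charset' % ch)
        val = val * base + idx
    return val


def decode_base(val, charset, length):
    """Inverse of encode_base for a fixed-length string."""
    base = len(charset)
    out = []
    for _ in range(length):
        val, idx = divmod(val, base)
        out.append(charset[idx])
    if val:
        raise ValueError('value does not fit in %d characters' % length)
    return ''.join(reversed(out))


def encode_pw(key):
    """Replicates the post's intpw: base-37 value plus the val%8==7 bump."""
    val = encode_base(key, PW_CHARSET)
    if val % 8 == 7:
        val += 37 ** 12
    return val


def bit_span(val):
    """Return (lowest set bit, highest set bit) of a positive integer."""
    if val <= 0:
        raise ValueError('need a positive integer')
    low = (val & -val).bit_length() - 1   # isolate the lowest set bit
    high = val.bit_length() - 1
    return low, high


def trailing_zero_probability(low_bit):
    """Probability that a uniformly random integer has at least low_bit
    trailing zero bits: 2 ** -low_bit."""
    return 2.0 ** -low_bit


def uniform_key_bits(charset, length):
    """Highest bit position a uniformly random key of this shape can reach."""
    return (len(charset) ** length - 1).bit_length() - 1


if __name__ == '__main__':
    key = 'nyrip9=c5bgv'                      # wireless key quoted in the post
    raw = encode_base(key, PW_CHARSET)
    assert decode_base(raw, PW_CHARSET, 12) == key   # encoding is reversible
    val = encode_pw(key)
    low, high = bit_span(val)
    print('encoded key: %x  set bits span %d..%d (a uniform key could reach bit %d)'
          % (val, low, high, uniform_key_bits(PW_CHARSET, 12)))
    print('chance a uniform key has >= %d trailing zero bits: %g'
          % (low, trailing_zero_probability(low)))
    # Same check against the value printed in the post:
    print('post value 0x7a7b4bbbf4f69800 spans bits %d..%d'
          % bit_span(0x7a7b4bbbf4f69800))
```

Run it as a script and it reports the bit span of the sample key next to the span a uniformly random 12-character key could occupy; the probability line turns the "bottom set bit" hint into a number that says how unlikely such a run of zero bits would be from a proper RNG, which is the quantity to compare across several devices before drawing conclusions.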