Thanks Fart-box and welcome back! At this point we're very sure the algorithm to create the PSK is not on the router anymore (if it ever was). But we do have root access to the file system, so we can grep for anything interesting! Sadly nothing on the video SSID. Sasquatch chokes during the binwalk of the dump (two different NAND chips from two different routers), so glad to have root access.
We did find this interesting bit of code:
SERIAL=$(cat /sys/module/board/parameters/serialnumber)
PASS=$(echo -n ${SERIAL}SomeStringXXXX-00D09E | md5sum | pseudopasswd -n 16)
So we have two examples of the router taking the serial number and appending some text to it before doing some math on the result.
Just to clarify, in your key-gen are you using integer*multiplier = key then {key modulus 37 key/37} like SoxRok's pskracker,
OR are you doing SHA1(serial number) -> hash. hash per byte modulus 37 to get the psk like the vSSID for nvg599?
If the latter, are you adding text before or after the serial number string before hashing it?