01-06-2022, 02:56 AM
No XXD on the router, so copied the serialnumber file to a thumbdrive to look at it.
ls -l on the router itself gives a file size of 4096. Once copied it's only 13 bytes, with indeed a 0x0a after the serialnumber ASCII characters.
The code on the router that is using it goes out of its way to remove the \n though....
SERIAL=$(cat /sys/module/board/parameters/serialnumber)
PASS=$(echo -n "${SERIAL}STRNIGSTUFF" | md5sum)
So the string that is ported into the hasher does not contain any 0x0a.
Does anybody here know how to get the NVRAM commit to accept?
The access code is actually missing from the NVRAM (PSK, ESSID and MAC are already burnt in), so the algo to generate the access code might still be around somewhere on the router. I can change the SN (nvram set serialnumber XXXXXNXXXXXX and confirm with "nvram get serialnumber") but a reboot of the router resets that. nvram commit <enter> errors out with "could not initialize msg, ret=9002".
My thinking is that if I could change the NVRAM and do a factory reset, I could follow what is going on with the access code and get another clue for the encoding scheme.
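Added example, not part of the original post and not the router's own code: a shell sketch of the newline question above, showing that a 13-byte serial file hashed through command substitution gives a different MD5 than the raw bytes with the 0x0a left in. The serial value, the temporary file standing in for the sysfs path and the function names are constructed for illustration; STRNIGSTUFF is the placeholder used in the post.

```shell
#!/bin/sh
# Constructed sample values: not a real serial number, not the vendor's suffix.
SAMPLE_SERIAL="ABCDE1FGHIJK"   # 12 characters, same shape as XXXXXNXXXXXX
SAMPLE_SUFFIX="STRNIGSTUFF"    # placeholder name from the post

# Stand-in for /sys/module/board/parameters/serialnumber.
# 12 characters + 0x0a = 13 bytes once copied. On the device, ls -l shows
# 4096 because sysfs reports a page-size placeholder, not the content length.
make_serial_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SERIAL" > "$f"
    printf '%s' "$f"
}

# Byte count of the file as copied off the device.
file_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Derivation in the shape the post describes: $(...) drops the trailing
# newline, and printf '%s' (like echo -n) does not add one back.
hash_stripped() {
    serial=$(cat "$1")
    printf '%s' "${serial}${SAMPLE_SUFFIX}" | md5sum | cut -d' ' -f1
}

# Same inputs, but the raw file bytes (0x0a included) go into the hasher.
hash_raw() {
    { cat "$1"; printf '%s' "$SAMPLE_SUFFIX"; } | md5sum | cut -d' ' -f1
}

# Stand-alone run: print both digests for comparison.
demo_file=$(make_serial_file)
echo "bytes in file:      $(file_bytes "$demo_file")"
echo "newline stripped:   $(hash_stripped "$demo_file")"
echo "newline left in:    $(hash_raw "$demo_file")"
rm -f "$demo_file"
```

When comparing a candidate scheme against a known code, run both variants; a single stray 0x0a in the middle of the input is enough to make a correct scheme look wrong.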