Ok here we go with this weeks update! Since we are targeting many more devices now, I spent this week working on my Facebook scraping script. FB is a bit trickier to scrape because they load pages dynamically, and don’t follow normal naming conventions to make it a bit harder to do. Fortunately those are overcome with a bit of effort, and with AI and I helping each other a bit, I finally have something I am happy with. So now we have a bunch of new entries to the database, we’re up to 727 unique entries!
Updated Data Set:
router_data_FULL_050325.xlsx (Size: 476.51 KB / Downloads: 4)
We have added 36 new G3100/E3200, so as always here are the Fios-F1nDr stats:
Before:
Correct - 22 (61%)
Incorrect - 7 (19%)
unknown block - 0 (0%)
Unknown device - 4 (11%)
Not Enough Data - 3 (8%)
After:
Correct - 32 (89%)
Incorrect - 4 (11%)
unknown block - 0 (0%)
Unknown Device 0 (0%)
Not enough data 0( 0%)
Check that out, we’re making some progress! The 4 that were incorrect are outliers. We now have 202 Date Codes. that range from 4/29/19 to 10/28/24.
Some more good news, we have collected enough entries that we can determine the 11-digit serial blocks! These are always E3200 devices, using the last 5 digits as the incremental serial we can see the steps are in increments of 6. All of the E3200 have had a step of 6 so far. This info helps us unlock a lot of the DC.F5.1B and 74.90.BC space that I had kind of ignored previously 😀 . Fios-F1nDr needed a minor update to calculate these properly, but I have a GitHub account now so hopefully I can get all of the scripts uploaded by next update.
![[Image: attachment.php?aid=1277]](https://hashcat.net/forum/attachment.php?aid=1277)
As I pointed out before, we are starting to have a good many entries for the same date codes. Block 190813 now has 9 entries! So I will soon look at those closer and see if I can catch any patterns. I still haven’t had a chance to glitch my device, but I found some interesting artifacts in the g3100_fw_2.0.0.6.bin and e3200_fw_3.1.1.17.bin. I haven’t really poked around in any of the other firmware yet. I will circle back to all of that eventually, so many things to do...
![[Image: attachment.php?aid=1279]](https://hashcat.net/forum/attachment.php?aid=1279)
This weeks device spotlight is the ARC-XCI55AX. Like the G3100/E3200 these are manufactured by Arcadyan. The QR code provides a lot of useful information, including the MAC which unfortunately isn’t printed on the sticker. The QR also contains a manufacture date, which means we don’t have to figure out the date blocks ourselves! This is the first QR code that has an IMEI # on the sticker and QR code, so we are collecting those too. The sticker also has the ICC ID, which I will probably add data for next update.
Currently, the data set contains 82 entries for ARC-XCI55AX!
The SSID and passwords follow the same pattern seen in the CR1000A/B
SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.
![[Image: arc-xci55ax_ssid-png.38569]](https://forum.hashkiller.io/index.php?attachments/arc-xci55ax_ssid-png.38569)
From this sample we can gain some other info:
Again we see a suprising number of Mac prefixes: 04.09.86, 18.58.80, 4C.22.F3, 54.B7.BD, 74.90.BC, 84.90.0A, A8.A2.37, AC.B6.87, BC.F8.7E, C8.99.B2, F4.CA.E7
Serial numbers are always 11 digits and start with 3 letters (ABU or GRR), followed by 8 digits. If we compare the MAC/Serial difference like before, we see these change in steps of 4 or 8. Hopefully I will be able to use the IMEI or Serial # to back calculate the MAC address for images that we can’t read the QR code. These might help us better understand similar 11-digit serials on the G3100 and other devices.
![[Image: attachment.php?aid=1281]](https://hashcat.net/forum/attachment.php?aid=1281)
![[Image: arc-xci55ax_c899b2_step-png.38572]](https://forum.hashkiller.io/index.php?attachments/arc-xci55ax_c899b2_step-png.38572)
From the device tear down, we see that the CPU is a Mediatek MT6890 SOC which is a Quad-Core Arm Cortex-A55 @ 2 GHz. The memory is Kingston 16EM16-M4CTB29 LPDDR4x eMCP (16 GB NAND eMMC 5.1 + 16 GB LPDDR4x RAM).
I wasn’t able to find any firmware links online. I did found information that suggests these devices are also used for “Straight talk home internet” from Walmart. I think FWA55V5L is the correct model, but there isn’t much info on these. There was an issue with people registering the devices so Walmart stopped distributing them.
I did find a Reddit post discussing a “Engineering Page” located at https://192.168.1.1/#/eng/ or https://mynetworksettings.com/#/eng/ which asks you for a password. This password is unrelated to both the admin password and WPA-PSK.
I tried to visit the engineering page on my G3100 and it brings up the admin login or if logged in a blank page, but still with the sidebar and everything. Visiting any made up link such as https://192.168.1.1/#/fiend has a different behavior of loading a completely blank page, so I think there’s something there. Does anyone have any info on how to access this page?
![[Image: attachment.php?aid=1278]](https://hashcat.net/forum/attachment.php?aid=1278)
It’s also intriguing to me that this device has a secret USB-C port hidden behind a plastic panel... from the Reddit post above:
There are a few new entries to the CR1000 and Others sections, here’s the current breakdown:
G3100/E3200 - 384 entries
CR1000 A/B - 94 entries
ARC-XCI55AX - 83 entries
Other - 166 entries
Total - 727 entries
Please consider liking this post if you’ve read this far... it’s the only way I know that anyone else is here!
Updated Data Set:
router_data_FULL_050325.xlsx (Size: 476.51 KB / Downloads: 4)
We have added 36 new G3100/E3200, so as always here are the Fios-F1nDr stats:
Before:
Correct - 22 (61%)
Incorrect - 7 (19%)
unknown block - 0 (0%)
Unknown device - 4 (11%)
Not Enough Data - 3 (8%)
After:
Correct - 32 (89%)
Incorrect - 4 (11%)
unknown block - 0 (0%)
Unknown Device 0 (0%)
Not enough data 0( 0%)
Check that out, we’re making some progress! The 4 that were incorrect are outliers. We now have 202 Date Codes. that range from 4/29/19 to 10/28/24.
Some more good news, we have collected enough entries that we can determine the 11-digit serial blocks! These are always E3200 devices, using the last 5 digits as the incremental serial we can see the steps are in increments of 6. All of the E3200 have had a step of 6 so far. This info helps us unlock a lot of the DC.F5.1B and 74.90.BC space that I had kind of ignored previously 😀 . Fios-F1nDr needed a minor update to calculate these properly, but I have a GitHub account now so hopefully I can get all of the scripts uploaded by next update.
As I pointed out before, we are starting to have a good many entries for the same date codes. Block 190813 now has 9 entries! So I will soon look at those closer and see if I can catch any patterns. I still haven’t had a chance to glitch my device, but I found some interesting artifacts in the g3100_fw_2.0.0.6.bin and e3200_fw_3.1.1.17.bin. I haven’t really poked around in any of the other firmware yet. I will circle back to all of that eventually, so many things to do...
Code:
/home/paul_shih/project/g3100_2.0.0.5/extern/broadcom-bsp-5.02L06/kernel/linux-4.1
BOOT_CONSOLE Mon Dec 14 15:02:21 CST 2020 paul_shih@buildbox3
192.168.1.100:g3100-mfg.bin
This is in e3200_fw_3.1.1.17.bin
/home/lennon_chen/e3200/release/0307/bsp/kernel/linux-4.1
BOOT_CONSOLE Mon Mar 7 18:11:55 CST 2022 lennon_chen@buildbox5
192.168.1.100:g3100-mfg.binCode:
('WIFI:S:Verizon_XTR9DB;T:WPA;P:spoon6-tun-swam;;ROUTER:M:ARC-XCI55AX;S:GRR22068010;D:07-13-2022;F:3.1.1.21;P:KS7BG6QZL;E:358598613057513;B:C899B2B1EBD4;;1',)Currently, the data set contains 82 entries for ARC-XCI55AX!
The SSID and passwords follow the same pattern seen in the CR1000A/B
SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.
From this sample we can gain some other info:
- SSID passwords are mostly 15 characters long, I did catch one that was 14 characters in a higher serial number
- Password <word> are between 3-5 characters for SSID Password (haven’t seen a 6 character word yet)
- We don’t currently see 0, 1 or 2 in any of the SSID, SSID Password, or Admin Password.
- HW versions are not printed on the device or QR code
- Shipped firmware ranges from 3.1.1.14 to 3.2.0.7
Again we see a suprising number of Mac prefixes: 04.09.86, 18.58.80, 4C.22.F3, 54.B7.BD, 74.90.BC, 84.90.0A, A8.A2.37, AC.B6.87, BC.F8.7E, C8.99.B2, F4.CA.E7
Serial numbers are always 11 digits and start with 3 letters (ABU or GRR), followed by 8 digits. If we compare the MAC/Serial difference like before, we see these change in steps of 4 or 8. Hopefully I will be able to use the IMEI or Serial # to back calculate the MAC address for images that we can’t read the QR code. These might help us better understand similar 11-digit serials on the G3100 and other devices.
From the device tear down, we see that the CPU is a Mediatek MT6890 SOC which is a Quad-Core Arm Cortex-A55 @ 2 GHz. The memory is Kingston 16EM16-M4CTB29 LPDDR4x eMCP (16 GB NAND eMMC 5.1 + 16 GB LPDDR4x RAM).
I wasn’t able to find any firmware links online. I did found information that suggests these devices are also used for “Straight talk home internet” from Walmart. I think FWA55V5L is the correct model, but there isn’t much info on these. There was an issue with people registering the devices so Walmart stopped distributing them.
I did find a Reddit post discussing a “Engineering Page” located at https://192.168.1.1/#/eng/ or https://mynetworksettings.com/#/eng/ which asks you for a password. This password is unrelated to both the admin password and WPA-PSK.
- Does anybody know what this password is, where to find it, or how to calculate it? Login credentials consisting of a password and a token are posted to /eng_auth.cgi as an application/x-www-form-urlencoded string like data=<password>&token=<hex string (MD5?)>
- I'm noticing here is that the CPE is connecting to an auto configuration server at https://hdm5g.vzwdm.com using the TR-069 CPE Wan Management Protocol. Is there any way to tell the CPE to connect to my own TR-069 server instead?
- I'm assuming that ports 4567 and 4577 are related to the above CWMP implementation. Running openssl s_client -connect mynetworksettings.com:4577 returns certificate data, but fails to connect with the following error sslv3 alert handshake failure
sl\record\rec_layer_s3.c:1586:SSL alert number 40. The server certificate's subject name is my CPE's serial number, which is different from the SSL cert on port 443. Does anybody know for sure what these ports are for?
I tried to visit the engineering page on my G3100 and it brings up the admin login or if logged in a blank page, but still with the sidebar and everything. Visiting any made up link such as https://192.168.1.1/#/fiend has a different behavior of loading a completely blank page, so I think there’s something there. Does anyone have any info on how to access this page?
It’s also intriguing to me that this device has a secret USB-C port hidden behind a plastic panel... from the Reddit post above:
- I'm assuming that ports 4567 and 4577 are related to the above CWMP implementation. Running openssl s_client -connect mynetworksettings.com:4577 returns certificate data, but fails to connect with the following error sslv3 alert handshake failuresl\record\rec_layer_s3.c:1586:SSL alert number 40. The server certificate's subject name is my CPE's serial number, which is different from the SSL cert on port 443. Does anybody know for sure what these ports are for?
- The hidden USB-C port on the bottom is, I believe, for firmware flashing. Plugging it into my Ubuntu laptop and turning on the CPE the device gets recognized as VID 0E8D PID 2000, which is the MediaTek preloader. I've tried methods described here -> https://github.com/bkerler/mtkclient to crash the preloader and enter the bootrom. I can get it to be recognized VID 0E8D PID 0003, but the process hangs from there. Has anybody had any luck accessing the modem through the USB-C port and running AT commands?
There are a few new entries to the CR1000 and Others sections, here’s the current breakdown:
G3100/E3200 - 384 entries
CR1000 A/B - 94 entries
ARC-XCI55AX - 83 entries
Other - 166 entries
Total - 727 entries
Please consider liking this post if you’ve read this far... it’s the only way I know that anyone else is here!