Verizon Fios G3100 and E3200 Research
#16
Happy Friday everyone, grab some popcorn, this week's update is a long one!

In a Verizon thread on Hashkiller, I noticed that Sardukarrr and drsnooker both posted photos to old eBay listings, which are surprisingly still active. I had previously overlooked them because they weren’t G3100/E3200, but now they’re both new entries in the dataset! I was starting to get nervous that I might finally reach the end of the internet, but this got me thinking... Currently only eBay allows me to go backwards to find sold listings, and sadly the window on that is limited. How can I possibly find old listings/images that are still active, but not currently searchable through eBay, FB, etc.?

The only way I personally know of is to use Google “dorks”. If you are unfamiliar with the term, search engines allow certain parameters that impact the search results. Trying a few out, I could see there were a few fresh hits. So now I needed a Google / DuckDuckGo image search scraper. I do have a decent bit of programming experience over the years, but I will freely admit it has only ever been hobby/novice level. The bit of programming knowledge that I do have allows me to read, understand, modify, adapt, refine or debug well written example code. If you forced me to write code from scratch I could do it, but it would be a slow process, require a lot of trial/error, lots of internet research, and still be clunky. Fortunately now we have AI, which is great at building the skeleton. It’s been my experience that it needs a bit of guidance though. None of the scraping scripts have worked first try, I always have to watch what it is doing and reprompt and add bits when needed to get a working script. It will sometimes drop key functions/features or make unwanted changes to the code when trying to fix other issues. Although it’s not perfect, I still end up with something workable much much faster than I would on my own. I use 2 different AI, and sometimes I feed the script one generates to the other to make improvements haha. Any repetitive task that you can do as a normal user on a computer, you can automate fairly easily with a scripting language such as Python.

When looking for images, eBay and FB are the two biggest sources, but I also look at Reddit, Poshmark, OfferUp, Craigslist, Imgur, and Flickr. I recently found this weird site https://shopforsale.ru/ that I think aggregates listings from eBay, FB and potentially other places. I’m not really sure what it is, but it’s easy to scrape and I was able to pull some new entries from there. To refine our searches here is a list of dorks and you can find other examples online. These are the few uses that I came up with, please comment if you know of any others that look promising.

Using the before tag allows me to only show listings that were posted before I began scraping. This yields a few listings that are still active, but much older than the actual site search allows.
Ex:  offerup.com verizon fios g3100 before:2025-02-01

Using the site tag with inurl yields listings that have previously sold on eBay. I’m not sure it was entirely correct, but I got a few new hits using this. This particular example only worked on duckduckgo.
Ex: site:ebay.com "verizon fios g3100" inurl:sold

AI suggested this as a way to search “old public marketplace listings”. It didn’t yield many, but I did get a fresh hit from 45 weeks ago!
site:facebook.com/marketplace/ "Verizon G3100" -inurl:"search" -inurl:"create"

AI suggested this as a way to find “Older or less promoted eBay listings”, again it produced previously unknown images!
site:ebay.com "Verizon G3100" -inurl:"/sch/" -inurl:"/b/" -2023

Similarly AI suggested this, but it wasn’t fruitful.
site:offerup.com "Verizon G3100" -2024 -2023

So after iterating through these for various devices on both search engines and sweeping up all the photos we can, we’ve added 105 new entries to the dataset. When I first started this project I asked AI how many passwords I would need to determine the algorithm and it told me 1000. Since then, I have realized that AI likes to tell you what you want to hear a lot of the time and not necessarily the truth. But we’re getting close to that goal, so let’s see what else we’ve learned this week...

Updated Data Set:  
.xlsx   router_data_FULL_050925.xlsx (Size: 547.7 KB / Downloads: 1)

There are 37 new entries for the G3100/E3200 devices. Running these through Fios-F1nDr we get the following:

Before:
Correct - 22 (59%)
Incorrect - 14 (38%)
unknown block - 1 (2%)
Unknown device - 0 (0%)
Not Enough Data - 0 (0%)

After:
Correct - 34 (92%)
Incorrect - 3 (8%)
unknown block - 0 (0%)
Unknown device - 0 (0%)
Not enough data - 0 (0%)

We’re getting a little closer each time! We only have a few completely unknown blocks left. With this scrape we captured the very beginning of the B8.F8.53 address space. The 3 that are incorrect are outliers. I have the outliers highlighted in yellow on the Date Codes sheet. Sometimes I can tell the MAC is only off by a few numbers like some devices got skipped. Other times I can’t really make sense of it. Anyhow, most of the time the calculation works out, we now have 212 unique Date Codes. When I first discovered the date codes, I did a quick assessment: "We have discovered 145 unique date codes. On average, a block contains 29,336 devices, so an unusually high number of devices could indicate that there is at least 1 missing date code. Current calculations predict ~4,165,721 devices total." Looking at the data now, an average block contains 26,162 and predicts 5,180,068 devices total.

We can certainly try to crack how the SSID is created, but from what I see these devices report the proper MAC address during the handshake capture.  So for now, let’s use that as a reference.  After looking at the keyspace again, it turns out that we now have enough data to shrink it a bit!  As we’ve seen, for G3100/E3200 there are multiple algos depending on the date of manufacture.  Here is an update to my OP. 

From our dataset  we can gain some info on the G3100/E3200  key space:

MAC address Block 04.A2.22.00.00.00 to 04.A2.22.D3.FF.2F are the oldest and ALWAYS have 16 character passwords
  • SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
  • SSID Passwords follow <word><number><word><number><word> format (ex: room50cleft78dry)
  • Admin Passwords are 16 characters and follow a <word><number><word> format (ex: bedeck183magenta)
  • <word> is between 3-7 characters long, <number> is ANY 1-4 digits
*Surprisingly, this “algo” seems like it would be the hardest to crack, but they quickly drop it for some reason.

MAC address Block 04.A2.22.D3.FF.3A to 04.A2.22.FF.FF.FF and B8.F8.53.00.00.00 to B8.F8.53.5B.CD.39
  • SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
  • SSID Passwords follow <word><number><word><number><word> format (ex: sin296wary394cap)
    Passwords are almost always 16 characters, I did find one example at B8.F8.53.57.D8.C1 which is only 15. This address occurs near the next transition.
  • Admin Passwords are 16 characters and follow a <word><number><word> format (ex: suffer693grinder)
  • <word> is between 3-5 characters long (up to 8 characters for admin), <number> is 2-3 digits with no 0 or 1
*16 character passwords are harder to crack, but for some reason they transition to 15

MAC address Block B8.F8.53.5B.CD.41 to B8.F8.53.FF.FF.FF and 3C.BD.C5.00.00.00 to 3C.BD.C5.50.05.44
  • SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
  • SSID Passwords follow <word><number><word><number><word> format and are ALWAYS 15 characters (ex: dump75owl79copy)
  • Admin Passwords are 16 characters and follow a <word><number><word> format (ex: betimes74retinue)
  • <word> is between 3-5 characters long (up to 7 characters for admin), <number> is 2-3 digits with no 0 or 1
Because of the constraint on word length and the 15 character limit, when there is a 5 character word the other words must be 3 characters with 2-digit numbers

Another transition occurs here... this is where things get very interesting (and potentially crackable!)

MAC address Block 3C.BD.C5.50.05.44 to 3C.BD.C5.FF.FF.FF and all of the DC.F5.1B, 74.90.BC MACS
  • SSID is Verizon_XXXXXX where X is any char <A-Z><0-9>
  • SSID Passwords follow <word>-<word>-<word> with a single digit at the end of one word (ex: range-joy3-okey)
  • Admin Passwords are 9 characters that are <A-Z><0-9> (ex: NQ4BJLC7H)
Because of the hyphens, digit and 15 character limit, <word> is ALWAYS comprised of a 3 character, 4 character and 5 character word. No other pattern is mathematically possible. Additionally, the <number> is always a single digit that is NEVER 0, 1, 2, 5, or 8 and NEVER on the last word.

The ARC-XCI55AX follows the exact same pattern (except for a single 14 character entry), so I think this is the first dictionary that we should focus on! I double checked and the MAC prefixes 04.09.86, 18.58.80, 4C.22.F3, 54.B7.BD, A8.A2.37, AC.B6.87, C8.99.B2, F4.CA.E7 currently appear unique to this device. 84.90.0A and BC.F8.7E are found in the CR1000 dataset, but the current entries in this space also fit this pattern. So those would be the MAC prefixes vulnerable to this dictionary. @soxrok2212 has already started a nice wordlist. At some point I would like to compare my dataset against his list and add words that are missing. They are using a pretty extensive wordlist because we see abbreviations such as cpu, cps, dos, iot, and wpm which aren’t valid words in a scrabble dictionary, but are official words for something like Webster’s Dictionary.

[Image: attachment.php?aid=1283]

The device of the week is the ASK-NCQ1338 family, which includes ASK-NCQ1338, ASK-NCQ1338E, ASK-NCQ1338FA. I couldn’t find much info on the differences, but I think the “E” is an extender and I know the “FA” is the newer model. These devices are manufactured by Askey Computer, and can be considered the sister device to the ARC-XCI55AX. I forgot to mention last week, but both the ARC-XCI55AX and ASK-NCQ1338 are 5G routers that use cell signal to provide internet. The QR code provides a lot of useful information, including the MAC which unfortunately isn’t printed on the sticker. Similar to the ARC, the QR contains both a date code and the IMEI. The QR also has the ICC ID, which means we can easily collect that with the other data. Something strange though, the last item in the QR code is P: <6 digit number>. Does anyone have an idea what this might be since WPS is 8 digits?

Code:
('WIFI:S:Verizon_J7JYV9;T:WPA;P:enact-ace9-rang;;ROUTER:M:ASK-NCQ1338FA;S:ABB30107759;D:20230117;F:222656;I:admin;P:79T649KNV;E:356649621448392;C:89148000008863050351;B:FC1263A32908;P:937181;;1',)

Currently, the data set contains 107 entries for ASK-NCQ1338 models!
The SSID and passwords follow the same pattern seen in the CR1000A/B and ARC-XCI55AX
  • SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
  • SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either the first 2 words, but never the third.
  • Admin Passwords are 9 characters that are <A-Z><0-9>.

From this sample we can gain some other info:
  • SSID passwords are 13-15 characters long
  • Password <word> are between 3-5 characters for SSID Password (haven’t seen a 6 character word yet)
  • We don’t currently see 0, 1, 2, 5, 8 in any of the SSID, SSID Password, or Admin Password.
  • HW versions are not printed on the device or QR code
  • Shipped firmware ranges from 212331 to 222656

The MAC addresses that we see for this device are  2C.EA.DC, 4C.AB.F8,  88.DE.7C, A4.97.33, FC.12.63.

Serial numbers are always 11 digits and start with 2-3 letters (AA, AAM, or ABG), followed by 8 digits. If we compare the MAC/Serial difference like before, we see these change in steps of 4. Hopefully I will be able to use the IMEI or Serial # to back calculate the MAC address for images that we can’t read the QR code. All of the 11 digit serials are very similar across the various models in this thread, so again this is a case where one device can inform us about another.
[Image: attachment.php?aid=1286]

From the device teardown, we see that the CPU is a Qualcomm Hawkeye IPQ8072A Quad Core ARM 64 bit A53 2.2GHz processor.  The memory is Samsung K4A8G165WB-BCRC 8Gb DDR4 1200 MHz and Samsung KLM8G1GETF-B041 8GB eMMC NAND.

I wasn’t able to find any firmware online. However this device also has the hidden compartment.  I think I read it was for the SIM card on this device, but the ARC-XCI55AX has an eSIM and USB-C here.

[Image: attachment.php?aid=1285]

Currently in the dataset:
G3100/E3200 - 418 entries
CR1000 A/B - 94 entries
ARC-XCI55AX - 96 entries
ASK-NCQ1338 - 107 entries
Other - 117 entries
Total - 832 entries

I am planning on making at least 3 more long form posts about the various devices that will cover G1100, WNC-CR200A, and the Others. By then I should have pretty much scraped all that I can currently scrape, so I will start doing some more stats analysis on everything that we’ve collected. We caught a new device with these recent scrapes, ASK-RTL108 which has a QR code and a lot of good info on the sticker so I will start scraping these for the next update!

[Image: attachment.php?aid=1284]


How can you help?
  • I have done a pretty exhaustive search, but I've been unable to locate firmware for anything other than G3100/E3200, CR1000A/B, and G1100.  Perhaps you can?
  • Do you know of any website or search terms that might lead us to more images to scrape?
  • Feel free to DM me links to images and such as well!
  • Take a look at the data set, are there any patterns or peculiarities that stand out to you?
  • Do you know of anywhere I can easily host large zip files long term for my ref_images, ref_firmware and future dictionary file?
  • Know of any other models I should be targeting?
  • Want to build a dictionary?
  • Like this post or leave a quick comment


Attached Files
.jpg   image_4192501959.jpg (Size: 462.18 KB / Downloads: 74)
.jpeg   ASK-RTL108.jpeg (Size: 87.36 KB / Downloads: 79)
.jpeg   secret_usb.jpeg (Size: 486.32 KB / Downloads: 77)
.png   ASK-NCQ1338_step.png (Size: 85.79 KB / Downloads: 80)


Messages In This Thread
RE: Verizon Fios G3100 and E3200 Research - by FiosFiend - 05-09-2025, 02:15 PM
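
Added example, not part of the original post or of the poster's own tooling: a parser for the QR label layout quoted in the post that keeps the repeated `P` keys apart, plus a check an owner can run to see whether the passphrase currently configured on a router is still the label default or still fits the factory `<word>-<word>-<word>` shape described above. The function names, the `;;` section split (values are assumed to contain no escaped semicolons) and every value in the sample payload are constructed for this example.

```python
import re

# Constructed payload laid out like the QR string in the post; all values are made up.
SAMPLE = ("WIFI:S:Verizon_EXAMPL;T:WPA;P:lamp-tree7-dock;;"
          "ROUTER:M:ASK-NCQ1338FA;S:AAA00000000;D:20230117;F:222656;I:admin;"
          "P:K7T9QNV4H;E:000000000000000;C:00000000000000000000;"
          "B:AABBCCDDEEFF;P:346797;;1")

# Factory passphrase shape from the post: three 3-5 letter words joined by hyphens,
# one digit (never 0, 1, 2, 5, 8) closing the first or second word, 13-15 chars.
FACTORY_PSK = re.compile(
    r"^(?:[a-z]{3,5}[34679]-[a-z]{3,5}|[a-z]{3,5}-[a-z]{3,5}[34679])-[a-z]{3,5}$")


def parse_label(payload):
    """Split the payload into sections, keeping repeated keys in order."""
    sections = {}
    for chunk in payload.strip().split(";;"):
        name, sep, body = chunk.partition(":")
        if not sep:                      # the trailing "1" carries no fields
            continue
        pairs = (item.partition(":") for item in body.split(";"))
        sections[name] = [(k, v) for k, colon, v in pairs if colon]
    return sections


def values(sections, section, key):
    """All values for a key in one section (ROUTER has two P entries)."""
    return [v for k, v in sections.get(section, []) if k == key]


def fits_factory_psk(psk):
    return 13 <= len(psk) <= 15 and bool(FACTORY_PSK.match(psk))


def audit(payload, current_psk):
    """Compare the passphrase in use with the one printed on the label."""
    s = parse_label(payload)
    label_psk = next(iter(values(s, "WIFI", "P")), "")
    return {
        "ssid": next(iter(values(s, "WIFI", "S")), ""),
        "label_psk_fits_pattern": fits_factory_psk(label_psk),
        "current_is_label_default": current_psk == label_psk,
        "current_fits_factory_pattern": fits_factory_psk(current_psk),
        "router_p_values": values(s, "ROUTER", "P"),  # meaning of the 2nd P is unknown
    }
```

A result with `current_is_label_default` or `current_fits_factory_pattern` set to true means the network is still inside the reduced keyspace the post describes and the passphrase should be replaced with an owner-chosen one.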