I tried to glitch my G3100, but I think maybe they have fixed that issue in the firmware my device has. My normal serial output is very short, and with the glitch I could only get this single error to show up, but serial still stopped in the same spot. Shorting the connection too early would just cause it to freeze.
Last week I wasn’t quite sure how to do the calculation for number of possible combinations for the 15 char <word>-<word>-<word> format. However, it turns out that it’s pretty easy. <# of 3 letter words> * <# of 4 letter words> * <# 5 letter words> * <# of digits> * <# digit places> * <# of permutations>. The last 3 values are always going to be 5, 2, 6 (=60) respectfully. So using this 4090 benchmark, which shows 2533 Kh/s for 22000 mode and 275 Mh/s for 22001 mode. If we crunch some numbers here’s what I come up with.
The largest English word list that I found contained 2130 3 letter words, 7186 4 letter words, 15921 5 letter words, which gives us 2130*7186*15921*60 = 14,617,306,198,800 possible combinations. This dictionary is only really feasible if we have PMKID.
RPI4 @ 1080 h/s = ~429 years
4090 (22000) = 66.80 days
4090 (22001) = 14.76 hours
If we reduce just the 5 letter words to 5000 we get 2130*7186*5000*60 = 4,589,454,000,000 possible combinations This dictionary would run fast enough in 22001 mode, but still too slow for anything else.
RPI4 @ 1080 h/s = 134.66 years
4090 (22000) = 20.97 days
4090 (22001) = 4.64 hours
Similarly, if we could reduce the 4 letter words significantly we might see something like this. 2130*2000*5000 = 1,278,000,000,000 possible combinations We are finally starting to see reasonable results!
RPI4 @ 1080 h/s = 37.5 years
4090 (22000) = 5.84 days
4090 (22001) = 1.29 hours
So then I wrote a new script that takes all of the Wi-Fi passwords then breaks them into individual <word> or <digits> for me and does a bit of analysis. Here are the results.
Most Common Words:
[('aim', 8), ('toy', 8), ('bid', 8), ('had', 8), ('gym', 8), ('rid', 7), ('jus', 7), ('hew', 7), ('oar', 7), ('met', 7)]
Most Common Numbers:
[('6', 79), ('3', 76), ('9', 75), ('4', 74), ('7', 73), ('67', 13), ('25', 12), ('53', 12), ('87', 12), ('22', 12)]
The single digit numbers 3, 4, 6, 7, 9 come from the passwords that are the <word>-<word>-<word> format. We can see the distribution of these is very even, so it seems that one number is not favored over the other. The script also separates the words into all of the various wordlists. Here’s the output and the dictionaries are attached below. (I included fios wordlists in these)
Saved 0 unique words to 2_letter_words.txt
Saved 372 unique words to 3_letter_words.txt
Saved 605 unique words to 4_letter_words.txt
Saved 412 unique words to 5_letter_words.txt
Saved 57 unique words to 6_letter_words.txt
Saved 12 unique words to 7_letter_words.txt
Saved 0 unique words to 8_letter_words.txt
Using these wordlists would give us 372*605*412*60 = 5,563,483,200 possible combinations. Check it out, we can quickly run through this list!
RPI4 @ 1080 h/s = 59.62 days
4090 (22000) = 0.61 hours
4090 (22001) = 20 seconds
I wrote another script to actually build the dictionary based off the wordlists. Unfortunately it would be around 95gb, and not really worth while for me to upload. However, I have posted the script to generate the dictionary, so you can build it locally. I will continue to update the wordlists as we continue to scrape.
Of course, we always need more passwords! So I also spent a bit more time this week trying various dorks and came across one more example that turned up some hits.
Ex: site:ebay.com "Verizon G3100" -intext:"out of stock"
Now I have a fairly complete scraping toolset that does new/old eBay listings, FB marketplace, Offerup, Poshmark, Craigslist, shopforsale, and google/duckduckgo images. Other than having to log in to Facebook, everything is automated and can be easily linked together. Unfortunately, It’s likely going to be hard for me to make many more big gains in new entries, but I’ll continue to run a scrape at least biweekly I think. I will still pursue other ways to find new/old images, but I have pretty much exhausted all of my own ideas.
Updated Data Set:
router_data_FULL_051725.xlsx (Size: 608.04 KB / Downloads: 3)
I did manage to add a lot of new entries this week though. There are 45 new entries for the G3200/E3200, bringing us to 463 unique entries! Testing the new entries against Fios-F1nDr gives us:
Before:
Correct - 20 (44%)
Incorrect - 25 (56%)
unknown block - 0 (0%)
Unknown device - 0 (0%)
Not Enough Data - 0 (0%)
After:
Correct - 35 (78%)
Incorrect - 10 (22%)
unknown block - 0 (0%)
Unknown Device 0 (0%)
Not enough data 0( 0%)
The incorrect ones are outliers, which we’re accumulating quite a few at this point. They do seem to group together for the most part, so if I can get a few more entries around them hopefully I can figure out what the issue is. There is also a small section where G3100/E3200 overlap in the same space, so I will also have to deal with that in some way. Anyhow, we now have 221 unique Date Codes!
![[Image: attachment.php?aid=1288]](https://hashcat.net/forum/attachment.php?aid=1288)
This week’s device spotlight is the WNC-CR200A, which like the CR1000A is also manufactured by Wistron NeWeb Corporation. This is a 4/5G router similar to the ARC-XCI55AX and ASK-NCQ1388. They didn’t hide the USB-C port on this one. Sadly, neither the QR code or the sticker have the MAC address. It does include the date code and other important information however.
Currently, the data set contains 41 entries for WNC-CR200A models!
The SSID and passwords follow the same pattern seen in the CR1000A/B and ASK-NCQ1338
![[Image: attachment.php?aid=1289]](https://hashcat.net/forum/attachment.php?aid=1289)
SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.
From this sample we can gain some other info:
The serial number is 11-characters, starting with ACA followed by 9 digits. Since the MAC address is unknown I compared the serial to the IMEI and ICCID. Although both of these appear to mostly follow the date code sequentially, I was unable to find any kind of direct relationship. We don’t have a ton of entries for this device, but it's possible that we could figure out the relationship based on other devices.
From the device teardown, we see that the CPU is a Qualcomm Hawkeye IPQ8072A Quad Core ARM 64 bit A53 2.2GHz processor, which is the same as the ASK-NCQ1338. I think the memory is the two chips labeled "2CR77 D8BPK” but I was unable to find any data sheet for this. I wasn’t able to find any firmware online.
The Dataset now contains:
G3100/E3200 - 464 entries
CR1000 A/B - 97 entries
ARC-XCI55AX - 98 entries
ASK-NCQ1338 - 113 entries
WNC-CR200A - 41 entries
Other - 161 entries
Total - 974 entries
Next update we will have finally broken 1000 entries! I am planning on finally uploading the reference images again with that update. I will hopefully have all of the scripts cleaned up and uploaded to GitHub in the next week or two. We found another device this week, the NVG558HX, again this is an easy target and will be included in future updates
![[Image: attachment.php?aid=1290]](https://hashcat.net/forum/attachment.php?aid=1290)
Code:
Chip ID: BCM68369_B1
Broadcom B53 Dual Core: 1
RDP: 1400MHz
$Uboot: 5.04L.02@ $
WDT: Started with servicing (80s timeout)
NAND: 0 MiB
MMC: sdhci: 0
Loading Environment from BOOT_MAGIC... ENV_BOOT_MAGIC_LOAD
*** Warning - import not done, using default environment
In: serial0
Out: serial0 Last week I wasn’t quite sure how to do the calculation for number of possible combinations for the 15 char <word>-<word>-<word> format. However, it turns out that it’s pretty easy. <# of 3 letter words> * <# of 4 letter words> * <# 5 letter words> * <# of digits> * <# digit places> * <# of permutations>. The last 3 values are always going to be 5, 2, 6 (=60) respectfully. So using this 4090 benchmark, which shows 2533 Kh/s for 22000 mode and 275 Mh/s for 22001 mode. If we crunch some numbers here’s what I come up with.
The largest English word list that I found contained 2130 3 letter words, 7186 4 letter words, 15921 5 letter words, which gives us 2130*7186*15921*60 = 14,617,306,198,800 possible combinations. This dictionary is only really feasible if we have PMKID.
RPI4 @ 1080 h/s = ~429 years
4090 (22000) = 66.80 days
4090 (22001) = 14.76 hours
If we reduce just the 5 letter words to 5000 we get 2130*7186*5000*60 = 4,589,454,000,000 possible combinations This dictionary would run fast enough in 22001 mode, but still too slow for anything else.
RPI4 @ 1080 h/s = 134.66 years
4090 (22000) = 20.97 days
4090 (22001) = 4.64 hours
Similarly, if we could reduce the 4 letter words significantly we might see something like this. 2130*2000*5000 = 1,278,000,000,000 possible combinations We are finally starting to see reasonable results!
RPI4 @ 1080 h/s = 37.5 years
4090 (22000) = 5.84 days
4090 (22001) = 1.29 hours
So then I wrote a new script that takes all of the Wi-Fi passwords then breaks them into individual <word> or <digits> for me and does a bit of analysis. Here are the results.
Most Common Words:
[('aim', 8), ('toy', 8), ('bid', 8), ('had', 8), ('gym', 8), ('rid', 7), ('jus', 7), ('hew', 7), ('oar', 7), ('met', 7)]
Most Common Numbers:
[('6', 79), ('3', 76), ('9', 75), ('4', 74), ('7', 73), ('67', 13), ('25', 12), ('53', 12), ('87', 12), ('22', 12)]
The single digit numbers 3, 4, 6, 7, 9 come from the passwords that are the <word>-<word>-<word> format. We can see the distribution of these is very even, so it seems that one number is not favored over the other. The script also separates the words into all of the various wordlists. Here’s the output and the dictionaries are attached below. (I included fios wordlists in these)
Saved 0 unique words to 2_letter_words.txt
Saved 372 unique words to 3_letter_words.txt
Saved 605 unique words to 4_letter_words.txt
Saved 412 unique words to 5_letter_words.txt
Saved 57 unique words to 6_letter_words.txt
Saved 12 unique words to 7_letter_words.txt
Saved 0 unique words to 8_letter_words.txt
Using these wordlists would give us 372*605*412*60 = 5,563,483,200 possible combinations. Check it out, we can quickly run through this list!
RPI4 @ 1080 h/s = 59.62 days
4090 (22000) = 0.61 hours
4090 (22001) = 20 seconds
I wrote another script to actually build the dictionary based off the wordlists. Unfortunately it would be around 95gb, and not really worth while for me to upload. However, I have posted the script to generate the dictionary, so you can build it locally. I will continue to update the wordlists as we continue to scrape.
Of course, we always need more passwords! So I also spent a bit more time this week trying various dorks and came across one more example that turned up some hits.
Ex: site:ebay.com "Verizon G3100" -intext:"out of stock"
Now I have a fairly complete scraping toolset that does new/old eBay listings, FB marketplace, Offerup, Poshmark, Craigslist, shopforsale, and google/duckduckgo images. Other than having to log in to Facebook, everything is automated and can be easily linked together. Unfortunately, It’s likely going to be hard for me to make many more big gains in new entries, but I’ll continue to run a scrape at least biweekly I think. I will still pursue other ways to find new/old images, but I have pretty much exhausted all of my own ideas.
Updated Data Set:
router_data_FULL_051725.xlsx (Size: 608.04 KB / Downloads: 3)
I did manage to add a lot of new entries this week though. There are 45 new entries for the G3200/E3200, bringing us to 463 unique entries! Testing the new entries against Fios-F1nDr gives us:
Before:
Correct - 20 (44%)
Incorrect - 25 (56%)
unknown block - 0 (0%)
Unknown device - 0 (0%)
Not Enough Data - 0 (0%)
After:
Correct - 35 (78%)
Incorrect - 10 (22%)
unknown block - 0 (0%)
Unknown Device 0 (0%)
Not enough data 0( 0%)
The incorrect ones are outliers, which we’re accumulating quite a few at this point. They do seem to group together for the most part, so if I can get a few more entries around them hopefully I can figure out what the issue is. There is also a small section where G3100/E3200 overlap in the same space, so I will also have to deal with that in some way. Anyhow, we now have 221 unique Date Codes!
This week’s device spotlight is the WNC-CR200A, which like the CR1000A is also manufactured by Wistron NeWeb Corporation. This is a 4/5G router similar to the ARC-XCI55AX and ASK-NCQ1388. They didn’t hide the USB-C port on this one. Sadly, neither the QR code or the sticker have the MAC address. It does include the date code and other important information however.
Code:
('WIFI:S:Verizon_7K3WCX;T:WPA;P:hearth-bot6-sir;;ROUTER:M:WNC-CR200A;S:ACA33004690;D:20230816;P:7JW9YXRKP;E:357473871131817;C:89148000009539565590;;2',)Currently, the data set contains 41 entries for WNC-CR200A models!
The SSID and passwords follow the same pattern seen in the CR1000A/B and ASK-NCQ1338
SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.
From this sample we can gain some other info:
- SSID passwords are 13-15 characters long
- Password <word> are between 3-5 characters for SSID Password (haven’t seen a 6 character word yet)
- We don’t currently see 0, 1, 2, 5, 8 in any of the SSID, SSID Password, or Admin Password.
- HW version is 0.0.5
- Shipped firmware is Unknown
The serial number is 11-characters, starting with ACA followed by 9 digits. Since the MAC address is unknown I compared the serial to the IMEI and ICCID. Although both of these appear to mostly follow the date code sequentially, I was unable to find any kind of direct relationship. We don’t have a ton of entries for this device, but it's possible that we could figure out the relationship based on other devices.
From the device teardown, we see that the CPU is a Qualcomm Hawkeye IPQ8072A Quad Core ARM 64 bit A53 2.2GHz processor, which is the same as the ASK-NCQ1338. I think the memory is the two chips labeled "2CR77 D8BPK” but I was unable to find any data sheet for this. I wasn’t able to find any firmware online.
The Dataset now contains:
G3100/E3200 - 464 entries
CR1000 A/B - 97 entries
ARC-XCI55AX - 98 entries
ASK-NCQ1338 - 113 entries
WNC-CR200A - 41 entries
Other - 161 entries
Total - 974 entries
Next update we will have finally broken 1000 entries! I am planning on finally uploading the reference images again with that update. I will hopefully have all of the scripts cleaned up and uploaded to GitHub in the next week or two. We found another device this week, the NVG558HX, again this is an easy target and will be included in future updates