Verizon Fios G3100 and E3200 Research
@ZerBea thanks for the response and thanks for all of your work! @RealEnder did a great job with imeigen, and has added the T-Mobile hotspot further reducing the possible candidates.  I haven’t had a chance to check out the T-Mobile devices you shared to see if they have the same weakness.  

Fios-F1nDr has been updated to differentiate between ARC-XCI55AX, CR1000, CME1000, E3200 for the DC:F5:1B MAC prefix.  There is still a bit more of this type of work I have to do to the script, but overall it’s working well.

This week I was able to add 63 new entries to the password database.

Updated Data Set: router_data_FULL_072325.xlsx


The Dataset now contains:
G3100/E3200 - 697 entries
CR1000 A/B - 177 entries
ARC-XCI55AX - 143 entries
ASK-NCQ1338 - 165 entries
WNC-CR200A - 62 entries
G1100 - 374 entries
NVG558HX - 67 entries
Other - 143 entries
Total - 1828 entries

[Image: attachment.php?aid=1358]

We caught a new device too, the XC46BE, which is also manufactured by Arcadyan.  The device teardown shows a variety of chips. I believe the Mediatek MT6990V is the ARM CPU, but I couldn’t find much info. The device QR code and sticker provide a great bit of info.
Code:
('WIFI:S:Verizon_TC9CP6;T:WPA;P:bet9nearly8mane;;ROUTER:M:XC46BE;S:ACS44201412;D:11-26-2024;F:3.4.0.5;P:4CLBGTZS7;E:357632330053454;B:3806E60264DD;;1',)

I found the device using the data from WPA-SEC; here is the info broadcast in the packet. The device is the DRAGON.
Code:
2037f022cf12 Arcadyan XC46BE ACS50602760 DRAGON bc329e001dd811b286012037f022cf10 Verizon_BJ3F49

Model: XC46BE
Manufacturer: Arcadyan
Device: DRAGON
Serial Prefix: ACS
MACS: Not enough Info
MAC Prefix: 20:37:F0  38:06:E6
UUID: All entries are bc329e001dd811b28601XXXXXXXXXXXX, where X is 2 less than the broadcast MAC Address
EX: 3806e6801442 = bc329e001dd811b286013806e6801440
SSID: Verizon-XXXX

The 3 password entries I was able to find show that the SSID password is 15 characters and follows a new format <word><digit><word><digit><word>. So far, these passwords are comprised of a 3-letter, 4-letter, and 6-letter word with single digits. The admin password is 9-character alphanumeric, as we’ve seen with a lot of the other devices.

Wi-Fi Name:      Wi-Fi Password:    Len   Admin Password:
Verizon_4XZF4L   wed5poem7cherub    15    6KFV7CHGS
Verizon_TC9CP6   bet9nearly8mane    15    4CLBGTZS7
Verizon_94CSGD   blouse3cate7ran    15    ZK4TNDJQ6

[Image: attachment.php?aid=1359]

The CSG m106 was also caught in the scrape, which is some sort of Verizon device though it doesn’t have the Verizon/Fios SSID. Its QR code is just a link to the CSG website. However, the password is 8 character hex that is actually just the end of the serial number. Unfortunately, this device does not broadcast any ESSID information. I did the normal eBay, FB, OfferUp scrape and caught 19 entries. The serial numbers appear to be a random 16 character hex, possibly a truncated hash. So I had a script try various user input, as well as Unix Epoch time against the password. There are several hashes that produce the password, but none that produce the full serial, so I suspect they are false positives. @RealEnder found the firmware (https://connectcsg.com/pages/firmware-updates), which extracts nicely...so I checked to see how the SN is being generated.

In the file gl_init we see
Code:
uci set glconfig.general.factory_mac=$(get_default_mac_with_colon)
uci set glconfig.general.factory_sn=$(get_default_sn)

ssid=`uci get glconfig.general.factory_mac | awk -F ":" '{print $(NF-1)$NF}'`
uci set wireless.@wifi-iface[$index].ssid="CSG-${ssid}"
key=`uci get glconfig.general.factory_sn | awk '{print substr($0,9)}'`

So we see the SSID is generated from the MAC, and the key is the last 8 characters of the factory_sn. Unfortunately the factory_sn is pulled from NVRAM.

[Image: attachment.php?aid=1360]

The data collected for CSG m106 all have the MAC prefix 94:83:C4, so I checked there in the WPA-SEC data. There are not any CSG entries since they don’t broadcast the information, however there are several GL-SFT1200 that overlap the address space. The firmware for this device is also available (https://dl.gl-inet.com/router/sft1200/stable), extracts cleanly, and is very similar to the CSG m106 with some minor vendor changes. In the gl_init file for both firmwares we see
Code:
ssid_prefix="GL-"${model}
uci set wireless.@wifi-iface[$index].key=goodlife

As the image above shows, devices with the SSID GL-<model> have the default password “goodlife”. The firmware shows other models this applies to: AR300M, AR750, B1300, B2200, E750, MT750, S200, S1300, X750, X1200.

[Image: attachment.php?aid=1361]

Among the devices that the default password doesn’t work on are the GL-MT3000 and GL-MT6000, which we see have a 10 character alphanumeric password :frown:. We have the firmware for these devices too (https://dl.gl-inet.com/router/mt3000/stable and https://dl.gl-inet.com/router/mt6000/stable). The password seems to be pulled from NVRAM.
Code:
wifi_password=`lua /usr/bin/get_unique_password.lua`
lfactory.get_unique_password()

But the guest networks may still have the default password “goodlife”
Code:
set wireless.$1.key=goodlife
set wireless.$guest.device="$device"




Messages In This Thread
RE: Verizon Fios G3100 and E3200 Research - by FiosFiend - 07-23-2025, 05:09 PM
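
Added example, not part of the original post or of the vendor firmware: a check an owner can run against a `uci show wireless` dump or config backup to flag interfaces still using either default described above (the key taken from the 9th character of factory_sn onward, or the fixed key "goodlife"). The function names, the dump contents, the SSIDs and the serial are constructed for illustration, and the quoted `name='value'` dump format is an assumption.

```shell
#!/bin/sh
# Added example: audit a `uci show wireless` dump for factory-default Wi-Fi keys.

# Key derivation seen in gl_init: everything from the 9th character of factory_sn.
factory_key() {
    printf '%s\n' "$1" | awk '{print substr($0,9)}'
}

# audit_keys <factory_sn>: reads dump lines on stdin and prints "<iface> <reason>"
# for each interface whose key is the serial-derived or the "goodlife" default.
audit_keys() {
    fkey=$(factory_key "$1")
    awk -v fkey="$fkey" -v q="'" '
    {
        eq = index($0, "=")                  # split on the first "=" only
        if (eq == 0) next
        name = substr($0, 1, eq - 1)
        val  = substr($0, eq + 1)
        if (name !~ /^wireless\.[^.]+\.key$/) next
        gsub("^" q "|" q "$", "", val)       # strip the quotes around the value
        split(name, part, ".")
        if (val == "goodlife")
            print part[2], "vendor-default"
        else if (fkey != "" && val == fkey)
            print part[2], "serial-derived"
    }'
}

# Constructed sample dump (not real device data).
sample_dump() {
    cat <<'EOF'
wireless.radio0=wifi-device
wireless.default_radio0=wifi-iface
wireless.default_radio0.ssid='CSG-a1b2'
wireless.default_radio0.key='89abcdef'
wireless.guest2g=wifi-iface
wireless.guest2g.ssid='GL-SFT1200-guest'
wireless.guest2g.key='goodlife'
wireless.default_radio1=wifi-iface
wireless.default_radio1.key='c0rrect-h0rse=battery'
EOF
}

# Constructed 16-character serial; its derived key is "89abcdef".
sample_dump | audit_keys 0123456789abcdef
```

Any interface it lists should have its key changed; the third interface in the sample is not reported because its key matches neither default.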