Keyspace List for WPA on Default Routers
#47
AHA!

Code:
>>> def gen_599_pw(x):
...     # pw_charset: the 37-symbol alphabet the generator indexes into;
...     # it is not shown in this post
...     x = int(float(x * (2**32 + 2)))   # float() cast, see the rounding note below
...     pw = ''
...     for n in range(12):
...         rem = x % 37
...         pw = pw_charset[rem] + pw
...         x //= 37                      # integer division (what Python 2's / did on ints)
...     return pw
...
>>>
>>> gen_599_pw(0x7a7b4bbb)
'nyrip9=c5bgv'

The input value is an integer between 0 and 0x7FFFFFFF (2.1 billion possibilities).

I haven't yet worked out where this number comes from (it may be random or derived with an MD5/SHA hash; it does not look sequential or clearly related to the serial, the MAC, or the install date), but, even not knowing the exact number, we cut the time to process the whole keyspace from thousands of years to a couple of hours.

I wonder if this rates a CERT vulnerability filing.

This will work for 599s, some 589s, and the newest BGW210s. This will not work for 5268s or for older 589s. As a rule of thumb, it works if the SSID starts with a letter (not counting 'ATT').

EDIT: there is an outstanding minor rounding-related problem. For x=0x5f03b1, it generates 'afw7b4vnych7' but I saw a device with 'afw7b4vnych%'. (0x...0be0762 is rounded down to ..0be0760, but, to get the correct pw, it needs to be rounded up to ..0be0764.) Should be pretty rare.

Quote: I wonder if anybody else has noticed an extra character at each end of the second SSID (making it twelve characters long instead of ten characters)

They add a letter 'v' to either side of 'ATT'. So it becomes 'vATTv.....', twelve characters. 'v' may stand for 'video'. AT&T U-Verse comes with optional TV service and this second network may be for connecting the wireless TV receiver to the router.

Quote: I think I read earlier in this thread that the router might regenerate its SSID and wireless key during a hard reboot or after a firmware upgrade. So I have to ask, wouldn't that preclude the use of a random number generator (RNG)?

Yes, that's why AT&T routers maintain a separate copy of the "default wireless key" so they don't need to regenerate it on the spot.
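As an added illustration (not part of this post or the thread's tooling), the Python below quantifies two points made above: a seed no larger than 0x7FFFFFFF drives a 12-character key drawn from a 37-symbol alphabet, so the effective keyspace is far below the nominal one, and the float() cast in the generator cannot hold every bit of the scaled seed, which is the rounding effect noted in the EDIT. It uses only the constants visible in the post and generates no passwords.

```python
import math

# Constants taken from the post: 31-bit seed, 37-symbol alphabet, 12-char key.
SEED_MAX = 0x7FFFFFFF
ALPHABET_SIZE = 37
PW_LEN = 12
DOUBLE_MANTISSA_BITS = 53  # an IEEE-754 double keeps 53 significant bits


def keyspace_bits():
    """Nominal entropy of a random 12-char key vs. what the seed can supply."""
    nominal = PW_LEN * math.log2(ALPHABET_SIZE)
    effective = math.log2(SEED_MAX + 1)
    return nominal, effective


def scaled_seed(x):
    """The product the generator starts from, exact and after the float() cast."""
    exact = x * (2**32 + 2)
    via_float = int(float(exact))  # same cast as the posted generator
    return exact, via_float


def bits_lost_to_float(x):
    """Low-order bits of the scaled seed that a double cannot represent."""
    exact = x * (2**32 + 2)
    return max(0, exact.bit_length() - DOUBLE_MANTISSA_BITS)


if __name__ == "__main__":
    nominal, effective = keyspace_bits()
    print(f"nominal {nominal:.1f} bits, effective {effective:.0f} bits")
    for x in (0x7A7B4BBB, 0x5F03B1):  # the two seeds quoted in the post
        exact, rounded = scaled_seed(x)
        print(f"{x:#x}: exact {exact:#x}, after float() {rounded:#x}, "
              f"{bits_lost_to_float(x)} low bits lost")
```

For the EDIT's seed 0x5f03b1 the cast drops two low bits and Python's round-half-to-even lands on ...0be0760, matching what the post observed; any seed near the top of the range loses about ten bits, so only the bits that survive the cast decide the key.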
RE: Keyspace List for WPA on Default Routers - by mrfancypants - 06-30-2017, 12:01 AM