02-14-2023, 03:55 AM

I tried to use pseudopwd to create passwords for the NVG599. Changed the charset to the normal 37, then took the SNs of a handful of NVG599 routers and added the string "PRESHAREDKEY-0907F5". So you have a variable section up front (of around 12 chars resulting in 6 chars in the pwd), followed by a fixed string. Then feed that into pseudopwd to generated the passwords. A change in the beginning echos through the rest of the password. However, with pseudopwd, the same start results in the same beginning of the conversion, not like MD5 or SHA.

That idea strongly resembles the integer*multiplier where the variable section is the integer and the fixed section the multiplier and would result in a multiplier with 6 digits before the decimal point.

Lastly, I ran that through the multiplier search algo and came up with nothing. Perhaps in this iteration of pseudopwd, the results are now too randomized. Perhaps removing the t3 and t4 reduces the randomness to the original algo for generating the NVG589,599 and 210 passwords.

One more observation is that it seems that the libkeycode.so uses a similar randomization technique but with only two steps. I should probably try to reverse that now....

That idea strongly resembles the integer*multiplier where the variable section is the integer and the fixed section the multiplier and would result in a multiplier with 6 digits before the decimal point.

Lastly, I ran that through the multiplier search algo and came up with nothing. Perhaps in this iteration of pseudopwd, the results are now too randomized. Perhaps removing the t3 and t4 reduces the randomness to the original algo for generating the NVG589,599 and 210 passwords.

One more observation is that it seems that the libkeycode.so uses a similar randomization technique but with only two steps. I should probably try to reverse that now....