Keyspace List for WPA on Default Routers
#27
Meanwhile I spent an unproductive day trying to reverse engineer the router firmware. It is not uncommon for the WPA key to be generated internally by the router from the serial number (https://www.usenix.org/system/files/conf...orente.pdf). All these routers are internally more or less the same architecture, "Motopia". It took a while to get my hands on a copy of the firmware (it's not offered officially for download); I finally found a few versions on some back-alley website, then it took a while longer to unpack it and to find a disassembler that can read big-endian MIPS.
In the end it all comes to nothing. I'm not 100% sure but it looks like these routers come with the 10-char SSID and the non-alphanumeric password burned directly into EEPROM at the factory. I found code that generates SSIDs from the serial number and the SKU, but it only has branches for ATTddd and ATTdddd (and a couple of others for non-AT&T customers).
It's either that or there's a specialized version of firmware for AT&T which I couldn't find yet.

P.S. In case anyone ever wants to pick up where I left off, here are some pointers.
Firmware images are at http://68.250.244.11/firmware/. The web site may be someone's personal Linux PC and it is sporadically on and off; I couldn't find any alternate sources.
Install https://github.com/devttys0/binwalk to unpack the firmware, which gives you a JFFS2 file, and then find some way to unpack that.
Inside the JFFS2 image you have a Linux distro. The most interesting bit seems to be the executable "sdb", which is either in /bin or in /sbin depending on the firmware version. Look for references to the string "ATT" or "ATT%s". There may be other places where relevant code is hiding. For something seemingly as simple as a router, there sure is a lot of stuff inside.
The code is big-endian MIPS and it can be reversed either with Radare2 or with a recent IDA Pro (neither of the two demo/evaluation versions on the developer site works, and my old licensed 4.5 does not work either; in the end I had to torrent a 6.85). If you know x86, MIPS is relatively easy to pick up: just look up the registers/instructions and remember that the first instruction after a jump is executed before the jump.
Like I said, the SSID/WPA code for ATTxxxxxxx does not seem to be there, but there is a curious function that does SHA1 on the serial number and on some Jimi Hendrix lyrics and produces a hex string that may be used as a password for ATTdddd.
Arris has a large open-source code repository on SourceForge, but it has been pretty thoroughly scrubbed of anything that might be of use to us. In particular, "sdb" is completely absent. The closest it gets to relevant is that, in the "NVG-9.1.1h0" download, there are some headers that were probably left behind by accident.
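The triage steps in the P.S. above (carve the image with binwalk, unpack the JFFS2 filesystem, locate "sdb" in /bin or /sbin, pull out the "ATT"/"ATT%s" references) plus a quick way to test the "SHA1 over the serial and some fixed text" observation against a known serial/password pair, written up as an added shell example. This is not code from the original post or from the router's firmware. It assumes binwalk and jefferson (a JFFS2 extractor) are on PATH for the unpack step; the hypothesis checker is a generic prefix test of SHA1(serial || fixed text), not the router's actual derivation, and the serial, fixed text and password in the usage line are placeholders.

```shell
#!/bin/sh
# Firmware triage helpers (added example; assumptions noted inline, not taken from the post).
set -u

# Step 1: carve the image with binwalk and unpack any JFFS2 blobs it finds.
# Assumes binwalk and jefferson are installed; prints one extracted rootfs dir per line.
unpack_firmware() {
  image=$1; outdir=$2
  command -v binwalk >/dev/null 2>&1 || { echo "binwalk not installed" >&2; return 1; }
  binwalk -e -C "$outdir" "$image" >/dev/null
  find "$outdir" -type f -name '*.jffs2' | while IFS= read -r fs; do
    if command -v jefferson >/dev/null 2>&1; then
      jefferson -d "${fs}.rootfs" "$fs" >/dev/null
      echo "${fs}.rootfs"
    else
      echo "found $fs but no JFFS2 extractor (jefferson) is installed" >&2
    fi
  done
}

# Step 2: the post says the interesting binary is "sdb", in /bin or /sbin depending on version.
find_sdb() {
  find "$1" -type f \( -path '*/bin/sdb' -o -path '*/sbin/sdb' \)
}

# Step 3: list ATT-prefixed format strings in a binary before opening a disassembler.
# grep -a treats the binary as text; -o prints each match on its own line.
grep_att_refs() {
  grep -a -o -E 'ATT[%0-9A-Za-z_]*' "$1" | LC_ALL=C sort -u
}

# SHA1 of a string as lowercase hex, using whatever digest tool is available.
sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha1sum | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    printf '%s' "$1" | shasum -a 1 | cut -d' ' -f1
  else
    printf '%s' "$1" | openssl dgst -sha1 | sed 's/.* //'
  fi
}

# Hypothesis check: is the observed password a prefix of SHA1(serial || fixed text)?
# Returns 0 on a match. The concatenation order is a guess (assumption), not the router's code.
check_sha1_hypothesis() {
  serial=$1; fixed=$2; observed=$3
  digest=$(sha1_hex "${serial}${fixed}")
  obs_lc=$(printf '%s' "$observed" | tr 'A-Z' 'a-z')
  case "$digest" in
    "$obs_lc"*) echo "match: $digest"; return 0 ;;
    *)          echo "no match: $digest"; return 1 ;;
  esac
}

# Usage: sh triage.sh firmware.bin ./out
# Then: check_sha1_hypothesis "<serial>" "<fixed text>" "<observed password>"  (placeholders)
if [ "$#" -eq 2 ]; then
  unpack_firmware "$1" "$2" | while IFS= read -r root; do
    find_sdb "$root" | while IFS= read -r bin; do
      echo "== $bin"
      grep_att_refs "$bin"
    done
  done
fi
```

Run the unpack step once, then iterate on the ATT string list and the hypothesis checker against the sample passwords in the thread; a derivation that does not reproduce at least one known serial/password pair is not worth building a keyspace around.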


RE: Keyspace List for WPA on Default Routers - by mrfancypants - 06-06-2017, 05:59 AM