Keyspace List for WPA on Default Routers
(06-17-2017, 05:13 PM)soxrok2212 Wrote: I have the firmwares extracted and file systems mounted, but only /bin is populated. There are just common linux binaries. In the past, the only relevant binaries I've found were in /lib which is empty. It seems as if we are missing something or the firmwares have been wiped of all sensitive information.

Are you looking at the file I uploaded? There should be /bin/sdb and /bin/cshell, which contain much of the default configuration logic, and a /lib/, which has the interface used to access the NVRAM (the actual access code is in the kernel space).

I also got a device (a 4111N) and I have a full filesystem dump for it.

At this point I'm about 95% sure that none of the firmwares shipped since 2013/14 or so have the code we want (not unless it is crippled and/or well hidden.) Still looking at older versions. I have some educated guesses as to how the password is generated, but I can't come up with a working algorithm. There's most likely a MD5 of either the serial number or the mfg timestamp (plus an unknown salt) involved. I'm trying to organize my thoughts and I'll put it somewhere on the web to keep this thread from getting too far off-topic.
Unless the exact algorithm can be worked out, fartboxes approach may be the best we have Sad

devilsadvocate Wrote:Let us know if you find any CIA planted backdoors in any of these firmwares.  This could get very interesting.

As I understand the leak, that's not something they'd plant in regular firmwares. That's more along the lines of uploading a modified version of firmware with spying capabilities onto an otherwise pristine device. To do that, you'd typically need to connect to the router via wi-fi first. (Which is not to say there aren't any backdoors in these firmwares.)

Messages In This Thread
RE: Keyspace List for WPA on Default Routers - by mrfancypants - 06-19-2017, 11:36 PM