06-28-2017, 03:19 AM
(This post was last modified: 06-28-2017, 03:30 AM by mrfancypants.)

I've finally worked out part of the algorithm for 589/599. Not enough to crack it (in fact, with what I worked out, it's totally possible that it's [effectively] uncrackable because they feed it from a RNG), but enough to understand how passwords are being constructed.

Consider the following. Actual parameters of a NVG599 off eBay:

SSID: ATTn3f64I2

Wireless key: nyrip9=c5bgv

Access key: 18?/72@@<3

Second SSID: vATTvb%g?<&c

Second wireless key: #h,t)0(ZUwI0

Looks random, right? Now watch:

I'll let you meditate on this for now and I'll explain later (hint: consider positions of top and bottom set bits in '7a7b...')

Consider the following. Actual parameters of a NVG599 off eBay:

SSID: ATTn3f64I2

Wireless key: nyrip9=c5bgv

Access key: 18?/72@@<3

Second SSID: vATTvb%g?<&c

Second wireless key: #h,t)0(ZUwI0

Looks random, right? Now watch:

Code:

`ssid_charset='23456789ABCDEFGHIJKMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz'`

pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'

ext_charset='!"#$%&\'()*+,-./:;<=?@[]_`{|}0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

def intpw(x):

val=0

for n in range(0,12):

val+=pw_charset.find(x[n])*(37**(11-n))

if (val%8)==7:

val+=37**12

return val

def intssid(x):

val=0

for n in range(0,7):

val+=ssid_charset.find(x[n+3])*(56**(6-n))

return val

def int_ext(x):

val=0

for n in range(0,len(x)):

val+=ext_charset.find(x[n])*(90**(len(x)-1-n))

return val

>>> '%x' % intssid('ATTn3f64I2')

'13c2a3ea400'

>>> '%x' % intpw('nyrip9=c5bgv')

'7a7b4bbbf4f69800'

>>> '%x' % int_ext("b%g?<&c")

'1f71654cac80'

>>> '%x' % int_ext("#h,t)0")

'3d6180c00'

>>> '%x' % int_ext("(ZUwI0")

'a98a65dc0'

I'll let you meditate on this for now and I'll explain later (hint: consider positions of top and bottom set bits in '7a7b...')