04-23-2018, 09:02 AM
I found those:
https://mirrors.napshome.net/ATTGatewayFirmware/
Checked several of the images; they are easily extracted with a recent version of binwalk like this:
binwalk -eM [fw.image.bin]
Of course, hw-specific info is stored in NVRAM, so there is no separate file in the image.
Those in the 599 dir come with a default ESSID in the form Frontier[last 4 bytes from SN][_5G]
Two utilities reference a function to get the WPA key: sdb and cwmpsuper (for TR-69 provisioning). This happens with system.mfg-wireless-key.
Those utilities import both md5 and sha1, also AES, so if there is an algo implemented in them, those can be used in it.
Gave a quick look, nothing interesting. Those are stripped, so it will require more digging.
For now I think the default PSK and SN are written in the factory, which is better from a security point of view. This doesn't mean we can't reduce the keyspace further, e.g. like in the Thomson case.