08-24-2018, 07:39 PM
(This post was last modified: 08-24-2018, 08:00 PM by soxrok2212.)

(06-28-2017, 03:19 AM)mrfancypants Wrote: I've finally worked out part of the algorithm for 589/599. Not enough to crack it (in fact, with what I worked out, it's totally possible that it's [effectively] uncrackable because they feed it from a RNG), but enough to understand how passwords are being constructed.

Consider the following. Actual parameters of a NVG599 off eBay:

SSID: ATTn3f64I2

Wireless key: nyrip9=c5bgv

Access key: 18?/72@@<3

Second SSID: vATTvb%g?<&c

Second wireless key: #h,t)0(ZUwI0

Looks random, right? Now watch:

Code:
```python
# Alphabets used for each field (base 56, base 37 and base 90 respectively)
ssid_charset='23456789ABCDEFGHIJKMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz'
pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'
ext_charset='!"#$%&\'()*+,-./:;<=?@[]_`{|}0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

def intpw(x):
    # 12-character wireless key read as a base-37 number, most significant char first
    val=0
    for n in range(0,12):
        val+=pw_charset.find(x[n])*(37**(11-n))
    if (val%8)==7:
        val+=37**12
    return val

def intssid(x):
    # skip the fixed 'ATT' prefix; remaining 7 chars read as a base-56 number
    val=0
    for n in range(0,7):
        val+=ssid_charset.find(x[n+3])*(56**(6-n))
    return val

def int_ext(x):
    # extended-alphabet fields read as a base-90 number of arbitrary length
    val=0
    for n in range(0,len(x)):
        val+=ext_charset.find(x[n])*(90**(len(x)-1-n))
    return val

>>> '%x' % intssid('ATTn3f64I2')
'13c2a3ea400'
>>> '%x' % intpw('nyrip9=c5bgv')
'7a7b4bbbf4f69800'
>>> '%x' % int_ext("b%g?<&c")
'1f71654cac80'
>>> '%x' % int_ext("#h,t)0")
'3d6180c00'
>>> '%x' % int_ext("(ZUwI0")
'a98a65dc0'
```

I'll let you meditate on this for now and I'll explain later (hint: consider positions of top and bottom set bits in '7a7b...')

Given that the sha1 of the serial number is used to generate the vATT SSID, there has to be a correlation if mrfancypants was able to recover everything here. The script I found is useful somehow, and sha1 with the serial HAS to be used to generate the keys.

If only we had the serial number from that eBay sticker... I *might* have a way to recover it.
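The quoted post's three encoders are the same operation on three alphabets: read the string as a big-endian number in base len(charset). The following is an added example, not code from either poster, that folds them into one `encode()` helper, reproduces the sample values from the quote, and works out the hint about the top and bottom set bits: `bit_span()` returns the index of the highest and lowest set bit of each encoded value, and `field_bits()` gives the nominal size in bits of each field's space (how much randomness a default key could carry at most). The function names `encode`, `bit_span` and `field_bits` are this example's own; the sample strings are the ones printed on the page.

```python
import math

# Alphabets as given in the quoted post (base 56, base 37, base 90)
SSID_CHARSET = '23456789ABCDEFGHIJKMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz'
PW_CHARSET = 'abcdefghijkmnpqrstuvwxyz23456789#%+=?'
EXT_CHARSET = ('!"#$%&\'()*+,-./:;<=?@[]_`{|}0123456789'
               'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz')


def encode(s, charset):
    """Read s as a big-endian number in base len(charset) (Horner's rule)."""
    base = len(charset)
    val = 0
    for ch in s:
        idx = charset.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not in the {base}-symbol alphabet")
        val = val * base + idx
    return val


def intpw(x):
    """Wireless key: 12 chars base 37, plus the post's (val % 8 == 7) adjustment."""
    if len(x) != 12:
        raise ValueError("wireless key must be exactly 12 characters")
    val = encode(x, PW_CHARSET)
    if val % 8 == 7:
        val += 37 ** 12
    return val


def intssid(x):
    """SSID: drop the fixed 'ATT' prefix, read the next 7 chars base 56."""
    return encode(x[3:10], SSID_CHARSET)


def int_ext(x):
    """Extended-alphabet fields: any length, base 90."""
    return encode(x, EXT_CHARSET)


def bit_span(val):
    """(index of top set bit, index of bottom set bit), bit 0 = least significant."""
    if val == 0:
        raise ValueError("zero has no set bits")
    top = val.bit_length() - 1
    bottom = (val & -val).bit_length() - 1   # val & -val isolates the lowest set bit
    return top, bottom


def field_bits(charset, length):
    """Nominal size of a field's value space in bits: log2(base ** length)."""
    return length * math.log2(len(charset))


# Sample parameters quoted in the post (values printed there, not constructed here)
SAMPLES = {
    'SSID':       intssid('ATTn3f64I2'),
    'wireless':   intpw('nyrip9=c5bgv'),
    'vATT suffix': int_ext('b%g?<&c'),
    'ext key 1':  int_ext('#h,t)0'),
    'ext key 2':  int_ext('(ZUwI0'),
}


def analyse(samples=SAMPLES):
    """Return {name: (hex value, top bit, bottom bit)} for each sample."""
    return {name: ('%x' % v,) + bit_span(v) for name, v in samples.items()}


if __name__ == '__main__':
    print(f"wireless key space: {field_bits(PW_CHARSET, 12):.1f} bits, "
          f"SSID suffix space: {field_bits(SSID_CHARSET, 7):.1f} bits")
    for name, (hx, top, bottom) in analyse().items():
        print(f"{name:12s} 0x{hx:>16s}  top bit {top:2d}  bottom bit {bottom:2d}")
```

The point of `bit_span()` is the hint in the quote: the encoded wireless key 0x7a7b4bbbf4f69800 has its lowest set bit at position 11 and its highest at 62, so only the bits in between can vary, far fewer than the roughly 62.5 bits that twelve base-37 characters could in principle hold. Whether the remaining bits are actually random is what the thread is trying to settle.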