hashcat Forum - User Contributions

Verizon Fios - wordlists

Mon, 23 Feb 2026 12:17:14 +0000

Hi,
I case anyone is interested. I have the most updated 3 - 7 letter wordlists for Verizon Fios routers.
And 8 - 9 in next post.
Here they are.

  5lista.txt (Size: 21.32 KB / Downloads: 16)

  4lista.txt (Size: 28.89 KB / Downloads: 9)

  6lista.txt (Size: 23.26 KB / Downloads: 9)

  3lista.txt (Size: 7.23 KB / Downloads: 8)

  7lista.txt (Size: 7.29 KB / Downloads: 7)

GUI For Hashcat

Thu, 01 Jan 2026 06:15:41 +0000

Real-time Dashboard: Monitor hashrates, progress, and recovered hashes live via WebSockets.
Remote Access: Securely share your instance over the web via Zrok tunnels to control it remotely.
Security: Supports optional username/password protection.
Hash Extractor: Extracts crackable hashes directly from Archives (7-Zip, etc.), Documents, Wallets, and System files.
Job Queue System: Queue up multiple attacks (Wordlist, Mask, Hybrid, etc.) and let Reactor process them sequentially automatically.
Advanced Insights (PACK): Integrated Password Analysis and Cracking Kit implementation. Analyzes your cracked hashes to generate optimized masks, identify top password patterns, charsets, and entropy data.
Smart Potfile Management:
Pre-Crack Analysis: Check target lists against your potfile before starting an attack to see what is already cracked.
Interactive Terminal: Full pseudo-terminal (PTY) access to the underlying shell for manual overrides or running custom Hashcat commands directly from the GUI.
Multi-Language Support: Fully localized interface available in English and Chinese (中文).
Hardware Monitoring: Real-time GPU temperature and power usage tracking.
Note: Power draw metrics currently support NVIDIA GPUs only via nvidia-smi.
Escrow Integration & Auto-Uploads:
Built-in module to submit cracked hashes to remote escrow APIs (hashes.com).
Auto-Upload: Automatically upload recovered hashes when a set threshold is reached (e.g., every 10 hashes). Features smart detection to match running sessions to the correct Hashes.com algorithm ID.
Session History: Tracks all past attacks, their configurations, and success rates for future reference.

Github: https://github.com/jjsvs/Hashcat-Reactor

  dashboard.png (Size: 377.91 KB / Downloads: 17)

  hash_extractor.png (Size: 286.72 KB / Downloads: 4)

  remote_access.png (Size: 267 KB / Downloads: 4)

  screenshot-36.png (Size: 298.48 KB / Downloads: 5)

  screenshot-37.png (Size: 98.83 KB / Downloads: 3)

metamask2hashcat update

Mon, 20 Oct 2025 13:42:24 +0000

I updated the script metamask2hashcat: did some error handling, added a new command to extract the hash from a Chromium-extension and added a new command to inspect the raw content in the rare case that a vault (mobile) is malformed.

There is a little remark to make: I added the levelDB-parser "plyvel", but it's only compatible with Python 3.12 or lower. Couldn't find another solution for now.

So...the updatet script is now compatible with vaults from Firefox, extension-folder from Chromium and persist-root from mobile phones.

You can find it at my fork: https://github.com/Banaanhangwagen/hashc...hashcat.py

More than happy to get feedback or suggestions to improve it, and maybe PR it to Hashcat-repo...

Wallpapers

Fri, 26 Sep 2025 06:36:05 +0000

Hello everybody,

based on the Work of the User pragmatic, who posted the Hashcat Logo as an SVG a view Years ago, I have created a simple Wallpaper. The Wallpaper comes in two Screen Ratios, 16:9 and 16:10. The 16:9 Version is 4k and the 16:10 Version is 5k so it should look sharp even on larger Screens with High Resolution.

I've put the Wallpaper on Github as the Filesize is larger than the Upload Limit of the Board. The Wallpaper can be found here: GitHub Hashcat Wallpaper

Hope, someone finds it usefull.

Hashcat benchmark comparator

Tue, 15 Jul 2025 18:17:02 +0000

I recently developed a mini-suite of tools to process and compare hashcat benchmarks. The original intent was comparing the performance between using CUDA directly and using OpenCL.

The code is available on GitHub if anyone wants to use or review it/laugh at my code. It's written mostly in python, to parse, process and compare the hashcat results, and shell/bash, a single script to generate the benchmarks.

While doing the tests, I found some interesting diffs between the git version (v6.2.6-1320-g4a6b538b4+) and the release version on the Arch Linux repository (v6.2.6).

Comparing performance on the CUDA backend of both versions, where difference >50%:

Code:
{

  "old": [

    "LastPass + LastPass sniffed -> 19167.27%",

    "PKZIP (Compressed) -> 374.74%"

  ],

  "new": [

    "AIX {ssha1} -> 103.98%",

    "Cisco-IOS $9$ (scrypt) -> 60.05%",

    "PDF 1.4 - 1.6 (Acrobat 5 - 8) -> 57.46%",

    "Blockchain, My Wallet -> 192.90%",

    "DPAPI masterkey file v2 (context 3) -> 90.91%",

    "QNX /etc/shadow (MD5) -> 57.53%",

    "WPA-PMK-PMKID+EAPOL -> 464.19%",

    "Mozilla key3.db -> 287.52%",

    "NetNTLMv1 / NetNTLMv1+ESS (NT) -> 580.83%",

    "NetNTLMv2 (NT) -> 410.81%",

    "Flask Session Cookie ($salt.$salt.$pass) -> 263.46%"

  ]

}

This may be subject to quirks of my GPU (Nvidia GTX 1660), CPU (AMD Ryzen 7 3700X) and temperature fluctuations (the tests were run on my personal desktop). To normalize the data, I ran 5 sequential benchmarks for each hash type, with the "--benchmark-all" flag.

The full results are in a gist here: https://gist.github.com/whoisroot/5498a5...b8bc6646d4

Dahua remote authentication

Sat, 05 Apr 2025 07:16:00 +0000

Hi, guys.
I have a shopcam DHI-XVR5116HE. There is an application DMSS to manage it and see screenshots and etc .
I have udp packets from app.
Using wireshark I have found certain interesting string:

NFPOST /device/3D011F0 /p2p-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: 2088966071
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="y70nnRaOAk9Pbc1cz8L8esO9ph8=", Nonce="1552662507", Created="2025-04-04T15:17:40+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 532
Content-MD5: 832f1c7f19bd8fe62e423770083c80de

NFPOST /device/3D011F0 /relay-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: -562956295
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="wg6ud9Lw7o1p/uPhm37jf1Lchv8=", Nonce="-2106309976", Created="2025-04-04T15:17:42+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 330
Content-MD5: e2a3b2f84d59e1c7ed8966bd48c7d8de

3FB7F9E6-BE74-4A47-9A95- :377771743769062QiU5g5MwLhAED8WxIRHM+nykTeS69S5fNcwRDar43oM=1437081999fullacs

6.2.0

128.14.231.148:464081.1.0NFPOST /device/3D011F0PAE00039/relay-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: -562956295
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="0NXzm3+vygDq5Tqyj3duHhuPGTM=", Nonce="-1753810627", Created="2025-04 04T15:17:43+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 330
Content-MD5: 1d044b86f5a205cbb1a0c76fe408756f

I define the way PasswordDigest string created:

Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

Can I use hashcat to get a password and in what way?

Verizon Fios G3100 and E3200 Research

Thu, 03 Apr 2025 16:54:35 +0000

I recently discovered how easy it was to crack my Netgear default password. That thrill led me to turn my attention to my Fios G3100. However, this has turned out to be a much worthier adversary. Boredom and a bit of tenacity has led me down a winding path, but here is where I am at so far in my research.

The G3100 and E3200 routers are distributed by Verizon. Per usual, the sticker on the back of the unit has the necessary information. I wrote a small python script to scrape Ebay and FB listings and collect all of the associated images. A second script sorts the images using computer vision and OCR to detect the QR code or relevant text. I then personally process the good images to collect the useful information, whenever possible I use the QR code as it is the most trustworthy data to read. Thus far, I have collected over 230+ complete records, as well as saving the images for verification.

FiosG3100andE3200.xlsx (Size: 43.08 KB / Downloads: 12)
Link to Ref_Images.zip (this is a temporary free file sharing link, dm me if it expires)

From this sample we can gain some info on the G3100 key space:

MAC address starting with 04.A2.22 are the oldest and have 16 character passwords
SSID is Fios-XXXXX where X is any char <0-9>
SSID Passwords follow format (ex: met8sonata868elm)
Admin Passwords are 16 characters and follow a format (ex: stubble16crowded)
MAC address starting with B8:F8:53 are mixed and may have 15 or 16 character passwords
SSID is Fios-XXXXX where X is any char <0-9>
SSID Passwords follow format (ex: moat288nit48pug)
Admin Passwords are 16 characters and follow a format (ex: chopper86notably)
MAC address starting with 3C.BD.C5 are the newest and have 15 character passwords
SSID is Fios-XXXXX where X is any char <0-9>
or Verizon_XXXXXX where X is any char <0-9>
SSID Passwords for “Fios” networks follow format (ex: range36vex77toy)
or “Verizon” networks follow -- with a single digit at the end of one word (ex: miry9-elm-north)
Admin Passwords for “Fios” network are 16 characters and follow a format (ex: unusual53smelter)
or “Verizon” networks are 9 characters that are <0-9> (ex: Z79KGSX4T)
Note: 0 and 1 are not seen in sample

From this sample we can gain some info on the E3200 key space:

MAC address starting with 04.A2.22 are the oldest and have 16 character passwords
SSID is E3200-XXXXX where X is any char <0-9>
SSID Passwords follow format (ex: nylon88wit657aye)
Admin Passwords are 16 characters and follow a format (ex: ritual236auction)
MAC address starting with B8:F8:53 are mixed and may have 15 or 16 character passwords
SSID is E3200-XXXXX where X is any char <0-9>
SSID Passwords follow format (ex: mach92see36flat)
Admin Passwords are 16 characters and follow a format (ex: seraph497lantern)
MAC address starting with 3C.BD.C5 have 15 character passwords
SSID is Verizon_XXXXXX where X is any char <0-9>
SSID Passwords follow -- with a single digit at the end of one word (ex: tenth-ben6-vend)
Admin Passwords are are 9 characters that are <0-9> (ex: 3JB94H6CQ)
Note: 0 and 1 are not seen in sample
MAC address starting with DC.F5.1B are the newest and have 15 character passwords
SSID is Verizon_XXXXXX where X is any char <0-9>
SSID Passwords follow -- with a single digit at the end of one word (ex: plush-fast3-con)
Admin Passwords are are 9 characters that are <0-9> (ex: QVB734TKL)
Note: 0 and 1 are not seen in sample

From this sample we can gain some other info:

Password are between 3-7 characters for SSID Password
Password are between 1-4 digits
There are 3 HW version (1102, 1103, 1104)
Serial #’s are 16 digits (except for the most recent E3200 which have 11)
Shipped firmware ranges from 1.3.5.1 to 3.1.1.16
There are the 568 unique words extracted from the passwords:

Code:
add

aft

ago

aim

air

ait

alp

ape

ark

art

ash

ask

awe

aye

bat

bay

bed

bee

beg

ben

bet

bid

biz

boa

bog

bot

bow

bug

bun

bus

bye

cat

caw

cif

cob

con

cot

cub

cud

cup

cut

dab

dad

dam

daw

day

del

dew

dia

did

dig

dit

doe

dos

due

dun

ear

eeg

ego

eke

elk

elm

end

fad

fat

fax

fay

fed

fee

fen

few

fez

fib

fig

fin

fir

fit

fob

fog

fop

for

fox

fro

gad

gap

gel

gem

gen

gig

gin

gnp

gnu

got

gut

had

han

has

hat

hew

hey

hid

hie

him

hin

hit

hod

hub

hue

hum

ice

icy

jab

jag

jam

jaw

jet

jib

jog

joy

jus

lab

law

lay

let

mad

may

met

mil

mix

mod

mow

mud

mug

mum

nag

naw

new

nib

nip

nit

nod

non

not

now

oak

oar

odd

ode

oil

one

ope

opt

ork

out

owl

pal

paw

pay

pea

pet

pit

pod

pug

pun

pup

put

ram

ran

rap

raw

ray

ree

ret

rid

rna

roe

rug

run

rut

rye

sat

say

see

set

sew

sir

sit

six

sly

sou

sow

soy

spa

sum

sun

sup

tag

tap

tax

tee

too

tot

toy

tun

ush

vex

vie

vim

wad

was

wax

web

wed

why

wig

win

wit

woe

won

woo

wry

yak

yam

yea

yes

yet

yon

you

zap

zoo

abbe

aery

agog

alas

alga

allo

arms

atom

back

bake

beak

been

beep

bits

boar

bolt

bone

book

boss

bred

brew

brow

cafe

cape

cart

cast

cene

cere

cham

char

cloy

copy

crib

cuff

dark

dear

deny

dewy

dial

dine

dint

dock

doff

dory

doth

drub

dump

dust

each

ever

exam

fade

fame

fare

fast

fawn

feet

felt

fine

flat

flaw

flit

form

fund

fuss

gage

gain

gall

gate

gent

golf

grab

gray

grey

grim

hair

hake

halt

hasp

have

hawk

held

hide

high

holm

hone

hoot

hour

huff

hung

ibis

iron

jibe

jill

june

kale

kidd

kirk

knit

knot

lack

lead

lean

lend

lens

less

lump

mach

mama

mass

meat

mica

mint

miry

moat

mood

myth

nail

name

nice

nigh

nite

oboe

oily

ouch

over

paid

pail

pant

pelf

pell

pelt

pert

plan

plot

plus

pool

pram

push

quiz

raze

rill

ripe

roar

rome

roof

rook

ruby

rush

sage

sale

self

shed

sign

sill

skim

slop

slue

slug

soap

solo

spin

stir

swam

swap

tare

tele

tell

than

then

they

tidy

tier

ting

tout

tram

trod

tron

tune

type

upon

vain

vane

vend

vide

vine

wain

wait

wake

wane

want

wash

wavy

what

whom

will

wind

wing

wire

wisp

wood

yard

yeah

yell

yelp

yond

zest

acute

amaze

angel

apace

basic

begot

bough

brush

camel

carry

chase

clean

clump

coach

cocky

combe

comet

coney

could

crate

creak

credo

cress

crock

crone

demur

deter

divan

douse

drily

eater

elope

enact

endow

favor

fifth

fifty

finny

flock

floor

floss

flown

focal

focus

forte

froth

fuzzy

games

gorse

guise

hoary

hobby

hutch

inapt

inner

jewel

mayor

meant

mense

mixed

moose

muddy

mulct

niter

north

nylon

order

papal

pivot

plait

plumy

plush

poser

price

quard

quell

quest

range

rapid

rayon

sales

salon

salty

scend

scope

scour

sense

shack

sixty

smack

snips

snort

spark

spent

steep

stiff

swell

synod

taper

tarry

tempt

tenth

thank

tinge

today

trace

track

tract

trade

trawl

trend

tweet

tyler

vague

verse

vetch

vital

whose

witty

woman

worse

wrist

behove

bethel

german

iodine

pallor

remove

sonata

bloated

sweater

Although there is a lot of useful information collected in the sample, it is still a fairly large key space. With that in mind I decided to take my first dives into firmware analysis, which of course requires some firmware. Looking online, I was able to find a single reddit post that linked to g3100 firmware version 3.2.0.15. With a lot more digging, I was able to find posts with links to firmware for other devices. Using this information I wrote another script to try to find additional firmware. Here’s what I've found, many of these are the first time posted online I believe.

https://cpe-ems34.verizon.com/firmware/g....0.0.6.bin
https://cpe-ems34.verizon.com/firmware/g...1.1.17.bin
https://cpe-ems34.verizon.com/firmware/g...1.1.18.bin
https://cpe-ems34.verizon.com/firmware/g...2.0.11.bin
https://cpe-ems34.verizon.com/firmware/B...2.0.13.bin
https://cpe-ems34.verizon.com/firmware/B...2.0.14.bin
https://cpe-ems34.verizon.com/firmware/B...2.0.15.bin
https://cpe-ems34.verizon.com/firmware/B...loader.bin
https://cpe-ems34.verizon.com/firmware/B...loader.bin
https://cpe-ems34.verizon.com/firmware/B...loader.bin
https://cpe-ems34.verizon.com/firmware/B...loader.bin

All of the links I found online for Verizon G3100, E3200, and CR1000 all used the cpe-ems34 link. I did find some other routers that were using different servers such as cpe-ems20 and cpe-ems31. Further investigation lead to this site showing all of the Verizon subdomains, which there are a ton of cpe-ems domains.

I tried my script with a few such as 31, 33, 43, however nothing new was turned up.
https://cpe-ems33.verizon.com/firmware/g...1.1.17.bin
https://cpe-ems34.verizon.com/firmware/g...2.0.15.bin

I tried binwalk on the first firmware I found (3.2.0.15), and while it extracts the file system, none of the files were readable for me. The entropy graph shows that only a small part is encrypted, so I am a bit confused. My next step is to try to mount it in a VM Linux since I only have Mac and RPI for testing.

g3100_fw_3.2.0.15.bin.png (Size: 75.17 KB / Downloads: 3)

This is what led me to looking for older firmware, however using binwalk on 2.0.0.6 gives me similar results. I know that there should be at least 2 more older firmware 1.3.6.27 and 1.5.0.10 but I have not been able to locate them.

g3100_fw_2.0.0.6.bin.png (Size: 79.38 KB / Downloads: 1)

The possibility of firmware encryption led me to look at physical access of the device. After some quick soldering, I connected to the UART. Unfortunately this did not lead to a shell either, but did provide a bit more information. Referencing some of the output online, I found someone else who also connected this way and had a longer output (possibly because of older firmware?).

Code:
BTRM

V1.0

R1.0

L1CD

MMUI

MMU9

DATA

ZBBS

MAIN

OTP?

REF?

REFP

RTF?

RTFP

OTPP

FSBT

NAND

IMG?

IMGL

UHD?

UHDP

RLO?

RLOP

AHD?

ROT?

ROTA

MID?

MIDP

AHDP

SBI?

SBIA

PASS

----

U-Boot SPL 2019.07 (Oct 31 2023 - 03:52:42 -0400)

Strap register: 0x53008176

Board is FLD secure

$SPL: 5.04L.02@419765 $

nand flash device id 0x98d39126, total size 1024MB

block size 256KB, page size 4096 bytes, spare area 216 bytes

ECC BCH-8 

FFinit done

find magic number 0x75456e76 at address 0x100000

FFinit find magic number 0xcb00cb at address 0x114000

reading blob from 0x114000 offset 0x26c len 608

digest sha256 OK

FFinit find magic number 0x64447233 at address 0x105000

reading blob from 0x105000 offset 0xc len 59888

digest sha256 OK

mcb selector 0x1427 checksum 0x722c322d safe_mode 0

U-Boot DDR standalone 2019.07 (Jul 25 2021 - 18:43:37 -0700) Build: 5.04L.02@348603

MemsysInit hpg0_generic_aarch64 3.5.1.1 20171009

DDR3

8267D980 80180000 801A0000 00000000 00000000 0020476E

MCB rev=0x00000501 Ref ID=0x0476E Sub Bld=0x002

Dram Timing 11-11-11

start of memsys_begin

mc_cfg_init(): Initialize the default values on mc_cfg

init_memc_dram_profile(): Initializing MEMC DRAM profile

---------------------------------------------------------------

MEMC DRAM profile (memc_dram_profile_struct) values:

  dram_type    = DDR3

====================================================

PART values:

  part_speed_grade    = 1600 CL11 

  part_size_Mbits    = 4096 (DRAM size in MegaBits)

  part_row_bits      = 15 (number of row bits)

  part_col_bits      = 10 (number of column bits)

  part_ba_bits        = 3 (number of bank bits)

  part_width_bits    = 16 (DRAM width in bits)

NUMER OF PARTS:

  part_num            = 1 (Number of parts)

TOTAL values:

  total_size_Mbits    = 4096 (DRAM size in MegaBits)

  total_cs_bits      = 0 (number of cs bits, for dual_rank mode)

  total_width_bits    = 16 (DRAM width in bits)

  total_burst_bytes  = 16 (Number of bytes per DRAM access)

  total_max_byte_addr = 0x1fffffff (Maximum/last DRAM byte address)

                        (Number of bits in total_max_byte_addr is 29)

                        (i.e. total_max_byte_addr goes from bit 0 to bit 28)

  ddr_2T_mode        = 0

  ddr_hdp_mode        = 1

  large_page          = 1

  ddr_dual_rank      = 0

  cs_mode            = 0

MEMC timing (memc_dram_timing_cfg_struct) values:

====================================================

  MC_CHN_TIM_TIM1_0 register fields:

    tCwl  = 8

    tRP    = 11

    tCL    = 11

    tRCD  = 11

  MC_CHN_TIM_TIM1_1 register fields:

    tCCD_L = 4

    tCCD  = 4

    tRRD_L = 6

    tRRD  = 6

  MC_CHN_TIM_TIM1_2 register fields:

    tFAW  = 32

    tRTP  = 6

    tRCr  = 39

  MC_CHN_TIM_TIM1_3 register fields:

    tWTR_L = 6

    tWTR  = 6

    tWR_L  = 12

    tWR    = 12

  MC_CHN_TIM_TIM2 register fields:

    tR2R  = 0

    tR2W  = 2

    tW2R  = 2

    tW2W  = 0

    tAL    = 0

    tRFC  = 208

====================================================

%1 SSC enabled

Poll PHY Status register

PHY Status= 1

Disable Auto-Refresh

[0000000080180200] = 0x00000305

End of memsys_begin

Add/Ctl Alignment

Coarse Adj=0x087 deg, cmd steps=0x0DC

reg 0x801A0090 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A0094 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A0098 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A009C set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00A0 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00A4 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00A8 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00AC set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00B0 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00B4 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00B8 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00BC set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00C0 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00C4 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00C8 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00CC set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00D0 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00D4 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00D8 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00DC set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00E0 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00E4 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00E8 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00EC set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00F0 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00F4 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00F8 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A00FC set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A0100 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A0108 set to VDL 0x054 with Fine Adj=0x01 deg

reg 0x801A010C set to VDL 0x054 with Fine Adj=0x01 deg

HP RX TRIM

itrim = 0x0

lstrim = 0x9

ZQ Cal HP PHY

R in Ohm

P: Finger=0x318 Term=0x71 Drv=0x28

N: Finger=0x2A6 Term=0x71 Drv=0x28

PLL Ref(Hz)=0x02FAF080 UI STEPS=0x06E

DDR CLK(MHz)=0x31B WL CLK dly(ps)=0x0C8 bitT(ps)=0x274 VDLsize(fs)=0x164D CLK_VDL=0x023

start of memc_init

[0000000080180004] = 0x0110061f

[0000000080180234] = 0x00001101

Enable Auto-Refresh

[0000000080180110] = 0x11100f0e

[0000000080180114] = 0x15141312

[0000000080180118] = 0x19181716

[000000008018011c] = 0x001c1b1a

[0000000080180124] = 0x04000000

[0000000080180128] = 0x08070605

[000000008018012c] = 0x00000a09

[0000000080180134] = 0x000d0c0b

Writing to MC_CHN_CFG_CNFG reg; data=0x00000000

[0000000080180100] = 0x00000000

cfg_memc_timing_ctrl() Called

[0000000080180214] = 0x080b0b0b

[0000000080180218] = 0x04040606

[000000008018021c] = 0x20000627

[0000000080180220] = 0x06060c0c

[0000000080180224] = 0x120000d0

End of memc_init

start of pre_shmoo

[0000000080180004] = 0xc110071f

end of pre_shmoo

SHMOO 28nm

801A0000 80180800 00000000 00020000 00000000

Shmoo WL

One UI Steps : 0x7B

auto-clk result = 01B (filter=0C steps)

initial CLK shift = 023

final CLK shift  = 01B

  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111

  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222

  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012

00 S-------------------X------------------------------------------------------------------------------------------------------

01 S-----------X--------------------------------------------------------------------------------------------------------------

Shmoo RD En

FORCED WR ODT = 0x00001800

DQSN DRIVE PAD CONTROL (from) (to)

B0 00039A91 00079A91

B1 00039A91 00079A91

B0 RISE UI=1 VDL=1B PICK UI=2 VDL=1B

B1 RISE UI=1 VDL=28 PICK UI=2 VDL=28

  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111

  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222

  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012

00 --S-----------------+---+++X+++++++++++++++--------------------------------------------------------------------------------

01 --S-----------------------------+----++-X+++++++++++++++-------------------------------------------------------------------

Shmoo RD DQ NP

DQS :

B0 VDL=6E ok

B1 VDL=6E ok

  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111

  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222

  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012

00 ---------------------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++-------

01 ---------------+++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++---------

02 ------------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---------

03 ----------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++-----------------

04 --------------+++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++-----------------

05 ------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---------------

06 ------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-------------

07 --------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++--------------------

08 ------------------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---

09 -----------------------++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---

10 -------------------+++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-----

11 --------------------+++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++---

12 -----------------+++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++------

13 ----------------++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++-----

14 --------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-----------

15 ------------------++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++---

Shmoo RD DQ P

  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111

  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222

  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012

00 ---------------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++------

01 ---------------+++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++-----

02 -------------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++------

03 ---------++++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++-------------

04 --------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++-------------

05 ------------+++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++-----------

06 ------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-------------

07 --------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-----------------

08 ------------------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-

09 -----------------------++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---

10 -------------------+++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-----

11 --------------------+++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++---

12 -----------------+++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-------

13 ---------------++++++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++++---

14 --------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-----------

15 -----------------+++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++---

Shmoo RD DQ N

  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111

  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222

  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012

00 ------------------+-+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++-------

01 ----------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++---------

02 ------------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---------

03 ---------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++------------------

04 ------------++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++-----------------

05 -----------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++--------------

06 -----------+++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-------------

07 -----++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++--------------------

08 ------------------------++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++--

09 ---------------------++++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++-

10 ------------------+++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++-----

11 ------------------+++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++--

12 ---------------++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++------

13 ----------------++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++-----

14 ------------++++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++----------

15 ------------------++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++---

RD DQS adjustments :

BL0: Start: 0x6E Final: 0x6E

BL1: Start: 0x6E Final: 0x6E

Shmoo WR DQ

  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111

  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222

  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012

00 ------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---------------

01 ----------+++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++---------------------

02 ------------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++----------------

03 ---+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++------------------------

04 ---------+++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++-----------------------

05 --------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++--------------------

06 -----------++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++------------------

07 ---+++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++-----------------------------

08 ---------------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++-------------

09 ---------------++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++---------------

10 -----------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++----------------

11 -----------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++-----------------

12 -----------+++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++--------------------

13 -----------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++-----------------

14 ----+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++------------------------

15 ------------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++----------------

Shmoo WR DM

WR DM

  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111

  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222

  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012

00 -------++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++-----------------------

01 --------++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++------------------

start of memsys_end

[0000000080180004] = 0x8110071f

[0000000080180010] = 0x00000009

end of memsys_end

DDR test done successfully

FFinit find magic number 0x75456e76 at address 0x100000

FFinit find magic number 0x74506c21 at address 0x140000

reading blob from 0x140000 offset 0xc len 163741

digest sha256 OK

U-Boot TPL 2019.07 (Oct 31 2023 - 03:52:39 -0400)

Board is FLD secure

$TPL: 5.04L.02@419765 $

CPU Clock: 1500MHz

IMAGE is NAND

Trying to boot from NAND

nand flash device id 0x98d39126, total size 1024MB

block size 256KB, page size 4096 bytes, spare area 216 bytes

ECC BCH-8 

image from 2097152 to 315621376

brcmnand_read_buf(): Attempt to read bad nand block 760

brcmnand_read_buf(): Attempt to read bad nand block 762

brcmnand_read_buf(): Attempt to read bad nand block 768

brcmnand_read_buf(): Attempt to read bad nand block 770

brcmnand_read_buf(): Attempt to read bad nand block 772

brcmnand_read_buf(): Attempt to read bad nand block 780

brcmnand_read_buf(): Attempt to read bad nand block 782

RESET STATUS is 0x80000000

SELECTED Image 1 FIT_VOL_ID is 3

brcmnand_read_buf(): Attempt to read bad nand block 760

brcmnand_read_buf(): Attempt to read bad nand block 762

brcmnand_read_buf(): Attempt to read bad nand block 768

brcmnand_read_buf(): Attempt to read bad nand block 770

brcmnand_read_buf(): Attempt to read bad nand block 772

brcmnand_read_buf(): Attempt to read bad nand block 780

brcmnand_read_buf(): Attempt to read bad nand block 782

Found FIT format U-Boot

tpl_load_read: sector 7000000, count 3194, buf 0000000007000000

tpl_load_read: sector 7000000, count 4192, buf 0000000007000000

fit read sector 7000000, sectors=16786, dst=0000000007000000, count=16786, size=0x4192

FIT Header Authentication Successfull!

INFO: Found disabled /trust/anti-rollback node!

INFO: Found /trust/hw_state node in fit

tpl_load_read: sector 7003680, count 8028, buf 0000000000004000

## Checking hash(es) for Image atf ... sha256+ OK

tpl_load_read: sector 700b680, count 27fc80, buf 0000000001000000

## Checking hash(es) for Image uboot ... sha256+ OK

tpl_load_read: sector 76ea1c0, count c5be, buf 000000000127fc80

## Checking hash(es) for Image fdt_VERIZON-G3100 ... sha256+ OK

INFO: Creating //trust

INFO: Creating /trust/antirollback_lvl

INFO: Adding exported item node antirollback_lvl to dtb, size:4

INFO: Creating /trust/brcm_pub_key

INFO: Adding exported item node brcm_pub_key to dtb, size:256

U-Boot 2019.07 (Oct 31 2023 - 03:52:45 -0400), Build: 5.04L.02@419765

Model: VERIZON-G3100

DRAM:  512 MiB

max supported leds 32[32]

Serial LED interface found num shifters 2 [2] serial data polarity low 0

BCA LED Controller initialized

HW led 3 registered

HW led 4 registered

HW led 5 registered

HW led 6 registered

HW led 7 registered

HW led 8 registered

HW led 9 registered

HW led 10 registered

SW led 0 registered

SW led 1 registered

SW led 2 registered

SW led 11 registered

SW led 12 registered

SW led 13 registered

SW led 14 registered

SW led 15 registered

Dump Current setting of SWREGs

1.0D, reg=0x00, val=0xc690

1.0D, reg=0x01, val=0x0d06

1.0D, reg=0x02, val=0xcb12

1.0D, reg=0x03, val=0x5372

1.0D, reg=0x04, val=0x0000

1.0D, reg=0x05, val=0x0702

1.0D, reg=0x06, val=0xb000

1.0D, reg=0x07, val=0x0029

1.0D, reg=0x08, val=0x0c02

1.0D, reg=0x09, val=0x0071

1.8 , reg=0x00, val=0xc690

1.8 , reg=0x01, val=0x0d06

1.8 , reg=0x02, val=0xcb12

1.8 , reg=0x03, val=0x5370

1.8 , reg=0x04, val=0x0000

1.8 , reg=0x05, val=0x0702

1.8 , reg=0x06, val=0xb000

1.8 , reg=0x07, val=0x0029

1.8 , reg=0x08, val=0x0c02

1.8 , reg=0x09, val=0x0071

1.5 , reg=0x00, val=0xc690

1.5 , reg=0x01, val=0x0d06

1.5 , reg=0x02, val=0xcb12

1.5 , reg=0x03, val=0x5370

1.5 , reg=0x04, val=0x0000

1.5 , reg=0x05, val=0x0702

1.5 , reg=0x06, val=0xb000

1.5 , reg=0x07, val=0x0029

1.5 , reg=0x08, val=0x0c02

1.5 , reg=0x09, val=0x0071

1.0A, reg=0x00, val=0xc690

1.0A, reg=0x01, val=0x0d06

1.0A, reg=0x02, val=0xcb12

1.0A, reg=0x03, val=0x5370

1.0A, reg=0x04, val=0x0000

1.0A, reg=0x05, val=0x0702

1.0A, reg=0x06, val=0xb000

1.0A, reg=0x07, val=0x0029

1.0A, reg=0x08, val=0x0c02

1.0A, reg=0x09, val=0x0071

Take PMC out of reset

waiting for PMC finish booting

PMC rev: 3.4.1.427360 running

pmc_init:PMC using DQM mode

Chip ID: BCM68369_B1

Broadcom B53 Dual Core: 1500MHz

RDP: 1400MHz

$Uboot: 5.04L.02@419765 $

WDT:  Started with servicing (80s timeout)

NAND:  1024 MiB

MMC:  sdhci: 0

Loading Environment from BOOT_MAGIC... ENV_BOOT_MAGIC_LOAD

found magic at 100000

good crc

resize from 16384 to 8192

OK

In:    serial0

Out:  serial0

Err:  serial0

Board is FLD secure

INFO: Can't find /trust/fit-aes1 node in boot DTB!

Now we are in UBOOT proper

HTTPD: ready for starting

boot_device is NAND

Net:  Using MAC Address b8:f8:53:0b:1d:01

eth0: switch0

No size specified -> Using max size (7300992)

Read 7300992 bytes from volume bootfs1 to 0000000002000000

FIT Header Authentication Successfull!

Read 4 bytes from volume rootfs1 to 000000001dd40664

## Loading kernel from FIT Image at 02000000 ...

  Using 'conf_lx_VERIZON-G3100' configuration

  Verifying Hash Integrity ... OK

  Trying 'kernel' kernel subimage

    Description:  4.19 kernel

    Type:        Kernel Image

    Compression:  lzma compressed

    Data Start:  0x0228c800

    Data Size:    3461392 Bytes = 3.3 MiB

    Architecture: AArch64

    OS:          Linux

    Load Address: 0x00100000

    Entry Point:  0x00100000

    Hash algo:    sha256

    Hash value:  77e40836ec218fa969f9d2bd572115ed9a7ef008cc75bfec4912354ce78a6349

  Verifying Hash Integrity ... sha256+ OK

## Loading fdt from FIT Image at 02000000 ...

  Using 'conf_lx_VERIZON-G3100' configuration

  Verifying Hash Integrity ... OK

  Trying 'fdt_VERIZON-G3100' fdt subimage

    Description:  dtb

    Type:        Flat Device Tree

    Compression:  uncompressed

    Data Start:  0x026ea1c4

    Data Size:    50618 Bytes = 49.4 KiB

    Architecture: AArch64

    Hash algo:    sha256

    Hash value:  c50470d2e693ebcd7dd68e42cc1de0ace24ccc30766e9c36d08c6b4462fa2e53

  Verifying Hash Integrity ... sha256+ OK

  Booting using the fdt blob at 0x26ea1c4

ARCADYAN: Authenticating vmlinux ...

ARCADYAN: Authenticating vmlinux pass

ARCADYAN: Decrypting kernel image ...

ARCADYAN: Decrypting kernel image done

  Uncompressing Kernel Image ... OK

ERROR: reserving fdt memory region failed (addr=1b400000 size=4c00000)

  Loading Device Tree to 0000000007f73000, end 0000000007fff5b9 ... OK

RSVD: not found enrty for adsl

RSVD: not found enrty for bufmem

RSVD: not found enrty for rnrmem

RSVD: Allocated for rdp1    64MB

RSVD: Allocated for rdp2    8MB

RSVD: Allocated for dhd0    11MB

RSVD: Allocated for dhd1    11MB

RSVD: Allocated for dhd2    11MB

RSVD: Total 0x06c00000 bytes CMA reserved memory @ 0x19400000

appending extra boot args to linux boot command line:

  mtdparts=brcmnand.0:2097152(loader),313524224@2097152(image),8388608@315621376(misc1),1048576@324009984(misc3),709885952@325058560(data),28311552@1034944512(owl),1048576@1063256064(mtdoops),2097152@1064304640(license),2097152@1066401792(certificate),1048576@1068498944(pri

Starting kernel ...

D%G

My device is currently running firmware 3.4.0.9, which I tried to revert to any previous version. I found a reference to a “hidden” admin page to update firmware at https://192.168.1.1/#/firmware_upgrade, but none of the firmware I downloaded would work (I think due to anti rollback).

So this is where I am currently stuck. I doubt that the key generation algorithm is on the device. However, if anyone is able to make sense of the serial output that might help unlock the firmware, I would love to just have a look around for curiosity sake. I will try to periodically scrape and update the password file, I originally thought it would have more entries by now.

Next Steps:

Analyze the data set to try to reduce key space (unused characters, common words, find the wordlist?)
Collect more complete entries for the dataset
Try to mount file system (ubi.img) in a proper Linux environment
Try to find older firmware

Backref.jpeg (Size: 50 KB / Downloads: 238)

a DIY wordlist generator

Tue, 15 Oct 2024 01:11:21 +0000

Hi,

Introduction

A little contributation to whom may be interested to make their own wordlist, with continuous update, lightweight and simple as hell

The idea behind it was to find a (almost) limitless source of english words with constant update. As the english language continually evolve, having a "tool" to generate new words make sense.

The generator will use as source wikipedia, in particular the random article : https://en.wikipedia.org/wiki/Special:Random

This page on trigger, will redirect to a random article.

This could work on Windows, though the following instruction are for Linux (but definitively adaptable for Windows)

Getting Ready and Started

Create a new directory and go into

Code:
mkdir scrap && cd scrap

Create the wordlist file

Code:
touch dic.txt

Create the scrapping script (I use nano but any editor will work)

Code:
nano wikipedia_scrap.py

Insert inside

Code:

#!/usr/bin/env python3

import pycurl

from io import BytesIO

from bs4 import BeautifulSoup





buffer = BytesIO()

c = pycurl.Curl()

c.setopt(c.URL, "https://en.wikipedia.org/wiki/Special:Random")

c.setopt(c.FOLLOWLOCATION, True)

c.setopt(c.WRITEDATA, buffer)

c.perform()

c.close()

html = buffer.getvalue().decode("utf-8")



# GET HTML

soup = BeautifulSoup(html, "html.parser")



# GET URL from 
rurl = soup.find('link', {'rel' : 'canonical'}).get("href")



# Print the current (redirected url) where the scrap will happen

print(rurl)



# GET all  from soup var

ptext = soup.find_all('p')

# Extract text from

for p in ptext: arr = p.text.split() for words in arr: # Need more work, remove punctuation words = words.replace(',','').replace('.','').replace('(','').replace(')','').lower() if words.isalpha(): # Only words that have at least 5 chars if len(words) > 4: f = open("dic.txt","a") f.write(words + '\n') f.close()

Make the script executable

Code:
chmod +x wikipedia_scrap.py

Create the bash script that will act as a process and execute the python script every X seconds (timer can be change here)

Code:
nano exec.sh

Insert inside

Code:
#!/bin/bash

# On exit script (ctrl+c or kill), sort alphabetically and clean any double (or triple...) entries

trap "sort -u dic.txt > temp && mv temp dic.txt && exit" SIGINT

while :

do

  ./wikipedia_scrap.py

  # Set a pause between wikipedia request, can be change for lower value (unsure how many request per minute wikipedia will allow)

  sleep 10

done

Make the bash script executable

Code:
chmod +x exec.sh

Now run the bash script

Code:
./exec.sh

Cleaning

Unfortunatelly, determine if a word is in english language is tricky, most of the unwanted foreign words will be easily cleaned as they will be sorted after the last english word.

For example on my current generated dic

Code:
...

zygogaster

zygomatic

zygomorphic

zygomycetes

zygomycota

zygopetalinae

zygopetalon

zygopetalum

zygotaria

zygote

zymalkowski

zynetix

zysman

zytek

zytronic

zyuganov

zzzero

...

Everything after zzzero

Code:
zábřeh

záhady

záhony

zákupy

záleský

zámok

zánka

zápolya

...

électorale

électrique

éliphas

élisabeth

élite

éloize

élèves

éléonore

émigré

émigrés

émile

émilie

énergies

épinac

épiscopale

époque

épreuves

...

διοικητής

διοικηταὶ

δρουγουβιτεία

εβίνα

εθνική

εκλογική

ελλάδα

εσφούγγιζε

ευθύμης

εὐλόγιος

εὔρωψ

θέλεις

θαυμαζω

θεσσαλιῶτις

θεῖος

θρασὺς

...

Starting from there, other non english words can be found sorted between english word, this is the part I think can be improved.

Improving the script

The script can definitively be improved, I'm thinking adding a regex to exclude characters found in words like "divisão" or "phước", or using python library that can do a better job than the function .is_alpha()

Another way could be to change the source, instead of wikipedia, using the API of the New york time to scrap word inside article

I welcome any idea, suggestion or "contribution" to make this little project better. Just keep in mind I like to keep thing as simple as they can be

Here a generated wordlist made with this "tool", with a dirty fast cleaning, over 137770 words generated in ~40 hours of run

https://0x0.st/X6n3.txt

Thank you !

sha256 OpenSSL vs 7z

Mon, 12 Aug 2024 09:58:42 +0000

Hi.
I wrote two programs, one using sha256 from LZMA-SDK, the other using OpenSSL. I noticed that there is a significant speed improvement when using OpenSSL, especially when the processor does not have sha256 instructions. Also, when using LZMA-SDK, there is a decrease in hashing performance over time. Both programs are based on the same algorithm taken from LZMA-SDK, but using the appropriate instructions SHA256_Update(&sha, buf, unrollSize); //from OpenSSL and Sha256_Update((CSha256*)(void*)(Byte*)sha, buf, unrollSize); //from 7z. Could implementing OpenSSL into Hashcat give similar results?

Code:
unsigned char* GetSHA256_7zD(string PassStringUTF16) //OpenSSL

{

    const int len = PassStringUTF16.length();

    CByteBuffer_Wipe PassBuffer(len * 2);

    for (size_t k = 0; k < len; k++)

    {

        wchar_t c = PassStringUTF16[k];

        ((Byte*)PassBuffer)[k * 2] = (Byte)c;

        ((Byte*)PassBuffer)[k * 2 + 1] = (Byte)(c >> 8);

    }

    const unsigned kUnrPow = 6;

    const UInt32 numUnroll = (UInt32)1 << (*g_Cost <= kUnrPow ? (unsigned)*g_Cost : kUnrPow);

    const size_t bufSize = 8 + 0 + PassBuffer.Size();

    const size_t unrollSize = bufSize * numUnroll;

    CAlignedBuffer sha2(sizeof(CSha256) + unrollSize + bufSize * 2); //From 7z to set buf

    Byte* buf = sha2 + sizeof(CSha256); //From 7z

    SHA256_CTX sha; //From OpenSSL

    SHA256_Init(&sha); //From OpenSSL

    //memcpy(buf, "", 0); //for salt, but no salt

    memcpy(buf + 0, PassBuffer, PassBuffer.Size());

    memset(buf + bufSize - 8, 0, 8);

    {

        {

            Byte* dest = buf;

            for (UInt32 i = 1; i < numUnroll; i++)

            {

                dest += bufSize;

                memcpy(dest, buf, bufSize);

            }

        }

        const UInt32 numRounds = (UInt32)1 << *g_Cost;

        UInt32 r = 0;

        do

        {

            Byte* dest = buf + bufSize - 8;

            UInt32 i = r;

            r += numUnroll;

            do

            {

                SetUi32(dest, i)  i++; dest += bufSize;

            } while (i < r);

            SHA256_Update(&sha, buf, unrollSize); //from OpenSSL

        } while (r < numRounds);

    }

    unsigned char* Key = (unsigned char*)malloc(32);

    SHA256_Final(Key, &sha); //from OpenSSL

    return Key;

}

////////////////////////////

unsigned char* GetSHA256_7zZ(string PassStringUTF16) //7z

{

    //From 7z only ->

    const int len = PassStringUTF16.length();

    CByteBuffer_Wipe PassBuffer(len * 2);

    for (size_t k = 0; k < len; k++)

    {

        wchar_t c = PassStringUTF16[k];

        ((Byte*)PassBuffer)[k * 2] = (Byte)c;

        ((Byte*)PassBuffer)[k * 2 + 1] = (Byte)(c >> 8);

    }

    const unsigned kUnrPow = 6;

    const UInt32 numUnroll = (UInt32)1 << (*g_Cost <= kUnrPow ? (unsigned)*g_Cost : kUnrPow);

    const size_t bufSize = 8 + 0 + PassBuffer.Size();

    const size_t unrollSize = bufSize * numUnroll;

    CAlignedBuffer sha(sizeof(CSha256) + unrollSize + bufSize * 2);

    Byte* buf = sha + sizeof(CSha256);

    //memcpy(buf, "", 0); //no salt

    memcpy(buf + 0, PassBuffer, PassBuffer.Size());

    memset(buf + bufSize - 8, 0, 8);

    Sha256_Init((CSha256*)(void*)(Byte*)sha);

    {

        {

            Byte* dest = buf;

            for (UInt32 i = 1; i < numUnroll; i++)

            {

                dest += bufSize;

                memcpy(dest, buf, bufSize);

            }

        }

        const UInt32 numRounds = (UInt32)1 << *g_Cost;

        UInt32 r = 0;

        do

        {

            Byte* dest = buf + bufSize - 8;

            UInt32 i = r;

            r += numUnroll;

            do

            {

                SetUi32(dest, i)  i++; dest += bufSize;

            } while (i < r);

            Sha256_Update((CSha256*)(void*)(Byte*)sha, buf, unrollSize);

        } while (r < numRounds);

    }

    unsigned char* Key = (unsigned char*)malloc(32);

    Sha256_Final((CSha256*)(void*)(Byte*)sha, Key);

    memset(&sha, 0, sizeof(sha));

    return Key;

}

Big feature request: Improve PDF support, cover all versions, better hash format

Wed, 27 Mar 2024 22:32:19 +0000

I am a new user of hashcat. I am trying to use it on a collection of PDF files spanning decades, to recover some passwords. I know a bit about PDF's format, but I am naive about the constraints of hashcat's architecture and history. My experience led me to write up a rather big feature request:

Improve PDF support, cover all versions, better hash format (issue 3976)

Quote:…Make one hashcat invocation able to find passwords for hashes of any version of PDF file, including owner as well as user password. Also, make an improved hash format which a) can describe hashes for any version of PDF file, b) can include a filename and path of the PDF document described by each hash, which may need to be c) a structured format like JSON or bencode rather than the current asterisk-separated flat file format, with d) clear documentation of the hash format, and e) an official, reliable pdf-to-hash tool.…

The issue has more about my view of the current situation, and the desired outcome. I welcome comments and discussion, here, or in issue #3976 on GitHub.

Handshake Hcxdumptool

Mon, 04 Mar 2024 07:50:44 +0000

Im using last version , and i wanted to extract handshake but i can't choose specifc ssid
The tools got all sssid memorise on my phone on put them in pcapng file
I use this command

Code:
Hcxdumptool -i wlan0mon -w myssid.pcapng --rds=1

When i converted it by hcxpcapngtool they told me in wpa-sec this format not supported

Code:
Hcxpcapngtool -o myssid myssid.pcapng

AngryOxide - 802.11 Attack tool generating Hashcat Formats

Sat, 10 Feb 2024 19:05:51 +0000

This has been shared a bit already including in the discord. But I figured I should create a post here too!

I created a WiFi attack tool that generates mode 22000 hashlines for cracking.

Here are the details:

Active state-based attack engine used to retrieve relevent EAPOL messages from Access Points and clients.
Target option that accepts MAC (aabbcc..., aa:bb:cc...) and SSID "Test_SSID" to limit attack scope.
Whitelist option to protect specific networks from attacks. Useful if not using targets.
Auto Hunt capability to find all target channels and hop between them.
A Terminal-UI that presents all relevent data while still living in the terminal for easy usage over SSH.
Limits DEAUTHENTICATION frames that can cause more damage than good to the authentication sequence.
EAPOL 4-Way-Handshake validation using Nonce Correction, Replay Counter validation, and Temporal validation.
Automatically elicits PMKID from access points where available.
Utilizes GPSD with ability to set remote GPSD service address.
Provides pcapng files with embedded GPS using the Kismet Format.
Provides a kismetdb file with all frames (with GPS) for post-processing.
Wraps all output files in a gzipped tarball.
Bash autocompletions for easy interface selection provided.

Attacks:

Will by default attack ALL access points in range, unless atleast one target is supplied, at which point the tool will only transmit against defined targets. (But will still passively collect on other access points).

Attempts authentication/association sequence to produce EAPOL Message 1 (PMKID Collection)
Attempts to retrieve hidden SSID's with undirected probe requests.
Utilizes Anonymous Reassociation to force Access Points to deauthenticate their own clients (MFP Bypass)
Will attempt to send Channel Switch Announcement to send clients to adjacent channels.
Attempts to downgrade RSN modes to WPA2-CCMP (Probe Response Injection)
Attempts to collect EAPOL M2 from stations based solely on Probe Requests (Rogue AP)
Will send controlled deauthentication frames unless told not to (--nodeauth)

All of these attacks are rate-controlled both to prevent erroneous EAPOL timer resets and to maintain some level of OPSEC.

You can find AngryOxide on my github:

Link

And visit out discord if you want some quick responses to questions:

Discord

Screenshots:

7z False positive -> True positive, rule or not...

Sun, 28 Jan 2024 10:34:32 +0000

Hi...
I'm trying to decode 7z Qlocker password with my own password generator
MikiDecoder
no success yet, but...
I know, it's impossible to find simple the rule for passwords in 7z, but I have found something interesting, I think. I have tried to compare all false positive passwords, but I haven't find any rule if I divide, multiply, subtract, try to find HCF and LCM in for all corresponding password-number.
So, I wonder about one thing that seems interesting to me, I want to share with you.
I've been working with Hashcat and hash/password for a long time, and I have seen, that false positive passwords appear at specific intervals. I mean, in my situation, almost always hashcat finds two false positive passwords in one day, then there is a break for 2-4 days, and again two false positive passwords. What do you think about this, is it worth looking for rule?

Inside hc22000 file

Mon, 11 Dec 2023 11:32:50 +0000

Please can you explain what inside the file

I know there is Bssid And essid client , what about others separated by * , what kind of hash is that ?
And where is Passphrase crypted hash

Code:
WPA*01*

?????? :  e05630666aa9198ca136f10ba11e8b11

Bssid : *340a983b7f1c*

Essid :   ec51bc1e7f7d*

??????? :   4d616c696b20486f6d65***01

Algorithm for generate default password

Wed, 06 Dec 2023 11:48:51 +0000

One of the ISP in my country distributes a router ZTE H288A , this router comes with a default password that is a Mac address without :

I want a code that converts Mac to a password
And how i add it to Router Keygen dictionary