Keyspace List for WPA on Default Routers

[drsnooker]

One thing that struck me was the prevalence of the 'b' character versus 'a' which made me wonder if zeroes are for whatever reason much less likely to be generated from whatever the 'seed' is (my assumption being that 'a' equates to '0' and 'b' equates to '1').  I had done a statistical analysis on the data, and 'b' was indeed among the most common characters.

Yeah the 640L algo would produce the same amount of 'a' vs 'b' but almost twice 'abcdef' vs 'ghij' so I blamed it on the small sampling size, but it could be a completely a different algo that treats 0 differently. There's definitely something fishy going on. If you overlay the letters and numbers they show a similar tendency for 1/b and slightly lower for 2/c.
The other chars could even be about the same likelihood. Won't know how any of this works until we find the algo in a random firmware somewhere. 

[drsnooker]

I think I got something to at least explain the above graphs.
Take all values 0,1,2,3, .... 255 and look at the probabilities of each number occurring. Doesn't that look exactly like the probabilities of the characters in the password? (See graph below)

What does that mean for the algo? Well, my guess it's just three bytes, perhaps the last three of the MAC followed may be with a checksum char like WPS pins. 
3 bytes, may be some math, with probably some XORs, directly translated into the password.

Say the MAC is e46f136876c4 --> 0x68 0x76 0xc4 --> 104 118 196 C
convert half to a-j and you have a password that matches the above probability distribution.

[drsnooker]

Hacked together some c-code. Catches 17 out of the 19 dir605l passwords I've collected. It generates a 50G dictionary in about 20 minutes. There are quite a few identical passwords in the rainbow table, so sort -u will help cut it in half.

It misses when the length of combined four bytes is less than what is need to fill the password.
e.g.  febii86601 --> 5418886601 cannot be split in 4 bytes , you'd need 5 bytes.
54 188 86 60 1
(although in this case you could flip left to right and get there, but then you'd miss on a different password in my collection)
Instead of the padding "000000" you'd need to do something a bit more clever to fill the remainder to get to 10 chars, some sort of recursive loop. I'm sure an actual programmer can figure that out!

Of course I'd rather have the real algorithm, but this can work until that is discovered. 
Working backwards from the password may work: password --> bytes --> ?math? <-- mac  
May be I'll give that a whirl tomorrow.

Code:

#include <stdio.h>

int main() {

    int byte1, byte2, byte3, byte4;
    char buffer[20];
    int pos;

    for (byte1 = 0; byte1 < 256; byte1++) {
        for (byte2 = 0; byte2 < 256; byte2++) {
            for (byte3 = 0; byte3 < 256; byte3++) {
                for (byte4 = 0; byte4 < 256; byte4++) {
                    sprintf(buffer, "%d%d%d%d%s", byte1, byte2, byte3, byte4,"000000"); // add padding
                          for (pos=0;pos<5;pos++)
                              buffer[pos]=buffer[pos]+49;
                         buffer[10]=0; // trim to first 10 chars
                         printf("%s\n",buffer);
}
}
}
}
}

[impasse]

Have found two 'Eufy' SSIDs, which by OUI lookup are:
04:17:B6 Smart Innovation LLC
10:2C:B1 Smart Innovation LLC
Just discovered that the keyspace is ?h?h?h?h?h?h?h?h

This does not seem correct for their Wifi Ad-Hoc (the MAC ranges you posted) as used by their direct P2P connection between their devices and the base.

[lookin_for_peace]

Hello,

I've been stuck for a while trying to understand the key generation of Compal CH7465LG (UPC/Vodafone Connect Box). I have gathered a bunch of keys from various places. What have I found:
- the keys are 12 characters long: most of them lower case except 1-3 upper and 1-3 digits, usually 2 upper and 2 digits
- similar characters are not used: 100% sure of: 0 1 9 i o l q O I
- I'm pretty sure the S/N and SSID of the router are used in the generation process but I don't know the algorithm

I've attached a file with the keys I've found online, it took a while.

Is anyone else trying to figure this out and is kind enough to share the findings, also could anyone give me a hint about the key generation algorithm, from what I know it's undisclosed.

[drsnooker]

Hello,

I've been stuck for a while trying to understand the key generation of Compal CH7465LG (UPC/Vodafone Connect Box). I have gathered a bunch of keys from various places. What have I found:
- the keys are 12 characters long: most of them lower case except 1-3 upper and 1-3 digits, usually 2 upper and 2 digits
- similar characters are not used: 100% sure of: 0 1 9 i o l q O I
- I'm pretty sure the S/N and SSID of the router are used in the generation process but I don't know the algorithm

I've attached a file with the keys I've found online, it took a while.

Is anyone else trying to figure this out and is kind enough to share the findings, also could anyone give me a hint about the key generation algorithm, from what I know it's undisclosed.

Great start!
1) It would be helpful if you add the serial numbers and macs (and SSIDs) to this list as well, to be able to try some mathematics to see if anything lines up.
2) But from the data so far, '0DHILOiloq', are not used. You might want to double check password: mj6Frvnxwgxx to see if that's really a 'g' in there. It's the only 'g' in the whole data set, so could be a typo.
3) Do you have access to the firmware? These days, just looking at the passwords isn't enough anymore, and it requires reverse engineering the FW if they managed to leave the algorithm in there.