5268ac routers
#1
I figured I'd start a new thread specific to the PACE/ARRIS 5268AC routers. After collecting over 500 passwords and learning C++ to create an algorithm that determines the multiplier (which works great for the NVG589, 599 and 210), it failed to recover a multiplier no matter what encoding I used to create a set of keys from the passwords.
So I decided to play around with the physical hardware. Following guides on nomotion and spun.io I gained access to the router and the firmware. Many months of piddling away have now gotten me root access to the kernel, but like the dog who caught the bus... what do I do with it now that I've caught it?
[Image: H8tK6gj.jpg]

There must be somebody here who has experience looking at a Linux 2 kernel and investigating its capabilities. So consider this a cry for help or assistance. Please join in if you have any interest in digging deeper into this router and discovering its mysteries!
Reply
#2
Looks very promising, terrific work; sorry I'm no help.
Reply
#3
(11-28-2021, 03:21 AM)calexico Wrote: Looks very promising, terrific work; sorry I'm no help.

Thanks Calexico! 
For everybody else: although I've pulled NAND chips and dumped them, this is all done on a vanilla modem, using a UART connection. If you want to join in, pick up a 5268ac modem from eBay ($25) and a USB UART adapter, like a PL2304HX ($4). So for less than $30, you can really pretend to be a hacker! (or just a hack LOL)
Reply
#4
Ahhh, resurrecting the glory days of satellite stream decryption! Too bad some of the old tools couldn't be useful and given second lives in analyzing and manipulating FW; eeprom "glitchers", ROM flashers, etc., all now lying at the bottom of a drawer, sad and lonely...
Reply
#5
It's slow going since I have no idea what I'm doing LOL. But the bdctest from the nvg599 is still there. https://www.nomotion.net/blog/category/h...e-hacking/

This time the username is different though: "vikcmwhxgxbizb", password still bdctest. Found on 4 different routers, so it will likely be the same for all 5268ac's.
Reply
#6
Thanks for that link; that's quite a few juicy morsels of info that may even be relevant to the newer ATT GWs being issued.

As an aside, and in no way meant to discourage your excellent work on the 5268ac, here within my scan area only a couple of 5268s remain; all new subs and many older ones have been swapped out to the Nokia and Humax units.

If I can get my hands on any, I'm not averse to getting my hands "dirty" again on the board level. In fact, I rather miss it!

Keep up the exploration! They say you're only one HEX away from Heaven...
Reply
#7
(12-13-2021, 03:39 PM)evets97 Wrote: Thanks for that link; that's quite a few juicy morsels of info that may even be relevant to the newer ATT GWs being issued.

I'll leave this link here then too:
https://spun.io/2018/03/18/getting-into-...ter-part-1


Also seems like the bdctest is under active attack:
https://forums.att.com/conversations/att...f606c82223
Reply
#8
Maybe 2022 is when we find a crack in the 5268ac armor!

Pulled the files into a reverse engineering package. Found an interesting section of code in libkeycode.so.0.0.0
It's not the same CHARSET as the PSK (note the missing letters), but figuring out how this works, might reveal a clue.

[Image: 5pM9Bf6.jpg]
Reply
#9
Thanks Fart-box and welcome back! At this point we're very sure the algorithm to create the PSK is not on the router anymore (if it ever was). But we do have root access to the file system, so we can grep for anything interesting! Sadly nothing on the video SSID. Sasquatch chokes during the binwalk of the dump (two different NAND chips from two different routers), so I'm glad to have root access.

We did find this interesting bit of code:
        # Read the board serial number (command substitution was lost in the forum paste)
        SERIAL=$(cat /sys/module/board/parameters/serialnumber)
        # Hash the serial plus a fixed string and turn the digest into a 16-character password
        PASS=$(echo -n "${SERIAL}SomeStringXXXX-00D09E" | md5sum | pseudopasswd -n 16)

So we have two examples of the router taking the serial number and appending some text to it before doing some math on the result.

Just to clarify in your key-gen are you using integer*multiplier = key then {key modulus 37 key/37}  like SoxRok's pskracker,
OR are you doing SHA1(serial number) -> hash.  hash per byte modulus 37 to get the psk like the vSSID for nvg599?
If the latter, are you adding text before or after the serial number string before hashing it?
Reply
#10
The grep is how we found the /usr/lib/libkeycode.so.0.0.0 as it is missing the letters 'i' and 'o' in the alphabet making it easy to find, almost every file has the regular charset in it! Even a grep -ir \`{  (non-ascii vSSID charset sequence) names hundreds of files.

The echo ${SN}+STRING | md5sum | pseudopasswd statement came from /sbin/sysinit

Fascinating about the multiplier though. I developed the algorithm that recovers the multiplier for the nvg589 (long float with a fraction that goes on for 12 decimal places) and nvg599 (integer), but it fails to recover a multiplier for the 5268ac, no matter what encoding and charset I use to generate keys, as I stated in the PM I sent you.

@Evets97 is correct though, that the install base is dwindling fast so the interest is minimal. Perhaps I have shown sufficient effort to try to figure it out myself, and before you take your secret key-gen to your grave, maybe share it with the world while it still might do some good?

You can download a copy of the firmware as shown by jhutchins on nomotion. Binwalk can pull most of the files out. I think it struggles, because the filesystem is actually 3 different partitions.
"That’s hxxp://gaxeway.c01.sbcglobal.nex/firmware/00D09E/10.5.3.527283-PROD/5268.insxall.pkgsxream . Change every “x” to a “t” and you’ll have the link."

Oh, and the serialnumber file just contains the serial number in ASCII (with a capital 'N' in the middle). There is a debate whether or not there is a CHR(10), \n, endl as a final character, or if that's added by the cat statement....
Reply
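The trailing-newline debate in the post above can be settled with a quick shell check. This is an added example, not code from the thread or the router firmware: it uses a constructed serial value, shows that `$(cat file)` strips any trailing newline regardless of whether the file has one, and shows that `echo` versus `echo -n` (here `printf` with and without `\n`) changes the md5 digest that a sysinit-style pipeline would feed downstream.

```shell
#!/bin/sh
# Added example (not from the thread). The serial value below is constructed;
# the real /sys/module/board/parameters/serialnumber content is not reproduced.
SERIAL_VALUE="ABC123N456789"

# Create two fixture files: one ending in a newline, one without.
make_fixtures() {
  dir=$(mktemp -d)
  printf '%s\n' "$SERIAL_VALUE" > "$dir/with_nl"
  printf '%s' "$SERIAL_VALUE" > "$dir/without_nl"
  echo "$dir"
}

# Raw byte count of the file itself; wc counts the newline if it is there.
raw_len() {
  wc -c < "$1" | tr -d ' '
}

# Byte count of $(cat file): POSIX command substitution removes trailing
# newlines, so both fixtures give the same length here.
subst_len() {
  s=$(cat "$1")
  printf '%s' "$s" | wc -c | tr -d ' '
}

# Digest of the value as "echo -n value | md5sum" would hash it.
digest_no_newline() {
  printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Digest as "echo value | md5sum" (newline included) would hash it.
digest_with_newline() {
  printf '%s\n' "$1" | md5sum | cut -d' ' -f1
}

# Stand-alone run: print the comparison for a human reader.
d=$(make_fixtures)
echo "raw with_nl=$(raw_len "$d/with_nl") without_nl=$(raw_len "$d/without_nl")"
echo "subst with_nl=$(subst_len "$d/with_nl") without_nl=$(subst_len "$d/without_nl")"
echo "md5 no newline:   $(digest_no_newline "$SERIAL_VALUE")"
echo "md5 with newline: $(digest_with_newline "$SERIAL_VALUE")"
```

Whatever the file ends with, the value reaching `md5sum` through `$(cat ...)` has no trailing newline; only the `echo -n` flag decides whether one is appended afterwards.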