5268ac routers
#31
I have been watching this thread and the original thread since the very beginning, without comment, but due to this current turn of events I've just joined this forum to add my two cents worth. That makes this my very first post, sox.

I just wanted to say that I remember when sox first made his cracker, and fartbox did give him/her h*ll for not giving credit to fancypants. I checked the old thread, but fartbox's post is gone now. I guess sox did give credit after he got caught, so that problem is solved.

As for lurkers, I've only been here for a few minutes, because the forum only logs the time you've been logged in, yet I've been lurking here for years. Another problem solved.

And as for proof, nobody offered fartbox a cap to crack. Fartbox could have supplied his own cap, with ESSID and password as "proof", but who could have verified it without his code? So that's solved too.

So, please, get back to work on the 5268 problem so I can get back to lurking in the shadows.
#32
I always thought it was frowned upon to post hashes/caps on this forum. Either way, I have an authentic 5268AC cap posted on hashkiller for anybody to take a whack at.
https://forum.hashkiller.io/index.php?th...ost-306160
#33
(04-10-2022, 10:56 PM)bentrout Wrote: I have been watching this thread and the original thread since the very beginning, without comment, but due to this current turn of events I've just joined this forum to add my two cents worth. That makes this my very first post, sox.

I just wanted to say that I remember when sox first made his cracker, and fartbox did give him/her h*ll for not giving credit to fancypants. I checked the old thread, but fartbox's post is gone now. I guess sox did give credit after he got caught, so that problem is solved.

Welcome, fellow lurker
You are right that sox claimed the first ATT algo without reference to mrfancypants until shamed and yet still
puts down fart-box with his "Awe man" crap after he had been called out and corrected references retrospectively
Best to just keep lurking and keep the new algos safe.
#34
(04-19-2022, 09:34 PM)MrMiller Wrote: Best to just keep lurking and keep the new algos safe.

Can't keep safe what you don't have!
#35
To continue the how-to guide, but a little more specific for this modem.

First you'll have to get your grubby hands on a modem, plenty for sale on ebay, facebook and all the usual places you go for used electronics. Next step is to crack open the case. Not an easy task and will require quite a bit of force.
There are 4 pegs you have to push in simultaneously on the back (plug side) of the router.
[Image: bBGxLXA.jpg]

Once that's done, you'll see the UART edge connector. The leads are pretty skinny, so if you don't feel up to the soldering work, you can purchase a MEC1-108-02-F-D-EM2 connector instead.
[Image: P8w7hx7.jpg]
[Image: y4wM5od.jpg]
All of this came from the spun.io link in message #7 up thread.
Combine this with a cheap ($3.00) PL2303HX USB-UART adapter, connect pin 2 to the black lead of the USB adapter, 13 to the green and 15 to the white wire. Set minicom to 115200 baud, 8 bits, no parity, 1 stop bit, and watch the data come in!

Now for the root access part: 

The nomotion.net pages seem to have expired but are still available through the way back machine.
[Image: Selection_022-1024x490.png]

The actual root password is the MD5crypt hash that starts with $1$xyz
After firmware version 10.5.6 this changes to a sha512crypt and in firmware version 11.1 they turn off keyboard entry so the first thing you'll probably have to do is downgrade the firmware.

Download the firmware from the link shown on this page (after replacing all the x's with t's)
https://web.archive.org/web/202104211411...em-part-1/

Then plug your ethernet cable into the modem and in your favorite browser go to 192.168.1.254/upgrade, click upgrade and browse to the downloaded firmware.

You'll also have to do some actual cracking, it's time to pop that MD5crypt hash! I will give you a clue here, it consists of 3 upper case, 3 lower case and 2 numbers. Now if you've seen all the unique codes for the 5268AC as well as the remoteSSH password, I'm sure you can guess where one of the numbers is. The rest is up to you!
As a side note, the nomotion page also shows a root password hash that starts with $1$LXs... It is overwritten, but if you want to have a little fun, in that case it is just 7 chars (again, upper case, lower case, and numbers). Again, a good guess where one of the numbers is....

Connect to the modem over the UART connection. Press a key after it booted up and it'll ask for a login.
Just use username root and the 8 char password you found above. Et voilà: root shell!

The other thing I'll add here is that you also can get into u-boot (to dump the NAND), but you need root access first.
From the root shell, type:
factorytool --setfactorymode true<enter>

Now during the boot sequence, where it says "Hit any key to stop autoboot: 5" just press a key and you're in u-boot.
From another terminal window you could type: printf "nand dump 1f000" > /dev/ttyUSB0 <enter> to have the router dump all the various router unique data.

The paramtool binary is used to actually make the user a factory technician with additional access, but I have not spent time to figure out how to do that.
#36
Well, I've completed looking under the streetlight with hashcat's MD5 algorithm.
The best fit I've found is:
wju-zohnhy132161N11499300D09E with 'wju-zohnhy' being the prefix and '00D09E' being the suffix to the SN (132161N114993).

MD5 of wju-zohnhy132161N11499300D09E is A8A6D3D67B2FD81C4BF9D73FA2AA9987
Modulus 8 on the first digest and 37 on the next 11 gives: 0 18 26 29 12 10 31 28 1 27 30 26
Project that onto the default charset (abcdefghijkmnpqrstuvwxyz23456789#%+=?) gives '2u47nk96b589' with the reminder that the actual password we're looking for is '2u47nk96b58m' so all but the last letter.

Of course all of this is pure chance, because as soon as you change the serial number to another router's, you get no match at all.

Also nothing so far with my homebrew SHA1 using just a suffix string. It's slower going as that runs on my CPU threads.
Still working on a prefix to some router specific value (SN, AC, MAC) with SHA1. I can only do 8 characters, so cross your fingers that's what was used!
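The projection described in #36, written out as an added example (not the poster's code): MD5 of prefix + SN + suffix, first byte mod 8, next eleven bytes mod 37, indices mapped onto the charset. The post only says "mod 8" for the first byte; since its result starts with '2', this example assumes that index selects from the digit block '23456789'. The post's own index list ends in 26, which the 37-symbol charset maps to '4', so the candidate comes out as '2u47nk96b584', matching the real password in the first 11 characters as the post states.

```python
import hashlib

# Charsets from post #36. The first index (mod 8) is assumed here to pick from
# the digit block, since the post's result starts with '2' (constructed assumption).
DEFAULT_CHARSET = "abcdefghijkmnpqrstuvwxyz23456789#%+=?"  # 37 symbols
FIRST_CHARSET = "23456789"                                  # 8 symbols

# Values quoted in the post.
PREFIX = "wju-zohnhy"
SERIAL = "132161N114993"
SUFFIX = "00D09E"


def digest_indices(digest):
    """Reduce the first byte mod 8 and the next eleven bytes mod 37."""
    return [digest[0] % 8] + [b % 37 for b in digest[1:12]]


def project(digest):
    """Map the reduced indices onto the charsets to form a 12-char candidate."""
    idx = digest_indices(digest)
    return FIRST_CHARSET[idx[0]] + "".join(DEFAULT_CHARSET[i] for i in idx[1:])


def candidate(prefix, serial, suffix):
    """The full hypothesis from the post: MD5(prefix + SN + suffix), projected."""
    return project(hashlib.md5((prefix + serial + suffix).encode()).digest())


def matching_prefix_len(candidate_pw, actual_pw):
    """How many leading characters the candidate shares with the real password."""
    n = 0
    for a, b in zip(candidate_pw, actual_pw):
        if a != b:
            break
        n += 1
    return n


if __name__ == "__main__":
    # Digest quoted in the post, used as a fixed input so the mapping itself
    # can be checked independently of the MD5 computation.
    quoted = bytes.fromhex("A8A6D3D67B2FD81C4BF9D73FA2AA9987")
    print(digest_indices(quoted))
    print(project(quoted))
    print(matching_prefix_len(project(quoted), "2u47nk96b58m"))
    print(candidate(PREFIX, SERIAL, SUFFIX))
```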
#37
Quote: Can't keep safe what you don't have!

You must then have the same reasoning with gpuhash and VIDEOTRON algorithm?
#38
With today's latest ebay auction I have now collected 700 passwords for this router (with the help of many that came before me of course). However, I seem to be no closer to reducing the keyspace for it.
Still going strong looking at salted hashes from various unique identifiers using SHA1. Just wish I had more CPU cores, I'm due for an upgrade anyway so perhaps I'll just go the whole shebang with the next gen GPUs and CPUs.
#39
Was a bit distracted with developing keygens for ZyXEL modems. But I did gain some more experience writing C++ code. Decided to write the multiplier finding algo from scratch to see if I missed anything. Again I cannot find a multiplier. But it recovers the NVG589 and 599 multipliers flawlessly.  Oh well, over 800 passwords now.

Code:
#include <iostream>
#include <fstream>
#include <string>
#include <cstdio>
#include <cstdlib>

using namespace std;

const int max_keys = 600;
const double precision = 0.000001;
const double precision2 = 2*precision;

// true when input is within precision of a whole number
bool is_integer(double input) {
    bool result;
    double fraction;

    input = input + precision; //shift .9999 to above zero, so you can floor to get the remainder
    fraction = input - (long)input;
    result = fraction < precision2;
    return result;
}

int main(int argc, char* argv[]) {
    int key1, key2, fit, max_fit;
    double integer1, integer2, multiplier, max_multi;
    ifstream file_data;
    string file_name;
    int number_of_keys;
    long double all_keys[max_keys];

    if (argc < 2) {
        cerr << "usage: " << argv[0] << " <keyfile>" << endl;
        return 1;
    }
    file_name = argv[1];
    file_data.open(file_name);
    if (!file_data) {
        cerr << "file not found" << endl;
        return 1;
    }
    // read one key per whitespace-separated token; testing the stream itself
    // (rather than eof()) avoids counting a phantom key after the last one
    number_of_keys = 0;
    while (number_of_keys < max_keys && file_data >> all_keys[number_of_keys]) {
        number_of_keys = number_of_keys + 1;
    }
    file_data.close();

    max_multi = 0;
    for (integer1 = 1; integer1 < 3e9; integer1++) {
        max_fit = 0;

        // candidate multiplier: each key divided by the trial integer
        for (key1 = 0; key1 < number_of_keys; key1++) {
            fit = 0;
            multiplier = all_keys[key1] / integer1;
            // count how many keys are an integer multiple of that candidate
            for (key2 = 0; key2 < number_of_keys; key2++) {
                integer2 = all_keys[key2] / multiplier;
                if (is_integer(integer2)) {
                    fit++;
                }
            }
            if (fit > max_fit) {
                max_fit = fit;
                max_multi = multiplier;
            }
        }
        if (max_fit >= number_of_keys-2) { // allowed to miss on one key
            printf("%17.7lf\n", max_multi);
        }
    }
    return 0;
}
#40
This hasn't been mentioned before but I started looking at the PACE (non-AT&T) 5268AC. They are much rarer to find, but managed to find pictures of a few. Notice anything curious about the passwords?

[Image: 4N3NkjY.png]

That's right! Like the AT&T u-verse 5268AC they all start with a number and never have more than 3 letters in a row. No symbols, but they look awfully like a longer version of the AT&T ESSID. They are also 12 chars long, like the u-verse passwords. Of course it's a really small data-set, but at least it is consistent. I have seen a single Sonic and a single Arris labelled one as well, but not sure if they fit the pattern.
Now you may ask why I post this, well because I just laid my grubby hands on one of these bad boys and am about to crack it open in the hopes that this one, unlike AT&T, left a clue somewhere in its chips!