5268ac routers
#31
I have been watching this thread and the original thread since the very beginning, without comment, but due to this current turn of events I've just joined this forum to add my two cents worth. That makes this my very first post, sox.

I just wanted to say that I remember when sox first made his cracker, and fartbox did give him/her h*ll for not giving credit to fancypants. I checked the old thread, but fartbox's post is gone now. I guess sox did give credit after he got caught, so that problem is solved.

As for lurkers, I've only been here for a few minutes, because the forum only logs the time you've been logged in, yet I've been lurking here for years. Another problem solved.

And as for proof, nobody offered fartbox a cap to crack. Fartbox could have supplied his own cap, with ESSID and password as "proof", but who could have verified it without his code? So that's solved too.

So, please, get back to work on the 5268 problem so I can get back to lurking in the shadows.
Reply
#32
I always thought it was frowned upon to post hashes/caps on this forum. Either way, I have an authentic 5268AC cap posted on hashkiller for anybody to take a whack at.
https://forum.hashkiller.io/index.php?th...ost-306160
Reply
#33
(04-10-2022, 10:56 PM)bentrout Wrote: I have been watching this thread and the original thread since the very beginning, without comment, but due to this current turn of events I've just joined this forum to add my two cents worth. That makes this my very first post, sox.

I just wanted to say that I remember when sox first made his cracker, and fartbox did give him/her h*ll for not giving credit to fancypants. I checked the old thread, but fartbox's post is gone now. I guess sox did give credit after he got caught, so that problem is solved.

Welcome, fellow lurker.
You are right that sox claimed the first ATT algo without reference to mrfancypants until shamed, and yet still puts down fart-box with his "Awe man" crap after he had been called out and corrected references retrospectively.
Best to just keep lurking and keep the new algos safe.
Reply
#34
(04-19-2022, 09:34 PM)MrMiller Wrote: Best to just keep lurking and keep the new algos safe.

Can't keep safe what you don't have!
Reply
#35
To continue the how-to guide, but a little more specific to this modem.

First you'll have to get your grubby hands on a modem; there are plenty for sale on ebay, facebook and all the usual places you go for used electronics. The next step is to crack open the case. Not an easy task, and it will require quite a bit of force.
There are 4 pegs you have to push in simultaneously on the back (plug side) of the router.
[Image: bBGxLXA.jpg]

Once that's done, you'll see the UART edge connector. The leads are pretty skinny, so if you don't feel up to the soldering work, you can purchase a MEC1-108-02-F-D-EM2 connector instead.
[Image: P8w7hx7.jpg]
[Image: y4wM5od.jpg]
All of this came from the spun.io link in message #7 up thread.
Combine this with a cheap ($3.00) PL2303HX USB-UART adapter: connect pin 2 to the black lead of the USB adapter, 13 to the green and 15 to the white wire. Set minicom to 115200 baud, 8 bits, no parity, 1 stop bit, and watch the data come in!

Now for the root access part: 

The nomotion.net pages seem to have expired but are still available through the way back machine.
[Image: Selection_022-1024x490.png]

The actual root password is the MD5crypt hash that starts with $1$xyz...
After firmware version 10.5.6 this changes to sha512crypt, and in firmware version 11.1 they turn off keyboard entry, so the first thing you'll probably have to do is downgrade the firmware.

Download the firmware from the link shown on this page (after replacing all the x's with t's)
https://web.archive.org/web/202104211411...em-part-1/

Then plug your ethernet cable into the modem and in your favorite browser go to 192.168.1.254/upgrade, click upgrade and browse to the downloaded firmware.

You'll also have to do some actual cracking: it's time to pop that MD5crypt hash! I will give you a clue here: it consists of 3 upper case, 3 lower case and 2 numbers. Now if you've seen all the unique codes for the 5268AC as well as the remoteSSH password, I'm sure you can guess where one of the numbers is. The rest is up to you!
As a side note, the nomotion page also shows a root password hash that starts with $1$LXs... It is overwritten, but if you want to have a little fun, in that case it is just 7 chars (again, upper case, lower case, and numbers). Again, a good guess where one of the numbers is....

Connect to the modem over the UART connection. Press a key after it booted up and it'll ask for a login.
Just use username root and the 8 char password you found above. Et voilà: root shell!

The other thing I'll add here is that you also can get into u-boot (to dump the NAND), but you need root access first.
From the root shell, type:
factorytool --setfactorymode true<enter>

Now during the boot sequence, where it says "Hit any key to stop autoboot: 5" just press a key and you're in u-boot.
From another terminal window you could type: printf "nand dump 1f000" > /dev/ttyUSB0 <enter> to have the router dump all the various router unique data.

The paramtool binary is used to actually make the user a factory technician with additional access, but I have not spent time to figure out how to do that.
Reply
#36
Well, I've completed looking under the streetlight with hashcat's MD5 algorithm.
The best fit I've found is:
wju-zohnhy132161N11499300D09E, with 'wju-zohnhy' being the prefix and '00D09E' being the suffix to the SN (132161N114993).

MD5 of wju-zohnhy132161N11499300D09E is A8A6D3D67B2FD81C4BF9D73FA2AA9987
Modulus 8 on the first digest and 37 on the next 11 gives: 0  18  26  29  12  10  31  28    1  27  30  26
Project that onto the default charset (abcdefghijkmnpqrstuvwxyz23456789#%+=?) gives '2u47nk96b589' with the reminder that the actual password we're looking for is '2u47nk96b58m' so all but the last letter.

Of course all of this is pure chance, because as soon as you change the serial number to another router's, you get no match at all.

Also nothing so far with my homebrew SHA1 using just a suffix string. It's slower going as that runs on my CPU threads.
Still working on a prefix to some router specific value (SN, AC, MAC) with SHA1. I can only do 8 characters, so cross your fingers that's what was used!
Reply
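The derivation in the post above, as an added example that is not the poster's code: MD5 the prefix + serial + suffix string, take byte 0 mod 8 and bytes 1 to 11 mod 37, and index the result into the charset the post quotes. The post does not say which set the mod-8 first byte indexes, so this assumes the digit block '23456789'; the prefix, serial, suffix and digest are the ones quoted in the post.

```python
import hashlib

# Charset quoted in the post: 24 letters (no l, no o), digits 2-9, five symbols = 37 entries
CHARSET = "abcdefghijkmnpqrstuvwxyz23456789#%+=?"
# Assumption (not stated in the post): the mod-8 first byte picks from the digit block
DIGITS = "23456789"

# Values quoted in the post
POST_PREFIX, POST_SERIAL, POST_SUFFIX = "wju-zohnhy", "132161N114993", "00D09E"
POST_DIGEST = bytes.fromhex("A8A6D3D67B2FD81C4BF9D73FA2AA9987")
POST_ACTUAL = "2u47nk96b58m"


def candidate_digest(prefix: str, serial: str, suffix: str) -> bytes:
    """MD5 of prefix + serial + suffix, the string the post hashes; 16 raw bytes."""
    return hashlib.md5((prefix + serial + suffix).encode()).digest()


def digest_to_indices(digest: bytes) -> list:
    """Byte 0 mod 8, then bytes 1..11 mod 37, giving 12 charset indices."""
    return [digest[0] % 8] + [b % 37 for b in digest[1:12]]


def project(indices: list) -> str:
    """Map the indices onto the charsets: first into DIGITS, the rest into CHARSET."""
    return DIGITS[indices[0]] + "".join(CHARSET[i] for i in indices[1:])


def candidate_password(prefix: str, serial: str, suffix: str) -> str:
    """Whole pipeline for an arbitrary prefix/serial/suffix triple."""
    return project(digest_to_indices(candidate_digest(prefix, serial, suffix)))


def matching_prefix_len(a: str, b: str) -> int:
    """How many leading characters two candidate strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    idx = digest_to_indices(POST_DIGEST)
    print(idx, project(idx), matching_prefix_len(project(idx), POST_ACTUAL))
    print(candidate_password(POST_PREFIX, POST_SERIAL, POST_SUFFIX))
```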
#37
Quote: Can't keep safe what you don't have!

You must then have same reasoning with gpuhash and VIDEOTRON algorithm?
Reply
#38
With today's latest ebay auction I have now collected 700 passwords for this router (with the help of many that came before me, of course). However, I seem to be no closer to reducing the keyspace for it.
Still going strong looking at salted hashes from various unique identifiers using SHA1. Just wish I had more CPU cores, I'm due for an upgrade anyway so perhaps I'll just go the whole shebang with the next gen GPUs and CPUs.
Reply