5268ac routers
#41
(01-20-2023, 10:15 PM)drsnooker Wrote: They are much rarer to find

I can supply you a large amount of captures of these units if you need a dataset. Lemme know, these are quite common here and have tonnes kicking around.
Reply
#42
The non-ATT versions? If you can find one in a local yardsale/goodwill, hook a brother up!
It won't take the ATT root passwords, so I have neither a root shell nor u-boot. I can desolder the NAND, but I doubt I can resolder it back and have it still work, so I could use another one!
Reply
#43
for what it's worth here
some notes from back when:
https://pastebin.com/iz6Rne75
https://pastebin.pl/view/86341379

those basically talk about downgrading to an older 10.x version, then generating an rma user password (which has root) on console
(this uses the pseudopasswd utility as mentioned in /sbin/sysinit)

also, a python implementation of the pseudopasswd algo:
https://pastebin.com/SKtazSq3

note that pseudopasswd unfortunately is essentially a hash func - it takes two chars on input to produce one char on output, so not reversible

also lua script for dumping the certs on the box
https://pastebin.pl/view/e4ef26f9
Reply
#44
also, a python implementation of the pseudopasswd algo:
https://pastebin.com/SKtazSq3

Excellent! Thank you for your contribution. I've been thinking about reversing pseudopasswd for the heck of it. Obviously I have the original root password so the detour going through the RMA user isn't necessary.
Reply
#45
@drsnooker
are you saying (from your old post) that the root password is static across all devices, or is it a per-device password?
Reply
#46
The root password is the same for all devices up to FW 11. It changes to a sha512crypt that I didn't bother cracking as it eliminates keyboard input as well. But the sha512crypt hash is the same for all devices as well.
Reply
#47
I tried to use pseudopwd to create passwords for the NVG599. Changed the charset to the normal 37, then took the SNs of a handful of NVG599 routers and added the string "PRESHAREDKEY-0907F5". So you have a variable section up front (of around 12 chars resulting in 6 chars in the pwd), followed by a fixed string. Then feed that into pseudopwd to generate the passwords. A change in the beginning echoes through the rest of the password. However, with pseudopwd, the same start results in the same beginning of the conversion, not like MD5 or SHA.

That idea strongly resembles the integer*multiplier where the variable section is the integer and the fixed section the multiplier and would result in a multiplier with 6 digits before the decimal point.

Lastly, I ran that through the multiplier search algo and came up with nothing. Perhaps in this iteration of pseudopwd, the results are now too randomized. Perhaps removing the t3 and t4 reduces the randomness to the original algo for generating the NVG589,599 and 210 passwords.

One more observation is that it seems that the libkeycode.so uses a similar randomization technique but with only two steps. I should probably try to reverse that now....
Reply
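The property post #47 describes (a shared input prefix showing up as a shared output prefix, unlike MD5 or SHA) is the absence of avalanche, and it is the reason a derived default credential should come from a real hash or KDF rather than a pairwise character mapping. The script below is an added illustration, not code from this thread and not the real pseudopasswd: `toy_pairwise_derive` is a constructed stand-in that only reproduces the "two characters in, one character out" shape described in post #43, `CHARSET` is a constructed 32-character alphabet (not the router's 37-character one), and the fixed suffix is the string post #47 mentions. It measures, for two serials that differ in one character, how much of the shared prefix survives into the derived password under the toy scheme versus an MD5-based derivation of the same length.

```python
import hashlib

# Constructed 32-character alphabet for the derived password (assumption; the
# thread mentions a 37-character charset for the real routers).
CHARSET = "abcdefghijkmnpqrstuvwxyz23456789"
# Fixed string post #47 appended to the serial before feeding it to pseudopwd.
FIXED_SUFFIX = "PRESHAREDKEY-0907F5"


def toy_pairwise_derive(material: str) -> str:
    """Constructed stand-in for pseudopasswd (NOT the real algorithm).
    Each output character depends on exactly one pair of input characters,
    so equal input prefixes yield equal output prefixes: no avalanche."""
    out = []
    for i in range(0, len(material) - 1, 2):
        a, b = ord(material[i]), ord(material[i + 1])
        out.append(CHARSET[(a * 7 + b * 13) % len(CHARSET)])
    return "".join(out)


def md5_derive(material: str, length: int) -> str:
    """Derive a password of the requested length from MD5 output, so that every
    output character depends on every input character (MD5 chained if more
    than 16 bytes are needed; a real deployment would use a proper KDF)."""
    digest = hashlib.md5(material.encode()).digest()
    while len(digest) < length:
        digest += hashlib.md5(digest).digest()
    return "".join(CHARSET[byte % len(CHARSET)] for byte in digest[:length])


def common_prefix_len(x: str, y: str) -> int:
    """Number of leading positions at which two strings agree."""
    n = 0
    for cx, cy in zip(x, y):
        if cx != cy:
            break
        n += 1
    return n


def changed_positions(x: str, y: str) -> int:
    """Number of positions at which two equal-length strings differ."""
    return sum(1 for cx, cy in zip(x, y) if cx != cy)


def prefix_leak(serial_a: str, serial_b: str) -> dict:
    """Compare two serials sharing a prefix and report how much structure of
    the input survives into the derived password under each scheme."""
    mat_a, mat_b = serial_a + FIXED_SUFFIX, serial_b + FIXED_SUFFIX
    toy_a, toy_b = toy_pairwise_derive(mat_a), toy_pairwise_derive(mat_b)
    length = len(toy_a)
    md5_a, md5_b = md5_derive(mat_a, length), md5_derive(mat_b, length)
    return {
        "input_prefix": common_prefix_len(mat_a, mat_b),
        "toy_len": length,
        "toy_prefix": common_prefix_len(toy_a, toy_b),
        "toy_changed_positions": changed_positions(toy_a, toy_b),
        "md5_prefix": common_prefix_len(md5_a, md5_b),
        "md5_changed_positions": changed_positions(md5_a, md5_b),
    }


if __name__ == "__main__":
    # Constructed serials: 12 characters, differing only in the last one.
    for key, value in prefix_leak("123456789ABC", "123456789ABD").items():
        print(f"{key}: {value}")
```

With the toy scheme a one-character change in the serial flips exactly one output character and leaves the first five untouched, which is exactly the "same start, same beginning" behaviour post #47 saw; the MD5-based derivation changes most positions and keeps no meaningful common prefix. That is the check to apply to any per-device credential scheme: if related inputs give related outputs, the derivation is not doing the job a hash should.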
#48
Well I guess I've got to make a correction. All ATT u-verse editions of the 5268AC have the same root password (as far as I can tell from a sample size of 7). This PACE non-ATT version did not share it. After getting a TSOP48 clip and dumping the NAND, got my hands on the root md5crypt hash. Thankfully the answer was in one of the dictionaries, so didn't have to go full random ?u?l?d on it.
Turns out, it also had the RMA user on it. I guess I should have tried that first. Live and learn. But now I have more toys in my toolbox.

It was FW 10.5.4 (one I hadn't seen for ATT) but nothing new in there as far as I can tell to help solve this mystery.
Drop me a PM if you want a copy of the filesystem, or NAND dump.
Reply
#49
Just hit a collection of 900 passwords (after deleting the ones from Wolfe on HK)
I thought 90h had a good idea with pastebin, so here's a link to the 900.

https://pastebin.com/e55YS9wK

I'll add a little note stating that there are two different versions of the yellow stickers on the routers. One (older) with an increased line spacing where the T's in the ATT ESSID are not touching, and a newer one where the TT are touching. I tried to split my catalogue thinking maybe there are two algorithms as well, but per usual, struck out.
Reply
#50
I was *not so* randomly poking around some other MIPS based firmware. And normally don't bother with looking at individual functions, but my eyes came across part of the MD5update function. If you have examined @90h's python conversion of the pseudopwd, it will look awfully familiar. Perhaps pseudopwd is using a simpler/earlier version of MD5!
So now I need to go look at MD4 and before to see if anything matches what I thought was a complete homebrew algorithm, but might be a perfectly normal established hashing algo.

[Image: 1T2mpIa.png]
Reply