Verizon Fios G3100 and E3200 Research
I recently discovered how easy it was to crack my Netgear default password.  That thrill led me to turn my attention to my Fios G3100.  However, this has turned out to be a much worthier adversary.  Boredom and a bit of tenacity have led me down a winding path, but here is where I am so far in my research.


The G3100 and E3200 routers are distributed by Verizon.  Per usual, the sticker on the back of the unit has the necessary information.  I wrote a small Python script to scrape eBay and FB listings and collect all of the associated images.  A second script sorts the images using computer vision and OCR to detect the QR code or relevant text.  I then personally process the good images to collect the useful information; whenever possible I use the QR code, as it is the most trustworthy data to read.  Thus far, I have collected over 230 complete records, as well as saving the images for verification.


Attachment: FiosG3100andE3200.xlsx
Link to Ref_Images.zip (this is a temporary free file sharing link, dm me if it expires)

From this sample we can gain some info on the G3100 key space:
  • MAC addresses starting with 04.A2.22 are the oldest and have 16 character passwords
        SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
        SSID Passwords follow <word><number><word><number><word> format (ex: met8sonata868elm)
        Admin Passwords are 16 characters and follow a <word><number><word> format (ex: stubble16crowded)
  • MAC addresses starting with B8:F8:53 are mixed and may have 15 or 16 character passwords
        SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
        SSID Passwords follow <word><number><word><number><word> format (ex: moat288nit48pug)
        Admin Passwords are 16 characters and follow a <word><number><word> format (ex: chopper86notably)
  • MAC addresses starting with 3C.BD.C5 are the newest and have 15 character passwords
        SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
                 or Verizon_XXXXXX where X is any char <A-Z><0-9>
        SSID Passwords for “Fios” networks follow <word><number><word><number><word> format (ex: range36vex77toy)
                 or “Verizon” networks follow <word>-<word>-<word> with a single digit at the end of one word (ex: miry9-elm-north)
        Admin Passwords for “Fios” networks are 16 characters and follow a <word><number><word> format (ex: unusual53smelter)
                 or “Verizon” networks are 9 characters that are <A-Z><0-9> (ex: Z79KGSX4T)
                 Note: 0 and 1 are not seen in sample

From this sample we can gain some info on the E3200 key space:
  • MAC addresses starting with 04.A2.22 are the oldest and have 16 character passwords
        SSID is E3200-XXXXX where X is any char <a-z><A-Z><0-9>
        SSID Passwords follow <word><number><word><number><word> format (ex: nylon88wit657aye)
        Admin Passwords are 16 characters and follow a <word><number><word> format (ex: ritual236auction)
  • MAC addresses starting with B8:F8:53 are mixed and may have 15 or 16 character passwords
        SSID is E3200-XXXXX where X is any char <a-z><A-Z><0-9>
        SSID Passwords follow <word><number><word><number><word> format (ex: mach92see36flat)
        Admin Passwords are 16 characters and follow a <word><number><word> format (ex: seraph497lantern)
  • MAC addresses starting with 3C.BD.C5 have 15 character passwords
        SSID is Verizon_XXXXXX where X is any char <A-Z><0-9>
        SSID Passwords follow <word>-<word>-<word> with a single digit at the end of one word (ex: tenth-ben6-vend)
        Admin Passwords are 9 characters that are <A-Z><0-9> (ex: 3JB94H6CQ)
        Note: 0 and 1 are not seen in sample
  • MAC addresses starting with DC.F5.1B are the newest and have 15 character passwords
        SSID is Verizon_XXXXXX where X is any char <A-Z><0-9>
        SSID Passwords follow <word>-<word>-<word> with a single digit at the end of one word (ex: plush-fast3-con)
        Admin Passwords are 9 characters that are <A-Z><0-9> (ex: QVB734TKL)
        Note: 0 and 1 are not seen in sample

From this sample we can gain some other info:
  • Password <word>s are between 3 and 7 characters for SSID passwords
  • Password <number>s are between 1 and 4 digits
  • There are 3 HW versions (1102, 1103, 1104)
  • Serial #’s are 16 digits (except for the most recent E3200, which have 11)
  • Shipped firmware ranges from 1.3.5.1 to 3.1.1.16
  • These are the 568 unique words extracted from the passwords:
Code:
add
aft
ago
aim
air
ait
alp
ape
ark
art
ash
ask
awe
aye
bat
bay
bed
bee
beg
ben
bet
bid
biz
boa
bog
bot
bow
bug
bun
bus
bye
cat
caw
cif
cob
con
cot
cub
cud
cup
cut
dab
dad
dam
daw
day
del
dew
dia
did
dig
dit
doe
dos
due
dun
ear
eeg
ego
eke
elk
elm
end
fad
fat
fax
fay
fed
fee
fen
few
fez
fib
fig
fin
fir
fit
fob
fog
fop
for
fox
fro
gad
gap
gel
gem
gen
gig
gin
gnp
gnu
got
gut
had
han
has
hat
hew
hey
hid
hie
him
hin
hit
hod
hub
hue
hum
ice
icy
jab
jag
jam
jaw
jet
jib
jog
joy
jus
lab
law
lay
let
mad
may
met
mil
mix
mod
mow
mud
mug
mum
nag
naw
new
nib
nip
nit
nod
non
not
now
oak
oar
odd
ode
oil
one
ope
opt
ork
out
owl
pal
paw
pay
pea
pet
pit
pod
pug
pun
pup
put
ram
ran
rap
raw
ray
ree
ret
rid
rna
roe
rug
run
rut
rye
sat
say
see
set
sew
sir
sit
six
sly
sou
sow
soy
spa
sum
sun
sup
tag
tap
tax
tee
too
tot
toy
tun
ush
vex
vie
vim
wad
was
wax
web
wed
why
wig
win
wit
woe
won
woo
wry
yak
yam
yea
yes
yet
yon
you
zap
zoo
abbe
aery
agog
alas
alga
allo
arms
atom
back
bake
beak
been
beep
bits
boar
bolt
bone
book
boss
bred
brew
brow
cafe
cape
cart
cast
cene
cere
cham
char
cloy
copy
crib
cuff
dark
dear
deny
dewy
dial
dine
dint
dock
doff
dory
doth
drub
dump
dust
each
ever
exam
fade
fame
fare
fast
fawn
feet
felt
fine
flat
flaw
flit
form
fund
fuss
gage
gain
gall
gate
gent
golf
grab
gray
grey
grim
hair
hake
halt
hasp
have
hawk
held
hide
high
holm
hone
hoot
hour
huff
hung
ibis
iron
jibe
jill
june
kale
kidd
kirk
knit
knot
lack
lead
lean
lend
lens
less
lump
mach
mama
mass
meat
mica
mint
miry
moat
mood
myth
nail
name
nice
nigh
nite
oboe
oily
ouch
over
paid
pail
pant
pelf
pell
pelt
pert
plan
plot
plus
pool
pram
push
quiz
raze
rill
ripe
roar
rome
roof
rook
ruby
rush
sage
sale
self
shed
sign
sill
skim
slop
slue
slug
soap
solo
spin
stir
swam
swap
tare
tele
tell
than
then
they
tidy
tier
ting
tout
tram
trod
tron
tune
type
upon
vain
vane
vend
vide
vine
wain
wait
wake
wane
want
wash
wavy
what
whom
will
wind
wing
wire
wisp
wood
yard
yeah
yell
yelp
yond
zest
acute
amaze
angel
apace
basic
begot
bough
brush
camel
carry
chase
clean
clump
coach
cocky
combe
comet
coney
could
crate
creak
credo
cress
crock
crone
demur
deter
divan
douse
drily
eater
elope
enact
endow
favor
fifth
fifty
finny
flock
floor
floss
flown
focal
focus
forte
froth
fuzzy
games
gorse
guise
hoary
hobby
hutch
inapt
inner
jewel
mayor
meant
mense
mixed
moose
muddy
mulct
niter
north
nylon
order
papal
pivot
plait
plumy
plush
poser
price
quard
quell
quest
range
rapid
rayon
sales
salon
salty
scend
scope
scour
sense
shack
sixty
smack
snips
snort
spark
spent
steep
stiff
swell
synod
taper
tarry
tempt
tenth
thank
tinge
today
trace
track
tract
trade
trawl
trend
tweet
tyler
vague
verse
vetch
vital
whose
witty
woman
worse
wrist
behove
bethel
german
iodine
pallor
remove
sonata
bloated
sweater
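To put the formats above in defender's terms, this added script (not code from the post) counts how many distinct strings each catalogued SSID and Verizon-admin format admits under the length limits the sample reports and converts the count into bits of entropy. Its only inputs are numbers from the post: the word-length histogram of the 568-word list above (230 three-letter, 207 four-letter, 122 five-letter, 7 six-letter, 2 seven-letter), <number> tokens of 1-4 digits, and a 34-symbol alphabet for the 9-character admin passwords; the <word><number><word> admin format is left out because its words (e.g. "stubble", "auction") are not in that list.

```python
"""Key-space estimate for the default-password formats catalogued above.

Added example, not code from the original post.  The counts are an upper
bound only if the sample word list is complete; a larger real list makes
every key space larger, a smaller digit range makes it smaller.
"""
import math
from collections import Counter

# Distinct words in the post's 568-word list, counted by length (3..7).
WORDS_BY_LEN = {3: 230, 4: 207, 5: 122, 6: 7, 7: 2}
# A <number> token is 1 to 4 digits: 10**d distinct strings of length d.
NUMBERS_BY_LEN = {d: 10 ** d for d in range(1, 5)}
DIGIT = {1: 10}          # the single digit in the Verizon_ SSID format
HYPHEN = {1: 1}          # literal '-' separator
ADMIN_ALPHABET = 26 + 8  # A-Z plus 2-9 (0 and 1 were not seen in the sample)


def convolve(tokens):
    """Distinct strings per total length when the token distributions
    ({length: count}) are concatenated in the given order."""
    total = {0: 1}
    for tok in tokens:
        nxt = Counter()
        for len_a, count_a in total.items():
            for len_b, count_b in tok.items():
                nxt[len_a + len_b] += count_a * count_b
        total = dict(nxt)
    return total


def keyspace(tokens, allowed_lengths, multiplier=1):
    """Distinct strings of an allowed total length for a token pattern."""
    by_len = convolve(tokens)
    return multiplier * sum(by_len.get(n, 0) for n in allowed_lengths)


def fios_ssid_keyspace():
    """<word><number><word><number><word>, 15 or 16 characters in total.
    Words are letters and numbers are digits, so every string parses
    one way and nothing is double counted."""
    W, N = WORDS_BY_LEN, NUMBERS_BY_LEN
    return keyspace([W, N, W, N, W], (15, 16))


def verizon_ssid_keyspace():
    """<word>-<word>-<word> with a single digit at the end of exactly one
    word, 15 characters in total.  The digit is convolved in once and the
    multiplier of 3 accounts for which of the three words carries it."""
    W = WORDS_BY_LEN
    return keyspace([W, DIGIT, HYPHEN, W, HYPHEN, W], (15,), multiplier=3)


def verizon_admin_keyspace():
    """9 characters from A-Z plus 2-9; no internal structure was observed."""
    return ADMIN_ALPHABET ** 9


def bits(n):
    """Entropy in bits of a key chosen uniformly from n candidates."""
    return round(math.log2(n), 1)


if __name__ == "__main__":
    for name, fn in [("Fios SSID", fios_ssid_keyspace),
                     ("Verizon SSID", verizon_ssid_keyspace),
                     ("Verizon admin", verizon_admin_keyspace)]:
        n = fn()
        print(f"{name:14s} {n:>22,d} candidates  ~{bits(n)} bits")
```

The three-word Verizon_ SSID format comes out near 30 bits and the five-token Fios format near 49 bits, which is the number to weigh when deciding whether a default Wi-Fi key should be replaced.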

Although there is a lot of useful information collected in the sample, it is still a fairly large key space.  With that in mind, I decided to take my first dive into firmware analysis, which of course requires some firmware.  Looking online, I was able to find a single Reddit post that linked to G3100 firmware version 3.2.0.15.  With a lot more digging, I was able to find posts with links to firmware for other devices.  Using this information, I wrote another script to try to find additional firmware.  Here’s what I've found; I believe many of these are being posted online for the first time.

https://cpe-ems34.verizon.com/firmware/g....0.0.6.bin
https://cpe-ems34.verizon.com/firmware/g...1.1.17.bin
https://cpe-ems34.verizon.com/firmware/g...1.1.18.bin
https://cpe-ems34.verizon.com/firmware/g...2.0.11.bin
https://cpe-ems34.verizon.com/firmware/B...2.0.13.bin
https://cpe-ems34.verizon.com/firmware/B...2.0.14.bin
https://cpe-ems34.verizon.com/firmware/B...2.0.15.bin
https://cpe-ems34.verizon.com/firmware/B...loader.bin
https://cpe-ems34.verizon.com/firmware/B...loader.bin
https://cpe-ems34.verizon.com/firmware/B...loader.bin
https://cpe-ems34.verizon.com/firmware/B...loader.bin

All of the links I found online for the Verizon G3100, E3200, and CR1000 used the cpe-ems34 link.  I did find some other routers that were using different servers, such as cpe-ems20 and cpe-ems31.  Further investigation led to this site showing all of the Verizon subdomains, among which there are a ton of cpe-ems domains.

I tried my script with a few, such as 31, 33, and 43; however, nothing new turned up.
https://cpe-ems33.verizon.com/firmware/g...1.1.17.bin
https://cpe-ems34.verizon.com/firmware/g...2.0.15.bin

I tried binwalk on the first firmware I found (3.2.0.15), and while it extracts the file system, none of the files were readable for me.  The entropy graph shows that only a small part is encrypted, so I am a bit confused.  My next step is to try to mount it in a Linux VM, since I only have a Mac and an RPi for testing.

Attachment: g3100_fw_3.2.0.15.bin.png

This is what led me to look for older firmware; however, using binwalk on 2.0.0.6 gives me similar results.  I know that there should be at least 2 older firmware versions, 1.3.6.27 and 1.5.0.10, but I have not been able to locate them.

Attachment: g3100_fw_2.0.0.6.bin.png
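Entropy graphs like the binwalk ones attached above measure bits per byte over a sliding window. This added example (not code from the post) reimplements that measurement on a constructed blob rather than a real G3100 image, and shows the caveat that matters when reading such a graph: a DEFLATE-compressed region and a pseudo-random region standing in for ciphertext land in the same high band, so the graph alone cannot say how much of an image is encrypted versus merely compressed.

```python
"""Sliding-window Shannon entropy, the measurement behind a binwalk -E graph.

Added example, not code from the post.  The blob it analyses is constructed:
zero padding, plain text, that text DEFLATE-compressed, and seeded
pseudo-random bytes standing in for ciphertext.
"""
import math
import random
import string
import zlib
from collections import Counter

WINDOW = 1024  # bytes per measurement; a granularity similar to binwalk -E


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(blob: bytes, window: int = WINDOW):
    """(offset, entropy) for every full window; a trailing partial window is dropped."""
    return [(off, shannon_entropy(blob[off:off + window]))
            for off in range(0, len(blob) - window + 1, window)]


def label(entropy: float) -> str:
    """Bucket one window.  Thresholds are conventional, not taken from binwalk."""
    if entropy < 2.0:
        return "low"      # padding, tables, zero-filled or sparse areas
    if entropy < 7.0:
        return "medium"   # text, machine code, uncompressed structures
    return "high"         # compressed OR encrypted: entropy cannot tell them apart


def regions(profile, window: int = WINDOW):
    """Collapse consecutive windows with the same label into (start, end, label)."""
    runs = []
    for off, ent in profile:
        lab = label(ent)
        if runs and runs[-1][2] == lab:
            runs[-1] = (runs[-1][0], off + window, lab)
        else:
            runs.append((off, off + window, lab))
    return runs


def region_labels(blob: bytes):
    """Just the sequence of region labels, e.g. ['low', 'medium', 'high']."""
    return [lab for _, _, lab in regions(entropy_profile(blob))]


def build_sample_blob() -> bytes:
    """Constructed stand-in for a firmware image (seeded, so reproducible)."""
    rng = random.Random(2024)
    vocab = ["".join(rng.choice(string.ascii_lowercase)
                     for _ in range(rng.randint(3, 7))) for _ in range(40)]
    text = " ".join(rng.choice(vocab) for _ in range(12_000)).encode()
    padding = bytes(4096)                                           # low
    compressed = zlib.compress(text, 9)                             # high, not encrypted
    pseudo_cipher = bytes(rng.getrandbits(8) for _ in range(4096))  # high
    return padding + text[:4096] + compressed + pseudo_cipher


if __name__ == "__main__":
    blob = build_sample_blob()
    for start, end, lab in regions(entropy_profile(blob)):
        print(f"0x{start:06x}-0x{end:06x}  {lab}")
    # The compressed and the pseudo-encrypted regions merge into one 'high' run.
```

A high-entropy tail after an extractable file system is therefore consistent with LZMA-compressed content (the kernel in the boot log is lzma compressed) just as much as with encryption; confirming encryption needs a known-format header, a failed decompression, or the signature-verification messages the UART log reports.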

The possibility of firmware encryption led me to look at physical access to the device.  After some quick soldering, I connected to the UART.  Unfortunately, this did not lead to a shell either, but it did provide a bit more information.  Referencing some of the output online, I found someone else who also connected this way and had a longer output (possibly because of older firmware?).
Code:
BTRM
V1.0
R1.0
L1CD
MMUI
MMU9
DATA
ZBBS
MAIN
OTP?
REF?
REFP
RTF?
RTFP
OTPP
FSBT
NAND
IMG?
IMGL
UHD?
UHDP
RLO?
RLOP
AHD?
ROT?
ROTA
MID?
MIDP
AHDP
SBI?
SBIA
PASS
----

U-Boot SPL 2019.07 (Oct 31 2023 - 03:52:42 -0400)
Strap register: 0x53008176
Board is FLD secure
$SPL: 5.04L.02@419765 $
nand flash device id 0x98d39126, total size 1024MB
block size 256KB, page size 4096 bytes, spare area 216 bytes
ECC BCH-8
FFinit done
find magic number 0x75456e76 at address 0x100000
FFinit find magic number 0xcb00cb at address 0x114000
reading blob from 0x114000 offset 0x26c len 608
digest sha256 OK
FFinit find magic number 0x64447233 at address 0x105000
reading blob from 0x105000 offset 0xc len 59888
digest sha256 OK
mcb selector 0x1427 checksum 0x722c322d safe_mode 0

U-Boot DDR standalone 2019.07 (Jul 25 2021 - 18:43:37 -0700) Build: 5.04L.02@348603

MemsysInit hpg0_generic_aarch64 3.5.1.1 20171009
DDR3
8267D980 80180000 801A0000 00000000 00000000 0020476E
MCB rev=0x00000501 Ref ID=0x0476E Sub Bld=0x002
Dram Timing 11-11-11

start of memsys_begin
mc_cfg_init(): Initialize the default values on mc_cfg
init_memc_dram_profile(): Initializing MEMC DRAM profile
---------------------------------------------------------------
MEMC DRAM profile (memc_dram_profile_struct) values:
  dram_type    = DDR3
====================================================
PART values:
  part_speed_grade    = 1600 CL11
  part_size_Mbits    = 4096 (DRAM size in MegaBits)
  part_row_bits      = 15 (number of row bits)
  part_col_bits      = 10 (number of column bits)
  part_ba_bits        = 3 (number of bank bits)
  part_width_bits    = 16 (DRAM width in bits)
NUMER OF PARTS:
  part_num            = 1 (Number of parts)
TOTAL values:
  total_size_Mbits    = 4096 (DRAM size in MegaBits)
  total_cs_bits      = 0 (number of cs bits, for dual_rank mode)
  total_width_bits    = 16 (DRAM width in bits)
  total_burst_bytes  = 16 (Number of bytes per DRAM access)
  total_max_byte_addr = 0x1fffffff (Maximum/last DRAM byte address)
                        (Number of bits in total_max_byte_addr is 29)
                        (i.e. total_max_byte_addr goes from bit 0 to bit 28)
  ddr_2T_mode        = 0
  ddr_hdp_mode        = 1
  large_page          = 1
  ddr_dual_rank      = 0
  cs_mode            = 0
MEMC timing (memc_dram_timing_cfg_struct) values:
====================================================
  MC_CHN_TIM_TIM1_0 register fields:
    tCwl  = 8
    tRP    = 11
    tCL    = 11
    tRCD  = 11
  MC_CHN_TIM_TIM1_1 register fields:
    tCCD_L = 4
    tCCD  = 4
    tRRD_L = 6
    tRRD  = 6
  MC_CHN_TIM_TIM1_2 register fields:
    tFAW  = 32
    tRTP  = 6
    tRCr  = 39
  MC_CHN_TIM_TIM1_3 register fields:
    tWTR_L = 6
    tWTR  = 6
    tWR_L  = 12
    tWR    = 12
  MC_CHN_TIM_TIM2 register fields:
    tR2R  = 0
    tR2W  = 2
    tW2R  = 2
    tW2W  = 0
    tAL    = 0
    tRFC  = 208
====================================================
%1 SSC enabled

Poll PHY Status register
PHY Status= 1
Disable Auto-Refresh
[0000000080180200] = 0x00000305
End of memsys_begin
Add/Ctl Alignment
Coarse Adj=0x087 deg, cmd steps=0x0DC
reg 0x801A0090 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A0094 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A0098 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A009C set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00A0 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00A4 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00A8 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00AC set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00B0 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00B4 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00B8 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00BC set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00C0 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00C4 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00C8 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00CC set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00D0 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00D4 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00D8 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00DC set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00E0 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00E4 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00E8 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00EC set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00F0 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00F4 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00F8 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A00FC set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A0100 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A0108 set to VDL 0x054 with Fine Adj=0x01 deg
reg 0x801A010C set to VDL 0x054 with Fine Adj=0x01 deg
HP RX TRIM
itrim = 0x0
lstrim = 0x9

ZQ Cal HP PHY
R in Ohm
P: Finger=0x318 Term=0x71 Drv=0x28
N: Finger=0x2A6 Term=0x71 Drv=0x28

PLL Ref(Hz)=0x02FAF080 UI STEPS=0x06E
DDR CLK(MHz)=0x31B WL CLK dly(ps)=0x0C8 bitT(ps)=0x274 VDLsize(fs)=0x164D CLK_VDL=0x023
start of memc_init
[0000000080180004] = 0x0110061f
[0000000080180234] = 0x00001101
Enable Auto-Refresh
[0000000080180110] = 0x11100f0e
[0000000080180114] = 0x15141312
[0000000080180118] = 0x19181716
[000000008018011c] = 0x001c1b1a
[0000000080180124] = 0x04000000
[0000000080180128] = 0x08070605
[000000008018012c] = 0x00000a09
[0000000080180134] = 0x000d0c0b
Writing to MC_CHN_CFG_CNFG reg; data=0x00000000
[0000000080180100] = 0x00000000
cfg_memc_timing_ctrl() Called
[0000000080180214] = 0x080b0b0b
[0000000080180218] = 0x04040606
[000000008018021c] = 0x20000627
[0000000080180220] = 0x06060c0c
[0000000080180224] = 0x120000d0
End of memc_init
start of pre_shmoo
[0000000080180004] = 0xc110071f
end of pre_shmoo

SHMOO 28nm
801A0000 80180800 00000000 00020000 00000000

Shmoo WL

One UI Steps : 0x7B

auto-clk result = 01B (filter=0C steps)
initial CLK shift = 023
final CLK shift  = 01B

  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111
  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222
  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012
00 S-------------------X------------------------------------------------------------------------------------------------------
01 S-----------X--------------------------------------------------------------------------------------------------------------

Shmoo RD En
FORCED WR ODT = 0x00001800
DQSN DRIVE PAD CONTROL (from) (to)
B0 00039A91 00079A91
B1 00039A91 00079A91
B0 RISE UI=1 VDL=1B PICK UI=2 VDL=1B
B1 RISE UI=1 VDL=28 PICK UI=2 VDL=28
  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111
  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222
  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012
00 --S-----------------+---+++X+++++++++++++++--------------------------------------------------------------------------------
01 --S-----------------------------+----++-X+++++++++++++++-------------------------------------------------------------------

Shmoo RD DQ NP
DQS :
B0 VDL=6E ok
B1 VDL=6E ok
  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111
  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222
  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012
00 ---------------------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++-------
01 ---------------+++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++---------
02 ------------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---------
03 ----------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++-----------------
04 --------------+++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++-----------------
05 ------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---------------
06 ------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-------------
07 --------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++--------------------
08 ------------------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---
09 -----------------------++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---
10 -------------------+++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-----
11 --------------------+++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++---
12 -----------------+++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++------
13 ----------------++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++-----
14 --------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-----------
15 ------------------++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++---

Shmoo RD DQ P
  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111
  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222
  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012
00 ---------------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++------
01 ---------------+++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++-----
02 -------------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++------
03 ---------++++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++-------------
04 --------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++-------------
05 ------------+++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++-----------
06 ------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-------------
07 --------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-----------------
08 ------------------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-
09 -----------------------++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---
10 -------------------+++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-----
11 --------------------+++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++---
12 -----------------+++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-------
13 ---------------++++++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++++---
14 --------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-----------
15 -----------------+++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++---

Shmoo RD DQ N
  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111
  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222
  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012
00 ------------------+-+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++-------
01 ----------------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++---------
02 ------------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---------
03 ---------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++------------------
04 ------------++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++-----------------
05 -----------++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++--------------
06 -----------+++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++-------------
07 -----++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++--------------------
08 ------------------------++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++--
09 ---------------------++++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++-
10 ------------------+++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++-----
11 ------------------+++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++--
12 ---------------++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++------
13 ----------------++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++-----
14 ------------++++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++++----------
15 ------------------++++++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++++++---

RD DQS adjustments :
BL0: Start: 0x6E Final: 0x6E
BL1: Start: 0x6E Final: 0x6E

Shmoo WR DQ
  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111
  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222
  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012
00 ------------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++---------------
01 ----------+++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++---------------------
02 ------------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++----------------
03 ---+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++------------------------
04 ---------+++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++-----------------------
05 --------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++--------------------
06 -----------++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++------------------
07 ---+++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++-----------------------------
08 ---------------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++-------------
09 ---------------++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++---------------
10 -----------+++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++----------------
11 -----------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++-----------------
12 -----------+++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++--------------------
13 -----------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++-----------------
14 ----+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++------------------------
15 ------------+++++++++++++++++++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++++++++++++++++++----------------

Shmoo WR DM
WR DM
  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111
  000000000011111111112222222222333333333344444444445555555555666666666677777777778888888888999999999900000000001111111111222
  012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012
00 -------++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++-----------------------
01 --------++++++++++++++++++++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++++++++++++++++++++------------------
start of memsys_end
[0000000080180004] = 0x8110071f
[0000000080180010] = 0x00000009
end of memsys_end
DDR test done successfully
FFinit find magic number 0x75456e76 at address 0x100000
FFinit find magic number 0x74506c21 at address 0x140000
reading blob from 0x140000 offset 0xc len 163741
digest sha256 OK

U-Boot TPL 2019.07 (Oct 31 2023 - 03:52:39 -0400)
Board is FLD secure
$TPL: 5.04L.02@419765 $
CPU Clock: 1500MHz
IMAGE is NAND
Trying to boot from NAND
nand flash device id 0x98d39126, total size 1024MB
block size 256KB, page size 4096 bytes, spare area 216 bytes
ECC BCH-8
image from 2097152 to 315621376
brcmnand_read_buf(): Attempt to read bad nand block 760
brcmnand_read_buf(): Attempt to read bad nand block 762
brcmnand_read_buf(): Attempt to read bad nand block 768
brcmnand_read_buf(): Attempt to read bad nand block 770
brcmnand_read_buf(): Attempt to read bad nand block 772
brcmnand_read_buf(): Attempt to read bad nand block 780
brcmnand_read_buf(): Attempt to read bad nand block 782
RESET STATUS is 0x80000000
SELECTED Image 1 FIT_VOL_ID is 3
brcmnand_read_buf(): Attempt to read bad nand block 760
brcmnand_read_buf(): Attempt to read bad nand block 762
brcmnand_read_buf(): Attempt to read bad nand block 768
brcmnand_read_buf(): Attempt to read bad nand block 770
brcmnand_read_buf(): Attempt to read bad nand block 772
brcmnand_read_buf(): Attempt to read bad nand block 780
brcmnand_read_buf(): Attempt to read bad nand block 782
Found FIT format U-Boot
tpl_load_read: sector 7000000, count 3194, buf 0000000007000000
tpl_load_read: sector 7000000, count 4192, buf 0000000007000000
fit read sector 7000000, sectors=16786, dst=0000000007000000, count=16786, size=0x4192
FIT Header Authentication Successfull!
INFO: Found disabled /trust/anti-rollback node!
INFO: Found /trust/hw_state node in fit
tpl_load_read: sector 7003680, count 8028, buf 0000000000004000
## Checking hash(es) for Image atf ... sha256+ OK
tpl_load_read: sector 700b680, count 27fc80, buf 0000000001000000
## Checking hash(es) for Image uboot ... sha256+ OK
tpl_load_read: sector 76ea1c0, count c5be, buf 000000000127fc80
## Checking hash(es) for Image fdt_VERIZON-G3100 ... sha256+ OK
INFO: Creating //trust
INFO: Creating /trust/antirollback_lvl
INFO: Adding exported item node antirollback_lvl to dtb, size:4
INFO: Creating /trust/brcm_pub_key
INFO: Adding exported item node brcm_pub_key to dtb, size:256


U-Boot 2019.07 (Oct 31 2023 - 03:52:45 -0400), Build: 5.04L.02@419765

Model: VERIZON-G3100
DRAM:  512 MiB
max supported leds 32[32]
Serial LED interface found num shifters 2 [2] serial data polarity low 0
BCA LED Controller initialized
HW led 3 registered
HW led 4 registered
HW led 5 registered
HW led 6 registered
HW led 7 registered
HW led 8 registered
HW led 9 registered
HW led 10 registered
SW led 0 registered
SW led 1 registered
SW led 2 registered
SW led 11 registered
SW led 12 registered
SW led 13 registered
SW led 14 registered
SW led 15 registered
Dump Current setting of SWREGs
1.0D, reg=0x00, val=0xc690
1.0D, reg=0x01, val=0x0d06
1.0D, reg=0x02, val=0xcb12
1.0D, reg=0x03, val=0x5372
1.0D, reg=0x04, val=0x0000
1.0D, reg=0x05, val=0x0702
1.0D, reg=0x06, val=0xb000
1.0D, reg=0x07, val=0x0029
1.0D, reg=0x08, val=0x0c02
1.0D, reg=0x09, val=0x0071
1.8 , reg=0x00, val=0xc690
1.8 , reg=0x01, val=0x0d06
1.8 , reg=0x02, val=0xcb12
1.8 , reg=0x03, val=0x5370
1.8 , reg=0x04, val=0x0000
1.8 , reg=0x05, val=0x0702
1.8 , reg=0x06, val=0xb000
1.8 , reg=0x07, val=0x0029
1.8 , reg=0x08, val=0x0c02
1.8 , reg=0x09, val=0x0071
1.5 , reg=0x00, val=0xc690
1.5 , reg=0x01, val=0x0d06
1.5 , reg=0x02, val=0xcb12
1.5 , reg=0x03, val=0x5370
1.5 , reg=0x04, val=0x0000
1.5 , reg=0x05, val=0x0702
1.5 , reg=0x06, val=0xb000
1.5 , reg=0x07, val=0x0029
1.5 , reg=0x08, val=0x0c02
1.5 , reg=0x09, val=0x0071
1.0A, reg=0x00, val=0xc690
1.0A, reg=0x01, val=0x0d06
1.0A, reg=0x02, val=0xcb12
1.0A, reg=0x03, val=0x5370
1.0A, reg=0x04, val=0x0000
1.0A, reg=0x05, val=0x0702
1.0A, reg=0x06, val=0xb000
1.0A, reg=0x07, val=0x0029
1.0A, reg=0x08, val=0x0c02
1.0A, reg=0x09, val=0x0071
Take PMC out of reset
waiting for PMC finish booting
PMC rev: 3.4.1.427360 running
pmc_init:PMC using DQM mode
Chip ID: BCM68369_B1
Broadcom B53 Dual Core: 1500MHz
RDP: 1400MHz
$Uboot: 5.04L.02@419765 $
WDT:  Started with servicing (80s timeout)
NAND:  1024 MiB
MMC:  sdhci: 0
Loading Environment from BOOT_MAGIC... ENV_BOOT_MAGIC_LOAD
found magic at 100000
good crc
resize from 16384 to 8192
OK
In:    serial0
Out:  serial0
Err:  serial0
Board is FLD secure
INFO: Can't find /trust/fit-aes1 node in boot DTB!
Now we are in UBOOT proper
HTTPD: ready for starting
boot_device is NAND
Net:  Using MAC Address b8:f8:53:0b:1d:01
eth0: switch0
No size specified -> Using max size (7300992)
Read 7300992 bytes from volume bootfs1 to 0000000002000000
FIT Header Authentication Successfull!
Read 4 bytes from volume rootfs1 to 000000001dd40664
## Loading kernel from FIT Image at 02000000 ...
  Using 'conf_lx_VERIZON-G3100' configuration
  Verifying Hash Integrity ... OK
  Trying 'kernel' kernel subimage
    Description:  4.19 kernel
    Type:        Kernel Image
    Compression:  lzma compressed
    Data Start:  0x0228c800
    Data Size:    3461392 Bytes = 3.3 MiB
    Architecture: AArch64
    OS:          Linux
    Load Address: 0x00100000
    Entry Point:  0x00100000
    Hash algo:    sha256
    Hash value:  77e40836ec218fa969f9d2bd572115ed9a7ef008cc75bfec4912354ce78a6349
  Verifying Hash Integrity ... sha256+ OK
## Loading fdt from FIT Image at 02000000 ...
  Using 'conf_lx_VERIZON-G3100' configuration
  Verifying Hash Integrity ... OK
  Trying 'fdt_VERIZON-G3100' fdt subimage
    Description:  dtb
    Type:        Flat Device Tree
    Compression:  uncompressed
    Data Start:  0x026ea1c4
    Data Size:    50618 Bytes = 49.4 KiB
    Architecture: AArch64
    Hash algo:    sha256
    Hash value:  c50470d2e693ebcd7dd68e42cc1de0ace24ccc30766e9c36d08c6b4462fa2e53
  Verifying Hash Integrity ... sha256+ OK
  Booting using the fdt blob at 0x26ea1c4
ARCADYAN: Authenticating vmlinux ...
ARCADYAN: Authenticating vmlinux pass
ARCADYAN: Decrypting kernel image ...
ARCADYAN: Decrypting kernel image done
  Uncompressing Kernel Image ... OK
ERROR: reserving fdt memory region failed (addr=1b400000 size=4c00000)
  Loading Device Tree to 0000000007f73000, end 0000000007fff5b9 ... OK
RSVD: not found enrty for adsl
RSVD: not found enrty for bufmem
RSVD: not found enrty for rnrmem
RSVD: Allocated for rdp1    64MB
RSVD: Allocated for rdp2    8MB
RSVD: Allocated for dhd0    11MB
RSVD: Allocated for dhd1    11MB
RSVD: Allocated for dhd2    11MB
RSVD: Total 0x06c00000 bytes CMA reserved memory @ 0x19400000
appending extra boot args to linux boot command line:
  mtdparts=brcmnand.0:2097152(loader),313524224@2097152(image),8388608@315621376(misc1),1048576@324009984(misc3),709885952@325058560(data),28311552@1034944512(owl),1048576@1063256064(mtdoops),2097152@1064304640(license),2097152@1066401792(certificate),1048576@1068498944(pri
Starting kernel ...

D%G

My device is currently running firmware 3.4.0.9, which I tried to revert to any previous version.  I found a reference to a “hidden” admin page to update firmware at https://192.168.1.1/#/firmware_upgrade, but none of the firmware I downloaded would work (I think due to anti-rollback).

So this is where I am currently stuck.  I doubt that the key generation algorithm is on the device.  However, if anyone is able to make sense of the serial output that might help unlock the firmware, I would love to just have a look around for curiosity's sake.  I will try to periodically scrape and update the password file; I originally thought it would have more entries by now.

Next Steps:
  • Analyze the data set to try to reduce key space (unused characters, common words, find the wordlist?)
  • Collect more complete entries for the dataset
  • Try to mount file system (ubi.img) in a proper Linux environment
  • Try to find older firmware


Attached Files
.jpeg   Backref.jpeg (Size: 50 KB / Downloads: 95)
#2
I forgot to post the E3200 Firmware links I discovered.  The single mention I found previously was for the 3.2.0.11.trapeze.bin

Code:
https://cpe-ems34.verizon.com/firmware/e3200_fw_3.1.1.17.bin
https://cpe-ems34.verizon.com/firmware/e3200_fw_3.1.1.18.bin
https://cpe-ems34.verizon.com/firmware/e3200_fw_3.2.0.1.bin
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.2.0.11.trapeze.bin
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.2.0.12.trapeze.bin
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.4.0.8.trapeze.bin
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.2.0.11.bin
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.2.0.12.bin
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.4.0.7_loader.bin
https://cpe-ems34.verizon.com/firmware/BHRx_Ext/e3200_fw_3.4.0.8_loader.bin

and the G3100 for readability.
Code:
https://cpe-ems34.verizon.com/firmware/g3100_fw_2.0.0.6.bin
https://cpe-ems34.verizon.com/firmware/g3100_fw_3.1.1.17.bin
https://cpe-ems34.verizon.com/firmware/g3100_fw_3.1.1.18.bin
https://cpe-ems34.verizon.com/firmware/g3100_fw_3.2.0.11.bin
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.2.0.13.bin
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.2.0.14.bin
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.2.0.15.bin
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.4.0.4_loader.bin
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.4.0.6_loader.bin
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.4.0.8_loader.bin
https://cpe-ems34.verizon.com/firmware/BHRx/g3100_fw_3.4.0.9_loader.bin

<Mirrors>
https://cpe-ems33.verizon.com/firmware/g3100_fw_3.1.1.17.bin
https://cpe-ems33.verizon.com/firmware/g3100_fw_3.2.0.15.bin
#3
Nicely done. Not sure if this will be helpful, but PSKracker has a couple of netgear wordlists that might come in handy
https://github.com/andrewjlamarche/PSKracker
#4
Interesting research. We've looked at these and sadly couldn't find anything that could limit the keyspace, which is really enormous. We have a lot of uncracked Fios networks in wpa-sec. We've got only these:
Code:
b8f853eb8962 Fios-6MSdq arc53dock735wry
b8f85362dec2 Fios-DMG5b palmy82out76arc
04a222f1f9da Fios-9ZfGv tag828pun44snail
b8f85337fb06 Fios-fq8ZT zoo343owl289crow
As always, the BSSID may be fake.
#5
Yeah, I have come across the wordlists for 3-7 letter words that could be combined to create a dictionary; however, as others have discovered, the possible keyspace is still huge.  I had a bit of time over the weekend to play with the data, and I am happy to report that I made some progress!  With a little more data collection/processing I should be able to generate all of the serial numbers based on MAC address.  Without an algorithm, it isn’t super exciting... but it does allow me to at least validate that the MACs and serials I collect are accurate, since the characters 0, 8 and B all look similar in blurry photos.  If we ever do discover the algorithm, the serial number could likely be part of it.


Here’s my analysis...

I noticed that there seemed to be a pattern in the last digit of the MAC address, with many ending in 0/8 or 4/C, especially when grouped together by serial number.  So I separated the data by MAC address using the first 3 octets (i.e. B8.F8.53.XX.XX.XX), then combined the last 3 octets (i.e. DD.4A.98), removed the decimals (DD4A98) and converted the hex to a decimal value (14502552).  This gave me a numerical value for the MAC that I could plot vs the serial number.  We can see there is a very strong correlation, but we can’t accurately calculate the serial number.

[Image: attachment.php?aid=1242]

To try to determine the relationship, I kept the serial numbers sorted in order.  Then I took the hex2dec and serial number of one entry, and subtracted it from the next.  I then took the (Mac difference / Serial difference). Seeing the same whole digit pop up several times gives us a clue that we’re on to something!

[Image: attachment.php?aid=1243]

However, there are still several entries that don’t make any sense at all.  I tried to look at the serial numbers individually, but there were huge jumps that didn’t seem explainable.  I fed the data to our favorite AI, and it couldn’t make much sense of it either.  However, it did suggest that perhaps the digits 21 in all of the serial numbers (E302120090812958) were a date code.  I investigated this a little bit, but it didn’t seem to work out.  Eventually I broke the digits into smaller numbers, which then allowed me to recognize there is a date code, just in a slightly different spot!  The format is 2-digit year, 2-digit month, 2-digit day starting on the 6th character (E302120090812958 = 09/08/2020).  I was able to verify this because the month spot is never greater than 12, the day spot is never greater than 31 and is only 31 on months that have that many days, and the years are between 19-23.  The first 5 characters in the serial always stay the same, so that leaves us with the last 5 digits as the incremental serial (E302120090812958).  With this information in hand, I sorted the list by date codes, and everything starts to line up more.  The number 8 that shows up is how many steps there are between MAC addresses, so if the MAC is 3C.BD.C5.42.22.50, the next address in the sequence will be 3C.BD.C5.42.22.58.  Using this information, I can actually back-calculate the starting MAC address for each date code if we assume each block starts @ 00000 serial.  Once all of the starting blocks are calculated, we can calculate the end of the previous block by subtracting 1 step.  The E3200 MACs step by 6 digits instead of 8; some of the earlier G3100 jump by 11.  Several of the ending blocks stop on seemingly non-random numbers, which is another clue that we're on the right track.  I have gone through and done this for the 3C.BD.C5 MACs I have on hand, and ended up covering most of the address space.
I was also able to identify and correct several places where the MAC or serial was slightly off in my original data set (and validated using the saved photos).

[Image: attachment.php?aid=1244]

With this bit of success, I created a python script to calculate the serial based on a given MAC.  There are still a few “UNKNOWN” blocks where there seems to be a large gap of MACs between blocks.  I will work on adding the other MAC prefixes, so that we can enumerate all possible devices.  I also stopped on serial 00001 earlier instead of 00000.  I am still not sure which is correct honestly.  Eventually I will correct them all to 00000 and add code to detect these edges and give you both serials.  If you test the code, please report back.  If you want to give me a MAC address and have me try to guess the serial, I can.  Otherwise, I have another batch of recently scraped images that I still need to validate and add to the database.  I will be testing these on the script.  My next post should have an updated data set!

Code:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from datetime import datetime

# MAC ranges, one block per line: "start:end,model,step,serial_at_block_start".
# step is the MAC increment between consecutive serials (8 for G3100, 6 for E3200).
# The 12-digit serial keeps the digits after "E302": 1 + yymmdd date code + 5-digit counter.
# "Unknown" marks blocks whose starting serial has not been identified yet.
# Two end MACs that were mistyped in the original listing (wrong or missing
# 3C.BD.C5 prefix on the 93.FF.92 and B8.0B.A2 blocks) are corrected here.
mac_data = """
3C.BD.C5.00.00.00:3C.BD.C5.01.F5.6A,G3100,8,Unknown
3C.BD.C5.01.F5.70:3C.BD.C5.09.3B.F8,G3100,8,121011516659
3C.BD.C5.09.3C.00:3C.BD.C5.0C.30.38,G3100,8,121030100001
3C.BD.C5.0C.30.40:3C.BD.C5.16.4A.C8,G3100,8,121021700001
3C.BD.C5.16.4A.D0:3C.BD.C5.1C.C1.58,G3100,8,121031200001
3C.BD.C5.1C.C1.5E:3C.BD.C5.22.C3.EA,G3100,8,Unknown
3C.BD.C5.22.C3.F0:3C.BD.C5.2B.5B.E8,G3100,8,121033100001
3C.BD.C5.2B.5B.F0:3C.BD.C5.31.1E.60,G3100,8,121041400001
3C.BD.C5.31.1E.66:3C.BD.C5.37.5C.92,G3100,8,Unknown
3C.BD.C5.37.5C.98:3C.BD.C5.3D.D3.40,G3100,8,121051800001
3C.BD.C5.3D.D3.48:3C.BD.C5.42.22.58,G3100,8,121060700001
3C.BD.C5.42.22.60:3C.BD.C5.46.3E.C4,G3100,8,121062200000
3C.BD.C5.46.3E.CC:3C.BD.C5.47.F6.C4,G3100,8,121071300000
3C.BD.C5.47.F6.CC:3C.BD.C5.49.AE.C4,G3100,8,121072100000
3C.BD.C5.49.AE.CC:3C.BD.C5.50.05.44,G3100,8,121070100000
3C.BD.C5.50.05.4C:3C.BD.C5.56.95.D4,G3100,8,121072000000
3C.BD.C5.56.95.DA:3C.BD.C5.60.3B.72,E3200,6,121072000000
3C.BD.C5.60.3B.74:3C.BD.C5.69.B8.CC,G3100,8,121081100000
3C.BD.C5.69.B8.D4:3C.BD.C5.71.07.FC,G3100,8,121082000000
3C.BD.C5.71.08.00:3C.BD.C5.76.8D.C8,G3100,8,121082600000
3C.BD.C5.76.8D.CC:3C.BD.C5.7D.27.9C,G3100,8,121090800000
3C.BD.C5.7D.27.A2:3C.BD.C5.85.4C.98,G3100,8,Unknown
3C.BD.C5.83.03.D4:3C.BD.C5.85.4C.9E,E3200,6,121091600001
3C.BD.C5.85.4C.A4:3C.BD.C5.8C.CB.C6,E3200,6,Unknown
3C.BD.C5.8C.CB.CC:3C.BD.C5.93.FF.8C,G3100,8,121101500000
3C.BD.C5.93.FF.92:3C.BD.C5.9B.67.6C,G3100,8,Unknown
3C.BD.C5.9B.67.72:3C.BD.C5.A1.71.B2,G3100,8,121110500000
3C.BD.C5.A1.71.BA:3C.BD.C5.A3.FE.1C,E3200,6,121110500001
3C.BD.C5.A3.FE.22:3C.BD.C5.AD.16.64,E3200,6,Unknown
3C.BD.C5.AD.16.6A:3C.BD.C5.AE.AE.2E,E3200,6,122010100001
3C.BD.C5.AE.AE.34:3C.BD.C5.B4.2D.5E,E3200,6,121122100000
3C.BD.C5.B4.2D.62:3C.BD.C5.B5.09.9A,G3100,8,122021400000
3C.BD.C5.B5.09.A2:3C.BD.C5.B5.E5.9A,G3100,8,122031000000
3C.BD.C5.B5.E5.A2:3C.BD.C5.B8.0B.9A,G3100,8,122031100000
3C.BD.C5.B8.0B.A2:3C.BD.C5.C1.ED.A2,G3100,8,122031500000
3C.BD.C5.C1.ED.A4:3C.BD.C5.C2.40.1E,E3200,6,122031300000
3C.BD.C5.C2.40.24:3C.BD.C5.C2.89.E0,E3200,6,122031400000
3C.BD.C5.C2.89.E6:3C.BD.C5.CD.A1.1A,E3200,6,Unknown
3C.BD.C5.CD.A1.20:3C.BD.C5.CF.39.86,E3200,6,122052200000
3C.BD.C5.CF.39.8C:3C.BD.C5.D2.C8.06,E3200,6,122091400000
3C.BD.C5.D2.C8.0C:3C.BD.C5.D3.41.F2,E3200,6,122091500000
3C.BD.C5.D3.41.F8:3C.BD.C5.DA.E1.12,E3200,6,Unknown
3C.BD.C5.DA.E1.18:3C.BD.C5.DD.EE.80,E3200,6,122110900000
3C.BD.C5.DD.EE.86:3C.BD.C5.E5.83.8A,E3200,6,Unknown
3C.BD.C5.E5.83.90:3C.BD.C5.E8.44.B0,E3200,6,123011000000
3C.BD.C5.E8.34.96:3C.BD.C5.E8.44.B6,E3200,6,123030400000
3C.BD.C5.E8.44.BC:3C.BD.C5.F1.11.4A,E3200,6,Unknown
3C.BD.C5.F1.11.50:3C.BD.C5.F1.E1.E2,E3200,6,123042100000
3C.BD.C5.F1.E1.E8:3C.BD.C5.F4.B3.C2,E3200,6,123042600000
3C.BD.C5.F4.B3.C8:3C.BD.C5.F8.7A.CA,E3200,6,123052000000
3C.BD.C5.F8.7A.D0:3C.BD.C5.F9.F9.FE,E3200,6,123080600000
""".strip().splitlines()

HEX_DIGITS = set("0123456789ABCDEF")

# Helper to convert a dotted MAC string to an integer
def mac_to_int(mac):
    return int(mac.replace(".", ""), 16)

# Helper to extract the last 3 octets as an integer
def last_3_octets_to_int(mac):
    return int(mac.replace(".", "")[-6:], 16)

def normalize_mac(mac_input):
    """Accept 3C:BD:C5:09:3C:12, 3c-bd-c5-09-3c-12 or 3CBDC5093C12; return dotted upper case."""
    hexstr = mac_input.strip().upper().replace(":", "").replace("-", "").replace(".", "")
    if len(hexstr) != 12 or not set(hexstr) <= HEX_DIGITS:
        raise ValueError(f"not a MAC address: {mac_input!r}")
    return ".".join(hexstr[i:i + 2] for i in range(0, 12, 2))

def format_date_from_serial(serial):
    # The yymmdd date code sits at positions 1-6 of the 12-digit serial
    if serial.lower() == 'unknown' or not serial.isdigit():
        return "Unknown"
    try:
        year = int(serial[1:3])
        month = int(serial[3:5])
        day = int(serial[5:7])
        # Normalize the two-digit year
        year += 2000 if year < 100 else 0
        date = datetime(year, month, day)
        return date.strftime("%m-%d-%y")
    except ValueError:
        # month 13, day 32 etc. mean the serial is not in the expected layout
        return "Invalid"

def calculate_serial(mac_input):
    mac_input_clean = normalize_mac(mac_input)
    mac_value = mac_to_int(mac_input_clean)
    mac_last = last_3_octets_to_int(mac_input_clean)

    for line in mac_data:
        mac_range, model, step_str, serial_start = line.split(",")
        mac_start_str, mac_end_str = mac_range.split(":")
        step = int(step_str)

        mac_start_val = mac_to_int(mac_start_str)
        mac_end_val = mac_to_int(mac_end_str)

        if mac_start_val <= mac_value <= mac_end_val and serial_start != "Unknown":
            mac_start_last = last_3_octets_to_int(mac_start_str)
            # Number of devices between the block start and this MAC
            delta = (mac_last - mac_start_last) // step
            calculated_serial = str(int(serial_start) + delta).zfill(12)
            date_str = format_date_from_serial(calculated_serial)
            return {
                "Given MAC": mac_input_clean,
                "Start MAC": mac_start_str,
                "Calculated Serial": calculated_serial,
                "Model": model,
                "Date": date_str
            }

    return {"error": "MAC not found in any known range or serial unknown."}

# Main loop
if __name__ == "__main__":
    user_mac = input("Enter a MAC address (e.g., 3C:BD:C5:09:3C:12): ")
    try:
        result = calculate_serial(user_mac)
    except ValueError as exc:
        result = {"error": str(exc)}

    if "error" in result:
        print(result["error"])
    else:
        for k, v in result.items():
            print(f"{k}: {v}")


Attached Files
.png   B8F853.png (Size: 63.26 KB / Downloads: 32)
.png   Example MACs.png (Size: 291.94 KB / Downloads: 30)
.png   Date Block Example.png (Size: 256.76 KB / Downloads: 28)
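The block analysis described in post #5 (date code in the serial, MAC step from MAC-difference / serial-difference, back-calculated block start MAC), as an added example that is not the thread author's script. It assumes the serial layout the post describes (5 fixed characters, yymmdd, 5-digit counter) and runs on constructed sample records rather than scraped data.

```python
#!/usr/bin/env python3
"""Added example (not the thread author's script): the block analysis from
post #5 on constructed (MAC, serial) records. Assumed serial layout, from
the post: 5 fixed chars + yymmdd date code + 5-digit counter."""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records, chosen to agree with two ranges of the posted
# mac_data table (block starts 3C.BD.C5.42.22.60 and 3C.BD.C5.56.95.DA).
# Separators are deliberately mixed, as they would be in scraped listings.
SAMPLE_RECORDS = [
    ("3C:BD:C5:42:22:88", "E302121062200005"),  # G3100 block, step 8
    ("3c-bd-c5-42-25-80", "E302121062200100"),
    ("3C.BD.C5.42.22.C0", "E302121062200012"),
    ("3C:BD:C5:56:95:EC", "E302121072000003"),  # E3200 block, step 6
    ("3C:BD:C5:56:96:16", "E302121072000010"),
]

def mac_to_int(mac):
    """48-bit MAC as an int; ':', '-' and '.' separators are all accepted."""
    hexstr = "".join(c for c in mac.upper() if c not in ":-.")
    if len(hexstr) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return int(hexstr, 16)

def int_to_mac(value):
    return ":".join(f"{(value >> s) & 0xFF:02X}" for s in range(40, -1, -8))

def parse_serial(serial):
    """Return (prefix, date, counter). date() rejects month 13, day 32 etc.,
    the same sanity check the post used to confirm the date-code position."""
    if len(serial) != 16:
        raise ValueError(f"serial must be 16 chars: {serial!r}")
    prefix, yymmdd, counter = serial[:5], serial[5:11], serial[11:]
    if not (yymmdd.isdigit() and counter.isdigit()):
        raise ValueError(f"non-numeric date/counter: {serial!r}")
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:])
    return prefix, date(2000 + yy, mm, dd), int(counter)

def infer_steps(records):
    """Per date block, the MAC increment per counter increment: the post's
    (MAC difference / serial difference) between consecutive records sorted
    by counter, keeping the most common exact integer ratio so that a single
    misread record is outvoted."""
    by_block = defaultdict(list)
    for mac, serial in records:
        _, day, counter = parse_serial(serial)
        by_block[day].append((counter, mac_to_int(mac)))
    steps = {}
    for day, entries in by_block.items():
        entries.sort()
        votes = Counter()
        for (c0, m0), (c1, m1) in zip(entries, entries[1:]):
            if c1 > c0 and (m1 - m0) % (c1 - c0) == 0:
                votes[(m1 - m0) // (c1 - c0)] += 1
        if votes:
            steps[day] = votes.most_common(1)[0][0]
    return steps

def block_starts(records):
    """Back-calculate the MAC of counter 00000 for each block, assuming, as the
    post does, that every date block starts at 00000. A block whose records
    all agree yields a one-element set; more than one value flags a bad record."""
    steps = infer_steps(records)
    starts = defaultdict(set)
    for mac, serial in records:
        _, day, counter = parse_serial(serial)
        if day in steps:
            starts[day].add(int_to_mac(mac_to_int(mac) - counter * steps[day]))
    return dict(starts)
```

Feeding `block_starts` the full validated data set gives one start MAC per date block, and the end of the previous block is that start minus one step, exactly as the post describes.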
#6
I wanted to mention that I know the posted data set and python code both contain minor errors. 

For the data set: I will be posting a new data set with revalidated data, additional columns, and new entries.
For the python code: I realized since the info in the date blocks is the same, we can output a lot of details about a specific device, including the correct keyspace for a dictionary attack based on MAC. I will also be sharing the various scripts that I’ve discussed once I clean them up a little bit.

For now if anyone can help with the firmware it would be greatly appreciated. Here is a bit more info in that regard.

I found a nice teardown of the device here: https://fccid.io/RAXG3100/Internal-Photo...330446.pdf

Here we see the CPU chip is a BROADCOM BCM43684KRFBG. (product page)
[Image: attachment.php?aid=1245]

From the UART output posted previously we know that it is running AArch64 Linux. Is the sha256 hash value just a check, or something that can be cracked?

Code:
## Loading kernel from FIT Image at 02000000 ...
  Using 'conf_lx_VERIZON-G3100' configuration
  Verifying Hash Integrity ... OK
  Trying 'kernel' kernel subimage
    Description:  4.19 kernel
    Type:        Kernel Image
    Compression:  lzma compressed
    Data Start:  0x0228c800
    Data Size:    3461392 Bytes = 3.3 MiB
    Architecture: AArch64
    OS:          Linux
    Load Address: 0x00100000
    Entry Point:  0x00100000
    Hash algo:    sha256
    Hash value:  77e40836ec218fa969f9d2bd572115ed9a7ef008cc75bfec4912354ce78a6349
  Verifying Hash Integrity ... sha256+ OK

The memory is TOSHIBA TH58NVG3S0HTA10 (data sheet). It looks like there are test pads to access the memory. Figuring out the layout and dumping directly from the chip is probably a bit above my skillset currently.
[Image: attachment.php?aid=1246]

Part of the UART output posted earlier:

Code:
MEMC DRAM profile (memc_dram_profile_struct) values:
  dram_type    = DDR3
====================================================
PART values:
  part_speed_grade    = 1600 CL11
  part_size_Mbits    = 4096 (DRAM size in MegaBits)
  part_row_bits      = 15 (number of row bits)
  part_col_bits      = 10 (number of column bits)
  part_ba_bits        = 3 (number of bank bits)
  part_width_bits    = 16 (DRAM width in bits)
NUMER OF PARTS:
  part_num            = 1 (Number of parts)
TOTAL values:
  total_size_Mbits    = 4096 (DRAM size in MegaBits)
  total_cs_bits      = 0 (number of cs bits, for dual_rank mode)
  total_width_bits    = 16 (DRAM width in bits)
  total_burst_bytes  = 16 (Number of bytes per DRAM access)
  total_max_byte_addr = 0x1fffffff (Maximum/last DRAM byte address)
                        (Number of bits in total_max_byte_addr is 29)
                        (i.e. total_max_byte_addr goes from bit 0 to bit 28)

There are 2 boards inside the device. Each has an obvious UART; however, I was only able to get output from 1. Unfortunately I don’t remember the pin layout, but I used a multimeter to find (+) and (-). I think RX/TX were right on my first try; otherwise swap them. There is also possibly a JTAG connector, but I don’t have much experience with that.

Bad UART: Board without COAX connector.
[Image: attachment.php?aid=1248]

Good UART: Board with the COAX connector
[Image: attachment.php?aid=1247]

There are several other chips on the boards, such as ZM5101A-CME3, Broadcom B50212E, ERF32, SEC 907(?), MXL3711, which I know very little about.


Attached Files
.png   G3100 Chip.png (Size: 402.8 KB / Downloads: 13)
.png   G3100 Memory.png (Size: 422.62 KB / Downloads: 12)
.png   Good UART.png (Size: 487.98 KB / Downloads: 13)
.png   Bad UART.png (Size: 412.96 KB / Downloads: 13)