hashcat
advanced password recovery

FiosFiend · (This post was last modified: 04-17-2025, 08:06 PM by FiosFiend.)

(04-07-2025, 07:45 PM)RealEnder Wrote: Interesting research. We've looked at these and sadly couldn't find anything, which can limit the keyspace, which is really enormous. We have a lot of uncracked Fios networks in wpa-sec. We've got only these:

Code:
b8f853eb8962 Fios-6MSdq arc53dock735wry b8f85362dec2 Fios-DMG5b palmy82out76arc 04a222f1f9da Fios-9ZfGv tag828pun44snail b8f85337fb06 Fios-fq8ZT zoo343owl289crow
As always, the BSSID may be fake.

I don’t know if you have been following along, but just for fun I decided to throw your BSSIDs at Fios-F1nDr.

Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input | b8f853eb8962
+--------------------+----------------------------------------+
| MAC Block Start | B8.F8.53.EB.14.E0
+--------------------+----------------------------------------+
| MAC Block End | B8.F8.53.F3.08.C8
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio | 8
+--------------------+----------------------------------------+
| Calculated Serial | G402120121003728
+--------------------+----------------------------------------+
| Keyspace | w = <word> n = <number>
| | ? = single digit at end of random word
+--------------------+----------------------------------------
| WiFi Pass Format | wnwnw
+--------------------+----------------------------------------+
| WiFi Pass Length | 15
+--------------------+----------------------------------------+
| Admin Pass Format | wnw
+--------------------+----------------------------------------+
| Admin Pass Length | 16
+--------------------+----------------------------------------+
| Model Type | G3100
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 201210
+--------------------+----------------------------------------+
| Hardware | 1104
+--------------------+----------------------------------------+

Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input | b8f85362dec2
+--------------------+----------------------------------------+
| MAC Block Start | B8.F8.53.62.C6.90
+--------------------+----------------------------------------+
| MAC Block End | B8.F8.53.67.0D.C8
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio | 8
+--------------------+----------------------------------------+
| Calculated Serial | G402120032500774
+--------------------+----------------------------------------+
| Keyspace | w = <word> n = <number>
| | ? = single digit at end of random word
+--------------------+----------------------------------------+
| WiFi Pass Format | wnwnw
+--------------------+----------------------------------------+
| WiFi Pass Length | 15
+--------------------+----------------------------------------+
| Admin Pass Format | wnw
+--------------------+----------------------------------------+
| Admin Pass Length | 16
+--------------------+----------------------------------------+
| Model Type | G3100
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 200325
+--------------------+----------------------------------------+
| Hardware | 1104
+--------------------+----------------------------------------+

Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input | 04a222f1f9da
+--------------------+----------------------------------------+
| MAC Block Start | 04.A2.22.E5.5E.A2
+--------------------+----------------------------------------+
| MAC Block End | 04.A2.22.F3.31.E2
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio | 11
+--------------------+----------------------------------------+
| Calculated Serial | G401119081375106
+--------------------+----------------------------------------+
| Keyspace | w = <word> n = <number>
| | ? = single digit at end of random word
+--------------------+----------------------------------------+
| WiFi Pass Format | wnwnw
+--------------------+----------------------------------------+
| WiFi Pass Length | 16
+--------------------+----------------------------------------+
| Admin Pass Format | wnw
+--------------------+----------------------------------------+
| Admin Pass Length | 16
+--------------------+----------------------------------------+
| Model Type | G3100
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 190813
+--------------------+----------------------------------------+
| Hardware | 1103
+--------------------+----------------------------------------+

Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input | b8f85337fb06
+--------------------+----------------------------------------+
| MAC Block Start | B8.F8.53.35.B1.BD
+--------------------+----------------------------------------+
| MAC Block End | B8.F8.53.3B.0B.27
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio | 11
+--------------------+----------------------------------------+
| Calculated Serial | G401119120913621
+--------------------+----------------------------------------+
| Keyspace | w = <word> n = <number>
| | ? = single digit at end of random word
+--------------------+----------------------------------------+
| WiFi Pass Format | wnwnw
+--------------------+----------------------------------------+
| WiFi Pass Length | 16
+--------------------+----------------------------------------+
| Admin Pass Format | wnw
+--------------------+----------------------------------------+
| Admin Pass Length | 16
+--------------------+----------------------------------------+
| Model Type | G3100
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 191209
+--------------------+----------------------------------------+
| Hardware | 1103
+--------------------+----------------------------------------+

soxrok2212 · (This post was last modified: 04-22-2025, 05:17 PM by soxrok2212.)

(04-08-2025, 05:44 PM)FiosFiend Wrote: From the UART output posted previously we know that it is running AArch64 Linux. Is the sha256 hash value just a check, or something that can be cracked?

Code:
## Loading kernel from FIT Image at 02000000 ... Using 'conf_lx_VERIZON-G3100' configuration Verifying Hash Integrity ... OK Trying 'kernel' kernel subimage Description: 4.19 kernel Type: Kernel Image Compression: lzma compressed Data Start: 0x0228c800 Data Size: 3461392 Bytes = 3.3 MiB Architecture: AArch64 OS: Linux Load Address: 0x00100000 Entry Point: 0x00100000 Hash algo: sha256 Hash value: 77e40836ec218fa969f9d2bd572115ed9a7ef008cc75bfec4912354ce78a6349 Verifying Hash Integrity ... sha256+ OK

This is a Flattened Image Tree (FIT) image. It uses the same structure as a standard device tree, but it is used to pack together a kernel, device tree, rootfs and device config into a single image. The integrity check you are referring to is not something that can be cracked/bruteforced. It is a sum across the component (kernel, rootfs, etc) to ensure nothing was modified or corrupted.

I do have a NAND dump of both a g1100 and a g3100, but I don't think I have the physical devices any more.

HOWEVER, I will tell you that it is possible to glitch the bootloader into giving you a shell; you have to short the data out pin on the flash chip to ground when it loads the bootloader environment from flash, and the short has to be very brief. The trick here is that they left the fallback config built into u-boot. I can't remember exactly what it was that let me in, maybe it was a bootdelay counter, but it is possible.

Be aware that you can damage the flash and/or its contents doing this, but you may be able to get a root shell.

FiosFiend · (This post was last modified: 04-22-2025, 05:52 PM by FiosFiend.)

(04-22-2025, 05:10 PM)soxrok2212 Wrote: This is a Flattened Image Tree (FIT) image. It uses the same structure as a standard device tree, but it is used to pack together a kernel, device tree, rootfs and device config into a single image. The integrity check you are referring to is not something that can be cracked/bruteforced. It is a sum across the component (kernel, rootfs, etc) to ensure nothing was modified or corrupted.

I do have a NAND dump of both a g1100 and a g3100, but I don't think I have the physical devices any more.

HOWEVER, I will tell you that it is possible to glitch the bootloader into giving you a shell; you have to short the data out pin on the flash chip to ground when it loads the bootloader environment from flash, and the short has to be very brief. The trick here is that they left the fallback config built into u-boot. I can't remember exactly what it was that let me in, maybe it was a bootdelay counter, but it is possible.

Be aware that you can damage the flash and/or its contents doing this, but you may be able to get a root shell.

OMG I can’t tell you how happy I am to see you reply to this! I have come across your name in a lot of my research. I have tagged you in my hashkiller post(https://forum.hashkiller.io/index.php?fo...acking.15/, which has just a bit more info.

Great to hear that you think the glitch will work, I actually just read about that today and it was the next thing on my list to try.

Thanks again for stopping in!

https://openwrt.org/inbox/toh/arcadyan/a...o_cfe_menu

FiosFiend · (This post was last modified: 04-28-2025, 12:07 AM by FiosFiend.)

I had a bit of time to sort through the general scrape that I did last week. I've added 32 new entries for the G3100/E3200 dataset, bringing us to 345 entries. As always we test the new entries against the Fios-F1nDr database and see that we're still catching a good number of new date codes with each scrape. Currently there are 186 unique Date Codes.

Updated Data Set:
.xlsx

router_data_FULL_042725.xlsx (Size: 405.04 KB / Downloads: 1)

Before:
Correct - 11 (34%)
Incorrect - 16 (50%)
unknown block - 2 (6%)
Unknown device - 3 (9%)
Not Enough Data - 0 (0%)

After:
Correct - 26 (81%)
Incorrect - 3 (9%)
unknown block - 0 (0%)
Unknown Device 3 (9%)
Not enough data (0%)

I will hold off on posting the updated data_ref_lines this time, but it’s available in the dataset if you want it or feel free to DM me.

As I mentioned, the image identifying script is doing amazing now that we’ve changed the QR code reader. Last week I did a more general search and caught a ton of different devices. The QR codes are all a little different, so I am working to update the script to grab the data on these. I have started to scrape these too so that we can better understand all of the Fios/Verizon variations.

ARC-XCI55AX
ASK-NCM1100 / ASK-NCM1100E
ASK-NCQ1338 / ASK-NCQ1338E / ASK-NCQ1338FA
CR1000A / CR1000B
FWA55V5L
G1100
LVSKIHP
WNC-CR200A
... probably a few more!

I plan to make posts for each of these devices as I begin to investigate them. In my original research, I obtained a good bit of useful info from the CR1000A / CR1000B devices. So that is where I will begin...

[Image: attachment.php?aid=1263]

The CR1000A / CR1000B routers are manufactured by Wistron NeWeb Corporation. Unfortunately, the information is split into 2 labels so collecting complete entries is more difficult. The QR code does contain the MAC and serial at least. I updated my scraping script to include the images downloaded from each link, so now I can reference back to the actual listing when necessary. I think I will eventually put these all of these scripts on GitHub since posting updated versions here makes a lot of clutter.

Code:
('WIFI:S:Verizon_WP4ZXC;T:WPA;P:bug-aged6-noun;;ROUTER:M:CR1000A;S:ABV24234358;W:78670EA7007D;I:admin;P:WNV33WG6C;;1',)

Currently, the data set contains 86 entries for CR1000A / CR1000B!

SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.

[Image: attachment.php?aid=1266]

From this sample we can gain some other info:

Password <word> are between 3-6 characters for SSID Password
We don’t currently see 0 or 1 in any of the SSID, SSID Password, or Admin Password.
There are several HW versions (103, 0.0.6, 0.0.7, 0.0.8, 0.0.A, 0.0.B, 0.0.C)
Shipped firmware ranges from 3.1.0.17 to 3.2.0.14
Somewhat surprising, in this small sample we have caught a good many Mac prefixes: 04.70.56, 1C.D6.BE, 58.96.71, 78.67.0E, 84.90.0A, AC.91.9B, BC.F8.7E, DC.4B.A1

Serial numbers are always 11 digits and start with 2-3 letters, followed by digits. If we compare the MAC/Serial difference like before, we see these change in steps of 7. So we should be able to calculate the serial numbers once I figure out how they’re blocked together.

[Image: attachment.php?aid=1267]

Here is a teardown of the device, the CPU is a Qualcomm IPQ8074 SoC. It contains (4) Arm Cortex A53 processors up to 2 GHz clock.

I had found references to CR1000A firmware, which is what helped me find the G3100. I searched for all the versions I could find, and unfortunately didn’t turn up anything earlier than what I found online. The good new is @soxrok2212 and crew have done a great job reversing this firmware.

Code:
CR1000A:

https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.6.bin

https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.7.bin

https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.8.bin

https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.9.bin

https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.2.0.14_loader.bin

https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.7_loader.bin

https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.8_loader.bin

https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.10_loader.bin

https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.11_loader.bin

https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.1.1.bin

https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.1.2.bin

https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.1.2_loader.bin

CR1000B:

https://cpe-ems34.verizon.com/firmware/chr2fb_fw_3.1.1.16.bin

https://cpe-ems34.verizon.com/firmware/chr2fb_fw_3.1.1.17.bin

https://cpe-ems34.verizon.com/firmware/chr2fb_fw_3.1.1.18.bin

https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.1.1.20.bin

https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.7_loader.bin

https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.8_loader.bin

https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.9_loader.bin

https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.10_loader.bin

That’s all I have currently for the CR1000A / CR1000B, however our scrape did catch a lot of other entries. I have also included them in the sheet “other”. I plan to scrape each of these devices individually and make a similar post to this one for them.

This update contains 178 additional entries for “Other” devices, bringing the total number of entries to 609!

Login
Username/Email:
Password:	Lost Password?
	Remember me

hashcat advanced password recovery

hashcat
advanced password recovery