04-17-2025, 07:56 PM (This post was last modified: 04-17-2025, 08:06 PM by FiosFiend.)
(04-07-2025, 07:45 PM)RealEnder Wrote: Interesting research. We've looked at these and sadly couldn't find anything, which can limit the keyspace, which is really enormous. We have a lot of uncracked Fios networks in wpa-sec. We've got only these:
04-22-2025, 05:10 PM (This post was last modified: 04-22-2025, 05:17 PM by soxrok2212.)
(04-08-2025, 05:44 PM)FiosFiend Wrote: From the UART output posted previously we know that it is running AArch64 Linux. Is the sha256 hash value just a check, or something that can be cracked?
Code:
## Loading kernel from FIT Image at 02000000 ...
Using 'conf_lx_VERIZON-G3100' configuration
Verifying Hash Integrity ... OK
Trying 'kernel' kernel subimage
Description: 4.19 kernel
Type: Kernel Image
Compression: lzma compressed
Data Start: 0x0228c800
Data Size: 3461392 Bytes = 3.3 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x00100000
Entry Point: 0x00100000
Hash algo: sha256
Hash value: 77e40836ec218fa969f9d2bd572115ed9a7ef008cc75bfec4912354ce78a6349
Verifying Hash Integrity ... sha256+ OK
This is a Flattened Image Tree (FIT) image. It uses the same structure as a standard device tree, but it is used to pack together a kernel, device tree, rootfs and device config into a single image. The integrity check you are referring to is not something that can be cracked/brute-forced. It is a sum across the components (kernel, rootfs, etc.) to ensure nothing was modified or corrupted.
I do have a NAND dump of both a g1100 and a g3100, but I don't think I have the physical devices any more.
HOWEVER, I will tell you that it is possible to glitch the bootloader into giving you a shell; you have to short the data out pin on the flash chip to ground when it loads the bootloader environment from flash, and the short has to be very brief. The trick here is that they left the fallback config built into U-Boot. I can't remember exactly what it was that let me in, maybe it was a bootdelay counter, but it is possible.
Be aware that you can damage the flash and/or its contents doing this, but you may be able to get a root shell.
04-22-2025, 05:50 PM (This post was last modified: 04-22-2025, 05:52 PM by FiosFiend.)
(04-22-2025, 05:10 PM)soxrok2212 Wrote: This is a Flattened Image Tree (FIT) image. It uses the same structure as a standard device tree, but it is used to pack together a kernel, device tree, rootfs and device config into a single image. The integrity check you are referring to is not something that can be cracked/brute-forced. It is a sum across the components (kernel, rootfs, etc.) to ensure nothing was modified or corrupted.
I do have a NAND dump of both a g1100 and a g3100, but I don't think I have the physical devices any more.
HOWEVER, I will tell you that it is possible to glitch the bootloader into giving you a shell; you have to short the data out pin on the flash chip to ground when it loads the bootloader environment from flash, and the short has to be very brief. The trick here is that they left the fallback config built into U-Boot. I can't remember exactly what it was that let me in, maybe it was a bootdelay counter, but it is possible.
Be aware that you can damage the flash and/or its contents doing this, but you may be able to get a root shell.
OMG I can’t tell you how happy I am to see you reply to this! I have come across your name in a lot of my research. I have tagged you in my hashkiller post (https://forum.hashkiller.io/index.php?fo...acking.15/), which has just a bit more info.
Great to hear that you think the glitch will work, I actually just read about that today and it was the next thing on my list to try.
04-27-2025, 11:58 PM (This post was last modified: 04-28-2025, 12:07 AM by FiosFiend.)
I had a bit of time to sort through the general scrape that I did last week. I've added 32 new entries for the G3100/E3200 dataset, bringing us to 345 entries. As always we test the new entries against the Fios-F1nDr database and see that we're still catching a good number of new date codes with each scrape. Currently there are 186 unique Date Codes.
I will hold off on posting the updated data_ref_lines this time, but it’s available in the dataset if you want it or feel free to DM me.
As I mentioned, the image identifying script is doing amazing now that we’ve changed the QR code reader. Last week I did a more general search and caught a ton of different devices. The QR codes are all a little different, so I am working to update the script to grab the data on these. I have started to scrape these too so that we can better understand all of the Fios/Verizon variations.
I plan to make posts for each of these devices as I begin to investigate them. In my original research, I obtained a good bit of useful info from the CR1000A / CR1000B devices. So that is where I will begin...
The CR1000A / CR1000B routers are manufactured by Wistron NeWeb Corporation. Unfortunately, the information is split into 2 labels so collecting complete entries is more difficult. The QR code does contain the MAC and serial at least. I updated my scraping script to include the images downloaded from each link, so now I can reference back to the actual listing when necessary. I think I will eventually put all of these scripts on GitHub since posting updated versions here makes a lot of clutter.
Currently, the data set contains 86 entries for CR1000A / CR1000B!
SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.
From this sample we can gain some other info:
Password <word>s are between 3-6 characters for the SSID Password
We don’t currently see 0 or 1 in any of the SSID, SSID Password, or Admin Password.
There are several HW versions (103, 0.0.6, 0.0.7, 0.0.8, 0.0.A, 0.0.B, 0.0.C)
Shipped firmware ranges from 3.1.0.17 to 3.2.0.14
Somewhat surprisingly, in this small sample we have caught a good many MAC prefixes: 04.70.56, 1C.D6.BE, 58.96.71, 78.67.0E, 84.90.0A, AC.91.9B, BC.F8.7E, DC.4B.A1
Serial numbers are always 11 digits and start with 2-3 letters, followed by digits. If we compare the MAC/Serial difference like before, we see these change in steps of 7. So we should be able to calculate the serial numbers once I figure out how they’re blocked together.
Here is a teardown of the device, the CPU is a Qualcomm IPQ8074 SoC. It contains (4) Arm Cortex A53 processors up to 2 GHz clock.
I had found references to CR1000A firmware, which is what helped me find the G3100. I searched for all the versions I could find, and unfortunately didn’t turn up anything earlier than what I found online. The good news is @soxrok2212 and crew have done a great job reversing this firmware.
That’s all I have currently for the CR1000A / CR1000B, however our scrape did catch a lot of other entries. I have also included them in the sheet “other”. I plan to scrape each of these devices individually and make a similar post to this one for them.
This update contains 178 additional entries for “Other” devices, bringing the total number of entries to 609!
05-03-2025, 06:56 PM (This post was last modified: 05-03-2025, 07:01 PM by FiosFiend.)
Ok here we go with this week's update! Since we are targeting many more devices now, I spent this week working on my Facebook scraping script. FB is a bit trickier to scrape because they load pages dynamically, and don’t follow normal naming conventions, to make it a bit harder to do. Fortunately those are overcome with a bit of effort, and with AI and me helping each other a bit, I finally have something I am happy with. So now we have a bunch of new entries in the database, we’re up to 727 unique entries!
Check that out, we’re making some progress! The 4 that were incorrect are outliers. We now have 202 Date Codes that range from 4/29/19 to 10/28/24.
Some more good news, we have collected enough entries that we can determine the 11-digit serial blocks! These are always E3200 devices, using the last 5 digits as the incremental serial we can see the steps are in increments of 6. All of the E3200 have had a step of 6 so far. This info helps us unlock a lot of the DC.F5.1B and 74.90.BC space that I had kind of ignored previously 😀 . Fios-F1nDr needed a minor update to calculate these properly, but I have a GitHub account now so hopefully I can get all of the scripts uploaded by next update.
As I pointed out before, we are starting to have a good many entries for the same date codes. Block 190813 now has 9 entries! So I will soon look at those closer and see if I can catch any patterns. I still haven’t had a chance to glitch my device, but I found some interesting artifacts in the g3100_fw_2.0.0.6.bin and e3200_fw_3.1.1.17.bin. I haven’t really poked around in any of the other firmware yet. I will circle back to all of that eventually, so many things to do...
BOOT_CONSOLE Mon Dec 14 15:02:21 CST 2020 paul_shih@buildbox3
192.168.1.100:g3100-mfg.bin
This is in e3200_fw_3.1.1.17.bin
/home/lennon_chen/e3200/release/0307/bsp/kernel/linux-4.1
BOOT_CONSOLE Mon Mar 7 18:11:55 CST 2022 lennon_chen@buildbox5
192.168.1.100:g3100-mfg.bin
This week's device spotlight is the ARC-XCI55AX. Like the G3100/E3200 these are manufactured by Arcadyan. The QR code provides a lot of useful information, including the MAC which unfortunately isn’t printed on the sticker. The QR also contains a manufacture date, which means we don’t have to figure out the date blocks ourselves! This is the first QR code that has an IMEI # on the sticker and QR code, so we are collecting those too. The sticker also has the ICC ID, which I will probably add data for next update.
Currently, the data set contains 82 entries for ARC-XCI55AX!
The SSID and passwords follow the same pattern seen in the CR1000A/B
SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.
From this sample we can gain some other info:
SSID passwords are mostly 15 characters long, I did catch one that was 14 characters in a higher serial number
Password <word>s are between 3-5 characters for the SSID Password (haven’t seen a 6 character word yet)
We don’t currently see 0, 1 or 2 in any of the SSID, SSID Password, or Admin Password.
HW versions are not printed on the device or QR code
Shipped firmware ranges from 3.1.1.14 to 3.2.0.7
Again we see a surprising number of MAC prefixes: 04.09.86, 18.58.80, 4C.22.F3, 54.B7.BD, 74.90.BC, 84.90.0A, A8.A2.37, AC.B6.87, BC.F8.7E, C8.99.B2, F4.CA.E7
Serial numbers are always 11 digits and start with 3 letters (ABU or GRR), followed by 8 digits. If we compare the MAC/Serial difference like before, we see these change in steps of 4 or 8. Hopefully I will be able to use the IMEI or Serial # to back calculate the MAC address for images that we can’t read the QR code. These might help us better understand similar 11-digit serials on the G3100 and other devices.
I wasn’t able to find any firmware links online. I did find information that suggests these devices are also used for “Straight Talk home internet” from Walmart. I think FWA55V5L is the correct model, but there isn’t much info on these. There was an issue with people registering the devices so Walmart stopped distributing them.
Does anybody know what this password is, where to find it, or how to calculate it? Login credentials consisting of a password and a token are posted to /eng_auth.cgi as an application/x-www-form-urlencoded string like data=<password>&token=<hex string (MD5?)>
I'm noticing here is that the CPE is connecting to an auto configuration server at https://hdm5g.vzwdm.com using the TR-069 CPE Wan Management Protocol. Is there any way to tell the CPE to connect to my own TR-069 server instead?
I'm assuming that ports 4567 and 4577 are related to the above CWMP implementation. Running openssl s_client -connect mynetworksettings.com:4577 returns certificate data, but fails to connect with the following error: sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1586:SSL alert number 40. The server certificate's subject name is my CPE's serial number, which is different from the SSL cert on port 443. Does anybody know for sure what these ports are for?
I tried to visit the engineering page on my G3100 and it brings up the admin login or if logged in a blank page, but still with the sidebar and everything. Visiting any made up link such as https://192.168.1.1/#/fiend has a different behavior of loading a completely blank page, so I think there’s something there. Does anyone have any info on how to access this page?
It’s also intriguing to me that this device has a secret USB-C port hidden behind a plastic panel... from the Reddit post above:
I'm assuming that ports 4567 and 4577 are related to the above CWMP implementation. Running openssl s_client -connect mynetworksettings.com:4577 returns certificate data, but fails to connect with the following error: sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1586:SSL alert number 40. The server certificate's subject name is my CPE's serial number, which is different from the SSL cert on port 443. Does anybody know for sure what these ports are for?
The hidden USB-C port on the bottom is, I believe, for firmware flashing. Plugging it into my Ubuntu laptop and turning on the CPE the device gets recognized as VID 0E8D PID 2000, which is the MediaTek preloader. I've tried methods described here -> https://github.com/bkerler/mtkclient to crash the preloader and enter the bootrom. I can get it to be recognized VID 0E8D PID 0003, but the process hangs from there. Has anybody had any luck accessing the modem through the USB-C port and running AT commands?
There are a few new entries to the CR1000 and Others sections, here’s the current breakdown:
Happy Friday everyone, grab some popcorn this week's update is a long one!
In a Verizon thread on Hashkiller, I noticed that Sardukarrr and drsnooker both posted photos to old eBay listings, which are surprisingly still active. I had previously overlooked them because they weren’t G3100/E3200, but now they’re both new entries in the dataset! I was starting to get nervous that I might finally reach the end of the internet, but this got me thinking... Currently only eBay allows me to go backwards to find sold listings, and sadly the window on that is limited. How can I possibly find old listings/images that are still active, but not currently searchable through eBay, FB, etc.?
The only way I personally know of is to use google “dorks”. If you are unfamiliar with the term, search engines allow certain parameters that impact the search results. Trying a few out, I could see there were a few fresh hits. So now I needed a google / duckduckgo image search scraper. I do have a decent bit of programming experience over the years, but I will freely admit it has only ever been hobby/novice level. The bit of programming knowledge that I do have allows me to read, understand, modify, adapt, refine or debug well written example code. If you forced me to write code from scratch I could do it, but it would be a slow process, require a lot of trial/error, lots of internet research, and still be clunky. Fortunately now we have AI, which is great at building the skeleton. It’s been my experience that it needs a bit of guidance though. None of the scraping scripts have worked first try, I always have to watch what it is doing and reprompt and add bits when needed to get a working script. It will sometimes drop key functions/features or make unwanted changes to the code when trying to fix other issues. Although it’s not perfect, I still end up with something workable much much faster than I would on my own. I use 2 different AIs, and sometimes I feed the script one generates to the other to make improvements haha. Any repetitive task that you can do as a normal user on a computer, you can automate fairly easily with a scripting language such as python.
When looking for images eBay and FB are the two biggest sources, but I also look at Reddit, Poshmark, OfferUp, Craigslist, Imgur, and Flickr. I recently found this weird site https://shopforsale.ru/ that I think aggregates listings from eBay, FB and potentially other places. I’m not really sure what it is, but it’s easy to scrape and I was able to pull some new entries from there. To refine our searches here is a list of dorks and you can find other examples online. These are the few uses that I came up with, please comment if you know of any other that look promising.
Using the before tag allows me to only show listings that were posted before I began scraping. This yields a few listings that are still active, but much older than the actual site search allows. Ex: offerup.com verizon fios g3100 before:2025-02-01
Using the site tag with inurl yields listings that have previously sold on eBay. I’m not sure it was entirely correct, but I got a few new hits using this. This particular example only worked on duckduckgo. Ex: site:ebay.com "verizon fios g3100" inurlold
AI suggested this as a way to search “old public marketplace listings”. It didn’t yield many, but I did get a fresh hit from 45 weeks ago! site:facebook.com/marketplace/ "Verizon G3100" -inurl:"search" -inurl:"create"
AI suggested this as a way to find “Older or less promoted eBay listings”, again it produced previously unknown images! site:ebay.com "Verizon G3100" -inurl:"/sch/" -inurl:"/b/" -2023
Similarly AI suggested this, but it wasn’t fruitful. site:offerup.com "Verizon G3100" -2024 -2023
So after iterating through these for various devices on both search engines and sweeping up all the photos we can, we’ve added 105 new entries to the dataset. When I first started this project I asked AI how many passwords I would need to determine the algorithm and it told me 1000. Since then, I have realized that AI likes to tell you what you want to hear a lot of the time and not necessarily the truth. But we’re getting close to that goal, so let’s see what else we’ve learned this week...
We’re getting a little closer each time! We only have a few completely unknown blocks left. With this scrape we captured the very beginning of the B8.F8.53 address space. The 3 that are incorrect are outliers. I have the outliers highlighted in yellow on the Date Codes sheet. Sometimes I can tell the MAC is only off by a few numbers like some devices got skipped. Other times I can’t really make sense of it. Anyhow, most of the time the calculation works out, we now have 212 unique Date Codes. When I first discovered the date codes, I did a quick assessment: "We have discovered 145 unique date codes. On average, a block contains 29,336 devices, so an unusually high number of devices could indicate that there is at least 1 missing date code. Current calculations predict ~4,165,721 devices total." Looking at the data now, an average block contains 26,162 and predicts 5,180,068 devices total.
We can certainly try to crack how the SSID is created, but from what I see these devices report the proper MAC address during the handshake capture. So for now, let’s use that as a reference. After looking at the keyspace again, it turns out that we now have enough data to shrink it a bit! As we’ve seen, for G3100/E3200 there are multiple algos depending on the date of manufacture. Here is an update to my OP.
From our dataset we can gain some info on the G3100/E3200 key space:
MAC address Block 04.A2.22.00.00.00 to 04.A2.22.D3.FF.2F are the oldest and ALWAYS have 16 character passwords
SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
SSID Passwords follow <word><number><word><number><word> format (ex: room50cleft78dry)
Admin Passwords are 16 characters and follow a <word><number><word> format (ex: bedeck183magenta)
<word> is between 3-7 characters long, <number> is ANY 1-4 digits
*Surprisingly, this “algo” seems it would be the hardest to crack, but they quickly drop it for some reason.
MAC address Block 04.A2.22.D3.FF.3A to 04.A2.22.FF.FF.FF and B8.F8.53.00.00.00 to B8.F8.53.5B.CD.39
SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
SSID Passwords follow <word><number><word><number><word> format (ex: sin296wary394cap)
Passwords are almost always 16 characters, I did find one example at B8.F8.53.57.D8.C1 which is only 15. This address occurs near the next transition.
Admin Passwords are 16 characters and follow a <word><number><word> format (ex: suffer693grinder)
<word> is between 3-5 characters long (up to 8 characters for admin), <number> is 2-3 digits with no 0 or 1
*16 character passwords are harder to crack, but for some reason they transition to 15
MAC address Block B8.F8.53.5B.CD.41 to B8.F8.53.FF.FF.FF and 3C.BD.C5.00.00.00 to 3C.BD.C5.50.05.44
SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
SSID Passwords follow <word><number><word><number><word> format and are ALWAYS 15 characters (ex: dump75owl79copy)
Admin Passwords are 16 characters and follow a <word><number><word> format (ex: betimes74retinue)
<word> is between 3-5 characters long (up to 7 characters for admin), <number> is 2-3 digits with no 0 or 1
Because of the constraint on word length and the 15 character limit, when there is a 5 character word the other words must be 3 characters with 2-digit numbers
Another transition occurs here... this is where things get very interesting (and potentially crackable!)
MAC address Block 3C.BD.C5.50.05.44 to 3C.BD.C5.FF.FF.FF and all of the DC.F5.1B, 74.90.BC MACS
SSID is Verizon_XXXXXX where X is any char <A-Z><0-9>
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of one word (ex: range-joy3-okey)
Admin Passwords are 9 characters that are <A-Z><0-9> (ex: NQ4BJLC7H)
Because of the hyphens, digit and 15 character limit, <word> is ALWAYS comprised of a 3 character, 4 character and 5 character word. No other pattern is mathematically possible. Additionally, the <number> is always a single digit that is NEVER 0, 1, 2, 5, or 8 and NEVER on the last word.
The ARC-XCI55AX follows the exact same pattern (except for a single 14 character entry), so I think this is the first dictionary that we should focus on! I double-checked and the MAC prefixes 04.09.86, 18.58.80, 4C.22.F3, 54.B7.BD, A8.A2.37, AC.B6.87, C8.99.B2, F4.CA.E7 currently appear unique to this device. 84.90.0A and BC.F8.7E are found in the CR1000 dataset, but the current entries in this space also fit this pattern. So those would be the MAC prefixes vulnerable to this dictionary. @soxrok2212 has already started a nice wordlist; at some point I would like to compare my dataset against his list and add words that are missing. They are using a pretty extensive wordlist because we see abbreviations such as cpu, cps, dos, iot, and wpm which aren’t valid words in a scrabble dictionary, but are official words for something like Webster’s Dictionary.
The device of the week is the ASK-NCQ1338 family, which includes ASK-NCQ1338, ASK-NCQ1338E, ASK-NCQ1338FA. I couldn’t find much info on the differences, but I think the “E” is an extender and I know the “FA” is the newer model. These devices are manufactured by Askey Computer, and can be considered the sister device to the ARC-XCI55AX. I forgot to mention last week, but both the ARC-XCI55AX and ASK-NCQ1338 are 5G routers that use cell signal to provide internet. The QR code provides a lot of useful information, including the MAC which unfortunately isn’t printed on the sticker. Similar to the ARC, the QR contains both a date code and the IMEI. The QR also has the ICC ID, which means we can easily collect that with the other data. Something strange though, the last item in the QR code is P: <6 digit number>. Does anyone have an idea what this might be since WPS is 8 digits?
Currently, the data set contains 107 entries for ASK-NCQ1338 models!
The SSID and passwords follow the same pattern seen in the CR1000A/B and ARC-XCI55AX
SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.
From this sample we can gain some other info:
SSID passwords are 13-15 characters long
Password <word>s are between 3-5 characters for the SSID Password (haven’t seen a 6 character word yet)
We don’t currently see 0, 1, 2, 5, 8 in any of the SSID, SSID Password, or Admin Password.
HW versions are not printed on the device or QR code
Shipped firmware ranges from 212331 to 222656
The MAC addresses that we see for this device are 2C.EA.DC, 4C.AB.F8, 88.DE.7C, A4.97.33, FC.12.63.
Serial numbers are always 11 digits and start with 2-3 letters (AA, AAM, or ABG), followed by 8 digits. If we compare the MAC/Serial difference like before, we see these change in steps of 4. Hopefully I will be able to use the IMEI or Serial # to back calculate the MAC address for images that we can’t read the QR code. All of the 11 digit serials are very similar across the various models in this thread, so again this is a case where one device can inform us about another.
I wasn’t able to find any firmware online. However this device also has the hidden compartment. I think I read it was for the SIM card on this device, but the ARC-XCI55AX has an eSIM and USB-C here.
Currently in the dataset:
G3100/E3200 - 418 entries
CR1000 A/B - 94 entries
ARC-XCI55AX - 96 entries
ASK-NCQ1338 - 107 entries
Other - 117 entries
Total - 832 entries
I am planning on making at least 3 more long form posts about the various devices that will cover G1100, WNC-CR200A, and the Others. By then I should have pretty much scraped all that I can currently scrape, so I will start doing some more stats analysis on everything that we’ve collected. We caught a new device with these recent scrapes, ASK-RTL108 which has a QR code and a lot of good info on the sticker so I will start scraping these for the next update!
How can you help?
I have done a pretty exhaustive search, but I've been unable to locate firmware for anything other than G3100/E3200, CR1000A/B, and G1100. Perhaps you can?
Do you know of any website or search terms that might lead us to more images to scrape?
Feel free to DM me links to images and such as well!
Take a look at the data set, are there any patterns or peculiarities that stand out to you?
Do you know of anywhere I can easily host large zip files long term for my ref_images, ref_firmware and future dictionary file?
05-17-2025, 05:15 PM (This post was last modified: 05-17-2025, 05:16 PM by FiosFiend.)
I tried to glitch my G3100, but I think maybe they have fixed that issue in the firmware my device has. My normal serial output is very short, and with the glitch I could only get this single error to show up, but serial still stopped in the same spot. Shorting the connection too early would just cause it to freeze.
Code:
Chip ID: BCM68369_B1
Broadcom B53 Dual Core: 1
RDP: 1400MHz
$Uboot: 5.04L.02@ $
WDT: Started with servicing (80s timeout)
NAND: 0 MiB
MMC: sdhci: 0
Loading Environment from BOOT_MAGIC... ENV_BOOT_MAGIC_LOAD
*** Warning - import not done, using default environment
In: serial0
Out: serial0
Last week I wasn’t quite sure how to do the calculation for the number of possible combinations for the 15 char <word>-<word>-<word> format. However, it turns out that it’s pretty easy: <# of 3 letter words> * <# of 4 letter words> * <# 5 letter words> * <# of digits> * <# digit places> * <# of permutations>. The last 3 values are always going to be 5, 2, 6 (=60) respectively. So, using this 4090 benchmark, which shows 2533 Kh/s for 22000 mode and 275 Mh/s for 22001 mode, if we crunch some numbers here’s what I come up with.
The largest English word list that I found contained 2130 3 letter words, 7186 4 letter words, 15921 5 letter words, which gives us 2130*7186*15921*60 = 14,617,306,198,800 possible combinations. This dictionary is only really feasible if we have PMKID.
RPI4 @ 1080 h/s = ~429 years
4090 (22000) = 66.80 days
4090 (22001) = 14.76 hours
If we reduce just the 5 letter words to 5000 we get 2130*7186*5000*60 = 4,589,454,000,000 possible combinations. This dictionary would run fast enough in 22001 mode, but still too slow for anything else.
RPI4 @ 1080 h/s = 134.66 years
4090 (22000) = 20.97 days
4090 (22001) = 4.64 hours
Similarly, if we could reduce the 4 letter words significantly we might see something like this: 2130*2000*5000 = 1,278,000,000,000 possible combinations. We are finally starting to see reasonable results!
RPI4 @ 1080 h/s = 37.5 years
4090 (22000) = 5.84 days
4090 (22001) = 1.29 hours
So then I wrote a new script that takes all of the Wi-Fi passwords then breaks them into individual <word> or <digits> for me and does a bit of analysis. Here are the results.
The single digit numbers 3, 4, 6, 7, 9 come from the passwords that are the <word>-<word>-<word> format. We can see the distribution of these is very even, so it seems that one number is not favored over the other. The script also separates the words into all of the various wordlists. Here’s the output and the dictionaries are attached below. (I included fios wordlists in these)
Saved 0 unique words to 2_letter_words.txt
Saved 372 unique words to 3_letter_words.txt
Saved 605 unique words to 4_letter_words.txt
Saved 412 unique words to 5_letter_words.txt
Saved 57 unique words to 6_letter_words.txt
Saved 12 unique words to 7_letter_words.txt
Saved 0 unique words to 8_letter_words.txt
Using these wordlists would give us 372*605*412*60 = 5,563,483,200 possible combinations. Check it out, we can quickly run through this list!
I wrote another script to actually build the dictionary based off the wordlists. Unfortunately it would be around 95 GB, and not really worthwhile for me to upload. However, I have posted the script to generate the dictionary, so you can build it locally. I will continue to update the wordlists as we continue to scrape.
Of course, we always need more passwords! So I also spent a bit more time this week trying various dorks and came across one more example that turned up some hits. Ex: site:ebay.com "Verizon G3100" -intext:"out of stock"
Now I have a fairly complete scraping toolset that does new/old eBay listings, FB marketplace, Offerup, Poshmark, Craigslist, shopforsale, and google/duckduckgo images. Other than having to log in to Facebook, everything is automated and can be easily linked together. Unfortunately, it’s likely going to be hard for me to make many more big gains in new entries, but I’ll continue to run a scrape at least biweekly I think. I will still pursue other ways to find new/old images, but I have pretty much exhausted all of my own ideas.
I did manage to add a lot of new entries this week though. There are 45 new entries for the G3100/E3200, bringing us to 463 unique entries! Testing the new entries against Fios-F1nDr gives us:
The incorrect ones are outliers, which we’re accumulating quite a few at this point. They do seem to group together for the most part, so if I can get a few more entries around them hopefully I can figure out what the issue is. There is also a small section where G3100/E3200 overlap in the same space, so I will also have to deal with that in some way. Anyhow, we now have 221 unique Date Codes!
This week’s device spotlight is the WNC-CR200A, which like the CR1000A is also manufactured by Wistron NeWeb Corporation. This is a 4/5G router similar to the ARC-XCI55AX and ASK-NCQ1338. They didn’t hide the USB-C port on this one. Sadly, neither the QR code nor the sticker has the MAC address. It does include the date code and other important information however.
Currently, the data set contains 41 entries for WNC-CR200A models!
The SSID and passwords follow the same pattern seen in the CR1000A/B and ASK-NCQ1338
SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.
From this sample we can gain some other info:
SSID passwords are 13-15 characters long
Password <word>s are between 3-5 characters for the SSID Password (haven’t seen a 6 character word yet)
We don’t currently see 0, 1, 2, 5, 8 in any of the SSID, SSID Password, or Admin Password.
HW version is 0.0.5
Shipped firmware is Unknown
The serial number is 11 characters, starting with ACA followed by 9 digits. Since the MAC address is unknown I compared the serial to the IMEI and ICCID. Although both of these appear to mostly follow the date code sequentially, I was unable to find any kind of direct relationship. We don’t have a ton of entries for this device, but it's possible that we could figure out the relationship based on other devices.
From the device teardown, we see that the CPU is a Qualcomm Hawkeye IPQ8072A Quad Core ARM 64 bit A53 2.2GHz processor, which is the same as the ASK-NCQ1338. I think the memory is the two chips labeled "2CR77 D8BPK" but I was unable to find any data sheet for this. I wasn’t able to find any firmware online.
The Dataset now contains:
G3100/E3200 - 464 entries
CR1000 A/B - 97 entries
ARC-XCI55AX - 98 entries
ASK-NCQ1338 - 113 entries
WNC-CR200A - 41 entries
Other - 161 entries
Total - 974 entries
Next update we will have finally broken 1000 entries! I am planning on finally uploading the reference images again with that update. I will hopefully have all of the scripts cleaned up and uploaded to GitHub in the next week or two. We found another device this week, the NVG558HX; again, this is an easy target and will be included in future updates.
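As an added illustration of the keyspace arithmetic and the word-splitting analysis described in the post above (this is not the author's script, and the sample strings are the examples quoted on the page plus one constructed one, not real credentials), the Python below tokenizes generated passwords into words and digits, buckets the words by length the way the N_letter_words.txt files do, validates a string against the 15-character <word>-<word>-<word> scheme as the post defines it, and turns a keyspace into entropy bits and time-to-exhaust at a given hash rate, which is how a defender would rate the strength of such a default-credential scheme.

```python
import math
import re
from collections import defaultdict

# Constructed sample: the formats quoted in the thread (the last one is made up
# to fit the 15-character hyphen scheme with the digit on the first word).
SAMPLE_PASSWORDS = [
    "room50cleft78dry",   # <word><number><word><number><word>, 16 chars
    "sin296wary394cap",   # same format, 16 chars
    "dump75owl79copy",    # same format, 15 chars
    "range-joy3-okey",    # <word>-<word>-<word>, one trailing digit
    "cps7-alpha-idea",    # constructed, digit on the first word
]

TOKEN_RE = re.compile(r"[a-z]+|\d+")
# Digits the post reports as the only ones seen in the hyphen scheme.
ALLOWED_DIGITS = set("34679")


def tokenize(password):
    """Split a generated password into alternating alphabetic and numeric tokens."""
    return TOKEN_RE.findall(password.lower())


def bucket_words(passwords):
    """Group the alphabetic tokens by length and count every digit seen.

    Returns ({word_len: set_of_words}, {digit: count}); the first mapping is
    what the thread's per-length wordlist files hold."""
    words = defaultdict(set)
    digits = defaultdict(int)
    for pw in passwords:
        for tok in tokenize(pw):
            if tok.isdigit():
                for d in tok:
                    digits[d] += 1
            else:
                words[len(tok)].add(tok)
    return dict(words), dict(digits)


def matches_hyphen_scheme(password):
    """True if the string fits the 15-char <word>-<word>-<word> scheme as the post
    states it: one word each of length 3, 4 and 5 in any order, and exactly one
    allowed digit appended to the first or second word, never the third."""
    if len(password) != 15:
        return False
    parts = password.split("-")
    if len(parts) != 3:
        return False
    lengths, digits_seen = [], 0
    for idx, part in enumerate(parts):
        m = re.fullmatch(r"([a-z]+)(\d?)", part)
        if not m:
            return False
        word, digit = m.groups()
        if digit:
            if idx == 2 or digit not in ALLOWED_DIGITS:
                return False
            digits_seen += 1
        lengths.append(len(word))
    return digits_seen == 1 and sorted(lengths) == [3, 4, 5]


def hyphen_keyspace(n3, n4, n5, digit_choices=5, digit_positions=2, orderings=6):
    """Keyspace of the hyphen scheme using the post's formula:
    #3-letter * #4-letter * #5-letter * #digits * #digit places * #orderings."""
    return n3 * n4 * n5 * digit_choices * digit_positions * orderings


def entropy_bits(keyspace):
    """Effective entropy of a uniformly chosen password from the keyspace."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, hashes_per_second):
    """Worst-case time to try every candidate at a given guessing rate."""
    return keyspace / hashes_per_second


def human_time(seconds):
    """Render seconds in the largest sensible unit (hours, days or years)."""
    if seconds < 86400:
        return f"{seconds / 3600:.2f} hours"
    if seconds < 365.25 * 86400:
        return f"{seconds / 86400:.2f} days"
    return f"{seconds / (365.25 * 86400):.2f} years"


if __name__ == "__main__":
    by_len, digit_counts = bucket_words(SAMPLE_PASSWORDS)
    for n in sorted(by_len):
        print(f"{len(by_len[n])} unique {n}-letter words: {sorted(by_len[n])}")
    print("digit counts:", dict(sorted(digit_counts.items())))
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw:18s} hyphen scheme: {matches_hyphen_scheme(pw)}")
    # The post's scraped wordlist sizes and benchmark rates.
    ks = hyphen_keyspace(372, 605, 412)
    print(f"keyspace {ks:,} (~{entropy_bits(ks):.1f} bits)")
    for label, rate in (("RPi4", 1080), ("4090 22000", 2533e3), ("4090 22001", 275e6)):
        print(f"  {label}: {human_time(seconds_to_exhaust(ks, rate))}")
```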