Verizon Fios G3100 and E3200 Research
#11
(04-07-2025, 07:45 PM)RealEnder Wrote: Interesting research. We've looked at these and sadly couldn't find anything that could limit the keyspace, which is really enormous. We have a lot of uncracked Fios networks in wpa-sec. We've got only these:
Code:
b8f853eb8962 Fios-6MSdq arc53dock735wry
b8f85362dec2 Fios-DMG5b palmy82out76arc
04a222f1f9da Fios-9ZfGv tag828pun44snail
b8f85337fb06 Fios-fq8ZT zoo343owl289crow
As always, the BSSID may be fake.

I don’t know if you have been following along, but just for fun I decided to throw your BSSIDs at Fios-F1nDr.  

                      Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input          | b8f853eb8962                           |
+--------------------+----------------------------------------+
| MAC Block Start    | B8.F8.53.EB.14.E0                      |
+--------------------+----------------------------------------+
| MAC Block End      | B8.F8.53.F3.08.C8                      |
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio    | 8                                      |
+--------------------+----------------------------------------+
| Calculated Serial  | G402120121003728                       |
+--------------------+----------------------------------------+
| Keyspace           | w = <word>  n = <number>               |
|                    | ? = single digit at end of random word |
+--------------------+----------------------------------------+
| WiFi Pass Format   | wnwnw                                  |
+--------------------+----------------------------------------+
| WiFi Pass Length   | 15                                     |
+--------------------+----------------------------------------+
| Admin Pass Format  | wnw                                    |
+--------------------+----------------------------------------+
| Admin Pass Length  | 16                                     |
+--------------------+----------------------------------------+
| Model Type         | G3100                                  |
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 201210                                 |
+--------------------+----------------------------------------+
| Hardware           | 1104                                   |
+--------------------+----------------------------------------+

                      Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input          | b8f85362dec2                           |
+--------------------+----------------------------------------+
| MAC Block Start    | B8.F8.53.62.C6.90                      |
+--------------------+----------------------------------------+
| MAC Block End      | B8.F8.53.67.0D.C8                      |
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio    | 8                                      |
+--------------------+----------------------------------------+
| Calculated Serial  | G402120032500774                       |
+--------------------+----------------------------------------+
| Keyspace           | w = <word>  n = <number>               |
|                    | ? = single digit at end of random word |
+--------------------+----------------------------------------+
| WiFi Pass Format   | wnwnw                                  |
+--------------------+----------------------------------------+
| WiFi Pass Length   | 15                                     |
+--------------------+----------------------------------------+
| Admin Pass Format  | wnw                                    |
+--------------------+----------------------------------------+
| Admin Pass Length  | 16                                     |
+--------------------+----------------------------------------+
| Model Type         | G3100                                  |
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 200325                                 |
+--------------------+----------------------------------------+
| Hardware           | 1104                                   |
+--------------------+----------------------------------------+

                      Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input          | 04a222f1f9da                           |
+--------------------+----------------------------------------+
| MAC Block Start    | 04.A2.22.E5.5E.A2                      |
+--------------------+----------------------------------------+
| MAC Block End      | 04.A2.22.F3.31.E2                      |
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio    | 11                                     |
+--------------------+----------------------------------------+
| Calculated Serial  | G401119081375106                       |
+--------------------+----------------------------------------+
| Keyspace           | w = <word>  n = <number>               |
|                    | ? = single digit at end of random word |
+--------------------+----------------------------------------+
| WiFi Pass Format   | wnwnw                                  |
+--------------------+----------------------------------------+
| WiFi Pass Length   | 16                                     |
+--------------------+----------------------------------------+
| Admin Pass Format  | wnw                                    |
+--------------------+----------------------------------------+
| Admin Pass Length  | 16                                     |
+--------------------+----------------------------------------+
| Model Type         | G3100                                  |
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 190813                                 |
+--------------------+----------------------------------------+
| Hardware           | 1103                                   |
+--------------------+----------------------------------------+

                      Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input          | b8f85337fb06                           |
+--------------------+----------------------------------------+
| MAC Block Start    | B8.F8.53.35.B1.BD                      |
+--------------------+----------------------------------------+
| MAC Block End      | B8.F8.53.3B.0B.27                      |
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio    | 11                                     |
+--------------------+----------------------------------------+
| Calculated Serial  | G401119120913621                       |
+--------------------+----------------------------------------+
| Keyspace           | w = <word>  n = <number>               |
|                    | ? = single digit at end of random word |
+--------------------+----------------------------------------+
| WiFi Pass Format   | wnwnw                                  |
+--------------------+----------------------------------------+
| WiFi Pass Length   | 16                                     |
+--------------------+----------------------------------------+
| Admin Pass Format  | wnw                                    |
+--------------------+----------------------------------------+
| Admin Pass Length  | 16                                     |
+--------------------+----------------------------------------+
| Model Type         | G3100                                  |
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 191209                                 |
+--------------------+----------------------------------------+
| Hardware           | 1103                                   |
+--------------------+----------------------------------------+
#12
(04-08-2025, 05:44 PM)FiosFiend Wrote: From the UART output posted previously we know that it is running AArch64 Linux. Is the sha256 hash value just a check, or something that can be cracked?

Code:
## Loading kernel from FIT Image at 02000000 ...
  Using 'conf_lx_VERIZON-G3100' configuration
  Verifying Hash Integrity ... OK
  Trying 'kernel' kernel subimage
    Description:  4.19 kernel
    Type:        Kernel Image
    Compression:  lzma compressed
    Data Start:  0x0228c800
    Data Size:    3461392 Bytes = 3.3 MiB
    Architecture: AArch64
    OS:          Linux
    Load Address: 0x00100000
    Entry Point:  0x00100000
    Hash algo:    sha256
    Hash value:  77e40836ec218fa969f9d2bd572115ed9a7ef008cc75bfec4912354ce78a6349
  Verifying Hash Integrity ... sha256+ OK

This is a Flattened Image Tree (FIT) image. It uses the same structure as a standard device tree, but it is used to pack together a kernel, device tree, rootfs and device config into a single image. The integrity check you are referring to is not something that can be cracked/brute-forced. It is a sum across the components (kernel, rootfs, etc.) to ensure nothing was modified or corrupted.

I do have a NAND dump of both a g1100 and a g3100, but I don't think I have the physical devices any more.

HOWEVER, I will tell you that it is possible to glitch the bootloader into giving you a shell; you have to short the data out pin on the flash chip to ground when it loads the bootloader environment from flash, and the short has to be very brief. The trick here is that they left the fallback config built into u-boot. I can't remember exactly what it was that let me in, maybe it was a bootdelay counter, but it is possible.

Be aware that you can damage the flash and/or its contents doing this, but you may be able to get a root shell.
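The point soxrok2212 makes about the FIT hash can be shown in code. What follows is an added example written for this page, not code from the thread, from U-Boot or from the G3100 firmware: a toy FIT builder (a real .itb is produced by mkimage), a minimal flattened-device-tree walker, and the same comparison U-Boot makes when it prints "sha256+ OK". The kernel bytes are a constructed stand-in. Flipping one byte makes the check fail, which is what catches corruption; recomputing the digest and writing it back makes it pass again, which is why a hash node is an integrity check with nothing to crack rather than an authenticity control. Whether a modified image would actually boot on a given unit depends on whether U-Boot also enforces a signature node against a key held in the bootloader; the UART lines quoted above show hash verification only, and this example makes no claim beyond those lines.

```python
"""Minimal FIT hash check (added example). A FIT is a device tree blob whose /images/<name>
nodes carry the payload in "data" plus hash-N subnodes holding "algo" and "value"."""
import hashlib
from struct import pack, unpack

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9
_pad4 = lambda b: b + b"\0" * (-len(b) % 4)   # FDT tokens and values are 4-byte aligned


def build_fit(images: dict) -> bytes:
    """Toy FIT builder, constructed for this demo (real .itb files come from mkimage):
    each /images/<name> gets a data property and a sha256 hash-1 node, no signature."""
    body, strings, offs = bytearray(), bytearray(), {}

    def begin(name):                        # FDT_BEGIN_NODE + NUL-terminated node name
        body.extend(pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))

    def prop(name, value):                  # FDT_PROP, length, offset into strings block, value
        if name not in offs:
            offs[name] = len(strings)
            strings.extend(name.encode() + b"\0")
        body.extend(pack(">III", FDT_PROP, len(value), offs[name]) + _pad4(value))

    def end():
        body.extend(pack(">I", FDT_END_NODE))

    begin("")
    begin("images")
    for name, data in images.items():
        begin(name)
        prop("data", data)
        begin("hash-1")
        prop("algo", b"sha256\0")
        prop("value", hashlib.sha256(data).digest())
        end()
        end()
    end()
    end()
    body.extend(pack(">I", FDT_END))
    rsvmap = b"\0" * 16                     # empty memory reservation map
    off_struct, off_strings = 40 + len(rsvmap), 40 + len(rsvmap) + len(body)
    header = pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct, off_strings,
                  40, 17, 16, 0, len(strings), len(body))
    return header + rsvmap + bytes(body) + bytes(strings)


def parse_fdt(blob: bytes) -> dict:
    """Walk the structure block; return {node_path: {property_name: raw_bytes}}."""
    magic, _, off_struct, off_strings = unpack(">4I", blob[:16])
    if magic != FDT_MAGIC:
        raise ValueError("not a DTB/FIT image")
    nodes, path, pos = {}, [], off_struct
    while True:
        tok, pos = unpack(">I", blob[pos:pos + 4])[0], pos + 4
        if tok == FDT_BEGIN_NODE:
            nul = blob.index(b"\0", pos)
            path.append(blob[pos:nul].decode())
            pos = (nul + 1 + 3) & ~3
            nodes["/" + "/".join(p for p in path if p)] = {}
        elif tok == FDT_END_NODE:
            path.pop()
        elif tok == FDT_PROP:
            length, nameoff = unpack(">II", blob[pos:pos + 8])
            name = blob[off_strings + nameoff:blob.index(b"\0", off_strings + nameoff)].decode()
            nodes["/" + "/".join(p for p in path if p)][name] = blob[pos + 8:pos + 8 + length]
            pos = (pos + 8 + length + 3) & ~3
        elif tok == FDT_END:
            return nodes
        elif tok != FDT_NOP:
            raise ValueError(f"bad FDT token {tok} at offset {pos - 4}")


def verify_fit_hashes(blob: bytes) -> dict:
    """Recompute every /images/<img>/hash-*/value over the sibling data property (U-Boot's check)."""
    nodes = parse_fdt(blob)
    results = {}
    for path, props in nodes.items():
        parent, _, leaf = path.rpartition("/")
        if parent.startswith("/images/") and leaf.startswith("hash"):
            algo = props["algo"].rstrip(b"\0").decode()
            digest = hashlib.new(algo, nodes[parent]["data"]).digest()
            results[path] = digest == props["value"]   # True = intact, says nothing about origin
    return results


def tamper_demo() -> tuple:
    """Flip a kernel byte (check fails), then recompute and write back the digest (check passes)."""
    kernel = bytes(range(256)) * 4          # constructed stand-in for kernel bytes
    fit = build_fit({"kernel": kernel})
    clean = verify_fit_hashes(fit)["/images/kernel/hash-1"]
    patched, off = bytearray(fit), fit.index(kernel)
    patched[off] ^= 0xFF                    # one modified byte, as corruption or tampering
    broken = verify_fit_hashes(bytes(patched))["/images/kernel/hash-1"]
    old = fit.index(hashlib.sha256(kernel).digest())
    patched[old:old + 32] = hashlib.sha256(patched[off:off + len(kernel)]).digest()
    rehashed = verify_fit_hashes(bytes(patched))["/images/kernel/hash-1"]
    return clean, broken, rehashed          # (True, False, True): nothing secret to crack
```

To run verify_fit_hashes() over a real image, read the .itb into bytes; images whose payload is stored externally and referenced by data-offset or data-position rather than an inline data property are not handled here.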
#13
(04-22-2025, 05:10 PM)soxrok2212 Wrote: This is a Flattened Image Tree (FIT) image. It uses the same structure as a standard device tree, but it is used to pack together a kernel, device tree, rootfs and device config into a single image. The integrity check you are referring to is not something that can be cracked/brute-forced. It is a sum across the components (kernel, rootfs, etc.) to ensure nothing was modified or corrupted.

I do have a NAND dump of both a g1100 and a g3100, but I don't think I have the physical devices any more.

HOWEVER, I will tell you that it is possible to glitch the bootloader into giving you a shell; you have to short the data out pin on the flash chip to ground when it loads the bootloader environment from flash, and the short has to be very brief. The trick here is that they left the fallback config built into u-boot. I can't remember exactly what it was that let me in, maybe it was a bootdelay counter, but it is possible.

Be aware that you can damage the flash and/or its contents doing this, but you may be able to get a root shell.

OMG I can’t tell you how happy I am to see you reply to this! I have come across your name in a lot of my research. I have tagged you in my hashkiller post (https://forum.hashkiller.io/index.php?fo...acking.15/), which has just a bit more info.

Great to hear that you think the glitch will work, I actually just read about that today and it was the next thing on my list to try.  

Thanks again for stopping in!

https://openwrt.org/inbox/toh/arcadyan/a...o_cfe_menu
#14
I had a bit of time to sort through the general scrape that I did last week.  I've added 32 new entries for the G3100/E3200 dataset, bringing us to 345 entries.  As always we test the new entries against the Fios-F1nDr database and see that we're still catching a good number of new date codes with each scrape.  Currently there are 186 unique Date Codes.

Updated Data Set:
.xlsx   router_data_FULL_042725.xlsx


Before:
Correct - 11 (34%)
Incorrect - 16 (50%)
Unknown block - 2 (6%)
Unknown device - 3 (9%)
Not enough data - 0 (0%)

After:
Correct - 26 (81%)
Incorrect - 3 (9%)
Unknown block - 0 (0%)
Unknown device - 3 (9%)
Not enough data - 0 (0%)

I will hold off on posting the updated data_ref_lines this time, but it’s available in the dataset if you want it or feel free to DM me.

As I mentioned, the image identifying script is doing amazingly well now that we’ve changed the QR code reader. Last week I did a more general search and caught a ton of different devices. The QR codes are all a little different, so I am working to update the script to grab the data on these. I have started to scrape these too so that we can better understand all of the Fios/Verizon variations.

ARC-XCI55AX
ASK-NCM1100 / ASK-NCM1100E
ASK-NCQ1338 / ASK-NCQ1338E / ASK-NCQ1338FA
CR1000A / CR1000B
FWA55V5L
G1100
LVSKIHP
WNC-CR200A
... probably a few more!

I plan to make posts for each of these devices as I begin to investigate them. In my original research, I obtained a good bit of useful info from the CR1000A / CR1000B devices. So that is where I will begin...


The CR1000A / CR1000B routers are manufactured by Wistron NeWeb Corporation. Unfortunately, the information is split into 2 labels, so collecting complete entries is more difficult. The QR code does contain the MAC and serial at least. I updated my scraping script to include the images downloaded from each link, so now I can reference back to the actual listing when necessary. I think I will eventually put all of these scripts on GitHub, since posting updated versions here makes a lot of clutter.

Code:
('WIFI:S:Verizon_WP4ZXC;T:WPA;P:bug-aged6-noun;;ROUTER:M:CR1000A;S:ABV24234358;W:78670EA7007D;I:admin;P:WNV33WG6C;;1',)

Currently, the data set contains 86 entries for CR1000A / CR1000B!

SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either of the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.


From this sample we can gain some other info:
  • Password <word>s are between 3-6 characters for the SSID Password
  • We don’t currently see 0 or 1 in any of the SSID, SSID Password, or Admin Password.
  • There are several HW versions (103, 0.0.6, 0.0.7, 0.0.8, 0.0.A, 0.0.B, 0.0.C)
  • Shipped firmware ranges from 3.1.0.17 to 3.2.0.14
  • Somewhat surprisingly, in this small sample we have caught a good many MAC prefixes: 04.70.56, 1C.D6.BE, 58.96.71, 78.67.0E, 84.90.0A, AC.91.9B, BC.F8.7E, DC.4B.A1

Serial numbers are always 11 digits and start with 2-3 letters, followed by digits.  If we compare the MAC/Serial difference like before, we see these change in steps of 7.  So we should be able to calculate the serial numbers once I figure out how they’re blocked together.


Here is a teardown of the device; the CPU is a Qualcomm IPQ8074 SoC. It contains four Arm Cortex-A53 cores clocked up to 2 GHz.

I had found references to CR1000A firmware, which is what helped me find the G3100. I searched for all the versions I could find, and unfortunately didn’t turn up anything earlier than what I found online. The good news is @soxrok2212 and crew have done a great job reversing this firmware.

Code:
CR1000A:
https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.6.bin
https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.7.bin
https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.8.bin
https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.9.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.2.0.14_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.7_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.8_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.10_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.11_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.1.1.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.1.2.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.1.2_loader.bin

CR1000B:
https://cpe-ems34.verizon.com/firmware/chr2fb_fw_3.1.1.16.bin
https://cpe-ems34.verizon.com/firmware/chr2fb_fw_3.1.1.17.bin
https://cpe-ems34.verizon.com/firmware/chr2fb_fw_3.1.1.18.bin
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.1.1.20.bin
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.7_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.8_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.9_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.10_loader.bin

That’s all I have currently for the CR1000A / CR1000B, however our scrape did catch a lot of other entries. I have also included them in the sheet “other”. I plan to scrape each of these devices individually and make a similar post to this one for them.

This update contains 178 additional entries for “Other” devices, bringing the total number of entries to 609!


Attached Files
.jpg   image_CR100205.jpg
.jpg   image_4192500065.jpg
.png   CR1000A_SSID.png
.png   HexSerialCompare.png
#15
Ok here we go with this week's update! Since we are targeting many more devices now, I spent this week working on my Facebook scraping script. FB is a bit trickier to scrape because they load pages dynamically and don’t follow normal naming conventions, to make it a bit harder to do. Fortunately those are overcome with a bit of effort, and with AI and me helping each other a bit, I finally have something I am happy with. So now we have a bunch of new entries to the database, we’re up to 727 unique entries!

Updated Data Set:
.xlsx   router_data_FULL_050325.xlsx

We have added 36 new G3100/E3200, so as always here are the Fios-F1nDr stats:

Before:
Correct - 22 (61%)
Incorrect - 7 (19%)
Unknown block - 0 (0%)
Unknown device - 4 (11%)
Not enough data - 3 (8%)

After:
Correct - 32 (89%)
Incorrect - 4 (11%)
Unknown block - 0 (0%)
Unknown device - 0 (0%)
Not enough data - 0 (0%)

Check that out, we’re making some progress! The 4 that were incorrect are outliers. We now have 202 Date Codes that range from 4/29/19 to 10/28/24.

Some more good news: we have collected enough entries that we can determine the 11-digit serial blocks! These are always E3200 devices; using the last 5 digits as the incremental serial, we can see the steps are in increments of 6. All of the E3200 have had a step of 6 so far. This info helps us unlock a lot of the DC.F5.1B and 74.90.BC space that I had kind of ignored previously 😀 . Fios-F1nDr needed a minor update to calculate these properly, but I have a GitHub account now so hopefully I can get all of the scripts uploaded by next update.


As I pointed out before, we are starting to have a good many entries for the same date codes. Block 190813 now has 9 entries!  So I will soon look at those closer and see if I can catch any patterns. I still haven’t had a chance to glitch my device, but I found some interesting artifacts in the g3100_fw_2.0.0.6.bin and e3200_fw_3.1.1.17.bin. I haven’t really poked around in any of the other firmware yet.  I will circle back to all of that eventually, so many things to do...

Code:
/home/paul_shih/project/g3100_2.0.0.5/extern/broadcom-bsp-5.02L06/kernel/linux-4.1

BOOT_CONSOLE Mon Dec 14 15:02:21 CST 2020 paul_shih@buildbox3 

192.168.1.100:g3100-mfg.bin

This is in e3200_fw_3.1.1.17.bin
/home/lennon_chen/e3200/release/0307/bsp/kernel/linux-4.1

BOOT_CONSOLE Mon Mar  7 18:11:55 CST 2022 lennon_chen@buildbox5

192.168.1.100:g3100-mfg.bin

This week's device spotlight is the ARC-XCI55AX. Like the G3100/E3200, these are manufactured by Arcadyan. The QR code provides a lot of useful information, including the MAC, which unfortunately isn’t printed on the sticker. The QR also contains a manufacture date, which means we don’t have to figure out the date blocks ourselves! This is the first QR code that has an IMEI # on the sticker and QR code, so we are collecting those too. The sticker also has the ICC ID, which I will probably add data for next update.

Code:
('WIFI:S:Verizon_XTR9DB;T:WPA;P:spoon6-tun-swam;;ROUTER:M:ARC-XCI55AX;S:GRR22068010;D:07-13-2022;F:3.1.1.21;P:KS7BG6QZL;E:358598613057513;B:C899B2B1EBD4;;1',)

Currently, the data set contains 82 entries for ARC-XCI55AX!
The SSID and passwords follow the same pattern seen in the CR1000A/B.

SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either of the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.

From this sample we can gain some other info:
  • SSID passwords are mostly 15 characters long; I did catch one that was 14 characters in a higher serial number
  • Password <word>s are between 3-5 characters for the SSID Password (haven’t seen a 6 character word yet)
  • We don’t currently see 0, 1 or 2 in any of the SSID, SSID Password, or Admin Password.
  • HW versions are not printed on the device or QR code
  • Shipped firmware ranges from 3.1.1.14 to 3.2.0.7

Again we see a surprising number of MAC prefixes: 04.09.86, 18.58.80, 4C.22.F3, 54.B7.BD, 74.90.BC, 84.90.0A, A8.A2.37, AC.B6.87, BC.F8.7E, C8.99.B2, F4.CA.E7

Serial numbers are always 11 digits and start with 3 letters (ABU or GRR), followed by 8 digits. If we compare the MAC/Serial difference like before, we see these change in steps of 4 or 8. Hopefully I will be able to use the IMEI or Serial # to back-calculate the MAC address for images where we can’t read the QR code. These might help us better understand similar 11-digit serials on the G3100 and other devices.



From the device teardown, we see that the CPU is a MediaTek MT6890 SoC, which is a quad-core Arm Cortex-A55 @ 2 GHz. The memory is Kingston 16EM16-M4CTB29 LPDDR4x eMCP (16 GB NAND eMMC 5.1 + 16 GB LPDDR4x RAM).

I wasn’t able to find any firmware links online. I did find information that suggests these devices are also used for “Straight Talk home internet” from Walmart. I think FWA55V5L is the correct model, but there isn’t much info on these. There was an issue with people registering the devices, so Walmart stopped distributing them.

I did find a Reddit post discussing a “Engineering Page” located at https://192.168.1.1/#/eng/ or https://mynetworksettings.com/#/eng/ which asks you for a password. This password is unrelated to both the admin password and WPA-PSK.
  • Does anybody know what this password is, where to find it, or how to calculate it? Login credentials consisting of a password and a token are posted to /eng_auth.cgi as an application/x-www-form-urlencoded string like data=<password>&token=<hex string (MD5?)>
  • What I'm noticing here is that the CPE is connecting to an auto configuration server at https://hdm5g.vzwdm.com using the TR-069 CPE WAN Management Protocol. Is there any way to tell the CPE to connect to my own TR-069 server instead?
  • I'm assuming that ports 4567 and 4577 are related to the above CWMP implementation. Running openssl s_client -connect mynetworksettings.com:4577 returns certificate data, but fails to connect with the following error: sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1586:SSL alert number 40. The server certificate's subject name is my CPE's serial number, which is different from the SSL cert on port 443. Does anybody know for sure what these ports are for?

I tried to visit the engineering page on my G3100 and it brings up the admin login or, if logged in, a blank page, but still with the sidebar and everything. Visiting any made-up link such as https://192.168.1.1/#/fiend has a different behavior of loading a completely blank page, so I think there’s something there. Does anyone have any info on how to access this page?


It’s also intriguing to me that this device has a secret USB-C port hidden behind a plastic panel... from the Reddit post above:
  • The hidden USB-C port on the bottom is, I believe, for firmware flashing. Plugging it into my Ubuntu laptop and turning on the CPE the device gets recognized as VID 0E8D PID 2000, which is the MediaTek preloader. I've tried methods described here -> https://github.com/bkerler/mtkclient to crash the preloader and enter the bootrom. I can get it to be recognized VID 0E8D PID 0003, but the process hangs from there. Has anybody had any luck accessing the modem through the USB-C port and running AT commands?


There are a few new entries to the CR1000 and Others sections, here’s the current breakdown:

G3100/E3200 - 384 entries
CR1000 A/B - 94 entries
ARC-XCI55AX - 83 entries
Other - 166 entries
Total - 727 entries

Please consider liking this post if you’ve read this far... it’s the only way I know that anyone else is here!


Attached Files
.png   AA621_Block.png
.jpeg  secret_usb.jpeg
.jpg   image_4192506895.jpg
.png   ARC-XCI55AX_step.png
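The two label QR payloads quoted in this thread (the CR1000A one in post #14 and the ARC-XCI55AX one just above) share one layout: a WIFI: segment and a ROUTER: segment, each a run of KEY:VALUE pairs closed by ";;", followed by a bare "1". The following is an added example, not FiosFiend's scraping script, that parses that layout and checks each field against the patterns the two posts describe. The meaning of the ROUTER keys (M model, S serial, W or B MAC, I admin user, P admin password, D date, F firmware, E IMEI) is read off the two sample payloads and is an assumption, not documented format; the SSID check accepts five or six characters after the underscore, since both quoted payloads carry six; backslash escapes of the WIFI: scheme are not handled because neither payload uses them. The keyspace function counts candidates for the <word>-<word>-<word> format with exactly one digit on word 1 or 2, which is the rule the posts state.

```python
"""Parser and pattern check for the Verizon label QR payloads quoted in the thread (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed inputs: the two payloads quoted in posts #14 and #15.
SAMPLE_CR1000A = ("WIFI:S:Verizon_WP4ZXC;T:WPA;P:bug-aged6-noun;;"
                  "ROUTER:M:CR1000A;S:ABV24234358;W:78670EA7007D;I:admin;P:WNV33WG6C;;1")
SAMPLE_ARC_XCI55AX = ("WIFI:S:Verizon_XTR9DB;T:WPA;P:spoon6-tun-swam;;"
                      "ROUTER:M:ARC-XCI55AX;S:GRR22068010;D:07-13-2022;F:3.1.1.21;"
                      "P:KS7BG6QZL;E:358598613057513;B:C899B2B1EBD4;;1")

# Patterns derived from the thread's observations. The SSID check accepts 5 or 6
# characters after the underscore because both quoted payloads carry six.
SSID_RE = re.compile(r"^Verizon_[A-Z0-9]{5,6}$")
ADMIN_PW_RE = re.compile(r"^[A-Z0-9]{9}$")
WORD_RE = re.compile(r"^([a-z]{3,6})(\d)?$")      # lowercase word, optional single digit
MAC_RE = re.compile(r"^[0-9A-F]{12}$")


@dataclass
class RouterLabel:
    wifi: Dict[str, str] = field(default_factory=dict)    # the WIFI: segment
    router: Dict[str, str] = field(default_factory=dict)  # the ROUTER: segment
    trailer: Optional[str] = None                         # the bare "1" at the end


def parse_label_qr(payload: str) -> RouterLabel:
    """Split the payload on ';;' into segments; each is NAME: then KEY:VALUE pairs joined by ';'.
    Backslash escapes of the WIFI: scheme are not handled (none of the quoted payloads use them)."""
    label = RouterLabel()
    for segment in payload.split(";;"):
        if not segment:
            continue
        if ":" not in segment:                  # trailing "1" with no key
            label.trailer = segment
            continue
        name, _, body = segment.partition(":")
        fields = {}
        for pair in filter(None, body.split(";")):
            key, _, value = pair.partition(":")
            fields[key] = value
        if name == "WIFI":
            label.wifi = fields
        elif name == "ROUTER":
            label.router = fields
        else:
            raise ValueError(f"unknown segment {name!r}")
    return label


def check_wifi_password(psk: str) -> bool:
    """<word>-<word>-<word> with exactly one digit, appended to word 1 or word 2, never word 3."""
    parts = psk.split("-")
    if len(parts) != 3:
        return False
    digit_positions = []
    for idx, part in enumerate(parts):
        m = WORD_RE.match(part)
        if not m:
            return False
        if m.group(2) is not None:
            digit_positions.append(idx)
    return digit_positions in ([0], [1])


def validate_label(label: RouterLabel) -> Dict[str, bool]:
    """Check each field against the observed patterns. Taking W (CR1000A) and B (ARC-XCI55AX)
    as the MAC key is an assumption read off the two sample payloads."""
    mac = label.router.get("W") or label.router.get("B") or ""
    return {
        "ssid": bool(SSID_RE.match(label.wifi.get("S", ""))),
        "wifi_password": check_wifi_password(label.wifi.get("P", "")),
        "admin_password": bool(ADMIN_PW_RE.match(label.router.get("P", ""))),
        "mac": bool(MAC_RE.match(mac)),
    }


def wifi_keyspace(num_words: int, num_digits: int) -> int:
    """Candidates for <word>-<word>-<word> with one digit on word 1 or 2:
    |W|^3 word choices, two digit positions, num_digits digit values (8 for 2-9)."""
    return num_words ** 3 * 2 * num_digits


if __name__ == "__main__":
    for payload in (SAMPLE_CR1000A, SAMPLE_ARC_XCI55AX):
        label = parse_label_qr(payload)
        print(label.router.get("M"), label.wifi.get("S"), validate_label(label))
    print("keyspace for a 2,000-word list, digits 2-9:", wifi_keyspace(2000, 8))
```

Fields that fail validate_label() are the ones worth a second look in the spreadsheet, since on this data a failure is far more likely to be a QR misread than a genuinely different format.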
#16
Happy Friday everyone, grab some popcorn this week's update is a long one!

In a Verizon thread on Hashkiller, I noticed that Sardukarrr and drsnooker both posted photos to old eBay listings, which are surprisingly still active. I had previously overlooked them because they weren’t G3100/E3200, but now they’re both new entries in the dataset! I was starting to get nervous that I might finally reach the end of the internet, but this got me thinking... Currently only eBay allows me to go backwards to find sold listings, and sadly the window on that is limited. How can I possibly find old listings/images that are still active, but not currently searchable through eBay, FB, etc.?

The only way I personally know of is to use Google “dorks”. If you are unfamiliar with the term, search engines allow certain parameters that impact the search results. Trying a few out, I could see there were a few fresh hits. So now I needed a Google / DuckDuckGo image search scraper. I do have a decent bit of programming experience over the years, but I will freely admit it has only ever been hobby/novice level. The bit of programming knowledge that I do have allows me to read, understand, modify, adapt, refine or debug well written example code. If you forced me to write code from scratch I could do it, but it would be a slow process, require a lot of trial/error, lots of internet research, and still be clunky. Fortunately now we have AI, which is great at building the skeleton. It’s been my experience that it needs a bit of guidance though. None of the scraping scripts have worked first try; I always have to watch what it is doing and reprompt and add bits when needed to get a working script. It will sometimes drop key functions/features or make unwanted changes to the code when trying to fix other issues. Although it’s not perfect, I still end up with something workable much much faster than I would on my own. I use 2 different AIs, and sometimes I feed the script one generates to the other to make improvements haha. Any repetitive task that you can do as a normal user on a computer, you can automate fairly easily with a scripting language such as Python.

When looking for images, eBay and FB are the two biggest sources, but I also look at Reddit, Poshmark, OfferUp, Craigslist, Imgur, and Flickr. I recently found this weird site https://shopforsale.ru/ that I think aggregates listings from eBay, FB and potentially other places. I’m not really sure what it is, but it’s easy to scrape and I was able to pull some new entries from there. To refine our searches here is a list of dorks, and you can find other examples online. These are the few uses that I came up with; please comment if you know of any others that look promising.

Using the before tag allows me to only show listings that were posted before I began scraping. This yields a few listings that are still active, but much older than the actual site search allows.
Ex:  offerup.com verizon fios g3100 before:2025-02-01

Using the site tag with inurl yields listings that have previously sold on eBay. I’m not sure it was entirely correct, but I got a few new hits using this. This particular example only worked on duckduckgo.
Ex: site:ebay.com "verizon fios g3100" inurl:sold

AI suggested this as a way to search “old public marketplace listings”. It didn’t yield many, but I did get a fresh hit from 45 weeks ago!
site:facebook.com/marketplace/ "Verizon G3100" -inurl:"search" -inurl:"create"

AI suggested this as a way to find “Older or less promoted eBay listings”, again it produced previously unknown images!
site:ebay.com "Verizon G3100" -inurl:"/sch/" -inurl:"/b/" -2023

Similarly AI suggested this, but it wasn’t fruitful.
site:offerup.com "Verizon G3100" -2024 -2023

So after iterating through these for various devices on both search engines and sweeping up all the photos we can, we’ve added 105 new entries to the dataset. When I first started this project I asked AI how many passwords I would need to determine the algorithm and it told me 1000. Since then, I have realized that AI likes to tell you what you want to hear a lot of the time and not necessarily the truth. But we’re getting close to that goal, so let’s see what else we’ve learned this week...

Updated Data Set:
.xlsx   router_data_FULL_050925.xlsx

There are 37 new entries for the G3100/E3200 devices. Running these through Fios-F1nDr we get the following:

Before:
Correct - 22 (59%)
Incorrect - 14 (38%)
Unknown block - 1 (2%)
Unknown device - 0 (0%)
Not enough data - 0 (0%)

After:
Correct - 34 (92%)
Incorrect - 3 (8%)
Unknown block - 0 (0%)
Unknown device - 0 (0%)
Not enough data - 0 (0%)

We get a little closer each time! We only have a few completely unknown blocks left. With this scrape we captured the very beginning of the B8.F8.53 address space. The 3 that are incorrect are outliers. I have the outliers highlighted in yellow on the Date Codes sheet. Sometimes I can tell the MAC is only off by a few numbers, like some devices got skipped. Other times I can’t really make sense of it. Anyhow, most of the time the calculation works out; we now have 212 unique Date Codes. When I first discovered the date codes, I did a quick assessment: "We have discovered 145 unique date codes. On average, a block contains 29,336 devices, so an unusually high number of devices could indicate that there is at least 1 missing date code. Current calculations predict ~4,165,721 devices total." Looking at the data now, an average block contains 26,162 and predicts 5,180,068 devices total.

We can certainly try to crack how the SSID is created, but from what I see these devices report the proper MAC address during the handshake capture.  So for now, let’s use that as a reference.  After looking at the keyspace again, it turns out that we now have enough data to shrink it a bit!  As we’ve seen, for G3100/E3200 there are multiple algos depending on the date of manufacture.  Here is an update to my OP. 

From our dataset we can gain some info on the G3100/E3200 keyspace:

MAC address Block 04.A2.22.00.00.00 to 04.A2.22.D3.FF.2F are the oldest and ALWAYS have 16 character passwords
  • SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
  • SSID Passwords follow <word><number><word><number><word> format (ex: room50cleft78dry)
  • Admin Passwords are 16 characters and follow a <word><number><word> format (ex: bedeck183magenta)
  • <word> is between 3-7 characters long, <number> is ANY 1-4 digits
*Surprisingly, this “algo” seems like it would be the hardest to crack, but they quickly drop it for some reason.

MAC address Block 04.A2.22.D3.FF.3A to 04.A2.22.FF.FF.FF and B8.F8.53.00.00.00 to B8.F8.53.5B.CD.39
  • SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
  • SSID Passwords follow <word><number><word><number><word> format (ex: sin296wary394cap)
    Passwords are almost always 16 characters; I did find one example at B8.F8.53.57.D8.C1 which is only 15. This address occurs near the next transition.
  • Admin Passwords are 16 characters and follow a <word><number><word> format (ex: suffer693grinder)
  • <word> is between 3-5 characters long (up to 8 characters for admin), <number> is 2-3 digits with no 0 or 1
*16 character passwords are harder to crack, but for some reason they transition to 15

MAC address Block B8.F8.53.5B.CD.41 to B8.F8.53.FF.FF.FF and 3C.BD.C5.00.00.00 to 3C.BD.C5.50.05.44
  • SSID is Fios-XXXXX where X is any char <a-z><A-Z><0-9>
  • SSID Passwords follow <word><number><word><number><word> format and are ALWAYS 15 characters (ex: dump75owl79copy)
  • Admin Passwords are 16 characters and follow a <word><number><word> format (ex: betimes74retinue)
  • <word> is between 3-5 characters long (up to 7 characters for admin), <number> is 2-3 digits with no 0 or 1
Because of the constraint on word length and the 15 character limit, when there is a 5 character word the other words must be 3 characters with 2-digit numbers.

Another transition occurs here... this is where things get very interesting (and potentially crackable!)

MAC address Block 3C.BD.C5.50.05.44 to 3C.BD.C5.FF.FF.FF and all of the DC.F5.1B, 74.90.BC MACS
  • SSID is Verizon_XXXXXX where X is any char <A-Z><0-9>
  • SSID Passwords follow <word>-<word>-<word> with a single digit at the end of one word (ex: range-joy3-okey)
  • Admin Passwords are 9 characters that are <A-Z><0-9> (ex: NQ4BJLC7H)
Because of the hyphens, digit and 15 character limit <word> is ALWAYS comprised of a 3 character, 4 character and 5 character word. No other pattern is mathematically possible. Additionally, the <number> is always a single digit that is NEVER 0, 1, 2, 5, or 8 and NEVER on the last word.

The ARC-XCI55AX follows the exact same pattern (except for a single 14 character entry), so I think this is the first dictionary that we should focus on! I double checked, and the MAC prefixes 04.09.86, 18.58.80, 4C.22.F3, 54.B7.BD, A8.A2.37, AC.B6.87, C8.99.B2, F4.CA.E7 currently appear unique to this device. 84.90.0A and BC.F8.7E are found in the CR1000 dataset, but the current entries in this space also fit this pattern. So those would be the MAC prefixes vulnerable to this dictionary. @soxrok2212 has already started a nice wordlist; at some point I would like to compare my dataset against his list and add words that are missing. They are using a pretty extensive wordlist because we see abbreviations such as cpu, cps, dos, iot, and wpm which aren’t valid words in a scrabble dictionary, but are official words for something like Webster’s Dictionary.

[Image: attachment.php?aid=1283]

The device of the week is the ASK-NCQ1338 family, which includes ASK-NCQ1338, ASK-NCQ1338E, ASK-NCQ1338FA. I couldn’t find much info on the differences, but I think the “E” is an extender and I know the “FA” is the newer model. These devices are manufactured by Askey Computer, and can be considered the sister device to the ARC-XCI55AX. I forgot to mention last week, but both the ARC-XCI55AX and ASK-NCQ1338 are 5G routers that use cell signal to provide internet. The QR code provides a lot of useful information, including the MAC which unfortunately isn’t printed on the sticker. Similar to the ARC, the QR contains both a date code and the IMEI. The QR also has the ICC ID, which means we can easily collect that with the other data. Something strange though: the last item in the QR code is P: <6 digit number>. Does anyone have an idea what this might be, since WPS is 8 digits?

Code:
('WIFI:S:Verizon_J7JYV9;T:WPA;P:enact-ace9-rang;;ROUTER:M:ASK-NCQ1338FA;S:ABB30107759;D:20230117;F:222656;I:admin;P:79T649KNV;E:356649621448392;C:89148000008863050351;B:FC1263A32908;P:937181;;1',)

Currently, the data set contains 107 entries for ASK-NCQ1338 models!
The SSID and passwords follow the same pattern seen in the CR1000A/B and ARC-XCI55AX.
  • SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
  • SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either the first 2 words, but never the third.
  • Admin Passwords are 9 characters that are <A-Z><0-9>.

From this sample we can gain some other info:
  • SSID passwords are 13-15 characters long
  • Password <word> is between 3-5 characters for SSID Password (haven’t seen a 6 character word yet)
  • We don’t currently see 0, 1, 2, 5, 8 in any of the SSID, SSID Password, or Admin Password.
  • HW versions are not printed on the device or QR code
  • Shipped firmware ranges from 212331 to 222656

The MAC addresses that we see for this device are 2C.EA.DC, 4C.AB.F8, 88.DE.7C, A4.97.33, FC.12.63.

Serial numbers are always 11 digits and start with 2-3 letters (AA, AAM, or ABG), followed by 8 digits. If we compare the MAC/Serial difference like before, we see these change in steps of 4. Hopefully I will be able to use the IMEI or Serial # to back calculate the MAC address for images where we can’t read the QR code. All of the 11 digit serials are very similar across the various models in this thread, so again this is a case where one device can inform us about another.
[Image: attachment.php?aid=1286]

From the device teardown, we see that the CPU is a Qualcomm Hawkeye IPQ8072A Quad Core ARM 64 bit A53 2.2GHz processor.  The memory is Samsung K4A8G165WB-BCRC 8Gb DDR4 1200 MHz and Samsung KLM8G1GETF-B041 8GB eMMC NAND.

I wasn’t able to find any firmware online. However, this device also has the hidden compartment. I think I read it was for the SIM card on this device, but the ARC-XCI55AX has an eSIM and USB-C here.

[Image: attachment.php?aid=1285]

Currently in the dataset:
G3100/E3200 - 418 entries
CR1000 A/B - 94 entries
ARC-XCI55AX - 96 entries
ASK-NCQ1338 - 107 entries
Other - 117 entries
Total - 832 entries

I am planning on making at least 3 more long form posts about the various devices that will cover G1100, WNC-CR200A, and the Others. By then I should have pretty much scraped all that I can currently scrape, so I will start doing some more stats analysis on everything that we’ve collected. We caught a new device with these recent scrapes, ASK-RTL108 which has a QR code and a lot of good info on the sticker so I will start scraping these for the next update!

[Image: attachment.php?aid=1284]


How can you help?
  • I have done a pretty exhaustive search, but I've been unable to locate firmware for anything other than G3100/E3200, CR1000A/B, and G1100.  Perhaps you can?
  • Do you know of any website or search terms that might lead us to more images to scrape?
  • Feel free to DM me links to images and such as well!
  • Take a look at the data set, are there any patterns or peculiarities that stand out to you?
  • Do you know of anywhere I can easily host large zip files long term for my ref_images, ref_firmware and future dictionary file?
  • Know of any other models I should be targeting?
  • Want to build a dictionary?
  • Like this post or leave a quick comment


Attached Files
.jpg   image_4192501959.jpg (Size: 462.18 KB / Downloads: 12)
.jpeg   ASK-RTL108.jpeg (Size: 87.36 KB / Downloads: 12)
.jpeg   secret_usb.jpeg (Size: 486.32 KB / Downloads: 12)
.png   ASK-NCQ1338_step.png (Size: 85.79 KB / Downloads: 13)
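The sticker QR payload quoted in the post above (the `WIFI:...;;ROUTER:...;;1` string for the ASK-NCQ1338FA) is worth parsing properly when scraping these stickers, because the vendor `ROUTER:` section reuses the `P:` key and values scraped from photos are easy to misread. The block below is an added example, not code from the post or from Verizon/Askey. It splits the payload into sections while honouring the backslash escapes of the common WIFI QR convention, maps the `ROUTER:` keys to the meanings the post identifies (model, serial, date code, firmware, admin login/password, IMEI, ICC ID, MAC), keeps the trailing 6-digit `P:` value as an unexplained extra exactly as the post does, and runs the standard Luhn check-digit test on the IMEI and ICC ID so a misread digit from a photo is flagged before it enters the dataset. The two password regexes are assumptions distilled from the post's bullet list for this device family and are only used to flag entries that do not fit the observed shape; the key names and the `ROUTER_KEYS` mapping are mine.

```python
"""Parse and sanity-check the sticker QR payload quoted in the post.

Added example, not code from the post or from Verizon/Askey. The payload is
the common WIFI: QR convention (S = SSID, T = security type, P = passphrase,
backslash escapes for ';' and ':') followed by a vendor-specific ROUTER:
section. ROUTER: field names below follow the post where it identifies them;
the second P: value is kept as an unexplained extra, as in the post.
"""
import re

# Constructed sample: the payload the post quotes for an ASK-NCQ1338FA.
SAMPLE = ("WIFI:S:Verizon_J7JYV9;T:WPA;P:enact-ace9-rang;;"
          "ROUTER:M:ASK-NCQ1338FA;S:ABB30107759;D:20230117;F:222656;"
          "I:admin;P:79T649KNV;E:356649621448392;C:89148000008863050351;"
          "B:FC1263A32908;P:937181;;1")

# Key -> name mapping for the ROUTER: section (assumed names, meanings per the
# post). P: is handled separately because it appears twice.
ROUTER_KEYS = {"M": "model", "S": "serial", "D": "date_code", "F": "firmware",
               "I": "admin_user", "E": "imei", "C": "iccid", "B": "mac_raw"}

# Password shapes the post reports for this family (assumptions distilled from
# its bullet list, used only to flag entries that do not fit).
WIFI_PW_RE = re.compile(r"[a-z]{3,5}\d?-[a-z]{3,5}\d?-[a-z]{3,5}")
ADMIN_PW_RE = re.compile(r"[A-Z0-9]{9}")


def split_escaped(text, sep=";"):
    """Split on unescaped `sep`; a backslash escapes the following character."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_sections(payload):
    """Return ({section: [(key, value), ...]}, trailer_tokens).

    An empty token (produced by ';;') ends a section; the next non-empty token
    is expected to start 'NAME:key:value'. Keys are kept as an ordered list,
    not a dict, so duplicate keys (the two P: fields) survive.
    """
    sections, trailer = {}, []
    current, expect_section = None, True
    for tok in split_escaped(payload):
        if tok == "":
            expect_section = True
            continue
        if expect_section:
            expect_section = False
            name, _, tok = tok.partition(":")
            if ":" not in tok:          # bare token such as the final '1'
                trailer.append(name)
                continue
            current = name
            sections[current] = []
        key, _, value = tok.partition(":")
        sections[current].append((key, value))
    return sections, trailer


def luhn_ok(digits):
    """Luhn check-digit test, the standard validity check for IMEI and ICC ID."""
    if not digits or not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def summarize(payload):
    """Flatten the parsed payload into named fields plus consistency checks."""
    sections, _ = parse_sections(payload)
    wifi = dict(sections.get("WIFI", []))
    router = sections.get("ROUTER", [])
    out = {"ssid": wifi.get("S"), "security": wifi.get("T"),
           "wifi_password": wifi.get("P")}
    for key, value in router:
        if key in ROUTER_KEYS:
            out[ROUTER_KEYS[key]] = value
    p_values = [v for k, v in router if k == "P"]
    out["admin_password"] = p_values[0] if p_values else None
    out["extra_p_fields"] = p_values[1:]    # the 6-digit value the post asks about
    raw = out.get("mac_raw", "")
    # Dotted form used throughout the post (FC.12.63.A3.29.08); prefix = OUI.
    out["mac"] = ".".join(raw[i:i + 2] for i in range(0, 12, 2)) if len(raw) == 12 else None
    out["mac_prefix"] = out["mac"][:8] if out["mac"] else None
    wpw, apw = out["wifi_password"], out["admin_password"]
    out["checks"] = {
        "imei_luhn": luhn_ok(out.get("imei", "")),
        "iccid_luhn": luhn_ok(out.get("iccid", "")),
        "wifi_password_pattern": bool(wpw and WIFI_PW_RE.fullmatch(wpw) and 13 <= len(wpw) <= 15),
        "admin_password_pattern": bool(apw and ADMIN_PW_RE.fullmatch(apw)),
    }
    return out


if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(f"{name:24} {value}")
```

Run against the quoted payload, both Luhn checks pass and the MAC resolves to the FC.12.63 prefix the post lists for this model; flip a single IMEI digit (the kind of error OCR makes on a blurry sticker) and `imei_luhn` turns false, which is the cue to re-read the photo rather than add the row.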