Verizon Fios G3100 and E3200 Research
#11
(04-07-2025, 07:45 PM)RealEnder Wrote: Interesting research. We've looked at these and sadly couldn't find anything, which can limit the keyspace, which is really enormous. We have a lot of uncracked Fios networks in wpa-sec. We've got only these:
Code:
b8f853eb8962 Fios-6MSdq arc53dock735wry
b8f85362dec2 Fios-DMG5b palmy82out76arc
04a222f1f9da Fios-9ZfGv tag828pun44snail
b8f85337fb06 Fios-fq8ZT zoo343owl289crow
As always, the BSSID may be fake.

I don’t know if you have been following along, but just for fun I decided to throw your BSSIDs at Fios-F1nDr.  

                      Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input          | b8f853eb8962                           |
+--------------------+----------------------------------------+
| MAC Block Start    | B8.F8.53.EB.14.E0                      |
+--------------------+----------------------------------------+
| MAC Block End      | B8.F8.53.F3.08.C8                      |
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio    | 8                                      |
+--------------------+----------------------------------------+
| Calculated Serial  | G402120121003728                       |
+--------------------+----------------------------------------+
| Keyspace           | w = <word>  n = <number>               |
|                    | ? = single digit at end of random word |
+--------------------+----------------------------------------+
| WiFi Pass Format   | wnwnw                                  |
+--------------------+----------------------------------------+
| WiFi Pass Length   | 15                                     |
+--------------------+----------------------------------------+
| Admin Pass Format  | wnw                                    |
+--------------------+----------------------------------------+
| Admin Pass Length  | 16                                     |
+--------------------+----------------------------------------+
| Model Type         | G3100                                  |
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 201210                                 |
+--------------------+----------------------------------------+
| Hardware           | 1104                                   |
+--------------------+----------------------------------------+

                      Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input          | b8f85362dec2                           |
+--------------------+----------------------------------------+
| MAC Block Start    | B8.F8.53.62.C6.90                      |
+--------------------+----------------------------------------+
| MAC Block End      | B8.F8.53.67.0D.C8                      |
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio    | 8                                      |
+--------------------+----------------------------------------+
| Calculated Serial  | G402120032500774                       |
+--------------------+----------------------------------------+
| Keyspace           | w = <word>  n = <number>               |
|                    | ? = single digit at end of random word |
+--------------------+----------------------------------------+
| WiFi Pass Format   | wnwnw                                  |
+--------------------+----------------------------------------+
| WiFi Pass Length   | 15                                     |
+--------------------+----------------------------------------+
| Admin Pass Format  | wnw                                    |
+--------------------+----------------------------------------+
| Admin Pass Length  | 16                                     |
+--------------------+----------------------------------------+
| Model Type         | G3100                                  |
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 200325                                 |
+--------------------+----------------------------------------+
| Hardware           | 1104                                   |
+--------------------+----------------------------------------+

                      Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input          | 04a222f1f9da                           |
+--------------------+----------------------------------------+
| MAC Block Start    | 04.A2.22.E5.5E.A2                      |
+--------------------+----------------------------------------+
| MAC Block End      | 04.A2.22.F3.31.E2                      |
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio    | 11                                     |
+--------------------+----------------------------------------+
| Calculated Serial  | G401119081375106                       |
+--------------------+----------------------------------------+
| Keyspace           | w = <word>  n = <number>               |
|                    | ? = single digit at end of random word |
+--------------------+----------------------------------------+
| WiFi Pass Format   | wnwnw                                  |
+--------------------+----------------------------------------+
| WiFi Pass Length   | 16                                     |
+--------------------+----------------------------------------+
| Admin Pass Format  | wnw                                    |
+--------------------+----------------------------------------+
| Admin Pass Length  | 16                                     |
+--------------------+----------------------------------------+
| Model Type         | G3100                                  |
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 190813                                 |
+--------------------+----------------------------------------+
| Hardware           | 1103                                   |
+--------------------+----------------------------------------+

                      Fios-F1nDr
+--------------------+----------------------------------------+
| MAC Input          | b8f85337fb06                           |
+--------------------+----------------------------------------+
| MAC Block Start    | B8.F8.53.35.B1.BD                      |
+--------------------+----------------------------------------+
| MAC Block End      | B8.F8.53.3B.0B.27                      |
+--------------------+----------------------------------------+
| MAC 2 Hex Ratio    | 11                                     |
+--------------------+----------------------------------------+
| Calculated Serial  | G401119120913621                       |
+--------------------+----------------------------------------+
| Keyspace           | w = <word>  n = <number>               |
|                    | ? = single digit at end of random word |
+--------------------+----------------------------------------+
| WiFi Pass Format   | wnwnw                                  |
+--------------------+----------------------------------------+
| WiFi Pass Length   | 16                                     |
+--------------------+----------------------------------------+
| Admin Pass Format  | wnw                                    |
+--------------------+----------------------------------------+
| Admin Pass Length  | 16                                     |
+--------------------+----------------------------------------+
| Model Type         | G3100                                  |
+--------------------+----------------------------------------+
| Date Code (YYMMDD) | 191209                                 |
+--------------------+----------------------------------------+
| Hardware           | 1103                                   |
+--------------------+----------------------------------------+
#12
(04-08-2025, 05:44 PM)FiosFiend Wrote: From the UART output posted previously we know that it is running AArch64 Linux. Is the sha256 hash value just a check, or something that can be cracked?

Code:
## Loading kernel from FIT Image at 02000000 ...
  Using 'conf_lx_VERIZON-G3100' configuration
  Verifying Hash Integrity ... OK
  Trying 'kernel' kernel subimage
    Description:  4.19 kernel
    Type:        Kernel Image
    Compression:  lzma compressed
    Data Start:  0x0228c800
    Data Size:    3461392 Bytes = 3.3 MiB
    Architecture: AArch64
    OS:          Linux
    Load Address: 0x00100000
    Entry Point:  0x00100000
    Hash algo:    sha256
    Hash value:  77e40836ec218fa969f9d2bd572115ed9a7ef008cc75bfec4912354ce78a6349
  Verifying Hash Integrity ... sha256+ OK

This is a Flattened Image Tree (FIT) image. It uses the same structure as a standard device tree, but it is used to pack together a kernel, device tree, rootfs and device config into a single image. The integrity check you are referring to is not something that can be cracked/bruteforced. It is a sum across the components (kernel, rootfs, etc.) to ensure nothing was modified or corrupted.

I do have a NAND dump of both a g1100 and a g3100, but I don't think I have the physical devices any more.

HOWEVER, I will tell you that it is possible to glitch the bootloader into giving you a shell; you have to short the data out pin on the flash chip to ground when it loads the bootloader environment from flash, and the short has to be very brief. The trick here is that they left the fallback config built into u-boot. I can't remember exactly what it was that let me in, maybe it was a bootdelay counter, but it is possible.

Be aware that you can damage the flash and/or its contents doing this, but you may be able to get a root shell.
#13
(04-22-2025, 05:10 PM)soxrok2212 Wrote: This is a Flattened Image Tree (FIT) image. It uses the same structure as a standard device tree, but it is used to pack together a kernel, device tree, rootfs and device config into a single image. The integrity check you are referring to is not something that can be cracked/bruteforced. It is a sum across the components (kernel, rootfs, etc.) to ensure nothing was modified or corrupted.

I do have a NAND dump of both a g1100 and a g3100, but I don't think I have the physical devices any more.

HOWEVER, I will tell you that it is possible to glitch the bootloader into giving you a shell; you have to short the data out pin on the flash chip to ground when it loads the bootloader environment from flash, and the short has to be very brief. The trick here is that they left the fallback config built into u-boot. I can't remember exactly what it was that let me in, maybe it was a bootdelay counter, but it is possible.

Be aware that you can damage the flash and/or its contents doing this, but you may be able to get a root shell.

OMG I can’t tell you how happy I am to see you reply to this! I have come across your name in a lot of my research. I have tagged you in my hashkiller post (https://forum.hashkiller.io/index.php?fo...acking.15/), which has just a bit more info.

Great to hear that you think the glitch will work; I actually just read about that today, and it was the next thing on my list to try.

Thanks again for stopping in!

https://openwrt.org/inbox/toh/arcadyan/a...o_cfe_menu
#14
I had a bit of time to sort through the general scrape that I did last week. I've added 32 new entries for the G3100/E3200 dataset, bringing us to 345 entries. As always, we test the new entries against the Fios-F1nDr database and see that we're still catching a good number of new date codes with each scrape. Currently there are 186 unique Date Codes.

Updated Data Set: 
.xlsx   router_data_FULL_042725.xlsx (Size: 405.04 KB / Downloads: 3)


Before:
Correct - 11 (34%)
Incorrect - 16 (50%)
Unknown block - 2 (6%)
Unknown device - 3 (9%)
Not enough data - 0 (0%)

After:
Correct - 26 (81%)
Incorrect - 3 (9%)
Unknown block - 0 (0%)
Unknown device - 3 (9%)
Not enough data - 0 (0%)

I will hold off on posting the updated data_ref_lines this time, but it’s available in the dataset if you want it or feel free to DM me.

As I mentioned, the image identifying script is doing amazing now that we’ve changed the QR code reader. Last week I did a more general search and caught a ton of different devices. The QR codes are all a little different, so I am working to update the script to grab the data on these.  I have started to scrape these too so that we can better understand all of the Fios/Verizon variations.

ARC-XCI55AX
ASK-NCM1100 / ASK-NCM1100E
ASK-NCQ1338 / ASK-NCQ1338E / ASK-NCQ1338FA
CR1000A / CR1000B
FWA55V5L
G1100
LVSKIHP
WNC-CR200A
... probably a few more!

I plan to make posts for each of these devices as I begin to investigate them. In my original research, I obtained a good bit of useful info from the CR1000A / CR1000B devices. So that is where I will begin...

[Image: attachment.php?aid=1263][Image: attachment.php?aid=1264]

The CR1000A / CR1000B routers are manufactured by Wistron NeWeb Corporation. Unfortunately, the information is split into 2 labels, so collecting complete entries is more difficult. The QR code does contain the MAC and serial at least. I updated my scraping script to include the images downloaded from each link, so now I can reference back to the actual listing when necessary. I think I will eventually put all of these scripts on GitHub, since posting updated versions here makes a lot of clutter.

Code:
('WIFI:S:Verizon_WP4ZXC;T:WPA;P:bug-aged6-noun;;ROUTER:M:CR1000A;S:ABV24234358;W:78670EA7007D;I:admin;P:WNV33WG6C;;1',)

Currently, the data set contains 86 entries for CR1000A / CR1000B!

SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either of the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.

[Image: attachment.php?aid=1266]

From this sample we can gain some other info:
  • Password <word>s are between 3 and 6 characters for the SSID Password
  • We don’t currently see 0 or 1 in any of the SSID, SSID Password, or Admin Password.
  • There are several HW versions (103, 0.0.6, 0.0.7, 0.0.8, 0.0.A, 0.0.B, 0.0.C)
  • Shipped firmware ranges from 3.1.0.17 to 3.2.0.14
  • Somewhat surprisingly, in this small sample we have caught a good many MAC prefixes: 04.70.56, 1C.D6.BE, 58.96.71, 78.67.0E, 84.90.0A, AC.91.9B, BC.F8.7E, DC.4B.A1

Serial numbers are always 11 digits and start with 2-3 letters, followed by digits.  If we compare the MAC/Serial difference like before, we see these change in steps of 7.  So we should be able to calculate the serial numbers once I figure out how they’re blocked together.

[Image: attachment.php?aid=1267]

Here is a teardown of the device; the CPU is a Qualcomm IPQ8074 SoC. It contains four Arm Cortex-A53 processor cores clocked at up to 2 GHz.

I had found references to CR1000A firmware, which is what helped me find the G3100. I searched for all the versions I could find, and unfortunately didn’t turn up anything earlier than what I found online. The good news is @soxrok2212 and crew have done a great job reversing this firmware.

Code:
CR1000A:
https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.6.bin
https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.7.bin
https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.8.bin
https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.9.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.2.0.14_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.7_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.8_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.10_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.0.11_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.1.1.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.1.2.bin
https://cpe-ems34.verizon.com/firmware/CHRA/chr2fa_fw_3.3.1.2_loader.bin

CR1000B:
https://cpe-ems34.verizon.com/firmware/chr2fb_fw_3.1.1.16.bin
https://cpe-ems34.verizon.com/firmware/chr2fb_fw_3.1.1.17.bin
https://cpe-ems34.verizon.com/firmware/chr2fb_fw_3.1.1.18.bin
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.1.1.20.bin
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.7_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.8_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.9_loader.bin
https://cpe-ems34.verizon.com/firmware/CHRB/chr2fb_fw_3.3.0.10_loader.bin

That’s all I have currently for the CR1000A / CR1000B, however our scrape did catch a lot of other entries. I have also included them in the sheet “other”. I plan to scrape each of these devices individually and make a similar post to this one for them.

This update contains 178 additional entries for “Other” devices, bringing the total number of entries to 609!


Attached Files
.jpg   image_CR100205.jpg (Size: 190.01 KB / Downloads: 59)
.jpg   image_4192500065.jpg (Size: 98.49 KB / Downloads: 58)
.png   CR1000A_SSID.png (Size: 312.41 KB / Downloads: 52)
.png   HexSerialCompare.png (Size: 145.46 KB / Downloads: 48)
#15
Ok, here we go with this week's update! Since we are targeting many more devices now, I spent this week working on my Facebook scraping script. FB is a bit trickier to scrape because they load pages dynamically, and don’t follow normal naming conventions, to make it a bit harder to do. Fortunately those are overcome with a bit of effort, and with AI and me helping each other a bit, I finally have something I am happy with. So now we have a bunch of new entries in the database; we’re up to 727 unique entries!

Updated Data Set:  
.xlsx   router_data_FULL_050325.xlsx (Size: 476.51 KB / Downloads: 4)

We have added 36 new G3100/E3200, so as always here are the Fios-F1nDr stats:

Before:
Correct - 22 (61%)
Incorrect - 7 (19%)
Unknown block - 0 (0%)
Unknown device - 4 (11%)
Not enough data - 3 (8%)

After:
Correct - 32 (89%)
Incorrect - 4 (11%)
Unknown block - 0 (0%)
Unknown device - 0 (0%)
Not enough data - 0 (0%)

Check that out, we’re making some progress! The 4 that were incorrect are outliers. We now have 202 Date Codes that range from 4/29/19 to 10/28/24.

Some more good news: we have collected enough entries that we can determine the 11-digit serial blocks! These are always E3200 devices; using the last 5 digits as the incremental serial, we can see the steps are in increments of 6. All of the E3200 have had a step of 6 so far. This info helps us unlock a lot of the DC.F5.1B and 74.90.BC space that I had kind of ignored previously 😀. Fios-F1nDr needed a minor update to calculate these properly, but I have a GitHub account now, so hopefully I can get all of the scripts uploaded by next update.

[Image: attachment.php?aid=1277]

As I pointed out before, we are starting to have a good many entries for the same date codes. Block 190813 now has 9 entries!  So I will soon look at those closer and see if I can catch any patterns. I still haven’t had a chance to glitch my device, but I found some interesting artifacts in the g3100_fw_2.0.0.6.bin and e3200_fw_3.1.1.17.bin. I haven’t really poked around in any of the other firmware yet.  I will circle back to all of that eventually, so many things to do...

Code:
/home/paul_shih/project/g3100_2.0.0.5/extern/broadcom-bsp-5.02L06/kernel/linux-4.1

BOOT_CONSOLE Mon Dec 14 15:02:21 CST 2020 paul_shih@buildbox3 

192.168.1.100:g3100-mfg.bin

This is in e3200_fw_3.1.1.17.bin
/home/lennon_chen/e3200/release/0307/bsp/kernel/linux-4.1

BOOT_CONSOLE Mon Mar  7 18:11:55 CST 2022 lennon_chen@buildbox5

192.168.1.100:g3100-mfg.bin

[Image: attachment.php?aid=1279]
This week's device spotlight is the ARC-XCI55AX. Like the G3100/E3200, these are manufactured by Arcadyan. The QR code provides a lot of useful information, including the MAC, which unfortunately isn’t printed on the sticker. The QR also contains a manufacture date, which means we don’t have to figure out the date blocks ourselves! This is the first QR code that has an IMEI # on the sticker and QR code, so we are collecting those too. The sticker also has the ICC ID, which I will probably add data for next update.

Code:
('WIFI:S:Verizon_XTR9DB;T:WPA;P:spoon6-tun-swam;;ROUTER:M:ARC-XCI55AX;S:GRR22068010;D:07-13-2022;F:3.1.1.21;P:KS7BG6QZL;E:358598613057513;B:C899B2B1EBD4;;1',)

Currently, the data set contains 82 entries for ARC-XCI55AX!
The SSID and passwords follow the same pattern seen in the CR1000A/B.

SSID is Verizon_XXXXX where X is any char <A-Z><0-9> (This is slightly different from G3100/E3200)
SSID Passwords follow <word>-<word>-<word> with a single digit at the end of either of the first 2 words, but never the third.
Admin Passwords are 9 characters that are <A-Z><0-9>.
[Image: arc-xci55ax_ssid-png.38569]

From this sample we can gain some other info:
  • SSID passwords are mostly 15 characters long; I did catch one that was 14 characters in a higher serial number
  • Password <word>s are between 3 and 5 characters for the SSID Password (haven’t seen a 6 character word yet)
  • We don’t currently see 0, 1 or 2 in any of the SSID, SSID Password, or Admin Password.
  • HW versions are not printed on the device or QR code
  • Shipped firmware ranges from 3.1.1.14 to 3.2.0.7

Again we see a surprising number of MAC prefixes: 04.09.86, 18.58.80, 4C.22.F3, 54.B7.BD, 74.90.BC, 84.90.0A, A8.A2.37, AC.B6.87, BC.F8.7E, C8.99.B2, F4.CA.E7

Serial numbers are always 11 digits and start with 3 letters (ABU or GRR), followed by 8 digits. If we compare the MAC/Serial difference like before, we see these change in steps of 4 or 8. Hopefully I will be able to use the IMEI or Serial # to back-calculate the MAC address for images where we can’t read the QR code. These might help us better understand similar 11-digit serials on the G3100 and other devices.

[Image: attachment.php?aid=1281][Image: arc-xci55ax_c899b2_step-png.38572]


From the device teardown, we see that the CPU is a MediaTek MT6890 SoC, which is a quad-core Arm Cortex-A55 @ 2 GHz. The memory is Kingston 16EM16-M4CTB29 LPDDR4x eMCP (16 GB NAND eMMC 5.1 + 16 GB LPDDR4x RAM).

I wasn’t able to find any firmware links online. I did find information that suggests these devices are also used for “Straight Talk home internet” from Walmart. I think FWA55V5L is the correct model, but there isn’t much info on these. There was an issue with people registering the devices, so Walmart stopped distributing them.

I did find a Reddit post discussing an “Engineering Page” located at https://192.168.1.1/#/eng/ or https://mynetworksettings.com/#/eng/ which asks you for a password. This password is unrelated to both the admin password and the WPA-PSK.
  • Does anybody know what this password is, where to find it, or how to calculate it? Login credentials consisting of a password and a token are posted to /eng_auth.cgi as an application/x-www-form-urlencoded string like data=<password>&token=<hex string (MD5?)>
  • I'm noticing here that the CPE is connecting to an auto configuration server at https://hdm5g.vzwdm.com using the TR-069 CPE WAN Management Protocol. Is there any way to tell the CPE to connect to my own TR-069 server instead?
  • I'm assuming that ports 4567 and 4577 are related to the above CWMP implementation. Running openssl s_client -connect mynetworksettings.com:4577 returns certificate data, but fails to connect with the following error: sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1586:SSL alert number 40. The server certificate's subject name is my CPE's serial number, which is different from the SSL cert on port 443. Does anybody know for sure what these ports are for?

I tried to visit the engineering page on my G3100, and it brings up the admin login or, if logged in, a blank page, but still with the sidebar and everything. Visiting any made-up link such as https://192.168.1.1/#/fiend has a different behavior of loading a completely blank page, so I think there’s something there. Does anyone have any info on how to access this page?

[Image: attachment.php?aid=1278]

It’s also intriguing to me that this device has a secret USB-C port hidden behind a plastic panel... from the Reddit post above:
  • I'm assuming that ports 4567 and 4577 are related to the above CWMP implementation. Running openssl s_client -connect mynetworksettings.com:4577 returns certificate data, but fails to connect with the following error: sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1586:SSL alert number 40. The server certificate's subject name is my CPE's serial number, which is different from the SSL cert on port 443. Does anybody know for sure what these ports are for?
  • The hidden USB-C port on the bottom is, I believe, for firmware flashing. Plugging it into my Ubuntu laptop and turning on the CPE, the device gets recognized as VID 0E8D PID 2000, which is the MediaTek preloader. I've tried methods described here -> https://github.com/bkerler/mtkclient to crash the preloader and enter the bootrom. I can get it to be recognized as VID 0E8D PID 0003, but the process hangs from there. Has anybody had any luck accessing the modem through the USB-C port and running AT commands?


There are a few new entries to the CR1000 and Others sections, here’s the current breakdown:

G3100/E3200 - 384 entries
CR1000 A/B - 94 entries
ARC-XCI55AX - 83 entries
Other - 166 entries
Total - 727 entries

Please consider liking this post if you’ve read this far... it’s the only way I know that anyone else is here!


Attached Files
.png   AA621_Block.png (Size: 114.88 KB / Downloads: 32)
.jpeg   secret_usb.jpeg (Size: 119.72 KB / Downloads: 32)
.jpg   image_4192506895.jpg (Size: 332.64 KB / Downloads: 32)
.png   ARC-XCI55AX_step.png (Size: 114.71 KB / Downloads: 31)
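Added example, not the thread's own scraping script: a parser for the sticker QR payload format quoted in posts #14 (CR1000A) and #15 (ARC-XCI55AX), with a redaction routine a defender would run before a listing photo or decoded string is shared, since the sticker prints the WPA-PSK and admin password in clear. The two sample payloads are constructed after the decoded strings in those posts, and the backslash-escape handling generalises beyond them (the page's samples contain no escaped characters).

```python
"""Parse the sticker QR on Verizon CPE (CR1000A/B, ARC-XCI55AX) and redact the
credentials it carries.  Shape, as decoded in the posts: a standard WIFI: segment
then a vendor ROUTER: segment, each KEY:VALUE pairs ending in ';', a second ';'
closing the segment, and a bare trailer ('1').  Backslash escaping of \\ ; : , "
(standard WIFI-QR) is handled as a generalisation; the page's samples have none."""
import re

# Constructed samples, copied in shape from the decoded strings in the posts.
CR1000A_SAMPLE = ("WIFI:S:Verizon_WP4ZXC;T:WPA;P:bug-aged6-noun;;"
                  "ROUTER:M:CR1000A;S:ABV24234358;W:78670EA7007D;"
                  "I:admin;P:WNV33WG6C;;1")
ARC_SAMPLE = ("WIFI:S:Verizon_XTR9DB;T:WPA;P:spoon6-tun-swam;;"
              "ROUTER:M:ARC-XCI55AX;S:GRR22068010;D:07-13-2022;F:3.1.1.21;"
              "P:KS7BG6QZL;E:358598613057513;B:C899B2B1EBD4;;1")

# Secrets are replaced outright (no length leak); identifiers keep only the
# vendor/model prefix (OUI, serial letters, IMEI TAC) and mask the rest.
SECRETS = {("WIFI", "P"): "WPA-PSK", ("ROUTER", "P"): "admin password"}
IDENTIFIER_PREFIX = {("ROUTER", "S"): 3, ("ROUTER", "W"): 6,
                     ("ROUTER", "B"): 6, ("ROUTER", "E"): 8}


def parse_sticker_qr(payload: str) -> dict:
    """Return {'WIFI': {...}, 'ROUTER': {...}, 'trailer': '1'}."""
    out, i, n = {}, 0, len(payload)
    while i < n:
        colon = payload.find(":", i)
        if colon < 0:                      # no more segments: bare trailer
            out["trailer"] = payload[i:]
            break
        segment, fields = payload[i:colon], {}
        i, key, buf = colon + 1, None, []
        while i < n:
            ch = payload[i]
            if ch == "\\" and i + 1 < n:   # escaped literal inside key/value
                buf.append(payload[i + 1])
                i += 2
                continue
            if key is None:
                if ch == ":":              # end of key
                    key, buf = "".join(buf), []
                elif ch == ";":            # second ';' in a row: segment done
                    i += 1
                    break
                else:
                    buf.append(ch)
            elif ch == ";":                # end of value
                fields[key] = "".join(buf)
                key, buf = None, []
            else:
                buf.append(ch)
            i += 1
        out[segment] = fields
    return out


def _escape(value: str) -> str:            # re-apply WIFI-QR escaping on output
    return re.sub(r'([\\;:,"])', r"\\\1", value)


def exposed_fields(payload: str) -> list:
    """Name the credential material a photo of this sticker would disclose."""
    parsed = parse_sticker_qr(payload)
    return [label for (seg, key), label in SECRETS.items()
            if key in parsed.get(seg, {})]


def redact(payload: str) -> str:
    """Rebuild the payload with secrets removed and identifiers truncated."""
    parsed = parse_sticker_qr(payload)
    trailer, parts = parsed.pop("trailer", ""), []
    for segment, fields in parsed.items():
        body = []
        for key, value in fields.items():
            if (segment, key) in SECRETS:
                value = "REDACTED"
            elif (segment, key) in IDENTIFIER_PREFIX:
                keep = IDENTIFIER_PREFIX[(segment, key)]
                value = value[:keep] + "*" * (len(value) - keep)
            body.append(f"{key}:{_escape(value)};")
        parts.append(f"{segment}:{''.join(body)};")
    return "".join(parts) + trailer
```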