Keyspace List for WPA on Default Routers
I think I got the rounding in the 589 generator correct now.

Code:
void genpass589(uint32_t x, unsigned char *psk) {
static const char CHARSET[] = "abcdefghijkmnpqrstuvwxyz23456789#%+=?";
int i;

uint64_t one = x * 465661287.5245797; // thank you mrfancypants for finding this number

should be

Code:
void genpass589(uint32_t x, unsigned char *psk) {
static const char CHARSET[] = "abcdefghijkmnpqrstuvwxyz23456789#%+=?";
int i;

   uint64_t y = x;

y += y << 31;
unsigned long idx = 63 - __builtin_clzll(y);
if (idx > 52)
{
       y >>= idx - 52 - 1;
y = (y >> 1) + (y & 1);
y <<= idx - 52;
}
uint64_t one = double(y) * (double(1e18) / (1ull << 62));

The bit with __builtin_clzll it is mainly there to make sure that uint64_t to double rounding is performed correctly, which seems to fail without it on occasion. I'm not sure of the exact form this needs to take, I have about 70 collected passwords of the 589 type, of those only one fails without the if(), and all pass with the if().

And the parallel with the 599 generator is much clearer now. In the 599, the last line becomes
Code:
uint64_t one = double(y) * 2;

It may be safer to rewrite the whole thing in pure integers, so as not to rely on the behavior of the floating-point unit. It should go something like this (warning: completely untested code, don't have GCC here)

Code:
uint64_t do_rounding(uint64_t x)
{
            int idx = 63 - __builtin_clzll(x);
            if (idx > 52)
            {
                x >>= idx - 52 - 1;
                x = (x >> 1) + (x & 1);
                x <<= idx - 52;
            }
            return x;
}

void genpass589(uint32_t x, unsigned char *psk) {
static const char CHARSET[] = "abcdefghijkmnpqrstuvwxyz23456789#%+=?";
int i;

   uint64_t y = x;
   y = y + (y << 31);
   y = do_rounding(y);
   y = (uint64_t) ( ((__int128)y * (__int128)1000000000000000000ull) >> 61 );
   do_rounding(y);
   uint64_t one = y>>1;
(03-14-2018, 11:08 PM)fart-box Wrote: Acording to my research, regardless of manufacturer or model number, (NVG-589, NVG-599, NVG-510, or 5268ac), all ATT passwords are available from the same gigantic list of keys (the "encrypted" form of the password for lack of a better term). All we need are the proper divisors (or multipliers if you prefer that term).

As a bonus, when using keys, word lists can be built more precisely to target specific models, thus reducing crack time. And those same word lists can be tailored to cover the entire spectrum of possible candidates, rather than the 2,147,483,647 word limit you've set in your key-gen.

So I'm wondering, have you done any research along these lines?


I'm not sure I follow. Can you give an example?

I did a bit more research into 5268 but didn't reach any firm conclusions. There are some statistical anomalies in character frequencies, but I don't have enough passwords to be sure what (if anything) they mean.
(03-14-2018, 11:08 PM)fart-box Wrote:
(03-13-2018, 01:47 AM)mrfancypants Wrote: Am I missing anything?

Welcome back Mrfancypants! You've been missed! That was a great article you mentioned! Thank you!

Soxrok2212 failed to mention what I've been doing all of this time, and I doubt that anyone here has even taken the time to try to understand it, but I'm pretty sure YOU will understand it. Your math skills (or at least your pattern finding skills) are far superior to mine.

Acording to my research, regardless of manufacturer or model number, (NVG-589, NVG-599, NVG-510, or 5268ac), all ATT passwords are available from the same gigantic list of keys (the "encrypted" form of the password for lack of a better term). All we need are the proper divisors (or multipliers if you prefer that term).

As a bonus, when using keys, word lists can be built more precisely to target specific models, thus reducing crack time. And those same word lists can be tailored to cover the entire spectrum of possible candidates, rather than the 2,147,483,647 word limit you've set in your key-gen.

So I'm wondering, have you done any research along these lines?

(And Soxrok2212, should I give up waiting for that serial number file?)

Hi, 
Thanks for this wonderful gem. Did you find any correlation between the device's mac address and the password itself? 

I was doing the same kind of research on modems around my house from the same telco. But I have like 20 so its hard finding anything statistically worth mentioning. 

Also when you said from the same big list, do you have that big list Id be happy to see if I can figure out any patterns because my guess is they all do it the same way... but I just cant put my finger on it. 

The problem with trying to find patterns is the danger of actually finding patterns that arent even there or statistical anomaly or just too small of a sample. Anyways post more I like reading that type of stuff.
I tried looking to JTAG the 599 I have but there’s no headers soldered on at the factory. Tested a few points on the board but wasn’t able to draw any conclusions as to what they are.
I’ll add the new keygen at the next chance I get. I’ll look into the 599 again when I can but I’m super busy lately.
(04-02-2018, 01:02 AM)fart-box Wrote:
(03-28-2018, 01:22 AM)soxrok2212 Wrote: I’ll add the new keygen at the next chance I get. I’ll look into the 599 again when I can but I’m super busy lately.

I'm excited to try out the new math Mrfancypants provided. Thank you for your efforts.
It seems you and I are the only ones trying to solve this puzzle.

I’ll work in the new code to a test branch. Would just like to do some testing before I add changes into master. I’ll probably name it “fancy”. Later today try:

Code:
git checkout fancy
 
And it should get you the testing branch.

EDIT: It should be up now.
You can download the zip and compile with cygwin as an alternative. Anyways, I was just hoping you could pass in all your 589 and 599 Keys, run pskracker with this:
Code:
pskracker -t att -f | grep “known keys”
The pskracker command will run both the att keygens and then just pipe into grep for all your keys. Don’t need to run hashcat. Just very fun that all the ones you have are found.
(04-04-2018, 03:00 AM)fart-box Wrote:
(04-03-2018, 03:21 PM)soxrok2212 Wrote: You can download the zip and compile with cygwin as an alternative.

I've got cygwin on another computer, but like my Linux machine, it's busy working and wont be done for a long time.

Quote:Anyways, I was just hoping you could pass in all your 589 and 599 Keys...

Do you mean pass them in to pskracker, or share them with you? And do you mean "keys" or "passwords"?

Quote:... just pipe into grep for all your keys.

Again, do you mean "keys" or "passwords"?

I only ask because what I call a key looks like "37755494642808271" and what I call a password looks like "ah9u=s4a=wbk".

I meant passwords lol.
(04-05-2018, 08:42 PM)fart-box Wrote:
(04-03-2018, 03:21 PM)soxrok2212 Wrote: You can download the zip and compile with cygwin as an alternative.

Soxrok2212,

Sometimes I get stupid, so apologies in advance.

I found an old usb with a Linux distro on it so I booted up my laptop, typed in the command you specified to download fancy, and got:

  fatal: Not a git repository (or any of the parent directories): .git

So I added the URL to pskracker to the command and got the same error.

Will you please send a direct link to download the 'fancy' files in zip format? Also, I'd rather not install a test version of the program. Is there a gcc command to build a stand-alone version?

If you don't want this version to go public yet, feel free to just send a private message on this forum.

Thanks!

Hey sorry, I read this on my phone yesterday but forgot to respond on my PC. Here's a link to the fancy branch: https://github.com/soxrok2212/PSKracker/.../fancy.zip

By default, the makefile builds the program when you run "make", and then installs it to your system when you run "make install", so just don't run "make install". Just execute pskracker from the directory you have everything unzipped to with ./pskracker <options>
Arris TG2472 routers

SSID: 6 hex upper (e.g 89ABCD)

Observed key formats:
?u?d,?1BULACC3?d?d?d?d?d
?u?d,?12ULAED3?d?d?d?d?d
?u?d,?12ULAEG3?d?d?d?d?d
?u?d,?1BUL7583?d?d?d?d?d
?u?d,?1BUL6463?d?d?d?d?d
?u?d,?1BUL7BA3?d?d?d?d?d