Keyspace List for WPA on Default Routers
add one more router to the list

HUAWEI-B315-XXXX [0-9A-Z][len11]
TelstraXXXX [0-9][len10]
anyone have the default keyspace for honhaipr routers?
The password printed on a wireless router is a default, but it looks secure. For various reasons, ISPs restrict the keyspace of the passwords that are present on the routers. Google cache is helpful to you, as most of the info was borrowed from the routerkeygenPC GitHub project. One can go for a wireless modem and get help from key generator sites like allkeysgenerator.com for hassle-free solutions.
Sapphire_XXXXX [0-9][len8]

Also, most users can't seem to figure out how to change the default PSK, as the process isn't very intuitive. FYI, these are 4G pucks that are popular throughout the Middle East.
In regards to the ATT Pace algorithm, I’ve found some leads in the firmware here: https://mirrors.napshome.net/ATTGatewayF....pkgstream

I’ve only had a few minutes to look, but do a quick grep for “default_key” and you may be able to catch onto my drift. I’ll try to look at it more ASAP.
Hi soxrok2212.
Did a quick binwalk, unsquashfs and radare2 on some files and noticed that the values are retrieved from the board:
ls /sys/module/board/parameters/*.*
or by debugsys --info

squashfs-root/usr/lib/libwifi.so will use/print those values.
squashfs-root/usr/bin/get_diags_tar.sh retrieves the s/n, for example.

squashfs-root/etc/rm.conf contains possible dummy values:
[post]
enabled=no
url=http://192.168.2.50/req-new.php
agent=AirTies Remote Monitor/0.01
bootcounter=2134
mac=aa:4d:23:54:cf:16
productID=215322134
serial=at2241507000102
period=60000

There are also some certs inside the pkgstream.
(06-28-2017, 03:19 AM)mrfancypants Wrote: I've finally worked out part of the algorithm for 589/599. Not enough to crack it (in fact, with what I worked out, it's totally possible that it's [effectively] uncrackable because they feed it from a RNG), but enough to understand how passwords are being constructed.

Consider the following. Actual parameters of an NVG599 off eBay:

SSID: ATTn3f64I2
Wireless key: nyrip9=c5bgv
Access key: 18?/72@@<3
Second SSID: vATTvb%g?<&c
Second wireless key: #h,t)0(ZUwI0

Looks random, right? Now watch:

Code:
# 56 symbols: digits 2-9 plus letters, with L/O and l/o left out
ssid_charset='23456789ABCDEFGHIJKMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz'
# 37 symbols: lowercase without l/o, digits 2-9, and five punctuation marks
pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'
# 90 symbols: printable punctuation (no '>'), digits and both letter cases
ext_charset='!"#$%&\'()*+,-./:;<=?@[]_`{|}0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

def intpw(x):
    # read the 12-character wireless key as a big-endian base-37 number
    val=0
    for n in range(0,12):
        val+=pw_charset.find(x[n])*(37**(11-n))
    if (val%8)==7:
        val+=37**12
    return val

def intssid(x):
    # read the 7 characters after the 'ATT' prefix as a base-56 number
    val=0
    for n in range(0,7):
        val+=ssid_charset.find(x[n+3])*(56**(6-n))
    return val

def int_ext(x):
    # read any string over the extended charset as a base-90 number
    val=0
    for n in range(0,len(x)):
        val+=ext_charset.find(x[n])*(90**(len(x)-1-n))
    return val

>>> '%x' % intssid('ATTn3f64I2')
'13c2a3ea400'
>>> '%x' % intpw('nyrip9=c5bgv')
'7a7b4bbbf4f69800'
>>> '%x' % int_ext("b%g?<&c")
'1f71654cac80'
>>> '%x' % int_ext("#h,t)0")
'3d6180c00'
>>> '%x' % int_ext("(ZUwI0")
'a98a65dc0'

I'll let you meditate on this for now and I'll explain later (hint: consider positions of top and bottom set bits in '7a7b...')

Given that the sha1 of the serial number is used to generate the vATT SSID, there has to be a correlation if mrfancypants was able to recover everything here. The script I found is useful somehow, and sha1 with the serial HAS to be used to generate the keys.

If only we had the serial number from that eBay sticker... I *might* have a way to recover it.
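The thread describes each default key as a charset plus a length, and the quoted post hints at the top and bottom set bits of the encoded NVG599 values. The following Python is an added example, not code from this thread, that turns both observations into numbers a network owner can act on: the nominal keyspace of each listed pattern, and the width in bits between the highest and lowest set bit of the posted values. The pattern charsets are my reading of the thread's "[0-9A-Z][len11]" notation, the function names are my own, and the NVG599 charsets, SSID and key are copied from the quoted post.

```python
import math

# Pattern list transcribed from this thread: (label, charset, key length).
# Labels are the thread's; the charsets are my reading of its notation.
DEFAULT_KEY_PATTERNS = [
    ("HUAWEI-B315-XXXX", "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ", 11),
    ("TelstraXXXX", "0123456789", 10),
    ("Sapphire_XXXXX", "0123456789", 8),
]

# Charsets exactly as posted for the NVG599 example (56 and 37 symbols).
SSID_CHARSET = "23456789ABCDEFGHIJKMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz"
PW_CHARSET = "abcdefghijkmnpqrstuvwxyz23456789#%+=?"


def keyspace_bits(charset, length):
    """Entropy in bits if every position were drawn uniformly from charset."""
    return length * math.log2(len(charset))


def encode_base(text, charset):
    """Read text as a big-endian integer in base len(charset)."""
    value = 0
    for ch in text:
        digit = charset.find(ch)
        if digit < 0:
            raise ValueError(f"{ch!r} is not in the charset")
        value = value * len(charset) + digit
    return value


def nvg599_key_int(key):
    """Same arithmetic as the thread's intpw(): base-37 value, plus 37**12
    when value % 8 == 7. Present only to reproduce the posted hex value."""
    value = encode_base(key, PW_CHARSET)
    if value % 8 == 7:
        value += 37 ** 12
    return value


def effective_bits(value):
    """Width between the highest and lowest set bit (the 'top and bottom set
    bits' the quoted post hints at). Trailing zero bits carry no entropy, so
    this bounds the information the encoded value can hold."""
    if value == 0:
        return 0
    top = value.bit_length() - 1
    bottom = (value & -value).bit_length() - 1
    return top - bottom + 1


def audit_patterns(patterns=DEFAULT_KEY_PATTERNS):
    """Return (label, candidate count, nominal bits) for each listed pattern."""
    return [(label, len(cs) ** n, round(keyspace_bits(cs, n), 1))
            for label, cs, n in patterns]


if __name__ == "__main__":
    for label, count, bits in audit_patterns():
        print(f"{label:20s} {count:>20d} candidates  ~{bits} bits")
    # NVG599 values from the thread: the raw charsets suggest 56**7 and 37**12
    # possibilities, but the encoded integers are narrower than that.
    ssid_val = encode_base("ATTn3f64I2"[3:], SSID_CHARSET)
    key_val = nvg599_key_int("nyrip9=c5bgv")
    print(f"SSID suffix  0x{ssid_val:x}: {effective_bits(ssid_val)} effective bits "
          f"of a nominal {keyspace_bits(SSID_CHARSET, 7):.1f}")
    print(f"Wireless key 0x{key_val:x}: {effective_bits(key_val)} effective bits "
          f"of a nominal {keyspace_bits(PW_CHARSET, 12):.1f}")
```

Run as a script it prints, for the listed patterns, keyspaces of roughly 57, 33 and 27 bits, far below the ~128 bits a randomly generated passphrase gives, and shows the posted NVG599 SSID and key occupying 31 and 52 bits between their outermost set bits, against nominal widths of 40.6 and 62.5. Whatever the generator turns out to be, replacing the factory PSK with one the owner chose removes the dependency on it.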
Regarding the 5268ac...

My conclusion was exactly that. However, Soxrok2212 (and nobody else) was ever able to provide a serial number file as requested.

The serial number file is run through sha1, then the hash from that operation is used to generate the password. I've completely reverse engineered the process (except for the sha1 function itself, of course) with great results, but without proper input, (a serial number file), my results are useless.

Knowing the layout and contents of the serial number file is the key to this crack. Knowing what's in that file will result in a proper sha1 output, and thus, the proper keys. And keep in mind, it is the FILE that feeds sha1, NOT just the serial number.
(09-06-2018, 02:04 AM)fart-box Wrote: Regarding the 5268ac...

My conclusion was exactly that. However, Soxrok2212 (and nobody else) was ever able to provide a serial number file as requested.

The serial number file is run through sha1, then the hash from that operation is used to generate the password. I've completely reverse engineered the process (except for the sha1 function itself, of course) with great results, but without proper input, (a serial number file), my results are useless.

Knowing the layout and contents of the serial number file is the key to this crack. Knowing what's in that file will result in a proper sha1 output, and thus, the proper keys. And keep in mind, it is the FILE that feeds sha1, NOT just the serial number.

The other bad news is it seems that I've lost my 599... I can't, for the life of me, remember where I put it so for now, it's not likely that I can even examine that file.