It seems that the DG934 passphrase is created using the same method, but SHA1SUM instead of MD5SUM (SHA1 = 40 char string, same algo as before).
; SKY DG834GT decoder v1.0
; 6th May 2009
; Ref: (no url yet)
; Please note that the following is sloppy coding, my brain is fried. I didn't actually
; achieve any result by viewing the MIPS assembler functions of the router binaries, but this is
; where I started: I have Ubuntu installed and the QEMU emulator, running MIPS (Debian)
; Snip (no url yet)
; (The Debian Etch MIPS small) - rest of the instructions are on that page.
; Once up and running I install GDB and place the SKY router binary 'RC' (usr/sbin/rc) on a webserver
; where I can 'wget' it to the emulated MIPS environment. The binaries for the router can be found
; here: (snip)
; The file you're after is: DG834GT-1SKUK (For Firmware Version 1.02.28) - within that archive
; is target.tar.bz2 - unpack that and you'll find the RC binary.
; You'll also have to copy some libs over from that target archive to your /lib/ directory...
; else the RC binary will appear to not function.
; Make sure to CHMOD 777 the libs and RC binary.
; After failing badly to understand any of the code of RC using GDB,
; I found another way. In the QEMU emulator I renamed my MD5SUM to MD5SUM2, then copied
; my 'more' command to 'MD5SUM' (find them using the 'whereis' command). Effectively, this lets
; GDB run the RC file without creating an MD5SUM. You create it yourself. It still calls MD5SUM, but
; doesn't realise it's calling 'more' instead. So what it's doing is echoing your personalised MAC
; file to itself and creating the password/phrase/etc into the newly created nvram file. With this
; method you can trial and error to find algorithm combinations.
; GDB: shell echo -n 00000000000000000000000000000000 >mac
; GDB: file rc
; GDB: start
; GDB: jump EzPassword
; GDB: shell more nvram
; To get this to work correctly you have to type 'start' in GDB before every attempt. Values for
; nvram include: EzPassword, EzSSID, EzChannel, EzPassphrase (all of which can be jumped to, see above)
; Purebasic source requires Droopy Library for hex2dec function
; Window functions derived from public domain source by 'Kale'.
; DG934G v2 SKY router uses the serial on the router itself,
; which is added to the tmp/mac file as: 1a1b1c2a2d2f-12345678...
; (I think!) - trying this out on norm360's data brings the correct
; password etc but not the correct Passphrase. Working on it.
; Ref: (snip)
; Haven't looked at the v3 router yet.
; I think this is all right, my brain is mince, as I said.
; The following is to set the window/button setup
; which I can't explain well, since I took and modified the code
; from public domain archives
#Window_0 = 0
#Window_1 = 1
#Gadget_0 = 0
#Gadget_1 = 1
#Gadget_2 = 2
#Gadget_3 = 3
#Gadget_4 = 4
#Gadget_5 = 5
#Gadget_6 = 6
#Gadget_7 = 7
existingText.s = GetGadgetText(#Gadget_0)
If existingText = ""
SetGadgetText(#Gadget_0, existingText + Chr(13) + Chr(10) + GetGadgetText(#Gadget_1))
lines = SendMessage_(GadgetID(0),#EM_GETLINECOUNT,0,0)
SendMessage_(GadgetID(#Gadget_0), #EM_LINESCROLL, 0, lines)
If OpenWindow(#Window_0, 5, 5, 690, 300, "Sky v1.0 - DG834GT", #PB_Window_MinimizeGadget | #PB_Window_MaximizeGadget | #PB_Window_SystemMenu | #PB_Window_ScreenCentered )
EditorGadget(#Gadget_0, 5, 5, 680, 254, #ES_MULTILINE | #ES_AUTOVSCROLL | #ES_AUTOHSCROLL | #WS_VSCROLL )
StringGadget(#Gadget_1, 5, 270, 250, 21, "")
ButtonGadget(#Gadget_2, 270, 270, 65, 22, "Go")
ButtonGadget(#Gadget_3, 340, 270, 65, 22, "Info")
ButtonGadget(#Gadget_4, 410, 270, 65, 22, "Null1")
ButtonGadget(#Gadget_5, 480, 270, 65, 22, "Null2")
ButtonGadget(#Gadget_6, 550, 270, 65, 22, "Null3")
ButtonGadget(#Gadget_7, 620, 270, 65, 22, "Null4")
Event = WaitWindowEvent()
; Button Go is pressed
If GetGadgetText(#Gadget_1) <> ""
; Button Read Me is pressed
mystring.s = PeekS(?source)
Until Event = #PB_Event_CloseWindow
pro:; Main routine to grab everything from the hash
; Uppercases your mac and removes the : colons if entered
; No other checks on the mac are done in this version
; Purebasic inbuilt md5sum routine
; If doing an MD5SUM in Linux, create your /tmp/mac file with
; echo -n 1a2b3c4d5e6f >mac - Make sure to use the n flag
; This takes 5 double-char hex characters from the MAC
; starting with position 1 - example (MD5SUM for 112233445566):
; eb341820cd3a3485461a61b1e97d31b1 - split this to
; eb 34 18 20 cd
; Then split from position 15, 10 characters again:
; 85 46 1a 61 b1
; I then converted the first five to decimal, then
; the second five and added eb + 85, 34 + 46, etc
; Converted them back to hex and then converting again to 2-digit hex
; (first sum of eb + 85 = 170, so becomes 70)
; Place all of your 5 sums together in one line to
; create the password:
; 70 7a 32 81 7e -> 707a32817e
; I did try adding eb341820cd + 85461a61b1 but the result
; was wrong, maybe it was my math, or the routine, or maybe
; it just can't be done that way, I don't know.
; The following creates an array for easy lookup of the Passphrase.
; 00 = A, 01 = B, 02 = C, etc until Z is reached,
; then we kick back to A: 19 = Z, 1a = A, 1b = B
; The 8 hex values for the Passphrase can be found in the hash
; at these locations:
; Position 3,7,11,15,19,23,27,31 - an example using 1's and 0's,
; where the 1's are the Passphrase hex values:
; So if the above MD5SUM = 00990011001100110011001100110011
; Then via the array-lookup, the Passphrase is: XRRRRRRR
; X=99, R=11
For i = 0 To 255
If a=91 : a=65 :EndIf
; The SSID array is created as above, where
; a hex value of 00=0 and 09=9. When it reaches 9
; the array kicks back to 0, so 0a = 0
; The hex positions in the MD5SUM are found
; at 23,25,27,29,31
; Example: 0102031a1b = 12367
For i = 0 To 255
If a=58 : a=48 :EndIf
; Channel array same as above, but it appears
; they only use channels 1,6 and 11 - so the array
; creates 00=1, 01=6, 02=11, 03=1, 04=6, etc.
; Channel hex in the MD5SUM is found at position 31 (last two
; characters of the MD5SUM)
For i = 0 To 255
If a>12 : a=1 :EndIf
; Dump them all into variables
; Dump all of the above into a shorter single line with breaks
; Reset some stuff
; Includes this source file into the Purebasic executable
source : IncludeBinary "source.txt" + Chr(0)
phrasearray : IncludeBinary "phrasearray.txt" + Chr(0)
ssidarray : IncludeBinary "ssidarray.txt" + Chr(0)
channelarray : IncludeBinary "channelarray.txt" + Chr(0)
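
The byte-wise addition described in the comments above, and why adding eb341820cd + 85461a61b1 as one number gives a different result, shown as an added Python example (not part of the original post or its PureBasic source). The function names are made up for this illustration; the digest is the post's own example value.

```python
# Added illustration (not the post's PureBasic): the byte-wise sum the post
# describes for the password, next to the single wide addition it says failed.

def hex_pairs(hex_str):
    """Split a hex string into a list of byte values, two hex chars each."""
    if len(hex_str) % 2:
        raise ValueError("hex string must have an even length")
    return [int(hex_str[i:i + 2], 16) for i in range(0, len(hex_str), 2)]

def bytewise_sum(a_hex, b_hex):
    """Add matching bytes and keep only the low 8 bits of each sum (no carry)."""
    a, b = hex_pairs(a_hex), hex_pairs(b_hex)
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return "".join(f"{(x + y) & 0xFF:02x}" for x, y in zip(a, b))

def wide_sum(a_hex, b_hex):
    """Add the operands as whole integers, truncated to the operand width."""
    width = len(a_hex)
    total = (int(a_hex, 16) + int(b_hex, 16)) % (16 ** width)
    return f"{total:0{width}x}"

def carried_bytes(a_hex, b_hex):
    """Indexes (0 = leftmost) of result bytes that received a carry in the wide sum."""
    bw = hex_pairs(bytewise_sum(a_hex, b_hex))
    ws = hex_pairs(wide_sum(a_hex, b_hex))
    return [i for i, (p, q) in enumerate(zip(bw, ws)) if p != q]

def password_from_digest(digest):
    """Post's rule: hex chars at positions 1-10 plus those at positions 15-24 (1-based)."""
    return bytewise_sum(digest[0:10], digest[14:24])

# The post's own example digest (its MD5SUM for 112233445566).
EXAMPLE_DIGEST = "eb341820cd3a3485461a61b1e97d31b1"

if __name__ == "__main__":
    first, second = EXAMPLE_DIGEST[0:10], EXAMPLE_DIGEST[14:24]
    print("byte-wise:", bytewise_sum(first, second))
    print("wide     :", wide_sum(first, second))
    print("bytes changed by a carry:", carried_bytes(first, second))
```

In the wide addition the overflow from cd + b1 carries into the next byte, so 20 + 61 becomes 82 instead of 81; the byte-wise method discards every carry.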