hsam123 / android-thomson-key-solver

Automatically exported from code.google.com/p/android-thomson-key-solver

New Calculation for WLAN_xx routers ( telefonica ) #7

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
WifiNetwork.java --> add this

static enum TYPE {
    THOMSON, DLINK, DISCUS, VERIZON, EIRCOM, PIRELLI, TELSEY, ALICE, WLAN4, HUAWEI, WLAN2
};

-------------

if (ssid.startsWith("WLAN_") && ssid.length() == 7
        && (mac.startsWith("00:01:38")
            || mac.startsWith("00:16:38")
            || mac.startsWith("00:01:13")
            || mac.startsWith("00:01:1B")
            || mac.startsWith("00:19:5B")))
        // 00:01:38:.. 00:16:38:.. 00:01:13:.. and 01:1B:11
{
    // keep the "xx" part of WLAN_xx for the key calculation
    ssidSubpart = ssid.substring(ssid.length() - 2);
    type = TYPE.WLAN2;
    return true;
}

-----

I also attach the Wlan2Keygen.java file

Original issue reported on code.google.com by kampan...@gmail.com on 14 Feb 2011 at 10:10

Attachments:

GoogleCodeExporter commented 8 years ago
It's an enhancement, not a problem, sorry for the mistake.

Original comment by kampan...@gmail.com on 14 Feb 2011 at 10:11

GoogleCodeExporter commented 8 years ago
Have you tested an apk with this patch applied?

Original comment by ruka.araujo on 14 Feb 2011 at 1:23

GoogleCodeExporter commented 8 years ago
Also could you point us where to find this algorithm?

Also what I meant with the previous comment was if you tested the application 
with your changes on a real phone and if it worked as we cannot test it 
directly.

Original comment by ruka.araujo on 14 Feb 2011 at 1:26

GoogleCodeExporter commented 8 years ago
Yes, of course. It gets the key, but I've tested with two WLAN_xx, available 
by MAC, and it gives me the correct key, but I cannot get an IP, I think DHCP 
is disabled. But the method works, I found it at 
http://foro.elhacker.net/hacking_wireless/vaya_vaya_solucion_wep_de_las_wlanxx_para_las_dlinkwireless-t169964.0.html
and just translated it to Java and added it to your source.

Original comment by kampan...@gmail.com on 14 Feb 2011 at 1:29

GoogleCodeExporter commented 8 years ago
Cool! :)

Ok, I did find that algorithm a few days ago, but I didn't implement it as I 
couldn't be sure it worked perfectly. One thing though, were there a few 
different possibilities? 
According to this generator, 
http://tubalmartin.googlecode.com/svn/trunk/html/EWFInet.html, sometimes the 
last octet changes.

And although my Spanish isn't that good, I understood from the forum that both 
possibilities were usable. Can you check on this?

Original comment by ruka.araujo on 14 Feb 2011 at 1:37

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
Yes, I'm Spanish, my English is not so good but I think you will understand me 
quite well.

The two possibilities are implemented in my algorithm. I catch the subSSID (the 
xx in WLAN_xx) and then look at the first character. If it is not a number (> 9 
in hex: A, B, C, D, E), then it subtracts 1 from the hex value of the 6th byte 
of the MAC at the first position of the key (considering the MAC as 
112233445566, the key would then start with 65....)

If the first character of the subSSID is a number, then nothing is changed in 
the key.

Original comment by kampan...@gmail.com on 14 Feb 2011 at 2:56

GoogleCodeExporter commented 8 years ago
Ok cool. I will add it in a minute. How do you want to be credited in the 
commit? kampanita?

It also seems there is a known algorithm for ONO networks, can you comment 
on that? 

By the way, don't worry about your English. ;)

Original comment by ruka.araujo on 14 Feb 2011 at 3:12

GoogleCodeExporter commented 8 years ago
Don't worry about the credits ;)
I'm searching for more info about ONO networks, if I find something I'll tell you.
Also, I would reconsider putting this in svn at this moment, because I cannot 
confirm that the algorithm is working 100%. I could not get an IP from 2 WLAN_XX 
with known MACs, so I'm not sure that it's the correct one.

I can confirm that 
-WLAN_4x and JAZZTEL_4x ones go well. 
-vodafoneXXXXX (Huawei) do not, 
-SpeedTouchXXXXX (Thomson) make the apk crash (I did not install the dictionary, 
but it shouldn't crash for that reason, no?)
-I did not test any more because there are no such kinds of wifis in my country, 
so I cannot confirm anything more.

Original comment by kampan...@gmail.com on 14 Feb 2011 at 3:20

GoogleCodeExporter commented 8 years ago
Hmmm. First do you know the Huawei models from Vodafone?

What mobile phone do you have?
And is the crash consistent?

I will put it in the svn. I can take it out for release in a very simple way.

Original comment by ruka.araujo on 14 Feb 2011 at 3:26

GoogleCodeExporter commented 8 years ago
The version that you are using is it compiled by you or from the Market?

I ask this because the Market tells us when someone crashes the application and 
we get a report but I got nothing new this week.

Original comment by ruka.araujo on 14 Feb 2011 at 3:27

GoogleCodeExporter commented 8 years ago
I've been looking at the source code of the Huawei keygen. I didn't know them, 
the only algo I knew until finding you was the jazztel_xxxx and wlan_xxxx one (I 
have done it for Windows) 
https://sites.google.com/site/almacenkampanita/WLanDecrypter.zip?attredirects=0&d=1

I was doing my own Android project just for implementing this one, and looking 
for some help with the wifi scanner, I found you here ;) ;)...and I 
thought...uhmm...a good point for starting my own app. But when I was going to 
code my class I saw that yours was implementing it already!. Then I saw this 
wlan_xx algorithm so I decided to include it in your code. Also I've modded the 
icons (green/red ic_vulnerable), but only for my own use, don't worry about that.

Original comment by kampan...@gmail.com on 14 Feb 2011 at 3:32

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
I forgot to say that here I can see some vodafoneXXXXX that are supposed to be 
Huawei ones, looking at the first 3 bytes of the MAC, so they are "vulnerable" 
as your code says, but the calculated key is not the correct one (WPA warns 
about this when trying to connect using the key).

It could be that Vodafone modified something in the original algorithm for Huawei.

I own a Sony Ericsson X10 mini.

The apk that is crashing when SpeedTouch is selected is mine, not the Market's 
one. I couldn't get it from the Market...don't know why, but the barcode scanner 
link to the market is not working for me. 

Original comment by kampan...@gmail.com on 14 Feb 2011 at 3:38

GoogleCodeExporter commented 8 years ago
Okay, maybe they did. The MAC code selection is not conservative at all, that's 
why we warn that we only tested against some INFINITUM ssids.

Where did you scan it from?

Use this link, it always works. ;)
https://market.android.com/details?id=org.exobel.routerkeygen

Could you uninstall your version and test with the Market one?

Original comment by ruka.araujo on 14 Feb 2011 at 3:47

GoogleCodeExporter commented 8 years ago
                case WLAN2:
                    // use the new WLAN_xx calculator for this router type
                    RouterKeygen.this.calculator = new Wlan2Keygen(
                            RouterKeygen.this);
                    break;
                }

(you must include this in RouterKeygen.java in the onCreate method) ...I forgot 
this too, sorry (surely you knew this ;) ;))

I also have translated strings.xml to Spanish, maybe you also want it.

Original comment by kampan...@gmail.com on 14 Feb 2011 at 3:51

Attachments:

GoogleCodeExporter commented 8 years ago
I already added it to svn and idd that but thanks anyway.

We are always interested in translation.

Original comment by ruka.araujo on 14 Feb 2011 at 3:55

GoogleCodeExporter commented 8 years ago
Ok, I can install the Market one and say something, but not at this moment, I'm 
at work right now (over 30 km away from the "vodafone"/SpeedTouch test). My 
scan was done in the north of Spain, near Bilbao (Basque Country), at my home.

But I didn't make any change to that part, I only included the new class 
Wlan2Keygen, and made the necessary changes to the app to work with this new 
type of router. Nothing more was modded (...well, the UI part, icons and 
translation of text, but nothing important to the substantial part other than 
the inclusion of wlan_2x)

Original comment by kampan...@gmail.com on 14 Feb 2011 at 3:55

GoogleCodeExporter commented 8 years ago
Just one more thing....Change the ISO for the strings_ES.xml, it's coded in 
ISO-8859-15 (Latin extended), and the file that I attached before was in 
UTF-8, sorry for that (it just works 100% ok as is, but using ISO-8859-15 is 
the correct one)

Original comment by kampan...@gmail.com on 14 Feb 2011 at 4:01

GoogleCodeExporter commented 8 years ago
Your app with UI modded http://img262.imageshack.us/i/routerkeygen.jpg/
My first approach ( just before finding your app ) 
http://img40.imageshack.us/i/jazzdroid.jpg/  ( ListActivity without icons...a 
simple Edit Text was used to show ESSID-BSSID-level-Key)

Original comment by kampan...@gmail.com on 14 Feb 2011 at 4:08

GoogleCodeExporter commented 8 years ago
Did you do the UI mod? I can not really see it that well. Use Shootme form the 
market to take screenshots, it's really great. :)

Original comment by ruka.araujo on 14 Feb 2011 at 4:18

GoogleCodeExporter commented 8 years ago
ONO algorithm (I'll try to code it and will give you feedback about it)

The ESSID is something like this:
p1xxxxxx0000x 

Then we must ADD 1 to the last value of the ESSID. 
For example: ESSID p123503800006 works with passphrase: p123503800007

Generating a WEP pass for this passphrase (just pass each character from string 
to hex) we get 10C409F81ACA0EC03EDD0917B3 (that is the 128 bit key) and 
....these are 4 possible keys of 64 bits (1: 6EDDCD3873, 2: BE99C6318F, 3: 
498AAA161E, 4: 0F4BDE04E4)

The correct one is always the first one: 6EDDCD3873

Functions used to get the correct key:

// needs an MD5 helper providing hex_md5(string) -> lowercase hex digest,
// as in the common md5.js library (not included here)

// repeats val until it fills 64 characters (cut at 64)
function padTo64(val)
{
    var ret = "";
    var x;
    var rep;
    rep = 1 + (64 / (val.length));
    for (x = 0; x < rep; x++)
    {
        ret = ret + val;
    }
    return ret.substring(0, 64);
}

// 128-bit key: MD5 of the padded passphrase, first 26 hex digits
function wepkey128(val)
{
    var ret = hex_md5(padTo64(val));
    ret = ret.substring(0, 26);
    return ret.toUpperCase(); 
}

// converts one byte to a 2 chars hex string
function bin2hex(val)
{
    var hex = "0123456789ABCDEF";
    var result = "";
    var index;
    index = (val >> 4) & 0x0f;
    result = result + hex.substring(index, index + 1);
    index = val & 0x0f;
    result = result + hex.substring(index, index + 1);
    return result;
}

// 64-bit keys: XOR the passphrase into a 32-bit seed, then pull 20 bytes
// from the LCG x = x * 0x343fd + 0x269ec3 (mod 2^32), 5 bytes per key
function wepkey64(val)
{
    var pseed = new Array(4);
    pseed[0] = 0; pseed[1] = 0; pseed[2] = 0; pseed[3] = 0;
    var randNumber;
    var k64 = new Array(4);
    k64[0] = ""; k64[1] = ""; k64[2] = ""; k64[3] = "";
    var i, j, tmp;
    for (i = 0; i < val.length; i++)
    {
        pseed[i % 4] ^= val.charCodeAt(i);
    }
    randNumber = pseed[0] | (pseed[1] << 8) | (pseed[2] << 16) | (pseed[3] << 24);
    for (i = 0; i < 4; i++)
    {
        for (j = 0; j < 5; j++)
        {
            randNumber = (randNumber * 0x343fd + 0x269ec3) & 0xffffffff;
            tmp = (randNumber >> 16) & 0xff;   // bits 16..23 of the state
            k64[i] += bin2hex(tmp);
        }
    }
    return k64;
}

sources:

http://foro.elhacker.net/hacking_wireless/desencriptando_wep_por_defecto_de_las_redes_ono_wifi_instantaneamente-t160928.0.html#ixzz1DwzyQdlg

http://www.wepkey.com/

Original comment by kampan...@gmail.com on 14 Feb 2011 at 4:31

GoogleCodeExporter commented 8 years ago
Cool,do you want committer rights?

Original comment by ruka.araujo on 14 Feb 2011 at 4:39

GoogleCodeExporter commented 8 years ago
And yes I did the UI mod, I just put new icons (a red cross for unavailable, and 
a green V for available). Also changed the weak_, medium_ and verystrong_ ones, 
and changed the text color of the MAC and ESSID EditText items, because they 
looked bad on my phone.

I tried to use Shootme, but the photo is "moved".... :( , if you want, I also 
can attach the icons I used ;)

Original comment by kampan...@gmail.com on 14 Feb 2011 at 4:51

GoogleCodeExporter commented 8 years ago
No thanks -- The project is yours :)

Original comment by kampan...@gmail.com on 14 Feb 2011 at 4:53

GoogleCodeExporter commented 8 years ago
Last comment for today ;) ( i'm going home now ).

I used this md5 function in my first attempt (JazzDroid), it is shorter than 
yours, maybe you would like to have it for other projects

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public static final String md5(final String s) {
        try {
            // Create MD5 hash of the string's bytes (platform default charset)
            MessageDigest digest = MessageDigest.getInstance("MD5");
            digest.update(s.getBytes());
            byte[] messageDigest = digest.digest();
            // Render the digest as lowercase hex, two digits per byte
            StringBuilder hexString = new StringBuilder();
            for (int i = 0; i < messageDigest.length; i++) {
                String h = Integer.toHexString(0xFF & messageDigest[i]);
                while (h.length() < 2)
                    h = "0" + h;
                hexString.append(h);
            }
            return hexString.toString();
        } catch (NoSuchAlgorithmException e) {
            // MD5 is mandatory in every Java runtime, so this should not happen
            e.printStackTrace();
        }
        return "";
    }

Original comment by kampan...@gmail.com on 14 Feb 2011 at 4:57

GoogleCodeExporter commented 8 years ago
http://img208.imageshack.us/i/snapshot1zs.jpg/

Original comment by kampan...@gmail.com on 14 Feb 2011 at 6:48

Attachments:

GoogleCodeExporter commented 8 years ago
And you also play piano? :o
But this isn't the place to discuss all sort of things - I was thinking we 
could create a group to openly discuss the project ideas and direction.

So, voila Android Router Keygen Development group is born:
http://groups.google.com/group/android-router-keygen-development

Original comment by invent00r@gmail.com on 14 Feb 2011 at 7:11

GoogleCodeExporter commented 8 years ago
I play a little piano, also guitar : http://www.youtube.com/kampanitak ;)

Original comment by kampan...@gmail.com on 14 Feb 2011 at 7:33

GoogleCodeExporter commented 8 years ago
I love Heavy Metal ;) http://www.youtube.com/watch?v=GjUrRj7Vd28

Original comment by kampan...@gmail.com on 14 Feb 2011 at 7:34

GoogleCodeExporter commented 8 years ago
Ok, I have added support for those ONO networks.

Could I ask you to review your translation as we added a few strings and we 
would love to have a 100% Spanish translation in the next release, which is 
probably happening Monday. Even so, I will add it as is now.

Btw we fixed some bugs in ThomsonKeygen, if you could test with the same network 
that caused the crash that would be great.

Original comment by ruka.araujo on 19 Feb 2011 at 11:43

GoogleCodeExporter commented 8 years ago
Hi, thank you very much.
I can help you with strings.xml for the Spanish translation.

Could you pass me the file to be checked?

I saw the one that is in SVN and it's ok, is it the final one?

Agurrak, Kampanita
___________________________

       -=Yo soy Keyser Söze=-
 -=Nucleo Duro del KnD-Taldea=-

Original comment by kampan...@gmail.com on 21 Feb 2011 at 9:09

GoogleCodeExporter commented 8 years ago
Ok, one is your translation with minor changes and the other one is the most 
recent original English file. The new strings are at the end of the file so it 
is really easy to check which are new.

Thanks for your help.

Btw, I know why your own build crashed with a Speedtouch, you have to build the 
native part first. ;)

Original comment by ruka.araujo on 21 Feb 2011 at 2:58

Attachments:

GoogleCodeExporter commented 8 years ago
Hi! This is the translation file.
Yes, I have compiled the JNI part, and it's working now... ;)

Original comment by kampan...@gmail.com on 21 Feb 2011 at 3:27

Attachments:

GoogleCodeExporter commented 8 years ago
That was fast. 
We are launching today an update. Stay tuned! ;)

Thanks for your help. May I bother you again for our next release?

And btw if you find any new algorithm that doesn't need stuff like sniffing 
packets, make sure you open an issue here. :)

Original comment by ruka.araujo on 21 Feb 2011 at 3:33

GoogleCodeExporter commented 8 years ago
Yes of course. You do not bother me at all.
If I find more stuff about other routers, I will update the info here, don't 
worry!

Also, if you need my icons for the updated UI, just ask for them, I can upload 
them here too, they are only a red cross, a green V sign, and the stuff for the 
wifi level.

Original comment by kampan...@gmail.com on 21 Feb 2011 at 3:55

GoogleCodeExporter commented 8 years ago
You can upload them if you wish although I cannot promise you to use them. :P

Thanks for your help.

Original comment by ruka.araujo on 21 Feb 2011 at 3:58

GoogleCodeExporter commented 8 years ago
Ok,

We are launching another update.
Could you translate a few more strings?
They are marked with a very obvious tag. ;)

Thanks for your help.

Original comment by ruka.araujo on 14 Mar 2011 at 3:19

Attachments:

GoogleCodeExporter commented 8 years ago
No problem, I left it here.

Original comment by kampan...@gmail.com on 14 Mar 2011 at 7:56

Attachments:

GoogleCodeExporter commented 8 years ago
Could you give us your real name for credit purposes?

Original comment by ruka.araujo on 14 Mar 2011 at 10:21

GoogleCodeExporter commented 8 years ago
Hi, yes,

My real name is Jon Kepa Uriarte

Agurrak, Kampanita
___________________________

       -=Yo soy Keyser Söze=-
 -=Nucleo Duro del KnD-Taldea=-

Original comment by kampan...@gmail.com on 14 Mar 2011 at 10:44

GoogleCodeExporter commented 8 years ago
I forgot to tell you but we reorganized our string files so they are divided by 
section. In each section there are strings to be translated. ;)

You only did the error messages.

Original comment by ruka.araujo on 14 Mar 2011 at 3:18

GoogleCodeExporter commented 8 years ago
Sorry!! ....I left the corrected one here.

Original comment by kampan...@gmail.com on 14 Mar 2011 at 3:30

Attachments:

GoogleCodeExporter commented 8 years ago
Hi again.

If I can bother you again, we have a few more strings to be translated. 

Thanks for all your help.

Original comment by ruka.araujo on 17 Jul 2011 at 12:22

Attachments:

GoogleCodeExporter commented 8 years ago
Well this time someone already did your work, so you don't have to worry. ;)

Original comment by ruka.araujo on 17 Jul 2011 at 8:14