Hi there!

Originally Posted by dragood

You missed some points.
In his presentation Dominique spoke about 2 flaws:
1) E-S1 = E-S2 = 0, and that is just for the Ralink chipset and was indeed the first stuff that was coded (because, indeed, it doesn't require extra brute force of the seed)
2) Then wiire found the way to code the second breach revealed by Dominique: some Broadcom devices for which we know the "interval" used to define the seed (cracked immediately)
In the meantime soxrok2212 sent Dominique data from Realtek chipsets because we saw that the same PKE was used in his two routers and in my two routers with Realtek... all four routers from different manufacturers with different firmwares (but all of it comes from the SDK for the rtl819x project that developers use to build their firmware)
And Dominique found out a third breach:
3) for these Realtek chipsets the exact time in seconds is used as a seed in the DH key exchange process - or it is the time of the last build. (Brute force required from the exact time (in seconds) back to 1970 < don't ask me why, but for some routers it was found that 1970 was used as the seed.)
wiire coded everything and we have all the stuff in hand to "pixie-dust" and also to create custom code to try a different interval.
cheers
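The third breach above comes down to a registrar seeding its nonce generator with a clock value in whole seconds, so the nonce is determined by a seed space of only a couple of billion values instead of the 2^128 a random nonce should have. The following Python is an added illustration of that failure mode from the implementer's side, not code from this thread or from pixiewps: `weak_nonce` is a hypothetical generator that reproduces the time-seeded pattern the post describes, `strong_nonce` is the fix (take the nonce straight from the OS CSPRNG), and `weak_seed_space` counts how many candidate seeds a second-granularity timestamp between 1970 and "now" actually leaves. Nothing here models a real chipset's PRNG; it only shows why a clock is not a key.

```python
import math
import os
import random
import time


def weak_nonce(seed_seconds: int) -> bytes:
    """Hypothetical weak generator (constructed for this example):
    a 128-bit WPS-style nonce drawn from a PRNG seeded with a timestamp in
    whole seconds. Two nonces generated in the same second are identical,
    and every nonce is a pure function of a small integer."""
    rng = random.Random(seed_seconds)
    return rng.getrandbits(128).to_bytes(16, "big")


def strong_nonce() -> bytes:
    """Hardened generator: 128 bits from the OS CSPRNG, no seed to recover."""
    return os.urandom(16)


def weak_seed_space(now_seconds: int, epoch_seconds: int = 0) -> int:
    """Number of candidate seeds when the seed is a second-granularity clock
    value between the Unix epoch (1970) and now_seconds, inclusive.
    For a current clock this is roughly 2^31 candidates; a real 128-bit nonce
    would need 2^128."""
    return now_seconds - epoch_seconds + 1


def seed_space_bits(now_seconds: int, epoch_seconds: int = 0) -> float:
    """Effective entropy of the weak scheme in bits."""
    return math.log2(weak_seed_space(now_seconds, epoch_seconds))


def nonces_collide(generate, trials: int = 2) -> bool:
    """True if calling generate() `trials` times yields fewer distinct values
    than calls, i.e. the generator repeated itself."""
    return len({generate() for _ in range(trials)}) < trials


if __name__ == "__main__":
    now = int(time.time())
    # Same second, same nonce: the weak generator is fully predictable.
    print("weak nonce repeats within a second:",
          nonces_collide(lambda: weak_nonce(now)))
    print("weak seed space bits:", round(seed_space_bits(now), 1))
    # The CSPRNG-backed generator does not repeat.
    print("strong nonce repeats in 10 draws:",
          nonces_collide(strong_nonce, 10))
```

The point for anyone writing or reviewing a registrar: a nonce that is a function of wall-clock seconds or a build timestamp has at most about 31 bits of uncertainty, and the only fix is to source E-S1 and E-S2 (and the enrollee's nonces) from a properly seeded CSPRNG.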