We are still looking into RTL816x chipset. We have have some information about how the nonce might be 'built'. However it's still not enough to implement a feasible bruteforce.
Thanks,waiting for it..also I would like to share some data regarding some vulnerable routers and chipsets (about 6 ) ,where can I submit the data?