@parthibx24
Last active June 28, 2023 10:17

Xiaomi AX5/RA67/AX1800 (qca_hostapd v2.9-devel)

  • Default Configuration Behaviors

    | WPS STATE   | PBC     | PIN      | NACK MSG (wpa_supplicant) |
    |-------------|---------|----------|---------------------------|
    | ENABLED (2) | TRIGGER | DISABLED | msg=5 config_error=15     |

    • wps_ap_setup_locked = 0/null
    • Responds to all WPS PIN attempts with an error (WPS_FAIL msg=5 config_error=15)
    • Doesn't lock out WPS (even after brute-forcing PINs)
    • PBC can be triggered by software (hostapd_cli wps_pbc)
  • PIN-Manually-Enabled Behavior (hostapd_cli wps_ap_pin random)

    | WPS STATE   | PBC     | PIN     | NACK MSG (wpa_supplicant) |
    |-------------|---------|---------|---------------------------|
    | ENABLED (2) | TRIGGER | ENABLED | msg=8 config_error=18     |

    • Responds to wrong PINs with (WPS_FAIL msg=8 config_error=18)
    • Locks the AP after a few attempts; subsequent PINs error out with (WPS_FAIL msg=5 config_error=15) (maybe has a short limit, ~10 PINs/30 s)
    • Turns PIN mode off after 5 min (default timeout of the wps_ap_pin command)
  • PIN MODE HIDDEN LOCK DETECTION

    • NACK/WPS_FAIL msg
       # 15 = Setup Locked, 18 = Auth Fail (WPS Spec <2.0.58)
       (wps_fail_config_error == 15 && wps_ap_setup_locked != 1)
       The AP doesn't accept PINs if the NACK carries error 15 and the AP isn't WPS-locked.
       If the AP does accept PINs, it'll send msg=8 with the NACK.
    • BruteForce
       Brute-force random PINs. An AP with PIN mode disabled won't lock out.
       (prepare some DoS technique beforehand, otherwise some APs will stay locked for a long time)
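As an added example (not part of the gist), the same msg/config_error pairs read from the AP side: a defender watching the router's own hostapd event log can decode each WPS-FAIL NACK and flag a burst of PIN failures before the built-in lockout kicks in. The timestamped line format, the window/threshold values and the sample log below are constructed assumptions, not output from the device.

```python
import re
from collections import deque

# config_error meanings observed in the notes above (WPS Spec < 2.0.58 numbering)
CONFIG_ERROR = {15: "Setup Locked", 18: "Auth Fail"}

# Assumed format: "<epoch-seconds>: <3>WPS-FAIL msg=N config_error=M" (hostapd -t style prefix)
EVENT_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?).*?WPS-FAIL\s+msg=(?P<msg>\d+)\s+config_error=(?P<err>\d+)"
)

def parse_event(line):
    """Return (timestamp, msg, config_error) for a WPS-FAIL line, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return float(m.group("ts")), int(m.group("msg")), int(m.group("err"))

def classify(msg, err):
    """Map a NACK (msg, config_error) pair to the AP PIN state described in the notes."""
    if msg == 8 and err == 18:
        return "pin mode ON: wrong PIN (" + CONFIG_ERROR[err] + ")"
    if msg == 5 and err == 15:
        return "pin mode OFF or AP locked (" + CONFIG_ERROR[err] + ")"
    return "unknown NACK msg=%d config_error=%d" % (msg, err)

def detect_bruteforce(lines, window=30.0, threshold=10):
    """Sliding-window count of WPS-FAIL events; returns (ts, count, state) for each
    event at which at least `threshold` failures fell inside `window` seconds."""
    recent = deque()   # timestamps of failures inside the current window
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, msg, err = ev
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ts, len(recent), classify(msg, err)))
    return alerts

# Constructed sample: 12 wrong-PIN NACKs two seconds apart, then the AP locking itself.
SAMPLE_LOG = [f"{1687946200 + i * 2}.000: <3>WPS-FAIL msg=8 config_error=18" for i in range(12)]
SAMPLE_LOG += ["1687946300.000: <3>WPS-FAIL msg=5 config_error=15",
               "1687946301.000: <3>WPS-AP-SETUP-LOCKED"]

if __name__ == "__main__":
    for ts, n, state in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts:.0f}: {n} WPS-FAIL events in window -> {state}")
```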

Conclusion:

WPS PIN connect is disabled by default, but the AP still replies to WPS PIN attempts even though it's going to deny everything. (How do I know it's not simply using a different PIN? It doesn't lock out even after multiple failed attempts, whereas when WPS PIN connect is turned on it goes WPS-AP-SETUP-LOCKED after a few attempts.) The NACK code is different when PIN connect is on. The AP locks after 2-5 PIN attempts (WPS-AP-SETUP-LOCKED) and unlocks after a while (WPS-AP-SETUP-UNLOCKED) (~30-40 s). The AP turns off PIN mode automatically after a while (WPS-AP-PIN-DISABLED) (5 min after turning it on with hostapd_cli wps_ap_pin random).
