Last active
May 2, 2016 15:25
Brute-forces the brnboot command-mode password (requires either broken (unbootable) firmware or manual resets)
#!/usr/bin/env python2 | |
import time | |
import serial | |
class PasswordGen(object):
    """Produce password candidates one character position at a time.

    State is a list of charset indices (``cur_pw``, 16 slots) plus the index
    of the position currently being searched (``cur_i``).  ``next()`` returns
    the prefix up to and including that position, and ``feedback()`` either
    moves on to the next position or selects the next character at the
    current one.

    At most ``len(charset)`` candidates are tried per position, so the search
    is linear in the password length.  That only works against a target that
    reveals whether a prefix is correct so far; a check that evaluates the
    complete input and answers uniformly for every wrong guess gives this
    generator no signal to follow.
    """

    def __init__(self):
        self.charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        # One charset index per password position; only 16 slots exist.
        self.cur_pw = [0] * 16
        self.cur_i = 0

    def restore(self, pw):
        """Resume the search after the already-known prefix ``pw``.

        Raises ValueError if ``pw`` contains a character outside the charset
        and IndexError if it is longer than the 16 allocated slots.
        """
        self.cur_i = len(pw)
        for pos, ch in enumerate(pw):
            self.cur_pw[pos] = self.charset.index(ch)

    def next(self):
        """Return the current candidate: positions 0 through ``cur_i``."""
        end = self.cur_i + 1
        letters = [self.charset[idx] for idx in self.cur_pw[:end]]
        return ''.join(letters)

    def feedback(self, b):
        """Record the outcome of the last candidate.

        A true ``b`` means the candidate was accepted so far, so the search
        advances to the next position.  A false ``b`` selects the next
        character at the current position and raises BaseException once the
        charset is used up there.  There is no backtracking to earlier
        positions and no bounds check on ``cur_i``.
        """
        if not b:
            self.cur_pw[self.cur_i] += 1
            if self.cur_pw[self.cur_i] >= len(self.charset):
                raise BaseException("search space exhausted")
            return
        self.cur_i += 1
# Serial console of the target board.  With timeout=0.25 a read that sees no
# byte within 0.25 s returns an empty string, which the response check below
# relies on.
port = serial.Serial("/dev/ttyAMA0", baudrate=115200, timeout=0.25)
pgen = PasswordGen()
# Resume from a known prefix for a Speedport W303V Typ A.  Per the author this
# is not the full password, but the script fails to proceed beyond it.
pgen.restore('khmMyGm')

while True:
    line = ""
    # Collect console output one byte at a time until a newline or the
    # command-mode prompt, which is matched mid-line.
    while True:
        ch = port.read()
        if ch == '\r':  # arrives before \n and is dropped
            continue
        if ch == '\n':
            break
        line += ch
        if not line.endswith("to enter command mode ..."):
            continue
        # Prompt seen: send a space, then discard one line of device output
        # (the author's example of that line is " 123\r\n").
        port.write(" ")
        port.readline()
        candidate = pgen.next()
        print("trying '%s'" % candidate)
        port.write(candidate)
        accepted = False
        # The only signal used is whether the device prints a line or stays
        # silent until the read times out; silence is taken to mean it is
        # still waiting for input, i.e. the prefix is correct so far.
        while True:
            ch = port.read()
            if ch == '\n':
                break
            if ch == '':
                accepted = True
                print("correct!!")
                break
        pgen.feedback(accepted)
        break
    print("<< " + line)