@sfan5
Last active May 2, 2016 15:25
Bruteforces the brnboot command mode password (requires either broken, i.e. unbootable, firmware or manual resets)
#!/usr/bin/env python2
import time
import serial
class PasswordGen(object):
    """Position-by-position candidate generator for a prefix-checked password.

    The state is a fixed array of 16 charset indices plus a cursor naming the
    position currently being searched. ``next()`` renders the confirmed
    positions followed by the current guess for the cursor position, and
    ``feedback()`` either confirms that guess or moves on to the next
    character.

    NOTE(review): this strategy needs at most ``len(charset)`` guesses per
    position instead of ``len(charset) ** length`` overall. It only works
    against a checker that reveals whether each individual character was
    right; a checker that compares the whole password before answering gives
    no such per-position signal.
    """

    def __init__(self):
        # Lower-case, upper-case and digits: 62 symbols.
        self.charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        # One charset index per password position; 16 positions are allocated.
        self.cur_pw = [0] * 16
        # Index of the position currently being guessed.
        self.cur_i = 0

    def restore(self, pw):
        """Resume from an already confirmed prefix *pw*.

        The cursor is placed right after the prefix. Raises ``ValueError``
        (from ``str.index``) when *pw* contains a character outside the
        charset.
        """
        self.cur_i = len(pw)
        for pos, ch in enumerate(pw):
            self.cur_pw[pos] = self.charset.index(ch)

    def next(self):
        """Return the current candidate: confirmed prefix plus one guess.

        Calling this does not change any state; only ``feedback()`` does.
        """
        active = self.cur_pw[:self.cur_i + 1]
        return ''.join([self.charset[idx] for idx in active])

    def feedback(self, b):
        """Record the outcome of the last candidate.

        A truthy *b* confirms the guessed character and moves the cursor one
        position to the right. A falsy *b* selects the next charset symbol
        for the current position and raises ``BaseException`` once every
        symbol has been tried there.
        """
        if b:
            self.cur_i += 1
        else:
            slot = self.cur_i
            self.cur_pw[slot] += 1
            if self.cur_pw[slot] >= len(self.charset):
                raise BaseException("search space exhausted")
# Serial console of the device; the 0.25 s read timeout is also what the
# inner loop below uses to tell "no reply yet" from "rejected".
port = serial.Serial("/dev/ttyAMA0", baudrate=115200, timeout=0.25)
pgen = PasswordGen()
pgen.restore('khmMyGm') # Speedport W303V Typ A, not full pw but this script fails to proceed

# One iteration of the outer loop consumes one line of console output. Each
# password attempt needs a fresh boot prompt, so the device has to restart
# between attempts (see the description: unbootable firmware or manual resets).
while True:
    line = ""
    # iter() with a sentinel keeps reading single characters until '\n'.
    for ch in iter(port.read, '\n'):
        if ch == '\r': # comes before \n, ignored
            continue
        line += ch
        # The prompt is not newline-terminated, so it has to be detected
        # while the line is still being assembled.
        if not line.endswith("to enter command mode ..."):
            continue

        port.write(" ")
        port.readline() # " 123\r\n"
        candidate = pgen.next()
        print("trying '%s'" % candidate)
        port.write(candidate)

        # NOTE(review): the loop treats a read timeout as "prefix accepted"
        # and a newline as "rejected", which relies on the bootloader
        # answering differently per character. A reply that arrives later
        # than the 0.25 s timeout would be indistinguishable from a match.
        accepted = False
        for ch in iter(port.read, '\n'):
            if ch == '': # still waiting on input -> pw correct so far
                accepted = True
                print("correct!!")
                break
        pgen.feedback(accepted)
        break
    print("<< " + line)