Created
March 13, 2017 14:46
-
-
Save kost/abaf5f7bbd2e8f466714900b3b0607e4 to your computer and use it in GitHub Desktop.
Calculate Bootbase/bootext secret for debug commands (ATEN 1,xxxx) - Zyxel, Huawei, ZTE, etc. - similar to zynpass but working for larger devices
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
Calculate Bootbase/bootext secret for debug commands | |
Zyxel, Huawei, ZTE, etc. | |
Usage: | |
$ gcc zynsecrets.c -o zynsecrets | |
$ ./zynsecrets 000102030403 | |
Copyright (C) Kost, https://gist.github.com/kost | |
*/ | |
#include <stdio.h> | |
#include <stdlib.h> /* for exit() */ | |
#include <stdint.h> /* uint types */ | |
#include <limits.h> /* for CHAR_BIT */ | |
#include <string.h> | |
/* https://en.wikipedia.org/wiki/Circular_shift#Implementing_circular_shifts */ | |
uint32_t rotr32 (uint32_t value, unsigned int count) { | |
const unsigned int mask = (CHAR_BIT*sizeof(value)-1); | |
count &= mask; | |
return (value>>count) | (value<<( (-count) & mask )); | |
} | |
/* Zyn secret generation */ | |
uint32_t calc_secret(uint32_t seed, uint8_t mac, uint32_t magic) { | |
uint32_t b = seed & 0x00FFFFFF; | |
uint32_t r = rotr32(b + magic, mac & 7); | |
return r^b; | |
} | |
void givehelp (char *prg) { | |
printf("%s: <seed> [mac] [magic]\n",prg); | |
printf("Example: %s 010203040506\n",prg); | |
printf("Example: %s 010203040506 AB\n",prg); | |
printf("Example: %s 010203040506 AB A11F5AC6\n",prg); | |
exit(1); | |
} | |
int main (int argc, char *argv[]) { | |
char *fullseed=NULL; | |
uint32_t res; | |
uint32_t mac=0; | |
uint32_t seed=0; | |
uint32_t magic=0; | |
char seedch[7], macch[3]; | |
int i; | |
if (argc<2) { | |
givehelp(argv[0]); | |
} else { | |
if (strcmp(argv[1],"--help")==0 || strcmp(argv[1],"-h")==0) { | |
givehelp(argv[0]); | |
} | |
fullseed=argv[1]; | |
strncpy (seedch, argv[1], 6); | |
seed=strtol(seedch, NULL, 16); | |
strncpy (macch, fullseed + strlen(fullseed) - 2, 2); | |
mac=strtol(macch, NULL, 16); | |
magic=0x10F0A563; | |
} | |
if (argc>2) { | |
sscanf(argv[2],"%X",&mac); | |
magic=0xA11F5AC6; | |
} | |
if (argc>3) { | |
sscanf(argv[3],"%X",&magic); | |
} | |
fprintf(stderr,"Args: "); | |
for (i=1; i< argc; i++) { | |
fprintf(stderr,"%s ",argv[i]); | |
} | |
fprintf(stderr,"\n"); | |
fprintf (stderr,"Seed: %08X\n", seed); | |
fprintf (stderr,"Mac: %08X\n", mac); | |
fprintf (stderr,"Magic: %08X\n", magic); | |
fprintf (stderr,"\n"); | |
res = calc_secret(seed,mac,magic); | |
printf("%X\n", res); | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment