2 Generate Broadcom CFE seeds and passwords for many popular modem/router devices
4 Copyright 2015 TJ <hacker@iam.tj>
5 Licenced on the terms of the GNU General Public Licence version 3
9 gcc -o cfe_gen_pass cfe_generate_password.c
17 ./cfe_gen_pass [options]
19 This tool can generate passwords for use with many devices that contain
20 Broadcom Common Firmware Environment (CFE) bootbase which has a debug mode
21 that is enabled using the "ATEN 1 XXXXXXXX" command, where XXXXXXXX is an
22 eight digit hexadecimal 'password'.
24 It is NOT necessary to have the device generate a 'seed' using "ATSE [MODEL-ID]"
25 because this tool can generate the seed from the device's first (base) MAC address
26 *provided* the "ATSE" command has NOT been executed since the device last booted.
28 Access to the device's console via a serial UART port is required to enter the password.
30 So, for a device with base MAC address (reported by the CFE during boot) E.g:
32 CFE version 1.0.38-112.118 for BCM963268 (32bit,SP,BE)
34 Base MAC Address : ec:43:f6:46:c0:80
36 *** Press any key to stop auto run (1 seconds) ***
41 ./cfe_gen_pass -s ec:43:f6:46:c0:80 -p
43 MAC address: ec:43:f6:46:c0:80 Timestamp: 000000 Seed: 00000046c080 Password: 10f0a563
49 *** command status = 0
51 The tool can accept a timestamp as 6 hexadecimal characters (useful for testing the algorithm):
53 ./cfe_gen_pass -t 0FF020 -s ec:43:f6:46:c0:80 -p
55 MAC address: ec:43:f6:46:c0:80 Timestamp: 0FF020 Seed: 0FF02046c080 Password: 110f65a3
63 static const float VERSION = 1.0f;
64 static const size_t TIMESTAMP_SIZE = 6;
65 static const size_t SEED_SIZE = 12;
66 static const size_t PASSWORD_SIZE = 8;
67 static const size_t MESSAGE_SIZE = 128;
72 fprintf(stderr, "%s\n",
75 " -s 00:01:02:03:04:05 create seed from MAC address\n"
76 " -t 000000 millisecond timestamp since boot\n"
77 " -p [SEED] generate password (with optional seed)\n\n"
78 " E.g. -s 01:02:03:04:05 \n"
79 " -s 01:02:03:04:05 -p\n"
85 pr_error_exit(unsigned int usage, const char *error, ...)
88 char error_message[MESSAGE_SIZE];
92 va_start(args, error);
93 (void) vsnprintf(error_message, MESSAGE_SIZE, error, args);
95 fprintf(stderr, "Error: %s\n", error_message);
97 if (usage) pr_usage();
102 static const unsigned int passwords[8] = {
114 generate_seed(char *mac, char *timestamp, char *seed)
116 unsigned int result = 0;
117 if (mac && strlen(mac) == 17) {
119 char *mac_ptr = mac + 9;
120 size_t ts_len = strlen(timestamp);
121 for (i = 0; i <= SEED_SIZE; ++i) {
122 /* if no timestamp assume CFE get_time() returned 0 and CFE g_pw_timestamp == 0x00000000 */
124 seed[i] = ts_len ? timestamp[i] : '0';
126 if (*mac_ptr == ':' || *mac_ptr == '-')
128 seed[i] = *mac_ptr++;
133 pr_error_exit(0, "MAC-ADDR should be 17 characters, e.g: 00:01:02:03:04:05");
139 generate_pass(char *seed, char *password)
141 unsigned int result = 0;
143 if (seed && strlen(seed) == 12) {
144 unsigned int timestamp, byte, key, pass;
145 timestamp = byte = 0;
146 if(! sscanf(seed, "%06x", ×tamp))
147 pr_error_exit(1, "unable to parse seed's timestamp");
148 if (! sscanf(&seed[10], "%02x", &byte))
149 pr_error_exit(1, "unable to parse seed's MAC address");
151 pass = (passwords[key] + timestamp) ^ timestamp;
152 snprintf(password, PASSWORD_SIZE + 1, "%08x", pass);
155 pr_error_exit(0, "Seed should be %d hex characters", SEED_SIZE);
161 main(int argc, char **argv, char **env)
170 char *MAC_ADDR = NULL;
171 char timestamp[TIMESTAMP_SIZE + 1];
172 char seed[SEED_SIZE + 1];
173 char password[PASSWORD_SIZE + 1];
174 unsigned int opt_seed, opt_pass, opt_ts;
175 seed[0] = password[0] = 0;
176 seed[SEED_SIZE] = password[PASSWORD_SIZE] = timestamp[TIMESTAMP_SIZE] = 0;
177 opt_seed = opt_pass = opt_ts = 0;
178 strncpy(timestamp, "000000", TIMESTAMP_SIZE);
180 for (arg = 1; arg < (unsigned) argc; ++arg) {
181 size_t arg_len = strlen(argv[arg]);
183 if (argv[arg][0] == '-') {
184 switch (argv[arg][1]) {
195 fprintf(stderr, "Version: %0.2f\n", VERSION);
197 } else if (opt_seed == 1) {
198 MAC_ADDR = argv[arg];
200 } else if (opt_pass == 1 && opt_seed == 0) {
201 if (arg_len != SEED_SIZE)
202 pr_error_exit(1, "seed length must be %d characters", SEED_SIZE);
204 strncpy(seed, argv[arg], SEED_SIZE);
206 } else if (opt_ts == 1) {
207 if (arg_len != TIMESTAMP_SIZE)
208 pr_error_exit(1, "timestamp length must be %d characters", TIMESTAMP_SIZE);
210 strncpy(timestamp, argv[arg], TIMESTAMP_SIZE);
214 if (! opt_seed && ! opt_pass)
216 else if (opt_seed && opt_seed != 2)
217 pr_error_exit(1, "seed requires MAC-ADDRESS");
218 else if (! opt_seed && opt_pass && opt_pass != 2)
219 pr_error_exit(1, "password on its own requires a pre-generated seed");
220 else if (opt_seed && opt_pass && opt_pass != 1)
221 pr_error_exit(1, "generating seed and password; cannot also accept pre-generated seed");
222 else if (opt_ts == 1)
223 pr_error_exit(0, "missing timestamp; assuming 000000");
227 if (! generate_seed(MAC_ADDR, timestamp, seed))
228 pr_error_exit(1, "unable to generate seed; aborting");
230 if (! generate_pass(seed, password))
231 pr_error_exit(0, "unable to generate password");
233 printf("MAC address: %s Timestamp: %s Seed: %s Password: %s\n", MAC_ADDR, timestamp, seed, password);