1 static const char *title = \
2 "Generate Broadcom CFE seeds and passwords for many popular modem/router devices\n"
4 static const float VERSION = 1.3f;
6 static const char *copyright = \
7 "Copyright 2015 TJ <hacker@iam.tj>\n"
8 "Licenced on the terms of the GNU General Public Licence version 3\n"
11 static const char *help = \
12 "This tool can generate passwords for use with many devices that contain Broadcom Common Firmware Environment (CFE) bootbase which has a debug mode that is enabled using the 'ATEN 1 XXXXXXXX' command, where XXXXXXXX is an eight digit hexadecimal 'password'.\n\n"
14 "It is NOT necessary to have the device generate a 'seed' using 'ATSE [MODEL-ID]' because this tool can generate the seed from the device's first (base) MAC address.\n\n"
16 "When the device generates a seed it combines the number of seconds since 1970-01-01 00:00:00 with the router MAC address. Both are encoded in a single 6-byte hexadecimal number\n\n"
18 "Each value is truncated to its 3 least significant bytes so, for example:\n\n"
20 " $ date +%F.%T; echo \"obase=16;$(date +%s)\" | bc\n"
21 " 2016-03-26.23:06:32\n"
24 "and MAC Address: EC:43:F6:46:C0:80\n\n"
26 "becomes F715F8 concatenated with 46C080\n\n"
28 " CFE> ATSE DSL-2492GNAU-B1BC\n"
29 " F715F846C080 <<<< last 3 bytes of MAC address\n"
31 " seconds since 1970-01-01 00:00:00 (2016-03-26 23:06:32)\n\n"
33 "*NOTE: the default seed after power-up is 000000 so no time value needs to be specifed if 'ATSE <model-id-string>' has not been executed on the device.\n\n"
35 "Access to the device's console via a serial UART port, or a network telnet/ssh session, is required to enter the password.\n\n"
37 "So, for a device with base MAC address (reported by the CFE during boot) E.g:\n\n"
39 " CFE version 1.0.38-112.118 for BCM963268 (32bit,SP,BE)\n"
41 " Base MAC Address : ec:43:f6:46:c0:80\n"
43 " *** Press any key to stop auto run (1 seconds) ***\n"
46 "Using this tool do:\n\n"
48 " ./cfe_gen_pass -s ec:43:f6:46:c0:80 -p\n\n"
50 " MAC address: ec:43:f6:46:c0:80 Timestamp: 000000 Seed: 00000046c080 Password: 10f0a563\n\n"
52 "And on the device do:\n\n"
54 " CFE> ATEN 1 10f0a563\n"
56 " *** command status = 0\n\n"
58 "The tool can accept a timestamp as 8 hexadecimal characters (useful for testing the algorithm):\n\n"
60 " ./cfe_gen_pass -t 0FF020 -s ec:43:f6:46:c0:80 -p\n\n"
62 "MAC address: ec:43:f6:46:c0:80 Timestamp: 0FF020 Seed: 0FF02046c080 Password: 110f65a3\n\n"
71 static const size_t TIMESTAMP_SIZE = 8;
72 static const size_t SEED_SIZE = 12;
73 static const size_t PASSWORD_SIZE = 8;
74 static const size_t MESSAGE_SIZE = 128;
75 static const size_t MAC_ADDR_SIZE = 17;
76 static const size_t DATESTRING_SIZE = 20;
84 " -s 00:01:02:03:04:05 create seed from MAC address\n"
85 " -t [00000000] seconds since 1970-01-01 (defaults to NOW) \n"
86 " -p [SEED] generate password (with optional seed)\n"
87 " -h show additional help\n"
95 pr_error_exit(unsigned int usage, const char *error, ...)
98 char error_message[MESSAGE_SIZE + 1];
102 va_start(args, error);
103 (void) vsnprintf(error_message, MESSAGE_SIZE + 1, error, args);
105 fprintf(stderr, "Error: %s\n", error_message);
107 if (usage) pr_usage(usage);
112 static const unsigned int passwords[8] = {
124 generate_seed(char *mac, char *timestamp, char *seed)
126 unsigned int result = 0;
127 if (mac && strlen(mac) == MAC_ADDR_SIZE) {
129 char *mac_ptr = mac + 9;
130 size_t ts_len = strlen(timestamp);
131 if (ts_len == TIMESTAMP_SIZE) {
132 for (i = 0; i < SEED_SIZE; ++i) {
133 if (i < 6) // first half of seed is the truncated timestamp
134 seed[i] = timestamp[i+2];
135 else { // second half is the truncated MAC address
136 if (*mac_ptr == ':' || *mac_ptr == '-')
138 seed[i] = *mac_ptr++;
143 pr_error_exit(0, "Timestamp ('%s') should be %d hexadecimal characters e.g: 56F715F8", timestamp, TIMESTAMP_SIZE);
145 pr_error_exit(0, "MAC-ADDR should be %d characters, e.g: 00:01:02:03:04:05", MAC_ADDR_SIZE);
151 generate_pass(char *seed, char *password)
153 unsigned int result = 0;
155 if (seed && strlen(seed) == SEED_SIZE) {
156 unsigned int timestamp, byte, key, pass;
157 timestamp = byte = 0;
158 if(! sscanf(seed, "%06x", ×tamp))
159 pr_error_exit(1, "unable to parse seed's timestamp");
160 if (! sscanf(&seed[10], "%02x", &byte))
161 pr_error_exit(1, "unable to parse seed's MAC address");
163 pass = (passwords[key] + timestamp) ^ timestamp;
164 snprintf(password, PASSWORD_SIZE + 1, "%08x", pass);
167 pr_error_exit(0, "Seed should be %d hex characters", SEED_SIZE);
173 main(int argc, char **argv, char **env)
182 char *MAC_ADDR = NULL;
183 char timestamp[TIMESTAMP_SIZE + 1];
184 char seed[SEED_SIZE + 1];
185 char password[PASSWORD_SIZE + 1];
186 char date_string[DATESTRING_SIZE + 1];
187 unsigned int opt_seed, opt_pass, opt_ts;
190 seed[0] = password[0] = timestamp[0] = 0;
191 seed[SEED_SIZE] = password[PASSWORD_SIZE] = 0;
192 opt_seed = opt_pass = opt_ts = 0;
193 strncpy(timestamp, "00000000", TIMESTAMP_SIZE + 1);
195 fprintf(stderr, "%s\nVersion: %0.2f\n%s\n", title, VERSION, copyright);
197 for (arg = 1; arg < (unsigned) argc; ++arg) {
198 size_t arg_len = strlen(argv[arg]);
200 if (argv[arg][0] == '-') {
201 switch (argv[arg][1]) {
215 fprintf(stderr, "Version: %0.2f\n", VERSION);
217 } else if (opt_seed == 1) {
218 MAC_ADDR = argv[arg];
220 } else if (opt_pass == 1 && opt_seed == 0) {
221 if (arg_len != SEED_SIZE)
222 pr_error_exit(1, "seed length must be %d characters", SEED_SIZE);
224 strncpy(seed, argv[arg], SEED_SIZE);
226 } else if (opt_ts == 1) {
227 if (arg_len != TIMESTAMP_SIZE)
228 pr_error_exit(1, "timestamp length must be %d hexadecimal characters", TIMESTAMP_SIZE);
230 strncpy(timestamp, argv[arg], TIMESTAMP_SIZE);
234 if (! opt_seed && ! opt_pass)
236 else if (opt_seed && opt_seed != 2)
237 pr_error_exit(1, "seed requires MAC-ADDRESS");
238 else if (! opt_seed && opt_pass && opt_pass != 2)
239 pr_error_exit(1, "password on its own requires a pre-generated seed");
240 else if (opt_seed && opt_pass && opt_pass != 1)
241 pr_error_exit(1, "generating seed and password; cannot also accept pre-generated seed");
242 else if (opt_pass == 2 && opt_ts)
243 pr_error_exit(1, "seed already contains a timestamp; cannot over-ride it");
244 else if (opt_ts == 1 || opt_pass == 2) { // no timestamp provided; use NOW
247 snprintf(timestamp, TIMESTAMP_SIZE + 1, "%08lX", ts);
250 if (opt_pass == 2) { // try to figure out the correct date-time from the seed
251 // inherits the most significant 2 characters from the NOW time
252 strncpy(timestamp+2, seed, 6);
254 if (sscanf(timestamp, "%08lx", &tmp))
255 if (tmp > ts-3600 && tmp < ts+3600) // timestamps are so close they must be for the same date
259 if(opt_ts) { // ts needs to be valid to be converted to a time string
260 if(! sscanf(timestamp, "%08lx", &ts))
261 pr_error_exit(1, "converting timestamp string ('%s') to number", timestamp);
264 strftime(date_string, DATESTRING_SIZE, "%F %T", t);
267 if (! generate_seed(MAC_ADDR, timestamp, seed))
268 pr_error_exit(1, "unable to generate seed; aborting");
270 if (! generate_pass(seed, password))
271 pr_error_exit(0, "unable to generate password");
273 if (opt_seed || opt_pass)
274 printf("MAC address: %s Timestamp: %s (%s) Seed: %s Password: %s\n", MAC_ADDR, timestamp, date_string, seed, password);