(I am not sure this question fits this board; if it doesn't, please redirect me accordingly) (I can only post two links, so bear with me :p) (can't find any decent tags for this... :( )
As you can see from a previous question of mine on this board, I am doing some work with Devolo powerline devices. I am trying to replicate the final steps of this article. Right now I am stuck with the non-vulnerable devices.
Qualcomm provides a software suite called open-plc-utils which is used in the link above. Following the attack description, there is a crucial step where the device's MAC address is converted to a 16 capital character password. The mac2pw Qualcomm code correctly converts MAC to password for TP-Link devices, but not for others. Since I am trying to attack a Devolo device, I need to somehow disclose the changes made to the original algorithm.
So far, I have read the description of mac2pw and studied linear congruential generators (since one is used in mac2pw). Reading the security Stack Exchange, I saw that discovering the crucial LCG parameters (a, c, m) is actually pretty feasible. Nevertheless, the algorithm provided by Qualcomm is not as simple. It introduces some entropy by using only the "random" numbers whose modulus 128 yields a capital letter, uses those capital letters to fill an array, and then uses more "random" numbers (modded once again) to select the final password from that array. Therefore, I cannot be sure that two letters of the password correspond to two consecutive numbers generated by the LCG, which are required to break the LCG.
I am assuming they went the lazy way and only changed some parameters: a, c and/or m. In case they didn't and wrote some other algorithm of theirs, I hope I could discover an equivalent LCG.
I have six Devolo MAC addresses and their corresponding passwords. I think these should be enough for me to discover the underlying algorithm. I believe I don't need the exact algorithm Devolo uses; an equivalent one should suffice.
My main issue here is how to overcome the entropy and the consecutive modulus operations. How can I overcome these and obtain the underlying algorithm, or an equivalent one?
EDIT: I also remembered I can use cloud resources to brute-force the algorithm. By simplifying the basic algorithm and brute-forcing all combinations of a/c/m, I could get an algorithm similar to the original. Nevertheless, I am not sure it is possible.