Eircom Netopia WEP key generator

Enter SSID

Eircom's implementation of Netopia's derivation of 128-bit WEP keys from broadcast SSIDs has been reverse engineered. Here's an explaination of the steps required.

1. Getting the MAC Address from the SSID
You can either just read the MAC address from the air, as I did with these two examples:
eircom2633 7520: 00-0f-cc-59-b0-9c
eircom6046 1214: 00-0f-cc-c2-6d-40

Or you can calculate them from the broadcast SSID. Here's how:

1.1. Convert the 6-digit octal number to Hexidecimal:
2633 7520 OCT -> HEX = (0x)59b f50
6046 1214 OCT -> HEX = (ox)c26 28c

1.2. XOR the hex result with the first three 8-bit two-digit hex of the Netopia MAC address (00-0f-cc)
XOR (0x59bf50, 0x000fcc) = 0x59b09c
XOR (0xc2628c, 0x000fcc) = 0xc26d40

Aside: XOR sets the bit to 1 where the corresponding bits in its operands are different (on if it was off, off if it was on)
XOR010110011011000010011100 = 0x59b09c

1.3. That's it - you have the MAC Address
eircom2633 7520 = 00-0f-cc-59-b0-9c
eircom6046 1214 = 00-0f-cc-c2-6d-40

2. Getting the serial number from the MAC Address
2.1. We know where Netopia serial numbers start from
It's 0x01000000

2.2. Add this to the last three octals of your MAC address
0x0059B09C + 0x01000000 = 0x0159B09C
0x00c26d40 + 0x01000000 = 0x01c26d40

2.3. Convert this to decimal to get the serial number
0x0159B09C HEX -> DEC = 22655132
0x01c26d40 HEX -> DEC = 29519168

3. Getting the WEP key from the serial number
3.1. Convert serial number to word format
22655132 = "TwoTwoSixFiveFiveOneThreeTwo"
29519168 = "TwoNineFiveOneNineOneSixEight"

3.2. Append the string "Although your world wonders me, "
"TwoTwoSixFiveFiveOneThreeTwo" -> "TwoTwoSixFiveFiveOneThreeTwoAlthough your world wonders me, "
"TwoNineFiveOneNineOneSixEight" -> "TwoNineFiveOneNineOneSixEightAlthough your world wonders me, "

3.3. Hash this result with SHA-1 (You can use this)
"TwoTwoSixFiveFiveOneThreeTwoAlthough your world wonders me, " -> 29b2e9560b3a83a187ec5f205788d5420a47aa42
"TwoNineFiveOneNineOneSixEightAlthough your world wonders me, " -> d9dd7ef5be51a9e199d7df3c93bcf5cac0743d6a

3.4. Seperate the first 26 digits, and there you have your WEP Key!
eircom2633 7520 = 29b2e9560b3a83a187ec5f2057
eircom6046 1214 = d9dd7ef5be51a9e199d7df3c93

Incidently, the appended strings are lyrics taken from the song 'Third Stone from the Sun' by Jimi Hendrix. You can download it here (8MB).

The source code to this script (Perl) is here. Here's the exploit in action.

Home Page