Default key algorithm in Thomson and BT Home Hub routers
Yes, we’re back with more embedded devices vulnerability research! And yes, we’re also back with more security attacks against the BT Home Hub (most popular DSL router in the UK)!

As you know, we encourage folks in the community to team up with GNUCITIZEN in different projects as we’ve had very successful experiences doing so. This time it was Kevin Devine’s turn. Kevin, who is an independent senior security researcher, did an awesome job at reverse engineering the default WEP/WPA key algorithm used by some Thomson Speedtouch routers including the BT Home Hub. Kevin noticed that all the public vulnerability research conducted in the past for the BT Home Hub had been released by GNUCITIZEN, so he decided to share his findings and work with us in this fascinating project. As you might already know, at GNUCITIZEN we’re committed members of the white-hat community who feel that it’s our responsibility to inform the public when a security issue exists.
Confirmed suspicions
Many of us involved in researching the security of wireless home routers have always suspected that routers that come with default WEP/WPA keys follow predictable algorithms for practical reasons. Yes, I’m talking about routers that come with those stickers that include info such as S/N, default SSID, and default WEP/WPA key. Chances are that if you own a wireless router which uses a default WEP or WPA key, that key can be predicted based on publicly-available information such as the router’s MAC address or SSID. In other words: it’s quite likely that the bad guys can break into your network if you’re using the default encryption key. Thanks to Kevin, our suspicion that this issue exists on the BT Home Hub has been confirmed (keep reading for more details!). Our advice is: use WPA rather than WEP and change the default encryption key now!
Brief history of default WEP/WPA key algorithms research
As far as I know, Kevin and james67 were the first researchers to publicly crack a default encryption key algorithm of a Wi-Fi home router. Kevin cracked the algorithm used by Netopia routers which are shipped by Eircom in Ireland and AT&T in the US (the second ISP was never reported, 0day!). On the other hand, james67 targeted the Netgear DG834GT router shipped by SKY in the UK. Unfortunately, james67 did not publish the details of the algorithm he cracked, which is a shame as it means that we cannot learn from his research.
The Thomson Speedtouch default WEP/WPA algorithm
Unlike james67, Kevin’s strategy to crack default WEP/WPA algorithms involves debugging the setup wizards shipped by some ISPs, as opposed to debugging the router which uses the default key algorithm. Kevin obtained a copy of one such wizard (“stInstall.exe”) provided by Orange in Spain, which can be found on broadband customers’ installation CDs. This setup utility allowed him to figure out the default key algorithm.
In short we have: S/N -> hash -> default SSID and encryption key. This can be read as: a hashed version of the router’s serial number is generated, which is then used to derive both the default SSID and the default encryption key. This is just a high-level overview of the algorithm. More specifically we have (quoted from Kevin’s stkeys tool source code comments):
Take as example: “CP0615JT109 (53)”
Remove the CC and PP values: CP0615109
Convert the “XXX” values to hexadecimal: CP0615313039
Process with SHA-1: 742da831d2b657fa53d347301ec610e1ebf8a3d0
The last 3 bytes are converted to 6 byte string, and appended to the word “SpeedTouch” which becomes the default SSID: SpeedTouchF8A3D0
The first 5 bytes are converted to a 10 byte string which becomes the default WEP/WPA key: 742DA831D2
In the case of the BT Home Hub, the only difference is that we only take the last two bytes (rather than 3 bytes) from the SHA1 hash to derive the SSID:
S/N: CP0647EH6DM(BF)
Remove CC and PP values: CP06476DM
"XXX" values hex-encoded: CP064736444D
SHA1-ed: 06f48a28eba1ab896a396077d772fd65503b8df3
Default SSID: BTHomeHub-8DF3
Default encryption key: 06f48a28eb
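The derivation above, turned into a check a router owner can run against their own device: it takes the serial number printed on the sticker, derives the factory SSID and key, and reports whether the configured key is still that predictable default. This is an added example, not code from Kevin’s stkeys tool or from GNUCITIZEN; the serial layout in the regular expression is inferred from the two examples above, and the function names and verdict strings are made up for this illustration.

```python
import hashlib
import re

# Sticker serial layout, inferred from the page's two examples (an assumption):
# "CP" + 4 digits + PP (2 chars, dropped) + XXX (3 chars) + optional "(CC)".
SERIAL_RE = re.compile(
    r"^CP(?P<digits>\d{4})(?P<pp>[0-9A-Z]{2})(?P<xxx>[0-9A-Z]{3})"
    r"\s*(?:\((?P<cc>[0-9A-Z]{2})\))?$"
)

# SSID prefix and number of trailing digest bytes used, as stated on the page.
FAMILIES = {
    "speedtouch": ("SpeedTouch", 3),
    "bthomehub": ("BTHomeHub-", 2),
}


def hash_input(sticker_serial):
    """Drop the CC and PP values and hex-encode the ASCII of XXX."""
    m = SERIAL_RE.match(sticker_serial.strip().upper())
    if m is None:
        raise ValueError("unrecognised serial format: %r" % sticker_serial)
    xxx_hex = m["xxx"].encode("ascii").hex().upper()
    return "CP" + m["digits"] + xxx_hex


def factory_defaults(sticker_serial, family):
    """Return (default SSID, default key) for a sticker serial."""
    prefix, ssid_bytes = FAMILIES[family]
    digest = hashlib.sha1(hash_input(sticker_serial).encode("ascii")).digest()
    ssid = prefix + digest[-ssid_bytes:].hex().upper()  # last 2 or 3 bytes
    key = digest[:5].hex().upper()                      # first 5 bytes
    return ssid, key


def normalise_key(key):
    """Compare keys without whitespace and without regard to letter case."""
    return re.sub(r"\s", "", key).upper()


def audit(sticker_serial, family, configured_ssid, configured_key):
    """Report whether a router still runs on its derivable factory key."""
    ssid, key = factory_defaults(sticker_serial, family)
    ssid_is_default = configured_ssid.strip().upper() == ssid.upper()
    key_is_default = normalise_key(configured_key) == key
    if key_is_default and ssid_is_default:
        # The broadcast SSID suffix narrows the candidate keys for anyone
        # in radio range, as the page explains.
        verdict = "default-key-advertised-by-ssid"
    elif key_is_default:
        # Renaming the network does not change the key derived from the S/N.
        verdict = "default-key"
    else:
        verdict = "ok"
    return {
        "expected_default_ssid": ssid,
        "ssid_is_default": ssid_is_default,
        "key_is_default": key_is_default,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Serials are the page's two examples; the configured values are
    # constructed for the demonstration.
    cases = [
        ("CP0647EH6DM(BF)", "bthomehub", "BTHomeHub-8DF3", "06f48a28eb"),
        ("CP0647EH6DM(BF)", "bthomehub", "HomeNet", "06F48A28EB"),
        ("CP0615JT109 (53)", "speedtouch", "SpeedTouchF8A3D0",
         "constructed long random passphrase"),
    ]
    for serial, family, ssid, key in cases:
        result = audit(serial, family, ssid, key)
        print(serial, "->", result["verdict"])
```

Any verdict other than “ok” means the key in use is the one the sticker serial yields, so it should be replaced with a long random WPA passphrase.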
By brute-forcing possible serial numbers and deriving the default SSID and encryption key, we can find possible keys for a given default SSID, which is exactly what Kevin’s stkeys tool does.
The more hexadecimal digits the target SSID has, the fewer possible keys are generated. For instance, if the target SSID is “SpeedTouchF8A3D0”, we can narrow down the number of possible keys to only two. On the other hand, a target SSID with only 4 hex digits (2 bytes) such as “BTHomeHub-20E3” would give us 80 possible keys on average.
We’ve tested ST585v6 which is shipped by Orange in Spain. Thomson Speedtouch routers provided by Orange in Spain come with WPA enabled by default. Being able to narrow down the number of possible default WPA keys to only two using Kevin’s tool is quite remarkable.
In the case of the BT Home Hub in the UK (which only comes with 40 bits WEP encryption by default by the way), we can narrow down the number of possible keys to about 80. In order to avoid the brute-forcing computation time required by the “stkeys” tool, I created “BTHHkeygen” which looks up the possible keys for a given SSID from a pre-generated “SSID->keys” table. Think of it as a rainbow table for cracking the BT Home Hub’s default WEP encryption key. Once the list of around 80 keys is obtained, the second step in the attack is to try each of them automatically, until the valid key is identified. For this purpose I created “BTHHkeybf” which is a fancy wrapper around the “iwconfig” Linux tool. Unfortunately, in order to prevent abuse, we’re not publishing such tools. We tested three different BT Home Hubs, and the attack seems to work fine.
There is one thing that I want to mention regarding this attack when launched against a BT Home Hub: breaking into a BT Home Hub Wi-Fi network which uses default settings (40 bits WEP) has always been possible in a matter of minutes (if packet injection attacks are used) since the Home Hub was released into the market. Therefore, this predictable-default-key attack doesn’t change the current state of the BT Home Hub’s Wi-Fi insecurity. It’s always been known that BT Home Hub Wi-Fi networks can be easily broken into by cracking the WEP key!
comments
Pretty interesting post, Adrian. Cryptography and encryption schemes are not my strong point, but I would imagine this took a lot of work, and is quite impressive.
I never fail to be amazed by the fact companies are willing to ship to millions of customers routers which have WEP rather than WPA by default, but it is even more astonishing that the default key (which let’s face it most people will never change, knowing nothing about computer security) can be derived from the default SSID (which is public knowledge)!
Good work guys on continuing to keep the pressure on BT and other companies to wise up. I mean how hard can it be for them?
As always, a high quality post. Thank you very much for this information and thank you kevin for making this possible ;)
This information is dynamite, and brings to mind the info posted on http://www.rfidupdate.com/arti.....p;from=rss where rfids can be cloned, this is the basis of the UK Government ID cards!
Thanks a lot for your feedback guys. As you know we never hide anything at GNUCITIZEN. We truly believe this benefits everyone (including consumers) in the long run. And of course, thank you Kevin: this project wouldn’t have been possible without your help!
Stay tuned for HITB Dubai 2008!
Good Job! I tried with both my new and old hub….Works perfectly!
Great article. I just tried this at home (several of my neighbours appear to have Home Hubs), and it works perfectly.
I might buy a BT Home Hub 1.5, see if I can’t beat you to the plate next time ;)
This works for my SpeedTouch!! I just checked it. My question is: I use an 128bit key, generated by my SpeedTouch. Can this be found out as well?
Sorry for my English.
Thanks very much, I’ll continue evangelising WPA and non trivial passwords.
Wohoo, you guys have been getting very good results with this attack! As you can see it works quite wonderfully!
btw, I’m releasing BTHHkeygen with the rainbow tables tomorrow at HITB Dubai 2008: http://conference.hackinthebox.....age_id=186
Using such tool you’ll be able to generate the (about 80) possible keys for the BT Home Hub instantly, thus saving bruteforcing time. BTHHkeybf which allows you to identify the valid key *will* also be released with the rest of my presentation materials.
Additionally, I will also release “axis-defacer”: a PoC tool to demo video stream replacement attacks (hijacking surveillance video) for Axis IP cameras.
I have ported Kevin Devine’s stkeys.c to Python if anyone’s interested. My script uses Python 2.5’s hashlib for sha1. It’s a lot shorter than the C version.
Hey, I just found out the 128bit-key in my router wasn’t generated by my speedtouch.. Only the first characters are the ones from the 64bit key
Great tool, thanks!!
Adrian Pastor,
Again.. wonderful post!!!!
I am finishing a (how-to - step by step-) secure your wireless networks…
Using firewalls, Vpns, TKIP, corrects cryptos like WPA2, wireless IPS, fakeaps, and more…
This new kind of attack will be mentioned inside the how-to with all author’s credits!
Thx to gnucitizen and other independent research’s!
It will be available soon!
-If possible i will post something here.
@Marchiner: please let us know when you publish such article. It sounds interesting!
@Simon: if the key is the default one, then it’s quite likely that it will work. The vulnerability has nothing to do with the encryption type or strength, but rather with the fact that the key value is predictable. Your best bet is to simply try out the attack.
@Hubert: that sounds really cool. Can you please post the link to the python port please?
Hi dudes!
I hope it will help u!
http://weiss.u40.hosting.digiweb.ie/stech/
And this is KeyGen for SpeedTouch THOMSON!
http://www.mediafire.com/?svyenmddzm3
See u dudes! 8)
Def 69
thanks for the heads-up
Kevin has added my ssid2key.py Python script to http://weiss.u40.hosting.digiw.....stkeys.zip
For the script kiddie in all of us, I’ve created a Windows XP version of “BTHHkeybf”.
In the name of responsible disclosure, I’ll release it after Adrian has done his talk and makes his code available.
BTHHkeygen (including rainbow tables) and BTHHkeybf can be found here: http://conference.hitb.org/hit.....Beyond.zip
(located on the “\BT Home Hub\demo_exploits\Default WEP key cracking\” folder)
@Edward: you can now go ahead and post a link to your WinXP port :) Thanks for waiting for our release first.
@Hubert: thanks for letting us know!
hahaha, that’s a good work :).
A similar algorithm exists for the generation of the default WEP key in the Hitachi AH4021 and AH4222, used in France by Club-Internet and Alice.
In fact, the default WEP key is the beginning of the SHA-1 hash of the default SSID, which is derived from the serial number of the device (which is derived from the MAC address of the Wi-Fi interface).
We went on that conclusion thanks to the marvelous work of Club-Internet, who just released a Windows GUI tool named WEPtool. WEPtool takes a Club-Internet.box SSID and generates the corresponding WEP key (yes, our #@! government vote for fascist laws against the citizens while ISP help wardrivers and outlaws). What is really fun is that we did not need to perform any sort of reverse engineering to understand the generation process: the WEPtool relies entirely upon a DLL called FSHash (for File String Hash), and the source code of that library is open source!
What you need is a SHA-1 computing program, and you can hack into any of these.
The WEPtool binary and the source code of the FSHash DLL can be found on my humble website. A reverse engineering work has been made by a member of the FRET group, and all of this was originally published in the 2600 Lille meeting reports along the year 2007 and in this thread, thanks to my friend oxyde.
Edward Pearson when will u be releasing your win32 version of BTHHKeygen n BF Thanks
What are the CC, PP and XXX values? You lost me there…
@Ricky “Hexy” Small
Probably when I get home tonight. Last night I forgot.
Would be very interesting seeing the win32 version. Great job guys! BT Sucks!
Right. Sorry about the delay, I’ve had a very busy couple of days.
As requested, here is the Windows XP version of BTHHkeybf
http://facecrook.net/BTHHkeybf.zip
This code isn’t elegant, optimized, well written, or pretty, but it works well. It was 2am and I needed an Internet Connection, best practice wasn’t an issue.
There’s always a chance you’ll have to make a few changes to the script (different network auth type perhaps, higher DHCP timeout maybe.)
Please feel free to do whatever you want with this, use it, edit it, distribute it.
Look inside BTHHkeybf.vbs for additional help.
(P.S. This probably won’t work on Vista, for those interested, I suggest you investigate the built in “netsh” utility, by the looks of things it could be used as a drop in replacement for Engl’s zwlancfg.exe.)
Cannot get the win32 version to work. Anyone fancy making a guide or step by step? Cheers x
Elfist,
One step-by-step, coming up.
For this example, we’re using BTHomeHub-CD07
First use stkeys to generate a list of possible keys, use the -o option to output these to a file:
stkeys -i CD07 -o keys.txt
Then, in command prompt, run my script against this file, thus:
cscript BTHHkeybf.vbs BTHomeHub-CD07 keys.txt
Provided you’re NOT connected to any wireless networks when you run it, and the Wireless Zero Config service is running and enabled, it’ll crack the password.
Lovely!
But a bit of a problem. I know this isn’t a support site or anything but I think a lot of people would have the same problems as I’m having. So sorry if I’m annoying! I managed to output the keys file from the stkeys. Then I type cscript BTHHkeybf.vbs BTHomeHub-CD07 keys.txt and not a lot happens… Is it meant to automatically connect to the network after I hit enter? Or wait a while until it finds the right key? And also it should be compatible with xp sp3? And in the outputted txt file are the 1st 10 digs 1 possible key? Then the next 10 the next possible key etc etc? Thanks again! x
I need more than “not a lot happens”. What does it say when you run BTHHkeybf.vbs?
You need WZC enabled as I said before. You also need to replace BTHomeHub-CD07 with the SSID you’re trying to crack.
Yes, the keys are what you used stkeys for. RTFA!!!
I was using the CD07 as an example ovi. WZC is enabled. When I run the BTHHkeybf.vbs it comes up with the Usage and the example (Example: cscript BTHHkeybf.vbs BTHomeHub-CD07.txt) in cmd but doesn’t actually crack it or do anything.
Any progress on the windows version of bthhkeygen?
I have made a WinXP version. I will email it to anyone interested.
-S
The win32 version is linked above…
It works perfectly for me, I can only assume Elfist is doing something wrong.
Oh sorry, you want the keygen.
Adrian’s precomputes the keys into a Rainbow table type configuration. This allows the lookups to be instant.
You can use the stkeys program detailed above if you don’t care about the crypt speed (My Centrino does it in a matter of seconds)
RTFA!!
Slinx whats your email?
files.slinx (at) googlemail [dot] com
-S
ive got a ps3 and there’s a few bt home hubs around me is there any way to hack them
thx for much if u can help
plz email me the answer or post here
there are many ways but you are on your own in this business :)
For the third time: RTFA.
It’s not exactly cryptic, it’s practically a step by step.
It’s funny, when someone is so focused on breaking into a computer network and not interested in the learning experience, he will fail to see how it can be done even when the information is right in front of his eyes!
@Simon: this attack has only been tested with the factory-default keys used by Thomson Speedtouch/BTHH routers. In some cases (can depend on ISP) the default it’s a WPA key, in others, it’s a WEP key.
In the case of the BT Home Hub which is widely used in the UK, the default key is a a 40bits WEP key.
thx for the info
Hi all.
A very interesting article showing just how weak wep encryption is. I thought i’d give it a go so I dug out my old homehub router. I ran stkeys and outputted the txt file, i looked and checked my wep key was listed, which it was. But when I came to run the BTHHkeybf.vbs file, i got the following message;
Trying key: 1234567890
C:\BTHHkey.vbs(27,2) (null): This application failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
Am I doing something blatantly wrong or do I need to go in and change the script?
regards
Rob.
i would like to log on 2 my neighbours BT-HomeHub but the way this is set out is well confusing i just need the pass key
can some 1 please help me out with some step by step instructions or sumin please!!!
ellis, we don’t like to moderate comments but please, don’t post these kind of questions here. this is not a script-kiddish forum. many thanks.
The BT HH v1.5 uses this algorithm as well: I just tried it on mine - your article states that it uses a different algorithm: why did you say that?
Nice work. So does BTHHkeybf.vbs only work for 40 bits WEP keys only?
Reason i ask is I used the step by step posted by Edward Pearson(many thanks)at which the keys generated does have my key in the list but the key found by BTHHkeybf.vbs is not correct.
My default is 64 bit wep.
Okay so I followed your method in the post and it seemed to work in that typing:
Gives a hash which has the first 10 characters as the default WEP key and the last 4 characters as the suffix to the SSID.
But when I look at the entry in BTHH-Keys.csv from the zip archive of your conference presentation the correct key is not found in the row corresponding to the default SSID of my HH. perhaps I have misunderstood what the files BTHH-Keys is for?
Hi all… I’m confused.
Are these tools only to generate the WEP/WPA keys or are they to find out what the SERIAL NUMBER of the router is?
Depending on which is which would depend on how much of an impact this would have on BTs customers?
Thanks
Just to clarify my response above: between the ” in the echo command should be the modifed serial number according to the method in the main post(i.e. with CC and PP removed and XXX changed to hex).
i have tried all sorts of ways to access my pals home hub. i used the bthhkeygen and gathered the list of keys but thats as far as i got i dont understand the rest. where do i type commands is it in the command prompt? if so i have tried several commands stated by this article and also some of the commands within the documentation attached with the software. as i have no understanding of how this works i fail to see how the home hub is vulnerable to attack the home hub is bthomehub-0CED and as a result of knowing jack about this subject i resorted to painstakingly trying each key individually all 76. none of which worked will someone please help? is the status of the connection changed visually on my screen e.g. should (padlock) Security Enabled Wireless Network be changed so it tells me i am connected to the network. could someone possibly help and or either provide me with the key or how to obtain it. i am an ultimate beginner to the scene of security for my computer. many thanks in advance 8)
Oh and what is stkeys supposed to do? how the hell am i supposed to output my keys to a .txt file? HHHMMMMMMM
fair nuff m8 itz all kl ;)
Hi again
Just took a look at the stkeys source code - I presume this is what you used to get your database of potential keys as included in conference presentation? If so the reason that my router’s default key isn’t in your database is that stkeys only defaults to keys for units produced in ‘05 & ‘06 - my unit is produced (from serial no.) in ‘07. So to cover v1.5 units (if my guess that this is the problem proves correct) you need to increase the upper limit in stkeys and thus enlarge the database.
Thanks again for the good work!
Hi. I have a small problem. i have a bt hub, but its on my ex girlfriends address, and i need to know what is she doing with it cos the last bills are enormous. is there any chance that someone would help me out with getting access to my bt home hub through internet? and of course getting access to the devices connected to the hub ?
@noob: 40 bits WEP encryption is usually advertised as 64 bits. They’re both the same encryption type and strength.
@jimjamsunny: the tools allow you to find the default WEP/WPA key of the BT Home Hub and Thomson Speedtouch routers.
@Stephen: To answer all your questions: you’re probably right that the BT Home Hub v1.5 ALSO follows the same algorithm, but we probably misreported that the attack doesn’t work on v1.5. This is because the rainbow tables (BTHH-keys.csv) were created using the default stkeys.exe tool which only generates keys for routers manufactured in the year 2005 and 2006. When attacking the BTHH v1.5, just change the following line in the source code from:
for(year = 5;year <= 6;year++) {
to:
for(year = 5;year <= 8;year++) {
and recompile.
It’d be a good idea to regenerate BTHH-keys.csv adding 2007 and 2008 for attacking the BTHH v1.5. However, the number of possible keys would be increased from 80 to 160 approximately I believe.
stkeys.exe (live generation of keys): http://weiss.u40.hosting.digiw.....stkeys.zip
BTHH-keys.csv (pre-generated keys): http://conference.hitb.org/hit.....Beyond.zip
@stephen
Since i passed the info to Adrian, i take responsibility for the mis-reporting..there was a lack of valid S/N’s and other information in initial tests which is why i believed v1.5 was safe.
stkeys worked for 2005 - 2006 because the router i had was manufactured in 2006.. and some S/N’s collected from hrodgar were from 2005.
more people gave hrodgar S/N’s for 2004 up to 2008, and a different version was written to try speed things up.
If you look at http://weiss.u40.hosting.digiw.....x_stkeys.c - it generates all known years, but only for routers using 24 bit SSID.
exclusion of BT HH SSID is because too many keys were generated with only 16 bit input.. also Thomson routers by default in Spain use WPA which is obviously much harder to crack than WEP.
for this reason, BT HH keys were never really tested afterwards and it was still believed v1.5 used a different algorithm.
interesting to know it worked for you.
Just a small query for Edward Pearson, I have followed your method, and i must say it is a lot easier for windows.
I encounter a problem though, i have WZC enabled and follow the process.
But I get an error
“Trying Key:
2BE704DA74
C:\Documents and Settings\me\Desktop\BTHHkeybf\BTHHkeybf.vbs(27, 2) (null): This
application has failed to start because the application configuration is incorr
ect. Reinstalling the application may fix this problem.”
Any help would be much appreciated
Ok, awesome find guys, thanks for all the effort.
With regards to the step by step written by Edward, I have followed all the steps, got all possible keys to output to a file and then when I execute “cscript BTHHkeybf.vbs BTHomeHub-xxxx key.txt” (or whatever outputted files name was)
it displays
” Trying Key: xxxxxxxxxx (first key in outputted file)
Alive”
And just sits there seemingly doing nothing, it doesn’t seem to attempt to connect to a network, or really do anything for that matter, WZC is enabled and started and I’m sure I’ve done everything to a t, can anyone offer any help at all please?
Guys,
As I explained, this is something I wrote late at night so I could check my e-mail.
Have a look at the VBScript, there’s plenty that could go wrong.
To reiterate:
This will not work on Vista.
This will not work unless the Windows “Wireless Zero Config” is active. Not a 3rd party program.
This relies on “zwlancfg.exe” to automate WZC, if it doesn’t work, then neither will this script.
Before you run the script, you must first disconnect any and all wireless networks. “Automatic” networks, must be set to “Manual”.
The script works by adding a new Automatic wireless profile to WZC, at which point Windows should automatically try to connect, if automatic connections are off, then this script will fail.
When the script displays “Alive”, it means it has added the profile to WZC, and is waiting for a wireless connection to be established (it does this by checking signal strength). Open WZC and look at the target network, what is its status?
Once a connection has been established, a normal Windows install will attempt to get an IP through DHCP, again, this must be enabled for this to work.
My script will wait 3 seconds (ample time for DHCP to respond on my machine), and then attempt to ping Google, if that fails, it’ll disconnect and move onto the next key.
0days of old often contained deliberate mistakes to deter script kiddies. If you don’t understand what’s going on here, then try and learn rather than hoping somebody will come up with instructions you can blindly follow.
If you’re not capable of understanding what the script is doing, and where it may go wrong, then you don’t deserve free internet. Do what most of us did and work it out for yourselves, it’s not that hard.
Hi,
Thank you for the reply and all your work. Just to clear this up, I am not attempting to get free Internet, I am attempting to progress my knowledge of network security and am trying to use this script on my own BTHomehub, my WEP key is in the generated list however I wanted to see how the script operates and watch it in action, I apologize if I have offended you with my questions, however I was just looking to learn as research can only get you so far, I was looking for some input from someone experienced on this field, which you have given me in your last post, I will check everything over and have another attempt, thank you for your info!
To be quite honest sirius I didn’t mean you. There are a number of people above who just can’t be bothered
@Edward
I have checked everything, and what I get is It sits at alive then i fail to get an IP and it says limited connectivity.
I know its frustrating getting all these questions, but I am just curious to why it doesnt want to work
When I come to run the BTHHkeybf.vbs file, i got the following message;
Trying key: 1234567890
C:\BTHHkey.vbs(27,2) (null): This application failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
Am I doing something blatantly wrong or do I need to go in and change the script?
cheers
kev
I get the same hanging problem after it prints ‘Alive’
I’m runnin XP SP3 though, so maybe that’s the problem?
The waitToDie function never exits…
I think updating to the latest version of Zwlancfg might solve the SP3 problem :-
http://www.engl.co.uk/products.....istory.htm
Ok, with some additional research and a slight edit to the script I have got this up and running. Just for anyone who is interested I had to update the xp install on my laptop with a specific hotfix which updated wireless settings/files on the machine. I also downloaded the latest version of the zwlancfg, I also changed the dhcp timeout to 7 seconds as the 3 didnt seem enough for my connection for some reason.
After these changes the script successfully run and connected to my network!
Thank you for releasing this as I have learned a fair bit of knowledge during the pursuit of getting this up and running.
Glad you guys managed to get it working, good call as well, it never occurred to me that Microsoft may have broken it when SP3 arrived.
When will the default algorithm for Sky routers come out
Ok - i’ve got the script working, yet i cant seem to find out where to change the dhcp timeout from 3 seconds to 7 seconds?
Script runs and shows trying key “************” with ALIVE under it - then just sits there -hanging about - doesnt try and connect or anything - WZC is enabled and have latest version of zwlancfg, also ran the xp hotfix etc without sp3.
Sirius what was the hotfix that you used? As I’m having the same problem with XP Sp3
does anyone run xp media center edition i cant seem to get the zwcnfig to run when i attempt to run the newer version linked above i get a message stating that i need vista or xp pro sp2 or sp3 i downloaded sp3 but when installing i am told it is not a valid win32 application is it possible to actually do this attack with media center or not
Edward (or anyone who can assist)
I have successfully managed to get your VB script working, in that if I edit the key file to contain my key as the first line it will connect.
When I put my key as the second line (either in the string or making the file line by line) it fails to read it and hangs at the “Alive” prompt showing the first key.
I have read the script and can understand the process being followed, but cannot see why it would hang….. I know it works (as proven above) but cannot get the loop to loop….
Also just to note for all others that this will work on a non BT HH router (the script to connect) but you need a different way to generate the keys. (anyone figured out any other algorithms yet… I have tried but seemingly failed miserably).
Thanks for any assistance.
Kevin: To change the DHCP timeout, look for “3000” in the code, change this to Seconds * 1000.
As stated, there isn’t that much that can go wrong, I suggest all of you having problems go here: http://www.engl.co.uk/products/zwlancfg/index.html and download the latest copy of zwlancfg.
One problem I have experienced in Vista (as stated, this WILL NOT WORK in Vista), is that you can’t use my method to query the WMI, and check the wireless is up, as this will cause it to hang BEFORE displaying “Alive”. If it’s hanging after this I suggest you look at the “waitToDie” method, although if “waitToStart” works, I don’t see why “waitToDie” wouldn’t.
The only other thing I suggest is you add a few: WScript.Echo “Reached line X” in some choice places, and find out where its failing from.
Why not try and execute zwlancfg yourself, try and add a profile? Think outside of the box people.
I have done my best to support this script, in the past comments I have outlined, in detail, exactly how it works, if you can’t do some simple debugging on a basic VBScript, then too bad.
Game Over, its up to you lot now.