It has this crappy DRM that only lets me view the pdf on one computer using only “Adobe Digital Editions”.

If that wasn’t so bad, only a small subset of the text is OCR’d, so most of it isn’t even searchable!

Now I’m pissed, but wait, what do you say? These files are just RSA encrypted, and I have the key?

Some cool guy named i♥cabbages has released code do extract your key, and then decrypt the file to a good ol’ plain pdf. If you want to reproduce my steps you will need to use the PDF decrypter unless you have epubs.

So I use the tool and get a pdf, now I can use one of the most awesome tools in the world: Imagemagick.

Imagemagick can whip this pdf into shape. The first thing I’m going to do is convert each page into a tiff:

$ convert -density 200 input.pdf[1-124] -depth 8 -monochrome %05d.tif

Then I’m going to run tesseract-ocr on them to get the text:

$ for i in $(seq –format=%005.f 1 324)
do
tesseract $i.tif tesseract-$i -l eng
done

Now all I have to do is cat all the text together:

cat *.txt > output.txt

Now I have a fully searchable, plain text file. Exactly what I wanted in the first place!

For the REAL magic, I use agrep to search for strings similar to provided example test questions to help “highlight” the answers. More technical details on that magic on my wiki.

Take a look at some wireless keys that I’ve collected from some Verizon FiOS installs around Tampa:

00-18-01-EA-3D-99,E3X12,6,WEP,1801349FCA
00-18-01-F0-6D-C4,NAMX2,1,WEP,18014B311F
00-18-01-F0-95-78,MWXV2,11,WEP,180149FF66
00-18-01-FD-4F-0E,R0LC7,1,WEP,1801BC5C6B
00-18-01-FE-15-46,JE2K7,1,WEP,1801C1B02B
00-18-01-FF-DF-DD,HH150,1,WEP,1F900396C5
00-1F-90-E0-B1-F8,3RA18,6,WEP,1801CDF4AF
00-1F-90-E0-B5-AC,OQ838,6,WEP,1801CF5700
00-1F-90-E2-7E-61,7WY20,6,WEP,1F90021D27
00-1F-90-E3-1E-90,C7WA0,6,WEP,1F9007C188
00-1F-90-E3-2E-07,DJP80,6,WEP,1F90063349
00-1F-90-E6-A7-D5,BJ2Z0,11,WEP,1F9018F797
00-1F-90-E6-D4-E3,RSHZ0,4,WEP,1F901944DB

What you are looking at here is MAC, SSID, Channel, Encryption, Key.

Notice that they are all WEP, 64bit, with 5 Alpha numeric SSID’s.

I want to emphasize that these are the defaults, and only geeks, nerds and the like change the defaults.

Here is a typical type of router (actiontec) that does this:

Take a real close look at two of the examples:

00-18-01-FE-15-46,JE2K7,1,WEP,1801C1B02B
00-1F-90-E2-7E-61,7WY20,6,WEP,1F90021D27

Notice the relationship the MAC and the key have. Let me split up the bytes for you:

00:18:01:FE:15:46   -  18:01:C1:B0:2B

Verizon, or Actiontec, or someone is setting the first byte of the 40bit key to the second byte of the MAC of the unit. And then they are setting the second byte of the key to the third byte of the MAC!

You can look on the list, and this is mostly the case, there is some overlap on the OIDs. (sometimess it is 1801, sometimes 1f90) Why is this useful? Well if you know it is a FiOS install, you have already decreased your “64bit” key to a real “40bit” key, and you already know 16 bits of it, so you only have to crack 24 bits. This is insane. This is like guessing 3 letters.

The way to use this is with the Aircrack-ng program. Capture some packets, and use the -d option to tell it what the key starts with.

aircrack-ng -d 1801 stupid-fios.cap

You will get the key in No time! Silly Verizon, you didn’t think we would notice you weren’t using constructed (not random) keys?

Have FiOS yourself? Want to share your MAC and default key in the comments?

Above it the bare board that I’ve unscrewed out of the thing. Some solder + a card…..

Now we are talking. For the record this thing is exremely well documented and has a large userbase. I had no problems figureing out how to solder this in. If you want to go to the source of this type of documentation:

http://wiki.openwrt.org/OpenWrtDocs/Hardware/Linksys/WRT54GL

Now all I have to do is format and mount it…

Holy cow it worked. 2G. Now all I have to do is chroot into it. Doing a time on a DD gives about 160kBytes/Second. Now I will turn this into something amazing……..