In this write-up, we use Wyze Wi-Fi 6E Mesh Router Pro, firmware version 1.0.1.109 as an illustration example.
Wyze mesh networks implement Wi-Fi EasyMesh. However, this standard is flawed by design, having no “real” authentication.
To perform the Wi-Fi passphrase stealing attack through the EasyMesh protocol, we use this script
You might want to change dst='7c:78:b2:ea:12:e5'
to your own gateway’s MAC address. Change src=b'\x5c\xe9\x1e\x8b\x3b\x2c'
to your own laptop’s MAC address. Change iface="en0"
to your own laptop’s wireless interface name.
Run Wireshark before you launch this script. Then, you will be able to see the gateway returning something interesting:
We provide another script.
Populate ENonce
, RNonce
, Encrypted_Settings
, PK_R
, EnrolleeMAC
with the content of the first WSC in the traffic capture
Run decrypt_M2.py
with python2
(not python3).
You can see Wi-Fi fronthaul/backhaul passphrases there: