This presentation discusses a strategy for reverse-engineering router firmware to analyze algorithms used to generate default WPA2 PSKs, and demonstrates how such passwords can be recovered within minutes. Further, we describe a procedure that can instantly gather a complete wireless authentication trace, which enables an off-line password recovery attack.