Firmware upgrade failed due to version incompatibility.

CE1CECL commented 2 years ago

This error happens whenever I try to downgrade from version 2.16.4

ARRIS BGW210-700

( copied from https://github.com/Archerious/bgw210-root/issues/8 )

jabberwock commented 2 years ago

This appears to be a check implemented by AT&T in the latest firmware. If I find any more information, I will post here.

sctigercat1 commented 2 years ago

Curious if anyone has found a solution to this?

CE1CECL commented 1 year ago

I have some progress

3.20 (latest) -> spTurquoise210-700_3.18.2_ENG.bin -> I'm still stuck as of 01/29/2023 "Firmware image is invalid.", I cannot downgrade to spTrapeze_Turquoise210-700_3.18.1.bin or older for some reason

CE1CECL commented 1 year ago

UPDATE:

on spTurquoise210-700_3.18.2.bin since its older than the ENG by a month:

$ curl 192.168.1.254 -X'POST x/var/log/upgrade.log'

2023-02-05T14:57:45.219053-05:00 L6 FMWR[17031]: firmware_status_set(), Firmware status inst_state = Idle prev_state = Idle and persist_state =Idle
2023-02-05T14:57:45.219263-05:00 L6 FMWR[17031]: firmware_status_set(), Firmware status set to idle
2023-02-05T14:57:45.437986-05:00 L6 FMWR[17031]: firmware_status_set(), Firmware status inst_state = Downloading prev_state = Idle and persist_state =Idle
2023-02-05T14:57:45.438065-05:00 L5 FMWR[17031]: firmware_status_set(), Firmware download started
2023-02-05T14:57:46.750436-05:00 L3 FMWR[26168]: do_install(), Image validation failed with status 3
2023-02-05T14:57:47.040059-05:00 L6 FMWR[17031]: firmware_status_set(), Firmware status inst_state = Invalid image prev_state = Downloading and persist_state =Idle
2023-02-05T14:57:47.040159-05:00 L3 FMWR[17031]: firmware_status_set(), Firmware installation failure - image is invalid

$ ssh -vvvv -p 51002 admin@192.168.1.254
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/config error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname 192.168.1.254 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.254 [192.168.1.254] port 51002.
debug1: Connection established.
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_rsa error:2
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_rsa.pub error:2
debug1: identity file C:\\Users\\CE1CECL/.ssh/id_rsa type -1
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_rsa-cert.pub error:2
debug1: identity file C:\\Users\\CE1CECL/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_dsa error:2
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_dsa.pub error:2
debug1: identity file C:\\Users\\CE1CECL/.ssh/id_dsa type -1
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_dsa-cert.pub error:2
debug1: identity file C:\\Users\\CE1CECL/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_ecdsa.pub error:2
debug1: identity file C:\\Users\\CE1CECL/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_ecdsa-cert.pub error:2
debug1: identity file C:\\Users\\CE1CECL/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_ed25519.pub error:2
debug1: identity file C:\\Users\\CE1CECL/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_ed25519-cert.pub error:2
debug1: identity file C:\\Users\\CE1CECL/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_xmss.pub error:2
debug1: identity file C:\\Users\\CE1CECL/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/id_xmss-cert.pub error:2
debug1: identity file C:\\Users\\CE1CECL/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version dropbear_BUU0210_2020.81
debug1: no match: dropbear_BUU0210_2020.81
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.254:51002 as 'admin'
debug3: put_host_port: [192.168.1.254]:51002
debug3: hostkeys_foreach: reading file "C:\\Users\\CE1CECL/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file C:\\Users\\CE1CECL/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys from [192.168.1.254]:51002
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256
debug2: MACs stoc: hmac-sha2-256
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: ecdh-sha2-nistp384
debug1: kex: host key algorithm: rsa-sha2-256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:iOjtXDfW8YZj+jcvDkuYZQQ+YUQdwdlff6u2IG6ngm4
debug3: put_host_port: [192.168.1.254]:51002
debug3: put_host_port: [192.168.1.254]:51002
debug3: hostkeys_foreach: reading file "C:\\Users\\CE1CECL/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file C:\\Users\\CE1CECL/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys from [192.168.1.254]:51002
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: hostkeys_foreach: reading file "C:\\Users\\CE1CECL/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file C:\\Users\\CE1CECL/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys from [192.168.1.254]:51002
debug3: Failed to open file:C:/Users/CE1CECL/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: Host '[192.168.1.254]:51002' is known and matches the RSA host key.
debug1: Found key in C:\\Users\\CE1CECL/.ssh/known_hosts:2
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\CE1CECL/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\CE1CECL/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\CE1CECL/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\CE1CECL/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\CE1CECL/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: password
debug3: start over, passed a different list password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup password
debug3: remaining preferred: ,keyboard-interactive,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: failed to open file:C:/dev/tty error:3
debug1: read_passphrase: can't open /dev/tty: No such file or directory
admin@192.168.1.254's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (password).
Authenticated to 192.168.1.254 ([192.168.1.254]:51002).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
debug1: ENABLE_VIRTUAL_TERMINAL_INPUT is supported. Reading the VTSequence from console
debug3: This windows OS supports conpty
debug1: ENABLE_VIRTUAL_TERMINAL_PROCESSING is supported. Console supports the ansi parsing
debug3: Successfully set console output code page from:65001 to 65001
debug3: Successfully set console input code page from:437 to 65001
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 24576 rmax 32759
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: chan_shutdown_write (i0 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug2: channel 0: chan_shutdown_read (i0 o3 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug3: Successfully set console output code page from 65001 to 65001
debug3: Successfully set console input code page from 65001 to 437
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1)

debug3: send packet: type 1
debug3: Successfully set console output code page from 65001 to 65001
debug3: Successfully set console input code page from 65001 to 437
Connection to 192.168.1.254 closed.
Transferred: sent 1936, received 1204 bytes, in 0.8 seconds
Bytes per second: sent 2486.8, received 1546.5
debug1: Exit status 0

$

obvRedwolf commented 1 year ago

putting this new guide here for future people here. this guide uses a newer version that you can (hopefully) downgrade to.

https://github.com/mozzarellathicc/attcerts

metametapod commented 11 months ago

@CE1CECL where was your spTurquoise210-700_3.18.2.bin downloaded? I tried http://gateway.c01.sbcglobal.net/firmware/ALPHA/210/001E46/BGW210-700_3.18.2/spTurquoise210-700_3.18.2.bin, which successfully downloaded and installed (4.24.6 / latest -> 3.18.2_ENG -> 3.18.2) but can't connect over SSH.

$ curl 192.168.1.254 -X'POST x/var/log/upgrade.log'
P0000-00-00T00:07:13.155692 L6 FMWR[3009]: firmware_status_set(), Firmware status inst_state = Image validated prev_state = Downloading and persist_state =Idle
P0000-00-00T00:07:13.180186 L6 FMWR[3009]: firmware_status_set(), Crashlog files erased.
P0000-00-00T00:07:33.944223 L6 FMWR[3009]: firmware_status_set(), Firmware image is valid - rebooting to complete install
P0000-00-00T00:07:48.332667 L5 FMWR[3009]: sdb_factory_reset_finish(), Factory reset done
P0000-00-00T00:00:20.200441 L6 UPROLL[2962]: uproll_init_uproll_time_file(), The uproll_time structure init done
P0000-00-00T00:00:59.669455 L5 FMWR[2962]: system_uproll_commit(), Upgrade Success with Retry Count = 0. The Image is Committed
P0000-00-00T00:00:59.683526 L5 FMWR[2962]: system_uproll_defer_status_update(), No need to update Deferred status
P0000-00-00T00:00:59.683707 L5 FMWR[2962]: firmware_partition_status_set(), Partition-1 is the Active Partition
P0000-00-00T00:00:59.683718 L5 FMWR[2962]: firmware_partition_status_set(), Upgrade from 4.21.5 to 3.18.2_ENG success 
P0000-00-00T00:04:50.176364 L6 FMWR[2962]: firmware_status_set(), Firmware status inst_state = Idle prev_state = Idle and persist_state =Idle
P0000-00-00T00:04:50.176406 L6 FMWR[2962]: firmware_status_set(), Firmware status set to idle
P0000-00-00T00:04:50.399720 L6 FMWR[2962]: firmware_status_set(), Firmware status inst_state = Downloading prev_state = Idle and persist_state =Idle
P0000-00-00T00:04:50.399762 L5 FMWR[2962]: firmware_status_set(), Firmware download started
P0000-00-00T00:05:35.924310 L6 FMWR[2962]: firmware_status_set(), Firmware status inst_state = Image validated prev_state = Downloading and persist_state =Idle
P0000-00-00T00:05:35.982234 L6 FMWR[2962]: firmware_status_set(), Crashlog files erased.
P0000-00-00T00:05:56.712785 L6 FMWR[2962]: firmware_status_set(), Firmware image is valid - rebooting to complete install
P0000-00-00T00:00:20.060969 L6 UPROLL[2965]: uproll_init_uproll_time_file(), The uproll_time structure init done
P0000-00-00T00:00:56.675782 L5 FMWR[2965]: system_fwver_log(), Change in firmware version detected from 3.18.2_ENG to 3.18.2
P0000-00-00T00:01:00.516211 L5 FMWR[2965]: system_uproll_commit(), Upgrade Success with Retry Count = 0. The Image is Committed
P0000-00-00T00:01:00.520493 L5 FMWR[2965]: system_uproll_defer_status_update(), No need to update Deferred status
P0000-00-00T00:01:00.520766 L5 FMWR[2965]: firmware_partition_status_set(), Partition-2 is the Active Partition

$ ssh -vvvv -p 51002 admin@192.168.1.254
OpenSSH_9.4p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/user/.ssh/config
debug1: /Users/user/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.1.254 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/user/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/user/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.1.254 [192.168.1.254] port 51002.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: connect to address 192.168.1.254 port 51002: Connection refused
ssh: connect to host 192.168.1.254 port 51002: Connection refused

Did I download the wrong one or is there another step I’m missing?

Am able to extract certs via the above guide posted by @obvRedwolf on 3.18.2_ENG, but need SSH or telnet access to list files and diagnose a different issue.

CE1CECL commented 11 months ago

@CE1CECL where was your spTurquoise210-700_3.18.2.bin downloaded? I tried http://gateway.c01.sbcglobal.net/firmware/ALPHA/210/001E46/BGW210-700_3.18.2/spTurquoise210-700_3.18.2.bin, which successfully downloaded and installed (4.24.6 / latest -> 3.18.2_ENG -> 3.18.2) but can't connect over SSH.

$ curl 192.168.1.254 -X'POST x/var/log/upgrade.log'
P0000-00-00T00:07:13.155692 L6 FMWR[3009]: firmware_status_set(), Firmware status inst_state = Image validated prev_state = Downloading and persist_state =Idle
P0000-00-00T00:07:13.180186 L6 FMWR[3009]: firmware_status_set(), Crashlog files erased.
P0000-00-00T00:07:33.944223 L6 FMWR[3009]: firmware_status_set(), Firmware image is valid - rebooting to complete install
P0000-00-00T00:07:48.332667 L5 FMWR[3009]: sdb_factory_reset_finish(), Factory reset done
P0000-00-00T00:00:20.200441 L6 UPROLL[2962]: uproll_init_uproll_time_file(), The uproll_time structure init done
P0000-00-00T00:00:59.669455 L5 FMWR[2962]: system_uproll_commit(), Upgrade Success with Retry Count = 0. The Image is Committed
P0000-00-00T00:00:59.683526 L5 FMWR[2962]: system_uproll_defer_status_update(), No need to update Deferred status
P0000-00-00T00:00:59.683707 L5 FMWR[2962]: firmware_partition_status_set(), Partition-1 is the Active Partition
P0000-00-00T00:00:59.683718 L5 FMWR[2962]: firmware_partition_status_set(), Upgrade from 4.21.5 to 3.18.2_ENG success 
P0000-00-00T00:04:50.176364 L6 FMWR[2962]: firmware_status_set(), Firmware status inst_state = Idle prev_state = Idle and persist_state =Idle
P0000-00-00T00:04:50.176406 L6 FMWR[2962]: firmware_status_set(), Firmware status set to idle
P0000-00-00T00:04:50.399720 L6 FMWR[2962]: firmware_status_set(), Firmware status inst_state = Downloading prev_state = Idle and persist_state =Idle
P0000-00-00T00:04:50.399762 L5 FMWR[2962]: firmware_status_set(), Firmware download started
P0000-00-00T00:05:35.924310 L6 FMWR[2962]: firmware_status_set(), Firmware status inst_state = Image validated prev_state = Downloading and persist_state =Idle
P0000-00-00T00:05:35.982234 L6 FMWR[2962]: firmware_status_set(), Crashlog files erased.
P0000-00-00T00:05:56.712785 L6 FMWR[2962]: firmware_status_set(), Firmware image is valid - rebooting to complete install
P0000-00-00T00:00:20.060969 L6 UPROLL[2965]: uproll_init_uproll_time_file(), The uproll_time structure init done
P0000-00-00T00:00:56.675782 L5 FMWR[2965]: system_fwver_log(), Change in firmware version detected from 3.18.2_ENG to 3.18.2
P0000-00-00T00:01:00.516211 L5 FMWR[2965]: system_uproll_commit(), Upgrade Success with Retry Count = 0. The Image is Committed
P0000-00-00T00:01:00.520493 L5 FMWR[2965]: system_uproll_defer_status_update(), No need to update Deferred status
P0000-00-00T00:01:00.520766 L5 FMWR[2965]: firmware_partition_status_set(), Partition-2 is the Active Partition

$ ssh -vvvv -p 51002 admin@192.168.1.254
OpenSSH_9.4p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/user/.ssh/config
debug1: /Users/user/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.1.254 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/user/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/user/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.1.254 [192.168.1.254] port 51002.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: connect to address 192.168.1.254 port 51002: Connection refused
ssh: connect to host 192.168.1.254 port 51002: Connection refused

Did I download the wrong one or is there another step I’m missing?

Am able to extract certs via the above guide posted by @obvRedwolf on 3.18.2_ENG, but need SSH or telnet access to list files and diagnose a different issue.

Give me the results of nmap -p- 192.168.1.254, mine are (change to your gateway ip, if needed):

# nmap -p- 192.168.1.154
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-03 17:33 EDT
Nmap scan report for dsldevice.attlocal.net (192.168.1.154)
Host is up (0.0026s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE    SERVICE
53/tcp    open     domain
80/tcp    open     http
111/tcp   filtered rpcbind
443/tcp   open     https
7547/tcp  filtered cwmp
10999/tcp filtered unknown
49000/tcp filtered matahari
51001/tcp filtered unknown
51002/tcp open     unknown
51010/tcp filtered unknown
61001/tcp filtered unknown
MAC Address: F8:9B:6E:73:96:21 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 10.03 seconds
#

metametapod commented 11 months ago

@CE1CECL

Give me the results of nmap -p- 192.168.1.254, mine are (change to your gateway ip, if needed):

Using firmware version 3.18.2, modem packet filter and advanced firewall disabled, firewall on computer disabled.

On macOS 14.1:

$ nmap -p- 192.168.1.154
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-03 16:15 PDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
$ nmap -Pn 192.168.1.154
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-03 16:15 PDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.154
Host is up (0.000014s latency).
All 1000 scanned ports on 192.168.1.154 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
$ ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=2.379 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=1.421 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=1.513 ms
^C
--- 192.168.1.254 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.421/1.771/2.379/0.432 ms

On Ubuntu 22.04:

$ nmap -v -p- 192.168.1.254
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-03 18:20 PDT
Initiating Ping Scan at 18:20
Scanning 192.168.1.254 [2 ports]
Completed Ping Scan at 18:20, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:20
Completed Parallel DNS resolution of 1 host. at 18:20, 0.00s elapsed
Initiating Connect Scan at 18:20
Scanning dsldevice.attlocal.net (192.168.1.254) [65535 ports]
Discovered open port 443/tcp on 192.168.1.254
Discovered open port 53/tcp on 192.168.1.254
Discovered open port 80/tcp on 192.168.1.254
Increasing send delay for 192.168.1.254 from 0 to 5 due to 34 out of 111 dropped probes since last increase.
Increasing send delay for 192.168.1.254 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.1.254 from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.1.254 from 20 to 40 due to 11 out of 11 dropped probes since last increase.
Connect Scan Timing: About 0.31% done
Connect Scan Timing: About 1.39% done; ETC: 14:46 (20:08:17 remaining)
Connect Scan Timing: About 2.48% done; ETC: 06:07 (11:29:01 remaining)
Connect Scan Timing: About 3.56% done; ETC: 02:45 (8:06:55 remaining)
Connect Scan Timing: About 4.65% done; ETC: 00:58 (6:19:14 remaining)
Connect Scan Timing: About 5.74% done; ETC: 23:51 (5:11:52 remaining)
Connect Scan Timing: About 6.80% done; ETC: 23:07 (4:27:20 remaining)
Connect Scan Timing: About 7.86% done; ETC: 22:35 (3:54:35 remaining)
Connect Scan Timing: About 8.92% done; ETC: 22:10 (3:29:23 remaining)
Connect Scan Timing: About 9.97% done; ETC: 21:51 (3:09:35 remaining)
Connect Scan Timing: About 11.03% done; ETC: 21:35 (2:53:29 remaining)
Connect Scan Timing: About 12.10% done; ETC: 21:22 (2:39:48 remaining)
Connect Scan Timing: About 13.14% done; ETC: 21:12 (2:28:42 remaining)
Connect Scan Timing: About 14.18% done; ETC: 21:03 (2:19:10 remaining)
Connect Scan Timing: About 15.22% done; ETC: 20:55 (2:10:53 remaining)
Connect Scan Timing: About 16.36% done; ETC: 20:47 (2:02:56 remaining)
Connect Scan Timing: About 17.61% done; ETC: 20:40 (1:55:21 remaining)
Connect Scan Timing: About 18.96% done; ETC: 20:34 (1:48:10 remaining)
Connect Scan Timing: About 20.40% done; ETC: 20:28 (1:41:27 remaining)
Connect Scan Timing: About 22.06% done; ETC: 20:22 (1:34:42 remaining)
Connect Scan Timing: About 23.82% done; ETC: 20:17 (1:28:26 remaining)
Connect Scan Timing: About 25.69% done; ETC: 20:12 (1:22:35 remaining)
Connect Scan Timing: About 27.76% done; ETC: 20:07 (1:16:54 remaining)
Connect Scan Timing: About 30.04% done; ETC: 20:02 (1:11:24 remaining)
Connect Scan Timing: About 32.52% done; ETC: 19:58 (1:06:06 remaining)
Connect Scan Timing: About 35.11% done; ETC: 19:55 (1:01:11 remaining)
Connect Scan Timing: About 37.90% done; ETC: 19:51 (0:56:27 remaining)
Connect Scan Timing: About 40.89% done; ETC: 19:48 (0:51:53 remaining)
Connect Scan Timing: About 44.10% done; ETC: 19:45 (0:47:29 remaining)
Connect Scan Timing: About 47.47% done; ETC: 19:43 (0:43:09 remaining)
Connect Scan Timing: About 51.04% done; ETC: 19:40 (0:38:59 remaining)
Connect Scan Timing: About 54.83% done; ETC: 19:38 (0:34:58 remaining)
Connect Scan Timing: About 58.83% done; ETC: 19:36 (0:31:02 remaining)
Connect Scan Timing: About 62.97% done; ETC: 19:34 (0:27:16 remaining)
Connect Scan Timing: About 67.32% done; ETC: 19:32 (0:23:31 remaining)
Connect Scan Timing: About 71.78% done; ETC: 19:31 (0:19:54 remaining)
Connect Scan Timing: About 76.34% done; ETC: 19:30 (0:16:22 remaining)
Connect Scan Timing: About 81.08% done; ETC: 19:28 (0:12:51 remaining)
Connect Scan Timing: About 85.94% done; ETC: 19:27 (0:09:24 remaining)
Discovered open port 49152/tcp on 192.168.1.254
Connect Scan Timing: About 90.81% done; ETC: 19:26 (0:06:03 remaining)
Connect Scan Timing: About 95.77% done; ETC: 19:25 (0:02:45 remaining)
Completed Connect Scan at 19:25, 3855.07s elapsed (65535 total ports)
Nmap scan report for dsldevice.attlocal.net (192.168.1.254)
Host is up (0.0014s latency).
Not shown: 65525 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
53/tcp    open     domain
80/tcp    open     http
111/tcp   filtered rpcbind
443/tcp   open     https
7547/tcp  filtered cwmp
10999/tcp filtered unknown
49152/tcp open     unknown
51001/tcp filtered unknown
51010/tcp filtered unknown
61001/tcp filtered unknown

Read data files from: /snap/nmap/3159/usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3855.12 seconds

Noticed the open 49152 port and tried to SSH into it, but no luck.

$ ssh -vvvv -p 49152 admin@192.168.1.254
OpenSSH_9.4p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/user/.ssh/config
debug1: /Users/user/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.1.254 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/user/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/user/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.1.254 [192.168.1.254] port 49152.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type 0
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.4
kex_exchange_identification: Connection closed by remote host
Connection closed by 192.168.1.254 port 49152

CE1CECL commented 11 months ago

@CE1CECL

Give me the results of nmap -p- 192.168.1.254, mine are (change to your gateway ip, if needed):

Using firmware version 3.18.2, modem packet filter and advanced firewall disabled, firewall on computer disabled.

On macOS 14.1:

$ nmap -p- 192.168.1.154
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-03 16:15 PDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
$ nmap -Pn 192.168.1.154
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-03 16:15 PDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.154
Host is up (0.000014s latency).
All 1000 scanned ports on 192.168.1.154 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
$ ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=2.379 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=1.421 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=1.513 ms
^C
--- 192.168.1.254 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.421/1.771/2.379/0.432 ms

On Ubuntu 22.04:

$ nmap -v -p- 192.168.1.254
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-03 18:20 PDT
Initiating Ping Scan at 18:20
Scanning 192.168.1.254 [2 ports]
Completed Ping Scan at 18:20, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:20
Completed Parallel DNS resolution of 1 host. at 18:20, 0.00s elapsed
Initiating Connect Scan at 18:20
Scanning dsldevice.attlocal.net (192.168.1.254) [65535 ports]
Discovered open port 443/tcp on 192.168.1.254
Discovered open port 53/tcp on 192.168.1.254
Discovered open port 80/tcp on 192.168.1.254
Increasing send delay for 192.168.1.254 from 0 to 5 due to 34 out of 111 dropped probes since last increase.
Increasing send delay for 192.168.1.254 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.1.254 from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.1.254 from 20 to 40 due to 11 out of 11 dropped probes since last increase.
Connect Scan Timing: About 0.31% done
Connect Scan Timing: About 1.39% done; ETC: 14:46 (20:08:17 remaining)
Connect Scan Timing: About 2.48% done; ETC: 06:07 (11:29:01 remaining)
Connect Scan Timing: About 3.56% done; ETC: 02:45 (8:06:55 remaining)
Connect Scan Timing: About 4.65% done; ETC: 00:58 (6:19:14 remaining)
Connect Scan Timing: About 5.74% done; ETC: 23:51 (5:11:52 remaining)
Connect Scan Timing: About 6.80% done; ETC: 23:07 (4:27:20 remaining)
Connect Scan Timing: About 7.86% done; ETC: 22:35 (3:54:35 remaining)
Connect Scan Timing: About 8.92% done; ETC: 22:10 (3:29:23 remaining)
Connect Scan Timing: About 9.97% done; ETC: 21:51 (3:09:35 remaining)
Connect Scan Timing: About 11.03% done; ETC: 21:35 (2:53:29 remaining)
Connect Scan Timing: About 12.10% done; ETC: 21:22 (2:39:48 remaining)
Connect Scan Timing: About 13.14% done; ETC: 21:12 (2:28:42 remaining)
Connect Scan Timing: About 14.18% done; ETC: 21:03 (2:19:10 remaining)
Connect Scan Timing: About 15.22% done; ETC: 20:55 (2:10:53 remaining)
Connect Scan Timing: About 16.36% done; ETC: 20:47 (2:02:56 remaining)
Connect Scan Timing: About 17.61% done; ETC: 20:40 (1:55:21 remaining)
Connect Scan Timing: About 18.96% done; ETC: 20:34 (1:48:10 remaining)
Connect Scan Timing: About 20.40% done; ETC: 20:28 (1:41:27 remaining)
Connect Scan Timing: About 22.06% done; ETC: 20:22 (1:34:42 remaining)
Connect Scan Timing: About 23.82% done; ETC: 20:17 (1:28:26 remaining)
Connect Scan Timing: About 25.69% done; ETC: 20:12 (1:22:35 remaining)
Connect Scan Timing: About 27.76% done; ETC: 20:07 (1:16:54 remaining)
Connect Scan Timing: About 30.04% done; ETC: 20:02 (1:11:24 remaining)
Connect Scan Timing: About 32.52% done; ETC: 19:58 (1:06:06 remaining)
Connect Scan Timing: About 35.11% done; ETC: 19:55 (1:01:11 remaining)
Connect Scan Timing: About 37.90% done; ETC: 19:51 (0:56:27 remaining)
Connect Scan Timing: About 40.89% done; ETC: 19:48 (0:51:53 remaining)
Connect Scan Timing: About 44.10% done; ETC: 19:45 (0:47:29 remaining)
Connect Scan Timing: About 47.47% done; ETC: 19:43 (0:43:09 remaining)
Connect Scan Timing: About 51.04% done; ETC: 19:40 (0:38:59 remaining)
Connect Scan Timing: About 54.83% done; ETC: 19:38 (0:34:58 remaining)
Connect Scan Timing: About 58.83% done; ETC: 19:36 (0:31:02 remaining)
Connect Scan Timing: About 62.97% done; ETC: 19:34 (0:27:16 remaining)
Connect Scan Timing: About 67.32% done; ETC: 19:32 (0:23:31 remaining)
Connect Scan Timing: About 71.78% done; ETC: 19:31 (0:19:54 remaining)
Connect Scan Timing: About 76.34% done; ETC: 19:30 (0:16:22 remaining)
Connect Scan Timing: About 81.08% done; ETC: 19:28 (0:12:51 remaining)
Connect Scan Timing: About 85.94% done; ETC: 19:27 (0:09:24 remaining)
Discovered open port 49152/tcp on 192.168.1.254
Connect Scan Timing: About 90.81% done; ETC: 19:26 (0:06:03 remaining)
Connect Scan Timing: About 95.77% done; ETC: 19:25 (0:02:45 remaining)
Completed Connect Scan at 19:25, 3855.07s elapsed (65535 total ports)
Nmap scan report for dsldevice.attlocal.net (192.168.1.254)
Host is up (0.0014s latency).
Not shown: 65525 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
53/tcp    open     domain
80/tcp    open     http
111/tcp   filtered rpcbind
443/tcp   open     https
7547/tcp  filtered cwmp
10999/tcp filtered unknown
49152/tcp open     unknown
51001/tcp filtered unknown
51010/tcp filtered unknown
61001/tcp filtered unknown

Read data files from: /snap/nmap/3159/usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3855.12 seconds

Noticed the open 49152 port and tried to SSH into it, but no luck.

$ ssh -vvvv -p 49152 admin@192.168.1.254
OpenSSH_9.4p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/user/.ssh/config
debug1: /Users/user/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.1.254 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/user/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/user/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.1.254 [192.168.1.254] port 49152.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type 0
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.4
kex_exchange_identification: Connection closed by remote host
Connection closed by 192.168.1.254 port 49152

nmap -sV -O -p49152 192.168.1.254 may help to see what it is?

metametapod commented 11 months ago

# nmap -sV -O -p49152 192.168.1.254
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-04 11:40 PDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.254
Host is up (0.0024s latency).

PORT      STATE SERVICE VERSION
49152/tcp open  upnp    Cisco-Linksys E4200 WAP upnpd (UPnP 1.0)
MAC Address: redacted (Arris Group)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 - 5.5 (99%), Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (96%), Sony X75CH-series Android TV (Android 5.0) (95%), Linux 3.1 (95%), Linux 3.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: CPE: cpe:/h:cisco:e4200

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.46 seconds

laytonio commented 1 month ago

Hi @CE1CECL

Any chance you still have the version with the open ssh port and can share?

Thanks

CE1CECL commented 1 month ago

Hi @CE1CECL

Any chance you still have the version with the open ssh port and can share?

Thanks

I'm not sure if its a version thing, because it only enabled once you hook it up online. However (this dump is from the latest firmware on the BGW320-505 since I no long have the BGW210-700) it seems they disabled it:

# nmap -sV -O -p- 192.168.1.254
Starting Nmap 7.92 ( https://nmap.org ) at 2024-08-21 10:49 EDT
Nmap scan report for dsldevice.attlocal.net (192.168.1.254)
Host is up (0.0023s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE    SERVICE  VERSION
53/tcp    open     domain   dnsmasq 2.89
80/tcp    open     http     lighttpd 1.4.69
111/tcp   filtered rpcbind
443/tcp   open     ssl/http lighttpd 1.4.69
7547/tcp  filtered cwmp
10999/tcp filtered unknown
49000/tcp filtered matahari
51001/tcp filtered unknown
51002/tcp filtered unknown
51010/tcp filtered unknown
61001/tcp filtered unknown
MAC Address: F8:9B:6E:73:96:21 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.42 seconds

I do have the full archive to the firmware from the gateway site when it did show the list of files (I just checked it again, and it says Access denied) if anyone wants it, I just have to find a place to share, either on archive.org or github if it all fits. I did have a spare Pace 5268AC and the same thing happened when I tried it.

laytonio commented 1 month ago

Hi @CE1CECL Any chance you still have the version with the open ssh port and can share? Thanks

I'm not sure if its a version thing, because it only enabled once you hook it up online. However (this dump is from the latest firmware on the BGW320-505 since I no long have the BGW210-700) it seems they disabled it:

I do have the full archive to the firmware from the gateway site when it did show the list of files (I just checked it again, and it says Access denied) if anyone wants it, I just have to find a place to share, either on archive.org or github if it all fits. I did have a spare Pace 5268AC and the same thing happened when I tried it.

Thanks for the quick reply. Yeah not a huge deal if you cant find a place. Seems a lot of the archives are getting taken down. I found this for the moment, https://archive.org/download/BGW210-700-Firmware-Collection. I did see on discord that there are at least 4 different 3.18.2 hashes so I was hoping I just couldn't find the right one.

bypassrg / att

Firmware upgrade failed due to version incompatibility. #13