This method works to rip the 802.1x keys from NVG589.
- Prerequisites
- Extract Certificates
- Configuring 802.1x authentication
- Miscellaneous
- Credits & References
## Prerequisites
- Python 3 for the local HTTP server. There are many alternatives (e.g. MobaXterm).
- Basic knowledge of POSIX commands (cd, mkdir, wget, etc.).
- An NVG589. The certificates extracted from both NVG589 and NVG599 work.

## Extract Certificates
### NVG589 (maybe NVG599)
Credit: nomotion
- If your firmware version is <= 9.1.0h12d15_1.1, the following method may work for you: A complete bricking guide for Motorola/Arris NVG589. (I didn't test this method.)
- Otherwise, downgrade (or upgrade) to 9.2.2h0d83:
  - Reset the NVG589 and run `ssh remotessh@192.168.1.254` (password: `5SaP9I26`).
  - If ssh is not enabled at this time, upgrade to 9.2.2h4d16.
  - Downgrade back to 9.2.2h0d83.
  - Now ssh should be enabled. Please let me know if you find an easier and simpler method.
- In the NVG589, run the following commands in order. (Credit: samlii@dslreports)
  ```
  ping -c 1 192.168.1.254;echo /bin/nsh >>/etc/shells
  ping -c 1 192.168.1.254;echo /bin/sh >>/etc/shells
  ping -c 1 192.168.1.254;sed -i 's/cshell/nsh/g' /etc/passwd
  ```
- Run `exit`, then ssh back in with `ssh remotessh@192.168.1.254` (password: `5SaP9I26`).
- Type `!`. It switches to the root shell.
- In the NVG589, run the following commands in order. Make sure you are in the root shell.
  ```
  mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /tmp/ && umount /mfg
  cd /tmp
  tar cf cert.tar /etc/rootcert/
  cp cert.tar /www/att/images
  cp /tmp/mfg.dat /www/att/images
  ```
- Download http://192.168.1.254/images/mfg.dat and http://192.168.1.254/images/cert.tar to your local device.
Credit: devicelocksmith
- Download decoder v1.0.4: win, linux, mac
- Copy mfg.dat and unzip cert.tar into the same location as mfg_dat_decode.
- Run mfg_dat_decode. You should get a file like this: EAP-TLS_8021x_XXXX.
## Configuring 802.1x authentication
I cannot use the built-in wpa_supplicant v0.6 in Asuswrt-Merlin to achieve my goal, so I compiled wpa_supplicant v2.7 from the Entware repository. Here I provide the necessary binary files. If you are working on a different model, you may need to compile wpa_supplicant from source; check this.
- Start the Python HTTP server on your local device:
  ```
  python -m http.server
  ```
- ssh to your router. (You need to enable ssh in the web GUI.)
- Download the packages and unzip them:
  ```
  wget https://raw.githubusercontent.com/bypassrg/att/master/packages.tar.gz && tar -xzf packages.tar.gz
  ```
- Download the EAP-TLS_8021x_XXXX file from your local HTTP server. (`python -m http.server` serves plain HTTP, so the URL is http://, not https://.)
  ```
  wget http://YOUR_LOCAL_IP:8000/EAP-TLS_8021x_XXXX.tar.gz
  ```
- Unzip and copy the files to /jffs/EAP:
  ```
  mkdir /jffs/EAP && tar xzf EAP-TLS_8021x_XXXX.tar.gz -C /jffs/EAP
  ```
- Modify wpa_supplicant.conf. Set each *.pem to its absolute path:
  ```
  ca_cert="/jffs/EAP/CA_XXXX.pem"
  client_cert="/jffs/EAP/Client_XXXX.pem"
  private_key="/jffs/EAP/PrivateKey_PKCS1_XXXX.pem"
  ```
- Install Entware on your router, either:
  - on a USB drive: Entware, or
  - in jffs, by running this script: entware_jffs.sh
    ```
    wget -O - https://raw.githubusercontent.com/bypassrg/att/master/entware_jffs.sh | sh
    ```
    - Check your router's architecture with `uname -rm`. If you are not using armv7, you must use the correct Entware installation script: Deploying Entware
    - Replace the URL in entware_jffs.sh accordingly.
- Install wpa_supplicant and its dependencies:
  ```
  opkg update
  opkg install libubox
  echo -e "\ndest opt /opt" >> /opt/etc/opkg.conf
  opkg install -d opt libubus_2018-10-06-221ce7e7-1_armv7-2.6.ipk
  opkg install -d opt hostapd-common_2018-12-02-c2c6c01b-6_armv7-2.6.ipk
  opkg install -d opt wpa-supplicant_2018-12-02-c2c6c01b-6_armv7-2.6.ipk
  opkg install fake-hwclock
  echo -e "\n/opt/usr/sbin/wpa_supplicant -s -B -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf" >> /opt/etc/init.d/rc.unslung
  ```
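Before the rc.unslung line above starts wpa_supplicant for the first time, it is worth checking that the three *.pem paths in wpa_supplicant.conf really are absolute and exist and that the identity value is the MAC-shaped string the WAN tab will need. The shell function below is an added example, not code from the bypassrg/att repository; it assumes the conf uses `key="value"` lines as shown above, that identity is MAC-shaped (this page says the WAN MAC Address field is set to it), and it builds a constructed stand-in for /jffs/EAP with empty placeholder .pem files instead of real certificates.

```sh
#!/bin/sh
# Added example (not part of the bypassrg/att project): sanity-check the EAP-TLS
# wpa_supplicant.conf before starting wpa_supplicant on the router. It verifies
# that ca_cert / client_cert / private_key are absolute paths to readable files
# (a relative *.pem path is a common reason certificate loading fails) and that
# identity has the MAC-address shape the WAN tab's MAC Address field expects.

# conf_value <conf> <key>: print the value of key="value" (quotes stripped), first match.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# check_eap_conf <conf>: report every problem found; return 0 only if all checks pass.
check_eap_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    for key in ca_cert client_cert private_key; do
        path=$(conf_value "$conf" "$key")
        case "$path" in
            "") echo "$key: missing"; rc=1 ;;
            /*) if [ -r "$path" ]; then echo "$key: ok ($path)"
                else echo "$key: file not found ($path)"; rc=1; fi ;;
            *)  echo "$key: not an absolute path ($path)"; rc=1 ;;
        esac
    done
    id=$(conf_value "$conf" identity)
    h='[0-9A-Fa-f][0-9A-Fa-f]'            # one octet of a MAC address
    case "$id" in
        $h:$h:$h:$h:$h:$h) echo "identity: $id (set this as the WAN MAC address)" ;;
        *) echo "identity: missing or not a MAC address ($id)"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo: a stand-in for /jffs/EAP under a temp dir, with empty
# placeholder .pem files (not real certificates) and a minimal conf.
DEMO=$(mktemp -d)
for f in CA_XXXX Client_XXXX PrivateKey_PKCS1_XXXX; do : > "$DEMO/$f.pem"; done
cat > "$DEMO/wpa_supplicant.conf" <<EOF
network={
    identity="00:11:22:33:44:55"
    ca_cert="$DEMO/CA_XXXX.pem"
    client_cert="$DEMO/Client_XXXX.pem"
    private_key="$DEMO/PrivateKey_PKCS1_XXXX.pem"
}
EOF
check_eap_conf "$DEMO/wpa_supplicant.conf"
```

On the router, run `check_eap_conf /jffs/EAP/wpa_supplicant.conf` and fix every line it reports before starting wpa_supplicant.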
## Miscellaneous
- In the WAN tab, set MAC Address to the identity value, which you can find in wpa_supplicant.conf.
- Enable AiProtection.
  - I guess this sets the VLAN tag on the network traffic, so we don't need pfSense or netgraph.
- IPv6: set Connection type to Native.
- If it is the first time the certificates are used, it takes several rounds of authentication. Just wait.
- Check /tmp/syslog.log on the router.
- Manually start wpa_supplicant with the debug option:
  ```
  /opt/usr/sbin/wpa_supplicant -dd -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf
  ```
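When waiting through those first rounds of authentication, a quick summary of the EAP events in /tmp/syslog.log (or in the -dd output) tells you whether the last round succeeded or whether you are looping on failures. This is an added example, not code from the bypassrg/att repository; it assumes wpa_supplicant's standard CTRL-EVENT-EAP-* messages and uses a constructed sample log rather than output captured from a real router.

```sh
#!/bin/sh
# Added example (not part of the bypassrg/att project): summarise the EAP
# events wpa_supplicant wrote to /tmp/syslog.log (or to its -dd output) so you
# can tell whether the "several rounds" of authentication ended in success.
# Assumes the standard wpa_supplicant CTRL-EVENT-EAP-* messages.

# eap_log_summary <logfile>: print "started=N success=N failure=N last=<event>"
# and return 0 only when the most recent EAP event is SUCCESS.
eap_log_summary() {
    started=$(grep -c 'CTRL-EVENT-EAP-STARTED' "$1" || true)   # grep -c exits 1 on zero matches
    success=$(grep -c 'CTRL-EVENT-EAP-SUCCESS' "$1" || true)
    failure=$(grep -c 'CTRL-EVENT-EAP-FAILURE' "$1" || true)
    last=$(grep -oE 'CTRL-EVENT-EAP-(STARTED|SUCCESS|FAILURE)' "$1" | tail -n 1 | sed 's/CTRL-EVENT-EAP-//')
    [ -n "$last" ] || last=none
    echo "started=$started success=$success failure=$failure last=$last"
    [ "$last" = SUCCESS ]
}

# Constructed sample log (not captured from a real router): one failed round
# followed by one successful round, in syslog-style lines.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan  1 00:00:01 router wpa_supplicant[1234]: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan  1 00:00:02 router wpa_supplicant[1234]: eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Jan  1 00:00:03 router wpa_supplicant[1234]: eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jan  1 00:00:10 router wpa_supplicant[1234]: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan  1 00:00:12 router wpa_supplicant[1234]: eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EOF
eap_log_summary "$SAMPLE_LOG" || echo "last EAP round did not succeed; run wpa_supplicant with -dd"
```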
Some useful links
- Q: Slow speed: the speed doesn't reach the speed I subscribed to.
  A: Please make sure NAT acceleration is enabled (Web GUI -> Tools -> HW acceleration). If it says it is incompatible with something, you need to turn off some services.
- Cross-compile wpa_supplicant, so we don't need to install Entware.
- Ask Merlin to update wpa_supplicant.
- Try to use OpenWrt/DD-WRT to bypass AT&T's RG.
- Write a doc for compiling Entware packages from source.
- Bitcoin: 18hUjgNARRKWXr7hG9n62pWscZ4862TL6Q
## Credits & References
- devicelocksmith: EAP-TLS credentials decoder and the method to extract /mfg/mfg.dat
- earlz: Rooting The NVG510 from the WebUI
- nomotion: NVG589 root exploit
- dslreports.com: a great forum with much useful information.
- jsolo1@dslreports.com: provides many helpful and useful suggestions.