
Ripping 802.1x from NVG589 and rooting it to bypass AT&T's residential gateway

Primary language: Shell. License: MIT.

BypassAttRG

This method extracts the 802.1x certificates and key material from an NVG589 so that another router can authenticate to AT&T in its place.


Prerequisites

  • Python 3 for the local HTTP server. There are many alternatives (e.g. MobaXterm).
  • Basic knowledge of POSIX commands (cd, mkdir, wget, etc.).
  • An NVG589.


Extract Certificates

The certificates extracted from both NVG589 and NVG599 work.

NVG589

Rooting

Credit: nomotion

  • If your firmware version is <= 9.1.0h12d15_1.1, the following method may work for you (I didn't test this method):
    A complete bricking guide for Motorola/Arris NVG589.
  • Otherwise, downgrade (or upgrade) to 9.2.2h0d83.
  • Reset the NVG589 and log in with ssh remotessh@192.168.1.254 (password: 5SaP9I26).
    • If ssh is not enabled at this point, upgrade to 9.2.2h4d16,
    • then downgrade back to 9.2.2h0d83.
    • ssh should now be enabled. Please let me know if you find an easier and simpler method.
  • On the NVG589, run the following commands in order (Credit: samlii@dslreports). The restricted cshell only exposes commands such as ping, but it passes the argument string on unfiltered, so everything after the semicolon runs as a second command: the first two lines register /bin/nsh and /bin/sh as valid login shells, the third changes the remotessh account's shell from cshell to nsh in /etc/passwd.
    ping -c 1 192.168.1.254;echo /bin/nsh >>/etc/shells
    ping -c 1 192.168.1.254;echo /bin/sh >>/etc/shells
    ping -c 1 192.168.1.254;sed -i 's/cshell/nsh/g' /etc/passwd
    
  • Exit (exit) and ssh back in: ssh remotessh@192.168.1.254 (password: 5SaP9I26)
  • Type ! to switch to a root shell.

Extract Certificates

  • On the NVG589, run the following commands in order. Make sure you are in the root shell. The first line mounts the manufacturing partition and copies mfg.dat out of it; the remaining lines pack /etc/rootcert/ into a tar archive and place both files in the gateway's web root so they can be fetched over the LAN.
    mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /tmp/ && umount /mfg
    cd /tmp
    tar cf cert.tar /etc/rootcert/
    cp cert.tar /www/att/images
    cp /tmp/mfg.dat /www/att/images
    
  • Download http://192.168.1.254/images/mfg.dat and http://192.168.1.254/images/cert.tar to your local device. Anyone on the LAN can fetch these files from the same URLs, and together they are the credentials the gateway authenticates with, so delete the copies from /www/att/images (and /tmp) once you have them.


Configuring 802.1x authentication

Decode Credentials

Credit: devicelocksmith

  • Download decoder v1.0.4: win, linux, mac
  • Copy mfg.dat and the extracted contents of cert.tar into the same directory as mfg_dat_decode.
  • Run mfg_dat_decode. You should get an archive named like EAP-TLS_8021x_XXXX.tar.gz containing the CA, client certificate, private key and a wpa_supplicant.conf.
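Before copying the decoded bundle to the router it is worth confirming that the three PEM files actually belong together. The script below is an added example, not part of this repository or of the decoder: it assumes openssl is on PATH and that the bundle uses the CA_XXXX.pem / Client_XXXX.pem / PrivateKey_PKCS1_XXXX.pem naming shown in this guide. A private key that does not match the client certificate can never complete the EAP-TLS handshake, so that case is a hard failure; chain and expiry problems are reported as warnings, because only AT&T's authenticator, not your local openssl, decides what it trusts. The demo bundle it generates is a throwaway CA and client certificate constructed purely so the checker can be run offline.

```sh
#!/bin/sh
# Added example (not part of bypassrg/att): sanity-check a decoded EAP-TLS bundle.
# Assumes: openssl on PATH; RSA key material (PKCS#1 or PKCS#8 both work with
# "openssl rsa"); file naming as in the guide (names below are placeholders).

# check_bundle CA CLIENT KEY
# Returns 1 if a file is unreadable or the key does not belong to the certificate,
# prints WARN lines for chain/expiry problems, returns 0 otherwise.
check_bundle() {
    ca=$1; client=$2; key=$3
    # 1. The private key must be the one the client certificate was issued for:
    #    compare the RSA modulus embedded in each.
    cert_mod=$(openssl x509 -noout -modulus -in "$client" 2>/dev/null) \
        || { echo "FAIL: cannot read certificate $client"; return 1; }
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) \
        || { echo "FAIL: cannot read private key $key"; return 1; }
    [ "$cert_mod" = "$key_mod" ] \
        || { echo "FAIL: $key does not match $client (wrong or corrupted decode)"; return 1; }
    # 2. The client certificate should chain to the CA file that came with it.
    openssl verify -CAfile "$ca" "$client" >/dev/null 2>&1 \
        || echo "WARN: $client does not verify against $ca (CA file may be incomplete)"
    # 3. It should still be valid right now (checkend 0 = "does not expire within 0 s").
    openssl x509 -noout -checkend 0 -in "$client" >/dev/null 2>&1 \
        || echo "WARN: $client has expired"
    echo "OK: key matches $(openssl x509 -noout -subject -in "$client")"
    return 0
}

# make_demo_bundle DIR
# Constructed throwaway material so the checker can be exercised offline:
# a self-signed CA, a client certificate it signs, the matching key, and one
# unrelated key for the mismatch case. None of this resembles real AT&T data.
make_demo_bundle() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/CA_DEMO.pem" >/dev/null 2>&1
    openssl req -batch -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$d/PrivateKey_DEMO.pem" -out "$d/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$d/client.csr" -CA "$d/CA_DEMO.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/Client_DEMO.pem" >/dev/null 2>&1
    openssl genrsa -out "$d/WrongKey.pem" 2048 >/dev/null 2>&1
}

# Stand-alone demo: one good bundle, one with the wrong key.
demo=$(mktemp -d)
make_demo_bundle "$demo"
check_bundle "$demo/CA_DEMO.pem" "$demo/Client_DEMO.pem" "$demo/PrivateKey_DEMO.pem"
check_bundle "$demo/CA_DEMO.pem" "$demo/Client_DEMO.pem" "$demo/WrongKey.pem" \
    || echo "(mismatch detected, as expected for the wrong key)"
rm -rf "$demo"
```

On a real bundle, call check_bundle with the three decoded files (CA_XXXX.pem, Client_XXXX.pem, PrivateKey_PKCS1_XXXX.pem); a FAIL on the modulus comparison means the decode or the extraction went wrong and there is no point continuing to the router steps.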

Update wpa_supplicant in Asuswrt-Merlin

I cannot use the built-in wpa_supplicant v0.6 in Asuswrt-Merlin to achieve my goal, so I compiled wpa_supplicant v2.7 from the Entware repository. Here I provide the necessary binary files. If you are working on a different model, you may need to compile wpa_supplicant from source; check this.

  • Start a Python HTTP server in the directory that holds the decoded archive: python -m http.server
  • ssh to your router. (You need to enable ssh in the web GUI first.)
  • Download the packages and unpack them: wget https://raw.githubusercontent.com/bypassrg/att/master/packages.tar.gz && tar -xzf packages.tar.gz
  • Download the EAP-TLS_8021x_XXXX archive from your local HTTP server. Use plain http, not https: python -m http.server does not serve TLS. wget http://YOUR_LOCAL_IP:8000/EAP-TLS_8021x_XXXX.tar.gz
    • Unpack it into /jffs/EAP: mkdir /jffs/EAP && tar xzf EAP-TLS_8021x_XXXX.tar.gz -C /jffs/EAP
    • Modify wpa_supplicant.conf so that every *.pem entry is an absolute path. wpa_supplicant resolves a relative path against its own working directory, not against the location of the conf file.
      ca_cert="/jffs/EAP/CA_XXXX.pem"
      client_cert="/jffs/EAP/Client_XXXX.pem"
      private_key="/jffs/EAP/PrivateKey_PKCS1_XXXX.pem"
      
  • Install Entware on your router, either:
    • on a USB drive (Entware), or
    • in jffs, by running entware_jffs.sh (read the script before piping it into sh):
      wget -O - https://raw.githubusercontent.com/bypassrg/att/master/entware_jffs.sh |sh
      • Check your router's architecture with uname -rm. If it is not armv7, you must use the correct Entware installation script for it:
      • Deploying Entware
      • and replace the URL in entware_jffs.sh accordingly.
  • Install wpa_supplicant and its dependencies. The last line appends the start command to Entware's rc.unslung so that wpa_supplicant is launched whenever Entware starts (i.e. at boot); run that line only once or you will end up with duplicate entries.
    opkg update
    opkg install libubox
    echo -e "\ndest opt /opt" >> /opt/etc/opkg.conf
    opkg install -d opt libubus_2018-10-06-221ce7e7-1_armv7-2.6.ipk
    opkg install -d opt hostapd-common_2018-12-02-c2c6c01b-6_armv7-2.6.ipk
    opkg install -d opt wpa-supplicant_2018-12-02-c2c6c01b-6_armv7-2.6.ipk
    opkg install fake-hwclock
    echo -e "\n/opt/usr/sbin/wpa_supplicant -s -B -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf" >> /opt/etc/init.d/rc.unslung
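For orientation, this is the shape of a wired EAP-TLS wpa_supplicant.conf after the path edit above. It is an added illustration, not a file from this repository and not the decoder's verbatim output: the option names are standard wpa_supplicant ones, while the file names, the identity and the paths are placeholders. The phase1 line is an assumption taken from community configurations for this setup rather than something this guide states.

```conf
# /jffs/EAP/wpa_supplicant.conf (illustrative; XXXX placeholders, not real values)
eapol_version=1
# wired link: no scanning, no association
ap_scan=0
fast_reauth=1

network={
    key_mgmt=IEEE8021X
    eap=TLS
    # no dynamic WEP keying on a wired port
    eapol_flags=0
    # the EAP identity is the gateway's MAC address; the router's WAN MAC
    # is set to the same value in the web GUI (see below)
    identity="XX:XX:XX:XX:XX:XX"
    # absolute paths: a bare file name would be opened relative to the
    # directory wpa_supplicant was started from, not relative to this file
    ca_cert="/jffs/EAP/CA_XXXX.pem"
    client_cert="/jffs/EAP/Client_XXXX.pem"
    private_key="/jffs/EAP/PrivateKey_PKCS1_XXXX.pem"
    # assumption: seen in community configs for this setup, not from this guide
    phase1="allow_canned_success=1"
}
```

Keep the file and the PEMs readable only by root (chmod 600); the private key in it is what lets any device on AT&T's side of the ONT pass as your gateway.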
    

Configure Asuswrt-Merlin via web GUI

  • In the WAN tab, set MAC Address to the identity value, which you can find in wpa_supplicant.conf (the gateway's MAC address), so the router presents the same MAC on the WAN side that it authenticates with.
  • Enable AiProtection.
    • I guess this sets a VLAN tag on the network traffic, so we don't need pfSense or netgraph.
  • IPv6: set Connection type to Native.

Debug

  • The first time the certificates are used, authentication takes several rounds. Just wait.
  • Check /tmp/syslog.log on the router.
  • Or start wpa_supplicant manually in the foreground with debug output (stop the background instance first, so that two supplicants do not compete for eth0):
    /opt/usr/sbin/wpa_supplicant -dd -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf
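When reading /tmp/syslog.log, the useful signal is the sequence of CTRL-EVENT-EAP-* lines that wpa_supplicant emits: no EAP-STARTED at all means the authenticator never reached the interface (driver, interface name or VLAN problem), repeated EAP-FAILURE with no EAP-SUCCESS points at the certificates or the identity/MAC, and one EAP-SUCCESS after a few failures is the "several rounds" behaviour described above. The function below is an added example, not part of this repository; the log lines it is fed are constructed for the demo, using wpa_supplicant's standard event strings in syslog format.

```sh
#!/bin/sh
# Added example (not part of bypassrg/att): triage wpa_supplicant EAP events
# from a syslog extract. Assumes the standard CTRL-EVENT-EAP-* messages that
# wpa_supplicant logs (here via -s, i.e. syslog) are present in the file.

# eap_triage LOGFILE
# Prints one summary line on stdout and a hint on stderr.
# Exit status: 0 = authenticated at least once, 1 = attempts were rejected,
#              2 = the authenticator never started EAP with us.
eap_triage() {
    f=$1
    # grep -c prints 0 but exits 1 when nothing matches; "|| :" keeps set -e quiet
    started=$(grep -c 'CTRL-EVENT-EAP-STARTED' "$f" || :)
    failed=$(grep -c 'CTRL-EVENT-EAP-FAILURE' "$f" || :)
    success=$(grep -c 'CTRL-EVENT-EAP-SUCCESS' "$f" || :)
    echo "started=$started failed=$failed succeeded=$success"
    if [ "$success" -gt 0 ]; then
        echo "hint: authenticated; if the link still has no address, look at DHCP/VLAN, not at EAP" >&2
        return 0
    elif [ "$started" -eq 0 ]; then
        echo "hint: no EAP exchange at all; check -Dwired, the interface name and that eth0 faces the ONT" >&2
        return 2
    else
        echo "hint: authenticator rejected every attempt; re-check certificates, key and identity/MAC" >&2
        return 1
    fi
}

# make_sample_log FILE: constructed syslog lines (not a real capture) showing
# two rejected rounds followed by a successful one, as a first-use run might look.
make_sample_log() {
    cat > "$1" <<'EOF'
Jan  1 00:00:01 router wpa_supplicant[1234]: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan  1 00:00:02 router wpa_supplicant[1234]: eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jan  1 00:00:12 router wpa_supplicant[1234]: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan  1 00:00:13 router wpa_supplicant[1234]: eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jan  1 00:00:23 router wpa_supplicant[1234]: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan  1 00:00:24 router wpa_supplicant[1234]: eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EOF
}

# Stand-alone demo on the constructed log; on the router use: eap_triage /tmp/syslog.log
sample=$(mktemp)
make_sample_log "$sample"
eap_triage "$sample" || echo "(exit status $?)"
rm -f "$sample"
```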

Miscellaneous

Compile Entware packages from source

Some useful links

FAQ

  1. Q: Slow speed: the connection does not reach the speed I subscribed to.
    A: Make sure NAT acceleration is enabled (Web GUI -> Tools -> HW acceleration). If it reports that acceleration is incompatible with some services, you need to turn those services off.

To-dos

  • Cross-compile wpa_supplicant so that Entware is not needed.
  • Ask Merlin to update the bundled wpa_supplicant.
  • Try OpenWrt/DD-WRT to bypass AT&T's RG.
  • Write a doc on compiling Entware packages from source.

Donation

  • Bitcoin: 18hUjgNARRKWXr7hG9n62pWscZ4862TL6Q


Credits & References
