
ILpt4U
Premium Member
join:2006-11-12
Saint Louis, MO
ARRIS TM822
Asus RT-N66

ILpt4U to alex14464


Re: Fair warning! 3rd party purchase of U-verse IPDSLAM modem

said by alex14464:

there has to be a way to get this firmware somehow? like the 2wire 2700 I had, took me a while to find it but got it

I agree, there has to be a way to get it.

Is it possible to rip it out of a current updated 2210?

DataRiker
Premium Member
join:2002-05-19
00000


said by ILpt4U:

said by alex14464:

there has to be a way to get this firmware somehow? like the 2wire 2700 I had, took me a while to find it but got it

I agree, there has to be a way to get it.

Is it possible to rip it out of a current updated 2210?

Generally dumping firmware on modems is no easy task. Usually need an exploit, so I would say unlikely.

ILpt4U
Premium Member
join:2006-11-12
Saint Louis, MO
ARRIS TM822
Asus RT-N66


Next question then:

David notes that the firmware is still being pushed to active devices on the network that have the old firmware (key word: devices already active)

That says to me that somewhere on an AT&T server that firmware is sitting there to download...

That firmware has to have a location... a URL, an IP, something...

DataRiker
Premium Member
join:2002-05-19
00000

DataRiker to David

Methinks it would be easier to put a non-updated model live with a packet trapper in the middle (any Linux box with two Ethernet ports should be apt)

Should be able to isolate the file that way.

The fact that you have to do that is ridiculous.

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff to ILpt4U

Obviously, AT&T could just release the firmware update. But they won't because they want that $100 modem fee and don't care about screwing over the customer.

I'm debating whether or not to dump the contents of the memory chip in the modem and try to locate the certificate. I suppose I'd need an updated 2210 to extract the correct cert (or maybe I can get it from the NVG510 they're sending me).

Thinkdiff to DataRiker

said by DataRiker:

Methinks it would be easier to put a non-updated model live with a packet trapper in the middle (any Linux box with two Ethernet ports should be apt)

Should be able to isolate the file that way.

The fact that you have to do that is ridiculous.

The issue is you'd have to sniff the DSL packets/frames (which are presumably encrypted, causing this problem in the first place) because you won't see the activity on the LAN side of the modem.

DataRiker
Premium Member
join:2002-05-19
00000


Yes, you're right, the WAN traffic would be encrypted certainly.

I didn't think it through

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff to David

Not that it needs any more confirmation, but my DSL was activated today and, as expected, the 2210 doesn't work. Fails at authentication.

Still not sure how much effort I want to put into fixing this. Might just purchase a NVG510 off eBay for now until I have more time.

Certainly doesn't leave a good taste in my mouth as a new customer, not that I liked AT&T much to begin with.

life
@sbcglobal.net

life to Thinkdiff

Anon

Hey man, you're in Cali, right?? Simply find a forum over at UCal/Berkeley and talk to some linux/unix geeks.. .. .. problem solved. someone over there will at least be able to point you to how to access/program the darn thing from command line; if you're so inclined. take care. Have A Healthy, Prosperous Day!
---out here.. .. ..
---10th SFG(A) --> 'kill 'em all....let god sort 'em out!"

DataRiker
Premium Member
join:2002-05-19
00000


said by life:

Hey man, you're in Cali, right?? Simply find a forum over at UCal/Berkeley and talk to some linux/unix geeks.. .. .. problem solved. someone over there will at least be able to point you to how to access/program the darn thing from command line; if you're so inclined. take care. Have A Healthy, Prosperous Day!
---out here.. .. ..
---10th SFG(A) --> 'kill 'em all....let god sort 'em out!"

No.

If it were just a matter of linux I could certainly help you out. Most modems have the firmware tightly locked.

Although I don't own nor have ever used this modem, so I could be wrong.

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff to life

I'm a graduate student at USC in Computer Engineering, so I think I can handle getting into the router on my own

It's just a question of whether or not I want to spend time doing that. I purchased a NVG510 off eBay for $10, so that will probably lessen my desire to break into the 2210.

Thinkdiff to DataRiker

said by DataRiker:

No.

If it were just a matter of linux I could certainly help you out. Most modems have the firmware tightly locked.

Although I don't own nor have ever used this modem, so I could be wrong.

I'm thinking there are a number of ways into this thing:

1. It has a built-in, but disabled, Telnet server. If I could activate the telnet server, it seems like changing out the cert is straightforward (from the Netopia manual for the generic 2210).

2. It probably has either a JTAG or COM interface (or both). I popped it open, but didn't find any locations on the board that screamed JTAG/COM to me. There are a number of highlighted test points (one group of 7, another group of 3). I'm thinking there could be something there.

3. Dump the whole filesystem, find the cert, and replace it/reflash the memory

Unfortunately 1 and 3 require reading out the memory chip, which is definitely possible, but the setup time could be extensive. 2 is easy if you get lucky and find the interface you're looking for quickly, but that's a long shot. It'd be better if I could find a datasheet for the Infineon psb7100 chip inside the modem, but I haven't found one.

Edit: some more digging turned up that the PSB 7100 is based on an old TI AR7 design, which does have a UART interface. No idea if that interface has stuck around in the Infineon branded chips, but it seems like a good place to start.

cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501


If you have the new cert, yes. But that's the problem... you'd have to "hack" one that works to get its cert to fix the one that doesn't. And if you have one that works, you don't need to do any of this.

(BTW, there are ways to get the serial console / telnet access enabled on the NVG. Retrieving the cert is another matter.)

DataRiker
Premium Member
join:2002-05-19
00000


said by cramer:

If you have the new cert, yes. But that's the problem... you'd have to "hack" one that works to get its cert to fix the one that doesn't. And if you have one that works, you don't need to do any of this.

(BTW, there are ways to get the serial console / telnet access enabled on the NVG. Retrieving the cert is another matter.)

Exactly

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff to cramer

Success

ILpt4U
Premium Member
join:2006-11-12
Saint Louis, MO


Any details on how said success has been attained?

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY


I'll throw together a quick tutorial when I have some time over the next few days. To summarize: copy AT&T/Moto root CA certs from NVG510, activate telnet on the 2210, install new certs, reboot.

It's actually a good thing AT&T sent me a NVG510. It's much easier to get the CA certs from it compared to the 2210.

ILpt4U
Premium Member
join:2006-11-12
Saint Louis, MO


Has your 2210, now that it has connected, tried to download the new firmware yet?

The process seems fairly straightforward -- well done =)

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff to David

Not sure if this is allowed. If it isn't, mods you can remove it or ATT people, PM me and I will take it down ASAP.

Here's what I believe to be the 7.8.7r27 firmware for the 2210.

MD5 (nta787r27_attsw.bin) = 715b2b5d3071731fffbb91ca686a5377

WARNING: I have NOT tested this. I have no idea if it works. I have no idea if it will brick your modem. I have no idea if it will allow your outdated 2210 to get online. You use this completely at your own risk.
That being said, if you try it and it works, let me know

Thinkdiff to ILpt4U

said by ILpt4U:

Has your 2210, now that it has connected, tried to download the new firmware yet?

The process seems fairly straightforward -- well done =)

I finally let the modem stay online for more than a few seconds tonight (I pulled the plug the other day after seeing authentication pass so it wouldn't update). It connected to the ATT CWMP server, received a config file (I think), then it downloaded the firmware file. All this occurred within 30 seconds of the modem being online.

About a minute later, it flashed the firmware file and automatically rebooted into 7.8.7r27.

geraldo
@sbcglobal.net

geraldo to Mangix

Anon

If I'm not mistaken, the 2310 is for VDSL, not ADSL. Might be a different method of authenticating.

ILpt4U
Premium Member
join:2006-11-12
Saint Louis, MO
ARRIS TM822
Asus RT-N66


said by geraldo:

If I'm not mistaken, the 2310 is for VDSL, not ADSL. Might be a different method of authenticating.

The 2310 is for VDSL, but both the ADSL2+ and VDSL2 modems use the Certificate Authentication

alex14464
join:2004-11-11
Bonne Terre, MO

alex14464 to Thinkdiff

Member

I tried it and it works!!!!! Thanks Thinkdiff, just downloaded the zip, unzipped and updated my modem and it came right on

brg
Premium Member
join:2001-01-03
Chicago, IL


said by alex14464:

I tried it and it works!!!!! Thanks Thinkdiff, just downloaded the zip, unzipped and updated my modem and it came right on

Can you document how you updated the modem?

madbear
join:2000-09-03
Veedersburg, IN

Member

Well, last night I screwed my courage to the sticking point, and gave it a try...

Success!

Easy - unzip the file, go into the modem's "Advanced" menu and select "Update Modem." Browse to the unzipped .bin file location, select the firmware update and proceed (sorry, I can't remember the exact button names). The update happens in a few seconds.

I went back in under "Connection Configuration" and selected "Yes, use public IP address" and configured my WNR3500L to get the Internet IP address dynamically from ISP (the 2210 with the current firmware passes the subnet mask correctly to the router, unlike the NVG510), and I was in business.

The log file from initial powerup while connected to the line initially shows the 802.1X Supplicant - FAILURE error, but after about a minute shows "Client Acquired Net Parameters". There's something about "Certificate Verify Success", "Connection Request username changed" and "Connection Request password changed" in there as well.

So all seems well... for the time being. Does anyone know how often those certificates are updated? I really like having a spare modem around in case of emergency, but am I going to have to pull it out of storage every few months and connect it to keep its firmware/certificates current?

And thanks for posting r27!

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY


said by madbear:

So all seems well... for the time being. Does anyone know how often those certificates are updated? I really like having a spare modem around in case of emergency, but am I going to have to pull it out of storage every few months and connect it to keep its firmware/certificates current?

Here are the expiration dates for the certificates I extracted from the NVG510. I assume r27 contains the same ones:

SBC Services, Inc Root CA - August 22, 2012
SBC Services, Inc. Enhanced Services CA - August 22, 2012
ATT Services Inc Root CA - February 24, 2031
ATT Services Inc Enhanced Services CA - February 24, 2021
Motorola 802.1x Root CA - June 19, 2019
Motorola 802.1x AAA server CA - June 19, 2019
 

So it looks like you're safe until June 19, 2019, unless AT&T decides to change something else. If the Motorola CA isn't used, then you have even longer (2021)!
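
The question above, whether a spare modem kept in storage will still authenticate later, comes down to when the CA certificates in its trust store expire. The following is an added example, not part of the thread: a shell function that audits a directory of CA certificates with `openssl` and flags any that are expired or expire within a given number of days. The function name `check_ca_expiry` and the assumption that the certificates are available as `*.pem` files in one directory are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): audit CA certificate expiry dates.
# Assumption: the CA certificates are PEM files named *.pem in one directory.
#
# check_ca_expiry DIR [DAYS]
#   Prints one status line per certificate and returns 1 if any certificate
#   is unreadable, already expired, or expires within DAYS (default 365).
check_ca_expiry() {
    dir=$1
    days=${2:-365}
    secs=$((days * 86400))
    rc=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        # A file that does not parse as X.509 is reported, not skipped.
        subject=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null) || {
            echo "UNREADABLE $pem"
            rc=1
            continue
        }
        end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
        # -checkend N exits non-zero if the cert expires within N seconds.
        if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
            status=EXPIRED
            rc=1
        elif ! openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null; then
            status=EXPIRING
            rc=1
        else
            status=OK
        fi
        printf '%-9s %s  (%s)  %s\n' "$status" "$end" "${subject#subject=}" "$pem"
    done
    return $rc
}
```

The earliest date among the CAs actually used in the authentication chain is the one that matters, so a non-zero return for a CA that is no longer used is informational only.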

madbear
join:2000-09-03
Veedersburg, IN

Member

Heh - it'll be a really sorry state of affairs if I'm still on IP-DSLAM U-verse in 7 years...

But stranger things have happened!

Thanks again

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff to David

FWIW, it seems that the NVG 510 also has the same problem. I purchased one off eBay and it failed authentication the first time I plugged it in. Somehow it was able to download a firmware update and apply it automatically, though. Would've been nice if that functionality was included on the 2210!

andrewcfitz
join:2012-01-23

andrewcfitz to David

Member

Will this one work? Or do I need an AT&T specific one?

»www.amazon.com/Motorola- ··· 02KCNW2Y

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY


Just judging by the picture, that won't work. You need the black Motorola 2210-02-1ATT.