2 recommendations |
to dls
Re: [AT&T Fiber] Any way to bypass att modem using ASUS GT-AC5300?
Hypothetically could someone root a nvg589 and take those certs and use them in a residence that previously used the BGW210? |
|
dls join:2018-12-07 Chicago, IL
3 recommendations |
dls
Member
2019-Mar-2 12:33 am
Yes. ATT does not track the RGs, they just require one to authenticate. Your fiber service address is tied to ONT SNID. |
|
4 recommendations |
to bsdunix43
I just bought a 589 off eBay and it worked. Basically, you:
root it first (google)
Exact certs (google)
Copy it with a USB drive
Decode certs (same link with exact certs)
Copy it on to your router (I use er-4)
Start wpa_supplicant with certs
I just built wpa_supplicant for mips64. So you do not need extra packages. I can upload it if someone is interested. And also thanks to dls!! |
|
3 recommendations |
said by rainlake: I just built wpa_supplicant for mips64. So you do not need extra packages. I can upload it if someone is interested. And also thanks to dls!!
That would be great. Thanks! |
|
maczrool
2 recommendations |
to rainlake
What is “exact certs?” Extract certificates? Haven’t seen anything on Google to help with that. Guess I’ll just press on with physical access to the flash. |
|
2 recommendations |
to rainlake
Rainlake - I just scooped an ER-4; it would be great to see a wpa_supplicant version without the need for extra packages!! Feel free to share. Thanks! |
|
2 recommendations |
I've got an NVG589 from eBay and found some clear as mud instructions for rooting it but still not much on getting the cert out of it. Anyway, while stumbling along with the instructions which seem to be written out of order, it says I should see a '#' which I never get. When I follow their last bit of instructions before the # is supposed to appear which is "Open a terminal/cmd and run telnet 192.168.1.254 9999", in the telnet session I get "IP address 192.168.1.254 is local" rather than the #. Any idea what I'm doing wrong? |
|
Turbo6 join:2015-10-29 Newport Beach, CA
1 recommendation |
Turbo6
Member
2019-Mar-10 10:10 am
Paste a link to instructions here |
|
1 recommendation |
» github.com/MakiseKurisu/ ··· 589/wiki
I'm referring to the root access page. So far all I've been able to do is establish a telnet connection. Steps 1-3 on the page work. Steps 4-5 do not. If someone has firmware version 9.2.2h0d83 for the NVG589 that supports ssh then there is another way supposedly, but I can't try it as it doesn't work on the other versions of the firmware. |
|
|
maczrool
2 recommendations |
I got it rooted! I was using ‘ ‘ rather than ` `. Now on to retrieving the cert. |
|
2 recommendations |
Nice, keep us updated, placing a bid on ebay for a nvg589 to do this. |
|
2 recommendations |
yeah I have given up on trying this with a BGW210-700 ... guess my soldering skills aren't that great lol. I have a NVG589 coming in tomorrow so hopefully that is an easier path... |
|
1 recommendation |
DLS's method to extract the cert from the flash memory is the way to go. The firmware on the eBay gateways might be already patched where you can't downgrade to a rootable version. |
|
1 recommendation |
Maybe I lucked out but I had no trouble downgrading mine to a version that allows telnet. Only cost me $15. |
|
5 recommendations |
Was happy to break out the ole rework station and have something to actually do! Brought back memories of flashing the Motorola SB5100 modem with custom firmware. |
|
4 recommendations |
I looked into going the flash removal route but the investment in readers and adapters I’d probably never use again seemed unnecessary when there are software approaches available. |
|
2 recommendations |
to maczrool
What version of firmware was your NVG589 when you got it? Mine shipped with 9.2.2h4d16 and I can not downgrade it to the version listed in the github article.... sheesh... been at this for like over a month. |
|
bsdunix43
2 recommendations |
to brianlan
brianlan - I am desperate.. my solder skills are for crap.. is this the model of Flashcat you got? » www.embeddedcomputers.ne ··· B_xPort/
Also I can't find that exact model of TSOP-48 that you got there. |
|
2 recommendations |
You need that and the type B TSOP-48 adapter. |
|
3 edits
4 recommendations |
to bsdunix43
Yeah, it's a FlashcatUSB xPort with the TSOP-48 Type B Parallel Socket. Keep in mind I used this with the Spansion S34ML01G1 flash chip, from a NVG589. I haven't looked at the other makes and models to see what their flash chips are. So don't assume this is a one-size-fits-all solution.
Also, I give 100% of credit for the flash work to the folks over at devicelocksmith.com (dls) and the commenters to the posts. Without their R&D I wouldn't have ventured out this far on my own for this project. I took all the work there at DSL and extended the functionality to pfSense. Turns out the included version of wpa_supplicant with the latest version of pfSense (/usr/local/sbin/wpa_supplicant) is fully compatible with the generated certificate pack and config.
I think I will start a new thread about using pfSense and wpa_supplicant to auth with 802.1x on AT&T Fiber... |
|
2 recommendations |
Is there any particular reason to yank the chip when the cert can just be extracted from a rooted gateway? Is the process that much easier reading the flash directly? |
|
2 recommendations |
to Hero
Followed here to downgrade: » github.com/MakiseKurisu/ ··· owngrade
Followed here to root: » github.com/MakiseKurisu/ ··· t-Access
ATTN: when you run ping 'telnetd -l sh -p 9999', use quote to replace the `, and you will see a ping response in your window.
You can follow "https://github.com/MakiseKurisu/NVG589/wiki/Enable-USB-Storage-Device" to enable USB and mount it to copy files, or you can connect cables and set an IP address to scp.
Followed here to extract certs/keys: "https://www.devicelocksmith.com/2018/12/eap-tls-credentials-decoder-for-nvg-and.html". I used a USB drive to copy my files out.
You can follow his guide to install on ER-4, ER-X at "https://www.devicelocksmith.com/2019/01/configuring-8021x-authentication-using.html" or you can download my attached wpa_supplicant. I removed the dependency on readline and libpcsclite1, but it's for mips64 (like ER-4) only.
For me, I put it in /config/scripts, then created a script file in /config/scripts/post-config.d/wpa_supplicant.sh:
#!/usr/bin/env bash
# Start EAP-TLS on eth1
# Check if already running to avoid multiple instances
IF_WAN=eth1
PROCESS_NAME=wpa_supplicant
PROCESS_PATH=/config/scripts/wpa_supplicant
# Count running wpa_supplicant processes, ignoring grep and this script itself
PROCESS_COUNT=$(ps -A | grep "$PROCESS_NAME" | egrep -v "grep|$(basename "$0")" | grep -c "$PROCESS_NAME")
if [ "$PROCESS_COUNT" = 0 ] && [ -x "$PROCESS_PATH" ]; then
    "$PROCESS_PATH" -s -B -Dwired -i"$IF_WAN" -c/config/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
fi
Do not forget to chmod +x /config/scripts/wpa_supplicant and chmod +x /config/scripts/post-config.d/wpa_supplicant.sh
I put all certs in the /config/auth folder, so I have to edit /config/wpa_supplicant.conf
Also, do not forget to create a vlan0 on your WAN port and set its MAC address to the value in wpa_supplicant.conf |
|
rainlake
2 recommendations |
to maczrool
Open another terminal. You are not supposed to run it on your router. |
|
4 recommendations |
to Hero
These are my pfSense notes created from a lot of others' work on the interwebs. Use them after you have run dls decoder from » www.devicelocksmith.com and obtained the generated .pem's and wpa_supplicant.conf files.
1) Copy the certificates to /conf/ , which is a symlink to /cf/conf/ just so you know. This location survives system upgrades and reboots.
a) CA_001E46-XXXXXXXXXXXXXXX.pem
b) Client_001E46-XXXXXXXXXXXXXXX.pem
c) PrivateKey_PKCS1_001E46-XXXXXXXXXXXXXXX.pem
d) wpa_supplicant.conf
e) start_8021x.sh (see script below)
2) Current gotcha that I am still working through is why I am not able to complete authentication (802.1x Failure) when the ONT is directly plugged into the WAN (em0) port. But strangely enough if I use my previously used Netgear gs105e-v2 switch that I have ports 1 & 2 set to vlan id 1, connecting ONT to port 1 and pfSense WAN (em0) to port 2, the shit authenticates almost immediately. If anyone wants to tell me the solution to remove the switch from the traffic flow, that would be great, I'm about tired of trying new shit at this point :)
I think it's the fact WAN (em0) on pfSense is not tagging traffic to vlan id 0 and that's causing some trouble. I have been thinking of taking the netgraph code from » github.com/aus/pfatt to create an interface with traffic tagged with vlan id 0 then pointing wpa_supplicant.conf to that new interface and that will probably fix things, but who knows, it's late now and honestly if I have to leave the switch in place it's a non-issue. Everything is on a UPS backup and wpa_supplicant is running in daemon mode where if you disconnect/connect the circuit at any point, it will recover connectivity in less than a minute, hands off. That's good enough with me :)
The following script is what I am using with pfSense to start the authentication daemon and restart the em0 interface. Save the script as /conf/start_8021x.sh
Use the pfSense package 'Shellcmd' to run it at each system restart.
#!/usr/bin/env sh
INTERFACE="em0"
logger -s "WPA (${INTERFACE}): Beginning WPA authorization process."
WPA_DAEMON_CMD="/usr/local/sbin/wpa_supplicant -D wired -i ${INTERFACE} -c /conf/wpa_supplicant.conf -B"
# Kill any existing wpa_supplicant process.
PID=$(pgrep -f "wpa_supplicant.*${INTERFACE}")
# Test for a non-empty PID list ("[ ${PID} > 0 ]" would redirect output to a file named 0).
if [ -n "${PID}" ];
then
    logger -s "WPA (${INTERFACE}): Terminating existing supplicant on PID ${PID}."
    RES=$(kill ${PID})
fi
# Start wpa_supplicant daemon.
RES=$(${WPA_DAEMON_CMD})
PID=$(pgrep -f "wpa_supplicant.*${INTERFACE}")
logger -s "WPA (${INTERFACE}): Supplicant running on PID ${PID}."
# Wait until wpa_cli has authenticated.
WPA_STATUS_CMD="/usr/local/sbin/wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ${INTERFACE} | grep 'inet\ ' | cut -d' ' -f2"
logger -s "WPA (${INTERFACE}): Waiting for authorization."
while true;
do
    WPA_STATUS=$(eval ${WPA_STATUS_CMD})
    if [ "X${WPA_STATUS}" = X"Authorized" ];
    then
        logger -s "WPA (${INTERFACE}): Authorization completed."
        IP_STATUS=$(eval ${IP_STATUS_CMD})
        # Quoted so an empty result is handled as an empty string.
        if [ -z "${IP_STATUS}" ] || [ "${IP_STATUS}" = "0.0.0.0" ];
        then
            logger -s "WPA (${INTERFACE}): No IP address assigned, force restarting DHCP."
            RES=$(eval /etc/rc.d/dhclient forcerestart ${INTERFACE})
            IP_STATUS=$(eval ${IP_STATUS_CMD})
        fi
        logger -s "WPA (${INTERFACE}): IP address is ${IP_STATUS}."
        break
    else
        sleep 1
    fi
done
logger -s "WPA (${INTERFACE}): Process complete, exiting."
|
|
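The wait loop in the script above polls forever if 802.1X authorization never succeeds, which matters when it runs at boot. A bounded variant is sketched here as an added example that is not part of brianlan's post; the function names, the 60-second timeout and the sample status text are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: bounded wait for 802.1X authorization (not from the thread).

# Constructed sample of `wpa_cli status` output for a wired interface.
sample_status() {
    cat <<'EOF'
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
EOF
}

# Print the value of one key from key=value status text read on stdin.
# Exact key match, so "PortStatus" does not match "suppPortStatus".
status_field() {
    awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# Poll a status command until suppPortStatus is Authorized.
# $1 = status command, $2 = timeout in seconds, $3 = poll interval (default 1)
# Returns 0 once authorized, 1 if the timeout expires first.
wait_authorized() {
    cmd=$1; timeout=$2; interval=${3:-1}; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        # $cmd is left unquoted on purpose so "wpa_cli status" splits into words.
        state=$($cmd 2>/dev/null | status_field suppPortStatus)
        [ "$state" = "Authorized" ] && return 0
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 1
}

# Demo against the constructed sample; on a real box pass
# "/usr/local/sbin/wpa_cli status" (path taken from the post) instead.
if wait_authorized sample_status 60; then
    echo "authorized"
else
    echo "authorization timed out" >&2
fi
```

On timeout the caller can log the failure and exit non-zero rather than leaving a startup job spinning.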
(Software) pfSense Ubiquiti U6-Pro Ubiquiti U6-LR
2 recommendations |
said by brianlan: These are my pfSense notes created from a lot of others' work on the interwebs. Use them after you have run dls decoder from »www.devicelocksmith.com and obtained the generated .pem's and wpa_supplicant.conf files.
1) Copy the certificates to /conf/ , which is a symlink to /cf/conf/ just so you know. This location survives system upgrades and reboots.
a) CA_001E46-XXXXXXXXXXXXXXX.pem
b) Client_001E46-XXXXXXXXXXXXXXX.pem
c) PrivateKey_PKCS1_001E46-XXXXXXXXXXXXXXX.pem
d) wpa_supplicant.conf
e) start_8021x.sh (see script below)
2) Current gotcha that I am still working through is why I am not able to complete authentication (802.1x Failure) when the ONT is directly plugged into the WAN (em0) port. But strangely enough if I use my previously used Netgear gs105e-v2 switch that I have ports 1 & 2 set to vlan id 1, connecting ONT to port 1 and pfSense WAN (em0) to port 2, the shit authenticates almost immediately. If anyone wants to tell me the solution to remove the switch from the traffic flow, that would be great, I'm about tired of trying new shit at this point :)
I think it's the fact WAN (em0) on pfSense is not tagging traffic to vlan id 0 and that's causing some trouble. I have been thinking of taking the netgraph code from »github.com/aus/pfatt to create an interface with traffic tagged with vlan id 0 then pointing wpa_supplicant.conf to that new interface and that will probably fix things, but who knows, it's late now and honestly if I have to leave the switch in place it's a non-issue. Everything is on a UPS backup and wpa_supplicant is running in daemon mode where if you disconnect/connect the circuit at any point, it will recover connectivity in less than a minute, hands off. That's good enough with me :)

Thank you for your efforts! If fiber comes to my street, I can take a whack at this on my pfSense system as well. I had DSL but there was no ability to bypass there. I ended up cancelling recently and switching back to cable when my 12 months were up. |
|
2 recommendations |
to rainlake
Thanks for the detailed write up! I’ll see if I can get my cert out this weekend. Don’t yet have an ER-4 to test the rest. |
|
ke4pym Premium Member join:2004-07-24 Charlotte, NC
2 recommendations |
to brianlan
So aside from your auth issues, are you able to bypass the T box entirely with pfsense? |
|
F100 join:2013-01-15 Durham, NC Alcatel-Lucent G-010G-A (Software) pfSense Pace 5268AC
2 recommendations |
to brianlan
I remembered my Dad has a Motorola NVG-510 he used to use with AT&T DSL but later cancelled service. Would that work like the NVG589 does to get the certs?
That would be better for me than fishing on eBay. It's a DSL modem but if I remember from the threads here, AT&T uses the same certs on DSL and DSL/ONT based gateways. |
|
2 recommendations |
to ke4pym
said by ke4pym: So aside from your auth issues, are you able to bypass the T box entirely with pfsense?
Yes |
|
|
to maczrool
maczrool -
I can't attest to how easy it is to "extract" the cert(s) via chip method, however for us that don't have a rootable (I made that word up) modem then it looks to be our only option. |
|