bsdunix43
join:2019-02-11
Wilmington, NC

2 recommendations

bsdunix43 to dls

Member

to dls

Re: [AT&T Fiber] Any way to bypass att modem using ASUS GT-AC5300?

Hypothetically, could someone root an NVG589 and take those certs and use them in a residence that previously used the BGW210?

dls
join:2018-12-07
Chicago, IL

3 recommendations

dls

Member

Yes. ATT does not track the RGs, they just require one to authenticate. Your fiber service address is tied to ONT SNID.
rainlake
join:2006-10-03
Twinsburg, OH

4 recommendations

rainlake to bsdunix43

Member

to bsdunix43
I just bought a 589 off eBay and it worked
Basically, you root it first (google)
Exact certs (google)
Copy it with a USB drive
Decode certs (same link with exact certs)
Copy it onto your router (I use er-4)
Start wpa_supplicant with certs

I just built wpa_supplicant for mips64, so you do not need extra packages. I can upload it if someone is interested. And also thanks to dls!!
maczrool
join:2017-04-06
Memphis, TN

3 recommendations

maczrool

Member

said by rainlake:

I just built wpa_supplicant for mips64, so you do not need extra packages. I can upload it if someone is interested. And also thanks to dls!!

That would be great. Thanks!
maczrool

2 recommendations

maczrool to rainlake

Member

to rainlake
said by rainlake:

Exact certs (google)

What is “exact certs?” Extract certificates? Haven’t seen anything on Google to help with that. Guess I’ll just press on with physical access to the flash.
bsdunix43
join:2019-02-11
Wilmington, NC

2 recommendations

bsdunix43 to rainlake

Member

to rainlake
Rainlake - I just scooped an ER-4. It would be great to see a wpa_supplicant version without the need for extra packages!! Feel free to share. Thanks!
maczrool
join:2017-04-06
Memphis, TN

2 recommendations

maczrool

Member

I've got an NVG589 from eBay and found some clear as mud instructions for rooting it but still not much on getting the cert out of it. Anyway, while stumbling along with the instructions which seem to be written out of order, it says I should see a '#' which I never get. When I follow their last bit of instructions before the # is supposed to appear which is "Open a terminal/cmd and run telnet 192.168.1.254 9999", in the telnet session I get "IP address 192.168.1.254 is local" rather than the #. Any idea what I'm doing wrong?
Turbo6
join:2015-10-29
Newport Beach, CA

1 recommendation

Turbo6

Member

Paste a link to instructions here
maczrool
join:2017-04-06
Memphis, TN

1 recommendation

maczrool

Member

»github.com/MakiseKurisu/ ··· 589/wiki

I'm referring to the root access page. So far all I've been able to do is establish a telnet connection. Steps 1-3 on the page work. Steps 4-5 do not.

If someone has firmware version 9.2.2h0d83 for the NVG589 that supports ssh then there is another way supposedly, but I can't try it as it doesn't work on the other versions of the firmware.
maczrool

2 recommendations

maczrool

Member

I got it rooted! I was using ‘ ‘ rather than ` `. Now on to retrieving the cert.

klutchrider
join:2003-01-02
Bedford, TX

2 recommendations

klutchrider

Member

Nice, keep us updated, placing a bid on ebay for a nvg589 to do this.
bsdunix43
join:2019-02-11
Wilmington, NC

2 recommendations

bsdunix43

Member

yeah I have given up on trying this with a BGW210-700 ... guess my soldering skills aren't that great lol. I have a NVG589 coming in tomorrow so hopefully that is an easier path...
brianlan
join:2009-10-12
Garner, NC

1 recommendation

brianlan

Member

DLS's method to extract the cert from the flash memory is the way to go, the firmware on the eBay gateways might be already patched where you can't downgrade to a rootable version.
maczrool
join:2017-04-06
Memphis, TN

1 recommendation

maczrool

Member

Maybe I lucked out but I had no trouble downgrading mine to a version that allows telnet. Only cost me $15.
brianlan
join:2009-10-12
Garner, NC

5 recommendations

brianlan

Member

Was happy to break out the ole rework station and have something to actually do!

Brought back memories of flashing the Motorola SB5100 modem with custom firmware.

maczrool
join:2017-04-06
Memphis, TN

4 recommendations

maczrool

Member

I looked into going the flash removal route but the investment in readers and adapters I’d probably never use again seemed unnecessary when there are software approaches available.
bsdunix43
join:2019-02-11
Wilmington, NC

2 recommendations

bsdunix43 to maczrool

Member

to maczrool
What version of firmware was your NVG589 when you got it? Mine shipped with 9.2.2h4d16 and I can not downgrade it to the version listed in the github article.... sheesh... been at this for like over a month.
bsdunix43

2 recommendations

bsdunix43 to brianlan

Member

to brianlan
brianlan - I am desperate.. my solder skills are for crap.. is this the model of Flashcat you got? »www.embeddedcomputers.ne ··· B_xPort/ also I can't find that exact model of TSOP-48 hat you got there.
maczrool
join:2017-04-06
Memphis, TN

2 recommendations

maczrool

Member

You need that and the type B TSOP-48 adapter.
brianlan
join:2009-10-12
Garner, NC

3 edits

4 recommendations

brianlan to bsdunix43

Member

to bsdunix43
said by bsdunix43:

brianlan - I am desperate.. my solder skills are for crap.. is this the model of Flashcat you got? »www.embeddedcomputers.ne ··· B_xPort/ also I can't find that exact model of TSOP-48 hat you got there.

Yeah, it's a FlashcatUSB xPort with the TSOP-48 Type B Parallel Socket.

Keep in mind I used this with the Spansion S34ML01G1 flash chip, from a NVG589. I haven't looked at the other makes and models to see what their flash chips are. So don't assume this is a one-size fits all solution.

Also, I give 100% of credit for the flash work to the folks over at devicelocksmith.com (dls) and the commenters to the posts. Without their R&D I wouldn't have ventured out this far on my own for this project.

I took all the work there at DSL and extended the functionality to pfSense. Turns out the included version of wpa_supplicant with the latest version of pfSense (/usr/local/sbin/wpa_supplicant) is fully compatible with the generated certificate pack and config. I think I will start a new thread about using pfSense and wpa_supplicant to auth with 802.1x on AT&T Fiber...
maczrool
join:2017-04-06
Memphis, TN

2 recommendations

maczrool

Member

Is there any particular reason to yank the chip when the cert can just be extracted from a rooted gateway? Is the process that much easier reading the flash directly?
rainlake
join:2006-10-03
Twinsburg, OH

2 recommendations

rainlake to Hero

Member

to Hero
wpa_supplicant.zip
780,686 bytes
followed here to downgrade: »github.com/MakiseKurisu/ ··· owngrade
followed here to root: »github.com/MakiseKurisu/ ··· t-Access
ATTN: when you run ping 'telnetd -l sh -p 9999', use quote to replace the `, and you will see a ping response in your window.
you can follow "https://github.com/MakiseKurisu/NVG589/wiki/Enable-USB-Storage-Device" to enable usb and mount it to copy files or you can connect cables, set ip address to scp
followed here to extract certs/keys: "https://www.devicelocksmith.com/2018/12/eap-tls-credentials-decoder-for-nvg-and.html", I used usb drive to copy my files out.

you can follow his guide to install on ER-4, ER-X at "https://www.devicelocksmith.com/2019/01/configuring-8021x-authentication-using.html"
or you can download my attached wpa_supplicant, I removed dependency of readline and libpcsclite1, but it's for mips64(like ER-4) only

for me, I put it in /config/scripts then created a script file in /config/scripts/post-config.d/wpa_supplicant.sh

#!/usr/bin/env bash
# Start EAP-TLS on eth1
# Check if already running to avoid multiple instances

IF_WAN=eth1
PROCESS_NAME=wpa_supplicant
PROCESS_PATH=/config/scripts/wpa_supplicant
PROCESS_COUNT=$(ps -A | grep "$PROCESS_NAME" | egrep -v "grep|$(basename "$0")" | grep -c "$PROCESS_NAME")

if [ "$PROCESS_COUNT" = 0 ] && [ -x "$PROCESS_PATH" ]; then
    "$PROCESS_PATH" -s -B -Dwired -i"$IF_WAN" -c/config/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
fi

do not forget to chmod +x /config/scripts/wpa_supplicant and chmod +x /config/scripts/post-config.d/wpa_supplicant.sh

I put all certs in the /config/auth folder so I have to edit /config/wpa_supplicant.conf

also do not forget to create a vlan0 on your wan port and set its MAC address to the value in wpa_supplicant.conf
rainlake

2 recommendations

rainlake to maczrool

Member

to maczrool
open another terminal. you are not supposed to run it on your router
brianlan
join:2009-10-12
Garner, NC

4 recommendations

brianlan to Hero

Member

to Hero
These are my pfSense notes created from a lot of others' work on the interwebs. Use them after you have run the dls decoder from »www.devicelocksmith.com and obtained the generated .pem's and wpa_supplicant.conf files.

1) copy the certificates to /conf/, which is a symlink to /cf/conf/ just so you know. This location survives system upgrades and reboots.
a) CA_001E46-XXXXXXXXXXXXXXX.pem
b) Client_001E46-XXXXXXXXXXXXXXX.pem
c) PrivateKey_PKCS1_001E46-XXXXXXXXXXXXXXX.pem
d) wpa_supplicant.conf
e) start_8021x.sh (see script below)

2) Current gotcha that I am still working through is why I am not able to complete authentication (802.1x Failure) when the ONT is directly plugged into the WAN (em0) port. But strangely enough if I use my previously used Netgear gs105e-v2 switch that I have ports 1 & 2 set to vlan id 1, connecting ONT to port 1 and pfSense WAN (em0) to port 2, the shit authenticates almost immediately. If anyone wants to tell me the solution to remove the switch from the traffic flow, that would be great, I'm about tired of trying new shit at this point :) I think it's the fact WAN (em0) on pfSense is not tagging traffic to vlan id 0 and that's causing some trouble. I have been thinking of taking the netgraph code from »github.com/aus/pfatt to create an interface with traffic tagged with vlan id 0 then pointing wpa_supplicant.conf to that new interface and that will probably fix things, but who knows, it's late now and honestly if I have to leave the switch in place it's a non-issue. Everything is on a UPS backup and wpa_supplicant is running in daemon mode where if you disconnect/connect the circuit at any point, it will recover connectivity in less than a minute, hands off. That's good enough with me :)

The following script is what I am using with pfSense to start the authentication daemon and restart the em0 interface. Save the script as /conf/start_8021x.sh Use the pfSense package 'Shellcmd' to run it at each system restart.

#!/usr/bin/env sh
 
INTERFACE="em0"
 
logger -s "WPA (${INTERFACE}): Beginning WPA authorization process."
 
WPA_DAEMON_CMD="/usr/local/sbin/wpa_supplicant -D wired -i ${INTERFACE} -c /conf/wpa_supplicant.conf -B"
 
# Kill any existing wpa_supplicant process.
PID=$(pgrep -f "wpa_supplicant.*${INTERFACE}")
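# A non-empty PID means a supplicant is already running.
# (Inside [ ], '>' is a shell redirect to a file named "0", not a comparison.)
if [ -n "${PID}" ];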
then
  logger -s "WPA (${INTERFACE}): Terminating existing supplicant on PID ${PID}."
  RES=$(kill ${PID})
fi
 
# Start wpa_supplicant daemon.
RES=$(${WPA_DAEMON_CMD})
PID=$(pgrep -f "wpa_supplicant.*${INTERFACE}")
logger -s "WPA (${INTERFACE}): Supplicant running on PID ${PID}."
 
# Wait until wpa_cli has authenticated.
WPA_STATUS_CMD="/usr/local/sbin/wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ${INTERFACE} | grep 'inet\ ' | cut -d' ' -f2"
 
logger -s "WPA (${INTERFACE}): Waiting for authorization."
 
while true;
do
  WPA_STATUS=$(eval ${WPA_STATUS_CMD})
  if [ X${WPA_STATUS} = X"Authorized" ];
  then
    logger -s "WPA (${INTERFACE}): Authorization completed."
 
    IP_STATUS=$(eval ${IP_STATUS_CMD})
 
    if [ -z "${IP_STATUS}" ] || [ "${IP_STATUS}" = "0.0.0.0" ];
    then
      logger -s "WPA (${INTERFACE}): No IP address assigned, force restarting DHCP."
      RES=$(eval /etc/rc.d/dhclient forcerestart ${INTERFACE})
      IP_STATUS=$(eval ${IP_STATUS_CMD})
    fi
    logger -s "WPA (${INTERFACE}): IP address is ${IP_STATUS}."
    break
  else
    sleep 1
  fi
done
 
logger -s "WPA (${INTERFACE}): Process complete, exiting."
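
The wait loop in the script above never exits if 802.1X authorization does not complete, which is the failure case described in item 2. The following is an added example, not part of brianlan's post: a bounded version of that wait. The function names and the sample status text are constructed for illustration; only the suppPortStatus field and its Authorized value come from the script above.

```shell
#!/bin/sh
# Added example: bounded wait on the suppPortStatus field of `wpa_cli status`.
# Function names are hypothetical; sample outputs below are constructed.

# Read `wpa_cli status` text on stdin, print the suppPortStatus value.
supp_port_status() {
  awk -F= '$1 == "suppPortStatus" { print $2; exit }'
}

# wait_authorized STATUS_CMD MAX_TRIES [DELAY_SECONDS]
# Polls STATUS_CMD until it reports Authorized.
# Returns 0 on success, 1 once MAX_TRIES polls have passed without it.
wait_authorized() {
  status_cmd=$1
  max_tries=$2
  delay=${3:-1}
  try=0
  while [ "$try" -lt "$max_tries" ]; do
    # $status_cmd is deliberately unquoted so "wpa_cli status" splits into words.
    state=$($status_cmd 2>/dev/null | supp_port_status)
    if [ "$state" = "Authorized" ]; then
      return 0
    fi
    try=$((try + 1))
    sleep "$delay"
  done
  return 1
}

# Constructed stand-ins for `wpa_cli status` output, so this runs offline.
sample_authorized() {
  printf '%s\n' "Selected interface 'em0'" 'wpa_state=COMPLETED' \
    'Supplicant PAE state=AUTHENTICATED' 'suppPortStatus=Authorized' \
    'EAP state=SUCCESS'
}
sample_unauthorized() {
  printf '%s\n' "Selected interface 'em0'" 'wpa_state=ASSOCIATED' \
    'Supplicant PAE state=CONNECTING' 'suppPortStatus=Unauthorized' \
    'EAP state=IDLE'
}

# On the router this would be called as, for example:
#   wait_authorized "/usr/local/sbin/wpa_cli status" 60 \
#     || logger -s "WPA: not authorized after 60 polls, giving up"
```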
 
 
SlabBulkhead
join:2001-12-05
Dayton, OH
(Software) pfSense
Ubiquiti U6-Pro
Ubiquiti U6-LR

2 recommendations

SlabBulkhead

Member

said by brianlan:

These are my pfSense notes created from a lot of others' work on the interwebs. Use them after you have run the dls decoder from »www.devicelocksmith.com and obtained the generated .pem's and wpa_supplicant.conf files.

1) copy the certificates to /conf/, which is a symlink to /cf/conf/ just so you know. This location survives system upgrades and reboots.
a) CA_001E46-XXXXXXXXXXXXXXX.pem
b) Client_001E46-XXXXXXXXXXXXXXX.pem
c) PrivateKey_PKCS1_001E46-XXXXXXXXXXXXXXX.pem
d) wpa_supplicant.conf
e) start_8021x.sh (see script below)

2) Current gotcha that I am still working through is why I am not able to complete authentication (802.1x Failure) when the ONT is directly plugged into the WAN (em0) port. But strangely enough if I use my previously used Netgear gs105e-v2 switch that I have ports 1 & 2 set to vlan id 1, connecting ONT to port 1 and pfSense WAN (em0) to port 2, the shit authenticates almost immediately. If anyone wants to tell me the solution to remove the switch from the traffic flow, that would be great, I'm about tired of trying new shit at this point :) I think it's the fact WAN (em0) on pfSense is not tagging traffic to vlan id 0 and that's causing some trouble. I have been thinking of taking the netgraph code from »github.com/aus/pfatt to create an interface with traffic tagged with vlan id 0 then pointing wpa_supplicant.conf to that new interface and that will probably fix things, but who knows, it's late now and honestly if I have to leave the switch in place it's a non-issue. Everything is on a UPS backup and wpa_supplicant is running in daemon mode where if you disconnect/connect the circuit at any point, it will recover connectivity in less than a minute, hands off. That's good enough with me :)

Thank you for your efforts! If fiber comes to my street, I can take a whack at this on my pfSense system as well.
I had DSL but there was no ability to bypass there. I ended up cancelling recently and switching back to cable when my 12 months were up.
maczrool
join:2017-04-06
Memphis, TN

2 recommendations

maczrool to rainlake

Member

to rainlake
Thanks for the detailed write up! I’ll see if I can get my cert out this weekend. Don’t yet have an ER-4 to test the rest.
ke4pym
Premium Member
join:2004-07-24
Charlotte, NC

2 recommendations

ke4pym to brianlan

Premium Member

to brianlan
So aside from your auth issues, are you able to bypass the T box entirely with pfsense?

F100
join:2013-01-15
Durham, NC
Alcatel-Lucent G-010G-A
(Software) pfSense
Pace 5268AC

2 recommendations

F100 to brianlan

Member

to brianlan
I remembered my Dad has a Motorola NVG-510 he used to use with AT&T DSL but later cancelled service. Would that work like the NVG589 does to get the certs?

That would be better for me than fishing on eBay. It's a DSL modem but if I remember from the threads here, AT&T uses the same certs on DSL and DSL/ONT based gateways.
brianlan
join:2009-10-12
Garner, NC

2 recommendations

brianlan to ke4pym

Member

to ke4pym
said by ke4pym:

So aside from your auth issues, are you able to bypass the T box entirely with pfsense?

Yes
bsdunix43
join:2019-02-11
Wilmington, NC

bsdunix43 to maczrool

Member

to maczrool
maczrool -

I can't attest to how easy it is to "extract" the cert(s) via chip method, however for us that don't have a rootable (I made that word up) modem then it looks to be our only option.