dls
join:2018-12-07
Chicago, IL

32 recommendations

dls

Member

[AT&T Fiber] Bye bye 802.1x, you will not be missed.

What if I told you that the whole 802.1x authentication is enforced at ONT level and is not necessary to get online?
In corporate networks it's the switch that communicates with AAA server, receives and processes 802.1x frames and enables or disables access on a switch port.

In ATT's GPON world, the switch is an ONT (the SoC has a switch part in it) and it is responsible for 802.1x. On top of that, 802.1x is not part of standard OMCI features - it's an add-on that is requested from ONT vendors by AT&T.

So if you use a generic ONT like an ONT SFP stick, which has no support for AT&T's OMCI extensions, you do not need 802.1x, certificates, rooting gateways, extracting and decoding certs. I wish I knew all that before I spent all this time rooting RGs and developing tools to decode the certs. But it appears that all of that is unnecessary if you are using your own ONT.

All you need to get online is to match OMCI version (0xA0), ONT Hardware version, ONT Software version, Vendor string with Serial Number and password ("DEFAULT").

Depending on the type of ONT you use (I have only tried Lantiq and Realtek based SFPs so far), you may need to set your VLANs to something other than default '0', but the bottom line is that 802.1x is completely unnecessary.

I have only tried this on GPON so far, but there is a good chance XGS-PON works the same way.

Happy 4th of July!
pxwoo
join:2004-09-14
WI

1 recommendation

pxwoo

Member

Is your sfp synced at 2.5G and now you can use overprovisioning? (if you have 1gig plan // like that Canadian provider)

Do you happen to know a part number of a xgspon sfp+ that can be programmed?

dls
join:2018-12-07
Chicago, IL

5 recommendations

dls

Member

Not sure if this differs by the market and OLT config, but I am not getting any more bandwidth than what I am paying for. The best benefit of running using SFP for me is that it stays in the same rack as all of my other network gear, powered by the same UPS as my PoE network devices, so as long as my main UPS has juice, my network keeps running uninterrupted. I got a 10-Gig capable router to future proof my network, but to be honest, ER-4 with an SFP port would have worked just fine at full wire speed even with smallest packet sizes.
netnerd
join:2020-05-04
9400

1 recommendation

netnerd to dls

Member

to dls
Can you move away from vlan 0 with the SFP ONT?

dls
join:2018-12-07
Chicago, IL

5 recommendations

dls

Member

Some ONTs can't process AT&T OLT VLAN manipulation OMCI instructions correctly and expose Internet on VLANs that are used for transit. In case of Realtek-based SFP with firmware released in April, Internet was in 802.1q VLAN displayed in VlanTagFilterData (not VLAN 0).
swindmill
join:2002-07-12
Ann Arbor, MI

1 recommendation

swindmill to dls

Member

to dls
Any idea if this model will do the trick?

»www.amazon.com/Universal ··· 8C818JSQ

Seems to be realtek based?

If not, any other suggestions?

dls
join:2018-12-07
Chicago, IL

1 edit

3 recommendations

dls

Member

I am not familiar with all possible SFPs that are out there and have no experience with this specific one, but as long as you can modify the values referenced in my first post, it may work. Also pay attention to color coding of the pull tab on SFP. Blue tab usually means SC/UPC, while green tab means SC/APC. You need to use the correct connector type to avoid signal loss.
dls

2 recommendations

dls

Member

The values for Software version and Hardware version are available from ONT Web UI using dumb switch or any other bypass method. You just need to write down the existing values AT&T expects to see to let your ONT get online. Vendor string and serial number are on the label attached to ONT. Vendor string is the first part of the serial number, like ALCL
Turbo6
join:2015-10-29
Newport Beach, CA

1 recommendation

Turbo6 to dls

Member

to dls
So for xgs-pon, something like this?

»www.tellabs.com/product/ont202

Anonab279
@185.213.80.x

5 recommendations

Anonab279

Anon

said by Turbo6:

So for xgs-pon, something like this?

»www.tellabs.com/product/ont202

Get on the Discord channel where upnatom is leading the project to find programmable GPON and XGS-PON replacements for Bell Canada and AT&T equipment.

»[Internet] Bypassing the HH3K up to 2.5Gbps using a BCM57810S NIC

GabeD
join:2021-10-31
Atlanta, GA

9 recommendations

GabeD to dls

Member

to dls
Watching this thread intently!
mthompson
join:2016-02-17
Lubbock, TX

9 recommendations

mthompson to dls

Member

to dls

gfunkdave
join:2002-05-20
Chicago, IL

1 recommendation

gfunkdave to dls

Member

to dls
said by dls:

All you need to get online is to match OMCI version (0xA0), ONT Hardware version, ONT Software version, Vendor string with Serial Number and password ("DEFAULT").

I'm curious what this all means. I'm assuming you can set the OMCI version manually in whatever ONT stick you get. What are the ONT hardware and software versions, vendor strings, and serial numbers you need to match?
Turbo6
join:2015-10-29
Newport Beach, CA

1 recommendation

Turbo6 to Anonab279

Member

to Anonab279
link to the discord?

wizkid6
join:2002-03-31
Opelika, AL

4 recommendations

wizkid6

Member

»discord.gg/NjsyDpYFKT

Anon978fc
@84.229.48.x

7 recommendations

Anon978fc

Anon

Incredible that no one has ever attempted this in all of these years!!!

No need for the eap_proxy or the wpa_supplicant if this is true... This leaves a few open questions (and let's keep the focus on gpon for now).

1. What is the process to 'program' the SFP?
1b. Did you just get the serial # from the sticker on the white ONT box?
2. Which make/model have you tried and know work?
3. If you use a 2.5 or 10g router with GPON SFP+ (10g compatible SFP), I assume you can hard-set the link speed to 2.5, 5 or 10G and get the benefit of 1.2g (20% over provisioning?)
FreeBSDfan
join:2022-04-28
Stamford, CT

7 recommendations

FreeBSDfan to dls

Member

to dls
Calix ONTs are generally easy to clone, it can be done with a JTAG cable.

However, Calix ONTs may not work with AT&T Fiber, and even if they do, possibly 802.1X may be enforced this way.

I don't know if Calix ONTs with Broadcom SOCs will work with AT&T Fiber.

URL: »www.neelc.org/posts/clon ··· lix-ont/

If you do go with Calix ONTs, avoid the 716GE-I R2 (w/ square design), it has a 16384 TCP connection limit. The older 716GE-I (w/ angled design) or 803G are good models.

Alternatively, if we have the legal and political willpower, we could tell the FCC that AT&T can disable 802.1X for BYOD customers and get a 010/020 ONT, and use 802.1X for everyone else (unlikely).
adam1991
join:2012-06-16
united state

adam1991

Member

said by Anoncd363 :

This sounds like an excellent way to get disconnected for "stealing" service as presumably a node with a whitelisted serial but no 802.1x authentication sets off big flashing red lights on the CO's management dashboard. Big if true regardless.

Great point. T's goal is to wire everything to be customer installable; at that point, if T sees this they will assume the user to be stealing service.

I guess they could compare the red flags to the customer address list, and leave the valid addresses alone. But would they?
FreeBSDfan
join:2022-04-28
Stamford, CT

1 recommendation

FreeBSDfan

Member

I've run a cloned ONT on CenturyLink GPON for over 7 months. My service has been perfect since cloning, while the stock CL ONT has given me nothing but issues (small connection limit). AT&T may be (read: probably is) different, however.

Maybe AT&T will catch on, maybe AT&T will do nothing since engineers have better things to do assuming you aren't stealing service.

CL suggested BS solutions like QoS or VPN. QoS doesn't eliminate artificial connection limits, and some VPNs may work but add latency. However, CL 6rd and HE.net tunnels had no latency issues due to a GRE/UDP tunnel.

But CL's case is different. CL uses PPPoE so it's impossible to steal service without valid credentials. AT&T does not (outside of legacy DSL) so it may be easier.

Even in India, GPON (at least BSNL/MTNL) usually has PPPoE even when unbundling laws are nonexistent in India, but Indian ISPs want to deter stealing service.
adam1991
join:2012-06-16
united state

9 recommendations

adam1991

Member

said by FreeBSDfan:

AT&T may be (read: probably is) different, however.

Maybe AT&T will catch on, maybe AT&T will do nothing since engineers have better things to do assuming you aren't stealing service.

It's not the engineers. It's the business office and accountants.

And yes, AT&T *is* different than your CenturyLink service. Guaranteed.

They DO know about every RG out there that's bypassed. It's true that they don't care. But that's a different beast.
Luckygecko
join:2022-05-11

5 recommendations

Luckygecko to dls

Member

to dls
said by dls:

..
In ATT's GPON world, the switch is an ONT (the SoC has a switch part in it) and it is responsible for 802.1x. On top of that, 802.1x is not part of standard OMCI features - it's an add-on that is requested from ONT vendors by AT&T.
...

AT&T was key in making Open OMCI specifications. I want to make sure that people understand that support for 802.1x is not something that AT&T forced on Nokia but published as part of "Managed Entities" (ME) Open OMCI 3.0 with "Dot1X Port Extension Package --ME #290" being a specification but optional in OMCI implementations. So, it's possible that other ONT/ONU may respond.

Looking at my Nokia's boot log, at 1 min 18 seconds after boot, I see it receive an OMCI message to initialize the DOT1X PORT EXTENSION PACKAGE.

djrobx
Premium Member
join:2000-05-31
Reno, NV

5 recommendations

djrobx

Premium Member

said by Anoncd363 :

This sounds like an excellent way to get disconnected for "stealing" service as presumably a node with a whitelisted serial but no 802.1x authentication sets off big flashing red lights on the CO's management dashboard. Big if true regardless.

Yeah, that'd be my concern too.

Is it going to be big flashing red lights or is it going to be some cryptic log line that the OMCI command to enable 802.11x failed that nobody looks at? With other bypass methods, it's still pretty clear that the RG is missing even viewing your account page as a customer, but they don't seem to go after anyone for it.

Provisioning is still locked to a serial number. It would only be theft if the same serial number was used in more than one location.

dls
join:2018-12-07
Chicago, IL

6 recommendations

dls

Member

AT&T _does_ see 802.1x authentication on your account - at least when installer gets your ONT and RG online for the first time. 802.1x authentication does not get updated or expire. So you are authenticated forever until you send EAP-TLS logoff frame, and if you pull the SC connector from your AT&T-provided ONT, this never happens. Of course they can do deep log dives and start spending insane amount of CPU cycles to prove that adam1991 was correct. But something tells me they have better things to do with their developers and CPU resources of their infrastructure and forcing users to use their ONTs is not worth the cost.
Of course if your ONT starts sending things in incorrect or misaligned T-CONTs and you mess up the OLT port, that will get attention. You'll get same kind of attention if you start flashing codes from your TV remote down the GPON fiber uplink.
dls

1 recommendation

dls to Anon978fc

Member

to Anon978fc
said by Anon978fc :

Incredible that no one has ever attempted this in all of these years!!!

No need for the eap_proxy or the wpa_supplicant if this is true... This leaves a few open questions (and let's keep the focus on gpon for now).

1. What is the process to 'program' the SFP?
1b. Did you just get the serial # from the sticker on the white ONT box?
2. Which make/model have you tried and know work?
3. If you use a 2.5 or 10g router with GPON SFP+ (10g compatible SFP), I assume you can hard-set the link speed to 2.5, 5 or 10G and get the benefit of 1.2g (20% over provisioning?)

1. Each ONT is different. Google specifics for ONT you intend to use.
2. I've mentioned it above. SFPs based on Lantiq and Realtek SoCs.
3. No, at least for me. (Again, this was in one of my messages above).
dls

3 recommendations

dls to djrobx

Member

to djrobx
said by djrobx:

Provisioning is still locked to a serial number. It would only be theft if the same serial number was used in more than one location.

Serial number is associated with OLT port. SN appearing on some random OLT port is unlikely to get service.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

3 recommendations

cramer

Premium Member

Yes, this is a violation under CFAA. It's doubtful AT&T will care. At best, they'll take operational security a millimeter further. (note: 802.1x is not remotely about security. it's about forcing customers to buy/rent their router - which contributes a lot of revenue generating data.) I seriously doubt there's anything at all in place to even audit the 802.1x systems; it's that much of a joke. If the whole process depends on the ONT doing it, and your ONT is faking OMCI (or not running it at all), there will be nothing to alarm. Nothing upstream of the ONT will know if the port was properly authorized, nor do they care.
cramer

7 recommendations

cramer to FreeBSDfan

Premium Member

to FreeBSDfan
said by FreeBSDfan:

assuming you aren't stealing service

It's not technically possible to steal service as the ONT serial number is only valid on that specific OLT port ("split"), moving it requires reassigning it. It's not like a cable modem that can be moved virtually anywhere within the same carrier network. ('tho with 30+ years of M&A, it's hard to know where the boundaries actually are!) If two ONTs with the same serial are on the same port, they'll constantly step on each other.
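
Added example, not part of any post in this thread and not AT&T's tooling: an operator-side audit sketch in Python for the three signals the posters raise (a serial ranging on a port it is not assigned to, a serial re-activating repeatedly on one port, and an ONT that did not accept the Dot1X ME #290 setup). The record layouts, result strings, threshold and serials are constructed assumptions.

```python
from collections import Counter

DOT1X_ME_CLASS = 290   # "Dot1X Port Extension Package" ME number quoted in the thread
FLAP_THRESHOLD = 3     # assumed: activations per audit window that count as flapping

# Constructed provisioning table: ONT serial -> OLT port it is assigned to.
PROVISIONED = {
    "ALCL00000001": "olt1/1/3",
    "ALCL00000002": "olt1/1/3",
    "ALCL00000003": "olt1/2/1",
}

# Constructed activation events seen in one audit window: (olt_port, serial).
ACTIVATIONS = [
    ("olt1/1/3", "ALCL00000001"),
    ("olt1/1/3", "ALCL00000002"),
    ("olt1/1/3", "ALCL00000002"),
    ("olt1/1/3", "ALCL00000002"),   # repeated re-activation on one port
    ("olt1/2/4", "ALCL00000003"),   # serial seen away from its assigned port
]

# Constructed OMCI outcomes: (serial, me_class, result). Result strings are hypothetical.
OMCI_RESULTS = [
    ("ALCL00000001", 290, "success"),
    ("ALCL00000002", 290, "unknown_me"),
]

def audit(provisioned, activations, omci_results):
    """Return sorted (serial, finding, detail) tuples for an operator to review."""
    findings = set()
    for port, serial in activations:
        expected = provisioned.get(serial)
        if expected is None:
            findings.add((serial, "unprovisioned_serial", port))
        elif expected != port:
            findings.add((serial, "wrong_port", port))
    # Two devices sharing a serial on one port tend to knock each other offline,
    # so repeated activations of the same serial are treated as a heuristic signal.
    for (port, serial), n in Counter(activations).items():
        if n >= FLAP_THRESHOLD:
            findings.add((serial, "reactivation_flapping", port))
    # An ONT without the optional Dot1X ME cannot enforce 802.1x on its UNI port.
    for serial, me_class, result in omci_results:
        if me_class == DOT1X_ME_CLASS and result != "success":
            findings.add((serial, "dot1x_me_not_accepted", result))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(PROVISIONED, ACTIVATIONS, OMCI_RESULTS):
        print(finding)
```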
cramer

1 edit

6 recommendations

cramer to djrobx

Premium Member

to djrobx
said by djrobx:

With other bypass methods, it's still pretty clear that the RG is missing...

The RG is an actively managed device (so is the ONT.) When such devices don't check in or respond as they should, it's an error, AT&T being AT&T does not care in the slightest if your ONT and/or RG aren't working. That's your problem. Until you call them, it's not theirs! Yes, they know people are bypassing the RG, and they can know who, if they bothered to look, but it isn't an active problem, so they really don't care. (and everyone is paying the $10/mo now anyway... no longer a line item they have to remove if you don't use their router.)
Luckygecko
join:2022-05-11

1 recommendation

Luckygecko to cramer

Member

to cramer
said by cramer:

Yes, this is a violation under CFAA. ............

Please expand and tell us more.
Turbo6
join:2015-10-29
Newport Beach, CA

1 recommendation

Turbo6 to dls

Member

to dls
»www.balticnetworks.com/p ··· spon-ont

I need to get this ONT and then copy everything from my BGW320 into it. Apparently that's all that's needed - then just plug the fiber from the bgw320 into this.

My UDM-SE is in the other end of the house so I can't just use SFP direct to my UDM so this method seems to be best for my use.