Monday, November 4, 2019

BMW NBT and NBT Evo Firmware Unpacker

It has been five years since I have released the first build of NBT firmware unpacker.

A few years ago I've had to stop the distribution of unpacker because the misuse of unpacker was disrupting the business of BMW retrofit shops. With 2018 public release of NBT and EVO vulnerabilities that have been known to the BMW retrofit scene since at least fall of 2014, and subsequent patching of vulnerabilities by BMW, I no longer consider distribution of the unpacker as harmful.

To commemorate the five years of NBT unpacker, I am releasing an updated and refactored version with the following new features:

  • Search for supported unpackable firmware files within specified folder
  • Searching for specific file within firmware across multiple firmware files in specified folder
  • Better handling of special cases like ASD or EQU files.
Download nbt_unpack release 1.0.0 here: Win32

Tuesday, January 8, 2019

Configuring 802.1x authentication using wpa_supplicant on Ubiquiti Edgerouter

This guide describes steps required to configure 802.1x wired authentication using wpa_supplicant on Cavium-based Ubiquiti Edgerouter devices running EdgeOS 2.0. Mediatek (Edgerouter-X) procedure is similar, however I do not have such device and could not recompile wpa_supplicant for it.
Copy EAP-TLS certificates and private key in PEM format to /config/auth/
Run sudo chmod -R 0600 /config/auth to secure the credentials.
Copy wpa_supplicant.conf to /config/
If you are using wpa_supplicant.conf generated by a tool in the previous post, modify certificate and key paths to point to /config/auth/
Assuming wpa_supplicant.conf resides in /config/, the router has Internet connectivity and Internet interface that requires wpa_supplicant is eth0, run the following commands in console:
#Remove 1.x repository, add 2.0 Debian repository and install prerequisites
delete system package repository wheezy
set system package repository stretch components 'main contrib'
set system package repository stretch distribution stretch
set system package repository stretch password ''
set system package repository stretch url ''
set system package repository stretch username ''
sudo apt-get update && sudo apt-get install libpcsclite1
#Download backported Debian Buster wpa_supplicant and install it
curl -o /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
cd /tmp/
tar -xvf ./wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo dpkg -i /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb
#Create symbolic link to wpa_supplicant.conf for eth0
sudo ln -s /config/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf
#Disable dbus service and enable wired wpa_supplicant for eth0
sudo systemctl disable wpa_supplicant.service
sudo systemctl enable wpa_supplicant-wired@eth0.service
#Save DEB packages for future use, allow /etc/ubnt/ubnt-rcS/ to install them
sudo mkdir -p /config/data/firstboot/install-packages &&  cd /config/data/firstboot/install-packages
sudo apt-get download libpcsclite1sudo curl -o /config/data/firstboot/install-packages/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo tar -xvf ./wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo rm /config/data/firstboot/install-packages/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
#Recover configuration on EdgeOS upgrade
sudo mkdir -p /config/scripts/firstboot.d/
echo '#!/usr/bin/env bash' | sudo tee -a /config/scripts/firstboot.d/
echo 'ln -s /config/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf' | sudo tee -a /config/scripts/firstboot.d/
echo 'systemctl stop wpa_supplicant.service' | sudo tee -a /config/scripts/firstboot.d/
echo 'systemctl disable wpa_supplicant.service' | sudo tee -a /config/scripts/firstboot.d/
echo 'systemctl enable wpa_supplicant-wired@eth0.service' | sudo tee -a /config/scripts/firstboot.d/
echo 'systemctl start wpa_supplicant-wired@eth0.service' | sudo tee -a /config/scripts/firstboot.d/
sudo chmod 0744 /config/scripts/firstboot.d/

Tuesday, December 18, 2018

EAP-TLS credentials decoder for Motorola and Arris gateways. Ultimate fiber router bypass!

I have developed a tool that converts EAP-TLS credentials from Arris/Motorola FTTH routers into a format usable by wpa_supplicant.
Some older router bypass methods suggest using a dumb switch or EAPol proxy. Now you can authenticate to your ISP with direct connection to ONT, without having to keep a switch or ISP-provided router powered and online.
Instructions are packaged with the tool. You'll need a rooted Arris/Motorola router to use the tool.

I could not help with rooting your router, please don't ask.

You will need to extract /mfg/mfg.dat and /etc/rootcert/*.der files from your Arris/Motorola router.
In order to access mfg.dat, you'll need to mount mtd:mfg partition to /mfg/ with something like this:
mount mtd:mfg -t jffs2 /mfg&&cp /mfg/mfg.dat /tmp/&&umount /mfg
On some very old devices the command above may not work and you will need to copy the mfg partition to an mfg.dat file as-is, with something like this:
dd if=/dev/mtdblock4 of=/tmp/mfg.dat bs=1k

The tool parses mfg.dat, decodes the private key and joins the server and client certificates into a format used by wpa_supplicant. You also get a wpa_supplicant.conf template. You will need to adjust the paths to absolute paths in wpa_supplicant.conf.

Download mfg_dat_decode release 1.04 here: win32 linux MacOS X

Update Feb 23, 2019: Moved files to due to antivirus false positive on MediaFire.

1.00 Initial release.
1.01 Add old format recognition. Validate AAA server root CAs.
1.02 Minor update. Simplified instructions, *.der files now go into tool folder. Added linux and MacOS X builds.
1.03 Better handling of errors when parsing keystore headers. Changed eapol to version 1, for better stability with older wpa_supplicant.
1.04 Include troubleshooting information in error messages when mfg.dat file format is unrecognized.

As far as I can tell, EAP-TLS credentials are not associated to a specific subscriber account, so you could successfully extract credentials from a used router (for example, from eBay or Craigslist). As long as you could root the router and extract the required files, you should be able to get online without ever connecting the used fiber router to your ONT, by installing EAP-TLS credentials on your own BSD, linux or Cisco router and connecting it straight to ONT.

This method does not allow you to steal Internet service or get speeds you did not pay for. Your ISP tracks you by ONT serial/SLID, so your service is associated with your ONT.

Here is an example of successful authentication captured with Wireshark (click to enlarge):
EAP-TLS Wireshark Screenshot

Keep in mind that wpa_supplicant needs to bind to unencapsulated interface (like eth0), while DHCP and DHCPv6-PD may require sending requests with 802.1p tags, what is commonly referred to as "VLAN 0".

In the next post I will describe how to set up Ubiquiti Edgerouter for EAP-TLS 802.1x authentication directly to ONT.

Friday, December 7, 2018

IPv6 and WPA gtk-randomize

I am not a wireless network expert, in fact I know less about wireless than some of the subject matter experts forget in a single day, but I've been playing with various wireless solutions for my home/lab network for some time. For the past few years I've been running Cisco lightweight access points in Flex mode.

While troubleshooting IPv6 connectivity in my home lab, I came across a 'feature' that may be obvious to IPv6 and wireless experts, but took some time for me to figure out.

I am running multiple SSIDs. They have similar, but slightly different configurations. One of my SSIDs have been having issues with IPv6. DHCPv6 would work and Windows endpoints would get IPv6 addresses, but over the time they would lose IPv6 connectivity. In SLAAC mode with RAs the endpoints on that specific SSID would not get IPv6 addresses at all.

After spending some quality time with Wireshark, comparing IPv6 traffic on that VLAN on wired connection vs wireless connection I came to conclusion that there was a wireless-specific configuration issue that was preventing SLAAC IPv6 from working and causing DHCPv6 leases to expire without proper renewal.

After comparing the settings between SSID with functional IPv6 vs the broken SSID I found that enabling 'WPA gtk-randomize' setting was breaking IPv6 RAs.  I don't remember myself specifically enabling this setting. I may have enabled it when I was configuring 802.11r, or it may have been accidentally enabled due to CSCtx48271, but according to my testing, it was definitely affecting RAs. Cisco WLC SSID configuration page clearly states that 'Enabling gtk-randomize will prevent clients from decrypting broadcast and multicast packets.', but it does not mention IPv6. Cisco IPv6 Deployment Guide also does not mention this setting.

While it was not obvious (to me), it does make sense that disabling broadcast and multicast traffic breaks IPv6 RAs. Hopefully this post saves some troubleshooting time to other people hitting IPv6 issues with this setting enabled.


I am planning to use this blog to document my tinkering with various IoT, network and home/automotive entertainment devices. It is mostly for my own reference if I have to go back to re-implement or reconfigure something later, but hopefully others could also find this information useful or help me improve the solutions. I've been using some public forums to document my tinkering previously, but recently I got a thread with my research locked and removed by forum moderators, who did not fully understand the research, but considered the published information 'dangerous', so I've decided to launch a resource that could not be easily censored by third parties.

BMW NBT and NBT Evo Firmware Unpacker

It has been five years since I have released the first build of NBT firmware unpacker. A few years ago I've had to stop the distribut...