Wednesday, June 3, 2020

Statement on fraudulent DMCA complaints

It has come to my attention that someone pretending to be me is sending DMCA takedown requests for several GitHub repositories, claiming that the repositories infringe my copyright in mfg_dat_decode, also known as the 802.1x Credential Extraction Tool.

I hereby affirm that, as the copyright holder for the above-mentioned tool, I have never sent DMCA takedown requests for any GitHub repositories.

I do authorize the distribution and use of mfg_dat_decode in its binary unmodified form in any open source projects for non-commercial purposes. Any commercial use, including use in any legal proceedings requires explicit license. Decompiling, disassembling or any other reverse engineering or modification of this tool for any commercial use is strictly prohibited.

Saturday, November 30, 2019

Stadia Controller failing to connect to Cisco Wireless APs

When I received my Stadia Controller Founder's Edition, I noticed that I could not connect to any SSID on my Cisco wireless access points. I tried moving my 802.11ac Wave 2 APs from the WLC to Mobility Express and back, and creating new WPA3 and WPA2 SSIDs, and still could not get the Stadia Controller to connect. I even took out my old 3600 AP, reflashed it with the Autonomous image and tried to set up a plain-vanilla WPA2 SSID on it. The Stadia Controller still would not connect. That was very odd, considering I have dozens of wireless clients of various ages and processing power, including Google/Nest devices, that connect with no issues.

My next step was setting up a test SSID on a Meraki MR24 AP reflashed with the latest trunk image of OpenWRT. The Stadia Controller connected to my test WPA3 SSID right away. A test with WPA2 was also successful. But that was not an acceptable workaround for me, since I don't want to keep another AP up and running just for the Stadia Controller, so I decided to take some time over the weekend to spin up Kali Linux on one of my laptops, do some packet captures in monitor mode and compare the attributes of the beacon frames.

Here is what I have discovered:

Starting with Cisco WLC version 8.3.1020, IEEE 802.11v and IEEE 802.11k are enabled for new SSIDs by default.
According to Cisco, "Wireless network management (802.11v) strives to improve the quality of the end-user experience by enabling information exchange. Basic Service Set (BSS) transition management is a vital aspect of 802.11v by which devices can solicit advice from the WLAN as well as receive unsolicited advice from the WLAN about which access point they should associate to. The decision to associate or not would ultimately depend on the device. Additionally, 802.11v includes multiple extensions that enable the client to sleep for a longer duration and thereby save battery life."
Unfortunately, it seems that this undoubtedly helpful feature is not compatible with the Google Stadia Controller.

Once I turned off 802.11v on my SSIDs, the Stadia Controller was immediately able to connect.

I don't know whether the Stadia Controller is using wpa_supplicant or some in-house WPA supplicant implementation, but whatever they use, it seems that the implementation is buggy.
Hopefully it is fixed in the future, but meanwhile, if you are experiencing issues connecting your Stadia Controller to WLC-managed enterprise APs, try disabling 802.11v. Here is a good article describing how to check an SSID for 802.11v support and how to enable/disable it per SSID on a Cisco WLC.
In Wireshark, look at the beacon frames under IEEE 802.11 wireless LAN > Tagged Parameters > Extended Capabilities, octet 3: the BSS Transition bit there (bit 19 of the Extended Capabilities bitmap) is what advertises 802.11v BSS transition management.
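The same check, done offline instead of by eye in Wireshark. This is an added example written for this post, not code from the original page: it walks the Tagged Parameters of a beacon body with the Python standard library, finds the Extended Capabilities element (ID 127) and reads bit 19, the BSS Transition bit that Wireshark labels "octet 3", and also notes whether an RM Enabled Capabilities element (ID 70, 802.11k) is present. The three sample beacons are constructed for the example, not captures; element IDs and the bit position are from the 802.11 standard.

```python
"""Check a beacon body for 802.11v BSS Transition support (added example)."""

EID_SSID = 0
EID_RM_ENABLED_CAPS = 70     # 802.11k radio measurement capabilities
EID_EXT_CAPS = 127           # Extended Capabilities bitmap
BSS_TRANSITION_BIT = 19      # 802.11v BSS Transition Management: octet 3, mask 0x08


def parse_ies(tagged_params: bytes) -> list:
    """Split a Tagged Parameters area into (element id, payload) tuples.

    A trailing element whose declared length runs past the end of the
    buffer is dropped instead of being parsed from garbage.
    """
    ies = []
    off = 0
    while off + 2 <= len(tagged_params):
        eid, length = tagged_params[off], tagged_params[off + 1]
        payload = tagged_params[off + 2:off + 2 + length]
        if len(payload) < length:
            break
        ies.append((eid, payload))
        off += 2 + length
    return ies


def extcap_bit(payload: bytes, bit: int) -> bool:
    """Read one bit of an Extended Capabilities bitmap.

    The element may be shorter than the octet holding the bit (APs omit
    trailing zero octets); a missing octet reads as 0, i.e. not supported.
    """
    octet, shift = divmod(bit, 8)
    if octet >= len(payload):
        return False
    return bool((payload[octet] >> shift) & 1)


def bss_features(tagged_params: bytes) -> dict:
    """Summarise the 11k/11v advertisements of one beacon body."""
    ies = {}
    for eid, payload in parse_ies(tagged_params):
        ies.setdefault(eid, payload)   # keep the first copy of repeated IDs (vendor IEs)
    return {
        "ssid": ies.get(EID_SSID, b"").decode("utf-8", "replace"),
        "bss_transition_11v": extcap_bit(ies.get(EID_EXT_CAPS, b""), BSS_TRANSITION_BIT),
        "rm_enabled_11k": EID_RM_ENABLED_CAPS in ies,
    }


# Constructed sample Tagged Parameters (everything after the 12-byte fixed
# fields of a beacon): SSID "Lab1", one supported rate, an 11k element, then
# an Extended Capabilities element whose octet 3 differs between samples.
_COMMON = bytes.fromhex("00 04 4c616231" "01 01 82" "46 05 7300000000")
BEACON_11V_ON = _COMMON + bytes.fromhex("7f 08 04 00 08 00 00 00 00 40")   # octet 3 = 0x08
BEACON_11V_OFF = _COMMON + bytes.fromhex("7f 08 04 00 00 00 00 00 00 40")  # octet 3 = 0x00
BEACON_SHORT_EXTCAP = _COMMON + bytes.fromhex("7f 01 04")                   # octet 1 only

if __name__ == "__main__":
    for name, body in [("11v on", BEACON_11V_ON), ("11v off", BEACON_11V_OFF),
                       ("short extcap", BEACON_SHORT_EXTCAP)]:
        print(name, bss_features(body))
```

For a real capture, the input is the element area of the beacon; with scapy that is `bytes(pkt[Dot11Elt])` of a captured beacon, which serialises the first element and everything after it. Short elements are handled on purpose: an AP that stops its Extended Capabilities element before octet 3 is reported as not advertising BSS Transition rather than raising an index error.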

Monday, November 4, 2019

BMW NBT and NBT Evo Firmware Unpacker

It has been five years since I released the first build of the NBT firmware unpacker.

A few years ago I had to stop distributing the unpacker because its misuse was disrupting the business of BMW retrofit shops. With the 2018 public release of the NBT and EVO vulnerabilities, which had been known to the BMW retrofit scene since at least fall 2014, and the subsequent patching of the vulnerabilities by BMW, I no longer consider distribution of the unpacker harmful.

To commemorate five years of the NBT unpacker, I am releasing an updated and refactored version with the following new features:

  • Search for supported unpackable firmware files within a specified folder
  • Search for a specific file across multiple firmware files in a specified folder
  • Better handling of special cases like ASD or EQU files
Download nbt_unpack release 1.0.0 here: Win32

Tuesday, January 8, 2019

Configuring 802.1x authentication using wpa_supplicant on Ubiquiti Edgerouter

This guide describes the steps required to configure 802.1x wired authentication using wpa_supplicant on Cavium-based Ubiquiti Edgerouter devices running EdgeOS 2.0. The procedure for Mediatek devices (Edgerouter-X) is similar; however, I do not have such a device and could not recompile wpa_supplicant for it.
Copy the EAP-TLS certificates and private key in PEM format to /config/auth/.
Run sudo chmod -R 0600 /config/auth to secure the credentials; the private key must not be readable by anyone but root. (The missing execute bit on the directory does not stop root, and the wired wpa_supplicant service runs as root.)
Copy wpa_supplicant.conf to /config/.
If you are using a wpa_supplicant.conf generated by the tool from the previous post, modify the certificate and key paths to point to /config/auth/.
Assuming wpa_supplicant.conf resides in /config/, the router has Internet connectivity, and the Internet-facing interface that requires wpa_supplicant is eth0, run the following commands in the console:
#Remove 1.x repository, add 2.0 Debian repository and install prerequisites
#(repository changes are made in configuration mode; commit and save before leaving it)
configure
delete system package repository wheezy
set system package repository stretch components 'main contrib'
set system package repository stretch distribution stretch
set system package repository stretch password ''
#The mirror URL was elided on the original page; it must be a Debian stretch mirror
set system package repository stretch url ''
set system package repository stretch username ''
commit
save
exit
sudo apt-get update && sudo apt-get install libpcsclite1
#Download backported Debian Buster wpa_supplicant and install it
#(the download URL was elided on the original page; pass it as the last argument to curl)
curl -o /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
cd /tmp/
tar -xvf ./wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo dpkg -i /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb
#Create symbolic link to wpa_supplicant.conf for eth0
sudo ln -s /config/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf
#Disable the D-Bus-activated global service and enable wired wpa_supplicant for eth0
sudo systemctl disable wpa_supplicant.service
sudo systemctl enable wpa_supplicant-wired@eth0.service
#Save DEB packages for future use, allow /etc/ubnt/ubnt-rcS/ to install them
sudo mkdir -p /config/data/firstboot/install-packages && cd /config/data/firstboot/install-packages
sudo apt-get download libpcsclite1
#(same elided download URL as above)
sudo curl -o /config/data/firstboot/install-packages/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo tar -xvf ./wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo rm /config/data/firstboot/install-packages/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
#Recover configuration on EdgeOS upgrade: scripts in firstboot.d run once after the upgrade.
#firstboot.d is a directory, so the commands go into a script file inside it; the name
#wpa_supplicant.sh is arbitrary (the original page did not name it).
sudo mkdir -p /config/scripts/firstboot.d/
echo '#!/usr/bin/env bash' | sudo tee /config/scripts/firstboot.d/wpa_supplicant.sh
echo 'ln -sf /config/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf' | sudo tee -a /config/scripts/firstboot.d/wpa_supplicant.sh
echo 'systemctl stop wpa_supplicant.service' | sudo tee -a /config/scripts/firstboot.d/wpa_supplicant.sh
echo 'systemctl disable wpa_supplicant.service' | sudo tee -a /config/scripts/firstboot.d/wpa_supplicant.sh
echo 'systemctl enable wpa_supplicant-wired@eth0.service' | sudo tee -a /config/scripts/firstboot.d/wpa_supplicant.sh
echo 'systemctl start wpa_supplicant-wired@eth0.service' | sudo tee -a /config/scripts/firstboot.d/wpa_supplicant.sh
sudo chmod 0744 /config/scripts/firstboot.d/wpa_supplicant.sh

Tuesday, December 18, 2018

EAP-TLS credentials decoder for Motorola and Arris gateways. Ultimate fiber router bypass!

I have developed a tool that converts the EAP-TLS credentials from Arris/Motorola FTTH routers into a format usable by wpa_supplicant.
Some older router bypass methods suggest using a dumb switch or an EAPOL proxy. Now you can authenticate to your ISP with a direct connection to the ONT, without having to keep a switch or the ISP-provided router powered and online.
Instructions are packaged with the tool. You'll need a rooted Arris/Motorola router to use it.

I cannot help with rooting your router; please don't ask.

You will need to extract the /mfg/mfg.dat and /etc/rootcert/*.der files from your Arris/Motorola router.
In order to access mfg.dat, you'll need to mount the mtd:mfg partition on /mfg/ with something like this (the mount point must exist first):
mkdir -p /mfg && mount -t jffs2 mtd:mfg /mfg && cp /mfg/mfg.dat /tmp/ && umount /mfg
On some very old devices the command above may not work, and you will need to copy the raw mfg partition to an mfg.dat file as-is, with something like this (the mtdblock index is device-specific; look for the partition named mfg in /proc/mtd):
dd if=/dev/mtdblock4 of=/tmp/mfg.dat bs=1k

The tool parses mfg.dat, decodes the private key, and joins the server and client certificates into the format used by wpa_supplicant. You also get a wpa_supplicant.conf template; adjust the certificate and key paths in it to absolute paths.

Download mfg_dat_decode release 1.04 here: win32 linux MacOS X

Update Feb 23, 2019: Moved files to due to antivirus false positive on MediaFire.

1.00 Initial release.
1.01 Added old format recognition. Validate AAA server root CAs.
1.02 Minor update. Simplified instructions; *.der files now go into the tool folder. Added Linux and MacOS X builds.
1.03 Better handling of errors when parsing keystore headers. Changed EAPOL to version 1 for better stability with older wpa_supplicant versions.
1.04 Include troubleshooting information in error messages when the mfg.dat file format is unrecognized.

As far as I can tell, the EAP-TLS credentials are not associated with a specific subscriber account, so you could successfully extract credentials from a used router (for example, from eBay or Craigslist). As long as you can root the router and extract the required files, you should be able to get online without ever connecting the used fiber router to your ONT, by installing the EAP-TLS credentials on your own BSD, Linux or Cisco router and connecting it straight to the ONT.

This method does not allow you to steal Internet service or get speeds you did not pay for. Your ISP tracks you by ONT serial/SLID, so your service is associated with your ONT.

Here is an example of a successful authentication captured with Wireshark:
[Image: EAP-TLS Wireshark Screenshot]

Keep in mind that wpa_supplicant needs to bind to the untagged interface (such as eth0), while DHCP and DHCPv6-PD requests may have to be sent with 802.1p priority tags, i.e. an 802.1Q header carrying VLAN ID 0 plus a priority value, which is commonly referred to as "VLAN 0".
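To make the two framings concrete, here is an added example (not code from the original page or from the tool) using only the Python standard library. It decodes an Ethernet header with or without an 802.1Q tag, reports whether a frame is priority-tagged (tag present, VID field 0), and inserts or strips such a tag. The EAPOL-Start and DHCP frames are constructed for the example, with the DHCP payload abbreviated; the EtherType values and the PAE group address are the standard ones.

```python
"""Untagged EAPOL vs "VLAN 0" priority-tagged frames on the ONT-facing port (added example)."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # destination used for 802.1X EAPOL


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst, "src": src, "tagged": False, "pcp": None, "dei": None, "vid": None}
    end = 14
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        end = 18
    info["ethertype"] = etype
    info["payload"] = frame[end:]
    # "VLAN 0": a tag is present but the VID field is 0, so only the PCP carries meaning.
    info["priority_tagged"] = info["tagged"] and info["vid"] == 0
    return info


def add_priority_tag(frame: bytes, pcp: int) -> bytes:
    """Insert an 802.1Q header with VID 0 so the frame carries an 802.1p priority."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        raise ValueError("frame is already tagged; retagging would double-encapsulate")
    tci = pcp << 13                      # DEI = 0, VID = 0
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove an 802.1Q header; untagged frames are returned unchanged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        return frame[:12] + frame[16:]
    return frame


# Constructed sample frames (not captures).
SRC_MAC = bytes.fromhex("001122334455")
# EAPOL-Start (version 1, type 1, body length 0): the supplicant sends this untagged.
EAPOL_START = PAE_GROUP_ADDR + SRC_MAC + struct.pack("!H", ETHERTYPE_EAPOL) + bytes.fromhex("01010000")
# Stand-in for a broadcast IPv4 DHCP Discover; the IP/UDP payload is abbreviated to its first bytes.
DHCP_DISCOVER = bytes.fromhex("ffffffffffff") + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + bytes.fromhex("4500")
DHCP_DISCOVER_PRIO = add_priority_tag(DHCP_DISCOVER, pcp=1)

if __name__ == "__main__":
    for name, f in [("EAPOL-Start", EAPOL_START), ("DHCP untagged", DHCP_DISCOVER),
                    ("DHCP VLAN 0", DHCP_DISCOVER_PRIO)]:
        d = parse_frame(f)
        print(name, hex(d["ethertype"]), "priority_tagged=", d["priority_tagged"], "pcp=", d["pcp"])
```

On Linux the usual way to obtain this framing is a VLAN subinterface with ID 0 and an egress QoS map (for example `ip link add link eth0 name eth0.0 type vlan id 0 egress-qos-map 0:1`), running the DHCP client on eth0.0 while wpa_supplicant stays bound to eth0 so its EAPOL frames go out untagged.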

In the next post I will describe how to set up Ubiquiti Edgerouter for EAP-TLS 802.1x authentication directly to ONT.

Friday, December 7, 2018

IPv6 and WPA gtk-randomize

I am not a wireless network expert; in fact, I know less about wireless than some subject matter experts forget in a single day, but I've been playing with various wireless solutions for my home/lab network for some time. For the past few years I've been running Cisco lightweight access points in Flex mode.

While troubleshooting IPv6 connectivity in my home lab, I came across a 'feature' that may be obvious to IPv6 and wireless experts but took me some time to figure out.

I am running multiple SSIDs with similar but slightly different configurations. One of my SSIDs has been having issues with IPv6: DHCPv6 would work and Windows endpoints would get IPv6 addresses, but over time they would lose IPv6 connectivity. In SLAAC mode with RAs, endpoints on that specific SSID would not get IPv6 addresses at all.

After spending some quality time with Wireshark, comparing IPv6 traffic on that VLAN over a wired connection vs. a wireless connection, I came to the conclusion that a wireless-specific configuration issue was preventing SLAAC from working and causing DHCPv6 leases to expire without proper renewal.

After comparing the settings of the SSID with functional IPv6 against the broken SSID, I found that the 'WPA gtk-randomize' setting was breaking IPv6 RAs. I don't remember specifically enabling this setting; I may have enabled it when I was configuring 802.11r, or it may have been enabled accidentally due to CSCtx48271, but according to my testing it was definitely affecting RAs. The Cisco WLC SSID configuration page clearly states that 'Enabling gtk-randomize will prevent clients from decrypting broadcast and multicast packets', but it does not mention IPv6. The Cisco IPv6 Deployment Guide also does not mention this setting.

While it was not obvious (to me), it does make sense that disabling broadcast and multicast traffic breaks IPv6 RAs: Router Advertisements are sent to the all-nodes multicast address ff02::1, so over the air they are group-addressed frames protected with the group key, which is exactly what a client can no longer decrypt once gtk-randomize is enabled. The Neighbor Solicitations the router multicasts to resolve a client's address are lost the same way. Hopefully this post saves some troubleshooting time for other people hitting IPv6 issues with this setting enabled.


Welcome to my blog. I am planning to use this blog to document my tinkering with various IoT, network and home/automotive entertainment devices. It is mostly for my own reference if I have to go back to re-implement or reconfigure something later, but hopefully others could also find this information useful or help me improve the solutions.
