I have developed a tool that converts EAP-TLS credentials from Nokia/Humax/Arris/Motorola FTTH routers into a format usable by wpa_supplicant.
Some older router bypass methods suggest using a dumb switch or an EAPOL proxy. Now you can authenticate to your ISP over a direct connection to the ONT, without having to keep a switch or the ISP-provided router powered and online.
Instructions are packaged with the tool. You'll need a rooted Arris/Motorola router to use the tool.
I cannot help with rooting your router, so please don't ask.
You will need to extract the /mfg/mfg.dat and /etc/rootcert/*.der files from your Arris/Motorola router.
To access mfg.dat, you'll need to mount the mtd:mfg partition at /mfg/ with something like this:
mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /tmp/ && umount /mfg
On some very old devices the command above may not work and you will need to copy the mfg partition to an mfg.dat file as-is, with something like this:
dd if=/dev/mtdblock4 of=/tmp/mfg.dat bs=1k
The tool parses mfg.dat, decodes the private key and joins the server and client certificates into a format used by wpa_supplicant. You also get a wpa_supplicant.conf template. You will need to change the paths in wpa_supplicant.conf to absolute paths.
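A pre-flight check for the generated configuration, as an added example that is not part of mfg_dat_decode: it flags credential paths that are not absolute, a private key file readable by group or other, and an eapol_version other than 1. The function names, the sample file names and the identity value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of mfg_dat_decode: sanity-check a wired EAP-TLS
# wpa_supplicant.conf before starting wpa_supplicant with it.
# Usage: check_supplicant_conf /path/to/wpa_supplicant.conf

# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_supplicant_conf() {
    conf=$1
    findings=0

    # Credential paths must be absolute (the post's instruction).
    for key in ca_cert client_cert private_key; do
        val=$(sed -n "s/^[[:space:]]*${key}=//p" "$conf" | head -n 1 | tr -d '"\r')
        case $val in
            "") echo "missing: $key"; findings=$((findings + 1)) ;;
            /*) ;;
            *)  echo "relative path: $key=$val"; findings=$((findings + 1)) ;;
        esac
        # The decoded private key should not be group- or world-readable.
        if [ "$key" = private_key ] && [ -f "$val" ] &&
           [ -n "$(find "$val" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "private key readable by group/other: $val"
            findings=$((findings + 1))
        fi
    done

    # Release 1.03 of the tool moved its template to EAPOL version 1.
    ver=$(sed -n 's/^[[:space:]]*eapol_version=//p' "$conf" | head -n 1 | tr -d '\r')
    if [ -n "$ver" ] && [ "$ver" != 1 ]; then
        echo "eapol_version=$ver (template uses 1)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample config; file names and identity are placeholders,
# not the names the tool actually writes.
write_sample_conf() {   # write_sample_conf OUTFILE CREDENTIAL_DIR
    cat > "$1" <<EOF
eapol_version=1
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="PLACEHOLDER-IDENTITY"
    ca_cert="$2/ca.pem"
    client_cert="$2/client.pem"
    private_key="$2/private_key.pem"
}
EOF
}
```

Source the file and run check_supplicant_conf against the edited template; a non-zero return means at least one finding was printed.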
Download mfg_dat_decode release 1.06 here: win32 linux MacOS X
Update Feb 23, 2019: Moved files to mega.nz due to antivirus false positive on MediaFire.
As far as I can tell, EAP-TLS credentials are not associated with a specific subscriber account, so you could successfully extract credentials from a used router (for example, from eBay or Craigslist). As long as you can root the router and extract the required files, you should be able to get online without ever connecting the used fiber router to your ONT, by installing the EAP-TLS credentials on your own BSD, Linux or Cisco router and connecting it straight to the ONT.
This method does not allow you to steal Internet service or get speeds you did not pay for. Your ISP tracks you by ONT serial/SLID, so your service is associated with your ONT.
Here is an example of successful authentication captured with Wireshark:
Keep in mind that wpa_supplicant needs to bind to an unencapsulated interface (like eth0), while DHCP and DHCPv6-PD may require sending requests with 802.1p tags, which is commonly referred to as "VLAN 0".
In the next post I will describe how to set up a Ubiquiti EdgeRouter for EAP-TLS 802.1X authentication directly to the ONT.
Changelog:
1.00 Initial release.
1.01 Add old format recognition. Validate AAA server root CAs.
1.02 Minor update. Simplified instructions, *.der files now go into tool folder. Added Linux and MacOS X builds.
1.03 Better handling of errors when parsing keystore headers. Changed eapol to version 1, for better stability with older wpa_supplicant.
1.04 Include troubleshooting information in error messages when mfg.dat file format is unrecognized.
1.05 Initial support for new router models.
1.06 Refactored code for new models.