Tuesday, December 18, 2018

EAP-TLS credentials decoder for Nokia, Humax, Motorola and Arris gateways. Ultimate fiber router bypass!

I have developed a tool that converts EAP-TLS credentials from Nokia/Humax/Arris/Motorola FTTH routers into a format usable by wpa_supplicant.
Some older router bypass methods suggest using a dumb switch or EAPol proxy. Now you can authenticate to your ISP with direct connection to ONT, without having to keep a switch or ISP-provided router powered and online.
Instructions are packaged with the tool. You'll need a rooted Arris/Motorola router to use the tool.

I could not help with rooting your router, please don't ask.

You will need to extract /mfg/mfg.dat and /etc/rootcert/*.der files from your Arris/Motorola router.
In order to access mfg.dat, you'll need to mount mtd:mfg partition to /mfg/ with something like this:
mount mtd:mfg -t jffs2 /mfg&&cp /mfg/mfg.dat /tmp/&&umount /mfg
On some very old devices the command above may not work and you will need to copy the mfg partition to an mfg.dat file as-is, with something like this:
dd if=/dev/mtdblock4 of=/tmp/mfg.dat bs=1k

The tool parses mfg.dat, decodes the private key and joins the server and client certificates into a format used by wpa_supplicant. You also get a wpa_supplicant.conf template. You will need to adjust the paths to absolute paths in wpa_supplicant.conf.

Download mfg_dat_decode release 1.06 here: win32 linux MacOS X

Update Feb 23, 2019: Moved files to mega.nz due to antivirus false positive on MediaFire.

1.00 Initial release.
1.01 Add old format recognition. Validate AAA server root CAs.
1.02 Minor update. Simplified instructions, *.der files now go into tool folder. Added linux and MacOS X builds.
1.03 Better handling of errors when parsing keystore headers. Changed eapol to version 1, for better stability with older wpa_supplicant.
1.04 Include troubleshooting information in error messages when mfg.dat file format is unrecognized.
1.05 Initial support for new router models
1.06 Refactored code for new models

As far as I can tell, EAP-TLS credentials are not associated to a specific subscriber account, so you could successfully extract credentials from a used router (for example, from eBay or Craigslist). As long as you could root the router and extract the required files, you should be able to get online without ever connecting the used fiber router to your ONT, by installing EAP-TLS credentials on your own BSD, linux or Cisco router and connecting it straight to ONT.

This method does not allow you to steal Internet service or get speeds you did not pay for. Your ISP tracks you by ONT serial/SLID, so your service is associated with your ONT.

Here is an example of successful authentication captured with Wireshark (click to enlarge):
EAP-TLS Wireshark Screenshot

Keep in mind that wpa_supplicant needs to bind to unencapsulated interface (like eth0), while DHCP and DHCPv6-PD may require sending requests with 802.1p tags, what is commonly referred to as "VLAN 0".

In the next post I will describe how to set up Ubiquiti Edgerouter for EAP-TLS 802.1x authentication directly to ONT.

Friday, December 7, 2018

IPv6 and WPA gtk-randomize

I am not a wireless network expert, in fact I know less about wireless than some of the subject matter experts forget in a single day, but I've been playing with various wireless solutions for my home/lab network for some time. For the past few years I've been running Cisco lightweight access points in Flex mode.

While troubleshooting IPv6 connectivity in my home lab, I came across a 'feature' that may be obvious to IPv6 and wireless experts, but took some time for me to figure out.

I am running multiple SSIDs. They have similar, but slightly different configurations. One of my SSIDs have been having issues with IPv6. DHCPv6 would work and Windows endpoints would get IPv6 addresses, but over the time they would lose IPv6 connectivity. In SLAAC mode with RAs the endpoints on that specific SSID would not get IPv6 addresses at all.

After spending some quality time with Wireshark, comparing IPv6 traffic on that VLAN on wired connection vs wireless connection I came to conclusion that there was a wireless-specific configuration issue that was preventing SLAAC IPv6 from working and causing DHCPv6 leases to expire without proper renewal.

After comparing the settings between SSID with functional IPv6 vs the broken SSID I found that enabling 'WPA gtk-randomize' setting was breaking IPv6 RAs.  I don't remember myself specifically enabling this setting. I may have enabled it when I was configuring 802.11r, or it may have been accidentally enabled due to CSCtx48271, but according to my testing, it was definitely affecting RAs. Cisco WLC SSID configuration page clearly states that 'Enabling gtk-randomize will prevent clients from decrypting broadcast and multicast packets.', but it does not mention IPv6. Cisco IPv6 Deployment Guide also does not mention this setting.

While it was not obvious (to me), it does make sense that disabling broadcast and multicast traffic breaks IPv6 RAs. Hopefully this post saves some troubleshooting time to other people hitting IPv6 issues with this setting enabled.


Welcome to my blog. I am planning to use this blog to document my tinkering with various IoT, network and home/automotive entertainment devices. It is mostly for my own reference if I have to go back to re-implement or reconfigure something later, but hopefully others could also find this information useful or help me improve the solutions.

Making work with eMMC interposer slightly more convenient

In one of the previous posts I have described eMMC interposer and how it can help with modifications of the device firmware without having t...