Tuesday, December 18, 2018

EAP-TLS credentials decoder for Motorola and Arris gateways. Ultimate fiber router bypass!

I have developed a tool that converts EAP-TLS credentials from Arris/Motorola FTTH routers into a format usable by wpa_supplicant.
Some older router bypass methods suggest using a dumb switch or an EAPOL proxy. Now you can authenticate to your ISP with a direct connection to the ONT, without having to keep a switch or the ISP-provided router powered and online.
Instructions are packaged with the tool. You'll need a rooted Arris/Motorola router to use the tool.

I cannot help with rooting your router, please don't ask.

You will need to extract /mfg/mfg.dat and the /etc/rootcert/*.der files from your Arris/Motorola router.
In order to access mfg.dat, you'll need to mount the mtd:mfg partition at /mfg/ with something like this:
mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /tmp/ && umount /mfg
On some very old devices the command above may not work, and you will need to copy the mfg partition to an mfg.dat file as-is, with something like this (the mtdblock device number varies by model):
dd if=/dev/mtdblock4 of=/tmp/mfg.dat bs=1k

The tool parses mfg.dat, decodes the private key and joins the server and client certificates into a format used by wpa_supplicant. You also get a wpa_supplicant.conf template; you will need to change the file paths in it to absolute paths.

Download mfg_dat_decode release 1.04 here (builds for win32, linux and MacOS X).

Update Feb 23, 2019: Moved files to mega.nz due to antivirus false positive on MediaFire.


Changelog:
1.00 Initial release.
1.01 Add old format recognition. Validate AAA server root CAs.
1.02 Minor update. Simplified instructions, *.der files now go into tool folder. Added linux and MacOS X builds.
1.03 Better handling of errors when parsing keystore headers. Changed eapol to version 1, for better stability with older wpa_supplicant.
1.04 Include troubleshooting information in error messages when mfg.dat file format is unrecognized.

As far as I can tell, EAP-TLS credentials are not associated with a specific subscriber account, so you could successfully extract credentials from a used router (for example, one bought on eBay or Craigslist). As long as you can root the router and extract the required files, you should be able to get online without ever connecting the used fiber router to your ONT, by installing the EAP-TLS credentials on your own BSD, Linux or Cisco router and connecting it straight to the ONT.

This method does not allow you to steal Internet service or get speeds you did not pay for: your ISP tracks you by ONT serial/SLID, so your service is associated with your ONT.


Here is an example of successful authentication captured with Wireshark (screenshot: EAP-TLS Wireshark capture).



Keep in mind that wpa_supplicant needs to bind to the unencapsulated interface (such as eth0), while DHCP and DHCPv6-PD may require sending requests with 802.1p priority tags (an 802.1Q tag with VLAN ID 0), commonly referred to as "VLAN 0".
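The tagging distinction above, as an added example that is not part of the original post: it builds an untagged EAPOL-Start frame as wpa_supplicant would send on eth0 and an 802.1Q-tagged frame with VLAN ID 0 (a priority tag, "VLAN 0") as a DHCP request would be, then parses both. All frames and addresses are constructed inline.

```python
import struct

# Added example, not from the original post: builds and parses Ethernet frames
# with and without an 802.1Q priority tag (VLAN ID 0, "VLAN 0").
ETH_P_8021Q = 0x8100  # TPID announcing an 802.1Q tag
ETH_P_EAPOL = 0x888E  # EAP over LAN, the 802.1X authentication frames
ETH_P_IP = 0x0800
PAE_GROUP_MAC = "01:80:c2:00:00:03"  # destination of EAPOL frames from a supplicant


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, ethertype, payload, pcp=None, vid=0):
    """Ethernet II frame; with pcp given, insert an 802.1Q tag carrying that
    priority. vid=0 makes it a priority tag ("VLAN 0"), 1..4094 a real VLAN."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if pcp is not None:
        if not (0 <= pcp <= 7 and 0 <= vid <= 4094):
            raise ValueError("pcp must be 0..7 and vid 0..4094")
        tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, zero) | VID (12 bits)
        hdr += struct.pack("!HH", ETH_P_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the header: reports whether a tag is present, its pcp and vid,
    and whether it is a priority-only tag (vid 0), the "VLAN 0" case."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "vid": None}
    off = 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info.update(tagged=True, pcp=tci >> 13, vid=tci & 0x0FFF)
        off = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[off:]
    info["priority_tagged"] = info["tagged"] and info["vid"] == 0
    return info


def sample_frames(client_mac="e8:33:81:0c:aa:41"):
    """Constructed frames: an untagged EAPOL-Start as wpa_supplicant sends on
    eth0, and a priority-tagged IP frame as a "VLAN 0" DHCP request would be."""
    eapol_start = build_frame(PAE_GROUP_MAC, client_mac, ETH_P_EAPOL, b"\x01\x01\x00\x00")
    dhcp_like = build_frame("ff:ff:ff:ff:ff:ff", client_mac, ETH_P_IP,
                            b"\x45" + b"\0" * 19, pcp=0, vid=0)
    return eapol_start, dhcp_like
```

On Linux this is the difference between running wpa_supplicant on eth0 and running the DHCP client on a VLAN sub-interface with ID 0 (for example one created with ip link add link eth0 name eth0.0 type vlan id 0).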


In the next post I will describe how to set up a Ubiquiti EdgeRouter for EAP-TLS 802.1x authentication directly to the ONT.


61 comments:

  1. I've confirmed this is working with NVG599 mfg.dat. Tool extracted the certs and key and I was successfully authenticated.

  2. Do you still need to spoof the MAC of the gateway assigned to your account for this to work, or is supplying the credentials enough?

  3. Yes, you do. The MAC address of the physical interface must match the MAC on the client certificate for 802.1x authentication to work.

  4. This comment has been removed by the author.

  5. Try 1.03 - it just came out.
    Pace would never work with this tool - it uses a completely different software platform.

  6. This comment has been removed by the author.

    Replies
    1. Your mfg.dat is likely incompatible or corrupted. What kind of RG did it come from and how did you extract it? Did you mount the jffs2 partition, or did you just copy the whole partition with 'dd'?

    2. This comment has been removed by the author.

  7. Good question on mfg.dat, as many seem to have issues extracting those. Not saying it's not a thing, though lots of ways to extract (sharknatto, earlz) do not work anymore, if they ever did, on hardware like 589, 599, bwg210. So could anyone please point out how you were _recently_ able to extract the files? After all, ain't it a bit pointless to put all this out there if most people can't use it??

    Replies
    1. This comment has been removed by the author.

  8. Thanks for the tool! I wasn't able to root my gateway so I ended up dumping the NAND and extracted mfg.dat from there. After that it works perfectly :)

    Replies
    1. Can you share how you dumped your NAND? I was able to get an exploitable firmware on my gateway, but for some reason the root exploit did not work

    2. It's really physical... Essentially you open up the gateway, desolder the NAND chip from the board, find a NAND reader to generate a dump of the entire NAND, extract mfg.dat from there, and then use this tool to get the certificate and key.

    3. Would you mind sharing more details? Like what NAND reader you used, how you extracted mfg.dat from the .bin NAND dump, etc. In the same camp as you and the previous poster, unable to get root access despite the documented firmware version on the device.

    4. Sure, assuming you have experience desoldering the chip from the board... I used FlashcatUSB as the NAND reader; after getting the bin, open it up, find the partition for mfg data, mount it as a jffs2 volume, and copy the mfg.dat file from there.

    5. Not really, but fast learner ;) Would you mind pointing out the part that needs to be desoldered and if/how anything in particular may need to be done (see board pic here: https://hackaday.com/2012/12/13/rooting-your-att-u-verse-modem )?

      Also, assuming the reader needs to support 3.3 or 5v, like this one, correct? https://www.amazon.com/Flashcat-Memory-Programmer-EEPROM-software/dp/B00F2P9AS6

    6. and thanks a bunch for the knowledge drop

    7. For NVG589 and NVG599, it's an S34ML01G1 on the back (TSOP-48 package), https://imgur.com/a/S2AzcVI. Desoldering a TSOP-48 is relatively easy if you have the equipment (a hot air gun) https://www.youtube.com/watch?v=7VahHWI3pT8.

      I was using this one (https://www.embeddedcomputers.net/products/FlashcatUSB_xPort/) with the adapter (TSOP-48 Type B, https://www.embeddedcomputers.net/products/ParallelAdapters/).

      For the software side, the basic process:
      1. Dump NAND
      2. Find Partition (nvg589: 0x000005020000-0x000005120000 : "mfg"), slice it (or just dump this part directly in step 1)
      3. Extract the raw jffs2 data (I used binwalk here)
      4. Convert from big endian to little endian (jffs2dump -r -e converted.jffs2 -b original.jffs2)
      5. Dump the converted JFFS2 partition (https://github.com/ohjeongwook/DumpFlash/blob/master/DumpJFFS2.py), you should get mfg.dat here.

    8. Nice instructions.
      In addition to that you need the trust certs (unless you are forcing wpa_supplicant to bypass cert verification). You could get the trust certs by collecting them in Wireshark (the AT&T server sends them in plain DER form in the EAP exchange), or by the following method.
      Download the certs package file for older Pace firmware (google 'att_eapol-certs.pkgstream'). The certs inside the file are in clear text, PEM format; just copy and paste them into *.cer files. Open the files in Windows Explorer and save them as *.der files. You could also use openssl to convert PEM to DER.
      Make sure the DER files are in the same folder as the tool when you run it.
      The trust certs are the same for everyone, so you could get a set from someone who has successfully extracted them.

    9. Sweet, not enough words to thank you both. Just need to get tools and give it a shot, will let you know how it goes.

      Question on the trust certs. Looks like att_eapol-certs.pkgstream includes 8 different certs. Found that name of one should be attroot2031.der.
      Are all these certs needed and do their original names matter (if so what are those names supposed to be)? Or just save the certs in 8 separate files with whatever names, convert PEM to DER and put DER files in tool's folder?

    10. 2031 should be sufficient, but leaving the other certs in the folder wouldn't do any harm. Names do not matter, but the .der extension and DER file format are important.
      You could also extract the .der certs from the other partitions on the same flash chip - this way you don't have to convert any certs.
      Another option is running the tool without trust certs (it should generate a warning) and adding them manually to the output PEM file for wpa_supplicant - the tool takes certs in DER format, but outputs everything into PEM files.

    11. Will probably just put all certs in the folder since I can't be sure which one may be 2031. Either that or just manually add all certs to the output PEM file for wpa_supplicant as you suggested.

    12. Thanks! Gonna get tools and follow your instructions. They were very clear!

    13. Got the tools, followed all the instructions you gave and it worked!! Thank you everyone for your explanations and your help.

    14. @KhaosT or @Sergey - it worked, thanks for your instructions and tool.

      Educational questions for future reference if you don't mind:

      1) Step #2 - "Find Partition "mfg" & slice it" - how did you get a list of the partitions in the .bin firmware dump and how did you slice the right one out?

      Was able to use the hex addresses you provided and dump that segment only from the USB tool (Step #1), but couldn't figure out how to find partitions and slice them from the whole flash dump.

      2) Seems like wpa_supplicant auth works in Linux or Linux-based OSs (ER). Do you have any experience getting it to work on FreeBSD (pfsense)? Linux flavors do this fine, but pfsense has some trouble handling DHCP requests with VLAN0 (802.1p) tags...

      3) Just a comment - you could get mfg.dat from the mfg partition .bin directly (steps #4, #5 not needed). To do that, you need jefferson (https://github.com/sviehb/jefferson) and then you could use binwalk recursively (-Me flags) to extract the jffs2 filesystem like so: binwalk -Me 589_0x05020000-0x05120000.bin - thought I'd point that out in case it may help someone

    15. This comment has been removed by the author.

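The partition-handling steps in KhaosT's list above (dump, find the mfg partition by its MTD offsets, slice it, check the JFFS2 endianness) and the later question about how to find and slice partitions from a whole flash dump, as an added example that is not from the original post or from mfg_dat_decode. It assumes a raw NAND dump without OOB/spare bytes and offsets taken from the router's own partition table; the sample dump is constructed inline with a big-endian JFFS2 region, matching the endianness conversion step in the list. It only inspects node headers; it does not byte-swap or verify CRCs as jffs2dump does.

```python
import struct

# Added example, not part of the original post or of mfg_dat_decode. Assumes a raw
# NAND dump without OOB/spare bytes and MTD offsets from the router's partition table.
JFFS2_MAGIC = 0x1985  # JFFS2_MAGIC_BITMASK in the Linux kernel's jffs2.h
NODE_TYPES = {0xE001: "dirent", 0xE002: "inode", 0x2003: "cleanmarker",
              0x2004: "padding", 0x2006: "summary"}


def jffs2_endianness(data, offset=0):
    """Return 'little', 'big' or None depending on the node magic at offset."""
    if offset + 2 > len(data):
        return None
    if struct.unpack_from("<H", data, offset)[0] == JFFS2_MAGIC:
        return "little"
    if struct.unpack_from(">H", data, offset)[0] == JFFS2_MAGIC:
        return "big"
    return None


def find_jffs2_regions(dump, erase_size=0x20000):
    """Scan erase-block boundaries for JFFS2 node headers, for dumps whose
    partition table is unknown. Returns a list of (offset, endianness)."""
    hits = []
    for off in range(0, len(dump), erase_size):
        endian = jffs2_endianness(dump, off)
        if endian:
            hits.append((off, endian))
    return hits


def slice_partition(dump, start, end):
    """Cut [start, end) out of the dump. The end address is exclusive, so the
    partition length is end - start (0x100000 bytes for the mfg range above)."""
    if not 0 <= start < end <= len(dump):
        raise ValueError("partition range lies outside the dump")
    return dump[start:end]


def walk_nodes(part, endian):
    """List (offset, type, totlen) for each node header until erased (0xFF)
    flash is reached. Inspection only: no byte swapping, no CRC checks."""
    fmt = ("<" if endian == "little" else ">") + "HHII"  # magic, type, totlen, hdr_crc
    nodes, off = [], 0
    while off + 12 <= len(part):
        magic, ntype, totlen, _hdr_crc = struct.unpack_from(fmt, part, off)
        if magic != JFFS2_MAGIC:
            if part[off:off + 4] == b"\xff\xff\xff\xff":
                break  # unused space at the end of the region
            raise ValueError(f"bad node magic at offset {off:#x}")
        if totlen < 12:
            raise ValueError(f"bogus node length at offset {off:#x}")
        nodes.append((off, NODE_TYPES.get(ntype, f"type {ntype:#06x}"), totlen))
        off += (totlen + 3) & ~3  # nodes are padded to 4-byte alignment
    return nodes


def make_sample_dump(erase_size=0x20000):
    """Constructed three-block dump with a big-endian JFFS2 region (as on the
    RGs the thread converts with jffs2dump) starting in the second block."""
    def node(ntype, totlen):
        return struct.pack(">HHII", JFFS2_MAGIC, ntype, totlen, 0) + b"\0" * (totlen - 12)
    region = node(0x2003, 12) + node(0xE002, 70) + b"\0\0" + node(0xE001, 50)
    return b"\xff" * erase_size + region.ljust(2 * erase_size, b"\xff")
```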
  9. Would you mind sharing how the private key is encoded in mfg.dat? I was trying to identify the data structure in there for the key blob, but after looking at it for hours I still can't figure it out 😅

    Replies
    1. Don't you think that sharing this would kind of defeat the value of this blog post? Besides, finding it yourself is a good mental exercise 😅

    2. That's fair :) I was able to locate all 3 DER encoded certs, and I assume the blob before the client cert contains information to reconstruct the private key. Guess it's time for more disassembling...

    3. You could try decompiling the tool to see how it does that, or try decompiling RG firmware. Decompiling the tool may be easier since it runs on x86 as opposed to MIPS or ARM. Most people are more comfortable with x86 assembler.

    4. I actually tried decompiling the tool first, Go is a huge mess in there 😝

    5. There are a couple of guides online on reverse engineering of Go executables, so it is possible. If that's too much work, there's always the MIPS or ARM RG firmware.

    6. Wish I could help you KhaosT but this stuff is like a riddle, wrapped in a mystery, inside an enigma. But perhaps there is a private key at the end of the tunnel :)

    7. Finally cracked it... that key transformation is surprising. I guess it's truly security through obscurity 🙃

      Hey Sergey, I really appreciate your creation of the tool. 👍

    8. If they really wanted the keys to be secure, they should have used Smart Cards or a TPM, but that is like an extra $2 on the RG BoM. Even then there's a potential for inexpensive side channel attacks, or physical migration of the key store to a new device. Someone made a decision that security by obscurity is good enough. Good job cracking the key. Enjoy!

  10. Does the modem need to be connected to the ONT while you're connected to the serial port? I get console output and eventually see a quantenna# prompt, but it blazes by and I'm not able to input anything. :-/ I'm sure I can desolder the NAND but I'm trying to avoid buying a reader if possible.

    Replies
    1. Looks like I didn't go far enough back in the firmware. I have an mfg.dat dump via dd but there aren't any *.der files (nor a rootcert directory). :-/

    2. I was attached to the wrong debug port. All is good, thanks for the tool!

  11. This comment has been removed by the author.

  12. This comment has been removed by the author.

  13. I bought a new BGW-710 on Amazon and successfully used your tool after rooting the RG. The output readme file contains a section that says:

    WARNING! Missing AAA server root CA! Add AAA server root CA to CA_XXXXXX-XXXXXXXXXXXXXX.pem

    Is this because the RG has never been connected to the internet? I'm not moving into the house with AT&T service for a couple more months, so I was just prepping for it.

    Replies
    1. Nevermind, I figured out that the error is because I didn't grab the .der certificates off the modem and put them in the same directory as the tool. I grabbed "att_eapol-certs.pkgstream" from some posted Pace firmware and converted the .pem certs to .der and it looks like the tool ran and output some files for me.

      I can't wait to give this a try!

  14. Starting new thread too in case it gets lost in the nested replies above (sorry for duplicate):

    @KhaosT or @Sergey - it worked, thanks for your instructions and tool.

    Educational questions for future reference if you don't mind:

    1) Step #2 - "Find Partition "mfg" & slice it" - how did you get a list of the partitions in the .bin firmware dump and how did you slice the right one out?

    Was able to use the hex addresses you provided and dump that segment only from the USB tool (Step #1), but couldn't figure out how to find partitions and slice them from the whole flash dump.

    2) Seems like wpa_supplicant auth works in Linux or Linux-based OSs (ER). Do you have any experience getting it to work on FreeBSD (pfsense)? Linux flavors do this fine, but pfsense has some trouble handling DHCP requests with VLAN0 (802.1p) tags...

    3) Just a comment - you could get mfg.dat from the mfg partition .bin directly (steps #4, #5 not needed). To do that, you need jefferson (https://github.com/sviehb/jefferson) and then you could use binwalk recursively (-Me flags) to extract the jffs2 filesystem like so: binwalk -Me 589_0x05020000-0x05120000.bin - thought I'd point that out in case it may help someone

    Replies
    1. To be clear - binwalk -Me will extract the raw .jffs2 file AND the mfg partition's root filesystem, including mfg.dat (in which case steps #4, #5 are no longer needed)

  15. How do you open a pkgstream file?

    Replies
    1. Just open it with Notepad++ or another text editor. Partway down you'll see the certs in plaintext.

  16. Ordered an nvg589 and some parts from KhaosT's post. Going to give this a shot - too bad the usg-xg still uses wheezy - that makes it a bit more complicated.

    Also it would be great if a step-by-step how-to was created - everything from "here's what you do once you have the TSOP-48 plugged into your laptop".

    Replies
    1. You might try these steps:

      1. Download flashcat usb software from https://www.embeddedcomputers.net/software/, install it and add Win driver for the new USB device (find it in same downloaded .zip)

      2. Run the software and assuming it recognizes the USB device and NAND, it should allow you to dump it to disk (button reads something like "read chip/memory to disk")

      3. If you know how to find partitions and slice them from the full memory dump, you can do that. If not, a quicker way may be to dump only the mfg partition. For NVG589, KhaosT provided the start and end hex addresses. However, Flashcat software requires the start address and length (not the end address). Use start address of 0x000005020000 (leading zeros may get truncated) and length of 1048577 (if you want to calculate length, you might try this: echo 'ibase=16;000005120000-000005020000' | bc + 1)

      4. Assuming you use a Linux distro, add repository packages for binwalk and jefferson (https://github.com/sviehb/jefferson) and any python or other dependencies you may need

      5. Run this: binwalk -Me dump.bin on the .bin file created by flashcat

      6. At this point you should have a jffs2 file and the root filesystem of the mfg partition. Check filesystem folders and you should find mfg.dat

      7. Run mfg_dat_decode, making sure mfg.dat and the certs you saved from att_eapol-certs.pkgstream are in the same folder as the tool (one way to do this is creating a .pem file for each cert you find and then converting .pem format to .der: openssl x509 -in cert.pem -out cert.der -outform DER)

      8. If all goes well, at this stage you should have EAP files and wpa_supplicant.conf (may need to edit for your config)

      9. Connect ONT to your device and set up wpa_supplicant to authenticate

    2. This comment has been removed by the author.

    3. This comment has been removed by the author.

  17. Thought I'd add this tidbit. Bought a used NVG510, downgraded and tftped off the certificates. The tool ran fine, but one of the Motorola certificates expires in 2019. Not sure if that'll affect anything:

    802.1x Credential Extraction Tool
    Copyright (c) 2018-2019 devicelocksmith.com
    Version: 1.04 linux 386

    Found client certificate for Serial Number: 001E46-###############

    Found certificates with following Subjects:
    E8:33:81:0C:AA:41
    expires 2034-09-05 09:06:20 -0700 PDT
    Motorola, Inc. Device Intermediate CA ATTCPE1
    expires 2033-04-30 10:36:29 -0700 PDT
    Motorola, Inc. Device Root CA ATTCPE1
    expires 2038-04-30 09:30:26 -0800 PST
    Verifying certificates.. success!
    Validating private key.. success!
    Found valid AAA server root CA certificates:
    ATT Services Inc Root CA
    expires 2031-02-23 15:59:59 -0800 PST
    Motorola 802.1x Root CA
    expires 2019-06-19 13:51:50 -0700 PDT
    Successfully saved EAP-TLS credentials to
    /srv/tftp/EAP-TLS_8021x_001E46-###############.tar.gz

  18. So I picked up an NVG589 off eBay, rooted it, and successfully extracted the certs. However, in my implementation I continue to receive an authentication failure (specifically, CTRL-EVENT-EAP-FAILURE EAP authentication failed). I've ensured that my eth0 (WAN) is spoofing the mac address from the original NVG589 (as listed in the generated wpa_supplicant.conf) yet the failure persists.

    My question is, this NVG589 that I received had a factory sticker over the ONT port. This leads me to believe this modem may not have been originally provisioned for fiber service, and instead was used as a DSL modem. Could this possibly be the issue, that the extracted certs aren't valid on the fiber network? Do I need to find another modem that was undoubtedly provisioned for use with an ONT?

    Replies
    1. Have you verified you are using an ER-4 type device? Make sure your "ca_cert=", "client_cert=", "identity=", "private_key=" are set according to where you have the certs on the router.

      Also make sure your vlan and eth0 (presumably where you have the ONT connected) are configured to match the MAC of the NVG589 you bought.

      This works and is honestly pretty foolproof. I also had to run "/sbin/wpa_supplicant -s -B -Dwired -ieth0 -c[Path to]wpa_supplicant.conf &" as sudo. But now it auto-starts and works through reboots. Make sure the command has the correct path to the .conf, otherwise you will get errors.

      Other than that, sorry, not sure what could be the issue; it worked for me and I'm a noob in networking.

  19. I wish more people would post valuable content like this. This is the first time I've been on your website, but after this, I doubt it will be the last time.
    24 hour locksmith

  20. Just another point. I bought an NVG589 from eBay. It came with firmware 9.2.2h3d14, but I was able to downgrade that to 9.2.2h0d83, which is susceptible to the sharknatto attack vector. After following that to get root I was able to extract the info I needed. The only thing I couldn't figure out was a way to get at the USB, so I moved the files I needed to the www/att/images directory and downloaded them via the browser.

    Replies
    1. This comment has been removed by the author.

    2. This comment has been removed by the author.

    3. Good to know that the firmware you mentioned works. I haven't had any luck finding an RG that can be used for extraction. Is there any chance to find them online or maybe from you? Thanks

