Tuesday, December 18, 2018

EAP-TLS credentials decoder for Nokia, Humax, Motorola and Arris gateways. Ultimate fiber router bypass!

I have developed a tool that converts EAP-TLS credentials from Nokia/Humax/Arris/Motorola FTTH routers into a format usable by wpa_supplicant.
Some older router bypass methods rely on a dumb switch or an EAPoL proxy. Now you can authenticate to your ISP with a direct connection to the ONT, without having to keep a switch or the ISP-provided router powered and online.
Instructions are packaged with the tool. You'll need a rooted Arris/Motorola router to use the tool.

I cannot help with rooting your router, please don't ask.

You will need to extract /mfg/mfg.dat and the /etc/rootcert/*.der files from your Arris/Motorola router.
To get at mfg.dat, mount the mtd:mfg partition on /mfg with something like this:
mount mtd:mfg -t jffs2 /mfg&&cp /mfg/mfg.dat /tmp/&&umount /mfg
On some very old devices the command above does not work; in that case copy the raw mfg partition to an mfg.dat file as-is, with something like this (check /proc/mtd for the index of the partition named "mfg", it is not always mtdblock4):
dd if=/dev/mtdblock4 of=/tmp/mfg.dat bs=1k
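The two commands above hardcode the partition location. The following is an added example (not part of the original post or the mfg_dat_decode tool) that looks the mfg partition up by name instead: it parses /proc/mtd as read on the rooted gateway to produce the correct mount and dd commands, and it also understands the kernel's "Creating N MTD partitions" boot-log lines, whose absolute offsets let you cut the same partition out of a full NAND dump and tell whether the JFFS2 image inside is big- or little-endian. The partition tables and the flash image at the bottom are constructed sample data; the offsets in them are illustrative only.

```python
"""Locate the mfg partition by name instead of guessing /dev/mtdblock4.

Added example, not part of the original post or the mfg_dat_decode tool.
Understands /proc/mtd (as read on the gateway) and the kernel's
"Creating N MTD partitions" boot-log lines (absolute flash offsets, usable
on a full NAND dump). Sample tables and dump below are constructed.
"""
import re

PROC_MTD_RE = re.compile(r'^mtd(\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]+)"', re.I)
BOOTLOG_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+)\s*:\s*"([^"]+)"', re.I)
JFFS2_MAGIC = 0x1985  # JFFS2_MAGIC_BITMASK, first field of every node header


def parse_proc_mtd(text):
    """{name: {"index", "size", "erasesize"}} from the text of /proc/mtd."""
    parts = {}
    for line in text.splitlines():
        m = PROC_MTD_RE.match(line.strip())
        if m:
            idx, size, erase, name = m.groups()
            parts[name] = {"index": int(idx), "size": int(size, 16), "erasesize": int(erase, 16)}
    return parts


def parse_bootlog(text):
    """{name: {"start", "end"}} from kernel 'Creating N MTD partitions' lines."""
    parts = {}
    for line in text.splitlines():
        m = BOOTLOG_RE.match(line.strip())
        if m:
            start, end, name = m.groups()
            parts[name] = {"start": int(start, 16), "end": int(end, 16)}
    return parts


def extraction_commands(proc_mtd_text, name="mfg"):
    """Commands for the gateway shell: the jffs2 mount first, raw dd as the fallback."""
    p = parse_proc_mtd(proc_mtd_text)[name]
    mount = f"mount mtd:{name} -t jffs2 /{name} && cp /{name}/{name}.dat /tmp/ && umount /{name}"
    dd = f"dd if=/dev/mtdblock{p['index']} of=/tmp/{name}.dat bs=1k count={p['size'] // 1024}"
    return mount, dd


def slice_partition(dump, bootlog_text, name="mfg"):
    """Cut one partition out of a full flash dump using the boot-log offsets."""
    p = parse_bootlog(bootlog_text)[name]
    if p["end"] > len(dump):
        raise ValueError(f"dump is {len(dump)} bytes but {name} ends at {p['end']:#x}")
    return bytes(dump[p["start"]:p["end"]])


def jffs2_endianness(image):
    """'little' or 'big' from the first node's magic; None if this is not JFFS2."""
    magic = image[:2]
    if magic == JFFS2_MAGIC.to_bytes(2, "little"):
        return "little"
    if magic == JFFS2_MAGIC.to_bytes(2, "big"):
        return "big"  # convert with jffs2dump -r -e before most tools will read it
    return None


# --- constructed sample inputs (offsets are illustrative, not from any real RG) ---
SAMPLE_PROC_MTD = """dev:    size   erasesize  name
mtd0: 00400000 00020000 "boot"
mtd1: 02000000 00020000 "rootfs"
mtd2: 00100000 00020000 "mfg"
"""
SAMPLE_BOOTLOG = """Creating 3 MTD partitions on "nand":
0x000000000000-0x000000400000 : "boot"
0x000000400000-0x000002400000 : "rootfs"
0x000002400000-0x000002500000 : "mfg"
"""


def sample_dump():
    """Zero-filled flash image with a big-endian JFFS2 magic where mfg starts."""
    dump = bytearray(0x2500000)
    dump[0x2400000:0x2400002] = JFFS2_MAGIC.to_bytes(2, "big")
    return dump


if __name__ == "__main__":
    for cmd in extraction_commands(SAMPLE_PROC_MTD):
        print(cmd)
    mfg = slice_partition(sample_dump(), SAMPLE_BOOTLOG)
    print(len(mfg), "bytes, JFFS2 endianness:", jffs2_endianness(mfg))
```

On the gateway, `cat /proc/mtd` gives the first input; the boot-log format shows up in `dmesg` on the device and is the same one quoted in the comments below for the NVG589. A big-endian result from jffs2_endianness() means the image came from a big-endian MIPS board and needs byte-swapping before a PC-side jffs2 tool will mount it.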

The tool parses mfg.dat, decodes the private key and writes the server and client certificates in the PEM format wpa_supplicant uses. You also get a wpa_supplicant.conf template; adjust the certificate and key paths in it to absolute paths.
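The tool takes the trust certificates as DER files and, as the changelog for 1.01 notes, validates them before writing the PEM bundle. The following added example (not part of the original post or the tool; standard library only) performs the checks a practitioner wants before running it: it tells a real DER certificate from a PEM file with the wrong extension or from an HTML page saved as .der by a failed download, converts PEM to DER, and reads the subject CN and notAfter out of the DER with a minimal ASN.1 walker so expired CAs are visible. The certificate produced by build_sample_cert() is a constructed, unsigned skeleton with dummy key bits, present only so the script runs offline; its name and dates are made up.

```python
"""Check candidate *.der trust certificates before running mfg_dat_decode.

Added example, not part of the original post or the tool; standard library
only. Catches PEM-with-.der-extension and HTML-saved-as-.der, and reports
subject CN and expiry. build_sample_cert() is a constructed, unsigned
X.509 skeleton used as demo input.
"""
import base64
import re
from datetime import datetime, timezone

OID_CN = bytes.fromhex("550403")                      # id-at-commonName 2.5.4.3
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption


def tlv(tag, body):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                     # long-form length
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln


def children(body):
    """All (tag, value) pairs inside a constructed value (SEQUENCE or SET)."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def common_name(name_body):
    """CN from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


def cert_summary(der):
    """(subject CN, notAfter as aware UTC datetime) from a DER X.509 certificate."""
    tag, cert, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    fields = children(children(cert)[0][1])           # tbsCertificate
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, _sigalg, _issuer, validity, subject = fields[:5]
    t_tag, t_val = children(validity[1])[1]           # notAfter
    fmt = "%y%m%d%H%M%SZ" if t_tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    not_after = datetime.strptime(t_val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    return common_name(subject[1]), not_after


def classify(data):
    """'der', 'pem', 'html' or 'unknown' for the bytes of a candidate trust-cert file."""
    if len(data) > 4 and data[0] == 0x30 and read_tlv(data)[2] == len(data):
        return "der"
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    if re.search(rb"<\s*(!doctype|html)", data, re.I):
        return "html"                                 # a failed download from the RG web UI
    return "unknown"


def pem_to_der(pem):
    """First certificate in a PEM file as DER (what `openssl x509 -outform DER` writes)."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode(b"".join(m.group(1).split()))


def der_to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def check_trust_cert(data, now=None):
    """One verdict line per candidate file."""
    kind = classify(data)
    if kind == "pem":
        data, kind = pem_to_der(data), "der"
    if kind != "der":
        return f"REJECT: file is {kind}, not a DER certificate"
    cn, not_after = cert_summary(data)
    now = now or datetime.now(timezone.utc)
    state = "expired" if not_after < now else "valid"
    return f"{cn}: expires {not_after:%Y-%m-%d %H:%M:%S} UTC ({state})"


def build_sample_cert():
    """Constructed X.509 skeleton: made-up name, no real key, no signature."""
    def name(cn):
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))))

    def alg(oid):
        return tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"090619205150Z") + tlv(0x17, b"190619205150Z"))
    spki = tlv(0x30, alg(OID_RSA) + tlv(0x03, bytes(33)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg(OID_SHA256_RSA)
              + name("Example 802.1x Root CA") + validity + name("Example 802.1x Root CA") + spki)
    return tlv(0x30, tbs + alg(OID_SHA256_RSA) + tlv(0x03, bytes(33)))


if __name__ == "__main__":
    der = build_sample_cert()
    for blob in (der, der_to_pem(der), b"<!DOCTYPE html><html>session expired</html>"):
        print(check_trust_cert(blob))
```

Run check_trust_cert() over every file you intend to drop into the tool's folder. A PEM verdict means the file needs `openssl x509 -in cert.pem -out cert.der -outform DER` first; an HTML verdict means the download from the gateway returned a web page rather than the certificate; an expired root is still worth keeping in the bundle if the AAA server chains to it, but explains why the tool warns.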

Download mfg_dat_decode release 1.06 here: win32 linux MacOS X

Update Feb 23, 2019: Moved files to mega.nz due to antivirus false positive on MediaFire.


Changelog:
1.00 Initial release.
1.01 Add old format recognition. Validate AAA server root CAs.
1.02 Minor update. Simplified instructions, *.der files now go into tool folder. Added linux and MacOS X builds.
1.03 Better handling of errors when parsing keystore headers. Changed eapol to version 1, for better stability with older wpa_supplicant.
1.04 Include troubleshooting information in error messages when mfg.dat file format is unrecognized.
1.05 Initial support for new router models.
1.06 Refactored code for new models.

As far as I can tell, EAP-TLS credentials are not tied to a specific subscriber account, so you can extract working credentials from a used router (for example, one bought on eBay or Craigslist). As long as you can root the router and extract the required files, you should be able to get online without ever connecting the used fiber router to your ONT, by installing the EAP-TLS credentials on your own BSD, Linux or Cisco router and connecting it straight to the ONT.

This method does not let you steal Internet service or get speeds you did not pay for. Your ISP tracks you by ONT serial/SLID, so your service is tied to your ONT.


Here is an example of successful authentication captured with Wireshark:
[Screenshot: EAP-TLS authentication captured with Wireshark]



Keep in mind that wpa_supplicant needs to bind to the unencapsulated interface (for example eth0), while DHCP and DHCPv6-PD may need to send their requests with an 802.1p priority tag, that is, an 802.1Q header with VLAN ID 0, commonly referred to as "VLAN 0".
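To make that distinction concrete, here is an added example (not from the original post) that builds both kinds of frame and checks a captured set the way the post's troubleshooting advice does: EAPOL (802.1X) frames leave the raw interface with no 802.1Q header, DHCP leaves inside an 802.1Q header whose VLAN ID is 0, and every frame must carry the MAC of the original gateway. All constants are from the standards; the IP payload used for the DHCP frame is a placeholder rather than a real DHCPDISCOVER, and the MAC addresses are made up.

```python
"""Frames a bypass router sends towards the ONT: untagged EAPOL, VLAN 0 DHCP.

Added example, not from the original post. Constants are from 802.1Q/802.1X;
the IP payload is a placeholder and the MAC addresses are made up.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_PAE = 0x888E                                 # EAP over LAN (802.1X)
ETH_P_IP = 0x0800
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")     # 802.1X destination multicast
EAPOL_START = 1                                    # EAPOL packet type


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def eapol_start(src_mac, version=2):
    """Untagged EAPOL-Start, the supplicant's opening frame (body 02 01 00 00 for v2)."""
    body = struct.pack("!BBH", version, EAPOL_START, 0)
    return PAE_GROUP_ADDR + mac(src_mac) + struct.pack("!H", ETH_P_PAE) + body


def priority_tagged(src_mac, dst_mac, ethertype, payload, pcp=0):
    """Wrap payload in an 802.1Q header with VID 0: an 802.1p priority tag."""
    tci = (pcp & 0x7) << 13                         # PCP | DEI=0 | VID=0
    return (mac(dst_mac) + mac(src_mac) + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype)
            + payload)


def describe(frame):
    """Header summary: src/dst, vlan (None when untagged), ethertype, EAPOL fields if any."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if etype == ETH_P_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    info = {"src": mac_str(src), "dst": mac_str(dst), "vlan": vlan, "ethertype": etype}
    if etype == ETH_P_PAE:
        ver, ptype, ln = struct.unpack("!BBH", frame[off:off + 4])
        info["eapol"] = {"version": ver, "type": ptype, "len": ln}
    return info


def check_supplicant_frames(frames, rg_mac):
    """Problems the post warns about: wrong source MAC, tagged EAPOL, untagged IP/DHCP."""
    problems = []
    for f in frames:
        d = describe(f)
        if d["src"] != rg_mac.lower():
            problems.append(f"source MAC {d['src']} is not the RG MAC {rg_mac} on the client certificate")
        if d["ethertype"] == ETH_P_PAE and d["vlan"] is not None:
            problems.append("EAPOL frame is 802.1Q tagged; run wpa_supplicant on the bare interface")
        if d["ethertype"] == ETH_P_IP and d["vlan"] != 0:
            problems.append("IP frame is not VLAN 0 tagged; DHCP may be ignored")
    return problems


if __name__ == "__main__":
    rg = "02:00:00:aa:bb:cc"                        # made-up MAC cloned from the RG
    start = eapol_start(rg)
    dhcp = priority_tagged(rg, "ff:ff:ff:ff:ff:ff", ETH_P_IP, b"\x45" + bytes(19))
    for f in (start, dhcp):
        print(f[:18].hex(" "), describe(f))
    print(check_supplicant_frames([start, dhcp], rg))
```

The EAPOL-Start body produced here, `02 01 00 00`, is exactly what `tcpdump` shows as `EAPOL start (1) v2, len 0`; a frame with `81 00 00 00` at offset 12 is the VLAN 0 priority tag you should see on the DHCP traffic but not on the 802.1X exchange.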


In the next post I will describe how to set up Ubiquiti Edgerouter for EAP-TLS 802.1x authentication directly to ONT.


108 comments:

  1. I've confirmed this is working with NVG599 mfg.dat. Tool extracted the certs and key and I was successfully authenticated.

    ReplyDelete
  2. Do you still need to spoof the MAC of the gateway assigned to your account for this to work, or is supplying the credentials enough?

    ReplyDelete
  3. Yes, you do. The MAC address of the physical interface must match the MAC on the client certificate for 802.1x authentication to work.

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete
  5. Try 1.03 - it just came out.
    Pace would never work with this tool - it uses a completely different software platform.

    ReplyDelete
  6. This comment has been removed by the author.

    ReplyDelete
    Replies
    1. Your mfg.dat is likely incompatible or corrupted. What kind of RG did it come from and how did you extract it? Did you mount the jffs2 partition, or did you just copy the whole partition with 'dd'?

      Delete
    2. This comment has been removed by the author.

      Delete
  7. Good question on mfg.dat, as many seem to have issues extracting those. Not saying it's not a thing, though lots of ways to extract (sharknatto, earlz) do not work anymore, if they ever did, on hardware like 589, 599, BGW210. So could anyone please point out how you were _recently_ able to extract the files? After all, isn't it a bit pointless to put all this out there if most people can't use it??

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
  8. Thanks for the tool! I wasn't able to root my gateway so I ended up dumping the NAND and extracted mfg.dat from there. After that it works perfectly :)

    ReplyDelete
    Replies
    1. Can you share how you dumped your NAND? I was able to get an exploitable firmware on my gateway, but for some reason the root exploit did not work

      Delete
    2. It's really physical... Essentially you open up the gateway, desolder the NAND chip from the board, find a NAND reader to generate a dump of the entire NAND, extract mfg.dat from there, and then use this tool to get the certificate and key.

      Delete
    3. Would you mind sharing more details? Like what NAND reader you used, how you extracted mfg.dat from the .bin NAND dump, etc. In same camp as you and previous poster, unable to get root access despite documented firmware version on the device

      Delete
    4. Sure, assuming you have experience desoldering the chip from the board... I used FlashcatUSB as the NAND reader; after getting the bin, open it up, find the partition for mfg data, mount it as a jffs2 volume, and copy the mfg.dat file from there.

      Delete
    5. Not really, but fast learner ;) Would you mind pointing out the part that needs to be desoldered and if/how anything particular may need to be done (see board pic here: https://hackaday.com/2012/12/13/rooting-your-att-u-verse-modem )?

      Also, assuming reader needs to support 3.3 or 5v, like this one, correct? https://www.amazon.com/Flashcat-Memory-Programmer-EEPROM-software/dp/B00F2P9AS6

      Delete
    6. And thanks a bunch for the knowledge drop.

      Delete
    7. For NVG589 and NVG599, it's an S34ML01G1 on the back (TSOP-48 package), https://imgur.com/a/S2AzcVI. Desoldering a TSOP-48 is relatively easy if you have the equipment (a hot air gun): https://www.youtube.com/watch?v=7VahHWI3pT8.

      I was using this one (https://www.embeddedcomputers.net/products/FlashcatUSB_xPort/) with the adapter (TSOP-48 Type B, https://www.embeddedcomputers.net/products/ParallelAdapters/).

      For the software side, the basic process:
      1. Dump NAND
      2. Find Partition (nvg589: 0x000005020000-0x000005120000 : "mfg"), slice it (or just dump this part directly in step 1)
      3. Extract the raw jffs2 data (I used binwalk here)
      4. Convert from big endian to little endian (jffs2dump -r -e converted.jffs2 -b original.jffs2)
      5. Dump the converted JFFS2 partition (https://github.com/ohjeongwook/DumpFlash/blob/master/DumpJFFS2.py), you should get mfg.dat here.

      Delete
    8. Nice instructions.
      In addition to that you need trust certs (unless you are forcing wpa_supplicant to bypass cert verification). You could get the trust certs by collecting them in Wireshark (the AT&T server sends them in plain DER form in the EAP exchange), or with the following method.
      Download the certs package file for older Pace firmware (google 'att_eapol-certs.pkgstream'). The certs inside the file are in clear text, PEM format; just copy and paste them into *.cer files. Open the files in Windows Explorer and save them as *.der files. You could also use openssl to convert PEM to DER.
      Make sure DER files are in same folder as the tool when you run it.
      The trust certs are the same for everyone, so you could get a set from someone who has successfully extracted them.

      Delete
    9. Sweet, not enough words to thank you both. Just need to get tools and give it a shot, will let you know how it goes.

      Question on the trust certs. Looks like att_eapol-certs.pkgstream includes 8 different certs. Found that name of one should be attroot2031.der.
      Are all these certs needed and do their original names matter (if so what are those names supposed to be)? Or just save the certs in 8 separate files with whatever names, convert PEM to DER and put DER files in tool's folder?

      Delete
    10. 2031 should be sufficient, but leaving other certs in the folder wouldn't do any harm. Names do not matter, but .der extension and DER file format is important.
      You could also extract the .der certs from the other partitions on the same flash chip - this way you don't have to convert any certs.
      Another option is running the tool without trust certs (it should generate a warning) and adding them manually to output PEM file for wpa_supplicant - the tool takes certs in DER format, but outputs everything into PEM files.

      Delete
    11. Will probably just put all certs in the folder since I can't be sure which one may be 2031. Either that or just manually add all certs to the output PEM file for wpa_supplicant as you suggested.

      Delete
    12. Thanks! Gonna get tools and follow your instructions. They were very clear!

      Delete
    13. Got the tools, followed all the instructions you gave and it worked!! Thank you everyone for your explanations and your help.

      Delete
    14. @KhaosT or @Sergey - it worked, thanks for your instructions and tool.

      Educational questions for future reference if you don't mind:

      1) Step #2 - "Find Partition "mfg" & slice it" - how did you get a list of the partitions in the .bin firmware dump and how did you slice the right one out?

      Was able to use the hex addresses you provided and dump that segment only from the USB tool (Step #1), but couldn't figure out how to find partitions and slice them from the whole flash dump.

      2) Seems like wpa_supplicant auth works in Linux or Linux-based OSs (ER). Do you have any experience getting it to work on FreeBSD (pfsense)? Linux flavors do this fine, but pfsense has some trouble handling DHCP requests with VLAN0 (802.1p) tags...

      3) Just a comment - you could get mfg.dat from the mfg partition .bin directly (steps #4, #5 not needed). To do that, you need jefferson (https://github.com/sviehb/jefferson) and then you could use binwalk recursively (-Me flags) to extract the jffs2 filesystem like so: binwalk -Me 589_0x05020000-0x05120000.bin - thought I'd point that out in case it may help someone

      Delete
  9. Would you mind sharing how the private key is encoded in mfg.dat? I was trying to identify the data structure in there for the key blob but after looking at it for hours, I still can't figure it out 😅

    ReplyDelete
    Replies
    1. Don't you think that sharing this would kind of defeat the value of this blog post? Besides, finding it yourself is a good mental exercise 😅

      Delete
    2. That's fair :) I was able to locate all 3 DER encoded certs, and I assume the blob before the client cert contains information to reconstruct the private key. Guess it's time for more disassembling...

      Delete
    3. You could try decompiling the tool to see how it does that, or try decompiling RG firmware. Decompiling the tool may be easier since it runs on x86 as opposed to MIPS or ARM. Most people are more comfortable with x86 assembler.

      Delete
    4. I actually tried decompiling the tool first, Go is a huge mess in there 😝

      Delete
    5. There are a couple guides online on reverse engineering of Go executables, so it is possible. If that's too much work, there's always MIPS or ARM RG firmware.

      Delete
    6. Wish I could help you KhaosT but this stuff is like a riddle, wrapped in a mystery, inside an enigma. But perhaps there is a private key at the end of the tunnel :)

      Delete
    7. Finally cracked it... that key transformation is surprising. I guess it's truly security through obscurity 🙃

      Hey Sergey, I really appreciate your creation of the tool. 👍

      Delete
    8. If they really wanted the keys to be secure, they should have used Smart Cards or TPM, but that is like extra $2 on RG BoM. Even then there's a potential for inexpensive side channel attacks, or physical migration of the key store to a new device. Someone made a decision that security by obscurity is good enough. Good job cracking the key. Enjoy!

      Delete
    9. I would have thought a blog dedicated to documenting the reverse engineering process would have published the data packing/obfuscation format.

      Delete
    10. Don't get me wrong. I appreciate this work very much. Just confused what the reason could be.

      Delete
    11. Feel free to reverse engineer the published executables. It's a lot easier than reverse engineering embedded systems.

      Delete
  10. Does the modem need to be connected to the ont while you're connected to the serial port? I get console output and eventually see a quantenna# prompt but it blazes by and I'm not able to input anything. :-/ I'm sure I can desolder the nand but I'm trying to avoid buying a reader if possible.

    ReplyDelete
    Replies
    1. Looks like I didn't go far enough back in the firmware. I have a mfg.dat dump via dd but there aren't any *.der files ( nor a rootcert directory). :-/

      Delete
    2. I was attached to the wrong debug port. All is good, thanks for the tool!

      Delete
  11. This comment has been removed by the author.

    ReplyDelete
  12. This comment has been removed by the author.

    ReplyDelete
  13. I bought a new BGW-710 on Amazon and successfully used your tool after rooting the RG. The output readme file contains a section that says:

    WARNING! Missing AAA server root CA! Add AAA server root CA to CA_XXXXXX-XXXXXXXXXXXXXX.pem

    Is this because the RG has never been connected to the internet? I'm not moving into the house with ATT service for a couple more months, so I was just prepping for it.

    ReplyDelete
    Replies
    1. Nevermind, I figured out that the error is because I didn't grab the .der certificates off the modem and put them in the same directory as the tool. I grabbed "att_eapol-certs.pkgstream" from some posted Pace firmware and converted the .pem certs to .der and it looks like the tool ran and output some files for me.

      I can't wait to give this a try!

      Delete
  14. Starting new thread too in case it gets lost in the nested replies above (sorry for duplicate):

    @KhaosT or @Sergey - it worked, thanks for your instructions and tool.

    Educational questions for future reference if you don't mind:

    1) Step #2 - "Find Partition "mfg" & slice it" - how did you get a list of the partitions in the .bin firmware dump and how did you slice the right one out?

    Was able to use the hex addresses you provided and dump that segment only from the USB tool (Step #1), but couldn't figure out how to find partitions and slice them from the whole flash dump.

    2) Seems like wpa_supplicant auth works in Linux or Linux-based OSs (ER). Do you have any experience getting it to work on FreeBSD (pfsense)? Linux flavors do this fine, but pfsense has some trouble handling DHCP requests with VLAN0 (802.1p) tags...

    3) Just a comment - you could get mfg.dat from the mfg partition .bin directly (steps #4, #5 not needed). To do that, you need jefferson (https://github.com/sviehb/jefferson) and then you could use binwalk recursively (-Me flags) to extract the jffs2 filesystem like so: binwalk -Me 589_0x05020000-0x05120000.bin - thought I'd point that out in case it may help someone

    ReplyDelete
    Replies
    1. To be clear - binwalk -Me will extract the raw .jffs2 file AND the mfg partition's root filesystem, including mfg.dat (in which case steps #4, #5 are no longer needed)

      Delete
  15. how do you open a pkgstream file?

    ReplyDelete
    Replies
    1. Just open it with Notepad++ or another text editor. Partway down you'll see the certs in plaintext.

      Delete
  16. Ordered an NVG589 and some parts from KhaosT's post. Going to give this a shot - too bad the USG-XG uses wheezy still - that makes it a bit more complicated.

    Also it would be great if a step by step how-to was created - everything from "here's what you do once you have the TSOP-48 plugged in to your laptop."

    ReplyDelete
    Replies
    1. You might try these steps:

      1. Download flashcat usb software from https://www.embeddedcomputers.net/software/, install it and add Win driver for the new USB device (find it in same downloaded .zip)

      2. Run the software and assuming it recognizes the USB device and NAND, it should allow you to dump it to disk (button reads something like "read chip/memory to disk")

      3. If you know how to find partitions and slice them from the full memory dump, you can do that. If not, a quicker way may be to dump only the mfg partition. For NVG589, KhaosT provided the start and end hex addresses. However, Flashcat software requires the start address and length (not the end address). Use start address of 0x000005020000 (leading zeros may get truncated) and length of 1048577 (if you want to calculate length, you might try this: echo 'ibase=16;000005120000-000005020000' | bc + 1)

      4. Assuming you use a Linux distro, add repository packages for binwalk and jefferson (https://github.com/sviehb/jefferson) and any python or other dependencies you may need

      5. Run this: binwalk -Me dump.bin on the .bin file created by flashcat

      6. At this point you should have a jffs2 file and the root filesystem of the mfg partition. Check filesystem folders and you should find mfg.dat

      7. Run mfg_dat_decode, making sure mfg.dat and the certs you saved from att_eapol-certs.pkgstream are in the same folder as the tool (one way to do this is creating a .pem file for each cert you find and then converting .pem format to .der: openssl x509 -in cert.pem -out cert.der -outform DER)

      8. If all goes well, at this stage you should have EAP files and wpa_supplicant.conf (may need to edit for your config)

      9. Connect ONT to your device and set up wpa_supplicant to authenticate

      Delete
  17. Thought I'd add this tidbit. Bought a used NVG510, downgraded and tftped off the certificates. Tool ran fine but one of the Motorola certificates expires in 2019. Not sure if that'll affect anything:

    802.1x Credential Extraction Tool
    Copyright (c) 2018-2019 devicelocksmith.com
    Version: 1.04 linux 386

    Found client certificate for Serial Number: 001E46-###############

    Found certificates with following Subjects:
    E8:33:81:0C:AA:41
    expires 2034-09-05 09:06:20 -0700 PDT
    Motorola, Inc. Device Intermediate CA ATTCPE1
    expires 2033-04-30 10:36:29 -0700 PDT
    Motorola, Inc. Device Root CA ATTCPE1
    expires 2038-04-30 09:30:26 -0800 PST
    Verifying certificates.. success!
    Validating private key.. success!
    Found valid AAA server root CA certificates:
    ATT Services Inc Root CA
    expires 2031-02-23 15:59:59 -0800 PST
    Motorola 802.1x Root CA
    expires 2019-06-19 13:51:50 -0700 PDT
    Successfully saved EAP-TLS credentials to
    /srv/tftp/EAP-TLS_8021x_001E46-###############.tar.gz

    ReplyDelete
  18. So I picked up an NVG589 off eBay, rooted it, and successfully extracted the certs. However, in my implementation I continue to receive an authentication failure (specifically, CTRL-EVENT-EAP-FAILURE EAP authentication failed). I've ensured that my eth0 (WAN) is spoofing the mac address from the original NVG589 (as listed in the generated wpa_supplicant.conf) yet the failure persists.

    My question is, this NVG589 that I received had a factory sticker over the ONT port. This leads me to believe this modem may not have been originally provisioned for fiber service, and instead was used as a DSL modem. Could this possibly be the issue, that the extracted certs aren't valid on the fiber network? Do I need to find another modem that was undoubtedly provisioned for use with an ONT?

    ReplyDelete
    Replies
    1. Have you verified you are using an ER-4 type device? Make sure your "ca_cert=", "client_cert=", "identity=", "private_key=" are set according to where you have the certs on the router.

      Also make sure your vlan and eth0 (presumed where you have the ONT connected) are configured to match the mac of the NVG589 you bought.

      This works and is honestly pretty fool proof. I also had to run the "/sbin/wpa_supplicant -s -B -Dwired -ieth0 -c[Path to]wpa_supplicant.conf &" as sudo. But now it auto starts and works through reboots. Make sure the command has the correct path the .conf otherwise you will get errors.

      Other than that, sorry, not sure what could be the issue; worked for me and I'm a noob in networking.

      Delete
    2. Hello, Magnus did you ever find out the problem, because I too just ordered a router from Ebay with the ONT covered

      Delete
  20. Just another point. I bought an NVG589 from eBay. It came with firmware 9.2.2h3d14 but I was able to downgrade that to 9.2.2h0d83 which is susceptible to the sharknatto vector of attack. After following that to get root I was able to extract the info I needed. The only thing I couldn't figure out was a way to get at the USB, so I moved the files I needed to the www/att/images directory and downloaded via the browser.

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
    2. This comment has been removed by the author.

      Delete
    3. Good to know that this firmware you have mentioned works. I haven't had any luck finding a RG that can be used for extraction. Is there any chance to find them online or maybe from you? Thanks

      Delete
  21. So I'm able to pull certs from a Pace 5286AC as a single PEM file. I've separated the certs into their own files (ca.pem, client.pem, private.pem) for use with wpa_supplicant, but there are features of this script that would be useful: outputting the expiration dates (I don't see them in plaintext in the certs), displaying the MAC address (which is in plain text) and doing any other certificate validation. Outputting the wpa_supplicant config would be nice too. I'm having trouble getting wpa_supplicant to work and I don't know if it's because my certs are bad/expired or if it's my config.

    ReplyDelete
    Replies
    1. Turns out my certs have some issues. If anyone has any guidance here it would be appreciated. WPA_SUPPLICANT logs below.
      TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/C=US/O=ATT Services Inc/CN=ATT Services Inc Enhanced Services CA'
      ngeth0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=US/O=ATT Services Inc/CN=ATT Services Inc Enhanced Services CA' err='unable to get local issuer certificate'
      EAP: Status notification: remote certificate verification (param=unable to get local issuer certificate)

      Delete
    2. Did you get a warning about missing AAA certs when running the tool? You are likely missing AAA CA cert (ATT Root CA)

      Delete
    3. I've just realized that you got the certs from a Pace 5286AC and did not use mfg_dat_decode. In this case you would want to get the trust cert from Pace firmware. Google for "att_eapol-certs.pkgstream"; the certs in the file are in plain text.

      Delete
    4. How did you pull certs off the Pace 5286AC ?

      Delete
  22. Any plans to open source this tool? Thanks for making it!

    ReplyDelete
  23. @Sergey
    thank you for developing the tool, I have successfully extracted the credentials from my RG and it works on pfsense!
    One question: the credentials are in the format for wpa_supplicant; would you mind suggesting how I can export the certificates for a Cisco IOS device?
    Thank you!

    ReplyDelete
    Replies
    1. None of the IOS devices I have support 802.1x with EAP-TLS authentication, so unfortunately I cannot test the credential format or configuration commands to get it working on Cisco devices. If you get this to work on Cisco devices, please share your findings and I would be happy to add support for Cisco IOS into the tool.

      Delete
    2. Was hoping to use Cisco IOS as well. Shame that Cisco doesn't seem to support 802.1x auth. Guess I will stick with Ubiquiti UDM Pro or go back to Mikrotik.

      Delete
  24. Looks like you have been able to use pfsense to authenticate with AT&T and have been able to remove the ISP RG completely off the network?

    Could you explain how you did this? I am trying to do this myself but so far have been able to find instructions only for letting pfsense do everything but the authentication which still requires the AT&T gateway.

    Thanks.

    ReplyDelete
    Replies
    1. Yes. I don't know much about pfsense, but check this thread:
      https://github.com/aus/pfatt/pull/19

      Delete
  25. Hello first of all, Thank you for this awesome tool Sergey!
    Second will credentials from Any att router work? I would like to extract credentials from NVG589, but I use BGW 210 at home. Thank you!

    ReplyDelete
    Replies
    1. Yes, any ATT Fiber RG should work.

      Delete
    2. Thank you for the reply! I am going to order one now. Thanks

      Delete
  26. This comment has been removed by the author.

    ReplyDelete
  27. Just wondering if anyone who has had success with pfsense is able to help. Wireshark is showing me it doesn't pass "request, identity". I have extracted certs and directed to wpa_supplicant.conf. If anyone who has had success using bare pfsense, your help would be appreciated.

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
    2. OK last post. I narrowed it down. I rebooted to see if the IP would stay; it didn't. My issue was I had to run wpa_supplicant pointing to my .conf file and not reboot the entire system, but only "reroot" which stops and remounts everything. Hmm 🤔. I would not like to do this every time the machine turns off. Any hints? Yes I'm root.

      Delete
    3. I have posted instructions for UBNT ER-4 in another post. Other vendors may use other directory structures and configuration files, so there is no universal solution - you'll have to come up with something that works for your device on your own. You would want wpa_supplicant to run after device boots, sets correct time (this is important for cert validation) and brings up interfaces, but before DHCP.

      Delete
  28. The Mac version of the tool doesn't work under Catalina.

    ReplyDelete
  29. Agreed, mac tool doesn't work in Catalina. Used windows and worked without an issue. Thanks so much Sergey! This is really great and much appreciated!!

    ReplyDelete
  30. A year after implementing this at home and it is still working beautifully. Thank you for this @Sergey, it is one of the coolest things ever.

    BGW210 certs added to USG-XG-8

    ReplyDelete
  31. Still working great for me. Certs from NVG589 (ebay). Well worth the $20! The question is, can I return my AT&T router and get the $10 equipment fee off the bill!

    ReplyDelete
    Replies
    1. That would be a question for AT&T.

      Delete
    2. No. You cannot turn it back in because it is associated with your account via the MAC. If someone else got that RG they could put it on their line and would cause you problems as well.

      Delete
  32. Sergey, thanks for the tool, If I may ask, I downgraded a BGW210 to firmware 1.0.29, ran extract_mfg.py and extracted mfg.dat and certs. arris-si-rootca.der arris-si-subca.der attroot2031.der attsubca2021.der frontierroot.der motroot.der & motsubca.der. I got my CAxxx.pem , Clientxxxx.pem & PrivateKey.pem , No errors while using mfg_dat_decode and decoding mfg.dat but still can not connect. Getting authenticated without server . Any idea. ? I'm using a Mikrotik CRS125-24G, Firmware 6.46.6.

    Thanks a lot..

    -HC

    ReplyDelete
  33. I am not familiar with Mikrotik. You may want to attempt connecting with wpa_supplicant manually from a Linux PC; just make sure that you send DHCP requests in VLAN0 or 802.1p. Another thing to check is whether you are properly cloning the MAC from the RG.

    ReplyDelete
  34. I'm running into a similar issue myself. Successfully extracted my mfg.dat and certs from the BGW210, and was able to run mfg_dat_decode successfully.

    Unfortunately, just using wpa_supplicant I'm getting EAPOL failures.

    ```
    EAPOL: txStart
    TX EAPOL: dst=01:xx:xx:xx:xx:xx
    TX EAPOL - hexdump(len=4): 02 01 00 00
    EAPOL: idleWhile --> 0
    EAP: EAP entering state FAILURE
    ngeth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
    EAPOL: SUPP_PAE entering state AUTHENTICATING
    EAPOL: SUPP_BE entering state FAIL
    EAPOL: SUPP_PAE entering state HELD
    EAPOL: Supplicant port status: Unauthorized
    EAPOL: SUPP_BE entering state IDLE
    EAPOL authentication completed - result=FAILURE
    EAPOL: startWhen --> 0
    ```

    Any ideas/suggestions? The MAC is properly cloned for my interface, and should be tagged as VLAN0

    ReplyDelete
    Replies
    1. It looks like my EAPOL start isn't being tagged as vlan0, which might explain why I never get ANY response.


      [2.4.5-RELEASE][admin@pfSense]/root/supplicant: tcpdump -vv -s 65535 -X -n vlan 0
      tcpdump: listening on ngeth0, link-type EN10MB (Ethernet), capture size 65535 bytes
      ^C
      0 packets captured
      4 packets received by filter
      0 packets dropped by kernel
      [2.4.5-RELEASE][admin@pfSense]/root/supplicant: tcpdump -vv -s 65535 -X -n
      tcpdump: listening on ngeth0, link-type EN10MB (Ethernet), capture size 65535 bytes
      17:43:53.737022 EAPOL start (1) v2, len 0
      0x0000: 0201 0000 ....

      Delete
    2. I am sorry, I cannot provide support for wpa_supplicant on all possible platforms. You could try asking for help on the wpa_supplicant mailing list at http://lists.infradead.org/mailman/listinfo/hostap

      Delete
  35. Hello,

    Windows defender is blocking me from using this as it contains a virus.

    ReplyDelete
    Replies
    1. That is a false positive. You could report it to Microsoft if this bothers you. I've done this myself in the past and it seems just a temporary solution before their engine tags it as malicious again. If in doubt you could always run it within an isolated temporary virtual machine.

      Delete
  37. Hi, Would it be possible to update your macos binary to work on the latest versions of macos? Currently it receives a `kill` signal when attempted to launch (even after gatekeeper has been updated).
    Thanks

    ReplyDelete
    Replies
    1. Sorry, I don't have a Mac, so I don't have a machine to test with. The executable was compiled with Golang. Apple must have made some changes in recent MacOS that are not letting the tool run. You could spin up a Windows or Linux virtual machine and use the respective versions within the VMs.

      Delete
    2. Thanks, that was my next plan.

      Delete
    3. I'd recommend Windows Sandbox if you're on Win 10 Pro. Very convenient.

      Delete
    4. I agree with Ryan - Sandbox feature is a natural fit to run things like mfg_decode. Along with WSL2 it is my favorite feature in latest Windows 10.

      Delete
  38. Where do I find the AAA server root CA der file?

    Found valid AAA server root CA certificates:
    None
    WARNING: No valid server root Certificate Authority DER files found in c:\mfg_dat_decode_1_04_macosx

    ReplyDelete
    Replies
    1. Figured it out. Somehow my downloaded .der files from the BGW210-700 contained HTML. No wonder. Zipped them into a tar.gz and it worked. If you import them into a Mikrotik you need to see 6 certs.

      Delete
  39. Can someone try this with the BGW 320-500/505? would be neat to learn more about these units

    ReplyDelete
  40. Not sure what I'm doing wrong. I have the mfg.dat and 7 *.der files from a BGW210-700 in the same folder as mfg_dat_decode.exe. When I double click the exe file a .tar.gz file is created but that's it. There are no *.pem files or wpa_supplicant.conf files created.

    ReplyDelete
    Replies
    1. NVM, I figured it out: the .tar.gz is a compressed file with the files in it. Thanks!

      Delete
  41. So now I have the 320. I do not have the separate ONT. It is now built-in. So now I'll have to use this cert in a Ubiquiti router.

    Years ago when I first got fiber, I was messing around with it. I plugged the ethernet from the ONT directly into my Mac... a message came up asking for authentication (user and pass I think). I will have to try it again. It almost reminded me of how old DSL was set up.

    ReplyDelete
  42. There seems to be a bug (at least with the darwin build) if you're not good at following directions exactly:

    If you have _both_ mfg.dat and calibration_01.bin (which seems to occur with some dumping tools for the bgw210-700), you'll get an error like the following

    ```
    Verifying certificates.. success!
    panic: Error 255

    goroutine 1 [running]:
    main.main()
    C:/Coding/Go/src/mfg_dat_decode/mfg_dat_decode.go:223 +0x3331
    ```

    In my case, the fix was to ensure only mfg.dat was present. This code doesn't appear to be open source or I'd take a look and recommend a change, but I suspect file presence is used to determine extraction strategy and when both are present there's an edge case where it might apply the wrong approach.

    ReplyDelete
