
extract-mfg

Extract mfg.dat and AT&T root certs from BGW210 or NVG599.

This script assumes it is being run on a Windows PC that has the mfg_dat_decode.exe program. It exploits the gateway, downloads the certs, and then runs mfg_dat_decode.exe to save the EAP-TLS credentials into a local folder. The local folder is named <ModelNumber>_<SerialNumber> and is created in the same directory as the script.

If you include --install_backdoor as a command argument, the script will install a telnet backdoor on port 28 that persists across reboots and firmware upgrades.

You can also include --update_firmware as a command argument to install the latest firmware stored in this repo as the last step of the process. This starts a local HTTP server from which the gateway will try to download the firmware (Windows Firewall may block this by default). You need to specify your local IP address with the --server_address command argument for it to work correctly.

Instructions

1. Downgrade your Gateway
2. Install Python3 if you don't already have it
3. Install Python dependencies:

       pip install requests bs4 lxml wget

4. Run the script:

       python extract_mfg.py <ACCESS_CODE> <DEVICE_ADDRESS> --install_backdoor

Credits & References

  • Streiw: BGW210 Exploit Instructions
  • devicelocksmith: EAP-TLS credentials decoder and the method to extract mfg.dat
  • earlz: Commands that can be run on the Arris gateways
  • nomotion: Exploits discovered on Arris gateways