Netgate Discussion Forum

    ATT Uverse RG Bypass (0.2 BTC)

      pyrodex

      I've heard of people being able to use the supplicant mode without netgraph if they used a switch or bypass switch between pfSense and the ONT. Can anyone confirm, and what model switch did you use?

      I tried this on my new physical firewall with a DGS-1005G and had no luck. Anyone?

        Zaf9670

        So based on what I'm reading over the past 2+ years pfsense still requires netgraph in order to work with the 802.1x certificates?

        Also of note, someone on Reddit found a downgrade loophole for the BGW210-700 which allows root access. So you can extract the 802.1x certificates and disable the auto-updates to the gateway.

        Reddit post:
        https://www.reddit.com/r/ATT/comments/g59rwm/bgw210700_root_exploitbypass/

        Pastebin with steps to perform:
        https://pastebin.com/SUGLTfv4

            timtrace

            Is this expected behavior?

            Running the netgraph bypass as documented at https://github.com/MonkWho/pfatt . No LANs have been routed to ngeth0 just yet.

            I get about one packet every two-three minutes from the RG: tcpdump -ei em4

            10:06:30.887851 f8:2d:c0:yy:yy:yy (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 424: vlan 0, p 3, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from f8:2d:c0:yy:yy:yy (oui Unknown), length 378
            

            And I get about 100 per minute from the ONT: tcpdump -ei em5

            09:59:03.144906 a0:f3:e4:59:27:94 (oui Unknown) > f8:2d:c0:yy:yy:yy (oui Unknown), ethertype 802.1Q (0x8100), length 60: vlan 0, p 0, ethertype IPv4, 162-224-176-1.lightspeed.stlsmo.sbcglobal.net > zzz-zzz-179-129.lightspeed.stlsmo.sbcglobal.net: ICMP echo reply, id 30739, seq 4885, length 8
            
            • $RG_IF = em4
            • $ONT_IF = em5
            • f8:2d:c0:yy:yy:yy / zzz-zzz-179-129.lightspeed.stlsmo.sbcglobal.net = my RG
            • a0:f3:e4:59:27:94 / 162-224-176-1.lightspeed.stlsmo.sbcglobal.net = ATT
              GPz1100

              ^^For the first one, I think that might be a byproduct of the rg not getting an ip when using the eap proxy method. That is, it keeps requesting, but because the proxy only passes 802.1x traffic, it never actually receives it.

              The 2nd looks like the gateway is responding to a ping request? You have something pinging the gateway ip (162.224.176.1) often?

                timtrace

                Sounds like the first one is benign, unless it is an indicator that something else is wrong.

                The second - I’m not pinging in on that IP.

                Edit: The second thing, with the 100+ pings per minute, was the pfSense gateway monitor. It's now disabled.

                  GPz1100

                  What gateway box are you using? Maybe time to dump it entirely and go wpa_supplicant method?

                    timtrace @GPz1100

                    @GPz1100 Worked on that last night, I’ve got the certs off of the RG and broken into PEMs. Will work on the rest this evening.

                    Bricked the gateway though. I think I left the file system RW when I rebooted. It’s in a boot loop.

                    Thankfully, I still have my Charter connection, so I’m not in an outage condition.

                      timtrace @timtrace

                      Can't get the supplicant mode to work.

                      I had to comment lines 205-231 of pfatt.sh to get the system to boot.

                      wpa_cli status says:
                      Supplicant PAE state=HELD
                      suppPortStatus=Unauthorized
                      EAP state=FAILURE

                      tcpdump -i ONT_IF -e vlan says:
                      05:20:52.486546 f8:2d:c0:xx:xx:xx (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 22: vlan 0, p 0, ethertype EAPOL, EAPOL start (1) v2, len 0

                      /conf/pfatt/bin/* is 755 and /conf/pfatt/wpa/* is 644

                      Certs import without error into the web configurator, if only to make sure that they're intact. I've since pulled them back out of there.

                      What could be keeping this thing from being authorized?

                      F 1 Reply Last reply Reply Quote 0
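The three capture lines quoted in timtrace's posts above, sorted by GPz1100's description of a proxy that relays only 802.1X between RG and ONT. This is an added example, not part of any post or of pfatt; the function names are made up for illustration and the parsing assumes the `tcpdump -e` text format exactly as quoted in the thread.

```shell
#!/bin/sh
# Added example (not from pfatt or any post): sort `tcpdump -e` lines by
# whether a bridge that relays only 802.1X between RG and ONT would carry them.

# Prints: <src-mac> vlan=<id> pcp=<prio> <payload> <eap-bridged|not-bridged>
classify_capture() {
    awk '
    / ethertype 802\.1Q / {
        vlan = "?"; pcp = "?"; payload = "?"
        for (i = 1; i < NF; i++) {
            val = $(i + 1); sub(/,$/, "", val)
            if ($i == "vlan" && vlan == "?") vlan = val
            if ($i == "p" && pcp == "?") pcp = val
            # First ethertype token is the 802.1Q tag; the next names the payload.
            if ($i == "ethertype" && val != "802.1Q" && payload == "?") payload = val
        }
        verdict = (payload == "EAPOL") ? "eap-bridged" : "not-bridged"
        print $2, "vlan=" vlan, "pcp=" pcp, payload, verdict
    }'
}

# Prints "<src-mac> <count>" for EAPOL frames only, to show which side is
# sending 802.1X and whether anything comes back from a second MAC.
eapol_sources() {
    classify_capture |
        awk '$4 == "EAPOL" { n[$1]++ } END { for (m in n) print m, n[m] }' | sort
}

# Sample input: the three capture lines quoted in the posts above (MACs masked as posted).
sample_capture() {
    cat <<'EOF'
10:06:30.887851 f8:2d:c0:yy:yy:yy (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 424: vlan 0, p 3, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from f8:2d:c0:yy:yy:yy (oui Unknown), length 378
09:59:03.144906 a0:f3:e4:59:27:94 (oui Unknown) > f8:2d:c0:yy:yy:yy (oui Unknown), ethertype 802.1Q (0x8100), length 60: vlan 0, p 0, ethertype IPv4, 162-224-176-1.lightspeed.stlsmo.sbcglobal.net > zzz-zzz-179-129.lightspeed.stlsmo.sbcglobal.net: ICMP echo reply, id 30739, seq 4885, length 8
05:20:52.486546 f8:2d:c0:xx:xx:xx (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 22: vlan 0, p 0, ethertype EAPOL, EAPOL start (1) v2, len 0
EOF
}

sample_capture | classify_capture
sample_capture | eapol_sources
```

On a live box, pipe `tcpdump -e -l -i <interface>` into `eapol_sources` instead of the sample; a single source MAC in its output means only one side of the 802.1X exchange was seen on that interface.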
                        neatneat

                        I just moved into a temporary housing situation and was told this unit has ATT U-Verse. I'm looking at the back of my current RG (BGW210-700) and it's using an RJ11 from "broadband" port to the wall. The wall port doesn't have an RJ45 connection. Are there any workarounds for this using this method?

                          GPz1100

                          Rj11 = dsl. You need fiber.

                            fortillian @neatneat

                            @neatneat said in ATT Uverse RG Bypass (0.2 BTC):

                            I just moved into a temporary housing situation and was told this unit has ATT U-Verse. I'm looking at the back of my current RG (BGW210-700) and it's using an RJ11 from "broadband" port to the wall. The wall port doesn't have an RJ45 connection. Are there any workarounds for this using this method?

                            Uverse is the name of their interwebz service which can be DSL or Fiber. You could get a DSL modem if you don't want to use their equipment. If you have uverse TV service, or ATT home phone service, you'll need to keep their equipment in place.

                              bk150

                              I removed the gateway from my setup using the supplicant method from MonkWho's fork of pfatt from aus.

                              https://github.com/MonkWho/pfatt/tree/supplicant

                              This worked well on a SG-5100 on pfSense 2.4.5 p1 with certificates purchased on eBay from maczrcool. I'm getting full line speed (940/940) with no issues. I've tested that the setup survives expected and unexpected reboots.

                                lmgcnbzlp @bk150

                                @bk150 I'm trying to do what you've accomplished, on my PCEngines APU2 box with 2.4.5 p1 using MonkWho's fork. I have the certs extracted from my Arris BGW210. Did you also need Netgraph for the Supplicant approach? I was hoping to avoid it.

                                  JonH @lmgcnbzlp

                                  @lmgcnbzlp said in ATT Uverse RG Bypass (0.2 BTC):

                                  I have the certs extracted from my Arris BGW210

                                  Just wondering what you used to extract the certs.

                                    lmgcnbzlp @JonH

                                    @JonH I used the python script method per:

                                    https://www.reddit.com/r/ATT/comments/g59rwm/bgw210700_root_exploitbypass/

                                    Had to run it twice because the script didn't have a wait period defined to account for telnet server startup lead time, but on the second run it appears to have worked and was able to save the certs to my local machine in the manner documented in the readme.

                                      fresnoboy @timtrace

                                      @timtrace

                                      Did you get this to work? I am trying to enable pfsense to be moved to a different system via vmotion for doing maintenance on the host. Right now I use the netgraph bypass method, but I don't think it will work if I am using PCI device passthrough, which prevents the VM from being migrated.

                                      Does the vlan0 tagging get interfered with by vmware's management of the network interfaces? I can use port mirroring on a switch to make the ONT and even the gateway available on multiple systems.

                                      thx
                                      mike

                                        DanielJay23

                                        I have the netgraph version working well on my system. I am currently running 2.4.4-RELEASE. Will upgrading to 2.4.5_1 break this setup? Will I have to re-do my setup or can I just do a straight update through the web interface of my pfSense box?

                                          MonkWho @DanielJay23

                                          @DanielJay23 said in ATT Uverse RG Bypass (0.2 BTC):

                                          I have the netgraph version working well on my system. I am currently running 2.4.4-RELEASE. Will upgrading to 2.4.5_1 break this setup? Will I have to re-do my setup or can I just do a straight update through the web interface of my pfSense box?

                                          Before upgrading I would recommend you compare your current pfatt.sh script with the one in the repository here https://github.com/MonkWho/pfatt and see if any big changes are necessary.

                                          One major change in 2.4.5 is that ng_etf module is now part of base pfsense and you don't need to compile and upload it anymore. And it's also loaded by default so we cleaned out those parts of the script as well. If you don't update your current pfatt.sh it might hang with an error and stop the boot process of your box. Depends what version of the script you are running. Early versions required that module to load and didn't have "-nq" flag that allowed system to skip if it's already loaded.

                                          1 Reply Last reply Reply Quote 0
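A pre-upgrade check in the spirit of MonkWho's advice above, as an added example that is not part of the post or of the pfatt repository: it scans a local pfatt.sh copy for `kldload` calls that lack `-n` and would therefore fail when the module is already loaded. The function names and the sample script contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the pfatt repository): list kldload calls in a local
# pfatt.sh copy that lack -n and would error out when the module is already loaded.

# $1: path to the script. Prints "<line-number>: <line>" per finding.
find_strict_kldload() {
    awk '
    /^[ \t]*#/ { next }                      # whole-line comments
    /kldload/ {
        seen = 0; has_n = 0
        for (i = 1; i <= NF; i++) {
            if (!seen) { if ($i ~ /kldload$/) seen = 1; continue }
            if ($i !~ /^-/) break            # first non-flag word is the module
            if ($i ~ /^-[a-z]*n/) has_n = 1  # matches -n, -nq, -qn
        }
        if (seen && !has_n) print NR ": " $0
    }' "$1"
}

# Constructed sample script, not a copy of any pfatt.sh release.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# kldload ng_etf  (commented out, ignored)
/sbin/kldload /boot/kernel/ng_etf.ko
/sbin/kldload -nq ng_ether
kldload -q ng_eiface
EOF
}

demo() {
    tmp=$(mktemp)
    write_sample_script "$tmp"
    find_strict_kldload "$tmp"
    rm -f "$tmp"
}

demo
```

Empty output means every `kldload` call in the script already tolerates a preloaded module.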
                                            andrew_241

                                            I'm trying to use the supplicant version of pfatt.sh, and my pfSense box hangs on 'waiting EAP for authorization...' during boot. I had to manually break and edit the relevant parts of config.xml to be able to boot properly. I think I'm using the latest version of the script, and I did follow the instructions here. I do have the necessary certificates extracted from an unused gateway device.

                                            Any idea on what the problem might be?

                                            Thanks!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.