Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Page 1 of 2 1 2 >
Topic Options
#371764 - 11/03/2019 22:53 Rooting a Uverse NVG589 Gateway
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
I know there are a lot of Linux types on here so I thought I might see if any of you would chime in about rooting an Arris NVG589 modem. I bought it with the purpose of extracting the 802.1x certificate to free me from having to use At&t's provided and required gateway on my fiber service. My model is an 5268AC from Pace but I bought the Arris so I could work on it independently from my Internet gateway.

Anyway, I found some instructions to root at as the first step to getting at the certificate, however, I cannot get past telnetting into it. The instructions simply do not work. Either they are leaving something out presumed common knowledge or the instructions are just wrong for my application. Anyway, these are the instructions. I can get through steps 1-3 but 4-5 don't work. If I start a second telnet session, I can't establish a connection with port 9999 as instructed and if try within the same session it says it's a local connection. Thanks for any help!

Stu

1. Open a terminal/cmd and run telnet 192.168.1.254 or your router's IP here.
If you are running Windows 7 or any later version, you might need to add this feature in Control Panel.

2. For username enter admin, for password enter your access code.[1]

3. Run ping `telnetd -l sh -p 9999`
9999 is the port number and you can change it to anything between 1024-65536.[2]

4. Open a terminal/cmd and run telnet 192.168.1.254 9999 or the port number you just entered.

5. You should see a # and that means you are accessing the root shell now!
_________________________
If you want it to break, buy Sony!

Top
#371765 - 11/03/2019 23:19 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31596
Loc: Seattle, WA
Which instructions are you following? Any chance it's this link?
https://github.com/MakiseKurisu/NVG589/wiki/Root-Access

I don't understand all of the instructions because I know dangerously little about Linux. But it looks (to my uneducated eye) like instruction 3 tries to enable a a telnet daemon on port 9999. What is the output from that command? Does it look like it succeeds?

If you say that you can connect to 9999 from the current session, but not from another session, I wonder if it's missing a step which enables the daemon for all users rather than just the one that's logged in. Maybe the instructions are missing some kind of elevation command before enabling the daemon on 9999. Or maybe a simple "sudo" is needed there?

Or maybe port 9999 is firewalled on that model of router, and you have to do more than just start a telnet daemon?

These are all wild guesses, or you may have already tried all those.
_________________________
Tony Fabris

Top
#371766 - 11/03/2019 23:22 Re: Rooting a Uverse NVG589 Gateway [Re: tfabris]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31596
Loc: Seattle, WA
Any chance the "ping" part of that instruction is a typo? I don't understand what that command is doing, but that's probably just my lack of knowledge.
_________________________
Tony Fabris

Top
#371767 - 12/03/2019 00:32 Re: Rooting a Uverse NVG589 Gateway [Re: tfabris]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Yeah that's the one. Thanks Tony! I know very little about Linux either; I'd say way less than you. When I run step 3 I just get a standard ping output:

NOS/255307918359056> ping 'telnetd -l sh -p 9999'

PING telnetd -l sh -p 9999 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: seq=0 ttl=64 time=0.761 ms
64 bytes from 192.168.1.254: seq=1 ttl=64 time=0.356 ms
64 bytes from 192.168.1.254: seq=2 ttl=64 time=0.358 ms
64 bytes from 192.168.1.254: seq=3 ttl=64 time=0.355 ms
64 bytes from 192.168.1.254: seq=4 ttl=64 time=0.366 ms

--- telnetd -l sh -p 9999 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.355/0.439/0.761 ms

NOS/255307918359056>

It doesn't work at all unless I do it exactly as shown. It just comes back with "unrecognized command."


Not really sure what to do at this point. I can desolder the flash where the cert lives and extract it, but eventually I'm still going to have to interact with Linux and vague incomplete instructions like the ones in that link.
_________________________
If you want it to break, buy Sony!

Top
#371768 - 12/03/2019 01:01 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Originally Posted By: maczrool

3. Run ping `telnetd -l sh -p 9999`
9999 is the port number and you can change it to anything between 1024-65536.[2]


That step above is intended to be run ON THE MODEM, from the first telnet session, rather than on the connected PC.

No idea what the "ping" is in there for, but you can try it both with and without the ping prefix. So, from within the original telnet session, do this command on the modem:

telnetd -l sh -p 9999

This part (below) should not be necessary, as the modem is likely running busybox, and the busybox implementation of telnetd uses lowercase-l:

If that fails to do anything useful, try it again with an uppercase-L instead of lowercase:

telnetd -L sh -p 9999


Say, Stu: coming over for the Cambridge meet? Would love to meet you in person there!




Edited by mlord (12/03/2019 01:07)

Top
#371769 - 12/03/2019 02:15 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
The ping command substitution (the backticks) might be some way to work around and run telnetd as a privileged user?
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

Top
#371770 - 12/03/2019 02:51 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
I've tried with and without ping. Neither really seems to work correctly and I can't really run it any other way but with a windows client. There's no console in the modem interface. Thanks for everyone's help though!

Terminal shell v1.0
Copyright (C) 2013 Motorola Mobility, LLC. All rights reserved.
Motorola Netopia Model NVG589 VDSL/ADSL AnnexA Ethernet
Running Netopia SOC OS version 9.1.0 (build h4d38_1.1)
ADSL/VDSL capable
(admin completed login: Admin account with read/write access.)

NOS/255307918359056> telnetd -l sh -p 9999

Unrecognized command. Try "help".

NOS/255307918359056> telnetd -L sh -p 9999

Unrecognized command. Try "help".

NOS/255307918359056>

I don't think I will be making it to Cambridge although it would be great to meet all you fine people, I just don't travel much and it's really not in the budget.

Stu
_________________________
If you want it to break, buy Sony!

Top
#371771 - 12/03/2019 09:01 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
peter
carpal tunnel

Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
Quote:
NOS/255307918359056> ping 'telnetd -l sh -p 9999'


Those are apostrophes ''''', but you need backticks `````.

Peter

Top
#371772 - 12/03/2019 10:54 Re: Rooting a Uverse NVG589 Gateway [Re: peter]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Originally Posted By: peter
Quote:
NOS/255307918359056> ping 'telnetd -l sh -p 9999'


Those are apostrophes ''''', but you need backticks `````.


Also, you can try locating the telnetd binary on the modem, and using its full path. Most likely, it is in /usr/sbin/, so that would mean trying these:

ping `/usr/sbin/telnetd -l sh -p 9999`
## Using backquote, often found at top left of a PC keyboard on the tilde (~) key.
## But really, the use of ping with quotes here makes no sense to me.

Or

/usr/sbin/telnetd -l sh -p 9999

If it still says something like "Unrecognized command", then you will have to find exactly where telnetd is hiding. This might work for that:

find / -name telnetd

Top
#371773 - 12/03/2019 10:59 Re: Rooting a Uverse NVG589 Gateway [Re: peter]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Originally Posted By: peter
Quote:
NOS/255307918359056> ping 'telnetd -l sh -p 9999'


Those are apostrophes ''''', but you need backticks `````.

Peter



That was it! I couldn't paste into the session (gave me a weird question mark in a box), so I was just misreading it. The ping is necessary as is a new session for step 5 by the way. Now to figure out how to extract the cert! Thanks everyone. I thought it might be something simple!

Terminal shell v1.0
Copyright (C) 2013 Motorola Mobility, LLC. All rights reserved.
Motorola Netopia Model NVG589 VDSL/ADSL AnnexA Ethernet
Running Netopia SOC OS version 9.1.0 (build h4d38_1.1)
ADSL/VDSL capable
(admin completed login: Admin account with read/write access.)

NOS/255307918359056> `telnetd -l sh -p 9999`

Unrecognized command. Try "help".

NOS/255307918359056> ping `telnetd -l sh -p 9999`

BusyBox v1.18.3 (2013-06-13 18:56:43 EDT) multi-call binary.

Usage: ping [OPTIONS] HOST


New Session after telnet 192.168.1.254 9999:
#
_________________________
If you want it to break, buy Sony!

Top
#371774 - 12/03/2019 11:03 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Originally Posted By: mlord

ping `/usr/sbin/telnetd -l sh -p 9999`
## Using backquote, often found at top left of a PC keyboard on the tilde (~) key.
## But really, the use of ping with quotes here makes no sense to me.

Oh, okay, I get it. The modem is running some kind of limited custom shell (aka. "command interpreter"). So it doesn't allow most commands, but apparently does have a built-in "ping" command. And the child who wrote the custom shell added backquote support to make it easier to script config stuff. And thereby also opened up a massive hole in the custom shell. smile

Surrounding an expression with backquotes tells the shell (command interpreter) to first run the command within the backquotes, and then provide the resulting output as a command line parameter to the original (ping in this case) command.

The telnetd command doesn't output anything useful to ping, but that's unimportant here. The idea instead is to just trick the shell into running a command it normally won't run, telnetd in this case.

Top
#371775 - 12/03/2019 13:28 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Thanks Mark for the explanation! Those vulnerabilities were patched later on. The gateway had to be downgraded to an old firmware to do this. It bugs me that people in the isp circles are so secretive about how to do all this. They say they are worried about AT&T finding out and patching the holes, but they already did and that’s why the downgrade is necessary.

Thanks again for everyone’s help,
Stu
_________________________
If you want it to break, buy Sony!

Top
#371776 - 12/03/2019 13:36 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
I was thinking of going with an ER4 router to run the WPA supplicant with the extracted cert. It should easily support my symetrical gigabit connection and it’s fanless. Just need to decipher all these guides on doing that!

Stu
_________________________
If you want it to break, buy Sony!

Top
#371777 - 12/03/2019 17:31 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31596
Loc: Seattle, WA
Originally Posted By: mlord
The telnetd command doesn't output anything useful to ping, but that's unimportant here. The idea instead is to just trick the shell into running a command it normally won't run, telnetd in this case.


Dayammm. That's a spicy meatball.

Nice explanation. Woulda been nice if the original writer of those instructions could have done the same.
_________________________
Tony Fabris

Top
#371778 - 12/03/2019 18:16 Re: Rooting a Uverse NVG589 Gateway [Re: tfabris]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31596
Loc: Seattle, WA
I'm glad that seeing "ping" running with "telnetd" as its parameter looked weird to me, enough so that I thought it was a typo at first. Shows I'm learning at least something about Linux here and there. :-)

I wish you the best of luck, Stu, on getting the fiber service gateway tweaked to your liking. I fully support the idea of one using one's own hardware on a cable/fiber company's line. That's as it should be.

But I will warn that I've had trouble in that area before. Though it was with a cable modem on Comcast, so it's a different situation. Be prepared for trouble, is what I'm saying. My trouble was this:

- I wanted the monthly modem charge offa my cable bill. I wanted to buy my own modem and save the $10.00/mo
- I needed the modem to be one with Voip line plugs in it (for my land line and burglar alarm).
- That limited the number of modems I could buy. There really was only one kind readily available as a "new" item, a particular Arris unit that Comcast supported.
- The Arris unit would work for a few months and then mysteriously brick to an unrepairable state. Neither Arris nor Comcast tech support was able to fix the modem, and there was a lot of finger pointing.
- I went through something like three of these things before a Comcast tech told me in confidence that it was known issue, that it was possible to remotely brick the Arris modems via bad remote commands and/or bad automatic firmware updates from the cable company.
- I had to ebay a whole different model/make of modem, this time one with the Xfinity logo on it. (Took two tries to find one on ebay which wasn't a reclaimed/blacklisted unit.) That one has been working steadily for years now.

Let us know how it goes for you. smile
_________________________
Tony Fabris

Top
#371779 - 12/03/2019 23:03 Re: Rooting a Uverse NVG589 Gateway [Re: tfabris]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Originally Posted By: tfabris
I'm glad that seeing "ping" running with "telnetd" as its parameter looked weird to me, enough so that I thought it was a typo at first. Shows I'm learning at least something about Linux here and there. :-)


Seems pretty clever. I'm thinking of writing clear instructions for the whole process to make it less mysterious once I get it all sorted out.

Quote:
I wish you the best of luck, Stu, on getting the fiber service gateway tweaked to your liking. I fully support the idea of one using one's own hardware on a cable/fiber company's line. That's as it should be.


I will keep at it this weekend and try to get it going. Will let everyone know. I'm getting a super deal with the exception of the forced crap gateway. 1000mb up and down unlimited for $70/mo supposedly for a lifetime.

Quote:

But I will warn that I've had trouble in that area before. Though it was with a cable modem on Comcast, so it's a different situation. Be prepared for trouble, is what I'm saying. My trouble was this:

- I went through something like three of these things before a Comcast tech told me in confidence that it was known issue, that it was possible to remotely brick the Arris modems via bad remote commands and/or bad automatic firmware updates from the cable company.
- I had to ebay a whole different model/make of modem, this time one with the Xfinity logo on it. (Took two tries to find one on ebay which wasn't a reclaimed/blacklisted unit.) That one has been working steadily for years now.

Let us know how it goes for you. smile
That's horrible! If AT&T bricks my $199 router, there's going to be trouble for sure!
_________________________
If you want it to break, buy Sony!

Top
#371780 - 15/03/2019 11:55 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
I'm attempting to extract the cert files from the gateway and can't figure out how to get them out onto my PC. I ran the command:
mount mtd:mfg -t jffs2 /mfg&&cp /mfg/mfg.dat /tmp/&&umount /mfg
This presumably copies the mfg.dat file to a folder called tmp I guess, but how do I copy it to C on my Windows machine? I've tried scp in the root shell, but I get the response scp not found. Anyone know how to do this?

Edit: After looking at the busybox docs, it does not appear scp is supported. Not sure why it was suggested. What ways are there to transfer files out from busybox?


Edited by maczrool (15/03/2019 13:37)
_________________________
If you want it to break, buy Sony!

Top
#371781 - 15/03/2019 13:54 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
busybox (on Ubuntu, at least) has a built-in HTTP server (busybox httpd). Maybe the version you've got also has that?


Try "busybox httpd -f -p 8080"
_________________________
-- roger

Top
#371782 - 15/03/2019 14:13 Re: Rooting a Uverse NVG589 Gateway [Re: Roger]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Originally Posted By: Roger
busybox (on Ubuntu, at least) has a built-in HTTP server (busybox httpd). Maybe the version you've got also has that?


Try "busybox httpd -f -p 8080"


Thanks! I’ll try that this weekend. Supposedly the gateway supports USB transfers after running these commands but they don’t say what to do after so I have no idea.

1. insmod /lib/modules/2.6.30.10-motopia/kernel/drivers/usb/storage/usb-storage.ko

You might need to change this path to your USB storage device driver.

2. modprobe usb-storage
Note:

You can find your hard driver in /media/hda1.

Several file system drivers are located in /lib/modules/2.6.30.10-motopia/kernel/fs/, load them if you are having trouble to read the data.

Since there is only one class under usb folder, NVG589 is unlikely to support other types of device.
_________________________
If you want it to break, buy Sony!

Top
#371783 - 15/03/2019 16:42 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Originally Posted By: maczrool
Supposedly the gateway supports USB transfers after running these commands but they don’t say what to do after so I have no idea.

[i]1. insmod /lib/modules/2.6.30.10-motopia/kernel/drivers/usb/storage/usb-storage.ko

You might need to change this path to your USB storage device driver.

2. modprobe usb-storage

You can find your hard driver in /media/hda1.

If that's the case, then you can copy the file to the stick as follows:

Code:
mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /media/hda1/ && umount /mfg
umount /media/hda1 ; sync

Top
#371784 - 15/03/2019 17:12 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
If that still gives trouble, then perhaps you can set up an RDP server on the machine for me to connect to and I'll get it sorted. Apparently I can do this directly from Linux too, even if the remote machine (yours) is running MSWin.

Top
#371785 - 15/03/2019 17:56 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Originally Posted By: mlord
If that still gives trouble, then perhaps you can set up an RDP server on the machine for me to connect to and I'll get it sorted. Apparently I can do this directly from Linux too, even if the remote machine (yours) is running MSWin.


Let me try your USB method and if it doesn’t work, I’ll let you know. Thanks again Mark!
_________________________
If you want it to break, buy Sony!

Top
#371787 - 15/03/2019 23:16 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Quote:

If that's the case, then you can copy the file to the stick as follows:

Code:
mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /media/hda1/ && umount /mfg
umount /media/hda1 ; sync


Nope. Not working. I assume I am supposed run the USB code I posted first. I tried with and without. Tried a couple different sticks. Will keep tinkering this weekend.

Result without initial USB code:

Code:
# mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /media/hda1/ && umount /mfg
cp: can't create '/media/hda1/': Is a directory


Result with initial USB code:

Code:
# insmod /lib/modules/2.6.30.10-motopia/kernel/drivers/usb/storage/usb-storage.ko
# modprobe usb-storage
# mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /media/hda1/ && umount /mfg
mount: mounting mtd:mfg on /mfg failed: Device or resource busy
_________________________
If you want it to break, buy Sony!

Top
#371788 - 15/03/2019 23:29 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Just try the cp /mfg/mfg.dat /media/hda1/ part after that last one (the "busy" complaint was because of the previous attempt failing).

Top
#371789 - 16/03/2019 00:00 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Unfortunately I keep getting the "cp: can't create '/media/hda1/': Is a directory" error.

# insmod /lib/modules/2.6.30.10-motopia/kernel/drivers/usb/storage/usb-storage.ko
# modprobe usb-storage
# mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /media/hda1/ && umount /mfg
cp: can't create '/media/hda1/': Is a directory
#
# cp /mfg/mfg.dat /media/hda1/
cp: can't create '/media/hda1/': Is a directory
# insmod /lib/modules/2.6.30.10-motopia/kernel/drivers/usb/storage/usb-storage.ko
insmod: can't insert '/lib/modules/2.6.30.10-motopia/kernel/drivers/usb/storage/usb-storage.ko': File exists
# modprobe usb-storage
# mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /media/hda1/ && umount /mfg
mount: mounting mtd:mfg on /mfg failed: Device or resource busy
# cp /mfg/mfg.dat /media/hda1/
cp: can't create '/media/hda1/': Is a directory
_________________________
If you want it to break, buy Sony!

Top
#371790 - 16/03/2019 00:01 Re: Rooting a Uverse NVG589 Gateway [Re: Roger]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Originally Posted By: Roger
busybox (on Ubuntu, at least) has a built-in HTTP server (busybox httpd). Maybe the version you've got also has that?


Try "busybox httpd -f -p 8080"


It seems my version of busybox does not have httpd.

# busybox httpd -f -p 8080
httpd: applet not found
_________________________
If you want it to break, buy Sony!

Top
#371791 - 16/03/2019 00:32 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
With the USB stick inserted, and all of the USB recipes done, what does this command output:

cat /proc/mounts /proc/partitions

Top
#371792 - 16/03/2019 12:11 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Originally Posted By: mlord
With the USB stick inserted, and all of the USB recipes done, what does this command output:

cat /proc/mounts /proc/partitions


Thanks Mark! Here goes:


# insmod /lib/modules/2.6.30.10-motopia/kernel/drivers/usb/storage/usb-storage.ko
# modprobe usb-storage
# mount mtd:mfg -t jffs2 /mfg && cp /mfg/mfg.dat /media/hda1/ && umount /mfg
cp: can't create '/media/hda1/': Is a directory
# cat /proc/mounts /proc/partitions
rootfs / rootfs rw 0 0
mtd:rootfs / jffs2 rw,relatime 0 0
procfs /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /media tmpfs rw,relatime 0 0
tmpfs /var tmpfs rw,relatime 0 0
devfs /dev tmpfs rw,relatime 0 0
pts /dev/pts devpts rw,relatime,mode=600 0 0
mtd:data /data jffs2 rw,noatime 0 0
mtd:mfg /mfg jffs2 rw,relatime 0 0
major minor #blocks name

31 0 40960 mtdblock0
31 1 40960 mtdblock1
31 2 46976 mtdblock2
31 3 128 mtdblock3
31 4 1024 mtdblock4
8 0 60397568 sda
8 1 60393536 sda1
#
_________________________
If you want it to break, buy Sony!

Top
#371793 - 16/03/2019 14:43 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
The problem was in the third-party instructions which suggested that the USB-stick would have been auto-mounted at /media/hda1

I did have my doubts, now confirmed, as USB-sticks are normally /dev/sdX devices rather than /dev/hdX devices, but some setups do weird things in that regard (eg. the empeg itself!). And there does not seem to be any auto-mounting happening either.

So insert the USB stick, and do this:
Code:
modprobe usb-storage
mkdir /tmp/usb
mount /dev/sda1 /tmp/usb    ## Abort if this line fails
mount mtd:mfg -t jffs2 /mfg
cp /mfg/mfg.dat /tmp/usb/
umount /mfg
umount /tmp/usb
sync

I have written it out one command per line to make it easier to grok, but one could condense it by combining commands. A semi-colon (;) can be used to separate multiple commands placed on the same line. Another way is to join commands with &&, which means "only continue if the previous command worked".

You can see examples of those from the earlier attempts above.

The # symbol is for comments, and means "ignore the rest of this line". I generally write it as ## to make it more obvious, rather than #, but either way it's a comment that doesn't need to be typed out.


Edited by mlord (16/03/2019 15:01)

Top
#371794 - 16/03/2019 14:54 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Here is a more fully commented version of the above:
Code:
modprobe usb-storage        ## Ensure the driver for the USB-stick is loaded
mkdir /tmp/usb              ## Create a directory for use as a mount-point
mount /dev/sda1 /tmp/usb    ## Mount/attach the USB-stick at /tmp/usb
mount mtd:mfg -t jffs2 /mfg ## Mount the manufacturing partition at /mfg
cp /mfg/mfg.dat /tmp/usb/   ## Copy mfg.dat to the USB-stick
umount /mfg                 ## Unmount/detach the manufacturing partition
umount /tmp/usb             ## Unmount/detach the USB-stick
sync                        ## Ensure data is written to the USB-stick before removal


Top
#371795 - 16/03/2019 16:27 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Originally Posted By: mlord
Here is a more fully commented version of the above:
Code:
modprobe usb-storage        ## Ensure the driver for the USB-stick is loaded
mkdir /tmp/usb              ## Create a directory for use as a mount-point
mount /dev/sda1 /tmp/usb    ## Mount/attach the USB-stick at /tmp/usb
mount mtd:mfg -t jffs2 /mfg ## Mount the manufacturing partition at /mfg
cp /mfg/mfg.dat /tmp/usb/   ## Copy mfg.dat to the USB-stick
umount /mfg                 ## Unmount/detach the manufacturing partition
umount /tmp/usb             ## Unmount/detach the USB-stick
sync                        ## Ensure data is written to the USB-stick before removal



Wow this is awesome! Thanks for the comments. That really helps understand what all this is supposed to do. I'm getting an error "Invalid argument' at the mount /dev/sda1 /tmp/usb

# modprobe usb-storage
# mkdir /tmp/usb
mkdir: can't create directory '/tmp/usb': File exists
# mount /dev/sda1 /tmp/usb
mount: mounting /dev/sda1 on /tmp/usb failed: Invalid argument
#
_________________________
If you want it to break, buy Sony!

Top
#371796 - 16/03/2019 17:13 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Ahh.. Okay. It is possible that there is already a file called /tmp/usb on that system. Verify this as follows:

ls -l /tmp/usb

In which case we can just use a different name for our temporary mount point. Let's call it "fred" instead:
Code:
modprobe usb-storage        ## Ensure the driver for the USB-stick is loaded
mkdir /tmp/fred             ## Create a directory for use as a mount-point
mount /dev/sda1 /tmp/fred   ## Mount/attach the USB-stick at /tmp/fred
mount mtd:mfg -t jffs2 /mfg ## Mount the manufacturing partition at /mfg
cp /mfg/mfg.dat /tmp/fred/  ## Copy mfg.dat to the USB-stick. Note trailing slash.
umount /mfg                 ## Unmount/detach the manufacturing partition
umount /tmp/fred            ## Unmount/detach the USB-stick
sync                        ## Ensure data is written to the USB-stick before removal

Any different?

Also, note that the purpose of the trailing slash on the "cp" line is to ensure that the copy fails if /tmp/fred is not present or is not a directory. Without that slash, the copy might appear to succeed, but could simply be creating a copy into a file called "fred", rather than what we intended.


Edited by mlord (16/03/2019 17:22)

Top
#371797 - 16/03/2019 18:00 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Originally Posted By: mlord
Ahh.. Okay. It is possible that there is already a file called /tmp/usb on that system. Verify this as follows:

ls -l /tmp/usb



Thank you Mark! It just reported the file already existed because I had run the commands earlier and got the invalid argument error. I ran them again to see if it would work (still got the invalid argument error anyway) then copied that and posted. Once I restart the gateway the /tmp/usb goes away. So anyway, I'm still not able to proceed due to the invalid argument error.

# ls -l /tmp/usb
ls: /tmp/usb: No such file or directory
# modprobe usb-storage
# mkdir /tmp/usb
# mount /dev/sda1 /tmp/usb
mount: mounting /dev/sda1 on /tmp/usb failed: Invalid argument
#
_________________________
If you want it to break, buy Sony!

Top
#371798 - 16/03/2019 18:33 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Okay, perhaps the version of "mount" used on that machine is dumber than usual. In which case, ensure the USB-stick uses FAT filesystem rather than EXFAT or NTFS, and then do this:

mount /dev/sda1 -t vfat /tmp/usb

Alternatively, you can probably re-format the USB-stick from the modem itself, before doing the above mount command:

mkfs.vfat /dev/sda1

Notes: There are dozens of different "filesystem types" that can be used with Linux. On a full blown PC distro, the mount command will normally automatically figure out which type a given USB-stick has been formatted with. But on an embedded device like a modem (or an empeg), fancy smarts like that are often omitted to make things smaller. And the range of supported filesystem types is also often limited to just a few. vfat (the Win98 filesystem) is pretty much universally supported though.

Top
#371799 - 16/03/2019 23:41 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
That seemed to work! I have an mfg file on the USB drive. I also need to extract the .der files located at: /etc/rootcert/*.der

Then that should be it!

How would I modify the earlier code to make that work? I tried modifying your commands but didn't get anywhere. It's got more folders to it so it's a bit confusing. This is what I intended to try, but it failed at mounting etc/rootcert due to no such file or directory. Hopefully something obvious I'm doing incorrectly!

Code:
modprobe usb-storage                                           
mkdir /tmp/usb                                                  
mount /dev/sda1 /tmp/usb                                        
mount mtd:/etc/rootcert/ -t jffs2 /etc/rootcert/             
cp /etc/rootcert/*.der /tmp/usb/                                
umount /etc/rootcert/                                           
umount /tmp/usb                                                 
sync                                                      



Edited by maczrool (16/03/2019 23:42)
_________________________
If you want it to break, buy Sony!

Top
#371800 - 17/03/2019 02:19 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
The /etc directory is normally always there. No need to mount it.
Check to see if the files you want are already there first:

ls -l /etc/rootcert/*.der

"ls" is the "list files" command, like "dir" on MS-DOS. The "-l" asks it to produce "long" (detailed) output.

If you see a bunch of .der files there, then copy them to the USB-stick similar to before, just omitting the "mount" and "umount" for /etc/..

Top
#371801 - 17/03/2019 02:21 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Code:
modprobe usb-storage     ## This is only needed once after each reboot                                          
mkdir -p /tmp/usb        ## The -p tells mkdir not to complain if /tmp/usb already exists                                         
mount /dev/sda1 /tmp/usb                                        
cp -v /etc/rootcert/*.der /tmp/usb/   ## The -v means "verbose", showing exactly what gets copied                     
umount /tmp/usb                                                 
sync

Top
#371802 - 17/03/2019 12:14 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Quote:
Alternatively, you can probably re-format the USB-stick from the modem itself, before doing the above mount command:

mkfs.vfat /dev/sda1

Notes: There are dozens of different "filesystem types" that can be used with Linux. On a full blown PC distro, the mount command will normally automatically figure out which type a given USB-stick has been formatted with. But on an embedded device like a modem (or an empeg), fancy smarts like that are often omitted to make things smaller. And the range of supported filesystem types is also often limited to just a few. vfat (the Win98 filesystem) is pretty much universally supported though.
The gateway doesn't support the mkfs command either, so I did it in the Windows command line since the only two options in Win10 are NTFS and EXFAT.
_________________________
If you want it to break, buy Sony!

Top
#371803 - 17/03/2019 12:24 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Originally Posted By: mlord
Code:
modprobe usb-storage     ## This is only needed once after each reboot                                          
mkdir -p /tmp/usb        ## The -p tells mkdir not to complain if /tmp/usb already exists                                         
mount /dev/sda1 /tmp/usb                                        
cp -v /etc/rootcert/*.der /tmp/usb/   ## The -v means "verbose", showing exactly what gets copied                     
umount /tmp/usb                                                 
sync


I think I got them all with that. I didn't get anything verbose during the process, but when I opened the USB drive the files were there! Not sure how I can thank you enough. I don't imagine this is the sort of thing I would have be able to piece together myself with such limited knowledge of Linux commands and errors. If there's something you might need in the future please let me know!

Now I need to go obtain an ER-4 to load the cert file onto (using a tool that combines the .der and mfg.dat files). I think setup on that is generally better documented then this backdoor bypass procedure so I should be okay there.

Thanks again and happy St. Patrick's Day!
Stu


Attachments
NVG589.JPG


_________________________
If you want it to break, buy Sony!

Top
#371872 - 15/04/2019 18:40 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Just a quick update on this. I copied the certs you guys helped me extract onto my Edgerouter ER-4 and have successfully gotten it to authenticate with AT&T. The crappy Pace 5268AC has been decommissioned and banished to the attic with the ONT plugged directly into the eth0 interface of my ER-4. Thanks again to everyone on this!

Stu
_________________________
If you want it to break, buy Sony!

Top
#371873 - 15/04/2019 20:05 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Well done! Congratulations! smile

Top
#371874 - 16/04/2019 03:04 Re: Rooting a Uverse NVG589 Gateway [Re: mlord]
maczrool
pooh-bah

Registered: 13/01/2002
Posts: 1649
Loc: Louisiana, USA
Thanks! Couldn’t have done it without you! As luck would have it, I got some more donor gateways, tried desoldering the flash and extracting the files with a flash programmer and that worked too!
_________________________
If you want it to break, buy Sony!

Top
#371907 - 03/05/2019 23:24 Re: Rooting a Uverse NVG589 Gateway [Re: maczrool]
altman
carpal tunnel

Registered: 19/05/1999
Posts: 3457
Loc: Palo Alto, CA
Oooo I have to try this. The imp office has an 589, and myself & Zandr spent a long time with an edgerouter bypassing it for everything *except* 802.1x.

ie, we forward 802.1x traffic to the 589, turning the AT&T port on, but then all packets go via a pfSense box.

Top
Page 1 of 2 1 2 >