Extract mfg.dat and AT&T root certs from BGW210 or NVG599

5fff/extract-mfg

 
 

extract-mfg

Extract mfg.dat and AT&T root certs from BGW210 or NVG599.

This script assumes it is being run on a Windows PC with the mfg_dat_decode.exe program. It will exploit the gateway and download the certs, as well as run the mfg_dat_decode.exe program to save the EAP-TLS credentials into a local folder. The local folder will be named <ModelNumber>_<SerialNumber> and will be created in the same directory as the script.

If you include --install_backdoor as a command argument, the script will install a telnet backdoor on port 28 that persists across reboots and firmware upgrades.
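A defender-side check for the backdoor described above, as an added example that is not part of this repository: it connects to TCP port 28 on each gateway address you pass and classifies the listener by whether it opens with telnet option negotiation. The function names, and the assumption that the service sends IAC negotiation on connect, are choices made for this example and not taken from the project.

```python
import socket
import sys

BACKDOOR_PORT = 28                      # port named in this README
IAC = 0xFF                              # telnet "Interpret As Command" (RFC 854)
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT

def looks_like_telnet(data: bytes) -> bool:
    """True if data holds a full option negotiation: IAC, verb, option byte."""
    for i in range(len(data) - 2):
        if data[i] == IAC and data[i + 1] in NEGOTIATION:
            return True
    return False

def check_port(host: str, port: int = BACKDOOR_PORT, timeout: float = 2.0) -> str:
    """Return 'closed' (refused or filtered), 'open-telnet' or 'open-unknown'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                banner = sock.recv(256)  # first bytes the service volunteers
            except (socket.timeout, ConnectionError):
                banner = b""             # port is open but the service stayed silent
    except OSError:
        return "closed"
    return "open-telnet" if looks_like_telnet(banner) else "open-unknown"

def audit(hosts, port: int = BACKDOOR_PORT, timeout: float = 2.0) -> dict:
    """Check every address in hosts and return {host: state}."""
    return {host: check_port(host, port, timeout) for host in hosts}

if __name__ == "__main__":
    # Usage: python check_port28.py <GATEWAY_ADDRESS> [<GATEWAY_ADDRESS> ...]
    for host, state in audit(sys.argv[1:]).items():
        print(f"{host}:{BACKDOOR_PORT} {state}")
```

Any state other than closed on a gateway you administer means something is listening on port 28 and the device should be investigated.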

You can also include --update_firmware as a command argument to install the latest firmware stored in this repo as the last step of the process. This will start a local HTTP server, and the gateway will try to download the firmware from it (Windows Firewall may block this by default). For this to work correctly, you need to specify your local IP address with the --server_address command argument.

Instructions

  1. Downgrade your Gateway
  2. Install Python3 if you don't already have it
  3. Install Python dependencies:
    pip install requests bs4 lxml wget
    
  4. Run the script:
    python extract_mfg.py <ACCESS_CODE> <DEVICE_ADDRESS> --install_backdoor
    

Credits & References

  • Streiw: BGW210 Exploit Instructions
  • devicelocksmith: EAP-TLS credentials decoder and the method to extract mfg.dat
  • earlz: Commands that can be run on the Arris gateways
  • nomotion: Exploits discovered on Arris gateways
