@Sunny I tried that exact thing, since the NVG510 is wireless N and my current wifi is wireless G. Just give up. I managed to get it to work, but I had to reset it once an hour or the wireless signal would become so weak as to be non-existent, apparently some kind of power saving feature I couldn't figure out how to disable. 

See also: http://earlz.net/view/2012/12/28/0230/how-to-reuse-an-nvg510

Hello Earlz, this is really a great work..This has been very helpful in getting into this modem but i havent been able to get it to work like the way i wanted it to.. Can you let me know if this is possible - I switched to cable recently and have no use of this modem now so I was trying to set it up a wireless access point with a lan port plugged in directly to the back of my cable modem/router. I tried the true bridge mode You have mentioned above except i removed the ppp since i do not want that to happen but that doesn seem to work.. Can You let me know if i am missing something or this will not work..

With the way bridge mode is setup, maybe, maybe not. If you bridged it, you might try running an *extra* network cable from your router to your modem (use one of the non-bridge ports). I'm not sure it'd work though and it'd probably require some extra configuration. I didn't have an NVG510 which supported VoIP, so I don't know. 

Yes. It'd probably be an nsh command like:

set mgmt.account[0].password "mypassword"

I have a problem that I can't seem to work around and wondered if you can help.
I have put the modem in pass-through (needed it for work, and AT&T didn't give a crap; so, I hacked it!)
But, now, my phone doesn't work.  My phone uses the modem for the "dial tone" (at least, that's what the tech told me).
It seems that forwarding everything to my internal router has disabled the phone line.  I thought I could get it
to work by putting vc-1 into the list of ports on link[2].  But, sadly, that does not work.  Any suggestions?

Here's a question: can you change the device access code from within telnet?

@NetZ. Oh wow! I wasn't aware that when the network went down the login functions were basically not used. That's... interesting heh. Anyway, you can probably get the network password from the `nsh` command line.

If you do a `dump` from nsh, one of the fields it lists should be the admin password.. 

Note: I don't condone this behavior at all though. 

many thanks on this site, got me a few steps closer to getting this thing actually decent. could the following be done?: I personally don't know the admin password to our router, and there is great animosity between be and the current network admin, who is quite frankly incompetent (he bought a usb keyboard for his laptop because he thought it was broken; turns out he had numlock on for a couple years). So, I was able to enable telnet by using your page and a trick using that annoying redirect (which is my goal to get rid of, ironically). Apparently when your get that redirect you have access to the full functions of the router (meaning you can reset it, whatever, during this). So I waited till the net failed (common enough) and after the redirect I used your page to enable telnet.

So, if you can do this sort of thing while redirected, can, could you obtain the admin password as well?

Drawing circles is hard. :-)

Dude, I seriously need to send you some cash for this. 
I have been fighting with AT&T 'support' for over a month to get
rid of that stupid connection 'error' redirect message. This is what I wanted. I just did it
- rooted the blasted thing - now but confidant this will address the issue. Also disabled 
that worthless DHCP server they have on the unit. 

Thanks for the tutorial, though my problem seems different than anyone else's.  What happens for me is the redirect, but only when browsing with the http port.  If I go to http://google.com, it redirects.  When I go to https://google.com, it works.  Yahoo messenger works, my gmail notifier works, but all websites will start redirecting when using port 80.  I've shut off the redirect per the tutorial above, but that just makes it redirect to 192.168.1.254 when having its "issues."  The only workaround I have is using a public proxy server when it's acting up.

I have already done nsh. After that it shows up as axis something(not at my computer) but for  I can not change anything

@Levi You have to get to `nsh` first. See the section surrounding the "fixing common problems" header

when i type in the upnp or redirect code it simply says "usge: set OBJ.ITEM VALUE" WHY!!

Never mind i got connected but how do i enable upnp?

@Earlz i enabled telnet on my pc but i cant seem to figure out how to connect to my router using telnet can someone help?

@Earlz how do i connect using telnet?

You pretty much described my highschool experience as well!  Haha!

Thanks for the great work, I FINALLY got rid of the stupid redirect!

For those of you with modems on a different default ip (like me) here's what I did:
Copy the source code out of the page that enables telnet. Save, change the ipaddress, then launch the page. 
Maybe for future users, the page can be modified so that a user can enter the ip as a field as well.

Thanks you...

I am interesting in anyone's results with Static IP also.
I would love to use true bridge mode with this thing as I use PfSense but can't afford too much down time for trial and error.
Also do we have any way to make it ignore any firmware upgrades? My worry is we set this thing up, get it working great finally and a firmware upgrade jacks it up and locks telnet out but for now static IP true bridge would be great!

Hahahaha, Ginger!

This is legit Jordan I like it bro. Don't listen to the douchbag dissing.

@dotmatrix Yea.... I have no idea? I would think it should *just* work if you manually configure your router behind bridge mode to use the static IPs. you might make sure your gateway and netmask is correct. I remember having some problem at some point with AT&T handing out a gateway which fell outside of the netmask, thus requiring me to manually override the netmask. 

Not sure if that applies in this case though unfortunately. I've never had experience with their static IP support

Thank you for the information! I was able to follow your directions to enable true bridge mode, but now I can't seem to figure out how to use my static public IP addresses assigned by AT&T. I am currently using DD-WRT on my router. If I enable the router to use DHCP to configure its IP, it is assigned a random public IP. I can use a traceroute to get my gateway IP. If I use this gateway IP and my private IP I was assigned, nothing works. If I connect the router to LAN 2- LAN 4 and use DHCP in DD-WRT I get a private IP from the NVG510 and everything works. I was assigned 4 static IP addresses. I can't seem to get Uverse Tech support to help me understand how my static IP works. 

Hey Earlz,
Whats the best way to turn the nvg510 into a switch, I managed to do it by disabling the dhcp server and giving it an ip address outside of the main routers ip range. Is this enough? should i disable the firewall and is it possible to disable the broadband light it keeps flashing red. Thank you for all your time and work on this project, take care.

Once upon a time I was messing around in Photoshop and found this obscure WBMP format. It turns out that it's a very simple monochrome image format originally designed for mobile phones. I bet it'd work well for you. https://en.wikipedia.org/wiki/WBMP

THANK YOU FOR THIS

THANK YOU FOR THIS

just a test

That'd be hash cash. Good idea, but vulnerable to botnets. 

@Mattkilla this WILL NOT help. If you're getting a crappy connection speed, 99% of the time it's AT&T and it's infrastructure's fault. (for instance, paper wrapped wires that were first installed in the 40s is not going to be capable of a good connection) 

so just to clarify turning on telnet does what? and true bridge mode would be beneficial to whom? im trying to tweak my modem to allow a higher access speed to each individual device. I never get close to what i pay for. was just wondering if someone could explain these few things in lay-mans terms

To enable WAN ping response, from the initial command shell type:
configure
conn
set
"WAN" (w/o the quotes)
hit return on everything except "icmp-echo-drop"
type "off" (w/o quotes) when you get to this point.
return on everthing else
type validate
type save
your modem should now respond to pings from the WAN port

Nevermind I figured it out. My router was on port 4 instead of 1, doh! What ends up happening that if you put your router on another port after putting it in true bridge mode, it detects the router and overwrites your changes. I've turned off the DHCP server in the modem to prevent this in the future, should I inadvertently use the wrong port again.

Thanks for the info, Earlz!
I am having a problem where I can put the router in true bridge mode, but it reverts back to non-bridged mode after a few days. Telnet still works, I just have to redo the commands. Have you or anyone else noticed this? Is there any fix? I am doing both save and apply.

figured it out lol 

@Earlz or who can help. Thanks you all for the information here!
help with #nine and any other useful information for a real newbie would be greatly
appreciated.
  
quote 9.Now you should be able to login to the modem with telnet.
 The username is admin and the password is your modem's "access code" 
that should be written on it.

I cant figure out how to access telnet on mac i go to teminal-new connection
 choose remote login (telnet)then i add http://192.168.1.254/cgi-bin/etherlan.ha
 to server-side box says server is found & i click connect and get back a message
that says this:

 http://192.168.1.254/cgi-bin/etherlan.ha: nodename nor servname provided,
 or not known
[Process completed]
i cant get passed this part thanks for any help.

ATT always for the shareholders not the customers
and there new plans for expansion are undiscribable.

If I go through with logging in > magic > ! > nsh i cant do anything.   However, if I just type magic it is already at the nsh prompt, and I have configured upnp and google's dns servers to be working working after reboots and everything. There is no apply command though, but after validate and save it seems to apply.

Great work.  Thanks!  I was able to log into the ssh server using "admin" and the device access code as the password.  I am running 9.0.6h2d21.  Since AT&T won't allow you to disable the DHCP server from the UI, I did it using the command line.  The DHCP server was giving me problems.  Even though we had it set to only give out 1 IP address, the other boxes using another DHCP server on the network would mysteriously end up with att.net as a domain search suffix and the router as the DNS server.  Hopefully this will solve the problem.

what do i do when i can't ajust my firewall because i don't have the access code required

Interesting! This is much more source code than they gave out when I first took a look at their source code archives. Last I checked, they only had the "OSS" download available. They appear to leave out some crucial parts such as DSL and VoIP support.. but with what they've given, I'd expect a usable image for routing could be made. Only real problem is there is no documentation on how to reflash the modem other than that it uses CFE somehow

wikidev?
http://www.wikidevi.com/wiki/Motorola_NVG510

Motorola is pleased to provide the open source software used in the NVG510 device!

Please note that this project is for distributing, discussing, and supporting the open source software we release. This site does not provide any SDKs nor general purpose developer support for the NVG510.
http://sourceforge.net/motorola-home/nvg510/home/Home/

Of interest to you, Earlz?
We are pleased to announce the Open Source redistribution for the NVG510 DSL CPE gateway product.
http://sourceforge.net/motorola-home/nvg510/news/2012/01/nvg510-open-source-redistribution/
http://sourceforge.net/projects/nvg510.motorola-home/files/README-NVG510.txt/download
http://sourceforge.net/projects/nvg510.motorola-home/files/
http://sourceforge.net/motorola-home/wiki/Projects/

HUGE thanks to Earlz for his hack and to Brother for the DNS-specific fix. I've had the DNS failure to resolve issue for over a year and it drove me bananas daily. I read the instructions and I was able to change the primary and secondary DNS of the NVG510 modem. I don't know if the settings will stick after a reboot or power cycle, but I do that maybe once every 3 months so it's no big deal. Anyway here's the exact command line syntax for other newbies like me:

login: admin
password: <number on your modem>
magic
!
nsh
You will need to login once more at the NSH prompt

Axis ############>
set ip.dns.proxy-enable off
set ip.dns.override-allowed on
set ip.dns.primary-address 208.67.222.220
set ip.dns.secondary-address 208.67.220.222
validate
apply
save

Open up a CMD prompt in Windows and type in "ipconfig /all"
You should now see that the primary and secondary DNS numbers have been changed to the OpenDNS servers.
Thanks again. You guys rock. I can't wait to try some of the other more obs

Yep, that did it.  Actually I just changed the IP of the modem (and the DHCP IPs), and the IP on my inside router.  Rooted the modem, changed the IPs back, and all is well.  Thanks much.

Hahaha... optimistic pessimism.  I love it.

Whelp, if I try, I will report back, either way it goes.  Be a shame to waste a decent wifi if it doesn't work out that way.

@Anonymous-- I have mine set to a different IP, and the hack doesn't work for me.  I think the page Earlz set up assumes the default IP when it sends the command to the modem.  You might try resetting the modem to default settings and then hit it with the hack.  

@dngrsone In theory it could work, but I haven't been successful in getting it to. Once you put it in bridge mode, the wireless is basically useless. However, you could MAYBE disable the DHCP server and then have a setup like `modem bridged-out -> router in -> router out -> modem non-bridged port` and I THINK that would work. No guarantees though. Worst case is it'll reset everything to defaults when it crashes

No, it didn't come set that way, I assume it would revert back to 192.168.1.254.  I changed it because that's how my previous network was setup when I switched ISPs, and it made it easier to change over.  I could change it back to the default if that's necessary, but then I will have to change the config of the router that sits behind it.  I'll do that if I have to, just checking to see if that is the issue before making the changes.

If I put my NVG510 into true bridge mode (to use with a Smoothwall Express firewall), would I be able to use the NVG510's wifi from behind the firewall (like, route the Protected LAN into lan2)? 

@Anonymous did your modem come shipped that way? Like if you do a factory reset does it reset it to 192.168.1.254?

This doesn't seem to work for me, but I also have my NVG510 assigned as 192.168.0.1 - is that messing up the control page?

As I noted at the beginning of the article, this is an open problem. It would appear that AT&T has hardcoded the DNS settings to be permanently non-configurable. I've heard of some hack with changing the DNS server's configuration file, but I don't imagine this being easy

Update.  Device was turned off overnight and the DNS settings reverted to the factory at&t dns setting.
Anyone know how to make it permanent?  Re-entered using the configure command in normal shell and it seemed
to behave the same.  The settings would stay there during a reboot, but if it was turned off, the settings would
go back to 0.0.0.0 for primary and secondary

To add to the previous Brother post.  Go to http://www.opendns.com/support/article/64 to test
the settings and the tests were all successful.  
I believe the DNS proxy setting (ip.dns.proxy-enable = on is the default) allows the device ie., router to allow name requests to be forwarded to the
ATT name servers. Turning that off and and setting open DNS servers allows the hosts on the network to recieve
those IP addresses via DHCP.  Well see what happens after a couple days to see if the settings hold.
Note:  The ip.dns override-allowed setting was 'ON' as the default.  I did not change that in the articel above
it shows it as off.  Not sure why but, it works for me with it ON.

Didn't know it could be easy... when you know a few secrets. Saved me running out and getting another router!

A BIG thanks to EARLZ for pointing us all in the right direction.  Would never have done it without your help.

"ipconfig /all" now shows Open DNS name servers.

My brother figured out the DNS changes.  He changed the proxy setting to "Off", Then he set an IP for the primary and Secondary setting, then applied, saved, then rebooted.  And it worked. The override was already set to "On". "iponfig /all" now show Open DNS name servers.

My brother figured out the DNS changes.  He changed the proxy setting to Off, The set an IP for the primary and Secondary setting, the applied, saved, then reboot.  And it worked. The override was already set to on. IP config now has the open DNS ips.

@Anonymous oooohhh... That sounds scary :( I have no way of verifying, but it sounds like the remote vulnerability might not exist in your firmware version(ie, it was patched). Email me at earlz @ this domain name(earlz.net) and I'll try to work out what's happening. 

When I press "Save" on the complete_control page, I get redirected to my router configuration page, but it says:

"Address must not be on network (10.x.x.x)"

=/

@Sean normal DHCP. It's definitely NOT PPPoE. If you need a username and password for it, you chose the wrong one. 

Once the TrueBridgeMode has been able, what connection type would then be chosen in my Asus router? PPPoE or normal DHCP?

Thank you so much for this!

@Whit I ended up compiling this as well at the same time, but for whatever reason didn't mention it here. Just go to https://github.com/arduino/Arduino/tree/master/libraries/Wire and copy the makefile above and make modifications to link to Wire.c and twi.c

Thanks! I was looking for something this simple without using the Arduino IDE. 
My problem now is that there is no wire library (i.e. "Wire.h" not found). Is there away to include this in the build above?

@Toao, very good point! I hadn't thought about that. I'll add a note to the article

Thought I should note, that for those having trouble with bridge mode after hitting apply, make sure you are configuring the modem via port 2,3,4 and NOT doing it on port 1, as when you hit apply port 1 will drop the telnet connection and begin the bridge to ATT. YOU MUST do the configuration while on lan port 2,3, or 4 so that you can SAVE or your configuration will NOT be persistent (it will reset every time the router turns off and you will lose bridge mode). I did this bridge mode last night and when I rebooted my Cisco router I lost all configuration and my router was DHCP'd a private net IP instead of the precious REAL internet IP I had earned.... lol

Thanks for doing this. I think just putting the thing in bridge mode is going to solve my issues. I am now able, from the outside world, to pull up a web page hosted on my test machine behind the nvg510, just got to figure out why rdp and ping are not working yet.

I am a biology researcher, i have some data i want to cluster analysis by SOM method would you help me in this regards
my mail id is satish.tadikamalla@gmail.com

Thanks in advance  

I'm little confused with the lines of code:

set link[1].port-vlan.ports "lan-2 lan-3 lan-4"
set link[2].port-vlan.ports lan-1

So after I do this, which port do I have to connect my router to?
Thank you Earlz you are genious!

Earl,

Thank you soooo much.  I could not get my Slingbox with the NVG510 until I read your article and enabled
UPnP.  Now it works great.

It depends... define "static". If you put your NVG510 in bridge mode, then your router has to handle all of this. So, if you get a static IP from AT&T, your router has to be configured to use that static IP. 

I really want put my NVG510 into "true-bridge" mode.
Can I apply the same method for a STATIC IP instead of dynamic?

I tried your instructions for the bridge mode and while it works, for some reason, the Broadband Status page of the NVG510 still showed the device as getting a valid public IP address and from the shell I could actually ping out to the public internet.

Once you enable ssh, you can log in with the user "admin" and password set to your device access code.

@Anonymous re: motopia, it looks like it's included in the source available here http://sourceforge.net/projects/nvg510.motorola-home/files/NVG510-OSS-1.0/NVG510-OSS-1.0.tar.bz2

@Tony hmm that's odd. Have you tried doing a factory reset and then following the bridge mode instructions? 

Cant seem to follow the true bridge guide. Modem locks up after doing "apply" after entering the two set commands.

Do I have to do a reset on NVG510 before turn it to True Bridge Mode? Currently, I am using IP-Passthrough Mode.

@Earlz 
Well, lets say I buy another nvg510 and register it with my service will that change my pubic ip 
address given that the mac address is different?

@Anonymous: I assume you mean your public IP address. And probably not. If AT&T is even mildly competent, their servers won't allow this. However, changing manufacturer tied values and such may induce something like this. I'll warn you that this is one of those things AT&T will notice though and that probably voids your service agreement

Is there anyway I can change my ip address with the root access? 

@Anonymous: It is indeed more complicated than just statewide. Apparently the NVG510 is used where there is 
U-Verse internet and phone, but not TV. (and using VDSL, not fiber to the home/node)

Also, you should watch out for patents with that technique. I think AT&T thought of it first! 

Regarding the modem in Ohio:

I am in Columbus and just recently (this month, December) started using Uverse, and they sent an NVG510.  So apparently it's more complicated than just statewide Ohio=3800HGV.

Anyway, I don't know how this can even be legal, the pure shittiness of the NVG510.  Isn't this why we have consumer regulatory agencies and stuff?  Hey, I have an idea how to make lots of money, I'll offer people high-speed internet with a one-year contract, but instead of actually providing them internet or anything like that I'll just send them a brick and tell them it's a modem!

@Technobabe: I have no idea. First off, I'd make sure that it's really the NVG510. Plug a different computer to it and see if you have the same problem. If so, then see if wireless has the same latency issue. Beyond that, as a last resort you might want to try my true bridge mode to use your own router. This gets the NVG510 completely out of the way and lets your router do what it was made for.. routing. 

Wow, Earlz, this is awesome! So nice to be able to CONTROL this bloody thing! I am having a strange problem with the NVG510, and I was wondering if you can point he in a useful direction to fix it. I have an NVG510 with a 3-bit subnet and a Linux server with an Intel eepro100 network card wired into the NVG510. When I fire up the NVG510 and plug nothing into it, the ping responses are at about 50ms. As soon as I plug my Linux server into it, the ping response time bounces all over the place - anywhere from 50ms to 600ms, although mostly in the 150-200ms range! The SMARMY AT&T tech told me that I have a "network configuration issue" and AT&T doesn't work on that. So, I went thru EVERY networking setting on both the server and the NVG510 at least 3 times, and I can see nothing that would cause this. Any ideas? Since I had AT&T replace the NVG510 and got the 50%+ packet failure down to consistently under 5%, the thru put is good, but why not get every bit of speed I can get? Thanks for any insight you can provid

@Anonymous it does enable UPnP at least partially. The only thing I use UPnP for is so multiple XBoxs can have an open NAT type and this did the trick with 2 Xboxs... however, I set this up for one of my friends who has anywhere from 3-6 setup at a time and only 1 ended up with an open NAT type. Not sure if that's a limitation of xbox live, only having a single IP, or if this modem doesn't have a good UPnP implementation

Can confirm that the uPnP option does indeed enable uPnP.

@Occam, highly doubtful. If I ever get U-Verse again, I can try my best to root it though. (Moved to Ohio and they told me I can't use the two NVG510 modems I already have of course. ugh, but apparently the modem up here is the 3800HGV) 

However, I've heard that the 3800HGV modem is much more sane than the NVG510, including being able to collect interesting things like precise line statistics and charts. 

Heh, I also tried it with a bit of Sirancha. That gave it some definite spice. But yea, at the least you need some garlic though. 

Will this work with the 3800HGV-B?

I just tried something similar after reading this. I didn't have garlic salt or ground ginger, though. I'm not a fan of pepper either, so I didn't add that. I cooked about a cup and a half in a tablespoon of vegetable oil, threw in some soy sauce and then chili powder (gives it a slight taste of spicyness) and a pinch of salt. Still tasted pretty amazing, but not as many flavours as yours! I'm going to have to get some more spices and herbs here to add some more flavour to meals. Delicious!

@MG that's exactly what I did. This particular exploit could've been found though without having the source code to the web application, but without access to the `nsh` shell and list of template configuration options, I wouldn't have been able to know what to change the form value to in order to enable telnet. 

Hi, I really liked your articles even if I don't own that kind of router. I've always wondered, how did you manage to get to the exploit? My guess is that you opened the source of a web page that allows you to edit some useless setting, via the standard UI or by downloading the page using the serial port stuff, then see how the post was made and then replicate the request mechanism with a different option name (like "mgmt.shell.telnet-port") and different value.
Am I correct? Am I missing something?
Thanks, and great job anyway.

@Geeknik you shouldn't have any problems. You'll just have to make sure that your router properly handles the static IPs. You may have to manually set the IP(s) of your router in order to get it to work. I'm not for sure if AT&T directly passes down a static IP from their DHCP servers

@Anonymous I don't believe it's DNS enforcement. There is a management port open on the modem(to the public), but I can't get at the password. Tried brute forcing it, but didn't get anywhere. Also, by doing the true-bridge mode, this management port gets closed. With true bridge mode the modem literally does not think it's even connected to the internet. I don't believe updates or anything will be received in bridge mode. 

Protip from someone who's dealt with similar bullshit from a Verizon-provided router: the DNS configuration and other settings may be being remotely enforced by a backdoor web configuration interface, or possibly just the remote management interface over the DSL line. In the Verizon configuration, the reason for opening a backdoor to router management was, as far as I could tell, for Verizon support requests from people who don't know what a router is and because certain services required opening ports to communicate with some of the cable TV services behind the coax part of the network, and they wanted to force auto configuration (look up MoCA if you're interested). Of course it's a gaping security hole (I could access it from anywhere on the Internet).
Point is, if you're lucky and it turns out DNS enforcement cannot be done over the DSL management interface, you may be able to stop the DNS behavior by disabling that remote management feature / port in the firmware (or adding firewall rules to prevent it f

I have static IPs, will putting them into 'bridge' mode cause any problems here?

What I don't get is if everything works as expected, 
why would you want to do this?

It's been so long since I've touched that code. I have no idea how it worked. I never could get the whole processor to synchronize with memory correctly. Like I said, look at the revision history. If I recall correctly, the last revision I committed was massively broken

can you explain the core_tb.vhdl??
how to get the memoryaddress? ~~how it changes? THX

@Anonymous I'm not sure. You might try running an older revision. It never did get completed because it had some bug I spent over a month trying to figure out

Earlz - Thank you so much for the hard work you have put in.  I have one HUGE issue with this modem.  I called ATT and they informed me I needed to buy Static IP's for this to work!!!  huh???  I have 5 devices that I need port forwarding for.  I set them all up in the modem, no issue.  But the ports never open.  Only the first two, 81 and 82.  I have about gone blind looking at all of the settings.  I see no restrictions.  Can you or anyone else help me find the control to open more than 2 ports??  Please feel free to email me at choices@hotmail.com

HI, recently ! I have been studying your project TINY CPU~~in the file memory.vhd I think there are some
mistakes there so that I got error when I run the testbench!!Can you help me check it out~~THX 

Don't worry it's on my todo list :) It's actually a fairly high priority for me (I planned to get it done before I rebranded my site, but it didn't make the cut). So, it will probably be implemented in a month or two

Your blog is missing an RSS feed so I can't subscribe to it :(

@Anonymous I'm not sure. I suspect there might be a way to do the bridging and then configure one of the unused ethernet ports so that you can hook another ethernet cable from your modem to your router (ie, the modem will be on your LAN, but not be the router). 

This is a much worse problem than just doing port forwarding. Doing the bridge mode described here makes the modem so it can't access the internet directly. I suspect it's possible to work around, but I have no idea how to do it. 

Long story short: I've been too busy to bother updating this(ie, recreating the image). After I get this website "rebranded" (moving to earlz.net), I may have more optimistic news 

:-(

Everything working great. Set to bridge to Netgear and is working great. Thanks! Only problem is now my AT&T Voip line quit working. Is there anything I can do about this? Is there a certain port that needs to be forwarded or something? Right now the NVG510 has a reg phone jack output on it and I just plug my phone straight in it and it worked, but now there is no dial tone. Any thoughts? Can we port forward a an port on netgear back to nvg510 somehow, or change a setting via telnet, or port forward to a lan port on netgear then plug phone to that port (with adapter), etc? Any help would be appreciated. Thanks!

well, found this blog after banging my head against my keyboard (waiting for a 2gb download from dreamspark).

Remaining time 2h, strange thing is 2h ago it also was 2h...
Use to have msdnaa (at least I think it was called that 2 years ago), never had problems with that.

Yep, they basically say "hey where going to give you really bad legitimate access to our software so that you consider 'why am I not just pirating this'"

I thought there's a problem with my connection, it was horribly slow. Thanks for informing. They simply force people to get the software from somewhere else.

@Anonymous I don't know. There have been numerous reports from others about this problem but no one has seemed to find a solution yet. I don't use this modem anymore (switched to Cable), so I don't update any of this anymore. If anyone can figure it out though, I'll definitely publish a link to it. 

Thanks for this great help! I changed the dns servers but they are randomly being changed back. I assume is because I have dynamic IP or any time router is rebooted. I tried "override", but didn't work. I also set "dns proxy-enable" to off. But when I did this, I could no longer use the internet. Any help on how to get NVG510 to "hold" on to the DNS servers I input for good without changing back to att? Can I change DNS from DHCP?

@Anonymous you must get to the "nsh" shell. Type in `magic`<enter> and then `!`<enter> and then `nsh`<enter> and you'll get to the shell discussed here. 

Followed instructions.  Was able to get into the modem - but "help" didn't look anything like above.  No validate, save, etc.

Different version of the hardware perhaps?

Hello, I saw Anonymous had issues with not being able to ping this modem from the outside. I have the same problem. All I need to do is be able to ping its public IP to know that its up.

thanks you are the best----- as change XDSL password and user of company  

Fascinating project, with loads of potential.  Reminiscent of Gates and Jobs back when they were just hacker geeks like the rest of us.

@topher(heh use to know a friend way back when that went by that alias). It already does this. AT&T probably just happens to give you the same IP address every time. You can't "force" AT&T to give you a different IP. The only thing you could maybe do is use MAC spoofing to make AT&T "think" that you're a different client. I don't think that's physically possible with this modem though, even rooted(nor possible with DSL even?). 

I'm blown away by how you managed to unlock the full potential of what was in my opinion, a kids toy.
Really great job exploiting this gaping hole in security, Motorola should be ashamed.

Perhaps you could help me, I'm trying to set the router to renew its dhcp lease every time its rebooted.
I would like the router to receive a different IP address from ATT. Is this even possible and if so how?

Absolutely bloody amazing sir. Unlocked the full potential of this assumed-to-be-POS that I have been using for months with an hourly trip to the world of cgi-bin. But no more. I am grateful on a level you will never know. VPN access is difficult when you can't keep up a connection. I should not have to tether to my phone or use my broadband card sitting in my own living room! Thank you sir! 

Hello. Any news? Hash file? The download problem? Please...?

@thinkdiff heh, forgot about this WIP page. That actually is extremely simple. Where did you enter these commands from?

Hey - thanks for your work on the NVG510 so far, very helpful!

I tried to get bridge mode working on my NVG510 tonight. It seems a simple "brctrl delif br1 eth0.16 ; brctrl addif br2 eth0.16" did the trick. Is this also how you did it?

Glad I could help. This problem is EXACTLY why I set out to discover a "true" bridge mode, the passthrough
thing kept magically breaking(I'd have to reconfigure it every week or two). After getting kicked
off of xbox live yet again because of it I decided I'd had enough and went to unscrewing things

About a week ago, passthrough suddenly stopped working for me. The amount of time I poured into getting the NVG and my router to play nice is shameful. "Broken" doesn't even begin to describe just how useless this thing is because of how they chose to cripple it... worst of all, it's not even heavy enough to properly hold a door open or be a boat anchor.

Using the description above, instead of entering into shell mode, I executed 'configure', navigated to the named "LAN" and "WAN" links and was able to change the assigned vlan ports right from the command line and restart. 

Within seconds, it was obvious that all of this 'value add' was the source of wasting my time day and night for a week when all I truly needed was a real bridge mode. Moving to real bridge mode solved every single network issue I was seeing. Thanks for making this post. I had no idea what I was going to try next short of change carriers given that I rely on my broadband connection to make a living.

I'm unable to get my NVG510 to respond to ICMP/ping requests over WAN from the internet. Suggestions?

I can provide a hash file easily enough.

For the ungzipping error, I'll have to look into that. 

Well, look at this:

$lub>/x/m/i/OpenBSD> gunzip openbsd_51_i386_1g.img.gz 

gzip: openbsd_51_i386_1g.img.gz: unexpected end of file

Downloaded it twice, same error.

Thank you, that's very kind of you. But how about an MD5 or SHA hash file?

figured it out lol thanks :)

it says my database is dirty and wont allow me to save when i set mgmt.upnp.enable to on.

@Newbie Hi! The included unix utilities for the NVG510 is a bit.. sparse. I believe the only way to edit files on the device is to use `cat` and output redirection. However, if you value your sanity, you won't do that :P 

What I did to edit files is setup a TFTP server on my network and then use the included TFTP client on the modem to upload and download files. This is probably the easiest option. I've gotten a tip from elsewhere about some people compiling a less-restricted Busybox for the modem and then uploading it via TFTP. 

I followed the foregoing instructions and was able to get to the root via "magic" then "!".  I can both Telnet & SSH into the root.  I'm totally new to Linux and have been researching UNIX/Linux commands on Google.  However, I can not seem to figure out how to edit /etc/dnsmasq.conf or /var/etc/dnsmasq.conf.  Under either directory, whenever I enter vi /etc/dnsmasq.conf or vi /var/etc/dnsmasq.conf both Telnet & SSH return "/bin/sh: vi: not found".

I've also tried the commands edit; ed; ex w/the same results, e.g. "/bin/sh: ex: not found".

Any ideas on what I'm missing or doing wrong?

Great work 

Heh, that's US carriers for you

Cool. Add SD-Card and a possibility to launch programms from that. You'll have sth. like an old dos/linux.

Your phone plan is so expensive ! 'can't believe it...
In france, you get 3Gb/months, plus free MMS/SMS and calls accross all europe for 19.99€/month...

@zoobab what do you mean? all of the pins are still there for UARTs or GPIOs. Or if you mean using the mbed as a "graphics processor" to hook up to your router, I'm sure it's possible, in fact, it shouldn't even be too difficult. 

@Anonymous The CPU speed is bumped to 100MHz. As for CPU time, I'd estimate somewhere between 25% and 50%. I have no idea how much really though. I can just say I don't notice anything awfully slow. For instance, drawing the hackaday picture one pixel at a time in nested loop is instantaneous, so while it will programs some, I don't imagine anything too noticeable. 

What clock speed are you running at, and what percentage of CPU time (ballpark) does it take to display VGA video?

Any idea if it would be possible to connect that to a serial port, like the one of an openwrt router at 3.3v TTL?

@Tom thanks! It still has a lot of work to be done, but I think it's good enough to tell people about it :) 

Heh, also, I'm kind of surprised my website is handling the load so well. CPU usage has only spiked by about 2% more since being published

Incredible !!!! Realllly a good work ! 

Ah well thx for the info and the exploit never the less. I am using your suggestion to forward the wan side to lan port 1 and it works flawless. I also saw your post on openWRT forum, even though no replys to it hopefully someone will figure out how to run openwrt on it!

Hi, that's great work. I'm wondering what is the process or how did you find out about this loophole. I would like to learn the process. Thank you so much.

@Johnny Unfortunately, no. I'm sure it's possible, but I don't have U-Verse anymore so I haven't looked into it further

Hey thanks for the info man. Any idea how to add static DHCP leases?

ah yes.... I read up to the ! and missed the next paragraph about nsh.... time to get my eyes checked :)

@create: Yes, I believe this is documented on the remote exploit page. And as for QoS, before I switched ISPs
and stopped working on it, I was trying to figure out how to prioritize certain traffic. 

It looks like it has the ability to prioritize, but it's not documented at all. 

I was successful at using the remote exploit.  Thanks!  One thing to add though is that the telnet console logs you in to a Netopia OS which is different than the above shell.  To be able to do the configuration things you describe I had to do:
magic
!
nsh

And then log in again.
Anyone figured out how to do QoS with this thing?

@Anonymous: Hmm.. that's odd. Make sure you get the username/password prompt in your telnet client. And if all else fails, try doing a factory reset, then redoing the remote-exploit and try to login again. 

Hello, I enabled remote telnet access. But can't access via any number of username/password combos. Any idea where to look?

test

After reading rbeam's comment, I'm confused as to whether changing these values bridge it or not?
set link[1].port-vlan.ports "lan-2 lan-3 lan-4" 
set link[2].port-vlan.ports lan-1

@Earlz, i take that back. looks like they are taking the rather unusual step of whitelisting the ip (or port or something) origin of a valid login, rather than using session cookies.. which fooled me

@Earlz, are you sure about that? i grabbed a nonce from diag.ha which is not secured.. and ran a curl post with that nonce and successfully changed some arbitrary config value.. but i'll definitely try again to make sure i didn't taint my test in any way

@Anonymous, I think there is something other than the `nonce` used for the authentication. And the modem ethernet configuration page will check to make sure the admin is authenticated before allowing us to post exploited values to it. So I suspect this isn't too much of a security concern

notice that you can grab the nonce from even some non-password-protected pages like /cgi-bin/diag.ha.. so i guess you dont even need to know the password to take control of the router :)

Testing.. 

@Anonymous. About the DNS problems. I know about this, but I don't see any easy solutions so far. 

How can I get the router to stop overriding my changes to the dns server?
Tired of having to go in again and again to change my nameserver back to google/opendns
I already tried the ip.dns.override-allowed option and that didn't stop it.

Question how do i stop the redirect error from happening?

@Anonymous Well, that stupid redirect page bugged me non-stop. It'd appear out of the blue sometimes without even a power failure. One time it did it, kicked me off XBox Live for no reason and I decided the fight was on. I have 2 modems anyway, might as well open one up. So, I opened it, got to the serial port.. and eventually ended up looking at the source code for the Web Interface and found a vulnerability. I had quite a few friends that had the same modem and same problems, so I documented it hoping to help everyone with this crappy modem. AT&T doesn't seem likely to ever patch their horrible firmware and don't care at all about how poorly it's designed.. Hopefully this trend continues because this exploit would be really easy to patch, and I believe it's the only one that exists 

I wanted to say Thanks You for studying this device and sharing your findings.

Because of you I was able to disable that god awful redirect page.  It's a shame AT&T has this modem so jacked up and worse they don't seem to care.

Anyway,  Thanks again.

@Anonymous(1) heh good point there.

When I override the DNS settings and set override-allow to on, my settings are still overwritten by ATT's dhcp settings for some reason.  Any ideas?  Thanks for your awesome guides.  It's the best resource on the entire internet for this  piece of hardware.

Not sure if it will work for you, but on your complete_control page you are posting to ethconfig.ha or something like that.  I made it work by changing your form to post to etherlan.ha.  Maybe they had an update?

@bushing I believe your problem was probably the pullup resistors. They gave me problems and I ended up having to desolder them(there is a way to get around it without desoldering though)

That's kind of what I thought sdump was but I wasn't sure

Just found this -- nice work!  I've been waiting for this for a long time, I hate this modem, and I seem to have wired up my serial TX line incorrectly (it never responded to any bytes from me).

re sdump v dump -- sdump dumps "status", i.e. constantly-updated things like ethernet frame errors.  dump dumps the actual configuration info.

This worked like charm. I used chrome browser. I used chromes built in capability to 'inspect element' (available via right click on any web page) to edit the values as suggested. Now I am able to telnet in to the device. Thank you very much for the articles.

@rbeam ah, I wasn't aware of that. I still am unfamiliar with how U-Verse works, technically. 

Nothing about Uverse is PPP.  PTM is "ethernet" (mac encapsulated) over the DSL layer -- vs. ATM in legacy DSL.  "vc-1" means "virtual circuit 1"; ptm doesn't have vc's, so that's why removing vc-1 doesn't break anything.

@dooleyr send me an email @ earlz -at- this domain(lastyearswishes.com). Make sure you copy the `nonce` value and then DO NOT load any other page on the modem until after you use the exploit page

Is there something that I am missing.  Every time i try this it takes be back to the home page instead of the changes saved page

The open source firmware release isn't complete enough to build a firmware image. It's missing the proprietary `Motopia` module which appears to actually make everything work

nvm. just saw your reference to the GPL sources above and read your other article about the web ui vulnerability! good work! what a gaping hole!

have you seen the 'open source' firmware release at:
http://sourceforge.net/motorola/nvg510/home/Home/

even if that actually does build a flashable image, i'd be too afraid to flash it. any thoughts?

I didn't apply. Though I'm considering deleting this post as I feel it's a bit too harsh. 

Hey, sorry about the bad formatting of your comment. I guess that's a comment bug I missed in testing.

Anyway, I saw residential, but tried and it didn't like it much. It broke out quite a few more options, but
is still missing some basics like DNS nameserver changing. 

Also, thanks for updating that wiki. I wasn't for sure if this information really belonged there or not.
I did not even think of using that method to get files off of the modem! I instead opted to use the tftp client on the modem. 

Hopefully we can get more people taking control of this modem and posting their own tricks. 
One of the odd things I thought about it was that it supports having 4 different wireless networks.

Also, I believe the modem has USB support on the processor, but not all of the support hardware for it, as I don't see any pinout for it.  

I'm glad you are digging into this modem and found this! I'd looked through the config stuff but missed the redirect disable option.

From the contents of /www/residential, it looks like either the software was designed for of devices, or this device is capable of supporting USB devices and DLNA.

I added info to wikidevi about grabbing data from the device, such as /www/*.

So you didn't get the job...?

Testing... ?

Just making sure I didn't screw it up :)