Motorola NVG510 Reverse Engineering Information

Go to this page unless you want to do some soldering onto your modem. This page is only here now for historical reasons.


This information is still a work in progress, and if it doesn't work, fries your modem, or kills your dog, don't blame me just because you listened to a random blog on the internet. USE AT YOUR OWN RISK.

Rooting It with the WebUI: There is a way to root the modem without opening it up and soldering on it. See If you don't want to solder onto your modem, use this. In fact, unless you plan on opening the device up or doing some real hacking, everything should be located there. Again goto

Update: A true bridge mode I believe has been found. Scroll to the bottom for more.

Big Update: A way to the root shell has been found. At the serial console shell, all that must be entered is ! and it'll take you there.


Hopefully, you reached this web page because you are like me: tired of the shitty NVG510 modem that you can't do anything about because of AT&T. Well, if you have a bit of electronics know-how and are comfortable with a command line, you can make your modem actually pretty decent. I happened to have an extra one of these things (though both work on my U-Verse account), so I decided what better way to put it to use than to tear it apart. That said, I'm fairly surprised I didn't fry it in some way. You might not be that lucky. Be prepared to buy a new one if things don't work out.

The Basics

The FCC manual should be the first step in understanding the operation of the NVG510. It can be found at this website

To get access to the described console in the manual however, I'm 99% sure that you must open it up. I've yet to find anything that would allow me to enable the console on an unopened modem.

To open it up, on the underside there are 4 rubber/felt pads. Remove those and under two of them there will be screws. Remove the screws and it should open up fairly easily.

The Serial Port

Now take a look at the circuit board. As you can see, there are plenty of things to modify. There are plug-ins for an external wifi antenna as well as a possible JTAG connector that is unpopulated. You should now look for 4 unpopulated pins labeled "J10". This is a 3.3V/TTL serial port. The square hole is Ground, the hole next to it is 3.3V. The hole next to power is TX and next to that is RX.

Those four holes ended up being fairly difficult to desolder for me. The RX and TX luckily are quite easy to desolder and insert pin headers into, and luckily are all you need. I also soldered a wire into GND, though not properly. Soldering the GND wire is very difficult because it's connected to a fairly large ground plane and I couldn't get it hot enough for all of the solder to melt at one time, so I just (improperly) added some solder to the top of it and stuck in a wire. It's worth it to try reading from the serial port now.

To hook this up to your computer you'll need a proper 3.3V serial cable. Computers natively use 5V serial ports, so they must be level shifted. Also, if you're going to hand-make this cable, you'll need to use an isolator. Or, if you're feeling extra ambitious (like I was), you can connect a grounded supply up to it. I managed this by using a PC power supply. I connected GND to the negative terminal, and 12V (yellow) to the positive terminal. I soldered wires straight to the PCB, but a barrel jack that fits would have been a lot more proper.

Also, the way I accomplished the serial port bit was to just use an FPGA I had lying around. My FPGA has a USB-Serial FTDI built in, so all I had to do was make a quick VHDL design like so:

ExtTX <= PCRX;
PCTX <= ExtRX;

And then it did all the heavy lifting, and my FPGA works off of 3.3V already, so it did the level shifting for me.

Now, at first I had a problem in that I never received data from the serial port. I ended up finding a 10K pull up resistor on both RX and TX that I had to remove and then create a solder bridge over. If you're having problems getting any data from the modem, desoldering is worth a try. They are just right of the 4 pins, and are easy to trace out to make sure you got the right two. They are extremely tiny though. Remember, flux is your friend.

The serial port on the modem uses 57600bps, 8-bit data, and 1 stop bit. That information I got from wikidevi.

So I simply did

$ screen /dev/ttyUSB1
$ sudo stty -F /dev/ttyUSB1 57600 cs8 -cstopb

Where ttyUSB1 is the USB serial port provided by my FPGA FTDI.

Now, you should be able to turn on the modem and see its boot log and dmesg. After that press Enter in the console and it should pop up something like


The Console

This console is actually fairly simple and easy to use, and breaks out everything that you can configure on the modem. But, it is not the console described in the FCC manual.

This is the help text:

Axis/124578433> help
help [command]                 : Get help.
history                        : Show command history.
get OBJ.ITEM                   : Get the value of OBJ.ITEM (ITEM is a
                                 parameter or status). ### Hint: run 'info
                                 OBJ.params' or 'info OBJ.status' to get a
                                 list of the OBJ's parameters and status.
set OBJ.ITEM VALUE             : Set the value of OBJ.ITEM to VALUE.
info INFO [ARGS ...]           : Get the INFO information (expert mode).
new OBJ [NAME]                 : Create an object with an (optional) name
                                 (requires an 'apply')
del OBJ                        : Delete an object (requires an 'apply')
aget OBJ.ITEM ATTR             : Get the OBJ.ITEM's ATTR attribute.
aset OBJ.ITEM ATTR VALUE       : Set the OBJ.ITEM's ATTR attribute to VALUE.
name OBJ [NAME]                : Get or set the OBJ's "name" (specify a new
                                 name to set it).
names [OBJ]                    : Recursively show all object names.
validate [OBJ]                 : Validate OBJ, or the entire database if no
                                 OBJ specified.
apply                          : Apply changes to the database (changes are
                                 NOT saved).
revert                         : Revert the database by discarding your
save                           : Save the database (rewrites config.xml).
defaults                       : Reset the system back to the factory
                                 defaults (deletes config.xml).
dump [OBJ [LEVELS]]            : Dumps the OBJ's parameters, or the entire
                                 database. Use the optional LEVELS parameter
                                 to limit the depth of the database tree.
sdump [OBJ [LEVELS]]           : Dumps the OBJ's status, or the entire
tdump [TEMPLATE [LEVELS]]      : Dumps the template, or the entire SDB schema.
dirty [OBJ]                    : Displays which parameters are dirty.
run CMD [ARGS ...]             : Run the SDB's CMD command (expert mode
event EVT [ARGS ...]           : Send the EVT (event number) to the SDB
                                 (expert mode only!).
console [on | off]             : Direct all log messages to this console.
                                 Without arguments, toggles on and off.
log [OPTIONS]                  : View log messages. See "log help" for more
voiplog [OPTIONS]              : View log messages. See "log help" for more
mfg [OPTIONS]                  : Set or view MFG parameters. See "mfg help"
                                 for more information.
mirror [PORT CAPTURE-PORT] | "off" : Mirror Ethernet traffic on PORT so that it
                                 may seen on CAPTURE-PORT. Specify "off" to
                                 turn mirroring off.
resetstats [OBJ] ["all"]       : Reset any statistics the object may have.
                                 The optional "all" argument will recursively
                                 reset all children's stats as well. If only
                                 "all" is given (OBJ is omitted), this will
                                 reset all statistics starting at the root
metadata OBJ.PARAM             : Returns metadata information about a given
fwinstall URL | "last"         : Install a firmware image. Use "last" to
                                 reuse the last URL.
crashdump ["erase"]            : Shows the most recent crash dump contents.
                                 The optional "erase" will erase both current
                                 and last saved crash dump contents.
reboot [N] | ["cancel"]        : Reboot the router in N seconds (default is
                                 2). "cancel" argument can be issued to
                                 cancel a previous reboot command.
source FILE                    : Read and process commands from FILE.
. FILE                         : An alias for 'source'.
exit                           : Exit from this shell.
quit                           : An alias for 'exit'.
magic                          : Enter magic mode.
crash                          : Read and Write the Memory mapped registers

Well, seems simple enough then doesn't it? I don't understand the difference in sdump and dump, but I don't think it matters too much.

What you probably want to do next is run mfg show and copy those values, then run dump and copy that text.

If you're new to screen, what you need to do is have defscrollback 10000 in your ~/.screenrc and then to copy the text, just push CTRL-A and then [. Then push space to get the first "mark" and then scroll up (with pg-up/up arrow) and press space again. After that, just do CTRL-A and then > and it will write what you just "copied" into /tmp/screen-exchange.

From there, you can easily browse all of the available configuration options.


As you can tell from the dump log, there are a ton of configuration options. Here I'll give you a hint to the more useful ones, as well as some configuration stuff to be aware of.

DNS problem fix:

ip.dns.domain-name             =
ip.dns.primary-address         =
ip.dns.secondary-address       =
ip.dns.proxy-enable            = on
ip.dns.override-allowed        = off

You should be able to change these to something more appropriate. override-allowed should be turned on (otherwise I believe they will be reset by DHCP over the DSL link).

So, let's say we want to set the primary name server to, google's sane primary name server. We would enter this at the command line:

set ip.dns.primary-address

Now if that's about all the configuration we want to do and we want to save our changes and make the modem notice them, we have to do a few commands:


You don't necessarily have to do validate, but I assume it's safer to use it. I believe that this is what happens:

  1. validate will validate the changes to make sure that no data was input in a way that wouldn't make sense (like if nameserver was set to 921.123.45.673)
  2. apply will actually cause the modem to notice the changes and begin executing using those changes you've made
  3. save will cause the changes you made to persist after reboot. I assume it saves it to flash with this command.

Enabling Telnet:            = 0         = 0

These you should change to what port you want it to run on. Note though that I've yet to figure out the username and password used for SSH. I've searched through both the dump and through the GPL source code and can't find any hints really.

So, to enable these you can just do something like

set 22
set 23

If you want to enable remote access to telnet and/or ssh (I highly recommend not opening up telnet to the world) you can modify these values to something appropriate:

mgmt.remoteaccess[3].protocol  = telnet
mgmt.remoteaccess[3].port      = 0    XX change this to 23
mgmt.remoteaccess[3].idle-timeout = 5
mgmt.remoteaccess[3].total-timeout = 20
mgmt.remoteaccess[3].max-clients = 4
mgmt.remoteaccess[4].protocol  = ssh
mgmt.remoteaccess[4].port      = 0     XX change this to 22
mgmt.remoteaccess[4].idle-timeout = 5
mgmt.remoteaccess[4].total-timeout = 20
mgmt.remoteaccess[4].max-clients = 4

Enabling UPnP:

I haven't confirmed this, but I believe UPnP can be enabled by changing this to on:

mgmt.upnp.enable               = off
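
A check for the remote-access and UPnP settings above, as an added example (not code from this post or from Motorola): it parses saved dump text and flags remote-access listeners with a non-zero port, and UPnP being on. The sample dump is constructed; treating port 0 as "listener off" and telnet/http as cleartext are assumptions.

```python
import re

# Constructed sample in the "key = value" layout of the modem's `dump` output.
# Telnet has been opened on 23 and UPnP switched on; SSH is left at port 0.
SAMPLE_DUMP = """\
mgmt.remoteaccess[3].protocol  = telnet
mgmt.remoteaccess[3].port      = 23
mgmt.remoteaccess[3].idle-timeout = 5
mgmt.remoteaccess[3].total-timeout = 20
mgmt.remoteaccess[3].max-clients = 4
mgmt.remoteaccess[4].protocol  = ssh
mgmt.remoteaccess[4].port      = 0
mgmt.remoteaccess[4].idle-timeout = 5
mgmt.remoteaccess[4].total-timeout = 20
mgmt.remoteaccess[4].max-clients = 4
mgmt.upnp.enable               = on
ip.dns.domain-name             =
"""

# [ \t]* rather than \s* so an empty value never swallows the following line.
LINE = re.compile(r"^([\w.\[\]-]+)[ \t]*=[ \t]*(.*)$", re.M)
ENTRY = re.compile(r"mgmt\.remoteaccess\[(\d+)\]\.([\w-]+)")
CLEARTEXT = {"telnet", "http"}  # assumption: protocols with no transport encryption


def parse_dump(text):
    """Turn dump text into {key: value}; empty values are kept as ''."""
    return {key: value.strip() for key, value in LINE.findall(text)}


def audit(cfg):
    """Return (severity, key, message) findings for exposed management services."""
    entries = {}
    for key, value in cfg.items():
        m = ENTRY.fullmatch(key)
        if m:
            entries.setdefault(int(m.group(1)), {})[m.group(2)] = value

    findings = []
    for idx in sorted(entries):
        entry = entries[idx]
        proto = entry.get("protocol", "?")
        port = entry.get("port", "0")
        if port == "0":
            continue  # assumption from the page: port 0 means the listener is off
        key = f"mgmt.remoteaccess[{idx}].port"
        if proto in CLEARTEXT:
            findings.append(("high", key,
                             f"{proto} reachable remotely on port {port}: login is sent unencrypted"))
        else:
            findings.append(("medium", key,
                             f"{proto} reachable remotely on port {port}: disable when not needed"))
    if cfg.get("mgmt.upnp.enable") == "on":
        findings.append(("medium", "mgmt.upnp.enable",
                         "UPnP on: LAN hosts may request inbound port mappings"))
    return findings


if __name__ == "__main__":
    for severity, key, message in audit(parse_dump(SAMPLE_DUMP)):
        print(f"[{severity}] {key}: {message}")
```

Feed it the text copied out of /tmp/screen-exchange after a dump to review a modem's current state before saving changes.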

Disabling "Potential connection issue" and "no connection" redirect loop crap:

mgmt.lan-redirect.enable       = on

Change it to off. lan-redirect is what causes that extremely annoying redirecting to happen when the connection is lost or "has possible problems". What the modem will do is, when you request a nameserver, instead of sending back no route, a timeout, or the actual name server's response, it will make every domain forward to, so that you can then load an HTML page that causes a redirect (but doesn't set it to do-not-cache) to /cgi-bin/home.ha... So basically, you click do not show, yet the page continues to try to redirect due to modern web browser caching and the lack of a no-cache directive on the redirect page.

Disabling the DHCP server:

conn[1].dhcps-enable           = on

Note that you'll have to configure a static connection to the modem to access it. I don't see much of a point in disabling it completely, as there is (still) no true bridge mode unfortunately.

Bridge mode discoveries:

There does not appear to be a straightforward PPPoE bridge mode, even with full control over the device. I believe there could be a way by doing some special stuff with the link configuration objects, but I don't see anything obvious so far.

Possible money saver

From this bootloader, you can change a lot of things AT&T probably would frown upon. Basically, you can make it look like another modem. I'm not 100% sure, but I believe 1 modem is tied to 1 account, making modems that are used worthless. I'm not sure about this though and will have to test it and research it more. I don't recommend changing anything in the mfg section.


The NVG510 is really a decent modem, but has been kiddie-proofed so hard that it hurts. I hope this guide helps you take full control of your modem. Also, I don't recommend trying to evade your U-Verse account's capabilities. I imagine AT&T won't care much if they catch you modifying your modem... they will care if you modified it to reach 16Mbit speeds when you only have a 3Mbit account though, and I'm sure they keep tabs on it. Don't be stupid.

Same goes for trying to boost wifi power or use channels not specified for use in your country.

True Bridge Mode

A very often wanted feature of the NVG510 is for it to just get out of your way and let your (hopefully more sane) router deal with all the firewall and NAT business. After quite a bit of experimenting and starting over with defaults and a bit of an accident, I believe I've figured it out.

Some of the values in the NVG510's configuration "database" appear to be magical, and lots of assumptions have to be made without real technical documentation. So, let's look at the link object that appears to be linked to WAN and LAN connections in an assumed manner.

Here is what was in my modem's dump about links. Yours should look similar:

link[1].type                   = ethernet
link[1].igmp-snooping          = off
link[1].mtu-override           = 0
link[1].port-vlan.ports        = lan-1 lan-2 lan-3 lan-4 ssid-1 ssid-2 ssid-3 ssid-4
link[1].port-vlan.priority     = 0
link[2].type                   = ethernet
link[2].mtu-override           = 0
link[2].supplicant.type        = eap-tls
link[2].supplicant.qos-marker  = AF1
link[2].supplicant.priority    = 0
link[2].port-vlan.ports        = vc-1
link[2].port-vlan.priority     = 0
link[2].tagged-vlan[1].ports   = ptm
link[2].tagged-vlan[1].vid     = 0
link[2].tagged-vlan[1].priority = 0

ptm is the PPP connection. So we basically want the PPP connection to be routed straight to an ethernet port so our router can handle it. So here is what I did:

set link[1].port-vlan.ports "lan-2 lan-3 lan-4"
set link[2].port-vlan.ports lan-1

The first command sets the LAN link so that only LAN ports 2-4 are used. The next command sets the link for the WAN side. Previously, the port was vc-1. I assume vc-1 is hardwired to magically go to the LAN somehow. Anyway, replacing vc-1 with lan-1 basically makes the equivalent of a PPP bridge.

On the router side, all you have to do is use that port and the modem will do all of the PPP authentication, and I assume MRU shifting to 1500. All your modem will get is a raw stream from AT&T's servers. So if you send it a DHCP client request, you'll get a response straight from AT&T's servers.

This is the only configuration required as well. This will short through all of the modem's crappy configuration and directly forward it to the first ethernet port (the one closest to the barrel jack power adapter).

And if for some odd reason you need to access the actual modem (such as for reconfiguration), just plug your network cable into another port. The built-in DHCP server runs just as before, except it will never be connected to the internet.
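
A way to review what the two set commands above change before running save, as an added example (not code from this post or from Motorola): it compares the link objects of a dump taken before and after, and reports which local ports now share a link with the WAN, which ports no longer belong to any link, and which appear in two links. BEFORE is a subset of the link lines shown above, AFTER is constructed by applying the two commands, and treating the link that carries "ptm" as the WAN side is an assumption taken from this page.

```python
import re

# Subset of the link objects printed in the dump above (before the change).
BEFORE = """\
link[1].type                   = ethernet
link[1].port-vlan.ports        = lan-1 lan-2 lan-3 lan-4 ssid-1 ssid-2 ssid-3 ssid-4
link[2].type                   = ethernet
link[2].port-vlan.ports        = vc-1
link[2].tagged-vlan[1].ports   = ptm
"""
# Constructed: the same objects after the page's two `set` commands.
AFTER = """\
link[1].type                   = ethernet
link[1].port-vlan.ports        = lan-2 lan-3 lan-4
link[2].type                   = ethernet
link[2].port-vlan.ports        = lan-1
link[2].tagged-vlan[1].ports   = ptm
"""

LINE = re.compile(r"^([\w.\[\]-]+)[ \t]*=[ \t]*(.*)$", re.M)
PORTS = re.compile(r"link\[(\d+)\]\.port-vlan\.ports")
TAGGED = re.compile(r"link\[(\d+)\]\.tagged-vlan\[\d+\]\.ports")
WAN_PORT = "ptm"  # assumption: the link carrying "ptm" is the WAN side


def is_local(port):
    """True for the wired and wireless LAN-side port names seen in the dump."""
    return port.startswith(("lan-", "ssid-"))


def link_membership(text):
    """Return ({link index: set of untagged ports}, set of WAN link indexes)."""
    members, wan_links = {}, set()
    for key, value in LINE.findall(text):
        ports = set(value.split())
        m = PORTS.fullmatch(key)
        if m:
            members[int(m.group(1))] = ports
        m = TAGGED.fullmatch(key)
        if m and WAN_PORT in ports:
            wan_links.add(int(m.group(1)))
    return members, wan_links


def review_bridge_change(before, after):
    """Summarise the port-membership consequences of a link edit."""
    old, _ = link_membership(before)
    new, wan_links = link_membership(after)
    assigned = [p for ports in new.values() for p in ports]
    return {
        # Local ports sharing a link with the WAN: whatever is plugged in
        # there talks to the ISP side directly and needs its own firewall.
        "bridged_to_wan": sorted(
            p for i in wan_links for p in new.get(i, ()) if is_local(p)),
        # Ports that belonged to a link before and belong to none now.
        "unassigned": sorted(set().union(*old.values()) - set(assigned)),
        # Ports listed in more than one link.
        "in_multiple_links": sorted({p for p in assigned if assigned.count(p) > 1}),
    }


if __name__ == "__main__":
    for name, ports in review_bridge_change(BEFORE, AFTER).items():
        print(f"{name}: {' '.join(ports) or '-'}")
```

On these values it reports lan-1 as bridged to the WAN and ssid-1 through ssid-4 plus vc-1 as no longer assigned to any link; what the firmware does with unassigned ports is not stated here.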

Configuration Template

You can dump this for yourself, but to see what Motorola's "template" is for its configuration options you can check out this pastebin. If you don't know what options a configuration object supports, this is a good bit to look at. Though a few things in the template don't exist in my NVG510 at least and will cause crashes if objects are created. (cifs will not work for me)

Posted: 6/4/2012 7:54:36 AM


have you seen the 'open source' firmware release at:

even if that actually does build a flashable image, i'd be too afraid to flash it. any thoughts?
6/17/2012 8:28:24 PM
nvm. just saw your reference to the GPL sources above and read your other article about the web ui vulnerability! good work! what a gaping hole!
6/17/2012 8:43:03 PM
The open source firmware release isn't complete enough to build a firmware image. It's missing the proprietary `Motopia` module which appears to actually make everything work
6/19/2012 1:37:26 AM
Nothing about Uverse is PPP.  PTM is "ethernet" (mac encapsulated) over the DSL layer -- vs. ATM in legacy DSL.  "vc-1" means "virtual circuit 1"; ptm doesn't have vc's, so that's why removing vc-1 doesn't break anything.
6/28/2012 6:18:40 PM
@rbeam ah, I wasn't aware of that. I still am unfamiliar with how U-Verse works, technically. 
6/29/2012 2:00:32 AM
Just found this -- nice work!  I've been waiting for this for a long time, I hate this modem, and I seem to have wired up my serial TX line incorrectly (it never responded to any bytes from me).

re sdump v dump -- sdump dumps "status", i.e. constantly-updated things like ethernet frame errors.  dump dumps the actual configuration info.
6/30/2012 8:08:32 PM
@bushing I believe your problem was probably the pullup resistors. They gave me problems and I ended up having to desolder them(there is a way to get around it without desoldering though)

That's kind of what I thought sdump was but I wasn't sure
6/30/2012 10:09:03 PM
Question how do i stop the redirect error from happening?
7/8/2012 4:35:26 AM
After reading rbeam's comment, I'm confused as to whether changing these values bridge it or not?
set link[1].port-vlan.ports "lan-2 lan-3 lan-4" 
set link[2].port-vlan.ports lan-1
8/1/2012 12:41:21 AM
Hello, I enabled remote telnet access. But can't access via any number of username/password combos. Any idea where to look?
9/9/2012 8:31:46 PM
@Anonymous: Hmm.. that's odd. Make sure you get the username/password prompt in your telnet client. And if all else fails, try doing a factory reset, then redoing the remote-exploit and try to login again. 
9/11/2012 3:57:14 AM
I was successful at using the remote exploit.  Thanks!  One thing to add though is that the telnet console logs you in to a Netopia OS which is different than the above shell.  To be able to do the configuration things you describe I had to do:

And then log in again.
Anyone figured out how to do QoS with this thing?
9/14/2012 5:33:36 AM
@create: Yes, I believe this is documented on the remote exploit page. And as for QoS, before I switched ISPs and stopped working on it, I was trying to figure out how to prioritize certain traffic.

It looks like it has the ability to prioritize, but it's not documented at all. 
9/14/2012 1:18:10 PM
ah yes.... I read up to the ! and missed the next paragraph about nsh.... time to get my eyes checked :)
9/14/2012 3:44:31 PM
Hey thanks for the info man. Any idea how to add static DHCP leases?

9/16/2012 5:59:41 AM
@Johnny Unfortunately, no. I'm sure it's possible, but I don't have U-Verse anymore so I haven't looked into it further
9/17/2012 2:11:47 AM
Ah well thx for the info and the exploit nevertheless. I am using your suggestion to forward the wan side to lan port 1 and it works flawlessly. I also saw your post on openWRT forum, even though no replies to it hopefully someone will figure out how to run openwrt on it!
9/28/2012 4:31:12 AM
it says my database is dirty and wont allow me to save when i set mgmt.upnp.enable to on.
10/16/2012 9:49:48 AM
figured it out lol thanks :)
10/16/2012 9:51:24 AM
I'm unable to get my NVG510 to respond to ICMP/ping requests over WAN from the internet. Suggestions?
10/20/2012 5:38:50 PM
About a week ago, passthrough suddenly stopped working for me. The amount of time I poured into getting the NVG and my router to play nice is shameful. "Broken" doesn't even begin to describe just how useless this thing is because of how they chose to cripple it... worst of all, it's not even heavy enough to properly hold a door open or be a boat anchor.

Using the description above, instead of entering into shell mode, I executed 'configure', navigated to the named "LAN" and "WAN" links and was able to change the assigned vlan ports right from the command line and restart. 

Within seconds, it was obvious that all of this 'value add' was the source of wasting my time day and night for a week when all I truly needed was a real bridge mode. Moving to real bridge mode solved every single network issue I was seeing. Thanks for making this post. I had no idea what I was going to try next short of change carriers given that I rely on my broadband connection to make a living.

10/22/2012 7:49:48 AM
Glad I could help. This problem is EXACTLY why I set out to discover a "true" bridge mode, the passthrough thing kept magically breaking (I'd have to reconfigure it every week or two). After getting kicked off of xbox live yet again because of it I decided I'd had enough and went to unscrewing things
10/22/2012 1:28:03 PM
Absolutely bloody amazing sir. Unlocked the full potential of this assumed-to-be-POS that I have been using for months with an hourly trip to the world of cgi-bin. But no more. I am grateful on a level you will never know. VPN access is difficult when you can't keep up a connection. I should not have to tether to my phone or use my broadband card sitting in my own living room! Thank you sir! 
10/25/2012 4:00:19 AM
I'm blown away by how you managed to unlock the full potential of what was in my opinion, a kids toy.
Really great job exploiting this gaping hole in security, Motorola should be ashamed.

Perhaps you could help me, I'm trying to set the router to renew its dhcp lease every time its rebooted.
I would like the router to receive a different IP address from ATT. Is this even possible and if so how?
11/2/2012 11:14:56 PM
@topher(heh use to know a friend way back when that went by that alias). It already does this. AT&T probably just happens to give you the same IP address every time. You can't "force" AT&T to give you a different IP. The only thing you could maybe do is use MAC spoofing to make AT&T "think" that you're a different client. I don't think that's physically possible with this modem though, even rooted(nor possible with DSL even?). 
11/3/2012 12:36:42 AM
Hello, I saw Anonymous had issues with not being able to ping this modem from the outside. I have the same problem. All I need to do is be able to ping its public IP to know that its up.
11/8/2012 4:14:04 PM
Followed instructions.  Was able to get into the modem - but "help" didn't look anything like above.  No validate, save, etc.

Different version of the hardware perhaps?
11/16/2012 4:45:22 PM
@Anonymous you must get to the "nsh" shell. Type in `magic`<enter> and then `!`<enter> and then `nsh`<enter> and you'll get to the shell discussed here. 
11/17/2012 3:16:23 AM
Everything working great. Set to bridge to Netgear and is working great. Thanks! Only problem is now my AT&T Voip line quit working. Is there anything I can do about this? Is there a certain port that needs to be forwarded or something? Right now the NVG510 has a reg phone jack output on it and I just plug my phone straight in it and it worked, but now there is no dial tone. Any thoughts? Can we port forward a port on netgear back to nvg510 somehow, or change a setting via telnet, or port forward to a lan port on netgear then plug phone to that port (with adapter), etc? Any help would be appreciated. Thanks!
11/28/2012 1:20:57 AM
@Anonymous I'm not sure. I suspect there might be a way to do the bridging and then configure one of the unused ethernet ports so that you can hook another ethernet cable from your modem to your router (ie, the modem will be on your LAN, but not be the router). 

This is a much worse problem than just doing port forwarding. Doing the bridge mode described here makes the modem so it can't access the internet directly. I suspect it's possible to work around, but I have no idea how to do it. 
11/28/2012 4:58:17 AM
What I don't get is if everything works as expected, 
why would you want to do this?
12/13/2012 7:22:23 PM
Aaron Borden
@Anonymous re: motopia, it looks like it's included in the source available here
1/6/2013 6:43:44 PM
Once you enable ssh, you can log in with the user "admin" and password set to your device access code.
1/6/2013 8:39:57 PM
I really want put my NVG510 into "true-bridge" mode.
Can I apply the same method for a STATIC IP instead of dynamic?
1/17/2013 12:39:41 AM
It depends... define "static". If you put your NVG510 in bridge mode, then your router has to handle all of this. So, if you get a static IP from AT&T, your router has to be configured to use that static IP. 
1/17/2013 5:14:26 AM
I'm little confused with the lines of code:

set link[1].port-vlan.ports "lan-2 lan-3 lan-4"
set link[2].port-vlan.ports lan-1

So after I do this, which port do I have to connect my router to?
Thank you Earlz you are genius!

1/25/2013 5:25:01 PM
My brother figured out the DNS changes.  He changed the proxy setting to Off, then set an IP for the primary and secondary setting, then applied, saved, then rebooted.  And it worked. The override was already set to on. IP config now has the open DNS ips.

2/17/2013 3:16:24 AM
what do i do when i can't adjust my firewall because i don't have the access code required
3/2/2013 6:35:03 PM
Mr. C.
To enable WAN ping response, from the initial command shell type:
"WAN" (w/o the quotes)
hit return on everything except "icmp-echo-drop"
type "off" (w/o quotes) when you get to this point.
return on everything else
type validate
type save
your modem should now respond to pings from the WAN port
3/20/2013 3:31:51 AM
upnp enable on works. just did it on mine.
9/14/2013 9:58:07 AM
Can't get past this prompt
entering ! returns 
Unrecognized command. Try "help".

Very odd as it used to work and I was able to set nameservers in the past

firmware version 9.0.6h2d30
11/22/2013 10:33:15 PM
NVG589 Version 9.1.0h4d38

None of the above works now.  Connection always "closed by foreign host" after 2 LF's.  Can't telnet in from WAN or LAN.
12/29/2013 2:12:59 AM
