Solving common problems

I'm glad you are digging into this modem and found this! I'd looked through the config stuff but missed the redirect disable option.

From the contents of /www/residential, it looks like either the software was designed for of devices, or this device is capable of supporting USB devices and DLNA.

I added info to wikidevi about grabbing data from the device, such as /www/*.

Hey, sorry about the bad formatting of your comment. I guess that's a comment bug I missed in testing.

Anyway, I saw residential, but tried and it didn't like it much. It broke out quite a few more options, but
is still missing some basics like DNS nameserver changing. 

Also, thanks for updating that wiki. I wasn't for sure if this information really belonged there or not.
I did not even think of using that method to get files off of the modem! I instead opted to use the tftp client on the modem. 

Hopefully we can get more people taking control of this modem and posting their own tricks. 
One of the odd things I thought about it was that it supports having 4 different wireless networks.

Also, I believe the modem has USB support on the processor, but not all of the support hardware for it, as I don't see any pinout for it.  

Is there something that I am missing.  Every time i try this it takes be back to the home page instead of the changes saved page

@dooleyr send me an email @ earlz -at- this domain(lastyearswishes.com). Make sure you copy the `nonce` value and then DO NOT load any other page on the modem until after you use the exploit page

I wanted to say Thanks You for studying this device and sharing your findings.

Because of you I was able to disable that god awful redirect page.  It's a shame AT&T has this modem so jacked up and worse they don't seem to care.

Anyway,  Thanks again.

@Anonymous Well, that stupid redirect page bugged me non-stop. It'd appear out of the blue sometimes without even a power failure. One time it did it, kicked me off XBox Live for no reason and I decided the fight was on. I have 2 modems anyway, might as well open one up. So, I opened it, got to the serial port.. and eventually ended up looking at the source code for the Web Interface and found a vulnerability. I had quite a few friends that had the same modem and same problems, so I documented it hoping to help everyone with this crappy modem. AT&T doesn't seem likely to ever patch their horrible firmware and don't care at all about how poorly it's designed.. Hopefully this trend continues because this exploit would be really easy to patch, and I believe it's the only one that exists 

How can I get the router to stop overriding my changes to the dns server?
Tired of having to go in again and again to change my nameserver back to google/opendns
I already tried the ip.dns.override-allowed option and that didn't stop it.

@Anonymous. About the DNS problems. I know about this, but I don't see any easy solutions so far. 

notice that you can grab the nonce from even some non-password-protected pages like /cgi-bin/diag.ha.. so i guess you dont even need to know the password to take control of the router :)

@Anonymous, I think there is something other than the `nonce` used for the authentication. And the modem ethernet configuration page will check to make sure the admin is authenticated before allowing us to post exploited values to it. So I suspect this isn't too much of a security concern

@Earlz, are you sure about that? i grabbed a nonce from diag.ha which is not secured.. and ran a curl post with that nonce and successfully changed some arbitrary config value.. but i'll definitely try again to make sure i didn't taint my test in any way

@Earlz, i take that back. looks like they are taking the rather unusual step of whitelisting the ip (or port or something) origin of a valid login, rather than using session cookies.. which fooled me

Hi, that's great work. I'm wondering what is the process or how did you find out about this loophole. I would like to learn the process. Thank you so much.

I followed the foregoing instructions and was able to get to the root via "magic" then "!".  I can both Telnet & SSH into the root.  I'm totally new to Linux and have been researching UNIX/Linux commands on Google.  However, I can not seem to figure out how to edit /etc/dnsmasq.conf or /var/etc/dnsmasq.conf.  Under either directory, whenever I enter vi /etc/dnsmasq.conf or vi /var/etc/dnsmasq.conf both Telnet & SSH return "/bin/sh: vi: not found".

I've also tried the commands edit; ed; ex w/the same results, e.g. "/bin/sh: ex: not found".

Any ideas on what I'm missing or doing wrong?

@Newbie Hi! The included unix utilities for the NVG510 is a bit.. sparse. I believe the only way to edit files on the device is to use `cat` and output redirection. However, if you value your sanity, you won't do that :P 

What I did to edit files is setup a TFTP server on my network and then use the included TFTP client on the modem to upload and download files. This is probably the easiest option. I've gotten a tip from elsewhere about some people compiling a less-restricted Busybox for the modem and then uploading it via TFTP. 

thanks you are the best----- as change XDSL password and user of company  

Thanks for this great help! I changed the dns servers but they are randomly being changed back. I assume is because I have dynamic IP or any time router is rebooted. I tried "override", but didn't work. I also set "dns proxy-enable" to off. But when I did this, I could no longer use the internet. Any help on how to get NVG510 to "hold" on to the DNS servers I input for good without changing back to att? Can I change DNS from DHCP?

@Anonymous I don't know. There have been numerous reports from others about this problem but no one has seemed to find a solution yet. I don't use this modem anymore (switched to Cable), so I don't update any of this anymore. If anyone can figure it out though, I'll definitely publish a link to it. 

I have static IPs, will putting them into 'bridge' mode cause any problems here?

Protip from someone who's dealt with similar bullshit from a Verizon-provided router: the DNS configuration and other settings may be being remotely enforced by a backdoor web configuration interface, or possibly just the remote management interface over the DSL line. In the Verizon configuration, the reason for opening a backdoor to router management was, as far as I could tell, for Verizon support requests from people who don't know what a router is and because certain services required opening ports to communicate with some of the cable TV services behind the coax part of the network, and they wanted to force auto configuration (look up MoCA if you're interested). Of course it's a gaping security hole (I could access it from anywhere on the Internet).
Point is, if you're lucky and it turns out DNS enforcement cannot be done over the DSL management interface, you may be able to stop the DNS behavior by disabling that remote management feature / port in the firmware (or adding firewall rules to prevent it f

@Geeknik you shouldn't have any problems. You'll just have to make sure that your router properly handles the static IPs. You may have to manually set the IP(s) of your router in order to get it to work. I'm not for sure if AT&T directly passes down a static IP from their DHCP servers

@Anonymous I don't believe it's DNS enforcement. There is a management port open on the modem(to the public), but I can't get at the password. Tried brute forcing it, but didn't get anywhere. Also, by doing the true-bridge mode, this management port gets closed. With true bridge mode the modem literally does not think it's even connected to the internet. I don't believe updates or anything will be received in bridge mode. 

Hi, I really liked your articles even if I don't own that kind of router. I've always wondered, how did you manage to get to the exploit? My guess is that you opened the source of a web page that allows you to edit some useless setting, via the standard UI or by downloading the page using the serial port stuff, then see how the post was made and then replicate the request mechanism with a different option name (like "mgmt.shell.telnet-port") and different value.
Am I correct? Am I missing something?
Thanks, and great job anyway.

@MG that's exactly what I did. This particular exploit could've been found though without having the source code to the web application, but without access to the `nsh` shell and list of template configuration options, I wouldn't have been able to know what to change the form value to in order to enable telnet. 

Will this work with the 3800HGV-B?

@Occam, highly doubtful. If I ever get U-Verse again, I can try my best to root it though. (Moved to Ohio and they told me I can't use the two NVG510 modems I already have of course. ugh, but apparently the modem up here is the 3800HGV) 

However, I've heard that the 3800HGV modem is much more sane than the NVG510, including being able to collect interesting things like precise line statistics and charts. 

Can confirm that the uPnP option does indeed enable uPnP.

@Anonymous it does enable UPnP at least partially. The only thing I use UPnP for is so multiple XBoxs can have an open NAT type and this did the trick with 2 Xboxs... however, I set this up for one of my friends who has anywhere from 3-6 setup at a time and only 1 ended up with an open NAT type. Not sure if that's a limitation of xbox live, only having a single IP, or if this modem doesn't have a good UPnP implementation

Wow, Earlz, this is awesome! So nice to be able to CONTROL this bloody thing! I am having a strange problem with the NVG510, and I was wondering if you can point he in a useful direction to fix it. I have an NVG510 with a 3-bit subnet and a Linux server with an Intel eepro100 network card wired into the NVG510. When I fire up the NVG510 and plug nothing into it, the ping responses are at about 50ms. As soon as I plug my Linux server into it, the ping response time bounces all over the place - anywhere from 50ms to 600ms, although mostly in the 150-200ms range! The SMARMY AT&T tech told me that I have a "network configuration issue" and AT&T doesn't work on that. So, I went thru EVERY networking setting on both the server and the NVG510 at least 3 times, and I can see nothing that would cause this. Any ideas? Since I had AT&T replace the NVG510 and got the 50%+ packet failure down to consistently under 5%, the thru put is good, but why not get every bit of speed I can get? Thanks for any insight you can provid

@Technobabe: I have no idea. First off, I'd make sure that it's really the NVG510. Plug a different computer to it and see if you have the same problem. If so, then see if wireless has the same latency issue. Beyond that, as a last resort you might want to try my true bridge mode to use your own router. This gets the NVG510 completely out of the way and lets your router do what it was made for.. routing. 

Regarding the modem in Ohio:

I am in Columbus and just recently (this month, December) started using Uverse, and they sent an NVG510.  So apparently it's more complicated than just statewide Ohio=3800HGV.

Anyway, I don't know how this can even be legal, the pure shittiness of the NVG510.  Isn't this why we have consumer regulatory agencies and stuff?  Hey, I have an idea how to make lots of money, I'll offer people high-speed internet with a one-year contract, but instead of actually providing them internet or anything like that I'll just send them a brick and tell them it's a modem!

@Anonymous: It is indeed more complicated than just statewide. Apparently the NVG510 is used where there is 
U-Verse internet and phone, but not TV. (and using VDSL, not fiber to the home/node)

Also, you should watch out for patents with that technique. I think AT&T thought of it first! 

Is there anyway I can change my ip address with the root access? 

@Anonymous: I assume you mean your public IP address. And probably not. If AT&T is even mildly competent, their servers won't allow this. However, changing manufacturer tied values and such may induce something like this. I'll warn you that this is one of those things AT&T will notice though and that probably voids your service agreement

@Earlz 
Well, lets say I buy another nvg510 and register it with my service will that change my pubic ip 
address given that the mac address is different?

Do I have to do a reset on NVG510 before turn it to True Bridge Mode? Currently, I am using IP-Passthrough Mode.

Cant seem to follow the true bridge guide. Modem locks up after doing "apply" after entering the two set commands.

@Tony hmm that's odd. Have you tried doing a factory reset and then following the bridge mode instructions? 

I tried your instructions for the bridge mode and while it works, for some reason, the Broadband Status page of the NVG510 still showed the device as getting a valid public IP address and from the shell I could actually ping out to the public internet.

Earl,

Thank you soooo much.  I could not get my Slingbox with the NVG510 until I read your article and enabled
UPnP.  Now it works great.

Thanks for doing this. I think just putting the thing in bridge mode is going to solve my issues. I am now able, from the outside world, to pull up a web page hosted on my test machine behind the nvg510, just got to figure out why rdp and ping are not working yet.

Thought I should note, that for those having trouble with bridge mode after hitting apply, make sure you are configuring the modem via port 2,3,4 and NOT doing it on port 1, as when you hit apply port 1 will drop the telnet connection and begin the bridge to ATT. YOU MUST do the configuration while on lan port 2,3, or 4 so that you can SAVE or your configuration will NOT be persistent (it will reset every time the router turns off and you will lose bridge mode). I did this bridge mode last night and when I rebooted my Cisco router I lost all configuration and my router was DHCP'd a private net IP instead of the precious REAL internet IP I had earned.... lol

@Toao, very good point! I hadn't thought about that. I'll add a note to the article

Once the TrueBridgeMode has been able, what connection type would then be chosen in my Asus router? PPPoE or normal DHCP?

@Sean normal DHCP. It's definitely NOT PPPoE. If you need a username and password for it, you chose the wrong one. 

When I press "Save" on the complete_control page, I get redirected to my router configuration page, but it says:

"Address must not be on network (10.x.x.x)"

=/

@Anonymous oooohhh... That sounds scary :( I have no way of verifying, but it sounds like the remote vulnerability might not exist in your firmware version(ie, it was patched). Email me at earlz @ this domain name(earlz.net) and I'll try to work out what's happening. 

My brother figured out the DNS changes.  He changed the proxy setting to "Off", Then he set an IP for the primary and Secondary setting, then applied, saved, then rebooted.  And it worked. The override was already set to "On". "iponfig /all" now show Open DNS name servers.

"ipconfig /all" now shows Open DNS name servers.

To add to the previous Brother post.  Go to http://www.opendns.com/support/article/64 to test
the settings and the tests were all successful.  
I believe the DNS proxy setting (ip.dns.proxy-enable = on is the default) allows the device ie., router to allow name requests to be forwarded to the
ATT name servers. Turning that off and and setting open DNS servers allows the hosts on the network to recieve
those IP addresses via DHCP.  Well see what happens after a couple days to see if the settings hold.
Note:  The ip.dns override-allowed setting was 'ON' as the default.  I did not change that in the articel above
it shows it as off.  Not sure why but, it works for me with it ON.

Didn't know it could be easy... when you know a few secrets. Saved me running out and getting another router!

A BIG thanks to EARLZ for pointing us all in the right direction.  Would never have done it without your help.

Update.  Device was turned off overnight and the DNS settings reverted to the factory at&t dns setting.
Anyone know how to make it permanent?  Re-entered using the configure command in normal shell and it seemed
to behave the same.  The settings would stay there during a reboot, but if it was turned off, the settings would
go back to 0.0.0.0 for primary and secondary

As I noted at the beginning of the article, this is an open problem. It would appear that AT&T has hardcoded the DNS settings to be permanently non-configurable. I've heard of some hack with changing the DNS server's configuration file, but I don't imagine this being easy

This doesn't seem to work for me, but I also have my NVG510 assigned as 192.168.0.1 - is that messing up the control page?

@Anonymous did your modem come shipped that way? Like if you do a factory reset does it reset it to 192.168.1.254?

If I put my NVG510 into true bridge mode (to use with a Smoothwall Express firewall), would I be able to use the NVG510's wifi from behind the firewall (like, route the Protected LAN into lan2)? 

No, it didn't come set that way, I assume it would revert back to 192.168.1.254.  I changed it because that's how my previous network was setup when I switched ISPs, and it made it easier to change over.  I could change it back to the default if that's necessary, but then I will have to change the config of the router that sits behind it.  I'll do that if I have to, just checking to see if that is the issue before making the changes.

@dngrsone In theory it could work, but I haven't been successful in getting it to. Once you put it in bridge mode, the wireless is basically useless. However, you could MAYBE disable the DHCP server and then have a setup like `modem bridged-out -> router in -> router out -> modem non-bridged port` and I THINK that would work. No guarantees though. Worst case is it'll reset everything to defaults when it crashes

Hahaha... optimistic pessimism.  I love it.

Whelp, if I try, I will report back, either way it goes.  Be a shame to waste a decent wifi if it doesn't work out that way.

@Anonymous-- I have mine set to a different IP, and the hack doesn't work for me.  I think the page Earlz set up assumes the default IP when it sends the command to the modem.  You might try resetting the modem to default settings and then hit it with the hack.  

Yep, that did it.  Actually I just changed the IP of the modem (and the DHCP IPs), and the IP on my inside router.  Rooted the modem, changed the IPs back, and all is well.  Thanks much.

HUGE thanks to Earlz for his hack and to Brother for the DNS-specific fix. I've had the DNS failure to resolve issue for over a year and it drove me bananas daily. I read the instructions and I was able to change the primary and secondary DNS of the NVG510 modem. I don't know if the settings will stick after a reboot or power cycle, but I do that maybe once every 3 months so it's no big deal. Anyway here's the exact command line syntax for other newbies like me:

login: admin
password: <number on your modem>
magic
!
nsh
You will need to login once more at the NSH prompt

Axis ############>
set ip.dns.proxy-enable off
set ip.dns.override-allowed on
set ip.dns.primary-address 208.67.222.220
set ip.dns.secondary-address 208.67.220.222
validate
apply
save

Open up a CMD prompt in Windows and type in "ipconfig /all"
You should now see that the primary and secondary DNS numbers have been changed to the OpenDNS servers.
Thanks again. You guys rock. I can't wait to try some of the other more obs

Of interest to you, Earlz?
We are pleased to announce the Open Source redistribution for the NVG510 DSL CPE gateway product.
http://sourceforge.net/motorola-home/nvg510/news/2012/01/nvg510-open-source-redistribution/
http://sourceforge.net/projects/nvg510.motorola-home/files/README-NVG510.txt/download
http://sourceforge.net/projects/nvg510.motorola-home/files/
http://sourceforge.net/motorola-home/wiki/Projects/

Motorola is pleased to provide the open source software used in the NVG510 device!

Please note that this project is for distributing, discussing, and supporting the open source software we release. This site does not provide any SDKs nor general purpose developer support for the NVG510.
http://sourceforge.net/motorola-home/nvg510/home/Home/

wikidev?
http://www.wikidevi.com/wiki/Motorola_NVG510

Interesting! This is much more source code than they gave out when I first took a look at their source code archives. Last I checked, they only had the "OSS" download available. They appear to leave out some crucial parts such as DSL and VoIP support.. but with what they've given, I'd expect a usable image for routing could be made. Only real problem is there is no documentation on how to reflash the modem other than that it uses CFE somehow

Great work.  Thanks!  I was able to log into the ssh server using "admin" and the device access code as the password.  I am running 9.0.6h2d21.  Since AT&T won't allow you to disable the DHCP server from the UI, I did it using the command line.  The DHCP server was giving me problems.  Even though we had it set to only give out 1 IP address, the other boxes using another DHCP server on the network would mysteriously end up with att.net as a domain search suffix and the router as the DNS server.  Hopefully this will solve the problem.

If I go through with logging in > magic > ! > nsh i cant do anything.   However, if I just type magic it is already at the nsh prompt, and I have configured upnp and google's dns servers to be working working after reboots and everything. There is no apply command though, but after validate and save it seems to apply.

@Earlz or who can help. Thanks you all for the information here!
help with #nine and any other useful information for a real newbie would be greatly
appreciated.
  
quote 9.Now you should be able to login to the modem with telnet.
 The username is admin and the password is your modem's "access code" 
that should be written on it.

I cant figure out how to access telnet on mac i go to teminal-new connection
 choose remote login (telnet)then i add http://192.168.1.254/cgi-bin/etherlan.ha
 to server-side box says server is found & i click connect and get back a message
that says this:

 http://192.168.1.254/cgi-bin/etherlan.ha: nodename nor servname provided,
 or not known
[Process completed]
i cant get passed this part thanks for any help.

ATT always for the shareholders not the customers
and there new plans for expansion are undiscribable.

figured it out lol 

Thanks for the info, Earlz!
I am having a problem where I can put the router in true bridge mode, but it reverts back to non-bridged mode after a few days. Telnet still works, I just have to redo the commands. Have you or anyone else noticed this? Is there any fix? I am doing both save and apply.

Nevermind I figured it out. My router was on port 4 instead of 1, doh! What ends up happening that if you put your router on another port after putting it in true bridge mode, it detects the router and overwrites your changes. I've turned off the DHCP server in the modem to prevent this in the future, should I inadvertently use the wrong port again.

so just to clarify turning on telnet does what? and true bridge mode would be beneficial to whom? im trying to tweak my modem to allow a higher access speed to each individual device. I never get close to what i pay for. was just wondering if someone could explain these few things in lay-mans terms

@Mattkilla this WILL NOT help. If you're getting a crappy connection speed, 99% of the time it's AT&T and it's infrastructure's fault. (for instance, paper wrapped wires that were first installed in the 40s is not going to be capable of a good connection) 

Hey Earlz,
Whats the best way to turn the nvg510 into a switch, I managed to do it by disabling the dhcp server and giving it an ip address outside of the main routers ip range. Is this enough? should i disable the firewall and is it possible to disable the broadband light it keeps flashing red. Thank you for all your time and work on this project, take care.

Thank you for the information! I was able to follow your directions to enable true bridge mode, but now I can't seem to figure out how to use my static public IP addresses assigned by AT&T. I am currently using DD-WRT on my router. If I enable the router to use DHCP to configure its IP, it is assigned a random public IP. I can use a traceroute to get my gateway IP. If I use this gateway IP and my private IP I was assigned, nothing works. If I connect the router to LAN 2- LAN 4 and use DHCP in DD-WRT I get a private IP from the NVG510 and everything works. I was assigned 4 static IP addresses. I can't seem to get Uverse Tech support to help me understand how my static IP works. 

@dotmatrix Yea.... I have no idea? I would think it should *just* work if you manually configure your router behind bridge mode to use the static IPs. you might make sure your gateway and netmask is correct. I remember having some problem at some point with AT&T handing out a gateway which fell outside of the netmask, thus requiring me to manually override the netmask. 

Not sure if that applies in this case though unfortunately. I've never had experience with their static IP support

I am interesting in anyone's results with Static IP also.
I would love to use true bridge mode with this thing as I use PfSense but can't afford too much down time for trial and error.
Also do we have any way to make it ignore any firmware upgrades? My worry is we set this thing up, get it working great finally and a firmware upgrade jacks it up and locks telnet out but for now static IP true bridge would be great!

Thanks for the great work, I FINALLY got rid of the stupid redirect!

For those of you with modems on a different default ip (like me) here's what I did:
Copy the source code out of the page that enables telnet. Save, change the ipaddress, then launch the page. 
Maybe for future users, the page can be modified so that a user can enter the ip as a field as well.

@Earlz how do i connect using telnet?

@Earlz i enabled telnet on my pc but i cant seem to figure out how to connect to my router using telnet can someone help?

Never mind i got connected but how do i enable upnp?

when i type in the upnp or redirect code it simply says "usge: set OBJ.ITEM VALUE" WHY!!

@Levi You have to get to `nsh` first. See the section surrounding the "fixing common problems" header

I have already done nsh. After that it shows up as axis something(not at my computer) but for  I can not change anything

Thanks for the tutorial, though my problem seems different than anyone else's.  What happens for me is the redirect, but only when browsing with the http port.  If I go to http://google.com, it redirects.  When I go to https://google.com, it works.  Yahoo messenger works, my gmail notifier works, but all websites will start redirecting when using port 80.  I've shut off the redirect per the tutorial above, but that just makes it redirect to 192.168.1.254 when having its "issues."  The only workaround I have is using a public proxy server when it's acting up.

Dude, I seriously need to send you some cash for this. 
I have been fighting with AT&T 'support' for over a month to get
rid of that stupid connection 'error' redirect message. This is what I wanted. I just did it
- rooted the blasted thing - now but confidant this will address the issue. Also disabled 
that worthless DHCP server they have on the unit. 

I have a problem that I can't seem to work around and wondered if you can help.
I have put the modem in pass-through (needed it for work, and AT&T didn't give a crap; so, I hacked it!)
But, now, my phone doesn't work.  My phone uses the modem for the "dial tone" (at least, that's what the tech told me).
It seems that forwarding everything to my internal router has disabled the phone line.  I thought I could get it
to work by putting vc-1 into the list of ports on link[2].  But, sadly, that does not work.  Any suggestions?

With the way bridge mode is setup, maybe, maybe not. If you bridged it, you might try running an *extra* network cable from your router to your modem (use one of the non-bridge ports). I'm not sure it'd work though and it'd probably require some extra configuration. I didn't have an NVG510 which supported VoIP, so I don't know. 

Hello Earlz, this is really a great work..This has been very helpful in getting into this modem but i havent been able to get it to work like the way i wanted it to.. Can you let me know if this is possible - I switched to cable recently and have no use of this modem now so I was trying to set it up a wireless access point with a lan port plugged in directly to the back of my cable modem/router. I tried the true bridge mode You have mentioned above except i removed the ppp since i do not want that to happen but that doesn seem to work.. Can You let me know if i am missing something or this will not work..