Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Breakout supplicant and bridge methods into separate scripts #33

Open
owenthewizard opened this issue Oct 4, 2020 · 19 comments
Open

Breakout supplicant and bridge methods into separate scripts #33

owenthewizard opened this issue Oct 4, 2020 · 19 comments

Comments

@owenthewizard
Copy link
Contributor

The different bypass methods should be separated into (pf|opn)att_bridge.sh and (pf|opn)att_wpa.sh as they don't really overlap except for the VLAN 0 situation. Maybe that could be broken out into a script function too.

This would make it easier for people to setup and configure the bypass and ease maintenance as well.

I welcome opposing viewpoints on this issue.

N.B. The supplicant branch seems to be out of date (e.g. still using logger).

@MonkWho
Copy link
Owner

MonkWho commented Oct 4, 2020

I agree. I keep meaning to sit down one of these days, cleanup the readme a little, separate bridge and supplicant, and dome some other cleanup. There's just never enough time.

Bridge mode from the supplicant script is a little outdated but it also has a section for 5268AC that might help some folks. So that should probably be rolled into the main script and readme adjusted accordingly.

I want to get rid of supplicant branch altogether and have just one main branch that has all the info. Also need to decide if "before 2.4.5" needs to be kept or not. There was a need in the old version to copy the ng_etf.ko file so that required extra steps. But people should be upgrading to 2.4.5 anyways so maybe there's no need to keep the old branch.

Maybe readme needs to be trimmed down and most of the info moved to the wiki?

I will try and work on it in next couple weeks.

@owenthewizard
Copy link
Contributor Author

owenthewizard commented Oct 4, 2020

But people should be upgrading to 2.4.5 anyways so maybe there's no need to keep the old branch.

I agree, I don't see a reason not to remove it once 2.4.4-p3 is out of support.

Maybe readme needs to be trimmed down and most of the info moved to the wiki?

That would be nice. My only concern is that if this repo fell to the same fate as the original, the wiki would be lost whereas a readme wouldn't. But I guess the solution of that is to backup the wiki.

Update:
Here's a draft opnatt-wpa.sh, tested working. I'll clean it up a bit before creating a PR.
Perhaps with some cleanup and a few tweaks we could get this project added as a (pf|opn)sense plugin.

@maxfield-allison
Copy link
Contributor

I agree on the plug-in portion. I have some experience with the OPNsense plugins and have been looking for time to set aside and package this all up.

@super-triangle
Copy link

Apologies for swinging through here with a related question. I'm looking to set up pfSense + WPA supplicant. Is there an up-to-date guide kicking around anywhere, or is the best path to follow along with the supplicant branch readme from 6ish months ago?

@maxfield-allison
Copy link
Contributor

The supplicant branch is fairly accurate. Grabbing the certs from your RG is a bit out of scope for this project but I was able to figure it out with a little google fu. I believe I have some bookmarks I can share when I'm in front of my pc tomorrow. There was a tool I used that was buggy but ended up working after a few tries and adjustments.

@Ixian
Copy link

Ixian commented Nov 14, 2020

This script: https://github.com/iwleonards/extract-mfg

Works, maybe that is the one you referred to?

Related Reddit thread that also has links to the firmware you need and additional info: https://www.reddit.com/r/ATT/comments/g59rwm/bgw210700_root_exploitbypass/

It's not for users that need hand holding, but the process is reasonably straightforward and easy if you can run python scripts and follow instructions.

@super-triangle
Copy link

Closing the loop here. I was able to extract the certs but unable to get things working. Sounds like some markets are changing the auth process, which breaks the supplicant versions of this workaround. Ended up using bridging mode and all is well.

@maxfield-allison
Copy link
Contributor

It sounds like your supplicant wasn't configured correctly. If they changed auth on the backend, the bridge would break too since all it sends are eap packets

@Ixian
Copy link

Ixian commented Nov 17, 2020

Where did you read some markets were changing the auth process? That would be really difficult for them to do.

I recently moved from bridge to supplicant and it works fine for me, agree with maxfield-allison that you should re-check your setup.

I much prefer the supplicant method because bridge mode recovery (from loss of service, extended power outages, etc.) is finicky at best. With supplicant when I restore the connection it re-authorizes right away, every time and works better with my LTE failover setup. Also nice to be able to store the giant useless gateway out of sight.

@maxfield-allison
Copy link
Contributor

To clarify, AT&T are putting out a new RG model BGW320-50x that has an integrated ONT with SFP. That DOES break the functionality of the bypass methods here. I believe they're swapping to xsg-pon and using their management system to perform additional auth. more information can be found here https://www.dslreports.com/forum/r32605799-BGW320-505-new-gateway-with-integrated-ONT

@maxfield-allison
Copy link
Contributor

more good info here

@Ixian
Copy link

Ixian commented Nov 17, 2020

I've been following that thread too. It's interesting and I'm glad they're rolling XG-PON out but wouldn't cause whatever problem @burnburnrocket had getting supplicant mode to work. As you mentioned @maxfield-allison if they somehow changed how auth is done on the back end in certain markets than the bridge bypass mode wouldn't work either.

Also, this is AT&T. It will take them years to roll a new ONT/gateway combo out and longer still before the current crop of certs are invalid.

@Ixian
Copy link

Ixian commented Nov 17, 2020

The second thread you posted is more interesting in that it suggests in limited markets AT&T has started switching customers to new splitters that can handle GPON and XG-PON on the back end and the latter requires additional auth, which causes problems however that still means bridging EAP wouldn't work either. Also that thread is full of a lot of speculation, anecdotal reports and hand-wringing. I'll start keeping more of an eye on this though, and have my old gateway handy :)

@super-triangle
Copy link

Ah, apologies. Didn't mean to spread any misinformation here. Those are the threads I found, which I misunderstood to mean that the pfatt bridge solution worked even when supplicant did not. I struggled with supplicant for a few hours before giving up.

Like the other issue thread, it constantly hung at the waiting for EAP auth, preventing the router from booting. This made it extremely difficult to troubleshoot anything. After finding those posts I had incorrectly assumed I was in an area using the new auth.

@Ixian
Copy link

Ixian commented Nov 17, 2020

No worries. "Bridge mode" can easily be confused for the gateway "bridge" (which of course it isn't but that is what it's called) and that's what those threads are talking about when they said "bridge" - they are going back to the gateway and using passthrough.

If you have EAP bridging working then you should be able to get supplicant going assuming you have the right certs. That extraction script I linked a few posts above works and will grab the certs & convert them automatically.

@super-triangle
Copy link

Hi @Ixian, I was able to extract the certs without problem after rooting my ATT box. It was the steps after that where I got hard-stuck. Maybe sometime I'll try again when I have hours to kill. Oof.

@Ixian
Copy link

Ixian commented Nov 17, 2020

You are using pfsense or opn? Make sure you don't mix the scripts up. Past that, if you got EAP bridge working you should have no problem getting the supplicant going as well, for most people getting the correct certs is the problem. You decoded them with mfg_dat_decode right? That, and checking to make sure you are using the right paths/permissions, is all you really need to do.

@owenthewizard
Copy link
Contributor Author

owenthewizard commented Mar 9, 2021

I agree on the plug-in portion. I have some experience with the OPNsense plugins and have been looking for time to set aside and package this all up.

@maxfield-allison I don't suppose you have had any time for this? :)

@maxfield-allison
Copy link
Contributor

Unfortunately I'm on a new bgw320 and haven't been bypassing for about 9 months. I've kept my ear to the ground but unfortunately I don't think there is a bypass method for this rg yet which makes it difficult to test and package a plugin.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants