Extract mfg.dat and AT&T root certs from BGW210 or NVG599

This script assumes it is being run on a Windows PC with the mfg_dat_decode.exe program. It will exploit the gateway and download the certs as well run the mfg_dat_decode.exe to save the EAP-TLS credentials into a local folder. The local folder will be named <ModelNumber>_<SerialNumber> and will exist in the same directory as the script.

If you include "--installBackdoor" as a command argument then it will install a telnet backdoor on port 28 that will persist with reboots and firmware upgrades.

You can also include "--updateFirmware" as a command argument to install the latest firmware stored in this repo as the last step of the process. This will start a local http server and the gateway will try to download the firmware so Windows firewall may block this by default. Also, you need to make sure your local IP address matches the "SERVER_ADDRESS" value in the script for it to work correctly. The default "SERVER_ADDRESS" is 192.168.1.50.

1. Downgrade your Gateway
   • BGW210-700 to version 1.0.29
   • NVG599 to version 9.2.2h0d83 OR upgrade to version 9.2.2h0d79
2. Install Python3 if you don't already have it
3. Install python dependencies
   • pip install requests
   • pip install bs4
   • pip install wget
4. Run python extract_mfg.py --access_code="XXXXXXXX" --installBackdoor

• Streiw: BGW210 Exploit Instructions
• devicelocksmith: EAP-TLS credentials decoder and the method to extract mfg.dat
• earlz: Commands that can be run on the Arris gateways
• nomotion: Exploits discovered on Arris gateways