Extract mfg.dat and AT&T root certs from BGW210 or NVG599.

This script assumes it is being run on a Windows PC with the mfg_dat_decode.exe program. It will exploit the gateway and download the certs as well run the mfg_dat_decode.exe program to save the EAP-TLS credentials into a local folder. The local folder will be named <ModelNumber>_<SerialNumber> and will exist in the same directory as the script.

If you include --install_backdoor as a command argument then it will install a telnet backdoor on port 28 that will persist with reboots and firmware upgrades.

You can also include --update_firmware as a command argument to install the latest firmware stored in this repo as the last step of the process. This will start a local HTTP server and the gateway will try to download the firmware (Windows firewall may block this by default). You need specify your local IP address, by using the --server_address command argument, for it to work correctly.

1. Downgrade your Gateway
   • BGW210-700 to version 1.0.29
   • NVG599 to version 9.2.2h0d83 OR upgrade to version 9.2.2h0d79
2. Install Python3 if you don't already have it
3. Install Python dependencies:

   pip install requests bs4 lxml wget
   

4. Run the script:

   python extract_mfg.py <ACCESS_CODE> <DEVICE_ADDRESS> --install_backdoor
   

• Streiw: BGW210 Exploit Instructions
• devicelocksmith: EAP-TLS credentials decoder and the method to extract mfg.dat
• earlz: Commands that can be run on the Arris gateways
• nomotion: Exploits discovered on Arris gateways