Skip to content

Instantly share code, notes, and snippets.


wjhrdy/ATT Secret

Last active May 19, 2021
What would you like to do?

There are many reasons you might want to bypass an AT&T router.

Some people complain that the router is limited in specific ways that prevent you from configuring your network the way you might want to.

The most rational reason is that you will have one less variable that might effect your internet speed. I just like the idea of having one less thing plugged in all the time. Plus, it just feels right (if you are here reading this, you know what I mean).

INFO This doesn't allow you to increase your AT&T service speed outside of your paid speed tier. That is controlled on the ONT not on the router.

WARNING This guide will interfere with the AT&T router phoneing home to tell AT&T that your internet is working as intended. If you ever need to call AT&T because of service outages or an AT&T technitian is at your house, you will either have to plug back in the AT&T router or convince them that it is working even though their system likely says your router is not giving them the "internet working as intended" sign.

WARNING If you have any other AT&T services like TV or phone that go through your router you will not be able to completely remove your router so the best you can do is put it in DMZ mode, or you may be able to do some advanced routing using the second bypass method mentioned (but not explained) in the overview section.


There are a few ways to bypass the AT&T Router.

  1. The simplest is to put it in DMZ mode (which doesn't really bypass it but it does remove any default firewall rules that might interfere with incoming connections).
  2. The second and more complicated way is to set up your own router in between the ONT (fiber gateway) and the AT&T router that handles all internet packets and routes only auth packets to the AT&T router (not covered in this writeup).
  3. The third and most complicated way is to unplug the AT&T router fully and use your own router with some extracted certs from any compatible AT&T router (that is not currently being used by anyone else) and let your own router do the 802.11x auth using wpa_supplicant (this guide)
  • Getting AT&T certs (tested easy way)
    • Downgrade AT&T router to a specific firmware
    • Download a python script and executable and run it while plugged in over ethernet
  • Getting AT&T certs (tested hard way)
    • Downgrade AT&T router to a specific firmware
    • Disassemble AT&T router
    • Solder header pins
    • Connect to the AT&T router root interface using USB to TTL UART
    • Copy files from AT&T router to a USB stick
    • Decode those files on your computer
  • Setting up your router to authenticate using AT&T certs
    • Copy certs to your preferred router
    • Setup WAN on eth0.0 (VLAN 0 tagged over eth0)
    • Spoof MAC address on eth0 and eth0.0 to the one from AT&T router
    • Write a script/service to authenticate eth0 using wpa_supplicant



  • Specific AT&T Router to grab certs off - BGW210 or (BGW210 or NVG599) for the solderless solution.

    • BGW210 range from $20 - $150
    • Wouldn't pay more than $40
    • You could also skip purchasing a gateway and purchase certs, but YMMV I can't vouch for any of the eBay sellers and they range from $40 - $100 for the necessary files.
  • A router that can run OpenWRT or VyOS

    • This guide will provide instructions for either
    • pcengines apu2 (OpenWRT)
      • $120-$150 shipped from their website
      • This router is overkill for most purposes but performs very well with OpenVPN if you are interested in using it for a VPN enabled router at close to gigabit speeds.
      • Hint: To purchase click shop and fill in the quantity box, for apu2e2, a case, a power adapter, and an SSD. Click the cart tab and checkout.
      • If going this route make sure you have a USB to Null Modem cable to setup OpenWRT
    • OR
      • Edgerouter (VyOS)
        • Used for $30-$50
        • New for ~$60
        • Affordable, configurable, and reliable

  • Basic Linux skills


    • Basic Soldering
    • USB to TTL UART
      • Doesn't have to be this one
      • This adapter is needed to get root access to the AT&T router.
    • Male Header Pin
      • These pins can be soldered to the AT&T router for a physically stable connection to the board. Otherwise, you can have a friend touch the wires to the points on the board (much more tedious).
    • Soldering Iron (if using the header pins)
    • USB stick (FAT32 formatted)

Getting AT&T certs (easy way)

Disclaimer: Don't do this on your own AT&T router because you could brick it.

Follow the instructions here.

  1. Downgrade your Gateway
    • BGW210-700 to version 1.0.29
    • NVG599 to version 9.2.2h0d83 OR upgrade to version 9.2.2h0d79
  2. Install Python3 if you don't already have it
  3. Install python dependencies
    • pip install requests bs4 lxml wget
  4. Run python --access_code="XXXXXXXX" <DEVICE_ADDRESS> --installBackdoor
  5. Run python --access_code="XXXXXXXX" <DEVICE_ADDRESS> this will dump all the necessary files into a folder in the current directory

Getting AT&T certs (hard way)

Disclaimer: Don't do this on your own AT&T router because you could brick it.

Downgrade the AT&T Router firmware

  • With this AT&T router, BGW210, there is a firmware version that allows you access to the com interface and root privileges. Download that firmware here. TODO verify this is the correct link and create a mirror.
  • Turn on AT&T router with your computer connected to one of the Ethernet ports.
  • Navigate to in your browser
  • Click tab Diagnostics -> Update
  • Upload the firmware file you just downloaded

Disassemble the AT&T Router

  • Remove 2 screws under rubber pads (bottom when modem is in vertical position)
  • Remove 1 screw under rubber plug (top middle when modem is in vertical position)
  • Remove the front translucent plastic covering the LEDs
  • There are fragile tabs that you can press to work the two sides apart slowly
  • Remove screw in the middle of board
  • Tilt out the front and slide forward
  • Fold out the board keeping antennas connected

Solder header pins

  • Solder the male header pins to the board here (insert image)

Connect to the AT&T router serial interface using USB to TTL UART

  • Connect the pins to the USB to TTL like this (insert image)
  • Connect to the USB to TTL serial interface on your computer. Here is a good overview of how to do that on various OS's.
  • Plugin the FAT32 formatted USB stick
  • Once you can connect to the USB to TTL, plugin power to the AT&T router, no ethernet needed.
  • Warning this is a tricky part. You will see the boot log streaming past, and once you see the USB storage initiate press the keys "^" and "e" not ctrl+e. Another way is to copy "^e" to the clipboard and paste.
  • You should see "Attached SCSI removable disk" scroll by before hitting "^e"
  • This keypress should dump you out to the root cshell.

Copy files from AT&T router to a USB stick

now in the shell type:

mkdir /tmp/sda
mount /dev/sda /tmp/sda/
mount mtd:mfg -t jffs2 /mfg
cp /mfg/mfg.dat /tmp/sda/
cp /etc/rootcert/*.der /tmp/sda
ls /tmp/sda
umount /tmp/sda/

If you see this:

arris-si-rootca.der frontierroot.der
arris-si-subca.der mfg.dat
attroot2031.der motroot.der
attsubca2021.der motsubca.der

The files are now on your USB stick, and it can be safely removed.

  • Unplug the power to the AT&T Router

Decode those files on your computer (this step is incorporated in the easy way)

  • We must now translate the files from the AT&T router into something your personal router can use to authenticate
  • Download the mfg_dat_decode tool for your operating system
  • Copy mfg.dat from the USB stick to your computer and place it into the same folder as the mfg_dat_decode executable
  • Copy *.der files from USB stick to the folder of the same folder as the mfg_dat_decode executable
  • Run the mfg_dat_decode executable
  • You should now see a file like this in the same folder:
  • EAP-TLS_8021x_serial-number.tar.gz
  • Now you have the certs

Setting up your router to authenticate using AT&T certs

Copy certs to your preferred router

OpenWRT / EdgeMax (VyOS)

  • backup your router config (OpenWRT Edgemax)
  • Connect your router to the internet
  • Make sure you can ssh into your router
  • Use Secure Copy (scp) to transfer your EAP-TLS_8021x_{{serial-number}}.tar.gz file to your routers /tmp/ folder


Decompress and Configure WPA Supplicant Files

  • ssh into your router and run
mkdir /etc/ont
tar -zxvf /tmp/EAP-TLS_8021x_{{serial-number}}.tar.gz /etc/ont
  • Open /etc/ont/wpa_supplicant.conf in your preferred editor on your router router
  • change the paths for all the pem files to the absolute paths
  • E.g. ca_cert= line becomes ca_cert="/etc/ont/CA_#######-#######.pem"
  • copy the MAC address on the identity="{{MAC}}" line

Install wpa_supplicant

opkg update
opkg install wpa_supplicant
  • Now you can unplug from the internet.

Setup eth0 as ont auth and WAN over eth0.0

The easiest way is to edit your /etc/config/network to look like this

  • Add a new interface for the ont
config interface 'ont'
    	option proto 'none'
    	option macaddr '{{MAC you copied out of wpa_supplicant.conf}}'
    	option ifname 'eth0'
  • Edit your WAN interface so that the following options are added/edited
config interface 'wan'
option macaddr '{{MAC you copied out of wpa_supplicant.conf}}'
option ifname 'eth0.0' 
  • Changing the ifname to eth0.0 will tag the packets with VLAN 0 which the ONT requires for all internet packets.

After editing /etc/config/network restart the networking service using this command

sudo /etc/init.d/networking restart

Test that your router can authenticate

  • Plugin your AT&T ont into eth0 port of your router
  • Manually run authentication by running this on your router:
wpa_supplicant -ieth0 -Dwired -c /etc/ont/wpa_supplicant.conf -B -dd
  • It may take 1 minute or so, but you should see a message saying connection successful

Make a service that authenticates automatically on startup.

Create a file called ont at this path: /etc/init.d/ont

#!/bin/sh /etc/rc.common
# Author: Willy Hardy, 2020
# Author: Adam Chasen, 2020
# Author: Beamer, 2011
# Author: Christian Tietze, 2011

# Start priority of 21 should be right after network comes up. Hopefully we can auth before udhcpc starts requesting.

EXTRA_HELP="Output should contain one line with: [...] wpa_supplicant [...]"

start() {
   echo "Starting ATT ONT authentication using wpa_supplicant"
   wpa_supplicant -ieth0 -Dwired -c /etc/ont/wpa_supplicant.conf -B -dd | logger -t ont_
   sleep 5

stop() {
   # commands to kill application
   echo "Stopping ATT ONT authentication"
   killall wpa_supplicant && echo "wpa_supplicant was terminated"
   sleep 2

status()  {
   echo "The following output should say wpa_supplicant [...]"
   ps | grep wpa_supplicant

EdgeMax (VyOS)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment