The Linux Page

Hacking my NVG510 device

Earlz found a way to hack the NVG510 device and wrote a page about it: Rooting The NVG510 from the WebUI

He also offers a page that one can use to allow telnet connections to the NVG510 (by default it is locked up.) From there you can allow ssh and tftp connections too.

Note that this means if you are logged in to your NVG510 and you click on a link on a bad server, you could actually allow remote connections from anyone! So that's a dangerous back door, although if you are not logged in to the Web interface, then it is fine (assuming you do not then log in without thinking!?)

Just in case Earlz's pages were to disappear, I wanted to have my own here.

First there is an IFRAME with the form used to enable telnet on your NVG510. You will first need to log in to your NVG510 and then enter the nonce value in the field as shown below:

Once you have enabled telnet, you can start hacking the device with the following:

prompt$ telnet 192.168.1.254
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.

login: admin
password: <same as website password>

Once in, you can use the help command to see all the available commands. This at least gives you access to most everything you need to tweak your device. However, there is more! When you first log in (in the root shell) you can enter the magic word:

NOS/12345678> magic

This gives you access to a new shell that is viewed as a debug shell. That debug shell can be used to tweak things just the same as the normal shell, although it has a different interface. To see all the values you can modify, try the different dump functions.

However, there is more! From inside the magic land, you can enter the nsh shell. That's yet another router-like shell, although it allows you to see things in a different way, yet again!?

NOS/12345678/DEBUG/MAGIC> nsh

I do not think that this one gives you much more than the previous level, although that is the one the original author talks about.

Now what? Well! There is even more! To enter shell commands, you often use the bang character. It works in the nsh shell! So you just type bang, and bing! you're in a Unix shell logged in as root.

NOS/12345678/DEBUG/MAGIC> (nsh) !

#        <- Look!!! Unix root prompt!

Here you can see things that are not otherwise accessible. For example, I checked the iptables. That helped me a lot because I was really wondering how my routing tables, iptables, and Ethernet setup were working on my end. Now I know, most people do not need to go that far, but if you like Linux, you'll be in your environment!

The iptables were quite interesting too. Stronger than my previous router that would not do that much. So kudos to the designers (programmers from Motorola, maybe contractors like me, though!)

I found two PDF manuals that I'm (probably illegally, although I did not tamper with them!) attaching to this page so it's easy for you (and especially me) to find them again. It is likely that they will disappear from the source where I found them, so it will come in handy one day, I'm sure. 8-)

What all the router values do is quite simple to understand, from my point of view. What is really obscure should not be modified anyway. Note that you can set up the router to also accept ssh connections. I did not try yet, but it should be possible to set up an ssh key and log in without a password. If that's true, then I'll be able to better shape the upload transfers by taking the current speed into account. At this time I have 766kbps, but I'd bet that it will vary with time. I was doing that with telnet on the old router. Not practical! (rsh did not want to work right.)

As a side note, if the ssh key does not work, then there is sshpass!

apt-get install sshpass

Earlz showed how to set up SSH/telnet from the shell:

set mgmt.shell.ssh-port 22
set mgmt.shell.telnet-port 23
validate
apply
save

Set the port to zero to lock the service, or to any other valid port to enable the ssh/telnet feature.
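
To check that the router really ended up in the state you set, here is an added example (not from Earlz's page or from this post) that reads the "set" lines above and probes the router from the LAN. The function names and the USUAL_PORTS table are assumptions made for the illustration; the keys, ports 22/23 and 192.168.1.254 come from this page.

```python
import socket

# Keys exactly as in the "set" commands above; port 0 locks the service.
MGMT_KEYS = {"mgmt.shell.ssh-port": "ssh", "mgmt.shell.telnet-port": "telnet"}
# Ports probed for a locked service (assumption: the values used on this page).
USUAL_PORTS = {"ssh": 22, "telnet": 23}


def expected_ports(commands):
    """Return {service: port} from 'set <key> <port>' lines; other lines are ignored."""
    ports = {}
    for line in commands.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "set" and parts[1] in MGMT_KEYS:
            port = int(parts[2])
            if not 0 <= port <= 65535:
                raise ValueError(f"invalid port in {line!r}")
            ports[MGMT_KEYS[parts[1]]] = port
    return ports


def is_open(host, port, timeout=2.0):
    """True if host accepts a TCP connection on port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit(host, commands, usual_ports=USUAL_PORTS, probe=is_open, timeout=2.0):
    """Compare the intended state with what the router really accepts."""
    report = {}
    for service, port in expected_ports(commands).items():
        if port == 0:  # locked: the usual port must refuse connections
            still_open = probe(host, usual_ports[service], timeout)
            report[service] = "LOCKED BUT STILL OPEN" if still_open else "locked"
        else:
            reachable = probe(host, port, timeout)
            report[service] = "enabled" if reachable else "enabled but not reachable"
    return report


if __name__ == "__main__":
    # Constructed input: keep ssh, lock telnet; 192.168.1.254 is the address used above.
    wanted = "set mgmt.shell.ssh-port 22\nset mgmt.shell.telnet-port 0\nvalidate\napply\nsave"
    for service, state in audit("192.168.1.254", wanted).items():
        print(f"{service}: {state}")
```

Run it from a machine on the LAN. It only sees the LAN side, so exposure toward the Internet has to be checked from outside your network.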

Attachment                          Size
nvg510-admin-handbook-v9.0.1.pdf    2.03 MB
nvg510-manual.pdf                   7.82 MB

Re: Hacking my NVG510 device

Hi Gregory,

Unfortunately, I do not have the same router anymore. Also, it looks like they patched those systems automatically so you could not use those tricks anymore.

I'm afraid that your only resource will be your service provider, the one that offered you that router.

Alexis

Re: Hacking my NVG510 device

I'm having trouble with this. I did exactly what this step-by-step told me: I put the nonce in the box and pressed save, and I get "message format error" when at the page. I'm on the firmware that has a 30 at the end. It would be nice if someone could help me, but I know this website is dead and I will probably not get help with the skin of my teeth, sadly :( Great router once rooted, but I need this ssh so badly. I can't enable it when in port 28, so I'm stuck on how to get this to work. Any nonce I put in, I get "message format error". I wonder if people still have this router and made it this far with it; I had mine in 2014. Help is needed badly 👍

Re: Hacking my NVG510 device

Hi Brian,

It looks like they upgraded our modems under our nose! That could explain why I had some problems in the last couple of days.

My telnet connection still works, but the nsh is forbidden. I get the same error:

Unrecognized command. Try "help".

So I suppose that's that with this hack...

The former author also mentions that it fails on newer firmware.

Thank you.
Alexis

Re: Hacking my NVG510 device

I was able to do these commands before but now I get Unrecognized command. Try "help". after using !
NVG510 software version 9.0.6h2d30
I telnet to the router and enter admin and access code and I get:
NOS/137162757700208>
after magic, I get:
NOS/137162757700208/DEBUG/MAGIC>
after ! I get the error

What did I do wrong?
Thanks,