AT&T Uverse

From WikiDevi.Wi-Cat.RU
Jump to navigation Jump to search

Overview

AT&T Uverse DSL routers are drawn from two separate hardware lines.

Both lines can be traced continuously back to 2007 and beyond.

The first line includes:

The second includes:

Brand names change within each line due to acquisitions:

Most of these were also shipped under a variety of less common names.

These lines were developed separately until 2015/16, when Pace was acquired by Arris.

Most of these are not AT&T-exclusive and they are occasionally shipped to other commercial customers.

They used to be relatively common in Europe and employed by big ISPs such as Eircom (Ireland) and Swisscom (Switzerland).

2Wire 2701HG-B in particular used to be available in the UK under the name "BT Business Hub 2".

Hardware and timeline

A typical unit in these lines is essentially a small computer, with 16-64 MB of flash memory,

a similar amount of RAM, and 1-10 kB of NVRAM for persistent configuration storage.

The CPU in 2Wire 2701 and 3801 is an obscure Trimedia design. All others use MIPS (mostly big-endian.)

The 2247 has several sub-models, including Netopia 2247NWG, Motorola 2247-02/42/62, and Motorola 2247-N8.

Despite similar names, they are substantially different internally.

NWG/02/42/62 uses an Infineon/TI MIPS little-endian CPU and an Infineon Wi-Fi chip.

  • 2247-N8 is more similar to all other Uverse devices in that it uses a Broadcom MIPS big-endian CPU.
  • 2247NWG is the oldest of these and it was already in production in 2007.
  • 2247-62 and 2247-N8 were first released around 2010.
  • NVG510 came out in 2011, followed by NVG589 in 2013 and NVG599 in 2014.

On the 2Wire/Pace side, 3801HGV was discontinued in 2013, 4111N was released in 2011,

5168NV was released in 2012, and 5268AC was released in late 2014, replacing all other models.

Firmware

2247's original "7-series" firmware (known versions include '770r6'and '787r27') is a monolithic binary

with stripped symbols, which makes it difficult to analyze (the binary has 15000 unnamed functions
that do everything from string manipulations to firewall to web UI.)

It is possible to make some headway by comparing the code against releases for other models.

Circa 2011, Motorola rolled out the NVG510 with the new "9-series" Linux-based firmware.

This firmware, with slight modifications, can be found on all subsequent models within the line.

The 2247 received a 9.x update by 2013.

Within the Pace product line, 2701s and 3801s, on top of a disassembler-unfriendly chip, use a proprietary

compression method to compress their firmware redistributables.

4111N and beyond are Linux-based and can be decompressed using standard tools (binwalk and unsquashfs.)

Serial numbers, access codes, SSIDs, and passwords

The two lines have different serial number conventions.

Devices in the Motorola/Arris line (except some 2247NWGs) always have a long numeric serial number,

which is simply the device MAC converted into decimal.

The 2Wire/Pace serial number has the form 'aabbcdeeeeee'.

Here 'aa' is 2 digits possibly encoding the manufacture date (observed possible first digits include 1,2,3,4, and 9.)

'bb' is the year ('12' for 2012, etc.), 'c' is almost always 1. 'd' varies, its exact meaning is unclear,
but all observed 3801's have a '9' here, all observed 5268AC's have a 'N', and other devices vary.

(E.g. 4111N's sometimes have an 'E', and 5168NV's with both a '9' and 'N' have been observed.)

'eeeeee' is a 6-digit sequence that may represent a sequential number of the unit in a particular year.
  • 2247NWGs don't have a default unit-specific access code.
  • 2247-62's come with a 10-digit 'modem access code', a 20-hex-lower WPA key, and a 8-oct SSID
in the form 'oooo oooo', all printed on various device labels.

The SSID is computed from the MAC by XOR'ing the first three bytes with the last three, and converting to octal.

The WPA key is generated from the access code using an algorithm that involves a MD5 hash.

It is not clear how or if the access code is derived from anything.

Motorola Netopia 2247-N8's are similar except the 'WPA key' label is absent

and the 'device access code' is presumably used as the WPA key.

3801s have a 10-digit access code, a different 10-digit WPA key, and a SSID in the form '2WIREddd'.

Here 'ddd' is the last 3 digits of the serial number.

Starting in 2011-12, Arris NVG510 / Pace 4111N / Pace 5168NV all adopt the same pattern,

replacing '2WIRE' in the SSID with the name of the ISP (commonly 'ATT',
but e.g. 'HT' for 'Hawaiian Telecom' has been observed as well.)

Starting with NVG589 (2013), Arris/Motorola line switches to a new pattern.

Now the SSID is 'ATTccccccc' and the password is 12 character long.

The charset for the SSID is [2-9 A-Z a-z], possibly except 'l', 'o', 'L', and 'O' (56 possible symbols total.)

The charset for the password is [2-9 a-z %#=+?]. Most 589s follow an additional pattern:

all characters at even positions in the SSID and at odd positions in the password
are digits (e.g. SSID ATT2a3B4c5, password 2a3B4c5#687d).

The second pattern fails in later models (this behavior is not consistent: there are non-conforming

589's dating from March 2014 as well as conforming 589's dating from May 2015.)

On the Pace side, 5268AC is the first model to adopt the same SSID/WPA convention.