How to HACK your ISP router - step by step.

Nice Video! Its a bit ironic, that we in Germany has a "Free Router Choice" per law. So the ISP has to allow to use our own router. Best law in Germany for an Networkadmin! :)

ISPs in North America: "Wait, that's illegal!"

Amazing work! @8:39 you mask your serial, but the hex is still in the left - unmasked to 383A - and later on the full packet you replay with ncat.

If its customer provided equipment you own... feel free to hack it! Watch out hacking against equipment that belongs to a telco though. It can be a felony or crime to even attempt hacking on communication provider routers

Please don't ever cut out the parts where you make mistakes in speaking. The video sounds more casual and natural. Love your videos, keep them coming!

Here in the US, I somehow convinced my local ISP to give me a sfp+ module. They are a small provider that only serves one city. Nevertheless I was getting close to doing this with the crappy ont units driving me crazy. They are the one isp I can say nice things about because they pick up the phone and don’t immediately blame me when something is wrong. Here’s to having more local ISPs and not huge companies running the internet.

You got an easy one to bypass, in France, bypassing ISP's boxes is not that easy 😋 but it's a great educational video 👍

Excellent video, Tomaz! Not too long, precise, easy to understand. I really enjoyed it. Cheers from USA!

The latter kind of comments you mentioned at the start of the video... it's always great to disprove them with a video proving them that you're right and they were wrong.
Vindication, hell yeah.

The AVN Fritzbox is actually a great device. The only downsides AFAIK, it is proprietary and you don't control it.
@2:00 That depends on what you want to hack and how experienced you are.
@2:38 It is not just a router. It is an "internet box". Everything you might need is stuffed in a box. There is a switch, a DSL modem, a WLAN module, etc.
@12:19 The "minus" is a flag, not an operator, my dude. 😉

great video might use this as a basis for mine, but more congratz for having what could be called sponsor even if its just for one video :), i wish i will get to that level one day but i have a long way to go with my crappy 360 subs.
also fun fact hacking has multiple meaning and one of them mostly used in IT is someone who achieves their goals in non standard way. there is also the phrase Hack something together which means to finding quick workaround or solution that isnt standard.

My isp forces me to use their ONT but it's configured like a bridge to Ethernet in my house. The good thing is that it works well and doesn't interfere but I keep asking about higher speeds or adding a second line. Their own ONT even has a second port they could just provision since it's not being used for IPTV or anything. But the customer support is overseas and aren't very helpful. There was one guy named Cederich on the online support, very cool guy because I ran into him twice in one week 😂.
the good news is another company has installed their own lines in our neighborhood recently and are just waiting on the city to approve the rest of the permits. Hopefully soon there'll be more competition here in my neighborhood.

Great video.
Unfortunately there's no SFP in the ISP Routers in Portugal.
For some years now not even ONTs. Its fiber directly to the router and you get only copper twisted pair out.

Excellent! Your demonstration was clear and concise, well done!

I'm all for using your own equipment, but this is the GPON equivalent of finding your PPPoE/SIP credentials and VPI/VCI. At least on the Fritzbox you can disable TR.069 manually. Unfortunately your ISP chose to use the router instead of the ONU to authenticate you on their network otherwise you probably wouldn't have noticed. Although I don't think they went above and beyond, they're probably very lazy and scan the big barcode on the box they send you. Cool addition to be able to run it in a switch, most SFP programming I've seen was directly connected to a CPU, definitely not DHCP. Nice to see you succeeded, hacking can be very frustrating ;)

Those look like good old AT commands, brings back memories of the dial up days

I have just bought the ONT LXT-010H-D ONT from Poland, it shipped really fast here in Greece. I read the content of my ISP's ONT and with telnet (Putty client) pasted the serials etc from my ISP's ONT to the Leox ONT and this is how I use my own mini-pc with intel N100 cpu and 4x2.5gbps ports and pfsense as a router

Absolutely brilliant. Thanks for the detailed explanation....

Thank you, Tomaz. Nice and quick, no fluff. Instant subscribe.
I have a Fritz in the UK, but they're expensive, I don't want to brick it. It's frustrating that they nuked ssh/telnet, I'd have been happy with that.

Finally I know how did you do that. You mentioned in previous video that on German forum, that I also followed, there is a firmware for Fritzbox that allows packet capture that by default is not available. But even with a Wireshark you can just connect any router via RJ-45 (of course you have to connect only a router that is not connected to any other device) choose the ethernet interface to capture the data sent and received between the computer and a router or modem and look for a payload. I am just wondering is is doable with Huawei HG8245X6-10 that in fact can alos work in bridge mode and then on your router eg. Mikrotik you have to configure PPPoE as I did currently. I just would like to replace this Huawei with a TP-Link converter that exists on the market a really long. The only one thing you need to know it this case - do you have a multimode or single-mode optical fiber and buy a proper gbic SFP module.

What a nice video, part laptop ad, part educational hacking video. Great!

Meanwhile my provider literally sent me a step by step description on how to set the correct VLAN and other settings for pfSense/OPNsense to configure it...

Great video for all networking enthusiasts. I myself am very satisfied with my Fritzbox for home usage (it is a very current model). Nevertheless, I was able to learn something because I now know that the Fritzbox is able to capture network traffic 🙌
I just love content like this

On previous video what found most interesting was commentators says an EU directive (in place or in making) for ISP to have an open network option, that is, you use your own ont router of FW and ISP provide basic/generic instructions how to setup.
However can’t find anything online.

The main idea why it is useful: you can have access to ont vlan’s directly in your equipment, usually it reduces devices and wires in complex setups. Same thing is much more complicated with huawei replacements, which is highly popular in some Eastern Europe regions.

I very much like the acknowledgement of bridge-mode and how it is mostly also acceptable.

My fiber ISP uses AON instead of GPON, I don't know if that makes it different but at the moment I can just use my own SFP module with a transparent "dumb" media converter and just plug that into my router of choice. Nice for now. Rumors were flying they stop this, but has been fine for years. In the beginning you needed to use MAC cloning, but if you request bridge mode, you can remove the isp modem as well for some reason. Now they have the fritz 5530 and no longer offer bridge mode, but it still works with your own equipment out of the box. The ISP modem does have a serial number but for now it seems to be irrelevant. I feel lucky because here in Austria we dont have "router freedom law" like they do in Germany.

As a former ISP technician for 5+ years I must say, good job.
In my country if you know "how to ask" (at least mainly correct terminology which shows them that you are not a complete tool and actually know what you want) ISP will let you (providing needed parameters) and in some cases if needed even help you set up your own device.

I got the same FS module you mentioned in the past video and tried to use it with my FRITZ!Box 5590 but the device keeps telling me that "No SFP module found" and gets really hot after triyng to configure it, I tried with a different ZTE module I got from AliExpress and at least it shows as "Unknown SFP module"
Is this a problem with the SFP module itself? Does the 5590 support the FS module? I am missing something?
Please I'll appreciate any help, I am struggling with this since past year

this is perfect. am i also able somehow to discover that serial when i have external ONT? like huawei small one?

I am glad that I have the opportunity to use my router for my Internet connection. This Fritzbox thing reminds me my last vacation in Germany, there I rented an apartment with a Fritzbox modem / router. I was only allow to use port 80 and 443 for outgoing traffic. So I could only get my VPN to my home server working by using port 443, which was a bit annoying.

Excellent video!

If you got to see the modems we got here in Australia, you'd be thankful for the one you are dising on.

I liked the the final part, of it not being so practical, but where is fun in that?
Thanks for the video!

Have you tried changing your router ip that was communicating with that isp ip and just merge somehow this new ip im talkin about w that same serial number and bake it into that black box w cmd? In other words, do you just need to have the serial of a neighbors router , understand what ip ranges his isp provides and get free internet forever? or the exact ip is a must also?, also are there any isp ips that are kinda universal that you can merge with that serial of your router and estabilish connection? I hope i didnt sound too dumb cuz i have no clue how these things work. Btw we dont have those extended dongles at all at my country, but what pissed me off the most is that they hard baked the dns of my isp into my router, and each time id change it they would revert it back. First time here, sorry about this essay.

That's very insightful.

Nice job. My Jurassic Fibre Nokia PON has the web config locked down so I can't even access it. Bridge mode was my only choice to secure my network. Mesh FritzBox setup from the prior DSL connection slotted straight in.

13:42 it's not just about FUN..
Simply putting router to bridge mode may not be an option for many, my ISP disabled bridge mode and only allow it if I buy a Static IP, so this 'hack' is pretty useful!

Ive been waiting for this

would this also be applicable to Innbox routers? afaik, they have built-in sfp module so i don't know if replaying the payload is even necessary here. just cloning the mac address of the innbox modem should be fine?

Great Video!

Is this GPON or XGS-PON? With the more modern Fritzboxes (5530/5590) the SFP+ is “dumb”. The SOC in the router does all the processing. So only AVM SFP+ modules work and you can’t use their SFP+ in your own router. I am amazed that with your FB it worked.

My ISP in the USA provides 10Gbps fiber using XGS-PON. They provide an ONT, but customers are allowed to use their own router (using a TP-Link Omada ER8411 with mine).
Works much better than some other ISPs that provide a combined ONT and router with some proprietary authentication scheme, that they force you to use.

Why not just set the provided router in Bridge Mode and call it a day?

I don't use my ISP router, I'm using my own opnsense box.

does router you making now have hardware pppoe offloading? since we need use PPPOE for 100M~2G (mine is 500M/500M) network here

You don't need to hack their router. Just drop your own router downstream of it that you have full control over. Now you have an edge router that is yours, you own, and only you can control. Pretty simple really. Add your own WAPs, and turn off the wifi on your cable provided router. Setup your own LAN, and route your network traffic through your edge router. Any and every business who has decent IT, does this no matter what their ISP/IP/Handoff consists of.

I really learn about how stuff works from this! Cool

I have a Calix Systems ONT from my ISP, I imagine I might have to go on a similar path. You rightly presumed in another comment it has the green connector, is that important?

Not all of the SFP's with larger shells are 'smart', or ONTs. Some are just oversized to support SC/APC connectors

Fun Fact--most ISP provided routers never change the default password. Usually the password default has a "random" generator that changes the password a fixed intervals but if you know the original, which they don't change, you can usually lookup online what the current password is based on the default seed.

Thanks for a great presentation! Even when you butchered the English words you came out on top of it. People forget how hard it is for bon English people to speak English. Well done sir 🎉

where can i read the full guide

Yay a new video

Great video.

My god, yes you're right that this is technically "hacking", but you were given a pretty nice deal of cards from your ISP:
- Your ISP's modem ship with a firmware containing an actual packet capture tool (yes it's not linked anywhere but it is available on the modem at least, which is not the case for most of them)
- The SFP module is actually exposed on the same network, and not communicating in a separate network not exposed by the modem to the outside (which I believe is what most other ISPs do)
- Your SFP module is easily physically accessible on the modem, instead of not being hidden inside the modem and accessible in a non-destructive way
Sadly, this is not as "easily" doable on other ISP's modems :(

Definitely beautiful hacking, thank you very much =)

i wonder how important or confidential is serial number? its for me just number identify the device with no user data or identification associated with it

I have read too many comments about how it is illegal because technically we are renting the equipment. If they do not offer an option to OWN, the equipment, then it is wrongly forced upon us to be rented. At least that is how I justify the fact these should be hacked and bypassed.
I am having issues getting past my Calix for my provider, but I offered to spend a couple hundred bucks to buy a replacement one that doesn't have a back door from the ISP, if they would just allow it on their network. They tell me that is absolutely not possible. Which is a lie, it is possible, they just don't want to do it. I get that I am living in an apartment and when I leave it would be super inconvenient to have to send a technician out to swap it back out... But I am willing to pay the price for both those services.

Curious what you have to say about AT&T's hellish gateway box.

1. Get a laptop with an rj45, I hate it when customers call and doesnt have a proper laptop with rj45 port or an converter. 2. ISPs doesnt mind if people doing this stuff. Just have the ability to have the stock router setup when calling in if you lost connection for trouble shooting purposes.

thx for your work

This is I guess for Telekom Slovenia TS? Eliminating Modems on A1, is quite easy also. However I don't think you can eliminate OLT unit on GPON Fiber also, ... ?

I need to learn how to do this because my ISP has the public share opened, and it can't be disabled, which is a security risk. Also when people use the ISP Hotspot I'm the one who loses speed, even after paying a premium to get those speeds.

Mine is a gpon but even with right credentials with bridge mode enabled it could not get authenticated even with same gateway address

You should hold it a against them about not having rj45, Love your videos Btw.

Man, having to do this sort of stuff just to get rid of an old, shitty router makes me so glad my ISP just lets me use my own Mikrotik router, and so all I have in my home network is a simple media converter / modem going from optical to copper. The rest is up to me.

The correct technical name for the SFP module is "čikoladica" (smal chocolate). I got a name for looking like kinder chocolate.

Glad it's optional for using the ISP router in my country. 😂
I just buy what I want, configure and done.
Only drawback we do have are the tv setup boxes that are ISP locked (on MAC address). But no big deal because I only use the internet and streaming services.

Do a video on att’s, bgw210! I need to rip their certs off so I can replace it with my ubiquiti router

Been really enjoying both videos!
I only got coax gigabit internet, so the upload sucks with only 50mbit and i cant really use any other router than a fritzbox or a ISP provided box, since there are no real alternatives in the EU/Germany other than the technicolor tc4400 which is really overpriced as a modem :(

Step 1: build your own router. Done.

The Bridge-mode comment isn’t applicable with newer hardware - my ISP supplied FRITZ!Box 5530 router has no bridge mode, leaving me with double NAT 🙈

Had quite a frustrating experience recently when i tried to update a Fritzbox. Turns out only the ISP could do that and they were several versions late already. and also they could do this at any given time so... Meh.
Upgraded my connection to a better one shortly after that, got a new Fritzbox so that was no longer an issue, at least momentarily.

forum link please

I hate the idea of "just putting your old router in bridge mode", because I hate the idea of locked-down hardware, and anyone at the ISP having access to it.

I'm from India and here the ISPs have all shifted to fibre and the ONTs (Nokia g-2425ga for me) they provided are locked down af and they do not train their on field tech to enable bridge or even login with pppoe (best to keep the customer under surveillance 😈)
Anyways, what I've tried till now is unlock the provided ont but that did not let me enable bridge mode. So I relocked it and bought a TP-Link XZ000-G7 and tried with that but still failed.
So after a long while crying in the corner someone on the national forum informed that the ISP does VLAN mapping and whatever shown on the default ONT's page is wrong because the ISP uses Alcatel OLT in the backend which has issues with the customer side equipment if it's 3rd party.
So now I'll try VLAN scanning using UART since that is the only way and see if I can achieve full control over the service I paid for. Btw, the ISP doesn't do mac-binding

thanks a lot - if you got more in-depth videos like that, i'm looking forward you upload more stuff like that. cheers from right around the corner ;)

Hey I have an internet issue basically my games don’t feel right when I’m online but when I disconect to offline they feel fine and I’m not talking about lag or anything like that because I get my speed I pay for it’s like a weird Desync sort of delay that makes my inputs not feel snappy 😢 so I cannot play competitively online it completely ruins the experience if anyone can help im any way please your input would mean a lot

I received updated fritz 7530ax modem/router for fibre which I put in bridge mode network /mesh with old fritz 7530 downstairs router mode enough fun for me! Interesting. Not a hack though.

Why did you need a windows laptop?

Great video!
Technically it's not a modem, because it doesn't modulate/demodulates analog signals, there is only digital signals.
Also, a PON stick being utilized in such a manner, directly locked down to customer premises equipment (CPE), is not a common practice observed in ISP setups here in the Nordic. ONT's instead of pon sticks so the customer can bring their own hardware if would like. also there is L3 switches
I get that these are oversimplification of the technology and that most of the people that will probably watch this video doesn't care :)
-jr network engineer c:

I wouldn't mind if you made a Slovenian version

Glad my ISP just uses plain fiber ethernet, and with no 802.1x or weird vlans. Just stuff in any compatible $10 SFP module and it just works - unlike this GPON based stuff which requires at least a bit of hackery, ISP assisted provisioning (which they will usually refuse to do) or both.

Recently my ISP switched my router.
The new one:
- Has 2 ports (excuse me, what year do we live in?)
- Has about 5m usable Wi-Fi range.
- Shuts off the internet access regularly for a few seconds because the public IP expires (like what?)
I'm lucky enough to have a separate gigabit switch and an AP in my office.
Oh and while we're at it. They shut off my internet for an entire bloody day before switching out my old router, because we got assigned an IPv6 address (god why) at 2am and the old one was v4-only. Arghhhh...

My ISP router doesn't even have a bridge mode, and recently they "locked" all access to the interface (its all remote with their own tools), F that! I'll try this someday~

My ISP in Switzerland: we don’t give you a router but we suggest a fritzbox fiber. But if you need help with pfsense, feel free to contact our nerd employees by phone or mail. This should be standard procedure

8:44 you forgot to censor the hex part of payload

"...just put the ISP router in the bridge mode...". (The ISP device is in that case only being used for its ONT.) Well, that is not always possible. In my case, I have a fancy communications cabinet which the architect built into my wall where all the in- and out- going cabling is placed. That cabinet is unfortunately very small and the ISP device is bulky - I cannot manage to fit that device, my router and the corresponding power bricks in the tiny space available. So, if instead I use my own ONT (a pretty small box) and my own router than I'm fine. Of course, that approach requires specific knowledge and (in some cases) some "hacking". And if in addition you want to retain the IPTV and the telephone service (I don't), the project becomes a bit more complex.
A silly reason to get rid of the ISP device altogether, I know, so I thought I would share it with you. And BTW my greatest compliments and admiration to you Tomaž for your excellent presentation of an excellent work! Iskrene čestitke! 😉

Hmmm...will try to do that on t-2 😏

Kolk enih problemov s Telekomom ....
Pri mojem ponudniku sem SFP vtaknil v ruter in to je to.

What annoys me with ISPs is that they tie the WAN access to the serial number of the ONT. On my setup, the PPPoE connection is handled by the router, but I still need an ONT sending its serial number along, which is just unnecessary. A media converter would do the same thing. Is it possible to spoof the ONT's serial to the OLT on the ISP's side so people running their own routers can skip the fibre modem entirely? It would save people a couple of bucks (the cheapest ONT costs about twice what you pay for a media converter) and streamline their setups (I need to keep my ONT up to date - a media converter not so much).
And before anyone asks - I checked, this would be perfectly legal, at least in Germany. They can't force anyone to use specific equipment according to § 73 TKG (3). They also don't have to support you to set up your own, though. You may use whatever device you seem fit, as long as you don't disturb the public network.

Anyone that turns a lawnmower into a vacuum cleaner is also a hacker.

I use to use the ISP SFP module from my Bell HomeHub300 in my UDM Pro, for Two Years the internet worked Perfect, however Unify did an Update and now the SFP Module sometimes doesn't work or if it does, only for an Hr then cut out. Anyone have any Idea why it did this? and Yes I tried Downgrading the UDM Pro Software, however that did Nothing. Now I'm Stuck with the HomeHub going into the UDM Pro 😞

My ISP bridged the router and I control my network now.
Good for me. Bad for Murica people.

Unfortunately, just because you paid for it and own it, that doesn't mean you can legally modify it. E.g. Purrari modded Ferrari.

I like your videos

Hacking sometimes involves material loss.

Hacking is more about the spirit of tinkering and protecting your right to own. You dont have to break into systems or protections to hack. Anyway, whatever you feel like doing.

👍🏻👍🏻👍🏻👍🏻👍🏻