Hi,
I just found out that the Quectel EC20 modem is another Linux system that comes in the MiFi.
You can also access the shell over serial I will explain below.
I came across that there is an AT command that allows you to run Linux commands on the modem itself:
echo -e "AT+QLINUXCMD="cat /proc/cpuinfo > /dev/ttyGS0"" > /dev/ttyUSB3
To get output you then
cat /dev/ttyUSB1
Processor : ARMv7 Processor rev 1 (v7l)
BogoMIPS : 9.61
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc05
CPU revision : 1
Hardware : QCT MSM9615 CDP
Revision : 0000
Serial : 0000000000000000
So knowing that results can be outputted to another serial interface what happens if you start up a serial console using:
echo -e "AT+QLINUXCMD="/sbin/getty -L ttyGS0 115200 console &"" > /dev/ttyUSB3
Using minicom -D /dev/ttyUSB1
we got a shell!
Now issue is that there is a password set on the modem login.
9615-cdp login: root
Password:
Login incorrect
We can use this command to clear the password for the root user echo -e "AT+QLINUXCMD="passwd > /dev/ttyGS0"" > /dev/ttyUSB3
After the password is changed we can then use the above command echo -e "AT+QLINUXCMD="/sbin/getty -L ttyGS0 115200 console &"" > /dev/ttyUSB3
to start up serial again and use minicom to login
9615-cdp login: root
Password:
root@9615-cdp:~#
You should now use passwd to change the root password of your choice.
Now we have root access to the modem!
Just a warning as modifying anything in the modem can cause it to brick as the root file system is persistence in R/W mode so I am not responsible if you brick your modem.