I just found out that the Quectel EC20 modem is another Linux system that comes in the MiFi.
You can also access the shell over serial I will explain below.
I came across that there is an AT command that allows you to run Linux commands on the modem itself:
echo -e "AT+QLINUXCMD="cat /proc/cpuinfo > /dev/ttyGS0"" > /dev/ttyUSB3
To get output you then
cat /dev/ttyUSB1 Processor : ARMv7 Processor rev 1 (v7l) BogoMIPS : 9.61 Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 CPU implementer : 0x41 CPU architecture: 7 CPU variant : 0x0 CPU part : 0xc05 CPU revision : 1 Hardware : QCT MSM9615 CDP Revision : 0000 Serial : 0000000000000000
So knowing that results can be outputted to another serial interface what happens if you start up a serial console using:
echo -e "AT+QLINUXCMD="/sbin/getty -L ttyGS0 115200 console &"" > /dev/ttyUSB3
minicom -D /dev/ttyUSB1 we got a shell!
Now issue is that there is a password set on the modem login.
9615-cdp login: root Password: Login incorrect
We can use this command to clear the password for the root user
echo -e "AT+QLINUXCMD="passwd > /dev/ttyGS0"" > /dev/ttyUSB3
After the password is changed we can then use the above command
echo -e "AT+QLINUXCMD="/sbin/getty -L ttyGS0 115200 console &"" > /dev/ttyUSB3 to start up serial again and use minicom to login
9615-cdp login: root Password: root@9615-cdp:~#
You should now use passwd to change the root password of your choice.
Now we have root access to the modem!
Just a warning as modifying anything in the modem can cause it to brick as the root file system is persistence in R/W mode so I am not responsible if you brick your modem.