MiFi modem (Quectel EC20) has another Linux system inside

Hi,

I just found out that the Quectel EC20 modem is another Linux system that comes in the MiFi.

You can also access the shell over serial, which I will explain below.

I came across an AT command that allows you to run Linux commands on the modem itself:
echo -e 'AT+QLINUXCMD="cat /proc/cpuinfo > /dev/ttyGS0"' > /dev/ttyUSB3

To get the output you then run:

cat /dev/ttyUSB1

Processor : ARMv7 Processor rev 1 (v7l)
BogoMIPS : 9.61
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc05
CPU revision : 1
Hardware : QCT MSM9615 CDP
Revision : 0000
Serial : 0000000000000000

So, knowing that results can be output to another serial interface, what happens if you start up a serial console using:
echo -e 'AT+QLINUXCMD="/sbin/getty -L ttyGS0 115200 console &"' > /dev/ttyUSB3

Using minicom -D /dev/ttyUSB1 we got a shell!

Now the issue is that there is a password set on the modem login.


9615-cdp login: root
Password:
Login incorrect

We can use this command to clear the password for the root user: echo -e 'AT+QLINUXCMD="passwd > /dev/ttyGS0"' > /dev/ttyUSB3

After the password is changed we can then use the above command echo -e 'AT+QLINUXCMD="/sbin/getty -L ttyGS0 115200 console &"' > /dev/ttyUSB3 to start up serial again and use minicom to log in.


9615-cdp login: root
Password:
root@9615-cdp:~#

You should now use passwd to set a root password of your choice.

Now we have root access to the modem!

Just a warning: modifying anything in the modem can cause it to brick, as the root file system is persistent in R/W mode, so I am not responsible if you brick your modem.
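The procedure above, as an added example that is not from the original post: a small Python helper that frames an AT+QLINUXCMD line with the CR LF terminator the later "correct command" reply adds, uses shlex to show why the nested double quotes in the posted echo line are split by the host shell before anything reaches the modem, and parses the /proc/cpuinfo text read back on the other port. Port names and the ttyGS0 redirection are the thread's; the sample cpuinfo is the thread's output re-typed as constructed input. The security point it makes concrete is that this AT command runs arbitrary shell commands as root, so anyone able to write to the modem's USB serial port already has root on it regardless of the login password.

```python
"""Added example (not from the thread): frame AT+QLINUXCMD lines, show the
host-shell quoting problem in the originally posted command, and parse the
/proc/cpuinfo text that comes back on the readback port."""
import shlex

AT_PORT = "/dev/ttyUSB3"        # AT command port (as in the first post)
READBACK_PORT = "/dev/ttyUSB1"  # host side of /dev/ttyGS0 on the modem


def frame_qlinuxcmd(linux_cmd: str, redirect: bool = True) -> bytes:
    """Bytes to write to AT_PORT for one Linux command.

    The argument is double-quoted for the modem's AT parser, stdout is
    redirected to ttyGS0 so the host can read it, and the line ends with
    CR LF as the later 'correct command' post adds.  Whether the modem's
    parser supports escaped quotes is unknown, so a command containing a
    double quote is refused rather than guessed at."""
    if '"' in linux_cmd:
        raise ValueError("double quotes inside the command are not supported")
    if redirect:
        linux_cmd = f"{linux_cmd} > /dev/ttyGS0"
    return f'AT+QLINUXCMD="{linux_cmd}"\r\n'.encode("ascii")


def host_shell_tokens(line: str) -> list[str]:
    """How a POSIX shell splits a command line (shlex follows the same
    quoting rules).  A nested unescaped double quote ends the outer string,
    so the modem never receives the quoted argument the author intended."""
    return shlex.split(line)


def parse_cpuinfo(text: str) -> dict[str, str]:
    """Parse 'key : value' lines read from READBACK_PORT into a dict;
    lines without a colon are skipped."""
    info: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


# /proc/cpuinfo lines as quoted in the thread (constructed sample input).
SAMPLE_CPUINFO = """Processor : ARMv7 Processor rev 1 (v7l)
BogoMIPS : 9.61
Hardware : QCT MSM9615 CDP
Revision : 0000
"""

if __name__ == "__main__":
    broken = 'echo -e "AT+QLINUXCMD="cat /proc/cpuinfo > /dev/ttyGS0"" > /dev/ttyUSB3'
    print(host_shell_tokens(broken))          # quoted argument is lost
    print(frame_qlinuxcmd("cat /proc/cpuinfo"))
    print(parse_cpuinfo(SAMPLE_CPUINFO)["Hardware"])
```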

Very interesting post, thanks for the info!

good hack!

This is great, but I'm just trying to figure out how to change the EC20's IMEI so it can be recognized by our development server. Does anybody know how to do this?

I know it's possible; I've seen people do it for automotive systems. Thank you in advance.


Correct command:

opkg update; opkg install minicom

echo -e 'AT+QLINUXCMD="/sbin/getty -L ttyGS0 115200 console &"\r\n' > /dev/ttyUSB2

minicom -D /dev/ttyUSB1


heavmetal: excellent work. Did you know about this project?

The password listed there is: oelinux123

No need to even change it. This is great!

Technically I think it is not really a Linux system but an embedded Android system (that of course uses a Linux kernel).

The link you posted mentions debugging with adb (and you can see adbd running on it), which is a typical Android tool.

The OS of the Quectel chips uses OpenEmbedded and makes use of the Android bootloader and adb. This makes it quite versatile. Also, the system is much more powerful: 800 MHz, 256 MB RAM. The root is mounted r/w, which means that one can add opkg and add software, but also that changing things without caution could brick the unit. This is a huge advancement and makes the MiFi an even greater tool.

This may also enable the unlocking of other LTE channels. Has anyone tried?

Did you know about this project?
I did after some more research on the chipset.