BEC 6300 Ridgewave 4G/LTE router

I have searched but can't find any similar devices..

I am looking to build OpenWRT for the BEC (Billion) 6300 NEL (NZL?) "Ridgewave" router.

This is some sort of a mongrel device.. (this post is mainly a brain dump of my investigations..)

Thus far popping the lid off reveals it's an RT63368F-based device, with an RTL8367RB ethernet chip and an RT5392L wifi chip. I see that this CPU, ethernet and wifi are all supported, in different devices. It also has a miniPCIe socket with a Sierra Wireless AirPrime card in it.

The device has telnet and ssh available, but it drops you into a ZyXEL CLI instead of a shell (at least when logging in as "admin"; there are references to "support", but there doesn't appear to be such a user).

Most of the commands available in a normal ZyXEL shell are disabled. I've tried a few methods to escape the shell but haven't been successful yet. ftp://ftp2.zyxel.com/P-660W-T1_v2/cli_reference_guide/P-660W-T1%20v2_1.pdf

Analysing the firmware format, it's almost identical to the TrendChip firmware as documented here:

Running tcrevenge across the firmware images I have looks very close, but just a tiny bit off:

$ tcrevenge -c BEC-6300NEL-1.06.1.167.afw 
Manual check (binwalk): header size must be 256 (0x0100)
Magic number: 0x32524448 found 0x32524448 ...ok
Magic device: 0x00000100 found 0x00000100 ...ok
tclinux.bin size: 11303849 found 11303849 ...ok
tclinux.bin chekcsum: 0xF0E5BEE0 found 0xF0E5BEE0 ...ok
Manual check Firmware version: 7.0.1.0 found 7.0.1.0. If they differ use -v to adjust.
Manual check (binwalk): squashfs offset must be at 0x0010EBA9
Manual check (mtd partition dump): squashfs size (padded to erase_size at 4K (0x1000)) must be at 10194944 (0x009B9000)
Manual check (all tests have been done with model 3) Model: 3 6035 122 74 found 6300NZL. If they differ use -m to adjust.

I.e. from the above, opening the firmware in a hex editor, I see that the offset is 10EAA9 instead of 10EBA9, and I'm not sure why the device has NZL in the firmware file when the actual model is identified as an NEL on the sticker.

Running a binwalk -e across the firmware image with sasquatch available extracts the header, which is a 7z archive, and the squashfs..

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
256           0x100           LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3394840 bytes
1108905       0x10EBA9        Squashfs filesystem, big endian, version 3.0, size: 10193555 bytes, 1429 inodes, blocksize: 65536 bytes, created: 2017-10-13 05:10:46

Backup and restore functionality is available; it will upload and download the config file in XML format to/from a TFTP server. The XML config file uploaded contains the admin password in plain text, and credentials and URLs for TR069, MQTT (over SSL) etc.

It runs the Boa web server, and "vibe" is installed but not configured, so it may be possible to push in binaries or scripts to where the vibe files are supposed to be, in order to run other things, such as ssh calling bash/busybox instead of whatever the ZyXEL interface is.

There's also ftp, SMB, and other things installed and enabled. Seems like lots of avenues to get root on this thing, then dump out the mtd layout etc.

Poking around in the extracted squashfs, there are lots of interesting things available through the webserver. I have also discovered that the .cgi files in the cgi-bin directory can be accessed without authenticating.

access_acllist.cgi
access_ipfilterlist.cgi
access_urlfilterlist.cgi
adv_qoslist.cgi
adv_routing_table.cgi
dhcp_client_list.cgi
dhcp_static_list.cgi
dm_log.cgi
dmz_table.cgi
Dualwan_protocolbindlist.cgi
getCANames.cgi
getCertNames.cgi
hidden_gct.cgi
home_pvclist.cgi
ipaddr_table.cgi
portbinding_table.cgi
porttriggering_list.cgi
status_ipseclog.cgi
status_log1.cgi
status_log_bhati.cgi
status_log.cgi
status_voip_call_log1.cgi
status_voip_call_log.cgi
status_voip_call_log_miss1.cgi
status_voip_call_log_miss.cgi
status_voip_call_log_out1.cgi
status_voip_call_log_out.cgi
trace.cgi
virsvr_table.cgi
virsvr_table_local_port.cgi
virsvr_table_nolocal_port.cgi
voip_log.cgi
voip_media2.cgi
voip_media.cgi
voip_speed_dial.cgi

The log ones are interesting; status_log_bhati.cgi outputs the content of dmesg:

text.imem !!
Remaining IMEM space: -4248 bytes	Section Size: 728 bytes
PCI: Enabling device 0000:01:00.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:01:00.0 to 64
Mirror/redirect action on
Ebtables v2.0 registered
igmpsnoop V1.1.0.0 (Feb 13 2012-20:16:36)

mldsnooping V1.1.0.0 (Feb 13 2012-20:16:36)
eth0: starting interface.
alloc_sram p=bc000800 free=7800
alloc_sram p=bc002800 free=5800
Start to init Realtek 8367 Switch
rtk_init smi_init ret = 0 SCK_GPIONUM(24) SDA_GPIONUM(26)
rtk_init rtk_switch_init ret = 0
WAN_PORT = 4
rtk_init rtl8367b_getAsicPHYReg ret = 0 phyData=0x1140
rtk_init rtl8367b_setAsicPHYReg ret = 0
rtk_init rtl8367b_getAsicPHYReg ret = 0 phyData=0x1940
rtk_init rtk_port_rgmiiDelayExt_set ret = 0
rtk_init rtk_port_macForceLinkExt_set ret = 0
rtk_init rtk_port_macStatus_get ret = 0
speed(2), duplex(1), link(1)

macSetUpPhy: swicVendor (9)

macRxPortEnable swicVendor 9


 BILLION_RTL8367 lan_port_map

Ralink HW NAT Module Enabled
device eth0 entered promiscuous mode
now bb MainSsid mac 60:03:47
0x1300 = 00064380
jiffies=ffff9230, POLLING_MODE_DETECT_INTV=300
device ra0 entered promiscuous mode
TC3162 hardware watchdog initialized

Enabling SSL security system , port:443

SSL security system enabled[RTL8367] rtk_VLAN_SET_EN.. wan_port(4)(active=0)
rtk_vlaninit:: smi_init ret = 0 SCK_GPIONUM(24) SDA_GPIONUM(26)
rtk_cpu_enable_set:: ret 0 
rtk_cpu_tagPort_set:: ret 0 
rtl8367b_setAsicCputagMode(1):: ret 0 
rtl8367b_getAsicCputagMode(1):: ret 0 
[RTL8367] rtk_SET_VID.. index:0 active:1 vid:1 portMap:0x4f untagPortMap:0xbf
[RTL8367] rtk_SET_VID.. index:1 active:1 vid:5 portMap:0x50 untagPortMap:0xbf
config:: UCAST_UNKNOWNDA action(0)
config:: UCAST_UNKNOWNSA action(0)
config:: UCAST_UNMATCHSA action(0)
config:: port 0 vid(1) pri(0) ret(0) mac_cnt(840)
config:: port 1 vid(1) pri(0) ret(0) mac_cnt(840)
config:: port 2 vid(1) pri(0) ret(0) mac_cnt(840)
config:: port 3 vid(1) pri(0) ret(0) mac_cnt(840)
config:: port 4 vid(5) pri(0) ret(0) mac_cnt(840)
config:: port 5 vid(1) pri(0) ret(0) mac_cnt(840)
config:: port 6 vid(5) pri(0) ret(0) mac_cnt(0)
config:: port 7 vid(1) pri(0) ret(0) mac_cnt(840)
[RTL8367] rtk_SET_CAP..(port=3) Disable
[RTL8367] rtk_SET_CAP..(port=2) Disable
[RTL8367] rtk_SET_CAP..(port=1) Disable
[RTL8367] rtk_SET_CAP..(port=0) Disable
eth0.1: add 33:33:00:00:00:01 mcast address to master interface
eth0.1: add 01:00:5e:00:00:01 mcast address to master interface
eth0.2: add 33:33:00:00:00:01 mcast address to master interface
eth0.2: add 01:00:5e:00:00:01 mcast address to master interface
eth0.3: add 33:33:00:00:00:01 mcast address to master interface
eth0.3: add 01:00:5e:00:00:01 mcast address to master interface
eth0.4: add 33:33:00:00:00:01 mcast address to master interface
eth0.4: add 01:00:5e:00:00:01 mcast address to master interface
device eth0 left promiscuous mode
br0: port 1(eth0) entering disabled state
[RTL8367] rtk_VLAN_SET_EN.. wan_port(4)(active=1)
rtk_cpu_enable_set:: ret 0 
rtk_cpu_tagPort_set:: ret 0 
rtl8367b_setAsicCputagMode(1):: ret 0 
rtl8367b_getAsicCputagMode(1):: ret 0 
rtk_init rtl8367b_getAsicPHYReg ret = 0 phyData=0x1940
rtk_init rtl8367b_setAsicPHYReg ret = 0
rtk_init rtl8367b_getAsicPHYReg ret = 0 phyData=0x1140
[RTL8367] rtk_SET_VID.. index:0 active:1 vid:1 portMap:0x4f untagPortMap:0xbf
[RTL8367] rtk_SET_VID.. index:1 active:1 vid:5 portMap:0x50 untagPortMap:0xbf
[RTL8367] rtk_SET_PVID..(port=0) (pvid=1)
[RTL8367] rtk_SET_PVID..(port=1) (pvid=1)
[RTL8367] rtk_SET_PVID..(port=2) (pvid=1)
[RTL8367] rtk_SET_PVID..(port=3) (pvid=1)
[RTL8367] rtk_SET_PVID..(port=4) (pvid=5)
[RTL8367] rtk_SET_PVID..(port=6) (pvid=1)
========================insmod iptable_filter=======================
ip6_tables: (C) 2000-2006 Netfilter Core Team
check_and_set_forwardchain pre_filter_state is 0, delete ipfilter, app filter and url filter chain
usb 2-2: new high speed USB device using rt3xxx-ehci and address 2
ewan_transpare_vtag(0)
usb 2-2: config 1 has an invalid interface number: 8 but max is 4
usb 2-2: config 1 has an invalid interface number: 10 but max is 4
usb 2-2: config 1 has no interface number 1
usb 2-2: config 1 has no interface number 4
usb 2-2: configuration #1 chosen from 1 choice

RTL8367 EWAN VLAN tagged transparent disabled

Flush RTL8367 Address table
usbcore: registered new interface driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
drivers/usb/serial/usb-serial.c: USB Serial Driver core
drivers/usb/serial/usb-serial.c: USB Serial support registered for GobiSerial
GobiSerial 2-2:1.0: GobiSerial converter detected
usb 2-2: GobiSerial converter now attached to ttyUSB0
GobiSerial 2-2:1.2: GobiSerial converter detected
usb 2-2: GobiSerial converter now attached to ttyUSB1
br0: port 6(eth0.4) entering learning state
br0: port 5(eth0.3) entering learning state
br0: port 4(eth0.2) entering learning state
br0: port 3(eth0.1) entering learning state
br0: port 2(ra0) entering learning state
br0: topology change detected, propagating
br0: port 6(eth0.4) entering forwarding state
br0: topology change detected, propagating
br0: port 5(eth0.3) entering forwarding state
br0: topology change detected, propagating
br0: port 4(eth0.2) entering forwarding state
br0: topology change detected, propagating
br0: port 3(eth0.1) entering forwarding state
br0: topology change detected, propagating
br0: port 2(ra0) entering forwarding state
GobiSerial 2-2:1.3: GobiSerial converter detected
usb 2-2: GobiSerial converter now attached to ttyUSB2
usbcore: registered new interface driver GobiSerial
GobiSerial: 1.0.30/SWI_2.4_K2.6.22
[RTL8367] rtk_SET_CAP..(port=3) Enable
[RTL8367] rtk_SET_CAP..(port=2) Enable
[RTL8367] rtk_SET_CAP..(port=1) Enable
[RTL8367] rtk_SET_CAP..(port=0) Enable
GobiNet: 2014-10-09/SWI_2.27
Port 2 = 2 name(GobiNet)
ppp11: register 'GobiNet' at usb-rt3xxx-2, GobiNet Ethernet Device, 86:e8:74:
RawIP mode
Radvd function activated!
dhcp6s parameter activated by exec!
read WLAN driver from rt_device success!
start snat 0
start snat 1
start snat 2
start snat 3
start snat 4
start snat 5
start snat 6
start snat 7
Portmirror_boot 
Portmirror_execute uu
Portmirror_execute 
====>/userfs/bin/ethphxcmd rtl8367 ewanmir disabled 1 0=====================================

RTL8367 EWAN Mirror disabled

Enter cwmp boot, we will start tr69 Process
Parental Control: parental_execute() Enter.
creating qcqmi0 netname(ppp11) GobiQMIIndex(0) GobiQMI0Index(0)
Port 2 = 2 name(GobiNet)
ppp11.1: register 'GobiNet' at usb-rt3xxx-2, GobiNet Ethernet Device, 86:e8:74:
RawIP mode
function key:VPN disable , pptp_boot 5588
function key:VPN disable , pptpc_boot 5261
function key:VPN disable , l2tp_boot 6149
dualwan_boot 
RTL8367 LAN Isolation enabled
Port(0) fwd_mask_lan(4f)
Port(1) fwd_mask_lan(4f)
Port(2) fwd_mask_lan(4f)
Port(3) fwd_mask_lan(4f)
webserver_boot.
creating qcqmi0.1 netname(ppp11.1) GobiQMIIndex(0) GobiQMI0Index(1)
usbcore: registered new interface driver GobiNet
webserver_boot boa.
firewall6 is deactive

Enabling SSL security system , port:443

SSL security system enabledlargeD flag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511)
LB 3G up:killall -29 3gfun
---------------------issue ::killall -29 3gfun
Link State: DSL link up.
wan_write
if_count 1 none_cnt 36 22 36
firewall6 is deactive
ewan_transpare_vtag(0)

RTL8367 EWAN VLAN tagged transparent disabled

Flush RTL8367 Address table
ThreadedTimerCheck: get last for first time
Link State: LAN_1 up.
Clean Reset ...
firewall6 is deactive
FSN: LQ81377

The etc directory is a symlink to /tmp/etc, and in the squashfs /tmp only contains xl2tpd-control (layer 2 tunnel), so it must be generating the contents of /tmp/etc (and /tmp/var) on boot from somewhere. There is a /usr/etc directory containing inittab, with:

::sysinit:/usr/etc/init.d/rcS
::askfirst:/sbin/getty -L ttyS0 115200 vt100

The rc.S is quite a large script, but very early in it I see "/bin/busybox cp -a /usr/etc /tmp", so that explains that.

rc.S content is here: https://pastebin.com/bzZtzJTP

I see that's also where it forces the CLI menu or just a shell.

None of the obvious exploits seem to work thus far. The profile.cfg under /userfs is where the rc.S gets its defaults from, so I figured if I could modify that file, I could configure it so it will run a root shell instead of the CLI menu.

I tried formatting a USB key as e2fs and creating a symlink on it to /userfs/profile.cfg, hoping the config would be dumb enough for the SMB server on it that it would pass it through, but after finally managing to mount the share (it's configured for SMB 1.0), there's just a "dev" directory in there, which I can't go into, so it's not using the USB key as the root of the share. ADMIN$ and IPC$ don't mount, returning an I/O error, as I pretty much expected.

The FTP server has directory listing disabled, so you don't know where in the fs you are, and trying to pull files which should exist always results in "no such file or directory", so I presume it's in a chroot jail somewhere.
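A small image inspector for the firmware layout discussed in this post, added here as an example; it is not code from the post, from tcrevenge or from binwalk. The only layout facts it relies on are the ones visible above: the tclinux header magic 0x32524448 ("2RDH") at offset 0 and a 256-byte header (from the tcrevenge output), the LZMA-alone header (properties byte, 4-byte little-endian dictionary size, 8-byte little-endian uncompressed size) that binwalk found at 0x100, and the squashfs superblock (magic at +0, inode count at +4, major/minor version at +28/+30; "sqsh" for the big-endian v3 image here, "hsqs" for little-endian images). The remaining header fields are not parsed. The sample image is constructed inline with the same field values binwalk reported, so the script runs offline; point it at a real .afw to get the actual numbers. It reports every squashfs offset twice, absolute and relative to a header-stripped extract, since the two differ by exactly 0x100.

```python
"""Locate header, LZMA kernel and squashfs rootfs in a tclinux-style image."""
import struct

TCLINUX_MAGIC = 0x32524448          # "2RDH", first header word (tcrevenge output)
TCLINUX_HEADER_LEN = 0x100          # tcrevenge: "header size must be 256"
SQUASHFS_MAGICS = {b"sqsh": ">", b"hsqs": "<"}   # magic bytes -> struct byte order


def parse_lzma_header(blob, off):
    """Decode the 13-byte LZMA-alone header at blob[off:] (props, dict, size)."""
    props, dict_size, usize = struct.unpack_from("<BIQ", blob, off)
    if props >= 9 * 5 * 5:
        return None                 # props byte cannot encode lc/lp/pb
    pb, rem = divmod(props, 45)     # props = (pb * 5 + lp) * 9 + lc
    lp, lc = divmod(rem, 9)
    return {"props": props, "lc": lc, "lp": lp, "pb": pb,
            "dict_size": dict_size, "uncompressed_size": usize}


def find_squashfs(blob):
    """Yield (offset, byte_order, major, minor, inodes) for each squashfs magic."""
    for magic, order in SQUASHFS_MAGICS.items():
        pos = blob.find(magic)
        while pos != -1:
            if pos + 32 <= len(blob):
                inodes = struct.unpack_from(order + "I", blob, pos + 4)[0]
                major, minor = struct.unpack_from(order + "HH", blob, pos + 28)
                yield pos, order, major, minor, inodes
            pos = blob.find(magic, pos + 1)


def pad_to_erase(size, erase_size=0x1000):
    """Round a payload up to the erase-block size, as tcrevenge's 4K check does."""
    return (size + erase_size - 1) & ~(erase_size - 1)


def inspect_image(blob):
    """Describe the image; raise if the tclinux magic is missing."""
    magic = struct.unpack_from(">I", blob, 0)[0]
    if magic != TCLINUX_MAGIC:
        raise ValueError("not a tclinux image: magic 0x%08x" % magic)
    report = {"header_len": TCLINUX_HEADER_LEN,
              "lzma": parse_lzma_header(blob, TCLINUX_HEADER_LEN),
              "squashfs": []}
    for off, order, major, minor, inodes in find_squashfs(blob):
        if off < TCLINUX_HEADER_LEN:
            continue                # ignore anything inside the header itself
        report["squashfs"].append({
            "offset": off,
            "offset_without_header": off - TCLINUX_HEADER_LEN,  # as seen in extract "100"
            "endian": "big" if order == ">" else "little",
            "version": "%d.%d" % (major, minor),
            "inodes": inodes,
            "size_to_end": len(blob) - off,
            "size_padded_4k": pad_to_erase(len(blob) - off),
        })
    return report


def build_sample_image():
    """Constructed miniature image (not real firmware) carrying the field values
    binwalk reported above, so the parser can be exercised offline."""
    header = struct.pack(">I", TCLINUX_MAGIC).ljust(TCLINUX_HEADER_LEN, b"\0")
    lzma = struct.pack("<BIQ", 0x5D, 8388608, 3394840) + b"\xaa" * 0x1000
    sb = bytearray(96)
    sb[0:4] = b"sqsh"                          # big-endian squashfs magic
    struct.pack_into(">I", sb, 4, 1429)        # inode count
    struct.pack_into(">HH", sb, 28, 3, 0)      # s_major = 3, s_minor = 0
    return header + lzma + bytes(sb) + b"\x55" * 0x1234


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for key, value in inspect_image(data).items():
        print(key, value)
```

Running it against a real image gives the squashfs offset to compare with the tcrevenge expectation and the 4K-padded size; the LZMA properties byte 0x5D decodes to lc=3, lp=0, pb=2, the compressor defaults.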

OK, well that was easy..

if [ "$TCSUPPORT_RA_MENU" != "" ] ;then
    utelnetd -l /userfs/bin/ra_menu -d
else
    utelnetd -l /userfs/bin/login -d
fi

The above code in rc.S had me thinking it was calling ra_menu, but the profile.cfg doesn't contain TCSUPPORT_RA_MENU=y (or anything), and there is no ra_menu, so it must be calling login..

$ file login
login: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

Let's see if there's any useful text in that binary..

$ strings login|more
Account_Entry0
username
web_passwd
AutoGenerate_Entry
custom
serial_app
login: 
Password: 
B3cAdm1n
B3C@Matrix3301
gongdaowuRd
5753268
Login incorrect
/userfs/bin/sc
PATH
/userfs/bin:/usr/sbin:/bin:/usr/bin:/sbin
/bin/sh
/userfs/bin/cli

Hmm. I wonder..

Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
login: B3cAdm1n
Password: B3C@Matrix3301

#

sigh.

Let's get some info..

# echo $USER
root

# more /etc/passwd
admin:$1$$/k3ZVBQUSXq.KEIR1xnLL.:0:0:root:/:/bin/sh
B3cAdm1n:$1$$SliNdkTWqix0n38ZehELU1:0:0:root:/:/bin/sh

# uname -a 
Linux home.gateway 2.6.22.15 #3 SMP Wed May 9 10:15:56 CST 2018 mips unknown

# cat /proc/cpuinfo 
system type             : Ralink RT63365 SOC
processor               : 0
cpu model               : MIPS 34K V5.5
BogoMIPS                : 465.30
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp mt
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned accesses      : 57759300

processor               : 1
cpu model               : MIPS 34K V5.5
BogoMIPS                : 349.79
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp mt
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned accesses      : 57759300

processor               : 2
cpu model               : MIPS 34K V5.5
BogoMIPS                : 349.79
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp mt
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned accesses      : 57759300

processor               : 3
cpu model               : MIPS 34K V5.5
BogoMIPS                : 348.97
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp mt
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned accesses      : 57759300

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00010000 00010000 "bootloader"
mtd1: 00010000 00010000 "romfile"
mtd2: 0010f300 00010000 "kernel"
mtd3: 009ce000 00010000 "rootfs"
mtd4: 00fa0000 00010000 "tclinux"
mtd5: 00040000 00010000 "reservearea"

# cat /proc/partitions 
major minor  #blocks  name

  31     0         64 mtdblock0
  31     1         64 mtdblock1
  31     2       1084 mtdblock2
  31     3      10040 mtdblock3
  31     4      16000 mtdblock4
  31     5        256 mtdblock5
   8     0    1966080 sda
   8     1    1965056 sda1

# ps auxww
  PID  Uid     VmSize Stat Command
    1 admin       436 S   init       
    2 admin           SW< [kthreadd]
    3 admin           SW< [migration/0]
    4 admin           SWN [ksoftirqd/0]
    5 admin           SW< [migration/1]
    6 admin           SWN [ksoftirqd/1]
    7 admin           SW< [migration/2]
    8 admin           SWN [ksoftirqd/2]
    9 admin           SW< [migration/3]
   10 admin           SWN [ksoftirqd/3]
   11 admin           SW< [events/0]
   12 admin           SW< [events/1]
   13 admin           SW< [events/2]
   14 admin           SW< [events/3]
   15 admin           SW< [khelper]
   20 admin           SW< [kblockd/0]
   21 admin           SW< [kblockd/1]
   22 admin           SW< [kblockd/2]
   23 admin           SW< [kblockd/3]
   39 admin           SW  [pdflush]
   40 admin           SW  [pdflush]
   41 admin           SW< [kswapd0]
   42 admin           SW< [aio/0]
   43 admin           SW< [aio/1]
   44 admin           SW< [aio/2]
   45 admin           SW< [aio/3]
   87 admin           SW< [mtdblockd]
  234 admin           SW< [khubd]
  307 admin      1428 S   /userfs/bin/cfg_manager 
  309 admin      1428 S   /userfs/bin/cfg_manager 
  310 admin      1428 S   /userfs/bin/cfg_manager 
  408 admin           SW< [dmtd]
  542 admin           SW  [RtmpCmdQTask]
  543 admin           SW  [RtmpWscTask]
  568 admin       216 S   tcwdog -t 1 /dev/watchdog 
  573 admin       284 R   utelnetd -l /userfs/bin/login -d 
  583 admin       356 S   /userfs/bin/usb_auto_mount 
  584 admin       356 S   /userfs/bin/usb_auto_mount 
  585 admin       356 S   /userfs/bin/usb_auto_mount 
  590 admin       532 S   /userfs/bin/3gfun 
  591 admin       240 S   /userfs/bin/keepalive 
  592 admin       264 S   /userfs/bin/gobi_idle 
 1132 admin       384 S   /userfs/bin/dhcp6s -c /etc/dhcp6s.conf br0 -p /var/ru
 1134 admin       284 S   /userfs/bin/dropbear 
 1168 admin       392 S   /usr/sbin/udhcpd 
 2716 admin      1232 S   /userfs/bin/tr69 
 2737 admin       352 S   /sbin/syslogd -m 0 -O /tmp/var/log/messages -S -s 32 
 2777 admin      1300 S   /userfs/bin/nmbd -D 
 2787 admin      1440 S   /userfs/bin/smbd -D 
 2801 admin       328 S   /userfs/bin/bftpd -d 
 2807 admin       464 S   /userfs/bin/dnsmasq 
 2829 admin       296 S   /userfs/bin/billion_autoreboot 
 2861 admin       828 S   /userfs/bin/boa -c /boaroot -d 
 2945 admin       172 S   /userfs/bin/tftpd 
 2947 admin       636 S   /userfs/bin/wpa_supplicant -g /var/run/wpa_supplicant
 2955 admin      1232 S   /userfs/bin/tr69 
 2956 admin      1232 S   /userfs/bin/tr69 
 2957 admin      1232 S   /userfs/bin/tr69 
 2962 admin       284 S   /userfs/bin/gremon 
 2983 admin       304 S   /userfs/bin/httpsprovision 
 2986 admin       348 S   /userfs/bin/selfcheck 
 2987 admin       356 S   /userfs/bin/trafficspeed 
 2995 admin       260 S   init       
 3043 admin       568 S   gobi_services  
 3048 admin       568 S   gobi_services  
 3049 admin       568 S   gobi_services  
 3050 admin       568 S   gobi_services  
 3051 admin       568 S   gobi_services  
 3054 admin       568 S   gobi_services  
 3055 admin       568 S   gobi_services  
 3056 admin       568 S   gobi_services  
 3057 admin       568 S   gobi_services  
 3059 admin       752 S   /userfs/bin/bil_mqtt_proc 
 3060 admin       568 S   gobi_services  
 3061 admin       568 S   gobi_services  
 3063 admin       568 S   gobi_services  
 3064 admin       568 S   gobi_services  
 3067 admin       568 S   gobi_services  
 3068 admin       568 S   gobi_services  
 3069 admin       568 S   gobi_services  
 3070 admin       568 S   gobi_services  
 3073 admin       568 S   gobi_services  
 3075 admin       568 S   gobi_services  
 3076 admin       568 S   gobi_services  
 3078 admin       568 S   gobi_services  
 3098 admin       568 S   gobi_services  
 3099 admin       568 S   gobi_services  
 3250 admin       816 S   /userfs/bin/zebra -P 0 -f /etc/zebra.conf -i /var/run
 9674 admin       424 S   sh -c /userfs/bin/wget --http-user=admin --http-passw
 9675 admin       768 S   /userfs/bin/wget --http-user=admin --http-password=ad
12480 admin      2144 S   /userfs/bin/smbd -D 
23667 admin       424 R   ps auxww 
27273 admin       540 S   /bin/sh 
28597 admin           SW< [scsi_eh_0]
28598 admin           SW< [usb-storage]

dmesg just shows the same as I previously posted, but with this new bit on the end:

usb 2-1: new high speed USB device using rt3xxx-ehci and address 3
usb 2-1: configuration #1 chosen from 1 choice
scsi0 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 3
usb-storage: waiting for device to settle before scanning
scsi 0:0:0:0: Direct-Access     VendorCo ProductCode      2.00 PQ: 0 ANSI: 4
sd 0:0:0:0: [sda] 3932160 512-byte hardware sectors (2013 MB)
sd 0:0:0:0: [sda] Write Protect is off
sd 0:0:0:0: [sda] Mode Sense: 03 00 00 00
sd 0:0:0:0: [sda] Assuming drive cache: write through
sd 0:0:0:0: [sda] 3932160 512-byte hardware sectors (2013 MB)
sd 0:0:0:0: [sda] Write Protect is off
sd 0:0:0:0: [sda] Mode Sense: 03 00 00 00
sd 0:0:0:0: [sda] Assuming drive cache: write through
 sda: sda1
sd 0:0:0:0: [sda] Attached SCSI removable disk
FAT: utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
FAT: bogus number of reserved sectors
VFS: Can't find a valid FAT filesystem on dev sda1.
usb-storage: device scan complete
mount /tmp/mnt/dev/sda1, /tmp/mnt/usb1_1 failed

So that explains why my e2fs and symlink didn't work, since it appears to be forced to mount as FAT.

looking in usb_auto_mount, I find the following:

/bin/mount -t vfat %s %s
vfat-mount succeed
/userfs/bin/ntfs-3g %s %s
nfts-mount succeed
mount %s, %s failed

Back to useful info..

# lsmod
Module                  Size  Used by
GobiNet 59632 18 - Live 0xc026a000
usbnet 16144 1 GobiNet, Live 0xc0229000
GobiSerial 7888 0 - Live 0xc022e000
usbserial 29216 1 GobiSerial, Live 0xc0249000
nf_conntrack_ipv6 19328 0 - Live 0xc0223000
ip6t_LOG 7600 0 - Live 0xc015b000
ip6table_filter 2080 1 - Live 0xc01fe000
ip6_tables 12960 2 ip6t_LOG,ip6table_filter, Live 0xc0204000
iptable_filter 2304 1 - Live 0xc015e000
hw_nat 57520 0 - Live 0xc0213000 (P)
mldsnooping 6976 0 - Live 0xc0112000
igmpsnoop 16160 0 - Live 0xc0138000
ebt_ip6 3360 0 - Live 0xc0115000
ebt_ip 2688 0 - Live 0xc010e000
ebtable_filter 1920 0 - Live 0xc010c000
ebtables 23456 3 ebt_ip6,ebt_ip,ebtable_filter, Live 0xc01f7000
sch_prio 5760 0 - Live 0xc0069000
sch_htb 18912 0 - Live 0xc0155000
cls_fw 4992 0 - Live 0xc0109000
act_mirred 4624 0 - Live 0xc0088000
rt5390ap 865920 1 - Live 0xc0360000 (P)
tc3162_dmt 925456 0 [permanent], Live 0xc027d000 (P)
raeth 92832 1 tc3162_dmt, Live 0xc0120000 (P)
tccicmd 92480 3 rt5390ap,tc3162_dmt,raeth, Live 0xc013d000 (P)
tcledctrl 31760 3 rt5390ap,raeth,tccicmd, Live 0xc0117000 (P)
fuse 47440 0 - Live 0xc00f2000
usb_storage 30448 0 - Live 0xc00e2000
ehci_hcd 34992 0 - Live 0xc00ff000
ohci_hcd 22128 0 - Live 0xc00eb000
usbcore 120400 8 GobiNet,usbnet,GobiSerial,usbserial,usb_storage,ehci_hcd,ohci_hcd, Live 0xc00a3000
vfat 10944 0 - Live 0xc006f000
fat 51888 1 vfat, Live 0xc007a000
nls_cp936 121184 0 - Live 0xc00c3000
nls_utf8 1472 0 - Live 0xc005c000
nls_base 5584 4 vfat,fat,nls_cp936,nls_utf8, Live 0xc006c000
sd_mod 23216 0 - Live 0xc0073000
scsi_wait_scan 864 0 - Live 0xc005a000
scsi_mod 89408 3 usb_storage,sd_mod,scsi_wait_scan, Live 0xc008c000
brg_shortcut 6032 0 - Live 0xc0066000 (P)
tcvlantag 11968 0 - Live 0xc0062000
tcportbind 6288 0 - Live 0xc0051000
tcsmux 11376 0 - Live 0xc005e000
module_sel 2240 4 rt5390ap,tcvlantag,tcportbind,tcsmux, Live 0xc0056000 (P)
tcfullcone 3120 0 - Live 0xc0054000
# cat NVRAMinfo 
_3g_total_data@0=|000000000000|000000000000|000000000000|000000000000|
_3g_ltecells_cellrsrp_1@0=-119.30
_etherUp=0
_3g_total_data@1=|000000000000|000000000000|000000000000|000000000000|
_3g_ltecells_cellrsrp_1@1=-130.10
_3g_ltecells_cellrsrp_1@2=-134.10
_3g_ltecells_cellrsrp_1@3=-128.10
_3g_ports=4
_3g_qmidev_drop@0=0
_3g_qmidev_drop@1=0
_3g_ltecells_cellrssi_1@0=-86.20
_3g_ltecells_cellrssi_1@1=-102.90
_3g_ltecells_cellrssi_1@2=-103.50
_3g_ltecells_cellrssi_1@3=-97.70
_3g_3gfun_restart=0
_3g_get_ip_method@0=dhcp
prio_ppp10=13
prio_ppp11=11
prio_ppp12=12
_3g_ext_casband@0=
_ndis_dialing=0
_3g_ext_sinr@0=
_unit_id=15
T3G_PCICELLID=
_3g_ext_cellid@0=
_3g_ext_rsrq@0=
_lteapn2_speedrx=0.00KBps
_reboot_Mon@0=No
_lte1_tx_bandwidth=0
_reboot_Mon@1=No
_gb_query_signal=0
T3G_SMS_CTRL_PWD=
T3G_KEEP_IP=
_lte_speedrx=0.00KBps
_3g_rxden_status=Enabled
_3g_ltecells_cellpci_1@0=425
_3g_ltecells_cellpci_1@1=454
_3g_ltecells_cellpci_1@2=417
_kp_kill=0
_3g_ltecells_cellpci_1@3=417
T3G_APN_2=
_3g_ltecells_cellcount_1=1
_lb_phy_ready@10=0
_lb_phy_ready@11=1
_reboot_Thu@0=No
_reboot_Thu@1=No
_3g_ext_rsrp@0=
_wifiMacTab=
_lteapn2_speedtx=0.00KBps
_3g_ext_networkband@0=
_lte_speedtx=0.00KBps
T3G_PASSWD=
_adslVdslUp=0
T3G_FASTSCANDIS=0
_3g_ext_phycellid@0=425
WAN_PORT=3G
_3g_sim_status_show@0=SIM Card Not Found
T3G_IPVERSION_2=IPv4
_3gUp=1
_3g_ext_casbw@0=
_mqtt_sigusr1=device_alert
_3g_ext_ltebw@0=
_3g_ext_rate@0=
_force_reset=0
_3g_module_inited@0=1
_3g_ltecells_cellcount_1_lock=1
_3g_ext_div_rssi@0=
_3gUp_1=0
_3g_rtime@0=0
_3g_rtime@1=0
_3g_dialing=0
_3g_ltecells_earfcn_1=900
_usb_vendor@0=0x1199
_3g_module_name=MC7455
_usb_vendor@1=0xffff
3G_SIERRA_MODE=
_3g_ltecells_cellrxlv_1@0=8
_3g_ltecells_cellrxlv_1@1=65533
_3g_ltecells_cellrxlv_1@2=65529
_3g_ltecells_cellrxlv_1@3=65535
_reboot_Tue@0=No
_reboot_Tue@1=No
T3G_AUTHPROT=
_force_reset_trigger=0
_3g_disconnected_0=0
_3g_disconnected_1=0
_lte1_rx_minute=0
T3G_PSCS=
_3g_ext_reg@0=ROAMING
_lte1_rx_bandwidth=0
_reboot_Enable@0=No
_reboot_Enable@1=No
_3g_ext_snr@0=
_3g_nosignal_led=
_3g_mc7355_profile=GENERIC
_selfcheck_pid=2986
cwmp_bind_wan=99
_3g_kp_dialfail@0=0
T3G_LTE_BAND=2+7
_3g_qmi_ip@0=
T3G_IDLETIMER=
cwmp_url_ip=
_usb_product@0=0x9071
_usb_product@1=0x5678
_3g_ext_caschan@0=
T3G_PLMN_SEL=
T3G_LTE_3G_DIFF_APN=0
_3g_devclass@0=2
_3g_devclass@1=3
_kp_reset@0=0
_3g_ltecells_phycellid_1=425
_3g_drivermode=ndis
_3g_qmi_gobiconnect=1
_3g_refresh_sig=1
T3G_PLMN_ACT=
_3g_ok=1
_3g_qmi_stopdata=0
_reboot_Wed@0=No
_reboot_Wed@1=No
_reboot_Fri@0=No
_reboot_Fri@1=No
_3g_ext_sn@0=LQ813777
T3G_PIN=
_3g_check_signal_locked=0
T3G_DIALNUM=*99***1#
_3g_ndismode=qmi
_ewan_upbw=0.00
_trafficspeed_pid=2987
T3G_RXDEN=
_3g_ext_sim_status@0=SIMNOT
T3G_PCIEARFCN=
T3G_MC7455_CARRIER=
_ewan_speedrx=0.00KBps
_3g_ext_sig@0=
prio_nas10=13
_3g_ext_netname@0=
_3g_ext_rssi@0=
_reboot_Sat@0=No
_reboot_Sat@1=No
T3G_APN=
_ewan_speedtx=0.00KBps
_LSvalue=0
_3g_qmi_startdata=0
_LSmaxmac=000000000000
T3G_USER_2=
_3g_ext_imei@0=359072
_pppdid_3g=
_3g_ext_div_rsrp@0=
_3g_driver_ok=1

# cat /proc/iomem
00000000-03ffffff : System RAM
  00020000-002b1097 : Kernel code
  002b1098-0033819f : Kernel data
1fba0000-1fbaffff : rt3xxx-ohci
  1fba0000-1fbaffff : ohci_hcd
1fbb0000-1fbbffff : rt3xxx-ehci
  1fbb0000-1fbbffff : ehci_hcd
20000000-2fffffff : pcie memory space
  20000000-200fffff : PCI Bus #01
    20000000-2000ffff : 0000:01:00.0
      20000000-2000ffff : 0000:01:00.0

# cat /proc/ioports 
1f600000-1f61ffff : pcie IO space

# cat /proc/meminfo
MemTotal:        61076 kB
MemFree:         20704 kB
Buffers:          3884 kB
Cached:          18448 kB
SwapCached:          0 kB
Active:          12568 kB
Inactive:        14568 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:               0 kB
Writeback:           0 kB
AnonPages:        4808 kB
Mapped:           5604 kB
Slab:             8036 kB
SReclaimable:      912 kB
SUnreclaim:       7124 kB
PageTables:        504 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:     30536 kB
Committed_AS:    11344 kB
VmallocTotal:  1048308 kB
VmallocUsed:      4200 kB
VmallocChunk:  1043928 kB
IMEM Remains: 4294963048 Bytes
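An added example (not tooling from the post or from OpenWrt) that turns the /proc/mtd and /proc/partitions dumps above into a flash map, which is what you need before writing a partition table for an OpenWrt port. The inputs are the text exactly as pasted above. /proc/mtd only gives sizes, so the offsets are inferred: top-level partitions are assumed to sit back-to-back in listing order, and the "tclinux" partition is assumed to be a container spanning "kernel" and "rootfs", which is the usual TrendChip convention and the only reading under which the sizes add up to a power of two; both assumptions are marked in the code and are conclusions from the numbers, not facts stated in the post. The script also applies the kernel's mtdpart rule that a partition not starting and ending on an erase block is forced read-only, and cross-checks the 1 KiB block counts from /proc/partitions, which are the byte sizes shifted right by 10 (so mtdblock2 shows 1084 blocks for a 0x10f300-byte partition).

```python
"""Build a flash map from /proc/mtd and /proc/partitions text."""
import re

# Input as pasted in the post above.
PROC_MTD = """dev:    size   erasesize  name
mtd0: 00010000 00010000 "bootloader"
mtd1: 00010000 00010000 "romfile"
mtd2: 0010f300 00010000 "kernel"
mtd3: 009ce000 00010000 "rootfs"
mtd4: 00fa0000 00010000 "tclinux"
mtd5: 00040000 00010000 "reservearea"
"""

PROC_PARTITIONS = """major minor  #blocks  name

  31     0         64 mtdblock0
  31     1         64 mtdblock1
  31     2       1084 mtdblock2
  31     3      10040 mtdblock3
  31     4      16000 mtdblock4
  31     5        256 mtdblock5
   8     0    1966080 sda
   8     1    1965056 sda1
"""

# Assumption (TrendChip convention, not stated in the post): "tclinux" is a
# container partition that spans "kernel" and "rootfs".
NESTED = {"tclinux": ["kernel", "rootfs"]}


def parse_proc_mtd(text):
    """Return [{'dev', 'size', 'erasesize', 'name'}] with sizes in bytes."""
    pat = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"', re.M)
    return [{"dev": m.group(1), "size": int(m.group(2), 16),
             "erasesize": int(m.group(3), 16), "name": m.group(4)}
            for m in pat.finditer(text)]


def parse_proc_partitions(text):
    """Return {device name: block count} (1 KiB blocks)."""
    return {m.group(2): int(m.group(1))
            for m in re.finditer(r"^\s*\d+\s+\d+\s+(\d+)\s+(\S+)\s*$", text, re.M)}


def check_partitions(parts, blocks):
    """Names whose /proc/partitions block count disagrees with size >> 10."""
    return [p["name"] for p in parts
            if blocks.get(p["dev"].replace("mtd", "mtdblock")) != p["size"] // 1024]


def flash_map(parts, nested=NESTED):
    """Assign offsets: top-level partitions back-to-back in listing order
    (assumption), children packed from the start of their container.
    Returns (entries, total_flash_size)."""
    by_name = {p["name"]: p for p in parts}
    child_of = {c: parent for parent, kids in nested.items() for c in kids}
    entries, offset = [], 0
    for p in parts:
        if p["name"] in child_of:
            continue                          # placed with its container below
        entries.append(dict(p, offset=offset, parent=None))
        child_off = offset
        for cname in nested.get(p["name"], []):
            child = by_name[cname]
            entries.append(dict(child, offset=child_off, parent=p["name"]))
            child_off += child["size"]
        if child_off - offset > p["size"]:
            raise ValueError("children of %s do not fit inside it" % p["name"])
        offset += p["size"]
    for e in entries:
        e["end"] = e["offset"] + e["size"]
        # Linux mtdpart forces a partition read-only when it does not start
        # and end on an erase-block boundary.
        e["readonly"] = bool(e["offset"] % e["erasesize"] or e["size"] % e["erasesize"])
    return entries, offset


def format_map(entries, total):
    lines = ["flash size: 0x%08x (%d MiB)" % (total, total // 2**20)]
    for e in entries:
        lines.append("  %s0x%08x-0x%08x %-12s%s" % (
            "  " if e["parent"] else "", e["offset"], e["end"], e["name"],
            "  read-only: not erase-block aligned" if e["readonly"] else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD)
    entries, total = flash_map(parts)
    print(format_map(entries, total))
    bad = check_partitions(parts, parse_proc_partitions(PROC_PARTITIONS))
    print("size/block-count mismatches:", bad or "none")
```

Under these assumptions the four top-level partitions sum to exactly 16 MiB, and both "kernel" and "rootfs" come out read-only (the kernel size 0x10f300 is not a multiple of the 64 KiB erase block, so the rootfs start is misaligned too), which means any flashing from within the running system would have to go through the "tclinux" container rather than the individual kernel/rootfs devices.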

I have opened a support ticket with BEC since they are in violation of the GPL and have not made any source available. I have requested it, so we'll see what happens there.

Going back to look at the existing firmware blob, and the information here https://vasvir.wordpress.com/2015/03/29/trendchip-firmware-xor-checksum-algorithm-disassembly/

Binwalking the 0x100 address header looks interesting:

$ binwalk -e 100

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
119668        0x1D374         Certificate in DER format (x509 v3), header length: 4, sequence length: 30
477852        0x74A9C         Certificate in DER format (x509 v3), header length: 4, sequence length: 64
2368456       0x2423C8        Certificate in DER format (x509 v3), header length: 4, sequence length: 16384
2699264       0x293000        Linux kernel version 2.6.22
2731136       0x29AC80        CRC32 polynomial table, little endian
2937240       0x2CD198        Unix path: /usr/gnemul/irix/
2939640       0x2CDAF8        Unix path: /usr/lib/libc.so.1
3023523       0x2E22A3        Neighborly text, "NeighborSolicitsts"
3023547       0x2E22BB        Neighborly text, "NeighborAdvertisementsmp6OutDestUnreachs"
3023748       0x2E2384        Neighborly text, "NeighborSolicitsirects"
3023776       0x2E23A0        Neighborly text, "NeighborAdvertisementssponses"
3026583       0x2E2E97        Neighborly text, "neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)(%s)"
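The `strings login` and `more /etc/passwd` output earlier in the thread is the kind of thing worth automating across a whole extracted squashfs. The following is an added example for this thread, not code from the post: a strings(1)-style extractor, a heuristic that treats literals sitting between a login/password prompt and the following failure message as credential candidates, and a passwd audit that flags uid-0 accounts and the `$1$$` form, which is MD5-crypt with an empty salt (so the hash can be attacked with a precomputed table rather than per-account). The binary blob is constructed from the strings the post lists, in the post's order, glued together with non-printable bytes so it behaves like a stripped executable; it is not the real login binary. The prompt, failure and exclusion patterns are my own choices.

```python
"""Hunt for hard-coded credentials in a binary and audit passwd entries."""
import re

# Constructed sample: the strings the post lists, separated by junk bytes.
SAMPLE_BINARY = b"\x7fELF\x01\x02\x01" + b"".join(
    s + b"\x00\x00\x00\x01\x80\x0a"
    for s in [b"Account_Entry0", b"username", b"web_passwd", b"AutoGenerate_Entry",
              b"custom", b"serial_app", b"login: ", b"Password: ", b"B3cAdm1n",
              b"B3C@Matrix3301", b"gongdaowuRd", b"5753268", b"Login incorrect",
              b"/userfs/bin/sc", b"PATH", b"/userfs/bin:/usr/sbin:/bin:/usr/bin:/sbin",
              b"/bin/sh", b"/userfs/bin/cli"])

# The two lines shown by `more /etc/passwd` on the device.
SAMPLE_PASSWD = """admin:$1$$/k3ZVBQUSXq.KEIR1xnLL.:0:0:root:/:/bin/sh
B3cAdm1n:$1$$SliNdkTWqix0n38ZehELU1:0:0:root:/:/bin/sh
"""

# Heuristic patterns (mine): a prompt opens a window, a failure message closes it.
PROMPT_RE = re.compile(r"^(login|username|user|password|passwd)\s*:\s*$", re.I)
FAILURE_RE = re.compile(r"incorrect|invalid|denied|failed", re.I)
NOT_A_SECRET_RE = re.compile(r"^/|%[sdxc]|^[A-Z_]+$")   # paths, format strings, env names


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def credential_candidates(strings):
    """Literals between a login/password prompt and the next failure message.
    In a compiled login program the compared-against constants tend to be
    emitted next to the prompt and error texts, which is what this exploits."""
    found, in_window = [], False
    for s in strings:
        t = s.strip()
        if PROMPT_RE.match(t):
            in_window = True
            continue
        if in_window and FAILURE_RE.search(t):
            in_window = False
            continue
        if in_window and not NOT_A_SECRET_RE.search(t):
            found.append(t)
    return found


def audit_passwd(text):
    """Return [(user, [issues])] for passwd/shadow-style lines."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, pw, uid = fields[0], fields[1], int(fields[2])
        issues = []
        if uid == 0:
            issues.append("uid 0")
        if pw == "":
            issues.append("empty password")
        elif pw in ("*", "!", "x"):
            pass                                  # locked, or hash lives in shadow
        elif pw.startswith("$1$"):
            salt = pw.split("$")[2]               # $1$<salt>$<hash>
            issues.append("md5-crypt" + (", empty salt" if salt == "" else ""))
        elif not pw.startswith("$"):
            issues.append("legacy DES crypt")
        findings.append((user, issues))
    return findings


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    print("credential candidates:", credential_candidates(extract_strings(data)))
    for user, issues in audit_passwd(SAMPLE_PASSWD):
        print("%-10s %s" % (user, ", ".join(issues) or "ok"))
```

Run it over every ELF under the extracted rootfs (`find squashfs-root -type f -perm -u+x`) rather than only `login`; the same window heuristic applies to anything that prints a prompt, such as the FTP or web daemons, and the passwd audit can be pointed at the XML config backup mentioned earlier once the account block is pulled out of it.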