I have a Verizon Ellipsis Jetpack MHS800L LTE hotspot (designed by Franklin Wireless). I downloaded the firmware update package from here, ran
binwalk on it, and found that it's running OpenWrt Barrier Breaker. Also, /etc/passwd and /etc/shadow are fully visible, so cracking the root password shouldn't be difficult.
There's no source available from either Verizon or Franklin. Here are some pictures of the board. I gave it a try, but couldn't find a UART. Does anything on here look like a UART to you guys? Here's the FCC data. There are these weird metal pieces on the plastic bumpers that bridge some of those pads on the side of the board (visible in FCC pictures). Does anyone know what that would do?
Also, it's running a telnet server, but connecting to it says "connection closed by foreign host." How do you think I get a shell over telnet?
That answers that question.
Hi, I've recently got a couple of these devices. Any updates on your progress?
Since I made that post, the firmware update page has been taking down, and my laptop's SSD died, so I don't have the firmware image anymore. It may be on my desktop, but I'm not certain. Also, if I find it, I'm not sure I can legally repost it.
There's a secret page in the firmware that allows you to (among other things) enable an SSH server, and upload firmware updates. The updates are tarballs with some kind of hashing/signature scheme. I also emailed Franklin Wireless a few times asking for source code, and have been ignored every time.
If you can't tell, it's been a long time. I haven't worked on this since the winter, but I may give it another shot.
Internal photos here.
It contains a VZ22Q module (see page 23 of 24 of the FCC page; the module is also contained in the technicolor MBHA10VWQ).
Its CPU is Broadcom's BCM63139, which IS NOT supported under the bcm63xx target (as it is actually an ARM CPU).
The closest OpenWrt-related thing I can find to this series of ARM xDSL-focused CPUs is this forum thread about a BCM63138-based board to which someone has CFE bootloader access.
I found a download link for the firmware updater.
Binwalking the updater exe gives you the rootfs. There are some hidden pages in the webserver (
/etc/www). If you navigate to
http://<the_router_ip>/webpst/labpst/index.html you'll find some interesting dev options that may be of use.