I have a Verizon Ellipsis Jetpack MHS800L LTE hotspot (designed by Franklin Wireless). I downloaded the firmware update package from here, ran
binwalk on it, and found that it's running OpenWrt Barrier Breaker. Also, /etc/passwd and /etc/shadow are fully visible, so cracking the root password shouldn't be difficult.
There's no source available from either Verizon or Franklin. Here are some pictures of the board. I gave it a try, but couldn't find a UART. Does anything on here look like a UART to you guys? Here's the FCC data. There are these weird metal pieces on the plastic bumpers that bridge some of those pads on the side of the board (visible in FCC pictures). Does anyone know what that would do?
Also, it's running a telnet server, but connecting to it says "connection closed by foreign host." How do you think I get a shell over telnet?