Hacking on a MDM9207 based device

Hi,
I have an LTE router from my isp which is this model:
https://avxav.com/product/fdd-lte-cat4-fqt-144-series/

It is of course locked to my ISP. After disassembling the router I was able to identify the UART pins and used them to collect info about the device internals:
1- The login shell reads “root@mdm9607:” and I was able to log in using the credentials from osmocom.
2- /proc/cpuinfo:

processor	: 0
model name	: ARMv7 Processor rev 5 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xc07
CPU revision	: 5

Hardware	: Qualcomm Technologies, Inc MDM9207
Revision	: 0000
Serial		: 0000000000000000
Processor	: ARMv7 Processor rev 5 (v7l)

From the above information, I believe that this uses something like a Quectel EC25 module (how can I be sure?).
I removed the module from the router, but the router doesn’t boot if the module is removed, so the router doesn’t have a CPU of its own! Does the module run the entire Linux kernel?

Looking at the mainboard, it is practically empty: I can see no CPU chip on the mainboard that could run the OS, only passive components and some shift register ICs. The only chip I found on the mainboard that looks like a CPU is one with the model number qca8337-al3c, but according to a datasheet found online this is just a gigabit switch IC, so maybe my assumption that the entire OS runs on the LTE modem is correct?

some pictures

I want to test multiple things:
1- Is it possible to unlock the module and make it work with any SIM card? Maybe I can use AT commands from the Quectel datasheet, but I can't find which tty the modem is running on so that I can connect to it. How can I connect to the modem on these models?

2- The module connects to the mainboard using a mini-PCIe connector. I have a Turris Omnia router that accepts an LTE modem in the mini-PCIe form factor; is it possible to connect it to the Turris Omnia? I am a bit hesitant because of my conclusion above that the device runs an entire OS: maybe it only uses the mini-PCIe connector and doesn't conform to the mini-PCIe standard, and connecting it to the standard mini-PCIe connector on the Turris Omnia may damage either one (magic smoke?).

3- Hopefully be able to port OpenWrt to it. I couldn't find a device with the same configuration that has OpenWrt ported to it, so maybe this is unlikely to be possible.

Regards


As for #3, this might be an interesting read:

Most likely. The module is the router. The host board is mostly switch and power supply.

Yes, it runs a full Linux distro with all the bells and whistles. This is what any Qualcomm LTE modem does, even the one in your Windows laptop.

The difference from the one in your laptop is that this one probably uses RGMII to connect to an Ethernet switch instead of USB to the PC host.

Yes, that's likely. The connector carries RGMII and the serial console and possibly other signals, but probably not the PCIe or USB signals your Omnia expects.

As for porting OpenWrt to this platform: Anything is possible. But it is not going to be easy. Lots of unsupported peripherals. In particular the signal processor core(s) making up the radio.


In that case, is it OK to perform trial and error by connecting it to the Turris Omnia and seeing if it works? Or will that cause damage to the Omnia or the LTE module?

Can't answer that.

It could damage either or both if any of the pins are re-purposed in such a way that there is a short (e.g. VCC connected to a ground pin), or if I/O pins with incompatible voltage levels are mixed.

To be sure, you have to figure out the pinout of both and compare. Which probably means measuring and following traces on the router/modem module since I guess docs are unavailable. Seems like a lot of work, with a remaining risk of errors, for little or no gain. Why do you want to do this? Better get a cheap modem module for the Omnia if you want that. And the LTE router host board is useless without the matching module, so removing it makes no sense in any case.

Any progress?? Idea: just use a programmer, connect it to the BIOS/NAND flash chip and read the output. You might get some code or something, maybe get the whole system and modify it.

there's no output, just a boot loader + OS image ...

Any progress?
I have the same LTE router and want to unlock it.

When it runs Linux and some other tools under the GPL or a similar license, the vendor has to disclose the sources of the GPL parts. Ask them; if they don't comply, take legal steps if possible. Maybe, if you are lucky, you get more than the minimum they need to disclose, and with it some useful information.

This is the great thing about GPL licenses: anyone who uses software based on them has no right to keep that software secret. Even if they start out from GPLed software and modify it, according to the GPL the modified software also has to follow the GPL. (It applies only to pieces of software that themselves use (modified) GPL source code; it does not apply to proprietary scripts or binaries running beside GPL code and interacting with it.)

What they can do is write completely new software that just talks to the GPLed software; in that case they only need to disclose the GPLed part.

Regards!