I have no idea if I'm in the right place or not.. I recently bought a 5G modem/router combination from Chester Tech Repairs. The model I selected has a Quectel CAT19-RM520N-GL modem and Mediatek Wi-Fi 6 board.. I asked these guys who developed the firmware and what I was told is that "it's running LEDE, not openWRT".. hence my confusion regarding if I'm in the right place.. I attached a screenshot of the management page.. there's no identifying information other than it says "mesh+ 5g cpe smart wifi system".. screenshot attached.
Anyway, upon logging into the management page I was disappointed to see that there is no ability to create a VPN TO my home network like what's available on the Netgear ax1800.. I am well aware I could put another device behind my modem.. it would just be nice to have this feature embedded into the firmware of the modem.. I'm sure it's possible.. if anyone is familiar with this modem and/or the firmware it's running, would you please point me in the right direction... I'm looking for the source/developers so I can submit feature requests or even tinker (and probably brick) this device.
Oddly enough, upon purchase of the modem I had to submit an approval to get the latest firmware from the guy.. correct me if I'm wrong, but I'm fairly certain that he would need to make the source code publicly available considering it's based on an open source platform..
Hello,
reopening, hopefully others have this device, and have loaded OpenWRT, or ROOter on this device.
I have one of these devices since pre-summer this year, Chester Tech Repairs Cheetah, working great with TMHI.
I wanted to get log data, etc. from the device.
However, it requires a strange windoze executable to enable ssh.
factools.exe
That is not happening on my end, despite all the virus scans, etc.
Isn't this Cheetah device the same as the Alwaylink M10k21 5g NSA_SA X55 NR Sub-6 GHz Mesh Wifi6 5G CPE Router?
Which is possibly a generic Suncomm 01 knockoff?
I ask, as you can get ROOter firmware for the Alwaylink device.
I really don't want to risk an expensive brick.
Hoping someone has gone through this.
Oh, there is another similar device that looks exactly like the Alwaylink and Cheetah device.
It is on the wireless haven web site.
It runs WixFiX, a customized version of ROOter.
I have one of these too. I tried running the factools.exe in a VM, but haven't gotten it to do anything. It stays running, but no GUI or anything comes up. I'm not inclined to run it on my real machine.
A screenshot of the tool in use shows that it asks for a password and router IP. The password just seems to be enforced within the program itself, and it seems to just verify that it's 9 characters long and ends with 'o'?
I loaded it in IDA Pro and looked at what it does to open telnetd on the router. It seems to open a UDP connection to the router on port 55555 and sends:
That string gets encrypted by an AES_CBC_Encrypt function before being sent. I'm not sure where the key comes from, but just sending that with an open source UDP tool didn't do anything so I guess it needs to be encrypted properly before sending.
That this device seems to have a backdoor on udp 55555 is a bit concerning, hopefully that only works on the LAN interface.
Enable SSH on the M01K21 Router
Extract the factools.exe and huawen.ttf files from the archive and place them in a folder.
With the router running and connected to the computer execute factools.exe by double clicking on it.
You may receive several memory error dialog boxes after this. Just click on OK to dismiss them. It may also be checked as a suspicious program. It will pass that test.
When it starts you will be able to enter the password and router IP Address and enable Telnet on the router.
The password is hqf2020go and the IP Address is whatever you set using the router’s GUI.
Click on the Telnet button. You will see a dialog box appear. Click on Yes.
Telnet is now enabled on the router for as long as it is running and has not been rebooted.
There are two ways to access the router by Telnet. The first is to enable telnet on your computer. The other is to use the Putty Terminal program.
I was able to get it working under Windows Sandbox, but the telnet enable failed. I tried over Wifi and over both LAN ports, but the LAN connectivity is through another router. I captured the request it makes to udp 55555 - it's the same every time so if you want to try it without using factools.exe you can paste this into Packet Sender (https://packetsender.com/download):
0d 7d 74 6f ca 70 e8 0e ac 3f ec 1b d8 25 5a 98 8f 18 af 35 a4 58 19 ed 52 08 47 4b f5 63 ea 97 99 f0 dc 69 f5 f8 90 11 81 9b cd 05 94 0f 08 43 9e cd 62 38 d3 b3 ee 7f d9 32 bb 5e 5d 0c ac 21
Maybe it only works on a LAN port with an IP in the same subnet as the cheetah, not sure.
ROOter doesn't say the RM520N-GL modem is supported on their site.
There is a service called ledetools that handles listening on udp port 55555. When it gets the right data (hex is a few posts above), it runs telnetd. telnetd also seems to listen on udp port 55555 as well as the normal tcp 23. Either way these are both unauthenticated and listen on the WAN port - not great.
I've disabled the 55555 "feature" and enabled dropbear SSH listening only on the LAN side.
Use Packet Sender or whatever you like to send this hex to udp port 55555 on the router:
0d 7d 74 6f ca 70 e8 0e ac 3f ec 1b d8 25 5a 98 8f 18 af 35 a4 58 19 ed 52 08 47 4b f5 63 ea 97 99 f0 dc 69 f5 f8 90 11 81 9b cd 05 94 0f 08 43 9e cd 62 38 d3 b3 ee 7f d9 32 bb 5e 5d 0c ac 21
Now you should be able to telnet in with no password.
Add these lines to /etc/config/dropbear:
option enable '1'
option Interface 'lan'
In /etc/init.d/dropbear, uncomment the START and STOP lines and change START (not sure if this is necessary but I did it to make sure dropbear started up after network interfaces)
#START=50
#STOP=50
change to
START=99
STOP=50
run "/etc/init.d/dropbear enable"
restart the router, verify you can get in with SSH and that it is only listening on the LAN IP:
root@CAP:~# netstat -anp | grep drop
tcp 0 0 10.10.0.1:22 0.0.0.0:* LISTEN 3177/dropbear
tcp 0 0 10.10.0.1:22 10.10.0.2:53060 ESTABLISHED 4326/dropbear
run "/etc/init.d/ledetools disable"
restart the router, go back in with ssh and verify nothing is listening on 55555
netstat -an | grep 55555
I'm guessing using the restore feature will probably undo all of this.
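Added example (not part of the original posts, and not code from the firmware): a small shell check that automates the two netstat verifications described in the post above, flagging anything still bound to port 55555, any telnet listener, and an SSH listener bound to an address other than the LAN IP. The function name and both sample inputs are constructed for illustration; 10.10.0.1 is the LAN IP shown in the post.

```shell
#!/bin/sh
# Added example: audit netstat output for the exposures discussed in this thread.
# Usage on the router: netstat -anp | audit_listeners 10.10.0.1

audit_listeners() {
    # $1 = LAN IP that dropbear is expected to be bound to
    awk -v lan="$1" '
        $1 !~ /^(tcp|udp)/ { next }                 # skip headers and unix sockets
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }      # ignore established sessions
        {
            n = split($4, p, ":"); port = p[n]      # last piece is the port, also for ":::22"
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "55555")
                print "FAIL " $1 " " $4 " trigger port 55555 is open"
            else if (port == "23")
                print "FAIL " $1 " " $4 " telnet is listening"
            else if (port == "22" && addr != lan)
                print "FAIL " $1 " " $4 " ssh is not restricted to " lan
        }'
}

# Constructed sample: state before hardening (PIDs are made up).
sample_exposed() { cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      2201/telnetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3177/dropbear
tcp        0      0 10.10.0.1:80            0.0.0.0:*               LISTEN      1500/uhttpd
udp        0      0 0.0.0.0:55555           0.0.0.0:*                           1812/ledetools
EOF
}

# Constructed sample: state after the steps above (same shape as the output in the post).
sample_hardened() { cat <<'EOF'
tcp        0      0 10.10.0.1:22            0.0.0.0:*               LISTEN      3177/dropbear
tcp        0      0 10.10.0.1:22            10.10.0.2:53060         ESTABLISHED 4326/dropbear
EOF
}

# Demo run on the constructed "before" sample; prints three FAIL lines.
sample_exposed | audit_listeners 10.10.0.1
```

No output means none of the three conditions was found; rerun it after any firmware restore or upgrade, since those may revert the changes.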
I hope I can get to this soon.
I just don't want to mess up my working unit, which is now my main device for service.
Unfortunately I am a working stiff, so, the service I have now is mandatory for me.
Uninstall the broken snmpd package:
opkg remove snmpd
Update opkg and reinstall it:
opkg update (a bunch fail, it's ok)
opkg install snmpd (it will warn about not overwriting the existing /etc/config/snmpd file, it's ok)