Looking for information about firmware on modem

Greetings..

I have no idea if I'm in the right place or not.. I recently bought a 5g modem/router combination from chester tech repairs. The model I selected has a Quectel CAT19-RM520N-GL modem and Mediatek Wi-Fi 6 board.. I asked these guys who developed the firmware and what I was told is that "it's running LEDE, not openWRT".. hence my confusion regarding if I'm in the right place.. I attached a screenshot of the management page.. there's no identifying information other than it says "mesh+ 5g cpe smart wifi system".. screenshot attached.

Anyway, upon logging into the management page I was disappointed to see that there is no ability to create a VPN TO my home network like what's available on the Netgear ax1800.. I am well aware I could put another device behind my modem.. it would just be nice to have this feature embedded into the firmware of the modem.. I'm sure it's possible.. if anyone is familiar with this modem and/or the firmware it's running, would you please point me in the right direction... I'm looking for the source/developers so I can submit feature requests or even tinker (and probably brick) this device.

I appreciate your time..

Regards,



For all practical purposes, you can think of LEDE as version 17 of OpenWrt, but with a weird name.

However, that screenshot does not look like LEDE at all, perhaps they are using a modified version.

Thank you very much for the clarity!

Oddly enough, upon purchase of the modem I had to submit an approval to get the latest firmware from the guy.. correct me if I'm wrong, but I'm fairly certain that he would need to make the source code publicly available considering it's based on an open source platform..

Open source violations are a grey and muddy area...

and can't afford expensive lawyers.

1 Like

Hello,
reopening, hopefully others have this device, and have loaded OpenWRT, or ROOter on this device.

I have one of these devices since pre-summer this year, Chester Tech Repairs Cheetah, working great with TMHI.

I wanted to get log data, etc. from the device.
However, it requires a strange windoze executable to enable ssh.
factools.exe
That is not happening on my end, despite all the virus scans, etc.

Isn't this Cheetah device the same as the Alwaylink M10k21 5g NSA_SA X55 NR Sub-6 GHz Mesh Wifi6 5G CPE Router ?
Which is possibly a generic Suncomm 01 knockoff?
I ask, as you can get ROOter firmware for the Alwaylink device.

I really don't want to risk an expensive brick.
Hoping someone has gone through this.

Oh, there is another similar device that looks exactly like the Alwaylink and Cheetah device.
It is on the wireless haven web site.
It runs WixFiX, a customized version of ROOter.

(post deleted by author)

Should I start a new thread with a better, targeted, title?

I think that would get better hits for my questions...

Welcome to the community!

Done - title edited.

I have one of these too. I tried running the factools.exe in a VM, but haven't gotten it to do anything. It stays running, but no GUI or anything comes up. I'm not inclined to run it on my real machine.

A screenshot of the tool in use shows that it asks for a password and router IP. The password just seems to be enforced within the program itself, and it seems to just verify that it's 9 characters long and ends with 'o'?

I loaded it in IDA Pro and looked at what it does to open telnetd on the router. It seems to open a UDP connection to the router on port 55555 and sends:

    admin\nkillall telnetd;telnetd -l /bin/login.sh;echo $?

That string gets encrypted by an AES_CBC_Encrypt function before being sent. I'm not sure where the key comes from, but just sending that with an open source UDP tool didn't do anything so I guess it needs to be encrypted properly before sending.

That this device seems to have a backdoor on udp 55555 is a bit concerning, hopefully that only works on the LAN interface.

1 Like

from file:
Flash-MK01K21.pdf

from archive:
http://www.aturnofthenut.com/builds/GoldenOrb/Alwaylink-MK01K21-GO2023-09-01.zip

Enable SSH on the M01K21 Router
Extract the factools.exe and huawen.ttf files from the archive and place them in a folder.
With the router running and connected to the computer execute factools.exe by double
clicking on it.
You may receive several memory error dialog boxes after this. Just click on OK to dismiss them. It may also be checked as a suspicious program. It will pass that test.
When it starts you will be able to enter the password and router IP Address and enable Telnet on the router.
The password is hqf2020go and the IP Address is whatever you set using the router’s GUI.
Click on the Telnet button. You will see a dialog box appear. Click on Yes.
Telnet is now enabled on the router for as long as it is running and not been rebooted.
There are two ways to access the router by Telnet. The first is to enable telnet on your computer. The other is to use the Putty Terminal program.

I was able to get it working under Windows Sandbox, but the telnet enable failed. I tried over Wifi and over both LAN ports, but the LAN connectivity is through another router. I captured the request it makes to udp 55555 - it's the same every time so if you want to try it without using factools.exe you can paste this into Packet Sender (https://packetsender.com/download):

0d 7d 74 6f ca 70 e8 0e ac 3f ec 1b d8 25 5a 98 8f 18 af 35 a4 58 19 ed 52 08 47 4b f5 63 ea 97 99 f0 dc 69 f5 f8 90 11 81 9b cd 05 94 0f 08 43 9e cd 62 38 d3 b3 ee 7f d9 32 bb 5e 5d 0c ac 21

Maybe it only works on a LAN port with an IP in the same subnet as the cheetah, not sure.

R00ter doesn't say the RM520N-GL modem is supported on their site

1 Like

That's kind of strange, they are all shipped with this modem, same as with the Alwaylink and all the other knock offs.

> R00ter doesn't say the RM520N-GL modem is supported on their site

After doing a restore the udp command worked:

I set up the IMEI/APN and bands again and restarted, and it still worked so I'm not sure why it wasn't working before

1 Like

Sooo, you are saying that we can telnet/ssh in without using the questionable executable?
This is good, I have been wanting log data since I got mine.

Speaking of logs, SNMP doesn't seem to work.
Have you tried?

Ok I've worked on this a bit more.

There is a service called ledetools that handles listening on udp port 55555. When it gets the right data (hex is a few posts above), it runs telnetd. telnetd also seems to listen on udp port 55555 as well as the normal tcp 23. Either way these are both unauthenticated and listen on the WAN port - not great.

I've disabled the 55555 "feature" and enabled dropbear SSH listening only on the LAN side.

Use Packet Sender or whatever you like to send this hex to udp port 55555 on the router:

0d 7d 74 6f ca 70 e8 0e ac 3f ec 1b d8 25 5a 98 8f 18 af 35 a4 58 19 ed 52 08 47 4b f5 63 ea 97 99 f0 dc 69 f5 f8 90 11 81 9b cd 05 94 0f 08 43 9e cd 62 38 d3 b3 ee 7f d9 32 bb 5e 5d 0c ac 21

Now you should be able to telnet in with no password

Add these lines to /etc/config/dropbear:

    option enable '1'
    option Interface 'lan'

In /etc/init.d/dropbear, uncomment the START and STOP lines and change START (not sure if this is necessary but I did it to make sure dropbear started up after network interfaces)

    #START=50
    #STOP=50

change to

    START=99
    STOP=50

run "/etc/init.d/dropbear enable"

restart the router, verify you can get in with SSH and that it is only listening on the LAN IP:

    root@CAP:~# netstat -anp | grep drop
    tcp 0 0 10.10.0.1:22 0.0.0.0:* LISTEN 3177/dropbear
    tcp 0 0 10.10.0.1:22 10.10.0.2:53060 ESTABLISHED 4326/dropbear

run "/etc/init.d/ledetools disable"

restart the router, go back in with ssh and verify nothing is listening on 55555

    netstat -an | grep 55555

I'm guessing using the restore feature will probably undo all of this

2 Likes

> Speaking of logs, SNMP doesn't seem to work.
> Have you tried?

Yeah that's what actually started me on all of this. I still haven't gotten snmpd to work yet. This is in readlog:

Wed May 24 16:55:48 2023 daemon.info procd: Instance snmpd::instance1 s in a crash loop 6 crashes, 0 seconds since last crash

1 Like

ah one more thing of course the WebUI is listening on the WAN. It can be fixed in /etc/config/uhttpd

1 Like
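The netstat checks from the posts above (dropbear bound to the LAN IP only, nothing left on 55555, telnet and the WebUI not reachable from the WAN) can be done in one pass. This is an added example, not code from the thread or from the firmware vendor; the LAN address 10.10.0.1 and the watched port list are assumptions taken from the thread, and the sample rows and PIDs are constructed.

```shell
#!/bin/sh
# Added example: flag watched services that listen on anything other than
# the LAN address. LAN_IP and the port list are assumptions from the thread.
LAN_IP="${LAN_IP:-10.10.0.1}"

# Reads `netstat -anp` text on stdin; prints one EXPOSED line per watched
# port bound to an address other than LAN_IP or loopback.
audit_listeners() {
    awk -v lan="$LAN_IP" '
    BEGIN { split("22 23 80 443 55555", p, " "); for (i in p) watch[p[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
        # TCP rows must be in LISTEN state; UDP rows have no state column.
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next
        laddr = $4
        n = split(laddr, parts, ":")
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (!(port in watch)) next
        if (addr == lan || addr == "127.0.0.1" || addr == "::1") next
        printf "EXPOSED %s %s:%s %s\n", $1, addr, port, $NF
    }'
}

# Constructed sample of an unhardened unit (not captured from a real device).
sample_netstat() {
    cat <<'EOF'
tcp   0   0 10.10.0.1:22     0.0.0.0:*         LISTEN       3177/dropbear
tcp   0   0 10.10.0.1:22     10.10.0.2:53060   ESTABLISHED  4326/dropbear
tcp   0   0 0.0.0.0:23       0.0.0.0:*         LISTEN       2101/telnetd
tcp   0   0 0.0.0.0:80       0.0.0.0:*         LISTEN       1502/uhttpd
tcp   0   0 127.0.0.1:53     0.0.0.0:*         LISTEN       1800/dnsmasq
udp   0   0 0.0.0.0:55555    0.0.0.0:*                      1433/ledetools
EOF
}

sample_netstat | audit_listeners
```

On the router, feed it live data with `netstat -anp | audit_listeners`; an empty result means every watched service is bound to the LAN address or loopback. Re-run it after a restore, since the thread suggests a restore may undo the changes.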

You are the man!
Thanks!

I hope I can get to this soon.
I just don't want to mess up my working unit, which is now my main device for service.
Unfortunately I am a working stiff, so, the service I have now is mandatory for me.

Thanks again!

no problem, I wanted to do this for myself, just sharing

I got snmp working - the installation on the shipped router is just totally broken

first fix the opkg distfeeds configuration to point to a repo that exists:

    cd /etc/opkg
    cp distfeeds.conf distfeeds.conf.backup
    sed -i 's/17.01-SNAPSHOT/17.01.7/' distfeeds.conf

then add this line to distfeeds.conf:

    src/gz reboot_packages http://downloads.lede-project.org/releases/17.01.7/packages/mipsel_24kc/packages

uninstall the broken snmpd package

    opkg remove snmpd

update opkg and reinstall it

    opkg update          # a bunch fail, it's ok
    opkg install snmpd   # it will warn about not overwriting the existing /etc/config/snmpd file, it's ok

    service snmpd start

now it should respond to an snmp client:

    user@mydesktop:~/$ snmpwalk -v 2c -c public 10.10.0.1
    iso.3.6.1.2.1.1.1.0 = STRING: "Linux CAP_d41d8cd9 4.4.194 #0 SMP Fri Apr 28 03:09:03 2023 mips"
    iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
    iso.3.6.1.2.1.1.3.0 = Timeticks: (39069) 0:06:30.69
    iso.3.6.1.2.1.1.4.0 = STRING: "bofh@example.com"
    iso.3.6.1.2.1.1.5.0 = STRING: "HeartOfGold"
    iso.3.6.1.2.1.1.6.0 = STRING: "office"
    iso.3.6.1.2.1.1.8.0 = Timeticks: (5) 0:00:00.05
    iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.2.1.4
    iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.1
    .... snip ...

1 Like