Posted: April 24, 2021 17:39 UTC
Series: mdm
Tags: mdm-story breaking-and-entering
592 words, 3 min read

The last part ended on a bit of a cliffhanger as we encountered the great wall of input validation. Let’s see if and how we can bypass that. The thing right now blocking me from running a traceroute to 192.168.0.100 && cat /etc/passwd is the frontend validation, so let’s bypass the frontend validation! We always could alter it in the browser, but working with a command line is easier. Running a traceroute on an accepted correct IP address results in a POST request being made to /reqproc/proc_post with isTest=false, goformId=SET_TRACEROUTE_TOOL and dest_ip=192.
Read more...

Posted: April 24, 2021 17:39 UTC
Series: mdm
Tags: mdm-story breaking-and-entering
254 words, 2 min read

When plugging the modem into a USB socket it’ll first boot into it’s bootloader mode (reports itself to the PC as “ZTE Bootloader”) and after a couple of seconds it’ll boot into the main firmware. In the main firmware it’ll report itself as an RNDIS modem. Works without issues in Linux. lsusb output in bootloader stage lsusb output in modem stage After logging in using the administrative password provided on the enclosure we’re greeted by the full functionality of the interface.
Read more...

Posted: April 24, 2021 17:39 UTC
Series: mdm
Tags: mdm-story breaking-and-entering
473 words, 3 min read

Unscrewing the two tiny philips head screws and popping the lid off of it reveals the insides of this little modem, which turns out to be not that interesting as most of the insides are EMI shielded. Looking at the edge of the PCB it seems to be a four layer board. The quality control sticker shows that it passed it in January of this year (2021). Looks like it’s not old stock they’re selling off for cheap, since I ordered it in February.
Read more...

Posted: April 23, 2021 19:06 UTC
Series: mdm
Tags: mdm-story breaking-and-entering
211 words, 1 min read

A couple of weeks ago I bought one of those no-brand LTE modems off of Aliexpress to network my laptop while I’m away from home. After some time in the electronics box curiosity got the better of me and I wanted to see what makes this thing tick and if, maybe, I could figure out why the USB data rates are so slow (125kbit down!! Upstream data rates look as expected).
Read more...