My inspiration: the wall-mount and antenna adapter from FTS Hennig.
Unfortunately, with a price tag of around 50 EUR, the mount is rather expensive. So I decided to use our new lab 3D printer and design it myself using AutoDesk’s Fusion 360 software. The result is released here under a Creative Commons license:
The mount contains two three mounting holes which can be used for screwing it against a wall as well as some cutouts at the bottom for the accessibility of the TS9 antenna, USB-C and Ethernet ports.
My model rendered by AutoDesk Fusion 360.
For the TS9 antenna ports, I am using the following TS-9 to SMA adapters, which can be screwed into the respective holes of the mount. This allows a permanent installation of an external 5G/LTE antenna, while the router can still be removed easily because the adapters line up with the router’s connectors.
This blog post covers the steps required to gain root access via Telnet on Netgear Nighthawk Mobile 5G/LTE routers. It’s the first post in a small series covering my experiences playing around with this device.
Last month I obtained one of Netgear’s latest mobile 5G routers, the Netgear Nighthawk M5 (model MR5200-100EUS). Being one of the most expensive consumer 5G routers, I was lucky to get a fairly good second-hand deal on eBay.
Gaining root access to the device is actually fairly simple in comparison to rooting modern Android-based devices. The router exposes an open TCP port providing an AT command interface. However, this port is only accessible via a tethered USB connection, not via Wifi.
Using this AT command interface, we can interact with the modem and unlock an extended command set, which allows us to enable a Telnet daemon.
(More detailed installation instructions are covered in the README file of the repo.)
2. Connect your machine via USB-C to the Netgear router.
3. Make sure to disconnect from the Netgear Wifi.
4. Open a terminal and connect to the AT command interface via netcat (nc). (Make sure not to miss the -c option, as it enables nc to use the CRLF line endings that the AT interface requires.)
nc -c 192.168.1.1 5510
5. Once connected to the AT command interface, you need to request an unlock challenge code by sending:
AT!OPENLOCK?
The previous command returns a challenge code, which we use to generate the corresponding response code with the previously installed sierrakeygen.py tool:
You can now close the AT command session by pressing Ctrl+C.
6. Power-cycle the Netgear Router to start the Telnet daemon.
Voilà, you can now telnet into the device over either the tethered USB-C cable or Wifi.
nc -c 172.23.156.129 23
��������
mdm 1623 sdxprairie
/ # uname -a
uname -a
Linux sdxprairie 4.14.117 #1 PREEMPT Thu Aug 19 23:42:26 UTC 2021 armv7l GNU/Linux
Disclaimer: Please be aware that the device security is now breached, as any device connected via Wifi or USB can gain root access to the router. The root Telnet login requires no password.
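To check that exposure on your own router (and to confirm it is gone again once Telnet is replaced), here is an added example that is not part of the original post: it connects to the Telnet port, sends a bare CRLF and classifies whether a root prompt appears before any login. The IP address is the one from the session above, and the sample banners are constructed from that session; the function names are my own.

```python
"""Check whether the Nighthawk M5 Telnet service hands out a root shell without a login.
Added example (not from the original post); sample banners are constructed from the
session shown in the post."""
import re
import socket

ROOT_PROMPT = re.compile(rb"(^|\n)/ # ")          # BusyBox root prompt in "/"
LOGIN_PROMPT = re.compile(rb"login:|[Pp]assword:")  # some form of authentication


def classify_banner(data: bytes) -> str:
    """Classify what the service returned before any credentials were sent.
    'open-root': a shell prompt appeared without a login -> device is exposed
    'login'    : a login/password prompt appeared -> some authentication is in place
    'unknown'  : nothing recognisable (different service, empty reply, ...)"""
    if ROOT_PROMPT.search(data):
        return "open-root"
    if LOGIN_PROMPT.search(data):
        return "login"
    return "unknown"


def probe(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Connect, send a bare CRLF so a waiting shell prints its prompt, then classify.
    Returns 'closed' if the port does not accept connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\r\n")
            chunks = []
            try:
                while True:
                    chunk = s.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
            except socket.timeout:
                pass  # no more data within the timeout; classify what we have
            return classify_banner(b"".join(chunks))
    except OSError:
        return "closed"


# Constructed samples mirroring the post: telnet option-negotiation bytes,
# the "mdm 1623 sdxprairie" banner, then a root prompt; and a login prompt for contrast.
SAMPLE_OPEN_ROOT = b"\xff\xfb\x01\xff\xfb\x03mdm 1623 sdxprairie\r\n/ # "
SAMPLE_LOGIN = b"\r\nsdxprairie login: "

if __name__ == "__main__":
    print(classify_banner(SAMPLE_OPEN_ROOT))  # open-root
    print(probe("172.23.156.129"))            # router IP from the post; adjust to yours
```

Run it from a machine on the router's Wifi or USB network; "open-root" means the passwordless root shell described above is reachable from that network.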
Next steps
Before proceeding, we should make sure that we can bring the device back to a secure state by replacing Telnet with a Secure Shell (SSH) daemon. In one of the next posts of this series, I will be building a statically linked version of the Dropbear SSH server to replace Telnet.
Before continuing my reverse engineering efforts on the device, I would like to ensure that I will not brick the router while doing so, by dumping the firmware and extracting all the details from it. This should allow us to restore the device by flashing the original firmware. Maybe we will even be able to run OpenWRT on it.
Some will know the problem well enough: many file hosters limit the download traffic of a single IP to a few hundred megabytes per day. Getting around this limit requires a new IP. This is probably the only advantage of dynamic IP addresses for private customers. The limited availability of IP addresses forces access providers to hand out IP addresses to routers dynamically from a pool. With a forced reconnect, the IP address then changes at least once a day. But that interval is only bounded from above. In principle, it would be possible to change one's IP address every 10 minutes, or whenever the file hoster's download limit has been reached. Normally this takes a few clicks in the router's admin menu. For the "Arcor-DSL WLAN-Modem 100", behind which a Zyxel Prestige HW660 hides, I wrote the following bash script.