hardware for european market?

[andrew-ld]

The Orbic RC400L is not easily available for purchase in Europe. The only option is to have it shipped from eBay, which often results in shipping costs that exceed the price of the product itself, along with the added risk of incurring import customs fees.

Recap

Here’s a concise markdown recap of the most important messages from the timeline:

---

Key Highlights from the Conversation

Successful Implementation

• TP-Link M7650 with MDM9240
  User mrsec-dev confirmed that Rayhunter is successfully running on the TP-Link M7650 with the Qualcomm MDM9240 chipset.

  • Screenshot of successful implementation
  • ADB and root access are enabled by default on this device, making it easy to install Rayhunter.
  • Comment link

• TP-Link M7350 with MDM9225
  Another TP-Link device, the M7350, also has ADB and root enabled by default. Testing is ongoing.

  • Comment link

---

GitHub Fork for TP-Link M7350

• User m0veax has forked the Rayhunter repository to work on porting it to the TP-Link M7350.
  • Forked Repository: m0veax/tplink_m7350
  • Contributions and collaboration are welcome.
  • Comment link

---

Matrix Channel for Collaboration

• A Matrix channel has been set up for collaboration on porting Rayhunter to the TP-Link M7350.
  • Join the conversation here: Matrix Channel
  • Comment link

---

Device Compatibility Discussions

• ZTE R219-z
  User rbomze ordered the ZTE R219-z (Vodafone R219) and will test Rayhunter on it once it arrives.

  • Comment link

• AceTel R705 4G LTE Cat4 MIFI Router
  User MatejKovacic suggested the AceTel R705 as another potential candidate for Rayhunter.

  • Comment link

---

European Market Compatibility

• Several users highlighted the need for devices that support European LTE bands (e.g., B3, B7, B8, B20).
  • Devices like the Ruckus Wireless M510 and Sunhans OEM&ODM eSIM MiFi Router were suggested as alternatives.
  • Comment link

---

AT Commands for Band Unlocking

• User MatejKovacic mentioned the possibility of using AT commands (e.g., AT+QCFG="band") to unlock additional bands on devices like the Orbic RC400L.
  • Comment link

---

Next Steps

• Testing Rayhunter on more devices (e.g., ZTE R219-z, TP-Link M7350).
• Collaboration on the m0veax/tplink_m7350 fork.
• Join the Matrix Channel for real-time discussions.

[MatejKovacic]

There is another problem with this device in Europe. In user manual it is written that it supports: Band Designation CAT 4 LTE Bands LTE Bands: B2/B4/B5/B13/B66 UMTS Bands: B2/B4/B5/B8

In my country mobile operators are using LTE bands B3, B7, B8 and B20. So it seems that this device would not work in my country and also not in Europe in general...

If that is correct, this needs to be clearly written on the first page. Also, we are in desperate need of alternatives. :)

[MatejKovacic]

I have done some searching and this device seems interesting:

Ruckus Wireless M510 Access Point. It seems that it supports European LTE bands, and also has Qualcomm MDM9207 chipset (the same as Orbic RC400L).

Another interesting one is this:

Sunhans OEM&ODM eSIM MiFi Router, it also seems that it supports European LTE bands, and also has Qualcomm MDM9207 chipset.

What do you think?

[MatejKovacic]

Also, I came across this device: SHM7520A 4G 5G WiFi Router, where (in user specification) is written that the frequency bands can be customized. Could be the same with Orbic RC400L?

[pgonin]

it would be nice if it worked with GL-AR300M https://www.gl-inet.com/products/gl-ar300m/#specs

[MatejKovacic]

I don't think so. GL.iNet routers use Quectel chipsets for LTE (Qualcomm only for WiFi)...

[tbpoetke]

what about laptop with sim card and linux installed?

[MatejKovacic]

I think the point is that software is written for a specific LTE chipset.

[andrew-ld]

in my opinion with little effort you can port the software to run on other hardware as well but a strict requirement is the ability to capture modem traffic.

I don't know if this is widely expected by modems or if it is something niche.

[MatejKovacic]

I have found another possible candidate: AceTel R705 4G LTE Cat4 MIFI Router

[MatejKovacic]

in my opinion with little effort you can port the software to run on other hardware as well but a strict requirement is the ability to capture modem traffic.

I don't know if this is widely expected by modems or if it is something niche.

As I remember (SnoopSnitch and AIMSICD project), you need a specific baseband chipset to be able to capture modem traffic. That is why we are looking for Qualcomm chipset.

[MatejKovacic]

On some devices you can use AT commands, and there is one interesting command on Quectel devices: AT+QCFG="band" (see this explanation how to unlock additional bands).

I can not find if you can run AT commands on Orbic RC400L, can someone help with this?

[Alifoss]

This would be great if there would be an easily portable solution available for the European market aswell. I've read the article on eff.org, i quote:

We also hope to get a clearer picture of the extent of CSS usage outside of the U.S., especially in countries that do not have legally enshrined free speech protections.

Perhaps there are already plans to 'expand' once the project grows, given that statement?

I'm very interested in this project and will certainly keep an eye on it. If there would come an 'easily deployable' alternative on a router that support european bands, i will happily contribute data.

[rbomze]

i found this having the Qualcomm MDM9207: https://www.aliexpress.com/item/1005004378638160.html shipping to France, UK, Poland. Strangely not to Germany. Did not check other countries.

[MatejKovacic]

They are also on Ebay.de, so I guess it is not a problem for Germany. The main question is - doe Rayhunter work on this device? Can someone test it?

[mrsec-dev]

TpLink M7650 with MDM9240 seems to work

[Alifoss]

TpLink M7650 with MDM9240 seems to work

Allthough a little on the expensive side, availability wise globally, this would be a great option.

[MatejKovacic]

Source? Have you tested it or you have someone to confirm it is working?

[mrsec-dev]

Have it running. currently testing, but seems to work: https://paste.pics/f1737d2750d41d9c04d8f82af5afc7fb

[rbomze]

They are also on Ebay.de, so I guess it is not a problem for Germany. The main question is - doe Rayhunter work on this device? Can someone test it?

We'll know in about 7-12 days when my order arrives. 😅 (I am referring to the ZTE R219-z, also labeled Vodafone R219, for ~21usd with shipping)

[MatejKovacic]

@mrsec-dev - this is great news! Just a question - how did you install Rayhunter? Because instructions on the Github are not very clear. I guess, you need to connect device to your computer with USB cable, but then what? How do you put the device into development mode? (I guess this means that you enable ADB on the device).

[mrsec-dev]

@MatejKovacic Thats very easy with this device... connect to wlan -> adb connect x.x.x.x -> adb shell -> rootshell ^^ There is a rootshell from stock.

[MatejKovacic]

Ah, so ADB is already enabled on this device and you just connect to it through web ADB? I wonder if it is the same with other devices (especially ZTE R219-z)...?

[mrsec-dev]

Yes, already enabled and rootshell. I assume this is a TPLink thing. Got another one: TP-Link M7350 with MDM9225 which has adb and root enabled. Will try this one too if i find it on the weekend.

[m0veax]

Yes, already enabled and rootshell. I assume this is a TPLink thing. Got another one: TP-Link M7350 with MDM9225 which has adb and root enabled. Will try this one too if i find it on the weekend.

Yeah, I already started reading the sources of this project and guess, that we can run it on the device.

For rooting and adb, check out our research repository about that device.

open.sh is the best way we implemented

https://github.com/m0veax/tplink_m7350

Going to fork this repo and start implementing everything needed to port it to tplink-m7350.

Feel free to join us, matrix is linked in the repo.

[m0veax]

Created a fork. Will work on this tomorrow:)

https://github.com/m0veax/rayhunter-tplink-m7350

[wgreenberg]

On some devices you can use AT commands, and there is one interesting command on Quectel devices: AT+QCFG="band" (see this explanation how to unlock additional bands).

I can not find if you can run AT commands on Orbic RC400L, can someone help with this?

rayhunter's serial binary (part of the installation process) lets you run AT commands, check out https://github.com/EFForg/rayhunter/blob/main/dist/install-common.sh#L63

[wgreenberg]

@mrsec-dev @m0veax that's awesome, are you aware of any TPLink devices that are under $50 USD? it's be great to support a cheap device that's got adb/rootshell by default.

[m0veax]

@mrsec-dev @m0veax that's awesome, are you aware of any TPLink devices that are under $50 USD? it's be great to support a cheap device that's got adb/rootshell by default.

a new tplink-m7350 is about 60€. You can find used ones for half the price

[m0veax]

need to downsize rayhunter-daemon because the tplink devices does not have as much space free

UPDATE: found enough space on /dev/shm ... it's tmpfs but good enough for trying

[m0veax]

Good News!