Can Rayhunter provide a way to disable wifi or change the wifi password when you haven't activated?
From a security standpoint, it would be great if Rayhunter didn't require the SIM to be activated. I would like to try that out. It kind of defeats the purpose if a CSS can get the IMSI that you've activated with Verizon.
HOWEVER, the only obvious way to change the wifi password is if you've activated the Orbic. Does anyone have a workaround for this? And there is no way to turn off the wifi that I can find.
I would love it if the Rayhunter web page would either let me disable the wifi entirely (preferred) or at least let me change the wifi password.
It's certainly possible; while spelunking through the device I found the password stored in one or two places on-disk, so those might be how the WPA validation's done.
While tethered, going to http://my.jetpack will show you a different Web interface to configure the device. The username is admin and the password is the same as the WPA2 passphrase for the default APs (you can view it on the device itself by going through the menus). It looks like you might be able to turn off both WiFi radios. I was at least able to not broadcast the SSID.
On the device itself, turning off WiFi 2.4GHz just enables 5GHz, and vice versa. Maybe this web interface has more control?
I am trying to look into this also. I have it set up with an unactivated SIM and would like to disable Wifi.
While tethered, going to http://my.jetpack will show you a different Web interface to configure the device.
I have been trying to do this, but cannot seem to tether via USB successfully, and so can't connect to http://my.jetpack.
(obviously I will need USB tether to be successful, since I would like to disable the Wifi)
It doesn't seem to be recognized as a modem, for some reason. I suspect I need to use usb_modeswitch, but it seems complicated to get the syntax correct and I am out of time for now.
sudo dmesg | tail
[ 6485.691304] usb 1-1.2: new high-speed USB device number 17 using xhci_hcd
[ 6485.811038] usb 1-1.2: New USB device found, idVendor=05c6, idProduct=f601, bcdDevice= 3.18
[ 6485.811041] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 6485.811042] usb 1-1.2: Product: MDM9207-MTP _SN:719D5C45
[ 6485.811042] usb 1-1.2: Manufacturer: Android
[ 6485.811043] usb 1-1.2: SerialNumber: 719d5c45
lsusb | grep -i MDM9207
Bus 001 Device 017: ID 05c6:f601 Qualcomm, Inc. MDM9207-MTP _SN:719D5C45
lsusb -t
/: Bus 001.Port 001: Dev 001, Class=root_hub, Driver=xhci_hcd/16p, 480M
    |__ Port 001: Dev 002, If 0, Class=Hub, Driver=hub/4p, 480M
        |__ Port 002: Dev 017, If 0, Class=Vendor Specific Class, Driver=[none], 480M
        |__ Port 002: Dev 017, If 1, Class=Vendor Specific Class, Driver=[none], 480M
        |__ Port 002: Dev 017, If 2, Class=Vendor Specific Class, Driver=[none], 480M
        |__ Port 002: Dev 017, If 3, Class=Vendor Specific Class, Driver=[none], 480M
        |__ Port 002: Dev 017, If 4, Class=Vendor Specific Class, Driver=usbfs, 480M
        |__ Port 002: Dev 017, If 5, Class=Vendor Specific Class, Driver=[none], 480M
mmcli -L
No modems were found
@joelishness Have you tried following these Android tethering config steps (or something similar)? I am going to test this later for this device specifically - though in the past I've had to do this in order to get USB tethering to work.
https://wiki.archlinux.org/title/Android_tethering
Is there a way for someone with no Android dev experience to connect to the device by wifi? I don't have a Verizon sim and that is probably why I'm stuck at "Retrieving data usage info." There doesn't seem to be a way to get the password from the device without a working sim. Even if a non-Verizon one works, I don't have spare activated sims that I can give up to be able to use the device. (And can't immediately access one to test anyway.)
Given that I'm apparently unable to install the xcode tools on this old Mac, I can't access it by USB either. So at the moment I have something that is installed but otherwise not usable.
Update: I figured it out! There's a small rectangular button on the side of the device, that is how you access the menu. 🤦🏻 Yay tiny black on black thing.
I'll open a PR with a doc update when I get a chance.
@joelishness Have you tried following these Android tethering config steps (or something similar)? I am going to test this later for this device specifically - though in the past I've had to do this in order to get USB tethering to work.
https://wiki.archlinux.org/title/Android_tethering
Yes, this is what I used for reference (among others) and how I determined that I probably need to use usb_modeswitch. The problem seems to be that device 05c6:f601 is not included with the usb_modeswitch udev rules for automatic recognition...
ls -1 usb_modeswitch.d/ | grep -i 05c6
05c6:0010
05c6:1000:sVe=GT
05c6:1000:sVe=Option
05c6:1000:uMa=AnyDATA
05c6:1000:uMa=CELOT
05c6:1000:uMa=Co.,Ltd
05c6:1000:uMa=DGT
05c6:1000:uMa=Option
05c6:1000:uMa=Qualcomm
05c6:1000:uMa=SAMSUNG
05c6:1000:uMa=SSE
05c6:1000:uMa=StrongRising
05c6:1000:uMa=Vertex
05c6:2000
05c6:2001
05c6:6503
05c6:9024
05c6:98ff
05c6:f000
... and therefore is not activated as a modem. I believe usb_modeswitch can be used to manually switch it from usbfs driver to modem driver, but I haven't invested the time to figure out how.
I'm able to connect to the wifi without an active SIM. You shouldn't need to tether to access the wifi; the psk should be displayed on the device's screen. Navigate to 192.168.1.1 to access the web portal; the admin password should be the same as the psk. If you can't access the device's screen, your password should be the first and last 4 characters of the sha256sum of your IMEI, which is printed on the inside of the battery compartment. E.g., if your IMEI is 012345678987654, your wifi psk and admin password should be 7678c068.
If you grep around the hard drive you'll notice the wifi configuration on disk. I had a file called /usrdata/data/usr/wlan/wlan_conf_6174.xml. After pretty printing:
<wlan>
<Feature>
<state>1</state> <--------------------------- set <state>0</state> to disable *ALL* wifi, or...
<work_mode>3</work_mode>
<pmf_flag>0</pmf_flag>
<psw_visible>1</psw_visible>
<ssid_visible>1</ssid_visible>
</Feature>
<Basic_0>
<state>1</state> <--------------------------- set <state>0</state> to disable 2.4G wifi
<ssid>Verizon-RC400L-64</ssid>
<security>4</security>
<psk>7678c068</psk>
<encrypt>2</encrypt>
<broadcast_ssid>1</broadcast_ssid>
<max_client>10</max_client>
</Basic_0>
<Advance_0>
<country>US</country>
<wifi80211mode>4</wifi80211mode>
<band>0</band>
<bandwidth>0</bandwidth>
<channel>0</channel>
<channel_list>1-11</channel_list>
<wifiofftime>10</wifiofftime>
<ap_isolate>0</ap_isolate>
<ap_wmm>0</ap_wmm>
</Advance_0>
<WPS_0>
<wps_enable>1</wps_enable>
<wps_default_ap_pin>redacted</wps_default_ap_pin>
</WPS_0>
<Basic_1>
<state>0</state> <--------------------------- and set <state>0</state> to disable 5G wifi
<ssid>Verizon-RC400L-65</ssid>
<security>4</security>
<psk>7678c068</psk>
<encrypt>2</encrypt>
<broadcast_ssid>1</broadcast_ssid>
<max_client>10</max_client>
</Basic_1>
<Advance_1>
<country>US</country>
<wifi80211mode>5</wifi80211mode>
<band>1</band>
<bandwidth>0</bandwidth>
<channel>0</channel>
<wifiofftime>10</wifiofftime>
<ap_isolate>0</ap_isolate>
<ap_wmm>0</ap_wmm>
</Advance_1>
<WPS_1>
<wps_enable>1</wps_enable>
<wps_default_ap_pin>redacted</wps_default_ap_pin>
</WPS_1>
<ACL_0>
<acl_mode>0</acl_mode>
<acl_num>0</acl_num>
<acl_mac/>
</ACL_0>
<ACL_1>
<acl_mode>0</acl_mode>
<acl_num>0</acl_num>
<acl_mac/>
</ACL_1>
<STA>
<state>0</state>
<ap_ssid></ap_ssid>
<ap_security>0</ap_security>
<ap_encryption>0</ap_encryption>
<ap_password>redacted</ap_password>
</STA>
</wlan>
This disabled wifi for me while keeping the rest of the device functional. The on device UI still shows 5GHz wifi as active in the menu, but the wifi icon isn't on the top bar, and I can't detect any wifi signal coming from the device with other hardware I have.
If I just set Basic_0 and Basic_1 state to 0, I see:
% ip addr
[snip]
17: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 3000
...
18: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 3000
But if I set Feature state to 0, I don't see any wlan devices when running ip link.
Setting either Feature state to 0 or both Basic states to 0 will disable wifi.
Wifi capability is embedded in the MDM9607 chip. I've been reversing some of the userspace binaries and libraries on the disk and there's probably more ways to configure the wifi settings directly on the chip via the control interface instead of using config files. I don't know if the config files will get overwritten on device firmware upgrade or not. However, this should suffice to disable wifi entirely for now. Please let me know if you notice this file getting overwritten (maybe by the web interface?).
your password should be the first and last 4 characters of the sha256sum of your IMEI, which is printed on the inside of the battery compartment. e.g., if your imei is 012345678987654, your wifi psk and admin password should be 7678c068.
This has the interesting implication that if Alice is running an Orbic with default settings and Bob can learn Alice's IMEI, Bob has access to the web interface.
Also, it's just 8 hex characters, so it's not like brute-force cracking the PSK after capturing a handshake would take long either.
But if I set Feature state to 0, I don't see any wlan devices when running ip link. Setting either Feature state to 0 or both Basic states to 0 will disable wifi.
Confirmed! I leveraged the rootshell to edit the file, and for me it didn't take effect until reboot. Adding some more details for others...
To disable wifi:
adb shell
/bin/rootshell -c "sed -i 's/<wlan><Feature><state>1<\/state>/<wlan><Feature><state>0<\/state>/g' /usrdata/data/usr/wlan/wlan_conf_6174.xml"
/bin/rootshell -c reboot
To enable wifi:
adb shell
/bin/rootshell -c "sed -i 's/<wlan><Feature><state>0<\/state>/<wlan><Feature><state>1<\/state>/g' /usrdata/data/usr/wlan/wlan_conf_6174.xml"
/bin/rootshell -c reboot
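As an added example (not code from the Rayhunter project or from anyone in this thread), the same Feature/state switch done by parsing the XML instead of pattern-matching it: the sed one-liner above only matches when `<wlan><Feature><state>` sit adjacent on one line, as in the raw on-disk file but not in the pretty-printed copy shown earlier, and the parser also reports the settings a defender would tighten (WPS, on-screen passphrase, SSID broadcast). The sample config is constructed from the elements quoted above with the PSKs redacted; it assumes the file carries no XML declaration, which `ET.tostring` would drop.

```python
# Added example, not Rayhunter code: audit and toggle the Orbic
# wlan_conf_6174.xml layout discussed in this thread.
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the thread discusses.
SAMPLE_CONF = """<wlan>
<Feature><state>1</state><work_mode>3</work_mode><psw_visible>1</psw_visible>
<ssid_visible>1</ssid_visible></Feature>
<Basic_0><state>1</state><ssid>Verizon-RC400L-64</ssid><security>4</security>
<psk>REDACTED</psk><broadcast_ssid>1</broadcast_ssid></Basic_0>
<WPS_0><wps_enable>1</wps_enable></WPS_0>
<Basic_1><state>0</state><ssid>Verizon-RC400L-65</ssid><security>4</security>
<psk>REDACTED</psk><broadcast_ssid>1</broadcast_ssid></Basic_1>
<WPS_1><wps_enable>1</wps_enable></WPS_1>
</wlan>"""


def _flag(root, path):
    """True when the element at `path` exists and holds the text "1"."""
    node = root.find(path)
    return node is not None and node.text is not None and node.text.strip() == "1"


def wifi_enabled(xml_text):
    """A radio can come up only if Feature/state is 1 AND at least one
    Basic_N/state is 1 (the two switches the thread found)."""
    root = ET.fromstring(xml_text)
    if not _flag(root, "Feature/state"):
        return False
    return any(_flag(root, f"Basic_{i}/state") for i in range(2))


def audit(xml_text):
    """Warnings for settings worth tightening on radios that are on."""
    root = ET.fromstring(xml_text)
    warnings = []
    if _flag(root, "Feature/psw_visible"):
        warnings.append("passphrase is shown on the device screen")
    for i in range(2):
        if not _flag(root, f"Basic_{i}/state"):
            continue  # radio off, its WPS/broadcast flags are moot
        if _flag(root, f"WPS_{i}/wps_enable"):
            warnings.append(f"WPS enabled on radio {i}")
        if _flag(root, f"Basic_{i}/broadcast_ssid"):
            warnings.append(f"SSID broadcast on radio {i}")
    return warnings


def set_wifi(xml_text, enabled):
    """Rewrite Feature/state and return the new document text (reboot still
    needed on the device, as noted above)."""
    root = ET.fromstring(xml_text)
    root.find("Feature/state").text = "1" if enabled else "0"
    return ET.tostring(root, encoding="unicode")
```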
Yes, for me it didn't work until after rebooting as well. Thanks for making the easy-to-use sed-based instructions! We can see what willg and cooperq think about either folding this functionality into the daemon (as Rust) or leaving it in a "tips and tricks" section for powerusers.
I'm able to connect to the wifi without an active SIM. You shouldn't need to tether to access the wifi, the psk should be displayed on the device's screen. Navigate to 192.168.1.1 to access the web portal, the admin password should be the same as the psk.
Confirming that if you don't want to wholly disable wifi, you can at least use the my.jetpack / 192.168.1.1 web interface to:
- change the ssid
- change the password
- stop showing the password on the screen
- stop broadcasting the ssid
- change the admin username
- change the admin password
Accessed through Settings > Wireless > WLAN Settings and Settings > Management > System Admin