Hi all,
I have figured out a way to unlock and enable hidden settings in the Sercomm LTE2122GR. It's a very good Cat18 600Mbps router available for under £30 ( https://www.ebay.co.uk/itm/295560905697 )
I wanted to see if I can make it work with non-Three networks ( Vodafone in my case ) and saw that even though the LTE signal lights would be green, the internet light would keep on blinking and internet never worked.
As a few lights are controlled by the modem itself and the UI was sensing signal strength with the Vodafone SIM, I guessed that the modem itself is SIM unlocked but the router might be forcing the 3internet APN for Three.
I thought of getting access to the UART (serial) connection and maybe changing the APN, but even after many hours of probing voltages and UART receive pins, it was a dead end. Disappointed, I assembled the router back again and turned my focus to a software attack.
To my amazement, it took only 20 minutes for this to happen.
While going through the Chrome Developer Tools while the web interface was loaded, I searched for APN and landed on source where it checks whether "usertype" is "enduser" or "admin". Even though I was logged in as admin, the console reported that the usertype returned was "enduser". This hinted at "superadmin" users being present. As the web UI is a modern reactive UI, it configured itself based on details from a request
This JSON has usertype set to enduser and some settings screens disabled when the corresponding value is "0".
That's it, I just started Charles Proxy, which is a debugging MITM (man-in-the-middle) proxy, created a rewrite rule to change the value of usertype from enduser to admin and change all "0" -> "1" before it reaches the browser, reloaded the web UI and voila, all hidden settings are enabled and I am able to change the APN to Vodafone and IT JUST WORKS !!
Surprisingly, it actually works better than my ZTE MF286D.
So anyone who wants to enable it, follow this:
1. Install Charles Proxy ( https://www.charlesproxy.com/ )
2. Download Charles rewrite rules from https://gist.github.com/shantur/b1a9d9de83b9bc2f6410b76a1831a033
3. Go to Tools > Rewrite
4. Click Import and select the downloaded rule file
5. Check Enable Rewrite for both options.
6. Router won't complete setup if setting it up with a non-Three SIM. So both Rewrite options should be enabled.
7. Check Proxy is started in Proxy menu.
8. Check Proxy port from Proxy settings.
9. Now search how to set up a proxy for your browser and set Charles as the proxy, either temporarily for all or just for 192.168.1.254
10. Open http://192.168.1.254 in your browser and log in to the router admin page.
11. If it's the first time, just change the APN to what you want.
12. Reboot the router and disable the Wizard rewrite rule in Charles.
13. Once the router has rebooted, open http://192.168.1.254 in the browser again and log in, the wizard will be completed now.
14. Be surprised with all the options.
Change the IP in the URLs and Charles file as per your setup.
Charles is a demo version and the same attack can be done with free MITMProxy. If someone does it, please share the steps.
Time for the show
ChangeLog:
2023-05-03 - Changed location of Rewrite rules to Github
2023-05-01 - Updated Rewrite rules to handle first time setup with different SIM.
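
Added example (not part of the original post, and not the router's firmware code): the post shows a web UI that hides settings based on a JSON response while the device still accepts the resulting changes, so this sketch puts that weak pattern beside a handler that checks the role held in the server-side session. Only `usertype`, `enduser` and `admin` come from the post; the screen keys, handler names, status codes and sample values are assumptions made for illustration.

```javascript
// Constructed sample of the UI-config response described in the post. Only
// "usertype" and its values come from the post; the screen keys are hypothetical.
const SERVER_CONFIG = { usertype: "enduser", apn_settings: "0", wifi_settings: "1" };
// The same response after an in-path rewrite of the kind the post describes.
const REWRITTEN_CONFIG = { usertype: "admin", apn_settings: "1", wifi_settings: "1" };

// Hypothetical server-side policy: minimum role allowed to write each screen.
const REQUIRED_ROLE = new Map([["apn_settings", "admin"], ["wifi_settings", "enduser"]]);
const RANK = new Map([["enduser", 0], ["admin", 1]]);

// Client side: the UI renders whatever the response marks as enabled ("1").
function visibleScreens(uiConfig) {
  return Object.keys(uiConfig).filter((k) => k !== "usertype" && uiConfig[k] === "1");
}

// Weak pattern: any logged-in session may write; hiding the screen was the only gate.
function handleWriteWeak(session, screen, value, store) {
  if (!session) return 401;
  store.set(screen, value);
  return 200;
}

// Hardened pattern: the role is read from the server-side session on every write.
// Unknown screens and unknown roles fail closed.
function handleWriteHardened(session, screen, value, store) {
  if (!session) return 401;
  if (!REQUIRED_ROLE.has(screen)) return 404;
  const have = RANK.get(session.role);
  const need = RANK.get(REQUIRED_ROLE.get(screen));
  if (have === undefined || have < need) return 403;
  store.set(screen, value);
  return 200;
}

// Runs both handlers for an "enduser" session whose browser saw the rewritten config.
function demo() {
  const session = { role: "enduser" }; // constructed server-side session record
  const weakStore = new Map();
  const hardStore = new Map();
  return {
    shownBefore: visibleScreens(SERVER_CONFIG),
    shownAfter: visibleScreens(REWRITTEN_CONFIG),
    weak: handleWriteWeak(session, "apn_settings", "example.apn", weakStore),
    hardened: handleWriteHardened(session, "apn_settings", "example.apn", hardStore),
    hardenedStored: hardStore.has("apn_settings"),
  };
}

console.log(demo());
```

Logging every 403 from the hardened handler also gives a detection signal: a session that keeps requesting screens its role cannot write is seeing a UI the server never offered it.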