WIP: Hacking the Nokia Fastmile (T-Mobile’s 5G Gateway)


As part of my 5G home internet offering, Optus bundles a 5G gateway called the Nokia Fastmile. The same device appears to be shipped by T-Mobile for their 5G offering and is affectionately known as the ‘garbage can’ in r/tmobileisp.

Nokia Fastmile Stock Image

Naturally, the first thing I tried to do was get root access on it.

Finding a Privilege Escalation Bug

Right away, the first thing I noticed is that the supplied userAdmin credentials printed on the bottom of the device appear to be a low-level account.

Looking at the requests made when logging in immediately reveals an authenticated privilege escalation vulnerability. This likely also affects other Nokia devices. My firmware version: 3TG00118ABAD52.

When logging in, a call is made to POST /login_web_app.cgi.

If you intercept the response you will see that there is a variable called “is_ctc_admin”.

Change “is_ctc_admin” to 1

If you change this in the response to 1 you get access to extra functionality and full admin. The vulnerability is a classic access control issue where authorisation is handled only on the client side.

Now we have access to an additional tab but also extra functionality in some existing tabs.

SPAN Ports!
QOS
Backup and Restore Configuration
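
The fix for this class of bug is to pin the role to the session on the server and check it on every privileged request. The sketch below models both patterns; it is an added illustration, not code from the Fastmile firmware, and every name, credential and path in it other than is_ctc_admin is constructed.

```python
import secrets

# Constructed accounts and paths (assumptions, not taken from the device).
ACCOUNTS = {
    "userAdmin": {"password": "printed-on-label", "is_ctc_admin": 0},
    "operator": {"password": "operator-secret", "is_ctc_admin": 1},
}
ADMIN_ONLY = {"/port_mirror", "/qos", "/backup_restore"}  # hypothetical paths
SESSIONS = {}  # session id -> role, stored only on the server


def login(user, password):
    """Authenticate and return the response body sent to the browser."""
    acct = ACCOUNTS.get(user)
    if acct is None or not secrets.compare_digest(acct["password"], password):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = acct["is_ctc_admin"]  # role pinned server-side
    # The flag in the response is only a UI hint for which tabs to draw.
    return {"sid": sid, "is_ctc_admin": acct["is_ctc_admin"]}


def handle_client_trusting(path, sid, client_state):
    """Flawed pattern: any valid session may fetch any page; hiding the
    admin tabs is left to the browser, which reads client_state."""
    if sid not in SESSIONS:
        return 401
    return 200


def handle_server_enforced(path, sid, client_state):
    """Hardened pattern: the role comes from the server-side session and
    client_state is ignored when deciding access."""
    role = SESSIONS.get(sid)
    if role is None:
        return 401
    if path in ADMIN_ONLY and role != 1:
        return 403
    return 200
```

With the server-side check in place, editing the flag in the login response only changes which tabs the browser draws; the requests behind those tabs are refused.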

Editing the Configuration

Doing some Googling I came across this neat guy who figured out the structure of Nokia’s configuration file format and wrote a tool to unpack and pack configuration files so that you can make changes that are not available through the web interface.

Unlocking IAM’s Nokia G-240W-A router (Part 1) · 0x41.cf

The tool he wrote also works for the Nokia Fastmile: https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a

Following the write-up gets us all the way to SSH/Telnet access to the device, however we’re stopped by this annoying password prompt for shell access.

None of the passwords in the configuration file work for this shell password.

???

Some other comments mention changing LimitAccount_ONTUSER to false and logging in with ONTUSER:SUGAR2A041, however this doesn’t appear to work for the Fastmile.

Giving Up and Moving to Looking at Hardware

randomsrvapps over at Whirlpool appears to have managed to get a trivial root shell via UART/ADB, revealing that the device is Android based? Let’s verify this.

Flipping the device over we see some ports that appear to be covered (circled in yellow in the picture).

These stickers can only be removed from the rear as the stickers they used are pretty strong. By undoing the bolts circled in red (Torx T15H) and removing the SIM card, the feet come off and we can push out the stickers.

This shows a USB-C port and two RJ12 ports.

USB-C is High Exquisite

It runs Android?

As per the thread, plugging into the USB-C port and running ADB shell gives us an immediate root shell on the device.

Apparently it has a Snapdragon 855 in it, the same processor that was in previous generation flagships like the Google Pixel 4.

Snapdragon 855

I also confirmed that you can get this same console access by plugging into the pins outlined in the thread. These terminals are 1.8v logic level and the pins from inside to out are RX, TX, and ground with a baud rate of 115200.

Having a look around via ADB shell reveals some oddities.

The biggest being that the IP addressing scheme of my local network configured via the web UI (172.10.0.0/24) is non-existent and some random private subnet 192.168.85.0/24 shows up.

Performing a traceroute from my local machine we see traffic get routed through this 192.168.85.0/24 subnet as well.

The First Hop Is My pfsense Firewall (I’m Running Double NAT)

This can also be verified by performing a tcpdump with a filter on the Fastmile while pinging 9.9.9.9.

Why is our IP address 192.168.85.6??

I immediately copied over a precompiled binary of busybox onto the Fastmile to try to run ARP.

Then the realisation came.

It’s Two Devices in One Box!

Nokia have basically taped a 5G capable phone to one of their old Alcatel-Lucent routers and shipped it in a cylindrical box. This also explains why the configuration modification tool earlier worked flawlessly.

Having root on the Android side doesn’t help at all with getting root on the router side!

Using this information we can also enable remote Android debugging by first adding a firewall rule.

iptables -I INPUT 1 -s 192.168.85.6 -j ACCEPT

Enabling remote debugging on a port.

adb tcpip 5555  # While connected via USB.

Then connecting remotely without needing to be tethered to the device.

Looking back at the physical device again you can also see two different PCB types.

UART pins are also provided for the router side that are easily accessible. These pins are 3.3v logic level and the pins from inside out are ground, RX, TX with a baud rate of 115200.

Letting it boot while connected via UART drops us into the same restricted shell that we had earlier via SSH where we don’t know the ‘shell’ password. Not useful.

Interrupting boot drops us in CFE but I don’t have the patience to dump the image over serial as that would take ~4 days. Otherwise, I’m not too familiar with CFE and am not super keen on turning my Fastmile into a $400 brick.

Changing the GPON Password Board Parameter Doesn’t Do Anything

If anyone else has any advice/information feel free to ping me at email, we still aren’t root after all this.

Teardown

Out of curiosity, I took the device apart a bit more as I hadn’t seen any other write-ups detailing this.

Tracing back to the step where we’d removed the bottom of the device, the next step of disassembly is to bend back the clips around the perimeter circled in red. I’ve also circled the UART pins in yellow for clarity.

Now you can flip the device and lift up the white shell to reveal the antennas.

Every screw from here on is a Torx T8H. Looking at the top there are 5 bolts to undo which loosen the LED indicator board.

With the top LED indicator board off we can see where all of the antennas terminate. If you wanted to connect an external antenna, this is where you would do it.

Unfortunately, accessibility to the connectors is very limited as some snake under the heatsink. I did try removing the heatsink later but it was pretty solidly stuck to the PCB so I’m not sure if it’s held together with a thermal epoxy or if I missed some bolts.

Next up, looking at the side of the device with the smaller heatsink (Android side), there are two more bolts on the diagonal face to loosen.

This lets you lift up 2/5 sides of the antenna assembly, revealing the Android device.

Removing the 4 bolts that hold the Android side in allows you to lift and fold the device over like we have done with the antenna panels.

This also reveals the bottom of the Alcatel-Lucent router and the electrical interconnect between the two devices in the bottom right.

I didn’t go any further as the router side is mostly covered up by its heatsink and if it’s anything like the Android side then it was likely to also be difficult to remove.

WRITTEN BY

Charlie Layers
