Modem - jamesmacwhite/hh70-ee GitHub Wiki
The Qualcomm MDM9640 modem is accessible through either 192.168.225.1 or the IPv4 address displayed in the web interface, for the 4GEE Home Router this is usually the IPv4 address displayed on the status page when using IPv4 and IPv4v6 mode. The modem OS is Android based.
There are specific firewall rules on the router side preventing connections to services like SSH and telnet on 192.168.225.1, but you can either connect to the modem by using telnet or SSH into the 4GEE Home Router itself first (bypasses the firewall zone rules) or just directly connecting to the assigned IPv4 address usually starting with 19.x.x.x, 10.x.x.x or 100.x.x.x depending on what address is assigned, which doesn't have firewall rules for telnet, SSH etc. The root login details used by the router are the same for the modem.
Below are nmap scans of the two IP addresses with the default firewall rules in place, note the filtered state with both IP addresses.
root@linksys-wrt3200acm:~# nmap -sT -v 192.168.225.1
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-25 09:33 BST
Initiating Ping Scan at 09:33
Scanning 192.168.225.1 [4 ports]
Completed Ping Scan at 09:33, 0.25s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:33
Completed Parallel DNS resolution of 1 host. at 09:33, 0.00s elapsed
Initiating Connect Scan at 09:33
Scanning 192.168.225.1 [1000 ports]
Discovered open port 80/tcp on 192.168.225.1
Discovered open port 53/tcp on 192.168.225.1
Completed Connect Scan at 09:33, 1.39s elapsed (1000 total ports)
Nmap scan report for 192.168.225.1
Host is up (0.020s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
139/tcp filtered netbios-ssn
389/tcp filtered ldap
445/tcp filtered microsoft-ds
5555/tcp filtered freeciv
7777/tcp filtered cbt
8888/tcp filtered sun-answerbook
root@linksys-wrt3200acm:~# nmap -sT -v 19.64.60.239
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-25 09:36 BST
Initiating Ping Scan at 09:36
Scanning 19.64.60.239 [4 ports]
Completed Ping Scan at 09:36, 0.26s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:36
Completed Parallel DNS resolution of 1 host. at 09:36, 0.13s elapsed
Initiating Connect Scan at 09:36
Scanning 19.64.60.239 [1000 ports]
Discovered open port 445/tcp on 19.64.60.239
Discovered open port 22/tcp on 19.64.60.239
Discovered open port 23/tcp on 19.64.60.239
Discovered open port 80/tcp on 19.64.60.239
Discovered open port 139/tcp on 19.64.60.239
Completed Connect Scan at 09:36, 1.54s elapsed (1000 total ports)
Nmap scan report for 19.64.60.239
Host is up (0.020s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5555/tcp filtered freeciv
7777/tcp filtered cbt
netstat
root@mdm9640:~# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 554/smbd
tcp 0 0 127.0.0.1:5037 0.0.0.0:* LISTEN 189/adbd
tcp 33 0 0.0.0.0:80 0.0.0.0:* LISTEN 1335/webs
tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN 189/adbd
tcp 0 0 192.168.225.1:53 0.0.0.0:* LISTEN 2738/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 507/sshd
tcp 0 0 192.168.225.1:8888 0.0.0.0:* LISTEN 7781/nc
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 554/smbd
tcp 0 0 0.0.0.0:2016 0.0.0.0:* LISTEN 1103/core_app
tcp 0 0 192.168.225.1:7777 0.0.0.0:* LISTEN 694/qmi_ip_multicli
tcp 0 0 fe80::dc5e:e1ff:fe65:5854:53 :::* LISTEN 2738/dnsmasq
tcp 0 0 :::22 :::* LISTEN 507/sshd
tcp 0 0 :::23 :::* LISTEN 655/telnetd
udp 0 0 192.168.225.1:53 0.0.0.0:* 2738/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 2738/dnsmasq
udp 0 0 192.168.225.1:7755 0.0.0.0:* 694/qmi_ip_multicli
udp 0 0 192.168.225.1:7755 0.0.0.0:* 694/qmi_ip_multicli
udp 0 0 192.168.225.1:7755 0.0.0.0:* 677/eMBMs_Tunneling
udp 0 0 169.254.3.255:137 0.0.0.0:* 558/nmbd
udp 0 0 169.254.3.1:137 0.0.0.0:* 558/nmbd
udp 0 0 192.168.225.255:137 0.0.0.0:* 558/nmbd
udp 0 0 192.168.225.1:137 0.0.0.0:* 558/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 558/nmbd
udp 0 0 169.254.3.255:138 0.0.0.0:* 558/nmbd
udp 0 0 169.254.3.1:138 0.0.0.0:* 558/nmbd
udp 0 0 192.168.225.255:138 0.0.0.0:* 558/nmbd
udp 0 0 192.168.225.1:138 0.0.0.0:* 558/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 558/nmbd
udp 0 0 fe80::dc5e:e1ff:fe65:5854:53 :::* 2738/dnsmasq
WARNING: Attempting to connect with adb on port 5555 will cause the modem to disconnect requiring a full reboot to have connectivity again.
iptables
From nmap scans we can see some ports are filtered on the modem side, this is due to iptables firewall rules. However, this is less of an issue as you can access the modem through SSH with the root user and then get to the filtered services directly. You can also flush the iptables chains to drop the firewall, but this would not be recommended and should only be done on a temporary basis.
root@mdm9640:~# iptables -vnL
Chain INPUT (policy ACCEPT 1687K packets, 182M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:7755
15 804 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 7777,5555
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:7755
68 3744 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 7777,5555
0 0 DROP tcp -- rmnet_data0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 DROP tcp -- rmnet_data0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 DROP tcp -- rmnet_data0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 139,22,23,445,2016
0 0 DROP udp -- rmnet_data0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 54,67,137,138
0 0 DROP tcp -- rmnet_data0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
13 520 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 13
0 0 DROP tcp -- rmnet_data0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 139,22,23,445,2016
0 0 DROP udp -- rmnet_data0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 54,67,137,138
0 0 DROP tcp -- rmnet_data0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 13
Chain FORWARD (policy ACCEPT 79575 packets, 6690K bytes)
pkts bytes target prot opt in out source destination
30 1368 DROP tcp -- bridge0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain OUTPUT (policy ACCEPT 997K packets, 142M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5555
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5555
ip6tables
root@mdm9640:~# ip6tables -vnL
Chain INPUT (policy ACCEPT 40769 packets, 2937K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp * * ::/0 ::/0 multiport dports 22,23
0 0 DROP tcp * * ::/0 ::/0 multiport dports 22,23
Chain FORWARD (policy ACCEPT 35640 packets, 48M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 87029 packets, 6459K bytes)
pkts bytes target prot opt in out source destination
Chain natctrl_tether_counters (0 references)
pkts bytes target prot opt in out source destination