Modem - jamesmacwhite/hh70-ee GitHub Wiki

The Qualcomm MDM9640 modem is accessible through either 192.168.225.1 or the IPv4 address displayed in the web interface. For the 4GEE Home Router this is usually the IPv4 address displayed on the status page when using IPv4 and IPv4v6 mode. The modem OS is Android-based.

There are specific firewall rules on the router side preventing connections to services like SSH and telnet on 192.168.225.1. You can still connect to the modem in two ways: either telnet or SSH into the 4GEE Home Router itself first (which bypasses the firewall zone rules), or connect directly to the assigned IPv4 address, which usually starts with 19.x.x.x, 10.x.x.x or 100.x.x.x depending on what address is assigned and doesn't have firewall rules for telnet, SSH etc. The root login details used by the router are the same for the modem.

Below are nmap scans of the two IP addresses with the default firewall rules in place. Note the filtered state with both IP addresses.

root@linksys-wrt3200acm:~# nmap -sT -v 192.168.225.1
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-25 09:33 BST
Initiating Ping Scan at 09:33
Scanning 192.168.225.1 [4 ports]
Completed Ping Scan at 09:33, 0.25s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:33
Completed Parallel DNS resolution of 1 host. at 09:33, 0.00s elapsed
Initiating Connect Scan at 09:33
Scanning 192.168.225.1 [1000 ports]
Discovered open port 80/tcp on 192.168.225.1
Discovered open port 53/tcp on 192.168.225.1
Completed Connect Scan at 09:33, 1.39s elapsed (1000 total ports)
Nmap scan report for 192.168.225.1
Host is up (0.020s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
23/tcp   filtered telnet
53/tcp   open     domain
80/tcp   open     http
139/tcp  filtered netbios-ssn
389/tcp  filtered ldap
445/tcp  filtered microsoft-ds
5555/tcp filtered freeciv
7777/tcp filtered cbt
8888/tcp filtered sun-answerbook
root@linksys-wrt3200acm:~# nmap -sT -v 19.64.60.239
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-25 09:36 BST
Initiating Ping Scan at 09:36
Scanning 19.64.60.239 [4 ports]
Completed Ping Scan at 09:36, 0.26s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:36
Completed Parallel DNS resolution of 1 host. at 09:36, 0.13s elapsed
Initiating Connect Scan at 09:36
Scanning 19.64.60.239 [1000 ports]
Discovered open port 445/tcp on 19.64.60.239
Discovered open port 22/tcp on 19.64.60.239
Discovered open port 23/tcp on 19.64.60.239
Discovered open port 80/tcp on 19.64.60.239
Discovered open port 139/tcp on 19.64.60.239
Completed Connect Scan at 09:36, 1.54s elapsed (1000 total ports)
Nmap scan report for 19.64.60.239
Host is up (0.020s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
5555/tcp filtered freeciv
7777/tcp filtered cbt

netstat

root@mdm9640:~# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      554/smbd
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      189/adbd
tcp       33      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1335/webs
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      189/adbd
tcp        0      0 192.168.225.1:53        0.0.0.0:*               LISTEN      2738/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      507/sshd
tcp        0      0 192.168.225.1:8888      0.0.0.0:*               LISTEN      7781/nc
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      554/smbd
tcp        0      0 0.0.0.0:2016            0.0.0.0:*               LISTEN      1103/core_app
tcp        0      0 192.168.225.1:7777      0.0.0.0:*               LISTEN      694/qmi_ip_multicli
tcp        0      0 fe80::dc5e:e1ff:fe65:5854:53 :::*                    LISTEN      2738/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      507/sshd
tcp        0      0 :::23                   :::*                    LISTEN      655/telnetd
udp        0      0 192.168.225.1:53        0.0.0.0:*                           2738/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2738/dnsmasq
udp        0      0 192.168.225.1:7755      0.0.0.0:*                           694/qmi_ip_multicli
udp        0      0 192.168.225.1:7755      0.0.0.0:*                           694/qmi_ip_multicli
udp        0      0 192.168.225.1:7755      0.0.0.0:*                           677/eMBMs_Tunneling
udp        0      0 169.254.3.255:137       0.0.0.0:*                           558/nmbd
udp        0      0 169.254.3.1:137         0.0.0.0:*                           558/nmbd
udp        0      0 192.168.225.255:137     0.0.0.0:*                           558/nmbd
udp        0      0 192.168.225.1:137       0.0.0.0:*                           558/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           558/nmbd
udp        0      0 169.254.3.255:138       0.0.0.0:*                           558/nmbd
udp        0      0 169.254.3.1:138         0.0.0.0:*                           558/nmbd
udp        0      0 192.168.225.255:138     0.0.0.0:*                           558/nmbd
udp        0      0 192.168.225.1:138       0.0.0.0:*                           558/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           558/nmbd
udp        0      0 fe80::dc5e:e1ff:fe65:5854:53 :::*                                2738/dnsmasq

WARNING: Attempting to connect with adb on port 5555 will cause the modem to disconnect requiring a full reboot to have connectivity again.

iptables

The nmap scans show that some ports are filtered on the modem side; this is due to iptables firewall rules. However, this is less of an issue, as you can access the modem through SSH as the root user and then get to the filtered services directly. You can also flush the iptables chains to drop the firewall, but this is not recommended and should only be done on a temporary basis.

root@mdm9640:~# iptables -vnL
Chain INPUT (policy ACCEPT 1687K packets, 182M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:7755
   15   804 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 7777,5555
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:7755
   68  3744 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 7777,5555
    0     0 DROP       tcp  --  rmnet_data0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 DROP       tcp  --  rmnet_data0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 DROP       tcp  --  rmnet_data0 *       0.0.0.0/0            0.0.0.0/0            multiport dports 139,22,23,445,2016
    0     0 DROP       udp  --  rmnet_data0 *       0.0.0.0/0            0.0.0.0/0            multiport dports 54,67,137,138
    0     0 DROP       tcp  --  rmnet_data0 *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
   13   520 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13
    0     0 DROP       tcp  --  rmnet_data0 *       0.0.0.0/0            0.0.0.0/0            multiport dports 139,22,23,445,2016
    0     0 DROP       udp  --  rmnet_data0 *       0.0.0.0/0            0.0.0.0/0            multiport dports 54,67,137,138
    0     0 DROP       tcp  --  rmnet_data0 *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13

Chain FORWARD (policy ACCEPT 79575 packets, 6690K bytes)
 pkts bytes target     prot opt in     out     source               destination
   30  1368 DROP       tcp  --  bridge0 *       0.0.0.0/0            0.0.0.0/0            state INVALID

Chain OUTPUT (policy ACCEPT 997K packets, 142M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5555
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5555
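
To see which of the listeners in the netstat output the INPUT chain leaves reachable on a given interface, the two outputs can be cross-referenced. This is an added example, not part of the original wiki: the sample lines are excerpted from the outputs above, the function names are made up here, `bridge0` stands in for any interface other than `rmnet_data0`, and `::` listeners are assumed to accept IPv4 as well.

```python
import re

# Lines excerpted from the iptables INPUT chain and netstat output on this page (whitespace condensed).
IPTABLES_INPUT = """\
15 804 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 7777,5555
0 0 DROP tcp -- rmnet_data0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 DROP tcp -- rmnet_data0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 139,22,23,445,2016
0 0 DROP udp -- rmnet_data0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 54,67,137,138
"""
NETSTAT = """\
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 554/smbd
tcp 33 0 0.0.0.0:80 0.0.0.0:* LISTEN 1335/webs
tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN 189/adbd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 507/sshd
tcp 0 0 0.0.0.0:2016 0.0.0.0:* LISTEN 1103/core_app
tcp 0 0 :::23 :::* LISTEN 655/telnetd
udp 0 0 0.0.0.0:67 0.0.0.0:* 2738/dnsmasq
"""
WILDCARD = {"0.0.0.0", "::"}  # assumption: "::" sockets are dual-stack and accept IPv4 too

def parse_drops(text):
    """Return (proto, in_iface, ports) for each DROP rule matching destination ports."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        m = re.search(r"(?:dpt:|dports )([\d,]+)", line)
        if len(f) > 9 and f[2] == "DROP" and m:
            rules.append((f[3], f[5], {int(p) for p in m.group(1).split(",")}))
    return rules

def parse_listeners(text):
    """Return (proto, local_addr, port, program) for each socket line."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] in ("tcp", "udp"):
            addr, _, port = f[3].rpartition(":")
            out.append((f[0], addr, int(port), f[-1]))
    return out

def unfiltered(listeners, drops, iface):
    """Wildcard-bound listeners that no DROP rule covers for packets arriving on iface."""
    def blocked(proto, port):
        return any(p == proto and i in ("*", iface) and port in s for p, i, s in drops)
    return sorted({(pr, po, prog) for pr, a, po, prog in listeners
                   if a in WILDCARD and not blocked(pr, po)})

if __name__ == "__main__":
    for iface in ("rmnet_data0", "bridge0"):
        print(iface, unfiltered(parse_listeners(NETSTAT), parse_drops(IPTABLES_INPUT), iface))
```

For `rmnet_data0` the result is empty, since every wildcard listener in the sample is covered by a DROP rule; for `bridge0` only 5555 is covered, which lines up with the open and filtered ports in the nmap scan of 19.64.60.239.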

ip6tables

root@mdm9640:~# ip6tables -vnL
Chain INPUT (policy ACCEPT 40769 packets, 2937K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp      *      *       ::/0                 ::/0                 multiport dports 22,23
    0     0 DROP       tcp      *      *       ::/0                 ::/0                 multiport dports 22,23

Chain FORWARD (policy ACCEPT 35640 packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 87029 packets, 6459K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain natctrl_tether_counters (0 references)
 pkts bytes target     prot opt in     out     source               destination