-
GL.iNet MIFI: A Decent 4G Portable Router
Friday, August 30, 2019
I have relied on the Huawei E5885L for over a year. While it acts as a near-perfect 4G portable router, modifications can transform it into a potent tool for penetration testing. Despite its merits, I encountered several limitations during security research. Switching to the GL.iNet MIFI addressed these needs. While it resolves the core technical issues I faced with the E5885L, the hardware design feels somewhat unrefined. …
-
Overview of 4G Modem Attack Scenarios in Vehicle Networking
Thursday, August 8, 2019
Communication Module Overview: In the connected-car domain, the TCU (Telematics Control Unit) is an indispensable unit in an internet-connected vehicle (also called a T-Box, Telematics Box). The TCU’s networking capability is implemented by a cellular communication module (also called an M2M module). The baseband chipsets used by these modules almost always support multiple carriers, which gives OEMs more flexibility when choosing network operators. …
Hardware Security, carhacking, 4G modem, connected car security, cellular module
-
Huawei E5885L 4G Router Tinkering Notes
Thursday, September 27, 2018
Introduction: I frequently rely on a 4G hotspot for work-related travel. The E5885L is an incredibly versatile device: it supports LTE, UMTS, and GSM bands, functions as a power bank, operates as both a router and a cellular modem, and offers both wireless and wired connectivity options. With a proper unlock, it is possible to customize the IMEI, bypass ICCID–IMEI binding restrictions, and evade certain network censorship measures. …
-
eSIM Notes
Sunday, December 10, 2017
Introduction: A SIM (Subscriber Identification Module) is an IC that can securely store mobile communication configuration. …
-
Hardware Repair Notes
Sunday, November 12, 2017
Soldering Station …
-
Getting Root Access on Verizon FIOS-G1100
Friday, September 1, 2017
Preface: I wrote this post in September last year. Back in July, our team lead brought in a router and handed it to an intern to work on. He couldn’t crack it and eventually stopped. Later, when I had some free time, I continued, but the decryption part still wasn’t finished—halfway through I got pulled onto other work. So this is an unfinished post. …
-
HackRF GPS Spoofing Notes
Sunday, July 30, 2017
Preface: My leader lent me two HackRF Ones to play with, and I planned to use them for GPS spoofing experiments. It was my first time working with software-defined radio; I got interested immediately and decided to learn it seriously. …
-
D-Link DIR-850L Router Vulnerability Verification Report
Thursday, June 22, 2017
Preface: I flipped through my notes to see if there was anything worth publishing, and found this one—but it’s already outdated. I spent one night getting about halfway through it, then got sent on a business trip. Another intern couldn’t finish it, so it ended up being dropped. It doesn’t have much research value now, so I’ll just post it anyway. …
-
Cracking a Milk Membership Card with an ACR122U on Arch Linux
Tuesday, October 25, 2016
Preface: This kind of post was written to death years ago—there’s nothing particularly novel here. I’m posting it mainly as part of my learning process. A few days ago I got a milk-shop membership card as a bonus after topping up 100. It wasn’t tied to my real name. I just put the card on the reader, swiped once, and the payment went through, which caught my interest. For RFID hacking, people usually use a Proxmark3; back when I didn’t know better, I bought an ACR122U. First I used Mifare Classic Tool on my Nexus 5 to verify whether the card provided by the milk shop was a Mifare Classic card (the Nexus 5 hardware doesn’t support this card type, so it can only read basic info). After confirming it was, I dug out my dusty ACR122U and started tinkering on Arch Linux. I’d also lost both of my meal cards while out, and I happened to have backups of the old cards, so I restored those two as well. …