-
GL.iNet MIFI: A Decent 4G Portable Router
Friday, August 30, 2019
I have relied on the Huawei E5885L for over a year. While it acts as a near-perfect 4G portable router, modifications can transform it into a potent tool for penetration testing. Despite its merits, I encountered several limitations during security research. Switching to the GL.iNet MIFI addressed these needs. While it resolves the core technical issues I faced with the E5885L, the hardware design feels somewhat unrefined. …
-
Car Bus Knowledge Primer: Introduction
Thursday, August 8, 2019
Preface: The automotive industry is exacting, requiring products to be designed according to strict standards. First, let’s clarify the relationship between ISO and SAE. …
-
Overview of 4G Modem Attack Scenarios in Vehicle Networking
Thursday, August 8, 2019
Communication Module Overview: In the connected-car domain, the TCU (Telematics Control Unit, also called a T-Box or Telematics Box) is an indispensable unit in an internet-connected vehicle. The TCU’s networking capability is implemented by a cellular communication module (also called an M2M module). The baseband chipsets used by these modules almost always support multiple carriers, which gives OEMs more flexibility when choosing network operators. …
Tags: Hardware Security, carhacking, 4G modem, connected car security, cellular module
-
Firmware Extraction Series: Reading Flash with flashrom
Saturday, July 20, 2019
Introduction to FlashROM: It’s been over six months since my last post. The firmware extraction series has now reached Part 11. In my opinion, this topic isn’t particularly sensitive, so I’m sharing it openly. …
-
Firmware Extraction Series - SATA HDD Unlock
Saturday, April 20, 2019
Preface: This post documents the journey of extracting data from a locked hard drive, including the various detours I took along the way. …
-
Firmware Extraction Series - Raw NAND File Recovery
Sunday, March 10, 2019
Preface: This post documents the process of restoring the NAND Flash filesystem from an in-vehicle head unit. …
-
Visteon Firmware Repacking
Friday, November 30, 2018
Preface: The firmware layout is illustrated below. It is organized into three directories—APP, SOC, and MCU—which correspond roughly to the Application Layer, the Core Board, and the Base Board, respectively. …
-
TinyScheme File I/O
Sunday, October 21, 2018
Preface: Scheme is a Lisp dialect created in 1975 by MIT’s Gerald J. Sussman and Guy L. Steele Jr. It is one of the two major modern Lisp dialects; the other is Common Lisp. Despite its long history, Scheme remains active and has implementations for many platforms and environments, such as Racket, Guile, MIT Scheme, and Chez Scheme. TinyScheme is a lightweight embeddable Scheme interpreter that follows the R5RS (Revised^5 Report on the Algorithmic Language Scheme) specification. This specification was released in 1998 and is now widely used. Although TinyScheme lacks extensive official documentation, its adherence to the R5RS standard enables developers to consult documentation from mainstream Scheme implementations, such as Racket, for guidance. …
-
Firmware Extraction Series - SD Card Unlock
Thursday, October 18, 2018
Preface: The SD card (Secure Digital Memory Card) is a NAND flash-based storage medium designed as a successor to the MMC (Multimedia Card). It is commonly found in multimedia players, cameras, and smartphones, and has since been widely adopted in IoT devices and automotive electronics. Physically, SD cards are categorized into three sizes: SD, miniSD, and microSD. …
-
Huawei E5885L 4G Router Tinkering Notes
Thursday, September 27, 2018
Introduction: I frequently rely on a 4G hotspot for work-related travel. The E5885L is an incredibly versatile device: it supports LTE, UMTS, and GSM bands, functions as a power bank, operates as both a router and a cellular modem, and offers both wireless and wired connectivity options. With a proper unlock, it is possible to customize the IMEI, bypass ICCID–IMEI binding restrictions, and evade certain network censorship measures. …