GL.iNet MIFI: A Decent 4G Portable Router

Friday, August 30, 2019

I have relied on the Huawei E5885L for over a year. While it acts as a near-perfect 4G portable router, modifications can transform it into a potent tool for penetration testing. Despite its merits, I encountered several limitations during security research. Switching to the GL.iNet MIFI addressed these needs. While it resolves the core technical issues I faced with the E5885L, the hardware design feels somewhat unrefined.

Chassis

The side features a peculiar air vent resembling a face (o皿o), revealing a fan-shaped structure inside. The aesthetics are debatable, and the functionality seems questionable.

Disassembling the unit reveals a generic battery adhered directly to the chassis, covered only by a dark green insulating sheet.

The E5885L utilizes a HiSilicon LTE Cat6 chipset (baseband model hi6932), which is also found in the automotive-grade 919 series. While performance is generally respectable, automotive Network Access Devices (NADs) typically operate under low network loads. Portable routers often have significantly less RAM than their automotive counterparts. Consequently, heavy network loads—common during penetration testing—can lead to system instability.

I often require twin RJ45 ports. Unlike the E5885L, the GL-MIFI features dual RJ45 ports, with the WAN port reconfigurable as a LAN port, offering superior flexibility.

Additionally, specific network configurations on the E5885L hinder the successful execution of ARP spoofing attacks.

Regarding IMEI modification: the E5885L requires a full system reboot to apply changes. In contrast, the GL-MIFI separates the application processor from the baseband, allowing IMEI changes to take effect by simply resetting the 4G module.

The GL-MIFI supports external 3G/4G USB modems. This is particularly useful when a PC lacks the necessary drivers or configuration to dial out directly. Plugging the target modem into the GL-MIFI bypasses these compatibility issues, often saving the effort of soldering wires for eSIM interfacing.

Usage

Like the battery, the internal antennas are adhered to the casing. The device uses a Quectel EC20 4G module (Mini PCI-E). The Chinese domestic version typically includes the EC20-CEHCLG variant, which is data-only and lacks voice call support.

The PCB exposes numerous AR9331 GPIO pins, facilitating IoT application development.

/dev/ttyUSB0 DM
/dev/ttyUSB1 GPS NMEA message output
/dev/ttyUSB2 AT commands
/dev/ttyUSB3 PPP connection or AT commands
wwan0 (QMI mode) USB network adapter

The web interface includes a plugin for sending raw AT commands, which simplifies basic operations.

Modifying the IMEI is straightforward.

APN configuration is also fully supported.

SSH is enabled by default. The firmware is based on OpenWrt, and GL.iNet maintains high-speed package repositories.

Installing OPKG Packages on SD Card

https://forum.gl-inet.com/t/mifi-install-package-on-external-storage-usb-or-sd-card/4332

Additional Notes

You can refer to the official tutorial for using the MIFI communication module:

https://github.com/domino-team/docs/blob/master/docs/mini/mifi.md

Osmocom also has notes on hacking the Quectel EC20:

https://osmocom.org/projects/quectel-modems/wiki/EC20

In newer firmware versions, AT+QLINUXCMD has been disabled, preventing the direct execution of system commands via AT.
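To confirm on your own unit that the firmware really rejects AT+QLINUXCMD, you can log a session on the AT port (/dev/ttyUSB2 above) and classify the final result codes offline. The script below is an added example, not code from this post or from GL.iNet or Quectel. It assumes command echo is on, the capture is constructed rather than taken from a device, and the `=?` probe form is an assumption.

```python
import re

# Final result codes that terminate an AT exchange.
FINAL = re.compile(r"^(OK|ERROR|\+CM[ES] ERROR: .+)$")

def parse_transcript(raw):
    """Split a raw AT-port capture into (command, info_lines, final) tuples."""
    exchanges, cmd, info = [], None, []
    for line in re.split(r"[\r\n]+", raw):
        line = line.strip()
        if not line:
            continue
        if cmd is None:
            # Outside an exchange: an echoed "AT..." opens one; anything
            # else is an unsolicited result code and is skipped.
            if line.upper().startswith("AT"):
                cmd, info = line, []
        elif FINAL.match(line):
            exchanges.append((cmd, info, line))
            cmd = None
        else:
            info.append(line)
    return exchanges

def audit(raw, watched=("AT+QLINUXCMD",)):
    """Map each watched prefix to 'rejected', 'ACCEPTED' or 'not probed'."""
    verdict = {w: "not probed" for w in watched}
    for cmd, _info, final in parse_transcript(raw):
        for w in watched:
            if not cmd.upper().startswith(w):
                continue
            if final == "OK":
                verdict[w] = "ACCEPTED"  # a single OK flags the firmware
            elif verdict[w] != "ACCEPTED":
                verdict[w] = "rejected"
    return verdict

# Constructed capture (not from a real device): identification, signal
# quality, an unsolicited line, then the probe. The revision string is a
# placeholder and the "=?" probe form is an assumption.
SAMPLE = (
    "ATI\r\r\nQuectel\r\nEC20\r\nRevision: CONSTRUCTED-PLACEHOLDER\r\n\r\nOK\r\n"
    "AT+CSQ\r\r\n+CSQ: 20,99\r\n\r\nOK\r\n"
    "\r\nRDY\r\n"
    "AT+QLINUXCMD=?\r\r\nERROR\r\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```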
