Alcatel HH71VM LTE Router


Alcatel HH71VM LTE Router

Post by ungeskriptet »

I recently decided to purchase an Alcatel HH71VM LTE Router, with the goal to hopefully port OpenWrt to it. The stock firmware doesn't offer many features and has some shortcomings, particularly with IPv6.
Pictures
front.jpg
back.jpg
bottom.jpg

Details
  • Brand: Alcatel
  • Model: HH71VM
  • SoC: RealTek RTL8197F
  • RAM: 128 MB
  • NAND: 16 MB (Winbond W25Q128)
  • Modem: Qualcomm MDM9640
There are actually multiple versions of this router. As far as I know, there exists the stock Alcatel version, distributed by T-Mobile PL and the Congstar version, distributed by Congstar in Germany (I have the latter). The hardware between the two doesn't seem to differ, except that it has the carrier logo on the top of the router. The software, however, has noticeable differences: the default hostname has been changed from hh71.home to congstar.home and the Congstar version doesn't seem to have a password on the UART shell (or perhaps Alcatel removed the password after version HH71_GK_02.00_04?).
Disassembly
To disassemble the device, I had to pop off the top plastic piece with the logo on it using a plastic card. The top part is only held in with clips, some of which have broken off for me. Underneath the top part are hiding two Phillips screws. Then, there's one more screw hiding on the bottom of the device behind a sticker. After removing the screw and prying off the bottom part using a prying tool (there is a handy little gap in the casing where I was able to insert my tool), I was able to get to the mainboard.

UART
The baud rate for UART is 38400 (as is usual for RealTek devices).
uart.jpg

Dumping firmware over TFTP
The stock firmware includes busybox with tftp, which we can use to dump the firmware. I used atftpd for the TFTP server.

Connect your PC to the router with Wi-Fi or ethernet and run these commands:

Code:

# -p: don't fail if the directory already exists
sudo mkdir -p /srv/tftp
sudo chown nobody:nogroup -R /srv/tftp
sudo atftpd --daemon --no-fork --logfile - /srv/tftp
# Don't forget to allow UDP port 69 if you use a firewall.

Run these commands in the UART shell of the router:

Code:

cd /dev
# Replace the IP with the IP of your PC
for i in mtdblock*; do tftp -l "$i" -p 192.168.1.100 69; sleep 3; done

If you see a "No such device or address" error in the command above, you can safely ignore it since this router only has mtd0, mtd1 and mtd2, according to /proc/mtd.

When it has finished dumping every partition we can find them in /srv/tftp on our computer.

Partition map

Code:

root@congstar:~# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 00300000 00001000 "boot+cfg+linux"
mtd1: 00900000 00001000 "rootfs"
mtd2: 00400000 00001000 "jffs2 file"
Last edited by ungeskriptet on Sat Mar 14, 2026 5:27 pm, edited 1 time in total.

Re: Alcatel HH71VM LTE Router

Post by ungeskriptet »


Analyzing the stock firmware
There is a salted MD5 hash in the /etc/passwd file, perhaps someone can crack it:

Code:

root:$1$E.K8Ff..$Hcy2Drxqx6TyB4.dOKf1n/:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null
Using the command "telnet 192.168.225.1" or "module_execute" we can get a root shell to the modem:

Code:

root@congstar:~# module_execute 

Entering character mode
Escape character is '^]'.


msm 20200804 mdm9640

/ #
The JFFS2 partition can be mounted like this (total size and erase size are taken from /proc/mtd):

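Code:

mnt_jffs2=$(mktemp -d)
# mtdram takes both sizes in KiB, hence the division by 0x400
sudo modprobe mtdram total_size=$((0x400000/0x400)) erase_size=$((0x1000/0x400))
sudo modprobe mtdblock
# Assumes mtdram is the only MTD device on the PC, so it shows up as mtdblock0
cat mtdblock2 | sudo tee /dev/mtdblock0 > /dev/null
# Mounting needs root
sudo mount -t jffs2 /dev/mtdblock0 "$mnt_jffs2"
cd "$mnt_jffs2"

The SquashFS partition can be mounted like this: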

Code:

mnt_squashfs=$(mktemp -d)
sudo mount -t squashfs mtdblock1 "$mnt_squashfs"
cd "$mnt_squashfs"

Decoding the backup file
I was able to write a little program to decode the "configure.bin" backup file, which can be downloaded from the web UI:
main.c
https://gist.github.com/ungeskriptet/90 ... 3ae1ab4331
Usage:

Code:

gcc main.c && ./a.out configure.bin
Note: It doesn't seem to work on the backup file generated by firmware HH71_GK_02.00_04. Firmware HH71_LI_02.00_06 seems to work fine with the program.
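
Added example, not part of the original posts: a Python check of the TFTP dumps against the /proc/mtd table quoted above, which also derives the mtdram parameters used for the JFFS2 mount. The function names and the magic-byte table are assumptions of this example, and the 16 MB flash is taken as 16 MiB.

```python
import re
from pathlib import Path

# Constructed sample: the /proc/mtd output quoted in the first post.
PROC_MTD = """dev:    size   erasesize  name
mtd0: 00300000 00001000 "boot+cfg+linux"
mtd1: 00900000 00001000 "rootfs"
mtd2: 00400000 00001000 "jffs2 file"
"""
FLASH_SIZE = 16 * 1024 * 1024  # W25Q128 from the Details list (assumed 16 MiB)
MTD_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"(.*)"\s*$')

# Magic bytes at offset 0 of a filesystem image, in both byte orders.
MAGICS = {b"hsqs": "squashfs (little-endian)", b"sqsh": "squashfs (big-endian)",
          b"\x85\x19": "jffs2 (little-endian)", b"\x19\x85": "jffs2 (big-endian)"}

def parse_proc_mtd(text):
    """Parse /proc/mtd into a list of dicts; sizes are hexadecimal byte counts."""
    parts = []
    for line in text.splitlines():
        m = MTD_LINE.match(line)
        if m:
            parts.append({"index": int(m[1]), "size": int(m[2], 16),
                          "erasesize": int(m[3], 16), "name": m[4]})
    return parts

def mtdram_args(part):
    """mtdram takes total_size and erase_size in KiB, not bytes."""
    return f"total_size={part['size'] // 1024} erase_size={part['erasesize'] // 1024}"

def identify(head):
    """Name the filesystem whose magic starts the image, or None."""
    return next((n for magic, n in MAGICS.items() if head.startswith(magic)), None)

def check_dump(part, directory):
    """Return (problems, filesystem) for the dumped mtdblockN file."""
    path = Path(directory) / f"mtdblock{part['index']}"
    if not path.is_file():
        return [f"{path.name}: missing"], None
    size = path.stat().st_size  # a short file means the transfer was cut off
    problems = [] if size == part["size"] else [
        f"{path.name}: {size} bytes, expected {part['size']}"]
    with path.open("rb") as f:
        return problems, identify(f.read(4))

if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD)
    print("covers whole flash:", sum(p["size"] for p in parts) == FLASH_SIZE)
    for p in parts:
        print(p["name"], check_dump(p, "/srv/tftp"), mtdram_args(p))
```

A JFFS2 image reported as big-endian will not mount directly on a little-endian PC, so the byte order is worth checking before the mtdram step.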