c-herz / TMOHS1-Root-Utility

An interactive Python script that enables root access on the T-Mobile (Wingtech) TMOHS1, as well as providing several useful utilities to change the configuration of the device.
GNU General Public License v3.0

Nothing seems to persist #16

Closed (parkerlreed closed this issue 11 months ago)

parkerlreed commented 11 months ago

OS 202012112010

Running the root util properly blanks the root password and asks me to set a new one. Gone on reboot.

Enabled persistent ADB, gone on reboot.

Is there something not being saved?

parkerlreed commented 11 months ago

It keeps looping

Enter your weblogin password:
Sending the authentication request. . .
Received authentication token from hotspot: f400a87449c92e1c

Exploiting qcmap_web_cgi. . .

Connection to device may reset. If you are running the exploit via WiFi,
ensure that your device reconnects to the hotspot's network.

Connected! Socket says: {'result': 'success', 'displaytimeout': '0', 'wifistandby': '10'}

Remounted root filesystem r/w. . .
Removed root password. . .
Enabling telnet. . .
Trying to connect via telnet. . .
Telnet connection initialized.
Logging in as root with empty password, please wait. . .

The exploit removed the root password of your device. It is STRONGLY recommended to set a custom root password.
Your device will be EXTREMELY INSECURE if you do not.

Would you like to set a custom root password? (Y/n):
Y
Please enter 'y' or 'n': y

Changing root password. 
IMPORTANT NOTE: the password will be sent insecurely over telnet,
 so you should manually change it later over ADB-USB if you are concerned about security.

Enter new password:
Confirm new password:
Root password successfully updated.

The exploit removed the root password of your device. It is STRONGLY recommended to set a custom root password.
Your device will be EXTREMELY INSECURE if you do not.

Would you like to set a custom root password? (Y/n):

parkerlreed commented 11 months ago

Mount output

rootfs on / type rootfs (rw)
ubi0:rootfs on / type ubifs (rw,relatime,bulk_read,chk_data_crc)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
tmpfs on /dev type tmpfs (rw,relatime,size=64k,nr_inodes=20112,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=80448k,nr_inodes=20112,mode=755)
tmpfs on /var/volatile type tmpfs (rw,relatime,size=80448k,nr_inodes=20112)
tmpfs on /var/lib type tmpfs (rw,relatime,size=80448k,nr_inodes=20112)
ubi0:usrfs on /data type ubifs (rw,relatime,bulk_read,chk_data_crc)
ubi0:cachefs on /cache type ubifs (rw,relatime,bulk_read,chk_data_crc)
ubi0:persist on /persist type ubifs (rw,relatime,bulk_read,chk_data_crc)
/dev/ubi1_0 on /firmware type ubifs (ro,relatime,bulk_read,chk_data_crc)
none on /sys/kernel/config type configfs (rw,relatime)
adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
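Added example, not part of the issue thread or of the TMOHS1-Root-Utility project: a small parser for the `mount` output posted above (embedded here verbatim as sample input) that answers the first question a troubleshooter asks when a change "doesn't survive a reboot", namely whether the file lives on a writable flash-backed filesystem or on a tmpfs that is rebuilt at boot. The filesystem-type list, function names and the sample paths are my own choices.

```python
"""Classify the mount point backing a path as persistent or volatile.

Added example (not project code). Parses BusyBox/util-linux style
`mount` output of the form
    <source> on <target> type <fstype> (<opt>,<opt>,...)
and reports, for a given path, which mount serves it and whether writes
to it can be expected to survive a reboot.
"""
import re
from dataclasses import dataclass

# Copied from the issue report above (TMOHS1, OS 202012112010).
SAMPLE_MOUNT_OUTPUT = """\
rootfs on / type rootfs (rw)
ubi0:rootfs on / type ubifs (rw,relatime,bulk_read,chk_data_crc)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
tmpfs on /dev type tmpfs (rw,relatime,size=64k,nr_inodes=20112,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=80448k,nr_inodes=20112,mode=755)
tmpfs on /var/volatile type tmpfs (rw,relatime,size=80448k,nr_inodes=20112)
tmpfs on /var/lib type tmpfs (rw,relatime,size=80448k,nr_inodes=20112)
ubi0:usrfs on /data type ubifs (rw,relatime,bulk_read,chk_data_crc)
ubi0:cachefs on /cache type ubifs (rw,relatime,bulk_read,chk_data_crc)
ubi0:persist on /persist type ubifs (rw,relatime,bulk_read,chk_data_crc)
/dev/ubi1_0 on /firmware type ubifs (ro,relatime,bulk_read,chk_data_crc)
none on /sys/kernel/config type configfs (rw,relatime)
adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
"""

MOUNT_RE = re.compile(
    r"^(?P<source>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$"
)

# Filesystem types that hold no data across a reboot (assumption: this list
# is mine, chosen to cover the types seen in the sample output).
VOLATILE_FSTYPES = {
    "tmpfs", "ramfs", "proc", "sysfs", "devpts", "debugfs", "configfs", "functionfs",
}


@dataclass(frozen=True)
class Mount:
    source: str
    target: str
    fstype: str
    options: frozenset

    @property
    def writable(self) -> bool:
        return "rw" in self.options

    @property
    def volatile(self) -> bool:
        return self.fstype in VOLATILE_FSTYPES


def parse_mounts(text: str) -> list:
    """Turn `mount` output into Mount records, preserving order."""
    mounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised mount line: {line!r}")
        opts = frozenset(m["opts"].split(","))
        mounts.append(Mount(m["source"], m["target"], m["fstype"], opts))
    return mounts


def mount_for(path: str, mounts: list):
    """Longest-prefix match. Among equal targets the later mount wins,
    which is why 'ubi0:rootfs' (mounted over 'rootfs') is chosen for '/'."""
    best = None
    for mnt in mounts:
        prefix = mnt.target.rstrip("/") + "/"
        if path == mnt.target or path.startswith(prefix):
            if best is None or len(mnt.target) >= len(best.target):
                best = mnt
    return best


def persistence_report(path: str, mounts: list) -> dict:
    """Summarise whether a write to `path` can be expected to survive a reboot."""
    mnt = mount_for(path, mounts)
    return {
        "path": path,
        "mount": mnt.target,
        "fstype": mnt.fstype,
        "writable": mnt.writable,
        "persistent": mnt.writable and not mnt.volatile,
    }


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNT_OUTPUT)
    for p in ("/etc/passwd", "/data/adb", "/var/lib/dhcp/leases", "/firmware/image.bin"):
        print(persistence_report(p, table))
```

Run against the sample, the report shows `/` and `/data` as writable ubifs, so an edited `/etc/passwd` should survive a reboot on this device; anything under `/var/lib`, `/run` or `/dev` is tmpfs and is discarded at boot, and `/firmware` is mounted read-only. When a change on a persistent mount still vanishes, the cause is elsewhere in the procedure, as the reporter eventually found with the FTP step.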

parkerlreed commented 11 months ago

Oh... So the FTP server doesn't start (so ADB persist never gets enabled)

Error starting FTP server. Try again.

EDIT: Oh, ADB persist disables USB RNDIS, so when it goes to check if the FTP server is running there's no TCP connection to the device.

When I selected persist it enabled ADB first and then tried to make the FTP modification, and thus failed. Is that NOT supposed to drop RNDIS in the process?

parkerlreed commented 11 months ago

If I connect to the WiFi AP after RNDIS drops and try restarting the root script, it always rejects the initial authorization.

(deck@dev-arch TMOHS1-Root-Utility)$ nmap 192.168.0.1
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-15 22:02 EST
Nmap scan report for mobile.hotspot (192.168.0.1)
Host is up (0.0072s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT   STATE SERVICE
21/tcp open  ftp
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
(deck@dev-arch TMOHS1-Root-Utility)$ exit
logout
(deck@steamdeck TMOHS1-Root-Utility)$ python rootScript.py 
/home/deck/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.18) or chardet (5.1.0)/charset_normalizer (2.0.12) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
Enter your weblogin password:
Sending the authentication request. . .

Error: The hotspot rejected our request. Please try again.

parkerlreed commented 11 months ago

I just tried the initial exploit over WiFi and the AP never recovers... So I can't connect back.

parkerlreed commented 11 months ago

After all this I switched to 2.4 GHz instead of 5 and was able to reconnect as part of the initial exploit chain and enable the persistent ADB. Not sure why 5GHz never recovered.

Seems to be fine now. Thank you.