chainofexecution / Arcadyan-KVD21

Hardware Hacking diary for the T-Mobile 5G Home Internet Gateway (The KVD21 from Arcadyan, not the FastMile from Nokia)
GNU General Public License v3.0

The amount of Intelligent people on here... #2

Open Sledneck54 opened 1 year ago

Sledneck54 commented 1 year ago

There are so many of these devices and people want configuration options, what would it take to unlock this thing and install something like OpenWRT as the firmware? I've read through the history and a mention of SoC being an issue. Can someone put it in layman's terms? Will it ever be possible to install another firmware/software interface?

aschutjer commented 11 months ago

> There are so many of these devices and people want configuration options, what would it take to unlock this thing and install something like OpenWRT as the firmware? I've read through the history and a mention of SoC being an issue. Can someone put it in layman's terms? Will it ever be possible to install another firmware/software interface?

Interestingly enough, my Arcadyan 5G T-Mobile KVD21 runs an OpenWRT firmware as its default, and I've confirmed with one of T-Mobile's security people that OpenWRT is at least part of their standard firmware package. My router shows up in multiple interfaces such as Fing and Wifiman as OpenWRT.lan. I'm trying to trace a vulnerability somewhere on my network that allowed a malicious party to run remote PowerShell scripts blocking my debugging apps, and these Wi-Fi monitors, along with Wigle wardriving, all show my KVD21 as having WPS functionality, which it really, really shouldn't have and I really don't want it to have. I was considering attempting some of the steps laid out here to get at the kernel logs to get to the bottom of it when I saw your message. If I find anything like a WPS functionality being installed as a backdoor for persistent exploitation, I'll let you know.

autryld commented 11 months ago

A few days ago, I received an email from T-Mobile. It had a link to a TMHI webpage. Maybe you received the same email. This webpage details nearly every frequently asked question. The website can be found by googling the title including the quotations. Look a couple of hits down for the T-Mobile hit and the title in BOLD. Short answer = The gateway has no WPS ability.

Here's the short version of the webpage. Online gaming may have issues; talk to the game developer. Third-party switches, routers, mesh and Wi-Fi extenders work. Security cameras do work. Dynamic IP and geolocation may change (the gateway cannot be set to static). Provide your own firewall; the gateway has no firewall. Compatible with VoIP. VPN works, but talk to your VPN developer for support. Wi-Fi band steering. The gateway Wi-Fi SSID can be hidden. Up to 4 more Wi-Fi networks can be created with the TMHI app. There is no bridge mode. DNS on the gateway is fixed; configure your own on connected devices. Neither NAT nor port forwarding can be enabled. NAT type cannot be changed. HSI MTU size is set to 1500 across all gateways. SIP ALG is not enabled or supported on T-Mobile 5G gateways. No WPS button.

neutronscott commented 11 months ago

Confirmed OpenWRT. See UDP/4919 traffic during boot as described here: https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset.

[image: KVD21 failsafe]
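The UDP/4919 traffic mentioned above is the broadcast OpenWrt's preinit sends while the failsafe window is open. The following listener is an added example (not code from this repository or from the commenter); it assumes the announcement text matches the OpenWrt documentation and arrives from the gateway's 192.168.12.0/24 LAN, and the sample datagrams are constructed, not captured.

```python
import ipaddress
import socket

# OpenWrt's preinit broadcasts a UDP datagram to port 4919 while the failsafe
# window is open (see the OpenWrt failsafe page linked above).
FAILSAFE_PORT = 4919
FAILSAFE_MARKER = b"Please press button now to enter failsafe"
# Assumption: the KVD21 LAN side is 192.168.12.1/24, as reported in this thread.
GATEWAY_LAN = ipaddress.ip_network("192.168.12.0/24")

# Constructed sample datagrams (src_ip, payload); not captured from a real unit.
SAMPLE_FAILSAFE = ("192.168.12.1", b"Please press button now to enter failsafe\n")
SAMPLE_NOISE = ("192.168.12.1", b"some unrelated broadcast\n")
SAMPLE_FOREIGN = ("10.0.0.5", b"Please press button now to enter failsafe\n")


def classify_datagram(src_ip: str, payload: bytes) -> str:
    """Label one datagram received on UDP/4919.

    'failsafe' - the OpenWrt preinit announcement from the gateway subnet
    'foreign'  - the announcement text, but from an unexpected source address
    'other'    - anything else seen on the port
    """
    if FAILSAFE_MARKER not in payload:
        return "other"
    if ipaddress.ip_address(src_ip) not in GATEWAY_LAN:
        return "foreign"
    return "failsafe"


def watch_for_failsafe(timeout_s: float = 90.0) -> list:
    """Bind UDP/4919 on all interfaces and collect (src_ip, label) pairs until
    the socket goes quiet for timeout_s seconds. Start it, then power-cycle
    the gateway; a 'failsafe' entry confirms an OpenWrt-style boot."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", FAILSAFE_PORT))  # broadcasts are delivered to this bind
        sock.settimeout(timeout_s)
        try:
            while True:
                payload, (src_ip, _) = sock.recvfrom(4096)
                label = classify_datagram(src_ip, payload)
                print(f"{src_ip}: {label} {payload!r}")
                seen.append((src_ip, label))
        except socket.timeout:
            pass
    return seen


if __name__ == "__main__":
    watch_for_failsafe()
```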
qleseid commented 11 months ago

> Confirmed OpenWRT. See UDP/4919 traffic during boot as described here: https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset.
>
> [image: KVD21 failsafe]

Were you able to do anything with the failsafe mode? I feel like I can get my device to enter it, don't know where to go from there.

neutronscott commented 11 months ago

> Were you able to do anything with the failsafe mode? I feel like I can get my device to enter it, don't know where to go from there.

I returned it. I figured nothing would be set up to enter failsafe. How come you think it's entered failsafe? SSH or telnet ought to be available.

qleseid commented 11 months ago

Once I see this prompt I press and release the reset button. The device never loads and the T-Mobile logo remains on the screen forever. It no longer dishes out IPs to devices but responds to pings on 192.168.12.1. Should I try something else?

neutronscott commented 11 months ago

I probably noticed this too. Maybe run nmap or some sort of port scan, but it's likely not running anything useful. I also saw in the serial logs that the kernel doesn't print anything. Likely need bootloader access to get far, or somehow capture an OTA update.

Sledneck54 commented 11 months ago

This is all a moot point. These devices share a public IP address with other TMHI devices in the area. The IMEI number in cellular networks basically becomes your LAN address. If your device is sharing a flagged public IP address, your emails will go to someone's spam folder, even if you're responding to an email sent to you. I stopped worrying about configuration options only because I use it for failover purposes on my UniFi network equipment. I have one 5 GHz network set up to use for certain streaming devices that can receive a decent signal from it. I don't think it's worth the time trying to get it in pass-through or bridge mode. It's still a shared public IP address.

neutronscott commented 11 months ago

Still plenty to unlock. Their IPv4 uses CGNAT, but you could at least allow IPv6 traffic to come in, or even establish a tunnel to a free Oracle Cloud VM and get IPv4 inbound from that. I also had planned to use it for failover but can use an old rooted phone instead.

qleseid commented 11 months ago

I feel time is always well spent if something can be learned. I'm hoping for a bit more network control and even some VLAN settings. I'm a bit confused why I can't get any serial data off my unit. Does anyone remember their firmware version while still successfully getting UART to work? [image: Screenshot from 2023-08-03 08-23-16] Also, additional confirmation OpenWRT is in there somewhere.

sandstormkeshav commented 5 months ago

> Once I see this prompt I press and release the reset button. The device never loads and the T-Mobile logo remains on the screen forever. It no longer dishes out IPs to devices but responds to pings on 192.168.12.1. Should I try something else?

Did you try SSH'ing into it when it was in failsafe mode?

qleseid commented 5 months ago

> > Once I see this prompt I press and release the reset button. The device never loads and the T-Mobile logo remains on the screen forever. It no longer dishes out IPs to devices but responds to pings on 192.168.12.1. Should I try something else?
>
> Did you try SSH'ing into it when it was in failsafe mode?

I don't recall if I did or not, but running nmap feels very familiar for sure. What's your experience with these devices?