Tuesday, Aug 10, 2010

Initial Clear iSpot hacking

I picked up a Clear iSpot the other day during their $29 deal, and so far so good. I’ve been getting okay signal and speeds throughout Midtown and Buckhead in Atlanta as long as I am near a window, but indoors it’s been very hard to get a signal. Oh well.

The iSpot is manufactured by Infomark and the model number is IMW-C615W. It seems the generic model sold by Infomark is IMW-C600W and the Clear Spot (not limited to Apple devices) is IMW-C610W. Hardware seems to be identical between all models, it’s just the firmware that changes.

One of the big drawbacks to the iSpot is the MAC address limiting to Apple portable devices, namely the iPod, iPhone and iPads. That being said, I actually have been able to connect with my newer MacBook Pro 13” without any MAC spoofing because it is on the whitelist already. My older MacBook Pro 17” doesn’t work, however, and spoofing the MAC address via the standard disassociate/spoof (‘airport -z’ then ‘ifconfig eth1 ether xx:xx:xx:xx:xx:xx’) trick doesn’t work.

This started me down the route of finding out how to expand or disable the MAC address whitelist. 

The latest firmware (1786 as of this time) contains a lot of interesting nuggets in it. Just by analyzing the firmware you can see that the device is based on Linux and uses busybox to save space for user-mode tools. My guess is that it uses iptables to redirect non-authorized MACs to the clear.com unsupported device page.

But first I decided to start attacking via the saved configuration files instead. It seems like a much easier attack vector than the firmware. It’s simply a tar’d directory structure that contains configuration files and executables. The last part sounds fun, doesn’t it?

To get the configuration file, go into the iSpot’s web interface to Tools -> Admin and hit “Save Device Configuration to File”. This will produce a .bin file that you’ll save. Extract this file with tar and it’ll produce a directory structure starting at ‘tmp’ with the files we’re interested in.

A few interesting things you can see and/or edit (I’ll add details on these later when I can):

  1. It’s easy to enable NDIS support over USB, making the iSpot act like an Ethernet card. On Mac OS X there is nothing to do for this to work, but if you run Windows you need the driver from http://192.168.1.1/html/rndis.html. You can also modify the setting to disable WiFi when tethered via USB from here, too.
  2. Auto-updating can be disabled. Probably a good idea if you want these changes to stick around.
  3. There’s an executable file in ppp/if-up that could be used to execute code, as long as it runs on connection initiation. Does Clear use PPP for their WiMax?

Obviously #3 could be a great way to run our own code, or possibly even through the configuration files as they could be sourced from shell scripts. It may be possible to extract files into other areas of the filesystem, too.
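As an added example (my own code, not from this post or from Infomark): a small Python auditor for a tar’d configuration backup like the one described above. Without extracting anything, it reports which members would be runnable after import (executable files such as ppp/if-up), which paths resolve outside the expected ‘tmp’ tree, and which links point outside it. The sample archive it builds is constructed for the demo, not a real iSpot backup.

```python
import io
import posixpath
import tarfile

def outside_tree(path: str, root: str) -> bool:
    """True if path is absolute or, after resolving '..', leaves the root tree."""
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return not (norm == root or norm.startswith(root + "/"))

def audit_config_archive(data: bytes, root: str = "tmp") -> dict:
    """Inspect a tar'd configuration backup without extracting it: executable
    regular files, members that escape the expected tree, links that point out."""
    findings = {"executables": [], "escapes": [], "links": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if outside_tree(m.name, root):
                findings["escapes"].append(m.name)
            if m.isfile() and m.mode & 0o111:
                findings["executables"].append(m.name)
            if m.issym() or m.islnk():
                target = m.linkname
                if m.issym() and not target.startswith("/"):
                    # relative symlink targets resolve from the member's own directory
                    target = posixpath.join(posixpath.dirname(m.name), target)
                if outside_tree(target, root):
                    findings["links"].append((m.name, m.linkname))
    return findings

def build_sample_backup() -> bytes:
    """Constructed sample (not a real iSpot backup): a 'tmp' tree with an
    executable ppp/if-up hook plus two entries an importer should refuse."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, content=b"", mode=0o644, linkname=None):
            info = tarfile.TarInfo(name)
            info.mode = mode
            if linkname is None:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
        add("tmp/wlan.conf", b"mac_filter=1\n")               # plain config file
        add("tmp/ppp/if-up", b"#!/bin/sh\necho link up\n", mode=0o755)  # runs on link-up
        add("tmp/../etc/passwd", b"root::0:0::/:/bin/sh\n")   # climbs out of tmp/
        add("tmp/www", linkname="/var/www")                    # absolute link target
    return buf.getvalue()
```

Run `audit_config_archive(build_sample_backup())` to see the three finding lists; point it at the bytes of a real backup to audit one before importing it.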

I didn’t have much time, but I tried a few things such as clearing/adding iptables rules, writing out to the wwwroot and using netcat to communicate with an external box in the if-up script to no avail. I’m not sure if the script is even executing or if I’m not launching the tools correctly through the symlinks and via busybox directly.

Once I’m able to execute whatever I want, I wonder what will be the best way to disable the MAC address filtering. It should be possible to change the WiMax configurations such as:

[OMA] ./WiMAXSupp/Operator/clear/Apps/RestrictedUse/Enabled=true

Lastly, if you log into the super user interface at http://192.168.1.1/super (u: super, p: super) you can play with a few more settings. Telnet was disabled on my device until I went there and played with a setting related to telnet. That could be useful if we can extract the password from the firmware.

That’s where I left off because I ran out of time. I’ll play with the device a little more soon and post any updates.

Also check out David Zatz’s blog post and comments at http://www.zatznotfunny.com/2010-08/more-ispot-speeds-mac-spoofing where there is some work already started. This should be cracked soon :)
