
Thursday, Aug 12, 2010

Locking down the Clear iSpot

If you’ve rooted your iSpot you’ll want to make sure you lock it down. If you used a pre-made configuration, make sure it disables OTA updates.

UPDATE: I’ve removed my original instructions that said to set the ENABLE_INB_* settings to YES. That was incorrect, sorry! The title in nat.conf was misleading and I jumped the gun. Revert those changes if you already set them to YES.

It may also be possible to prevent or alter how the factory reset is done. This could help protect against inadvertent resets while the device is in a bag, for example.

There are a lot of interesting binaries and scripts on the device, such as /bin/fota (Firmware Over The Air flashing, I think), a serial console that drops you into a shell without any login (see the inittab), flashing programs, the two management apps launched via inetd, etc. Lots going on.

Cracking open the case reveals what could be a serial/JTAG port, two unused antenna ports, and some other goodies.

But back to the point… can anyone else see another way for updates to be pushed down?

Tuesday, Aug 10, 2010

Clear iSpot was a little too easy to crack

Disclaimer: Whenever you “jailbreak” a device like this you risk bricking it and getting into some trouble. Be nice and be fair! Do this to learn, gain access on devices that aren’t working correctly (which a lot of people are running into right now), extend the capabilities by installing extra software, etc.

Warning: If you are not familiar with the Linux command line and various tools listed below then see my follow-up about using the pre-made configs from jaku.

This is a follow up to my original post which gives some of the background on the iSpot. Have fun!

To get root access:

  1. Download your configuration and extract it
  2. Add a line to lan.conf to add a new user with no password to your /etc/passwd
    1. For example: echo "wojo::0:0:root:/root:/bin/sh" >> /etc/passwd
  3. Tar up the config and upload it
  4. When the iSpot comes back up, go into super user mode (/super via HTTP, u: super, p: super), Tools -> Admin and enable Telnet at the bottom under “Save Telent and Log Configuration” (there are so many typos on this device!)
  5. Telnet to 192.168.1.1 and enter the username from above (e.g. wojo)
  6. Enjoy root
  7. Remove the addition to the /etc/lan.conf on the device so it stops adding the user on every reboot

Want to disable the MAC address restrictions?

  1. Edit /system/wimax/tree.xml in your favorite text editor (vi is on the box)
  2. Search for “RestrictedUse” and set the value to “false” in the node below
  3. Save the file and reboot

How about enabling RNDIS so you don’t have to use WiFi?

  1. From either your local configuration files or via a shell, edit board.conf
  2. Change ENABLE_RNDIS to a value of 1
  3. Go to http://192.168.1.1/html/rndis.html
  4. Set your preference on WiFi enabled during USB tethering
  5. For Windows only: download the driver

Lastly, if you don’t want configs and firmware pushed down, you probably want to at minimum:

  • Disable auto-upgrading in upgrade.conf (ENABLE_AUTO_UPGRADE="NO"),
  • disable OMA-DM in super user mode under WiMAX -> OMA-DM to prevent OTA updates, and
  • never do a factory reset with a signal as the device could pull down new configs and do a firmware upgrade.
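Added example (not code from the original post) that audits an extracted iSpot configuration directory for the lockdown points above and for the leftover lan.conf line from step 7 of the rooting procedure. The file names upgrade.conf and lan.conf come from the posts; the flat directory layout and the presence of a passwd file in the extracted tree are assumptions.

```shell
#!/bin/sh
# Audit an extracted iSpot config directory for the lockdown settings
# discussed in the post. Layout and the passwd file are assumptions.

# Print the value of key $2 in KEY=VALUE file $1, surrounding quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# List uid-0 accounts whose password field is empty, which is exactly what the
# "echo ... >> /etc/passwd" line in the rooting steps creates.
passwordless_root_accounts() {
    awk -F: '$2 == "" && $3 == 0 { print $1 }' "$1" 2>/dev/null
}

# Return 0 when the config looks locked down, 1 otherwise, printing findings.
audit_config() {
    dir=$1; rc=0
    val=$(conf_value "$dir/upgrade.conf" ENABLE_AUTO_UPGRADE)
    if [ "$val" != "NO" ]; then
        echo "upgrade.conf: ENABLE_AUTO_UPGRADE='${val:-unset}', expected NO"; rc=1
    fi
    if grep -q '/etc/passwd' "$dir/lan.conf" 2>/dev/null; then
        echo "lan.conf: still appends a user to /etc/passwd on every boot"; rc=1
    fi
    acc=$(passwordless_root_accounts "$dir/passwd")
    if [ -n "$acc" ]; then
        echo "passwd: uid-0 accounts with no password:" $acc; rc=1
    fi
    return $rc
}

# Constructed sample: a config left exactly as the rooting steps leave it.
make_sample_config() {
    mkdir -p "$1"
    printf 'ENABLE_AUTO_UPGRADE="YES"\n' > "$1/upgrade.conf"
    printf 'echo "wojo::0:0:root:/root:/bin/sh" >> /etc/passwd\n' > "$1/lan.conf"
    printf 'root:x:0:0:root:/root:/bin/sh\nwojo::0:0:root:/root:/bin/sh\n' > "$1/passwd"
}

sample=$(mktemp -d)
make_sample_config "$sample"
audit_config "$sample" || echo "config is NOT locked down"
rm -rf "$sample"
```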

Thanks to Jon at methodicjon.com for a reminder to close up as much as possible in terms of OTA automatic updates.

Now what cool things can the iSpot be extended to do now I wonder?

Tuesday, Aug 10, 2010

Initial Clear iSpot hacking

I picked up a Clear iSpot the other day during their $29 deal, and so far so good. Been getting okay signal and speeds throughout Midtown and Buckhead in Atlanta as long as I am near a window, but indoors it’s been very hard to get a signal. Oh well.

The iSpot is manufactured by Infomark and the model number is IMW-C615W. It seems the generic model sold by Infomark is IMW-C600W and the Clear Spot (not limited to Apple devices) is IMW-C610W. Hardware seems to be identical between all models, it’s just the firmware that changes.

One of the big drawbacks to the iSpot is the MAC address limiting to Apple portable devices, namely the iPod, iPhone and iPads. That being said, I actually have been able to connect with my newer MacBook Pro 13” without any MAC spoofing because it is on the whitelist already. My older MacBook Pro 17” doesn’t work, however, and spoofing the MAC address via the standard disassociate/spoof (‘airport -z’ then ‘ifconfig eth1 ether xx:xx:xx:xx:xx:xx’) trick doesn’t work.

This started me down the route of finding out how to expand or disable the MAC address whitelist. 

The latest firmware (1786 as of this writing) contains a lot of interesting nuggets. Just by analyzing the firmware you can see that the device is based on Linux and uses busybox to save space for user-mode tools. My guess is that it uses iptables to redirect non-authorized MACs to the clear.com unsupported device page.

But first I decided to start attacking via the saved configuration files instead. It seems like a much easier attack vector than the firmware. It’s simply a tar’d directory structure that contains configuration files and executables. The last part sounds fun, doesn’t it?

To get the configuration file go into the iSpot’s web interface to Tools -> Admin and hit “Save Device Configuration to File”. This will produce a .bin file that you’ll save. Extract this file with tar and it’ll produce a directory structure starting at ‘tmp’ with the files we’re interested in.

A few interesting things you can see and/or edit (I’ll add details on these later when I can):

  1. It’s easy to enable NDIS support over USB, making the iSpot act like an Ethernet card. On Mac OS X there is nothing to do for this to work, but if you run Windows you need the driver from http://192.168.1.1/html/rndis.html. You can also modify the setting to disable WiFi when tethered via USB from here, too.
  2. Auto-updating can be disabled. Probably a good idea if you want these changes to stick around.
  3. There’s an executable file in ppp/if-up that could be used to execute code, as long as it runs on connection initiation. Does Clear use PPP for their WiMax?

Obviously #3 could be a great way to run our own code, or possibly even through the configuration files as they could be sourced from shell scripts. It may be possible to extract files into other areas of the filesystem, too.

I didn’t have much time, but I tried a few things such as clearing/adding iptables rules, writing out to the wwwroot and using netcat to communicate with an external box in the if-up script to no avail. I’m not sure if the script is even executing or if I’m not launching the tools correctly through the symlinks and via busybox directly.

Once I’m able to execute whatever I want, I wonder what will be the best way to disable the MAC address filtering. It should be possible to change the WiMax configurations such as:

[OMA] ./WiMAXSupp/Operator/clear/Apps/RestrictedUse/Enabled=true

Lastly, if you log into the super user interface at http://192.168.1.1/super (u: super, p: super) you can play with a few more settings. Telnet was disabled on my device until I went there and played with a setting related to telnet. That could be useful if we can extract the password from the firmware.

That’s where I left off because I ran out of time. I’ll play with the device a little more soon and post any updates.

Also check out David Zatz’s blog post and comments at http://www.zatznotfunny.com/2010-08/more-ispot-speeds-mac-spoofing where there is some work already started. This should be cracked soon :)