Rooting Mifi 5510L, Help Needed

Bockage
12-02-2016, 10:58 PM
I'm trying to get root access to my MiFi 5510L over serial; is anyone able to help?

I found the root password in the DUU exe through a hex editor, and am running it through hashcat and john but it doesn't seem like that's gonna work. So the other option (unless Metasploit can exploit over a serial connection) is to simply change the md5crypted password in the DUU and run the DUU. Except it's not so simple. I changed the password and ran the DUU but still couldn't log in and after some more testing found that it wasn't writing the updated /etc/shadow file (and other files under /etc) at all. So if anyone knows of a way to force the DUU to rewrite everything, please do tell. Thanks.

edit: the md5crypted password is here if anyone has decent equipment and would be willing to try to crack it:
$1$X1yOXSbF$hxfhfLQA96TzuH0vQqjsR/
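The string above is in md5crypt format: the `$1$` prefix names the scheme, the next field is a salt of up to 8 characters, and the final 22 characters are a custom base64 encoding of the result of a fixed 1000 rounds of MD5. Because the round count cannot be raised, the per-guess cost is small and constant, which is why hash-cracking tools get high throughput against `$1$` hashes and why the scheme is considered obsolete compared with tunable schemes such as `$6$` (sha512crypt) or bcrypt. The block below is an added, self-contained illustration of the algorithm (following the FreeBSD crypt-md5.c reference), not code from this thread or from the device; it builds and verifies a hash for a constructed password and salt and does not touch the hash posted above.

```python
"""md5crypt ("$1$") worked example: build and verify hashes of the form
$1$<salt>$<22 chars>. Added illustration following the FreeBSD crypt-md5.c
reference algorithm; the password and salt are constructed for the demo."""
import hashlib
import hmac
from typing import Tuple

MAGIC = b"$1$"
ROUNDS = 1000  # fixed by the algorithm; it cannot be tuned, unlike bcrypt or sha512crypt
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the full '$1$salt$checksum' string for password and salt."""
    pw = password.encode()
    sp = salt.encode()[:8]  # md5crypt uses at most 8 salt characters

    ctx = hashlib.md5(pw + MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    # Mix in the alternate sum, one byte per byte of the password.
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    # For each bit of the password length feed either a NUL or the first byte.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # The stretching loop: 1000 MD5 rounds whose input order depends on i.
    for i in range(ROUNDS):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    # The checksum uses a custom base64 over interleaved digest bytes.
    enc = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (MAGIC + sp + b"$" + enc).decode()


def parse_md5crypt(hashed: str) -> Tuple[str, str]:
    """Split '$1$salt$checksum' into (salt, checksum); reject other formats."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not an md5crypt ($1$) hash")
    salt, checksum = parts[2], parts[3]
    if not 0 < len(salt) <= 8 or len(checksum) != 22:
        raise ValueError("malformed md5crypt hash")
    return salt, checksum


def verify(password: str, hashed: str) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    salt, _ = parse_md5crypt(hashed)
    return hmac.compare_digest(md5crypt(password, salt), hashed)


# Constructed demo values for this example (not the hash from the thread).
DEMO_SALT = "mifiDemo"
DEMO_HASH = md5crypt("correct horse", DEMO_SALT)

if __name__ == "__main__":
    print(DEMO_HASH)
    print(verify("correct horse", DEMO_HASH), verify("wrong", DEMO_HASH))
```

The `verify` function is what a login path does with the stored line from /etc/shadow: it re-derives the hash with the stored salt and compares. The same derivation is all a cracker has to repeat per guess, so the only defence the format offers is the salt (which blocks precomputed tables) and the 1000 rounds; a scheme with a configurable work factor is the mitigation.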

rich hathaway
12-03-2016, 12:43 PM
You can't crack it, it is crypted. I can read or change the root password for you from the device. That DUU will not run firmware if you change a single byte; if you look closely you will see it has not only MD5 but also CRC16 in almost every block, and the loader is summed and checked with the firm for its crypt. Those DUUs are not easy to crack; it took me 3 months working on it off and on to get the 5510 DUU security removed. If you want to send it to me I'll change your root password to whatever you wish for a small fee :)
DUUs were much easier to crack for the 4620 model and models before, but since the 5510 they have new updated security; guess they got smart to us modding our devices lol. I also have for sale a 5510 DUU, fully mod-able with all security removed, but it is not cheap enough to buy for a single device. Like I told you before, if you get tired of fooling with it you can hire me to do it for you if you wish. Good luck friend

sandrey133
08-07-2017, 02:48 PM
the md5crypted password is here if anyone has decent equipment and would be willing to try to crack it:
$1$X1yOXSbF$hxfhfLQA96TzuH0vQqjsR/
You can find this crypted pass in some nv_item 6xxxx. Just rewrite this NV with a known pwd.

Bockage
08-09-2017, 09:57 AM
you can find this crypted pass in some nv_item 6xxxx. just rewrite this nv with known pwd

Do you know how to do that? I actually was able to change the root password on the 5510 with a different exploit, but someone stepped on it ('twas a sad day), so I got a 6620 and it got patched. I think the password is stored in NV item 60253, but NV-items_reader_writer says "phone does not answer", DFS triggers a reboot on the MiFi when it connects, QPST crashes when searching for ports, and nwnvitem on the device itself says "Failed to open QMI communications"; most likely it requires root even to read values.

And there is probably an AT command to do it, but documentation for those is hard to come by; also, I think it requires a password which I don't have.