Microsoft HotSpot in Forbes Magazine Firmware Lifting “Hack”

You may have heard about the free Wi-Fi hotspot that Microsoft pushed out in random Forbes magazines… This device comes with a T-Mobile GSM SIM card with the data service that lasts for only 15 days . I was curious as to what was making this tick, so I decided that it would be a fun experiment to lift the contents of this Linux OS off of the device.

The device has the following chips:

United-Tek H1602PR

Ralink RT5350F

Etron Tech EM63A165TS

These chips should be fairly obvious as to what purpose they serve, if not with a quick Google search.

The device has the following ports open with services started on by default: 80, 23, and 5820. That last one hosts a redirect site for a supposed login (or that’s what my phone seemed to think) in order to initiate the T-Mobile service? Maybe accessing that page triggers the “activation”. Please correct me either way.

Anyway, without further adieu, here are the steps I had to take in order to get the filesystem off of the device.

1. Plug device into computer via microusb and connect battery (this will keep the battery charged)
2. Wait for AP to startup, and connect to the SSID: Microsoft_Office365 with the password Office365
3. Visit 192.168.100.1:80 and login as admin/admin

portable_wifi_web
4. Do whatever you want on this web interface regarding the router’s settings
4a. The FTP setting in here does not actually work, we need to do this via telnet (23)
5. telnet 192.168.100.1
6. Login as username: admin password: admin
7. cd /bin
8. vi new.conf
9. Paste this in vi:

ServerName test
DefaultAddress 127.0.0.1
ServerType standalone
DefaultServer on
AuthUserFile /etc/passwd
Port 21
Umask 022
MaxInstances 10
User admin
Group admin
DefaultRoot /
UseReverseDNS off
IdentLookups off
RootLogin on
DelayEngine off

10. We are changing the DefaultRoot to be the root directory, instead of /media/
11. In the same directory, type: proftpd -c new.conf
12. This will take our new conf and run it with our FTPD

portable_wifi
13. Login as admin/admin on 192.168.100.1 via FTP, 21
14. Copy whatever you want off of the device. Enjoy!

portable_wifi_proftpd

Side note: I believe that you could simply copy off the device block and have it all neatly within a single file by performing the following, then copying it off via our FTP server:

cp /dev/mtdblock0 /tmp/rootfs

In case you don’t want to go through all of that, here are the files extracted: Ralink FileSystem

Cheers!

This entry was posted in Uncategorized. Bookmark the permalink.

3 Responses to Microsoft HotSpot in Forbes Magazine Firmware Lifting “Hack”

  1. Crispyjones says:

    I’ve been fooling with this too, thanks for sharing. You can also access this by soldering a cat5 cable to the Ralink board for a wired interface. The wired interface, at least on mine, is up by default. https://plus.google.com/photos/116411068052670412416/albums/5874378802547479937?authkey=COyVzNzxyLzNZQ Link to album with all the components disassembled.

  2. admin says:

    Very nice! I was wondering what that would be used for. I think I may give that a go and work on my soldering skills.

    If you do anything else cool with it, post it here. Thanks for contributing!

  3. Ronald says:

    Wonderful article! We are linking to this great article on our site.
    Keep up the good writing.

Leave a Reply

Your email address will not be published. Required fields are marked *