A few months ago, I purchased a cheap chinese 4G LTE/Wifi/Ethernet/External Battery modem router, it's model code is LR511A from the brand "Mifi". At the price of 76€ shipped to France, I was not expecting a wonderful finished product but I got quite surprised when it came.

The router itself feels robust, it is a little heavy because it loads a 5200mAh battery and the overall quality is nice.

The 128x64 oled color screen is visible but you feel that the software inside is more a mix of various pieces of software than a nice and shiny finished product. The web interface is correct, not the fastest one i used but for the price it's OK. You can configure various settings (APN, Mobile mode, IP ranges ...), send and receive SMS, browse, download and upload files to the Micro SD Card.

The router provides a RJ45 Ethernet port and it is the reason i bought this router instead of another one, because I wanted to connect it to a switch and use it as a gateway to internet for a wired network. BUT I was really disappointed when I discovered that it's impossible to use the Ethernet port to share the 4G/LTE connection. The only purpose of if is to share a existing internet connection from a wired network to Wifi. Actually I wanted to do the opposite !

I knew that inside was a Linux operating system so I was thinking that with a few commands, I would be able to do everything I wanted with this tiny LTE/Ethernet computer. I started by opening the router and accessing to the PCB. I Took a few photos and I started to talk about it with JMP, a friend of mine. He saw something on the board that I didn't saw : two pads named "RX" and "TX"... HOURA !

I connected my UART/USB converter and booted the router ... Re-HOURA ! It is talking to the console !
From what it was telling on the console, It was running "OpenEmbedded" on a

So I started probing various fields around to check if all the things were protected. It appears that the fields are protected by javascript checks before sending to the router, so I had to do it from the Chrome Console to send forged requests with my parameters. Like changing the password and including some shell commands into it, but nothing worked. So we turned to the browsing utility for the Micro SD Card. And after pushing this to the console :

showWaitingDialog(common_waiting, sd_hint_wait_a_few_moments);
button_enable('common_delete', '0');

I was able to browse the root directory of the operating system in the router !


The first thing I did was to navigate to /etc and download "passwd". No shadow file here. Of course the password was hashed so I started John The Ripper with default settings to try to crack the pass while findind another way to get in.
I modified the passwd file to set an empty password for root user. and tried to upload it again. At my own surprise it worked on the first try ... amazing !

So, go back to the serial console and ...


**We are in !**

And a few seconds after getting into the router, John announced that it cracked the password.
And the most secure password of the year is ... imrobot3

Finally able to do something with the router.