I’ve recently bought myself a Netgear AC810 mobile hostpot. It is a rather old model but it’s lightyears better than those cheap Huawei soapbar-style modems which our ISPs provide. Also, since 4G is not my main connection and is only used on-the-go, I didn’t want to invest in a higher-end model, like Nighthawk M1 or M2.

Now, since I’m a computer geek, I wanted to take a look what’s under the hood of that small black box with an LCD screen on it.
I know that this thing, like most 4G routers out there runs some version of Linux. Now how do I access the shell ?
After some research, I found that there’s an AT terminal running on port 5510. Since this modem uses a Qualcomm chipset, it is probably based on the same software as those Sierra Wireless modems. Fortunately, the unit I have had all advanced AT commands (which are usually locked by a password, which in case of my model should be “whistler”) unlocked out the box.
But AT!CUSTOM=? returned an error. So there is some lock present. Fortunately, a keygen is available to enable custom commands on Qualcomm/Sierra Wireless modems.
https://github.com/bkerler/SierraWirelessGen (use model MDM9x40)

With this keygen, I was able to unlock AT!CUSTOM commands (commands will again be locked after a reboot). On my particular unit, AT!CUSTOM=”ADBENABLE”,1 succeeded but did not actually enable ADB. But AT!CUSTOM=”ENABLETELNET”,1 did enable Telnet. I was able to get a password-less root shell on port 23. Bingo !

Now, for the specs:
SoC: Qualcomm MDM9640 (aka. Snapdragon X12), single core ARM Cortex-A7
RAM: 160 MB
Storage: 512 MB, divided into multiple partitions, usable space is formatted as UBIFS. There’s a total of about 126 MB of usable free space available. Root is writable as are most other locations.
Kernel: Linux 3.10.49

Router’s interface is purely web-based. Even the LCD interface is done using a tiny DirectFB based web browser (WebKit based, judging from the logs) which simply loads a web page ( during boot. This browser seems to have some kind of custom API accessible via JavaScript. I have not yet fully reverse-engineered it but I do plan to do so.

For compiling custom software, Linaro v13.08 ARM toolchain should work, it has the same version of libc (eglibc 2.17) as that used on the router:
There are GPL sources provided, but compiling GCC toolchain from schratch is a large amount of work and the result probably wouldn’t work any better than the Linaro toolchain.

I was pleasantly surprised that Netgear developers have enabled the option to include a kernel configuration in /proc/config.gz, this should help greatly when building new modules for modem’s kernel. /proc/config.gz is a very rare sight on production devices. This modem is the first device I’ve ever seen to have /proc/config.gz enabled out of the box.

What I’ve done so far:
* Customized dropbear SSH server, https://github.com/zcutlip/dropbear-hacks (replace MIPS compilers with ARM ones in the build script) which works without relying on getpwnam(). Now, I can add a password and stop relying on Telnet for shell access.

* zRAM module. OS is extremely poorly optimized. With GUI and SSH running there’s only about 5 MB of RAM free !
* DnsCrypt for secure DNS lookups.
* OpenVPN client for VPN passthrough.
* Password lock for LCD UI

Will update.