The TP-Link M7350 is a series of portable 4G routers roughly equivalent to the Orbic RC400L sold in the US, which is also the device the Rayhunter project is built around.
The devices are generally based on Qualcomm SoCs.
There are multiple hardware revisions. We have taken them apart and added photos, notes on specific parts and possible hardware modifications.
Note that the sources are a bit messy. For example, we have found the display driver for earlier devices to be in the v2 and v4 tarballs, but not in v3.
- https://www.tp-link.com/en/support/download/m7350/
- https://archive.org/download/tp-link-gpl-source/LTE/M7350/
Join our Matrix Channel
- Rayhunter repository
- porting to the M7350 (obsolete)
- femto8: an open-source reimplementation of the PICO-8 fantasy console adapted for the TP-Link M7350
Qualcomm has different kinds of chips:
- MDM is Mobile Data Modem
- MSM is Mobile Station Modem
- APQ is Application Processor
See also https://www.qualcomm.com/products/technology/processors and https://www.ntia.gov/files/ntia/qc_comments_on_firstnet_noi.pdf.
The chips on the portable routers as described here are mostly MDMs. They are powerful enough for small applications.
Based on the official Linux kernel sources, with the vendor code rsynced over, we are working on getting them to build in 2025:
https://github.com/m0veax/tplink_m7350-kernel
A config from a real v3 device: kernel/config
If you remove the battery and plug in USB, lsusb briefly shows:

```
Bus 001 Device 031: ID 18d1:d00d Google Inc. Xiaomi Mi/Redmi 2 (fastboot)
```

(The "Xiaomi Mi/Redmi 2" name is just the usb.ids entry for the generic Google fastboot ID 18d1:d00d, not a property of the router.) Then `fastboot devices` gets:

```
MDM9625 fastboot
```

The device disappears after a few seconds.
If you boot normally, it shows:

```
Bus 001 Device 032: ID 2357:0005 TP-Link M7350 4G Mi-Fi Router
```
To make the device stay in fastboot (until reset), run `fastboot reboot bootloader` while it is still in that short window.
An easier way to enter fastboot is to get a telnet root shell and run:

```
/ # reboot-bootloader
```
Qualcomm documents their fastboot commands.
The following `fastboot getvar` variables return results:

| variable | result |
|---|---|
| version | 0.5 |
| kernel | lk |
| max-download-size | 0x2f00000 |
| product | MDM9625 |
| serialno | MDM9625 |
You can use fastboot to run a custom kernel.
On the v2 revision, a fastboot device briefly appears on normal boot, without removing the battery.
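The fastboot window described above only lasts a few seconds, so catching it by hand is fiddly. The following Python script is an added example, not code from these notes or from the linked repositories: it polls lsusb for the fastboot ID, immediately re-enters the bootloader so it stays up, and then checks that `getvar product` reports MDM9625 before anything is booted or flashed. It assumes a Linux host with lsusb and fastboot in PATH and a fastboot build that accepts `fastboot reboot bootloader` (older builds spell it `fastboot reboot-bootloader`); the lsusb lines embedded for the self-check are the ones quoted above.

```python
"""Catch the M7350's short fastboot window and keep the bootloader open.

Added example, not code from the original notes or the m0veax repository.
Assumptions: Linux host, `lsusb` and `fastboot` in PATH, and a fastboot
build that accepts `fastboot reboot bootloader` (older builds use
`fastboot reboot-bootloader`).
"""
import re
import subprocess
import time

FASTBOOT_ID = ("18d1", "d00d")   # generic Google fastboot ID, as seen in lsusb
NORMAL_ID = ("2357", "0005")     # TP-Link M7350 in its normal USB composition
EXPECTED_PRODUCT = "MDM9625"     # what `fastboot getvar product` reported

# lsusb snapshots copied from the notes above, used by the self-check below.
SAMPLE_LSUSB_FASTBOOT = (
    "Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub\n"
    "Bus 001 Device 031: ID 18d1:d00d Google Inc. Xiaomi Mi/Redmi 2 (fastboot)\n"
)
SAMPLE_LSUSB_NORMAL = (
    "Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub\n"
    "Bus 001 Device 032: ID 2357:0005 TP-Link M7350 4G Mi-Fi Router\n"
)

LSUSB_RE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$")


def parse_lsusb(text):
    """Return (vid, pid, description) tuples for every `lsusb` line."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            devices.append((m.group(3), m.group(4), m.group(5)))
    return devices


def device_state(lsusb_text):
    """Classify the router from one lsusb snapshot: fastboot, normal or absent."""
    ids = {(vid, pid) for vid, pid, _ in parse_lsusb(lsusb_text)}
    if FASTBOOT_ID in ids:
        return "fastboot"
    if NORMAL_ID in ids:
        return "normal"
    return "absent"


def parse_getvar(text):
    """Parse `fastboot getvar` output ("name: value" lines, printed on stderr)."""
    result = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        # skip the "Finished. Total time: ..." trailer
        if sep and not name.strip().lower().startswith("finished"):
            result[name.strip()] = value.strip()
    return result


def is_expected_target(getvars):
    """Refuse to touch a device whose bootloader does not identify as MDM9625."""
    return getvars.get("product") == EXPECTED_PRODUCT


def run(cmd):
    """Run a host command and return stdout+stderr (fastboot talks on stderr)."""
    p = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return p.stdout + p.stderr


def latch_fastboot(timeout=60.0, poll=0.2):
    """Poll lsusb until the fastboot device appears, then make it stay.

    Returns the parsed getvar dictionary, or None if the window never opened
    within `timeout` seconds (the device only shows it for a few seconds).
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if device_state(run(["lsusb"])) == "fastboot":
            # Re-entering the bootloader from fastboot keeps it there until reset.
            run(["fastboot", "reboot", "bootloader"])
            time.sleep(2)
            return parse_getvar(run(["fastboot", "getvar", "product"]))
        time.sleep(poll)
    return None


if __name__ == "__main__":
    vars_ = latch_fastboot()
    if vars_ is None:
        raise SystemExit("no fastboot window seen; remove battery, plug in USB, retry")
    print("bootloader reports:", vars_)
    print("ok to fastboot boot a custom kernel" if is_expected_target(vars_)
          else "unexpected product, not touching this device")
```

Start the script first, then remove the battery and plug in USB; the product check is there because the generic 18d1:d00d ID is shared by many fastboot devices, so the USB ID alone does not prove you are talking to the router.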
An SD card for use with the stock system needs to be FAT32 formatted, e.g. on the host:

```
sudo mkfs.vfat -F 32 /dev/mmcblk0
```

(Adjust the device node to your card reader. The router mounts the first partition, so the card needs a partition table with a FAT32 partition on it; formatting the whole block device without one leaves nothing for the device to mount.) Afterwards, via `adb shell`, run `mount /dev/mmcblk0p1 /mnt/` on the device, and you can access the SD card at /mnt/.
Bonus: switching the USB composition on the device

```
> usb_composition
> 902B
```

exposes the SD card as a USB device afterwards.
The main system seems to be Android-based, but without /dev/binder.
We have extracted the root file system for a better understanding.
See more detailed notes on the firmware from further research regarding other partitions.
The root entry in /etc/passwd of the extracted root file system:

```
root:C98ULvDZe7zQ2:0:0:root:/home/root:/bin/sh
```

The hash is traditional DES crypt (13 characters, 2-character salt, no `$id$` prefix), and a quick search for it gives oelinux123 as a possible value. We have confirmed this to be the password.
Source: https://svson.xyz/posts/zte-dongle/part4/
admin:admin
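The following Python audit script is an added example, not code from these notes or from any of the linked projects: it classifies the hash scheme of every entry in an extracted passwd file, lists the uid-0 accounts that can be attacked offline, and, where the analysis host's libcrypt still implements DES, checks a candidate password the same way login on the device would. The sample passwd text is constructed around the root line quoted above; the ctypes call into libcrypt is an assumption about the analysis host.

```python
"""Audit /etc/passwd from an extracted firmware root file system.

Added example, not code from the original notes. It flags uid-0 accounts
whose hash sits in passwd itself and uses a scheme that cracks offline
quickly (traditional DES crypt: 13 chars of [./0-9A-Za-z], 2-char salt,
no $id$ prefix), and optionally confirms a candidate password through the
host's libcrypt. The ctypes call to libcrypt is an assumption about the
host; when DES is compiled out of libcrypt, verify_crypt() returns None.
"""
import ctypes
import ctypes.util
import re

# Constructed sample: the root line quoted in the notes plus two filler entries.
SAMPLE_PASSWD = (
    "root:C98ULvDZe7zQ2:0:0:root:/home/root:/bin/sh\n"
    "daemon:*:1:1:daemon:/usr/sbin:/bin/sh\n"
    "sshd:x:22:22:sshd:/var/run/sshd:/bin/false\n"
)

DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
            "$y$": "yescrypt", "$2": "bcrypt"}


def hash_kind(field):
    """Name the password scheme of one passwd/shadow password field."""
    if field == "":
        return "empty"          # login with no password at all
    if field == "x":
        return "shadowed"       # real hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_CRYPT_RE.match(field):
        return "descrypt"
    return "unknown"


def parse_passwd(text):
    """Return one dict per well-formed (7-field) passwd line."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, pw, uid, _gid, _gecos, _home, shell = parts
        entries.append({"name": name, "hash": pw, "uid": int(uid),
                        "shell": shell, "kind": hash_kind(pw)})
    return entries


def risky_accounts(text):
    """uid-0 accounts with a real shell and a hash worth cracking offline."""
    weak = ("empty", "descrypt", "md5crypt")
    return [e["name"] for e in parse_passwd(text)
            if e["uid"] == 0 and e["kind"] in weak
            and not e["shell"].endswith(("nologin", "/false"))]


def verify_crypt(password, stored):
    """True/False if the host libcrypt can evaluate `stored`, else None.

    Note: DES crypt only looks at the first 8 characters of the password,
    so "oelinux123" and "oelinux1" are the same password to this device.
    """
    libname = ctypes.util.find_library("crypt")
    if libname is None:
        return None
    try:
        lib = ctypes.CDLL(libname)
        lib.crypt.restype = ctypes.c_char_p
        lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        out = lib.crypt(password.encode(), stored.encode())
    except (OSError, AttributeError):
        return None
    if not out or out.startswith(b"*"):
        return None             # scheme unsupported by this libcrypt build
    return out.decode() == stored


if __name__ == "__main__":
    for e in parse_passwd(SAMPLE_PASSWD):
        print(f"{e['name']:8} uid={e['uid']:<4} {e['kind']}")
    print("risky:", risky_accounts(SAMPLE_PASSWD))
    print("oelinux123 matches root hash:", verify_crypt("oelinux123", "C98ULvDZe7zQ2"))
```

Traditional DES crypt truncates the password to 8 characters, so any password beginning with `oelinux1` logs in as root on such a device; the finding is the scheme and the shared vendor default, not just the one leaked value.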
The firmware contains an adbd. ADB access can be obtained permanently (see the usb_composition procedure further down).
It also contains two reboot scripts, reboot-recovery and reboot-bootloader, which differ only in the value written to /etc/reboot-cookie before rebooting:

```sh
/ # cat /sbin/reboot-recovery
#! /bin/sh
echo 2 > /etc/reboot-cookie
reboot
/ # cat /sbin/reboot-bootloader
#! /bin/sh
echo 1 > /etc/reboot-cookie
reboot
```
This contains paths to files and creates symlinks for autostart etc.
The linked 4pda forum thread contains a PoC for a Remote Code Execution (RCE) vulnerability that can be used to start the telnet daemon. Only Windows scripts are linked there right now, so we have developed our own tools.
More about this here
We implemented a Rust command line tool and a curl based shell script. The latter performs the login automatically.
There is a [Ruby implementation](https://github.com/ecdsa521/tpown/tree/main) as well.
The .dtb files of HW rev v3 and v4 are stored in dtb_files and can be visualized with dtvis.
There are photos on 4PDA of other variants of the same general board design; the boards are similar to our device.
4PDA has found several ways to back up the installed firmware.
Via telnet, run the usb_composition command on the device, select composition 902B and answer the three y/n prompts with n, y, y:

```
usb_composition
902B
nyy
```

A persistent adbd connection should be established now. With a USB cable connected to your laptop, `adb shell` will get you a shell.
After a reboot, the access point seems to be down.
To deactivate adbd again, switch back to the stock composition:

```
adb shell
usb_composition
tplink
nyy
```
- Compare Kernel 3.4.0 with TP Link Sources
- Find Qualcomm debug stuff online
- implement script to start telnet based on the vuln quoted in the 4pda forum
- Explore Android / iOS App to find hidden Endpoints
- Can we do Stuff with the ISP Files from the Download Section?
- Try to get OpenWRT running on the Device
- Find a way to start adbd
- Link v3 firmware instead of v4