m0veax/tplink_m7350

Device Infos

TP Link Router M7350 v3

Community

Join our Matrix Channel

TOC

Photos

up

down

Notes

board components

SoC: Qualcomm MDM9225

Flash: 2Gbit (256MB) Winbond W71NW20GF3FW

mobile wireless: Skyworks SKY77629

kernel

Based on the official sources from kernel.org and with vendor code rsynced over, we are working on getting this to build in 2024.

https://github.com/m0veax/tplink_m7350-kernel

A config from a real device: kernel/config

fastboot

If you remove the battery and plug in USB, lsusb shows:

Bus 001 Device 031: ID 18d1:d00d Google Inc. Xiaomi Mi/Redmi 2 (fastboot)
> fastboot devices
MDM9625	fastboot

The fastboot device listed above disappears after a few seconds.

If you boot normally, it shows:

Bus 001 Device 032: ID 2357:0005 TP-Link M7350 4G Mi-Fi Router

Enter fastboot without bootloop

fastboot reboot bootloader

Firmware

Device seems to run Android. You can get the firmware here:

TP-Link Support Page

The firmware is not encrypted, so you are able to take a deeper look into the configs.

binwalk

binwalk boot.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Android bootimg, kernel size: 3564792 bytes, kernel addr: 0x308000, ramdisk size: 0 bytes, ramdisk addr: 0x308000, product name: ""
2048          0x800           Linux kernel ARM boot executable zImage (little-endian)
18403         0x47E3          gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
3567616       0x367000        Qualcomm device tree container, version: 1, DTB entries: 55
3569664       0x367800        Flattened device tree, size: 49302 bytes, version: 17
3620864       0x374000        Flattened device tree, size: 49218 bytes, version: 17
3672064       0x380800        Flattened device tree, size: 49088 bytes, version: 17
3721216       0x38C800        Flattened device tree, size: 48730 bytes, version: 17
3770368       0x398800        Flattened device tree, size: 49193 bytes, version: 17
3821568       0x3A5000        Flattened device tree, size: 48516 bytes, version: 17
3870720       0x3B1000        Flattened device tree, size: 47693 bytes, version: 17
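The binwalk listing can be cross-checked against the boot image header itself: an Android boot image is a sequence of page-padded components (one header page, then kernel, ramdisk, second stage), so the offset of each component follows from the sizes in the header. Here the kernel occupies 1741 pages of 2048 bytes after the header page, which ends exactly at 0x367000, where binwalk finds the Qualcomm device tree container, and each flattened device tree starts right after the page-padded end of the previous one. The following Python script is an added example, not code from this repository; it reconstructs a header page from the values binwalk printed above (fields binwalk did not report, such as the second-stage and tags addresses, are assumed to be zero) and reports any unexplained gap between components, which is where padding slack or extra data would hide.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# Fixed-size prefix of the classic (v0) Android boot image header from AOSP's
# bootimg.h: 8-byte magic, ten little-endian u32 fields, 16-byte product name.
HDR_FMT = "<8s10I16s"
HDR_LEN = struct.calcsize(HDR_FMT)  # 64 bytes

# (offset, size) of the flattened device trees exactly as binwalk listed them
# for boot.img above.
BINWALK_DTBS = [
    (0x367800, 49302), (0x374000, 49218), (0x380800, 49088),
    (0x38C800, 48730), (0x398800, 49193), (0x3A5000, 48516), (0x3B1000, 47693),
]


def pages(nbytes: int, page: int) -> int:
    """Number of whole pages needed to hold nbytes (components are page padded)."""
    return (nbytes + page - 1) // page


def parse_boot_header(data: bytes) -> dict:
    """Decode the header fields an analyst cares about; raise on bad magic."""
    if len(data) < HDR_LEN or data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (bad magic)")
    (_magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
     second_size, _second_addr, _tags_addr, page_size, _unused, _os_version,
     name) = struct.unpack_from(HDR_FMT, data)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("page_size must be a non-zero power of two")
    return {
        "kernel_size": kernel_size, "kernel_addr": kernel_addr,
        "ramdisk_size": ramdisk_size, "ramdisk_addr": ramdisk_addr,
        "second_size": second_size, "page_size": page_size,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
    }


def expected_layout(hdr: dict) -> dict:
    """Where each component must start if the image follows its header:
    one header page, then kernel, ramdisk and second stage, each page padded."""
    page = hdr["page_size"]
    kernel = page
    ramdisk = kernel + pages(hdr["kernel_size"], page) * page
    second = ramdisk + pages(hdr["ramdisk_size"], page) * page
    end = second + pages(hdr["second_size"], page) * page
    return {"kernel": kernel, "ramdisk": ramdisk, "second": second, "end": end}


def unexplained_gaps(entries, page: int):
    """Return (expected, actual) offset pairs where a page-padded component
    does not start right after the previous one."""
    gaps = []
    for (off, size), (next_off, _) in zip(entries, entries[1:]):
        expected = off + pages(size, page) * page
        if next_off != expected:
            gaps.append((expected, next_off))
    return gaps


def sample_header() -> bytes:
    """Constructed header page carrying the values binwalk printed for this
    image; the second-stage fields, tags address and name are assumed zero."""
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC,
                      3564792, 0x308000,   # kernel size / load address
                      0, 0x308000,         # ramdisk size / load address
                      0, 0, 0,             # second stage size/addr, tags addr
                      2048,                # page size (zImage sits at 0x800)
                      0, 0, b"")
    return hdr.ljust(2048, b"\0")


if __name__ == "__main__":
    hdr = parse_boot_header(sample_header())
    layout = expected_layout(hdr)
    print({k: hex(v) for k, v in layout.items()})
    print("gaps between DTBs:", unexplained_gaps(BINWALK_DTBS, hdr["page_size"]))
```

On a real image, replace sample_header() with the first 64 bytes of boot.img; if the computed end of the kernel pages does not coincide with the next signature binwalk reports, the padding between them is worth carving out and inspecting.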

Findings

./system/etc/{passwd-,shadow}

root:C98ULvDZe7zQ2:0:0:root:/home/root:/bin/sh

A quick search for the hash gives us oelinux123 as a possible value. We need to check that later.

Source: https://svson.xyz/posts/zte-dongle/part4/

./system/etc/lighttpd.user

admin:admin
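Both findings above are cases of weak credential storage in the extracted firmware: the root entry carries a 13-character legacy DES crypt(3) hash (the scheme with 2 salt characters plus 11 hash characters and a 56-bit key), and the lighttpd user file holds a clear-text password equal to the user name. The following Python script is an added example, not code from this repository; it classifies the hash scheme of each passwd entry and flags the risky ones, and checks the lighttpd user file for empty or default passwords. The two sample strings are constructed to reproduce the lines quoted above.

```python
import re

# Constructed sample lines reproducing the two files quoted above
# (./system/etc/passwd- and ./system/etc/lighttpd.user).
PASSWD_SAMPLE = "root:C98ULvDZe7zQ2:0:0:root:/home/root:/bin/sh\n"
LIGHTTPD_USER_SAMPLE = "admin:admin\n"

# crypt(3) prefixes that identify the hashing scheme; anything else that is
# 13 characters of the crypt alphabet is the legacy 56-bit DES scheme.
PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Schemes that are cheap to brute-force or mean no password at all.
WEAK = {"empty", "des-crypt", "md5crypt"}


def classify_hash(field: str) -> str:
    """Name the scheme behind a passwd/shadow password field."""
    if field == "":
        return "empty"        # no password at all
    if field == "x":
        return "shadowed"     # real hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des-crypt"
    return "unknown"


def audit_passwd(text: str) -> list:
    """One finding per account whose stored credential is a risk."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:          # malformed line, skip rather than guess
            continue
        user, pw, uid, _gid, _gecos, _home, shell = parts
        scheme = classify_hash(pw)
        if scheme in WEAK:
            findings.append({"file": "passwd", "user": user, "scheme": scheme,
                             "uid": int(uid), "shell": shell})
    return findings


def audit_lighttpd_user(text: str) -> list:
    """The plain lighttpd user file stores user:password in clear text, as on
    this device; flag entries whose password is empty or equals the user name."""
    findings = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, pw = line.split(":", 1)
        if pw == "" or pw == user:
            findings.append({"file": "lighttpd.user", "user": user,
                             "issue": "default or empty password"})
    return findings


if __name__ == "__main__":
    for f in audit_passwd(PASSWD_SAMPLE) + audit_lighttpd_user(LIGHTTPD_USER_SAMPLE):
        print(f)
```

Point the two audit functions at the extracted system/etc files of any firmware image; an account with UID 0, a login shell and a DES hash is the combination to report first, since that scheme is the one most easily recovered from a leaked hash.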

./system/sbin

Firmware seems to contain an adbd. We need to find a way to start it.

./META-INF/com/google/android/updater-script

Contains the file paths and creates the symlinks for autostart etc. Let's try to modify it to activate adb.

Webinterface RCE to start telnet

The linked 4pda forum thread contains a PoC for a Remote Code Execution vulnerability which allows starting the telnet daemon. Only Windows scripts are linked right now. We should build a shell script to invoke it.

More about this here

We implemented a command line tool.

There is a Ruby implementation too: https://github.com/ecdsa521/tpown/tree/main

.dtb files

The .dtb files of HW rev v3 and v4 are stored in dtb_files and can be visualized with dtvis

Testpoint and Bootpoint PBL

Images of the test points on other hardware revisions have been posted on 4PDA. They could be the same for our device. Take a look here

Backup methods

4PDA has found several ways to back up the installed firmware.

https://4pda.to/forum/index.php?showtopic=669936&view=findpost&p=110738476

Start adbd

usb_composition
902B
nyy

A persistent adbd connection should be established now.

Over the USB cable, on your client:

adb shell

Stop adbd

After a reboot the access point seems to be down, so you need to deactivate adbd again:

adb shell
usb_composition
tplink
nyy

TODO

  • Compare Kernel 3.4.0 with TP Link Sources
  • Find Qualcomm debug stuff online
  • Implement a script to start telnet based on the vuln quoted in the 4pda forum
  • Explore Android / iOS App to find hidden Endpoints
  • Can we do Stuff with the ISP Files from the Download Section?
  • Try to get OpenWRT running on the Device
  • Find a way to start adbd
  • Link v3 Firmware instead of v4

Weblinks

OpenWRT Board

4pda

OEM

Sourcecode