Rayhunter on TP-Link M7350 v8
Rayhunter by the EFF is an open-source tool to detect cellular spying devices, aka IMSI catchers, aka Stingrays. The tool monitors the cellular network and detects anomalies. Specifically, it looks for IMSI requests, 2G downgrades, SIB types 6 and 7, and null ciphers. It was originally written for the Orbic RC400L, which is hard to purchase in Europe. GitHub user m0veax has created a fork and documentation to bring Rayhunter to the TP-Link M7350, which is available in Europe.
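To make the four heuristics concrete, here is an added example (not Rayhunter's own code) that applies them to a constructed list of already-decoded control-plane messages. The dict layout is an assumption; Rayhunter itself parses Qualcomm diag logs. It also handles the main false-positive case: an IMSI identity request is normal on a first attach and only becomes suspicious once the network has already assigned a temporary identity (GUTI).

```python
# Added example, not Rayhunter's code: a toy anomaly classifier for the four
# heuristics named above (IMSI request, null cipher, SIB6/7, 2G downgrade).
# Message format is an assumption; the sample capture below is constructed.
from collections import Counter

# Null-cipher algorithm identifiers: EEA0 (LTE), UEA0 (UMTS), A5/0 (GSM).
NULL_CIPHERS = {"EEA0", "UEA0", "A5/0"}

# Constructed sample capture: one benign initial attach, then four suspicious events.
SAMPLE_MESSAGES = [
    {"rat": "LTE", "msg": "IdentityRequest", "identity_type": "IMSI"},   # benign: no GUTI yet
    {"rat": "LTE", "msg": "AttachAccept", "guti": "constructed-guti-1"},
    {"rat": "LTE", "msg": "IdentityRequest", "identity_type": "IMSI"},   # suspicious: GUTI exists
    {"rat": "LTE", "msg": "SecurityModeCommand", "ciphering": "EEA0"},
    {"rat": "LTE", "msg": "SystemInformationBlock", "sib_type": 7},
    {"rat": "LTE", "msg": "RRCConnectionRelease", "redirect_rat": "GERAN"},
    {"rat": "LTE", "msg": "SystemInformationBlock", "sib_type": 1},      # SIB1 is normal
]


def analyze(messages):
    """Return a list of (index, kind, detail) findings, in capture order."""
    findings = []
    has_guti = False  # becomes True once the network has assigned a temporary identity
    for i, m in enumerate(messages):
        kind = m.get("msg")
        if kind in ("AttachAccept", "TrackingAreaUpdateAccept") and m.get("guti"):
            has_guti = True
        elif kind == "IdentityRequest" and m.get("identity_type") == "IMSI":
            # Asking for the IMSI on a first attach is normal; asking again once a
            # GUTI exists defeats identity privacy and is classic catcher behaviour.
            if has_guti:
                findings.append((i, "imsi_request", "IMSI requested although GUTI assigned"))
        elif kind == "SecurityModeCommand" and m.get("ciphering") in NULL_CIPHERS:
            findings.append((i, "null_cipher", m["ciphering"]))
        elif kind == "SystemInformationBlock" and m.get("sib_type") in (6, 7):
            # SIB6/SIB7 carry UTRA/GERAN neighbour-cell info, which a catcher can use
            # to steer the phone towards a weaker radio technology.
            findings.append((i, "sib6_7", f"SIB{m['sib_type']}"))
        elif kind == "RRCConnectionRelease" and m.get("redirect_rat") == "GERAN":
            findings.append((i, "2g_downgrade", "redirected to GERAN (2G)"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. Counter({'null_cipher': 1, ...})."""
    return Counter(kind for _, kind, _ in findings)


if __name__ == "__main__":
    for idx, kind, detail in analyze(SAMPLE_MESSAGES):
        print(f"msg {idx}: {kind} ({detail})")
```

Running it on the constructed capture yields one finding per heuristic; the first IMSI request is deliberately left unflagged because it precedes any GUTI assignment.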
Rooting the TP-Link M7350 v8
Last time I heard about TP-Link, it was because TP-Link's security is a joke. TP-Link's routers are only good for installing OpenWrt, because they are so easy to root; don't use them for anything serious. The same is true for their modems. There are multiple hardware revisions of the device, with v3 and v4 having good rooting scripts. I have a v8, which can be rooted using the "Chrome hack". GitHub user Ping2A discovered that the following JavaScript snippet opens telnet:
Globals.models.PTModel.add({applicationName: "telnet", enableState: 1, entryId: 1, openPort: "2300-2400", openProtocol: "TCP", triggerPort: "$(busybox telnetd -l /bin/sh)", triggerProtocol: "TCP"})
Essentially, it is a system command injection vulnerability in the admin panel: a free-form port-trigger field is passed to a shell unvalidated. Telnetting into the device shows that we are root. Looking around, the system does not inspire confidence in TP-Link's security: the device runs Linux 3.18.20, and a "tp-link-ca" certificate is installed, which uses 2048-bit RSA and is valid until 2068.
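For contrast, here is what validation of the trigger and open-port fields should look like. This is an added example, not code from TP-Link's firmware: a strict grammar for port specs, re-serialisation from integers, and an argv list that never passes through a shell. The "porttrigger" tool name is an assumption.

```python
# Added example, not TP-Link firmware code: strict validation for port-trigger
# fields so that no user-supplied text can ever reach a shell.
import re

# [0-9] rather than \d: Python's \d also matches non-ASCII digits, which int() accepts.
PORT_SPEC_RE = re.compile(r"([0-9]{1,5})(?:-([0-9]{1,5}))?")
ALLOWED_PROTOCOLS = {"TCP", "UDP"}


def parse_port_spec(spec):
    """Accept 'N' or 'N-M' with 1 <= N <= M <= 65535; raise ValueError for anything else."""
    if not isinstance(spec, str):
        raise ValueError("port spec must be a string")
    m = PORT_SPEC_RE.fullmatch(spec.strip())
    if m is None:
        raise ValueError(f"malformed port spec: {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"port range out of bounds: {spec!r}")
    return low, high


def is_valid_port_spec(spec):
    """Boolean convenience wrapper around parse_port_spec."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def build_rule_argv(protocol, trigger_spec, open_spec):
    """Build an argv list for a hypothetical 'porttrigger' tool.

    Hand the result to subprocess.run(argv) without shell=True; only canonical,
    re-serialised integers reach the command line, never the raw form input.
    """
    if protocol not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol: {protocol!r}")
    t_low, t_high = parse_port_spec(trigger_spec)
    o_low, o_high = parse_port_spec(open_spec)
    return ["porttrigger", "add", "--proto", protocol,
            "--trigger", f"{t_low}-{t_high}", "--open", f"{o_low}-{o_high}"]


if __name__ == "__main__":
    print(build_rule_argv("TCP", "2300-2400", "80"))
```

The two properties that matter are that the regex is anchored with fullmatch (so nothing besides digits and one dash is accepted) and that the command is assembled as an argv list, so even a validation slip could not become a second command.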
To get better shell access, adbd can be enabled:
/ # usb_composition
usb_composition
boot hsusb composition: 902B
boot hsic composition: empty
Choose Composition by Pid:
<snip>
902B - RNDIS + ADB + Mass Storage
<snip>
tplink - RNDIS + Mass Storage:ECM + Mass Storage(User Mode)
tplink_rndis - RNDIS + Mass Storage:ECM + Mass Storage(User Mode)
Pid number : 902B
902B
Choose core: y - hsic, n - hsusb ? (y/n)n
n
Would you like it to be the default composition ? (y/n)y
y
Would you like the composition to change immediately? (y/n)y
y
Are you performing the composition switch from adbd? (y/n)n
n
Switching to composition number 0x902B
/ # Starting adbd: done
Uploading Rayhunter
A custom build of Rayhunter is provided by m0veax; I use this version. Some of the changes have since been added upstream, but I have not tested them.
adb push rayhunter.config /data/rayhunter/config.toml   # destination matches the start command below
adb push rayhunter-daemon /media/card/rayhunter-daemon
Starting Rayhunter
Rayhunter states that it is recommended to install a SIM card, but it does not need to be online. Luckily, I had my old Vodafone SIM card lying around, which I migrated to an eSIM in December to be able to use a Chaos Card, so I did not need to go to the phone shop. The TP-Link did not accept my PIN, so I put the card in my phone, removed the PIN, and put it back in the TP-Link. Over adb, Rayhunter can then be started:
# /media/card/rayhunter-daemon /data/rayhunter/config.toml
Rayhunter web interface
On port 8080, Rayhunter serves a web interface showing information about the software itself and the analysis results.
The PCAPs can be downloaded and analyzed in Wireshark.
Conclusion
Luckily for me, but also boringly, I have not yet encountered a warning. I will continue to run the software, especially when I am in Hamburg in December again. I have encountered decoding errors due to "CHOICE Addition not supported yet" and "ignoring unhandled log type: WcdmaSignallingMessage". Furthermore, I thank everyone involved in getting Rayhunter onto the TP-Link, and my colleagues for gifting me the device. In the future I hope to see the patches merged upstream and new features added. Finally, I recommend installing an SD card to store the logs and PCAPs.