efforg/rayhunter#485

#485 [Alcatel MW43TM] Orbic Speed alternative
new-hardware

Alcatel Linkzone 2 (MW43TM):

https://us.alcatelmobile.com/alcatel-linkzone-2/

https://www.ebay.com/sch/i.html?nkw=alcatel+mw+43+tm+linkzone+2+wifi+4+g+lte+hotspot&norover=1&mkevt=1&mkrid=711-153677-323661-0&mkcid=2&mkscid=102&keyword=Electronics,SRP&crlp=&MT_ID=&geo_id=&rlsatarget=dat-2328490750103156:loc-66&adpos=&device=c&mktype=&loc=186981&poi=&abcId=&cmpgn=603518122&sitelnk=&adgroupid=1227055987794418&network=s&matchtype=b

Cheaper with a better battery and based on the same Qualcomm chipset.

Edit: Unlockable as well.

Comments (9)

It looks like an interesting device for sure. We would have to think about how to do notifications on it, but maybe we could do something with the LEDs. The real question is: can we get a shell on it, and can we get root? If we can do that, I would say it's possibly a viable device.

I have one of these as well as the Franklin T9 RT717 T-Mobile Black. Are any of these possible to load with rayhunter? I’m very curious. Thanks.

Alex Studer’s exploit is for the MW41, not the MW43– it seems to work to put the MW43 into a debug mode. I can send AT commands after sending sudo sg_raw /dev/sgX 16 f9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -v, although none of them have led to getting a shell yet. I can see an adb interface show up with lsusb, but I can’t get adb to recognise it. I’m unsure if that means I need to change a setting on the actual device to make it accept connections or if there’s something I can do on my end (tweak the client to send to a different interface?).

If I send 16 f5 ... (shown in the Russian tool screenshot), it will put the device into firmware update mode.

Having a copy of the firmware would help, then I could reverse atfwd_daemon and see if there’s anything like AT+SYSCMD. I’ve tried some variants I’ve found online (like AT+QLINUXCMD) without luck. Or if there’s a way to properly enable the debug bridge.

I was able to root the device by using a modified adb_client and installed rayhunter. It doesn’t work out of the box yet, but we at least have a shell and can load software. I’ve started a thread about it in Mattermost.

Do you have one of these yourself, Sami32?

Great news +1

No, I don’t, not yet at least. I recently discovered your great project from a friend’s link, and saw the USA-limited use case until now, so I searched for how to extend your project’s reach with other hardware. This one is interesting because it can be found very cheaply compared to the other alternatives proposed, so the reach and real-life test results on cellular listening would be spread worldwide in these difficult times, IMHO.

I was able to port rayhunter, but the output of /dev/diag is useless, even with a SIM card. I will keep investigating in my free time but it’s not a priority.

Have you had any further luck with getting a usable port on this device? I have one of these hotspots that I’m not using for anything and I am willing to help if I can.