efforg/rayhunter#517

If the install process can be easily automated and rayhunter can get useful information & there’s enough storage space, we’d likely be quite happy to support the device. I have a 5530L and a 6620L that I haven’t taken a look at yet that probably have a very similar unlocking method & userspace.

Looks like they’re fairly inexpensive nowadays; I bought one years ago for a trip and it’s been kicking around on my desk: https://www.ebay.com/sch/i.html?_nkw=jetpack+7730L&_sacat=0&_from=R40&_sop=15 $15 or so

It does support tethering. Is there a good writeup for some step-by-step for how I could check if it’s possible to get an ADB shell? I can test/check via Linux or Windows.

not really, no two devices work the same. things that have worked in the past are:

• looking up <devicename> + telnet – particularly 4pda.to is full of information for how to root various devices (though if this device only works in the US you might be out of luck there)
• just trying to launch adb shell while it’s plugged in and seeing what comes up
• trying to talk to it via serial to run commands as root, worked for orbic: https://xdaforums.com/t/resetting-verizon-orbic-speed-rc400l-firmware-flash.4334899/
• for tplink, shell injection in the UI work, i.e. setting the language to $(busybox telnetd -l /bin/sh)

it’s a creative process. you might want to read the existing code for the installer in rayhunter for inspiration.

adb shell achieved – I see what you mean about poking around.

1. Get the latest mifilink.exe from here: https://www.temblast.com/mifilink.htm
2. Boot and plug in the 7730L to your PC
3. Run .\mifilink.exe diag Note that I tried several different numeric options .\mifilink.exe 0/1/2/3/4/5/6 and I didn’t get any that resulted in ADB access. I had to pull the battery to reset the device quite a few times.
4. Device will reboot
5. Look in device manager under the Ports (COM & LPT) and you’ll see a new COM port.
6. Connect with Putty to the new COM port, for example mine was COM4 with 115200 for speed.
7. Login with credentials:

user: mifi
pass: world2k

9. Run this command: nohup sh -c "export LD_LIBRARY_PATH=/opt/nvtl/lib; /opt/nvtl/bin/usb_cli stop && /opt/nvtl/bin/usb_cli start FTM" & and then the device will reboot. Note that I tried “LTM” like the 4pda.to link suggested and that didn’t work.
10. Unplug and re-plug the device after it boots
11. adb devices should return the device:

List of devices attached
0123456789ABCDEF    device

13. adb shell and you’re in

Notes: The root password seems to be unknown; once I had adb shell I just ran su then passwd to change the root password to something else.

Some references:

• https://xdaforums.com/t/verizon-mifi-8800l-hot-spot-mods-hacking.4323669/page-32
• https://4pda.to/forum/index.php?showtopic=1027100&st=400#entry135725687

Edit: Based on the contents of /opt/nvtl/bin/mifi_rootpass.sh the root password may be dijD31 but since I reset mine, I cannot know for sure.

/ # nwnvitem -r -e NW_NV_LINUX_ROOT_PASSWORD_I
$1$DP.DezWA$7Zp8FXvbf8.Vjx//dijD31/ #

i’m impressed by this turnaround time but also, that list of steps just to get rootshell is long. I feel that it’s not viable to maintain a cross-platform installer for it without trying to find a shortcut. some concerns:

• mifilink.exe probably has to be reverse-engineered with ghidra. we can’t bundle it in the installer even if we can somehow figure out how to run it on linux.
• Step 6, would have to figure out how to do that programmatically

Yea I agree – very manual. In lieu of main support, is there a way to test a bit further / try installing rayhunter on the device as a proof of concept?

I saw some chatter of “InseegoTool-0.7-jar-with-dependencies.jar” being able to do what mifilink.exe does, so I pulled a copy of that and looked. (https://www.decompiler.com/jar/c93a4f4589e54e9bb33f7823d9d09961/InseegoTool-0.7-jar-with-dependencies.jar) FWIW I did look at mifilink.exe as well but I don’t really understand it: https://dogbolt.org/?id=1bca6af9-fabb-47b4-a1f8-c11313cb71a7

When the device initially shows up with mifilink it reports as: Found 1410/b010 MiFi 8x00 (HID)

After modification it shows up as: Found 1410/b021 MiFi 7730 (HID)

This tracks with the java code from what I can tell; it’s sending some command to the HID device with this hid4java library: https://github.com/gary-rowe/hid4java

I think the DEBUG_MODE all 0’s array is why the 8x00 gets dropped.

/*
 * Decompiled with CFR 0.153-SNAPSHOT (d6f6758-dirty).
 */
package su.operator555.inseegotool;

import org.hid4java.HidDevice;
import org.hid4java.HidManager;
import org.hid4java.HidServices;
import org.hid4java.HidServicesSpecification;
import su.operator555.inseegotool.Log;

public class HIDUtil {
    private final Log log;
    final byte[] DEBUG_MODE = new byte[]{0, 0, 0, 0};
    final byte[] END_USER_MODE = new byte[]{2, 0, 0, 0};

    public HIDUtil(Log log) {
        this.log = log;
    }

    public void sendCommand(byte[] action) {
        this.log.i("Tryng send command...");
        this.sendHIDCommand(action);
    }

    private void sendHIDCommand(byte[] ACTION) {
        byte reportID = 0;
        HidServicesSpecification hidServicesSpecification = new HidServicesSpecification();
        hidServicesSpecification.setAutoStart(false);
        HidServices hidServices = HidManager.getHidServices(hidServicesSpecification);
        hidServices.start();
        this.log.i("Start search device...");
        int i = 0;
        boolean commandExected = false;
        for (HidDevice hidDevice : hidServices.getAttachedHidDevices()) {
            this.log.i("[" + ++i + "] [0x" + Integer.toHexString(hidDevice.getVendorId()) + "]: " + hidDevice.getManufacturer());
            if (hidDevice.getVendorId() != 5136) continue;
            this.log.i("[" + i + "]  DEVICE FOUND!!! Trying send command...");
            hidDevice.open();
            byte[] action = ACTION;
            this.log.i("Command write status (size): " + hidDevice.write(action, action.length, reportID));
            this.log.i("Message: " + hidDevice.getLastErrorMessage());
            this.log.i("Sended!!");
            commandExected = true;
            hidDevice.close();
            break;
        }
        if (!commandExected) {
            this.log.i("Device not found...\nDo you connect modem in charge mode?");
        }
        hidServices.stop();
    }
}

assuming the proof of concept succeeds and we see meaningful data in the pcap. it seems to me the main issue is how to make the installer simpler and easier to maintain.

maybe there is a shell injection vulnerability in the admin UI, similar to tplink? This would solve all problems. Now that you have root access you can find the binaries for the web interface and load them into ghidra.

I also just ordered a device for myself to play around with it

In case you wanted to take a look with ghidra ahead of time, I pulled the /opt/nvtl/webui folder. It seems like most things are flowing through webui.cgi per all of the redirects in /opt/nvtl/etc/webui/config.xml. webui.zip

hey i grabbed the mifilink.exe file and my microsoft defender freaked out, is the site compromised or is it just a false flag?

What’s the signature that it detected, @TheHonoredDrunkShoko? Chinese manufacturer utilities often get picked up as malware like Wacatac because they’re written in stuff like .NET and use an obfuscator (to avoid theft of trade secrets, I presume) - you guessed it, in this example the obfuscator is the same one used by Wacatac.

looks like you were right, it marked “Wacatac.H!ml” as a trojan, glad to know im in the clear to continue. im brand new to this so im not really sure what to look out for and what to ignore, i really appreciate you replying and teaching me!

that pcap seems to be empty, maybe let it run for longer and with a different SIM? maybe even an active one.

Active SIM returned some data! Not sure why the inactive SIM didn’t return any data. Active SIM:

• 5048.zip
• Has lots of data in the pcap

Inactive SIM (after the active SIM was used):

• 1754419861.zip
• Notably it does have some data in the pcap now!

You can see in rayhunter.log the cutover when the new SIM came up:

[1970-01-01T01:24:12Z INFO  rayhunter::diag_device] retrieving diag logging capabilities...
/ # cat /data/rayhunter/rayhunter.log
R A Y H U N T E R 🐳
[1970-01-01T01:24:12Z INFO  rayhunter_daemon] Using configuration for device: Orbic
[1970-01-01T01:24:12Z INFO  rayhunter::diag_device] Diag device initialization succeeded after 0 retries
[1970-01-01T01:24:12Z INFO  rayhunter::diag_device] retrieving diag logging capabilities...
[1970-01-01T01:44:06Z WARN  asn1_codecs::per::common::decode] Skipping Extensions Decoding....
[1970-01-01T01:44:06Z WARN  asn1_codecs::per::common::decode] Skipped decoding 1 Extensions.
[1970-01-01T01:44:06Z WARN  asn1_codecs::per::common::decode] Skipping Extensions Decoding....
[1970-01-01T01:44:06Z WARN  asn1_codecs::per::common::decode] Skipped decoding 4 Extensions.
[1970-01-01T01:44:06Z WARN  asn1_codecs::per::common::decode] Skipping Extensions Decoding....
[2025-08-05T18:40:41Z WARN  asn1_codecs::per::common::decode] Skipped decoding 1 Extensions.
[2025-08-05T18:40:41Z WARN  asn1_codecs::per::common::decode] Skipping Extensions Decoding....
[2025-08-05T18:40:41Z WARN  asn1_codecs::per::common::decode] Skipped decoding 1 Extensions.
[2025-08-05T18:41:26Z WARN  asn1_codecs::per::common::decode] Skipping Extensions Decoding....
[2025-08-05T18:41:26Z WARN  asn1_codecs::per::common::decode] Skipped decoding 1 Extensions.
[2025-08-05T18:41:26Z WARN  asn1_codecs::per::common::decode] Skipping Extensions Decoding....
[2025-08-05T18:41:26Z WARN  asn1_codecs::per::common::decode] Skipped decoding 1 Extensions.
[2025-08-05T18:41:26Z WARN  asn1_codecs::per::common::decode] Skipping Extensions Decoding....
[2025-08-05T18:41:26Z WARN  asn1_codecs::per::common::decode] Skipped decoding 1 Extensions.
[2025-08-05T18:41:26Z WARN  asn1_codecs::per::common::decode] Skipping Extensions Decoding....
[2025-08-05T18:41:26Z WARN  asn1_codecs::per::common::decode] Skipped decoding 1 Extensions.

I can’t seem to figure out how to run AT commands or why the daemons don’t start on boot. It captures data with an active SIM, and some data with an inactive SIM after the active one was used. I wonder if the issue was partially datetime related when the system didn’t have updated time information.

I have an Orbic with a Verizon SIM card that isn’t valid, i.e. it is denied attachment to Verizon’s network with EPS cause 8 (EPS services and non-EPS services not allowed.) It came with the Orbic when I purchased it from eBay. As per the “rules” of the modem, it only attempts to authenticate/attach to the tower once and then never again after getting that message, until it is rebooted.

Despite this, it is able to get the current time from the towers (probably through SIB8, field lte-rrc.systemTimeInfo - on average, one SIB8 message is sent every few minutes, so you wouldn’t get it immediately.) Therefore I doubt it’s an issue with the system clock being unset.

I can’t seem to figure out how to run AT commands

If you’re still curious, try:

adb shell
rootshell # if adb shell isn't root by default
echo -e "AT+COMMAND\r\n\r\n" > /dev/smd11

To see output, run another adb shell in another terminal window and run cat /dev/smd11 in there.

Interesting; seems to be some kind of issue with rootshell. But the AT commands work!

since you apparently can su from adb shell (according to an earlier comment of yours) I don’t think you need the rootshell. that’s a binary that’s pretty much specific to orbic imo

This is the point where I admit I first thought this was about the Orbic, then I retroactively edited my comments to ensure Orbic-specific stuff is labelled optional, and crossed my fingers hoping it works on other similar devices… 😂😂😂

But, yes, this is the way I was doing AT commands on the Orbic, so it will work there too.

‘’ The Jetpack Administrator has turned off access to the factory Reset feature. the physical reset button is also turned off. ‘’

I need help. I can’t enter my modem password in the interface, and I can’t even reset it. I’ve tried everything, nothing works.

that’s a different model i think. we don’t have plans to support new devices generally, it happens when there’s a large demand for it. instead of asking if there’s updates please just upvote the post.