Commit Graph

15 Commits

Author SHA1 Message Date
Ember
bada3846dc Get rid of the 'verify' which is flakey 2026-03-26 11:44:23 +01:00
Ember
f0849340cf Improve Moxee/orbic Wingtech/tmobile installers for network stability 2026-03-26 11:44:23 +01:00
Markus Unterwaditzer
3b44234ae1 implement installer as library and use it in gui 2025-11-18 21:05:22 +01:00
Markus Unterwaditzer
9d736f5bf0 Add an orbic network installer
There is a shell injection vulnerability after all, so we can just
launch a remote shell, tplink-style. Except there's no telnetd on this
device so we need to use netcat.

This was found in the goahead binary on the device using Ghidra. The
decompiled code for this endpoint looks like this:

```c
void FUN_0003c614(int param_1)

{
  int iVar1;
  undefined4 uVar2;
  int local_160;
  undefined1 auStack_15c [64];
  char acStack_11c [256];
  int local_1c;

  local_1c = __stack_chk_guard;
  if (param_1 == 0) {
    error("input parameter is NULL!");
    uVar2 = 0x66;
    goto LAB_0003c808;
  }
  iVar1 = websGetJsonItemValue(param_1,"password",10,auStack_15c,0x40);
  if (iVar1 != 0) {
    iVar1 = get_log_level_something();
    if (1 < iVar1) {
      some_logging_func(2,"modifying root password(%s)...",auStack_15c);
    }
    iVar1 = sprintf(acStack_11c,"echo root:\"%s\"|chpasswd",auStack_15c);
    acStack_11c[iVar1] = '\0';
    system(acStack_11c);
  }
```

Usage is `./installer orbic-network`, as an alternative to `./installer
orbic`. It should work on Windows without any kind of drivers.

This installer also works on the Moxee device.
2025-08-19 17:36:10 -07:00
oopsbagel
d9688b1796 wingtech: install without disabling wifi
Previously, the unlocking method for the wingtech hotspot would add an
invalid mac address to the blocklist. This would prevent the wifi from
coming online after rebooting until the invalid mac was removed.

This commit changes the unlocking method to attempt to *remove* an
invalid mac, creating a no-op condition that still works for unlocking
root access to the hotspot.

This commit also adds documentation for a problem where the hotspot
would occasionally not reboot while completely disconnected and
installing over wifi.

Fixes #466
2025-07-30 20:09:26 -07:00
oopsbagel
e239653a44 config: rename display to device
Because we toggle some ioctl settings based on this field, change the
name to better capture that we're selecting which device we want to load
settings for, not just the display module to load. This creates room for
future per-device settings without needing more config file fields.
2025-07-17 16:06:09 -07:00
oopsbagel
22d927aa25 unified rayhunter-daemon binary for all devices
Replace per-device features with config "display" field with the value
set at install time.
2025-07-17 16:06:09 -07:00
oopsbagel
27bf20fbf4 fix(installer): de-duplicate common wingtech/tmohs
The Tmobile TMOHS1 is clearly based on the Wingtech CT2MHS01, and thus
the installation process looks very similar between them.
2025-07-16 16:56:16 -07:00
oopsbagel
3ff714972c fix(installer/wingtech): parse json login response
Use serde via reqwest to deserialize the login response from qcmap_auth
when obtaining an authentication token instead of golfing based on the
specific token length.
2025-06-16 00:38:28 -07:00
oopsbagel
8aadfc20f2 fix(installer/wingtech): remove duplicated struct 2025-06-13 22:00:20 -07:00
oopsbagel
a234df1e1e fix(installer/wingtech): only say ok if telnet connected 2025-06-13 21:39:12 -07:00
oopsbagel
f56acdf89d fix(installer/wingtech): better Response variable 2025-06-12 12:46:08 -07:00
oopsbagel
79b2628d2f chore: cargo fmt 2025-06-12 00:43:00 -07:00
oopsbagel
cba898daf6 feat(installer/util): telnet functions in util.rs
Add installer util wingtech-start-telnet command.
Add installer util wingtech-start-adb command.
2025-06-12 00:39:27 -07:00
oopsbagel
cb1df974e4 feat: support Wingtech CT2MHS01 hotspot
Add support for the Wingtech CT2MHS01 hotspot, a Qualcomm mdm9650-based
device with a screen available for US$15-35. This device is often used
as a base platform for white labeled versions like the T-Mobile TMOHS1.
AT&T branded versions of the hotspot seem to be the most abundant.

The device has a framebuffer-driven screen at /dev/fb0 that behaves
similarly to the Orbic RC400L, although the userspace program
`displaygui` refreshes the screen significantly more often than on the
Orbic. This causes the green line on the screen to subtly flicker and
only be displayed during some frames. Subsequent work to fully control
the display without removing the OEM interface is desired.
2025-06-11 18:06:50 -07:00