5fc6925d35
Both devices ship with a Wi-Fi Standby timer that turns off the AP after ~10 minutes with no clients, blocking remote access to Rayhunter until a power cycle. Previous attempt (this PR's earlier commits) added a Rayhunter config toggle to flip gWlanAutoShutdown in WCNSS_qcom_cfg.ini, but the same setting is already exposed in each device's native admin UI under Settings -> Sleep -> Wi-Fi Standby, so a code change is not needed. Replace the config toggle with: - Device-page walkthroughs with screenshots of each native UI setting - FAQ entry for "can't reach the web UI after leaving it alone" - Post-install hint from the tmobile/wingtech installers pointing at the docs and the setting location
4.6 KiB
Wingtech CT2MHS01
Supported in Rayhunter since version 0.4.0.
The Wingtech CT2MHS01 hotspot is a Qualcomm mdm9650-based device with a screen available for US$15-35. This device is often used as a base platform for white labeled versions like the T-Mobile TMOHS1. AT&T branded versions of the hotspot seem to be the most abundant.
Supported bands
There are likely variants of the device for all three ITU regions.
According to FCC ID 2APXW-CT2MHS01 Test Report No. I20N02441-RF-LTE, the ITU Region 2 American version of the device supports the following LTE bands:
| Band | Frequency |
|---|---|
| 2 | 1900 MHz (PCS) |
| 5 | 850 MHz (CLR) |
| 12 | 700 MHz (LSMH) |
| 14 | 700 MHz (USMH) |
| 30 | 2300 MHz (WCS) |
| 66 | 1700 MHz (E-AWS) |
Note that Band 5 (850 MHz, CLR) is suitable for roaming in ITU regions 2 and 3.
Hardware
Wingtechs are abundant on ebay and can also be found on Amazon:
- https://www.ebay.com/itm/135205906535
- https://www.ebay.com/itm/126987839936
- https://www.ebay.com/itm/127147132518
- https://www.amazon.com/AT-Turbo-Hotspot-256-Black/dp/B09YWLXVWT
WiFi client mode
The Wingtech supports WiFi client mode, allowing Rayhunter to connect to an existing WiFi network while keeping the hotspot running. See WiFi Client Mode for setup.
Installing
Connect to the Wingtech's network over WiFi or USB tethering, then run the installer:
./installer wingtech --admin-password 12345678 # replace with your own password
Obtaining a shell
Even when Rayhunter is running, for security reasons the Wingtech will not have telnet or adb enabled during normal operation.
Use either command below to enable telnet or adb access:
./installer util wingtech-start-telnet --admin-password 12345678
telnet 192.168.1.1
./installer util wingtech-start-adb --admin-password 12345678
adb shell
Wi-Fi auto-shutdown
By default the CT2MHS01 turns off its Wi-Fi access point after the configured sleep timer (default 10 minutes) with no connected clients. Rayhunter keeps recording on the device in the background, but once the access point is down you can't reach the web UI, download captures, or see new warnings until you power cycle the hotspot.
The CT2MHS01's native admin UI lets you change this:
- Connect to the Wingtech's Wi-Fi (or USB tether).
- In a browser open
http://192.168.1.1/and log in with the admin password. - Go to Settings → Sleep → Wi-Fi Standby and pick Always on.
- Click Save.
Keeping Wi-Fi always on uses more battery. If you primarily monitor Rayhunter through the device's screen and don't need remote access, leave the timer at its default.
Developing
The device has a framebuffer-driven screen at /dev/fb0 that behaves
similarly to the Orbic RC400L, although the userspace program
displaygui refreshes the screen significantly more often than on the
Orbic. This causes the green line on the screen to subtly flicker and
only be displayed during some frames. Subsequent work to fully control
the display without removing the OEM interface is desired.
Rayhunter has been tested on:
WT_INNER_VERSION=SW_Q89323AA1_V057_M10_CRICKET_USR_MP
WT_PRODUCTION_VERSION=CT2MHS01_0.04.55
WT_HARDWARE_VERSION=89323_1_20
Please consider sharing the contents of your device's /etc/wt_version file here.
Troubleshooting
My hotspot won't turn on after rebooting when installing over WiFi
Reinsert the battery and turn the device back on, Rayhunter should be installed and running. Sometimes the Wingtech hotspot gets stuck off and ignores the power button after a reboot until the battery is reseated.
You do not need to run the installer again.
You'll likely see the following messages, where the installer is stuck at Testing rayhunter ... .
Starting telnet ... ok
Connecting via telnet to 192.168.1.1 ... ok
Sending file /data/rayhunter/config.toml ... ok
Sending file /data/rayhunter/rayhunter-daemon ... ok
Sending file /etc/init.d/rayhunter_daemon ... ok
Rebooting device and waiting 30 seconds for it to start up.
Testing rayhunter ...
If you eventually see:
Testing rayhunter ...
Failed to install rayhunter on the Wingtech CT2MHS01
Caused by:
0: error sending request for url (http://192.168.1.1:8080/index.html)
1: client error (Connect)
2: tcp connect error: Network is unreachable (os error 101)
3: Network is unreachable (os error 101)
Make sure your computer is connected to the hotspot's WiFi network.