ZTE MF833V

The Austrian discount supermarket chain Hofer and its mobile brand Hofer Telekom (HoT) started selling a ZTE MF833V USB broadband modem yesterday.

It is the successor of the MF831, an LTE Cat4 device operating in CDC (Ethernet) mode. It is specified for GSM 850/900 @ 35 dBm, GSM 1800/1900 @ 32 dBm, UMTS I/VIII @ 28 dBm and LTE bands 3/7/8/20 @ 25 dBm.

In contrast to the "mini" SIM form factor, it is equipped with a "micro" SIM card slot.

When the stick is plugged into a USB port of my computer, lsusb reports:

Bus 001 Device 074: ID 19d2:1225 ZTE WCDMA Technologies MSM

which shortly afterwards is switched to

Bus 001 Device 075: ID 19d2:1405 ZTE WCDMA Technologies MSM

dmesg reports (MAC address partially censored here):

[645228.134041] usb 1-2: new high-speed USB device number 74 using xhci_hcd
[645228.294170] usb 1-2: New USB device found, idVendor=19d2, idProduct=1225, bcdDevice=56.91
[645228.294172] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[645228.294173] usb 1-2: Product: ZTE Mobile Broadband
[645228.294174] usb 1-2: Manufacturer: ZTE,Incorporated
[645228.294175] usb 1-2: SerialNumber: 1234567890ABCDEF
[645228.298872] usb-storage 1-2:1.0: USB Mass Storage device detected
[645228.298993] usb-storage 1-2:1.0: Quirks match for vid 19d2 pid 1225: 1
[645228.299069] scsi host3: usb-storage 1-2:1.0
[645229.318504] scsi 3:0:0:0: CD-ROM ZTE USB SCSI CD-ROM 2.31 PQ: 0 ANSI: 2
[645229.321200] sr 3:0:0:0: Power-on or device reset occurred
[645229.328269] sr 3:0:0:0: [sr0] scsi-1 drive
[645229.328455] sr 3:0:0:0: Attached scsi CD-ROM sr0
[645229.328522] sr 3:0:0:0: Attached scsi generic sg1 type 5
[645234.323025] usb 1-2: USB disconnect, device number 74
[645234.669842] usb 1-2: new high-speed USB device number 75 using xhci_hcd
[645234.829914] usb 1-2: New USB device found, idVendor=19d2, idProduct=1405, bcdDevice=56.91
[645234.829916] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[645234.829917] usb 1-2: Product: ZTE Mobile Broadband
[645234.829918] usb 1-2: Manufacturer: ZTE,Incorporated
[645234.829919] usb 1-2: SerialNumber: 1234567890ABCDEF
[645234.838214] cdc_ether 1-2:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-2, ZTE CDC Ethernet Device, 0e:84:5a:xx:xx:xx
[645234.840017] usb-storage 1-2:1.2: USB Mass Storage device detected
[645234.840159] scsi host3: usb-storage 1-2:1.2
[645235.848009] scsi 3:0:0:0: CD-ROM ZTE USB SCSI CD-ROM 2.31 PQ: 0 ANSI: 2
[645235.849927] scsi 3:0:0:1: Direct-Access ZTE MMC Storage 2.31 PQ: 0 ANSI: 2
[645235.857944] sr 3:0:0:0: [sr0] scsi-1 drive
[645235.858179] sr 3:0:0:0: Attached scsi CD-ROM sr0
[645235.858260] sr 3:0:0:0: Attached scsi generic sg1 type 5
[645235.858417] sd 3:0:0:1: Attached scsi generic sg2 type 0
[645235.864894] sd 3:0:0:1: Power-on or device reset occurred
[645235.875941] sd 3:0:0:1: [sdb] Attached SCSI removable disk

As usual, DHCP is enabled by default; ifconfig shows (partially censored):

usb0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.145 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::e540:9fc0:2exx:xxxx prefixlen 64 scopeid 0x20<link>
ether 92:0d:ef:xx:xx:xx txqueuelen 1000 (Ethernet)
RX packets 27 bytes 2637 (2.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 52 bytes 7333 (7.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ip route shows a default route via the stick with a low-priority (high) metric, which is fine:

default via 192.168.0.1 dev usb0 proto dhcp metric 20100

Version information:

Software-Version BD_ATMF833VV1.0.0B02
Hardware-Version MF833V-1.0.0

The well-known browser-based, URI-triggered mode-switch commands that allowed the MF831 to be switched into modem mode do not work on this model.

You won't need that anyway: the web interface has DMZ settings (but no port forwarding like the MF920, for example). The DHCP settings can easily be adapted, too.

As long as your router knows how to handle CDC-mode LTE sticks, there should be no problem. If your router uses 192.168.0.1 as its default address, change either that or the modem's default IP before using both together, otherwise the two 192.168.0.0/24 subnets collide.

The model I held in my hands does not support IPv6!

Nice: you can adapt MTU and MSS sizes from the GUI!

Conclusion:

A very cheap LTE Class 4 USB modem (30 Euro) with hardware from 2017; its software carries a copyright notice from 2019. It is easy to handle, but its size, similar to the MF831, will probably physically block a neighbouring USB port. Better get an extension cable.

If you need a device that supports IPv6 natively (assuming your ISP/mobile service provider does likewise), this stick is not for you. There is simply no sign of IPv6 support anywhere in the software. The DMZ feature may allow you to use the external IP address, which is most likely required for 6in4-based IPv6 tunnel broker services today (6to4 and Teredo are hardly used any more because of their severe disadvantages), provided that your MSP/ISP gives you a public IP with your contract.

grundsoli.de

We have a new sister site, grundsoli.de. It is intended for German speakers and will try to mirror the postings here as far as it makes sense. You are welcome to visit the new site.

Fun with NFC tags

If your smartphone supports Near Field Communication (NFC), you can do fun things with a bunch of NFC stickers, such as NTAG 216 compatible tags.

For example: enhance your business cards with additional contact information that is wirelessly copied into someone else's phone. Set up your Wi-Fi for guests just by letting them touch an NFC sticker somewhere. Activate Bluetooth and GPS on your phone just by touching a tag attached to the car's dashboard...

What you need

To be continued…

Wifi Video Doorbell Analysis

Recently I decided that a Wi-Fi video doorbell would be a good investment. Since I can be quite penny-pinching, I ordered a generic "TS-IWP708 Wifi Digital Wireless Video Tür Bell". At the time I bought it, it cost around 30 Euros.

Here is my analysis of the device.

  1. Packaging and Content
    1.1 The Box
      The white box didn't give much information. The top side had the general product name printed on it, and some pictures of the package's contents are on the right side of the carton. Some bar code stickers were on the sides of the box; one of them had "TS-IWP708" printed beneath the code. No producer.

      1.1.1 Contents of the Box
        1. User's manual (20 pages with coloured illustrations)
        2. Doorbell main unit in a recloseable plastic bag
        3. Assembly frame featuring a rain shell
        4. Power adapter 230 V to 5 V 1 A with a two-pin header and a big CE logo
        5. LAN adapter (8x17 cm unshielded cables with an eight-pin header on one end and an RJ45 female connector on the other side)
        6. An adapter consisting of three cables, each 10.50 cm long, with one three-pin header on one side and open ends on the other
        7. Two pieces of double-sided adhesive tape
        8. One bag with 4 cheap screw anchors and cheap screws, and a small metal screw
      1.1.2 Remarks:
        1. The manual doesn't have any imprint or license information.
        2. The doorbell has a bright enamel finish and a blue doorbell touch button. There are two green LEDs left and right below that button. In the upper region there is the 640x480 camera and six IR LEDs, three on each side of the camera sensor. Speaker and microphone have slots in the casing. On the back side there is a recessed reset button. Two stickers on the back indicate "QC passed" and the date of production.
        3. The weather shell, if we can call that porch by this name, has a hole on the bottom. We can use the small screw from 1.1.1.8 to fix the doorbell main unit to this casing. A burglar would have an easy time unmounting the bell that way. I'd recommend filling the screw head with epoxy resin if you'd like to keep the device after reading all of this post.
        4. The power cord is ridiculously short for an outdoor doorbell. It is approximately 80 cm long.
        5. The LAN adapter is unshielded, with no twisted pairs. It might cause radio interference if used that way. I guess we should wrap it with aluminium foil when mounting the device.
        6. The three-pin adapter cable is for a door opener. I would use that, and I'll explain this later in 3.2.
  2. Setup
    2.1 Preparations
      1. On page 7 of the manual you'll find QR codes that should link you directly to Google Play or the App Store. Well, for Android the link for Door Phone 4.1 was dead. I found an app called "Door Phone 4.4" (search term: "doorphone") from "ShenZhen Gogo Link Tech.limited", which worked for me.
      2. Caveat: before trying to connect, turn off the mobile internet connection on your smartphone. It will probably interfere with the detection of the doorbell (this may be a country-specific effect due to the IP address ranges used for 4G/3G/2G networks).
      3. Now plug in the power adapter that you have previously connected to the back of the doorbell; it's the two-pin header.
      4. Wait for the doorbell to boot up. It will announce "welcome to smart home". After that, wait another 30 seconds, then press the blue doorbell touch button for about five seconds and release it. The bell will talk again: "Network configuration mode, please set it down in five minutes".
      5. As soon as you hear that, a Wi-Fi access point will be available that transmits the SSID "GBELL-{parts of the unit's MAC address}". Connect to it. The password is 123456789.
      6. Now that you are associated with the AP, open your "Door Phone" app and follow the instructions from the manual on page 9: "Please click here to add bell", then "Search". Tap the text of the detected "GBELL ...".
      7. Now tap the gear-wheel icon and continue to set up the Wi-Fi.
      8. Don't forget to switch your mobile back to your WLAN when the voice tells you to wait a few seconds.
    2.2 Finalisation
      1. Now that the unit has been set up, you will want to fine-tune it. First turn off the alarm sound in the alarm settings, otherwise you'll probably go crazy...
      2. Mind the "User settings". Keep in mind that the bell app won't accept special characters, and passwords must be longer than six characters but apparently not longer than nine.
      3. Keep that in mind in order to be able to log back in after you have changed the password; otherwise the reset button on the back needs to be pressed and you have to start again from the beginning.
  3. Deeper inspections
    3.1 Services
      1. A port scan of the unit's IP address reveals three open TCP ports:
        PORT STATE SERVICE
        23/tcp open telnet
        81/tcp open hosts2-ns
        8600/tcp open asterix

        1. The telnet service (or shall we call it a backdoor?) can be accessed with the following credentials:
          user: root
          password: 123456
        2. On port 81 there is a web interface that can be accessed with your user's credentials. Keep in mind that special characters don't work; they are simply dropped. The interface is more than crappy and should provide five basic functions:
          1. Video stream window: always black, dysfunctional.
          2. WLAN scan: you can scan, but that's all...
          3. Trigger the door opener: well, pointless if video and audio do not work here.
          4. Audio in: no function.
          5. Audio out: no function.
        3. The purpose of port 8600 is unclear at this point. It seems to be the "go-service" that is used for communicating with the app. I haven't analysed it in depth yet, but it seems to be a monolithic multipurpose binary. It's definitely not Asterisk.
    3.2 A deeper look into the firmware
      I used the telnet service with root permissions to take a deeper look into the firmware. What I found:

      1. It's running BusyBox and Linux
        Surprise: the firmware uses a Realtek SDK built on Linux 2.6, and nowhere in the packaging was there any hint of the GPL license. No mention of reused code and licenses. I notified the producer "Sawful" and Amazon about this. Waiting for an answer.

        # cat /proc/version
        Linux version 2.6.21 (root@mailzxh-desktop) (gcc version 3.4.2) #655 Wed Nov 21 22:21:46 CST 2012
        # busybox
        BusyBox v1.12.1 (2012-11-21 22:17:05 CST) multi-call binary
        Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
        and others. Licensed under GPLv2.
        See source distribution for full notice
      2. Hardware
        1. SoC: Realtek MIPS 24K with RT5350 Wi-Fi.
              # cat /proc/cpuinfo 
              system type : Ralink SoC
              processor : 0
              cpu model : MIPS 24K V4.12
              BogoMIPS : 239.10
              wait instruction : yes
              microsecond timers : yes
              tlb_entries : 32
              extra interrupt vector : yes
              hardware watchpoint : yes
              ASEs implemented : mips16 dsp
              VCED exceptions : not available
              VCEI exceptions : not available
              # ls /proc/rt5350 
              gmac skb_free tx_ring rx_ring cp0 esw_cnt
        2. RAM: 32 MB
          # cat /proc/meminfo | grep MemTotal
          MemTotal: 29336 kB
        3. Flash
          1. Configuration/partitions
                # cat /proc/mtd 
                dev: size erasesize name
                mtd0: 00800000 00010000 "ALL"
                mtd1: 00030000 00010000 "Bootloader"
                mtd2: 00010000 00010000 "Config"
                mtd3: 00010000 00010000 "Factory"
                mtd4: 00100000 00010000 "Kernel"
                mtd5: 00330000 00010000 "RootFS"
                mtd6: 00300000 00010000 "sys"
                mtd7: 00080000 00010000 "param"

            So this seems to be an eight megabyte flash chip with 7 partitions.

            The firmware can be backed up using BusyBox's tftp client. Set up a TFTP server on a machine within the broadcast domain and run "tftp -l [local file] -r [remote file] -p [IP address of server]" on the doorbell to push the contents of /dev/mtdblock* to your server.

          2. Partitions mounted as:
                # mount
                rootfs on / type rootfs (rw)
                /dev/root on / type squashfs (ro)
                proc on /proc type proc (rw)
                none on /var type ramfs (rw)
                none on /etc type ramfs (rw)
                none on /tmp type ramfs (rw)
                none on /media type ramfs (rw)
                none on /sys type sysfs (rw)
                none on /dev/pts type devpts (rw)
                /dev/mtdblock6 on /system type jffs2 (rw)
            /dev/mtdblock7 on /param type jffs2 (rw)
        4. Wi-Fi configuration
          iwconfig shows a ra0 RTWIFI SoftAP device and some WDS devices. wds0 has an SSID of GBELL..., so it seems that the GBELL AP is still configured, but I was unable to associate with it, assuming it was just a hidden SSID.
          apcli0 is the client connection to the domestic main AP. I seem to be unable to find a regulatory domain setting for this device. It seems we are restricted to the world domain.
            5. Active network services
              # netstat -aWp
              Active Internet connections (servers and established)
              Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
              tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 133/encoder
              tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 28/telnetd
              tcp 0 0 0.0.0.0:8600 0.0.0.0:* LISTEN 31/go-daemon
              tcp 0 213 192.168.246.1:23 192.168.246.2:32798 ESTABLISHED 28/telnetd
              udp 0 0 127.0.0.1:8832 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:3073 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:3074 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:3075 0.0.0.0:* 133/encoder
              udp 0 0 127.0.0.1:6666 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:8600 0.0.0.0:* 31/go-daemon
              udp 0 0 0.0.0.0:9632 0.0.0.0:* 133/encoder
              udp 0 0 127.0.0.1:9123 0.0.0.0:* 31/go-daemon
              udp 0 0 127.0.0.1:9124 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:67 0.0.0.0:* 102/udhcpd
              udp 0 0 0.0.0.0:32108 0.0.0.0:* 133/encoder
              udp 0 0 127.0.0.1:8813 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:15733 0.0.0.0:* 133/encoder
              udp 0 0 127.0.0.1:8822 0.0.0.0:* 133/encoder
              udp 0 0 127.0.0.1:8831 0.0.0.0:* 30/cmd_thread
              Active UNIX domain sockets (servers and established)
              Proto RefCnt Flags Type State I-Node PID/Program name Pat
              1. Binary locations: /system/system/bin:
                # ls -la /system/system/bin
                -rwxr-xr-x 1 0 0 156768 go-daemon
                -rwxr-xr-x 1 0 0 8260 cmd_thread
                -rwxr-xr-x 1 0 0 877540 encoder
                drwxrwxrwx 5 0 0 0 ..
                drwxrwxrwx 2 0 0 0 .
        6. Camera:
          A snapshot from the camera can be retrieved using the following URL (credentials as chosen by yourself):
          http://192.168.246.1:81/snapshot.cgi
          According to the output of "strings encoder" on my local PC, videostream.cgi should be the corresponding URL for MJPEG streaming. It does not work for me right now. The reasons are yet to be investigated.
      3. Security flaws
        1. Telnet with trivial credentials giving root permission level.
        2. WDS is probably susceptible to WPA KRACK (key reinstallation), yet to be tested. If hostapd is in the system binary of the go-service, it would likely be, due to the age of the firmware and the fact that WDS configurations have been used. KRACK mitigation would require not only the AP to be fixed; most of the clients would also have to be immunized against key replay attacks. It is to be expected that many smart home gadgets haven't received such an update.
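The netstat listing above is the quickest way to judge what a device like this exposes to the home WLAN: everything bound to 0.0.0.0 is reachable by any other host, everything bound to 127.0.0.1 is internal plumbing. The following script is an added example and not code from the original post: it parses a constructed subset of the post's `netstat -aWp` output, lists the network-reachable listeners, and flags telnet on port 23, which the post identifies as a root shell with a fixed password. The risk annotation text is this example's own; everything else is taken from the listing.

```python
"""Audit a `netstat -aWp` listing for services reachable from the network.

Added example, not code from the original post: it parses the netstat output
the post shows for the TS-IWP708 doorbell and separates listeners bound to
0.0.0.0 (reachable from the WLAN) from those bound to 127.0.0.1 (local only).
The sample below is a constructed subset of the post's listing.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: a subset of the post's netstat output.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 133/encoder
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 28/telnetd
tcp 0 0 0.0.0.0:8600 0.0.0.0:* LISTEN 31/go-daemon
tcp 0 213 192.168.246.1:23 192.168.246.2:32798 ESTABLISHED 28/telnetd
udp 0 0 127.0.0.1:8832 0.0.0.0:* 133/encoder
udp 0 0 0.0.0.0:3073 0.0.0.0:* 133/encoder
udp 0 0 0.0.0.0:8600 0.0.0.0:* 31/go-daemon
udp 0 0 0.0.0.0:67 0.0.0.0:* 102/udhcpd
udp 0 0 127.0.0.1:8831 0.0.0.0:* 30/cmd_thread
"""

# Ports a defender flags when they are reachable from the network. Telnet is
# the obvious one on this device: clear-text login with a fixed root password.
RISKY_PORTS = {23: "telnet: clear-text remote shell with a fixed root password"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    program: str

    @property
    def network_reachable(self) -> bool:
        # Anything not bound to loopback can be reached by other hosts.
        return not self.addr.startswith("127.")


def parse_netstat(text: str) -> list[Listener]:
    """Return the listening sockets.

    TCP rows carry a State column (only LISTEN rows are kept); UDP rows have no
    State column, so the PID/program column sits one position further left.
    """
    listeners: list[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue
        proto, local = parts[0], parts[3]
        addr, port = local.rsplit(":", 1)
        if proto == "tcp":
            if parts[5] != "LISTEN":  # skip ESTABLISHED and friends
                continue
            pid_prog = parts[6]
        else:
            pid_prog = parts[5]
        program = pid_prog.split("/", 1)[1]
        listeners.append(Listener(proto, addr, int(port), program))
    return listeners


def exposed_services(listeners: list[Listener]) -> list[tuple[str, int, str]]:
    """(proto, port, program) for every listener other hosts can reach."""
    return sorted((l.proto, l.port, l.program) for l in listeners if l.network_reachable)


def findings(listeners: list[Listener]) -> list[str]:
    """Human-readable findings for exposed listeners on known-risky ports."""
    return [
        f"{l.proto}/{l.port} ({l.program}): {RISKY_PORTS[l.port]}"
        for l in listeners
        if l.network_reachable and l.port in RISKY_PORTS
    ]


if __name__ == "__main__":
    found = parse_netstat(NETSTAT_SAMPLE)
    for proto, port, program in exposed_services(found):
        print(f"exposed  {proto}/{port:<6} {program}")
    for item in findings(found):
        print("FINDING ", item)
```

On the post's data this yields six network-reachable listeners (tcp 23, 81, 8600 and udp 67, 3073, 8600) and one finding for telnetd. The practical consequence for a defender is the one the post draws in its conclusions: a device whose root telnet password cannot be changed belongs on an isolated network segment with port 23 blocked from everything except the host you use for analysis.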
  4. Conclusions
    This is one of the cheapest Wi-Fi doorbell devices. While the main unit is of a good design and of surprisingly high quality at first glance, the accessories are of surprisingly low quality.

    The manual isn't up to date any longer. It also lacks any license information. The manufacturer does not currently publish the SDK used to create the binaries, which contain at least a Linux kernel and BusyBox code; both have been released under the GNU General Public License. We'll see if the manufacturer or Amazon will react to that GPL violation hint.

    From a security perspective, a telnet daemon with root credentials the user cannot change is an absolute no-go today, as it was 15 years ago. I found an article from Pentest Partners. The guys there have analysed a Maginon IPC-20C that was built around the same SDK/framework; that article has been around for a while now. See: Hacking the IP camera (part 1).

    The doorbell would be much more comfortable to use if the German translation of the Gogo-Link Door Phone app were a little better. There are also some untranslated Chinese characters. It would be even better if the device were equipped with a fully featured, working web interface to interact with. It is not. Being dependent on an app, which already seems to have vanished from Google Play, in order to configure the doorbell is quite annoying.

    From a developer's perspective, the device is quite interesting. I'll have to look for some "Asterisk Camera Tools" that speak the protocol of the go-daemon, which seems to be a static binary containing all necessary functions, including a hostapd-like (or even hostapd) service, or I'll have to look for a way to get Open IP Cam running on that device. We'll see.
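Before pushing the flash contents to a TFTP server as described in section 3.2, it is worth checking that the partition map in /proc/mtd is complete and consistent, so the backup actually covers the whole chip. The script below is an added example, not code from the original post: it parses the /proc/mtd listing shown above, verifies that the named partitions are erase-block aligned and add up exactly to the "ALL" pseudo-partition, and emits one BusyBox `tftp` put command per partition in the syntax the post quotes. The server address 192.168.246.2 is an assumed placeholder.

```python
"""Check a /proc/mtd layout and list the BusyBox tftp commands for a backup.

Added example, not code from the original post. It parses the /proc/mtd
listing the post shows for the TS-IWP708 and uses the BusyBox tftp syntax
the post quotes ("tftp -l LOCAL -r REMOTE -p HOST"). The TFTP server address
passed to backup_commands() is an assumed placeholder.
"""
from __future__ import annotations

import re

# Constructed sample: the /proc/mtd listing from the post.
PROC_MTD_SAMPLE = """\
dev: size erasesize name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00100000 00010000 "Kernel"
mtd5: 00330000 00010000 "RootFS"
mtd6: 00300000 00010000 "sys"
mtd7: 00080000 00010000 "param"
"""

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')


def parse_proc_mtd(text: str) -> list[tuple[str, int, int, str]]:
    """Return (device, size, erasesize, name) per partition; sizes in bytes."""
    parts: list[tuple[str, int, int, str]] = []
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:
            dev, size, erase, name = m.groups()
            parts.append((dev, int(size, 16), int(erase, 16), name))
    return parts


def check_layout(parts: list[tuple[str, int, int, str]]) -> dict:
    """Sanity checks before relying on a backup.

    "ALL" on this device is a pseudo-partition spanning the whole chip, so the
    named partitions must add up to it exactly (nothing hidden between them),
    and every size must be a multiple of the erase block.
    """
    whole = next(p for p in parts if p[3] == "ALL")
    named = [p for p in parts if p[3] != "ALL"]
    return {
        "flash_mib": whole[1] // (1024 * 1024),
        "partitions": len(named),
        "erase_aligned": all(p[1] % p[2] == 0 for p in parts),
        "sum_matches_all": sum(p[1] for p in named) == whole[1],
    }


def backup_commands(parts: list[tuple[str, int, int, str]], server_ip: str) -> list[str]:
    """One BusyBox `tftp` put per named partition, to be run on the device.

    Dumping "ALL" alone would also do; per-partition dumps make it easier to
    diff a later firmware state, e.g. the writable jffs2 "sys" and "param".
    """
    return [
        f"tftp -l /dev/mtdblock{dev[3:]} -r {name}.bin -p {server_ip}"
        for dev, _size, _erase, name in parts
        if name != "ALL"
    ]


if __name__ == "__main__":
    layout = parse_proc_mtd(PROC_MTD_SAMPLE)
    print(check_layout(layout))
    for cmd in backup_commands(layout, "192.168.246.2"):  # assumed server address
        print(cmd)
```

For the listing in the post the checks pass: 8 MiB of flash, seven named partitions, all 64 KiB aligned, summing to exactly 0x800000. Note that the "sys" and "param" partitions are mounted read-write as jffs2 and hold the device configuration, so the dumps may contain the Wi-Fi credentials entered during setup; treat them like any other configuration backup.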


Downgrading UBNT Nanostation M2 Loco (XM): ubnt downgrade code=2, msg=Firmware check failed

I recently tried to downgrade a UBNT Nanostation M2 Loco (XM version) in order to flash LEDE afterwards.

The problem is that AirOS 6.0.6 requires signed firmware images, and even original images seem to lack a valid signature for this purpose. Hence TFTP always fails with "ubnt downgrade code=2, msg=Firmware check failed". (Of course the web interface behaves likewise.)

Here is what I did instead:

  1. Get an XM version of AirOS 5.5.11¹
  2. scp XM.v5.5.11.28002.150723.1344.bin ubnt@192.168.1.20:/tmp/fwupdate.bin
     ssh -lubnt 192.168.1.20
  3. /sbin/fwupdate -m ²

Remark, all the steps in one command (the device itself fetches the image, so it needs internet access): ssh -lubnt 192.168.1.20 'curl -o /tmp/fwupdate.bin http://dl.ubnt.com/firmwares/XN-fw/v5.5.11/XM.v5.5.11.28002.150723.1344.bin && /sbin/fwupdate -m'

Update: If /sbin/fwupdate does not work for you, look for /sbin/fwupdate.real. /sbin/fwupdate now seems to be a wrapper script that simply invokes /sbin/fwupdate.real -m after doing some more checks (fwupdate.real -c). Use it at your own risk. Double-check that you use the right firmware file for your platform.

Now I have AirOS 5.5.11 on the device and can flash my custom LEDE 17.01.2 build from the AirOS web interface. If I wanted to revert, I'd have to flash 5.5.11 or lower again, according to OpenWrt's/LEDE's documentation.

References:

1: http://dl.ubnt.com/firmwares/XN-fw/v5.5.11/XM.v5.5.11.28002.150723.1344.bin

2: https://help.ubnt.com/hc/en-us/articles/204959804-airMAX-How-do-I-upgrade-the-firmware-from-the-CLI-SSH-

3: https://community.ubnt.com/t5/airOS-Software-Configuration/Problem-upgrading-some-XM-devices-5-5-6-to-5-5-11/td-p/1324988

How to prepare TL-WR1043NDv1 for use with DD-WRT, OpenWRT or LEDE.

Alternative title: How to avoid bricking your router.

This is a published draft version for public review. Comments welcome.

Initial position:

When I started to develop a customized build of OpenWRT CC 15.05/15.05.1 for my TL-WR1043NDv1, I ran into some problems. I bricked some of my routers. It also happened to me with the current LEDE 17.01-rc2. Let me start from the beginning:

Continue reading How to prepare TL-WR1043NDv1 for use with DD-WRT, OpenWRT or LEDE.

DIY: DVB-T Streaming server/Austria, Vienna

Although the end of DVB-T is near, since DVB-T2 is already being simulcast in Austria, there may still be some use for this.

Germany is currently rolling out DVB-T2 HD, and the availability of USB receivers has been announced. My hope is that some of these devices will work in this setup as well. We'll see.

What you need:

Continue reading DIY: DVB-T Streaming server/Austria, Vienna

OpenWRT and WLAN-USB-Sticks (Updated with an example)

USB-WiFi support in OpenWRT

Recently one of my blog's visitors (Michael) asked me if it was possible to extend his router with an additional USB Wi-Fi device. The short answer is: yes.
I'll give you an example of a tested configuration below. If you are planning to use different parts, please check the caveats here and be sure to get chipsets that are known to work.

Continue reading OpenWRT and WLAN-USB-Sticks (Updated with an example)

IEEE 802.11ac – first devices

According to an article on heise.de dated 4 June 2012, Asus demonstrated its first router that complies with IEEE 802.11ac, also referred to as "gigabit WLAN" [edit: which may be a misleading term in some cases]: the RT-AC660U.

The same magazine tested a pair of Buffalo devices: the router WZR-D1800H and the client WLI-H4-D1300. These are interesting developments, even though the 802.11ac standard has not yet been released, so bear in mind that these devices can only be compliant with the current draft version. Unfortunately nothing is known about OpenWrt support at this time.

Edit: June 8, 2012:
Even more devices have been announced today, so this post will be edited continuously to reflect new development:

Asus:
RT-AC660U

Buffalo:
WZR-D1800H (Router)
WLI-H4-D1300 (Client)

Edimax:
BR-6673AC (Router)
BR-6476AC (Router)
EW-7322UAC (USB-WLAN)
EW-7822UAC(USB-WLAN)

Trendnet:
TEW-812DR (Router)
TEW-800MB (Bridge)
TEW-804UB (USB-WLAN)

Remarks and caveats: Some of the announced devices seem to be hybrid developments. For example, there are 802.11ac devices that only use 2 MIMO streams; as a result only around 800 Mbit/s can be achieved. Other devices, especially some USB sticks, don't reach their full potential if they only support USB 2.0 rather than USB 3.0.
The effective data rate will never exceed the nominal 480 Mbit/s of USB 2.0 in that case.

I will try to make a list containing manufacturer, chipset, interfaces and, where applicable, RAM, CPU and flash size. Unfortunately most manufacturers still don't print that necessary information on their boxes or even in their data sheets.

Disclaimer: Any of the trademarks, service marks, collective marks, design rights or similar rights that are mentioned, used or cited within this post are the property of their respective owners.