Arcadyan AW1000 (Telstra 5G Modem) Carrier Unlock
Hacking hardware can be fun, and it's even more fun when there's a goal in mind beyond just getting root! Telstra's 5G modems are locked to the Telstra network, so let's see if we can change that.
The Arcadyan AW1000 modems are shipped to customers who sign up for Telstra's 5G home wireless internet plans.
From the factory, these 5G modems are apparently carrier locked to just SIMs on the Telstra network. As people move off their Telstra plans or as the devices inevitably age out, this will end up producing lots of e-waste.
First, let's validate that the carrier lock is in fact present.
With a BOOST SIM (a Telstra network SIM) inserted, the device works perfectly fine and we can browse the internet. The following information is shown in the Mobile Status section.
Remember the PLMN number printed there, 50501, for later!
By contrast, inserting an Optus SIM will result in this message stating that the SIM is valid but there's no service.
Carrier lock confirmed!
Investigation
Luckily for us, some savvy Whirlpool users had already discovered a path to root access on the device, which involves applying a config file through the web interface: https://forums.whirlpool.net.au/archive/9qr1j570
As it turns out, later versions of the firmware encrypt the device config, but old unencrypted config files can still be applied. https://forums.whirlpool.net.au/thread/9qr1j570?p=2#r71248396
By applying the config that's provided, we can trivially drop into a root shell on the device. After probing around a bit on the file system of the device, I found the `ltecommander` command, which lets you list all sorts of information. Most interestingly, I noticed the following output, which looks like some kind of whitelist!
After a quick trip to Google, I learnt that PLMN stands for Public Land Mobile Network and 50501 is actually Telstra's code.
Each PLMN has a unique PLMN code that combines an MCC (Mobile Country Code) and the operator's MNC (Mobile Network Code).
Here's the full list of carriers supported out of the box.
MCC | MNC | Brand | Operator | Notes |
---|---|---|---|---|
001 | 01 | TEST | Test network | |
006 | 06 | Invalid??? | | |
505 (Australia) | 01 | Telstra | Telstra Corporation Limited | Telstra Corporation Limited |
466 (Taiwan) | * | All Taiwanese Carriers | | |
Interestingly, they shipped the device with support for test networks and every Taiwanese carrier. As Arcadyan is a Taiwanese company, this must be to help their engineers with development of the product.
We just need to change that config variable!
Sifting through the actual config I found the same matching information in the .glbcfg file.
What happens if we replace that whole thing with just a wildcard and apply it to the device again?
That was too easy..
After inserting the same Optus SIM, we no longer see 'No service' and I also now have access to the internet through the device. Happy days.
Unlock Guide
To recreate your own config file with this modification you can follow the steps below (Linux instructions).
- Rename the downloaded config file to end with the .tgz extension, as it's actually a gzipped tar file, using `mv 5GCPE_backup.cfg 5GCPE_backup.tgz`.
- Extract the file using `tar xf 5GCPE_backup.tgz`. I actually got some errors during this process, but this didn't seem to affect anything.
- Replace the line inside config/.glbcfg with `*`.
- Finally, tar everything back together using `tar -czvf 5GCPE_backup.cfg config/` and upload it through the web GUI.
You can verify everything worked by SSH'ing in and running `ltecommander -G` again.
Note
The config file from Whirlpool sets an SSH root password of root and also starts an OpenWRT web interface on port 8080. You can change these settings if you'd like in the config/firewallExt/M1_99_openvpn.user file.
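Since the backup being applied comes from a forum post and carries a hook that changes the root password and opens a web interface, the following added example (not part of the original post) lists what an archive contains before it is uploaded, without extracting it. Only the paths config/.glbcfg and config/firewallExt/M1_99_openvpn.user come from the page; the sample archive contents and the function names are constructed for illustration.

```python
import io
import tarfile

HOOK_DIR = "config/firewallExt/"  # directory named in the page's Note


def audit_backup(fileobj):
    """List risky members of a gzipped-tar config backup without extracting it."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            name = member.name
            # Absolute paths or ".." components would land outside config/.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path-escape", ""))
            # Symlinks and hard links can redirect later writes elsewhere.
            if member.issym() or member.islnk():
                findings.append((name, "link", member.linkname))
            # Hook scripts: surface every non-comment line for manual review.
            if member.isfile() and name.startswith(HOOK_DIR):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                for line in text.splitlines():
                    line = line.strip()
                    if line and not line.startswith("#"):
                        findings.append((name, "hook-command", line))
    return findings


def constructed_sample():
    """Build a small in-memory archive; all file contents here are invented."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        files = {
            "config/.glbcfg": b"placeholder=1\n",
            "config/firewallExt/M1_99_openvpn.user":
                b"# constructed\nexample-command --port 8080\n",
            "../etc/constructed": b"x\n",
        }
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("config/constructed_link")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, kind, detail in audit_backup(constructed_sample()):
        print(f"{kind:13} {name} {detail}")
```

To check a real backup, pass `open("5GCPE_backup.cfg", "rb")` to `audit_backup` and read through every hook-command line before uploading.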