Project Overview and Goals

Project Title: RVLink System Exploitation & MikroTik Integration for Independent WAN Management

Date of Last Redaction: 2025-05-08 (as per the holy scripture)

Core Objective: To achieve direct, authenticated, and programmatic control over the RVLink Roof Unit (MV2402) roof-mounted internet unit (IP: 192.168.10.254). This involves understanding and decisively bypassing the orchestration role of the associated RV2458 Indoor Unit (RV2458) (IP: 192.168.10.1). The ultimate aim is to enable independent WAN management capabilities for the roof unit, facilitating its integration with a downstream Mikrotik Chateau router for advanced functionalities such as WAN failover and sophisticated policy-based routing.

Primary Goals (Status: ACHIEVED):

  1. Obtain Root Shell Access: Gain privileged (root) access to the operating system of the roof-mounted MV2400 unit.
    • Method Utilized: Exploitation of a configuration restore vulnerability (system_config_backup and system_load_config via /cgi-bin/mbox-config) to overwrite /etc/shadow.
  2. Perform Full MTD Backup: Secure a complete backup of the roof unit’s flash memory partitions (MTD), especially the critical art partition (mtd1) containing calibration data.

Secondary Goal (Status: IN PROGRESS / HIGH PRIORITY):

  1. Achieve Roof Unit Independence: Liberate the MV2400 roof unit from the control and configuration-reverting mechanisms imposed by the RV2458 indoor unit. This involves sub-objectives:
    • Bypass Configuration Reversion: Prevent the roof unit’s network configuration (especially Wi-Fi settings) from being reset by the indoor unit’s Access Controller (AC) functionality, which is believed to interact with the roof unit’s wtpd (Wireless Termination Point Daemon) suite and heart_beat process.
    • Investigate & Implement Bypass Methods:
      • Service Manipulation (Primary Approach): Disable or significantly alter the behavior of the wtpd and heart_beat services on the roof unit (e.g., using rc.common disable commands like /etc/init.d/wtpd disable).
      • Service Reconfiguration: Modify the configuration of wtpd (likely via UCI – Unified Configuration Interface) to prevent communication with the indoor unit’s AC (e.g., by nullifying or redirecting the ac_ip setting).
      • Flash Stock OpenWrt (Contingency/Definitive Solution): As a more permanent solution, prepare and execute a plan to flash a standard OpenWrt firmware image compatible with the COMFAST CF-E5 hardware (the identified base for the MV2402). This requires careful handling of existing backups, particularly mtd1/art, and potentially utilizing U-Boot web recovery.

Tertiary Goal (Status: PENDING successful completion of Secondary Goal):

  1. MikroTik Chateau Router Integration: Once the roof unit operates independently and maintains its configuration reliably:
    • Integrate its WAN connection with a downstream MikroTik Chateau router. See Network Tap
    • Implement advanced network features like WAN failover (e.g., between the RVLink’s cellular connection and another source) and policy-based routing.
    • Address any captive portal interactions if present or necessary.

Investigative & Supporting Goals (Status: ONGOING / PRIORITIES REVISED):

  1. Deepen Understanding of Indoor-Roof Unit Interaction (High Priority if Service Manipulation Fails):
    • Analyze network traffic between the indoor (RV2458) and roof (MV2400) units to definitively confirm the communication protocols, port usage, and the exact role of the indoor unit’s /data/set_setting.html endpoint in the configuration commit process.
  2. Indoor Unit Vulnerability Exploitation (Lower Priority):
    • Further investigate and potentially exploit vulnerabilities on the RV2458 indoor unit (e.g., Realtek SDK v1.3 UPnP/WPS vulnerabilities, settings restore flaws via config.txt) for alternative control or deeper system insights. This is now of lower priority due to successful root access on the primary target (roof unit).
  3. Roof Unit Vulnerability Research (Very Low Priority):
    • Further explore other potential vulnerabilities on the MV2400, such as command injection in mbox-config SET parameters or file upload issues via /upload.html. These are largely superseded by the achieved root access.

Wesley Ray · blog · git · resume