Project Overview and Goals
Project Title: RVLink System Exploitation & MikroTik Integration for Independent WAN Management
Date of Last Redaction: 2025-05-08 (as per the holy scripture)
Core Objective: To achieve direct, authenticated, and programmatic control over the RVLink Roof Unit (MV2402) roof-mounted internet unit (IP: 192.168.10.254). This involves understanding and decisively bypassing the orchestration role of the associated RV2458 Indoor Unit (RV2458) (IP: 192.168.10.1). The ultimate aim is to enable independent WAN management capabilities for the roof unit, facilitating its integration with a downstream Mikrotik Chateau router for advanced functionalities such as WAN failover and sophisticated policy-based routing.
Primary Goals (Status: ACHIEVED):
- Obtain Root Shell Access: Gain privileged (root) access to the operating system of the roof-mounted MV2400 unit.
- Method Utilized: Exploitation of a configuration restore vulnerability (
system_config_backupandsystem_load_configvia/cgi-bin/mbox-config) to overwrite/etc/shadow.
- Method Utilized: Exploitation of a configuration restore vulnerability (
- Perform Full MTD Backup: Secure a complete backup of the roof unit’s flash memory partitions (MTD), especially the critical
artpartition (mtd1) containing calibration data.
Secondary Goal (Status: IN PROGRESS / HIGH PRIORITY):
- Achieve Roof Unit Independence: Liberate the MV2400 roof unit from the control and configuration-reverting mechanisms imposed by the RV2458 indoor unit. This involves sub-objectives:
- Bypass Configuration Reversion: Prevent the roof unit’s network configuration (especially Wi-Fi settings) from being reset by the indoor unit’s Access Controller (AC) functionality, which is believed to interact with the roof unit’s
wtpd(Wireless Termination Point Daemon) suite andheart_beatprocess. - Investigate & Implement Bypass Methods:
- Service Manipulation (Primary Approach): Disable or significantly alter the behavior of the
wtpdandheart_beatservices on the roof unit (e.g., usingrc.commondisable commands like/etc/init.d/wtpd disable). - Service Reconfiguration: Modify the configuration of
wtpd(likely via UCI – Unified Configuration Interface) to prevent communication with the indoor unit’s AC (e.g., by nullifying or redirecting theac_ipsetting). - Flash Stock OpenWrt (Contingency/Definitive Solution): As a more permanent solution, prepare and execute a plan to flash a standard OpenWrt firmware image compatible with the COMFAST CF-E5 hardware (the identified base for the MV2402). This requires careful handling of existing backups, particularly
mtd1/art, and potentially utilizing U-Boot web recovery.
- Service Manipulation (Primary Approach): Disable or significantly alter the behavior of the
- Bypass Configuration Reversion: Prevent the roof unit’s network configuration (especially Wi-Fi settings) from being reset by the indoor unit’s Access Controller (AC) functionality, which is believed to interact with the roof unit’s
Tertiary Goal (Status: PENDING successful completion of Secondary Goal):
- MikroTik Chateau Router Integration: Once the roof unit operates independently and maintains its configuration reliably:
- Integrate its WAN connection with a downstream MikroTik Chateau router. See Network Tap
- Implement advanced network features like WAN failover (e.g., between the RVLink’s cellular connection and another source) and policy-based routing.
- Address any captive portal interactions if present or necessary.
Investigative & Supporting Goals (Status: ONGOING / PRIORITIES REVISED):
- Deepen Understanding of Indoor-Roof Unit Interaction (High Priority if Service Manipulation Fails):
- Analyze network traffic between the indoor (RV2458) and roof (MV2400) units to definitively confirm the communication protocols, port usage, and the exact role of the indoor unit’s
/data/set_setting.htmlendpoint in the configuration commit process.
- Analyze network traffic between the indoor (RV2458) and roof (MV2400) units to definitively confirm the communication protocols, port usage, and the exact role of the indoor unit’s
- Indoor Unit Vulnerability Exploitation (Lower Priority):
- Further investigate and potentially exploit vulnerabilities on the RV2458 indoor unit (e.g., Realtek SDK v1.3 UPnP/WPS vulnerabilities, settings restore flaws via
config.txt) for alternative control or deeper system insights. This is now of lower priority due to successful root access on the primary target (roof unit).
- Further investigate and potentially exploit vulnerabilities on the RV2458 indoor unit (e.g., Realtek SDK v1.3 UPnP/WPS vulnerabilities, settings restore flaws via
- Roof Unit Vulnerability Research (Very Low Priority):
- Further explore other potential vulnerabilities on the MV2400, such as command injection in
mbox-configSET parameters or file upload issues via/upload.html. These are largely superseded by the achieved root access.
- Further explore other potential vulnerabilities on the MV2400, such as command injection in