How did they pull this off? (TMOUS Hotspot)

I did a little research on how T-Mobile US deploy their IPv6 in their mobile hotspot.

When my laptop connects to the hotspot, these are the IP addresses it got:

$ ip a
2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP group default qlen 1000
    link/ether 90:2e:1c:71:ee:86 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.248/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp1s0
       valid_lft 6828sec preferred_lft 6828sec
    inet6 2607:fb90:fa26:937c:7336:2811:7657:394/64 scope global temporary dynamic
       valid_lft 602348sec preferred_lft 83516sec
    inet6 2607:fb90:fa26:937c:15fc:57f7:3229:d608/64 scope global mngtmpaddr noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::6ab2:11e2:fdf6:239d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Traceroute to dns.google:

$ traceroute -6 dns.google
traceroute to dns.google (2001:4860:4860::8844), 30 hops max, 80 byte packets
 1  mobile.hotspot (2607:fb90:fa26:937c:200a:218:bc08:7f90)  0.839 ms  0.882 ms  0.915 ms
 2  fc00:10:6:122::254 (fc00:10:6:122::254)  196.567 ms  196.565 ms fc00:10:5:122::254 (fc00:10:5:122::254)  197.957 ms
 3  fc00:10:6:122::254 (fc00:10:6:122::254)  197.934 ms  197.949 ms  203.421 ms
 4  fd01:976a:0:1::d5 (fd01:976a:0:1::d5)  203.481 ms * *
 5  * * ::ffff:10.169.6.125 (::ffff:10.169.6.125)  203.012 ms
 6  ::ffff:10.169.6.125 (::ffff:10.169.6.125)  206.137 ms  201.722 ms 2001:4860:1:1::1018 (2001:4860:1:1::1018)  201.825 ms
 7  2607:f8b0:8069::1 (2607:f8b0:8069::1)  201.605 ms  54.054 ms 2001:4860:1:1::1018 (2001:4860:1:1::1018)  70.645 ms
 8  2607:f8b0:8311::1 (2607:f8b0:8311::1)  58.428 ms dns.google (2001:4860:4860::8844)  65.929 ms 2607:f8b0:831d::1 (2607:f8b0:831d::1)  63.735 ms

Wait a minute... first hop's IP address is in the same /64 as the laptop IP?

The mobile hotspot acts as a router/gateway, right?

$ ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2607:fb90:fa26:937c::/64 dev wlp1s0 proto ra metric 600 pref medium
fe80::/64 dev wlp1s0 proto kernel metric 1024 pref medium
default via fe80::3138:15d9:a817:28e9 dev wlp1s0 proto ra metric 600 pref medium

NDP-proxy?

I wish there is a way to ssh into the box. There isn't much resources out there about this topic.

So what say you about how the CPE is configured?

The all seeing eye sees everything...

Comments

  • Thanked by (1)Janevski

    Websites have ads, I have ad-blocker.

  • edited August 2023

    More digging:

    $ sudo tcpdump -i wlp1s0 icmp6
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on wlp1s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    23:06:57.918734 IP6 fe80::d052:37ff:fe7b:198d > ff02::1:ff57:394: ICMP6, neighbor solicitation, who has illyad, length 32
    23:06:57.918815 IP6 illyad > fe80::d052:37ff:fe7b:198d: ICMP6, neighbor advertisement, tgt is illyad, length 32
    23:07:00.592472 IP6 illyad > _gateway: ICMP6, neighbor solicitation, who has _gateway, length 32
    23:07:00.602987 IP6 fe80::d052:37ff:fe7b:198d > illyad: ICMP6, redirect, _gateway to _gateway, length 120
    23:07:00.607748 IP6 _gateway > illyad: ICMP6, neighbor advertisement, tgt is _gateway, length 32
    23:07:00.786507 IP6 fe80::d052:37ff:fe7b:198d > ff02::1:fff6:239d: ICMP6, neighbor solicitation, who has illyad, length 32
    23:07:00.786592 IP6 illyad > fe80::d052:37ff:fe7b:198d: ICMP6, neighbor advertisement, tgt is illyad, length 32
    23:07:03.153423 IP6 illyad > fe80::d052:37ff:fe7b:198d: ICMP6, neighbor solicitation, who has fe80::d052:37ff:fe7b:198d, length 32
    23:07:03.162920 IP6 fe80::d052:37ff:fe7b:198d > illyad: ICMP6, neighbor advertisement, tgt is fe80::d052:37ff:fe7b:198d, length 24
    23:07:03.653802 IP6 fe80::d052:37ff:fe7b:198d > illyad: ICMP6, destination unreachable, unreachable address _gateway, length 80
    ^C
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel
    

    and

    $ ip -6 n
    fe80::3138:15d9:a817:28e9 dev wlp1s0 lladdr f4:63:49:00:00:01 router REACHABLE
    fe80::d052:37ff:fe7b:198d dev wlp1s0 lladdr f4:63:49:00:00:01 router REACHABLE
    

    ff02::1:ff57:394 seems to come out of nowhere.

    The all seeing eye sees everything...

  • if i had the hardware i probably could have found a way inside it
    did the same with my ISPs router, the way it manages to handle voip and internet while also spying on us is wonderfully executed

    youtube.com/watch?v=k1BneeJTDcU

  • Probably true but no ways to verify for sure:
    2607:fb90:fa26:937c::/64 is assigned to the user facing interface and interfaces of the user's end use devices.

    I have no way of knowing it to be absolutely true but traceroute shows that they use ULAs for all internal equipment.

    The all seeing eye sees everything...

  • MikeAMikeA Hosting ProviderOG

    I had an openwrt router with t-mobile/at&t but returned it yesterday to get another new model. Sadly won't have it for 2-3 weeks. If you want me to test something lmk.

  • @terrorgen said:
    Probably true but no ways to verify for sure:
    2607:fb90:fa26:937c::/64 is assigned to the user facing interface and interfaces of the user's end use devices.

    In wired networks, this would be the effect of DHCPv6 Prefix Delegation.
    Verizon FiOS delegates a /56 prefix to my home router.
    My home router gives a /64 prefix to each internal interface.
    Devices on an internal interface are assigned addresses from that /64 prefix.
    The link between my home router and Verizon equipment has only link-local address.

    In cellular networks, it's somewhat different.
    When the UE registers with the cellular network, the SMF allocates a /64 prefix to the UE, and instructs the data network (UPFs) to route this prefix to the UE.
    The UE i.e. mobile hotspot can then put this /64 on its DHCPv6 server and assigns addresses to the connected devices.
    The link between the mobile hotspot and the core network is not an IP interface and does not need IP addressing.

  • @MikeA said:
    I had an openwrt router with t-mobile/at&t but returned it yesterday to get another new model. Sadly won't have it for 2-3 weeks. If you want me to test something lmk.

    What model is that?

    @yoursunny said:
    The link between the mobile hotspot and the core network is not an IP interface and does not need IP addressing.

    Ah mystery solved!

    The all seeing eye sees everything...

  • MikeAMikeA Hosting ProviderOG

    @terrorgen said:

    @MikeA said:
    I had an openwrt router with t-mobile/at&t but returned it yesterday to get another new model. Sadly won't have it for 2-3 weeks. If you want me to test something lmk.

    What model is that?

    @yoursunny said:
    The link between the mobile hotspot and the core network is not an IP interface and does not need IP addressing.

    Ah mystery solved!

    https://www.gl-inet.com/products/gl-x3000/

    However I pre-ordered the xe3000 which is the same, just with a battery, as I use cell routers when travelling.

    Thanked by (1)terrorgen
  • GL.iNet has good stuff. Really filling in a niche.

    The all seeing eye sees everything...

  • edited August 2023

    @Otus9051 said:
    spying on us is wonderfully executed

    I would love to hear more on this.

    Why?

  • @jmaxwell said:

    @Otus9051 said:
    spying on us is wonderfully executed

    I would love to hear more on this.

    they scan the nearby aps, the dns is obviously obliterated by the isp, the router also runs a weird redirection service which redirects you from websites to this seemingly non existent webpage which keeps loading until its timed out

    if you wanna know more you can just get the firmware or go to https://github.com/JFC-Group/JF-Customisation

    however the spying part isnt mentioned there very well, we recently got the ap scan thing sorted

    another fishy thing is if you change the dns on the router it will always default to jio's dns after a reboot, we found a sftp server of Jio that held VoIP server logs of many, many people

    stuff.

    Thanked by (1)jmaxwell

    youtube.com/watch?v=k1BneeJTDcU

  • Seems to imply you have access to their servers.

    The all seeing eye sees everything...

  • I read the thread title as HUMOUS.

  • DanielDaniel OG
    edited August 2023

    @terrorgen said:
    ff02::1:ff57:394 seems to come out of nowhere.

    It's a type of multicast address:

          Solicited-Node Address:  FF02:0:0:0:0:1:FFXX:XXXX
    
       Solicited-Node multicast address are computed as a function of a
       node's unicast and anycast addresses.  A Solicited-Node multicast
       address is formed by taking the low-order 24 bits of an address
       (unicast or anycast) and appending those bits to the prefix
       FF02:0:0:0:0:1:FF00::/104 resulting in a multicast address in the
       range
    
             FF02:0:0:0:0:1:FF00:0000
    
       to
    
             FF02:0:0:0:0:1:FFFF:FFFF
    
       For example, the Solicited-Node multicast address corresponding to
       the IPv6 address 4037::01:800:200E:8C6C is FF02::1:FF0E:8C6C.  IPv6
       addresses that differ only in the high-order bits (e.g., due to
       multiple high-order prefixes associated with different aggregations)
       will map to the same Solicited-Node address, thereby reducing the
       number of multicast addresses a node must join.
    

    https://www.rfc-editor.org/rfc/rfc4291.html#section-2.7.1

    Thanked by (2)terrorgen FrankZ
  • @Nekki said:
    I read the thread title as HUMOUS.

    I love hummus!

  • @bugrakoc said:

    @Nekki said:
    I read the thread title as HUMOUS.

    I love hummus!

    Yep, I too love humerus. Very tasty :lol:

    Websites have ads, I have ad-blocker.

  • @bugrakoc said:

    @Nekki said:
    I read the thread title as HUMOUS.

    I love hummus!

    Everyone should. It's delicious, versatile, and you can spread it on spotty arse cheeks for an hour and it'll clear those pimples right up!

Sign In or Register to comment.